home.social

#sniproxy — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sniproxy, aggregated by home.social.

  1. What to use to forward SSL connections? #sniproxy says it's EOLed but is there something else? Or does one need to terminate the SSL connections now?

  2. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet is how to pass the client IP by PROXY protocol to an HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  7. As of 2023-12-13 #sniproxy is marked as deprecated.

    That's a shame, because there is no equivalent replacement. All other reverse proxies (Nginx, HAProxy, Caddy etc.) are significantly more complex, more resource-hungry or less performant.

    github.com/dlundquist/sniproxy

  8. Just discovered how to get `sniproxy` and `nginx` / `apache2` to play together using HAProxy v1 protocol so that I can see client IPs in my server logs.

    It's a bit fiddly to get going, but essentially you add the relevant entries to your `sniproxy` rules with the `proxy_protocol` directive.

    At the server end:
    - on `nginx`: add `set_real_ip_from <sniproxy_host_ip>` to /etc/nginx/conf.d/realip.conf; add `proxy_protocol` to your IPv4 `listen` directives
    - on `apache2`: enable `mod_remoteip.so`, put `RemoteIPProxyProtocol On` and `RemoteIPProxyProtocolExceptions 2001::/4`

    What this does:
    - IPv6 traffic directly hits the box without `sniproxy`
    - IPv4 proxy which presumably is directed at a NAT gateway, goes via SNIProxy, HAProxy header gets added, picked up by your HTTP server and can be used in logs or forwarded to applications (like #Mastodon).

    #nginx #apache #sniproxy
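
An added example, not part of the post above: a simplified Python model of what the back-end does with the PROXY protocol v1 line that `sniproxy` prepends, including the trust check that `set_real_ip_from` expresses. The address `192.0.2.10` for the sniproxy host, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the sniproxy host's address; only this peer may supply a PROXY header.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def parse_proxy_v1(data):
    """Split a PROXY protocol v1 line off `data`; return (source_ip_or_None, rest)."""
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes including CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # the proxy could not determine the client address
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    if not all(f.isdigit() and int(f) <= 65535 for f in fields[4:6]):
        raise ValueError("bad port")
    return str(src), rest

def client_address(peer_ip, data):
    """Return (address to log, remaining stream bytes) for one new connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection (the IPv6 path in the post): never believe a header
        # from an untrusted peer, log the socket address and leave the bytes alone.
        return peer_ip, data
    src, rest = parse_proxy_v1(data)  # a trusted peer must send a valid header
    return (src or peer_ip), rest

# Constructed sample: header from sniproxy followed by the start of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n\x16\x03\x01"
```

The second branch is the point of the trust list: a client that connects directly and sends its own `PROXY` line must not be able to choose the address that ends up in the logs.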