Just released: #swad v0.2
SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy that supports delegating authentication to a backend service, e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as few external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.
Currently, the only credential checker module available offers #PAM authentication; more modules will come in later releases.
swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:
Here is a very great overview and installation video of HortusFox - including how to deploy via portainer! Thanks to SYNACK Time for giving HortusFox a spotlight.
Released: #swad v0.1
Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!
swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.
Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful.
If you want to know more, read here:
https://github.com/Zirias/swad
#IngressNightmare – or how to take over a Kubernetes cluster
Vulnerabilities classified as critical can stir up extreme emotions. At Sekurak we are sure that not everyone will agree with the CVSS 3.1 score (9.8/10) assigned to the series of vulnerabilities known as IngressNightmare, which were described on 24.04.2025 by researchers from wiz.io. TLDR: The problematic component is the Ingress NGINX Controller, i.e. the ingress controller (the controller for inbound traffic,...
#WBiegu #Ingress #K8s #Kubernetes #Nginx #Podatność #Rce
https://sekurak.pl/ingressnightmare-czyli-jak-przejac-klaster-kubernetes/
I've set up my new #inkscape website AI bot trap. It works by giving everyone a chance to not fall into it.
An anchor link that says "I am a bot" and links to /P3W-451/{datetime}/. It has a fixed position at top -100px, so it should never be seen.
The robots.txt says "Disallow: /P3W-451/", so if you were reading the robots, you'd know.
Then #nginx logs the requests to a log of their IP addresses and browser strings and sends them a 301 redirect to google.com
1/2
First "production test" successful ... after band-aid "deployment" (IOW, scp binaries to the prod jail).
#swad integrates with #nginx exactly as I planned it. And #PAM authentication using a child process running as root also just works (while the main process dropped privileges).
So, I guess I can say goodbye to #AI #bots hammering my poor DSL connection just to download poudriere build logs.
Still a lot to do for #swad: Make it nicer. So many ideas. Best start would probably be to implement more credentials checking modules besides PAM.
If this continues, we will block Azure, AWS and the like
Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!
It includes the following and much more:
➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,
➝ #Trump administration accidentally texted a journalist its war plans,
➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,
➝ #Cyberattack hits Ukraine's state railway,
➝ Troy Hunt's Mailchimp account was successfully phished,
➝ #OpenAI Offering $100K Bounties for Critical #Vulnerabilities,
➝ #Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every weekend
https://infosec-mashup.santolaria.net/p/infosec-mashup-13-2025
Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done!
Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.
I know it's kind of stubborn doing that in C, but hey, #coding it is great fun
Motivated by Samuel Reichör, I took another try for Craft CMS + Coolify. But I can't get the nginx conf quite right Thx for any hints!
Source code Docker Compose:
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/docker-compose.yml
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/Dockerfile
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/nginx.conf
Coolify Discord question: https://discord.com/channels/459365938081431553/1355504172920864911
@bagder Wow. For a few months, I was wondering why I suddenly have bandwidth issues when activating my camera in MS Teams meetings, so others can't understand me any more.
A look into my #nginx logs seems to clarify. Bots are eagerly fetching my (partially pretty large) #poudriere build logs. (#AI "watching shit scroll by"?)
I see GPTBot at least occasionally requests robots.txt, which I don't have so far. Other bots don't seem to be interested. Especially PetalBot is hammering my server. And there are others (bytedance, google, ...)
Now what? Robots.txt would actually *help* well-behaved bots here (I assume build logs aren't valuable for anything). The most pragmatic thing here would be to add some http basic auth in the reverse proxy for all poudriere stuff. It's currently only public because there's no reason to keep it private....
Have to admit I feel inclined to try one of the tarpitting/poisoning approaches, too.
This morning it came to light that a vulnerability in the Kubernetes Ingress NGINX Controller (ingress-nginx) allows malicious actors to perform unauthenticated remote code execution (RCE).
All organisations using ingress-nginx should patch to version 1.11.5 as soon as possible. More info can be found at: https://advisories.ncsc.nl/advisory?id=NCSC-2025-0095
If you're running ingress-nginx in your Kubernetes cluster please take a look at these latest CVE details, it's a big one! Patches are out so please get updating as soon as you can!
https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
That moment when you import the #nginx #logfile into #matomo and the #server nearly dies in the process.
Our access.log is close to 800,000 lines; no wonder the server suffers a #prozessorkernschmelze
Anyone else experiencing this file list flicker in the #PrusaLink webinterface when behind an #nginx reverse proxy?
Looks like there might still be some #NGINX issues. This article's links are going to 404 (not found) pages
Right!
#JellyFin installed. Most of my media reorganised and indexed.
#Tailscale deleted. I can't be bothered running it 24/7 on my phone.
#Docker and #NGINX reverse proxy manager installed. Probably done that right. No idea if it'll survive a reboot.
#LetsEncrypt set up with Dynamic DNS. No SSL errors!
HD Streaming over 5G works - but will have to see how adaptive it is on shitty hotel WiFi.
Bit of a faff, but seems to be working. Next step is configuring a Fire Stick to work with it.