nutbutter

What are your favourite, or least favourite but necessary, cost-cutting methods?

I feel I am spending too many resources on unnecessary stuff.

Edit: I feel the need to reduce both – the resources, to host multiple things on one system, and cost, to buy/pay for multiple systems. Currently, I have 2 ARM VPSes and 1 old MacBook Air as a home server.

Currently, I am using Montserrat. Even though it is licensed under Open License Font, I do not feel comfortable using it anymore, probably because it is used in over 17 million websites and is considered overused.

Another reason is that I have to load multiple font weights, as bold tags do not work as intended. A single weight is over 20kb in size (after removing unused glyphs). I want to keep my site lightweight, and good looking.

Also, after looking at motherfuckingwebsite.com and perfectmotherfuckingwebsite.com, I feel sad about loading any external fonts.

I want a sans font, and I am also using -webkit-text-stroke with transparent fill to give some text outline effect.

What are your suggestions, fellow lemmings? What is your favourite font? Should I just stick with Liberation Sans?

Until yesterday, I didn’t even know you could use the docker images and the same docker-compose configs with Podman.

The UI you are looking at is Cockpit, which can be installed on almost any Linux Server. I have used it before but I am amazed by its integration with Podman.

Seriously, consider trying this, once.

Here's another screenshot of Cockpit:

TL;DR - option forwardfor and http-request set-header X-Real-IP %[src] are not working.

My setup is slightly complicated. I have a homeserver, with HAProxy installed and some docker containers. My homeserver is, then, connected to a VPS via WireGuard which also has HAProxy installed. HAProxy on homeserver forwards the docker containers with an SSL certificate to the VPS. The VPS, then, just does TLS pass through to the clients.

The issue is, if I do not use option forwardfor in either of the 2 HAProxy configurations, I get the internal IP address of the docker container (172.XX.XX.1). If I add option forwardfor on the homeserver's HAProxy config, I get the internal IP of the WireGuard of the home server (10.0.0.2). And if I add option forwardfor to the HAProxy config of the VPS as well, I get the internal IP of the WireGuard tunnel (10.0.0.1). And as far as I know, http-request set-header X-Real-IP %[src] has no impact. I have also tried using send-proxy and send-proxy-v2, but then the whole setup stops working.

HAProxy config on home server:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20>
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen rp
        bind *:443 ssl crt /path/to/cert.pem

        acl service1 hdr_sub(host) -i service1.domain.me
        acl service2 hdr_sub(host) -i service2.domain.me

        use_backend service1_backend if service1
        use_backend service2_backend if service2

backend service1_backend
        server service1_server 127.0.0.1:8080

backend service2_backend
#       option forwardfor
#       http-request set-header X-Real-IP %[src]
        server service2_server 127.0.0.1:9090

HAProxy config on VPS:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param       4096

defaults
        log     global
        mode    tcp
#       option  forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000

listen http
        bind *:80
        mode tcp
        server default 10.0.0.2:80
listen https
        bind *:443 alpn h2,http/1.1
        mode tcp
#       option forwardfor header X-Real-IP
#       http-request set-header X-Real-IP %[src]
        server main 10.0.0.2:443

I have to resort to this because I am behind CGNAT, and want TLS pass through on the VPS for privacy.

What am I doing wrong?

Why should we install wordpress using dnf install wordpress rather than just downloading the files? is it because those PHP file won't work due to SELinux, or is it something else?

Also, if I am importing NGINX config files and database backups (made using msqldump) from another server, do I have to do something with them before they can work?

Another thing that I have seen is that in the nginx.conf file in Fedora, the user is set to nginx, while on other operating systems it is set to www-data by default. Why is that?

I am asking this because I want to migrate from a Debian server to a Fedora Server (preferably on ARM).

I am trying to set up a reverse proxy server, with TLS passthrough.

I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.

I need help with 2 issues, basically. Let's take a look at my passthrough.conf file, which I have included in nginx.conf file.

stream {
    # Listen for incoming TLS connections on service1.domain.me
    server {
        listen 443;
        proxy_pass service1.domain.me;
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_name $ssl_preread_server_name;
    }

    # Listen for incoming TLS connections on service2.domain.me
#    server {
#        listen 443;
#        proxy_pass service2.domain.me;
#        proxy_ssl on;
#        proxy_ssl_protocols TLSv1.2 TLSv1.3;
#        proxy_ssl_name $ssl_preread_server_name;
#    }

    # Define the backend server for service1.domain.me
    upstream service1.domain.me {
        server homeserverIP:port;
    }

    # Define the backend server for service2.domain.me
#    upstream service2.domain.me {
#        server homeserverIP:port;
#    }
}

The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing NGINX config: nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked the systemctl status I saw: nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use). This is because I am already hosting multiple WordPress sites on this VPS.

Here's my nginx.conf file:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

http {

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;


        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;

        gzip_vary on;
        gzip_proxied any;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        client_max_body_size 100M;
        server_tokens off;

}

#include /etc/nginx/passthrough.conf;

I do not know much about NGINX configuration, any help or article links would help.

We all hate ads, primarily because it is an unethical usage of our data for profits. So, if a person does not want to pay companies like Google, Meta and Microsoft, what alternatives are there to advertise or promote a product or service?

Sure, there are options like posting on online forums, groups and email marketing, but the results do not come anywhere close when compared to paid ads. Are there privacy respecting companies that provides ad placement services? DuckDuckGo uses Microsoft ads, Mojeek didn't reply and Qwant isn't available in my country.

Say, I provide a service to a specific type/group of people, what is the most efficient and ethical, and least annoying way to reach them? Say, I own a restaurant or something. How do I attract more customers? I am willing to pay, but to not data-hungry companies.

Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.

Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.

1. Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
2. Is port forwarding required to set up TLS passthough?
3. Does NPM support TLS passthrough, or should I shift to HAProxy?

If there are any issues with my current setup, or the assumptions I am making, please guide me.

I would donate to (and have donated to some of) the following:

• Vaultwarden
• Jellyfin
• Invidious project and yewtu.be instance
• Shynet
• Riseup VPN
• Photoview
• Jerboa

Lemmyers? Lemmurs?

Lemmyists?

Lemmitors?

Considering my threat model is just preventing my ISP to know which websites I am visiting and to prevent my government (India) from tracking me, do I need to use a VPN?

Currently, I am using a trusted VPN provider with a permanent kill switch and am never off of the VPN. Today, I was reading IVPN's homepage and it says, "A VPN can be effective at encrypting your DNS requests so your ISP or mobile network provider cannot monitor or log the domains you visit." But as far as I know, DNS over HTTPS does encrypt the DNS requests. Right?

I regularly clean my cookies, use hardened browsers, etc. So is a VPN really necessary for me? Or shall I just shift to using Quad9's DoH or something?

Edit - I am using the router provided by the ISP and I cannot change it because I am behind CGNAT. I can use a separate device and install PfSense or OpenWRT or something on it and use that as a firewall. Any suggestions there?