alarmingly large glaceon girl 🍓

how nginx works i think, by holly:

so you have programs on your server that think they're talking to the internet. like my mastodon tihnks it's talking to the internet directly. but it's not because that would be bad. instead you have nginx sitting between them. the internet talks to nginx and then nginx tells mastodon what it said, and then whatever mastodon says back nginxs says to the internet

1+
the Hearth :ms_agender_flag:
Follow

@monorail why would that be bad
-F

· · 2 · 0 · 1
alarmingly large glaceon girl 🍓

@Felthry in general? ¯\_(ツ)_/¯

in my case, in addition to whatever other benefits it has: mastodon wants to be the only thing talking to the internet, but nginx knows how to talk to more than one thing, and it knows how to tell which thing any given request is for

1
the Hearth :ms_agender_flag:

@monorail oh so it's kind of like using an rs232 to rs485 conversion thingy
-F

1
alarmingly large glaceon girl 🍓

@Felthry yeah

only one thing can actually talk to the internet at a time, so you have to have nginx in the middle telling everything "oh yeah don't worry, i'm the internet, you're the only one talking to me"

but it says that to both my mastodon instance and to my phpbb board

also nginx knows how to serve files, too, so it itself is one of the things that the internet might be talking to

1+
the Hearth :ms_agender_flag:

@monorail addressable buses are very handy when you need to have more than one thing in existence
-F

1
alarmingly large glaceon girl 🍓

@Felthry i find that, quite often, you need more than one thing to exist

1+
the Hearth :ms_agender_flag:

@monorail it tends to help yeah
-F

0
packbats in existence

@monorail @Felthry is it okay for us to boost this with no context?

- 🔥 ✨

1
alarmingly large glaceon girl 🍓

@packbat @Felthry oh I didn't see this but sure

0
shork

@monorail @Felthry you could run two web servers but they'd have to be on different ports

1
alarmingly large glaceon girl 🍓

@noiob @Felthry yeah but that would be bad because everyone assumes 80 and 443

1
the Hearth :ms_agender_flag:

@monorail @noiob why those specific numbers
-F

1
alarmingly large glaceon girl 🍓

@Felthry @noiob convention

1+
alarmingly large glaceon girl 🍓

@Felthry @noiob 80 is used for http connections, 443 is used for https connections. anything else could be used, but that's what your browser will try by default

1
shork

@monorail @Felthry also most of the first few hundred ports are reserved for services/programs or have been used by services/programs enough that everyone else just acknowledges that

port 666 is Doom's port, for example, they never formally requested that port but even Windows just labels it doom

there's a benefit to not running stuff on the default port, moving ssh to a different port than 22 means that your login service won't get attacked with dictionaries all the time

1
alarmingly large glaceon girl 🍓

@noiob @Felthry yeah but you can also just install fail2ban

1
the Hearth :ms_agender_flag:

@monorail @noiob what's fail2ban?
-F

1+
alarmingly large glaceon girl 🍓

@Felthry @noiob it just bans anyone who fails to connect too many times in a row

1
alarmingly large glaceon girl 🍓

@Felthry @noiob so you can't just throw dictionaries at an ssh connection until you find the right password

1+
the Hearth :ms_agender_flag:

@monorail @noiob oh that's just a more aggressive version of "you failed to authenticate three times so you have to wait five minutes before you can try again"
-F

0
shork

@monorail @Felthry you can't do that anyways if you disable password login as everyone will advise you to do

0
shork

@Felthry @monorail idk sounds harder to set up than changing a number in my sshd config

1+
the Hearth :ms_agender_flag:

@noiob @monorail i'm assuming sshd here is not solid state hybrid drive
-F

1+
alarmingly large glaceon girl 🍓

@Felthry @noiob yeah it's the service you run on a server so you can ssh into it

1
the Hearth :ms_agender_flag:

@monorail @noiob sshinto... super shinto
-F

0
shork

@Felthry @monorail it's the ssh daemon, the ssh server program

0
alarmingly large glaceon girl 🍓

@noiob @Felthry mmm i guess but that also makes it a pain to connect from unfamiliar computers

tbh the correct answer is to use key auth, which is also a pain to use from unfamiliar computers but it's a lot more secure

1
shork

@monorail @Felthry yeah but I have a ssh client on my phone so I can just add keys from there if I have to

0
the Hearth :ms_agender_flag:

@monorail @noiob but didn't they hear about the pandemic, all the cons are cancelled
-F

0
Crinklewott 💕

explainy 

@Felthry @monorail one common reason is because nginx can run as root so your actual server that might have holes in it doesn't need to

root is the highest permission level on linux, and you typically need to use them to have a server that listens on ports browsers actually try to connect to

basically, nginx is heavily battle tested, so there's a smaller chance that someone can exploit it and gain root privileges than whatever random and less-tested thing you put behind it

0
Sign in to participate in the conversation
Awoo Space

Awoo.space is a Mastodon instance where members can rely on a team of moderators to help resolve conflict, and limits federation with other instances using a specific access list to minimize abuse.

While mature content is allowed here, we strongly believe in being able to choose to engage with content on your own terms, so please make sure to put mature and potentially sensitive content behind the CW feature with enough description that people know what it's about.

Before signing up, please read our community guidelines. While it's a very broad swath of topics it covers, please do your best! We believe that as long as you're putting forth genuine effort to limit harm you might cause – even if you haven't read the document – you'll be okay!

Trending now

Resources

Developers

What is Mastodon?

awoo.space

  • v3.5.3+glitch

More…

v3.5.3+glitch · Privacy policy