```bash
go get -u -t; go mod tidy
go install golang.org/x/tools/cmd/goimports@latest
go install github.com/onsi/ginkgo/v2/ginkgo@latest
```
Drive-by: placate the Markdown linter in DEVELOPER.md
When IBM's quad9 (9.9.9.9) blocked us, we opened a ticket with them to
unblock us, and to make it easier for me to cut-and-paste the references
the next time I open a ticket, I incorporated the references into the
blurb at the top of the sslip.io homepage.
Drive-by:
I reformatted the homepage after modifying the VS Code setting, so this
appears to be a bigger commit than it actually is:
```json
"html.format.preserveNewLines": false
```
[#106]
The "status" footnote was too pedantic, and I've grown to dislike it. No
one cared about it except for me. Now the webpage is even more spare.
Removed an errant ", and". And simplified a sentence.
A short, succinct description of how to report abuse. I only show the
"abuse@nip.io" email, but I've also set up the "abuse@sslip.io" email
just in case.
I wanted so badly to say, "we've blocked 774 sites, every second we
prevent an innocent web user from hitting a phishing site.", but I felt
it was clutter. Less is more.
I prefer "nip.io" over "sslip.io", mostly because it's shorter, but also
because TLS is more appropriate than SSL ("sslip.io" should've been
"tlsip.io").
This commit uses "nip.io" in more places.
- Even though the anchor uses "nip.io", I left the href as sslip.io
because I was loath to regenerate the certificates on the mirror
websites
- For "White Labeling", I left the nameservers as "sslip.io" because
those are the ones that have host records in my registrar, Namecheap
- 🐞 My CI link pointed to a long-gone Concourse CI server; I've updated
it to point to GitHub actions
- I re-ordered the names of who created sslip.io; since I've been
running it lo these last ten years, my name should go first. It's not
an ego thing; it's more so that people can see right away who runs it,
whom they should contact.
The "Experimental Features" section was a wall of text that interested
no one except me. It was clutter. So I slimmed down that main page by
moving the experimental content to its own page.
They are similar services, so they should be near each other, and near
the top because they're identical to us (nip.io sslip.io).
I had "demoted" backname.io because the creator hadn't gotten back to
me; I put him at the bottom of the list. But my memory was faulty, he
had gotten back to me, and he was quite cordial.
...and also advertise that we've been running for over ten years.
My intent is not so much to advertise as to have something to
cut-and-paste when Hetzner threatens to take down my service due to a
misinformed abuse report.
I've been pinged privately on Mastodon and via email to help with
wildcard certificates, and I've come to the conclusion that the process
of acquiring a wildcard certificate is too complicated for even the
sophisticated user (e.g. me), and I want no part of it.
- Added an "About" section: I realized I like to see who's behind a
service, so why not return the favor?
- Added two new related services, ipq.co and afraid.org.
- Removed broken links (xip.io)
- Consolidated the section about Sam Stephenson inspiring sslip.io
- Freshened the download link to run your own server 3.2.7 -> 5.0.0
- Freshened the output in the "Experimental Features" section
- Removed the alert to "disable indexing"; that was to accommodate Morty
Feldman, but he hasn't swatted a mirror site in over a year, so I think
he's lost interest. And I certainly don't care enough to swat mirror
sites on my own.
I'm tired of people raising GitHub issues asking me to unblock them. "I
can't unblock; you've received a takedown notice. Don't be so cheap: buy
your own domain for $3 instead of freeloading off sslip.io / nip.io and
asking me to cover for your inability to properly secure your WordPress
site."
This commit addresses that by updating the "blocked site" web page to no
longer include the suggestion to raise a GitHub issue.
Sometimes Google AI and Brave browser will misinform users about
sslip.io based on stale information from 2015, when we published the
private key to the sslip.io wildcard certificate. This stale information
includes stentorian warnings about the security of using sslip.io,
warnings which no longer apply.
This commit updates the homepage to let users know they can discount
those warnings from Brave/Google.
Note that stale information seems to have had no discernible effect on
the popularity of using Let's Encrypt TLS certificates for sslip.io
hostnames: just this week we hit our Let's Encrypt limits for the
umpteenth time (https://github.com/cunnie/sslip.io/issues/104).
Apparently 10,000 certificates wasn't enough. ;-)
[fixes #103]
When placating the linter, substituting `$CHILD_STATUS` for `$?`, I
broke the tests. The linter neglected to say that this substitution
needed a `require "English"`. This commit brings in "English".
This sort of linting is overreach in my opinion: `$?` is universal for
people who have coded bash scripts, and is easily learned for those who
haven't. `$CHILD_STATUS` is not universal, only meaningful for English
speakers, and has additional dependencies.
This is a learning experience: I shouldn't commit & push code that I
can't test because I'm on the train and their internet hijacks the DNS
service.
Thanks <https://github.com/rubocop/rubocop/issues/1747>
During our operational test which checks the health of our four
nameservers, 21/25 falsely failed, all due to difficulties reaching the
Singapore server. I'm sick of reading the emails that my checks have
failed, only to discover that it was false-positive.
Yes, in a sense I'm giving up on CI for the Singapore server for the
time being. Hopefully in the future I'll come up with a way to more
reliably test its healthiness.
No functional changes in this commit, merely cosmetic changes to mollify
the Ruby linter.
This code has but one Ruby file, and sometimes I regret even that one.
It helps to include the URL when requesting an unblock; otherwise
there's an extra back-and-forth.
https://github.com/cunnie/sslip.io/issues/101
Drive-by: reformatted using VS Code. It looks like a big change. It
isn't.
Previously hosts like `www.7f000001.usa.nip.io` would resolve to 127.0.0.1,
but the same hostname with dashes delimiting the hexadecimal notation
would not (e.g. `www-7f000001-usa.nip.io`).
This commit now allows dashes to delimit the hexadecimal notation. It
was a feature that some had asked for, but at the time I was worried
about breaking backwards compatibility. Also, some of their demands
rubbed me the wrong way: they seemed devoid of any sense of gratitude
for a free service, nor any sensitivity regarding Roopinder's death.
My regex was broken, and it didn't correctly identify the following
hostname lookups (real, actual hostname lookups):
- funprdmongo30-03.10.1.4.133.nip.io.
- olvm-engine-01.132.145.157.105.nip.io.
- wt32-ETh01-03.172.26.131.29.NIp.IO.
The problem? The leading zero. `funprdmongo30-03.10.1.4.133.nip.io.`
should've resolved to `10.1.4.133`, but the regex incorrectly matched it
as `03.10.1.4`, which isn't a valid IPv4 address according to Golang's
net library, so the hostname DNS resolution was incorrectly treated as
not having an A record.
With this commit, the regex is now fixed, though I must admit I have a
certain trepidation tinkering with the regex at the very core of
sslip.io.
- refactored a portion of the `NameToA()` function to another function,
`String2IPv4()`. `NameToA()` is now more readable.
- added simple fuzz test, but it wouldn't have discovered the problem.
- added a helper method for the fuzz test, `RandomIPv4String()`, and
bumped `math/rand` to `math/rand/v2` along the way.
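The two hostname forms discussed above (a dash- or dot-delimited hex label, and a dotted quad preceded by a label with a leading zero such as `03`) handled in one added example; this is not the project's `NameToA()`/`String2IPv4()` code. Instead of a single regex it splits the name into labels and slides a four-label window, so `03.10.1.4` is rejected on its own and the overlapping `10.1.4.133` is still found; the "first valid window wins" rule is an assumption of the example.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// An octet is "0" or 1-3 digits without a leading zero: Go's net library
// rejects "03", which is why "03.10.1.4" must never be the chosen match.
var octetRe = regexp.MustCompile(`^(0|[1-9][0-9]{0,2})$`)

// Eight hex digits in a single label, e.g. "7f000001" for 127.0.0.1.
var hexRe = regexp.MustCompile(`^[0-9a-f]{8}$`)

func isOctet(label string) bool {
	if !octetRe.MatchString(label) {
		return false
	}
	n, _ := strconv.Atoi(label)
	return n <= 255
}

// HostnameToIPv4 returns the first IPv4 address embedded in host.
func HostnameToIPv4(host string) (string, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, ".")) // DNS names are case-insensitive
	labels := strings.FieldsFunc(host, func(r rune) bool { return r == '.' || r == '-' })
	// Dotted quad: a window containing "03" fails and the scan moves on to
	// the overlapping "10.1.4.133", which a non-overlapping regex would skip.
	for i := 0; i+4 <= len(labels); i++ {
		w := labels[i : i+4]
		if isOctet(w[0]) && isOctet(w[1]) && isOctet(w[2]) && isOctet(w[3]) {
			return strings.Join(w, "."), true
		}
	}
	// Hex form: since we split on both "." and "-", the delimiter no longer matters.
	for _, l := range labels {
		if hexRe.MatchString(l) {
			b, _ := hex.DecodeString(l)
			return fmt.Sprintf("%d.%d.%d.%d", b[0], b[1], b[2], b[3]), true
		}
	}
	return "", false
}

func main() {
	for _, h := range []string{"funprdmongo30-03.10.1.4.133.nip.io.", "www-7f000001-usa.nip.io"} {
		ip, ok := HostnameToIPv4(h)
		fmt.Println(h, "->", ip, ok)
	}
}
```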
From @brakhane:
> While the recent release sets the SPF policy to fail, it might not be
enough to deter spammers, as some services might still deliver mail that
fails the check if no DMARC policy is set.
With this commit, we set DMARC TXT records for both nip.io and
sslip.io, e.g.
```
dig txt _dmarc.nip.io. +short
```
results in
```
"v=DMARC1; p=reject"
```
By the way, this is identical to google.com's DMARC record with the
exception of reporting (`rua=...`). We dispense with reporting. I don't
have time to read DMARC reports.
[fixes #99]
Previously we blocked by CIDRs, not IPs, but that was flawed: of the 746
CIDRs, 744 of them were /32 — in other words, IP addresses. And matching
CIDRs is computationally expensive: consuming 4.8% of the CPU for each
query.
We switched to a string-indexed map instead to accelerate matching.
- Fivefold increase in blocklist lookup speed, dropping from consuming
4.8% of the CPU to 0.96%
- Added a new member, `xip.BlocklistIPs`
- All blocked sites are IPv4. I have never gotten a takedown for an IPv6
site
- I wanted to maintain backwards-compatibility with my blocklist file; I
didn't want to be forced to coordinate updating that simultaneously
with a deploy of this code, hence the automated "/32" conversion from
a CIDR to an IP address
- I cleaned up the test blocklist file (`blocklist-test.txt`); it's
easier to read & understand
- I added profiling from before, `profile/cpu-cidr.prof`, and after,
`profile/cpu-ip.prof`, the change.
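The map-based blocklist described above as an added example (not the project's `xip.BlocklistIPs` implementation): exact addresses go into a string-indexed map, a `/32` CIDR in the existing file is folded into that map automatically, and only genuine ranges are kept for the slower `Contains` scan. The blocklist text and addresses are constructed for the example.

```go
package main

import (
	"bufio"
	"net"
	"strings"
)
// Blocklist keeps exact addresses in a string-indexed map (one hash lookup) and only genuine ranges in a slice.
type Blocklist struct {
	IPs   map[string]struct{}
	CIDRs []*net.IPNet
}
// ParseBlocklist reads one address or CIDR per line ("#" starts a comment). A /32 (or /128)
// CIDR is folded into the map, so a CIDR-only blocklist file keeps working without a coordinated edit.
func ParseBlocklist(text string) (*Blocklist, error) {
	bl := &Blocklist{IPs: map[string]struct{}{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#")
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		if ip := net.ParseIP(line); ip != nil { // bare address
			bl.IPs[ip.String()] = struct{}{} // String() normalises the map key
			continue
		}
		_, ipnet, err := net.ParseCIDR(line) // anything else must be a CIDR
		if err != nil {
			return nil, err
		}
		if ones, bits := ipnet.Mask.Size(); ones == bits {
			bl.IPs[ipnet.IP.String()] = struct{}{} // a /32 is just an IP address
		} else {
			bl.CIDRs = append(bl.CIDRs, ipnet)
		}
	}
	return bl, sc.Err()
}
// Blocked is the hot path: one map lookup, then the handful of real ranges.
func (bl *Blocklist) Blocked(ip net.IP) bool {
	if _, ok := bl.IPs[ip.String()]; ok {
		return true
	}
	for _, n := range bl.CIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```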
We've been added to the Spamhaus Domain Blocklist (DBL):
<https://check.spamhaus.org/results/?query=sslip.io>
This commit tightens the SPF (Sender Policy Framework) from a soft-fail
("~all") to a hard-fail ("-all").
From: Namecheap Legal & Abuse Team <legalandabuse@namecheap.com>
We have recently received some reports indicating that there might be unsolicited email activity associated with your domain. The following domain registered under your Namecheap account has been flagged by anti-spam organizations:
The Spamhaus Project Ltd. DBL:
sslip.io
Surprisingly, nip.io didn't have a problem.
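A check that combines the two mail-policy changes above (the SPF `~all` to `-all` tightening in this commit and the `v=DMARC1; p=reject` record in the DMARC commit), as an added example rather than anything from the project: it parses both TXT records and, following @brakhane's point that an SPF fail alone may not stop delivery, only reports a domain as hardened when SPF is `-all` and a DMARC policy of reject or quarantine is present. The sample record strings are constructed.

```go
package main

import "strings"

// MailPolicy is what a domain's SPF and DMARC TXT records tell a receiver
// about mail from senders the domain never authorised.
type MailPolicy struct {
	SPFAll string // qualifier on SPF "all": "-" fail, "~" softfail, "?" neutral, "+" pass, "" no record
	DMARC  string // DMARC p= tag: "reject", "quarantine", "none", or "" when absent
}

// spfAllQualifier returns the qualifier of the terminal "all" mechanism.
func spfAllQualifier(txt string) string {
	if !strings.HasPrefix(txt, "v=spf1") {
		return ""
	}
	for _, term := range strings.Fields(txt)[1:] {
		q := "+" // RFC 7208: a mechanism with no qualifier means "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			q, term = term[:1], term[1:]
		}
		if strings.EqualFold(term, "all") {
			return q
		}
	}
	return "?" // no "all" term: unmatched senders evaluate to neutral
}

// dmarcPolicy returns the p= tag of a "v=DMARC1; ..." record ("" if none).
func dmarcPolicy(txt string) string {
	if !strings.HasPrefix(strings.ToLower(txt), "v=dmarc1") {
		return ""
	}
	for _, tag := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(tag), "="); ok && strings.EqualFold(k, "p") {
			return strings.ToLower(strings.TrimSpace(v))
		}
	}
	return "" // p= is mandatory, so a record without it is not a usable policy
}

// Assess reports both settings and whether the pair rejects unauthorised
// senders; requiring both is this example's reading of the commit discussion.
func Assess(spfTxt, dmarcTxt string) (MailPolicy, bool) {
	p := MailPolicy{SPFAll: spfAllQualifier(spfTxt), DMARC: dmarcPolicy(dmarcTxt)}
	hardened := p.SPFAll == "-" && (p.DMARC == "reject" || p.DMARC == "quarantine")
	return p, hardened
}
```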
I'd like to keep the nameservers fresh, and this commit incorporates
`apt-get update` in the procedure to update the sslip.io nameserver
because I'll be rebooting the servers anyway (rebooting is key because
I'd like the updated kernel to match the running kernel).
Our commit history is cluttered with blocking sites due to takedown
notices. It's unseemly, so we've created a new repo,
<https://github.com/cunnie/sslip.io-blocklist>, to be used exclusively
for blocking phishers, scammers, and grifters.
The documentation on how to procure a wildcard certificate had gotten
overly-complicated and stale, the Docker image, old, and the code, even
older.
Perhaps more importantly I couldn't bring myself to care whether people
could procure a wildcard certificate.
Signed-off-by: Brian Cunnie <brian.cunnie@gmail.com>
Bug: my self-hosted GitHub Actions experiences failures when files owned by root are
introduced in the runner user's homedir. I'm not sure how they're introduced because
runner doesn't have sudo access, but this ugly workaround will prevent the problem
from getting too bad.
Fixes, from GitHub Actions: <https://github.com/cunnie/sslip.io/actions/runs/16803947661/job/47591559499>
```
Error: File was unable to be removed Error: EACCES: permission denied, rmdir '/home/runner/actions-runner/_work/sslip.io/sslip.io/.github/workflows'
```
Now that our GitHub Actions workflow is functional, let's brag about how
many queries / second we're handling by displaying the badge at the top
of the README and of the web page.
Claude assures me this will fix the problem. Really.
Fixes, when running GitHub Action:
```
Deploy to gist
[INFO] Action failed with "Error: ENOENT: no such file or directory, open '/home/runner/actions-runner/_work/sslip.io/sslip.io/tmp/qps.json'"
```
The number of queries per second we handle is simply ginormous (> 20k!),
and I'd like to be able to communicate that to the user via a badge.
This commit has a GitHub Actions workflow that kicks off every six
hours to gather the current queries per second and create a JSON file
which is pushed to a gist which is used to create a shields.io badge.
Note: I'd normally test the Actions before I pushed, but it seemed
overly-complicated and brittle. So I'm taking the YOLO (you only live
once) approach, and pushing and hoping it works.
- some of the examples to use "nip.io" instead of "sslip.io". I like
"nip.io" better; it's shorter
- The examples that previously used "jammy" now use "noble"; "jammy" is
no longer the latest Ubuntu "Long Term Support" (LTS) release
Default PTR record domain has changed from "sslip.io" to "nip.io".
For example, `dig -x 127.0.0.1 @ns.nip.io` previously returned
`127-0-0-1.sslip.io.`, now returns `127-0-0-1.nip.io.`
Previously, the PTR domain was hard-coded to `sslip.io.`, but this
commit introduces two changes:
- the default PTR domain is now `nip.io.`. Hey, it's shorter.
- the PTR domain can now be set with the `-ptr-domain` flag, e.g. `go
run main.go -ptr-domain=xip.example.com` and then querying `dig -x
169.254.169.254` would return `169-254-169-254.xip.example.com.`
Notes:
- Our new flag, `-ptr-domain`, follows the kebab-case convention of
Golang flags, but this is inconsistent with our previous camelCase
convention, e.g. `-blocklistURL`. We didn't know any better, and it's
too late to change existing flags.
- removed two commented-out `panic()` calls whose purpose has long since been
forgotten
- I don't feel bad about changing the default behavior because hardly
anyone uses PTR lookups. Out of 12,773,617,290 queries, only 1564 were
PTR records (0.000012%)!
- In that vein, I acknowledge that this is a feature that no one's
clamoring for, no one will use, but it's important to me for reasons
that I don't fully understand.
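The reverse-lookup behaviour described above as an added example, not the project's own PTR code: `dig -x 169.254.169.254` arrives at the server as the qname `254.169.254.169.in-addr.arpa.`, and the function below turns that back into the dash-delimited name under a configurable PTR domain, rejecting partial reverse zones and malformed octets. The domain values follow the commit (`nip.io.` default, `xip.example.com` from the flag example).

```go
package main

import (
	"net"
	"strings"
)

// PTRName answers an IPv4 reverse lookup. qname is the in-addr.arpa name from
// the query; ptrDomain is the configurable suffix (the commit's -ptr-domain).
func PTRName(qname, ptrDomain string) (string, bool) {
	const suffix = ".in-addr.arpa."
	q := strings.ToLower(qname)
	if !strings.HasSuffix(q, suffix) {
		return "", false
	}
	octets := strings.Split(strings.TrimSuffix(q, suffix), ".")
	if len(octets) != 4 {
		return "", false // a partial zone such as a /24 has no host to answer for
	}
	// The reverse zone lists octets least-significant first; restore the order.
	for i, j := 0, 3; i < j; i, j = i+1, j-1 {
		octets[i], octets[j] = octets[j], octets[i]
	}
	ip := strings.Join(octets, ".")
	if net.ParseIP(ip) == nil {
		return "", false // e.g. an octet above 255
	}
	if !strings.HasSuffix(ptrDomain, ".") {
		ptrDomain += "." // always answer with a fully qualified name
	}
	return strings.ReplaceAll(ip, ".", "-") + "." + ptrDomain, true
}
```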
When using the default addresses, the server would start with a warning
caused by an extra comma at the end of the last `-addresses` argument.
This commit removes that errant comma.
Fixes, when server starts:
```
-addresses: arguments should be in the format "host=ip", not ""
```
- Even though I don't use BOSH anymore, I couldn't change the image name
"fedora-golang-bosh" because it's used in too many places
- Bumped BOSH to the latest version
- reformatted via VS Code; it looks like everything has changed, but the
changes were actually minor
- Spent far too much time trying to get Powerlevel10k's gitstatusd
loaded during build instead of when the container was run, but I gave
up after several attempts
- replaced "fasd" with "autojump"
- deprecated the MAINTAINER directive in favor of the LABEL directive
We test our four production nameservers using `rspec`, and although that
worked fine when we used GitHub actions with a curated Ruby, it didn't
always work as well when running locally.
With this commit we introduce a Gemfile which has the necessary Ruby
dependencies, which makes it easier to run the tests locally.