Previously we blocked by CIDRs, not IPs, but that was flawed: of the 746
CIDRs, 744 of them were /32 — in other words, IP addresses. And matching
CIDRs is computationally expensive: consuming 4.8% of the CPU for each
query.
We switched to a string-indexed map instead to accelerate matching.
- Fivefold increase in blocklist lookup speed, dropping from consuming
4.8% of the CPU to 0.96%
- Added a new member, `xip.BlocklistIPs`
- All blocked sites are IPv4. I have never gotten a takedown for an IPv6
site
- I wanted to maintain backwards-compatibility with my blocklist file; I
didn't want to be forced to coordinate updating that simultaneously
with a deploy of this code, hence the automated "/32" conversion from
a CIDR to an IP address
- I cleaned up the test blocklist file (`blocklist-test.txt`); it's
easier to read & understand
- I added profiling from before, `profile/cpu-cidr.prof`, and after,
`profile/cpu-ip.prof`, the change.
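An added example, not code from the sslip.io repository, of the lookup change the commit message above describes: IPv4 `/32` entries become keys in a string-indexed map, and only genuine CIDRs are still matched by range. The names `Blocklist`, `ParseBlocklist` and `Blocked`, the one-entry-per-line format with `#` comments, and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Blocklist (hypothetical type): exact IPs in a map, the few real CIDRs in a slice.
type Blocklist struct {
	IPs   map[string]struct{}
	CIDRs []*net.IPNet
}

// ParseBlocklist reads one entry per line ("#" starts a comment; assumed format).
func ParseBlocklist(text string) (Blocklist, error) {
	bl := Blocklist{IPs: map[string]struct{}{}}
	for _, line := range strings.Split(text, "\n") {
		entry, _, _ := strings.Cut(line, "#")
		if entry = strings.TrimSpace(entry); entry == "" {
			continue
		}
		// An IPv4 "/32" is a single address: index it as an IP so old files still load.
		host := strings.TrimSuffix(entry, "/32")
		if ip := net.ParseIP(host); ip != nil && (host == entry || ip.To4() != nil) {
			bl.IPs[ip.String()] = struct{}{}
			continue
		}
		_, ipNet, err := net.ParseCIDR(entry)
		if err != nil {
			return bl, fmt.Errorf("bad blocklist entry %q: %w", entry, err)
		}
		bl.CIDRs = append(bl.CIDRs, ipNet)
	}
	return bl, nil
}

// Blocked does one map lookup, then scans the CIDR list only on a miss.
func (bl Blocklist) Blocked(ip net.IP) bool {
	_, hit := bl.IPs[ip.String()]
	for i := 0; !hit && i < len(bl.CIDRs); i++ {
		hit = bl.CIDRs[i].Contains(ip)
	}
	return hit
}

func main() {
	bl, err := ParseBlocklist("192.0.2.7/32\n198.51.100.9\n203.0.113.0/24\n") // constructed sample
	fmt.Println(len(bl.IPs), len(bl.CIDRs), bl.Blocked(net.ParseIP("192.0.2.7")), err)
}
```

An IPv6 entry ending in `/32` is deliberately left as a CIDR, since there it denotes a network rather than a single host.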
The documentation on how to procure a wildcard certificate had gotten
overly-complicated and stale, the Docker image, old, and the code, even
older.
Perhaps more importantly I couldn't bring myself to care whether people
could procure a wildcard certificate.
Signed-off-by: Brian Cunnie <brian.cunnie@gmail.com>
Now that our GitHub Actions workflow is functional, let's brag about how
many queries / second we're handling by displaying the badge at the top
of the README and of the web page.
- "nip.io" is in the title
- "wildcard" NS ns.nip.io is used in examples
- nip.io is used for special TXT queries (ip, version, metrics)
- bump Bootstrap v3.7.7 -> v5.3.7
- freshen metrics
- describe metric "Blocked"
`nip.io` is a better domain name, shorter and more apropos (the "ssl" of
"sslip.io" has long since lost its relevance), so I use more examples of
nip.io.
Signed-off-by: Brian Cunnie <brian.cunnie@gmail.com>
- the sslip.io favicon wasn't working, a side effect of switching away
from k8s. I now hard-code the favicon.ico to https://sslip.io so that
I don't need to copy it to all the mirrors
- the nip.io favicon wasn't working, I forgot to copy it from
Roopinder's site, so I'm using sslip.io's icon instead
- Similarly, I forgot to copy Roopinder's `app.css`; oh well, the
styling looks good enough
- remove `ie10-viewport..`; it 404'ed. Besides, who uses Windows 8?
- remove `starter-template.css`; I couldn't see any obvious difference,
and I'm a big fan of keeping things simple, including the minimum
number of files. Also, the comment about IE8 made no sense.
- got rid of the warning about deprecating ns-azure & ns-aws; they've
been gone for over six months. It wasted space & mind share
- moved the alert about indexing to the bottom; I never cared about
impostor sites, but accommodated Morty Feldman, and he appears to have
lost interest (his last PR was nine months ago, 2024-09-19)
- updated instructions for updating the website when rolling out new
releases
Prior to switching to GitHub actions, I used Concourse CI to run
continuous integration, but I didn't switch all the URLs over to GitHub
actions.
This commit fixes that by switching over the last two occurrences of
ci.nono.io.
- Include hexadecimal example. Use the nip.io domain name because those
are the users that want hexadecimal.
- Update the nip.io website to no longer mention that sslip.io doesn't
have hexadecimal notation. It has hexadecimal notation.
- Make nip.io more prominent in the sslip.io website. Heck, it's a
shorter domain name. A better domain name.
- Update that nip.io is incorporated into sslip.io
TODO: expand the
ns-ovh-sg, at $60/month, was an expensive experiment. I suspected the
traffic would be voluminous, matching ns-ovh. That wasn't the case: it
wasn't even a tenth of the traffic.
The Digital Ocean droplet costs ~$24/month, almost a third of the OVH
offering,
```
ns-do-sg.sslip.io
"Queries: 33781674 (641.4/s)"
ns-hetzner.sslip.io
"Queries: 89852958 (1716.1/s)"
ns-ovh.sslip.io
"Queries: 661406550 (12670.2/s)"
```
Rather than bury the Roopinder dedication in the third line, it's now its
own banner at the top, replacing the navbar which long ago lost its
purpose (a holdover when we had several pages).
I'm worried the traffic to my GCP server will cost me a hundred dollars
in bandwidth fees. It has a volume similar to my late AWS server which,
in its last month, racked up ~$130 in bandwidth fees!
I'm also trying to balance the servers more geographically: instead of
having two servers in the US and none in Asia, I'll have one server in
the US and one in Asia (Singapore).
The OVH server in Asia is expensive — $60/month instead of $20/month for
the OVH server in Warsaw. Also there's a monthly bandwidth cap in
Singapore in addition to the 300 Mbps cap.
I went with a dedicated server, similar to the one in Warsaw, but I took
the opportunity to upgrade it (same price):
- ns-ovh: KS-4: Intel Xeon-E3 1230 v6
- ns-ovh-sg: KS-5: Intel Xeon-E3 1270 v6
I'm hoping that by adding this server to Singapore, the traffic to the
ns-ovh, the Warsaw server, will lessen, and I won't get those "Anti-DDoS
protection enabled for IP address 51.75.53.19" emails every few days.
Current Queries per second:
- 4,087 ns-gce
- 1,131 ns-hetzner
- 7,183 ns-ovh
- ns-aws & ns-azure have been replaced by ns-hetzner & ns-ovh
- ns-azure has been completely destroyed (`terraform apply -destroy`);
the elastic IP has been released, so there's no hope of bringing it
back.
- ns-aws has been renamed to "blocked.sslip.io". It no longer answers
DNS queries, but lives on as the website we point "blocked" queries to
that warns about phishing.
- Some of the Markdown files' changes were mere reformatting changes
When using dig to determine the metrics of my servers, e.g. "dig txt
metrics.status.sslip.io @ns-ovh.sslip.io +short", one record looks
particularly heinous:
```
"Answer \226\137\165 1: 67974722 (651.9/s)"
```
It's supposed to look like this:
```
"Answer ≥ 1: 67974722 (651.9/s)"
```
`dig` doesn't handle Unicode well. So I'm replacing "Answer ≥ 1" with
"Answer > 0". No Unicode.
It was a worthy effort, but ultimately failed.
I've always been uncomfortable with the metric "Answered Queries" — it
implies that we don't answer all the queries. But we do answer all the
queries!
What the metric meant is "the number of DNS responses that we send that
have one or more records in the ANSWER section".
The new metric is "Answer ≥ 1". Not great, but better than before.
- remove the alert about not using the sslip.io nameservers as
general-purpose nameservers — I feel if they're looking at the page,
they already know enough not to use the nameservers as recursive
nameservers.
- deprecate ns-azure.
- extend the shutdown to 12/25 for ns-aws & ns-azure
- add a shoutout to Let's Encrypt
`tidy`, a UNIX-based HTML-formatter, has had its day in the sun, but
with the advent of VS Code, which I'll be using often to modify the
HTML, it makes more sense to format within the editor rather than in a
separate terminal window.
The torrent of traffic I'm receiving has caused my AWS bill to spike
from $9 to $148, all of the increase due to bandwidth charges.
I'm still maintaining ns-aws; the VM still continues to run, continues
to serve web traffic, and maintains its hostname and IP addresses;
however, it will no longer be in the list of NS records for sslip.io.
There are much less expensive hosting providers. OVH is my current
favorite.
- located in Warsaw, Poland
- IPv4: 51.75.53.19
- IPv6: 2001:41d0:602:2313::1
The crux of this is to take the load off ns-aws, which jumped from
$12.66 → $20.63 → $38.51 → $62.30 in the last four months due to
bandwidth charges exceeding 10 TB.
The real fix is to randomize the order in which the nameservers are
returned.
The sslip.io service has been abused by scammers and phishers who create
sites that masquerade as legitimate sites. For example,
<https://nf-43-134-66-67.sslip.io/sg> masqueraded as Netflix.
To combat this, we've undertaken to block all sites that masquerade as
legitimate sites, but this had the unfortunate consequence of ensnaring
a legitimate staging site (th-ab.de).
This commit assists developers by updating the documentation to warn
developers not to index their staging site.
[#53]
When we promoted the Golang code to the root of the repo, we neglected
to update the paths in the documentation, helper scripts, and pipelines.
This commit addresses that oversight by updating the paths.
The GKE cluster's IP address is now an ephemeral IP because otherwise
I'd have to pay $360 extra per year from a premium-tier load balancer.
I don't want my website to point to an ephemeral address that quickly
becomes stale, so I'm pointing from what previously was the GKE
cluster's address to the AWS's NS server's address.
From
<https://support.google.com/analytics/answer/10759417>:
> Google Analytics 4 is replacing Universal Analytics. On July 1, 2023
all standard Universal Analytics properties will stop processing new
hits.
I wonder if Google Analytics is worth the trouble.
- Move "Directory Structure" lower down--it's not terribly useful,
certainly less useful than the "DNS Server" section.
- Remove the "tidy" turd at the bottom of the page. It adds no value,
and I'm not sure how it got there in the first place.
- A specific section for flags such as `-nameservers`
- Add a section about running official Docker containers.
- get rid of the old, deprecated "faq" and "about" pages
[#21]
Also includes a gratuitous change to the HTML in order to trigger a
build.
Fixes <https://ci.nono.io/teams/main/pipelines/dockerfiles/jobs/build-and-push-sslip.io-nginx/builds/33>:
```
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c dnf install -y bind-utils iproute less lsof neovim net-tools nginx nmap-ncat procps-ng RUN mv /usr/share/nginx/html /usr/share/nginx/html-orig]: exit code: 1
```