@bender@twtxt.net AS Number:

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.[1] Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end-user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).

⤋ Read More

@bender@twtxt.net Yes they are rather large 🤣 Here you go:

proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134

# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837

# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808

# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~#

⤋ Read More

So this should build caddy with both modules:

$ xcaddy build --with git.mills.io/prologic/caddy-ratelimit --with  git.mills.io/prologic/caddy-waf

Right?

⤋ Read More

Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!

proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441

⤋ Read More

This is how I build my caddy:

proxy-1:~# cat build.caddy.sh
#!/bin/sh

xcaddy build \
	--with github.com/caddy-dns/cloudflare \
	--with github.com/caddyserver/cache-handler \
	--with git.mills.io/prologic/caddy-ratelimit \
	--with git.mills.io/prologic/caddy-waf
proxy-1:~#

⤋ Read More

I’ll try to add a README for caddy-waf soon™ (going back to bed now) at least document the customizations I’ve made to this WAF (which I forked from caddy-coraza)

⤋ Read More

Note for reference I was trying to write and fix this rule (fixed version below):

# Ignore Content-Type restrictions for Git
SecRule REQUEST_HEADERS:Host "@streq git.mills.io" "id:101,phase:1,t:none,nolog,ctl:ruleRemoveById=920420"

⤋ Read More

On a test I ran, with a static site that is a PWA, like this:

example.com {
        root * /web/example.com
        route / {
             rate_limit {path} 20r/m
             file_server
        }
}

It works (as limiting rate), but when rate isn’t reached, the page doesn’t render. Not sure what could be going on.

⤋ Read More

Hmm, yeah, I am doing something wrong. Same is happening with any site to which I apply the this.

Is there a reason you forked this from mholt? What was added, or changed? Your “Initial commit” throws an error.

⤋ Read More

Participate

Login to join in on this yarn.