Sorry, long long post. tl;dr: 2 default IPv6 routes with different metrics, set up
persistently on Debian.
I need a bit of advice concerning routing IPv6.
Here is the problem. I do quite a bit of travelling around and a lot of it
in SE Asia. I frequently find myself where the relevant ISP does not
provide IPv6 connectivity. Even here at home my connection will
occasionally change my address or I have to reboot the router and get a
different one. I do things over the net for which I want IPv6, but also for
DNS I need a stable fixed address.
So I have an additional /56 subnet allocated to my VPS. Over the years I
have tinkered with different VPN solutions to push these addresses down to
my home network. I have found a different solution which not only was easy
to set up, but works a dream except for one tiny issue.
The /56 has been added to eth0 of my VPS. I am running WireGuard and have
set up interface wg0, to which I route a /60 subnet, <bitfolk
prefix>:e10::/60. Packets hitting this are encrypted with the server key
and then encapsulated in IPv4 UDP packets and sent to the wg0 interface on
my home machine, decrypted and, if they meet the criteria, moved through the
firewall etc. Sending out it is the same in reverse, encryption being via the
client keypair. The client wg0 has subnet <bitfolk prefix>:e10::2/64, the
server only accepting packets from this range and properly encrypted.
Now here comes the problem. It is the default route issue. All that I read
says that you cannot have 2 default routes in the same table. I have looked
at a variety of solutions but find none except the one everyone seems to
say is impossible but which works. I set the route

  ip -6 route add ::0/0 dev wg0 metric 512

Note the metric 512. The autoconfigured one has a metric of 1024, which
gives me

  ip -6 route
  default dev wg0 metric 512 pref medium
  default via fe80::42c7:29ff:fe26:78c9 dev enp3s0 proto ra metric 1024 expires 265sec mtu 1488 hoplimit 64 pref medium

When I have finished fiddling and checking I will change the wg0 route to
metric 2000 so that traffic will normally go through the main interface and
when that has no IPv6 connectivity or is playing up, the wg0 route will be
selected (I hope).
My 2 laptops, and Raspberry Pi will then be set up with their own wg1 etc
interfaces and will then have their own /64 subnets.
But when I try to get the route established automatically through the
WireGuard conf files or through PostUp I get the message "can't do it", as
there is already an autoconfigured default. So I am stuck at the moment
with adding it manually after every boot/reboot. Any suggestions please?
VPS running Debian Stretch. This box at home running Debian Buster.
The only answer I can think of at the mo is turn off autoconfig, but then I
lose this fallback mechanism and add difficulties with communicating with
mobile phone/router etc. Or I guess I could forget the fancy fallback idea
and just go through the VPS, but that could add a long delay when doing
ordinary surfing. IPv4 of course just goes out through the normal interface.
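To make the metric argument in the post concrete, here is an added example (not code from the original post). It parses `ip -6 route` output, picks the default route the kernel will actually use (the lowest metric), checks whether a given default entry is already present, and builds the `ip -6 route replace` form of the command for a PostUp line, which does not fail when an identical entry already exists. The route lines are constructed from the output quoted in the post; the prefix 2001:db8:e10::/64 stands in for the poster's "<bitfolk prefix>:e10::/64", the metric 2000 is the value the post says it will switch to, and the "RA expired" table is a constructed scenario, so all three are assumptions. Whether the `replace` form also clears the error the post sees from PostUp on that particular box is not something the post establishes.

```python
"""Added example, not code from the original post: parse `ip -6 route`
output, find the active default route, and build an idempotent PostUp
command. Sample route tables below are constructed from the post."""

# Constructed sample: the two default routes quoted in the post (wg0 already
# moved to metric 2000 as the poster intends), plus the connected wg0 prefix.
# 2001:db8:e10::/64 is a stand-in for "<bitfolk prefix>:e10::/64" (assumption).
ROUTES_NORMAL = """\
default dev wg0 metric 2000 pref medium
default via fe80::42c7:29ff:fe26:78c9 dev enp3s0 proto ra metric 1024 expires 265sec mtu 1488 hoplimit 64 pref medium
2001:db8:e10::/64 dev wg0 proto kernel metric 256 pref medium
"""

# Constructed scenario: the router stopped sending RAs, the proto-ra default
# has expired and been removed, only the WireGuard default is left.
ROUTES_RA_EXPIRED = """\
default dev wg0 metric 2000 pref medium
2001:db8:e10::/64 dev wg0 proto kernel metric 256 pref medium
"""

# Metric the Linux kernel gives an IPv6 route added without an explicit one.
DEFAULT_IPV6_METRIC = 1024


def parse_routes(text):
    """Turn `ip -6 route` lines into dicts with dst, dev, via, proto, metric."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        route = {"dst": words[0], "dev": None, "via": None,
                 "proto": None, "metric": DEFAULT_IPV6_METRIC}
        # Walk "key value" pairs; the last word can never be a key.
        for i, word in enumerate(words[1:-1], start=1):
            if word in ("dev", "via", "proto"):
                route[word] = words[i + 1]
            elif word == "metric":
                route["metric"] = int(words[i + 1])
        routes.append(route)
    return routes


def active_default(routes):
    """The ::/0 entry with the lowest metric, or None if there is none.

    Default routes that differ only in metric are separate table entries,
    which is why the two-default-route setup in the post works: the kernel
    just prefers the lower metric while it exists.
    """
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        return None
    return min(defaults, key=lambda r: r["metric"])


def has_default(routes, dev, metric):
    """True if a ::/0 entry via `dev` with exactly this metric is present."""
    return any(r["dst"] == "default" and r["dev"] == dev and r["metric"] == metric
               for r in routes)


def postup_command(dev, metric):
    """Command for a PostUp line. `ip route replace` succeeds whether or not
    an identical entry exists, and leaves the RA-learned default alone because
    that one has a different metric and so is a different entry."""
    return f"ip -6 route replace ::/0 dev {dev} metric {metric}"


if __name__ == "__main__":
    for label, text in (("normal", ROUTES_NORMAL), ("RA expired", ROUTES_RA_EXPIRED)):
        best = active_default(parse_routes(text))
        print(f"{label}: IPv6 leaves via {best['dev']} (metric {best['metric']})")
    print("PostUp =", postup_command("wg0", 2000))
```

In a wg-quick config the same command goes on a `PostUp` line (wg-quick substitutes `%i` for the interface name), with a matching `ip -6 route del ::/0 dev %i metric 2000` on `PostDown` so the entry disappears with the tunnel.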
Hi Andy,
On 2019-07-01 09:58, Andy Smith wrote:
> Hi Jess,
>
> On Mon, Jul 01, 2019 at 10:39:23AM +0100, Jess Robinson wrote:
> > I eventually realised that the main bitfolk.com itself is sending
> > hsts-required headers, and including all subdomains, which seems
> > to trigger regardless of port :( Removing bitfolk.com fixed it for
> > now, though presumably it will return if I visit the toplevel site
> > again.
>
> TL;DR: Use example.vps.bitfolk.space.
Aha! Do you need to add that for me? (didn't Just Work (tm))
> When I first started putting customers who did not have a domain of
> their own under vps.bitfolk.com, I only ever thought that this would
> be a short term arrangement for them. I didn't (and still don't)
> really understand how anyone who would use a VPS would exist without
> at least one domain name of their own.
>
> However, subsequent experience taught me that such people do exist,
> in quite a number. It is perhaps not that they don't HAVE a domain
> name, but that they do not wish to ADVERTISE any particular domain
> name.
>
> I still don't understand it, but I accept that people keep wanting
> to do this.
Heh well, in the general case of actually deploying websites etc, I'd agree. In this particular case I'm using my VPS as a development box, cos it's Debian based, and sometimes easier to install stuff on than my desktop (which is Gentoo).
> Use of example.vps.bitfolk.com has a few different issues, such as
> (non-exhaustive list):
>
> - Makes you subject to BitFolk's HSTS policy as you pointed out
>
> - May in future make you subject to Content Security Policy:
> https://www.w3.org/TR/CSP3/
>
> (bitfolk.com and panel.bitfolk.com have one but I don't think they
> enforce it on subdomains at present)
>
> - Cross-domain leaking of cookies from .bitfolk.com to sub-domains.
>
> - Impossible for the customer to add extra DNS records like CNAME,
> MX, AAAA, SRV, TXT or anything that might be generally useful in
> one's own domain.
>
> HSTS is the real killer so far, so in January we introduced
> the domain bitfolk.space and started putting customers who didn't
> have a preference into vps.bitfolk.space instead, copying over all
> existing records from under vps.bitfolk.com.
>
> We aren't going to enforce HSTS or anything like that on
> bitfolk.space. At some point we will deprecate vps.bitfolk.com. I
> still do not recommend long-term use of host names under
> vps.bitfolk.space.
>
> HSTS etc won't be removed from bitfolk.com. It was a bad idea to
> ever put customer stuff inside bitfolk.com.
Aye, live and learn! Could you move jandj.vps.bitfolk.com over to .space please? (or do I need to email via the official support address for that..)
Jess
Yesterday I spent several hours trying to figure out why a dev website I am running on my bitfolk VPS under a non-standard port kept failing to load in my main browser: every time I visited it using http:// it kept directly requesting an https:// page, which doesn't exist.
I twigged fairly early (cos internet searchings) that it was probably
something HSTS related
(https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/) ..
but no amount of removing "jandj.vps.bitfolk.com" or
"jandj.vps.bitfolk.com:8002" from HSTS (vivaldi://net-internals/#hsts) was doing anything.
I eventually realised that the main bitfolk.com itself is sending hsts-required headers, and including all subdomains, which seems to trigger regardless of port :( Removing bitfolk.com fixed it for now, though presumably it will return if I visit the toplevel site again.
Any ideas if this can be worked around? (other than the obvious buy another domain / use one of my other ones temporarily)
Jess
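The behaviour Jess ran into, and Andy's explanation of it, follow from how a browser matches its stored HSTS policies (RFC 6797). The following added example, not code from the thread or from BitFolk, models just that part: a policy for bitfolk.com with includeSubDomains covers every subdomain, the match is on the host name alone so the port plays no role, and the upgrade keeps a non-80 port. The policy store, the URLs and the port 8002 are taken from the thread; the store layout and function names are this example's own assumptions.

```python
"""Added example, not part of the original thread: a minimal model of HSTS
host matching and URL upgrading as described in RFC 6797, using a constructed
policy store shaped like what a browser keeps after seeing a
Strict-Transport-Security header over HTTPS."""
from urllib.parse import urlsplit, urlunsplit

# Constructed store of known HSTS hosts: host -> includeSubDomains flag.
# The bitfolk.com entry is what the thread reports (HSTS, all subdomains).
POLICIES = {
    "bitfolk.com": True,
}


def hsts_applies(policies, host):
    """True if `host` is a known HSTS host, or a subdomain of one whose
    policy carries includeSubDomains (RFC 6797 superdomain match).
    Only the host name takes part; ports are never compared."""
    host = host.lower().rstrip(".")
    for known, include_subdomains in policies.items():
        if host == known:
            return True
        if include_subdomains and host.endswith("." + known):
            return True
    return False


def apply_hsts(policies, url):
    """Rewrite an http:// URL to https:// when a policy covers its host.

    RFC 6797 section 8.3: an explicit port 80 becomes 443 (written as no
    port); any other explicit port is preserved, which is why a site on
    :8002 is fetched as https://...:8002 although nothing speaks TLS there.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not hsts_applies(policies, parts.hostname):
        return url
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def forget_host(policies, host):
    """What deleting one entry on the browser's HSTS page does: only that
    exact host is dropped; a covering parent-domain policy stays in force."""
    policies.pop(host.lower().rstrip("."), None)


if __name__ == "__main__":
    for u in ("http://jandj.vps.bitfolk.com:8002/dev",
              "http://jandj.vps.bitfolk.com/",
              "http://example.vps.bitfolk.space/"):
        print(u, "->", apply_hsts(POLICIES, u))
```

Deleting `jandj.vps.bitfolk.com` or `jandj.vps.bitfolk.com:8002` from the store changes nothing because those names were never stored; the match comes from the `bitfolk.com` entry, and that entry is re-learned the next time the top-level site is visited over HTTPS. A name under a domain with no HSTS policy, such as vps.bitfolk.space, is simply not matched.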