# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific users twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 27
# self = https://watcher.sour.is/conv/cmttsmq
Cool! 😎 So I can now block ASN(s) 🤣 (_And I bet no-one noticed anything_)
@prologic what's ASN again?
@bender AS Number:

> An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.[1] Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end-user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).
@prologic can you give me an example of one ASN you have blocked? First time I heard of ASNs but, furthermore, blocking ASNs. It seems like they are *huge* blocks!
@bender Yes they are rather large 🤣 Here you go:


proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134

# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837

# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808

# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~#
@prologic cool! Looking forward to the README for https://git.mills.io/prologic/caddy-waf! :-) I will probably build that module on my Caddy!
The rate-limit one too (https://git.mills.io/prologic/caddy-ratelimit), for sure! Would the caddy-waf be:


$ xcaddy build --with git.mills.io/prologic/caddy-waf


Yes? Still, the README for a configuration example would be awesome!
So this should build caddy with both modules:


$ xcaddy build --with git.mills.io/prologic/caddy-ratelimit --with git.mills.io/prologic/caddy-waf


Right?
Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!


proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441
This is how I build my caddy:


proxy-1:~# cat build.caddy.sh
#!/bin/sh

xcaddy build \
	--with github.com/caddy-dns/cloudflare \
	--with github.com/caddyserver/cache-handler \
	--with git.mills.io/prologic/caddy-ratelimit \
	--with git.mills.io/prologic/caddy-waf
proxy-1:~#
I'll try to add a README for caddy-waf soon™ (_going back to bed now_), at least to document the customizations I've made to this WAF (_which I forked from caddy-coraza_)
Notably the custom operator @lookupASN
Note for reference I was trying to write and fix this rule (_fixed version below_):


# Ignore Content-Type restrictions for Git
# (CRS rule 920420 = "Request content type is not allowed by policy";
#  phase:1 so it runs before the request-body rules, nolog so the exception is not audited)
SecRule REQUEST_HEADERS:Host "@streq git.mills.io" "id:101,phase:1,t:none,nolog,ctl:ruleRemoveById=920420"
On a test I ran, with a static site that is a PWA, like this:


example.com {
	root * /web/example.com
	route / {
		rate_limit {path} 20r/m
		file_server
	}
}


It works (as rate limiting), but when the rate isn't reached, the page doesn't render. Not sure what could be going on.
Hmm, yeah, I am doing something wrong. The same is happening with any site to which I apply this.

Is there a reason you forked this from mholt? What was added, or changed? Your "Initial commit" throws an error.
@prologic i would be very interested in this as a caddy user who needs a WAF probably lol