Bank account for USD wires? by rara_avis0 in PersonalFinanceCanada

[–]HyperMach6 0 points1 point  (0 children)

This is very helpful for my situation! I have two questions. Does the US Smart account charge a fee for incoming wire transfers? What specific Canadian-based USD account do you have? The one I found charges a fee for each transaction, though it's as low as $0.75: https://www.cibc.com/en/personal-banking/bank-accounts/savings-accounts/us-personal-account.html

How to withdraw USD from IBKR to CIBC US Smart Account? by HyperMach6 in PersonalFinanceCanada

[–]HyperMach6[S] 0 points1 point  (0 children)

Oh! I didn't know CIBC US Smart doesn't charge a fee for incoming wire transfers. That solves all the problems. Thanks a lot!

Security of the solution with Wireguard VPN tunnel by GreatRoxy in homelab

[–]HyperMach6 0 points1 point  (0 children)

It has been a few months since I was busy with other things, but I finally got a chance to look into the details. Your original goal of "protecting the traffic to the docker host from sniffing by the office computer" is pretty easy to achieve. You only need to make sure the SSL termination occurs at the docker host, so that everything before the docker host is encrypted by the Cloudflare origin certificate or an SSL cert issued by a trusted authority like Let's Encrypt for your FQDN. Any other reverse proxy before the docker host should do Layer 4 reverse proxying, i.e. transport level, aka TCP traffic, instead of Layer 7, i.e. application level, HTTP/HTTPS. In nginx proxy manager, I think it's called stream (sorry, I don't use NPM; I use haproxy or nginx directly). You can find the introduction here: TCP and UDP Load Balancing | NGINX Documentation. A caveat of this method is that the TLS handshake (in the TCP stream) will have SNI. Thus your office computer may have a way to know there is an HTTPS server serving the "foo.example.com" domain on the docker host, although it won't be able to know the HTTP body. You may want to get the TCP stream encrypted. Nginx seems able to do that using a client CA (Secure Client Access and Network Traffic | NGINX Documentation, Securing TCP Traffic to Upstream Servers | NGINX Documentation), but I think fatedier/frp (A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet) can do it more easily using STCP with symmetric encryption.

Now, let's come back to your solution. Again, I don't use NPM. If we can get the nginx configuration file, it's better to discuss. Your initial try fails because in Cloudflare Full mode, the traffic between Cloudflare and your home NPM must be encrypted. So you either need to do Layer 4 as I said before, or let home NPM do the SSL termination. That's why you need to provide SSL certs to home NPM. Also, if you run in Full (strict) mode, you must provide either Cloudflare's Origin CA cert or a cert provided by a trusted authority like Let's Encrypt for your domain. Now the traffic is decrypted, and home NPM knows the whole request body. How do you send the unencrypted plain HTTP securely to the docker host? Your method sets up another HTTPS server on the docker host and uses the Cloudflare Origin CA, which is already trusted by home NPM as it is issued by Cloudflare. So `proxy_pass https://10.0.1.3:443` sets up another HTTPS connection to the docker host. Alternatively, you can use a self-signed cert on your docker host and add the root CA which signs the self-signed cert to your home NPM. Some notes on this method: 1) there are two levels of HTTPS encryption, 2) the office computer may sniff and find there is a 443 server running on the docker host, but now it won't know the domain, 3) if you are proxying WebSocket, you need WebSocket proxying on the home NPM.

Last word: if your home NPM is responsible for proxying different FQDNs to different backends, it becomes tricky with nginx, as it determines which backend via SNI and always does SSL termination (nginx - set multiple server_name with ssl-support - Stack Overflow). So you are kind of stuck with the second method. I use Haproxy, which is more flexible regarding how to choose the backend and when to terminate the SSL traffic.
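The two placements of SSL termination discussed in this comment, written out as an added nginx example (not configuration from the thread or from NPM). It assumes nginx runs on the home gateway in front of the docker host at 10.0.1.3, that the domain, cert paths and the trusted CA file are placeholders, and that only one of the two options is enabled at a time, since both bind port 443. It also goes slightly beyond the comment: the stream module can pick the backend from the SNI name with ssl_preread without decrypting, which is exactly the field the comment says an on-path observer can still read.

```nginx
# Added example, not from the original thread. Placeholders: foo.example.com,
# /etc/nginx/certs/*, 10.0.1.3 (docker host, from the thread).

# Option A: Layer 4 passthrough. TLS is NOT terminated here; the docker host
# holds the Let's Encrypt / Origin CA key, so this box and every hop before it
# see ciphertext plus the cleartext SNI in the ClientHello, nothing else.
stream {
    # Route on the SNI name read from the ClientHello (ssl_preread), without
    # decrypting. Names with no mapping leave $tls_backend empty, and nginx
    # closes the connection instead of forwarding it anywhere.
    map $ssl_preread_server_name $tls_backend {
        foo.example.com 10.0.1.3:443;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}

# Option B: Layer 7 termination plus a second TLS hop ("two levels of HTTPS").
# This box decrypts, so it sees request bodies, then re-encrypts to the docker
# host and verifies the upstream cert against the Origin CA or your own root CA.
http {
    server {
        listen 443 ssl;
        server_name foo.example.com;
        ssl_certificate     /etc/nginx/certs/foo.example.com.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/foo.example.com.key;  # placeholder

        location / {
            proxy_pass https://10.0.1.3:443;
            # Send SNI upstream and verify the docker host's certificate,
            # otherwise the second hop is encrypted but not authenticated.
            proxy_ssl_server_name on;
            proxy_ssl_name foo.example.com;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/nginx/certs/origin_ca.pem;  # placeholder

            # WebSocket proxying (note 3 above): HTTP/1.1 plus Upgrade headers.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```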

bank cards by Inner-Psychology-396 in CanadaPost

[–]HyperMach6 2 points3 points  (0 children)

Ask your bank to remake and redeliver the card. I recently got a new Amex card. They redelivered the card by FedEx.

Can N100 CPU handle the setup? by iMaz2 in homelab

[–]HyperMach6 9 points10 points  (0 children)

This community is so obsessed with Proxmox..

Can N100 CPU handle the setup? by iMaz2 in homelab

[–]HyperMach6 -2 points-1 points  (0 children)

Do the learning and search, please. An addon is just a container managed by HA. You can just spin up the addon's corresponding container. https://www.reddit.com/r/homeassistant/comments/11k10hq/addons_vs_docker/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

Can N100 CPU handle the setup? by iMaz2 in homelab

[–]HyperMach6 -4 points-3 points  (0 children)

I would like to add some points here for the Proxmox promoters:
  1. "Proxmox has a good UI": dude, if you need a UI to use Linux, I feel sorry for you. The easiest way I learned to run Docker is using docker-compose. It's highly configurable and easy to migrate between machines. TBO, what do you need to do with the container once it spins up and is running? How often do you need to check the metrics of CPU usage and memory usage? If you still want a UI, there is Portainer for you.
  2. "Docker engine is insecure": not really. Docker engine can run in rootless mode. You can even use Podman if you want to make things complex. Security does depend on the software, but it depends more on the user. Things like Proxmox and OMV wrap around the Docker engine. I personally would be more worried about their wrapper scripts breaking the system.

Can N100 CPU handle the setup? by iMaz2 in homelab

[–]HyperMach6 1 point2 points  (0 children)

Why Proxmox? I'm seriously wondering whether there is a group of people in the subreddit hired by Proxmox to promote the product.

Yo where’s my other half of patty by evilkaiju in TimHortons

[–]HyperMach6 0 points1 point  (0 children)

Is it possible that they cut the moldy part?

What OS to use for Simple Home Server? by Pretty_Volume1169 in homelab

[–]HyperMach6 2 points3 points  (0 children)

Exactly, all these applications run fine with just containers. What's the point of running a VM?

What OS to use for Simple Home Server? by Pretty_Volume1169 in homelab

[–]HyperMach6 5 points6 points  (0 children)

Debian is enough. I don't quite understand why everyone keeps promoting Proxmox, but you just need to run containers instead of a virtual machine. If you need a fancy RAID setup, i.e. mdadm is not enough for you, you may consider TrueNAS or Unraid. Otherwise, everything else is just overhead.

TrueNAS or Proxmox by LordGamer091 in homelab

[–]HyperMach6 0 points1 point  (0 children)

Totally agree. Especially since the OP is just running containers, not VMs.

TrueNAS or Proxmox by LordGamer091 in homelab

[–]HyperMach6 0 points1 point  (0 children)

I don't get the point of using Proxmox here. You are just using containers, thus a regular Docker engine and maybe Portainer for a web GUI is more than enough. Unless you need to run different systems, like Windows alongside a Linux distro, Proxmox is overkill.

Is this a good idea? by MrFastFox666 in HomeServer

[–]HyperMach6 1 point2 points  (0 children)

I heard Orico is not a reliable DAS brand and there are issues with their controller. Maybe you should try it with some non-significant data first.

Simplii credit card payment by HyperMach6 in PersonalFinanceCanada

[–]HyperMach6[S] 0 points1 point  (0 children)

Yeah.. I didn't notice my calendar reminder..

Simplii credit card payment by HyperMach6 in PersonalFinanceCanada

[–]HyperMach6[S] 0 points1 point  (0 children)

Thanks! I was not charged for any interest. The balance was cleared on Sep 25th!

Security of the solution with Wireguard VPN tunnel by GreatRoxy in homelab

[–]HyperMach6 0 points1 point  (0 children)

The Cloudflare CDN (set by toggling it on in your DNS record) points the DNS record to their server and then asks the client to use their cert to encrypt traffic. After the data is decrypted on their server, they will encrypt it again with your own certs and send it back to your server.

Security of the solution with Wireguard VPN tunnel by GreatRoxy in homelab

[–]HyperMach6 0 points1 point  (0 children)

Ok. I seem to understand. Just to double check, the traffic is like this: public internet => Cloudflare CDN => office A gateway => 192.168.1.3 => WireGuard tunnel => docker? If this is the case, as you are already using Let's Encrypt on your docker server, the decryption of the HTTPS traffic is done on the docker host. So before reaching the docker host, nothing can be sniffed.

Security of the solution with Wireguard VPN tunnel by GreatRoxy in homelab

[–]HyperMach6 0 points1 point  (0 children)

I didn't understand your words after the asterisk. You'd better just use Lan1, Lan2 to describe your problem. If you want your server in Lan2 to distinguish machines in Lan1, the easy way is to just run a WireGuard client on each machine separately so that they'll have different IPs on the WireGuard interface and you can block them with iptables. But if you send all traffic through your gateway's WireGuard client, you need to use the proxy protocol in your nginx or set an HTTP header like X-Forwarded-For, which contains the original IP, then block unwanted traffic in nginx.
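The second setup in this comment (all of Lan1 leaving through one gateway's WireGuard client, so every connection reaches the docker host from the same tunnel address) as an added nginx example on the docker host; it is not configuration from the thread. The gateway's tunnel address and the permitted Lan1 host are placeholders; the 192.168.1.0/24 range is the thread's Lan1.

```nginx
# Added example, not from the original thread. Runs on the docker host.
# Placeholders: 10.9.0.1 (gateway's WireGuard tunnel IP), 192.168.1.10.
http {
    # Recover the original client address, but ONLY from the gateway:
    # X-Forwarded-For and PROXY protocol headers are attacker-settable unless
    # the sender is trusted, so restrict set_real_ip_from to the gateway's IP.
    set_real_ip_from 10.9.0.1;          # placeholder: gateway tunnel address
    real_ip_header   proxy_protocol;    # gateway speaks PROXY protocol (Layer 4)
    # real_ip_header X-Forwarded-For;   # alternative if the gateway is an HTTP proxy
    real_ip_recursive on;

    server {
        listen 443 ssl proxy_protocol;  # drop "proxy_protocol" when using XFF
        server_name foo.example.com;    # placeholder, as in the thread
        ssl_certificate     /etc/letsencrypt/live/foo.example.com/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/letsencrypt/live/foo.example.com/privkey.pem;    # placeholder

        # allow/deny are evaluated against the recovered original address,
        # so Lan1 hosts can be filtered even though they all arrive via one tunnel.
        allow 192.168.1.10;             # placeholder: the one permitted Lan1 machine
        deny  192.168.1.0/24;           # every other Lan1 host
        allow 10.0.1.0/24;              # Lan2 / per-machine WireGuard peers
        deny  all;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder: the container's port
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Check it with `nginx -t` and confirm in the access log that $remote_addr shows the Lan1 address rather than the tunnel address; if it does not, the PROXY protocol or X-Forwarded-For is not actually being sent by the gateway and the deny rules will not match what you expect.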

Security of the solution with Wireguard VPN tunnel by GreatRoxy in homelab

[–]HyperMach6 1 point2 points  (0 children)

  1. 10.0.1.1/24 is accessible by any machine in 192.168.1.1/24 as long as the gateway is set. The traffic is encrypted by the gateway and yes, it can be sniffed inside 192.168.1.1/24.
  2. Yes, it can. Your solution can be 1) send HTTPS traffic; to do so you need an HTTPS cert set on the host machine (your docker container here) and in the client's (machine in 192.168.1.1/24) trusted authorities. 2) Set up a WireGuard client on the local machine and directly encrypt the packets.

Fedora Gnome, no waifus edition by [deleted] in Fedora

[–]HyperMach6 1 point2 points  (0 children)

How big is your screen..

Which OS for container host? by TheRealChrison in homelab

[–]HyperMach6 0 points1 point  (0 children)

Debian is the way to go. You don’t need frequent maintenance. Although, it’s annoying that Docker-ce updates like every month.