Stéphan Kochen
@stephank
All done, looks to be working fine. Will also try upgrading the production broker from 0.3.2 -> 0.3.5 later (not today).
Specifically wanted to upgrade because of the OpenSSL security release just now, and I think NixOS 20.03 was EOL already. :o
Plus, NixOS 20.09 hardened the nginx install, which is nice.
jestarray
@jestarray
are there any good self hosted versions of mailgun/postmark?
jestarray
@jestarray
also does anyone recommend what lightweight Rust (or C libraries) to make a POST request to the Portier server for authentication?
Stéphan Kochen
@stephank
@jestarray Mailgun/Postmark have fairly specific APIs; I’m not aware of any reimplementations. But you can use any SMTP server with Portier, so Postfix, Exim, etc all work. Running a mailserver is almost its own profession, though. 😅
It’d be cool if we could extract the Rust client code from the Portier broker itself into a separate crate, but right now, we don’t have any Rust or C client libraries, unfortunately.
Stéphan Kochen
@stephank
Should add: generic OpenID Connect clients should work, in theory. We’ve fixed some issues related to those in the past, so people have tried it. Hopefully successfully. 🙂 (Would be neat if we had some docs on this, like a cookbook of how to use different popular libraries.)
jestarray
@jestarray
@stephank i didn't realize setting up a mailserver would be so much of a pain in the ass lol... guess I'll just use mailgun or something then
Stéphan Kochen
@stephank
Yeah, it’s full of pitfalls. Configuring Postfix is okay, especially if you let Debian do it for you, but then there’s all the extra fluff like SPF, DKIM, reverse DNS and spamlist reputation. I think https://mailinabox.email/ could be the easiest way to run your own mailserver, because it helps with some of that stuff.
Stéphan Kochen
@stephank
The production broker is now on 0.3.5 :)
Stéphan Kochen
@stephank
A start for monitoring: https://prometheus.portier.io/
I think we can leave that open? If I read this correctly, untrusted access there is fine: https://prometheus.io/docs/operating/security/
Not really intuitive to query right now, there's no listing of metrics, I think? But it does have some exporters running and is scraping from them: https://prometheus.portier.io/targets
Also not sure what those errors there mean
Stéphan Kochen
@stephank
I also configured pushgateway because I plan on modifying autotest to push to prometheus (instead of managing its own files)
Plus I want to look at Grafana, and if that's useful on top of this
And obviously a /metrics for Portier broker itself. :)
Stéphan Kochen
@stephank
I guess you can do {job="nginx"} and see a list of everything it pulls out of nginx. Similarly, node and prometheus jobs are configured, but are worse examples (tons of metrics, apparently). :)
Stéphan Kochen
@stephank
Oh, the errors on prometheus /targets are already fixed, apparently: prometheus/prometheus#8358
onli
@onli
Up status, cpu used and how many connections are open could be important
Ideal would be something like "X logins processed the last Y minutes", no?
Stéphan Kochen
@stephank
Definitely, the metrics prometheus logs of itself include counters per route, per HTTP status code too: https://prometheus.portier.io/graph?g0.expr=%7Bjob%3D%22prometheus%22%7D&g0.tab=1&g0.stacked=0&g0.range_input=1h
There's already a prometheus crate, could be useful: https://docs.rs/prometheus
Stéphan Kochen
@stephank
Hmm, at least for my work gmail account, Google has now started showing an intermediate 'choose an account' screen for every Portier login.
I'm not sure, though, if we fail when someone selects an email different from their previous input to Portier.
(I only have one account to test)
onli
@onli
I recently did a change to Pipes so that the login is not permanent (because Sinatra dropped the session if someone used Chrome and I could not fix it).
I now had multiple reports of users that cannot log in at all
That might be related, but it doesn't have to be the same thing...

> I'm not sure, though, if we fail when someone selects an email different from their previous input to Portier.

Should depend on whether the portier client uses the nonce or the email to identify the login later

onli
@onli
Did you notice anything in that direction, that logins suddenly fail? Testing again now it works with the same account on some devices, but not on others, with the same browser version. It's frankly bizarre
onli
@onli
Hm, it seems to have been a Sinatra issue. To disable the rack protection :remote_token seemed unnecessary on my initial test devices after the cookie change, but now disabling it proved necessary again
No direct portier mistake
jestarray
@jestarray
does portier use mailgun?
onli
@onli
@jestarray Optionally, yes :)
Stéphan Kochen
@stephank
Oh, funny. Someone tried to log in with an address that autoreplies to unknown senders with a captcha. (Mailinblack, appears to be a French service or something.)
But that captcha is ending up in the staff mailbox, I think. Maybe we should blackhole the noreply address. Though, I wouldn’t have seen this if we did.
Also not sure if there’s a good way to deal with this kind of antispam mechanism. 🧐
Must be a common problem though? Lots of services send mail. No idea if this person completed the flow.
It was a pipes.digital login, btw. Maybe related to your report, @onli?
Stéphan Kochen
@stephank
Then again, it was much more recent. Didn’t see this when you mentioned it.
onli
@onli
Yeah, I think that's something else. The user didn't contact me for support yet ;)
https://www.mailinblack.com/en/ <-- you saw the English site?
I don't see much info there though
Stéphan Kochen
@stephank
Ah, nope, didn't see that :)
They do have instructions to allow senders manually. Maybe we can add some text along the lines of "you'll receive an email from noreply@portier.io"