Categories: Guide, Networking

HAProxy as a TCP reverse proxy with DDNS target discovery and load balancing

HAProxy is an excellent tool for forwarding or load-balancing TCP traffic. It is far more memory-efficient than socat, keeps its configuration persistent across reboots, and does not require net.ipv4.ip_forward to be enabled. Compared to NGINX, HAProxy offers a more comprehensive and user-friendly status page with far more metrics, which can be easily integrated with third-party monitoring services.

Categories: Guide, Networking

A Cloudflare DDNS script that uses an API Token instead of your Global API Key

I have been using this simple bash script for a while for my DDNS needs. It is simple enough for quick deployment, and gets the job done. That is, until Caddy2’s Cloudflare DNS provider moved away from the Global API Key to API Tokens for API access. This prompted me to rethink the security implications of using that script.

The Global API Key basically allows *ALL* access to your entire Cloudflare account, which includes making changes to other domains under your account as well as your account settings. And this key is stored as plain text within the script, to be placed on a server to which you don’t have physical access, which sounds a lot like the perfect recipe for a security nightmare. An API Token, on the other hand, is created with specific permissions. You can, for instance, create a Token that only has permission to make changes to a specific domain, without the ability to add or delete anything.

Categories: Networking

The official Telegram CIDR list

If for whatever reason you need to reroute or block Telegram Messenger traffic, at some point you will have come across an ASN list containing a handful of /22 IPv4 blocks and one or two /48 IPv6 blocks. If you’ve hastily based your firewall rules on that list, you’ll notice it works only intermittently. That’s because the list is incomplete. JTT has got you covered and you have come to the right place! Below are the known CIDRs used by the Telegram Messenger service:

Categories: Networking

My favorite Traceroute tool

Traceroute helps you quickly find out the network path and measure the transit delays of packets across the internet. The standard implementation displays only the IP addresses or rDNS entries of each hop, which may not let you identify the geographic path at first glance.

Categories: Networking

Allow only Cloudflare CDN servers to your web servers

We love to use Cloudflare CDN because it improves latency and uptime, and the price is just right (free) for the starter pack.

Normally, a web server’s ports 80 and 443 are open to the public internet, with access restricted to selected IP ranges by either ASN or country, depending on what the administrator has configured. But if you are using Cloudflare’s CDN service, you can permit TCP 80/443 access only from their servers and block all other incoming requests. You can then fine-tune access control using Cloudflare’s web application firewall. This greatly reduces your web server’s attack surface.

Categories: Networking

Using your cloud instance as a proxy with Dante server

If you have a cloud VM lying around, it is entirely possible to turn it into a personal proxy for your internet traffic. It is probably not going to help you unlock region-protected content, since services like Netflix and Hulu have most likely blocked the IP ranges operated by hosting providers, but it may still be useful in cases where you need to get around your ISP’s slow network transit and peering issues.