genericweb Thank you mercutio. Leveraging the reserved domain "example.com" was too attractive in the end and I went with that. As you'll see, it worked out
Is it a selling point for company websites running over HTTPS? (this does not include signing in et al. naturally)
I block JS, images, and cookies from non-HTTPS Web sites.
most sites are shifting towards https
some quicker than others
there's positives and negatives.
bespokeserver.com
i think i call most of my servers AvinIT v.blah
https://blog.shodan.io/its-the-data-stupid/
mike-burns: May I ask why you block images from non-HTTPS websites?
grody: That isn't a real site is it? The menu links don't work
kellytk: images can be exploited at a surprising rate. My bias: I am (one of) security@ for my company. We make a bunch of open source products, including a file uploading library for Rails (we make Paperclip). I've dealt with multiple emails to security@ for vulns (all of which are fixed now so I can talk about them) around using image uploads to exploit Web browsers. So I figure: if I'm going to be exploited, I want it to be by the Web site itself and not from some MITM. Given how crazy font rendering is, I'd block custom fonts from non-HTTPS if I could figure out how.
mike-burns: That makes sense, thank you
kellytk, i'm not entirely sure.. the location is not far from me, but i have never heard of them
it's been registered by what looks like an individual, no company name - but that doesn't mean they aren't a sole trader
was just some random site i remember i helped a customer to use for their site (since it was an sitebuilder site)
s/an/a/
was just some random site i remember i helped a customer to use for their site (since it was a sitebuilder site)
simple, clean, efficient, no hidden palaver or mind numbing navigation
i imagine the holder of example.com gets a lot of traffic if they were to run MTA/HTTP
example.com is run by IANA and is defined in RFC to be used for documentation etc.
^ there ya go :)
i noticed an odd thing with IANA assigned IPv6 for "special use" when i misconfigured an IP41 on a 3G connection with no actual support for it - was quite shocked as i never saw that before
it ofc didn't work, but before it'd link local only
staticsafe: That's why I went with it, and said last night "Leveraging the reserved domain "example.com"" It's too convenient to pass up
example.com has no MX record :(
&%"%! IPSec ^&"(!£ pfSense
mercutio, 417mbps huh? NAT traffic this router will handle (software) was a simple port to port with masq
claims 900 in hardware (original firmware) - it became unresponsive when i saw it hit 417mbps
that meets the (if ever) 300mbps service i may one day dream of
grody: what packet size were you testing with? i'd almost guarantee the claim is based on ~1500byte frame size
testing with IMIX wouldn't look as good from a marketing standpoint
yea 1500
did read that 3000 should work (probably 9000) but meh
technically that should reduce load i wonder...
bit scared of tampering with MTU actually on this switch.. had to fiddle it just to get 1508 MTU on PPPoE heh
wasn't as straightforward as it should have been
bizarre as hell though small PI space i manage, added a rule to allow a sort of spoofing from my @home IPs and routed them via it
me > tunnel > server (No NAT) > | > server > me
odd as hell trying to fix policy routing between ARP | ME | OVH to have a simple choice of exit point based on dest IP w/o sending crap or bad traffic
bgp!
http://www.speedtest.net/my-result/4517203674
that's interesting
yea sadly i no longer own any PI space, i do manage a /22 mind
didn't actually realise this host was on the west coast
you didn't know arp was on west coast?
lol no i did wonder why the ping was 70 odd ms higher than my NYC server
might have to get some PI/PA on IPv6 - should be easy enough
gonna have to poke around NZ, see what route it takes to ARP
you don't necessarily need pi space for ipv6
you just need permission to re-advertise the space.
hmm then again.. most provision of IPv6 i have are /48's
ARP, AA and even HE have the blocking
weird with AA - routed as /52's
ideally i want to mesh all my VPS into a single VBC of sorts, with Alias IPs on each IP allocation each provider offers
that way they can all use their own IPs from their providers, but take alternate routes for other kinds of policy routing
ie: now all my traffic from @home to ARP and OVH is OpenVPN first, if OVPN link down, over internet as-is
sounds complicated
i can divert one (or more) hosts or subnets via a designated gateway (US/FR/UK) as requested, even if the IP sourcing is a public IP of another hoster, it gets NATd on the outbound of the given exit
i'm not allowed to do simple things
been setting this up more precisely all weekend with lots of success..
i went to print a letter of resignation the other day and my wireless printer decided it wasn't going to work
it took me ages to figure out CUPS on the laptop was using the old printer (static) location and not its dynamic/discoverable one
gonna have to add the NYC into this now.. learning ARP is on west coast is just icing on the cake :D
ideally i can send NZ via US to UK and not via its stupid satellite uplink over china/rus/eu
satellite? i'm guessing.. the latency is about 300ms higher than it should be
for nz?
for new zealand?!
sounds about right for 170 miles + 2000 mules + 170 mules
yea there's no satellite here
i get about 600 there, 600 back
what really? where does it go?
well not for normal people
there's cables to australia that go to japan
ahhh
and cables from australia to singapore
nothing to US?
and there's cables direct to the US
err via guam
hmm
umm
what are your ping times to japan like?
jp.meh.net.nz is an easy site to test to
from UK 290ms
from ARP 100ms
i wonder
yeh so going via japan could give 500msec pings or something
260ms going via ARP from UK
you know that your ping time to arp is less than 190 msec :)
wait what
how the..
it was 80msec from arp to jp.meh.net.nz
it's 108 atm for me
ok what about emerald.meh.net.nz
what are your pings like to that?
my routes are broken again :/
oh
oh wait.. pings are L2 haha i was routing TCP/UDP
ahh
L3 sorry
if it's 600 something is whack
300
yeh that's more normal
that's in new zealand
what were you saying about weird routes?
well, 294
where to?
that's going via ARP over the OpenVPN
oh what's it like native?
i know the arp route is fine :)
260
so not a massive loss
260 is damn good
gameservers :)
there's meant to be a new transatlantic cable sometime
yea, my ISP has a pretty epic network
which should bring down EU<->US ping
gameservers is vultr
jp.meh.net.nz is on vultr
it's been having some network issues recently though
i have a few vultr vm's i use for testing things and they all seem to have issues :/
sounds like a phase heartinternet here went through
no idea what it was.. had a few VPS and they went from great to ^&%£
used to be a really good and cheap provider here years ago that were first to offer freebsd guests.. was brilliant until they sold their souls
i even gave up reselling VPS because the platforms broke more than they fixed heh
i think a handful of my customers ended up using ARP since i diverted them here when i shut it down
remember doing that, site was google adsensed and for the next 6 months i kept getting ARP ads
oddly you said BGP as i was speed testing the UK > ARP routing and it was advertising BGP peers
i swear browsers steal text from screen
wow.. ARP to that host is 100ms
to what host?
that .nz host
jp?
ARP goes via CORESITE to asianet then scnet and whatever
jp is japan
UK goes the same route from asianet out
emerald is nz though
AA > LINX > ASIANET
ah, ARP > Phyber > Coresite > AsiaNet
wonder what happens between Linx and asianet - it's a direct hop and goes from 10ms to 150ms
http://pastebin.com/6Wp1gb1t
yeah pacnet suck
http://pastebin.com/7QUTMxnH
i dunno 150 from uk to los angeles is normal
similar with ARP
hop 5 is los angeles
hop 6 is japan
yea, lax i suspect
aimless is a weird name for a router haha
AA name all their stuff something"less"
i should obtain a .net.uk for network naming but i like the comedial effect
comical?
interesting flaw in pfsense: regardless of firewall rules, with an openvpn client in tap mode to the server, server to client can talk to networks in reach via the openvpn
grody: You would need to be an ISP to get a .net.uk