Ancestors

Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:03

Randomly getting ECH errors on self-hosted services.

https://lemmy.ca/post/29918830


Written by bobslaede@feddit.dk on 2024-09-28 at 20:14

Any chance you are both accessing your services locally with a local DNS, and publicly with something like Cloudflare?


Toot

Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:19

I do have external access to Ombi via Cloudflare; but the device I’m seeing this problem on is permanently connected to a VPN hosted from the same server machine as Ombi/nginx, with ‘block all connections without VPN’ enabled. And this testing has been done from within the same LAN.

It should never see/reach cloudflare for this service.


Descendants

Written by bobslaede@feddit.dk on 2024-09-28 at 20:22

Try with nslookup and see if you’re resolving the domain to both your local IPv4 address and the Cloudflare IPv6 address at the same time. I am using Pi-hole for my local DNS, and it would give me both my local address and also the Cloudflare IPv6 address.

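A small check for the split-answer case bobslaede describes, added here as an example and not code from the thread: it parses Linux nslookup-style output (the hostname and addresses are constructed) and flags a name that resolves to both a LAN address and a public one, since a client holding both can pick either path on any given connection.

```python
# Added example: flag a name whose answers mix a LAN address with a public (proxied) one.
import ipaddress

# Constructed nslookup-style output: local A record plus a public AAAA record (not real hosts).
SAMPLE_NSLOOKUP = """\
Server:  192.168.1.2
Address: 192.168.1.2#53

Name:    ombi.mydomain.example
Address: 192.168.1.10
Name:    ombi.mydomain.example
Address: 2606:4700::1234
"""

def parse_nslookup(text):
    """Return the answer addresses; the resolver's own 'Address: x#53' line is skipped."""
    answers = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "Address":
            continue
        value = value.strip()
        if "#" in value:  # "192.168.1.2#53" names the resolver, not an answer
            continue
        answers.append(ipaddress.ip_address(value))
    return answers

def classify(addr):
    """'local' for RFC 1918/ULA/link-local/loopback, 'public' otherwise; '::' is 'unspecified'."""
    if addr.is_unspecified:  # test first: ipaddress also reports '::' as private
        return "unspecified"
    if addr.is_private or addr.is_link_local or addr.is_loopback:
        return "local"
    return "public"

def diagnose(answers):
    """Return (verdict, addresses by class). 'split' means the client may take either path."""
    buckets = {}
    for addr in answers:
        buckets.setdefault(classify(addr), []).append(str(addr))
    if "local" in buckets and "public" in buckets:
        return "split", buckets
    if "public" in buckets:
        return "public-only", buckets
    return "local-only", buckets

if __name__ == "__main__":
    verdict, by_class = diagnose(parse_nslookup(SAMPLE_NSLOOKUP))
    print(verdict, by_class)  # split {'local': ['192.168.1.10'], 'public': ['2606:4700::1234']}
```

An AAAA answer of `::` (as tried later in the thread) is classed as unspecified rather than public, so the verdict for a local A record plus `::` is `local-only`.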

Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:31

Crap, looks like that’s exactly what it is.

Now how to fix that…


Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:36

Added an AAAA record to Pi-hole:

ombi.mydomain.example 0000:0000::0000:0000

Now nslookup returns the correct IPv4 address, and ‘::’ as the IPv6.

We’ll see if that works.


Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:57

That unfortunately did not work. I am only getting the IPv4 address now, but I still get the same ECH error in Chrome 1/5 tries.

Firefox’s error now changed from ‘invalid certificate’ to ‘connection is insecure but this site has HSTS’. It still won’t show the cert or provide any further info. (Forgot to grab a screenshot before the below ‘solution’.)

I’m really annoyed at this point and have just disabled Cloudflare proxying for this service. That seems to have sorted it for all browsers. I may look further later, I may just say fuck it and leave it like this. Gotta walk away for a bit.


Written by bobslaede@feddit.dk on 2024-09-29 at 05:56

You should change to use a CNAME in Pi-hole. I will write it up on my computer later for you.


Written by solrize@lemmy.world on 2024-09-28 at 20:24

Can you verify with Wireshark that the traffic is only going through your LAN? I’m not hip enough for nginx, but I used to have to run Apache under gdb all the time to trace random errors from the server. That would be next, if the traffic is really local.


Written by Darkassassin07@lemmy.ca on 2024-09-28 at 20:37

I’ll look into that next if what I’ve done doesn’t work. (See other comments.)


Original URL
gemini://mastogem.picasoft.net/thread/113217028547857022