So HN is still a shit hole, then :)

Gotta love that the first comment is literally “This article is nonsense.” (This sort of thing used to make me angry, these days I just laugh and move on.)

I have a great workaround for HN stuff! These few lines in my nginx config are wonderful:

if ($http_referer ~ "news\.ycombinator\.com") {
    return 400;
}
No more HN troubles.

@algernon @aral Do you proxy outgoing HTTP requests through your own Nginx?

@aral this toot is nonsense! ;-)

HN for the articles, and rarely anymore, never for the comments IMO.

@aral I think it's amazing how many missed the point of the article, and run around stating:

"As an admin you don't want some random user to start something on port…" not realising that admin and user are the same person in your described case :D

Yet I do think that containers are the better solution to the problem. Every user/application gets a network namespace, and the exposure itself should be a privileged step (which it already is due to firewall rules).

@sheogorath @aral From what I understand, with containers you're just moving the problem elsewhere.

At the end of the day, you need a "front" web server such as nginx or whatever that will actually expose your container. As explained in the article, that server will need to run as root (at least when started) *only* to be able to bind port 80 ...

@aleks @aral I think you misunderstand how containers work in this case. You definitely need privileges to expose the container, yes. But that's because you reconfigure firewall rules. Docker, for example, already disables privileged ports in the containers. And when you expose a container, all you do is set up a firewall rule that says "forward all traffic from port 80 to this internal container IP on port 80".

@aleks @aral (Note: There is a tool called docker-proxy around, and it has valid use-cases, but it's technically not needed to solve the problem described here.)
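The distinction @sheogorath draws in the two posts above (the listener itself needs no privilege; only the exposure step does) can be checked on any host. The following is an added example, not code from anyone in this thread or from Docker. It assumes a Linux kernel for the `/proc/sys/net/ipv4/ip_unprivileged_port_start` threshold (falling back to the classic 1024 elsewhere), and `forward_rule` only renders the general shape of a DNAT rule as iptables expresses it, not the exact chains Docker installs.

```python
import errno
import socket
from dataclasses import dataclass
from typing import Optional

# Classic threshold: ports below this need CAP_NET_BIND_SERVICE (or root).
DEFAULT_UNPRIVILEGED_START = 1024


def unprivileged_port_start() -> int:
    """Read the kernel's threshold for unprivileged binds if it is exposed.

    Linux publishes it in /proc; on other systems we assume 1024 (assumption).
    """
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_START


def is_privileged(port: int, start: Optional[int] = None) -> bool:
    """True when binding `port` requires privilege on this host."""
    if start is None:
        start = unprivileged_port_start()
    return 0 < port < start


@dataclass
class BindResult:
    port: int
    ok: bool
    error: str  # "" on success, otherwise the errno name, e.g. "EACCES"


def try_bind(port: int, host: str = "127.0.0.1") -> BindResult:
    """Attempt a TCP bind and report how the kernel answered.

    EACCES is the 'needs privilege' case the thread is about; EADDRINUSE just
    means another process already owns the port. Port 0 asks the kernel for an
    ephemeral (always unprivileged) port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((host, port))
        return BindResult(port, True, "")
    except OSError as e:
        return BindResult(port, False, errno.errorcode.get(e.errno, str(e.errno)))
    finally:
        s.close()


def forward_rule(public_port: int, container_ip: str, container_port: int) -> str:
    """Render the privileged 'exposure' step as a NAT rule (shape only).

    This is the form of rule a host administrator installs so that traffic to
    the public port reaches a container that itself only ever bound an
    unprivileged socket. The container IP here is a constructed sample.
    """
    return (
        f"iptables -t nat -A PREROUTING -p tcp --dport {public_port} "
        f"-j DNAT --to-destination {container_ip}:{container_port}"
    )


if __name__ == "__main__":
    # Constructed sample: a web server inside a container on 172.17.0.2:8080.
    for p in (80, 8080, 0):
        r = try_bind(p)
        print(f"port {p}: privileged={is_privileged(p)} bind_ok={r.ok} {r.error}")
    print(forward_rule(80, "172.17.0.2", 8080))
```

Run as an ordinary user, the port 80 attempt returns `EACCES` while 8080 and the ephemeral port succeed; as root all three succeed, which is exactly why the thread argues the privilege should sit in the forwarding rule rather than in the service process.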

@aral One of the reasons I stopped reading Hacker News.

@aral "...writing your own policies, while strange and esoteric because it uses m4, is straightforward."

Right, 4 files of m4 macros, straightforward. Yup.

