 | NixOS Networking | 914 Members |
| Declaratively manage your switching, routing, wireless, tunneling and more. | 265 Servers |
| NixOS Networking | 914 Members |
| Declaratively manage your switching, routing, wireless, tunneling and more. | 265 Servers |
| Sender | Message | Time |
|---|---|---|
| 15 Jun 2025 | ||
 Luke | I agree it is strange | 18:55:11 |
 hexa | You also don't want to share the same origin for various apps for safety reasons | 18:55:18 |
| Luke | Or at least uncommon | 18:55:19 |
| hexa | * You also don't want to share the same origin for various apps for security reasons | 18:55:23 |
| hexa | Even if the sotware supports it we should not | 18:55:48 |
| Luke | In reply to @hexa:lossy.networkI could yse some elaboration on this | 18:55:52 |
| Luke | * I could use some elaboration on this | 18:56:00 |
| hexa | https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy\ | 18:56:07 |
| hexa | * https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy | 18:56:09 |
| hexa | basically every app on the same domain gets the same cookies for one | 18:56:32 |
| hexa | but there's more beyond that | 18:56:54 |
| Luke | Perhaps I am not seeing the risk here - the machines running these services don’t get exposed to public internet (which is maybe not a good arguement, but should be considered). Further, this is a use case supported for print farms in Fluidd afaik? You could run moonraker on say, 20 machines, select a different route prefix for each, proxy those websockets to anothet machine that serves them behind a domain at some subdirectory, and a single server running one instance of Fluidd could manage those 20 printers by inputing the proxied moonraker address, e.g. printer1 is at http://example.com/printer1 (I think, I would have to flush out the details here a bit) | 19:08:07 |
| Luke | * Perhaps I am not seeing the risk here - the machines running these services don’t get exposed to public internet (which is maybe not a good arguement, but should be considered). Further, this is a use case supported for print farms in Fluidd afaik? You could run moonraker on say, 20 machines, select a different route prefix for each, proxy those websockets to another machine that serves them behind a domain at some subdirectory, and a single server running one instance of Fluidd could manage those 20 printers by inputing the proxied moonraker address, e.g. printer1 is at http://example.com/printer1 (I think, I would have to flush out the details here a bit) | 19:09:17 |
| Luke | So using the same domain to manage many different services for 3D printer farms is by design? Or maybe I am not seeing the issue with this setup | 19:10:34 |
| Luke | Also all of this assumes they have their own DNS server to make this private and not a publicly accessable service | 19:11:07 |
| Luke | With any other proper auth built into Moonraker | 19:11:32 |
 K900 | That's a lot of assumptions | 19:29:43 |
| K900 | That the option doesn't explicitly state | 19:29:50 |
| K900 | Or even begin to state | 19:29:56 |
| K900 | Genuinely I don't see a problem with doing the same thing with subdomains | 19:30:10 |
| K900 | And that comes with a significantly smaller number of footguns | 19:30:20 |
| Luke | In reply to @k900:0upti.me I didn’t think I’d need to tell anyone not to expose their manufactuing machinary to the public internet 😆 But yeah, the same setup could be performed with DNS, but clearly there are users that serve it at a subpath instead - Moonraker or Fluidd would not support this otherwise? I imagine the subpath could be simpler to manage from an infrastructure configuration perspective, which might be the reason it exists at all | 19:46:15 |
| Luke | * It is a fairly uncommon setup (because most people with printers tend not to go about using a domain at all from my time in the 3D printing community), but some people like myself end up exposing these machines under a subpath that only gets served if the request comes from behind a VPN subnet. If you have many machines, like a print farm, you would also benefit from this sort of setup - easier to serve at a subpath than manage a ton of DNS entries for subdomains etc. But if you mean, “why do Moonraker and the web interface share a domain?” That seems to be the default configuration already for the most part, given that Moonraker gets served at “/websocket” as this combination of apps usually runs from the same SBC and is tightly coupled to control a 3D printer running Klipper. The pattern for these printers is as follows:
| 20:09:34 |
| Luke | I have asked the Moonraker and Fluidd devs if they see a security issue with this pattern - I'll see what they have to say regarding how much of a bad idea this is 😆 If they think it is a bad pattern to support then I will close the PR (and possibly make a flake for my own purposes), otherwise I will respond with more info on the PR | 20:22:27 |
| 16 Jun 2025 | ||
| Luke | The other thing that is a bit odd is the fact that the Moonraker websocket is currently configured with nginx in the Fluidd service (as well as Mainsail)… that doesn’t quite seem like the right pattern? | 00:40:31 |
| Luke | The websocket and regex parts of this nginx configuration probably belong in the moonraker service? | 00:42:06 |
| hexa | I was today years old when I found out that systemd.network.enable also enables resolved | 03:48:25 |
| hexa | I kinda get that this is required for the DNS-related settings in networkd to work | 03:48:52 |
| hexa | but when you have a proper resolver enabled and they keep fighting over resolv.conf … | 03:49:13 |
| hexa | I wish we could do better, but I fear there is no clear way out | 03:49:29 |