HTTPS Only mode

a pain in the nether that people on Russian IP’s

Yup. I get a lot of hack attempts. Unsuccessful, of course.

The way my BBS deals with this is that it caches the country level IPdb in a Dynamic Area and when a connection is started, it looks up the IP address to determine its country of origin. If Russia, China, etc etc then the connection is terminated hard.
I’d like to add that into WebJames.

[it’s a 3.2MiB data file that references the entirety of IPv4 space; god help us when IPv6 comes]

NGINX can [etc]

Is there a RISC OS version of NGINX, or am I supposed to set up another box to do that? The point is to minimise how much stuff is actually running (hence electricity consumption).

WebJames CAN be hacked,

Probably. But it is unlikely to be because there’s no point. It isn’t hiding anything of value, you’re not going to pull out encryption keys or the sources to iOS or pwn a machine to be useful in a botnet army.

by sending huge POSTs

Hmm…

if people want to put webjames exposed directly it’s their choice :)

My home/private server. The non-PHP build. It’s been online for ages now. Since at least March 2016 (that’s when the weather station thingy was created). It’s stable, it does its job, and it hasn’t be taken down yet, though god knows the script kiddies try all the freakin’ time…

Some examples:

103.106.82.194 - - [26/Nov/2020:21:12:55 +0000] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F
%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F
%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+
%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+
%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64
%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 332 "" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

103.106.82.194 - - [26/Nov/2020:21:12:59 +0000] "GET /_query.php HTTP/1.1" 404 327 "" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
103.106.82.194 - - [26/Nov/2020:21:13:00 +0000] "GET /test.php HTTP/1.1" 404 325 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:01 +0000] "GET /db_cts.php HTTP/1.1" 404 327 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:01 +0000] "GET /db_pma.php HTTP/1.1" 404 327 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:05 +0000] "GET /pmd_online.php HTTP/1.1" 404 331 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:06 +0000] "GET /x.php HTTP/1.1" 404 322 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:06 +0000] "GET /shell.php HTTP/1.1" 404 326 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:07 +0000] "GET /htdocs.php HTTP/1.1" 404 327 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:07 +0000] "GET /b.php HTTP/1.1" 404 322 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:08 +0000] "GET /sane.php HTTP/1.1" 404 325 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:08 +0000] "GET /desktop.ini.php HTTP/1.1" 404 332 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:09 +0000] "GET /z.php HTTP/1.1" 404 322 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:09 +0000] "GET /lala-dpr.php HTTP/1.1" 404 329 "" "Mozilla/4.0 [...]
103.106.82.194 - - [26/Nov/2020:21:13:10 +0000] "GET /lala.php HTTP/1.1" 404 325 "" "Mozilla/4.0 [...]
[...and so on for about fifty more URIs...]

103.106.82.194 - - [26/Nov/2020:21:13:32 +0000] "GET /index.php/module/action/param1/${@die(md5(HelloThinkPHP))} 
HTTP/1.1" 400 213 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
103.106.82.194 - - [26/Nov/2020:21:13:34 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 
HTTP/1.1" 200 6053 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"

This. A never-ending cesspit of effluent.

And anyway the only lala worth considering is (was!) Lala Ward (aka Romana).

Is there a RISC OS version of NGINX, or am I supposed to set up another box to do that? The point is to minimise how much stuff is actually running (hence electricity consumption).

Not yet, BUT:

• You can run a Linux on another Rpi still less power than an Intel Atom and you can use the linux box for DNS, DHCP, SMB and more if you really want to go super tight on electrical bills ;)
• You can run RISC OS and Linux on the same RPi using virtualisation and QEMU, spin up an RPi 2 VM for RISC OS and either run NGINX on the hypervisor or on another guest (so bonus no more cables for WebJames!)
• If instead you’re more adventurous you can run Linux on the same RPi where you run your RISC OS (using all the cores that RISC OS doesn’t uses), add a virtual nic driver to RISC OS to interconnect to Linux and let them talk this way and let Linux use your physical NIC and/or WiFi (so bonus no more cables for WebJames!)

Again just as an idea… :)

On the other hand, if you have NGINX, simply use NGINX :)

If instead you’re more adventurous you can run Linux on the same RPi where you run your RISC OS (using all the cores that RISC OS doesn’t uses), add a virtual nic driver to RISC OS to interconnect to Linux and let them talk this way and let Linux use your physical NIC and/or WiFi (so bonus no more cables for WebJames!)

I started reading the whole post and thought, why not run in the other cores, and in item 3 you suggest exactly that.

On the other hand, if you have NGINX, simply use NGINX :)

but… but… you’er taking all the fun away! :(

loool joking, sure that is another option!

I started reading the whole post and thought, why not run in the other cores, and in item 3 you suggest exactly that.

then you’re the adventurous one! :D