~dr|z3d
@RN
@RN_
@StormyCloud
@eyedeekay
@orignal
@postman
@zzz
%Liorar
+FreefallHeavens
+Xeha
+bak83_
+cumlord
+hk
+poriori
+profetikla
+uop23ip
Arch
DeltaOreo
FreeRider
Irc2PGuest10850
Irc2PGuest19353
Irc2PGuest23854
Irc2PGuest46029
Irc2PGuest48064
Meow
Nausicaa
Onn4l7h
Onn4|7h
Over
T3s|4__
acetone_
anon4
anu
boonst
enoxa
mareki2pb
mittwerk
plap
shiver_
simprelay
solidx66
u5657_1
weko_
StormyCloud
Anyone notice any outproxy issues within the past 24 hours?
dr|z3d
yeah, it smells funny, StormyCloud
dr|z3d
faint smell of rotten eggs and cabbage.
StormyCloud
New feature, smell-o-vision
dr|z3d
I've got another config for you to try in a few moments to further boost your traffic, mesh.
Irc2PGuest66955
dr|z3d: oh lay it on me
dr|z3d
download the latest /dev/ build mesh.
dr|z3d
then before you restart, add the following to your router.config -> router.blockOldRouters=false
dr|z3d
you'll still block some old routers, notably those that have been identified as hostile, but not so many.
Irc2PGuest66955
aren't the old routers those being used by the attacker for evil?
Irc2PGuest66955
hehe ok
dr|z3d
some are, sure. those will still be blocked.
dr|z3d
defaults tend to err on the side of caution rather than permissive.
Irc2PGuest66955
dr|z3d: I come back to the concept of a "carrier node"
dr|z3d
hostile routers do damage to the network, so you can't be totally hands off.
Irc2PGuest66955
dr|z3d: like I set "router.profile=carrier" and it sets all these configuration knobs to maximize transit because this router is really just for transit
dr|z3d
you've got as many knobs as you're going to get.
dr|z3d
and they should be more than sufficient. :)
dr|z3d
don't forget i2np.ntcp.maxConnections and i2np.udp.maxConnections mesh.
dr|z3d
try setting both of those to something like 8000 or more.
dr|z3d
no restart required.
dr|z3d
you can also experiment with setting ntcp low and udp high to see how that adjusts things. ntcp appears to be preferred.
dr|z3d
also make sure ulimit -n in the account you're running i2p from isn't returning 1024. not fatal, but you want that much higher.
dr|z3d_
> also make sure ulimit -n in the account you're running i2p from isn't returning 1024. not fatal, but you want that much higher.
dr|z3d_
if you don't know how to adjust that, google for /etc/security/limits.conf and ulimit
zzz
we fixup ulimit in i2prouter, what matters is the hard limit (-n -H) not the soft limit
dr|z3d
yeah, you really want to be editing limits.conf and setting both hard and soft limits to something high, 65535 or more.
zzz
no, you don't have to as long as the hard limit is >= 2048, we'll raise the soft limit to 2048 in i2prouter
dr|z3d
maybe I need to reread the docs, but 2048 seems like a very conservative limit to me, especially when you're running other things on the box, like nginx.
zzz
it's per-process
dr|z3d
yeah, per-process, and nginx can use a ton more than that when it's handling a lot of traffic, iirc service_workers is limited by file descriptors for concurrent connections.
dr|z3d
also, have you looked at your netdb country list lately?
dr|z3d
check Iran.
dr|z3d
I saw Iran briefly at the top, above US, though it's dropped now to 2nd place.
zzz
in canon we essentially cap NTCP conns at 1500 which leaves plenty for everything else, and haven't heard any complaints
zzz
no iran spike here
dr|z3d
Iran hit over 900 on one of my routers.
dr|z3d
maybe you need to be a ff to see the spike, dunno.
zzz
maybe the china botnet hopped over there
dr|z3d
or it could be the russians working in tandem with the iranians.
dr|z3d
china's still a large contingent here
zzz
look if they're all the same version or something else in common
dr|z3d
yeah, I looked. a couple of version strings and caps jump out.
dr|z3d
PR/PU
dr|z3d
no consistent version string, everything from 0.9.55 up.
dr|z3d
mostly 0.9.62
zzz
since it's all i2pd there's not a lot of caps variation anyway
dr|z3d
vast majority are P tier
zzz
typical for i2pd
dr|z3d
a few FXRs in there as well.
dr|z3d
about ntcp, it appears to be preferred over ssu where available?
dr|z3d
there's a rebalance algorithm to attempt to push some connections over to ssu, but presumably that only kicks in when ntcp connection limits are hit?
dr|z3d
I don't remember if orignal was reporting ssu or ntcp being faster, but he had an opinion :)
zzz
no, we still prefer ssu, at least a little
dr|z3d
but that's based on connection limits per transport or something else?
zzz
that and "cost"
dr|z3d
ok, just trying to work out why no one's bothering to connect via ssu2 here. outbound connections look fairly balanced between the two transports.
dr|z3d
on one router with http blocklist active, 50 odd dests blocked in the last 3 days.
dr|z3d
for odd read "or so"
dr|z3d
dests piped to tunnel filter for instant-o-bans.
zzz
how many patterns do you have?
dr|z3d
around 100, give or take.
zzz
zowie
dr|z3d
cribbed from the vuln scanner spider urls.
dr|z3d
no latency on connections, all seems to be functioning a.ok :)
dr|z3d
probably all it needs now is some zzz sprinkles and fairy dust. :)
zzz
aka total rewrite? :)
dr|z3d
:P
not_bob
I take it that killyourtv is back?
not_bob
The most recent "new" host is irc.killyourtv.i2p, but that host has been around for a long while.
dr|z3d
your powers of observation are exceptional, not_bob
not_bob
And it works!
not_bob
Not that anyone is using it.
dr|z3d
what works? I missed that part.
not_bob
The IRC server.
dr|z3d
mostly for test purposes afaik
not_bob
Yeah, it's lonely.
dr|z3d
have you taken the new http blocklist feature for a spin yet in +?
not_bob
I have not.
not_bob
I should get some time today to play with that.
not_bob
I think I'm a week behind on + dev builds.
dr|z3d
I have a list of urls, ping me if you want them. + is currently at -3+
dr|z3d
as you probably read, 50+ dests snagged in the course of 3 days on one router.
not_bob
Ahh, yeah. I did read about the scanners and whatnot.
not_bob
So long as you aren't blocking my scanner, it's all good.
dr|z3d
if your scanner happens to be cycling through a list of potentially vulnerable urls, then yes. otherwise, no.
not_bob
No, it does not.
snex
is it at all possible that my issues are due to my external IP changing? or is that just a red herring?
dr|z3d
how frequently, snex?
snex
very rarely. it changed like a week ago and that's when i saw the problems start
dr|z3d
shouldn't be an issue.
snex
i am forcing the router to use hostname based peer config
dr|z3d
keep an eye on the dev builds.
not_bob
Are the blocklist urls dynamic?
dr|z3d
dynamic?
not_bob
Rather, do I pull them once, or pull them every 24 hours or something for updates?
dr|z3d
neither. you supply your own list.
not_bob
Ahh
not_bob
I assume it's a list of blacklisted b32s?
dr|z3d
no
not_bob
Ok, now I'm curious.
dr|z3d
it's a list of prohibited urls or strings you don't want matched in requests.
not_bob
Ahh!
not_bob
I can understand that.
dr|z3d
requests that match any in your blocklist will get logged to a separate file you can then use the tunnel filter to block.
dr|z3d
ie the dest (b32) making the request will get logged.
not_bob
Understood
dr|z3d
snex: you could just try letting your ip be automatically detected.
dr|z3d
see if that helps.
snex
i had it that way originally but things stopped working entirely when my IP changed. the autodetect simply didn't work (this might have been i2p not i2p+) which is why i set it to the hostname based resolution
dr|z3d
ok, maybe turn on warn level logging and see if anything obvious appears.
snex
lots of WARN errors but not sure how relevant they are
dr|z3d
yeah, warn is constant. most won't be related to your issue.
cumlord
Can I set allow only certain requests and block all else?
dr|z3d
you'll have to be a bit more specific, cumlord
cumlord
Like if I only want someone to be able to access /index and block everything else on a site
not_bob_afk
Why would you put stuff on the site you don't want people to access?
dr|z3d
oh, you mean with the http blocklist?
StormyCloud
change the permissions on the other pages/folders?
snex
seems like something you do on the http server
dr|z3d
yeah, plenty of ways to achieve that, mostly server-side.
dr|z3d
but if you wanted to actually block requests to the resource in + before webserver gets to see the request, you'd give it a list of urls you want to block.
dr|z3d
that's a roundabout way of saying, no, there is no whitelist feature yet. just a blacklist.
cumlord
Yeah with http blocklist is what I meant
not_bob_afk
Depending on your server, you can use url rewrite.