ChanServ changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm
<TimMc> I'm happy to look over the nginx stuff if you'd like another set of eyes.
<ocdtrekkie> I torched everything I had tried so far, but the goal is basically to add a location to the lemp-box nginx config such that I continue to serve / out of /var/www but that I can do like /footgun-manager and it will go to /opt/app/footgun-manager
<ocdtrekkie> The main problem I seemed to be having was getting PHP to process the files correctly.
<ocdtrekkie> "Primary script unknown" was the error I was hitting, I spent a lot of time in ServerFault/StackOverflow threads.
<ocdtrekkie> So Standalone Domains will not let me host these at their original URLs, sadly. Sandstorm doesn't recognize the hostname I'm CNAMEing to the standalone subdomain. RIP
<ocdtrekkie> That's like... probably for the best anyways?
<TimMc> Standalone Domains?
<TimMc> And what did the footgun-manager do?
<ocdtrekkie> I was thinking if I can get a management tool on there I'd put my sql import/export crud there, for one, maybe eventually a file manager.
<ocdtrekkie> Right now once you restore grain a footgun, you can't add/upload anything else without making it a new grain and breaking any existing links and sharing.
<TimMc> ah
<ocdtrekkie> I hadn't actually put anything there but a hello-world-ish PHP file to test Nginx.
<ocdtrekkie> But if you know how to modify nginx to successfully get it to do that I could throw something together.
<TimMc> "Primary script unknown" is pretty mysterious. Kind of sounds like something (what layer is even generating that?) can't find the PHP file to start with, or can't find the CGI executable or something.
<ocdtrekkie> If you look at nginx.conf in the lemp stack, it involves the script_filename variable and stuff I think.
<ocdtrekkie> But search results on primary script unknown, php multiple locations, should start to get you an idea where the difficulties I'm hitting are.
<TimMc> I saw some stuff pointing to systemd's ProtectHome setting. Not sure what to make of it.
<TimMc> (it made me think there was maybe something about not having permissions to read the specified script)
<TimMc> I've seen a post where someone got "Primary script unknown" via Apache, which means it's a layer down -- in php-fpm or PHP itself.
<TimMc> Where is $fastcgi_script_name defined?
<ocdtrekkie> I asked Simon if he maybe had some time in the future to help me with it, and he like, did most of it on the spot.
<ocdtrekkie> I randomly discovered something weird/confusing.
<ocdtrekkie> Is Let's Encrypt cross signing with Google Trust Services or something?
<ocdtrekkie> That's the page I'm on and it doesn't mention GTS
<TimMc> I've never heard of GTS.
<ocdtrekkie> But I did a crt.sh and it looks like some of my domains came up with a Google Trust Services cert at the same time as the new Let's Encrypt starting late this year.
<ocdtrekkie> Google Trust Services, one of the many ways the entire Internet stack is critically compromised by a single company who is every role simultaneously.
<ocdtrekkie> Certificate Transparency says they're issuing certs for my domains though.
<TimMc> Oooh... are you sure it's actually Let's Encrypt?
<ocdtrekkie> Cloudflare has its own certificates in the transparency log.
<TimMc> Do you have an example I can look at?
<TimMc> Looks like it's only the wildcard ones (*.jacobweisz.com)
<ocdtrekkie> Cloudflare is the only other party pulling a wildcard it looks like.
<ocdtrekkie> Maybe for some reason CF is both issuing year-long certs itself and pulling 90-day certs from Google?
<TimMc> Or they cut over to using GTS on 2022-06-01.
<TimMc> (on that day, it was issued by both)
<ocdtrekkie> Found a Cloudflare Community thread
<ocdtrekkie> Looks like Cloudflare started issuing "backup certificates" this year.
<TimMc> Interesting!
<ocdtrekkie> And knowing what it is, there it is in my CF dashboard
<ocdtrekkie> I don't suppose as a free plan user they'd take kindly to a request that they explicitly not get backup certs for my domains from Google.
<ocdtrekkie> But anyways I guess it clearly states the certificate hasn't been deployed and now I know where it came from, so whatever I guess.
<TimMc> Interesting! I wonder what their rationale was.
<ocdtrekkie> Although I imagine if the source of the compromise is Cloudflare they would also have to revoke all the Google certs they store the private keys for too?
<ocdtrekkie> ...so app icon for a footgun
<ocdtrekkie> any ideas?
<TimMc> An open box labeled "DO NOT OPEN" XD
<ocdtrekkie> That's not bad...