BasedFlare - New Cloudflare-like service - Page 3

Comments

  • emgh Member

    @let_rocks said:
    @emgh @neel_qeru thanks for ur replies
    I already know dnschecker and whatsmydns, good websites.
    Also use HE BGP Toolkit (bgp.he.net) really nice since it also gives whois info (and no RIPE whois block like on bgpview.io)

    And I use ipinfo.io, check-host.net, bgpview.io, db-ip.

    I’m crazy about these tools xd

    Thanks :)

    bgpview.io is a gem for sure. Really easy to use

  • based project, updooted.
    why is it LET seething like this thing won't take off? jelly much to see someone actually do something instead of $7 posting?

  • stefeman Member
    edited October 2023

    @fatchan said:
    Thanks for the comments and criticism everybody.

    Yes, the name will probably change but I think it's funny for now. I'm surprised people are so serious in thinking there is a political statement in the name. It's seriously a meme, don't think about it any deeper than that. Be like jmaxwell :^) Anyways, the website is incomplete and nothing is final. Currently I have some smaller websites testing it to find issues and make suggestions.

    The goal is not to be a cloudflare competitor. They offer a free ($0) service, have bazillions of dollars of infrastructure, investment, and many many employees. This is built for a different purpose.

    It's primarily a software project, with a few components:

    • HAProxy with Lua to extend it for some L7 filtering capabilities and dataplaneapi for remote control of webservers
    • CoreDNS with some forked plugins for geoDNS and reading records from redis for the nameservers
    • Grafana, loki, etc for some statistics and logging
    • A custom control panel for managing it

    One reason I started this project is that I often see people asking what is a good "free speech" hosting provider, domain registrar, etc. The answer is NONE. There is no such thing because even T1 providers can and will censor you without any court order, bypassing even the hosting provider themselves. See KiwiFarms for example. (Fun fact, Kiwifarms is using my haproxy-protection project linked in OP to protect their .onion site)

    I wanted a system where I can quickly plug in dedicated servers/vms from anywhere and control them all in a single location for a sort of home grown CDN. With all components self-hosted. It's a best-effort approach for a hostile environment and I'm having fun with it :smiley:

    I'm trying to make a free version of this right now with no paid plans, ever.

    It's pretty hard to get this up and running as tutorials are not as clear as I'd wish xD

    I have roped in @Neoon today to solve it xD

    Expect LES/LET free service thread later after I have set up plenty of infra and tested it prior with high traffic live sites.

  • stefeman Member
    edited October 2023

    @ScreenReader said:
    based project, updooted.
    why is it LET seething like this thing won't take off? jelly much to see someone actually do something instead of $7 posting?

    Been on this project since June, but only now have enough funds secured to actually make it happen on a permanent basis and for free always.

  • @stefeman said: Expect LES/LET free service thread later after I have set up plenty of infra and tested it prior with high traffic live sites.

    I love you.

  • Maounique Host Rep, Veteran

    Will it have an option to donate BW?
    I mean setup a node by a third party, a consensus of sorts, etc?

  • Why are we still talking about this, all of their claims are absolute bullshit.

    They CANNOT do any kind of WAF (beyond TLS fingerprinting) or caching if they don't MITM.

  • kait Member
    edited October 2023

    @ehhthing said: all of their claims are absolute bullshit

    What claims are bs? They never claim to not do MiTM

  • @kait said:

    @ehhthing said: all of their claims are absolute bullshit

    What claims are bs? They never claim to not do MiTM

    Literally the very first words of the very first post - "Cloudflare alternative promising no MiTM"

  • @ahnlak said: Literally the very first words of the very first post - "Cloudflare alternative promising no MiTM"

    Is treesmokah basedflare? Basedflare never claimed no MiTM

  • @ahnlak said:

    @kait said:

    @ehhthing said: all of their claims are absolute bullshit

    What claims are bs? They never claim to not do MiTM

    Literally the very first words of the very first post - "Cloudflare alternative promising no MiTM"

    I mean, if you self-host it, there is no man in the middle. You are the man in the middle.

  • @fatchan

    https://gitgud.io/fatchan/haproxy-protection is fine, but the panel seems to be broken.

    @Neoon attempted setting up https://gitgud.io/fatchan/haproxy-panel-next/-/blob/master/docker-compose.yml?ref_type=heads but apparently the docker file is incomplete and there is no persistent storage. From the looks of it, you are not updating or using it.

    This looks like an amazing project, and I would love to deploy this for the community, but we have no idea how to set it up without docker as you had nothing written about that.

    Could you help and give a few pointers for this project? :)

  • stefeman Member
    edited October 2023

    Basically the issue is:

    docker file error: Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /tmp/acme-tests/.well-known/acme-challenge

    The path mentioned in the error is inside the docker container, so the compose won't even finish.

    and instructions are missing for non-docker install.

    On top of that, which one would you suggest running on production? docker or non-docker version?

    Thank you in advance.

  • @stefeman said: docker file error: Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /tmp/acme-tests/.well-known/acme-challenge

    Doesn't that mean that you don't have the /tmp/acme-tests/.well-known/acme-challenge/ folder on the host machine?

  • stefeman Member
    edited October 2023

    @sillycat said:

    @stefeman said: docker file error: Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /tmp/acme-tests/.well-known/acme-challenge

    Doesn't that mean that you don't have the /tmp/acme-tests/.well-known/acme-challenge/ folder on the host machine?

    Nah, it's probably referencing inside the docker container so the compose won't even finish.

    edit: it might actually be target of the host machine. Thanks for the info, will attempt to verify.

  • Having no free plan puts it miles away from Cloudflare

  • @fatchan We solved the /tmp/acme-tests/.well-known/acme-challenge/ and a few other issues, but it's a mess without a proper install guide.

    It worked just before and we copied the repo again and made a fresh copy and now it's just crashing.

    I would love to run this as a free service, but this would require some guidance from you.

  • @JoshuaMoon can help I guess

  • @dosai said: @JoshuaMoon can help I guess

    No, he has nothing to do with basedflare.

  • @kait said:

    @dosai said: @JoshuaMoon can help I guess

    No, he has nothing to do with basedflare.

    Apparently he managed to deploy it.

  • @stefeman said: Apparently he managed to deploy it.

    The protection yes, he doesn't use the dashboard

  • ezeth Member, Host Rep
    edited October 2023

    @stefeman said: but the panel seems to be broken.

    I don't see the issue? I managed to set up the front end in 20min. Want me to give you copy paste?

    ~/haproxy-panel-next# npm run start

    [email protected] start
    NODE_ENV=production node server.js

    Ready on http://localhost:3000

  • Neoon Community Contributor, Veteran

    @ezeth said:

    @stefeman said: but the panel seems to be broken.

    I don't see the issue? I managed to setup front end in 20min. Want me to give you copy paste?

    I tried only the Docker version, which should make stuff easier, but sadly it didn't work.
    Natively no clue, never touched mongoDB until now, npm barely.

    Hence the request for an install guide.
    Since you got it working, wanna post a full guide?

  • ezeth Member, Host Rep
    edited October 2023

    Ok

    git clone https://gitgud.io/fatchan/haproxy-panel-next.git
    cd haproxy-panel-next/
    cp .env.example .env
    

    Then install nodejs 16

    snap install node --classic --channel=16

    Then install mongodb

    curl -fsSL https://pgp.mongodb.com/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
    
    echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
    apt update
    apt install -y mongodb-org
    

    Then install redis.

    apt install -y redis

    Then start both redis and mongodb

    systemctl start mongod
    systemctl start redis-server
    

    Inside the .env file replace NAMESERVERS="YOURIPHERE"

    Then generate certificates

    mkdir -p /root/haproxy-panel-next/ca
    cd /root/haproxy-panel-next/ca
    
    # Generate a new private key
    openssl genpkey -algorithm RSA -out ca-private-key.pem
    
    # Generate a root CA certificate
    openssl req -key ca-private-key.pem -new -x509 -days 365 -out ca-certificate.pem
    

    After that you're almost done.

    cd /root/haproxy-panel-next
    npm run build
    npm run start
    

    Done!

    It starts with no errors. But there is a ton of stuff to configure inside .env. :)

    I think I caught everything in the history command output. Please say if it does not work!

  • Neoon Community Contributor, Veteran
    edited October 2023

    @ezeth said:
    Ok

    git clone https://gitgud.io/fatchan/haproxy-panel-next.git
    cd haproxy-panel-next/
    cp .env.example .env
    

    Then install nodejs 16

    snap install node --classic --channel=16

    Then install mongodb

    curl -fsSL https://pgp.mongodb.com/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
    
    echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
    
    apt-get install -y mongodb-org
    

    Then install redis.

    apt install redis

    Then start both redis and mongodb

    systemctl start mongod
    systemctl start redis-server
    

    Inside the .env file replace NAMESERVERS="YOURIPHERE"

    Then generate certificates

    mkdir -p /root/haproxy-panel-next/ca
    cd /root/haproxy-panel-next/ca
    
    # Generate a new private key
    openssl genpkey -algorithm RSA -out ca-private-key.pem
    
    # Generate a root CA certificate
    openssl req -key ca-private-key.pem -new -x509 -days 365 -out ca-certificate.pem
    

    After that you're almost done.

    cd /root/haproxy-panel-next
    npm run build
    npm run start
    

    Done!

    It starts with no errors. But there is a ton of stuff to configure inside .env. :)

    I think I caught everything in the history command output. Please say if it does not work!

    That's something my brain does understand. Thanks.
    It's a good starting point, yea you have to configure a bunch of stuff, to be honest, I was a bit drunk and watched One Piece on Netflix in the meanwhile.

    It's a fucking good series, waiting for the second season, dope af.
    But you can remove the CA part, it does support a private CA but you don't need to generate one.

  • fatchan Member
    edited October 2023

    @ezeth said: It starts with no errors. But there is a ton of stuff to configure inside .env. :)

    Env values:

    COOKIE_SECRET="changeme" - secret to sign session cookies
    REDIS_HOST=127.0.0.1
    REDIS_PORT=6379
    REDIS_PASS=
    DB_URL="mongodb://localhost:27017"
    NEXT_PUBLIC_CUSTOM_BACKENDS_ENABLED="true" - leave this true unless you want to hardcode the backend servers in haproxy.cfg
    CUSTOM_BACKENDS_ENABLED="true" - same
    BACKEND_NAME="servers" - name of the backend section in haproxy.cfg
    SERVER_PREFIX="websrv" - name prefixing the actual backend servers in the backend section, i.e. they will become websrv1, websrv2, etc
    
    - map names, don't change these because these aren't used in 100% of places in the code. Use these map names in haproxy.
    HOSTS_MAP_NAME="hosts" 
    BLOCKED_IP_MAP_NAME="blockedip"
    BLOCKED_ASN_MAP_NAME="blockedasn"
    DDOS_MAP_NAME="ddos"
    DDOS_CONFIG_MAP_NAME="ddos_config"
    BACKENDS_MAP_NAME="backends"
    WHITELIST_MAP_NAME="whitelist"
    MAINTENANCE_MAP_NAME="maintenance"
    REDIRECT_MAP_NAME="redirect"
    REWRITE_MAP_NAME="rewrite"
    DOMTOACC_MAP_NAME="domtoacc"
    
    DEFAULT_CLUSTER="http://admin:admin@localhost:2001/" - dataplaneapi url with credentials for haproxy. Comma separated list if you have multiple servers.
    
    - DNS stuff (might not work without the dns part, which doesn't have source code available atm)
    NAMESERVERS="what.ever.your.nameserver" - your ns1 domain
    NAMESERVER_TXT_DOMAIN="whatever.whatever.com" - a TXT record that has your nameservers listed (just for onboarding page)
    ALL_IP_DOMAIN="whatever.whatever.com" - domain with A record that has all your server IPs
    
    ALLOW_SELF_SIGNED_SSL= - allow self-signed dataplane api certs, not recommended
    PINNED_FP= - pinned fingerprint of dataplane api cert, just leave blank
    CUSTOM_CA_PATH= - path to your ca cert if it's in a custom location
    INFLUX_HOST= - influxdb details for collecting stats from haproxy, requires stats endpoint enabled
    INFLUX_TOKEN=
    LOKI_HOST= - not used yet iirc but for loki collecting haproxy logs.
    LOKI_AUTH=
    

    NOTE:

    • The dns part won't work because it's not open source, so some stuff won't work like dns health checking and using it as a dns control panel.

    • Each account needs the same clusters list in the "clusters" prop of their account in the db. In theory they can have multiple but there are other processes (dns healthcheck, auto renewing certs, etc) that only support 1 cluster atm. You can edit it in app on the /clusters url

    • You can see the other processes in ecosystem.config.js and run them with pm2 if you want.

    • certs are saved in the db and can be redeployed, but maps (any page with url starting in /map) are read and written directly to haproxy and persisted to disk on all proxies. If you lose the maps folder on all proxies in a cluster you can't get them back. Also you can face syncing issues if a proxy goes offline and misses commands. I personally use ansible to resync them if this happens but a builtin automated method and more robust dataplaneapi interaction is coming

    • There is a lot of stuff that is hardcoded to basedflare branding or otherwise very customised to my use case as I am "productising" it, but you can remove those for your own deployment ofc.

    If this is too much headache, and depending on your website's bandwidth usage I'm happy to proxy it for you, for a small fee :^)
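Two checks a deployer would want after reading the env list and the notes above, added here as an example and not code from the haproxy-panel-next project: the first flags the shipped defaults that the post itself warns about (COOKIE_SECRET left at "changeme", a DEFAULT_CLUSTER of admin:admin over plain http, ALLOW_SELF_SIGNED_SSL, an unauthenticated DB_URL); the second compares one HAProxy map file across several proxies to find the drift that happens when a proxy goes offline and misses commands. It only assumes the KEY=VALUE .env format shown in the thread and the standard HAProxy map layout of one "key value" pair per line; every sample file below is constructed for the demonstration, and the hostnames and passwords in it are placeholders.

```python
"""Post-install checks for a haproxy-panel-next style deployment (added example,
not project code). Assumes .env is KEY=VALUE lines and HAProxy maps are
one "key value" pair per line. All sample inputs are constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed .env carrying the defaults listed in the thread (not a real deployment).
WEAK_ENV = """\
COOKIE_SECRET="changeme"
REDIS_PASS=
DB_URL="mongodb://localhost:27017"
DEFAULT_CLUSTER="http://admin:admin@localhost:2001/"
ALLOW_SELF_SIGNED_SSL=
"""

# The same file with the risky values corrected; the values are placeholders.
HARDENED_ENV = """\
COOKIE_SECRET="REPLACE_WITH_32_RANDOM_BYTES_HEX"
DB_URL="mongodb://panel:REPLACE_WITH_DB_PASSWORD@localhost:27017"
DEFAULT_CLUSTER="https://panel:REPLACE_WITH_API_PASSWORD@proxy1.example.invalid:2001/"
"""


def parse_env(text):
    """Parse KEY=VALUE lines; quotes are stripped, comments and blanks skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(env):
    """Return findings for settings that weaken the panel or its proxies."""
    findings = []
    if env.get("COOKIE_SECRET", "") in ("", "changeme"):
        findings.append("COOKIE_SECRET is empty or 'changeme': session cookies can be forged")
    for raw in env.get("DEFAULT_CLUSTER", "").split(","):  # comma separated list
        url = raw.strip()
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{url}: dataplaneapi credentials sent over plain {parsed.scheme}")
        if (parsed.username, parsed.password) == ("admin", "admin"):
            findings.append(f"{url}: default admin:admin dataplaneapi credentials")
    if env.get("ALLOW_SELF_SIGNED_SSL", "").lower() in ("1", "true", "yes"):
        findings.append("ALLOW_SELF_SIGNED_SSL set: dataplaneapi certificate is not verified")
    if not env.get("REDIS_PASS") and env.get("REDIS_HOST", "127.0.0.1") not in ("127.0.0.1", "localhost"):
        findings.append("REDIS_PASS empty while REDIS_HOST is remote")
    if not urlparse(env.get("DB_URL", "")).username:
        findings.append("DB_URL carries no credentials: MongoDB must not be reachable off-host")
    return findings


def parse_map(text):
    """Parse an HAProxy map file into {key: value}; '#' lines are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            entries[key] = value.strip()
    return entries


def map_drift(maps_by_proxy):
    """Find proxies whose copy of a map disagrees with the majority.
    Absence counts as a vote of None, so a stale entry held by one proxy
    is flagged on that proxy. Returns {proxy: {key: (seen, expected)}}."""
    keys = set().union(*(entries.keys() for entries in maps_by_proxy.values()))
    expected = {}
    for key in keys:
        counts = defaultdict(int)
        for entries in maps_by_proxy.values():
            counts[entries.get(key)] += 1
        expected[key] = max(counts, key=counts.get)
    drift = {}
    for proxy, entries in maps_by_proxy.items():
        diffs = {k: (entries.get(k), v) for k, v in expected.items() if entries.get(k) != v}
        if diffs:
            drift[proxy] = diffs
    return drift


# Constructed copies of a blockedip map; proxy-c was offline and missed one command.
SAMPLE_MAPS = {
    "proxy-a": "# blockedip\n198.51.100.7 1\n203.0.113.0/24 1\n",
    "proxy-b": "198.51.100.7 1\n203.0.113.0/24 1\n",
    "proxy-c": "198.51.100.7 1\n",
}

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, check_env(parse_env(text)) or "no findings")
    print(map_drift({p: parse_map(t) for p, t in SAMPLE_MAPS.items()}))
```

Run against a real install, `check_env` would read the panel's .env and `map_drift` would take the same map file fetched from each proxy in a cluster (dataplaneapi or plain scp); the majority-vote reference is what lets it point at the proxy that missed commands rather than at the ones that are current.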

  • Neoon Community Contributor, Veteran

    @fatchan said:
    The dns part wont work because its not open source, so some stuff wont work like dns health checking and using it as a dns control panel.

    That is a pity, so you would have to add your own DNS integration to make the panel fully work so users are able to add their domains.

  • fatchan Member
    edited October 2023

    @ehhthing said: Why are we still talking about this, all of their claims are absolute bullshit.

    They CANNOT do any kind of WAF (beyond TLS fingerprinting) or caching if they don't MITM.

    I never said this, but it's not impossible.

    You can deploy your own haproxy+dataplaneapi. In theory with a stripped out client-native (the golang api client for haproxy), and give me credentials. This would let you run your own proxy, and hold the keys with no way for me to extract it. But you could grant access to stats, anonymized logs, and control over maps that let me enable protection modes.

    @Neoon said: That is a pity, so you would have to add your own DNS integration to make the Panel full work so users are able to add their domains.

    Basically, I have forked a plugin for coreDNS and it works great. But the plugin that is "official" and recommended by coredns has no LICENSE so it's a bit ambiguous. And their plugin is a fork of an abandoned project which had no LICENSE. I emailed the company who used to maintain it, but they are Iranian(?) and weren't able to understand my question about licensing. Here is the original repo: https://github.com/arvancloud/redis
    If you get them to give a green light, I can release my improved fork that is compatible with the control panel.

  • @fatchan said:

    @ehhthing said: Why are we still talking about this, all of their claims are absolute bullshit.

    They CANNOT do any kind of WAF (beyond TLS fingerprinting) or caching if they don't MITM.

    I never said this, but its not impossible.

    You can deploy your own haproxy+dataplaneapi. In theory with a stripped out client-native (the golang api client for haproxy), and give me credentials. This would let you run your own proxy, and hold the keys with no way for me to extract it. But you could grant access to stats, anonymized logs, and control over maps that let me enable protection modes.

    This is not a WAF or even DDoS protection, at that point, you might as well just have a script that turns on when your website's CPU usage goes up too high...

  • fatchan Member
    edited October 2023

    Just spitballing ideas, it's not something I do or ever said I do. Anyway, it could be more detailed than that, CPU is not the only stat or log you know 🙂

    Just don't get caught up on something being bullshit/impossible when I never made that claim.
