a muffin with purple glowing regions where a 3d vornoi function using chebychev distance exceeds some threshold

metamuffin's personal website

New Website and gnix

fixme: probably contains a lot of errors, shouldn't have written this late

Last weekend I started a new attempt writing a reverse proxy: This time, with success! I have been able to finally replace nginx for all services. Additionally I now have a wildcard TLS certificate for all of *.metamuffin.org.

The cgit instance is no longer available since it used CGI, which gnix does not support nor I like.

The reverse-proxy

Nginx was not optimal because I found it was hard to configure, required certbot automatically chaning the config and was also just too much for my use case. (Who needs a http server that can also serve SMTP?!)

My new solution (gnix) has very limited configuration abilities for now but just enough to work. I simplified about 540 lines of /etc/nginx/nginx.conf to only 20 lines of /etc/gnix.toml (yesss. TOML. of course it is.). The Proxy now only acts as a "Hostname Demultiplexer". A configuration could look like this:

bind = ""

bind = ""
tls_cert = "/path/to/cert.pem"
tls_key = "/path/to/key.pem"

"domain.tld" = { backend = "" }
"www.domain.tld" = { backend = "" }
"keksmeet.domain.tld" = { backend = "" }
"otherdomain.tld" = { backend = "example.org:80" }

I am running two gnix instances now, one for :80+:443 and another for matrix federation on :8448. Additionally this required me to move my matrix homeserver from https://metamuffin.org/_matrix to https://matrix.metamuffin.org/_matrix via the .well-known/matrix/server file. And that intern required me to host a file there, which was nginx' job previously. At this point I started rewriting my main website.

Wildcard Certificates

Another inconvinience was that I would need certbot to aquire one certificate for each subdomain. Letsencrypt offers wildcard certificates; These can be obtained by solving an ACME challenge that requires changing a DNS record (to prove you own the domain). My current registrar (Namecheap) does not offer me an API for automatically applying these though. They do however (through a very very confusing, badly designed user interface) allow me to set a custom nameserver. By setting the nameserver to (IP address of my VPS) the server can run its own nameserver that has authority over resolving metamuffin.org. I used BIND9's named to do that and also dynamically update records.

# /etc/named.conf (-rw-------; owned by named)
zone "metamuffin.org" IN {
	type master;
    # the zone file is trivial to configure, look it up somewhere else. :)
	file "metamuffin.org.zone";
    update-policy {
        # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
        grant certbot. name _acme-challenge.metamuffin.org. TXT;

# generated with `tsig-keygen -a HMAC-SHA512 -n HOST certbot`
key "certbot" {
	algorithm hmac-sha512;

Then certbot can be configured to use these credentials for solving challenges:

# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
dns_rfc2136_server =
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_algorithm = HMAC-SHA512

Now you can automatically request new wildcard certificates by running doas certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.domain.tld' -d 'domain.tld' --server https://acme-v02.api.letsencrypt.org/directory

Rewrite of my website

As mentioned above, I replace my former Deno + pug.js + static file server setup with a custom rust application (using Rocket and Markup and 253 other dependencies). I rewrote my blog rendering system too, that why you don't see syntax highlighting right now.


In case of questions, ask me. Have fun suffering with the modern web!

Article written by metamuffin, text licenced under CC BY-ND 4.0, non-trivial code blocks under GPL-3.0-only except where indicated otherwise

Advertisement by a first-party
Advertisement by a third-party