Post ABDsOKZDwez4pMMuoq by pra@mstdn.io
 (DIR) Post #ABDUtK3bUeoDK4p81w by izaya@social.shadowkat.net
       2021-09-10T11:13:16.070271Z
       
       0 likes, 1 repeats
       
        Is there some way I can redirect youtube to invidious, twitter to nitter, etc, at the network level rather than having to install software on every client device?
        Would setting CNAME records in my router's DNS config work?
       
 (DIR) Post #ABDV90VtvKzPLJXS5I by TransGal4872@mk.absturztau.be
       2021-09-10T11:16:05.585Z
       
       0 likes, 0 repeats
       
       @izaya@social.shadowkat.net You don't want to ever end up relying on a single invidious node though
       
 (DIR) Post #ABDVBJP6f1WSVeSXqa by nihl@p.umbriel.fr
       2021-09-10T11:14:04.314456Z
       
       0 likes, 0 repeats
       
       @izaya Redirecting to your own servers or public ones? A problem I think of is certificates, especially the SANs that won't match and your browser won't be very happy if you don't redirect properly.
       
 (DIR) Post #ABDVBJvMj5KK7hYJ84 by izaya@social.shadowkat.net
       2021-09-10T11:16:29.012003Z
       
       0 likes, 0 repeats
       
       @nihl I wouldn't be strictly opposed to running my own nitter and invidious instances, but I'd prefer to just use public ones.
       
 (DIR) Post #ABDVDNJt4ZP3EX0BU0 by izaya@social.shadowkat.net
       2021-09-10T11:16:53.598723Z
       
       0 likes, 0 repeats
       
       @TransGal4872 My plan was to write a script to grab the list from invidio.us and then round-robin the responses
       
 (DIR) Post #ABDVFGG2IgqFuT6GDw by TransGal4872@mk.absturztau.be
       2021-09-10T11:17:13.735Z
       
       0 likes, 0 repeats
       
       @izaya@social.shadowkat.net Nice
       
 (DIR) Post #ABDVhQYraLLPyTKwyW by izaya@social.shadowkat.net
       2021-09-10T11:22:19.330003Z
       
       0 likes, 0 repeats
       
        @TransGal4872 An alternative implementation may be a local CGI script that redirects to a random one
        not 100% sure how I want to do it
       
 (DIR) Post #ABDW9uIyalxkKbUCOW by Stellar@mk.absturztau.be
       2021-09-10T11:27:28.022Z
       
       0 likes, 0 repeats
       
       @izaya@social.shadowkat.net i guess
       
 (DIR) Post #ABDXpzQC3kzmJfUa2q by wolf480pl@mstdn.io
       2021-09-10T11:46:15Z
       
       0 likes, 0 repeats
       
       @izaya point the DNS to a local http server doing 3xx redirects. That's how the govts do it, and it only causes 1 certificate warning instead of 1000
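The redirector wolf480pl sketches, written out as an added example (not code from anyone in the thread): a small HTTP server that answers every request for an intercepted hostname with a 302 to a replacement front-end, preserving path and query. The hostnames and instance origins are constructed placeholders, and the dnsmasq line in the comment is the override that would make clients land here. As the rest of the thread shows, this only helps for hosts the browser has not already marked as HSTS-only; for those, the browser will not accept the redirector's certificate in the first place.

```python
"""Minimal host-based redirector for DNS-level "redirect to another site".

Added example, not from the thread. Resolve the intercepted names to the
machine running this, e.g. in dnsmasq:

    address=/youtube.com/192.0.2.10
    address=/twitter.com/192.0.2.10

(192.0.2.10 is a placeholder for this host.) Every request then gets a 302
to a replacement origin with the original path and query carried over.
"""
import random
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping: intercepted hostname -> candidate replacement origins.
# In the thread the YouTube list is fetched from the Invidious API; here it is
# a static stand-in so the example runs offline.
REPLACEMENTS = {
    "youtube.com": ["https://invidious.example.org", "https://inv.example.net"],
    "www.youtube.com": ["https://invidious.example.org", "https://inv.example.net"],
    "twitter.com": ["https://nitter.example.org"],
}


def pick_target(host, path, rng=random):
    """Return the Location for an intercepted request, or None when the Host
    header is not one we intercept (so unrelated names that happen to resolve
    to this box are not redirected anywhere)."""
    host = host.split(":", 1)[0].lower()  # drop :port, normalise case
    candidates = REPLACEMENTS.get(host)
    if not candidates:
        return None
    origin = rng.choice(candidates).rstrip("/")
    # Pass only path and query through. A request line such as
    # "//evil.example/x" would otherwise smuggle in a host and turn this
    # into an open redirector.
    parts = urlsplit(path)
    safe_path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return origin + safe_path


class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        target = pick_target(self.headers.get("Host", ""), self.path)
        if target is None:
            self.send_error(404, "not an intercepted host")
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Plain HTTP on 8080 for local testing; a real deployment also needs a
    # TLS listener on 443, which is where the certificate warning comes from.
    HTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

Run it, point a resolver override at the host, and `curl -i http://twitter.com/someone/status/1` returns a 302 whose Location keeps the path. Browsers that already treat twitter.com or youtube.com as HTTPS-only will never send that plain-HTTP request.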
       
 (DIR) Post #ABDdOW33l9p57hxE8W by izaya@social.shadowkat.net
       2021-09-10T12:48:24.697009Z
       
       0 likes, 1 repeats
       
        So I wrote a CGI script to grab the current invidious instances and redirect to one at random.
        Works great in curl.
        Firefox chucks a fit when I try, because of HSTS. I cleared HSTS for Youtube, and it still does it.
        Can't create an exception and can't disable HSTS.
       
 (DIR) Post #ABDdrbXYQ6WiYP5XUG by izaya@social.shadowkat.net
       2021-09-10T12:53:43.124425Z
       
       0 likes, 0 repeats
       
        Okay, I found a sekrit option to disable HSTS.
        This isn't a solution, what the fuck.
       
 (DIR) Post #ABDdtbYDLqjXAMLojQ by simon@weeaboo.space
       2021-09-10T11:53:01.973317Z
       
       0 likes, 0 repeats
       
       @wolf480pl @izaya http will not work since most of those sites should use hsts (preloading).
       
 (DIR) Post #ABDdtc7fE35cwIw7zE by wolf480pl@mstdn.io
       2021-09-10T12:53:42Z
       
       0 likes, 0 repeats
       
        @simon @izaya by http server I mean https server as well. It will give you a certificate warning the first time, but if you click through it and browser sees the redirect, it should be fine from there
       
 (DIR) Post #ABDdtcgP8ssYg3Bs8W by wolf480pl@mstdn.io
       2021-09-10T12:54:07Z
       
       0 likes, 0 repeats
       
       @simon @izaya Unless HSTS messes with the warning too
       
 (DIR) Post #ABDdwZjaYtA4Ov5V0S by izaya@social.shadowkat.net
       2021-09-10T12:54:41.103429Z
       
       0 likes, 0 repeats
       
       @wolf480pl @simon HSTS will stop you from creating an exception for the site even if you've never been there before.
       
 (DIR) Post #ABDeHR2Q5bVDVkqIN6 by izaya@social.shadowkat.net
       2021-09-10T12:58:26.185517Z
       
       0 likes, 0 repeats
       
        Disabling the HSTS preload stuff makes it work.
        What a janky piece of shit. This hasn't saved me any work, and what about browsers where I can't turn off HSTS preloading?
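The two HSTS behaviours izaya hit, as an added example that models the browser side (not code from the thread): a host covered by the preload list, or by a stored Strict-Transport-Security policy that has not expired, has its http:// navigations rewritten to https:// before any request is sent (RFC 6797 section 8.3), and certificate errors for such a host are not user-overridable (section 12.1). The preload set here is a two-entry stand-in for the much larger list compiled into real browsers, and the nitter hostname is constructed.

```python
"""Model of a browser's HSTS decisions: preload list + dynamic store.

Added example, not from the thread. Shows why a plain-HTTP 3xx redirector
is never even fetched for a covered host, and why a covered host gets no
"add exception" button, including on the very first visit when the host
is in the compiled-in preload list.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browsers' built-in preload list:
# host -> whether the entry also covers subdomains.
PRELOAD = {"youtube.com": True, "twitter.com": True}

_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^;"]*)"?)?\s*')


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age; RFC 6797 makes it mandatory,
    so a header without it must be ignored rather than treated as "forever".
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age" and value is not None and value.strip().isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload = dict(preload)
        self.dynamic = {}  # host -> (expires_at, include_subdomains)
        self.now = now

    def observe(self, host, header):
        """Record the header from an HTTPS response of host; max-age=0 clears it.
        (Clearing only touches the dynamic store; a preloaded host stays covered,
        which is what "I cleared HSTS for Youtube and it still does it" means.)"""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (self.now() + max_age, include_sub)

    def is_known_host(self, host):
        """True if host, or a superdomain whose entry has includeSubDomains,
        is in the preload list or the unexpired dynamic store."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def navigate(self, url):
        """Return (url_actually_requested, cert_error_overridable)."""
        parts = urlsplit(url)
        if self.is_known_host(parts.hostname or ""):
            if parts.scheme == "http":
                netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
                parts = parts._replace(scheme="https", netloc=netloc)
            return urlunsplit(parts), False
        return urlunsplit(parts), True
```

`navigate("http://www.youtube.com/...")` comes back as an https:// URL with no override allowed even though the store has never seen a header from youtube.com; that is the preload entry doing its job, and it is exactly the case a network-level redirect cannot get around without changing the client.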
       
 (DIR) Post #ABDeMWeadcCcNM7j6G by wolf480pl@mstdn.io
       2021-09-10T12:59:21Z
       
       0 likes, 0 repeats
       
        @izaya @simon damn.
        Ok one other option that it'd be hilarious if it worked, but why not try:
        search lan
        youtube.com.lan IN CNAME ...
       
 (DIR) Post #ABDfjzEadqyhdDiHlA by simon@weeaboo.space
       2021-09-10T13:14:12.852055Z
       
       0 likes, 0 repeats
       
        @izaya @wolf480pl That's what I meant. HSTS does a lot more than enforcing https. I protects the user from clicking on buttons they should not.
       
 (DIR) Post #ABDfjzj4oVMf9lydHM by izaya@social.shadowkat.net
       2021-09-10T13:14:45.254044Z
       
       0 likes, 0 repeats
       
       @simon @wolf480pl And stops admins from administrating, in this case >.>
       
 (DIR) Post #ABDfk0vWLiueseo5JY by simon@weeaboo.space
       2021-09-10T13:14:35.232205Z
       
       0 likes, 0 repeats
       
        @izaya @wolf480pl *it
       
 (DIR) Post #ABDfsE8v614OBbzTMm by izaya@social.shadowkat.net
       2021-09-10T13:16:15.892122Z
       
       0 likes, 0 repeats
       
        okay in the case of nitter I can just add cname=twitter.com,twiiit.com to /etc/dnsmasq.conf
        maybe I need to make a public, HTTPS, "redirect me to a random invidious" page
       
 (DIR) Post #ABDhsddmUngZAskWno by izaya@social.shadowkat.net
       2021-09-10T13:38:46.499327Z
       
       0 likes, 0 repeats
       
        well, it appears the last several hours of my life have been wasted thanks to the effort of google
        here's the source for my mediocre redirect script I guess

            #!/usr/bin/env lua
            -- CGI script: redirect the requested path to a random Invidious instance.
            -- Expects /tmp/invidious.json to hold the output of the Invidious
            -- /api/v1/instances endpoint (an array of [name, {uri=..., ...}] pairs).
            local json = require "json"
            math.randomseed(os.time())

            local f = assert(io.open("/tmp/invidious.json", "rb"))
            local t = json.decode(f:read("*a"))
            f:close()

            -- Take the first ten listed instances as redirect candidates.
            local instances = {}
            for i = 1, math.min(10, #t) do
              instances[#instances + 1] = t[i][2].uri
            end

            -- A Location header with an absolute URL makes the web server send a 302;
            -- REQUEST_URI carries the original path and query so deep links survive.
            local path = os.getenv("REQUEST_URI") or "/"
            io.write(string.format("Status: 302 Found\r\nLocation: %s%s\r\n\r\n",
                                   instances[math.random(1, #instances)], path))
       
 (DIR) Post #ABDi9o7KnTXGael9aS by wolf480pl@mstdn.io
       2021-09-10T13:41:52Z
       
       0 likes, 0 repeats
       
        @izaya @simon let's face it, what you're trying to do is a MITM (or at least indistinguishable from a MITM from the browser's POV).
       
 (DIR) Post #ABDiDg0urr0OcFbPu4 by izaya@social.shadowkat.net
       2021-09-10T13:42:34.747945Z
       
       0 likes, 0 repeats
       
       @wolf480pl @simon I don't care about the traffic, I just want the browser to go somewhere else
       
 (DIR) Post #ABDiIbtjb753Iab0C0 by izaya@social.shadowkat.net
       2021-09-10T13:43:30.387292Z
       
       0 likes, 0 repeats
       
       @wolf480pl @simon which is why browsers chucking a fit when I return an IP and a CNAME when they ask for a website because "waa this doesn't match the certificate for the website that we're not even visiting any more" is complete bullshit
       
 (DIR) Post #ABDk3cn2COnhd6RadM by wolf480pl@mstdn.io
       2021-09-10T14:03:10Z
       
       0 likes, 0 repeats
       
       @izaya @simon But then you could totally proxy it to youtube under the hood, or make a youtube-lookalike and phish the passwords out of users
       
 (DIR) Post #ABDkFsEabQpJ0MAoSW by kayden@fedi.nullob.si
       2021-09-10T14:04:41.313Z
       
       0 likes, 0 repeats
       
       @izaya@social.shadowkat.net @wolf480pl@mstdn.io @simon@weeaboo.space you could use self signed CA certificate and add it to your devices :)
       
 (DIR) Post #ABDkFskUgoLabJ6IBk by izaya@social.shadowkat.net
       2021-09-10T14:05:23.481239Z
       
       0 likes, 0 repeats
       
        @kayden @wolf480pl @simon unfortunately that's what I'm trying to avoid with this not-so-trivial bit of redirection
        the point was to avoid having to do any client-side configuration x_x
       
 (DIR) Post #ABDkGL79EB6aZfumO0 by izaya@social.shadowkat.net
       2021-09-10T14:04:48.157979Z
       
       0 likes, 0 repeats
       
        @wolf480pl @simon with just DNS redirection?
        they could check the URL bar
       
 (DIR) Post #ABDkRVN1R6yfZIfECe by wolf480pl@mstdn.io
       2021-09-10T14:07:29Z
       
       0 likes, 0 repeats
       
        @izaya @simon In a world where people confiscate their grandmas' smartphones, sure
       
 (DIR) Post #ABDlVY7hF8tbDbzJLM by pra@mstdn.io
       2021-09-10T14:19:26Z
       
       0 likes, 0 repeats
       
       @izaya Unfortunately what you're doing is basically indistinguishable from malicious actors trying to impersonate a secure site.
       
 (DIR) Post #ABDlVZJ4qJaqtCJuim by pra@mstdn.io
       2021-09-10T14:19:27Z
       
       0 likes, 0 repeats
       
       @izaya Perhaps a browser extension would work better?
       
 (DIR) Post #ABDmr68A6D8Kj62pEW by izaya@social.shadowkat.net
       2021-09-10T14:34:30.452420Z
       
       0 likes, 0 repeats
       
        @pra The entire point was to avoid having to install extensions and configuration on every device.
        Also all the twitter -> nitter ones are broken, at least on my setup. Preferable to get an error page than twitter though I guess.
       
 (DIR) Post #ABDs0vVqvl82SidEcC by simon@weeaboo.space
       2021-09-10T15:29:34.548269Z
       
       0 likes, 0 repeats
       
       @izaya @wolf480pl Adding your own CA to the cert storage should work though. Unless certificate pinning and DoH messes with you once again.
       
 (DIR) Post #ABDs0w3WuY4E9AO86i by wolf480pl@mstdn.io
       2021-09-10T15:32:19Z
       
       0 likes, 0 repeats
       
       @simon @izaya I think the point is it should work for guests visiting Izaya as well
       
 (DIR) Post #ABDsOJAj8FnKV5tpzs by pra@mstdn.io
       2021-09-10T15:36:34Z
       
       0 likes, 0 repeats
       
       @izaya Well you're up against decades of work by security researchers to prevent a MITM actor from interfering with HTTPS data.  Modifying clients is going to be easier.
       
 (DIR) Post #ABDsOKZDwez4pMMuoq by pra@mstdn.io
       2021-09-10T15:36:35Z
       
       0 likes, 0 repeats
       
       @izaya The least intrusive option I can think of is what enterprise companies do -- install a local CA on your clients and have your reverse proxy/interceptor use certs signed by that CA to masquerade as the sites you want to disrupt.
       
 (DIR) Post #ABDsOPGGUZn1O0XLSi by pra@mstdn.io
       2021-09-10T15:36:36Z
       
       0 likes, 0 repeats
       
       @izaya Lots of footguns there, though.  Keep that CA private key securely offline!
       
 (DIR) Post #ABE5imJHo29A4Azhs8 by izaya@social.shadowkat.net
       2021-09-10T18:05:48.449310Z
       
       0 likes, 0 repeats
       
        @pra I don't want to touch the data, I just want to point clients to a different domain entirely
        which fair could be interpreted as phishing but they're my computers, I own them, they should do what I goddamn tell them