Also aim for non-networked TVs or they might be doing ACR and phoning home, even if you’re watching your own physical content. A former coworker on ad selling side mentioned before ACR on smart TVs, companies like Nielsen and alike would track content using digital fingerprints hidden in the overscan part of your TV. So there’s all sorts of creepy tracking tech all over.
If privacy is the concern, you should really read the breakdown from Mozilla someone shared. Can’t miss it, large wall of text in this thread. Apple ecosystem is much better than others in the privacy department. The other players are much worse when it comes to personal data collection and selling.
FWIW, I think there is a slow push towards a consolidated “TV” experience which may or may not have started as result of Apple launching Apple TV+. Sometime over the last several years, there have been a push towards consolidating the streaming content into one place, so users would theoretically get a unified search and viewing experience. I think the most recent version of tvOS even did away the iTunes Store in favor of having that integrated directly in the TV app.
However, I said may or may not have started as result of Apple TV+ service because that seems like a consistent trend across the board. Even in Plex, I do a search, I get a bunch of content that they’re trying to redirect me towards (Plex’s own FAST TV service, and maybe even purchase else where if memory serves).
None of these negates what you’ve said though. It has nothing to do with TV+ service, and dude could’ve just ignored the TV app and used the Plex app if that’s their streaming source. In fact, Plex cannot integrate into the TV app because Plex cannot provide searchable metadata about content on your server to Apple in a unified fashion — vaguely recall reading something about Apple requires app to give one search end-point that will return one search result to Movie X, and there’s no way for Plex to differentiate my version of Movie X on my server from your version of Movie X on your server. So even the whole TV app thing is kind of moot.
If you have Apple users at home, the integrated experience and the video quality is going to be very hard to match from other platforms. My parents use Chromecast and it takes so many more steps to send content on to their media system. The video quality when casting also suffers a little, though that may be because they’re using cheap ISP router AP combo box, and I’m using Ubiquiti APs instead. Having said that, I do think the A15 processor in the most recent model is an overkill in the graphics performance department, so I wouldn’t completely rule out device capability compared as the cause of video quality difference.
Based on my readings, I think most recent high end nVIDIA Shield Tv Pro is the only closest in terms of raw performance and even then it may be a bit behind. Tegra X1+ found in the Shield Pro is on Maxwell architecture, which is older than GeForce 1080 series’ Pascal architecture, if I’m not mistaken. This would date it to around 2015-ish; whereas the previously mentioned A15 processor in most recent version of AppleTV 4K was introduced in 2021 with iPhone 13 series.
Another user already gave you the answer, but one thing to bear in mind is that Cloudflare only “speak” HTTP(S), and nothing else. So if for example you want to run Minecraft, CloudFlare’s free plan will not allow you to route it through port 80/443 as they don’t know how to “speak” the Minecraft protocol.
Ah sorry I went down the wrong rabbit hole.
I’d imagine an isolated VLAN should be sufficient good starting point to prevent anyone from stumbling on to it locally, as well as any potential external intruder stumbling out of it?
Changing port is security by obscurity and it doesn’t take much time for botnets to scan all of IPV4 space on all ports. See for example the ever updated list that’s available on Shodan.
Disable password login and use certificates as you’ve suggested already, add fail2ban to block random drive-bys, and you’re off to the races.
Cloudflare tunnel is a thin client that runs on your machine to Cloudflare; when there’s a request from outside to Cloudflare, it relays it via the established tunnel to the machine. As such, your machine only need outbound internet access (to Cloudflare servers) and no need for inbound access (I.e. port forwarding).
but I haven’t find that much information on which labels should I add to set it up.
I’ve not automated creation of records for new services, but I’ve made it easier for myself by making hostname.domain.ext the dynamic DNS (managed by a simple cron job with curl commands interacting with the API), and all service.domain.ext just CNAME to the main record.
I don’t think I’ll be automating the creation of the CNAME records because something tells me I’d end up leaving a bunch of dead service DNS records behind.
Most likely some sum of (cores x Ghz) each processor in all servers? While it kind of makes sense, it feels like a much higher clock speed than what I’m used to seeing.
I have a single quad sock E5-4640 server, I think in terms of me having 4 processors with 8 cores at base 2.4Ghz each; I don’t regularly (or ever, for that matter) think in terms of me having 76.8Ghz.
360G8s should be single or dual sock E5 v2 processors. I can’t really math right now (insufficient caffeine), but I can’t seem to make the math work, so I’d imagine something that to be an aggregated across all three systems, not individual systems?
Think of the path the user go form their browser to your service as a children’s connect the dots game. They must go from their browser, to the internet, … eventually to your service, each step doing one thing to get closer to the service and back. Both Traefik and Nginx reverse proxy does the same thing, routing traffic from the entry point to your service, so you don’t need both.
I think the path currently might look something like this:
User -> Internet -> Cloudflare DNS (port 80/443) -> Cloudflare Tunnel (inside your network) -> Traefik (port 80/443) -> Service A
And now you want to add an extra route that goes something like:
User -> Internet -> Cloudflare DNS (port 80/443) -> Cloudflare Tunnel (inside your network) -> Nginx Reverse Proxy (can’t use port 80/443 because it’s taken by Traefik, so port XYZ but that costs a fee) -> Service B
If this understanding is correct, I’d recommend simplifying to just either Traefik or Nginx, as both does the same job of routing traffic from your entrypoint (Cloudflare tunnel) to your service.
For a Traefik based setup, you’d ideally put it on a bridged host network in docker, and have it listen there. Add individual service you’d want to expose (i.e. just the container of the web server for the app, not the database) to that network, and apply the appropriate container labels to expose it. It’d then be able to handle all the appropriate routing for you.
I don’t use Nginx, so I can’t touch on that, but I’d imagine similar setup in which you have Nginx listen to 80/443, then have it route the request to your service as needed based on whatever setup mechanism it uses.
On incoming side of things:
In between your IP change, your script update your DNS record, and finally sender’s server gets the new IP address, you may lose emails coming to you. Most mail providers will eventually, at their chosen cadence and frequency, attempt to re-deliver the messages, so you might get them eventually on a delay. There is no way of knowing what you’re not missing in the event the sender’s server not retrying. Mails coming to you is delivered into folders per your configuration, and should not end up in spam because of your IP change.
On the outgoing side of things:
Every IP address has some reputation attached to it. Residential addresses tends to score lowly because of people getting virus/malware and become part of a bot net to spam. As you’ve got no control over the IP address you’d receive from your provider, there’s no guarantee if you will receive a clean IP or not. Worst case scenario here is you might end up with a blacklisted IP, and your mail never gets accepted (or silently discarded) by receiver’s mail server. You may also run into SPF record needing the IP address but you can probably get your DDNS script to update this as well or, maybe just use an A record.
If your intention is to receive emails, it might work, but you might miss a message or few.
If your intention is to send mails, it is cheaper and easier to just get a transactional mail provider and pay pennies per thousand mails, and never worry about it.
If your intention is to make a full fledged mail service with send and receive… it’s just not worth the hassle and headache.
A CA cert is higher up can sign for any desired domain. Certificates are a chain of trust and as long as the entire chain can be validated (by the root level installed by the user), then the entire cert will appear valid. During installation, that’s what gets installed and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.
Cloudflare uses LetsEncrypt, Google and a few other CAs to sign their certs. You’re not forced to use them as registrar, and they could (though they will lose accreditation very quickly) in theory sign any domain without you using them to host your domain’s DNS.
As the person I replied to mentioned, these kind of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.
It’s not so absolute; your DNS provider could resolve domains to their own server’s IP and MITM your traffic. This is how some of those DNS based region bypass work — by re-routing your traffic through their server in a supported region.
all your traffic goes through them right?
Depending on provider and intended purpose… strictly speaking, a DNS server tells your computer that example.com resolves to 169.254.169.254 and nothing more.
However, for example, if your DNS provider adds ad blocking, they may choose to change ads.example.com from 169.254.169.254 to 127.0.0.1 thereby preventing any advertiser JavaScripts from being requested. This is fine and all, but you’d have no way to be automatically alerted if they changed it to 123.234.123.234 and serve their own blank scripts.
If for example your DNS provider provides region bypass for streaming providers, they could resolve streaming.example.com from 169.254.169.254 to a server in another country with address 123.234.123.234; and route your request through that in order to circumvent the region lock.
These are all fine and well, but if the provider was compromised and/or sold to malicious actor, they could resolve your-bank.website to a phishing site, and then MITM all the traffic just like the region lock bypass example.
So… in theory, it shouldn’t do anything more than resolving, but in practice, it may be hard to detect, and they could be doing more than just resolving.
If you have Apple users in your household, the current generation of Apple TV 4K 128GB is a solid device that’s going to offer the best integrated experience, along with capability of Thread. If not, it’s probably a bit overpriced compared to the other solutions.
Companies need money to pay their employees. Who would’ve thunk they’d change the licensing to allow them to make money. -surprised pikachu face-
The amount of confidently incorrect responses is exactly what one could expect from Lemmy.
First: TCP and UDP can listen on the same port, DNS is a great example of such. You’d generally need it to be part of the same process as ports are generally bound to the same process, but more on this later.
Second: Minecraft and website are both using TCP. TCP is part of layer 4, transport; whereas HTTP(S) / Minecraft are part of layer 7, application. If you really want to, you could cram HTTP(S) over UDP (technically, QUIC/HTTP3 does this), and if you absolutely want to, with updates to the protocol itself, and some server client edits you can cram Minecraft over UDP, too. People need to brush up on their OSI layers before making bold claims.
Third: The web server and the Minecraft server are not running on the same machine. For something that scale, both services are served from a cluster focused only on what they’re serving.
Finally: Hypixel use reverse proxy to sit between the user and their actual server. Specifically, they are most likely using Cloudflare Spectrum to proxy their traffic. User request reaches a point of presence, a reverse proxy service is listening on the applicable ports (443/25565) + protocol (HTTPS/Minecraft), and then depending on traffic type, and rules, the request gets routed to the actual server behind the scenes. There are speculations of them no longer using Cloudflare, but I don’t believe this is the case. If you dig their mc.hypixel.net domain, you get a bunch of direct assigned IP addresses, but if you tried to trace it from multiple locations, you’d all end up going through Cloudflare infrastructure. It is highly likely that they’re still leaning on Cloudflare for this service, with a BYOIP arrangement to reduce risk of DDOS addressed towards them overflow to other customers.
In no uncertain terms:
mc.hypixel.net, but also have a SRV record for_minecraft._tcp.hypixel.netset for 25565 onmc.hypixel.netmc.hypixel.netdomain has CNAME record formt.mc.production.hypixel.io.which is flattened to a bunch of their own direct assigned IP addresses.