this post was submitted on 05 Jul 2023
3332 points (99.4% liked)

Lemmy.World Announcements

29084 readers
207 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to info@lemmy.world e-mail.

Report contact

Donations ๐Ÿ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

Another day, another update.

More troubleshooting was done today. What did we do:

  • Yesterday evening @phiresky@phiresky@lemmy.world did some SQL troubleshooting with some of the lemmy.world admins. After that, phiresky submitted some PRs to github.
  • @cetra3@lemmy.ml created a docker image containing 3PR's: Disable retry queue, Get follower Inbox Fix, Admin Index Fix
  • We started using this image, and saw a big drop in CPU usage and disk load.
  • We saw thousands of errors per minute in the nginx log for old clients trying to access the websockets (which were removed in 0.18), so we added a return 404 in nginx conf for /api/v3/ws.
  • We updated lemmy-ui from RC7 to RC10 which fixed a lot, among which the issue with replying to DMs
  • We found that the many 502-errors were caused by an issue in Lemmy/markdown-it.actix or whatever, causing nginx to temporarily mark an upstream to be dead. As a workaround we can either 1.) Only use 1 container or 2.) set ~~proxy_next_upstream timeout;~~ max_fails=5 in nginx.

Currently we're running with 1 lemmy container, so the 502-errors are completely gone so far, and because of the fixes in the Lemmy code everything seems to be running smooth. If needed we could spin up a second lemmy container using the ~~proxy_next_upstream timeout;~~ max_fails=5 workaround but for now it seems to hold with 1.

Thanks to @phiresky@lemmy.world , @cetra3@lemmy.ml , @stanford@discuss.as200950.com, @db0@lemmy.dbzer0.com , @jelloeater85@lemmy.world , @TragicNotCute@lemmy.world for their help!

And not to forget, thanks to @nutomic@lemmy.ml and @dessalines@lemmy.ml for their continuing hard work on Lemmy!

And thank you all for your patience, we'll keep working on it!

Oh, and as bonus, an image (thanks Phiresky!) of the change in bandwidth after implementing the new Lemmy docker image with the PRs.

Edit So as soon as the US folks wake up (hi!) we seem to need the second Lemmy container for performance. So that's now started, and I noticed the proxy_next_upstream timeout setting didn't work (or I didn't set it properly) so I used max_fails=5 for each upstream, that does actually work.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] pathief@lemmy.world 21 points 1 year ago* (last edited 1 year ago) (4 children)

Is it safe to use 2FA yet?

[โ€“] ruud@lemmy.world 8 points 1 year ago (1 children)

It doesn't really work I think. Havent tested yet.

[โ€“] pathief@lemmy.world 4 points 1 year ago

Thanks for the feedback, I'll hold for now!

[โ€“] Rootiest@lemmy.world 7 points 1 year ago

I couldn't get it to work.

I was able to enable it and add the code to my authenticator but it would not accept a login with the 2FA code.

Fortunately I was still logged in elsewhere to disable 2FA again or I may have gotten locked out

[โ€“] pitninja@lemmy.world 4 points 1 year ago (1 children)

It's always been safe to use 2FA if your authenticator app supports SHA256. Unfortunately, it turns out that a lot don't. The only solutions are going to be Lemmy switching to SHA1 or users switching to auth apps that support SHA256. I think the first is more likely to happen than the second.

[โ€“] pathief@lemmy.world 2 points 1 year ago (1 children)

I suppose Authy doesn't yet support SHA256? :/

[โ€“] pitninja@lemmy.world 1 points 1 year ago (1 children)

I believe that is correct, from what I'm reading. I think Lemmy is probably going to switch to SHA1 as the default. Research has shown that it's basically as safe to use for 2FA as SHA256 and SHA512 and obviously it has universal compatibility per the spec. The spec only lists SHA256 & 512 as allowed alternatives, not required for full adherence to the spec. I imagine Lemmy will change it so that SHA1 is the default option with maybe an option to still do SHA256 with some well explained warnings.

[โ€“] pathief@lemmy.world 1 points 1 year ago

From what I've researched you're 100% correct.

The main problem is that even though Authy doesn't support SHA256, Lemmy still enables 2FA. Lemmy doesn't ask for an auth token before enabling 2FA nor generates any backup codes. The user is prompted with success but will be locked out on of the account on sign out. Not good.

[โ€“] dzervas@lemmy.world 3 points 1 year ago

just tried it and it works