[{"content":"Hello,\nToday, I went to a website to look something up and find a technical answer, as usual, when all of a sudden!\n\"Security\" is a convenient excuse!\nPreamble # Most of the applications you use on your smartphones, cars, bracelets, collars, doorbells, coffee makers, vacuum cleaners, toilet bowls, etc. are connected 24 hours a day to tons of servers that download, store and duplicate staggering amounts of data.\nSmartphones, and behind them an army of other comparable products; applications as services and a whole host of other \"modern\", \"innovative\" and \"disruptive\" concepts have won!\nTo complete this already unflattering picture, all these fine people \"protect\" themselves with CloudFlare.com. Understand, read and see: CloudFlare Incorporated, whose NASDAQ ticker, NET, makes no secret of its ambitions.\nThe \"marketing of stupidity and laziness\" is riding high.\nAll its indicators are green.\nThis sordid approach consists in exploiting the fact that most humans are weak-minded and above all seek never to have to make the slightest effort.\n\"If it is all pre-cooked and pre-chewed, it is perfect!\nIf you have to reflect and think for yourself, it is... mission impossible.\nOr else the result is more hazy than famous.\"\nThe plan works like a house on fire! [1]\nMake no mistake: CloudFlare Inc. and its counterparts are not here to joke around, nor for your pretty eyes. Whatever they say is worth exactly as much as the famous \"Don't be evil\": the value you choose to grant those pretty words.\nMeanwhile, the reality of the facts is implacable.\nIt is done. Mission accomplished. A clean job, without a hitch: you are not only dependent and under their sway, but also under control and under surveillance. 24 hours a day.\nYou have put the Gestapo in your pocket.\nOf your own free will.\nAnd you have no way of getting it out of the product you believe you \"own\".\nFor my part, I will do without that site, as I do without many other things.\nI feel much more \"secure\" this way, and I believe I protect other people's \"security\" much better this way too.\nIncidentally, it spares me from directly or indirectly funding the war effort and imperial power of you-know-who, a power that does not respect the law it intends to impose on others.\nBut why can this work so well and so easily?\nI no longer wonder.\nI understood certain things a long time ago.\nLet's talk about security # Now let's talk a little about security, since that was the subject.\nNo, this is not about security # A security guard who asks me to lower my guard so that he can ensure HIS security is not a good system. Never. You would have to be mad to still think so.\nIncidentally, information systems security officers will appreciate the \"If you are not authorized to change network settings, try another network.\" 🤣\nMy data has leaked so many times # My personal data has already leaked so many times through these \"grand masters\" of security and those who rely on these same pre-chewed security solutions that I have trouble believing they are capable of making the best choices.\nIn reality, they do not need it # Those who know, know that mature security solutions, including CloudFlare Incorporated's, do not need to run scripts or reach inside our web browsers to do their job properly.\nSecurity can be done properly # It is always possible to do security properly and without making one region of the world a vassal of another.\nAdmittedly, that requires intelligence, competence and determination. Three qualities you will not find in great quantity among those people who get paid very handsomely by claiming to be experts in something and who, in the end, merely copy and paste ready-made recipes, very often without having understood all of it.\nAnd we have not even started talking about values or integrity...\nI am reminded of that great master of free software development I ran into recently, officially a member since 1998 of one of the communities I respect most, who... communicates with a Gmail email address... Best regards,\nMarc JESTIN\nhttps://marcjestin.fr\nEpilogue # I am not saying which field the site operates in, nor who it is, but know that this makes the betrayal all the more abject and pathetic. When you claim to hold the role this company holds, you show a minimum of self-respect.\nSo I cannot tell you that the company that owns the site in question claims to train your developers and your brilliant security officers... And so I will not say it.\nMum's the word!\n[1] An expression chosen as a reminder that manipulating the \"labouring masses\" is not a new phenomenon in the history of Humanity.\n","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/posts/cloudflare-de-plus-en-plus-intrusif-la-gestapo-chez-vous-et-avec-vous-24-heures-sur-24/","section":"Posts","summary":"Hello,\nToday, I went to a website to look something up and find a technical answer, as usual, when all of a sudden!\n\"Security\" is a convenient excuse!\nPreamble # Most of the applications you use on your smartphones, cars, bracelets, collars, doorbells, coffee makers, vacuum cleaners, toilet bowls, etc. are connected 24 hours a day to tons of servers that download, store and duplicate staggering amounts of data.\n","title":"CloudFlare ever more intrusive: the Gestapo in your home and with you 24 hours a day","type":"posts"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/tags/donn%C3%A9es-personnelles/","section":"Tags","summary":"","title":"Personal Data","type":"tags"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/categories/enjeux/","section":"Categories","summary":"","title":"Issues","type":"categories"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/areas/informatique-et-technologies-num%C3%A9riques/","section":"Areas","summary":"","title":"Computing and Digital Technologies","type":"areas"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/tags/libert%C3%A9/","section":"Tags","summary":"","title":"Freedom","type":"tags"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/tags/s%C3%A9curit%C3%A9/","section":"Tags","summary":"","title":"Security","type":"tags"},
{"content":"","date":"May 14, 2026","externalUrl":null,"permalink":"/fr/tags/surveillance/","section":"Tags","summary":"","title":"Surveillance","type":"tags"},
{"content":"Hello,\nToday, since for a while I had been seeing failed login attempts from a suspicious group of addresses in the logs of my Postfix / Dovecot mail server, I went to look at the logs of the Fail2Ban protection tool.\nI saw a fine string of addresses being released from their temporary ban:\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.84/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.44/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.181/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.174/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.62/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.66/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.142/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.49/32\n[...] # and quite a few others...\nAnd a little further down, login attempts from that same network quietly carrying on as if nothing had happened:\n2026-05-12 xx:xx:xx WARN: 81.30.98.207 matched rule id xxx (warning: unknown[81.30.98.207]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=xxxxxx)\n2026-05-12 xx:xx:xx WARN: xxx more attempts in the next xxx seconds until 81.30.98.207/32 is banned\n2026-05-12 xx:xx:xx WARN: 81.30.98.194 matched rule id xxx (warning: unknown[81.30.98.194]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=xxxxxx)\n2026-05-12 xx:xx:xx WARN: xxx more attempts in the next xxx seconds until 81.30.98.194/32 is banned\n[...] # The list is just as long...\nThe SASL Login authentication failed simply means they are trying to log in to user accounts on the server. [1]\nWhat we have here are clever operators who have adapted to the protection tools. They are doing slow, distributed brute force.\nA brute force attack consists in attempting to log in and tirelessly repeating the operation. Attackers generally use lists of known usernames and passwords, or dictionaries, in order to eventually, sometimes, manage to log in.\nSlow, distributed brute force is a more ingenious variant. It consists in doing the same thing from a group of source addresses while observing intervals between successive attempts from each address.\nSince each IP only tries its luck once or twice every few minutes, it stays well below the threshold of xxx attempts in xxx seconds.\nIf the algorithm is sophisticated, it is capable of inferring our protection settings fairly quickly. It can then adjust itself to \"fly under the radar\" and carry on its merry way until, perhaps, one day, it manages to crack an account's access code.\nHere, they made the mistake of running the algorithm over an easily identifiable IP address range, which drew my attention.\nUnlike quite a few other addresses that are already \"burned\" (listed in the various watch lists that my security tools use automatically), these addresses do not seem to have been identified yet.\nSo I manually added this network to the list of banned (blocked) networks on my server.\nI took the opportunity to considerably harden the rules of the \"game\" compared with Fail2Ban's default settings.\nThis will considerably reduce how fast my logs fill up.\nIT security is far more active than passive: our strategy is only truly effective if we have the time and resources to monitor events and adapt to them.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n[1] SASL = Simple Authentication and Security Layer.\n","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/posts/attaque-par-force-brute-lente-distribuee-12-mai-2026/","section":"Posts","summary":"Hello,\nToday, since for a while I had been seeing failed login attempts from a suspicious group of addresses in the logs of my Postfix / Dovecot mail server, I went to look at the logs of the Fail2Ban protection tool.\nI saw a fine string of addresses being released from their temporary ban:\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.84/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.44/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.181/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.174/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.62/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.66/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.142/32\n2026-05-12 xx:xx:xx INFO: Unbanning 81.30.98.49/32\n[...] # and quite a few others...\nAnd a little further down, login attempts from that same network quietly carrying on as if nothing had happened:\n","title":"Slow distributed brute force attack, 12 May 2026","type":"posts"},
{"content":"Hello,\nIt is possible to disable IPv6 permanently on a machine that does not need it.\nBeware of the possible consequences for some services that try to use it!\nDisabling ipv6 # To disable ipv6 (IPv6) on a Debian distribution, simply edit the file /etc/sysctl.conf and add these lines:\nnet.ipv6.conf.all.disable_ipv6=1\nnet.ipv6.conf.default.disable_ipv6=1\nnet.ipv6.conf.lo.disable_ipv6=1\nnet.ipv6.conf.all.autoconf=0\nnet.ipv6.conf.default.autoconf=0\nThe command sysctl -p applies the settings immediately.\nReverting to the default state # To revert to the default state, we can:\nremove these lines, or comment them out, then run sysctl -p.\nChecking the current status # The command sysctl -a displays the system's parameters.\nWe can refine our search with\nsysctl -a |grep disable_ipv6\nsysctl -a |grep ipv6 |grep autoconf\nsysctl -a |grep all.disable_ipv6\nsysctl -a |grep default.disable_ipv6\n# etc.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/posts/comment-desactiver-ipv6-sur-une-debian/","section":"Posts","summary":"Hello,\nIt is possible to disable IPv6 permanently on a machine that does not need it.\nBeware of the possible consequences for some services that try to use it!\nDisabling ipv6 # To disable ipv6 (IPv6) on a Debian distribution, simply edit the file /etc/sysctl.conf and add these lines:\nnet.ipv6.conf.all.disable_ipv6=1\nnet.ipv6.conf.default.disable_ipv6=1\nnet.ipv6.conf.lo.disable_ipv6=1\nnet.ipv6.conf.all.autoconf=0\nnet.ipv6.conf.default.autoconf=0\nThe command sysctl -p applies the settings immediately.\n","title":"How to disable ipv6 on a Debian system","type":"posts"},
{"content":"Hello,\nWhen we work on development projects, we appreciate being able to count on our repository manager to carry out operations automatically when certain events occur.\nThat is the case for me here when I commit my changes to this Hugo blog: a script runs the build and transfers the changes to the server without my having to worry about it.\nWe are of course talking here about client-side hooks (on the development machine).\nHistorically, and by default, we create hooks in the hooks folder hidden in the depths of the .git folder.\nTwo drawbacks to that:\nmost IDEs do not give us easy access to this folder (to protect us);\nthe hook files live in a space not tracked by the version control system.\nHere I present a simple and practical method for managing client-side git hooks.\nCreating the git hooks in a project folder # We can create a hooks folder at the root of our project and create and edit our scripts there.\nWithout forgetting, of course, to make them executable with the appropriate chmod u+x. To tell git to use this folder instead of the default .git/hooks folder in the current project, we use the command\ngit config --local core.hooksPath hooks\nThe --local argument is generally omitted since it is the default behaviour. From now on, without needing to \"tinker\" as we had to before git version 2.9, and unless .gitignore says otherwise, our git hooks are saved and versioned along with the rest of our project.\nLocal, global and system levels # It is possible to define git hooks\nat the local level, as we have just seen;\nat the global level and at the system level (provided we have the associated privileges).\nAn absolute or relative path can be given.\nWe can thus adopt the same convention for all our projects, with the immediate variant of the project-level command:\ngit config --global core.hooksPath hooks\ngit will look in the hooks folder of the repository we are in when we run it.\nWhich files are affected? # Even if we do not need to edit them, it is good to know where they are by default on Debian and Linux in general:\nlocal: .git/config; global: ~/.gitconfig and system: /etc/gitconfig. These files are created as needed (they do not exist if there is nothing to put in them).\nChecking which configuration applies # The simple and laconic command that returns the parameter that applies is:\ngit config --get core.hooksPath\nWe get more information with:\ngit config --list --show-origin | grep core.hookspath\nIf several parameters exist, they are all listed; the levels are legibly indicated by the file paths. Example:\nfile:/etc/gitconfig core.hookspath=/usr/local/share/git-core/hooks\nfile:/home/user/.gitconfig core.hookspath=/home/user/globalhooks\nfile:.git/config core.hookspath=hooks\n=> It is hooks (defined at project scope) that applies here.\nIn such a case, it is surely worth going to see what is at the global and system levels to find out whether it is in our interest to take over all or part of what is planned there at the project level. Removing a custom setting # To return to git's default state, or to selectively remove one of the parameters, we have the commands:\n# repository level\ngit config --local --unset core.hooksPath\n# global level\ngit config --global --unset core.hooksPath\n# system level\ngit config --system --unset core.hooksPath\nWhich level applies? # The closest level wins: Local > Global > System > Default.\nIf we have defined a parameter at the repository (local) level, that is the one that applies.\nOtherwise, the parameter at the global level, and so on.\nIn the absence of a specific setting, the default value applies: .git/hooks in the current repository.\nDisabling hooks # If need be, simply point to the /dev/null folder.\nThis can be useful when we want to run a specific command without triggering the scripts that would normally be executed:\ngit -c core.hooksPath=/dev/null ...\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nOfficial documentation: https://git-scm.com/docs/git-config#Documentation/git-config.txt-corehooksPath.\n","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/posts/comment-mieux-gerer-les-crochets-hooks-git-et-les-integrer-aux-suivis-de-versions-du-depot/","section":"Posts","summary":"Hello,\nWhen we work on development projects, we appreciate being able to count on our repository manager to carry out operations automatically when certain events occur.\nThat is the case for me here when I commit my changes to this Hugo blog: a script runs the build and transfers the changes to the server without my having to worry about it.\nWe are of course talking here about client-side hooks (on the development machine).\n","title":"How to better manage git hooks and integrate them into the repository's version tracking","type":"posts"},
{"content":"Hello,\nDocker is handy for setting up projects for the pleasure of learning, testing, digging deeper, etc.\nWe often need to do some cleaning up.\nHere is a little cheat sheet.\nTaking stock of persistent data # 
Bien souvent, nous créons des données dans des dossiers du système hôte.\nIl convient d\u0026rsquo;en maintenir un inventaire à jour et de veiller à les sauvegarder et / ou supprimer lorsque nous en avons terminé.\nTracer les éventuelles modifications périphériques # Avons-nous créé ou modifié des fichiers ou des configurations périphériques ?\nSi oui, et si nous avons travaillé comme il faut, nous avons tracé ces modifications.\nC\u0026rsquo;est le moment de vérifier tout cela de manière à ne pas laisser traîner des choses.\nC\u0026rsquo;est beaucoup plus compliqué si nous avons\nutilisé des « outils miracles » qui ne nous disent pas tout ce qu\u0026rsquo;ils font ou suivi tous les conseils qu\u0026rsquo;une IA nous a donnés sans prendre de notes structurées ni de recul… Le risque ? Un exemple au hasard : oublier de supprimer des tâches cron qui peuvent perturber le bon fonctionnement d\u0026rsquo;autres services.\nArrêter et supprimer les conteneurs # Pour arrêter et supprimer les conteneurs, nous nous plaçons dans le dossier du projet et utilisons, avec ou sans options,\n1 docker compose down Sous réserve d\u0026rsquo;avoir bien vérifié que nous les avons sauvegardés si besoin et que nous ne nous en servons plus, nous pouvons supprimer les volumes et les images associés avec ces options :\n--volumes (-v) supprime les volumes ; --rmi all supprime les images. 
Vérifier l\u0026rsquo;état du système # Les commandes simples pour lister les conteneurs, les volumes et les réseaux ne font jamais de mal.\n1 2 3 docker ps -a docker volume ls docker network ls S\u0026rsquo;il reste quelque-chose qui ne devrait pas être là, nous le ciblons spécifiquement avec des commandes de suppression, par exemple :\n1 2 3 docker rm \u0026lt;ID_ou_NOM_DU_CONTENEUR\u0026gt; docker volume rm \u0026lt;NOM_DU_VOLUME\u0026gt; docker network rm \u0026lt;NOM_DU_RESEAU\u0026gt; Sauvegarder et / ou supprimer l\u0026rsquo;infrastructure hôte # Une fois le nettoyage vérifié côté Docker,\nnous archivons ou pas, puis nous supprimons les fichiers de configuration (docker-compose.yml et autres) et le dossier associé au projet. Au plaisir,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/posts/comment-purger-un-ensemble-de-services-stack-docker/","section":"Posts","summary":"Bonjour,\nDocker est pratique pour monter des projets pour le plaisir d’apprendre, de tester, d’approfondir, etc.\nIl arrive souvent que nous ayons besoin de faire du ménage.\nVoici un petit pense-bête.\nFaire l’inventaire des données persistantes # Bien souvent, nous créons des données dans des dossiers du système hôte.\nIl convient d’en maintenir un inventaire à jour et de veiller à les sauvegarder et / ou supprimer lorsque nous en avons terminé.\n","title":"Comment purger un ensemble de services (stack) Docker","type":"posts"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/courriel/","section":"Tags","summary":"","title":"Courriel","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/crochet/","section":"Tags","summary":"","title":"Crochet","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/default/","section":"Tags","summary":"","title":"Default","type":"tags"},{"content":"","date":"May 12, 
2026","externalUrl":null,"permalink":"/fr/tags/d%C3%A9truire/","section":"Tags","summary":"","title":"Détruire","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/dossier/","section":"Tags","summary":"","title":"Dossier","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/effacer/","section":"Tags","summary":"","title":"Effacer","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/%C3%A9teindre/","section":"Tags","summary":"","title":"Éteindre","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/fail2ban/","section":"Tags","summary":"","title":"Fail2ban","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/git/","section":"Tags","summary":"","title":"Git","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/global/","section":"Tags","summary":"","title":"Global","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/hook/","section":"Tags","summary":"","title":"Hook","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/ip/","section":"Tags","summary":"","title":"Ip","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/ipv4/","section":"Tags","summary":"","title":"Ipv4","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/ipv6/","section":"Tags","summary":"","title":"Ipv6","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/liste-grise/","section":"Tags","summary":"","title":"Liste Grise","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/local/","section":"Tags","summary":"","title":"Local","type":"tags"},{"content":"","date":"May 12, 
2026","externalUrl":null,"permalink":"/fr/tags/mailcow/","section":"Tags","summary":"","title":"Mailcow","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/messagerie-%C3%A9lectronique/","section":"Tags","summary":"","title":"Messagerie Électronique","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/microsoft/","section":"Tags","summary":"","title":"Microsoft","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/postfix/","section":"Tags","summary":"","title":"Postfix","type":"tags"},{"content":"","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/tags/purger/","section":"Tags","summary":"","title":"Purger","type":"tags"},{"content":"Bonjour,\nPour que notre serveur de messagerie soit correctement traité par les serveurs de Microsoft, nous devons signer les contrats SNDS (Smart Network Data Services) et JMRP (Junk Mail Reporting Partner Program) de Microsoft en nous rendant sur leur serveur https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0.\nPas de bol : le courriel de vérification d\u0026rsquo;adresse envoyé par leur serveur ressemble trop à du spam.\nPremière mauvaise nouvelle # Pour commencer, nous devons créer un compte Microsoft.\nAh bon, il faut créer un compte Microsoft pour simplement pouvoir déclarer son serveur de messagerie et quelques informations, informations que nous ne devrions pas à avoir besoin d\u0026rsquo;aller saisir manuellement.\nLa démence narcissique n\u0026rsquo;a pas de limite chez ces gens-là…\nDont acte, essayons de « jouer le jeu », puisqu\u0026rsquo;on nous dit qu\u0026rsquo;il faut le faire.\nJe décide de prendre mon courage à deux mains et de créer un compte Microsoft pour que mon tout nouveau serveur de messagerie ne soit pas trop pénalisé par d\u0026rsquo;autres décisions arbitraires, puériles et imbéciles.\nLe courriel de vérification d\u0026rsquo;adresse n\u0026rsquo;arrive pas # Lorsque je 
renseigne une adresse de courriel pour créer ce compte, je ne reçois pas le courriel avec le code de confirmation après quelques minutes.\nJe me rends alors dans le tableau de bord de mon outil anti-spam, pour découvrir que le courriel de Microsoft a été détecté comme du spam potentiel. Et pas qu\u0026rsquo;un peu !\n1 2 3 4 5 6 7 8 9 FUZZY_DENIED (7.885743) [1:c7f2556fdf:0.56:txt] WHITELIST_SPF_DKIM (-3) [microsoft.com:d:+,microsoft.com:s:+] RBL_SENDERSCORE_REPUT_4 (2) [52.101.46.92:from] BAD_REP_POLICIES (2) DWL_DNSWL_LOW (-1) [microsoft.com:dkim] MID_RHS_NOT_FQDN (0.5) MIME_GOOD (-0.1) [multipart/alternative,text/plain] MX_GOOD (-0.01) [] IP_REPUTATION_HAM (-0.005001) [asn: 8075(0.00), country: US(-0.01), ip: 52.101.46.92(0.00)] Pour résumer,\nLes éléments clefs de vérification sont bons (SPF, DKIM) mais Trop d\u0026rsquo;éléments entraînent une suspicion forte de spam : Le message ressemble à des modèles très courants dans les courriels de spam ou d\u0026rsquo;arnaques ; Il est très bref et propose un lien suspect ; l\u0026rsquo;adresse IP de Microsoft a servi à l\u0026rsquo;envoi de courriels qui ont été signalés. En conséquence, l\u0026rsquo;outil anti-spam de Mailcow, Rspamd, attribue un score de 8,27 à ce message, ce qui est très élevé. 
(Plus le score est élevé dans les valeurs positives, plus la probabilité que ce soit du spam est importante.)\nLe message passe en « liste grise » (grey list).\nMon serveur effectue un « refus temporaire » (soft reject) : il rejette le message et indique au serveur émetteur d\u0026rsquo;attendre un peu et d\u0026rsquo;essayer à nouveau un peu plus tard.\nUn comportement de (mauvais) spammeur dans les minutes qui suivent… # Le serveur de Microsoft ne réalise pas d\u0026rsquo;autres tentatives pour déposer son message dans mon serveur de messagerie dans les 10 minutes qui suivent.\nCela ressemble à un comportement des mauvais programmes de spammeurs et c\u0026rsquo;est justement ce comportement qui justifie l\u0026rsquo;utilisation des listes grises (grey lists) dans Rspamd : L\u0026rsquo;outil anti-spam considère que les spammeurs ne vont pas repasser. C\u0026rsquo;est partiellement vrai (et donc globalement faux), mais peu importe…\nLe second courriel a un score bien plus raisonnable # Faute de nouvelles au bout de 10 minutes, je prends les devants.\nComme j\u0026rsquo;ai horreur de perdre mon temps, je modifie mes seuils dans Rspamd afin que le message soit accepté même avec un score aussi élevé.\nPour rien. 
Comme nous allons le voir.\nEnsuite, je clique sur le bouton renvoyer un code (resend code) pour demander l\u0026rsquo;envoi d\u0026rsquo;un nouveau message avec le code tant désiré.\nL\u0026rsquo;analyse du second courriel présente meilleure figure :\n1 2 3 4 5 6 7 8 9 WHITELIST_SPF_DKIM (-3) [microsoft.com:d:+,microsoft.com:s:+] BAD_REP_POLICIES (2) RBL_SENDERSCORE_REPUT_6 (1) [52.101.62.95:from] DWL_DNSWL_LOW (-1) [microsoft.com:dkim] MID_RHS_NOT_FQDN (0.5) MIME_GOOD (-0.1) [multipart/alternative,text/plain] MX_GOOD (-0.01) [] IP_REPUTATION_HAM (-0.005001) [asn: 8075(0.00), country: US(-0.01), ip: 52.101.62.95(0.00)] … Score global : − 0,62.\nMême avec des critères stricts, il passe.\n… qui s\u0026rsquo;avère être potentiellement une bonne pratique… # Autre bonne nouvelle, les serveurs de Microsoft ont finalement refait une tentative 12 minutes et 10 secondes ou 16 minutes et 19 secondes plus tard.\nPourquoi ou ? Parce-que j\u0026rsquo;ignore lequel des deux correspond à ma seconde demande.\nC\u0026rsquo;est une bonne pratique en général : si le serveur de réception demande un délai, autant attendre patiemment quelques minutes pour lui laisser le temps de revenir à un état plus stable.\nSi c\u0026rsquo;est volontaire, et dans le cas général, ce peut être une bonne pratique.\n… mais pas vraiment en fait ! # Malheureusement, l\u0026rsquo;adresse IP qui envoie les tentatives est rarement la même chez Microsoft. Ils utilisent une ferme de serveurs sur une grande plage d\u0026rsquo;adresses IP. Le serveur en réception ne peut donc pas faire le lien avec son rejet précédent. Au risque que le nouveau message, considéré comme tout beau tout nouveau, reçoive le même traitement et ainsi de suite à l\u0026rsquo;infini !\nDans le cas particulier d\u0026rsquo;un envoi de code de confirmation, attendre aussi longtemps n\u0026rsquo;est plus une bonne pratique. À moins de l\u0026rsquo;expliciter clairement à l\u0026rsquo;utilisateur, ce qui n\u0026rsquo;est pas le cas ici. 
Otherwise, the user will inevitably click, and click again, creating as many infernal cycles as there are attempts.\nIn short, if I were the teacher in charge of the pupil Microsoft, it would not pass its UI/UX course credit with this! 1\nAnalysis # Control in order to manage better # Few things in this world are safe and certain, reliable and viable, well designed and well executed.\nOne thing I am sure of is that it is far better to have\nas many reliable sources of information as possible, and the levers to take control ourselves. Be patient and adapt # It is through the strength of experience that we forge a skill and the ability to handle every situation that comes our way.\nThat experience teaches us patience.\nVery often, we have to put up with bad behaviour:\nfrom those who know they are acting badly, but also from those who believe they are acting well (but in reality are acting badly). We must adapt continually, within reason.\nMaster and refine our tools # Much is left to be desired in the list of default criteria and coefficients in the Rspamd implementation shipped with Mailcow. 
It is not innocent in this failure scenario.\nI will refine all of this with parameters I believe are more relevant.\nEpilogue # To finish, here is what I was treated to a little later in the process of confirming the creation of my account:\nI will not be able to go any further.\nNot right away.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nThe content of the email # The content of the email is nothing very suspicious, to be honest…\nI do not subscribe at all to these crystal-ball analyses that anti-spam tools feel obliged to offer without guaranteeing in any way that they do a good job.\n--=**********************==\nContent-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: 7bit\n\nMicrosoft account\nVerify your email address\nTo finish setting up your Microsoft account, we just need to make sure this email address is yours.\nTo verify your email address use this security code: xxxxxx\nIf you didn't request this code, you can safely ignore this email. Someone else might have typed your email address by mistake. 
Thanks, The Microsoft account team Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839 Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 --=**********************== Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit \u0026lt;!DOCTYPE html PUBLIC \u0026#34;-//W3C//DTD XHTML 1.0 Transitional//EN\u0026#34; \u0026#34;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\u0026#34;\u0026gt; \u0026lt;html xmlns=\u0026#34;http://www.w3.org/1999/xhtml\u0026#34; dir=\u0026#34;ltr\u0026#34;\u0026gt; \u0026lt;head\u0026gt; \u0026lt;style type=\u0026#34;text/css\u0026#34;\u0026gt; .link:link, .link:active, .link:visited { color:#2672ec !important; text-decoration:none !important; } .link:hover { color:#4284ee !important; text-decoration:none !important; } \u0026lt;/style\u0026gt; \u0026lt;title\u0026gt;\u0026lt;/title\u0026gt; \u0026lt;/head\u0026gt; \u0026lt;body\u0026gt; \u0026lt;table dir=\u0026#34;ltr\u0026#34;\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td id=\u0026#34;i1\u0026#34; style=\u0026#34;padding:0; font-family:\u0026#39;Segoe UI Semibold\u0026#39;, \u0026#39;Segoe UI Bold\u0026#39;, \u0026#39;Segoe UI\u0026#39;, \u0026#39;Helvetica Neue Medium\u0026#39;, Arial, sans-serif; font-size:17px; color:#707070;\u0026#34;\u0026gt;Microsoft account\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td id=\u0026#34;i2\u0026#34; style=\u0026#34;padding:0; font-family:\u0026#39;Segoe UI Light\u0026#39;, \u0026#39;Segoe UI\u0026#39;, \u0026#39;Helvetica Neue Medium\u0026#39;, Arial, sans-serif; font-size:41px; color:#2672ec;\u0026#34;\u0026gt;Verify your email address\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td id=\u0026#34;i4\u0026#34; style=\u0026#34;padding:0; padding-top:25px; font-family:\u0026#39;Segoe UI\u0026#39;, Tahoma, Verdana, Arial, sans-serif; font-size:14px; color:#2a2a2a;\u0026#34;\u0026gt;To finish setting up your Microsoft account, we just need to make sure this email 
address is yours.\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td style=\u0026#34;padding:0; padding-top:25px; font-family:\u0026#39;Segoe UI\u0026#39;, Tahoma, Verdana, Arial, sans-serif; font-size:14px; color:#2a2a2a;\u0026#34;\u0026gt;To verify your email address use this security code: \u0026lt;span style=\u0026#34;font-family:\u0026#39;Segoe UI Bold\u0026#39;, \u0026#39;Segoe UI Semibold\u0026#39;, \u0026#39;Segoe UI\u0026#39;, \u0026#39;Helvetica Neue Medium\u0026#39;, Arial, sans-serif; font-size:14px; font-weight:bold; color:#2a2a2a;\u0026#34;\u0026gt;xxxxxx\u0026lt;/span\u0026gt;\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td id=\u0026#34;i6\u0026#34; style=\u0026#34;padding:0; padding-top:25px; font-family:\u0026#39;Segoe UI\u0026#39;, Tahoma, Verdana, Arial, sans-serif; font-size:14px; color:#2a2a2a;\u0026#34;\u0026gt;If you didn\u0026#39;t request this code, you can safely ignore this email. Someone else might have typed your email address by mistake.\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td style=\u0026#34;padding:0; padding-top:25px; font-family:\u0026#39;Segoe UI\u0026#39;, Tahoma, Verdana, Arial, sans-serif; font-size:14px; color:#2a2a2a;\u0026#34;\u0026gt;Thanks,\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;tr\u0026gt;\u0026lt;td id=\u0026#34;i8\u0026#34; style=\u0026#34;padding:0; font-family:\u0026#39;Segoe UI\u0026#39;, Tahoma, Verdana, Arial, sans-serif; font-size:14px; color:#2a2a2a;\u0026#34;\u0026gt;The Microsoft account team\u0026lt;/td\u0026gt;\u0026lt;/tr\u0026gt; \u0026lt;/table\u0026gt; \u0026lt;div lang=\u0026#34;en\u0026#34; style=\u0026#34;margin-top:20px;margin-bottom:10px;\u0026#34;\u0026gt;\u0026lt;a class=\u0026#34;link\u0026#34; href=\u0026#34;https://go.microsoft.com/fwlink/?LinkId=521839\u0026#34;\u0026gt;Privacy Statement\u0026lt;/a\u0026gt;\u0026lt;div style=\u0026#34;margin-top:10px;\u0026#34;\u0026gt;Microsoft Corporation, One 
Microsoft Way, Redmond, WA 98052\u0026lt;/div\u0026gt;\u0026lt;/div\u0026gt;\u0026lt;/body\u0026gt; \u0026lt;/html\u0026gt; --=**********************==--\nCourse credit (Unité de Valeur) in User eXperience / User Interface.\n","date":"May 12, 2026","externalUrl":null,"permalink":"/fr/posts/quand-le-serveur-d-incription-a-la-politique-antispam-de-microsoft-envoie-du-spam-potentiel-et-se-comporte-comme-les-spammeurs/","section":"Posts","summary":"Hello,\nFor our mail server to be treated correctly by Microsoft's servers, we have to sign up to Microsoft's SNDS (Smart Network Data Services) and JMRP (Junk Mail Reporting Partner Program) agreements by going to their server https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0.\nBad luck: the address-verification email sent by their server looks too much like spam.\nFirst piece of bad news # To begin with, we have to create a Microsoft account.\n","title":"When Microsoft's anti-spam management sign-up server sends potential spam and behaves like a spammer","type":"posts"},{"content":"","date":"May 11, 
2026","externalUrl":null,"permalink":"/fr/tags/protection/","section":"Tags","summary":"","title":"Protection","type":"tags"},{"content":"Hello,\nWe can selectively protect links (or folders) with NPM (Nginx Proxy Manager).\nWhen I write we can, what I really mean is we very, very strongly should when it comes to links giving access to privileged levels of the sites or applications we deploy. There is no shortage of opportunities to use this kind of tool to protect our servers; let's not miss them.\nI illustrate the point with access to the administration and to the domain administration of Mailcow, a very complete Internet mail server.\nAdvanced settings in Nginx Proxy Manager # This configuration requires entering the advanced settings, that is, adding lines of code in an area that appears in the graphical interface when we click the cog wheel, visible on the right whatever the current tab.\nWe then have access to the Custom Nginx Configuration area:\nConfiguration to protect an admin folder # Here is a first, simple configuration:\nlocation /admin {\n    auth_basic \"Protected\";\n    auth_basic_user_file /data/access.auth/admin;\n    proxy_set_header Authorization \"\";\n    include conf.d/include/proxy.conf;\n}\nIt is very simple, and we use NPM's include (we do not have to create that file). 1\nNote: be careful, with this configuration every link beginning with /admin will be covered by the rule, for example /administration, /administrer-un-medicament, etc. 
We can be more specific with location = /admin or with location ~ ^/admin$…\nThe line proxy_set_header Authorization \"\"; is important: it prevents the proxy from forwarding the authentication credentials to the application. 2\nProtecting two links # We can extend this principle to two \"folders\", for example to protect\nthe Mailcow administration (/admin) and the Mailcow domain administration (/domainadmin).\nlocation ~ ^/(admin|domainadmin) {\n    auth_basic \"Protected\";\n    auth_basic_user_file /data/access.auth/admin;\n    proxy_set_header Authorization \"\";\n    include conf.d/include/proxy.conf;\n}\nAllowing one or more IP address range(s) # Hardening # We can \"armour\" the security by allowing only one or more IP address(es) to connect, with authentication.\nThis is the approach I recommend, even if it means \"opening\" wide ranges. It limits the risks.\nThe directive to use is satisfy all. 
It is the default directive, but I find it preferable to write it explicitly when we rely on it.\nlocation ~ ^/(admin|domainadmin) {\n    satisfy all;\n    allow 192.168.1.0/24;\n    allow 10.0.0.0/8;\n    deny all;\n    auth_basic \"Protected\";\n    auth_basic_user_file /data/access.auth/admin;\n    proxy_set_header Authorization \"\";\n    include conf.d/include/proxy.conf;\n}\nRelaxing # We can, on the contrary, relax the rule and allow one or more address(es) through without showing their credentials, that is, without having to enter a protection username and password.\nThe directive is satisfy any (in place of satisfy all).\nThis is not the approach I recommend, insofar as an attacker who managed to come in through an allowed address would find the \"door open\" without needing to know a valid username and password pair.\nSince we have defined these pairs, we may as well use them. All the time, seriously.\nReminders about protection by the proxy (or the server) # This protection is a first level of security: it prevents access to the login pages.\nIt is very useful and strongly recommended to limit attack opportunities on critical access points. Administration is obviously one of them. 
The attacker cannot even try username and password combinations at the application level.\nUse by several people # We can define as many usernames and passwords as we wish.\nSince other levels of security are added on top, among them the authentication of the application itself, we can allow ourselves a small relaxation by defining only one shared account for several people.\nIn the example I took with Mailcow, we can manage\none username for access to the administration, and one for access to the domain administration. We can then separate the two folders like this:\nlocation ^~ /admin {\n    satisfy all;\n    allow 192.168.1.0/24;\n    deny all;\n    auth_basic \"Protected\";\n    auth_basic_user_file /data/access.auth/admin_mailcow;\n    proxy_set_header Authorization \"\";\n    include conf.d/include/proxy.conf;\n}\nlocation ^~ /domainadmin {\n    satisfy all;\n    allow 192.168.1.0/24;\n    allow 10.0.0.0/8;\n    deny all;\n    auth_basic \"Protected\";\n    auth_basic_user_file /data/access.auth/admin_domains;\n    proxy_set_header Authorization \"\";\n    include conf.d/include/proxy.conf;\n}\nHow to fill in the username and password file # The ./data/access.auth/[…] files in my examples have to be created, as does the ./data/access.auth folder (with names of your choice). 
I chose access.auth so that it appears next to the access folder used by the NPM graphical interface.\nTo generate the password hashes, we can use openssl with this syntax:\nopenssl passwd -6 'Le_Mot.De@Passe>Que!Tout[Le#Monde+Aime%Saisirµ1000&Fois'\nNote: the -6 means we use the SHA-512 algorithm.\nThen it is enough to paste the password hash after the username and a colon, for example:\nadmin_mailcow:$6$zUV7UtqsGW4Nuf38$9MKI9HZztEK4J0yyiXetf1DmjtibC8rKuGYdahq1XwuLJcekCkUDu9gr3mCcD79YUxtT4XL8G4PPqoNl6lIOV/\nWe can add as many username / password pairs as needed: one line per pair.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nFile present at /etc/nginx/conf.d/include/proxy.conf in the jc21/nginx-proxy-manager Docker image maintained by Jamie CURNOW.\nSince the traffic passes in the clear between the proxy and the server, anyone can access the secrets. The Base64 encoding used offers no protection. Anyone can decode it very simply. Try it with echo \"TCdlbmNvZGFnZSBuJ2VzdCBwYXMgbGUgY2hpZmZyZW1lbnQuwqA=\" | base64 -d; echo \"\" ! 😉\n","date":"May 11, 2026","externalUrl":null,"permalink":"/fr/posts/proteger-selectivement-des-liens-avec-npm-nginx-proxy-manager/","section":"Posts","summary":"
","title":"Selectively protecting links with NPM (Nginx Proxy Manager)","type":"posts"},{"content":"Welcome # Welcome to this blog by Marc JESTIN.\nI am an independent and libre freelance service provider.\nTo hire me, please visit:\nhttps://php2.marcjestin.fr/en/contact.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"9 May 2026","externalUrl":null,"permalink":"/en/","section":"","summary":"","title":"","type":"page"},{"content":"","date":"May 9, 
2026","externalUrl":null,"permalink":"/fr/tags/certificat/","section":"Tags","summary":"","title":"Certificat","type":"tags"},{"content":"Hello,\nWhile I was trying to create a new service in NPM (Nginx Proxy Manager) this Friday evening, everything got stuck following an incident on Let's Encrypt's production servers 1.\nAfter their service was restored, I wanted to get back to work normally and then, crash!\nNothing worked properly any more.\nI had to open the bonnet and get into the engine to restore my system to working order:\ndelete the certificates created after the outage in the archive folders, not forgetting the links in live; delete their configuration files in renewal; go into the database.sqlite database to check the tables and delete the orphaned or misconfigured records. To access the sqlite database, I used a sqlite3 installed on the host server, since the container did not provide one.\nFor the record, here are a few useful commands to know once inside the database via sqlite3 database.sqlite:\n.headers on\n.mode columns\n-- List the hosts\nSELECT id, domain_names, certificate_id, is_deleted FROM proxy_host;\n-- If needed, only the active hosts\nSELECT id, domain_names, certificate_id FROM proxy_host WHERE is_deleted = 0;\n-- Or target one host in particular\nSELECT id, domain_names, is_deleted FROM proxy_host WHERE id = 666;\n-- List the certificates\nSELECT id, nice_name, domain_names, expires_on FROM certificate;\n-- Selective deletions\nDELETE FROM proxy_host WHERE id = 666;\nDELETE FROM certificate WHERE id = 666;\n-- Quit sqlite\n.exit\nAddendum: 9 May 2026 # I thought I had cleaned everything up by \"purging\" everything I could find that was inconsistent and later than the Let's Encrypt crash, but no!\nI notice that 
the host indices and the folder names used for certificate storage are out of step.\nWhen NPM creates a certificate identified as #666 in the interface, it creates a folder npm-667.\nOne can live with that, but it is frankly painful.\nSince I do not know the inside of the machine well enough, I am stuck for now.\nThe only viable solution I see on the horizon is going to be a clean reinstall, putting everything back in place from scratch.\nNotice to developers # When working on low-level multi-task processes, one can indeed let each part cook in its own corner, but \"best effort\" is not enough to do things well. At some point, all the children have to be checked and brought back into sync. It is better that way.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nSee Let's Encrypt caught in the Friday-evening maintenance syndrome.\n","date":"May 9, 2026","externalUrl":null,"permalink":"/fr/posts/comment-l-incident-lets-encrypt-m-a-oblige-a-aller-grenouiller-dans-la-base-sqlite-de-mon-npm-nginx-proxy-manager/","section":"Posts","summary":"","title":"How the Let's Encrypt incident forced me to go poking around in the sqlite database of my NPM (Nginx Proxy Manager)","type":"posts"},{"content":"","date":"9 May 
2026","externalUrl":null,"permalink":"/en/tags/debian/","section":"Tags","summary":"","title":"Debian","type":"tags"},{"content":"","date":"9 May 
2026","externalUrl":null,"permalink":"/en/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"Hello,\nA server must be available 24 hours a day and obviously should not go to sleep, especially if we don't have the tools to \"wake it up.\"\nBy default, or following the installation of certain packages, a Debian distribution may retain power-saving settings. The result: our machine \"falls asleep\" after a period of inactivity, and we can no longer access it remotely. 1\nThis is particularly true for systems installed in a Desktop version (i.e., with a desktop manager like GNOME or others).\nIt's a bit stupid for a server, isn't it?\nHere is how to prevent sleep at the system level.\nWe will only use the command line. 2\nStandard GUI configuration is not enough (and can be misleading) # On Debian, power management is multi-layered.\nDisabling sleep in a GUI or via a simple script isn't always enough, as several services can trigger a suspend event:\nsystemd targets, which orchestrate the transition to sleep states.\nsystemd-logind, which reacts to hardware events (power button, reset button, inactivity…). 
For a production machine, we can mask the sleep tools to make them inaccessible even to the system itself.\nMasking sleep services # Rather than simply disabling the services associated with sleep, we mask them to prevent any access.\nWe use the mask command (instead of disable). It creates a symbolic link to /dev/null, making it impossible to activate the service, even if another process requests it.\nTo do this, we run: 3\nsystemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target systemd-suspend.service systemd-hibernate.service systemd-hybrid-sleep.service systemd-suspend-then-hibernate.service\nTo confirm that the targets are indeed locked:\nsystemctl list-unit-files | grep -E 'sleep|suspend|hibernate'\nExample output:\nsystemd-hibernate-clear.service static -\nsystemd-hibernate-resume.service static -\nsystemd-hibernate.service masked enabled\nsystemd-hybrid-sleep.service masked enabled\nsystemd-suspend-then-hibernate.service masked enabled\nsystemd-suspend.service masked enabled\nhibernate.target masked enabled\nhybrid-sleep.target masked enabled\nsleep.target masked enabled\nsuspend-then-hibernate.target masked enabled\nsuspend.target masked enabled\nConfiguring systemd-logind # Even if the targets are masked and thus inaccessible, we can configure the session manager (systemd-logind = login daemon) so that it doesn't even try to interpret inactivity signals or physical buttons… Better safe than sorry.\nWe edit the configuration file:\nnano /etc/systemd/logind.conf\nWe modify and/or uncomment the following lines to force the ignore state:\n[Login]\nHandlePowerKey=ignore\nHandleSuspendKey=ignore\nHandleHibernateKey=ignore\nLidSwitchIgnoreInhibited=no\nIdleAction=ignore\nWe restart the service to apply the changes:\nsystemctl restart systemd-logind\nAnalyzing logs # Two commands can be useful for auditing the server logs:\nTo check systemd-logind events:\n
journalctl -u systemd-logind --since \"1 hour ago\"\nFor ACPI state changes at the kernel level:\njournalctl -k | grep -i \"ACPI: PM\"\nThis command allows you to see whether the kernel has actually prepared a transition to S3 (suspend to RAM) or S4 (hibernation).\nConclusion # By combining the masking of systemd targets and the neutralization of actions in logind.conf, we eliminate any risk of accidental sleep on our Debian server. 4\nThis is a hardening step that is best taken BEFORE you find yourself in a mess.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nSleep is generally of the ACPI S3 type: the computer stays on standby and keeps the RAM powered in its current state, for a much faster restart than ACPI S4.\nIn principle, you don't install a graphical interface on a server, but it's true that it can be convenient for self-hosting.\nAll commands in this article require root privileges. I am among those who do not recommend using sudo. And I know why.\nProvided, of course, that we have ensured no sleep settings are configured at the UEFI (or BIOS) level on the machine.\n","date":"9 May 2026","externalUrl":null,"permalink":"/en/posts/preventing-sleep-and-suspension-on-a-debian-server/","section":"Posts","summary":"
","title":"Preventing sleep and suspension on a Debian server","type":"posts"},{"content":"","date":"9 May 
2026","externalUrl":null,"permalink":"/en/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"9 May 2026","externalUrl":null,"permalink":"/en/categories/tutorials/","section":"Categories","summary":"","title":"Tutorials","type":"categories"},{"content":"","date":"9 May 2026","externalUrl":null,"permalink":"/en/tags/user/","section":"Tags","summary":"","title":"User","type":"tags"},{"content":"Hello,\nWe often find ourselves working in directories where multiple users \u0026ldquo;clash\u0026rdquo; with one another.\nA common example is when we need to clear caches generated by web server components. We then run into ownership and permission issues.\nUsually, we rely on \u0026ldquo;bad good solutions\u0026rdquo;, such as:\nAdding our user to a group it doesn\u0026rsquo;t truly belong to. Creating custom sudo rules (which often end up being too broad, creating a significant security loophole). Managing ACLs in Debian allows us to handle this very simply.\nUnderstanding ACLs (Access Control Lists) # ACLs are an extension of standard Linux permissions (Owner / Group / Others).\nThey allow us to assign custom rights to multiple users or groups on a single directory or file.\nSpecifically, ACLs allow us to:\nGrant rwx access to another user or group without changing the file or directory owner; Define rules that will automatically apply to all future files created within a directory. It is an extremely useful tool for allowing users and groups to coexist cleanly, without forcing them into the same groups or granting excessive privileges.\nMy rsync-based Workflows # I rely on lots of simple and efficient rsync-based workflows to update servers.\nrsync uploads files to the server using my non-privileged user. 
Everything works perfectly until I need to interact with files or directories that my user doesn\u0026rsquo;t own.\nIt gets tricky when I want to delete a cache written by a server component, for instance, using:\nssh my-ssh-alias \u0026#34;rm -rf /var/www/html/var/cache/*\u0026#34; The Solution: ACLs (Access Control Lists) # ACLs allow us to add rules on a case-by-case basis within our server\u0026rsquo;s directory structure.\nThe idea is very simple: tell the system:\n\u0026ldquo;Regardless of who creates a file here, both users user and www-data have full rights over it.\u0026rdquo;\nWe perform the setup in administrator mode (root or similar).\nFirst, we apply the rights to existing files and directories:\nsetfacl -R -m u:www-data:rwx,u:user:rwx /path/to/our/site/var Then, we define default rights for all future files and folders created inside these directories:\nsetfacl -dR -m u:www-data:rwx,u:user:rwx /path/to/our/site/var Result # When my template engine (Twig, to name one) generates a cache file, that file receives ACL attributes in addition to standard permissions.\nThis allows my user user to clear the cache created by the engine (which uses the www-data account) without:\nBeing part of the corresponding group. Having privileges I don\u0026rsquo;t want to grant. My deployment and/or automated cleanup scripts can now perform all necessary tasks without getting stuck on permission errors.\nThis is a simple, clean, and robust technique to keep a server organized without mixing everything up or sacrificing security.\nHow to Check if ACLs are Active? # When we run ls -l, we can spot a small + sign right after the traditional permission strings. 
For example:\nls -l\ndrwxrwxr-x+ 2 user www-data 4096 May 9 10:30 var\nThe + indicates that an ACL is attached to this directory.\nTo view the specific ACL details, we use the getfacl command:\ngetfacl /path/to/your/site/var\n# file: var/\n# owner: user\n# group: www-data\nuser::rwx\nuser:www-data:rwx\nuser:user:rwx\ngroup::rwx\nmask::rwx\nother::r-x\ndefault:user::rwx\ndefault:user:www-data:rwx\ndefault:user:user:rwx\ndefault:group::rwx\ndefault:mask::rwx\ndefault:other::r-x\nWarnings # Standard permission rules still apply to directories and files, and to users and groups not specified in the ACL.\nOnce ACLs are in place, some behaviors we are used to in the \u0026ldquo;world before\u0026rdquo; might change regarding how chmod commands and standard rights (Owner / Group / Others) are interpreted.\nI am intentionally not going into detail here.\nCheers,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"9 May 2026","externalUrl":null,"permalink":"/en/posts/using-acls-for-advanced-file-and-directory-permissions-in-debian/","section":"Posts","summary":"Hello,\nWe often find ourselves working in directories where multiple users “clash” with one another.\nA common example is when we need to clear caches generated by web server components. We then run into ownership and permission issues.\nUsually, we rely on “bad good solutions”, such as:\nAdding our user to a group it doesn’t truly belong to. Creating custom sudo rules (which often end up being too broad, creating a significant security loophole). 
Managing ACLs in Debian allows us to handle this very simply.\n","title":"Using ACLs for Advanced File and Directory Permissions in Debian","type":"posts"},{"content":"","date":"May 9, 2026","externalUrl":null,"permalink":"/fr/tags/utilisateur/","section":"Tags","summary":"","title":"Utilisateur","type":"tags"},{"content":"","date":"9 May 2026","externalUrl":null,"permalink":"/en/tags/www-data/","section":"Tags","summary":"","title":"Www-Data","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/categories/anecdotes/","section":"Categories","summary":"","title":"Anecdotes","type":"categories"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/certificate/","section":"Tags","summary":"","title":"Certificate","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/deluser/","section":"Tags","summary":"","title":"Deluser","type":"tags"},{"content":"","date":"May 8, 2026","externalUrl":null,"permalink":"/fr/tags/durcissement/","section":"Tags","summary":"","title":"Durcissement","type":"tags"},{"content":"Hello,\nSecurity Best Practices # A secure machine is one where just anyone cannot do just anything.\nA secure machine requires logging into an account with elevated privileges to perform administrative tasks.\nThis can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.\nThis is the default behavior in Debian, and—spoiler alert—it\u0026rsquo;s no accident: in Debian, if you make this mistake, it is by your own choice…\nImportant Precaution # Before disabling or uninstalling sudo, we must ensure that we can access the root account:\nusing the command: 1 su - or directly via a local or remote connection to the machine. 
1\nDisabling sudo # The command to use with root privileges (preferably logged in as root) to modify sudo settings is:\nvisudo This allows us to modify the configuration file and comment out the following lines to:\nRevoke privileges from the sudo group. Stop loading additional sudoers files.\n# Allow members of group sudo to execute any command\n# %sudo ALL=(ALL:ALL) ALL\n\n# See sudoers(5) for more information on \u0026#34;@include\u0026#34; directives:\n# @includedir /etc/sudoers.d\nWhile we are at it, we should ensure this file does not contain any other lines granting sudo privileges to accounts or groups we don\u0026rsquo;t want.\nWe can also clear the contents of the /etc/sudoers.d directory (but do not delete the /etc/sudoers file itself).\nUninstalling sudo # As a further precaution, we can go even further in hardening our machine by removing sudo entirely.\nSimply uninstall the package associated with sudo:\napt purge sudo About \u0026ldquo;Substitution\u0026rdquo; Commands # As a reminder:\nsu = Substitute user (execute as another user) and sudo = Substitute user do (execute as another user) These are very similar. The main difference lies in which password is requested:\nsu: the password of the target account. sudo: the password of the requesting account. 
The fact that the root account is associated with these commands by default when no user is specified should not make us forget their broader uses.\nFor this reason, it is generally preferable to keep both sudo and su on a machine.\nHowever, we may choose to remove them, after an audit, as part of strict hardening requirements.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nNote: I do not recommend enabling direct root access via SSH or other equivalent protocols.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n","date":"8 May 2026","externalUrl":null,"permalink":"/en/posts/how-to-disable-sudo-in-debian/","section":"Posts","summary":"Hello,\nSecurity Best Practices # A secure machine is one where just anyone cannot do just anything.\nA secure machine requires logging into an account with elevated privileges to perform administrative tasks.\nThis can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.\n","title":"How to disable sudo in Debian","type":"posts"},{"content":"Hello,\nSecurity Best Practices # A secure machine is one where just anyone cannot do just anything.\nA secure machine requires logging into an account with elevated privileges to perform administrative tasks.\nThis can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.\nThis is the default behavior in Debian, and—spoiler alert—it\u0026rsquo;s no accident: in Debian, if you make this mistake, it is by your own choice…\nCommunication and Preliminary Checks # Before making these changes, we discuss them with the user concerned.\nWe perform an audit to ensure that no important data or tasks are currently being managed via their user account.\nWe transfer administrative tasks or data to an account dedicated to administration.\nHow to Remove Sudo Privileges from a User # To remove sudo privileges from a user, simply 
remove them from the sudo group.\ndeluser user sudo We also check the sudo configuration file (using visudo) to ensure there is no line such as:\nuser ALL=(ALL:ALL) ALL We should only see:\nroot ALL=(ALL:ALL) ALL Or, possibly, accounts (or groups) specifically dedicated to administration and used only for that purpose.\nHow to Verify That a User No Longer Has Sudo Privileges # To check that everything went as planned:\nOn the user side, we attempt to run a command with sudo:\nuser@debian:~$ sudo ls\n[sudo] password for user:\nuser is not in the sudoers file.\nOn the administrator side, we verify that the sudo group is no longer in the user\u0026rsquo;s list with the command:\ngroups user Closing the Open User Session # For changes to take effect, the user session must be closed.\nIn principle, we should not have to do this as an administrator, as we communicate clearly and visibly with the user.\nSystem Reminder / Warning Message # We can send a message via:\necho \u0026#34;Closing your session in [time to be completed]\u0026#34; | write user But be careful: we cannot be certain that this message will actually be seen.\nI will say it clearly again: we communicate with the user and ensure they have understood.\nIdeally, if we do our job well, the user logs out and back in on their own when instructed.\nCommands to Close User Session / Processes # However, here are the commands that may be useful if needed.\nThe command to terminate a session:\nloginctl terminate-user user To check if a user still has active processes:\npgrep -u user If the user has stuck processes, we can perform a:\npkill -u user Best regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"8 May 2026","externalUrl":null,"permalink":"/en/posts/how-to-remove-sudo-privileges-from-a-user-in-debian/","section":"Posts","summary":"Hello,\nSecurity Best Practices # A secure machine is one where just anyone cannot do just anything.\nA secure machine requires logging into an account with 
elevated privileges to perform administrative tasks.\nThis can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.\n","title":"How to remove sudo privileges from a user in Debian","type":"posts"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/incident/","section":"Tags","summary":"","title":"Incident","type":"tags"},{"content":"Hello,\nWhile I was getting ready to deploy a new service to visualize my traffic statistics, I briefly thought I had broken my NPM (Nginx Proxy Manager) configuration. Indeed, I was getting some rather vague errors and, when checking the ad hoc folder, I couldn\u0026rsquo;t see any new directory for the key and certificate I was trying to obtain.\nIt was only after checking the Docker container logs that I realized the problem wasn\u0026rsquo;t on my end.\n[5/8/2026] [7:27:32 PM] [SSL ] › ℹ info Requesting LetsEncrypt certificates for […].marcjestin.fr\n[5/8/2026] [7:27:32 PM] [SSL ] › ℹ info Command: certbot […].marcjestin.fr\n[5/8/2026] [7:27:33 PM] [Nginx ] › ℹ info Reloading Nginx\n[5/8/2026] [7:27:33 PM] [Express ] › ⚠ warning Saving debug log to /data/logs/letsencrypt.log\nAn unexpected error occurred:\nThe service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt.log or re-run Certbot with -v for more details. 
And the confirmation on https://letsencrypt.status.io/:\nThis is the very first time I\u0026rsquo;ve encountered this issue.\nThe little detail that amused me most when visiting the status page was that a scheduled maintenance had been performed on the same resources just a short time before the incident (see screenshot below).\nIt\u0026rsquo;s a safe bet that the two are linked.\nEven though I am aware that the maintenance occurred during the morning in San Francisco, where the ISRG is based, it\u0026rsquo;s a good time to remember that:\nthe best time to schedule maintenance is definitely not late Friday afternoon, just before leaving for the weekend.\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"8 May 2026","externalUrl":null,"permalink":"/en/posts/lets-encrypt-caught-in-the-friday-night-maintenance-syndrome/","section":"Posts","summary":"Hello,\nWhile I was getting ready to deploy a new service to visualize my traffic statistics, I briefly thought I had broken my NPM (Nginx Proxy Manager) configuration. 
Indeed, I was getting some rather vague errors and, when checking the ad hoc folder, I couldn’t see any new directory for the key and certificate I was trying to obtain.\nIt was only after checking the Docker container logs that I realized the problem wasn’t on my end.\n","title":"Let's Encrypt caught in the Friday night maintenance syndrome","type":"posts"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/letsencrypt/","section":"Tags","summary":"","title":"Letsencrypt","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/loginctl/","section":"Tags","summary":"","title":"Loginctl","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/maintenance/","section":"Tags","summary":"","title":"Maintenance","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/pkill/","section":"Tags","summary":"","title":"Pkill","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/security/","section":"Tags","summary":"","title":"Security","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/ssl/","section":"Tags","summary":"","title":"Ssl","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/su/","section":"Tags","summary":"","title":"Su","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/sudo/","section":"Tags","summary":"","title":"Sudo","type":"tags"},{"content":"","date":"8 May 2026","externalUrl":null,"permalink":"/en/tags/tls/","section":"Tags","summary":"","title":"Tls","type":"tags"},{"content":"","date":"May 6, 2026","externalUrl":null,"permalink":"/fr/tags/auto-h%C3%A9bergement/","section":"Tags","summary":"","title":"Auto-Hébergement","type":"tags"},{"content":"","date":"5 May 
2026","externalUrl":null,"permalink":"/en/tags/dokploy/","section":"Tags","summary":"","title":"Dokploy","type":"tags"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/tags/email/","section":"Tags","summary":"","title":"Email","type":"tags"},{"content":"","date":"May 5, 2026","externalUrl":null,"permalink":"/fr/tags/f%C3%A9divers/","section":"Tags","summary":"","title":"Fédivers","type":"tags"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/tags/fediverse/","section":"Tags","summary":"","title":"Fediverse","type":"tags"},{"content":"Hello,\nI can now officially announce it: I have crossed the Rubicon of self-hosting—the act of hosting one\u0026rsquo;s own server(s) and/or Internet service(s) at home for ALL my Internet tools.\nFor several years, I had been experimenting and testing various solutions to host services on dedicated servers or directly at home. Some of my customers have used some of them.\nI would regularly reopen the file as the anniversary date of my hosting contract approached for the email and web servers.\nThis year, I seized the opportunity.\nTechnical Infrastructure # I am using a machine running Linux Debian on which I rely on Docker services.\nI use the reverse proxy NPM (Nginx Proxy Manager).\nFor electronic messaging, I use Mailcow. I chose to use this \u0026ldquo;packaged\u0026rdquo; tool even though, in general, I prefer to remain as independent as possible.\nMotivations for Changing # Among the key motivations, here are the most strategic ones:\nRegaining more freedom to install whatever I wish without being throttled by a strategy decided by others, nor limited by technology that no longer truly evolves and is resting on its laurels. Having access to features that were sometimes restricted—wrongfully, in my opinion—by the host. 
Being able to deploy modern services with high added value; No longer penalizing Tor network users who do me the honor of visiting (including myself); Moving toward a vision of the Internet that suits me better; And more broadly, a vision of the world. All this may seem rather abstract, especially since I don\u0026rsquo;t want to disclose all the points that bothered me in the previous situation, but believe me, it manifested in very concrete ways.\nGreat Satisfaction Already # I already feel much lighter, and I have already found many reasons to be satisfied with my choice.\nTo begin with, I feel better for having finally turned my back on commercial practices that go against my vision of the world.\nThe same goes for technological and technical approaches that I consider profoundly inept and thoughtless. Plenty of others exist in this new world, but I can choose not to subscribe to them. Until now, I had to endure them while biting my tongue.\nOne example: the filling of DNS zones with heaps of records I never requested and never used. Add to that an undoubtedly poorly-crafted management interface, and I regularly found myself with \u0026ldquo;this site is slowing down your browser\u0026rdquo; messages and unacceptable waiting times to perform very simple operations.\nI have already encountered immense joy and satisfaction in tackling various tools that I couldn\u0026rsquo;t really test without taking the leap to a dedicated server (testing them offline is not the same thing at all).\nWhile it was already much more advanced than most people\u0026rsquo;s, I have been able to further perfect my email management strategy.\nFrom now on, I freely have:\nA catch-all address; Numerous services: Rspamd for spam protection; ClamAV for antivirus; Sieve by Dovecot for automated processing; and An integrated management tool, easy to use and full of useful features to make a manager\u0026rsquo;s life easier. 
Promises and Hopes # For me, this migration is an opportunity to make a major technological leap that was becoming essential.\nI was able to do it without incurring costs—on the contrary, since I am removing the burden of external hosting.\nI can now consider extending or developing the tool very extensively. The possibilities are countless, even if I know I won\u0026rsquo;t be able to do everything: the machine I\u0026rsquo;m using isn\u0026rsquo;t exactly young, and some applications like MongoDB require things I don\u0026rsquo;t have.\nToo Easy # Of course, I was already able to do (and was doing) great things. I had already made this leap several times without finalizing the switch.\nIt was not difficult for me to cross this threshold.\nSo, it\u0026rsquo;s done…\nBetter late than never.\nNote # I had first decided to use a tool like Coolify or Dokploy. After several attempts in that direction, I don\u0026rsquo;t think these tools are mature or serious enough for me.\nI like reliable, \u0026ldquo;no-surprise\u0026rdquo; solutions. I prefer to master what I\u0026rsquo;m doing when I do something. Best regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"5 May 2026","externalUrl":null,"permalink":"/en/posts/free-at-last/","section":"Posts","summary":"Hello,\nI can now officially announce it: I have crossed the Rubicon of self-hosting—the act of hosting one’s own server(s) and/or Internet service(s) at home for ALL my Internet tools.\nFor several years, I had been experimenting and testing various solutions to host services on dedicated servers or directly at home. 
Some of my customers have used some of them.\nI would regularly reopen the file as the anniversary date of my hosting contract approached for the email and web servers.\n","title":"Free at last","type":"posts"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/tags/glitch-soc/","section":"Tags","summary":"","title":"Glitch-Soc","type":"tags"},{"content":"","date":"May 5, 2026","externalUrl":null,"permalink":"/fr/tags/h%C3%A9bergement/","section":"Tags","summary":"","title":"Hébergement","type":"tags"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/tags/hosting/","section":"Tags","summary":"","title":"Hosting","type":"tags"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/categories/journal/","section":"Categories","summary":"","title":"Journal","type":"categories"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/tags/mastodon/","section":"Tags","summary":"","title":"Mastodon","type":"tags"},{"content":"","date":"5 May 2026","externalUrl":null,"permalink":"/en/areas/towards-a-healthy-peaceful-and-serene-life/","section":"Areas","summary":"","title":"Towards a Healthy, Peaceful, and Serene Life","type":"areas"},{"content":"Hello,\nYesterday and last night, I installed a glitch-soc Mastodon instance on my server.\nIt wasn\u0026rsquo;t exactly a walk in the park, but I eventually got it done.\nI took the opportunity to learn and to uncover a few flaws, if not bugs, in Dokploy.\nLearning and Know-how # I only deployed this tool to learn how to do it.\nThere, it\u0026rsquo;s done.\nWe don\u0026rsquo;t share the same vision of the digital world # I have been puzzled by some of the design choices made in Mastodon for quite some time now.\nWhen I set up my own instance, I tested a \u0026ldquo;personal\u0026rdquo; installation (without opening registrations to third parties).\nSome might tell me this is logical, but I argue the opposite: in this mode, the tool does not offer to generate 
two separate accounts—one for administration and another for communication (the actual usage).\nFirst of all, I find this contrary to basic user interface design principles. You don\u0026rsquo;t design an admin interface the same way you design a user interface. And, above all, you don\u0026rsquo;t mix the two—unlike what I observed here.\nMore importantly, it goes against all my rules and best practices regarding security. Regardless of the projects I work on, I always have at least two separate accounts with no bridge between them (see my articles on sudo 1, for example).\nI avoid logging in with elevated privileges as much as possible, and I compartmentalize (I use Qubes OS, those who know will understand).\nThis is yet another item on my long list of things \u0026ldquo;I wouldn\u0026rsquo;t have done that way.\u0026rdquo;\nVeni, vidi, abii # Since I had the tool handy, I took the opportunity to browse around the Fediverse a bit.\nThis inspired the following reflection:\n\u0026ldquo;I came, I saw, I left.\u0026rdquo; — Marc JESTIN\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\nhttps://blog.marcjestin.fr/en/?q=sudo.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n","date":"5 May 2026","externalUrl":null,"permalink":"/en/posts/veni-vidi-abii/","section":"Posts","summary":"Hello,\nYesterday and last night, I installed a glitch-soc Mastodon instance on my server.\nIt wasn’t exactly a walk in the park, but I eventually got it done.\nI took the opportunity to learn and to uncover a few flaws, if not bugs, in Dokploy.\nLearning and Know-how # I only deployed this tool to learn how to do it.\n","title":"Veni, vidi, abii","type":"posts"},{"content":"","date":"May 5, 2026","externalUrl":null,"permalink":"/fr/areas/vers-une-vie-saine-paisible-et-sereine/","section":"Areas","summary":"","title":"Vers Une Vie Saine, Paisible Et Sereine","type":"areas"},{"content":"","date":"5 May 
2026","externalUrl":null,"permalink":"/en/tags/web/","section":"Tags","summary":"","title":"Web","type":"tags"},{"content":"","date":"May 4, 2026","externalUrl":null,"permalink":"/fr/areas/bien-%C3%AAtre-et-%C3%A9ducation-du-chien/","section":"Areas","summary":"","title":"Bien-Être Et Éducation Du Chien","type":"areas"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/categories/case-studies/","section":"Categories","summary":"","title":"Case Studies","type":"categories"},{"content":"","date":"May 4, 2026","externalUrl":null,"permalink":"/fr/tags/chiens/","section":"Tags","summary":"","title":"Chiens","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/ci-cd/","section":"Tags","summary":"","title":"Ci-Cd","type":"tags"},{"content":"Hello,\nOrion and I once again crossed paths with that lady and her dog, which clearly suffers from a behavioral disorder.\nI fear the dog isn\u0026rsquo;t the only one exhibiting behavioral issues\u0026hellip;\nInitial Aggressions # This dog has already charged Orion in aggressive mode several times.\nThe first time it happened, Orion and I were playing peacefully, as we usually do during our walks on a path between the fields. I was throwing the ball and Orion was fetching it. This dog came out of nowhere from behind us, running at full speed. It headed straight for Orion and attacked him for the first time.\nNot once did I hear the slightest recall from a human.\nPathological Aggression # In this dog, the behavioral disorder takes a rather strange form: It rushes toward the other dog, barking aggressively and pretending to bite. Fortunately, it stops and, it seems to me, does not actually bite its counterpart. At least for now, and given Orion’s good behavior as he dodges the encounter\u0026hellip;\nI turn around and see a person in the distance. The dog returns to them. 
So be it.\nI naively thought the person would have taken the precaution of calling their dog back and leashing it to prevent a repeat performance.\nThink again.\nA few moments later, it happened all over again!\nA Painful Adaptation # As I often say:\nIf you make a mistake once, it’s no big deal.\nIf you do it again, it’s because you are truly an idiot.\nI apply this simple principle to myself and put the ball away. Poor Orion is very disappointed, but it is the best thing to do if we hope to be left in peace. My adorable and beloved baby, who has done nothing wrong, finds himself doubly penalized: first by the unpleasant aggressions of this dog, and then by being deprived of his favorite game with his favorite \u0026ldquo;dad.\u0026rdquo;\nOur priority is to continue our walk peacefully without bothering anyone and, if possible, without being bothered. We comply.\nConsternation # For reasons I no longer remember—likely because I let Orion sniff around—the lady caught up to us. 1\nI notice she neither greets me nor apologizes for her dog\u0026rsquo;s behavior.\nI say to her calmly:\n\u0026ldquo;— Madam, your dog has attacked mine twice. You should leash him. 
If he does it again, I will have to take matters into my own hands.\u0026rdquo;\nAnd then, to my great surprise, this lady denies the facts and turns on me as if I had committed a crime of lèse-majesté.\nAn altercation ensues where she behaves like all narcissistic fools who absolutely must be right even when everything proves them wrong.\nI finally ask her to move away and leave me alone—or, more accurately, I tell her where to go.\nThe analogy between these unbalanced, snarling dogs barking like mad and her behavior becomes so obvious that I cannot help but share it with you here.\nFoolish Arrogance # I won\u0026rsquo;t elaborate on all the events that followed; it’s of little importance to me.\nHowever, let’s note this rather amusing detail: the first time we crossed paths with this lady and her dog on that same path after that first very unpleasant episode, she took it upon herself to tell me, in a haughty and unpleasant tone, that I should leash Orion.\nThis, while Orion was walking quietly in front of me.\nAnyone who knows us, Orion and me, knows how ridiculous and profoundly stupid this request is. 🤣\nOrion is excellently trained and has never harmed or disturbed anyone.\nUnlike her dog, and her, for that matter.\nConsequences for my baby Orion # Orion, who is always very attentive, has become even more so. He looks behind us more often since these tragic events, especially near the spots where that dog attacked him.\nHe has shown signs of worry or irritation two or three times in the presence of similar-looking dogs.\nI make sure, of course, to guide and help him with explanatory words and cues. 
This helps him better master his emotions, manage situations, and progress in his analysis and behavior.\nA Self-Destructive Process # This Sunday, around 6:30 PM, we set off for our long walk along that same agricultural path between the fields.\nI see a dog of that type and two people walking toward us in the distance.\nAt first, the person seems to recall their dog, and I think to myself they are going to leash it.\nThink again.\nOrion, recognizing the parties involved, slows down and sticks close to me. I have to encourage him to move forward. 2\nOrion and I are walking peacefully on the shoulder of the path (which is about the width of a small road); the people are coming toward us on the other side.\nSuddenly, as he reaches our level, the dog rushes Orion again, right at my feet, in front of me.\nHe still displays that same behavioral disorder I described above. Not from behind or by surprise like the previous times, but it is still just as unacceptable and concerning for his mental state.\nThe lady is accompanied by another woman.\nI think to myself: \u0026ldquo;At least this way, another person has seen the problem. 
Perhaps this other lady, who seemed charming and very courteous, will be able to open her \u0026lsquo;friend\u0026rsquo;s\u0026rsquo; eyes.\u0026rdquo;\nOnce again, as always, the lady does not call her dog back or correct it.\nI look at the lady as I pass, silent: I am waiting for an apology.\nInstead, I receive undeniable proof of this lady\u0026rsquo;s profound disorders.\nI am actually quite astonished, given the context and the presence of a third party next to her.\n\u0026ldquo;ASSHOLE!\u0026rdquo; 3\nshe yells at me like a moron or someone under the influence of psychotropics in the middle of an uncontrolled demented crisis.\nSuch experiences do not reconcile me with these things you still call humans, which I classify into other categories of biological specimens or aggregates of organic matter\u0026hellip;\nI could only make a biting but objectively realistic remark:\n\u0026ldquo;— Bravo, the same stupid [aggressive] behavior as your dog!\u0026rdquo;\nConclusions # An Impeccable Attitude # First of all, I didn\u0026rsquo;t need to manage or worry about Orion\u0026rsquo;s behavior.\nHe has been, is, and will remain a very good dog.\nI had given him clear instructions well before the altercation, which he followed.\nHe did not respond to the aggression and managed to go about his life peacefully throughout the events without me having to worry about him.\nHe flies far above the cuckoo\u0026rsquo;s nest.\nOf these two cuckoos in particular, as well as many others.\nExpect Nothing from Them # These people are disconnected from reality. 
They self-condition, self-hallucinate, and carry themselves away in their own whirlwind of cognitive and behavioral degeneration.\nAll these symptoms are a visible part of a vast DE PROFUNDIS: a great void where their lost souls wander without ever finding a way out.\nConcretely:\nthey do not rehabilitate their dog, or do it very poorly; they are unaware of the level of anxiety and stress their poor dog lives in; they do not realize the severity of their dog’s condition, or their own. I assert that they are seriously mistreating their dog (and those of others, by the way, through him).\nSo, when it comes to\nrealizing how badly they behave toward others, or taking adequate measures (here, simply leashing their dog to prevent it from attacking ours), there is nothing to expect from them.\nThese people live in the deepest and most irremediable denial of reality and irresponsibility, I fear.\nWhat Can We Do? # Doing Right by Our Dog # The first thing to do is to ensure that we, above all, do not become like them.\nWe see to the good education and behavior of our companion.\nAnd Even More for Our Dog # The second thing is to raise the bar for our dog.\nWe prepare our dog more than should be necessary.\nWe prepare him more than would be required in a healthy world, because the world is what it is.\nThus, our dog manages these situations better and lives through them more easily. He is less affected by having to live in a world full of “mushrooms” 4, both canine and human, of this sort.\nI call this over-educating the dog.\nHe sorely needs it, as he does not have all the tools that (the best of) us have to analyze situations and take the best options. 
This is especially true since he has little room for maneuver.\nProtecting and Preserving Our Dog # The third thing is to continue living as long as possible as far as possible from all these toxic, unhealthy, and clearly contemptible beings, both human and canine.\nThis allows us to protect and preserve our dog, and ourselves at the same time.\nWe avoid risky or painful situations for our dog.\nRespectfully,\nMarc JESTIN\nhttps://marcjestin.fr\nNotes for Humans # Postures Toward Narcissistic Perverts # Many people are victims of various forms of narcissistic perversion that leave them swimming in a DE PROFUNDIS of delusions and hallucinations. All of this leads them to lose sight of the reality of facts and to become toxic to themselves, to those close to them—here, for example, their dog—and to others.\nFaced with them, we can be:\n—preferably—courteous, while remaining as inert and silent as possible; sardonic and playful; or sometimes, silent without courtesy (no longer greeting them); and in rare, very serious cases, very unpleasant. 
Active Self-Defense Countermeasures # When we are unpleasant and therefore vulgar, it is not out of anger or frustration, but rather a deliberate maneuver.\nWe use very harsh and strong terms when we are forced to reprimand certain people.\nThis is often the only way to be heard and “respected” by such individuals.\nFailing to obtain an improvement in their behavior—a very rare if not impossible feat with these people—it serves to push them away.\nUnfortunately, one must sometimes tune into mediocrity to obtain a semblance of a “result.”\nOur only goal is to keep nuisances as far away as possible and to avoid wasting our time in verbal jousts that have no chance of leading to any progress: when the weakness of mind exceeds certain thresholds, progress is no longer possible.\nWe have much better things to do with our lives.\nRespectfully,\nMarc JESTIN\nhttps://marcjestin.fr\nRemind me to make sure I don’t cross paths with these kinds of people and to not speak to them. At my age, I still sometimes forget how unpleasant and totally unproductive it is.\nI didn’t necessarily think this choice through. I could have perhaps avoided this new incident for Orion. Probably, even. Especially since I know the solutions. The last time we had crossed paths in the same context on this path, the “stupid dog” hadn’t attacked Orion. I told myself in the moment that it would go well.\nThis lady had already manifested this kind of behavioral disorder several times during other encounters. Those other times, the dog had kept its distance and hadn’t attacked Orion. It’s impossible not to draw a parallel between this lady’s glaring lack of education and her dog’s problems. 
Both show aggression with no cause or motivation other than their own personal delusions…\nAn expression I borrow from the famous Little Prince, of course.\n","date":"4 May 2026","externalUrl":null,"permalink":"/en/posts/de-profundis/","section":"Posts","summary":"Hello,\nOrion and I once again crossed paths with that lady and her dog, which clearly suffers from a behavioral disorder.\nI fear the dog isn’t the only one exhibiting behavioral issues…\nInitial Aggressions # This dog has already charged Orion in aggressive mode several times.\nThe first time it happened, Orion and I were playing peacefully, as we usually do during our walks on a path between the fields. I was throwing the ball and Orion was fetching it. This dog came out of nowhere from behind us, running at full speed. It headed straight for Orion and attacked him for the first time.\n","title":"De Profundis","type":"posts"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/devops/","section":"Tags","summary":"","title":"Devops","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/docker/","section":"Tags","summary":"","title":"Docker","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/areas/dog-well-being-and-education/","section":"Areas","summary":"","title":"Dog Well-Being and Education","type":"areas"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/dogs/","section":"Tags","summary":"","title":"Dogs","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/education/","section":"Tags","summary":"","title":"Education","type":"tags"},{"content":"","date":"May 4, 2026","externalUrl":null,"permalink":"/fr/tags/%C3%A9ducation/","section":"Tags","summary":"","title":"Éducation","type":"tags"},{"content":"","date":"4 May 
2026","externalUrl":null,"permalink":"/en/tags/gitea/","section":"Tags","summary":"","title":"Gitea","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/livingtogether/","section":"Tags","summary":"","title":"LivingTogether","type":"tags"},{"content":"","date":"May 4, 2026","externalUrl":null,"permalink":"/fr/tags/vivreensemble/","section":"Tags","summary":"","title":"VivreEnsemble","type":"tags"},{"content":"","date":"4 May 2026","externalUrl":null,"permalink":"/en/tags/webhook/","section":"Tags","summary":"","title":"Webhook","type":"tags"},{"content":"Hello,\nI struggled a bit to get my workflow running for automating updates to this blog when I push to the main branch of my repository on my Gitea server.\nThe Challenge: Automating Deployment # The goal was simple: use Gitea Actions so that every git push automatically triggers a container update for my site on my Dokploy instance.\nOn paper, it only takes a simple curl command to call the Webhook URL provided by Dokploy. In reality, it turned into a true exercise in “blind debugging.”\nSymptoms: “All indicators are green, but nothing moves” # The initial diagnostic was puzzling:\nThe Gitea Actions log showed a clear success (Green badge).\nThe Dokploy interface, however, remained desperately silent: no trace of any new deployment.\nThis is where the golden rule of DevOps comes in: Never trust an exit code 0 without checking the response body.\nThe Diagnostic: Hunting down “Branch Not Match” # By running curl in verbose mode and capturing the server’s response, the culprit finally revealed itself: {\"message\":\"Branch Not Match\"}\nDokploy was indeed receiving the call, but it was rejecting it because it couldn’t identify which branch the webhook was referring to. 
The problem stemmed from several combined factors:\nThe Phantom Redirection (301): Since my instance is behind a reverse proxy, the HTTP URL was being redirected to HTTPS. Without the -L option, curl stopped at the redirection without transmitting the data.\nMissing Identity: Gitea does not send the same headers as GitHub. Dokploy, not seeing the familiar “label,” ignored the request parameters.\nThe Solution: A “Bulletproof” Call # To resolve this communication conflict, I had to “force” the negotiation between the client and the Dokploy API by adding crucial elements to the Gitea workflow:\nFollow Redirects (-L): To follow the transition from HTTP to HTTPS.\nContent-Type Header (-H \"Content-Type: application/json\"): To confirm the data format.\nEvent Header (-H \"X-Gitea-Event: push\"): So that Dokploy knows it should process the call as a Git action.\nRequest Body (-d): To explicitly specify the branch (main). 
The Final Gitea Workflow Code # Here is what the call that finally resolved the situation looks like in my .gitea/workflows/deploy.yaml:\n- name: Trigger Dokploy Webhook\n  run: |\n    curl -L -X POST \"${{ secrets.DOKPLOY_DEPLOY_WEB_HOOK }}\" \\\n      -H \"Content-Type: application/json\" \\\n      -H \"X-Gitea-Event: push\" \\\n      -d '{\"ref\": \"refs/heads/main\"}'\nThis issue is documented here: https://github.com/Dokploy/dokploy/issues/2149\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"4 May 2026","externalUrl":null,"permalink":"/en/posts/webhooks-cicd-when-dokploy-and-gitea-refuse-to-talk-to-each-other/","section":"Posts","summary":"Hello,\nI struggled a bit to get my workflow running for automating updates to this blog when I push to the main branch of my repository on my Gitea server.\nThe Challenge: Automating Deployment # The goal was simple: use Gitea Actions so that every git push automatically triggers a container update for my site on my Dokploy instance.\n","title":"Webhooks & CI/CD: When Dokploy and Gitea refuse to talk to each other","type":"posts"},{"content":"","date":"3 May 2026","externalUrl":null,"permalink":"/en/tags/blog/","section":"Tags","summary":"","title":"Blog","type":"tags"},{"content":"","date":"3 May 2026","externalUrl":null,"permalink":"/en/tags/caddy/","section":"Tags","summary":"","title":"Caddy","type":"tags"},{"content":"","date":"3 May 2026","externalUrl":null,"permalink":"/en/tags/hugo/","section":"Tags","summary":"","title":"Hugo","type":"tags"},{"content":"Hello and welcome to this new blog.\nI chose to use the Hugo content management engine and static site generator, paired with Caddy.\nEverything is deployed within a Docker infrastructure managed by Dokploy. 
In this setup, Caddy is used solely for the rapid rendering of static pages.\nThe server’s reverse proxy is Traefik.\nI still haven’t managed to get my gitea actions running correctly for automatic updates upon commit, but that should be fixed soon. 😉\nAddendum (05/04/2026) # The workflow is now operational: gitea --> docker runner --> site container rebuild. A small procedure was required to force the POST call to pass the correct parameters (the core of the issue was the negotiation between the curl client and the Dokploy API).\nAddendum 2 (05/04/2026) # All that for this! I finally decided to switch back to a much simpler workflow: I now build the site on my local machine and upload the generated files directly to the server. It’s so much simpler and more efficient! 😉\nBest regards,\nMarc JESTIN\nhttps://marcjestin.fr\n","date":"3 May 2026","externalUrl":null,"permalink":"/en/posts/my-first-post/","section":"Posts","summary":"Hello and welcome to this new blog.\nI chose to use the Hugo content management engine and static site generator, paired with Caddy.\nEverything is deployed within a Docker infrastructure managed by Dokploy. In this setup, Caddy is used solely for the rapid rendering of static pages.\nThe server’s reverse proxy is Traefik.\nI still haven’t managed to get my gitea actions running correctly for automatic updates upon commit, but that should be fixed soon. 😉\n","title":"My First Post","type":"posts"},{"content":"","date":"3 May 2026","externalUrl":null,"permalink":"/en/tags/traefik/","section":"Tags","summary":"","title":"Traefik","type":"tags"}]