I know lemm.ee is hosted in the EU, but I can’t find that information for lemmy.world.

  • bndkt@lemm.ee
    English · ↑ 17 · 14 hours ago

    They probably use Cloudflare for load balancing and anti-DDoS. This doesn’t mean it is hosted on Cloudflare; it is only a proxy. The point is not to show you the real IP so you can’t attack the origin server.

  • Successful_Try543@feddit.org
    ↑ 28 · ↓ 1 · edited · 13 hours ago

    AFAIK, they are hosted at Hetzner, so physically in Germany or Finland.

    Edit: Source https://lemmy.world/post/22397634

    Edit 2: The IP online tool on the website below indicates that it may actually be physically hosted in the US (on a virtual server as, according to Wikipedia, Hetzner doesn’t offer bare metal servers in the US).

    https://www.ipaddress.com/website/lemmy.world/

    Edit 3: The IP is from Cloudflare, the servers are from Hetzner in EU.

    • ᴇᴍᴘᴇʀᴏʀ 帝@feddit.uk
      ↑ 6 · 11 hours ago

      > AFAIK, they are hosted at Hetzner, so physically in Germany or Finland.

      If I remember correctly, the main servers are in Hetzner’s data centre in Finland with back-ups in Germany. Although they have a complex set-up so it may not be as cleanly divided up these days.

      I suspect half the Fediverse runs on Hetzner at this point.

    • notabot@lemm.ee
      ↑ 9 · 13 hours ago

      The US IP address is for Cloudflare, who are acting as a front end for things like DDoS protection. A lot of lemmy servers use them, which is unfortunate, but there don’t seem to be any viable European alternatives.

      You can check the details with the whois command. The relevant bit when querying for one of their addresses is:

      NetRange:       104.16.0.0 - 104.31.255.255
      CIDR:           104.16.0.0/12
      NetName:        CLOUDFLARENET
      NetHandle:      NET-104-16-0-0-1
      Parent:         NET104 (NET-104-0-0-0-0)
      NetType:        Direct Allocation
      OriginAS:       AS13335
      Organization:   Cloudflare, Inc. (CLOUD14)
      RegDate:        2014-03-28
      Updated:        2024-09-04
      Comment:        All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
      Comment:        Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
      Ref:            https://rdap.arin.net/registry/ip/104.16.0.0
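
Added example (not part of the original thread or any poster's code): a small parser for the whois fields quoted in the comment above, which checks that `NetRange` and `CIDR` agree and then tests whether an address a hostname resolves to belongs to the proxy's allocation. The two sample addresses are constructed, and the function names are illustrative.

```python
import ipaddress

# whois lines from the comment above, with a Comment line wrapped the way a
# narrow terminal shows it.
WHOIS_TEXT = """\
NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
Comment:        All Cloudflare abuse reporting can be
done via https://www.cloudflare.com/abuse
Comment:        Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
"""

def parse_whois(text):
    """Collect 'Key: value' lines; a line with no valid key continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and " " not in key:
            last = key
            fields.setdefault(key, []).append(value.strip())
        elif last and line.strip():
            fields[last][-1] += " " + line.strip()
    return fields

def network_from_whois(fields):
    """Build the allocation from CIDR and verify it matches NetRange."""
    net = ipaddress.ip_network(fields["CIDR"][0])
    first, last = (ipaddress.ip_address(p) for p in fields["NetRange"][0].split(" - "))
    if (first, last) != (net.network_address, net.broadcast_address):
        raise ValueError("NetRange and CIDR describe different ranges")
    return net

def is_proxy_edge(ip, net):
    """True when the address belongs to the proxy's allocation, not to an origin host."""
    return ipaddress.ip_address(ip) in net

if __name__ == "__main__":
    fields = parse_whois(WHOIS_TEXT)
    net = network_from_whois(fields)
    owner = fields["Organization"][0]
    # Constructed sample addresses: one inside the range, one from TEST-NET-3.
    for ip in ("104.21.0.1", "203.0.113.10"):
        where = f"{owner} edge, origin location unknown" if is_proxy_edge(ip, net) else "outside this allocation"
        print(f"{ip}: {where}")
```

A match only identifies the proxy's edge network; geolocating that address describes the allocation holder, not where the origin server runs.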
      
      • Successful_Try543@feddit.org
        ↑ 1 · edited · 13 hours ago

        Thank you. So that’s why you ‘see’ a US IP address while the physical server may be located anywhere, e.g. in Germany.

        By looking at their Wikipedia, I’ve already found out that Cloudflare doesn’t do hosting.

        • notabot@lemm.ee
          ↑ 3 · 7 hours ago

          Cloudflare don’t host sites, but they do end up being a ‘man in the middle’ attack on any site they proxy for, regardless of where that site is nominally hosted. That ends up exposing all traffic on those sites to a US corporation, and ultimately the US government. Considering that Cloudflare proxy somewhere between 19% and 40% of all websites, I think that’s pretty alarming.

            • notabot@lemm.ee
              ↑ 1 · 2 hours ago

              You’ll be attacked and pay for the privilege! I suppose what you’re really paying for is knowing who’s attacking you. Mind you, I think it’s free for small sites, which is probably quite an attractive trade-off for many.

          • Successful_Try543@feddit.org
            ↑ 1 · edited · 5 hours ago

            I don’t get the ‘man in the middle’ part. Is the SSL key for the encrypted HTTPS connection not from LW, but from Cloudflare?
            It’s still problematic that they have metadata of the connections.

              • Successful_Try543@feddit.org
                ↑ 1 · edited · 4 hours ago

                But for HTTPS, isn’t the traffic supposed to be e2e encrypted between the client web browser and the server hosting the web page with the same cert? Does Cloudflare decrypt and then re-encrypt the traffic data?

                • notabot@lemm.ee
                  ↑ 2 · 2 hours ago

                  You see the problem. Yes, Cloudflare decrypt the request from the browser, inspect it, then re-encrypt it and send it to the host server. Then they take the response, decrypt that, inspect it, re-encrypt it and send it to the browser.

                  Basically there are two TLS flows, one from the browser to Cloudflare, and one from Cloudflare to the host server. Between those, on the Cloudflare system, both the traffic and response are in plain text. That includes usernames, passwords (for HTTP basic auth anyway) and any sensitive data you send or receive.

                  Given that they front somewhere between 19 and 40% of all websites, depending on whose stats you trust, that should be pretty alarming.

    • grue@lemmy.world
      ↑ 4 · 12 hours ago

      It’s Germany. You can tell because the ToS mentions the service being subject to German law.