Hi all, I selfhost private instance of Lemmy for my friends behind Pangolin reverse proxy. I noticed something interesting in the logs; Lemmy specifically gets pinged / tried to access each midnight UTC from what looks like an IP from inside the network. Just out of curiosity, do you have any idea what that could be? I have federation off and private instance on, but maybe it is something from Lemmy network checking if my server is alive? Thank you in advance

Update: So it turns out I was perhaps correct with my hunch. The local IP turns out to be the proxy I set for ports 80 and 443 (it was internal Wireguard IP). Unfortunately my current setup did not allow me to catch which IP the request came from (which is a problem I have to solve later) but the lemmy-proxy container got requests for GET /.well-known/nodeinfo and GET /nodeinfo/2.1. So it is probably something checking my server, likely from the Lemmy network.

Update 2: So after I disabled Pangolin for one night, after I reenabled it, the requests do not come again! So the Lemmy network must have figured out that my instance is set to private and stopped pinging.

    • removerpuzzlehunchback@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 days ago

      Well it is definitely specific to Lemmy, I selfhost over 20 services and only Lemmy gets pinged on midnight. The only other service I saw doing this was Nextcloud, Nextcloud instance needs to reach itself, but for Lemmy it is a different IP, which is puzzling me

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    6 days ago

    An ICMP ping or a web request?

    If it’s a web request the first thing that comes to mind is do you have BitWarden?

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        6 days ago

        There was a post a few days ago about someone using it and it pulled a tonne of data. I wonder if it also does polls to check if the link is still valid.

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          7
          ·
          6 days ago

          Bitwarden uses the favicon from the first link in the password entry.
          For my selfhosted web pages I use the public info page of the selfhosted page (e.g. openMediaVault) and set detection to [none].
          This way it won’t match against the 3rd party page but I get the icon :)

          BUUUT it should only poll if you activate the program/extension.
          Don’t know why it should poll at midnight

  • EarMaster@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    5 days ago

    Is your server running on UTC? Depending on your location midnight UTC could also be 8 AM and it could be a user with a very regular morning schedule.

    Only you can find out which machine is sending this request…

    • removerpuzzlehunchback@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 days ago

      My timezone is CET, so I get the ping on 2AM. The Lemmy container should be on UTC as I did not specify the timezone when launching the container. It is definitely not human, as the ping comes exactly on midnight UTC, or seconds away from midnight. I will turn off the Pangolin auth and investigate further this midnight. Again sorry for not providing more information, I was certain that it is a thing internal to Lemmy and I was just curious what it is

  • removerpuzzlehunchback@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    5 days ago

    Update: So it turns out I was perhaps correct with my hunch. The local IP turns out to be the proxy I set for ports 80 and 443 (it was internal Wireguard IP). Unfortunately my current setup did not allow me to catch which IP the request came from (which is a problem I have to solve later) but the lemmy-proxy container got requests for GET /.well-known/nodeinfo and GET /nodeinfo/2.1. So it is probably something checking my server, likely from the Lemmy network.

  • SayCyberOnceMore@feddit.uk
    link
    fedilink
    English
    arrow-up
    3
    ·
    6 days ago

    And when you ping that IP address back, what happens?

    Can you trace it?

    Maybe setup wireshark and record what happens at that time of night…

    • removerpuzzlehunchback@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 days ago

      I will definitely do that, right now I can’t work with anything because the traffic gets stopped at Pangolin’s level, but I will turn off Pangolin’s auth for one night