Well, this kinda blew up a bit. My original post here[1] has so far seen well over a hundred boosts, a new personal best :D
It has been suggested it is time to detail a bit about the configuration of this beast. Let's start with the basics: This is a straight-up #NetBSD 11rc2 installation on a stock #Nintendo #Wii. Many people have detailed how to install it, but one useful source of information is Alex Haydock's blog[2], and of course the NetBSD release documentation. The kernel config[3] is modified slightly from the default
Building #snac2 was straight forward; no difference from building on i486 or i686. Simply
Since snac won't do TLS for inbound connections, a TLS proxy is needed. My go-to nginx isn't in the 11rc2 PPC package repository at the time of writing, so I built it from
Next up, I found ttp[4]. It is a very small and simple proxy server, which works fine but cannot serve static files, nor does it support TLS 1.3. It is also incapable of dropping privileges, and since I want to run it as
Luckily, NetBSD has
TTP wasn't without problems - but they turned out to not be entirely its fault. I kept getting connection failures and snac kept exiting for no obvious reason.
After some fiddling around, the snac author suggested[5] that I was running out of file handles, which is indeed the case. Adding
Then my thoughts landed on an old acquaintance of mine - pound[6]. This is a reverse proxy with good TLS support, and recent versions can even serve static files in a fairly simple way. After a couple of bug reports, lots of help by the current maintainer, and some more fiddling, I got the most recent versions to build. Once the next release drops (4.21), I'll have a go at doing my first
The pound configuration[7] now seems to be fairly complete, even keeping out most random scanning attacks (yes, they have already started).
[1] https://wii.cafe/ltning/p/1773014130.033156
[2] https://blog.infected.systems/posts/2025-04-21-this-blog-is-hosted-on-a-nintendo-wii/
[3] https://anduin.net/~ltning/WII_TINY
[4] https://github.com/Theldus/ttp
[5] https://codeberg.org/grunfink/snac2/issues/576
[6] https://www.gnu.org.ua/software/pound/manual/index.html
[7] https://anduin.net/~ltning/pound/wiicafe_pound.tgz
It has been suggested it is time to detail a bit about the configuration of this beast. Let's start with the basics: This is a straight-up #NetBSD 11rc2 installation on a stock #Nintendo #Wii. Many people have detailed how to install it, but one useful source of information is Alex Haydock's blog[2], and of course the NetBSD release documentation. The kernel config[3] is modified slightly from the default
WII in an attempt to save a bit of memory.Building #snac2 was straight forward; no difference from building on i486 or i686. Simply
make and make install, with the -f Makefile.NetBSD (the NetBSD-specific makefile is included with the snac sources).Since snac won't do TLS for inbound connections, a TLS proxy is needed. My go-to nginx isn't in the 11rc2 PPC package repository at the time of writing, so I built it from
pkgsrc myself. This only took a couple of hours.. But alas, it's a bit too memory hungry for my taste, even with a minimal configuration.Next up, I found ttp[4]. It is a very small and simple proxy server, which works fine but cannot serve static files, nor does it support TLS 1.3. It is also incapable of dropping privileges, and since I want to run it as
nobody I had to find a different way to pass port 443 traffic to it.Luckily, NetBSD has
npf, a built-in firewall that can do NAT and which is fairly easy to configure (at least with the usual good documentation and examples included). Picking up port 443 and NATing it to a high port for ttp to handle worked fine - and allows me to easily move traffic from one TLS proxy to another while I experiment.TTP wasn't without problems - but they turned out to not be entirely its fault. I kept getting connection failures and snac kept exiting for no obvious reason.
After some fiddling around, the snac author suggested[5] that I was running out of file handles, which is indeed the case. Adding
ulimit -n 1024 to /etc/rc.d/snac solved that issue as well.Then my thoughts landed on an old acquaintance of mine - pound[6]. This is a reverse proxy with good TLS support, and recent versions can even serve static files in a fairly simple way. After a couple of bug reports, lots of help by the current maintainer, and some more fiddling, I got the most recent versions to build. Once the next release drops (4.21), I'll have a go at doing my first
pkgsrc port update :)The pound configuration[7] now seems to be fairly complete, even keeping out most random scanning attacks (yes, they have already started).
[1] https://wii.cafe/ltning/p/1773014130.033156
[2] https://blog.infected.systems/posts/2025-04-21-this-blog-is-hosted-on-a-nintendo-wii/
[3] https://anduin.net/~ltning/WII_TINY
[4] https://github.com/Theldus/ttp
[5] https://codeberg.org/grunfink/snac2/issues/576
[6] https://www.gnu.org.ua/software/pound/manual/index.html
[7] https://anduin.net/~ltning/pound/wiicafe_pound.tgz
