style(slugize): follow gfm & vscode

lowercase & remove dot
This commit is contained in:
Ming Di Leom 2024-06-08 04:45:34 +00:00
parent 772df1da56
commit 4f26c5e813
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
25 changed files with 61 additions and 64 deletions

View File

@ -81,16 +81,15 @@ pagination_dir: page
## Themes: https://hexo.io/themes/
theme: chameleon
# hexo-yam
## https://github.com/curbengh/hexo-yam
# https://github.com/curbengh/hexo-yam
minify:
svg:
plugins:
cleanupIds: false
marked:
# https://github.com/hexojs/hexo-renderer-marked/pull/179
descriptionLists: false
modifyAnchors: 1
feed:
icon: "/svg/favicon.svg"
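Review bot: `modifyAnchors: 1` under `marked:` appears only once in this hunk and the header goes from 16 to 15 lines, so it reads as removed; confirm that the new slugize lowercases heading ids on its own, because every `#lowercase` link rewritten in the rest of this commit depends on the generated ids actually being lowercase once the marked option is gone. The `##` to `#` change on the hexo-yam URL comment is cosmetic and fine.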

View File

@ -11,7 +11,7 @@ AliExpress login doesn't show up on Firefox when there is a strict cross-origin
## Background
> Click [**here**](#My-Orders) to go straight to the workarounds.
> Click [**here**](#my-orders) to go straight to the workarounds.
Firefox can restrict the referrer to the same origin only ([docs](https://wiki.mozilla.org/Security/Referrer)), by setting `network.http.referer.XOriginPolicy` value to 2 in `about:config`. Initially, I figured this would break many websites. But to my surprise, I have yet to encounter any issue; well, *except* for AliExpress.
@ -36,7 +36,7 @@ From the Network inspection (`Ctrl + Shift + E`), `https://passport.aliexpress.c
## My Orders
**Edit:** This step alone doesn't work anymore, requires resetting referer policy. See [next section](#Reset-referer-policy).
**Edit:** This step alone doesn't work anymore, requires resetting referer policy. See [next section](#reset-referer-policy).
To use the old login page, mouse-over on the **Account** link at the top right corner and click on **My Orders**. It should redirects to `https://login.aliexpress.com/...`
@ -70,4 +70,4 @@ That's how the whitelist works on the extension; you add the domain of the ifram
## Direct link
If none of the above work, the last resort is to use the direct link https://login.aliexpress.com/express/mulSiteLogin.htm
If none of the above work, the last resort is to use the direct link https://login.aliexpress.com/express/mulSiteLogin.htm
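Review bot: the two copies of the direct-link line in this hunk are identical, so the change here is only trailing whitespace or the end-of-file newline; it is harmless, but several files in this 25-file commit carry the same kind of whitespace-only hunk, and keeping them in a separate style commit would make the anchor rename easier to review.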

View File

@ -23,7 +23,7 @@ This post is Part 1 of a series of articles that show you how I set up Caddy, To
## Background
> Skip to [Installation](#Installation) part.
> Skip to [Installation](#installation) part.
I set up this website with JAMstack architecture. Before moving to the current domain, I set four requirements:
@ -204,4 +204,4 @@ Following is my "configuration.nix". I'll show you how to secure NixOS using has
};
}
```
```

View File

@ -397,7 +397,7 @@ _NixOS [defaults](https://nixos.wiki/wiki/Linux_kernel) to the latest LTS kernel
Since my web server has limited disk space, it needs to run [garbage collector](https://nixos.org/nixos/manual/index.html#sec-nix-gc) from time to time.
Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay garbage collection to 01:00 to avoid time conflict. The order doesn't matter, but there should be at least 15 minutes buffer.
Since [unattended upgrade](#unattended-upgrade) is executed on 00:00, I delay garbage collection to 01:00 to avoid time conflict. The order doesn't matter, but there should be at least 15 minutes buffer.
```nix
## Garbage collector

View File

@ -14,7 +14,7 @@ series: true
> 8 Jul 2022: Updated to Caddy 2.5 syntax.
In this segment, I show you how I set up this website (mdleom.com) to reverse proxy to curben.netlify.app using Caddy on NixOS (see above diagram). If you're not using NixOS, simply skip to the [Caddyfile](#Caddyfile) section.
In this segment, I show you how I set up this website (mdleom.com) to reverse proxy to curben.netlify.app using Caddy on NixOS (see above diagram). If you're not using NixOS, simply skip to the [Caddyfile](#caddyfile) section.
This post is Part 2 of a series of articles that show you how I set up Caddy and Tor hidden service on NixOS:
@ -59,7 +59,7 @@ caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use
## caddyProxy.nix
I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configuration.nix)" section later in this guide.
I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide.
``` nix /etc/caddy/caddyProxy.nix
{ config, lib, pkgs, ... }:
@ -182,7 +182,7 @@ Move the files to home folder of "caddyProxy" user, which is "/var/lib/caddyProx
# chmod 600 /var/lib/caddyProxy/*
```
If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should have `caddyProxy` user and group before executing chown and chmod. If you haven't, check out [this section](/blog/2020/03/04/caddy-nixos-part-2/#Run-each-service-as-different-user) of Part 2.
If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should have `caddyProxy` user and group before executing chown and chmod. If you haven't, check out [this section](/blog/2020/03/04/caddy-nixos-part-2/#run-each-service-as-different-user) of Part 2.
### Initial setup
@ -617,7 +617,7 @@ mdleom.com:4430 www.mdleom.com:4430 {
## configuration.nix
One last thing to do is to import "[caddyProxy.nix](#caddyProxy.nix)" and enable `services.caddyProxy`.
One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`.
``` nix /etc/nixos/configuration.nix
require = [ /etc/caddy/caddyProxy.nix ];

View File

@ -8,7 +8,7 @@ tags:
- nixos
---
> [Previous method](#Custom-package) no longer works on 22.11. Refer to [xcaddy](#xcaddy) section instead.
> [Previous method](#custom-package) no longer works on 22.11. Refer to [xcaddy](#xcaddy) section instead.
Caddy, like any other web servers, is extensible through plugins. Plugin is usually installed using [xcaddy](https://github.com/caddyserver/xcaddy); using it is as easy as `$ xcaddy build --with github.com/caddyserver/ntlm-transport` to build the latest caddy binary with [ntlm-transport](https://github.com/caddyserver/ntlm-transport) plugin.
@ -173,4 +173,4 @@ If you prefer to specify a version, modify the following lines:
${xcaddy}/bin/xcaddy build "v${version}" ${pluginArgs}
```
To install the above package, use the same config shown in the [Install custom package](#Install-custom-package) but remove the `vendorSha256` line. Remember to `nixos-rebuild` again.
To install the above package, use the same config shown in the [Install custom package](#install-custom-package) but remove the `vendorSha256` line. Remember to `nixos-rebuild` again.

View File

@ -13,7 +13,7 @@ Caddy v0.9.4+ and v1.0.0+ support pre-compressed gzip and brotli files automatic
## Default usage
This configuration supports URL normalisation; when a URL has a trailing slash `http://localhost:8080/about/`, Caddy will serve `http://localhost:8080/about/index.html` using _internal/transparent_ redirect (without 301/302 redirect). If you need to internal redirect `http://localhost:8080/bio` to `http://localhost:8080/bio.html`, refer to the [next section](#Pretty-URLs).
This configuration supports URL normalisation; when a URL has a trailing slash `http://localhost:8080/about/`, Caddy will serve `http://localhost:8080/about/index.html` using _internal/transparent_ redirect (without 301/302 redirect). If you need to internal redirect `http://localhost:8080/bio` to `http://localhost:8080/bio.html`, refer to the [next section](#pretty-urls).
``` plain Caddyfile
http://localhost:8080 {

View File

@ -11,7 +11,7 @@ tags:
HTTP Strict Transport Security ([HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)) preload is used to instruct browsers to always use HTTPS for your website. Browsers will initiate and connect to any site in the preloaded HSTS list through HTTPS only. The list is currently maintained by [Chromium](https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json) (GitHub mirror [link](https://github.com/chromium/chromium/raw/master/net/http/transport_security_state_static.json)) and the list is utilised by all [supported](https://caniuse.com/stricttransportsecurity) browsers. Eligible website can request to be included at [hstspreload.org](https://hstspreload.org/). In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:
1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the **same host**, if you are listening on port 80. (see [next section](#Redirect))
2. Redirect from HTTP to HTTPS on the **same host**, if you are listening on port 80. (see [next section](#redirect))
3. Serve all subdomains over HTTPS.
1. In particular, you must support HTTPS for the **www** subdomain if a DNS record for that subdomain exists.
4. Serve an HSTS header on the base domain for HTTPS requests:
@ -72,7 +72,7 @@ This website is now included in the Chromium's preload list after I submitted a
```
$ curl -L https://github.com/chromium/chromium/raw/master/net/http/transport_security_state_static.json -o hsts-chromium.json
$ grep mdleom.com hsts-chromium.json
$ grep mdleom.com hsts-chromium.json
{ "name": "mdleom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
```

View File

@ -6,7 +6,7 @@ tags:
- cloudflare
---
In this guide, I'll show you how to enable html caching. Since I started using Cloudflare eight months ago, I always make sure [caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) is configured correctly so that most of the content are served from CDN, which is much faster than serving content from my origin server. This is in addition to the fact that this website is a static site, so _all_ content are cacheable. I configured caching in [Netlify](https://gitlab.com/curben/blog/-/blob/master/source/_headers), [Caddy](/blog/2020/03/14/caddy-nixos-part-3/#Cache-Control) and [Cloudflare](https://support.cloudflare.com/hc/en-us/articles/200168276-Understanding-Browser-Cache-TTL). However, every time I check the analytics (Analytics -> Performance), it only showed 1% of content is served from cache.
In this guide, I'll show you how to enable html caching. Since I started using Cloudflare eight months ago, I always make sure [caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) is configured correctly so that most of the content are served from CDN, which is much faster than serving content from my origin server. This is in addition to the fact that this website is a static site, so _all_ content are cacheable. I configured caching in [Netlify](https://gitlab.com/curben/blog/-/blob/master/source/_headers), [Caddy](/blog/2020/03/14/caddy-nixos-part-3/#cache-control) and [Cloudflare](https://support.cloudflare.com/hc/en-us/articles/200168276-Understanding-Browser-Cache-TTL). However, every time I check the analytics (Analytics -> Performance), it only showed 1% of content is served from cache.
![1% bandwidth saved](20201121/cf-before.png)

View File

@ -8,7 +8,7 @@ tags:
Control+Alt+S shortcut is used for toggling shaded state in MATE desktop environment. Once toggled, a window's content is hidden except for the title bar. It's useful for peeking at the content behind a window. I personally never use it as I usually just Alt+Tab or place two windows side by side. I prefer to disable it so I can use the 'Save As' shortcut in Notepad++.
There are two methods of disabling the shortcut. Use the [second](#Method-2) method if Compiz is enabled with CCSM (CompizConfig Settings Manager).
There are two methods of disabling the shortcut. Use the [second](#method-2) method if Compiz is enabled with CCSM (CompizConfig Settings Manager).
## Method 1

View File

@ -7,7 +7,7 @@ tags:
- web
---
> Skip to [solution](#Block-cookie).
> Skip to [solution](#block-cookie).
Whenever I try to open an Engadget article, it will automatically redirect me to `guce.advertising.com/...` which is (thankfully) blocked by uBO.
@ -42,4 +42,4 @@ Firefox can block cookie by website. To block Engadget from setting a cookie, in
That's it. If you want to know what is the purpose of `guce.advertising.com`, read on.
The previous owner of Engadget, AOL Inc was acquired by Verizon Media (previously known as Oath Inc) in May 2015. With Yahoo! and other media companies as part of its portfolio, Verizon Media can track readers across those websites. One way to do it is through cookie. So, `guce.advertising.com` is essentially a [cookie consent form](https://archive.fo/ik3Pu) (page archived using [archive.today](https://archive.fo/)).
The previous owner of Engadget, AOL Inc was acquired by Verizon Media (previously known as Oath Inc) in May 2015. With Yahoo! and other media companies as part of its portfolio, Verizon Media can track readers across those websites. One way to do it is through cookie. So, `guce.advertising.com` is essentially a [cookie consent form](https://archive.fo/ik3Pu) (page archived using [archive.today](https://archive.fo/)).

View File

@ -12,7 +12,7 @@ Running more than one Firefox instance allows you to use multiple cookies for a
For example, you are looking for item A and B at a shopping website using the private window but you prefer to keep the browsing separate as not to let the website knows that you are browsing both of them. Or you want to login to more than two accounts of a website.
**Edit:** Similar functionality can be achieved by using [Multi-Account Containers](#Multi-Account-Containers).
**Edit:** Similar functionality can be achieved by using [Multi-Account Containers](#multi-account-containers).
A useful feature of Firefox is that it allows more than one profile, which otherwise would requires multiple operating system accounts. The feature even allows you to run multiple profiles at the same time by having multiple instances.

View File

@ -148,7 +148,7 @@ On your GitLab repository, navigate to **Settings** -> **CI / CD** -> **Variable
![CI variable](20200421/ci-variable.png)
Add another Var variable named `SSH_KNOWN_HOSTS` and the output of `ssh-keyscan github.com 2>&1 | grep -vE '^#'`. I explained the necessity of this step in [previous section](#Add-GitLab-and-Github-as-trusted-hosts).
Add another Var variable named `SSH_KNOWN_HOSTS` and the output of `ssh-keyscan github.com 2>&1 | grep -vE '^#'`. I explained the necessity of this step in [previous section](#add-gitLab-and-github-as-trusted-hosts).
Add a new job named `mirror` in your repository's **.gitlab-ci.yml**. Optionally, you could move _Import SSH key_ step to `before_script` if preferred, it does not make any practical difference. However, if you want to use _Update GitHub mirror_ step in `after_script`, _Import SSH key_ has to be moved there as well--`before_script` and `script` are executed in the same shell, while `after_script` is executed in a [_different_ shell](https://docs.gitlab.com/ee/ci/yaml/#before_script-and-after_script).
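Review bot: the rewritten anchor `#add-gitLab-and-github-as-trusted-hosts` keeps an uppercase `L` in `gitLab`, which contradicts the lowercase rule stated in the commit message and will not match a GFM-style id generated from the heading; change it to `#add-gitlab-and-github-as-trusted-hosts`.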
@ -195,4 +195,3 @@ mirror:
- if: '$CI_COMMIT_REF_NAME == "master" && $CI_PIPELINE_SOURCE == "web"'
when: always
```

View File

@ -11,7 +11,7 @@ tags:
## Intro
> Skip to the [list](#List).
> Skip to the [list](#list).
Alpine Linux is known for its minimal size. The '[mini root filesystem](https://www.alpinelinux.org/downloads/)' flavour is only 2MB. This size makes it suitable as a Docker image, so CI job can start running script sooner instead of downloading larger image like Ubuntu.

View File

@ -44,7 +44,7 @@ deploy:
local-dir: public
```
10. You can start writing a new post straightaway without [installing](#Installation) Hexo. You still need to change the blog's name and favicon though ([how-to](#naming)).
10. You can start writing a new post straightaway without [installing](#installation) Hexo. You still need to change the blog's name and favicon though ([how-to](#naming)).
1. To create a new post (through [GitHub.com](https://help.github.com/en/articles/creating-new-files)), create a new `<post-title>.md` file in `source/_posts` folder.
2. Start with the following header/[front-matter](https://hexo.io/docs/front-matter):
@ -65,7 +65,7 @@ deploy:
1. Having Hexo means you can debug locally, rather than waiting for [Travis](https://travis-ci.com/). You can even run a local server to preview your blog (see step 6 below).
2. Clone your repo to your workstation.
3. Install Node.js and Hexo using the [official guide](https://hexo.io/docs/).
4. Create a [new post](#Writing). Then generate static files to check for any error. You should always do this before pushing/merging commits to the `master` branch.
4. Create a [new post](#writing). Then generate static files to check for any error. You should always do this before pushing/merging commits to the `master` branch.
```bash
$ hexo generate
@ -85,7 +85,7 @@ $ git commit -a -m 'Commit Message'
$ git push -u
```
7. Check the build status by going to your project in [Travis](https://travis-ci.com/). Due to a limitation of `hexo`, the build will always pass even when there is error. Check the Jobs log, look for any error after `$ hexo deploy`.
7. Check the build status by going to your project in [Travis](https://travis-ci.com/). Due to a limitation of `hexo`, the build will always pass even when there is error. Check the Jobs log, look for any error after `$ hexo deploy`.
8. If there is no error, the generated website can be accessed on <b>*username*.github.io</b>
## Writing
@ -129,8 +129,8 @@ author:
menu:
GitHub: <your-github-project-link>
# Customize /about page
nickname:
description:
nickname:
description:
```
### Favicon

View File

@ -19,7 +19,7 @@ Create a website/blog using Hexo on [GitLab Pages](https://about.gitlab.com/feat
3. Shared Runners should be enabled. Go to your (forked) project `Settings -> CI / CD -> Shared Runners`.
4. Change project website to a user website. This is so that the website's home page is <b>*username*.gitlab.io</b>, instead of username.gitlab.io/hexo.
Go to `Settings -> General -> Advanced -> Change path`. Change the value to <b>*username*.gitlab.io</b>, where username is your username on GitLab.
5. You can start writing a new post straight away without [installing](#Installation) Hexo. You still need to change the blog's name and favicon though ([how-to](#Naming)).
5. You can start writing a new post straight away without [installing](#installation) Hexo. You still need to change the blog's name and favicon though ([how-to](#naming)).
1. To create a new post (through GitLab.com), create a new `<post-title>.md` file in `source/_posts` folder.
2. Start with the following header/[front-matter](https://hexo.io/docs/front-matter):
@ -40,7 +40,7 @@ Create a website/blog using Hexo on [GitLab Pages](https://about.gitlab.com/feat
1. Having Hexo means you can debug locally, rather than waiting for [CI](https://docs.gitlab.com/ee/ci/). You can even run a local server to preview your blog (see step 6 below).
2. Clone your repo to your workstation.
3. Install Node.js and Hexo using the [official guide](https://hexo.io/docs/).
4. Create a [new post](#Writing). Then generate static files to check for any error. You should always do this before pushing/merging commits to the `master` branch.
4. Create a [new post](#writing). Then generate static files to check for any error. You should always do this before pushing/merging commits to the `master` branch.
```
$ hexo generate
@ -67,7 +67,7 @@ $ git push -u
3. The config now has two parts. To use in gitlab page, simply uncomment the second part and comment out the first part.
4. Make sure you {% post_link validity-gitlab-ci-config 'double-check' %} the CI config before you push.
8. Check the build status by going to your project `CI /CD -> Pipelines`. Due to the limitation of `hexo`, the build will always pass even when there is error. Check the Jobs log, look for any error after `$ hexo deploy`.
8. Check the build status by going to your project `CI /CD -> Pipelines`. Due to the limitation of `hexo`, the build will always pass even when there is error. Check the Jobs log, look for any error after `$ hexo deploy`.
9. If there is no error, the generated website can be accessed on `<your-username>.gitlab.io/` or the link shown on your project `Settings -> Pages`.
## Writing
@ -109,8 +109,8 @@ Change the theme's setting:
menu:
GitLab: <your-gitlab-project-link>
# Customize /about page
nickname:
description:
nickname:
description:
```
### Favicon
@ -131,7 +131,7 @@ If you prefer to have a project page on GitLab:
1. Commit and push.
### Remove fork relationship
If you don't have any plan to send merge requests to the upstream, you can remove fork relationship permanently by going to `Settings -> General -> Advanced -> Remove fork relationship`.
If you don't have any plan to send merge requests to the upstream, you can remove fork relationship permanently by going to `Settings -> General -> Advanced -> Remove fork relationship`.
## Useful links:
Configuration files for this blog deployment:

View File

@ -33,9 +33,9 @@ Stop included games like Candy Crush and Minecraft to reappear after you remove
## Uninstall all preinstalled apps
This is the easiest method to remove all preinstalled apps. Note: this will remove **ALL** apps listed at the next [section](#Uninstall-specific-preinstalled-app).
This is the easiest method to remove all preinstalled apps. Note: this will remove **ALL** apps listed at the next [section](#uninstall-specific-preinstalled-app).
1. Launch PowerShell as administrator (right click `Run as administrator`).
1.1. Windows 10 Home user might not have it, install [here](https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell-core-on-windows?view=powershell-6).
1.1. Windows 10 Home user might not have it, install [here](https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell-core-on-windows?view=powershell-6).
2. Run the following command:
```
Get-AppxPackage -AllUsers | Remove-AppxPackage
@ -95,7 +95,7 @@ Your Phone | yourphone
## Prevent removed default apps from returning during an update
1. No, you are not done yet. Those removed apps can return during an update.
2. To make sure they stay removed, create a registry `.reg` file ([how-to](#Windows-10-Home)). Remove any entry to keep the app.
2. To make sure they stay removed, create a registry `.reg` file ([how-to](#windows-10-home)). Remove any entry to keep the app.
```
Windows Registry Editor Version 5.00
;1709 Registry Keys
@ -187,8 +187,7 @@ On a side note, version 1809 (October 2018 Update) is able to uninstall:
- Tips
- Weather
**Update (*01/03/2019*):** Windows 10 version 1809 (released in October 2018) includes Your Phone app. [Instruction](#Uninstall-specific-preinstalled-app) has been updated.
**Update (*01/03/2019*):** Windows 10 version 1809 (released in October 2018) includes Your Phone app. [Instruction](#uninstall-specific-preinstalled-app) has been updated.
Source: [1](https://www.howtogeek.com/224798/how-to-uninstall-windows-10s-built-in-apps-and-how-to-reinstall-them/), [2](https://www.addictivetips.com/windows-tips/remove-default-windows-10-apps-using-powershell/), [3](https://docs.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update), [4](https://docs.microsoft.com/en-gb/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)

View File

@ -74,7 +74,7 @@ To join the I2P network, I'm using [i2pd](https://i2pd.website/), an (unofficial
* There is no need to grant CAP_NET_BIND_SERVICE capability nor open port 80.
5. `address` is location of your server where the Eepsite is hosted. For most use cases, set it to the loopback **127.0.0.1** (default). In my case, it is the IPv6 loopback "::1".
6. `destination` is the location of your website where Eeepsite will forward the request to. It can be a loopback (if website and Eepsite are hosted within the same server), an IP address, a domain or even another eepsite.
* You can even set your domain here and skip the rest of the sections. However, this can double the latency, especially if the website is behind a CDN. For separation of privilege, it is recommended to have a web server that is dedicated for Eepsite only. The [next section](#caddyI2p.nix) shows how to set up the web server.
* You can even set your domain here and skip the rest of the sections. However, this can double the latency, especially if the website is behind a CDN. For separation of privilege, it is recommended to have a web server that is dedicated for Eepsite only. The [next section](#caddyi2pnix) shows how to set up the web server.
7. `port` is the port number that your web server listens to.
8. `enableIPv4` and `enableIPv6` are optional. I enable both.
9. (Optional) If your website is not behind a CDN, meaning the server's IP address is publicly known (in DNS A/AAAA record), I recommend setting both `inbound.length` and `outbound.length` to 1 (from the default 3). This can significantly decrease the latency of your Eepsite by reducing the hops. This [diagram](https://geti2p.net/en/faq#slow) illustrates the effect of hops.
@ -113,7 +113,7 @@ $ head -c 391 <name>-keys.dat | sha256sum | cut -f1 -d\ | xxd -r -p | base64 |
## caddyI2p.nix
I set up another Caddy-powered reverse proxy which is separate from the {% post_link caddy-nixos-part-3 "mdleom.com's" %}. It's similar to [caddyTor.nix](/blog/2020/03/16/tor-hidden-onion-nixos/#caddyTor.nix) (which in turn is based on [caddyProxy.nix](/blog/2020/03/14/caddy-nix-part-3/#caddyProxy.nix)), except I replace "caddyTor" with "caddyI2p". This Nix file exposes `services.caddyI2p` so that I can enable the I2p-dedicated Caddy service from "configuration.nix".
I set up another Caddy-powered reverse proxy which is separate from the {% post_link caddy-nixos-part-3 "mdleom.com's" %}. It's similar to [caddyTor.nix](/blog/2020/03/16/tor-hidden-onion-nixos/#caddytornix) (which in turn is based on [caddyProxy.nix](/blog/2020/03/14/caddy-nix-part-3/#caddyproxynix)), except I replace "caddyTor" with "caddyI2p". This Nix file exposes `services.caddyI2p` so that I can enable the I2p-dedicated Caddy service from "configuration.nix".
``` plain /etc/caddy/caddyI2p.nix
{ config, lib, pkgs, ... }:
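Review bot: both versions of the caddyProxy.nix link use the path `/blog/2020/03/14/caddy-nix-part-3/`, while the Cloudflare caching post in this same commit links the same article as `/blog/2020/03/14/caddy-nixos-part-3/`; since the line is being touched anyway, fix the path here and in the caddyTor.conf and Complete-Caddyfile links later in this file, otherwise the newly lowercased fragments point at a 404 rather than at the section.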
@ -227,9 +227,9 @@ http://ggucqf2jmtfxcw7us5sts3x7u2qljseocfzlhzebfpihkyvhcqfa.b32.i2p:8081 http://
}
```
Update the B32 address as per the value derived from the [previous section](#B32-address). `mdleom.i2p` is my I2P domain that I registered with a jump service as a shortcut to my B32 address (see [next section](#Register-domain-i2p) for guide). HTTPS is disabled by specifying `http://` prefix, HTTPS is not applicable since Eepsite already encrypts the traffic. No CA is going to validate your .i2p anyway. `strict-transport-security` (HSTS) needs to be removed to prevent the browser from attempting to connect to HTTPS. It binds to IPv6 loopback so it only listens to localhost, use `bind 127.0.0.1 ::1` if you need IPv4.
Update the B32 address as per the value derived from the [previous section](#b32-address). `mdleom.i2p` is my I2P domain that I registered with a jump service as a shortcut to my B32 address (see [next section](#register-domaini2p) for guide). HTTPS is disabled by specifying `http://` prefix, HTTPS is not applicable since Eepsite already encrypts the traffic. No CA is going to validate your .i2p anyway. `strict-transport-security` (HSTS) needs to be removed to prevent the browser from attempting to connect to HTTPS. It binds to IPv6 loopback so it only listens to localhost, use `bind 127.0.0.1 ::1` if you need IPv4.
The rest are similar to "[caddyTor.conf](/blog/2020/03/16/tor-hidden-onion-nixos/#caddyTor.conf)" and "[caddyProxy.conf](/blog/2020/03/14/caddy-nix-part-3/#Complete-Caddyfile)". Content of "common.conf" is available at [this section](/blog/2020/03/14/caddy-nix-part-3/#Complete-Caddyfile).
The rest are similar to "[caddyTor.conf](/blog/2020/03/16/tor-hidden-onion-nixos/#caddytorconf)" and "[caddyProxy.conf](/blog/2020/03/14/caddy-nix-part-3/#complete-caddyfile)". Content of "common.conf" is available at [this section](/blog/2020/03/14/caddy-nix-part-3/#complete-caddyfile).
``` plain /etc/caddy/caddyI2p.conf
import common.conf
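Review bot: `#Register-domain-i2p` becomes `#register-domaini2p`, which drops the hyphen before `i2p` instead of only lowercasing; that is the right id only if the heading text is `domain.i2p` with a dot that the new slugize strips, so check the heading of the register-domain section before merging.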

View File

@ -74,7 +74,7 @@ TIME_FORMAT = %s
# MAX_DAYS_AGO = 3560
```
The directive name should be the **sourcetype** value specified in the [inputs.conf](#App-specific-inputs-conf). The following configs apply to the universal forwarder is because [`INDEXED_EXTRACTIONS`](https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata#Field_extraction_settings_for_forwarded_structured_data_must_be_configured_on_the_forwarder) is used.
The directive name should be the **sourcetype** value specified in the [inputs.conf](#uf-inputsconf). The following configs apply to the universal forwarder is because [`INDEXED_EXTRACTIONS`](https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata#Field_extraction_settings_for_forwarded_structured_data_must_be_configured_on_the_forwarder) is used.
- LINE_BREAKER: Search for string that matches the regex and replace only the capturing group with newline (\n). This is to separate each event into separate line.
- `}(,){\"datetime\"` searches for `},{"datetime"` and replaces "," with "\n".
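Review bot: this hunk retargets the link from `#App-specific-inputs-conf` to `#uf-inputsconf`, which is a different heading rather than a case or punctuation change (the lowercased, dot-stripped form of the old anchor would be `#app-specific-inputsconf`), and the commit message only describes lowercasing and dot removal; confirm that a heading slugging to `uf-inputsconf` exists in this post and mention the retarget in the commit message.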

View File

@ -9,7 +9,7 @@ tags:
- oci
---
> Skip to [first step](#Build-a-kexec-tarball)
> Skip to [first step](#build-a-kexec-tarball)
A few weeks ago, there was an active discussion on [HN](http://news.ycombinator.com/item?id=26239711) about the [Free For Dev](https://free-for.dev/) page which compile a list of free tier (or at least free _trial_) resources that are useful for developers. The page mentioned Oracle Cloud provides two _always free_ VMs ([specification](https://docs.oracle.com/en-us/iaas/Content/FreeTier/resourceref.htm#ariaid-title2)), whereas big three only offer one VM for a year. While I knew about this offering for a while, but I've always been sceptical about it.
@ -205,7 +205,7 @@ ssh root@somehost
## Installation
This installation is slightly different from the [usual steps](/blog/2020/02/23/caddy-nixos-part-1/#Installation).
This installation is slightly different from the [usual steps](/blog/2020/02/23/caddy-nixos-part-1/#installation).
### Partition
@ -242,7 +242,7 @@ Type: uefi
# Verify
Command: p
Disk /dev/sda: 46.58 GiB, 50010783744 bytes, 97677312 sectors
Disk model: BlockVolume
Disk model: BlockVolume
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 1048576 bytes

View File

@ -11,9 +11,9 @@ tags:
---
## Intro
> Click [here](#Installation) to go straight to installation guide.
> Click [here](#installation) to go straight to installation guide.
Node.js is infamous for the [left-pad](https://medium.com/commitlog/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068) [controversy](https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm), removing just a single package can break many websites.
Node.js is infamous for the [left-pad](https://medium.com/commitlog/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068) [controversy](https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm), removing just a single package can break many websites.
The package dependency can also cause security issue ([example 1](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes), [example 2](https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies), [example 3](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)).
@ -37,10 +37,10 @@ So, you fork, fix it and republish with a new name. Cool. Here comes the fun par
Practically, you can use Snyk to patch it, *if* possible like this [hexo-all-minifier](https://snyk.io/test/npm/hexo-all-minifier). Snyk is [free](https://snyk.io/plans) for open-source projects. Much like any other security products, Snyk is not a silver bullet to the NodeJS issue. Some like [hexo-fs](https://snyk.io/test/npm/hexo-fs) can't be fixed (at the time of writing).
1. [Sign up](https://app.snyk.io/signup) for a new Snyk account.
2. Snyk only supports [SSO](https://en.wikipedia.org/wiki/Single_sign-on), no e-mail sign up. You need to have GitHub, Bitbucket, or Google account. It can be a separate account from your current GitHub account. Linking your current GitHub repo to Snyk is *optional*.
2. Snyk only supports [SSO](https://en.wikipedia.org/wiki/Single_sign-on), no e-mail sign up. You need to have GitHub, Bitbucket, or Google account. It can be a separate account from your current GitHub account. Linking your current GitHub repo to Snyk is *optional*.
3. Once you signed up, go to your account setting, grab the API token and save it in your password manager (or somewhere safe).
![Snyk API token](20181001/snyk-api.png)
4. Install Snyk,
4. Install Snyk,
```bash
$ npm install snyk
# Add 'node_modules/.bin' to $PATH, if you haven't done so. Check ~/.profile before running the following command.
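Review bot: the rewrites of item 2 and of `4. Install Snyk,` look identical in the rendered diff, so they are most likely trailing-whitespace removals; in Markdown two trailing spaces are a hard line break, so stripping them after `Install Snyk,` can change how that list item joins with the fenced `bash` block that follows. Confirm the rendered list still shows the code block inside item 4, and keep incidental whitespace changes separate from the anchor rename.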

View File

@ -189,7 +189,7 @@ index=proxy [| inputlookup urlhaus-filter-splunk-online.csv | fields host, path
### Matching individual and multiple fields
A lookup file may have rows with empty `path` to denote a `domain` should be blocked regardless of paths, while also having rows with both `domain` and `path` to denote a specific URL should be blocked instead. The syntax is the same as what was shown in the [previous section](#Matching-multiple-fields) because Splunk will only match **non-empty** values, empty values will be ignored instead.
A lookup file may have rows with empty `path` to denote a `domain` should be blocked regardless of paths, while also having rows with both `domain` and `path` to denote a specific URL should be blocked instead. The syntax is the same as what was shown in the [previous section](#matching-multiple-fields) because Splunk will only match **non-empty** values, empty values will be ignored instead.
```spl
index=proxy

View File

@ -93,7 +93,7 @@ Navigate to **Access** -> **Tunnels**
**Route tunnel** tab,
- Public hostname: test.yourdomain.com
- This is the application domain in the [Add an application](#Add-an-application) step.
- This is the application domain in the [Add an application](#add-an-application) step.
- Service
- SSH type: URL = localhost:22
- Replace 22 with the custom SSH port you are going to use.
@ -202,9 +202,9 @@ Save the output to `$HOME/.ssh/config`.
Now, the moment of truth.
`ssh loremipsum@test.yourdomain.com` (replace the username with the one you created in [Create a test user](#Create-a-test-user) step.)
`ssh loremipsum@test.yourdomain.com` (replace the username with the one you created in [Create a test user](#create-a-test-user) step.)
The terminal should launch a website to _team-name_.cloudflareaccess.com. Enter the email you configured in [Add an application](#Add-an-application) step and then enter the received 6-digit PIN.
The terminal should launch a website to _team-name_.cloudflareaccess.com. Enter the email you configured in [Add an application](#add-an-application) step and then enter the received 6-digit PIN.
Back to the terminal, wait for at least 5 seconds and you should see the usual SSH authentication.
@ -212,7 +212,7 @@ Back to the terminal, wait for at least 5 seconds and you should see the usual S
## Browser-based shell
As a bonus, head to test.yourdomain.com (see [Add an application](#Add-an-application) step) which will redirect you to a login page just the previous step. After login with a 6-digit PIN, you shall see a browser-based shell.
As a bonus, head to test.yourdomain.com (see [Add an application](#add-an-application) step) which will redirect you to a login page just the previous step. After login with a 6-digit PIN, you shall see a browser-based shell.
## Usage monitoring

View File

@ -68,7 +68,7 @@ The first step is to bring up a Tor hidden service to get an onion address. Add
* There is no need to grant CAP_NET_BIND_SERVICE capability nor open port 80. Tor has NAT traversal capability and can function without opening any inbound port.
* Add port 443 if your onion service is also available in HTTPS; I wrote {% post_link ecdsa-tls-tor-caddy 'a guide' %} on purchasing a .onion SSL certificate and the subsequent configuration.
5. `toHost` is location of your web server. In my case, it is the IPv6 loopback **[::1]**. If your server supports IPv4 (mine doesn't), you can set it to "127.0.0.1" or "localhost". If it's an IPv6 address, you need to wrap the address with square brackets **[]**.
* You can even set your domain here and skip the rest of the sections. However, this can double the latency, especially if the website is behind a CDN. Tor recommends to have a separate web server that is dedicated for Tor hidden service only. The [next section](#caddyTor.nix) shows how to set up the web server.
* You can even set your domain here and skip the rest of the sections. However, this can double the latency, especially if the website is behind a CDN. Tor recommends to have a separate web server that is dedicated for Tor hidden service only. The [next section](#caddytornix) shows how to set up the web server.
6. `toPort` is the port number that your web server listens to.
7. `extraConfig` is optional. The options I use here are only applicable if the server is IPv6 only.
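Review bot: `#caddytornix` is not what plain `slugize` produces for the heading `caddyTor.nix` (that would keep the dot), so this link is only valid together with the dot-stripping change to `anchorId` in the renderer script in this same commit; if that script is ever reverted or the site is built without it, this and the other `*.nix` anchors break silently. A build-time link check that verifies every `#fragment` against the generated heading ids would make that dependency visible.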
@ -82,7 +82,7 @@ Run `# nixos-rebuild switch` and three important files will be generated in the
## caddyTor.nix
I set up another Caddy-powered reverse proxy which is separate from the {% post_link caddy-nixos-part-3 "mdleom.com's" %}. It's similar to [caddyProxy.nix](/blog/2020/03/14/caddy-nix-part-3/#caddyProxy.nix), except I replace "caddyProxy" with "caddyTor". This Nix file exposes `services.caddyTor` so that I can enable the Tor-related Caddy service from "configuration.nix".
I set up another Caddy-powered reverse proxy which is separate from the {% post_link caddy-nixos-part-3 "mdleom.com's" %}. It's similar to [caddyProxy.nix](/blog/2020/03/14/caddy-nix-part-3/#caddyproxynix), except I replace "caddyProxy" with "caddyTor". This Nix file exposes `services.caddyTor` so that I can enable the Tor-related Caddy service from "configuration.nix".
``` nix /etc/caddy/CaddyTor.nix
{ config, lib, pkgs, ... }:
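Review bot: on the changed line the absolute path `/blog/2020/03/14/caddy-nix-part-3/#caddyproxynix` names the post `caddy-nix-part-3`, while the `post_link` tag on the same line refers to `caddy-nixos-part-3`, and the part-1 link elsewhere in this commit uses `caddy-nixos-part-1`; one of the two slugs is probably wrong, and since the line is being touched anyway this is the moment to confirm which path actually resolves.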
@ -204,9 +204,9 @@ http://xw226dvxac7jzcpsf4xb64r4epr6o5hgn46dxlqk7gnjptakik6xnzqd.onion:8080 {
}
```
Update the onion address to the value shown in "[/var/lib/tor/onion/myOnion/hostname](#configuration.nix)". HTTPS is disabled by specifying `http://` prefix, HTTPS is not necessary as Tor hidden service already encrypts the traffic. Let's Encrypt doesn't support validating a .onion address. The only way is to purchase the cert from [Digicert](https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert/). Since HTTPS is not enabled, `strict-transport-security` (HSTS) no longer applies and the header needs to be removed to prevent the browser from attempting to connect to `https://`. It binds to IPv6 loopback so it only listens to localhost, specify `bind 127.0.0.1 ::1` if you need IPv4.
Update the onion address to the value shown in "/var/lib/tor/onion/myOnion/hostname". HTTPS is disabled by specifying `http://` prefix, HTTPS is not necessary as Tor hidden service already encrypts the traffic. Let's Encrypt doesn't support validating a .onion address. The only way is to purchase the cert from [Digicert](https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert/). Since HTTPS is not enabled, `strict-transport-security` (HSTS) no longer applies and the header needs to be removed to prevent the browser from attempting to connect to `https://`. It binds to IPv6 loopback so it only listens to localhost, specify `bind 127.0.0.1 ::1` if you need IPv4.
The rest are similar to "[caddyProxy.conf](blog/2020/03/14/caddy-nix-part-3/#Complete-Caddyfile)". Content of "common.conf" is available at [this section](/blog/2020/03/14/caddy-nix-part-3/#Complete-Caddyfile).
The rest are similar to "[caddyProxy.conf](blog/2020/03/14/caddy-nix-part-3/#complete-caddyfile)". Content of "common.conf" is available at [this section](/blog/2020/03/14/caddy-nix-part-3/#complete-caddyfile).
``` Caddyfile /etc/caddy/caddyTor.conf
import common.conf

View File

@ -9,7 +9,7 @@
const { slugize, stripHTML, unescapeHTML: unescape } = require('hexo-util')
const anchorId = (str, transformOption) => {
return slugize(stripHTML(unescape(str)).trim(), { transform: transformOption })
return slugize(stripHTML(unescape(str.replace('.', ''))).trim(), { transform: transformOption })
}
hexo.extend.filter.register('marked:renderer', function (renderer) {
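Review bot: `str.replace('.', '')` with a string pattern removes only the first dot, so a heading containing more than one dot (for example a file name with two extensions) still keeps a dot in its id and diverges from the GFM/VS Code slug this commit aims for; use `str.replace(/\./g, '')` or `str.replaceAll('.', '')`. GFM's algorithm also strips other punctuation (commas, parentheses, colons and so on), so headings containing those characters will still disagree with the editor preview; if the goal is full GFM compatibility, strip the whole punctuation class rather than dots alone, and add a short comment above `anchorId` stating which slug rule it implements so the next reader does not have to infer it from the commit title.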