Notes by the day

2022-12-22

• To ignore audio from other applications when streaming with OBS you can create a virtual sink in pulse audio, set the applications you want to broadcast to output to that virtual sink, then use that sink as an audio source.

pacmd list-sinks

# revised: module-virtual-sink -> module-remap-sink
pacmd load-module module-remap-sink #master=<index or name of sink to filter>

2022-05-22

• The new Cloudflare Wrangler 2.0 removed the ability to eject their webpack config to add custom loaders for dynamic file importing thus ruining my entire day.

2022-05-21

• docker contexts can be used to deploy to other hosts instead of pushing to a registry, saving/loading, or copying the files and building on the other host.

$ docker save <image> | ssh user@host "docker load" # old method
$ docker context create <contextName> --docker "host=ssh://user@host"
$ docker context use <contextName>
$ docker compose up -d # no need to copy env files to host

2021-10-15

• git sets the LESS environment variable to FRX if it's unset

2021-08-07

• Spring Security will add CSRF protection to POST/PUT/any non-idempotent HTTP requests and return a 403 error. For web frameworks (e.g. angular) that have built-in CSRF support you need:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
   @Override
      protected void configure(HttpSecurity http) throws Exception {
         http.csrf().csrfTokenRepository(csrfTokenRepository());
      }

   @Bean
      public CsrfTokenRepository csrfTokenRepository() {
         // reads X-XSRF-TOKEN header and sets XSRF-TOKEN cookie
         final CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
         
         // js needs to read the cookie value to set the header
         repository.setCookieHttpOnly(false);
         return repository;
      }
}

2021-02-19

• IDRAC6 JNLP virtual console requires an old JRE (tested with 7u79)

2021-01-08

• JS mnemonic: btoa is Binary string to Base64-encoded ASCII string. Not Base64 to Anything

2020-12-30

• The pipe character can separate vim Ex commands like text wrapping and color column with :set tw=72 | set cc=72
• Added a simple markdown renderer in my cloudflare worker that takes markdown text, submits the content in a form POST or base64 encoded content GET request search parameter, then returns the HTML page rendered by marked.

2020-12-23

• Browsers can prefer dark themes with @media (prefers-color-scheme: dark) and user_pref("ui.systemUsesDarkTheme", 1); in firefox.

2020-12-21

• Cloudflare wrangler has an misleading error message when running wrangler dev that there are No deployments specified! if the CF_ZONE_ID is not exported or zone_id is not set in the wrangler.toml

2020-11-02

• mtr expects ICMP error messages and linux rate limits ICMP messages by IP so multiple instances of mtr from the same host can erroneously report packet loss at a host (e.g. linux gateway).

2020-09-01

• Realtek RTL8125 isn't supported out of the box yet (kernel 5.9?) so I had to install the r8125 driver for networking to work.

2020-08-30

• Switched serverless markdown rendering to cloudflare worker
• Registered a domain on cloudflare so I could point this domain -> cloudflare domain -> .workers.dev. Cloudflare requires that my reverse proxy sets the Host header to the name of the workers.dev domain rather than my registered domain name. I'm already terminating SSL (as you can see) at the load balancer so I need to proxy to port 80.

backend cloudflare
        http-request replace-header Host .* <worker-name>.workers.dev
        server cloudflare-worker <my-domain-name>:80

• Vim :DiffOrig has different capitalization than other diff commands (why?) so if you don't set ignorecase it won't autocomplete with other :diff* ex commands.

2020-08-02

• When you need to manage multiple SSH keys (e.g. some services require passwords and some forbid them) you can create ~/.ssh/config and specify identity files and other service specific options on a host-specific level.

  Host git.sr.ht
     User git
     IdentityFile ~/.ssh/sourcehut_id_rsa
  
  Host github.com
     User git
     IdentityFile ~/.ssh/id_rsa
  

2020-08-01

• Kubeadm iptables rules adds fwmark that may need to be added to wireguard in order to allow packets through

2020-07-26

• My HAProxy config terminates TLS at the load balancer and proxies to my VPS but also proxies via TCP to the on-premise applications over wireguard depending on the host. With only a single public IP address I needed to create something like a TCP-to-HTTP loop

  1. Listen for everything on the TCP frontend
  2. use SNI to check the host
  3. Pass the connection to the on-premise backend or the "virtual" backend
  4. The "virtual" backend passes the connection to a frontend on a different port
  5. The new frontend passes the connection to the VPS on the original port

frontend ericleedev
        bind :443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl host_ericleedev req.ssl_sni -i ericlee.dev
        use_backend tcp-to-http if host_ericleedev
        use_backend site if !host_ericleedev

frontend terminate-ssl
        bind :8443 ssl crt ericlee.dev.pem
        use_backend cloud

backend tcp-to-http
        mode tcp
        server tcp-http 127.0.0.1:8443

backend cloud
        mode http
        server cloud-vps ericlee.dev:443 ssl verify none

backend site
        mode tcp
        server wireguard 10.8.0.3

• In nginx $request_uri exposes the request path to the response context. In HAProxy the equivalent would be to get the path sample in the http-request statement, set it on a variable on the txn scope, then reference the variable in the http-response statement. The available scopes are (proc, sess, txn, req, res) and the variable name needs to be prefixed with the scope.

  http-request set-var(txn.path) path
  http-response set-header X-Path-Example "%[var(txn.path)]"
  

• I figured out sourcehut build secrets. Need to set +x before sourcing the secret variables because of the default build environment

2020-07-25

• I updated this server to deploy through a sourcehut build trigger so there should be less friction between me remembering something and documenting it here.
• I can't figure out how to add secret environment variables on sourcehut without exposing them through VCS or using SSH/GPG. I tried to read file-based secrets and export though in the build script but it still prints them to the build console output which is public for unauthenticated users
• This should be an older note but sourcehut is noticeably faster than any other git hosting provider

2020-07-24

• My nameserver at he.net doesn't have an API to update TXT records for cert renewal but I can use acme.sh DNS alias mode so to delegate to another dummy domain with an API
• the Onion-Location header can be used to advertise your onion service directly to the browser in the URL bar

2020-07-14

• HTTP/2 might suck

2020-07-13

• Newer versions of NodeJS bind the unspecified IPv6 address by default which I keep forgetting about when I'm trying to diagnose why I can't connect to my server

2020-07-07

• Adding an IPv6 address to a wireguard interface with net.ipv6.conf.all.disable_ipv6 = 1 will throw an RTNETLINK answers: Permission denied error and remove the interface regardless of any other successfully added IPv4 addresses
• If the iDRAC web server fails you can restart it through ssh with the same login credentials and racadm sslresetcfg or racadm racreset to reset the entire controller. racadm racresetcfg will reset the controller to factory defaults
• kubeadm reset doesn't delete the $HOME/.kube/config file so even though worker nodes can join the cluster a new x509 cert will be generated you the kubectl get nodes will fail to verify

2020-06-24

• nginx can't mix/match proxy protocol between different server blocks despite some stackoverflow posts and blogs claiming otherwise https://trac.nginx.org/nginx/ticket/886
• Google Cloud Platform MTU is limited to 1460 bytes as opposed to the usual 1500 bytes for ethernet. I run a WireGuard VPN from a compute instance HAProxy reverse proxy to the server hosting this site so I had to reduce the MTU by the wireguard overhead.
• Wireguard needs to set a persistent-keepalive value if the connection is tracked behind a firewall or NAT so it doesn't timeout

2020-06-21

• GitHub content security policy might be exploitable for XSS default-src 'none'; img-src data:; style-src 'unsafe-inline'
• Loading images from firebase hosting is slow for some reason
• SVG image tag can be used to reference external resources

2020-06-18

• markdown can be converted to xhtml/html pretty easily in perl and js
• this markdown is rendered to HTML with a serverless GCP function
• grep has no way to read patterns from a file and output matching results in the same order
• ls --sort=size