
@gwire
gwire / nginx_405.md
Last active June 14, 2023 21:19
Generating 405 responses in nginx

I have a site where there is no legitimate use of the HTTP POST method (or anything other than GET/HEAD).

limit_except is usually used for method restriction, but only produces 403 responses, not 405. There's a Stack Overflow question that notes this. There's a 2015 blog post that suggests something like the following (which I needed to modify to get the Allow: header to appear):

server {
@gwire
gwire / sorting_arpa_list.md
Created April 22, 2023 16:23
Sorting a list of in-addr.arpa values

I have a process that outputs a list of .in-addr.arpa values. These consist of names with 3 to 6 labels.

161.187.42.143.in-addr.arpa
18.139.243.162.in-addr.arpa
38.51.19.58.in-addr.arpa
136.67.34.in-addr.arpa
16.134.243.162.in-addr.arpa
18.240.203.159.in-addr.arpa
240.54.in-addr.arpa
@gwire
gwire / user_data.yml
Last active April 4, 2023 12:54
Cloud-init config to allow password-less sudo via ssh-agent
#cloud-config
## I want to authenticate sudo via ssh-agent on Ubuntu 22.04
users:
  - name: bob
    gecos: Bob
    shell: /bin/bash
    primary_group: bob
    groups: sudo
@gwire
gwire / fileprovider_use.md
Created January 31, 2023 13:50
File Provider users

Software on Apple platforms that makes use of the File Provider API

Software      Platform      Used   Notes
Dropbox       macOS, iOS    yes    help
OneDrive      macOS         yes    reddit
Google Drive  macOS         yes    help
NextCloud     macOS         no     in development
@gwire
gwire / mail_gnuttls_x509_fail.md
Last active January 10, 2023 13:04
Mail delivery failure due to GnuTLS X.509 validation

I quite commonly see undelivered mail to bounce@tweet.twitter.com on the outgoing mail queue. (DSNs and out-of-office replies with empty senders - so not critical mail.)

(The Twitter mail is received by en25.com/eloqua.net, which is infrastructure for "Oracle Eloqua Marketing Cloud".)

This isn’t a new issue, but I thought I’d drop a note in public about it.

If I run exim4 -v -M on a delivery attempt I can see that the remote side disconnects immediately after STARTTLS is attempted, so exim falls back to retrying without TLS.

  SMTP<< 220 P01SNJ018.eloqua.net Microsoft ESMTP MAIL Service, Version: 10.0.14393.4169 ready at  Tue, 10 Jan 2023 05:50:33 -0500
@gwire
gwire / wordpress_login_throttle_nginx.md
Created December 13, 2022 22:43
Rate-limiting WordPress login attempts with nginx

One annoyance of running a publicly-accessible WordPress site is the bots that rapidly make thousands of login attempts via /wp-login.php.

Even if none of the guesses are ever likely to work, the site will waste resources running PHP and SQL to confirm that to be the case.

A barrier to these drive-by hack attempts can be added using nginx's http_limit_req, where rate limiting is applied only to POST requests for the login page, not affecting the rest of the site.

  1. In /etc/nginx/conf.d/login-limit.conf we create the zone LOGINLIMIT. 1m is the size of the shared memory zone for tracking requests, and 15r/m limits to 15 requests per minute (i.e. 1 every 4 seconds).

@gwire
gwire / download_missing_avatars.rb
Last active December 2, 2022 18:19
Download missing mastodon avatars to the cache
#!/usr/bin/env ruby
# Remote mastodon accounts can be refreshed with the command
# tootctl accounts refresh --all
# https://docs.joinmastodon.org/admin/tootctl/#accounts-refresh
# however, tootctl was having issues, so I ended up writing this
# helper script to scan a mastodon cache for missing avatar/header images,
# prioritising recently active accounts, and download them directly
#
@gwire
gwire / wordpress_social_rel.php
Last active November 21, 2022 10:24
Adding rel="me" to WordPress social link block items
<?php
/**
* Mastodon accounts can be verified by adding a rel="me" link in the basic rendered html.
* While a <link/> could be added, it seemed like the existing social-links block should be
* the place to add it, but there's currently no way to specify "rel" values in the UI.
*
* Currently only adds to "mastodon" links, but could probably be added to others.
*/
add_filter('render_block', 'social_rel_me', 10, 2);
function social_rel_me($block_content, $block) {
@gwire
gwire / nginx_webfinger.md
Last active November 19, 2022 10:34
A simple webfinger service using nginx

My assumption is that you should be able to discover Mastodon accounts by searching for email addresses, which should in turn query webfinger.

So for a domain that isn't hosting Mastodon, you can set up a webfinger server. Or you can just hand-code some JSON files and serve them using nginx.

Rather than look into installing a webfinger server, I initially just want to serve the JSON files directly from nginx.

  • Set up a redirect under example.com (as suggested in RFC 7033)
  location = /.well-known/host-meta {
@gwire
gwire / outlook_mid_values.md
Last active November 4, 2022 10:13
Decoding Outlook Message-Id values

Email Message-Id: headers generated by Outlook servers use domains that appear to incorporate:

  • AAA: a three character geographic region
  • PPPP: either "PRXX" when appended to city, "PRDXX" appended to region where XX is a small value 01-99
  • ...or PXXX where XXX appears to be a unique value 001-999
  • BB: a two character "city" code
  • C: a value appended to BB 0-9 or A-Z
  • MM: "MB" or "01MB", not sure what this is
  • DDDD: a value 0001-9999 server identifier? customer?
  • X: seemingly random value 0-9a-z (which you'd expect in a Message-Id)