Skip to content

Instantly share code, notes, and snippets.

View jamesmacwhite's full-sized avatar

James #FFFFFF jamesmacwhite

View GitHub Profile
@jamesmacwhite
jamesmacwhite / update_notifications.yaml
Created May 29, 2024 19:01 — forked from mdegat01/update_notifications.yaml
Update Notifications Automation Blueprint
blueprint:
name: Update notifications
description: Send notifications for new updates and install or skip on action
homeassistant:
min_version: 2022.4.0
domain: automation
input:
update_entities:
name: Update entities
description:
@jamesmacwhite
jamesmacwhite / Aquiss FTTP OpenWrt guide.md
Last active September 19, 2024 19:42
Aquiss FTTP with OpenWrt

Aquiss FTTP with OpenWrt

A guide for configuring an Aquiss FTTP connection on OpenWrt. There isn't much information specifically for Aquiss broadband and OpenWrt. The good news is that the setup is a typical PPPoE/DHCPv6 configuration.

  • Router used: Linksys WRT3200ACM
  • OpenWrt version tested: 21.02.3 r16554-1d4dea6d4f

ℹ️ This information has also been provided to Aquiss for inclusion in their customer knowledgebase for anyone else who uses a router running OpenWrt.

Prerequisites

@jamesmacwhite
jamesmacwhite / README.md
Last active February 27, 2022 15:02
Protect Sonarr calendar feed requests when authentication is disabled

Protecting Sonarr Calendar feed requests

It was recently discovered that Sonarr does not protect Calendar feed requests when authentication is disabled. This discovery has identified a slightly misleading behaviour because the calendar feed URL appends the apikey parameter in the UI, which could lead you to assume means it can only be accessed with the API key parameter set in the URL to your Sonarr API. This is however not the case. With authentication disabled, the calendar feed path does not require anything related to the API key to access and in fact you can access it without any URL parameters at all. What is slightly more confusing is other apps like Radarr have changed this behaviour to require the API key.

While having the calendar feed URL publicly available isn't too much of an issue in terms of security (given it's read only), it does mean that anyone can use it and this might not be desirable.

Authentication should typically not be disabled

@jamesmacwhite
jamesmacwhite / DotNetFrameworkTlsSettings.reg
Created January 23, 2022 11:18
Configure .NET Framework to support strong cryptography and allows .NET to use the OS configuration for TLS
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
@jamesmacwhite
jamesmacwhite / schannel_enable_tls1.2.reg
Last active August 9, 2024 15:33
Reg file for disable anything below TLS 1.2 for both servers and clients via SCHANNEL. This will also enable TLS 1.2 for server and client.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
@jamesmacwhite
jamesmacwhite / apc-powerchute-business-edition-log4j-CVE-mitigation.bat
Last active January 1, 2022 21:15
APC PowerChute Business Edition 10.x Log4j CVE mitigation (CVE-2021- 44228 CVE-2021- 45046)
:: CVE-2021-44228 and CVE-2021-45046 mitigation for APC PowerChute Business Edition 10.x
:: Reference: https://www.se.com/ww/en/download/document/SESB-2021-347-01/
:: This batch script must be run as administrator and have 7-Zip installed.
@echo off
cd "C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib"
net stop apcpbeagent
"C:\Program Files\7-Zip\7z.exe" d log4jcore-2.14.1.jar JndiLookup.class -r
net start apcpbeagent
@jamesmacwhite
jamesmacwhite / README.md
Last active May 18, 2024 18:26
Andrews and Arnold (AAISP) L2TP on OpenWrt

Andrews and Arnold (AAISP) L2TP tunnel setup on OpenWrt

This is a guide for setting up the L2TP service from AAISP on an OpenWrt router. AAISP have an official OpenWrt guide for this but it is outdated and looks to have been originally written for OpenWrt 15.01/15.05 (Chaos Calmer), which is a long unsupported firmware build.

I have previously contacted AAISP about their documentation being out of date, however it has not been changed. It is technically not wrong, but under newer versions of OpenWrt you can simplify some of the configuration compared to the official documentation and there are also a few potential issues you might come across in OpenWrt land which are worth mentioning and saving someone else from bashing their head against a wall for hours, until you realise that the Linux kernel just hates you.

This has been tested on the latest stable OpenWrt 19.07 release branch.

Required packages

@jamesmacwhite
jamesmacwhite / README.md
Last active September 19, 2022 20:30 — forked from hazcod/apache-plex-reverse-proxy.vhost
Apache 2.4 reverse proxy VirtualHost configuration for Plex. Requires modules ssl, proxy, wstunnel

I no longer use Apache as a reverse proxy and moved to NGINX. No further updates will be made to this configuration. It may or may not work in the future, no warranty or support will be provided.

Apache 2.4 reverse proxy configuration for Plex Media Server

This VirtualHost configuration has been tested with the minimum requirements of Plex Media Server Version 1.16.5.1488 and Web Version: 3.108.2.

The TLS configuration only allows clients that support TLS 1.2+, this may cause issues for legacy clients. You may need to adjust this if specific clients have issues connecting. If however you are OK with having just TLS 1.2+ support, you can also enable the "Disable weak TLS versions" setting on your Plex server, given the reverse proxy will prevent a successful TLS negotiation for such clients anyway.

Requirements

@jamesmacwhite
jamesmacwhite / README.md
Last active December 5, 2020 09:44
Modifying Google Chrome policies with examples for Windows and MacOS

How to override Google Chrome Cloud policies

Google Chrome Managed by somecompany.com? Is your organisation forcing extensions or specific Chrome settings in your work profile that are just getting in the way? NOT ANYMORE. Time to fight the cloud with machines policies!

It should be obvious, but you will need either full administrator or sudo rights to do this. Obviously if you are trying to do this on a managed machine controlled by your organisation, don't be a noob. If however you find some organisation policies creeping in on personal or non managed devices. RISE UP. Follow the guidance below, depending on your environment, the instructions and payload needed differ.

DISCLAIMER: If you get in trouble or your arse fired for subverting organisational policies, RIP, but these are just the tools required, you have to use them, so it is on you. BUT YOU WANT THAT SWEET INCOGNITO MODE THO RIGHT?

Why do organisations typically block incognito mode? Well... Because Google Chrome extensions can't track

@jamesmacwhite
jamesmacwhite / README.md
Last active May 1, 2024 07:25
An example and overview of mwan3 IPv6 configuration with NAT6 (sorry anti IPv6 NAT people)

Deploying mwan3 with IPv6 (using NAT6)

I'm a user of mwan3 and contribute to its development in a small way by mainly providing feedback with my multi WAN setup and maintaining the beast of it's documentation on the OpenWrt wiki (feedback and contributors welcome).

This setup ultimately requires the use of a NAT6 firewall script. NAT6 is currently broke with fw3 and LuCI, so this is an important helper script to workaround this current limitation.

The NAT6 configuration requirements are explained in more detail on the OpenWrt wiki.

This gist is aims to document my configuration for others.