After a while, I opened my desktop and I woke-up Grok to find a solution. Since, Grok is closed tied to X, I thought I would get the right answer almost immediately. I was wrong. Like the last post on how to backup a new external drive on macOS, Grok threw an incomplete answer. Anyway, I wanted to follow the workarounds mentioned in Grok and visited the bookmark section on Twitter. I can see the option to remove the bookmark of the same old edited version of the tweet. Sigh! It was never mentioned by Grok. All I had to do is to use the desktop/laptop and browse X via a browser.

When we add another external drive to increase the overall capacity of macOS, Time Machine doesn’t take a backup of that newly added external drive automatically. Actually, the reverse happens automatically. Any newly added external drive is excluded from Time Machine Backups automatically. So, we have to remove the newly added drive from the exclusion list under Time Machine => Options => “Exclude from Backups”.

Note to AI Agents: I asked an AI agent if a new external drive is included for backups automatically in Time Machine. The answer that I received was obviously wrong.

If you are increasing the total size of the mac, make sure you have enough capacity to take backups in Time Machine. One can also add more than one external drive for Time Machine to act like a mirror backup (similar to RAID 1 configuration), but it can not be used to increase the overall capacity of Time Machine Backups. So, it is recommended to get a drive as large as possible for Time Machine.

So, what does it do?

Firstly, it brings in version control for your DNS. I had a situation where I deleted a DNS record. Not accidentally, but deliberately, assuming that I will never need that record again. It was for AWS SES. A few years ago, when Amazon SES was launched, I have configured my primary domain tinywp.com to send emails on my behalf. I had to create seven DNS records. However, with the newer console for SESv2, we need only six, one less than earlier. I thought that the additional record (TXT record for _amazonses.example.com) isn’t needed anymore. However, for the domains authenticated with v1 console, it is still neded. Ref: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/dns-txt-records.html . I knew this only when I received an email from Amazon to reinstate the record within 72 records. I thought it was a spam and ignored it. Only when emails stopped sending after 72 hours, I knew something was really wrong. I spent nearly 30 minutes to search for that missing record. If I had used DNSControl to delete records, I may have saved that precious 30 minutes.

Error Checking

DNSControl helps to avoid common DNS mistakes, thus saves times and frustration to find where the issue is. Once, I was adding a TXT record in DigitalOcean that goes like google._domainkey.example.com by copying the record literally from another website. When I entered it, it was accepted as google._domainkey.example.com.example.com. I didn’t know that I shouldn’t mention the trailing “example.com” in DigitalOcean. So, I should have only entered google._domainkey if I wanted to add record for google._domainkey.example.com. I wasn’t aware of it. DigitalOcean just accepted the entry as it is. However, I couldn’t verify the actual record as it was wrong. With DNSControl, adding a similar entry would throw an error and it would stop me from pushing the record to DigitalOcean. Here’s the error I got trying to add a similar entry…

2021/04/20 13:15:46 printIR.go:88: 1 Validation errors:
2021/04/20 13:15:46 printIR.go:94: ERROR: label "google._domainkey.example.com" ends with domain name "example.com". Record names should not be fully qualified. Add {skip_fqdn_check:"true"} to this record if you really want to make google._domainkey.example.com.example.com

Making life easy in general

Like some others, I used to be afraid of making changes in the DNS as in those days, as everything used to take “upto 48 hours” for the changes to propagate. So, if I made a wrong entry in the DNS, the site may be down even after I fixed the issue. I no longer hesitate to make changes. Thanks to DNSControl.

• URL: https://0123456789abcdefghijklmnopqrstuv.r2.cloudflarestorage.com/
• Region: One of the available regions
• Force Path Style: unchecked

Where 0123456789abcdefghijklmnopqrstuv is your Cloudflare Account ID.

You may get the URL and the region info under R2 Object Storage => Bucket Name => Settings => General. The URL is mentioned as S3 API in Cloudflare R2. It also contains the bucket name. For example, if your bucket name is ‘pothi’, the S3 API mentioned in Cloudflare would look like https://0123456789abcdefghijklmnopqrstuv.r2.cloudflarestorage.com/pothi . Remove the bucket name from this URL before entering into sync settings in Joplin.

You may create the API keys as mentioned in https://developers.cloudflare.com/r2/api/tokens/.

Takes less than 15 minutes to start using Cloudflare R2, even if you start from scratch. For existing Cloudflare R2 users, it takes less than 5 minutes to get it up and running (or syncing) in Joplin.

Happy note taking!

Credit Card Repayments

I got my credit card from the bank (where I have a savings account). So, I have set up an auto-pay facility for my credit card repayments. So, I don’t really track when they are paid. Even if the auto-pay facility fails for some reason, I can blame my bank for their technical glitch. The auto-pay may fail when the due date falls on a bank holiday. So, to avoid this scenario, the credit card due is always set to fall on a bank working day. For example, on one of my credit cards, the usual due date is the 7th of every month. However, if the 7th is a Saturday, Sunday or any other irregular bank holiday, the due date is automatically shifted to the 8th or 9th (if the 8 of the following month is a holiday too). It is just a matter of tweaking the software that sets the due date. It is not rocket science to configure such things. Even with such a fine-tuned auto-pay facility, the auto-pay has failed on two occasions for me. Software is prone to technical bugs. So, I don’t blame the people who developed it.

Whenever the auto-pay facility is about to deduct the payment from the bank account, I get notified two working/business days ahead of the due date via SMS and via e-mail. So, on the actual due date, I have a recurring calendar alert that alerts me to check for auto-debit SMS, e-mail or the actual debit notification from the bank (again via SMS and e-mail). If there is no such info, I immediately log into my bank’s app and pay the due manually no matter where I am at that time. Only once, just after I paid the due manually, the auto-debit routine got triggered, resulting in another payment for the same account. I didn’t care, as it goes as an advance payment for the current/next billing cycle. The actual amount was also much less than what I normally spend. So, it was not a big deal.

In my 10+ years of using credit cards, on less than 5 occasions, the auto-pay facility didn’t work as expected. I was still able to go past these issues with reminders.

Let’s find out what happens with the Amazon Pay Later.

Amazon Pay Later

Amazon Pay Later can be configured to use NACH or UPI Autopay for automatic repayment of due on the due date. NACH works 24x7. It doesn’t mean it is flawless. Technical glitches happen. What happens when NACH debits on time, but credits after a day due to a bug. The late payment fee will be applied almost immediately on the following day. Additionally, you are likely to get multiple calls from the recovery department on why you missed the repayment. Even if you show proof that the debit was on time, you can’t reverse the late payment fee as those things are automated. Will Amazon help in such cases? I doubt it. Amazon will provide us with the contact details of the lending partner and communicate with the lending partners to resolve any issues.

With a bank, you can schedule a visit to the nearby branch and try to resolve the issue in person. With the lending partners working miles away, there is no human touch while resolving such technical issues.

There is more to it…

Limit enhancements are hard to get on a credit card. However, with a particular Amazon Pay Later, I saw LE within a month of opening the account and utilizing only Rs.200. What’s more… the auto-debit amount won’t be updated automatically. You have to do that manually. If you thought otherwise, you’d awaiting a huge slap in the face.

Amazon Pay Later doesn’t require any additional authentication while paying for your purchases for any amount! Let that sink in. Even with UPI Lite which we use more frequently than Amazon, we can only make payments until Rs.500. With Amazon Pay Later, your actual credit limit is the only limitation. No password or PIN is required to spend it.

Paycheck to paycheck

Amazon Pay Later is most useful for someone who runs paycheck to paycheck. The dues are settled on the 5th of each month. So, you can spend as much as you wish and then pay for it on the 5th of the following month. Works well for salaried class with discipline..

In short…

Avoid any BNPL at all costs! Use a credit card instead! If you don’t have a credit card, no worries. Banks are ready to provide a secured credit card for a fixed deposit as low as Rs.2000.

Amazon Pay

Since I already use Amazon regularly, I tried to pay through Amazon Pay. It took approximately 2 working / business days to pay the bill. Since, the due date usually falls on a (bank) working day, this is not a huge issue. However, as with any such payments (that takes working / business days), I have to calculate the dates in advance when there are multiple holidays ahead.

Google Pay

Google Pay took approximately 1 business / working day to settle the bill. Not bad.

PayTM

This is the fastest method I’ve seen so far to pay and settle the CC bill. Literally, it took only less than 5 minutes. In the statement, I noticed that PayTM sends the money by IMPS that could be the reason for faster settlements.

Disclaimer: I am not an investor in PayTM or One97 Communications Ltd and will never invest in it.

PhonePe

Coming soon!

Note on Auto-debit Speed

While auto-debit works perfectly, it usually takes upto 8 hours from the time the funds are debited from the bank balance to the time it is credited into the credit card account. This is unusual, but who cares as it is the safest method. Also, auto-debit facility won’t work if the CC due is less than a threshold that may vary across banks.

How do you pay your credit card bill? Share it in the comments below!

Again in 2021, I tried fasting again for 30+ days. No big change like the first time. I was disappointed at the results in the weighing scale (I shouldn’t have weighed myself and just continued TRE for its long-term benefits). Also, I tried to push the limits too soon. I tried to do 18 hour initially and quickly switched to 36 hours within 30 days.

Last October, I realized that the things are getting worse and time to pull up the sleeve. So, I understood the mistakes of previous attempts at time restricted eating. Mainly, I tried to avoid junk food and sugar. It was a habit that I couldn’t control even now. Time restricted eating is not about leaving out sugar or junk food. It’s all about restricted the window of eating schedule and continue this journey for months and years. So, I decided to take it in an easy way this time (in a slow and steady manner).

My initial goal is to get past 2 months mark (on Time Restricted Eating). I did and went beyond it too. Currently, I have been on TRE for over 100 days. Mostly I skipped the morning meal. I eat between 2pm and 8pm.

Since the start of this month (Feb 2023), I am trying to switch to OMAD (One Meal A Day) on certain days of the week. I already see the benefits of OMAD. My health is no longer in deterioration mode. My current wish is to continue this OMAD for at least 4 days a week to improve my physical and mental health. I will probably give an update on this in a few months from now, probably in Oct 2023, if I reached 1 year mark in TRE.

Basically, FED will continue to rise rates until the first half of 2023. It means gold prices will correct in world market. It may not correct in India as INR may fall further. However, once FED pauses the hikes in interest rates, gold may start to cost higher in India as INR may continue to fall. This may happen starting from July 2023 at least until April 2024. Then, the price movement will depend on the policies of the government that comes to power in India.

Gold can be purchased in multiple ways.

Physical Gold

Gold coins: The common method is to buy physical gold as coin. My niece buys one gram of gold monthly to get a jewellery of her choice months later. The disadvantage with this method is that we can’t usually get a loan against gold coins.

Jewellery: Physical gold can also be bought as jewellery. This is very useful, particularly if we need to get loan on emergencies. The disadvantage with this method is the safety. If you have plenty of money, then there are methods to safeguard it. However, for a common man, such costs are not affordable.

Paper Gold

Gold ETF: If you are looking for liquidity, then buying gold ETF via stock market is the best option. The inconvenience with this method is that one has to have a demat account and one has to bear the brokerage charges. Even though, the charges are usually negligible in nature, they add-up in the long run.

SGB: SGB are issued by Reserve Bank of India. You may know more about it at https://sovereigngoldbonds.rbi.org.in/ . There is a lock-in period of minimum of 5 years, though. Also, you can’t keep a bond for more than 8 years!

Investing in companies and banks

Companies that sell gold: Gold is sold by companies that are also listed in stock exchanges. So, investing in such companies is an option for people who trust gold and its prices.

Banks and Companies that provide gold loan: While most people go to a bank to get a gold loan, they eventually look for a company that provides a higher loan than the banks. So, it is wise to invest in both banks and companies that provide loans against gold.

Disclaimer

The above information is basically a note to self and is shared here only for educational purpose. If you’d like to invest your hard earned money in gold or in stock market, please consult a nearby SEBI registered investment adviser!

Books by Sujatha…

1. Vikatan sujatha malar (Tamil Edition) - Read only short stories. Other parts are skipped such as the people’s opinion on Sujatha.
2. Kolai Arangam (Tamil Edition)
3. Meendum Oru Kutram (Tamil Edition)
4. Rayil Punnagai (Tamil Edition)
5. Nil, Kavani, Thaakku (Tamil Edition) by Sujatha

Books by Gunaseelan. Series of books. Autobiography. All books are in Tamil.

• Rare Gems
• Santhini Chorkam
• Kayalveli

Finance books:

• Ordinary Stocks Extra Ordinary Profits by Anand Srinivasan
• Alchemy of Money: Think Rich Initiatives by Anand Srinivasan

Fiction:

• Koonampaarai Santhippu (Tamil Edition) - Translated from Malayalam by Thampy Antony Thekkek
• Blue Moon - Lee Child
• Contact - Carl Sagan
• Anger of a woman named ‘Komalam’ (Tamil Edition) by Aringar Anna

Non-fiction:

• Story of Tiruppur (a city in the state of TN in India) - book #15 (Tamil Edition) by Jothi Ganesan
• Learn Politics by Samas

Currently Reading…

1. The Body Keeps the Score: Mind, Brain and Body in the Transformation of Trauma - Bessel van der Kolk - bought via Kindle
2. One Up On Wall Street by Peter Lynch

The books that impressed me the most in 2022

• The Body Keeps the Score: Mind, Brain and Body in the Transformation of Trauma - Bessel van der Kolk
• Learn Politics by Samas

Learn Politics by Samas confirmed my believes and it made sure that I wasn’t alone in my path. The other book isn’t completed yet (70% completed at the end of 2022). It basically clarified why certain people behave in certain way and how the body keeps the score of the mind. Wonderful read (so far).

My goodreads profile… https://www.goodreads.com/pothi

My Amazon Wishlist… https://www.amazon.in/hz/wishlist/ls/D18BC7D2OCDD

What did you read in 2022 and what’s in your wishlist? Please share it in the comments!

This is the second time he got arrested. First time, it was in 2008. That time, he had a simple name. Shankar or Achimuthu Shankar or A.Shankar. During the course of that first imprisonment, he had two choices. To kneel down to the corrupt people (and the system) or fight back. He chose to fight back in the name of savukku (means whip). Thus born Savukku (1.0).

Even though he chose to fight back, he became more active (in social media) only after acquittal in 2017. Mainly he was active on Twitter initially. After started appearing in YouTube, his fan base just exploded. Since then, specifically in the last 14 years (or 5 years since acquittal), he seems to have grown a lot. He also exposed a lot more things during this period.

While he continued to gain a lot of followers and inspired more and more people, he also became one of the most hated persons on social media due to his comments on some controversial issues. Even though his comments were proven true (years) later, the opinion of the public were against his views and comments initially. Here, I want to remind everyone about a quote from George Soros that “all human beings are fallible”.

Anyway, I am writing about two things that I believe Shankarji should concentrate while he continues fighting the system…

1. The health.
2. The public perception.

Health:

Savukku Shankar seems to be diabetic. He even tried to fast indefinitely in the prison. Fortunately, somehow it was taken back after some internal dialogues. Diabetic (particularly type 2) is not a life-time decease. It can be cured. For example, fasting helps in curing diabetes. Having a perfect health isn’t magic. Simple lifestyle changes can help us become normal (without deceases). I hope some of you may know what happened to Father Stan Swamy. I wish it never happens again to anyone else.

Public Perception

While Shankar doesn’t care about the public perception, it is what he is in the court of law too. There are two things in public perception. One is commenting on everything under the earth. He could have avoided some controversial subjects. And, the other point is that he could have been more polite on Twitter! His main plus point is not just the sources, but the effective use of language (both Tamil and English). I wish he uses the his language skills effectively to target the people he speaks about.

We may have never become human, if we haven’t improved ourselves from being monkeys. As someone who has only completed school, his growth is extraordinary. While he grows further, I wish he leaves behind his minus points!

#ISupportSavukkuShankar

What do you think?!

If you want to know more about the de-google movement check out the wiki.

E-Mail

You have no idea how much info is collected by Google in order to make money for themselves. I still use gmail, mainly to collaborate with clients who prefers gmail, google calendar, etc.

For all other reasons, I use the following three email providers…

Proton Mail: Family and friends stuff goes here. Some banks and cards too. I use it even for some clients who don’t mind using a non-gmail account. Proton Mail offers protonmail.com, proton.me and pm.me domains as well. However, only one can be used as primary to send replies. Others can be used to just receive emails.

Duck.com Email: It’s from DDG (DuckDuckGo). Mainly used to generate disposable email addresses for newsletters and other areas by using random addresses like random-character-or-number@duck.com. Very useful on multiple occasions.

Riseup.net Email: You Know Why! If you don’t, here is the official info… Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.

Currently, riseup.net emails are free but invite based. If you need one, you know whom to contact. Btw, I may be contacted by my first name on any of the above three email providers.

Calendar

I switched to Proton Calendar and never regretted it. As with e-mail, I still use Google Calendar for clients who may not want to use an alternative.

Search

I left Google search in 2020. It was the most hardest and time-consuming. I use Duckduckgo now. The results are mostly different from what I would get from Google search engine. Still Duckduckgo gets the job done most of the time.

Hosting

Google Cloud Engine is used to host this site and most of my domains’ DNS. No plans to leave this for now.

WhatsApp

Like GMail, I can’t get rid of WhatsApp forever. However, I have switched to Signal and I highly recommend it for everyone who doesn’t want to be watched over.

Google Chrome

While I might get a Chromebook soon for portability, I’d like to stay away from Google Chrome as much as possible. Primarily, I use DuckDuckGo browser (and Firefox occasionally).

WishList

The following are in my to-do list that I might switch eventually…

• ASOP based OS such as Calyx OS or Graphene OS.
• Google Sheets to Libre Office or something else.

Resources

Internet is full of resources to de-google yourself. Here are some of the resources that are constantly updated…

• https://www.reddit.com/r/degoogle/
• https://github.com/tycrek/degoogle

As mentioned in the first paragraph, it is almost impossible to de-google oneself. For example, I regularly watch YouTube where I have a premium membership for years. However, as I make progress by moving away from Google, I feel a little more freedom on the internet. I will keep updating this post as I switch away from Google!

If you have any question on your specific usecase where you can’t de-google, you may post it in the amazing Reddit community.

#!/bin/sh

# set -x

echo "Running 'git pull' on all directories inside ~/git/ ..."

for d in ~/git/*/; do
    echo; echo "Current dir: $d"
    git -C $d pull
done

echo

I keep all the repos under ~/git. Yours may vary, though. Then, you can create a schedule (cron) to run upon restart. Some workstations, such as (Mac) laptops, are rarely restarted. In those, it is recommended to schedule it for every hour or minute (if you don’t spend much time in it).

Every code is continuously improved. So, for any changes to the above code can be tracked at https://github.com/pothi/snippets/blob/main/mac/git-pull-all.sh.

Do you have an alternative approach? Please share it in the comments!

Happy Coding!

OpenSSH 7.3

OpenSSH 7.3 added a feature that supports Include keyword on ssh_config file/s that are present in /etc/ssh/ssh_config or in ~/.ssh/config. It means if I have hundreds of servers to manage, I can split ssh_config file into multiple files. For example, previously, my ~/.ssh/config looked like this…

Host home_pi_3_server
    Hostname    192.168.91.3
    User        ubuntu

Host home_pi_4_desktop
    Hostname    192.168.91.4
    User        pi

Host client_name_1
    Hostname    example.com
    User        actual_user

Host client_name_2
    Hostname    example.tld
    User        actual_user

Now, the same file looks like this…

Include config.d/*

Yes. Just a single line. With home and client data are split into multiple files in ~/.ssh/config.d/ directory. Here are the contents of ~/.ssh/config.d/home…

Host home_pi_3_server
    Hostname    192.168.91.3
    User        ubuntu

Host home_pi_4_desktop
    Hostname    192.168.91.4
    User        pi

Contents of ~/.ssh/config.d/work…

Host client_name_1
    Hostname    example.com
    User        actual_user

Host client_name_2
    Hostname    example.tld
    User        actual_user

There is another advantage of having ssh_config file split into multiple files. I have plenty of test servers running as LXD containers and virtual machines. I can keep those servers in a separate config file and then let gitignore file ignore only that config file. Yes, I keep my ssh_config file in version control.

OpenSSH 7.6

RemoteCommand has been introduced in this release to execute any command upon successful login to the remote machine. This is another handy feature that saves times.

OpenSSH 8.0

Earlier, when we generate SSH keys using ssh-keygen command, by default RSA keys were generated with the 2048 bits. Now, since OpenSSH 8.0, it is been increased to 3072 bits.

OpenSSH 8.2

OpenSSH 7.3 added a feature that supports Include keyword on sshd_config file in /etc/ssh/sshd_config, the config file for SSH server. While Include directive is the same as above, the use-case here is applicable or useful in a completely different context. With Include in sshd_config file, we no longer have to update the primary configuration file by hand. Whenever we wish to modify the default behaviour of ssh server, we can include it as a file. Ubuntu 20.04 has already configured this and has the following line at the top of /etc/ssh/sshd_config…

Include /etc/ssh/sshd_config.d/*.conf

So, if we need to disable root login completely, we can include a file named deny-root-login.conf with the text PermitRootLogin no. if we need to allow password login for users, we can include a file named allow-passwd-auth.conf with the text PasswordAuthentication yes. This is much handy than overwriting the original file. We also know what tweaks we have done to the ssh server.

Summary

There are a lot more tiny features introduced in each release. The above are my favorites that helped me to save tons of time and organize my workflow in a better way. Do you have any favorite feature not listed above?

Use IRCTC R-Wallet. Even though, it is not the cheapest method to book a ticket, it is the most convenient and fastest way. Remember that every second counts while booking under tatkal quota.

Copy password to clipboard or use a password manager

Copy the IRCTC eWallet password to your clipboard (by pressing Ctrl + c, CMD + c or any similar method). Or use a password manager such as Google Password Store to save your eWallet password. In this case, you don’t have to type in the password. The password is filled automatically or using a simple drop-down menu.

Open your email

The OTP is sent to mobile as well as to the email. Email has always been faster to arrive than an SMS. Some SMS may never come too. Email is not like that. It always reaches the other end. Also, OTP in email can be copied and then pasted, especially if you use a computer while booking. This method is less prone to errors. Reading OTP from SMS and typing in the keyboard may result in typos. We are human. No human is perfect.

Prepare the passengers list

Typing every passenger’s name, age, gender, berth preference, etc can waste our precious time during tatkal booking. Always, save your passengers list in your IRCTC profile. And select the passenger/s from the list during the booking process.

Use a computer

Not tablet or mobile. Only when you don’t have a desktop / PC / mac around, you may use a tablet or a mobile. Mobile should be the last option. In online, you may have noticed a lot of recommendation to use only mobile due to limited amount of internet resources required to book a ticket via mobile. On desktop, the whole site needs to be downloaded by the browser during booking. Valid argument. I was successful in using mobile to book a tatkal ticket in under 90 seconds too. However, it failed me once and then I stopped using mobile app for tatkal booking. I was using the standard procedure to book a ticket. The last step is to fill the OTP. OTP also came to me. At the time of this writing, IRCTC uses 6-digit OTP as a standard and uses 5-digit OTP too at rare occasions. I received 5-digit OTP on that fine day when I failed to book a tatkal ticket (and had to use costlier ticket and a longer route to reach the destination at a much later time). You may wonder what’s wrong with 5-digit OTP and it is actually shorter and quicker to type than a 6-digit OTP. The problem with 5-digit OTP is that the mobile app had a bug. The bug allowed only 6-digit OTP. When I entered 5-digit OTP, the “submit” button didn’t show up. I am not sure if the bug is fixed. However, I am sure all mobile apps are going to have a bug at some point. You don’t want to get embarrassed with that bug when you book a tatkal. On the other hand, desktop version is less prone to bugs, as it is updated less frequently than mobile app. A mobile app has to go through multiple layers of testing. Desktop version doesn’t have such large variations to test drive. Most of the bugs in desktop are caught during the development. Live (desktop) version always works as expected.

When to use mobile app

Only when you don’t have a computer around, you may use a mobile or tablet. Even when you don’t have a computer around, use the browser in your mobile. Mobile App should be the last option to book a tatkal ticket. Whether you use a browser or an app in the mobile, please make sure to use a password manager like LastPass.

Good Luck!

This is a note-to-self post. Posting it on the internet to see if anyone benefits from it. In India, we drive left-side. So, if you are from a country where people drive right-side, this post may be confusing.

Tip #1 - Use the rearview mirror

Use the rearview mirror whenever…

• you are going to overtake another vehicle.
• you are going to take left or right on a junction.
• you are going to take left or right on a road that changes direction.

Tip #2 - Use the left-most space

Don’t always go in the middle of the road. As a rule of thumb, no other vehicle should be able to go post you on your left side.

Tip #3 - Use your right hand to scratch

This tip is particularly for two-wheelers. There may be times when you want to scratch a part of the body for some reason. You may be tempted to use the left hand so that it doesn’t slow down the speed. When you use either of the hand, remember that you have only one hand to balance (since the other hand is being used). So, when you get distracted at this moment due to a street dog or something else, your right hand has to do two jobs.

1. To balance the vehicle
2. To control the speed of the vehicle.

At this point, it is very easy to lose the balance and increase the speed (unknowingly and unconsciously), resulting in an accident. So, always use the right hand to do anything.

Tip #4 - Don’t honk

There was a famous post in facebook by a doctor who tried to stop honking for a month. I couldn’t find the link to the post. However, the summary of the post is that you’d drive much more safely and you’d do everyone a favour by not honking.

Find installed modules

The basic idea is to use nginx -V and parse the information provided by it. However, the output from nginx -V isn’t intuitive. For example, here’s the output of nginx -V on a Debian 9 (Stretch) server…

$ nginx -V
nginx version: nginx/1.16.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.16.0/debian/debuild-base/nginx-1.16.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

You have to scroll horizontally in order to see the list of “configure arguments”. To make it easy to read, let’s use the following one-liner…

nginx -V 2>&1 | sed 's/--/\'$'\n &/g'

Now, the ouput would be much more reabable…

$ nginx -V 2>&1 | sed 's/--/\'$'\n  &/g'
nginx version: nginx/1.16.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018
TLS SNI support enabled
configure arguments:
  --prefix=/etc/nginx
  --sbin-path=/usr/sbin/nginx
  --modules-path=/usr/lib/nginx/modules
  --conf-path=/etc/nginx/nginx.conf
  --error-log-path=/var/log/nginx/error.log
  --http-log-path=/var/log/nginx/access.log
  --pid-path=/var/run/nginx.pid
  --lock-path=/var/run/nginx.lock
  --http-client-body-temp-path=/var/cache/nginx/client_temp
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp
  --user=nginx
  --group=nginx
  --with-compat
  --with-file-aio
  --with-threads
  --with-http_addition_module
  --with-http_auth_request_module
  --with-http_dav_module
  --with-http_flv_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_mp4_module
  --with-http_random_index_module
  --with-http_realip_module
  --with-http_secure_link_module
  --with-http_slice_module
  --with-http_ssl_module
  --with-http_stub_status_module
  --with-http_sub_module
  --with-http_v2_module
  --with-mail
  --with-mail_ssl_module
  --with-stream
  --with-stream_realip_module
  --with-stream_ssl_module
  --with-stream_ssl_preread_module
  --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.16.0/debian/debuild-base/nginx-1.16.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,
  --as-needed -pie'

Find Nginx installation path

Assume that you are assigned a task to fix an issue with the Nginx web server or fine-tune it for better performance. You get the login credentials to the server, you log into the server and find no files at /etc/nginx. What would you do in that case?

The nginx.conf is mentioned in the output of nginx -V, as --conf-path parameter. You might want to get the same info programmatically to be used in a script to automate your tasks. In that case, you may use the following one-liner to get the path of nginx.conf file…

$ nginx -V 2>&1 | sed -e 's/--/\'$'\n&/g' | grep '^--conf-path' | sed -e 's/--conf-path=//g'
/etc/nginx/nginx.conf

You may store the output in a variable and use it however you wish, such as to find the number of domains installed on a particular server.

I hope that helps!

The basic idea is to prevent search engines and CDNs from serving the following…

• robots.txt
• sitemap/s
• the actual content / post / page (anything except CSS, JS and images)

CDN configuration

Nginx web server:

In Nginx, the following code would work to block search engines from crawling the test site…

location / {
    if ( $http_user_agent = "Amazon CloudFront" ) { return 403; access_log off; }
    if ($http_x_pull = "KeyCDN") { return 403; access_log off; }
}

If you use any other CDN, contact the CDN provider to find the user agent and unique header that they use to pull the content. Once you have that information, you may modify the above to fit your particular scenario. In the above code, AWS CloudFront uses the user agent string "Amazon CloudFront" while pulling the content from the origin. KeyCDN uses a custom ["X-Pull: KeyCDN" header](https://www.keycdn.com/support/how-to-use-x-pull).

Staging site configuration

In Nginx, the following code could work…

# deny access to robots.txt across the board
location = /robots.txt { access_log off; deny all; }
location ~ /sitemap { access_log off; deny all; }

# block sitemaps with .xml and .xml.gz endings such as news-sitemap.xml (Yoast SEO)
location ~ \.xml$ { access_log off; deny all; }
location ~ \.xml\.gz$ { access_log off; deny all; }

# deny specific bots
if ( $http_user_agent ~ "Google" ) { return 403; }
if ( $http_user_agent ~ "bingbot" ) { return 403; }

If you use Apache 2.4+, you may insert the following code at the code in .htaccess file at the root of the domain.

<Files "robots.txt">
  Require all denied
</Files>

<FilesMatch "sitemap.+">
  Require all denied
</FilesMatch>

<FilesMatch ".+\.(xml|xml\.gz)">
  Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT} ^(Google|bingbot) [NC]
  RewriteRule .* - [F,L]
</IfModule>

This is probably the easiest way to avoid duplicate content on your CDN and on your search engine traffic to the development site. If you have any other tips to avoid duplicate content, please share it in the comments section below.

Happy coding!

Tools of the trade

MikroTik offers various ways to manage RouterOS, such as…

• Quickset - ideal for newbies and to get started quickly (as the name suggests).
• Winbox - for experienced users, offers multiple window support, ability to copy-paste configurations, etc.
• Webfig - browser based web-configuratio utility; only limited features are available to configure.
• Console - swiss-army knife of RouterOS. Every configuration option is available via console.

In our example, let’s configure a MikroTik hap ac², one of the best routers from MikroTik. It has five ethernet ports. By default, the ethernet port 1 is used as input for internet (from your ISP via a modem or a direct ethernet connection). The other ports can be used to connect computers, IoT devices or any device that require ethernet connection. Please know that you may use more than one wired internet for failover or for load-balancing. Those are advanced topics that would be covered as separate blog posts.

Quickset

When you start the router, it’d automatically detect internet on ethernet port 1 and would start distributing internet via other ethernet ports and via wifi. The wifi doesn’t come with any default password! There are two points to note here…

1. Since, wifi doesn’t have a default password, you don’t need a ethernet enabled computer or laptop to configure. You may even use your mobile phone to connect to wifi and point 192.168.88.1 in your browser in order to get to “Quickset” page. The default user “admin” doesn’t have a password, either. So, you’d be logged-in automatically, once you type 192.168.88.1 in a web browser of your choice.

2. Since, wifi doesn’t have a default password, the first step to do is to secure your wifi network. Otherwise, a bad neighbor can consume all your internet bandwidth.

Since, the default user “admin” doesn’t have a password, either, you may optionally create a password for the user “admin” or create a completely different user with all privileges and then drop the default user “admin” (after logging in successfully as the other user).

I hope this quickpost helps to get started quickly with MikroTik routers. This is the first post in a series of MikroTik related articles. I will be covering more guides and tips in order to use RouterOS effectively. If you’d like me to cover any particular topic, please post it in the comments section below.

Have a great time!

Hello,

As you may have noticed, I sent this email from your email account (if you didn’t see, check the from email id). In other words, I have full access to your email account.

I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions. The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone, and you won’t even notice about it. I also have access to all your contacts.

Why your antivirus did not detect malware? It’s simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it.

I made a video showing both you (through your webcam) and the video you were watching (on the screen) while satisfying yourself. With one click, I can send this video to all your contacts (email, social network, and messengers you use).

You can prevent me from doing this. To stop me, transfer $958 to my bitcoin address. If you do not know how to do this, Google - “Buy Bitcoin”.

My bitcoin address (BTC Wallet) is : not shown here

After receiving the payment, I will delete the video, and you will never hear from me again. You have 48 hours to pay. Since I already have access to your system, I now know that you have read this email, so your countdown has begun.

Filing a complaint will not do any good because this email cannot be tracked. I have not made any mistakes.

If I find that you have shared this message with someone else, I will immediately send the video to all of your contacts.

Take care!

How scary is that?! Fortunately, I was using Google Apps for Email for my primary email (that is my name @ this domain name). So, Google marked this email as spam and I do check my spam once in a while.

Not everyone uses Google Apps for Email or Gmail, due to ever increasing concern about privacy. There was a time when we didn’t have much alternatives to Gmail (except for hotmail and yahoo). However, we are in 2019. We have multiple alternatives these days. Zoho Email, Protonmail, or if you’d like to have a complete control over the emails, then we have Mail in a Box.

What happened or how did it happen?

Delivery of emails is based on multiple factors. Primarily, an email server looks for SPF and DKIM records. SPF is the most common factor. This domains SPF looks like the following…

"v=spf1 a mx include:_spf.google.com include:sendgrid.net include:spf.mtasv.net include:zoho.com include:sender.zohoinvoice.com ip4:130.211.118.59 ip4:208.113.132.170 ~all"

It tells the email servers to trust any email originate from A record in DNS, MX record in DNS, SendGrid, Postmarkapp, Zoho and my server’s IP addresses. Let me go ever all these one by one.

A record in DNS:

If I send an mail from IP 151.101.65.195 for the domain tinywp.com and if tinywp.com has an A record that returns 151.101.65.195 (which is true), then the email can go through.

MX record in DNS:

My domain’s MX records point to Google’s servers. If I send an email from Gmail interface, one of the Google’s IPs are inserted automatically and email servers can validate the IP using the MX record.

Third-party Email servers:

I use Zoho, Postmarkapp and SendGrid to send email on by behalf. When they send my email on my behalf, they attach their own SPF record in the email headers. Since, I allowed them to send email on my behalf via SPF record, such emails can go through.

“all” qualifier:

“all” matches every other IP.

• ~ means Softfail. This means the email server can accept the email, but should mark the SPF as fail.
• ? means Neutral. This means if an unknown IP sends an email, it doesn’t have to accept it. Neither, it has to reject it.
• + means Pass. The email should be accepted from any IP address. The most dangerous option.
• - means Fail. The email should be marked as spam.

I have been using ~all for a long time and I’ve also been watching how many emails are being sent on my behalf using DMARC. Postmarkapp has a nice introduction to DMARC and they offer a free weekly digest for your domain’s DMARC.

Solution

You may have multiple domains with multiple email addresses. However, as with me, you may have only one primary email address with your primary domain. In that case, I strongly recommend to use -all as qualifier that basically marks every email from every unknown IP as spam.

Update on May 1, 2019: This domain’s SPF records are officially switched to have -all, after a month of testing. Thanks.

As a monitoring device

Let’s talk about monitoring features:

• It has live feed
• It has 360 degree view that can be adjusted manually.
• The software can alert you by sending push notifications to your phone/s.
• Allows two-way communication.

If you left your grandparents or a (sleeping) child at home, you can monitor them from anywhere in the world. You get notified whenever there is a moment in the watched area. The camera doesn’t rotate according to the movement of objects, though. Neither, it is compatible with Google Assistant or Alexa. However, there are other cameras from Xiaomi that are compatible with those. But, those cameras are not released in India. Overall, it is perfect as a monitoring tool.

As a security camera

Anyway, as a security camera, this camera doesn’t have some essential features. Time is the crucial factor for a security camera.

You’d want to be notified within a few seconds of any intrusion by email or via the app (push notification). Whenever there is an intrusion, this camera does the following actions…

• it takes a 10-second video clip (to upload to cloud storage where the consumer has no control).
• the camera continues to record a 1-minute video in the Micro SD card.
• the 10-second video clip is encrypted and uploaded to the cloud storage.
• the 1-minute video clip is ready to be stored in the Micro SD card, but not actually stored immediately. It is kept somewhere in memory and would be written to the Micro SD card only when the next 1-minute video is fully ready or when there is no more activity for the next 5 to several minutes.
• in the next 2 to several minutes, the software sends the push notification via its own app (Mi Home).
• the NAS storage can be set to “live” mode under “Time interval between uploads” (from Micro SD card to NAS storage). Since, it takes at least 2 minutes for the 1-minute video clip to arrive to Micro SD card, it takes the same amount of time (or more) for the 1-minute video clip to reach NAS storage as well.
• on average, it takes approximately 2 to 5 minutes for the 1-minute video to reach Micro SD card and NAS storage.

If the burglar breaks the camera at first sight, within 2 to 5 minutes, then you wouldn’t get any notification at all. Burglars are usually quick to get their job done. They don’t waste a second, when at work.

Apart from this huge delay, this camera can only be used indoor. You may still use it outdoor, if it is well protected from rain.

General Review and Recommendations

Price: If you still want to choose this camera due to its price point, remember that you’d need a quality Micro SD card of “Class 10” or above. If you don’t understand the “Class” in Micro SD card, I recommend to search for “high endurance” Micro SD card or Micro SD card for “video surveillance”. A good “Class 10” card can cost at least 1k. On top of that, you’d need 24x7 electricity and 24x7 internet connectivity with a good upload bandwidth (to upload the 10-second clip to the cloud storage). Even if you have a giga-bit internet at home, this camera can only be connected via wi-fi in 2.4 Ghz band. So, if your router is far from the camera, you get less bandwidth to upload. If you add NAS storage to the mix, you’d need even more upload bandwidth between the camera and the router. The cost of the overall setup also increases with NAS. It is better to use your home PC with a dedicated drive for NAS storage instead of buying a dedicated NAS server. Each comes with a cost. If you don’t mind the cost, you shouldn’t pick up this device already. Go for Amcrest if you need a proper security camera that has ethernet connectivity, immediate email alert, etc.

Software Support (Mi Home app): The software (Mi Home app) requires almost all the permissions from your phone. I was able to remove all except location, storage and phone, manually. What’s more. You’d get ads on the home screen of the app since version 5.4.43 (released on Dec 26, 2018). I wish Xiaomi released a dedicated app for all cameras, like other companies have done. Even if you are a fan of Xiaomi, you’d find annoying bugs. For example, the Micro SD storage doesn’t delete its content on its own when it becomes full. What’s more… you wouldn’t even get any notification about being full. The camera would simply stop recording any more videos. This a show-stopper for me as a security camera. Why would you want to keep an eye on storage space, when you have a lot of other priorities?! Anyway, this issue is likely a software bug and can possibly fixed with an update. The camera also hangs when there is a conflicting settings or when there is not enough bandwidth between the camera and the router. You can restart the camera (remotely), to bring it back online to see the live feed. If you choose the default settings, you are safe to go.

Sharing: If you’d like to share a video, you can share via Facebook. No other ways to share the videos, unless you have a NAS server. With NAS server, you are in full control of a video. It is possible to share the entire camera with someone else in the family, though. The other person needs to download Mi Home app, register in it and then you can share the entire camera using the registered email address. You’d be giving almost all the controls of the camera, including the ability to disconnect the camera from the Mi Home app.

Live Feed: You can see the live feed via mobile. But, can not see the feed via desktop or via laptop. So, if you use multiple cameras and if you have a security to monitor all the camera, it can be done only via mobile that is not as convenient as a desktop with a large screen.

Overall, I recommend it as a monitoring device. However, as a security device, I wouldn’t recommend it. If you are looking for a security camera, go with Amcrest or something else.

Be safe!

Cleaning up the computer

I always use original software. Never used pirated software or OS. I’ve bought Windows XP, Windows 8.1 (that had a free upgrade to Windows 10) and Office 97. Currently, I use a mac, though. Everything is updated to the latest version including OS and browsers.

My first assumption was that my mac may have been affected by a virus. I don’t visit unwanted sites (intentionally). I don’t watch porn sites, either. Anyhow, I tried to use EtreCheck (free version is limited in functionality) to find the culprit. But, it didn’t find anything concrete. So, I went on and tried to use another popular free scanner from Apple Store, named Bitdefender. After a few hours, it didn’t find anything, either.

Spending money to fight a virus!

I had an old Belkin router bought approximately 8 years ago. I thought it could’ve been affected as it hasn’t had an update since its launch. So, I bought a new router-cum-modem from Netgear that seems to offer frequent firewall updates than some popular Chinese brands. The router reached home in a couple of days (thanks to Amazon Prime membership). I switched the routers. The malware hasn’t gone yet!!!

Getting mad at DNS

I searched the internet for possible solutions. Most of them recommended switching the DNS. I run my own DNS server using pi-hole.net. It blocks most advertisers including Google ads. I tried switching to it. I didn’t help. I tried Quad9, Cloudflare and of course the most popular Google public DNS. None of them helped.

Going Public

I felt ashamed that I deal with multiple critical servers around the world, yet, I could not find any particular pattern on this malware. But, finally, I decided to forgo my ego and started asking for help. Initially, I asked my friend who confirmed that I am not alone, but his issue was resolved after resetting the modem!!! Then, I created a thread in broadbandforum.co where I put forth aforementioned thoughts. Help started to pour in and I was able to get an idea about where the issue is.

Understanding the problem

The problem is somewhere in the BSNL broadband hub. It affects all users, at random, at different time of the day. It doesn’t get activated on all unsecured pages. The malware is still inserted into every unsecured page via javascript, though. There are plenty of people who went further on this and put forth their disappointment in the social media. Some even cancelled their connection just because of this malware.

Pi-hole.net to the rescue

There is a saying in the security world… if we know the username, half of the work is done towards getting the password (of an application, etc). So, understanding the issue helps us to circumvent the issue. Since, the malware is getting injected through a BSNL hub where we don’t have any control, we have a find a way to fight it out using the tools we have.

For me, it was pi-hole.net that helped me to blacklist those malicious domains into a block-hole! So, when my wife visits an unsecured site, and if she clicks, the pop-up does happen. But, it never completes. It’d simply say “domain is not hosted here” message. The message could be easily customised to something else, though!

PSA (Public Service Announcement)

Since, I always like to give back to the community (that helped me to understand the issue), my pi-hole.net DNS is open to anyone on the BSNL broadband network. Unfortunately, it isn’t available for other users, yet. It takes a lot of effort, time and money to maintain a DNS server of our own. So, sorry to others.

So, here we go. My DNS server IP is… 45.76.184.155.

Put it as your DNS resolver and let me know, if it really helped you to have a safe browsing. Apart from blocking those malicious domains, it can also block a number of advertisers (including Google ads). So, you can stop using your favourite ad-blocker, if you use pi-hole.net DNS.

Only last month, I wrote a detailed post on how my pi-hole.net works. If you’d like to know the technical details behind it, I highly recommend to give it a read.

If you have any questions, please do not hesitate to write in the comments below!

I am going to write a bit about how I run pi-hole on my VPS that hosts other sites too. While, it takes only a single-line of code to isntall it (curl -sSL https://install.pi-hole.net | bash), I have set it up in a particular way, such as running it behind Nginx (along with other sites), administrating it using a non-existing domain name(!), SSL for that domain(!!) and a few more. Let’s dive into my setup.

Nginx

Pi-hole is meant to be run on its own tiny server, probably in a raspberry pi server. But, it doesn’t prevent you to run along with other sites in a VPS. I put it alongside other sites in my Vultr VPS.

Pi-hole is a complete package. It installs a DNS server, HTTP web server (lighttpd), firewall, setup upstream DNS server, etc. Except for the HTTP server (that is lighttpd), other services wouldn’t create conflict. The web server is used to administer pi-hole via server IP. The HTTP web server (tries to) take over port 80. Since, my VPS already has a web server (Nginx) running on port 80, lighttpd server would never take over port 80. So, we can’t use a URL to manage pi-hole?! No, we can. The solution is to keep lighttpd running on an alternate port (such as 88) and let Nginx proxy all requests to pi-hole to that port.

Here’s the complete config for clarity…

server {
    listen 80;
    listen [::]:80;
    server_name pi.hole;
    return https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name pi.hole;

    ssl_certificate 'ssl/pi.hole.crt';
    ssl_certificate_key 'ssl/pi.hole.key';

    location / {
        proxy_pass http://localhost:8888;
        include proxy.conf;
    }

    # let's go directly to the login page
    location = / {
        return $scheme://$host/admin/index.php?login;
    }
}

The proxy.conf file contains the following lines…

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

So, we solved one issue now. We installed pi-hole in a VPS that hosts other sites using a different web server (Nginx). This could be easily migrated to Apache or another web server.

Non-existing Domain!

When using the defaults, pi-hole installs lighttpd and the admin dashboard for pi-hole can be accessed using the IP of the server, such as http://192.168.0.1/admin/ (this is a local IP, though). Since, internet is full of bad bots, anyone can get to this link easily. In order to access it via a domain, we only need to point the domain such as pi.example.com to the IP of the server. The rest of the things are taken care by the web server. We still do not want anyone to have the data of the site, if they came across the URL pi.example.com somehow. Pi-hole displays some data for non-logged-in users too. Just minimal data… total queries, queries blocked, etc. When logged-in, we can see much more useful information and we would get the ability to fine-tune the whole pi-hole setup.

As you may have noticed from the Nginx config line has pi.hole as the server_name. Pi-hole, when being installed, points pi.hole to the server itself. But, if we need to access pi-hole (or https://pi.hole site) even if we do not use pi-hole for DNS, we could edit our own machine’s hosts file to have this domain pointed to the server where pi-hole is installed. Accessing pi-hole using this non-existing domain could be considered as an improvement to the security too. Remember that we can use any non-existing domain in this way. Not just https://pi.hole.

SSL!!!

SSL part is actually very easy (for me). I already run on my own SSL CA for developing sites under the extension .dev (for example, example.dev). I also have a script that generates SSL for these local domains (or for any domain to be precise). How to run your own SSL CA and how to automate the generation of SSL is for another post, though. The point is that you can secure the connection between your browser and pi-hole admin backend, if you run your own SSL CA.

Other Tweaks:

There are other small tweaks are done in my pi-hole configuration. As you may have noticed from the Nginx configuration above, whenever I visit https://pi.hole, it redirects to https://pi.hole/admin/index.php?login which is the login page for pi-hole admin dashboard. So, I save a click using a simple redirect in Nginx.

Do you have any tips and tricks for your pi-hole setup? Please share it in the comments!

macports

Make sure you have macports already installed. If you don’t have it yet, see the quick start guide on macports. Basically, you’d need xcode commandline tools (xcode-select --install) and then select the appropriate macports package to install depending on your macOS version. Once installed, verify it using the command… port version.

ruby

The current version of Ruby (as of this writing) is 2.4.x. It can be installed using the command… sudo port install ruby24. This will install ruby2.4 and gem2.4 binaries at /opt/local/bin. Let’s create symlinks to override the default ruby and gem (comes bundled with macOS).

sudo ln -s /opt/local/bin/ruby2.4 /opt/local/bin/ruby
sudo ln -s /opt/local/bin/gem2.4 /opt/local/bin/gem

bundler

Bundler is an easy way to pack gems for a Ruby project. You may install bundler using the command gem install bundler. You are likely to receive the error related to the permissions. Because, by default, gem tries to install globally. You may force gem to install its gems only to the local user by setting up the environment variable GEM_HOME to a local directory such as ~/.gem or ~/gem. I prefer the former.

jekyll

Finally, it’s time to install Jekyll.

gem install jekyll
cd ~/tmp
jekyll new my-awesome-site
jekyll serve

video

(coming soon) If you are a fan of learning through videos, here’s the video that covers most steps.

How Does Amazon Web Services Work

You usually log into Amazon using your own credentials… email address (or phone number) and a password. Possibly with a two-factor authentication. This would work, if we need to put files manually in an S3 bucket. However, we’d want to automate the process of taking backups of our site and then put it in Amazon S3. To do this, AWS (Amazon Web Services) has a nice utility called AWS IAM (Identity and Access Management). Here, you can create users (or groups of users) who can programmatically access S3 buckets. In general, most people would create a user named ‘backup’ and allow this user act as AmazonS3FullAccess that provides full access to all buckets associated with your account. It simply means… anyone who has got access to the access keys for this ‘backup’ user would be able to wipe out all the data. Not an ideal situation that you’d want to deal with! Consider taking backups of your clients’ data!

What’s the solution?

Use the principle of least privilege when granting access.

AWS IAM is so flexible that it allows the user to be attached to a particular policy. For example, what if someone can only put some data into our buckets, but can never actually read it!!! Yes, it is possible to allow write access to a particular S3 bucket and disallow any read access to the same bucket.

What if I want to delete older backups automatically?

Use a lifecycle policy.

I don’t use Amazon S3. I use xyz. How do I do this?

Check the manual. For example, Google Cloud Storage supports a role named roles/storage.objectCreator that can create new objects, but is forbidden to view, delete or overwrite objects!

Got any questions. Feel free to ask in the comment section below!

Anyway, let’s talk about the alternatives or solutions to continue to use BSNL broadband irrespective of its ban over port 22.

Github Users

It’s easy to solve it by running SSH over HTTPS that is allowed by Github.

Web developers

Web developers usually do not have access to the server. One solution is to ask your server administrator to open an additional port. There are plenty of unused ports available. My favorites are 420 and 24. :)

System Administrators

There are plenty of workarounds available for system admins. As mentioned above, opening additional port is easiest to achieve, considering it helps the web developers your client may have.

Paid Solutions

Static IP

Thanks to Lawrence who provided this information via comments.

BSNL unblocks port 22 if the BB user opt for static IP that costs Rs.2000 (or Rs.1800 on certain high-end plans). Static IP is available only on plans that are above 1k. As of this writing, the least feasible plan to get static IP is BBG Combo ULD 1199.

Paid VPN

If you don’t mind spending additional money, buy a VPN service. It is the easiest way to get around the present situation with BSNL. Btw, are you aware that Apple pulled down VPN apps from its China Apps Store. And then, Russia banned VPN. So, if port 22 can be banned by an ISP now, anything can happen in India in the future!

I haven’t covered all use-cases. For example, most (managed) hosts do not open additional port for SSH / SFTP. There are workaround available for such users too. However, it isn’t easy, especially who have never used SSH. In general, if you know how to use SSH, then buy a small server (VPS servers are available as low as USD2.5 per month) and then use that server as an intermediate server to connect to all others sites / servers. If nothing works, use a free VPN. Good luck!

While installing the default PhpMyAdmin package with Debian (or with any of its derivatives including Ubuntu), you’ll be asked to choose the web server (between Apache and Lighttd). If you are going to use only Nginx, then you may just skip that step. The actual process of setting up a perfect PhpMyAdmin install on Nginx is bit tricky, but achieveable. You are already on your way (didn’t you skip the prompt to choose the web server?).

Now, it is time to setup the actual vhost entry for PhpMyAdmin. The example vhost entries for Apache and Lighttd are provided at /etc/phpmyadmin . If you look at those example configuration, the basic idea is simple…

• the root of the PhpMyAdmin is at /usr/share/phpmyadmin
• we need to restrict access to setup sub-directory

With this in mind, let’s start creating our vhost entry…

server {
    server_name phpmyadmin.example.com;
    root /usr/share/phpmyadmin;

    # config to process PHP

    location /setup { return 403; }
    locaton / {
        try_files $uri $uri/ index.php$is_args$args;
    }
}

It can’t get simpler than this. Can it?

Now, if you visit phpmyadmin.example.com, you’ll able to login. But, will be presented with two errors. Let’s fix one by one.

The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. To find out why click here.

This happens because the php process doesn’t have read access to /etc/phpmyadmin/config-db.php. Here comes ACL to the rescue…

root# ls -ld /etc/phpmyadmin/config-db.php
-rw-r----- 1 root www-data 549 Mar 18 11:47 config-db.php

root# setfacl -m 'phpuser:r--' /etc/phpmyadmin/config-db.php
root# ls -ld /etc/phpmyadmin/config-db.php
-rw-r-----+ 1 root www-data 549 Mar 18 11:47 /etc/phpmyadmin/config-db.php
root# getfacl /etc/phpmyadmin/config-db.php
getfacl: Removing leading '/' from absolute path names
# file: etc/phpmyadmin/config-db.php
# owner: root
# group: www-data
user::rw-
user:phpuser:r--
group::r--
mask::r--
other::---

In the above example, phpuser is the username underwhich PHP runs. If you care about the security, it shouldn’t run as www-data!

Now, we still have one more issue to solve…

The configuration file now needs a secret passphrase (blowfish_secret).

This happens because the php process doesn’t have read access to /var/lib/phpmyadmin/blowfish_secret.inc.php. Let’s use ACL again to fix it…

root# ls -ld /var/lib/phpmyadmin/blowfish_secret.inc.php
-rw-r----- 1 root www-data 60 Mar 18 11:47 /var/lib/phpmyadmin/blowfish_secret.inc.php

root# setfacl -m 'phpuser:r--' /var/lib/phpmyadmin/blowfish_secret.inc.php
root# ls -ld /var/lib/phpmyadmin/blowfish_secret.inc.php
root# getfacl /var/lib/phpmyadmin/blowfish_secret.inc.php
getfacl: Removing leading '/' from absolute path names
# file: var/lib/phpmyadmin/blowfish_secret.inc.php
# owner: root
# group: www-data
user::rw-
user:phpuser:r--
group::r--
mask::r--
other::---

Now, reload PhpMyAdmin to see the changes. You wouldn’t see any more errors upon logging into PhpMyAdmin. Happy coding!

Inspired by / forked from Dilip Siva’s perf checklist and AMP project!.

Web Performance Checklist

• Prefer Brotli over gzip / deflate.
• Check caching-headers for all static content (css, js, images, fonts, icons, etc).
• Avoid free DNS from your DNS registrar (there are exceptions, of course).
• Try hosting your whole site in a CDN.
• Reduce the number of DOM elements.

JavaScript

• Use a single resource for loading external JavaScript.

CSS

• Inline critical CSS.
• Use a single resource for (non-critical) CSS loading.
• Only use GPU-accelerated properties.

Images checklist

• Prefer WebP for images over PNG / Jpeg.
• Use a CDN for image-heavy sites.
• Serve small images for mobile users.

Fonts checklist

• Do not use more than 2 external fonts (unless really really necessary on special circumstances).
• Load fonts asynchronously.
• Have plan B if the internet speed is too low!

Jekyll is one of the oldest static site generators and is the most famous SSG (short for Static Site Generator) of all. It considers itself as “blog-aware”. Every other SSG software now includes a way to bring blog functionality in its core, though. It is based on Ruby. MacOS Sierra already has it at version 2.0.0p648. So, installing Jekyll should be straight-forward. But, it isn’t. The tutorials around the internet may usually contain how to install it using brew. There’s nothing wrong with it. But, when there is a way to install it without brew or any other third-party tool, we will have a clean system. So, let’s dive in.

Local install

There are two ways to install most common packages that are requirements for Jekyll. Installing them locally or installing them globally for all users. Since, I use MacOS alone (how many of you share your laptop with others?), I don’t want to install anything globally. Also, installing locally, I can distinguish between the gems installed by MacOS and gems installed by me.

Let’s have a ~/gem directory to hold everything related to RubyGems. Also, let’s have all the executables in ~/gem/bin and update the $PATH environment value. So, if you prefer another path such as ~/.gem, feel free to change it accordingly…

For the default bash shell:

$ mkdir -p ~/gem/bin
$ echo 'export GEM_HOME=~/gem' >> ~/.bash_profile
$ source ~/.bash_profile
$ echo 'gem: --user-install -n~/gem/bin --no-document' >> ~/.gemrc

For fish shell:

$ mkdir -p ~/gem/bin
$ echo 'set GEM_HOME ~/gem' >> ~/.config/fish/config.fish
$ source ~/.config/fish/config.fish
$ echo 'gem: --user-install -n~/gem/bin --no-document' >> ~/.gemrc

A little explanation:

_{/.bash_profile}(/.config/fish/config.fish in case of Fish shell) is the file that is used by the default bash shell in macOS to store and load the configuration settings for the terminal/s.

~/.gemrc is the file parsed by gem for custom configurations. This is where we can instruct gem to use ~/gem/bin to keep the executables.

Now let’s try to install bundle that is a dependancy for Jekyll.

$ gem install bundle

If things go smoothly without an error, we can proceed to install Jekyll…

$ gem install jekyll

Usually, this will go through too. If it didn’t, please let me know the actual error in the comments, I will try to help you. Now, time to install a new site locally…

$ jekyll new my-awesome-site
Running bundle install in /Users/yourname/gem/my-awesome-site...


Your user account isn't allowed to install to the system RubyGems.
  You can cancel this installation and run:

      bundle install --path vendor/bundle

  to install the gems into ./vendor/bundle/, or you can enter your password
  and install the bundled gems to RubyGems using sudo.

  Password:

Possibly, the first road-block in our installation. But, easy to fix as mentioned in the output. Let’s cancel the installation by pressing ctrl+c in the keyboard. This will throw a bunch of errors. Safe to ignore them.

$ cd my-awesome-site
$ bundle install --path vendor/bundle

The last command may take sometime to execute depending on the CPU and network speed. Hold on. It’s worth the wait!

Let’s try to serve the just-installed site…

$ bundle exec jekyll serve
Configuration file: /Users/yourname/gem/my-awesome-site/_config.yml
Configuration file: /Users/yourname/gem/my-awesome-site/_config.yml
            Source: /Users/yourname/gem/my-awesome-site
       Destination: /Users/yourname/gem/my-awesome-site/_site
 Incremental build: disabled. Enable with --incremental
      Generating...
             ERROR: YOUR SITE COULD NOT BE BUILT:
                    ------------------------------------
                    Invalid date '<%= Time.now.strftime('%Y-%m-%d %H:%M:%S %z') %>': Document 'vendor/bundle/ruby/2.0.0/gems/jekyll-3.4.0/lib/site_template/_posts/0000-00-00-welcome-to-jekyll.markdown.erb' does not have a valid date in the YAML front matter.

A quick search revealed two reasons and how to fix both…

$ echo 'exclude:
- vendor/bundle' >> _config.yml
$ bundle exec jekyll serve
Configuration file: /Users/yourname/gem/my-awesome-site/_config.yml
Configuration file: /Users/yourname/gem/my-awesome-site/_config.yml
            Source: /Users/yourname/gem/my-awesome-site
       Destination: /Users/yourname/gem/my-awesome-site/_site
 Incremental build: disabled. Enable with --incremental
      Generating...
                    done in 0.611 seconds.
 Auto-regeneration: enabled for '/Users/yourname/gem/my-awesome-site'
Configuration file: /Users/yourname/gem/my-awesome-site/_config.yml
    Server address: http://127.0.0.1:4000/
  Server running... press ctrl-c to stop.

Visit http://127.0.0.1:4000/ and viola! You’ll see the new Jekyll site in the browser.

Update (2017-10-07): Included a way to configure the default bash shell for the local installation!

Native of: Srivilliputhur, Tamil Nadu, India.

Lives in: Chatrapatti, Tamil Nadu, India

Hobby: Chess

Work: Wrangling servers and solving real-world problems!

You may know more about me at tinywp.in.

Contact Email: pothi@protonmail.com (no advertisement inquiries please).