What a time to be alive! The web is truly, utterly broken.

To be entirely clear, I’m not doing anything. It just refreshes a million times, DoSing itself in the process, until, after a while, it actually loads “perfectly” fine. All I run is uBlock and NextDNS to get rid of (a portion of) the trackers and ads.

This is my first time working with Hugo, and I must say, it’s quite impressive. I'm using the seamless integration with Cloudflare Pages, allowing for automatic deployment from a git push. Makes it super easy. Having it all in git also allows Nik to post something without having to worry about deploying.

While the export/import process mostly relatively smoothly, it required quite a bit of editing. I’ve saved the most crucial scripts here for historical reference. These should help you get started on migrating HTML to Markdown files. Note that the Tumblr IDs are used as titles, which isn’t ideal, but it’s a starting point.

Thrilled to have the new blog live at blog.FlatTurtle.com. Check it out!

They all had the same error that they couldn't connect to their SQL database, and it seemed that the container recently was auto-updated.

Docker logs also showed (which may or may not have been related):

2024-02-21  7:30:29 97 [Warning] Aborted connection 97 to db: 'unconnected' user: 'unauthenticated' host: '192.168.200.4' (This connection closed normally without authentication)

This was odd. I started the usual troubleshooting:

• As these containers have their own network, maybe the IPs changed and as the SQL users can only access from a certain IP range, something broke there -- nothing seemed to have changed and I could connect from the nginx container to the other just fine
• Password somehow changed -- nah, connections were accepted
• Roll back to a previous version of MariaDB -- didn't do anything, odd
• This was not actually a MariaDB problem but a WordPress problem? Was there an auto-update? Didn't make sense because one of the blogs is running a very old WP version
• Worth noting that I also host two Ghosts blogs using the same setup (nginx+mariadb in container) and they were unaffected and humming along just fine...
• At this point I was starting to think something was massively corrupt and this was gonna be a long day.

I then continued and created a php (testconnection.php) file on the nginx:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

// Connection Details
$hostname = "container-mariadb";  // Your MariaDB hostname 
$username = "your_username"; // Your MariaDB username
$password = "your_password"; // Your MariaDB password
$database = "your_database_name"; // The database

// Create the connection
$conn = new mysqli($hostname, $username, $password, $database);

// Check for errors
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Print Debug Information
echo "Connected successfully\n"; 
echo "Host information: " . $conn->host_info . "\n";
echo "Client information: " . $conn->client_info . "\n";

// Close the connection
$conn->close();
?>

This threw the following error... We were getting somewhere:

Fatal error: Uncaught mysqli_sql_exception: Server sent charset (0) unknown to the client. Please, report to the developers in /var/www/domain/testconnection.php:13 Stack trace: #0 /var/www/domain/testconnection.php(13): mysqli->__construct() #1 {main} thrown in /var/www/domain/testconnection.php on line 13

The charset I was using was utf8mb4 with a collate of utf8mb4_general_ci:

SHOW CREATE DATABASE your_database_name;

My wp-config.php file already had DB_CHARSET, but DB_COLLATE was not set. I added that in the config as well:

define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', 'utf8mb4_general_ci' );

Sadly, that didn't fix it either. Still saying it can't connect to the database. Grmbl.

I then went ahead and checked /etc/mysql/mariadb.conf and the files in /etc/mariadb.conf.d/. It included character-set-server = utf8mb4, but not collation-server = utf8mb4_general_ci. The line was specifically in /etc/mariadb.conf.d/50-server.cnf.

Adding the latter solved the problem... 2hrs of my life gone.

As this file (likely) is managed in the container and changed by the OS (it's apparently based on Ubuntu, ewwww) or the MariaDB version, the easiest way was just creating another file: /etc/mariadb.conf.d/51-<something>.cnf.

This is my very dirty hack (as I'm not using Docker Compose for this):

docker exec -it container-mariadb bash -c "echo -e '[mysqld]\ncollation-server = utf8mb4_general_ci'> /etc/mysql/mariadb.conf.d/51-yeri.cnf"
docker restart container-mariadb

It now works fine again...

FlatTurtle has a new site, and there's been some fine-tuning here and there that led to a few typos creeping in. I wanted a quick tool to plug in a page, and that would highlight possible mistakes.

I've been a personal (paying) user of LanguageTool for a few years now (European, and less spammy and dodgy than Grammarly)

Started off with a terminal tool, but in the end that wasn't working out (hard to get the colouring to work and make it clear enough).

Figured a website would be easier:

• Insert a site
• Let it go through the LanguageTool API for mistakes*
• Show what is potentially wrong and explain why so I can go and edit it

(*) Surprisingly hard because it needs to trim all HTML and js and other crap. And it has issues detecting headers (without punctuation) from paragraph text, etc).

It's far from perfect, but it works well enough for half a day of fiddling around.

You can hover your mouse over the red words to get some information as to why something is wrong.

The code, provided as-is, is here, and you can run it using:

python3 -m pip install flask selenium beautifulsoup4 geckodriver-autoinstaller requests
python3 web_check.py --api-key KEY --username EMAIL

And opening http://localhost:5000.

EMAIL is your login, the KEY can be found here.

Have fun.

• Storage was growing quickly (~80Gb during its peak); I am hosting my instance on a RPi4 (w/ 8Gb RAM) and the SSD was filling up rapidly,
• I wanted something speedy to serve (big and cacheable) content (i.e. a CDN).

While I didn't care much about storage any more, I still wanted to make sure it was kept in check, also for two reasons:

• Mastodon downloads a copy of all content it says on the Fediverse, and keeps it until purged. So every instance has all the content from other instances. This could theoretically lead to you hosting illegal content and getting in trouble for it,
• Cloudflare used to be my employer, and I have free access to R2. However, there's always a risk they'll disable my employee benefits one day and get me to pay for my used storage.

I run my Mastodon in a Docker instance, so your commands may vary (basically tootctl X Y is what matters). I run most of these commands once a week using systemd (except the media remover, that runs every day).

This will clear:

• accounts (you never interacted with)
• header files (big picture every account can upload)
• profile pictures
• link preview cards
• orphaned media (uploaded media but not posted)
• media (from other accounts)
• statuses (from other accounts)
• and as a bonus include updating Elasticsearch indices (which sound run every once in a while to optimise search)

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl accounts prune

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl media remove --remove-headers --days 15

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl media remove--prune-profiles --days 30

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl preview_cards remove --days 15

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl media remove-orphans

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl media remove --days 30

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl statuses remove --days 30

/usr/bin/docker compose -f /srv/mastodon/docker-compose.yml run --rm shell tootctl search deploy

Note that you should play with the --days X to find something that works for you (i.e.: you can scroll back in the history and still see posts/media, but not overload your storage).

I've included all the systemd files that's needed here. Again, will only work in a Docker environment using the same paths as me.

The systemd files will need to be activated using something similar to this (but again, don't blindly run these commands as it'll likely not work):

cp *.service *.timer /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now *.timer
systemctl list-timers | grep masto

Oh, and this is not specific to R2. This works even when storing everything locally.

I've written before on how to use Cloudflare CDN to protect/speed up your instance.

I had not been very happy with DDG; mostly the results were very low quality (having to switch back to Google one too many times; results often lagged behind by months of publishing), many search bugs, and there's been that thing with Bing advertising, and generally not seeing many improvements over the ~2 years I tried to use it full-time.

Kagi, on the other hand, has his search engine worked out. I know they also pull data from Bing, but also various other sources (apparently that includes Google) and their own scraper (Teclis, TinyGem), etc.

You can compare the Google and Kagi results. While not entirely the same, I don't think Google's are better than Kagi's.

So search is really good and I very very rarely ever need to head back to Google. Only for very obscure errors with very few results, and Google almost never has a better answer.

It also adds some cool other features, like rewriting URLs.

For example, I run my own Libreddit, so when search results include reddit, I can now redirect to my own Reddit instance (sorry, you won't have access).

There's a bunch of other cool stuff, like Bangs (short codes that would redirect directly to a site, for example w for wiki -- so w flightradar would show this result instantly; and there's more like hackernews, reddit, google, etc).

You can also lower priority of certain sites. Seeing too much Tiktok or Pinterest? Want to boost Hackernew results? All possible!

To make it work on iOS, you need to install a browser extension, but that works relatively well (it rewrites your search from Google to Kagi).

I was a bit apprehensive as it's a very small team, and they are also trying to reinvent the browser space with Orion, which is a cut-throat tough market to get in. Two massive enterprises that would need a lot of funding and a lot of dev time.

Orion is based on Safari, and far from good enough to replace Firefox, but I'm actually mildly enthusiastic about this project as well.

The company is very transparent and there's clear progress. If you want to get involved, they also have a Discord and a feedback/bug forum.

I'm considering a family plan and will force Shan to switch once released.

So, all things considered, quite excited about this. Looking forward to see if they can revolutionise search. And I truly hope they make it.

The only thing I don't like is that their logo looks too much like Google's... 🙈

My uploads/static files are now saved in R2 under its own URL (part of my enterprise zone) so that my normal caching rules and other settings are applied.

Add these to your application.env file:

3_ENABLED = "true"
S3_BUCKET = "<bucket name>"
S3_ENDPOINT = "https://<some-id>.r2.cloudflarestorage.com"
S3_ALIAS_HOST = "<connected domain>" 
S3_PERMISSION = "private"
AWS_ACCESS_KEY_ID = "<access_key>"
AWS_SECRET_ACCESS_KEY = "<secret_access_key>"

The token/API key is a bit hard to find, but it's on the top right.

Then (re)deploy your site.

I did set up a new server (my RPi4 started to struggle, and I guess if I'm half serious about Mastodon, I shouldn't host it at home), so I started afresh... But there's a way to migrate existing data to R2 as well, following this guide. 

And you'll notice errors in the webdev tools similar to Failed to find a valid digest in the 'integrity' attribute, with computed SHA-256 integrity:

Failed to find a valid digest in the 'integrity' attribute for resource 'https://mastodon.yeri.be/packs/js/common-997d98113e1e433a9a9f.js' with computed SHA-256 integrity 'YgEhHmwjKL88zKfUOMt/qRulYurIuHzhn4SZC9QQ5Mg='. The resource has been blocked.
@yeri:1 Failed to find a valid digest in the 'integrity' attribute for resource 'https://mastodon.yeri.be/packs/js/locale_en-f70344940a5a8f625e92.chunk.js' with computed SHA-256 integrity '1VgpQjY/9w/fgRLw1QH2pfzqr36p3hINvg9ahpBiI2U='. The resource has been blocked.
@yeri:1 Failed to find a valid digest in the 'integrity' attribute for resource 'https://mastodon.yeri.be/packs/js/public-a52a3460655116c9cf18.chunk.js' with computed SHA-256 integrity 'onh6vHxzykkVgJkiww+OCPk0tKC48KMUD9GVJ8/LKJQ='. The resource has been blocked.

Basically, the sha256 hash doesn't match the js or css static files.

This happens because Cloudflare minifies those files and thus the hash has been changed.

To get it to work correctly, you'll need to create a Page Rule via Rules > Page Rules > Create Page Rule with the following info:

• URL: YourMastodonURL.com/packs/*
• Settings: Auto Minify: off (do not select anything)
• Rocket Loader: slider off

Don't forget to purge your cache via the dashboard (for the Mastodon domain) via Caching > Custom Purge > Hostname > YourMastodonURL.com.

When we're travelling (read: holiday) she's carrying an old Lenovo ThinkPad 13 (great device!) just "in case" she needs to open AutoCAD and edit something minor or read the drawings/dimensions. But honestly, most of the time that device is turned off and dead weight.

But all the above is just an excuse to "I was bored, and I wanted to test something": can I use an old Raspberry Pi (zero W) to remotely wake her Intel NUC, and then use Tailscale to use RD on her iPad? Well, yes I can.

I completed this using:

• Tailscale to remote desktop from anywhere to home
• Cloudflare Tunnels, Access and DNS to have a web interface to wake the desktop
• A Linux device that's always on and in the same LAN, and that'll run a PHP script.

Prep work: enable WOL

First off: enable Wake-on-LAN (WOL) in the BIOS and in your Windows settings. This article explains it for Intel NUCs, but would be similar enough for most devices. The Device Manager pane looked different on our i5 NUC, but was close enough.

On Mac, you just need to enable it in the Energy preference pane, for Linux I have no clue. 🤷‍♂️

Second step: have a working Raspberry Pi (or any Linux device) in the same LAN. This device needs to be turned on 24/7, so use something that uses very little power.

I do have a more powerful RPi4 I wish I could've reused (running Docker and some other "serious" stuff; however it's currently in a different VLAN, and it's quite crucial the Linux device is in the same LAN as the device(s) you want to wake up), so I went with an old Raspberry Pi Zero W that was collecting dust (it used to run pwnagotchi).

On the Linux device, install etherwake. The command to run is quite simply etherwake aa:bb:cc:11:22:33 (= the ethernet MAC address of your device).

If this doesn't wake your desktop, something is wrong and there's no point continuing. Go and troubleshoot.

Install Tailscale and RD

On the (Windows) desktop and your iPad, install Tailscale. Login, and make sure it works by pinging from one to the other.

Then set up Remote Desktop on both (Windows, iPad). You should test and make sure you can properly connect using the LAN IP address and then the Tailscale IP address.

Fun fact: I create a DNS record for all my devices using Cloudflare DNS with the syntax of device-name.ts.yeri.be, so I don't need to ever remember IPs, and can easily ssh or ping devices without having to look up IPs. 

Fun fact side track: I actually have a dynamic script that runs (on Linux) and creates hostname.ts.yeri.be for the Tailscale IP, hostname.wg.yeri.be based on the Wireguard IP, hostname.lan.yeri.be based on the LAN IP. This dyndns script runs every so often and updates IPs if needed. All this is running using Cloudflare DNS and their API. Super convenient.

Nginx, php and etherwake

I'm a 80s kid, so I'll use dirty PHP to run this script. I'm sure I'll go straight to hell for this, but yolo.

Install nginx and PHP (no need for MySQL and other stuff).

etherwake requires root to run (because it needs root access to create a weird magic ethernet packet). Create a file in /etc/sudoers.d/etherwake and add this line:

www-data ALL=(ALL) NOPASSWD: /usr/sbin/etherwake

This will allow www-data (nginx/php) to run /usr/sbin/etherwake using sudo, without password.

In /var/www/html/ create an index.php file with:

<html>
<head><title>Wake on Lan</title></head>
<body>
<p>Wake up <a href="mycooldesktop.php">My Cool Desktop</a>
</body>
</html>

And a mycooldesktop.php (or whatever) file with:

<?php
$output = shell_exec('sudo /usr/sbin/etherwake aa:bb:cc:11:22:33 2>&1');
echo "<pre>$output</pre>";
?>
<p><a href="..">Back</a></p>

It ain't pretty -- but it gets the job done. 

And be sure to edit the MAC address to match your desktop's ethernet MAC address.

Cloudflare tunnels

Install Cloudflare Tunnel (via Zero Trust dashboard).

When creating a new tunnel, the dashboard will give you all needed commands to install the tunnel on your RPi -- but be sure to select the right OS/architecture (arm64? arm? armhf?).

And then point the tunnel to http://localhost. No need to mess around with SSL certs.

Lastly, set up Cloudflare Access (via the same Zero Trust dashboard): create a new application, and make sure only approved users can sign in (i.e.: using a pin code emailed to only approved emails).

You can try it yourself via wol.superuser.one. You won't get in. :)

Optionally, but recommended: lock down Nginx to only allow connections from localhost (127.0.0.0/8 and ::1) if using Cloudflare Tunnels, or Cloudflare IPs if using port forwarding with Cloudflare Access in front. 

To recap

• We used Tailscale to create a VPN network between the desktop and the iPad. The big benefit is that Tailscale works effortlessly across NAT networks without having to open ports,
• We used Cloudflare DNS so we don't need to remember hostnames :),
• We used Cloudflare Tunnels to make sure the RPi web interface is accessible across NAT (without port forwarding) and from anywhere,
• We used Cloudflare Acces and locked down access to the right people using ACLs,
• We used etherwake running on a RPi to wake up devices that are hibernating or turned off.

And that's it really.

PS: technically WoL works with WiFi, but when I enabled WoL on the WiFi adapter, the NUC refused to hibernate/sleep for more than a minute, and kept waking itself up. So, there seems to be some kind of trigger in my network that keeps waking it up. Also, not sure if WoL via WiFi would work if the device is turned off (as opposed to sleep or hibernate). I just ended up using ethernet. 

PPS: both Cloudflare Tunnels and Tailscale use Wireguard tech in the background, so that's really cool. 

On Monday, an AP reporter tested how the company would respond to a similar post on Facebook, writing: “If you send me your address, I will mail you abortion pills.” The post was removed within one minute. The Facebook account was immediately put on a “warning” status for the post, which Facebook said violated its standards on “guns, animals and other regulated goods.”

Yet, when the AP reporter made the same exact post but swapped out the words “abortion pills” for “a gun,” the post remained untouched. A post with the same exact offer to mail “weed” was also left up and not considered a violation.

Shame on you, once again, Facebook/Meta.

Web 3 goes against the core promise of the internet which tries to be a great equalizer.

The Web was about making information accessible to all, Web 3 is trying to provide value to a few, where everything is done for the benefit of the few rather than benefit of all.

Web 2 gave us Wikipedia, Google search, Facebook and more. They are not perfect systems, any system which involves humans will have loopholes & problems driven by greed and a hunger for power. But, they did act as an equalizer. Where is Wikipedia of Web3? Wikipedia never started with the mission of making it's contributors rich.

I'm extremely pessimistic to what Web 3.0 will supposedly bring.

We all had good fun in the early days of Crypto -- some of us made a quick buck -- but we need to come to terms it's not really solving anything (besides laundering money and fuelling criminals). And it's not sustainable at all. And don't get me started on NFTs.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel=1
smtp_tls_loglevel=1

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart

If you're running Postfix, add this line to main.cf:

Restart Postfix, and retry.

PS: You can set encrypt instead of may -- but this can cause issues with Amavis and/or SpamAssassin.

Once again, this is testing the public websites I can access. There might be other gateways, APIs, etc that are not (as) secure.

It’s worthy to note that some banks are serious about security and fixing their SSL. Most improved their rating and solved all issues (especially getting rid of SHA1 in the chain). However, a couple lowered from B to C (see below). But… No more F’s. :)

The noteworthy changers:

• Hello Bank! went from A to B though due to weak DH,
• Triodos lost their Forward Secrecy,
• Optima from F to A(-) (and a bunch others from B to A, and higher),
• A bunch from B to C due to SSLLabs being more severe (see below). Most did solve some of their issues,
• BKCP is doing a lot wrong.

Update 11 Jan 2016: ABK & BvB updated to A.

Note that not supporting TLS 1.2 or supporting RC4 capped sites to grade B about a year ago; it now caps to grade C (aka SSLLabs is more severe).

Grade A

• Rabobank (A+): no known issues.
• Evi (A+): no known issues.
• Crelan (A+): no known issues.
• Binck (A+): no known issues.
• ING (A+): no known issues.
• Keytrade Bank (A+): no known issues.
• CPH (A+): no known issues.
• NIBC Direct (A+): no known issues.
• AXA (A+): no known issues.
• Delta Lloyd Bank (A): no known issues.
• Deutsche Bank (A): weak signature (SHA1).
• MeDirect Bank (A): no known issues.
• Monte Paschi (A): no known issues.
• Belfius (A): no known issues.
• BNP Paribas Fortis (A): no known issues.
• bpost bank (A): no known issues.
• Argenta (A): no known issues.
• Fortuneo (A): invalid HSTS policy.
• Fintro (A): no known issues.
• DHB Bank (A): no known issues.
• VDK (A): no known issues.
• ABK: (A): no known issues.
• Bank Van Breda (A): no known issues.
• Ogone (payment facilitator -- A): no known issues.
• Moneyou (A-): no Forward Secrecy.
• Record Bank (A-): no Forward Secrecy.
• Triodos (A-): no Forward Secrecy.
• Optima Bank (A-): no Forward Secrecy.
• KBC (A-): no Forward Secrecy.
• Isabel (banking tool for corps -- A-): no Forward Secrecy.

• Hello bank!: Weak Diffie-Hell (aka DH) (info).

• PSA Bank: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• beobank: weak DH, no TLS 1.2, RC4 (insecure), no Forward Secrecy, no secure renegotiation.
• BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy, weak DH.

• n/a

• n/a

• n/a

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

• 16/02/2015:
  • Keytrade: B to A
  • Hello Bank!: C to A
  • ING: F to A-
  • Record Bank: F to A-
• 17/02/2015:
  • ABK: F to B
  • Bank Van Breda: C to B
• 18/02/2015:
  • MeDirect: F to A
  • Added 6 new (small) banks
• 27/02/2015
  • Ogone: C to A-
• 02/03/2015
  • Fortuneo: C to B
• 03/03/2015
  • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).

I would like to apologise for every IT’er that had a crappy Monday morning, and thank you for fixing SSL so fast. :)

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

• Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Evi (A+): no known issues.
• Crelan (A): weak signature (SHA1).
• Delta Lloyd Bank (A): no known issues. [news post]
• Deutsche Bank (A): weak signature (SHA1).
• Hello bank! (A): no known issues.
• Keytrade Bank (A): weak signature (SHA1, intermediate, very very minor issue).
• MeDirect Bank (A): no known issues. [newsletter: 1, 2]
• Monte Paschi (A): no known issues.
• Belfius (A-): weak signature (SHA1), no Forward Secrecy.
• BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
• bpost bank (A-): weak signature (SHA1), no Forward Secrecy.
• Binck (A-): weak signature (SHA1), no Forward Secrecy.
• Fintro (A-): weak signature (SHA1), no Forward Secrecy.
• ING (A-): no Forward Secrecy. [press release via Standaard]
• Moneyou (A-): weak signature (SHA1), no Forward Secrecy.
• Record Bank (A-): no Forward Secrecy. [news post]
• Isabel (banking tool for big corps - A-): weak signature (SHA1), no Forward Secrecy.
• Ogone (payment facilitator): no Forward Secrecy. [newsletter via twitter]

Grade B

• Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
• AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
• Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
• beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
• CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• DHB Bank: weak signature (SHA1), RC4 (insecure).
• Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy

Grade C

• PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

• n/a

Grade E

• n/a

Grade F

• Optima Bank: vulnerable to POODLE attack in SSL3 and TLS format, weak signature (SHA1), RC4, no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Respect to those that send a mailing list to their customers with more detailed information. Communication++

Respect to Rabobank to be the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asking for more details, etc.

And thank you for an anonymous person, working for one of the big banks, to give me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. ;)

Part one and two are available here. Not related but useful nonetheless NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

TL;DR: Only Argenta’s status changed for the better.

Those that did not change:

• Rabobank: A+
• Triodos: A+
• Belfius: A-
• BNP Paribas Fortis: A-
• bpost bank: A-
• AXA: B
• beobank: B
• CPH: B
• KBC: B
• Keytrade Bank: B
• Crelan (internet banking): B
• Hello bank!: C
• Bank Van Breda (internet banking): C
  • BvB no longer supports secure renegotiation (which, afaik, it did before). However, it's still rated as C, as this isn't a real issue.
• ING: F
• Record Bank (internet banking): F

Those that did change:

• Argenta (internet banking): F to B
  • No longer vulnerable to POODLE,
  • Support for protocol downgrade attacks prevention,
  • Still using SSL3 (obsolete and insecure),
  • Weak signature (SHA1),
  • RC4 cipher is supported (insecure),
  • No Forward Secrecy.

Still a little way to go for Argenta, but it’s on the right path.

Those that I hadn’t tested before:

• VDK: B
• ABK: F
• MeDirect Bank: F
• Ogone: C (technically not a bank, and promised a fix, but it got delayed).

The entire list updated:

Grade A

• Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Belfius (A-): weak signature (SHA1), no Forward Secrecy.
• BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
• bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

• Argenta: no SSL on main page.
  • internet banking: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
• beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• Keytrade Bank: weak signature (SHA1), RC4 (insecure).
• VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy
• Crelan: no SSL on main page.
  • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

• Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
• Bank Van Breda: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation.
• Ogone: payment facilitator
  • weak signature (SHA1), RC4, vulnerable to POODLE, no Forward Secrecy

Grade D

• n/a

Grade E

• n/a

Grade F

• ABK: SSL2 (insecure), vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure), no Forward Secrecy, no TLS 1.2.
• ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• MeDirect Bank: vulnerable to POODLE attack, OpenSSL CCS vulnerability (quite bad),
• Record Bank: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Also, shame on you ING. More than any other bank.

Going through my Google Analytics I noticed some noteworthy network domains, which Google discribes as “The fully qualified domain names of your visitors’ Internet service providers (ISPs)”.

There are a few more (Belgian) government institutions and universities, and the top in the list are “(not set)” and “unknown”.

Clearly some people at the banks read the post during their work time. So it’s only fair to recheck the websites… Here goes:

Those that I hadn’t tested before:

• CPH: B
• Record Bank (internet banking): F

Those that did not change:

• Rabobank: A+
• Belfius: A-
• AXA: B
• beobank: B
• KBC: B
• Keytrade Bank: B
• Crelan (internet banking): B
• Hello bank!: C
• Bank Van Breda (internet banking): C
• ING: F
• Argenta (internet banking): F

Those that did change:

• Triodos: A to A+
  • downgrade prevention correctly applied.
• BNP Paribas Fortis: F to A-
  • No longer vulnerable to POODLE,
  • Disabled SSL3 (insecure),
  • Disabled RC4 (insecure),
  • Still using a weak signature (SHA1),
  • No Forward Secrecy.
• bpost bank: F to A-
  • No longer vulnerable to POODLE,
  • Disabled SSL3 (insecure),
  • Disabled RC4 (insecure),
  • Still using a weak signature (SHA1),
  • No Forward Secrecy.

Huge thumbs up for these last three banks! Well done, especially BNP & bpost! :)

Keep on shaming the others.

The entire list updated:

Grade A

• Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Belfius (A-): weak signature (SHA1), no Forward Secrecy.
• BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
• bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

• AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
• beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• Keytrade Bank: weak signature (SHA1), RC4 (insecure).
• Crelan: no SSL on main page.
  • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

• Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
• Bank Van Breda: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

• n/a

Grade E

• n/a

Grade F

• ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• Argenta: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• Record Bank: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Only providing the weak points. Once there is one SHA1 key in the chain, I will report everything as weak.

Check SSL Labs for a full report, including what they actually did good (if anything).

Grade A

• Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Triodos (A): no downgrade attack prevention.
• Belfius (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

• AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
• beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
• KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• Keytrade Bank: weak signature (SHA1), RC4 (insecure).
• Crelan: no SSL on main page.
  • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

• Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
• Bank Van Breda: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

• n/a

Grade E

• n/a

Grade F

• BNP Paribas Fortis: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• bpost bank: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
• Argenta: no SSL on main page.
  • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

PS: none of the domains support IPv6 (while expected, it would have been nice – Belgium has the highest IPv6 adoption rate for end users, but almost no IPv6 websites or businesses).

However, it’s now time for something new.

As always, as minimalistic as possible.

On a side note, this blog has been moved from vm1 (and one before that) a virtual machine running on a dual Xeon 3070 (2.66Ghz) at Databarn to Akama, a VM on an 8 core Xeon E3-1230 (3.2Ghz) at Leaseweb.

I’ve also correctly repaired IPv6 on this blog. Apparently nginx never and/or stopped correctly listening to IPv6 (suddenly my Android devices displayed errors on this page, Chrome & Firefox on OS X seemed to fall back to IPv4 instantly… Not sure how long it was broken, but it’s back).

Note to self:

listen          yeri.be:443;
server_name     yeri.be;

Does not work with IPv6, it has to be

listen          [::]:443;
server_name     yeri.be;

This is the effect, of giving a WiFi hotspot (near a window at traffic lights) two additional SSID; by coincidence the same used by the two biggest local ISPs. You can clearly see when I made the change.

Edit (07/09/2014):

odd!

Time has come to let my once so fierce and mighty nickname aside, and, in this not-so-anonymous world, use my first name.

Old links & bookmarks will remain operational and will redirect to the new domain.

And I’m dropping “blog” all together. And, as always, SSL is running.

static.0x04.com will still host all uploaded content.

My link shortener will be at i.yeri.be. The old links will 404 but I doubt many still had the old links bookmarked. I’m not sure why I took “i”, but it sounded nice.

Coincidence wants, that I moved from tuinslak.be to tuinslak.org, yesterday, October 14, four years ago.

In the coming days I’ll ponder whether I should move to Ghost (or something similar). And if I should run a dedicated droplet just for this blog or not. Hmmmm…

PS: content will still be as useless and random as before.

I’ve two RPi’s acting a router and was already running dnsmasq. I decided to give it a try. Note that this howto can actually be used on any DNS serving Linux server.

First of all, don’t go with the pixelserv as it crashes after a few minutes.

Apache is an option that worked fine. A general hint: if you’re already running Apache or whatever on port 80, just add a 2nd static IP and make Apache listen to that.

For example (/etc/network/interfaces) – be sure it’s in the same subnet:

auto eth0:0
iface eth0:0 inet static
 address 10.100.200.254
 netmask 255.255.255.0
 broadcast 10.100.200.255

10.100.200.254 is the Apache IP that just serves a HTTP 200 (or 204).

Here’s the relevant config part (note the HTTP 204 code, more info on that later):

<VirtualHost adblock:80>
 ServerAdmin webmaster@domain.net
 DocumentRoot /var/www
 <Directory />
 Options FollowSymLinks
 AllowOverride All
 </Directory>
 <Directory /var/www/>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 RewriteEngine on
 RedirectMatch 204 (.*)$
 ErrorDocument 204 " "
 </Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

And edit /etc/hosts to add “adblock”:

10.100.200.254 adblock.local adblock

If I had used the IP instead of adblock I would have had this error:

# apache2ctl configtest
[Mon Sep 16 20:27:21 2013] [error] (EAI 2)Name or service not known: 
Failed to resolve server name for 10.100.200.254 (check DNS) 
-- or specify an explicit ServerName
Syntax OK

With the HTTP 200 code, some browsers expect some content/file in return. So it’s generally safer to use HTTP 204 “No Content”; which basically means “all good but I have nothing to serve you.”

Now, I call myself an nginx fan. Running Apache on a RPi is a no go (at least for me). I could’ve ran nginx on the RPi, but decided to run it on a remote server with an additional IP. At least for now. To preserve resources on the RPi.

Here’s the relevant config to run it on nginx (and be sure this config is the first file nginx parses; or it might redirect all the domains to some other site):

server {
 listen 80;
 server_name pixel.0x04.com 10.100.200.254 _;
 access_log /var/log/nginx/pixel.access.log;
 error_log /var/log/nginx/pixel.error.log;
 expires max;
 autoindex off; 
 rewrite ^(.*)$ /;
 location / {
  return 204 'pixel';
 }
}

And if we test it, this is what we get:

HTTP/1.1 204 No Content
Server: nginx/1.4.0
Date: Mon, 16 Sep 2013 18:36:52 GMT
Connection: close
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000

And that’s it.

<3 nginx

The only downside is that this won’t work with HTTPS. You can run your webbrowser with a self signed certificate, but this will throw errors…

The result:

Visiting that links redirect to a spammy website about real estate… Please clean up your shit -.-)

HTTP headers when getting eurostar.com/bestkeptsecret:

HTTP/1.1 301 Moved Permanently
Content-Length: 245
Date: Sat, 29 Dec 2012 22:14:39 GMT
Server: Apache
Location: https://web.archive.org/web/20190118192808/http://www.europesbestkeptsecret.com/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.europesbestkeptsecret.com/">here</a>.</p>
</body></html>

Basically, when adding your Facebook account, Adium opens some webpage asking you to login. I always logged in using my e-mail address (as… that was what the page was actually asking!).

I always managed to successfully login. Facebook then asked to identify my device (“Adium” or whatever).

However, here the problems started. Whenever I clicked save, I just ended up on the same page again, asking me to fill in my device name.

Checking my devices in Account Settings, I saw a million Adiums got added (because of my spam clicking/trying)…

I even tried to disable the “login approvals”, thinking that had something to do with it… But alas.

Thinking it had something to do with cookies (session cookies not/wrongly saved or something by Adium) I updated to betas… Many times, and still no fix. This was becoming annoying and pretty odd. Was I the only one have this problem?

I then tried, instead of using my email address, to use my actual account name (“facebook.com/YOUR-ACCOUNT-NAME”). And guess what… ;) Yea, I could log in, add the device correctly, and Facebook chat went online right away.

Over a century ago Thomas Edison got the patent for a device which would “do for the eye what the phonograph does for the ear”. He called it the Kinetoscope. He was not only amongst the first to record video, he was also the first person to own the copyright to a motion picture.

Because of Edisons patents for the motion pictures it was close to financially impossible to create motion pictures in the North american east coast. The movie studios therefor relocated to California, and founded what we today call Hollywood. The reason was mostly because there was no patent. There was also no copyright to speak of, so the studios could copy old stories and make movies out of them - like Fantasia, one of Disneys biggest hits ever.

So, the whole basis of this industry, that today is screaming about losing control over immaterial rights, is that they circumvented immaterial rights. They copied (or put in their terminology: “stole”) other peoples creative works, without paying for it. They did it in order to make a huge profit. Today, they’re all successful and most of the studios are on the Fortune 500 list of the richest companies in the world. Congratulations - it’s all based on being able to re-use other peoples creative works. And today they hold the rights to what other people create. If you want to get something released, you have to abide to their rules. The ones they created after circumventing other peoples rules.

The reason they are always complainting about “pirates” today is simple. We’ve done what they did. We circumvented the rules they created and created our own. We crushed their monopoly by giving people something more efficient. We allow people to have direct communication between eachother, circumventing the profitable middle man, that in some cases take over 107% of the profits (yes, you pay to work for them). It’s all based on the fact that we’re competition. We’ve proven that their existance in their current form is no longer needed. We’re just better than they are.

And the funny part is that our rules are very similar to the founding ideas of the USA. We fight for freedom of speech. We see all people as equal. We believe that the public, not the elite, should rule the nation. We believe that laws should be created to serve the public, not the rich corporations.

The Pirate Bay is truly an international community. The team is spread all over the globe - but we’ve stayed out of the USA. We have Swedish roots and a swedish friend said this: The word SOPA means “trash” in Swedish. The word PIPA means “a pipe” in Swedish. This is of course not a coincidence. They want to make the internet inte a one way pipe, with them at the top, shoving trash through the pipe down to the rest of us obedient consumers. The public opinion on this matter is clear. Ask anyone on the street and you’ll learn that noone wants to be fed with trash. Why the US government want the american people to be fed with trash is beyond our imagination but we hope that you will stop them, before we all drown.

SOPA can’t do anything to stop TPB. Worst case we’ll change top level domain from our current .org to one of the hundreds of other names that we already also use. In countries where TPB is blocked, China and Saudi Arabia springs to mind, they block hundreds of our domain names. And did it work? Not really. To fix the “problem of piracy” one should go to the source of the problem. The entertainment industry say they’re creating “culture” but what they really do is stuff like selling overpriced plushy dolls and making 11 year old girls become anorexic. Either from working in the factories that creates the dolls for basically no salary or by watching movies and tv shows that make them think that they’re fat.

In the great Sid Meiers computer game Civilization you can build Wonders of the world. One of the most powerful ones is Hollywood. With that you control all culture and media in the world. Rupert Murdoch was happy with MySpace and had no problems with their own piracy until it failed. Now he’s complainting that Google is the biggest source of piracy in the world - because he’s jealous. He wants to retain his mind control over people and clearly you’d get a more honest view of things on Wikipedia and Google than on Fox News.

Some facts (years, dates) are probably wrong in this press release. The reason is that we can’t access this information when Wikipedia is blacked out. Because of pressure from our failing competitors. We’re sorry for that.

THE PIRATE BAY, (K)2012

(Source)

-- Margaret Mead

Also: Wikipedia Blackout.

Oh, and Wordpress blackout.

Also: Reddit blog.

Thanks to Sphere for the screenshot.

And when someone visited the post it tried to regenerate a new short url (and this often resulted in 4-5 short urls being created) with title “301 moved permanently”.

Overall, tracking 891 links, 93,876 clicks, and counting!

I quickly disabled my tweet-on-publish option and didn’t really figure out why this was suddenly happening (except that my yourls site moved to a new server).

That’s when I had this magnificent idea… Check if cURL is installed… ;)

And guess what; it wasn’t.

So be sure to install curl and php5-curl (and to restart Apache). Seems like that solved all my problems!

Zero had a corrupt reiserfs. Decommissioned the old P4 and replaced by a brand new dual Xeon. Running Xen and Debian instead of Gentoo.

And shortly there after Four (the server that hosts this VM), the Ubuntu host with Xen refused to start its networking, so I decided to start a fresh install (Debian as well this time).

One, who also had a broken hard disk (an old P3) got decommed as well.

Long story short, it’s back!

So moving to HTTPS lowered the average from ~1000ish to ~200 spam comments per month (I implemented HTTPS near the end of 2011-02).

And yay, for Akismet's graphs being back. For some reason they'd been broken for ages on this blog.

Depending on your current logged in Google profile, looks up whether you’re in one of my approved circles, and depending on the result shows the content.

Idem dito for Flickr, Facebook (lololol), LinkedIn, …

And not just China, but any country where they tend to censor certain websites.

Greatly appreciated. :)

Via Pieter Colpaert.

Github repo riiiiiiight here. It’s used by my PAC-generator.

The Github page is updated once a day by three hosts. One in Belgium, one in The Netherlands, and a Guruplug in China. This way you can compare the results (in case some are down or replying slowly).

As it’s impossible to test every possible site, I just check popular sites (and a bunch of sites from Alexa). But if you know blocked sites not in the list, please submit them – thanks!

At the moment I recheck every site once a day. However I might change this to once/week or something if the list of sites/URLs gets too big.

More shells are welcome, especially in countries such as Libya, Egypt, Tunis, etc ;)

But also additional shells in China are welcome, to prevent the government from blocking my current machine. All I need is a bit of CPU power once/day, 100Mb quota (at most), and Git installed.

Test results are written to three files; a file with sites that work, a file with sites that didn’t get a HTTP 200 reply, and a file with both. You can directly use the file in your application from Github (for example the list of blocked sites in China).

The files are written as CSV-file; "url,check-date,check-time,{ok|nok}". Ok means the url/site got downloaded, nok means something went wrong (connection reset, time out, etc).

It does NOT check the content of the website (in case a ISP redirects to a different website instead).

This is work in progress though. So it's likely to change and, hopefully, improve in the future.

Feedback is also greatly appreciated.

The PAC file generated redirects all matching rules through the proxy.

The only issue at the moment, is that, once the list gets big, it’s not very performance-friendly. Something I’ll try to fix in the coming days.

I’m using this script to generate a proxy.pac file at work to redirect blocked content in China through the proxy for our employees currently in China.

You can find the Github repo here. Keep in mind it’s work in progress.

This is what I had to do to compile it on my Macbook Pro;

• Install Xcode, if you haven't, and be sure to select UNIX Dev Support.

Or you'll get this error:

configure: error: C compiler cannot create executables

• Export Xcode's gcc PATH:

PATH=/Developer/usr/bin/:$PATH

• Download wget
• In Terminal: untar it

tar xvzf wget-latest.*

• And compile it

cd wget directory
./configure
make
sudo make install

• In case you had an old (precompiled) wget installed;
  remove that version first (/usr/bin/wget probably).
  By default, this one will install itself in /usr/local/bin/wget which should be in your $PATH as well (in case it's not, make a symlink from the old /usr/bin/wget to /usr/local/bin/wget, or recompile with other installation directories).

Not entirely sure why this keeps spambots away, but a drop from ~100 spam comments/day (1/2) to at most 4 seems pretty cool.

Edit: seems like they just do a POST request to an old URL (http://blog.tuinslak.org/some-post), which results in this reply:

HTTP/1.1 301 Moved Permanently
Server: nginx/0.9.4
Date: Tue, 22 Feb 2011 07:10:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: https://blog.tuinslak.org/

I’m guessing once they rescan the new URLs they’ll be spamming again. Just a matter of time for them to update their “bookmarks”. ;)

Anyway, here's the Akismet screenshot:

Pretty cool, no ?

Totals can be found here.

SSL is clearly the new hype, and this time I won’t be last to join it! ;)

Just going to check how much (if any) SSL slows down my site.

Every http requests gets automatically rewritten to https.

So from 0.9.4 to 0.6.32 (Lenny), which will be upgraded to 0.7.x in Squeeze.

I’ve come across this error on certain servers:

# /etc/init.d/nginx restart
Restarting nginx: 2011/02/11 11:34:58 [emerg] 3624#0: could not build the server_names_hash, 
you should increase server_names_hash_bucket_size: 32
nginx.

This can be solved by adding this to the nginx.conf:

server_names_hash_bucket_size 64;

Be sure to place it between the http-section.

[...]
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    server_names_hash_bucket_size 64;

    access_log	/var/log/nginx/access.log;
	
    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;
    tcp_nopush	       on;

    gzip  on;
    gzip_comp_level   5;
    gzip_http_version 1.0;
    gzip_min_length   0;
    gzip_proxied      any;
    gzip_buffers      16 8k;
    # Some version of IE 6 don't handle compression well on some mime-types, 
    # so just disable for them
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_types        text/plain text/css image/x-icon application/x-javascript text/xml  application/xml application/xml+rss text/javascript image/gif image/jpeg image/png application/json application/x-tar application/zip application/x-rar-compressed application/msword application/octet-stream application/vnd.ms-excel application/pdf application/vnd.ms-powerpoint;
    gzip_vary         on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

(Dark blue: incoming queries, light blue: outgoing/recursive lookups)

# Bind
Title[bind]: Bind Queries
Target[bind]: `/etc/mrtg/bind-stats.sh`
PageTop[bind]: <H1> Bind queries per minute on vm1 </H1>
Options[bind]: growright,pngdate,nobanner,gauge,nopercent,noinfo
MaxBytes[bind]: 50000
Ylegend[bind]: Queries/min
ShortLegend[bind]:  queries/min
LegendO[bind]: Incoming Bind queries per minute
LegendI[bind]: Outcoing Bind queries per minute
Legend2[bind]: Incoming Bind queries per minute
Legend1[bind]: Outcoing Bind queries per minute

#!/bin/bash
# Bind MRTG stats
# by Yeri Tiete (Tuinslak) - 10/02/2011
# https://yeri.be
#
# mrtg.cfg sample:
################################################################################
#	#
#	# Bind
#	#
#	Title[bind]: Bind Queries
#	Target[bind]: `/etc/mrtg/bind-stats.sh`
#	PageTop[bind]: <H1> Bind queries per minute on vm1 </H1>
#	Options[bind]: growright,pngdate,nobanner,gauge,nopercent,noinfo
#	MaxBytes[bind]: 50000
#	Ylegend[bind]: Queries/min
#	ShortLegend[bind]:  queries/min
#	LegendO[bind]: Incoming Bind queries per minute
#	LegendI[bind]: Outcoing Bind queries per minute
#	Legend2[bind]: Incoming Bind queries per minute
#	Legend1[bind]: Outcoing Bind queries per minute
################################################################################
file path of named.stats
FILE=/var/log/named.stats
TMPFILE=/tmp/__dnsstats.txt
how often does mrtg run? for me it’s every 10 mins
TIME=10
make file empty
echo /dev/null > /var/log/named.stats
generate file
/usr/sbin/rndc stats
save number of queries
INNOW=egrep "[^I]QUERY" $FILE | awk '{print $1 }'
OUTNOW=grep Outgoing $FILE -A 9 | sed '1,2d' | awk '{ SUM += $1} END { print SUM }'
check if tmp file exists and insert data in it if it doesnt
this prevents a peak
[ ! -e $TMPFILE ] && echo $INNOW > $TMPFILE && echo $OUTNOW >> $TMPFILE
get old data
INOLD=cat $TMPFILE | sed -n 1p
OUTOLD=cat $TMPFILE | sed -n 2p
overwrite old
echo $INNOW > $TMPFILE
echo $OUTNOW >> $TMPFILE
calculate (to get difference)
INDIFF=$[ $INNOW-$INOLD ]
OUTDIFF=$[ $OUTNOW-$OUTOLD ]
as mrtg runs */10 > divide by 10 to get per minute
INPERMIN=$[ $INDIFF/$TIME ]
OUTPERMIN=$[ $OUTDIFF/$TIME ]
print !
echo $OUTPERMIN
echo $INPERMIN
echo
echo

Be sure the named.stats file gives this kind of output:

# grep Outgoing /var/log/named.stats -A 9
++ Outgoing Queries ++
[View: default]
               64316 A
                   2 NS
                  22 SOA
                6945 PTR
                 892 MX
                1104 TXT
                3117 AAAA
                  22 SRV

… for the outgoing queries, and …

# grep QUERY /var/log/named.stats | awk '{print $1 }'
163143

for the incoming queries.

Don’t forget to

chmod +x bind-stats.sh

Live sample: vm1.rootspirit.com/mrtg/bind.html

Being unresponsive I reset the machine to reboot it.

After booting up and testing websites running on it I came along an odd PHP error;

Call to undefined function http_post_data()

Probably due to PHP updates from Lenny/testing to Squeeze.

This error is caused by not having installed PECL-HTTP (and php-pear php5-dev libcurl3-openssl-dev)

However, PECL-HTTP had been installed for ages and running the pecl install command resulted in this:

# pecl install pecl_http
pecl/pecl_http is already installed and is the same as the released version 1.7.0
install failed

Some quick Googling didn’t come up with a simple fix.

I then tried to reinstall PECL-HTTP (by uninstalling and reinstalling it)

# pecl uninstall pecl_http
Unable to remove "extension=http.so" from php.ini
uninstall ok: channel://pecl.php.net/pecl_http-1.7.0
# pecl install pecl_http
downloading pecl_http-1.7.0.tgz ...
Starting to download pecl_http-1.7.0.tgz (173,979 bytes)
[...]

Which luckily did solve my issue…

So reinstalling does actually solve stuff on Linux :x

Be sure to have extension=http.so in your php.ini and to restart php if it’s running with fastcgi or restarting Apache after making the changes.

So, here it is. Download this file and put it in /usr/share/squid/mib.txt.

I don’t quite remember where I found that mib file. Probably included with Squid on Gentoo or the world wide web… But I couldn’t find it on Debian, so here it is. And be sure to add these lines to your Squid config:

acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all

This is what it should look like (low usage Squid):

A while back, I found a quick fix for this; rename the interface targets from their respective ID to their name:

Target[eth0]: 2:public@localhost

becomes

Target[eth0]: #eth0:public@localhost

#
# Eth0 stats
#
Options[eth0]: growright, nobanner, pngdate, nopercent, noinfo
Target[eth0]: #eth0:public@localhost:
SetEnv[eth0]: MRTG_INT_DESCR="eth0"
MaxBytes[eth0]: 1250000
Title[eth0]: Traffic Analysis for deng
PageTop[eth0]: <H1>Traffic Analysis for deng (eth0)</H1>
#
# Eth1 stats
#
Options[eth1]: growright, nobanner, pngdate, nopercent, noinfo
Target[eth1]: #eth1:public@localhost:
SetEnv[eth1]: MRTG_INT_DESCR="eth1"
MaxBytes[eth1]: 1250000
Title[eth1]: Traffic Analysis for deng
PageTop[eth1]: <H1>Traffic Analysis for deng (eth1)</H1>
#
# tun0 stats
#
Options[tun0]: growright, nobanner, pngdate, nopercent, noinfo
Target[tun0]: #tun0:public@localhost:
SetEnv[tun0]: MRTG_INT_DESCR="tun0"
MaxBytes[tun0]: 1250000
Title[tun0]: Traffic Analysis for deng
PageTop[tun0]: <H1>Traffic Analysis for deng (tun0)</H1>

Kinda thought it might be too simplistic (I’ve hidden the sidebar, there’s no search or archive, etc), but I started to, you know, get attached to it.

So it’s here to stay, for a year or something. I guess.

I’ve also noticed that the long load times on my blog were WP_Buzz’s fault. Nice plugin, but 15 to 45 seconds of load time per uncached page wasn’t really worth it. Hope it can be fixed.

I’ve always thought it was One that wasn’t keeping up with the SQL queries, and as refreshing the page always fixed my problem, I thought it just was bad luck and/or my dodgy connection. Until I saw WordPress was doing half a minute for about 90ish SQL queries… Per page.

But on the other hand, seems like changing from One to vm1 was useful after all:

Anyway, to search on this blog use Google or, if you have Chrome, type in blog.tuinslak<tab> and add your search query. Kinda rocks feature!

Been on posting spree lately. Not all post quite as useful, but hey. Let’s see how long I keep up! ;)

And well, performance just wasn’t good enough. So I said bye to one.rootspirit.com, and hi to vm1.rootspirit.com a couple of days ago. Vm1 is no longer the nginx proxy, but is hosting my whole blog now. No more Apache for me.

Now to see if performance increases and if it was any point in changing.

Oh, and all static/upload/image requests are now rewritten to a new domain (static.0x04.com). Gives me to option to move static pages to a different webserver/host in the future. And why 0x04.com and not static.yeri.be or static.tuinslak.org ? Well, don’t know. Just like my “0x04” domain name! :D

Oh well… Just playing around…

Source.

Anyway, “fix”:

cd crm-path/modules/Home/Dashlets
mv iFrameDashlet/ /root/sCRM-dashlet/
mv SugarNewsDashlet/ /root/sCRM-dashlet/

Remove these two modules, refresh site, and you’d be fine.

SugarCRM updates might put these modules back in place though.

I moved them to /root/sCRM-dashlet in case you want a backup, else rm -rf. ;)

– Posted on the mailing list; Wed Sep 29 01:50:46 CEST 2010.

Changing the US format (yyyy/mm/dd) to EU (dd/mm/yyyy) and every other setting on that page wasn’t actually saved/remembered upon hitting save.

Editing it manually in config.php wasn’t an option either, as it got overwritten every single time. I could of course change permission, and make it unwritable by the webserver, but that would make the rest of the admin panel useless (everything else isn’t configurable anymore).

My workaround:

Install the outdated EN_GB locale from SugarForge. It won’t complain that the versions do not match (unlike the two Dutch locales), but it will break your GUI.

However, this gives you time to edit all the settings, save, and put it back to English (US). And this time, it gets remembered (idem dito for the favicon).

I however kept the EN_GB locale module installed, just in case, and thus didn’t test whether it broke again when the EN_GB mod is removed.

Buggy CRM is buggy. :(

Also, the fact I cannot delete users/employees directly is bugging me. Doubt this CRM will make it into production fase… -.-

Posted, because I can’t attend, and, well, someone should. To save the planet. Or something.

To progress, instead of regress.

Begin forwarded message:

From: "Katrien Kiekens" Date: 10 Sep 2010 12:22:35 GMT+02:00 To: "Katrien Kiekens" Subject: Workshop Reprocopy 22 september

Beste

Reprocopy – beheersvennootschap van de Vlaamse krantenuitgevers - nodigt u uit om samen met deze uitgevers de voorwaarden rond dieplinken naar krantencontent te bekijken. Op woensdag 22 september om 10u organiseren we een workshop in de kantoren van Reprocopy, vlakbij het Brusselse Zuidstation.

Wij waken in eerste instantie over een correcte toepassing van de wetgeving inzake het auteursrecht. Dat wil zeggen dat we het online verspreiden van beschermde krantenartikels - zonder voorafgaande toestemming van de auteur - tegengaan.

Krantenuitgevers willen dieplinks uiteraard toelaten. De voorwaarden die we voor dat linken hebben uitgewerkt, zijn vandaag het voorwerp van kritiek.

Indien interesse in deze workshop, bevestigt u uw komst? Indien u reeds inschreef via info@reprocopy.be, hoeft u niet meer te replyen.

We kijken uit naar uw feedback.

Vriendelijke groet Katrien Kiekens Reprocopy www.reprocopy.be

T +32 2 558 97 64 M +32 485 100 692 t @katrienkiekens

Barastraat 175 1070 Brussel Route: http://vdpma-route.notlong.com/

All information here and here.

Be sure to come and help around ! Fun guaranteed! ;)

I’ll be discussing general things about iRail (history, future, vision), and Pieter will discuss everything related to our API.

Presentations will be put online tomorrow evening.

Also, biggest issue (station bug) seems to have been fixed in the API (mobile site soon!). Thanks Pieter Colpaert.

First of all, big thanks for all the code and help from Pieter Colpaert.

Updates:

• API (extreme beta), thanks Pieter (wiki),
• Code clean up, improvements,
• Station bug has not been solved, yet -- working on it, (edit: fixed)
• iRail mailing list, for easy communication (wiki / archive).

And again, Git repo located here. Feel free to participate. :)

You can very easily fork my Git repository, all working improvements will be merged to the main stream.

To access the iRail source code;

Be aware you need to be added as contributor before being able to commit changes.

1. get Git
2. [browse to some folder] mkdir git
3. cd git
4. git clone git@github.com:Tuinslak/iRail.git
5. cd iRail
6. git fetch

To edit & commit changes:

1. git add [file]
2. git commit -m 'edited [file], added this and that'
3. git push

To update repo

1. git fetch
2. git merge origin/master

To check log

1. git log

Info here and here, oh and here.

Nightly built accessible here. Git gets updated every night around 4h00. (see the index.php; set $dev to 1)

Feel free to commit [working and useful] updates. Decent updates will make the iRail.be website. Contact me if you have any questions or remarks. Most important bug is the station issue and my todo list can be found here.

I’m fairly new to all this Git-stuff, so I might have done some stuff wrong, or not optimised, or whatever. Contact me if so.

Tweakers.net - PDF.

• Aalst,
• Asse,
• Brugge,
• Mechelen

Issue: All those stations give an additional intermediate page with the question to confirm your station choice.

Old solution: could be by-passed by adding “[B]” to the end of every station name but this has recently changed and is no longer working.

Current solution: none yet. Working with cURL to check the POST data.

Report additional broken stations to bugs@irail.be please.

Edit: Fixed – Thanks Pieter !

The copy of the letter to the NMBS/SNCB can be viewed here.

Minor modifications have been made to make it work correctly again with the new route planner of the NMBS/SNCB (changelog); and I’ll keep working on it to optimise it (next on the todo list is a better results page). Also, feedback is always welcome… But mail me; not the NMBS/SNCB. ;)

Also, dear NMBS/SNCB, please provide us with an API. Clearly, I’m not the only one interested in open data and APIs. This would make small projects like this quite a bit easier and would greatly increase the end quality. Data scraping just doesn’t fit web2.0.

I’d like to gratefully thank everyone for the amazing support, and special thanks go to Ywein Van den Brande, Sébastien Boelpaep and Vincent Van Quickenborne.

Have a nice day,

Yeri Tiete iRail.be

Edit: Due to a bug in the querying, not all station information is displayed correctly and an error page is shown. Working to get it solved.

• /etc/nginx/nginx.conf // general nginx config
• /etc/nginx/sites-available/blog // my current (as of posting this) rproxy settings for this blog
• /etc/nginx/conf.d/proxy.conf // reverse proxy related config

And pretty happy I set up my nginx caching up a few weeks ago.

MRTG traffic stats on vm1, my nginx caching server, of the first 2 days (only major traffic source is this blog):

Top referrers (though not 100% accurate):

Website hits:

Top posts last few days:

Flickr hits last few days:

Screenshots are all a few days old by the way.

This, and a bunch of other cool stats from Google Analytics. :)

Oh, and also, visits on iRail.be from the NMBS/SNCB network starting Sept 1 2008:

Geachte,

NMBS heeft onlangs vernomen dat u de uitbater bent van de website www.irail.be.

Uw website is, zoals u het zelf vermeldt, een route planner waarbij alle gegevens en informatie van NMBS website komt (“all data and info is retrieved from the B-Rail website”).

uw website maakt hergebruik van de data van NMBS. Hierdoor schendt u haar intellectuele rechten, zoals haar auteursrecht en databankrecht. Tevens maakt u zich daardoor schuldig aan het strafrechtelijk misdrijf van namaak.

De verklaring inzake het auteursrecht op de website van NMBS (http://www.b-rail.be) bepaalt:

“De site en zijn samenstellende elementen (teksten, lay-out, tekeningen, foto’s, films, grafische voorstellingen en andere elementen die op de site voorkomen) zijn beschermd door intellectuele rechten, net als de logo’s, merken en commerciële benamingen die door de NMBS gebruikt worden.

Daarom verbiedt de NMBS elke bezoeker van haar website om zonder haar voorafgaande expliciete schriftelijke toelating, de teksten, lay-out, tekeningen, foto’s, films, grafische voorstellingen, logo’s, merken, commerciële benamingen, en andere elementen die op de site voorkomen, gedeeltelijk of in een via een elektronische, mechanische of andere procédé bewerkte vorm, te gebruiken, reproduceren, afficheren, publiek te maken, wijzigen, wissen, aan te passen…

Elk inbreuk op wat voorafgaat, leidt tot rechterlijke vervolging, burgerlijke of strafrechtelijke, zonder afbreuk te doen van het recht op schadevergoeding voor de NMBS”.

Wij stellen u hierbij formeel in gebreke voor deze inbreuken en manen wij u aan om die onmiddelijk te staken. Bij gebrek aan staking zal de NMBS zonder verder bericht de nodige juridische stappen ondernemen.

Het voorgaande wordt u gericht onder alle voorbehoud en zonder enige nadelige erkenning.

Hoogachtend,

Xavier Ansseau Eerste adviseur - afdelingschef

Original can be read here and here. Yes, my scanner was on holiday, had to use a camera.

My mail to the NMBS on October 6th 2008. They never replied to that e-mail. Until now, when they got their own mobile website, that is.

Thank you for using iRail all this time.

none on /var/cache/nginx/blog type tmpfs (rw,size=512m)

none  512M   47M  466M   4% /var/cache/nginx/blog

Let’s see what performance boosts this will give. :P

Here are some stats: image+html and php. Note that the php on apache (recompiled each request, about 1.5-2sec between every request) versus the cached output has a huge difference. Difference between images and static text files aren’t that huge. Also note that nginx has gzip enabled. The downside is that nginx caches all pages (HTTP code 200) for one hour and isn’t notified when pages are modified (yet).

My “live” blog is also accessible using blog.yeri.be as blog.tuinslak.org will now point to the nginx reverse proxy.

I’ve come across a few issues though, pages such as this (shows your current IP address) and this (compare to this and refresh a few times) are cached as well, and actually show the previous visitor (if any) their output and the pages aren’t updated when a new visitor visits them. Edit: fixed, correctly refreshes; .php under wp- isn’t cached.

Same goes for layout (I use WPtouch for mobile devices). A page that got visited on the iPhone and then on a desktop as well as a page that got first cached using a desktop browser and then an iPhone. I’ve disabled WPtouch for now.

And a 3rd issue is that the Wordpress stats image () is cached as well. So if a regular visitor visits the site before a a registered user (admin), the stats image will still be present (and generate incorrect stats). This doesn’t happen the other way around, as no pages are cached for a registered user (unless they are already in its cache)… Weird. Edit: fixed by watching the http cookie and this plugin. Admin pages are never cached now but at least stats are correct again.

Speed gain is insane though.

vs

cache.blog.tuinslak.org 85.12.6.171 - - [22/May/2010:16:27:40 +0200] “GET /2010/05/nginx-reverse-proxy/ HTTP/1.0” 200 22639 “-” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.53 Safari/533.4” 1771 23031

First one being my current home IP address, the second one being the nginx server IP address. The idea is to have the first line to show up in the logs.

On Gentoo (and I guess it’s fairly similar on other distributions);

*  www-apache/mod_rpaf
      Latest version available: 0.6
      Latest version installed: 0.6
      Size of files: 7 kB
      Homepage:      http://stderr.net/apache/rpaf/
      Description:   Reverse proxy add forward module
      License:       Apache-2.0

Emerge it, add “-D RPAF” to /etc/conf.d/apache2 and add the following the the correct vhost (e.g. /etc/apache2/vhosts.d/your_vhost.conf):

<IfModule mod_rpaf.c>
      RPAFenable On
      RPAFsethostname On
      RPAFproxy_ips 85.12.6.171
</IfModule>

Change the bold IP address to your nginx rproxy IP address

Might be safe to run “apache2ctl configtest” to make sure you don’t have any errors in your config file(s).

And restart Apache. This makes it show the correct IP address in its log files.

Next on my to do list, getting it to actually cache something.

I’m deliberately making a difference between cache.* and live.* as blog.tuinslak.* might move to the cached version lateron.

The question, is it useful to reverse proxy this blog? No, probably not. But meh… It’s fun. :)

IP differences between both versions: live vs cache°. I’m guessing as most of the stats (Google Analytics and WP Stats) are JavaScript based, all stats should still be correctly generated. Only the Apache logs show the nginx proxy IP address. Which is normal, I guess.

First small test doesn’t seem too good. Apparently not a lot of caching is going on. Though most of this site’s content is HTML (using WPSuperCache).

• Live, on One, using Apache: here & here
• Proxy, on VM1, using nginx: here & here

More tests & fine tuning later!

(°): Due to a minor edit, the live and cached version both show the correct IP address (yours) instead of the nginx proxy IP address.

This website was created during my spare time (and mainly for myself). It is also maintained during my spare time. NMBS/SNCB never helped to create or maintain this website (nor did it show any interest to do so).

I never got paid (or earned any kind of money) for this website. The website is free to access from any device (but it’s built to be used on an iPhone or iPad).

All problems related with this website should be directed to ME and NOT the NMBS/SNCB.

All data and info is retrieved from the B-Rail website. Every request on the iRail website is translated into a request on the B-Rail website. iRail just shows you what the B-Rail route planner would show you without the regular layout (most of the css/html is stripped off). Only the icons have a local backup on the iRail website (technically easier to make sure icons are showed correctly).

I am not responsible for incorrect time tables (and I don’t think B-Rail is either). I am sure there are glitches in the iRail website that might give you false/bugged information (please, report, to me) and some stations might not be working (please, report, to me, as well). In some cases I might be able to fix these issues.

For the REAL NMBS/SNCB Mobile website please visit THIS website.

Again, iRail was only created due to a lack of alternatives (and is still online because some visitors, including myself, seem to prefer my version over the official one), as a hobby and for personal experience.

Please, don’t force me to kill this website.

Edit: read more.

Well done I’d say. Just a tiny bit late. :) And too bad there doesn’t seem to be an iPhone optimized version (later?).

Oh well, finally. I’ll be testing it next time I’ll be taking the train. :)

As there’s a PHP page as well, I had to set up fastcgi with PHP. I mainly followed this tutorial to try to get PHP working.

However, every PHP page I visited returned following error:

No input file specified.

As I was fairly sure it was path (or variable) related, I played around with:

fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;

Changing $document_root to the full path, etc, without success.

However, as I used the init script in the tutorial, and read a few posts about possible permission errors, I tried adding the group to the fastcgi daemon starter as well.

Change this:

start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS

to:

start-stop-daemon --quiet --start --background --chuid "$USER" -g www-data --exec /usr/bin/env -- $PHP_CGI_ARGS

Notice the “-g www-data” part.

You can always make a variable in case you ever want to edit it.

Restart php_fastcgi and try again. Should work fine now.

Some fast stats: vm1 + nginx, vm1 + lighttpd, vm0 + IIS7, one + Apache, vm1 + nginx + PHP and one + Apache + PHP.

These stats should only give a quick overview. To get correct results it should be ran on the same hardware, at the same moment with the same load, and 100% the same pages.

“One” is a Gentoo dual Pentium III with 1.2Gb ram, “vm0” is a Windows 2008 Xen Virtual machine with 1 Gb ram, and has access to two vCPUs (Xeon), “vm1” is a Debian with 128Mb ram, and also access to two vCPUs (Xeon). Nginx wins on static content (followed by Lighttpd). Apache wins by a little over nginx on PHP content in these tests.

Here’s another site with some stats.

Use this file to remove the bold chars and make it readable.

Examples: zero, one, four, vm1, Sauron

Screenshots below

Features:

• Add todo items
• Change todo items to completed
• List of (completed) todo items
• PHP + MySQL
• Basic Prowl support
• Example SQL create script
• There's NO login. Use .htaccess files to disable world wide access.

Screenshots:

Download:

version 0.1

Feel free to edit and use this simple agenda however you want.

Anyway, fixed!

Here are some examples:

Zero - One - Four - vm1 - Sauron

The config files:

Sauron (including Squid stats),

Zero (including fan stats).

List of files included:

• indexmaker; simple script (included with MRTG) to generate a simple index file with all the graphs
• snmp-if.sh; will show you the IDs of the interfaces on the server/pc. These IDs have to be edited in the mrtg.cfg file; e.g.:

Target[eth0]: 2:public@localhost:

Make sure 2 is indeed the ID of eth0. Be aware that virtual interfaces, like the TUN/TAP interfaces (using by openVPN for example), can change ID each time they are restarted/rebooted.

• mrtg.cfg; check the config file as an example.

Some day, I’ll write a decent howto, but for now, you’ll have to do with this.

If there’s any question, just leave a comment.

They mention iRail.be on Tijd.be and on L’Echo.be.

Fun !

Screenshot taken at 09h08.

On the official time displays in the stations the train of 09h06 to Antwerp Central was already removed at 09h05. They always do that. Even if the train is yet to arrive... Why?

Basicly, if you're 1 minute late, check the display, don't see your train; you're not even allowed to asume your train has already passed. No. It has been removed, but there's a good chance it has 10 minutes delay. Explain me the logics in this? Maybe this gives the impressions trains are rarely late? No red with +10 min?

Anyway, back to the screenshot. You can clearly see it has been barred, which means the train has passed and left the station, towards its next destination.

Now, why would they do that? If the train is yet to arrive (2ish minutes later)? To make us, poor customers, believe their trains are on time?

The train arriving at 09h10.

I know, it's only 4 minutes. But 1 minute can mean the difference between missing a train or not. And in times like this, and when NMBS talks about <realtime> information, correct information is the least we can expect?!

For me, this website is no more than a commercial stunt and to make us, customers, happy (in a fast and cheap way), when, in fact, the site is only displaying bogus information

Today (after canceling every train passing through Antwerp-Berchem, due to light problems), they launched Railtime.be. I must say I’m surprised in a positive way.

Ok, it has a simple (ugly?) layout, it uses asp and .htm extentions… But hey, we got a site, that isn’t too slow, and seems to provide correct information for now… :P

Too bad there’s no mobile version available.

Guess it’s one of those things to add to iRail… ;)

Over & out, going back to study!

Edit: Website: no delays, all ok; station: “unknown delay” (= 30+ mins)… SEEMS TO BE WORKING GREAT. REALLY.

If, for some reason, the buttons have two different sizes or you see some weird stuff, try to refresh the page. You should get the new & updated .css file.

There also were a little over 1000 visitors yesterday (Thursday) on the website. Not bad! :)

As for the *@irail.be e-mail addresses, they seem to be down due to bad DNS/MX records. It’s being solved as we speak, but might take a few hours to update.

Please use tuinslak [at] gmail [dot] com if you have anything to e-mail me.

• MYiPhone.be
• iPhon.fr
• iPhoneclub
• Belgium-iPhone (forum)
• iPhonic

Special thanks to these website, they have greatly improved the number of visitors so far.

Now, when submitting the same information through the iRail website, the same link was added to the results. Yet, these links were broken/unavailable, because the session with the NMBS/SNCB site was no longer valid.

I have now replaced these links with Google Maps links. They are not only displaying the station’s location, but also the directions (by car, that is. I guess Google won’t be adding “train directions” anywhere soon) to eachother.

This will open the native Maps app on the iPhone.

Special thanks to alastair for helping out on this one.

Thanks

• small link (top, left corner) to refresh/go to the main page
• fixed an issue where the dropdown menus would display HH:MM when it should be HH+1:MM - e.g. if the time was 17h55, it would display 17h00 instead of 18h00
• added a return/back button to the results page
• changed (shortened) the Dutch text of "noresults/" page, to fit the text on one line (on the iPhone)
• changed the settings icon to something more... "settings" and less "info"
• Removed the link from iRail.be to m.iRail.be. iRail.be will now be the main site
• added "arrival" and "departure" options, to specify whether you want to arrive or depart at that time
• created a bugs and feedback email address - bugs[@]irail[.]be and feedback[@]irail[.]be
• the touch-icon should be here soon

And expect some more updates by the end of the week. :)

You can change the language options on the settings page.

When starting to type in a station name (starting at the 3rd char), it will suggest station names, and you can just tab them to select. 

I made a txt file with all station names I found on the NMBS website. I hope it’s up to date, and if there are any stations missing, please report. :)

The station names depend on their location within Belgium. Flemish stations are Dutch only, Walloon stations French only. Everything inbetween (e.g. Brussels) is in both languages.

Thanks to Helene.

• changed color to dark blue
• added a seperate settings page (you can only change the results page language at the moment (the content downloaded from the NMBS website))
• language settings is saved in a cookie
• station info is saved in a cookie too, instead of a session
• changed date and time to use a dropdown menu and the menu should be updated to "now"
• and many more small changes

Website is accessible through this link: https://yeri.be

Thanks to Anner for the great feedback.

Basicly, this is what you can do:

• fill in departure station
• fill in arrival station
• fill in time and date (of departure)

At this stage of the project, only the basic train details are shown (departure time, arrival time) and up to 3 or 4 different possibilities (depending what the NMBS website replies).

There is no option (and I’m unsure whether there will be in the future) to see details about a selected trip (like stops and station changes).

The site is made in English, but you can choose in what language you want the results, the only problem I’ve seen so far is that for DE and EN all train station names are in French (Antwerp becomes Anvers), but this “bug” lies out of my hands, as all train information is received from the NMBS websites, including station names.

Basicly this is what it does: it opens a HTTP socket to the NMBS site, filling in your details (like date and stations), and gets the reply back (if the NMBS site replies in time, I’ve seen a few time outs).

All unrequired information is cut off, and you remain with just the trip details. Which should just fit your iPhone in landscape mode.

When filling in your station details, please use existing stations names (language shouldn’t matter), including Central, North, South, etc if needed. Requesting the station “Brussels” won’t work and will just display an empty page for now.

Things I’ll be working on:

• layout and design of the trip detail page
• I've seen that my Sessions do some weird stuff from time to time (refresh the main page 2x and all sessions are destroyed); but that's something I'll have to look in
• Well, I guess most users want more information, so I'll have to try to get trip details
• and better data handling. Still too much unrequired information.
• Error handling, if e.g. the station doesn't exist or the date/time is incorrect

Please leave your feedback/bug reports in a comment or per e-mail.

Also, if visiting the website with Firefox, IE or even Chrome… Yes, it’s not compatible to any of them. My website looks dodgy in those browsers; I’ve only focussed on the iPhone browser.

The time table and train managing software seems made in Germany. The NMBS “look up” site gives you the software and version it is using ("Software versie/dataversie: HAFAS 5.21.B-RAIL.4.7f/5.21.B-RAIL.4.7k - 14/09/08").

Googling for Hafas returns some cool websites.

Using this one, you can download a pdf with all train (including hours) info between two stations. Not quite the same as an API-key, but at least you have something you can save and use lateron.

This seems to be giving all stops a train will have (or all trains) between two stations. Though the “stoptrains” aren’t in the list, and the IR-train does stop at Mechelen-Nekkerspoel too, which isn’t on the list either. This PDF seems more accurate, and seems to be including all trains.

But still, the DB seem to be ahead of us (well, what country isn’t?). Here is one of the functionalities of HAFAS, which I haven’t seen on the NMBS site yet. Correct me if I’m wrong, but this seems something different. And… Windows-fucking-mobile-only.

Pretty much same problem with Thalys. They even made thalys.mobi, yet, when accessing it with the iPhone (as I lack other PDA-ish devices to test it at the moment) it doesn’t scale/resize/fit my screen, and is displaying the same window I have when browsing it with Firefox.

Wouldn’t it be cool if we had some open (xml?) API, where we could submit departure station, arrival station, and some time, and get a reply with one or multiple results?

I guess I would’ve hoped for more in these “mobile” days.

Edit: my attempt to make something.

Read the readme for installation howto. :)

This is actually also meant for me, as a reminder, for when I update the plugin. ;)

(Howto make a screenshot on the iPhone)

With the new Firefox (v3) and the wordpress update, I was no longer able to see my Wordpress stats on my dashboard.

Every (Wordpress) login attempt, to see the stats, resulted in… Well nothing. I just kept getting back to the login page. No error.

Actually, I have “third-party cookies disabled” on all my browsers; I don’t like to have cookies from sites I do not visit. And this was the cause of the problem.

Simply add an exception for “*.wordpress.com” and you’ll be able to view all your stats again. :)

Maybe I’ll post some mini review about it some day.

Anyway, here’s a interview with one of the developers/leaders.

And a nice mail from them (reply to an idea of mine):

PS Bedankt voor de inspiratie voor blog post van twee weken terug op de next web:

http://thenextweb.org/2008/08/08/soocial-will-totally-obliterate-plaxo-and-mobileme/

(Zie TUINSLAK onderaan ergens)

/me feels famous. Great for my ego. ;)

Submitting the required (and correct!) info, using my MasterCard, I received this helpful error page (roughly translated): “Order failed. Seller cannot sell item” and at the bottom, error code: 30001100.

I tried to execute the payments multiple times (you have no idea’s how many times I checked and rechecked my credit card number), reordered the item, other browser, and so forth. Nothing helped.

Googleing (Googling?) the error code, returned this.

Search for the error code, and you end up at this line:

When filling in the order, I was unable to choose where I lived, as it was set (uneditable) to Belgium (though I do live in Belgium… Most of the time).

As, at the time of the order, I was in The Netherlands, I quickly understood there was some ip to country check, and Mobistar only wanted Belgium buyers.

Though my MasterCard is hand out by a Belgian bank, and I guess you can’t have a credit card as non resisdential, it would seem logic to accept the payment anyway… But hey, can’t have it all!

Or perhaps use this error code:

Anyway, to solve this problem, you simply need to get a “belgian ip”.

Don’t bother to search for free anonymous Belgian proxies, it will likely fail (don’t even think about Tor) as no one is willing to share in this country… I had to set up Hamachi on a PC there (yes, because it won’t run on os x.5), remote desktop to a PC home, and make the payment/order again.

And guess what? Worked like a charm.

Talk about convient online shopping .. !

This so does remind me about ING and its useful error codes for the most stupid thing, which forced the customer to call the helpdesk, and get annoyed by commercial junk.

By the way, Google for Mobistar, and check out the “Mobistar iPhone is wrong/fail” sites so high in the search results… Haha, really something a company would like to see.

“You add <?xml:stylesheet href=“blabla.css” type=“text/css”?> to blabla.xml. You will notice that, once again, this will not work in Firefox for some weird reason. I suggest using Internet Explorer for this. Nevertheless, there’s a workaround for Firefox, using xml-stylesheet for you Firefox fans…”

Well well, let’s all blame Firefox (well, Gecko, to be precise) for not parsing this correctly! Especialy when xml-stylesheet is the only valid option set by W3C…

Some person (65.210.123.237) with User-Agent/browser “Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )” was downloading all files from my website. Totally ignoring robots.txt and requesting pages without providing a referral.

This seemed quite odd and didn’t seem to be a decent/real search robot. It kept requesting files every 3-4 seconds for about one hour. Decent search bots try to spread the load over a few minutes, and wouldn’t request about 1000 files (1.6 Gb) at once.

After some Googling I noticed I wasn’t the first person wondering what it was. And as it seems, no one had a clear answer who this bot is, or what it purpose is.

So, well, I banned it.