Forcing apt-get to use IPv4

When or if you run into trouble with apt-get and IPv6 connections timing out or not resolving properly at all, it may be a good idea to simply prevent apt-get from using IPv6.

Use

-o Acquire::ForceIPv4=true

when running apt-get, or create /etc/apt/apt.conf.d/99force-ipv4 and put

Acquire::ForceIPv4 "true"

in it.

If this does not work for you, you may want to have a look at /etc/gai.conf (this will, however, affect your system on a deeper level for IPv4 vs IPv6 connectivity). If you’re not interested in IPv6, it should cause no problems.

See more from @geek1968 on Instagram

Please use proper message headers (FFS)

Writing software that deals with automated message processing on the Internet is, in a word, painful. The number of people who cannot seem to read simple specifications and/or proposals is staggering.

And one would think that if you can’t read specifications, you’d at least bother to “View message source” on a few thousand e-mail message to get a feel for how some other (well known) companies are doing it, INSTEAD OF INVENTING YOUR OWN STANDARD.

So, if you’re sending out automated e-mail messages, for example, please add one of these headers:

auto-submitted
x-auto-response-supress
precedence
feedback-id
x-autoreply

I’ll leave it as an exercise for the reader to look them up … and if you’re doing some kind of mailing list stuff, please add:

list-id
list-unsubscribe

Thank you!

You may now resume sleep mode.

Using Thunderbird with Gmail and OAuth2

I’ve been using the Mozilla Thunderbird e-mail client for … a long time. Google has had a “Less secure apps” policy, where you explicitly have to enable a setting to allow external access to things like e-mail over IMAP, and so on. Google has also been warning their users about upcoming changes, where clients that cannot authenticate using “secure methods” (such as OAuth2), will no longer be able to access things like e-mail over IMAP.

Fortunately (for me), Mozilla Thunderbird can handle this just fine 🙂

Incoming settings

Make sure you are using IMAP and not POP3. Go to your account settings. Go to server settings. You should see the IMAP settings (imap.gmail.com:993, etc). Make sure connection security is set to SSL/TLS. Set the authentication method to OAuth2 and re-start Thunderbird. You will be prompted with a Google Login Page. Enter your credentials for the account. Once Google has successfully verified the credentials, it will tell you that Thunderbird wants to access certain things. Allow this, and … you’re done. To verify that everything worked out as it should, re-start Thunderbird once more. You should not be getting any prompts this time.

Outgoing settings

To access settings for outbound e-mail using Gmail, click on the account name in the list to the left of the Account settings window. At the bottom, to the right, you will see Outoing Server (SMTP). Choose to Edit SMTP Server. Again, check your settings to be smtp.gmail.com (587), STARTTLS, and set the Authentication method to OAuth2, just like you did for IMAP. Re-start Thunderbird.

Repeat this procedure for all your Gmail accounts configured in Thunderbird.

Troubleshooting WordPress re-directs (301)

While trying to configure some internal URL re-writing in nginx for a WordPress site, I ran across an annoying issue:

Regardless of my re-writing efforts, WordPress would issue a re-direct (301) header (?!)

This wouldn’t have been such a big deal if I didn’t want the URL to stay the same in the browser’s address bar. If I didn’t have that requirement, I would naturally have used a simple re-direct.

After spending some time troubleshooting this, and making sure nginx was actually doing what I wanted it to do, I ran across a few posts talking about disabling “canonical redirects” (sic) in WordPress. So adding this snippet to the end of the active theme’s functions.php:

remove_filter('template_redirect','redirect_canonical');

got rid of WordPress re-directs. Unfortunately, another plugin “stepped in” and started doing it instead (this time, it was the Polylang plugin). I’m sure there are a number of other plugins that exhibit this behavior, and it may be possible to circumvent this in many/most/all of them by using something similar to the above snippet, but I still haven’t solved the actual problem.

Using cURL to debug URL re-writing and URL re-direction can save you a lot of time, like this:

curl -I https://yourwebsite.foo

(Please note that the issues I have experienced here are not related to nginx. This would happen in Apache too as the re-directs are issued by the WordPress stack. Once control is handed off to PHP, there’s little the web server can do.)

If you’re playing with nginx, PHP-FPM, and URL re-writing, you may also find this post of interest: URL re-writing with nginx, PHP, and WordPress

URL re-writing with nginx, PHP, and WordPress

There are many posts about nginx, re-directs, PHP, and WordPress. There are somewhat fewer posts that talk about (internal) re-writes, where the request by the web browser is mangled to be served by another resource than the one requested.

For example, I may want a request for https://mysite.foo/cool/penguin to actually be served by https://mysite.foo/coolstuff.php?id=penguin, or simply setup an alias such as https://mysite.foo/cool/penguin to be served by https://mysite.foo/cool/linux, but preserve the URL in the browser address bar.

With PHP-FPM and nginx, you run into an additional problem, which is the fastcgi_parm variables that are passed from nginx to PHP-FPM. So even if you have really fancy URL re-writing configured (and working), the end result may not be passed on to PHP-FPM from nginx.

So solve this, you should look into this construct, which is present in many nginx configurations as a default setup:

fastcgi_param REQUEST_URI $request_uri;

Since your needs probably differ from mine, I wont make this post any longer than it has to be, but that fastcgi_param line above may be a good starting point if you’re experiencing problems with nginx, PHP-FPM, and URL re-writing.

Good luck!

FrontDoor Inbox, med information på svenska

FrontDoor InboxNu finns det även information om FrontDoor Inbox på svenska här: frontdoorinbox.se.

FrontDoor Inbox är okomplicerad GDPR-säker ärendehantering som arbetar för er och hjälper er organisation förbättra arbetsflödet i konversationer med kunder och blivande kunder.

Utvecklat i Sverige. Driftat i EU. Support på svenska.

Hello FrontDoor Inbox!

FrontDoor InboxAfter years of internal use, we decided it was time to turn the FrontDoor Inbox Ticket system into a SaaS, or Software-as-a-Service at WebbPlatsen. For people that know some of my background, the name comes as no surprise, and I have to admit it does make sense when you think about it.

We played with quite a few “ticket systems” or “Helpdesk software” before putting down the first few lines of code for FrontDoor Inbox, and the biggest reason was, and still remains, simplicity. When the decision was made to go ahead and develop our own software to somehow get a grip of our the e-mail chaos, we simply couldn’t find anything affordable that did what we wanted it to do.

So if your company, or your organization, be it small or less than huge, need a service that’ll help you keep track of support conversations in a safe, GDPR-compliant, efficient, and rather straightforward way, you may want to check out FrontDoor Inbox.

The first lines of code were written in 2008, and during the eleven years that have passed since then, it has been rewritten a number of times, and we and our clients have been using it to handle hundreds of thousands of support tickets and e-mail inquiries. The current release is 2019.3 and it will help you turn chaos into order.

Keep track of FrontDoor Inbox on Twitter (@frontdoorinbox), or head on over to frontdoorinbox.com for more information.

What’s My IP?

There are a number of ways to figure out your public IP address automatically, which can be extremely useful for Dynamic DNS (DDNS) situations or other automation ventures, these are some of them:

dig +short @resolver1.opendns.com ANY myip.opendns.com
curl https://ifconfig.co
curl http://whatismyip.akamai.com/

It would be nice if the Cloudflare DNS service (1.1.1.1) supported this too!

Your “cookie disclaimer” is not enough

With various legal directives in place throughout the world, website owners are “off the hook” by providing a cookie disclaimer and the possibility for the visitor to “opt out”. Some websites have a rather odd approach where they refer you to a page with a vast amount of information abou their “data partners” and invite you to “opt out” on their partners’ page(s). It goes without saying that many people don’t bother because it’s just too much work (which is exactly the purpose).

But when your website designer relies on “web fonts” and/or resources from a content distribution network (CDN) like Javascript libraries, you are also, indirectly leaking some visitor data to the companies hosting such resources. Granted, you’re not “leaking as much data”, but with analytical AI and the huge amounts of data many of these “analytical companies” already have on your visitors, you’re simply providing one more piece of the puzzle to them. Free of charge.

The cost of free is perhaps hard to measure for you and me, but Google and others know exactly how much the data about your visitors is worth.

Ain’t that something.

New Cookie Disclaimer-proposal:

“By continuing to our site, you are agreeing to the collection of data about yourself beyond your wildest imagination and possible comprehension. We could explain it, but you wouldn’t get it anyway.  [OK]”

PS. Hosting external libraries and web fonts on CDN is not always such a grand idea when it comes to website performance. For each and every different such external “site address”, a new session handshake (SSL/TLS/etc) between the visitor’s web browser and the CDN is required.

Cookies in the jar turns into whiskey in the jar

For almost as long as “cookies” have existed on the Internet, companies have made a habit out of using them to track you, your “behavior” on the Internet, and to turn you into something “measurable”. For almost as long, there have been countermeasurements: “cookie blockers”, “ad blockers”, “privacy shields”, and so on. Cookies are, of course, only one of many data points being collected about you while using the Internet.

Companies using third-party service for anything from payment solutions to advertising and the collecting of statistics often don’t fully understand the implications of their choosing one service over another. And for the past several years, this has turned into a rat race.

On one side of the fence, there are companies like Facebook, Google, Quantcast, Amazon, Cambridge Analytica, and other, that want to know everything about you at almost any cost, and on the other side of the fence we have tools to “protect our privacy” during our online experience such as VPN, “ad blockers”, “privacy shields”, “Facebook containers”, “Privacy Badger”, and so on. (None of these tools will prevent you from being tracked by those to make it their business to track you, they are way ahead of such trivial attempts.)

So now people are blocking sites, all kinds of sites without necessarily understanding the implications of their actions. What makes it harder to distinguish “good sites” from “bad sites” is that quite a few of these “trackers” and “cloud asset sites” use sub-domains, like aj38305.trackyourcookies.com, so we end up blocking everything from “*.trackyourcookies.com”.

A company’s e-commerce site using third-party services to collect statistics and “web insights” can quite easily shoot itself in the foot, as the same services are also used in the payment verification process. I have had countless “Verfied by Visa” and “Secure Checkout” transactions fail because I choose to block certain sites, or prevent them from setting cookies. So this actually leads to poor sales performance, rather than enhancing it.

Companies using third-party services for e-commerce checkout solutions need to ask the service provider the question: Will your payment solution work with “ad blockers” and “privacy shields” before using them, or risk losing customers who find far less privacy intrusive services.