Categories
Guide Networking

HAProxy as a TCP reverse proxy with DDNS target discovery and load balancing

HAProxy is an excellent tool for forwarding or load-balancing TCP traffic. It is far more memory-efficient than socat and offers a persistent configuration between reboots, but without requiring net.ipv4.ip_forward to be enabled. Compared to NGINX, HAProxy offers a more comprehensive and user-friendly status page with far more metrics, which can be easily integrated with third-party monitoring services.

Categories
Guide Networking

A Cloudflare DDNS script that uses an API Token instead of your Global API Key

I have been using this simple bash script for a while for my DDNS needs. It is simple enough for quick deployment, and gets the job done. That is until Caddy2’s Cloudflare DNS provider moves away from Global API Key to API Token for the API access. This prompted me to rethink the security implications of using that script.

The Global API Key basically allows for *ALL* access to your entire Cloudflare account, which includes making changes to other domains under your account as well as your account settings. And this key is stored as plain-text within the script, to be placed on a server which you don’t have physical access — sounds a lot like the perfect recipe for a security nightmare. An API Token, on the other hand, is created with specific permissions. You can, for instance, create a Token that only has the permission to make changes to a specific domain, without the ability to add or delete anything.

Categories
Guide

Get Caddy 2.0 now with Cloudflare DNS Provider module for automatic TLS

Caddy 2.0 has finally entered GA since about a day ago, after three Release Candidates which I didn’t use. So now is high time to upgrade all our production servers to the latest and greatest version, because those 1.0.4 installation works really well and life is too boring when everything just works, we need to spice things up a little.

For Debian/Ubuntu distros, Caddy 2 now has an official repository at apt.fury.io/caddy/ which you can add to APT sources and then install it via apt install caddy. However, unlike the slick curl method in Caddy 1.x, it is no longer possible to include modules on-the-fly upon installation. If you need the popular Cloudflare DNS TLS Provider module to be included in Caddy 2, the only option at this point is to build it from source.

Categories
Guide 折腾

修改 ServerStatus-V 探针脚本配合 vnStat 2.x 版本使用

网上常见的改版 ServerStatus 探针里采用的流量统计是根据 python 函数 psutil.net_io_counters() 所返回的数值来显示的。所以每次系统重启就会清零,作为检测小鸡每月流量有没有跑超的实用性不大。后来发现了以 vnStat 流量统计为基础的 ServerStatus-V 项目,用比较科学的自然月流量采集方式补足了原来 ServerStatus 的短板,这也是我一直沿用的版本。

最近适逢 Ubuntu 20.04 LTS 问世,我把手头上一大波的 VPS 系统更新,大致顺利。但后来发现探针监控台里越来越多小鸡的流量报告均为 0 | 0。难道是更新后比较节省流量吗?当然是不存在的。强迫症发作下无可奈何只好研究一下代码…

果然,问题就出现在这行代码里:

Categories
Guide Software VPS

Installing the latest version of Aria2 in Ubuntu 18.04 LTS

Aria2 is a headless (command-line based) multi-protocol downloader. It supports the downloading of HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink resources. Many frontends exist for Aria2, they are available either as standalone apps, or browser extensions.

Technically Aria2 can function by itself, but I don’t consider its command-line functionalities to be usable for most. Thanks to its frontend-backend separation architecture, Aria2 can easily be deployed on headless servers, such as a VPS, where you can remotely push download tasks to the backend server. Since the actual download takes place on on the backend server and not your frontend device, you don’t have to worry about leaving your devices on or preventing it from entering sleep/suspend states.

Categories
Guide

Protected: NAT小鸡v2.0食用教程

This content is password protected. To view it please enter your password below:

Categories
Gadget Guide

Activating Google Mobile Services on a HUAWEI MediaPad M6 8.4″

My Huawei MediaPad M6 8.4″ tablet has just arrived as a replacement for the everyday tablet that I broke earlier. Shattered glass and shit. Being a super-thin bezels sucker, I find the M6’s sub-S$400 pricetag irresistible. It even has harman/kardon audio… but I was soon disappointed to find out that it doesn’t support aptX codec. In fact, the only Bluetooth codec it supports is SBC. Crap. Being a China-only model, the M6 does not come pre-installed with Google Mobile Services (GMS), which means we will need to deal with the dreaded GMS installation issue.