• Allowing File Uploads direct from Dropbox

    It's been over 3 months since Dropbox announced the availability of 'Chooser', a simple way to allow users to upload files to your site direct from their Dropbox, but I've not seen it in use anywhere. That's a little dissapointing really, partially because it's incredibly simple to use and implement, but also because I was really hoping it might prompt some of Dropbox's competitors to create something similar.

    It makes life a lot easier for your users (especially those who want to upload from a *cough iOS* device with file uploads disabled ) and the hassle of setting it up is minimal.

    In this post, I'll be showing how to implement the Dropbox chooser into a simple PHP site

  • Asus Nexus 7 Charger Port Repair

    The ASUS/Google Nexus 7 suffers from an issue where the USB charging port wears out, so the charger no longer makes proper contact and the device won't charge. The headphone socket (which is on the same board) can also fail.

    In order to repair this, a small board must be replaced (which will mean replacing the headphone port as well). Replacement boards are available on Amazon for about £8. It's a pretty straightforward process, and doesn't require any special tooling.

    This documentation will walk you through the necessary steps (there's a video at the bottom for those who'd prefer a video guide) to remove the old USB charging port and install a new one.

  • Building a DNS over TLS (DoT) server

    I previously posted some documentation on how to build a DNS over HTTPS (DoH) Server running Pi-Hole and/or Unbound.

    There's another standard available, however - RFC 7858 DNS over TLS (DoT)

    DoT isn't as censorship resistant as DoH (as it's easier to block), but does provide you with additional privacy. It also has the advantage of being natively supported in Android Pie (9), so can be used to regain control of your queries without needing to run a dedicated app link Intra, with all the issues that might entail.

    In this documentation we're going to trivially build and place queries against a DoT server.

  • Building and running your own DNS-over-HTTPS Server

    There's been a fair bit of controversy over DNS-over-HTTPS (DoH) vs DNS-over-TLS (DoT), and some of those arguments still rage on.

    But, DoH isn't currently going anywhere, and Firefox has directly implemented support (though it calls them Trusted Recursive Resolvers or TRR for short).

    Although DoH offers some fairly serious advantages when out and about (preventing blocking or tampering of DNS lookups by network operators), when left with default configuration it does currently come with some new privacy concerns of it's own. Do you really want all your DNS queries going via Cloudflare? Do you want them to be able to (roughly) tell when your mobile device is home, and when it's out and about (and potentially, also your employer - if they own the netblock)? The same questions of course go if you use Google's DNS too.

    That, however, is addressable by running your own DNS-over-HTTPS server. This also has advantages if you're trying to do split-horizon DNS on your LAN, so I'll discuss that later too.

    The primary purpose of this documentation is to detail how to set up your own DoH server on Linux. The main block of this documentation is concerned with getting a NGinx fronted DoH server backed by Unbound up and running, but will also discuss the steps needed to add Pi-Hole into the mix.

    Unless otherwise noted, all commands are run as root

  • CentOS: Using NGinx as an SSL Reverse Proxy for Apache

    A little while ago, I published a guide to configuring NGinx to act as a Reverse Proxy for Apache. Although it was briefly mentioned, we never went through the steps necessary to configure NGinx to work in this manner for SSL connections - we simply left Apache listening on port 443.

    This documentation details how to go about configuring NGinx to handle your SSL stuff as well. It assumes you've already generated CSR's and got the SSL certificate to use (presumably because they're already being used by Apache).

  • Communicating with HomePlugAV Devices using Python

    I've got a couple of pairs of ON Networks' PL 500 HomePlugAV Powerline Adapters and have been playing around with them to see how they compare to the Computrend 902 devices I played around with 5 years ago.

    I'm still playing around with the kit, but thought I'd document a very basic example of how to send commands to the devices using Python - the instructions should work for any kit based on Qualcomm's INT6x00 and AR7x00 chipsets (mine use the AR7420/QCA7420) - we'll be changing one of the encryption keys (the NMK) that the devices use

  • Configuring LetsEncrypt on a CentOS 6 NGinx Reverse Proxy

    For those who haven't come across it, LetsEncrypt allows you to obtain free DV SSL Certificates but requires a server side script to be run periodically in order to renew the certificates (for better or worse, a 90 day expiration period has been used).

    Although the provided script has plugins to allow support for automatically generating SSL certs based on NGinx and Apache configurations, the script assumes that the server is the origin and that the relevant docroot is available for writing to.

    In the case of a reverse proxy - this won't be the case. We want the certificate on the Reverse Proxy (being the endpoint the client connects to) but the websites files are hosted on another server.

    This documentation details a simple way to work around that on a NGinx reverse proxy (it should be possible to adjust the config for Apache's mod_proxy if needed).

  • Configuring Pi-Hole to update blocklists more regularly

    By default Pi-Hole updates it's block lists once a week.

    Broadly speaking, this is fine for blocking Ad domains (although the recent trend towards advertisers generating new domains does undermine that a bit).

    But, if you've added a Phishing block list (as detailed in Building Your Own DNS over HTTPS Server), this is far less optimal - Phishing domains tend to do the majority of their damage during the first 24 hours, so only getting an update into the blocklist (potentially) 7 days later isn't much use.

    In this post we'll walk through the (simple) procedure to have Pi-Hole update the gravity lists more frequently

  • Configuring Postfix to block outgoing mail to all but one domain

    This is so simple to do, but I have to look it up every time I need it (not something that comes up regularly!);

    When configuring a development server, you may find you have a need to ensure that emails will not be sent to any domain except those you explicitly permit (for example if you're using real-world data to do some testing, do you want to send all those users irrelevant emails?).

    This documentation details how to configure Postfix on a Linux server to disregard any mail sent to domains that are not explicitly permitted.

  • Copying a Linux Kernel From One System to Another

    There may be occasions where, for testing purposes, you want to copy a kernel from one machine to another.

    There are some fairly self-explanatory caveats:

    • The donor and target system must be running on the same architecture
    • The target machine shouldn't have any (important) hardware that's unsupported by your donor kernel

    Obviously, you'll ideally want to make sure that the hardware is as close to identical as possible (otherwise your testing may be invalid) so the above should be considered a minimum

  • Creating a virtual Network Interface in CentOS 6

    Sometimes you need to assign more than one IP to a server, even if it only has one NIC. To do so, you create a virtual interface, attached to the physical NIC.

    This documentation details how to do this in CentOS 6

  • Creating a Virtual Network Interface in Debian

    There are times when you might want to assign more than one IP to a system, even if it only has a single physical NIC. This documentation details how to create a virtual network interface (known as aliasing) under Debian (see here for how to alias in Centos 6).

  • Gameboy Cartridge Battery Replacement

    Pokemon has been around for years, and it's awesome to see kids fall in love with something I played when I was younger (though I never developed quite the obsession with it that some did).

    For many, Pokemon on the Gameboy was the most memorable. Unfortunately, those cartridges have been doing the rounds for two decades now and are often in need of a little rescue.

    Within the cartridge is a CR2032 battery which maintains a charge to the SRAM so that things like save files are retained. There are sometimes some early signs of failure (like the clock going out of sync), but once the battery goes flat you'll generally find that save files will be lost whenever the cartridge is removed.

    Changing the battery is relatively straightforward, though you will need to make or obtain a special tool for it. This documentation details the process.

    I've used a Pokemon Red cartridge for this example, but have just been through the process for Red, Blue, Crystal, Green, Gold, Silver & Yellow. Once you've done one, the others follow on quite easily.

  • Google Nexus 7: Replacing Headphone and Charger Socket

  • Short video detailing how to remove the back cover from a Google Nexus 7 in order to replace the USB charger port and headphone socket to resolve issues around it not charging. The written process can be found here

  • Honda Civic EGR Valve Replacement

    This documentation details how to remove and replace the EGR Valve on a 2004 Honda Civic 1.6 with a Petrol engine.

    You may need to do this if you're getting an engine management light (MIL) with diagnostic code P0401 (EGR Flow Insufficient). Some people prefer to start by cleaning the valve rather than replacing it - the process is exactly the same as detailed here, just that you'll put the old one back on after cleaning it (remember to order a new EGR gasket though).

    Honda used a variety of engines in different models of the civic though, so your EGR may be different. Before starting, pay close attention to the first picture in this document to check that your EGR location is the same (the EGR valve is the thing within the blue sticker on it in the photo).

  • Hosting TOR Hidden Services (.onions)

    The level of effort required to set up a TOR Hidden Service (known as a .onion) largely relates to the amount of paranoia you need to exercise regarding your anonymity.

    Whilst the ins and outs of Operational Security (Op-Sec) are a little too intricate for a single post, this documentation will take you through the steps required to configure a Debian server to host a .onion site with reasonable protections in place.

  • Installing iRedMail on Debian (Jessie) 8

    I've run my own mail server for quite some time, but it's started to reach the point where a refresh is probably in order.

    Normally, I'd prefer to build from scratch, but I thought, this time, I'd have a look at some of the "off-the-shelf" solutions that now exist. Mailinabox was quickly discounted because there's no real configurability, which doesn't sit well with me (it does simplify installation, but makes long-term management that much harder).

    iRedMail seems to have a reasonable following, and a scan of it's website and documentation suggested that it is, at least, reasonably sane.

    This documentation details the process I followed to install iRedMail on Debian 8 (Jessie). I used Jessie rather than Stretch (9) because that's what the VM I was repurposing was imaged with.

  • Keeping Hitcounts accurate when using an NGinx Caching Proxy

    In previous documentation, we've configured sites to use NGinx as a Reverse Caching Proxy, leading to hugely improved response times on popular content. We've also implemented a custom configuration so that we can refresh the cache periodically, ensuring that dynamic content (such as Twitter modules) updates.

    One thing we haven't done as yet, though, is to address the issue of internal hitcounts. We've looked specifically at using NGinx with Joomla, and noted that a side effect would be inaccurate hitcounts displayed within Joomla (which remains true even when using the internal page caching).

    In this documentation, we'll be implementing a small script to ensure that hits served from the cache are still recorded within Joomla (or Wordpress, Drupal - whatever you happen to be using), albeit a little while after they happen.

  • Linking a Git Repo with Pivotal Tracker

    Everyone seems to use GitHub nowadays, but occasionally you want a private repo (without paying), so you set up a local Git repo instead. The problem being, you often lose the integration with the other tools that you use to manage projects. Git has the ability, but it is somewhat reliant on you having the relevant scripts available (such as post-receive).

    This documentation details how to configure your Git repo to link up with Pivotal Tracker.

  • Making your Joomla Site Fly with NGinx Reverse Proxy Caching

    I've written previously about configuring NGinx to act as a reverse proxy for Apache, as well as some of the specific tweaks you need to make if you're serving a Joomla! based site. In this documentation, we're going to look at how to use NGinx's Reverse Proxy caching feature to make your site really fly.

    There are a small number of technical hurdles which we'll overcome to ensure that the user is experience is fast and smooth without losing interactivity on those sites which demand it.