Alexandre Kalatzis alpha14

Usage

# Setup the service
curl -sSL https://gist.githubusercontent.com/VibroAxe/80d55cc32b5c3290d7ee8b44b9d9a8cd/raw/[email protected] | \
  sudo tee /etc/systemd/system/[email protected]

sudo useradd -g nogroup -s /bin/false -m autossh
sudo -u autossh mkdir -p /home/autossh/.ssh  # and copy your private key here
sudo -u autossh ssh-keygen -t ed25519 # Generate a new private key

Platform server side static redirects comparison

Feature	Gitlab	Cloudflare	Netlify	Example
Redirects	✔️ Yes `200`, `301`, `302`	✔️ Yes `301`, `302`, `303`, `307`, `308`	✔️ Yes	`/wardrobe.html /narnia.html 302`
Rewrites	✔️ Yes	✔️ Yes	✔️ Yes	`/* / 200`
Rewrites (other than `200`)	❌ No	❌ No	✔️ Yes	`/en/* /en/404.html 404`
Splats	✔️ Yes	✔️ Yes	✔️ Yes	`/news/* /blog/:splat`
Placeholders	✔️ Yes	✔️ Yes	✔️ Yes	`/news/:year/:month/:date /blog-:year-:month-:date.html`
Query parameters	❌ No	❌ No	✔️ Yes	`/store id=:id /blog/:id 301`

OpenSSL Cheat Sheet 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Exporting your 2FA tokens from Authy to transfer them into another 2FA application

IMPORTANT - Update regarding deprecation of Authy desktop apps

Past August 2024, Authy stopped supported the desktop version of their apps:
See Authy is shutting down its desktop app | The 2FA app Authy will only be available on Android and iOS starting in August for details.

And indeed, after a while, Authy changed something in their backend which now prevents the old desktop app from logging in. If you are already logged in, then you are in luck, and you can follow the instructions below to export to tokens.

If you are not logged in anymore, but can find a backup of the necessary files, then restore those files, and re-install Authy 2.2.3 following the instructions below, and it should work as expected.

Setting up an autossh reverse tunnel

1. Set up sshtunnel user

Follow this tutorial until step five-ish

If the test does not work because of "public key" issues, run sudo passwd sshtunnel on the server to change the password of the user. (If sudo tail -f /var/log/auth.log says the account is locked, this will be the issue.)

authorized_keys should look a little like:

Note (December 16, 2021): These example files haven't been updated since 2016. In either 2019 or 2020, our onion domain was changed to a longer v3 onion address (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion). The examples below don't reflect this, but the configuration portions remain accurate regarding how we currently serve the onion site. (Tor Browser dropped support for v2 addresses, such as propub3r6espa33w.onion, in the second half of 2021.)

These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.

UFW

I use Ubuntu’s Uncomplicated firewall because it is available on Ubuntu and it's very simple.

Install UFW

if ufw is not installed by default be sure to install it first.

	#!/boot/bzImage

	# Linux kernel userspace initialization code, translated to bash
	# (Minus floppy disk handling, because seriously, it's 2017.)
	# Not 100% accurate, but gives you a good idea of how kernel init works
	# GPLv2, Copyright 2017 Hector Martin <[email protected]>
	# Based on Linux 4.10-rc2.

	# Note: pretend chroot is a builtin and affects the current process
	# Note: kernel actually uses major/minor device numbers instead of device name

	import time

	import psycopg2

	from iter_file import IteratorFile

	conn = psycopg2.connect(host="localhost", database="test")

	# args = [(1,2), (3,4), (5,6)]
	args = [(i,i+1) for i in range(1,110*4,2)]

	openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
	chmod 600 id_rsa.pem