Qualys SSL Labs is a website for testing server SSL functionality, often used as a reference when configuring servers. Typically, we only consider its rating (A+, A, B, C, D, E, F, T), where achieving A+ is considered excellent server configuration. However, SSL Labs also displays sub-scores next to the rating, and my main site hasn't maxed out all of them. What would it take to achieve perfect scores across all SSL Labs subcategories, and what practical significance does it hold? I installed nginx on a VPS not hosting any website and configured it to successfully achieve a perfect score, as shown in the image or here: For comparison, here's this site's rating (also viewable here):...

CommentToMail Modified Version
Recently, I suddenly noticed that the daily emails from my self-built Baidu Tieba check-in system had stopped, though the check-ins were still happening normally. When I checked the Mailgun interface, the status was all red: The logs showed a long list of bounce messages sent to my Outlook mailbox, such as: The error indicated that Mailgun's entire AS (Autonomous System) had been blacklisted by Outlook. It was now completely unusable. The good news is that many email service providers offer similar services to Mailgun, such as SendGrid. I quickly registered an account on their website, enabled SMTP, and connected my Tieba check-in system, NextCloud, and other services without any issues. The bad news is that my blog uses CommentGun, which I specifically developed for Mailgun,...

Enabling TLS 1.3 for nginx and Passing to FastCGI Backends
OpenSSL provides experimental support for TLS 1.3 in its latest beta version, including a series of performance and security optimizations. The latest nginx 1.13 series has also added relevant options for TLS 1.3. However, since TLS 1.3 is still in draft status, there are some challenges to overcome when using it now: TLS 1.3 currently has three draft versions (18, 19, 20) implemented by OpenSSL and others, but they are mutually incompatible, and no SSL library combines all three. Browsers like Chrome and Firefox widely use draft version 18, but this version of OpenSSL doesn't support TLS extensions, which are required for Certificate Transparency. Although the latest nginx-ct plugin adds Certificate Transparency support for TLS 1.3, due to issue #2,...

Joining the DN42 Experimental Network
2020-03-16 Notice This article has an updated version: see 《Introduction to the DN42 Experimental Network (2020 Edition)》. The new version features a more detailed registration process and has been updated to reflect changes in DN42 over the past three years. The following content was written in 2017 and is for archival purposes only. DN42, short for Decentralized Network 42, is a large-scale VPN network. Unlike traditional VPNs, DN42 utilizes technologies commonly deployed on internet backbones (such as BGP), effectively simulating a real-world network environment. Due to its realistic nature, the barrier to entry for DN42 is relatively high. You'll need to act as an ISP (Internet Service Provider): register an ASN, obtain IPv4 and IPv6 address pools,...

Establishing Dual-Stack Intercommunication Network Between Multiple Docker Servers Using ZeroTier One
Preface Achieving intercommunication between containers on multiple Docker servers is a challenging problem. If you build your own overlay network, you need to set up services like etcd on one server. But if the server hosting etcd crashes, the entire network goes down. The cheap VPS I use occasionally experiences network interruptions, and I often accidentally crash servers myself, so this approach isn't feasible for me. Docker also has other commercial overlay networking solutions like Weave, but for individual users, these solutions are too expensive (I'm just experimenting for fun), so they're not considered either. In these network architectures, central servers like etcd or Weave record which server each container is on and its internal IP, allowing DNS resolution to any container....

Typecho Comment Email Notification Plugin Based on Mailgun
Often, when replying on websites with self-hosted comment systems like WordPress or Typecho, one has to constantly check back to see if their comment has been replied to. However, for most people, this is very inconvenient. A common solution for bloggers is to install an email notification plugin. When a commenter's comment receives a reply, an email notification is sent to alert them. The most widely used plugin on Typecho is CommentToMail, initially developed by DEFE and later maintained by Byends Upd. This plugin sends emails using standard methods like PHP Mail, SendMail, or SMTP. However, instead of registering dedicated email accounts for notifications, bloggers are now adopting email platforms like Mailgun. These platforms provide API-based email sending capabilities,...

Migrating the Website to Docker
Docker is a container management software for Linux. Each container is functionally similar to an OpenVZ VPS, allowing isolation of applications on a server. This isolation enables different versions of the same software or conflicting applications to run on the same server. For example, MySQL 5.7, MySQL 5.6, and MariaDB 10.1 can run simultaneously in three separate Docker containers on one server. However, Docker surpasses OpenVZ in its more flexible Linux kernel version requirements. OpenVZ kernels remain stuck at 2.6.32 (stable) and 3.10 (development), while Docker runs on any Linux kernel above 3.10. My server currently uses Linux kernel 4.9 (for BBR support), which clearly cannot run OpenVZ but works perfectly with Docker....

GetIPIntel Plugin for Typecho
An introduction to GetIPIntel can be found in this recent article. I've developed a Typecho plugin that blocks visitors using proxies from commenting or sends their comments directly to the spam bin. Features: multiple mode options (Blacklist only, Quick Check, Full Check); various handling measures (Manual review, Send to spam bin, Submission failure); custom threshold. The plugin can be downloaded at https://github.com/xddxdd/typecho-getipintel . Simply place the GetIPIntel folder into the usr/plugins directory....

GetIPIntel Anti-Fraud Service
You never know whether the person chatting with you online is a human or a dog. The anonymity of the internet greatly facilitates online fraud. A few years ago, several webmasters in a student webmaster alliance had their email addresses leaked. Troublemakers then used Go^_^Agent to impersonate them, using their common usernames and email addresses to harass other bloggers in the alliance, causing widespread chaos. The widely used Akismet clearly failed to help, and blocking IPs afterward proved ineffective (the troublemaker would hit-and-run). Popular anti-fraud services at the time, like MaxMind, required high fees that ordinary webmasters couldn't afford. But now,...

Support WebP on IE and Firefox
I wrote a PHP snippet to fetch high-resolution images from the website of the Himawari 8 satellite and combine them into one high-resolution image. The way to fetch satellite images is available here. However... The combined 4d resolution PNG image (2200x2200) is over 7 MB in size, and due to the bad connectivity between China and the US, it takes over a minute to load the image (from my server). Way too slow! Google provided a solution: the WebP image format. WebP is famous for its high compression ratio in lossless compression scenarios. After converting the 7 MB earth photo PNG file to WebP, the resulting file size is less than 700 KB. For a photo with resolution 2200x2200, this is pretty small. But... Some browsers, including IE and Firefox, don't support WebP,...