Just a few days ago, HE.NET Tunnelbroker's French server experienced an outage. When I configured my Kimsufi server, I assigned the native IPv6 addresses to ESXi for exclusive use (as described in this article), leaving pfSense with only native IPv4 and obtaining IPv6 addresses through Tunnelbroker. Consequently, all virtual machines on the server lost IPv6 connectivity. More critically, since I had set up a NAT64 service on the server following this article, and configured pfSense's DNS resolution to prioritize Google DNS's NAT64 servers (2001:4860:4860::64 and 2001:4860:4860::6464) with IPv4 as fallback, DNS resolution almost completely failed due to the IPv6 outage combined with pfSense's long DNS timeout settings. To prevent such cascading failures from recurring,...
Configuring LDAP Authentication for nginx
My various servers host different services, each with its own username/password system, making unified management difficult. If my password were compromised in the future, changing them individually would be extremely tedious. Therefore, I want to use a dedicated service to manage usernames and passwords, with all other services obtaining authentication information from it. LDAP is one of the commonly used authentication protocols. Not only do many applications natively support it (including Jenkins, pfSense, etc.), but through plugins, nginx can also support it, adding unified authentication management to any web-based service. Adding the Plugin If your nginx is compiled from source, adding the LDAP plugin only requires three steps: apk add openldap-dev git clone https://github....

Writing Stories in Traceroute
2020-10-11 Update Now a better way exists that doesn't involve a bunch of Docker containers. Please refer to Writing Stories in Traceroute, Elegantly. Intro Traceroute is one of the popular tools for network inspection. It shows the IP addresses of routers on the route from your computer to a destination server, similar to: Domains are shown on the last 2 hops, which is the IP's reverse DNS record. Reverse DNS records exist as PTR records in the format of 4.3.2.1.in-addr.arpa. For more information, you may refer to Setting IP Reverse Records in DN42. However, PTR records need not be real domains. They can be any string that "looks like" a domain. With this, we can write one sentence on each hop of a Traceroute path to make a story: This story is set up in DN42....
Building ARM Docker Images on x86, Automated Builds with Docker Hub and Travis
Typically, Docker images are created by running specified commands step-by-step within an existing image. This process poses no issues for most users on x86 architecture computers, as the architectures are compatible. Images built on one machine can usually run directly on others, unless the programs within the image use newer instruction sets like AVX. However, there are ARM-based hosts that can run Docker and execute specially compiled ARM architecture images. These include Raspberry Pi series and similar boards like Cubieboard, Orange Pi, Asus Tinker Board, etc. Additionally, hosting providers like Scaleway offer ARM-based dedicated servers. Since ARM architecture systems cannot run on x86 computers, you can't directly generate ARM architecture images via Dockerfile on x86 machines....
Optimizing Docker Image Size
Since switching from OpenVZ-based VPS to KVM-based VPS, I've been using Docker to deploy essential services like nginx, MariaDB, and PHP for my websites. This approach not only simplifies restarting and managing configurations for individual services (by mapping all configuration directories together using volumes) but also streamlines service upgrades. For example, my blog's VPS has limited resources, with memory usage consistently around 80% recently. When updating nginx or adding modules, compiling directly on this VPS would be slow and risk crashing the site due to insufficient memory. With Docker, I can build images on other resource-rich VPS machines or my local computer, push them to Docker Hub, then pull and run them on the production VPS. However,...
nginx: TLS 1.3 Multi-Draft Support and HPACK
It has been 11 months since I last enabled TLS 1.3 for nginx. After nearly a year, many nginx-related programs and patches have undergone significant changes: OpenSSL has released beta versions of 1.1.1, with the latest being 1.1.1-pre8 (Beta 6) at the time of writing. nginx has been updated to version 1.15.1. Bugs in nginx's HPACK patch (HTTP header compression) have been fixed by subsequent patches. Using the original HPACK patch causes abnormal website access, manifesting as protocol errors when attempting to load subsequent pages after the first. A developer has released an OpenSSL patch enabling the latest OpenSSL to simultaneously support TLS 1.3 draft versions 23, 26, and 28. Let's Encrypt certificates now include Certificate Transparency information by default,...

Installing and Upgrading ESXi on Kimsufi Dedicated Server and Setting Up a Software Router
Kimsufi is a budget brand under French company OVH, specializing in renting high-performance servers at extremely affordable prices. I personally rent the KS-4C model, featuring an i5-2400 processor, 16GB RAM, 2TB HDD, 100Mbps unmetered bandwidth, for just 13 euros/month. Its exceptional value makes it perfect for running virtual machines for experiments. VMware ESXi (now also called vSphere Hypervisor) and Proxmox VE are two popular operating systems specifically designed for virtualization, both available for free. Crucially, Kimsufi's control panel offers one-click installations for both systems. However, during my usage, I found that Proxmox VE frequently suffered from unresponsive remote VM connections (VNC black screens) or keystroke loss (especially critical during password entry)...

Writing Configuration Files to Enable Thunderbird Auto-Configuration for Domain Email
Many people have set up email systems on their own domain names. I also use Zoho's domain email service for my main site lantian.pub. However, a major drawback of using domain email is that it's difficult to remember server addresses for POP3, IMAP, SMTP, etc. Whenever reinstalling a system or an email client requires reconfiguration, you have to log back into the email system to check the server addresses, which is quite troublesome. If you use the Thunderbird email client, you may notice during account setup that Thunderbird has a "Retrieve settings from email provider" process. This essentially requests an XML document from the domain's web server containing email server configurations. By manually creating this configuration file and hosting it on your web server,...

Setting Up IPv6 Reverse DNS in DN42
DN42, short for Decentralized Network 42, is a large-scale VPN network. Unlike traditional VPNs, DN42 utilizes technologies commonly deployed on internet backbones (such as BGP), making it an excellent simulation of a real-world network environment. In a previous article, I joined the DN42 network, registered my own domain in another article, and set up my own DNS server. Later, in this article, I configured IPv4 reverse DNS. At that time, due to some outdated information on the DN42 Wiki, I mistakenly believed IPv6 reverse DNS couldn't be configured. However, I've since confirmed it's possible through experimentation. Since the setup process is largely similar, this article will share significant overlap (copy-pasted content) with the earlier IPv4 guide....

Setting Up IP Reverse Lookup in DN42
DN42, short for Decentralized Network 42, is a large-scale VPN network. Unlike traditional VPNs, DN42 utilizes technologies commonly deployed in internet backbones (such as BGP), effectively simulating a real-world network environment. In a previous article, I joined the DN42 network, and in another article, I registered my own domain and configured my DNS server. With a DNS server in place, we can now set up reverse lookup records for our IP addresses. Reverse lookup primarily aids in spam prevention and improves the appearance of outputs in network tools like ping and traceroute. Setting Up the Resolver for IP Ranges The first step is to delegate reverse resolution for your IP ranges to your DNS server. My servers are ns[1-3].lantian.dn42. While all could theoretically be specified,...