fluxcoil wiki

Notes on various services I run for myself.

• DNS:
  • hosting: bind
  • upstream registration: gandi.net
  • secondary server: https://ns-global.zone/ offers these publicly, not yet tried
• SMTP:
  • verification tools:
    • send a mail to echo@univie.ac.at and get a reply with all headers
    • site https://mxtoolbox.com/ to verify if you run an open relay, and DNS settings
    • verify which TLS modes your system offers:
      • https://cryptcheck.fr/
      • https://www.checktls.com/
      • https://www.immuniweb.com/ssl/
  • As of 2020-12-28, t-online does not accept mails from me with: 554 IP=45.136.30.123 - A problem occurred. (Ask your postmaster for help or to contact tosa@rx.t-online.de to clarify.) (BL)
  • Communication with tosa@rx.t-online.de brought up that t-online has apparently setup own rules which are not backed by RFCs. The requirements I got:
    • request: Have a system with a name like 'mail.<domain>' deliver mail to t-online.
    • comment: That makes no sense. google would then start to request me to deliver from 'foobar.<domain>', so what should I do then? The RFC allow me to deliver plainly from <domain>. I have also all DNS things like dmarc in order, I am reacting to mails to postmaster@domain and so on.
    • request: Your whois record does not have your full contact details (that's because of new data protection laws). Providing these details via https from the same domain would be acceptable.
    • comment: I already have my name and various ways to reach me described on https://fluxcoil.net . My site is not commercial, I do not need an “impressum” as per German law. This is an arbitrary request from t-online. If such a request is valid, it should be discussed in the community and find its way into RFCs. Otherwise, everybody on the internet can start to setup such “own rules”.
  • ⇒ For now, I send mails to t-online from a different mail account, and notify the recipients that their provider is “special”.
• http/https:
  • verification tools:
    • https://www.immuniweb.com/ssl/
    • https://www.ssllabs.com/
  • nginx, let's encrypt cert
  • nginx 1.15.4 will have ssl_early_data, Debian Bullseye was the first stable Debian release providing that
  • understand page load time: run firefox, press <ctrl>+<shift>+<i>, then “network”, disable cache, load a page
    • high latency to Japan, ~260ms
    • `time curl https://fluxcoil.net –tlsv1.3 >/dev/null` takes 1.4sec from Japan, and 0.022sec directly on the server
    • `time curl https://fluxcoil.net/files/ –tlsv1.3 >/dev/null` takes 0.83sec from Japan, 0.016sec directly on the server
  • sitemap validator: link
  • Are handed out svg files getting compressed? With default settings, nginx on Debian/Bullseye is not encrypting mime type 'image/svg+xml'.
    • Test if a svg file is handed out compressed: “curl -I -H 'accept-encoding:gzip, deflate' https://fluxcoil.net/static/20210224_minder5.svg”
    • activate compression for svg in nginx.conf: “gzip_types text/plain [..] image/svg+xml;”
• video/audio chat:
  • Jitsi

• availability monitoring:
  • https://www.wyae.de/software/moshel/ , availability monitoring script directly running on the server
• performance monitoring:
  • PCP with grafana for graphics. Network bandwidth, latency to some other servers on the internet, bind and postfix statistics and so on

• Remote desktop control
  • https://github.com/rustdesk/rustdesk
  • https://github.com/rustdesk/rustdesk-server-demo
• https://rport.io/ - opensource remote control. In go, server and client components. froscon2021 video exists.
• https://github.com/slackhq/nebula - mesh networking. Think of wireguard, but with the nodes directly talking with each other
• https://github.com/m1k1o/neko - browser/video sharing for multiple clients, i.e. for watching a video together