All posts by Roman

Nginx

Configuration

# HTTP to HTTPS
if ($scheme = http) {
    return 301 https://$host$request_uri;
}

# Proxy
location / {
    include /etc/nginx/proxy_params;
    proxy_pass http://127.0.0.1:5000/;
}

# Custom robots.txt
location = /robots.txt {
    add_header Content-Type text/plain;
    return 200 "User-agent: *\nDisallow: /\n";
}

# Activate HTTP2 (1.9.5+)
listen 443 ssl http2;

Rate limiting

# Use $http_cf_connecting_ip instead of $binary_remote_addr when behind Cloudflare
limit_req_zone $http_cf_connecting_ip zone=php_limit:10m rate=10r/s;
limit_req_log_level warn;

location ~ \.php$ {
    limit_req zone=php_limit burst=50;
}

# Test using bash
for i in $(seq 1 30); do curl -I -s "https://[HOST]/" | head -n 1; done

Real IP

To get current IPv4 Cloudflare ranges see the official list.

# Get Real IP from Cloudflare
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;

AutoMySQLBackup

Configuration

```
# Set rotation of daily backups. VALUE*24hours
# If you want to keep only today's backups, you could choose 1, i.e. everything older than 24hours will be removed.
CONFIG_rotation_daily=6

# Set rotation for weekly backups. VALUE*24hours
CONFIG_rotation_weekly=30

# Set rotation for monthly backups. VALUE*24hours
CONFIG_rotation_monthly=90
```

Apache

CLI

# Enable modules
a2enmod ssl
a2enmod rewrite

# Disable autoindex
a2dismod autoindex

# Enable default SSL config
a2ensite default-ssl

Configuration

# HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

Upgrade Debian 12 to Debian 13

I use those steps on LXC virtual in Proxmox:

  1. Make sure all packages are upgraded: apt update && apt upgrade
  2. Backup container in Proxmox
  3. Edit release version: sed -i'.bak' 's/bookworm/trixie/g' /etc/apt/sources.list
  4. Update other configuration files in /etc/apt/sources.list.d/ appropriately
  5. Update packages index: apt update
  6. Do minimal system upgrade: apt upgrade --without-new-pkgs
  7. Do full upgrade: apt full-upgrade
  8. Restart the system: reboot

Connect to Proxmox SPICE console (virt-viewer) on MacOS

Install virt-viewer using brew:

brew tap jeffreywildman/homebrew-virt-manager
brew install virt-viewer

After installation open new terminal session. You should be able to open pve-spice.vv using CLI.

remote-viewer pve-spice.vv

The command should be located in /opt/homebrew/bin/remote-viewer.

You can also use MacOS Automater to create a redirector that can be used to open the .vv files from browser.

/opt/homebrew/bin/remote-viewer "$@"

When you click Open on the pve-spice.vv you can Choose pve-spice-launcher that we created earlier.

Stream TVHeadend using TiviMate

I used to install Kodi with TVHeadend plugin. But on a new Google TV I had issues with Kodi not starting under child profile, because of some bug with permission issues to the storage.

TiviMate seams to be working fine, you just need to add Playlist URL and EPG URL.

http://tvheadend:9981/playlist/channels.m3u
http://tvheadend:9981/xmltv/channels

Systemd configuration for Bitwarden

If you run Bitwarden eg. in Proxmox LXC you need to make sure Bitwarden start automatically. Create a configuration file in /etc/systemd/system/bitwarden.service with the following contents.

[Unit]
Description=Bitwarden
Requires=docker.service
After=docker.service

[Service]
User=bitwarden
Restart=on-failure
ExecStart=/opt/bitwarden/bitwarden.sh start
ExecStop=/opt/bitwarden/bitwarden.sh stop

# Script starts docker images and ends
Type=oneshot
RemainAfterExit=true

[Install]
WantedBy=default.target

Enable it, start it and check the logs.

systemctl daemon-reload
systemctl enable bitwarden
systemctl start bitwarden
journalctl -f -u bitwarden