IPv6 PAC Support

If you’re not familiar with a Proxy Auto-Configuration (PAC) file, it’s a JavaScript function that determines whether web requests should be forwarded to a proxy server or not.

There’s a minimal set of JavaScript functions defined that you can use to conditionally send your web traffic through a proxy. One of those functions, isInNet(), returns true if an address (an IPv4 address) is included in a given network range. Unfortunately there are no functions in this standard set that provide similar support for IPv6 addresses.

There are many IPv6 parsing libraries on GitHub, but all of them depend on at least a few npm packages. I’m normally not one to complain about npm dependencies, but this is once instance where the dependency model is not really tenable.

Here I’ve put together a copy/pastable inIPv6Range() function that provides limited functionality for determining whether a given IPv6 address is in a predetermined range.

function expandIPv6( ipv6 ) {
	const parts = ipv6
		.replace( '::', ':' )
		.split( ':' )
		.filter( p => !! p );
	const zerofill = 8 - parts.length;

	// Fill in :: with missing zeros
	return ipv6
		.replace( '::', `:${ '0:'.repeat( zerofill ) }` )
		.replace( /:$/, '' );
}

function parseIPv6( ipv6 ) {
	ipv6 = expandIPv6( ipv6 );

	// Check is valid IPv6 address
	ipv6 = ipv6.split( ':' );
	if ( ipv6.length !== 8 ) {
		return false;
	}

	const parts = [];
	ipv6.forEach( function( part ) {
		let bin = parseInt( part, 16 ).toString( 2 );
		while ( bin.length < 16 ) {
			// left pad
			bin = '0' + bin;
		}

		parts.push( bin );
	});

	const bin = parts.join( '' );
	return parseInt( bin, 2 );
}

function inIPv6Range( ipv6, low = '::', high = 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' ) {
	ipv6 = parseIPv6( ipv6 );
	low = parseIPv6( low );
	high = parseIPv6( high );

	if ( false === ipv6 || false === low || false === high ) {
		return false;
	}

	return ipv6 >= low && ipv6 <= high;
}

If you clean this up or add CIDR support, let me know!

CSS Dark Mode

MacOS Mojave introduced Dark Mode, which allows MacOS users to enable a darker interface. According to Apple:

In Dark Mode, the system adopts a darker color palette for all windows, views, menus, and controls. The system also uses more vibrancy to make foreground content stand out against the darker backgrounds.

In Safari Technology Preview 68, they’ve also added support for websites to add support for Dark Mode with a new media query:

@media (prefers-color-scheme: dark)

I’ve added support to my theme, which now looks like this in the latest Safari Technology Preview if you’ve got Dark Mode enabled:

Pi-hole

I’ve been running Pi-hole, the “black hole for Internet advertisements” for a while now. It started out as an excuse to get a Raspberry Pi, but I consider this a somewhat important security appliance now. One of the nice things about Pi-hole is, like Ghostery, it’s easy to see what’s being blocked. Unlike Ghostery, though, it works for the entire network. So things like the Xbox and smart TV are included. For example, I noticed that TCL TVs track what you’re watching even if you “Limit ad tracking”.

I think we should stop calling them ad blockers. This is a security device. Most of these aren’t “ads”. It’s the junk that comes along with the ads. pic.twitter.com/SVN7YvKUgk
— Josh Betz (@jshbz) September 24, 2018

I also run Unbound on the Raspberry Pi, which forwards to Cloudflare and OpenDNS over an encrypted connection. The Docker configuration I use for Unbound is on Github.

Nginx Cache WordPress

There are tons of caching options for WordPress. Some of the popular plugins are Batcache, WP Super Cache, and W3 Total Cache. There are also services like Cloudflare and Fastly. On VIP Go, we use Varnish instances distributed across the world and route traffic to the nearest server over our Anycast network.

I’ve used almost everything on my blog over the years, but this time I wanted to keep it simple. Since I already use Nginx for SSL termination and proxying to a Docker container, I decided it would be easiest to cache the HTML there.

https://gist.github.com/joshbetz/63f08fc2f37e5e267d14f219d0f5b4ed

The configuration is pretty basic:

404s are cached for 30 seconds
301s (permanent redirects) are cached for 24 hours
Everything else is cached for 5 minutes

Pages are only cached if they’ve been accessed 3 times to avoid filling the cache unnecessarily. If you’re logged in or have a cookie that looks like it could be valid, you bypass the cache completely to avoid caching logged in data. One of my favorite parts is that I can serve stale content if there’s a server error. So if I break the Docker container, ideally people won’t notice 🙂

Ultimately this is easier to maintain than any of the other things I’ve tried and just as effective.

The full configuration is on Github.

Why I’m Switching Back To Firefox

Not me, I still use a combination of Safari and Chrome Canary.

Firefox greets me with a page explaining my rights as a user of open source software. Chrome greets me with… sigh… Chrome greets me with a fucking advertisement for a Chromebook.

It’s an interesting article though.