Get the scope right in Authentik

I set up Authentik in front of some of my self-hosted services recently. Authentik allows you to use 2-factor auth when logging into other services that support OpenID. The first one I tried was Immich, and the docs are pretty good.

Authentication settings in Immich

The one thing they forgot to mention was that you had to set the scope in Authentik too. In the provider configuration, make sure that all of openid, email, profile are allowed.

Also, if you use Cloudflare to proxy your services, make sure Authentik isn’t proxied, or it will try to rewrite some of the HTTP headers used. Make sure your reverse proxy generates its own SSL cert too. You might be using a Cloudflare cert if everything is going through there.

Who said self-hosting was fun, eh?

I’m an AI source

Screenshot of a Perplexity AI search results page displaying the query "How do I set up the Godox TT685 as a remote flash with the X1T-S." The page shows a step-by-step guide for setting up the Godox TT685 (Sony version) as a remote flash using the Godox X1T-S transmitter. The instructions include powering on the TT685, entering wireless (radio) slave mode by pressing the wireless selection button until the radio slave icon appears, and preparing the flash to receive signals from the X1T-S. The top of the page features related video and website links.

A few weeks ago, I was attending a birthday party and wanted to take some photos. I have a Godox flash, and a remote, but I couldn’t get them to talk to each other and remembered it was a bit finicky.

Being in a hurry, I asked Perplexity how to set up the Godox TT685 as a remote flash with the X1T-S and I spotted this blog among the sources. This post about the Godox TT685 was there, and the AI summarised it pretty well, and I got the settings fixed.

One thing I hadn’t forgotten was keeping the TEST button on the X1T-S down while turning it on so it would work in “close range” mode. That was painful enough figuring that out.

Is the web dead yet? We’ve had walled gardens for decades, and they’re growing taller, and now AI agents are slurping down all our content. Apparently, adding the word “fucking” to a Google search query stops them showing a summary. What if I add “fucking” to every post when I detect an AI bot visiting? “I’m a fucking AI source” now am I?

Yes, yes, I used an AI to ask a question and found my blog there. I’m still complaining about it. Humans are weird.

Press F to pay respect

I only recently found out why people sometimes comment “F” on Reddit threads. It comes from Call of Duty: Advanced Warfare (2014).

At one point, you walk up to a casket at a funeral and have to press F to pay respects to the fallen soldier.

As others on that Reddit thread said, I thought it had something to do with following a thread to get notifications. Just to prove how out of touch I am, it even has a Wikipedia page where the viral meme is described as iconic, but the authors of that page describe it well:

“Press F to pay respects” is an Internet meme that originated from Call of Duty: Advanced Warfare, a 2014 first-person shooter in Activision’s Call of Duty franchise. It originated as a set of instructions conveyed during an in-game quick time event at a funeral service. Widely mocked by critics and players due to its forced element of interactivity that was not perceived to be tastefully executed, the phrase would later become a notable Internet meme in its own right. It is sometimes used by Internet commenters to convey solidarity and sympathy, either sarcastic or sincere, in response to unfortunate events.

I never thought I’d be tagging a post with “Call of Duty” again, but here we are in 2025!

The Netnewswire Reader View rocks

Netnewswire is an RSS reader for macOS and iOS devices. You know podcasts? Like that, but for reading.

RSS readers have been around for a long time, long before social media sites like Twitter and Facebook. They allow you to follow updates on your favourite sites, which could also include the personal sites of people you know. Twitter used to have RSS feeds, Facebook never did (AFAIR), but Mastodon sites (and other Fediverse services) do.

This blog has an RSS feed. You can follow my interesting posts there. Chances are, if you’re reading this, you already know all this.

Anyway, Netnewswire has a “Reader View” that will load entire posts in the reader, which is very useful if a site only shares extracts of their articles. Sometimes it doesn’t load the entire article, so you’ll need to visit the site anyway. It’s a convenient way to read without leaving the app when it works.

Other RSS readers include the WordPress.com Reader, Feedly and many more. Wired has an overview of some, as does Zapier.

RSS won’t replace social media, it’s just another way to read the news.

When you move IP, move all the IPs

I recently moved the server hosting this site and my photoblog to a new Linode. About time too as the old one was full of cruft built up over a decade of upgrades. It had finally reached the point where I had trouble finding new dpkg files for software that wasn’t as ancient as my installation. Updates would stop in the next year or two as well, which was a huge problem.

When I did move, I pointed the DNS at my new server and all seemed fine. That is, until I saw an email from Google on Friday saying a new user had been added to the search console for www.inphotos.org!

I don’t use the www hostname on any of my sites, and didn’t actually have a search console property set up on that site. I don’t remember now if I had to create one, but when I eventually logged into it, I found an “Ian Trader” already in there. He was a validated user, too.

He had been allocated the IP address of my old server. He saw that www.inphotos.org still pointed at it and asked Google to validate his ownership by uploading an HTML file to his server.

A screenshot from the Google search console showing the ownership verification details of the attacker who created a validated account on www.inphotos.org
A screenshot of my browser showing the validation file the attacker used to gain access to the search console for www.inphotos.org

Yikes! Quick as I could, I checked the DNS and found that yes, www.inphotos.org was still pointing at my old IP address! Damn.

Fixing it was fairly easy, I thought. I removed that user, and removed the www hostname.

However, Ian had one more trick up his sleeve. He had put a sitemap on www.inphotos.org, and it led to 129,864 fake links that Google could not index.

Screenshot of the "page indexing problems" chart from Google Search Console showing 129,984 problematic pages since last Wednesday.

It looks like he was setting up a malware server with the names of books on each page:

/c/pdf/upload?PUB=new_apostolic_church_hymn_collection_songs&blackhole=017
/c/pub/go?EPUB=hawker_battery_charging_instruction_manual&daily=034
/c/pub/list?BOOK=a_shade_of_vampire_7_a_break_of_day&dua=047
/c/pub/list?EPUB=ib_vietnamese_past_paper_2013&monument=094
/c/pub/list?PDF=lowepro_user_manual&codevember=001
/c/pub/list?PDF=suzuki_swift_owners_manual_2009&bubbley=087
/c/pub/upload?PUB=caravaggio_ediz_illustrata&particles=015
/c/pub/upload?PUB=mi5_and_me_a_coronet_among_the_spooks&sassy=021
/c/pub/url?BOOK=radiation_detection_and_measurement_solutions_manual&delapan=081
/c/pub/visit?EBOOK=mercruiser_hp_engine_manual&daily=009
/d/book/data?PUB=gossie_and_gertie_gossie_friends&particle=016
/d/book/file?DOC=engine_repair_manual_for_f550&dribbble=005

I fixed those with some simple mod_rewrite rules, so visiting those URLs should take you back to the homepage. Google is validating my fix now. Besides, that fake sitemap is gone, so I expect Google to forget about them soon, I hope.

So, when you’re moving websites around, make sure you update all the DNS records for your sites. I may not have noticed for a good while if he had set up the redirect scripts on his server correctly and didn’t go into the search console.
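A check you could run after a move like this one, added here as an example (not the author's code): it reads a zone export and flags every name that still reaches the retired server's addresses, following CNAMEs inside the zone. The zone, hostnames and addresses are constructed, the input is assumed to be BIND-style `name ttl class type value` lines, and `parse_zone`, `addresses` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed zone export: the apex moved, but www, a CNAME behind it and an AAAA were missed.
SAMPLE_ZONE = """\
example.org.        300 IN A     198.51.100.20
www.example.org.    300 IN A     192.0.2.10
photos.example.org. 300 IN CNAME www.example.org.
blog.example.org.   300 IN CNAME example.org.
old.example.org.    300 IN AAAA  2001:db8::10
cdn.example.org.    300 IN CNAME assets.example.net.
"""
RETIRED = ["192.0.2.10", "2001:db8::10"]   # old server's addresses (constructed)
CURRENT = ["198.51.100.20"]                # new server's address (constructed)

def parse_zone(text):
    """Return {name: [(type, value), ...]} for the A, AAAA and CNAME lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";")[0].lower().split()   # drop zone-file comments
        if len(fields) >= 5 and fields[3] in ("a", "aaaa", "cname"):
            records.setdefault(fields[0], []).append((fields[3], fields[4]))
    return records

def addresses(name, records, seen=()):
    """Follow CNAMEs inside the zone and return the addresses a name ends at."""
    found = set()
    if name in seen:                                  # CNAME loop: stop here
        return found
    for rtype, value in records.get(name, []):
        if rtype == "cname":
            found |= addresses(value, records, seen + (name,))
        else:
            found.add(ipaddress.ip_address(value))
    return found

def audit(zone_text, retired, current):
    """Label names: stale (reaches a retired IP), unknown (unlisted IP),
    external (chain ends outside this zone or loops; review by hand) or ok."""
    records = parse_zone(zone_text)
    retired = {ipaddress.ip_address(a) for a in retired}
    current = {ipaddress.ip_address(a) for a in current}
    report = {}
    for name in records:
        ips = addresses(name, records)
        report[name] = ("external" if not ips else "stale" if ips & retired
                        else "unknown" if ips - current else "ok")
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ZONE, RETIRED, CURRENT).items():
        print(f"{status:8} {name}")
```

Run it against the full zone before you release the old IP address, and clear every "stale" line first.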

Bye bye Pebble!

Pebble, aka t2.social, was a short lived social network like Twitter. Last week they sent out emails to all their users to tell them that the site was shutting down on November 1st. I first came across it thanks to Topgold, but it was always a small site. In a crowded section of the Internet, another Twitter clone would have a tough time competing.

I hadn’t posted much there and wasn’t going to download my data, but this post by Eugen Rochko caught my attention and reminded me to go visit.

If was part of the social web, they would have had a network of 1.8M active users, not 1,000, and perhaps wouldn’t have had to shut down.

Eugen Rochko

Maybe it would have survived, but it would have had to be extra special and offer some compelling features to compete with all the “free” Fediverse servers out there. The Activity Pub plugin for WordPress recently hit version 1.0 and was launched on WordPress.com too, so potentially millions of new Fediverse sites are coming online, all of which are on more mature software.

I moved on over to Fastmail

For many years, I hosted my email here on my own server, but it was far from ideal. I used Postfix to run the server. I forwarded the email to my Gmail account using Procmail recipes. I read my email on Gmail, and sent email from there too.

That worked most of the time, but if an email had any kind of domain protection such as DKIM or SPF then Gmail was likely to reject the email and unless I was looking at /var/log/mail.log I probably wouldn’t notice. To combat that, I left a copy of every email on this server. Once I knew that email from a domain could get through to Gmail, I added a Procmail rule that forwarded it without backing it up (hint: the vast majority of domains do not have this protection). I installed mutt and learned how to use that through an ssh connection to my server, and I read those emails in a text mode application like some sort of 90’s retro hacker man. Queue up the GIF, please..

I had Postgrey installed to weed out silly attempts at spamming me, and SpamAssassin to stop everything else. It did a good job until it didn’t, and let through too many spams. Various RBLs helped, until they shut down. Then Gmail got pissed and would reject my emails until I put in place Procmail rules to filter out persistent spammers. So, I got pretty good at Procmail too. 🙂

Anyway. After all that I couldn’t send an email from any of my domains without tricking my free Gmail account into accepting email from them, but not really doing it. The details are hazy, but I was able to send from a user@example.com address. A single one per domain. That wasn’t very useful.

So, this summer, I moved my email domains over to Fastmail. The domain hosting this blog hasn’t been moved over, but the email from this server gets sent through there. It works quite well too! I can even send email from any of my wildcard email addresses. It feels wild that I can do that!

There are pretty good filtering rules that let you do all sorts of things. You can even do regular expression matching, which is handy for wildcard addresses containing a specific string. One of my domains gets a TON of spam. I used it in years past to comment on blogs, sign up on various services, and ask for feedback on websites, so it’s been indexed to death by spammers. I still use it though, and with a prefix string, it’s still useful.

In Fastmail, go to Settings->Mail rules->Create rule and then click on “Switch to no-preview rules”. I was able to set up a rule there that matched my prefix string at my domain (for example: john..*@example.com) and labelled any matching emails the way I wanted.

I created another rule using “The spam score” “is at least” 5 (which puts it in the spam folder) from that domain to mark those emails read, but that didn’t work. I’ll get in touch with support and ask them about it. It seems that if an email is spammy, then no rules run on it. Boo.

Setting up DKIM and SPF records was simple. I’m thrilled with it and paid up for the next year. Imagine that, paying for email! It’s so nice that Google doesn’t know when I’m going travelling, too.

I discovered today, while digging around in the filtering rules, they have a referral program. If you join up through this Fastmail link you’ll get 10% off your first year. I should have asked someone at work for their referral link. A few people there already use them!

Edit: I contacted support about marking spam as read, for one domain, and they replied overnight. There’s a default setting to enable spam detection. You have to set that to custom, and then add a rule wherever you want spam email to be dealt with. So, if I want email from a certain domain, with a spam score higher than 5 to be marked read before marking it as spam, I can do that now, and it works nicely! Here’s what they said:

This is a result of the order in which Spam filtering and rule application is executed in. You’ll note that in the Settings → Mail rules menu screen, from top to bottom it reads “Blocked senders, Spam protection, Rules”. This is the same order in which these checks are applied. Spam filtering is applied before mailing rules, and mailing rules are only applied to messages that are being delivered into the Inbox (and so not those marked as Spam).

That said, I can suggest a workaround that will allow you to choose when spam filtering is done. Instead of using the standard spam filter, you can convert the spam filter itself into a rule. That way you can manage it like any other rule moving it to your desired position to execute before or after or in between your rules. You can use the combination of custom spam protection and the filter rules to achieve this:

  • Go to the Settings → Spam Protection screen to change your Spam Protection level to “Custom”.
  • Turn off the “Move messages with a score of X or higher to Spam”.
  • Create a new rule in the Settings → Filters & Rules screen:
    • Click on Create Rule button.
    • Switch to no-preview rules.
    • Select The spam score (is at least) from the options and put in the number 5 (or whatever other cut-off score you desire).
    • Click Add Condition and make it A header called X-Spam-known-sender does not match glob pattern yes*.
    • Click Continue.
    • Set the action to Send to spam.
    • Give it a Name “Spam filtering” (or anything of your choice to easily identify).
    • Save.

After following these steps, your Spam filter will now just be treated like another rule. The rules in your list are again executed in the order they’re presented, from top first to bottom last, so you can drag and drop this new spam rule to control which rules execute before and after it.

Fastmail support

Backup your social media accounts

I’ll keep this short. You should download your Twitter data, Facebook data, and as you probably have that too, your Google data. You never know when you might be banned from using them, even accidentally.

After you’ve saved that data, go to Instagram and Reddit and do the same!

Twitter

Download your data from Settings->Your Account->Download an archive of your data.

Facebook

Download your Facebook data from Settings->Privacy->Your Facebook Information->Download your information. I like that they offer HTML and JSON options.

Google Takeout

Google Takeout is where you download your Google data. There is a lot there. At the time of writing, it shows 53 products, which includes YouTube, Gmail and Google Photos.

Instagram

Download your Instagram data from their Privacy and Security page where you will find the request page.

Reddit

And finally, Reddit. You can download your data from their data-request page.

Keep that data safe. Don’t leave it in your download directory. It potentially has lots of private information you won’t want to be shared with anyone who uses your computer.

Google lets you schedule up to 6 data downloads per year, but it might be worth setting a calendar reminder to do this at least once a year. Store your downloads in dated directories to make it easy to keep track of when they were downloaded.

Firefox printing with no headers and footers

First it was Netscape, then Chromium, on to Chrome and now (back) to Firefox, but the paperless office is still a pipe dream for me and most people.

Printing from Firefox can be annoying. I don’t like seeing the title, URL, current time, etc in the headers and footers so I would change those settings each time. Since I don’t print that often I’d always forget to find out how to save those settings, until today.

Turns out it’s quite easy, but it does require some tinkering with internal Firefox settings!

In Firefox, type about:config.

  1. Search for print.print and a list of entries will appear.
  2. Look for:
    • print.print_headercenter
    • print.print_headerleft
    • print.print_headerright
    • print.print_footercenter
    • print.print_footerleft
    • print.print_footerright
  3. Double click on each one and remove the text in the (value) box.

This will remove the header and footer information when you print.

Next time I tried to print a page the headers and footers were both blank!