Cloudflare Shenanigans

An old client of ours managed to convince a telco to zero-rate the data for their app. In order to whitelist it though, we needed to use plain HTTP for domain whitelisting. For HTTPS, they can only whitelist by IP address. Like any good developer, we were using HTTPS. Also, like any good developer, we put our server behind Cloudflare.

Now the problem is that Cloudflare can put you behind any IP they own, which is a huge range. There’s no guarantee that the IP we have now is going to be the same later on. So we did the reasonable thing and asked them to whitelist all of the Cloudflare IPs. And the telco agreed! We were in total disbelief when that happened. But hey, if life gives you free internet, you take it.

We never actually empirically tested whether other sites hosted on Cloudflare were also actually zero-rated. But I like to think that we saved a lot of people on their data costs from browsing Reddit and 4chan. But alas, good things must come to an end.

A few months after we started beta testing the app, Cloudflare added more IPs to their range. Unfortunately, our server got moved to those new IPs which were not whitelisted yet. Apparently, the telco whitelisting process was incredibly convoluted and time consuming. Our client didn’t want to bother asking them to whitelist more IPs. We also tried asking Cloudflare to move us back to the original IP range, but they could only do that if we were in their enterprise tier. We couldn’t really afford that, so we looked for other options.
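The failure described above (the server moving to an address outside the allowlisted ranges) can be caught with a small coverage check. This is an added example, not code from the original post; the function names are hypothetical, the ranges are constructed documentation ranges rather than Cloudflare's, and only IPv4 is handled.

```sh
#!/bin/sh
# Constructed sample allowlist (RFC 5737 documentation ranges, not Cloudflare's).
ALLOWLIST="198.51.100.0/24
203.0.113.0/25"

# Print dotted-quad IPv4 address $1 as a 32-bit integer; return 1 if malformed.
ip_to_int() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*) return 1 ;; esac   # no leading zeros (octal ambiguity)
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2, 1 if not, 2 on malformed input.
in_cidr() {
  addr=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "${2%/*}") || return 2
  bits=${2#*/}
  case "$bits" in ''|*[!0-9]*|0?*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Return 0 if address $1 is covered by any CIDR in list $2 (one per line).
covered_by_allowlist() {
  for cidr in $2; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# Demo with constructed addresses: the second one sits outside the /25.
for ip in 198.51.100.7 203.0.113.200; do
  if covered_by_allowlist "$ip" "$ALLOWLIST"; then
    echo "$ip: covered"
  else
    echo "$ip: NOT covered, allowlist is stale"
  fi
done
```

Run on a schedule against the address the API hostname currently resolves to, this flags the move before users start paying for data.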

Since Cloudflare was essentially just a giant reverse proxy, theoretically there should be no distinction between one IP address and another. The specific IP we get is probably just for load balancing. So we tried accessing the IPs in the range directly and just setting the Host header, and it worked! But we got SSL errors because the IP itself doesn’t have its own certificate.

After more testing, we figured out that you could actually use any Cloudflare backed domain so long as we properly set the Host header. We just needed to find one still in the old range. Coincidentally, was. Which led to this wonderful commit

commit 123456789abcdef
Author: ~~~~~~
Date:   ~~~~~~

    4chan hack

diff --git a/src/com/client/common/ b/src/com/client/common/
--- a/src/com/client/common/
+++ b/src/com/client/common/
@@ -210,7 +210,8 @@ public class Util {

        public static String getServerAddress(Context context) {
-               String address = "";
+               // String address = "";
+               String address = "";
                if(!isDebug(context)) return address;
                try {
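Review bot: the previous server address is left behind as a commented-out line in getServerAddress, and its replacement is another bare string literal with no explanation of why it changed. Delete the commented-out line (version control keeps the old value) and put the address in a named constant with a comment giving the reason, since the commit message does not give one either. Because `if(!isDebug(context)) return address;` returns this literal directly for non-debug builds, the change reaches every release user and deserves that documentation.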
diff --git a/src/com/client/common/logging/ b/src/com/client/common/logging/
--- a/src/com/client/common/logging/
+++ b/src/com/client/common/logging/
@@ -101,6 +101,7 @@ public class APIClient {
        private HttpResponse postInternal(String url, List<NameValuePair> data, boolean forRegistration) throws ClientProtocolException, IOException {
                HttpPost request = new HttpPost(Util.getServerAddress(mContext)+"/api/"+url);
                request.setHeader("X-API-VERSION", apiVersion);
+               request.setHeader("Host", "");

                if(data == null) {
                        data = new ArrayList<NameValuePair>();
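Review bot: the Host header set in postInternal is a second hard-coded literal that has to stay in step with the address returned by Util.getServerAddress, and it is applied unconditionally even though getServerAddress takes a different path for debug builds. Derive both values from one place, for example a Util method that returns the Host value next to the address, so that a debug build or a later address change cannot send a Host header that does not match the server being contacted. Only the POST path is visible here; any other request builder in APIClient would need the same header.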

Eventually, we did decide to just abandon Cloudflare for the server. We probably weren’t going to be the target of a DDOS or anything. This also allowed us to do more secure things like pinning the server certificate in the application itself. Clearly, this is what we should have just done in the first place, but at the time we just wanted a stopgap solution.

I just still find it funny we were making people’s phones go to everyday for more than a year.


TiddlyWiki in the Sky (or TiddlyWeb for TW5)

I’ve always liked TiddlyWiki. Back when it first came out, it was really amazing. A wiki all in one file, that worked in the browser. It didn’t need a backend, it would just save itself as an all new HTML file with all your posts inside. I’ve used it a lot over the years, as a personal wiki/journal and a class notebook. I even had a blog with it at one point using one of the server-side forks.

Now, there’s TiddlyWiki5 which is a rewrite of the original TiddlyWiki that looks a whole lot snazzier, and I assume has better architecture overall. It also has experimental support for all the server-side platforms (particularly TiddlyWeb) that have cropped up.

If you’re just looking for a simple server setup for TiddlyWiki5, it has native support for that on its own. There’s plenty of documentation on the site. But if you’re looking for more advanced features (like storing your posts in git or a database), then you’ll need to use it with TiddlyWeb. The problem is that most of the documentation for TiddlyWeb still refers to the old TiddlyWiki.

To support TiddlyWiki5, we’ll need a version of the wiki which has the TiddlyWeb plugin already installed and configured. After that, some tweaking is necessary to get TiddlyWeb to provide what the wiki requires.

Setting Up TiddlyWiki

TiddlyWiki5 provides a command line tool via npm that allows building custom versions of the wiki. In fact, it comes with templates, called “editions”, that we can use for our setup. Assuming you already have it installed, create the wiki using

tiddlywiki mywiki --init tw5tank          # create wiki from template

This creates a wiki intended for use with Tank, which is built on top of TiddlyWeb. From here, you should look in mywiki/tiddlers/system, which contains the entries for SiteTitle, SiteSubtitle, DefaultTiddlers, and tiddlyweb-host. The first 3 should be configured however you want. These are necessary because they’re needed before the wiki can load them from the server. tiddlyweb-host contains the location of the TiddlyWeb server; this should be http://localhost:8080/ if you’re just testing locally. With everything configured, you can build the new wiki by running

tiddlywiki mywiki --build

This will output the wiki to mywiki/output/tw5tank.html. You can now serve it using your favorite local webserver, like python -m http.server.

Setting Up TiddlyWeb

The TiddlyWeb tutorial recommends using tiddlywebwiki which has all the plugins setup for a nice wiki instance for the old TiddlyWiki. It has a lot of features that aren’t really needed, so we won’t go with that. So first, we’ll need to install TiddlyWeb and any plugins we might want to use.

pip install tiddlyweb tiddlywebplugins.status tiddlywebplugins.cherrypy tiddlywebplugins.cors

Next, we’ll need the tiddlyweb configuration in

# A basic configuration.
# `pydoc tiddlyweb.config` for details on configuration items.

import tiddlywebplugins.status

config = {
    'system_plugins': ['tiddlywebplugins.status', 'tiddlywebplugins.cors'],
    # generate your own random value here instead of reusing this one
    'secret': '36c98d6d14618c79f0ed2d49cd1b9e272d8d4bd0',
    'wsgi_server': 'tiddlywebplugins.cherrypy',
    'cors.enable_non_simple': True
}

original_gather_data = tiddlywebplugins.status._gather_data

def _status_gather_data(environ):
    data = original_gather_data(environ)
    data['space'] = {'recipe': 'default'}
    return data

tiddlywebplugins.status._gather_data = _status_gather_data

The tweaks involved are:

  • using the status plugin which the wiki requires
  • monkeypatching the status plugin for the wiki to use the correct “recipe”
  • using cherrypy server instead of the buggy default one
  • using cors since we’re not hosting the wiki itself on the same server

With that, we just need to create the store that will hold our data

twanager recipe default <<EOF
desc: standard TiddlyWebWiki environment
policy: {"read": [], "create": [], "manage": ["R:ADMIN"], "accept": [], "write": ["R:ADMIN"], "owner": "administrator", "delete": ["R:ADMIN"]}

EOF

twanager bag default <<EOF
{"policy": {"read": [], "create": [], "manage": ["R:ADMIN"], "accept": [], "write": [], "owner": "administrator", "delete": []}}
EOF

Finally, we can start the TiddlyWeb server

twanager server

Putting it all together

Once you have the TiddlyWeb server running, you can just go to wherever you’re hosting the wiki html and it should work. You can try creating some posts, and the check mark on the sidebar should be red for a while and then turn black. Once that’s done it’s saved. You can refresh your browser and your posts should still be there.

At this point, you can start customizing your TiddlyWeb instance, by changing your store to something like a database, or adding authorization. You can also tweak the server setup so you won’t need CORS anymore.

TiddlyWiki5 is still relatively new. I hope that eventually, support for server-side and the plugin ecosystem grows to be as great as the old TiddlyWiki.


Is My Terminal Window Active?

I’ve been working in OSX for almost 3 years now, but I recently switched back to Linux because of all the problems people encountered with Yosemite. There are some things I missed from OSX though. One of which is zsh-notify. It’s a zsh plugin that alerts you if your long-running task is complete, and whether it failed or not.

It’s pretty convenient when you’re compiling something and then go on to browse reddit while waiting. Usually, I spend too much time just reading and forget about the compilation entirely. With the plugin, I get the notification and maybe go back to work.

One nice feature it has is that if you’re currently looking at the terminal window of the job that just finished, it won’t notify you. It only notifies on windows that aren’t currently in focus. To do this, it has to actually talk to or iTerm2 to see if the window and tab are active.

This is alright in OSX since those 2 are the generally most used terminal emulators. On Linux though, everyone has their own favorite terminal. Given that, I figured I could probably rely on talking to X to see if the window is active instead of each single terminal emulator. X can’t tell if the tab is active though, but I don’t use tabs in my current setup so it should still be good.


Preliminary research reveals that we can easily get what the active window is with xdotool. xdotool getactivewindow gives us the X window id of the active one. Now all we need is a way to get the window id of the terminal we’re in.

First Attempt: $WINDOWID

Apparently, xterm and similar terminal emulators define an environment variable called $WINDOWID with the window id of the terminal. Obviously, this is too good to be true. In xterm and konsole the $WINDOWID was correct, but in VTE-based terminal emulators, $WINDOWID had the wrong value. In terminology, it didn’t define $WINDOWID altogether. So $WINDOWID wasn’t going to work.

Second Attempt: xdotool search $MAGIC

My second idea was that you can use zsh to change the window title to a magic number and then just check if the active window is the same one as the window with the magic number. This sort of worked for most terminals, except konsole which does whatever it wants with the window title. There’s also the problem of some zsh configs automatically setting the window title to the current command.

In hindsight, I could probably have just done xdotool search --name xdotool since in most cases, when you run the search, zsh or konsole will set the window name to the current command. Maybe that’s another option I can explore some day.

Third Attempt: $PPID

My third idea was another environment variable called $PPID, which is the process id of the parent of the shell. As it happens, the parent is the window containing the zsh instance. This is actually pretty consistent across most terminals. The only problem was if you launched zsh from another shell since your new zsh’s parent will now be another zsh instance instead of an X window.

At first glance, launching zsh within zsh doesn’t seem like something most people would do, but this is what happens when you run screen or tmux. To work around this, we can actually just save the original $PPID in a different variable and use that instead.

Now that we have the PID of the window from zsh, we can once again use xdotool to get the PID of the current active window with xdotool getactivewindow getwindowpid. We just simply compare that with our $PPID and we can tell if we’re in an active window or not. Overall, this approach worked surprisingly well so that’s the final solution I went with.
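The $PPID approach described above, written out as shell functions. This is an added example, not the plugin's or the author's code; the variable name TERM_EMULATOR_PID and both function names are hypothetical, and notify-send is assumed as the notifier.

```sh
# Remember the terminal emulator's PID once. Nested shells (tmux, screen,
# zsh started from zsh) inherit the exported value instead of using their
# own $PPID, which would point at the parent shell rather than the window.
: "${TERM_EMULATOR_PID:=$PPID}"
export TERM_EMULATOR_PID

# Return 0 if the focused X window belongs to our terminal emulator.
# Returns 1 if another window has focus, or if xdotool cannot answer
# (not installed, no X display), so the caller errs towards notifying.
terminal_is_active() {
  active_pid=$(xdotool getactivewindow getwindowpid 2>/dev/null) || return 1
  [ -n "$active_pid" ] && [ "$active_pid" = "$TERM_EMULATOR_PID" ]
}

# Report a finished command unless its terminal window has focus.
# $1 = exit status, $2 = command text. Prints the message it sends.
notify_if_unfocused() {
  terminal_is_active && return 0
  if [ "$1" -eq 0 ]; then
    msg="done: $2"
  else
    msg="failed ($1): $2"
  fi
  if command -v notify-send >/dev/null 2>&1; then
    notify-send "$msg" >/dev/null 2>&1 || true
  fi
  echo "$msg"
}
```

The comparison is per process, so several windows served by one terminal emulator process all count as active together.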


Removing PLDTMyDSLBiz from the ZyXEL P-2612HNU

I’ve always thought that people were just too lazy to change their SSIDs when I see “PLDTMyDSLBizCafeJapan”. It became apparent when we got our own PLDT line that it was because the bundled router/modem does not allow you to remove the prefix.

This is not the kind of thing you expect as a business customer. Even for home customers, I feel it’s still a bit dishonest. I’d be fine if it was just the default SSID, but forcing people to have it as part of their SSID is like advertising that your company (I mean PLDT) is a douche.

Of course, we couldn’t just leave the SSID prefix there, so we tried a number of things to get rid of it. There are articles for removing it from the Prolink H5004N or the ZyXEL P-660HN-T1A but not for the one we got which was the ZyXEL P-2612HNU-F1F.

We did still try the firebug/inspector tricks, but it seems that there is a server-side check that adds in the “PLDTMyDSLBiz”. We tried a number of things, but the one that ultimately worked (and we had a good laugh about) was to backup the configuration, edit the dumped file and restore it.

The backup is actually just an XML file. You can search for SSID and change the parameter there. It’s a bit annoying because the router has to restart after restoring the configuration, but it works!

A minor note, the router doesn’t seem to support SSIDs with a comma (,) well. It just gets everything before the comma as the SSID for some reason.


Console Keymap Switching

At the office, we have some people who use DVORAK. Normally, this isn’t a problem. To each his own after all. It does become a bit problematic though, when we’re dealing with the servers around the office.

We normally leave the servers on QWERTY. After all, most people start off as QWERTY typists and migrate to something else. That said, it’s apparently difficult to stay fluent in both. People tend to forget how to type in QWERTY once they learn DVORAK or something else. While it is true that they can just look at the keyboard while typing, my coworkers would prefer it to just be in DVORAK.

For the console, they’d typically do sudo loadkeys dvorak after logging in. The problem with this is, after they logout, the keymapping is still on DVORAK. This has been quite annoying for a few times since I can’t even login to change the keymap. What I wanted was something like you get in the graphical login screens where you can pick your keymap before logging in. Apparently, there isn’t a readily available thing for the console.

I googled around for solutions and came across a nice idea. You could alias asdf to load the DVORAK mapping and aoeu (the equivalent to asdf in DVORAK) to load the QWERTY mapping. This actually makes sense since you don’t really have to know where the letters are. The only problem is, you once again have to be logged in to change the key mappings.

After some further searching, I found something close to what I wanted. Apparently, Alt+Up sends a KeyboardSignal keycode to the init process, which can act on that. It also works anywhere, even before being logged in. For SysVinit systems, you can just add a line to your inittab for a command to be run when Alt+Up is pressed.

In the office, however, we generally use Arch Linux which uses SystemD. But apparently, it also has a mechanism of accepting the Alt+Up press. It runs the kbrequest target whenever it gets the keypress. That target is normally aliased to run the rescue service though, so you have to manually create the file in /etc/systemd/system/ and fill it with a description:

[Unit]
Description=kbrequest target

We can then add a service to be run whenever the target is called. Something like /etc/systemd/system/keymap-switch.service:

[Unit]
Description=Keymap Switch Service
[Service]
ExecStart=/usr/local/bin/keymap-switch
[Install]
WantedBy=kbrequest.target

After enabling said service, we only need the actual keymap switcher, /usr/local/bin/keymap-switch. The StackOverflow answer provides different ways of detecting the current keymap so we know which one to switch to. Since we’re using SystemD, we can use that instead for managing which keymap we’re actually using. It stores the current settings inside /etc/vconsole.conf. We can also then switch keymaps by using localectl set-keymap.

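#!/bin/bash
# Read the current console keymap (KEYMAP=...) as managed by systemd.
source /etc/vconsole.conf

if [ "$TERM" = "dumb" ]; then
  # Toggle between the two layouts.
  if [ "$KEYMAP" = "dvorak" ]; then
    localectl set-keymap us
  else
    localectl set-keymap dvorak
  fi
fi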

After putting it all together, it works! We can switch keymaps on the fly by simply pressing Alt+Up.
