What is Vaultwarden

Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with upstream Bitwarden clients. It is perfect for self-hosted use when using the official, resource-intensive service is not ideal.

We can install it as follows:

$: pkg install vaultwarden

Then we copy the sample configuration:

$: cp /usr/local/etc/rc.conf.d/vaultwarden.sample /usr/local/etc/rc.conf.d/vaultwarden

However, before we change our Vaultwarden configuration, we need an admin token, which we can create with the following command:

$: openssl rand -base64 48

We now copy the created token and change the configuration.

Note: If we want to use the web interface, we have to set SIGNUPSALLOWED to true. Under ADMINTOKEN we paste our copied token. Furthermore, we can change our email server configuration here.

$: nano /usr/local/etc/rc.conf.d/vaultwarden =>

ROCKET_ADDRESS=127.0.0.1
export ROCKET_ADDRESS

ROCKET_PORT=4567 # your port here
export ROCKET_PORT

# ROCKET_TLS='{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
# LOG_FILE='/data/bitwarden.log'

SIGNUPS_ALLOWED='true'
export SIGNUPS_ALLOWED

DOMAIN='https://vaultwarden.domain'
export DOMAIN

ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
export ADMIN_TOKEN

SMTP_HOST=localhost
export SMTP_HOST

SMTP_FROM=noreply@localhost
export SMTP_FROM

SMTP_PORT=25
export SMTP_PORT

SMTP_SSL=false
export SMTP_SSL

# SMTP_USERNAME=
# export SMTP_USERNAME

# SMTP_PASSWORD=
# export SMTP_PASSWORD

Now that we have changed our configuration, we can enable the Vaultwarden service and start it for the first time.

$: service vaultwarden enable
$: service vaultwarden start
$: service vaultwarden status

To be able to use the web interface, we will use Nginx as a reverse proxy. To complete this, we first create the Nginx configuration:

$: nano /usr/local/etc/nginx/vhosts/vaultwarden.conf =>

server {
	listen 80;

    server_name vaultwarden.domain;

    # Allow large attachments
    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
       proxy_pass http://127.0.0.1:4567;
    }
}

We need another entry in our host's file:

$: nano /etc/hosts =>

127.0.0.1 vaultwarden.domain

Since it's more secure to deploy Vaultwarden over HTTPS, and we still need let's-encrypt certificates for that, we simply run the “certbot” command in our terminal and let it automatically create a certificate for our new domain.

Finally, we restart the Nginx once.

$: service nginx restart

Now we can open our freshly installed Vaultwarden service via the web browser.

Here, we can create a new user and manage our passwords securely in the future.

Discuss...

What is Navidrome?

Navidrome is an open-source web-based music collection server and streamer. It gives us the freedom to listen to our music collection from any browser or mobile device. It's like our own personal Spotify!

Furthermore, it offers the following feature:

• Manages huge music collections
• Streams virtually any audio format available
• Reads and uses all of our beautifully curated metadata
• Great support for compilations (various artists' albums) and box sets (multi-disc albums)
• Multi-user, each user has their playlists, favorites, etc.
• Very low resource consumption
• Automatically monitors your library for changes, imports new files, and reloads new metadata
• Modern and responsive web interface based on Material UI
• Compatible with all Subsonic/Madsonic/Airsonic clients
• Transcoding on the fly. It can be set per user/player. Opus encoding is supported.

How can we install it?

Installation is simple, we just need to run the following command:

$: pkg install navidrome

After the installation is through, we can then edit the corresponding configuration file.

$: nano /usr/local/etc/navidrome/config.toml

You can have a look at it. You will find a lot of configuration options. What is important is that you set the path to your music collection correctly.

If you have configured the whole thing according to your wishes, we still have to activate the RC service and then start it once.

$: servive navidrome enable
$: servive navidrome start

Nginx configuration

We use Nginx as a reverse proxy server. Likewise, we now create the following file under /usr/local/etc/nginx/vhosts:

$: nano /usr/local/etc/nginx/vhosts/navidrome.conf  ⇒

server {
    server_name navidrome.domain;

    location / {
        proxy_pass http://127.0.0.1:4533;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;

        # proxy headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-forwarded-port $server_port;

        # proxy timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

In our /etc/hosts, we add the following line.

$: nano /etc/rc.conf ⇒

127.0.0.1 navidrome.domain

Then we restart the Nginx.

$: service nginx restart

We can now open Navidrome via the web browser.

Discuss...

What is Airsonic?

It's a free, web-based media streamer that provides ubiquitous access to our music. Airsonic was developed for huge music collections. Although it's optimized for MP3 streaming, it works for any audio or video format that can be streamed over HTTP, such as. B. AAC and OGG. Using transcoder plug-ins, Airsonic supports direct conversion and streaming of virtually all audio formats including WMA, FLAC, APE, Musepack, WavPack and Shorten.

Installation

We first install wget, openjdk11 and ffmpeg with the following command:

$: pkg install wget openjdk11 ffmpeg

Next, we create the required directories with the next commands and change them to the directory /usr/local/airsonic:

$: mkdir /var/airsonic/

$: mkdir /usr/local/airsonic

$: cd /usr/local/airsonic

Now we can download Airsonic from their GitHub site with wget.

$: wget https://github.com/airsonic/airsonic/releases/download/v10.6.2/airsonic.war

Note: We can find the latest version here. Meanwhile, there is also a fork called Airsonic Advanced, which is a more modern implementation of Airsonic. More information can be found here.

Then we have to set a system link so that Airsonic can find the FFmpeg transcoder.

$: ln -s /usr/local/bin/ffmpeg /var/airsonic/transcode/ffmpeg

We can now start Airsonic on a test basis via the command line.

$: /usr/local/bin/java -jar /usr/local/airsonic/airsonic.war

Create a FreeBSD RC script

Next, we want to create an rc.d script for Airsonic.

$: nano /etc/rc.d/airsonic =>

#!/bin/sh
#
# $FreeBSD: airsonic $
#
# PROVIDE: airsonic REQUIRE: LOGIN KEYWORD: shutdown
#
# Configuration settings for airsonic in /etc/rc.conf:
#
# airsonic_enable (bool):
# Set to "NO" by default. Set it to "YES" to enable airsonic.
#
# airsonic_home (str):
# Set to "/var/airsonic" by default.
#
# airsonic_host (str):
# Set to "0.0.0.0" by default. Specify which IP address to listen to.
#
# airsonic_port (int):
# Set to "4040" by default. Specify which port to listen on for HTTP(S).
#
# airsonic_context_path (str):
# Set to "/" by default. Specify the last part of the airsonic URL, typically "/" or "/airsonic".
#
# airsonic_init_memory (int):
# Set to "192" by default. Specify the memory initial size (Java heap size) in megabytes.
#
# airsonic_max_memory (int):
# Set to "384" by default. Specify the memory limit (Java heap size) in megabytes.
#

. /etc/rc.subr

export LANG=en_EN.UTF-8

name=airsonic

desc="Airsonic is a free, web-based media streamer, providing ubiquitous access to your music"

rcvar=${name}_enable

pidfile="/var/run/${name}.pid"

load_rc_config "${name}"

: ${airsonic_enable:="NO"}
: ${airsonic_user:="root"} #: ${airsonic_user:="media"}
: ${airsonic_group:="wheel"} #: ${airsonic_group:="media"}
: ${airsonic_home:="/var/airsonic"}
: ${airsonic_address:="0.0.0.0"}
: ${airsonic_port:="8080"}
: ${airsonic_ssl:="NO"}
: ${airsonic_context_path:="/"}
: ${airsonic_init_memory:="1024"}
: ${airsonic_max_memory:="2048"}
: ${airsonic_chdir:="/usr/local/airsonic"}

start_cmd=airsonic_start
stop_cmd=airsonic_stop
restart_cmd=airsonic_restart
status_cmd=airsonic_status
start_precmd="export LC_CTYPE='en_US.UTF-8'"

# -Dairsonic.defaultMusicFolder=${airsonic_home}/artists 
# -Dairsonic.defaultUploadFolder=${airsonic_home}/incoming 
# -Dairsonic.defaultPodcastFolder=${airsonic_home}/podcasts 
# -Dairsonic.defaultPlaylistImportFolder=${airsonic_home}/playlists/import 
# -Dairsonic.defaultPlaylistExportFolder=${airsonic_home}/playlists/export 
# -Dairsonic.defaultPlaylistBackupFolder=${airsonic_home}/playlists/backup \

command="/usr/sbin/daemon -p ${pidfile} -f -u ${airsonic_user}"

procname="/usr/local/bin/java"

command_args="-Dairsonic.home=${airsonic_home} -Dserver.address=${airsonic_address} -Dserver.port=${airsonic_port} -Dserver.context-path=${airsonic_context_path} -Xms${airsonic_init_memory}m -Xmx${airsonic_max_memory}m -Djava.awt.headless=true -jar ${airsonic_chdir}/airsonic.war"

command_args1="-Dairsonic.home=${airsonic_home} -Dserver.port=${airsonic_port} -jar ${airsonic_chdir}/airsonic.war"

airsonic_start() {
echo "Starting Airsonic"
echo "${command} ${procname} ${command_args}"
cd ${airsonic_chdir}
${command} ${procname} ${command_args}
}

airsonic_stop() {
echo "Stopping Airsonic"
kill `cat ${pidfile}`
rm ${pidfile}
}

airsonic_restart() {
airsonic_stop
sleep 1
airsonic_start
}

airsonic_status() {
if airsonic_check; then
echo "Airsonic running"
return 1
else
echo "Airsonic not running"
return 0
fi
}


airsonic_check() {
if [ -f ${pidfile} ]; then
return 0
else
return 1
fi
}

run_rc_command "$1"

We then have to make the script executable.

$: chmod +x /etc/rc.d/airsonic

We will now activate and start Airsonic.

$: service airsonic enable
$: service airsonic start

NGINX configuration

We use NGINX as the reverse proxy server. Likewise, we now create the following file under /usr/local/etc/nginx/vhosts:

$: nano /usr/local/etc/nginx/vhosts/airsonic.conf =>

server {
    listen 80;
    server_name music.<<domain>>;

    # Proxy to the Airsonic server
    location / {
        proxy_pass 							http://127.0.0.1:8080;
        proxy_http_version                 1.1;
		    proxy_cache_bypass                 $http_upgrade;

	      # Proxy headers
		    proxy_set_header Upgrade           $http_upgrade;
		    proxy_set_header Connection        "upgrade";
		    proxy_set_header Host              $host;
		    proxy_set_header X-Real-IP         $remote_addr;
		    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		    proxy_set_header X-Forwarded-Proto $scheme;
		    proxy_set_header X-Forwarded-Host  $host;
		    proxy_set_header X-Forwarded-Port  $server_port;

		    # Proxy timeouts
		    proxy_connect_timeout              60s;
		    proxy_send_timeout                 60s;
		    proxy_read_timeout                 60s;
	  }
}

In our /etc/hosts, we add the following line.

$: nano /etc/rc.conf =>

127.0.0.1	music.(domain)

Then we restarted the NGINX.

$: service nginx restart

If we now call up the address http://music.(domain), we see the Airsonic login screen.

Discuss...

MySQL is one of the most popular relational database management systems in the world.

So that we can install the MySQL database under FreeBSD, we need the packages mysql80-server and mysql80-client.

We'll install the whole thing with the following command:

$: pkg install mysql80-server mysql80-client

We will now activate the MySQL server and start it for the first time:

$: service mysql-server enable
$: service mysql-server start

By default, no root password is set.

$: mysql -u root

mysql$: alter user 'root'@'localhost' identified by 'your password'; flush privileges; exit;

As a final test, we will log into the newly installed MySQL server with the following statement:

$: mysql -u root -p

phpMyAdmin

phpMyAdmin is a free web application for the administration of MySQL databases and their fork, MariaDB. The software is implemented in PHP, hence the name phpMyAdmin.

We will install the phpmyadmin package with the following command:

$: pkg install phpMyAdmin-php80

The following hostname is entered /etc/hosts:

127.0.0.1 phpmyadmin.domain

We will use NGINX as the web server. So that phpMyAdmin runs under NGINX, the following file is created under /usr/local/etc/nginx/vhosts/ under the name phpmyadmin.conf with this content:

Server {
    listen 80;
    server_name phpmyadmin.domain;

    root /usr/local/www/phpMyAdmin/;
    index index.php;

    location ~\.php$ {
        try_files $uri = 404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
    }
}

Discuss...

PHP, which stands for “PHP: Hypertext Preprocessor”, is a widely used open source, general-purpose scripting language that is particularly suitable for web development and can be embedded in HTML. The syntax is based on C, Java, and Perl, and is easy to learn.

This is a tutorial on how to use PHP on FreeBSD. We will install the following packages:

• php80
• php80-dom
• php80-gd
• php80-phar
• php80-ctype
• php80-filter
• php80-iconv
• php80-curl
• php80-mysqli
• php80-pdo_mysql
• php80-sqlite3
• php80-pdo_sqlite
• php80-tokenizer
• php80-readline
• php80-session
• php80-simplexml
• php80-xml
• php80-zip
• php80-zlib
• php80-bcmath
• php80-xmlwriter
• php80-posix
• php80-openssl
• pecl-redis
• php80-fileinfo
• php80-soap
• openssl

For this, we will run the following command:

$: pkg install php80 php80-dom php80-gd php80-phar php80-ctype php80-filter php80-iconv php80-json php80-curl php80-mysqli php80-pdo_mysql php80-sqlite3 php80-pdo_sqlite php80-tokenizer php80-readline php80-session php80-simplexml php80-xml php80-zip php80-zlib php80-bcmath php80-xmlwriter php80-posix php80-openssl php80-pecl-redis php80-fileinfo php80-soap openssl

Then we copy the php.ini-production template:

$: cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

We will next edit the www conf:

$: nano /usr/local/etc/php-fpm.d/www.conf ⇒

listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

In the /usr/local/etc/php.ini file, we need to find a section that configures the behavior of cgi.fix_pathinfo. It is commented out and set to “1” by default. We have to comment this out and set it to “0”. This prevents PHP from attempting to execute parts of the path if the file passed to process is not found. This could be used by malicious users to execute arbitrary code.

$: nano /usr/local/etc/php.ini ⇒

cgi.fix_pathinfo=0

Finally, we will activate PHP and start the PHP service:

$: service php-fpm enable
$: service php-fpm start

PHPUnit

PHPUnit is a free framework written in PHP for testing PHP scripts, which is particularly suitable for automated tests of individual units.

So that we can use PHPUnit under FreeBSD, we install the package phpunit8 with the following command:

$: pkg install phpunit8-php80

Composer

Composer is an application-oriented package manager for the PHP programming language. Composer executed via the command line and installs dependencies of a PHP program.

We install php-composer2 with the following command:

$: pkg install php80-composer2

Xdebug

Xdebug helps us debug our PHP scripts by providing a lot of valuable debug information.

We installed the pecl-xdebug extension with:

$: pkg install php80-pecl-xdebug

Then we add the following instructions to php.ini:

$: nano /usr/local/etc/php.ini ⇒

xdebug.remote_enable=1
xdebug.remote_port=9000

Finally, we restart the PHP service:

$: service php-fpm restart

Discuss...

The port's system is one of FreeBSD's greatest advantages for users who want flexibility and control over their software. It enables administrators to easily create and manage source-based installations using a system that is robust and predictable.

While the benefits of this feature are great, some of the most common complaints against port-based management are the time and resources it takes to compile each software program. This becomes even more of a problem when you manage many servers, each compiling its ports. While FreeBSD packages offer an alternative that speeds installation, they sacrifice control that ports allow.

To resolve this issue, administrators can use an application called Poudriere to create and manage custom packages. While technically designed to package a wide variety of architectures, Poudriere is often used as a packaging environment to package and host an entire infrastructure of FreeBSD servers.

Install the required packages

In the beginning, we will install all the required ports.

First, we have to install Poudriere.

$: pkg install poudriere

Finally, we also want to install a web server. This will serve two purposes. First, this will be the method by which our machines will be able to download the packages that we will be compiling. Second, Poudriere provides a web interface, so we can track the build process and monitor logs. In our case, we use the NGINX web server:

$: pkg install nginx

Create an SSL certificate and key

When we build packages with Poudriere, we want to be able to sign them with a private key. This ensures that all of our machines legitimize the packets created and that nobody intercepts the connection to the built computer to send malicious packets.

We're going to make sure we have an SSL directory that has two subdirectories called keys and certs. We can do this in one command by typing:

$: mkdir -p /usr/local/etc/ssl/{keys,certs}

Our private key, which must be kept secret, is stored in the key directory. This will be used to sign the packages we are going to create. We can lock the directory so that users without root or sudo privileges cannot interact with the directory or its contents:

$: chmod 0600 /usr/local/etc/ssl/keys

Next, we create a 4096-bit key, called poudriere.key, and place it in our key's directory by typing:

$: openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096

After the key has been generated, we can create a public certificate from it by typing:

$: openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert

We now have the SSL components we need to sign packets and verify the signatures. Later, we will configure our clients to use the generated certificate for package verification.

Configuring Poudriere

Now that we have our SSL certificate and key, we can start configuring Poudriere.

The main configuration file located at /usr/local/etc/poudriere.conf. We open this file:

$: nano /usr/local/etc/poudriere.conf

The Poudriere configuration file is very well commented and most of the settings must be predefined. We'll be making some specific changes, but leaving the majority of them intact.

If we use UFS as the file system, the following option must be commented out:

NO_ZFS=yes

On the other hand, if our server uses ZFS, we can configure Poudriere to use a specific pool by setting the ZPOOL option. In this pool, we can specify the trunk that Poudriere should use for packets, protocols, etc. with the ZROOTFS option. Note that these two options should not be set when the NO_ZFS option is set to “yes”:

# NO_ZFS=yes
ZPOOL=tank
ZROOTFS=/poudriere

When building software, Poudriere uses some type of jail to separate the build system from the main operating system. Next, we need to fill in a valid host where the build machine can download the software it needs to do the jails. This is configured via the FREEBSD_HOST option.

This option should already exist, even though it is not currently set to a valid host. We can change this to the default path. ftp://ftp.freebsd.org or use a narrower mirror if we know one:

FREEBSD_HOST=https://download.freebsd.org

Next, we want to be sure that our data directory is set correctly within the Poudriere root. This is controlled with the POUDRIERE_DATA option and should be set by default. However, we'll comment on the option to be certain:

POUDRIERE_DATA=${BASEFS}/data

The next options that we should comment on are the CHECKCHANGEDOPTIONS and CHECKCHANGEDDEPS options. The first option tells Poudriere to rebuild packages if the options for them have changed. The second option tells Poudriere to rebuild packages if dependencies have changed since the last compilation.

Both options exist in the form we want in the configuration file. We just have to comment them out:

CHECK_CHANGED_OPTIONS=verbose
CHECK_CHANGED_DEPS=yes

Next, we're going to point Poudriere at the SSL key we created so that packages can be signed during the build. The option used to specify is called PKGREPOSIGNING_KEY. We will uncheck this option and change the path to reflect the location of the SSL key we created earlier:

PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key

Finally, we can set the URL_BASE string to the domain name or IP address where our server can be reached. This is used by Poudriere to create links in the output that can be clicked. We should include the log and end the value with a slash:

URL_BASE=http://server_domain_or_IP/

When we're done making changes, we'll save and close the file.

Create the built environment

Next, we need to design our built environment. As mentioned earlier, Poudriere will build ports in an isolated environment with jails.

For our purposes, our jails build command looks like this:

$: poudriere jail -c -j 13-0x64 -v 13.0-RELEASE

This will take a while, so be patient. When done, we can see the one installed by typing:

$: poudriere jail -l

Output:

JAILNAME        VERSION         ARCH  METHOD TIMESTAMP           PATH

13-0x64 13.0-RELEASE-p2 amd64 ftp    2021-01-06 20:43:48 /usr/local/poudriere/jails/13-0x64

Once we've created a jail, we need to install a port structure.

We can use the -p flag to name our ports tree. We will name our tree HEAD because it summarizes exactly using this tree (the “head” or the most current point of the tree). Likewise, we will update it regularly so that it corresponds to the most current version of the available ports structure:

$: poudriere ports -c -m git+https -B main -p HEAD

This procedure will also take a while because the entire port structure has to be fetched and extracted. When this is done, we can view our port's tree by typing:

$: poudriere ports -l

Now that this step is complete, we have the structures to compile our ports and build packages. Next, we can start by putting together our list of ports to create and configure the options we need for each software.

Create a port building list and set port options

We are going to make a list of ports that we can pass directly to Poudriere.

The file should list the port category followed by a slash and the port name to reflect its position in the ports tree:

port_category/first_port
port_category/second_port
port_category/third_port

All necessary dependencies are also created automatically. So, we don't need to track down the entire dependency structure of the ports that we want to install. We can create this file manually, but if our base system already has most of the software installed, we can create the file automatically.

Before we do this, it is usually a good idea to remove any unnecessary dependencies from our system to keep the port list as clean as possible. We can do this by typing:

$: pkg autoremove

Thereafter, we can get a list of the software that we have explicitly installed on our build system:

$: pkg query -e "%a==0" "%o" | sort -d | tee /usr/local/etc/poudriere.d/port-list

If there are ports that we don't want to add, we'll remove the associated line. This is also an opportunity to add additional ports that we may need.

If we use certain make.conf options to create our ports, we can create a make.conf file for each jail within our /usr/local/etc/poudriere.d directory. For example, we can create a make.conf file for our jail with this name:

$: nano /usr/local/etc/poudriere.d/13-0x64-make.conf

I prefer to create a global make.conf that is valid for all jails.

$: nano /usr/local/etc/poudriere.d/make.conf

Inside, we can specify all the options we want to use when creating our ports. For example, if we prefer not to build documentation, samples, native language support, or X11 support, we can specify:

OPTIONS_UNSET+= DOCS NLS X11 EXAMPLES

We can also specify Default_Versions. In my case, it looks like this:

DEFAULT_VERSIONS+= mysql=8.0 php=8.0

In this case, all packages and/or their dependencies are built with the specified version.

Subsequently, we can configure any of our ports that will create files with the options selected.

We can configure anything that has not yet been configured with the options command. We should pass both the port tree we created (with the -p option) and the jail for which we set these options (with the -j option). Not only that, but we also need to provide the list of ports we want to configure with the -f option.

$: poudriere options -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

We see a dialog for each of the ports in the list and all dependencies for which no corresponding options are set in the -options directory. The information in our make.conf file is preselected in the selection screens. We'll select all the options we want to use.

If we want to reconfigure the options for our ports in the future, we can run the above command again with the -c option. This will show us all the available configuration options, regardless of whether we have made a selection in the past:

$: poudriere options -c -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

Build the ports

Now we're finally ready to start building ports.

We enter the following to update the jail:

$: poudriere jail -u -j 13-0x64

Then we enter the following to update the ports structure:

$: poudriere ports -u -p HEAD

Once that is done, we can start the build process.

Note: this can be a very long process. If we are connected to the server via SSH, we recommend installing the screen package and starting a session:

$: pkg install screen
$: rehash
$: screen

To start the build, we just need to use the bulk command and point to all of the individual parts that we have configured. If we've used the values in this guide, the command looks like this:

$: poudriere bulk -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

This starts with many workers (depending on our poudriere.conf file or the number of CPUs available) and starts building the ports.

At any time during the creation process, we can get information about the progress by holding down the CTRL key and pressing t.

Certain parts of the process produce more output than others.

Setting up NGINX for providing the front end and the repository

For this step, the NGINX must be set up with virtual hosts.

The following hostname entered /etc/hosts:

127.0.0.1 bsd. «Domain»

For Poudriere to run under NGINX, the following file created under /usr/local/etc/nginx/vhosts/ under the name poudriere.conf with this content:

server {
  listen 80 default;
  server_name bsd.><domain>>;
  root /usr/local/share/poudriere/html;

  location /data {
    alias /usr/local/poudriere/data/logs/bulk;
    autoindex on;
  }

  location /packages {
    root /usr/local/poudriere/data;
    autoindex on;
  }
}

Then restart the NGINX:

$: service nginx restart

Next, we're going to make a small change to our mime.types file. If we click on a log in the web browser with the current settings, the file is downloaded and not displayed as normal text. We can change this behavior by marking files with the extension .log. as plain text files.

We open the file mime.types in our text editor:

$: nano /usr/local/etc/nginx/mime.types

We find the entry indicating the text / plain content type, and append the log to the end of the current list of file types separated by a space:

text/mathml                         mml;
text/plain                          txt log;
text/vnd.sun.j2me.app-descriptor    jad;

Now, we can display the Poudriere web interface by going to the domain name or the IP address of our server in our web browser, bsd.«domain».

Configure package clients

Now that we have created packages and configured a repository to host our packages, we can configure our clients to use our server as a package source.

Configure the build server to use the own package repo

We can start by configuring the build server to use the packages it built.

First, we need to create a directory for our repository configuration files:

$: mkdir -p /usr/local/etc/pkg/repos

In this directory, we can create our repository configuration file. It must end in .conf, so we'll call it poudriere.conf to make its purpose cleaner:

$: nano /usr/local/etc/pkg/repos/poudriere.conf =>

poudriere: {
  url: "file:///usr/local/poudriere/data/packages/13-0x64-HEAD",
  mirror_type: "srv",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
  enabled: yes,
  priority: 100
}

If we only select packages that we have created ourselves (the more secure option), we can omit the priority setting, but we should disable the default repositories. We can do this by creating another repo file that will overwrite the default repository file and disable it:

$: nano /usr/local/etc/pkg/repos/freebsd.conf =>

FreeBSD: {
  enabled: no
}

Regardless of our configuration choices, we should now be ready to use our repository. We'll update our package list by entering:

$: pkg update

Now, our server can use the pkg command to install packages from our local repository.

Configure remote clients to use your build machine's repository

One of the most compelling reasons to set up Poudriere on a build machine is to use that host as a repository for many other machines. All we have to do to get this working is to download the public SSL certificate from our build machine and set up a similar repository definition.

To connect to our build host from our client computers, we should start an SSH agent on our local computer to store our SSH key credentials.

We need to add our SSH key by typing:

$: ssh-add

Then, we first have to create the directory structure (if it doesn't exist) so that we can save the certificate. We'll go ahead and create a directory for keys so we can use it for future tasks:

$: mkdir -p /usr/local/etc/ssl/{keys,certs}

Now we can connect to our build machine with SSH and send the certificate file back to our client machine. Since we've forwarded our SSH credentials, we should be able to do this without asking for a password:

$: ssh user@server_domain_or_IP 'cat /usr/local/etc/ssl/certs/poudriere.cert' | tee /usr/local/etc/ssl/certs/poudriere.cert

This command connects to the build machine from our client computer using our local SSH credentials. As soon as the connection is established, it shows the content of your certificate file and directs us through the SSH tunnel back to our remote client computer. From there, we use the tee combination to write the certificate into our directory.

Once this is done, we can create our repository directory structure, like on the build machine itself:

$: mkdir -p /usr/local/etc/pkg/repos

Now, we can create a repository file similar to the one used on the build machine:

$: nano /usr/local/etc/pkg/repos/poudriere.conf =>

poudriere: {
  url: "https://server_domain_or_IP/packages/13-0x64-HEAD/",
  mirror_type: "https",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
  enabled: yes,
  priority: 100
}

If we just want to use our compiled packages, the file should look something like this:

poudriere: {
  url: "https://server_domain_or_IP/packages/13-0x64-HEAD/",
  mirror_type: "https",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
  enabled: yes
}

If we only want to use our packages, we must remember to create a different repository configuration file to override the default FreeBSD repository configuration:

$: nano /usr/local/etc/pkg/repos/freebsd.conf =>

FreeBSD: {
  enabled: no
}

After we're done, let's update our pkg database to start using our custom compiled packages:

$: pkg update

Cron job

So that Poudriere automatically updates the jails and builds the packages, we will set up a cron job.

We create the following file under /usr/local/etc/poudriere.d/scripts:

$: mkdir /usr/local/etc/poudriere.d/scripts

$: nano /usr/local/etc/poudriere.d/scripts/poudriere-cron.sh =>

#!/bin/sh

SCRIPTNAME=`basename "$0"`

# check for running script
STATUS=`ps ax | grep "$SCRIPTNAME" | grep -v grep | wc -l`

# compare to 2 because the ` create a subprocess
if [ "$STATUS" -gt 2 ]; then
  echo "already running ... exit"
  exit 0
fi

# The build
POUDRIERE="/usr/local/bin/poudriere"
PORTLIST="/usr/local/etc/poudriere.d/port-list"
JAILS="13-0x64"
REPOS="HEAD"
URL="https://bsd.<<domain>>"

poudriere_build() {
    for JAIL in $JAILS; do
      for REPO in $REPOS; do
        echo "Started $JAIL / $REPO / $SET ("`/bin/date | /usr/bin/tr -d '\n'`")"
        "$POUDRIERE" bulk -j "$JAIL" -z "$SET" -p "$REPO"  -f "$PORTLIST" > /dev/null
        echo "    Cleaning $REPO ("`/bin/date | /usr/bin/tr -d '\n'`")"
        "$POUDRIERE" pkgclean -j "$JAIL" -z "$SET" -p "$REPO" -f "$PORTLIST" -y > /dev/null
        echo "    Finished $REPO ("`/bin/date | /usr/bin/tr -d '\n'`")"
      done
    done
}

repos_update() {
  echo "[$SCRIPTNAME] Updating ports tree..."

  for REPO in $REPOS; do
    echo "[$SCRIPTNAME] Updating ports tree... $REPO"
    "$POUDRIERE" ports -p "$REPO" -u > /dev/null

    if [ $? -ne 0 ]; then
      echo "    Error updating ports tree."
      exit 1
    fi

  echo "    Ports tree has been updated."
  done
}

echo "This is a log of poudriere. Details: $URL"
echo ""

repos_update
poudriere_build

echo "[$SCRIPTNAME] Cleaning distfiles..."
"$POUDRIERE" distclean -p "$REPOS" -f "$PORTLIST" -y > /dev/null

echo "[$SCRIPTNAME] Finished. ("`/bin/date | /usr/bin/tr -d '\n'`")"
exit 0

Then make it executable:

$: chmod +x /usr/local/etc/poudriere.d/scripts/poudriere-cron.sh

Then we should run the script once to test whether everything works correctly.

If everything fits, we can include it in the /etc/crontab as follows:

§: nano /etc/crontab =>

10      0       *       *       *       root    /usr/local/etc/poudriere.d/scripts/poudriere-cron.sh

The build process will then run every night. If we have packages such as Chromium where the build takes longer than 24 hours, it can be adjusted here.

Command list

Poudriere make.conf

$: nano /usr/local/etc/poudriere.d/make.conf

Poudriere conf

$: nano /usr/local/etc/poudriere.conf

Portlist

$: nano  /usr/local/etc/poudriere.d/port-list

Create a new jail

$: poudriere jail -c -j 13-0x64 -v 12.0-RELEASE

Update a jail

$: poudriere jail -u -j 13-0x64

Update ports

$: poudriere ports -u -p HEAD

Remove unused packages

$: poudriere pkgclean -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

Set options for the port list

$: poudriere options -c -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

Set options for a package

$: poudriere options -c -j 13-0x64 -p HEAD  databases/mariadb103-client

Build packages without a cronjob

$: poudriere bulk -j 13-0x64 -p HEAD -f /usr/local/etc/poudriere.d/port-list

When upgrading the system, copy the options to the new version

$: cp -R /usr/local/etc/poudriere.d/12-2x64-HEAD-options/**.* /usr/local/etc/poudriere.d/13-0x64-HEAD-options/

Discuss...

NGINX is a powerful edge web server with the lowest memory requirements and the most important functions for building a modern and efficient web infrastructure.

Here is a brief description of how the NGINX web server is installed on FreeBSD.

$: pkg install nginx-full
$: service nginx enable
$: service nginx start

Next, the following directory is created where the virtual host's files are saved.

$: mkdir /usr/local/etc/nginx/vhosts/

For the vhost to be integrated, we have to add this line to our nginx.conf at the end of the http block:

$: nano /usr/local/etc/nginx/nginx.conf =>

"include /usr/local/etc/nginx/vhosts/*";

GZIP compression

GZIP compression allows us to shrink files, reducing the time it takes to transfer a resource from the server to a browser. In today's web environment, many browsers and servers support GZIP compression. The ability to reduce the file size by up to 70% is a great incentive to use this compression method. Enabling GZIP compression is considered a high-priority recommendation by the website speed test tools because, without this option, we will unnecessarily increase the loading time of our website.

To enable GZIP compression, we will edit the file /usr/local/etc/nginx/nginx.conf and add the following to the server block:

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;

Then we restart NGINX: service nginx restart

We can test with curl whether the compression method works:

$: curl -H 'Accept-Encoding: gzip' -I https://<webseite> => 

HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Sun, 18 Aug 2019 19:38:45 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Sun, 18 Aug 2019 18:27:06 GMT
Connection: keep-alive
ETag: W/"5d59987a-39e7"
Content-Encoding: gzip

Brotli compression

Brotli compression is a new open-source compression algorithm developed by Google to further reduce file size. In 2013, Google released another compression algorithm called Zopli to perform “perfect but slow deflate or Zlib compression”. Based on a compression algorithm study carried out at Google, Brotli could achieve significantly faster performance with a compression rate that was 20 to 26% higher than Zopli.

To activate the Brotli compression, we will edit the file /usr/local/etc/nginx/nginx.conf and add the following in the server block:

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/vnd.microsoft.icon image/bmp image/svg+xml;

And at the beginning of the configuration file:

load_module  /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module  /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;

Then we restart NGINX: service nginx restart

We can test with curl whether the compression method works:

$: curl -H 'Accept-Encoding: br' -I https://<webseite> => 

HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Sun, 18 Aug 2019 19:38:45 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Sun, 18 Aug 2019 18:27:06 GMT
Connection: keep-alive
ETag: W/"5d59987a-39e7"
Content-Encoding: br

Certbot

To create SSL certificates from Let's encrypt and automatically provide them for NGINX, we will use the two packages py-certbot and py-certbot-nginx with the following command:

$: pkg install py39-certbot py39-certbot-nginx

Then, with the command, certbot SSL certificates can automatically be created for all domains that are created in, etc/hosts. With the instruction certbot renew, the expired certificates can be automatically updated.

Every night, cronjob checks whether the certificates are up-to-date or whether they need to be renewed. The following entered the /etc/crontab:

30      23      *       *       *       root    certbot renew

Discuss...

QT5 and GTK are used to create the graphical user interface for applications. They each have their appearance, depending on the theme and symbols installed.

So installing a dark GTK theme doesn't change the look of QT5 applications like VLC and QBittorrent.

To create a more consistent look and feel for applications, we'd like both gtk and qt5 to use a dark theme.

We installed the package gtk-arc-themes, which contains the theme adwaita-dark, and the packages lxappearance to set the dark theme for GTK applications.

$: doas pkg install gtk-arc-themes lxappearance

We open now lxappearance and we can choose the arc-dark here.

Next, we need the ports

• adwaita-qt5
• qt5-style-plugins
• qt5ct

$: doas pkg install adwaita-qt5 qt5-style-plugins qt5ct

Install and activate the dark theme for qt5-based applications.

We then add the following code to our .xinitrc-this is needed for the qt5ct program which we can use to configure which theme qt5 applications use.

$: nano ~/.xinitrc =>

export QT_QPA_PLATFORMTHEME=qt5ct

Now we need to restart the computer. If we open the qt5ct program before restarting, the variable will not be recorded, and we will not be able to change the subject.

After the restart, we open the qt5ct program and change the design to the qt5 version of adwaita-dark.

We can open the qt5ct program with an application launcher like dmenu or rofi when you use it.

We'll use the Appearance tab, the drop-down menu, next to the word style. Likewise, we'll select Adwaita-Dark, then click Apply.

Let's go to the Fonts, tab and we'll change the font to Sans Serif 10. We click Apply and OK to close qt5ct.

Now, when we open qt5-based applications like vlc and qbittorrent, the Adwaita Dark theme is used just like gtk applications.

Discuss...

KeepassXC is a community branch of KeePassXC—a native cross-platform port of KeePass Password Safe to add new features and improve it and bug fixes for a feature-rich, cross-platform and modern feature rich Open-source password manager.

Main features:

• Secure storage with AES, Twofish, or ChaCha20 encryption
• File format compatibility with KeePass2, KeePassX, MacPass, KeeWeb, and many others (KDBX 3.1 and 4.0)
• SSH agent integration
• Sync passwords with KeeShare
• Auto-Type to automatically fill out registration forms
• Support for key files and YubiKey-Challenge-Response for additional security
• TOTP generation (including Steam Guard)
• CSV import from other password managers (e.g., LastPass)
• Command-line interface
• Custom icons for database entries and downloading website favorites
• Functionality to merge databases
• Automatic reload of the database has changed externally
• Browser integration with KeePassXC browser for Google Chrome, Chromium, Vivaldi, and Mozilla Firefox.

Install KeepassXC

$: doas pkg install keepassxc

How do I use KeepassXC

I will briefly show you how to set up KeepassXC and how to use it. When we start KeepassXc for the first time, we see the main screen.

Then we will create a new database. A new screen opens, and we can assign a database name here and optionally assign a description.

On the next screen, we can make encryption settings. Here we can, for example, set the encryption time and select the database format.

We can also make advanced settings. For example, we can make the following settings here:

• encryption algorithm
• Key derivation function
• Encryption passes
• memory usage

In the next step, we can now assign a password, with which the password database is encrypted. What I can recommend is to also create a key file which is then saved on an external USB stick or in an encrypted cloud service. This means that the database backed up twice.

We have now created an encrypted database so that we can use KeepassXC; with Firefox, we must first activate the browser integration in the KeepassXC settings. We then select Firefox and can then set additional settings. I leave that to you, which you want to set.

For the actual integration, we use the KeeepassXC-Browser extension.

Discuss...

Mozilla Firefox is a free, open-source web browser. It's small, fast, and easy to use, and has many advanced features:

• Pop-up blockers
• extensions
• customizable appearance
• improved security

We can installthe Firefox browser with the following command:

$: doas pkg install firefox

Improve privacy

The Firefox browser is inherently privacy-conscious. But I'll show you how to get even more security and privacy out of Firefox.

about:preferences

First, we enter “about:preferences” in the address line, and this brings us to the settings.

Generally

In the general settings, we will deactivate the following options:

• Recommend extensions while browsing
• Recommend functions while browsing

Home

Here, we will disable the following options:

• Important pages
• Recommended by Pocket
• overview
• Brief information

search

We will remove all existing search engines and use Searx as the only standard search engine.

But what is SearXNG? It is a free metasearch engine that protects users' privacy. To complete this, Searx does not share users' IP addresses or search history with the search engines from which it collects results. Here; you can find more information about SearXNG.

To add Searx as a search engine, we search here, an instance that we want to use and open it.

Then, we click with the right click in the address bar, and we select the Add Search Engine option from the menu.

Now, we can set SearXNG as the default search engine in the search settings.

Another great alternative are:

• Qwant is a search engine with no user tracking and no filter bubble
• Startpage is a search engine that provides Google search results with complete privacy protection

Privacy

Under the item improved protection against activity tracking, we will select the Custom option and set the following settings.

• Cookies: all third-party cookies (some websites may no longer work)
• Activity tracking content: in all windows
• Secret digital currency calculator (crypto miner)
• Identifier (fingerprint)

When websites send “Do Not Track” information that their activities should not be tracked, we always set this option.

Under Cookies and website data, we will activate the following:

• Delete cookies and website data when you quit Firefox

In the next step, we will deactivate the option to save access data and passwords.

And finally, we will deactivate the following options under Data collection by Firefox and its use:

• Allow Firefox to send data on technical details and interactions to Mozilla
• Allow personalized extension recommendations through Firefox
• Allow Firefox to install and run studies

about:config

Next, we go to the about:config page, then we can set further security-relevant options.

We type “about:config” in the Firefox address bar and press Enter. Then we press the “Accept risk and continue” button.

To change settings here, we copy the following settings (e.g., “webgl.disabled”), paste them into the search bar and set them to the specified value (e.g., “true”).

Disable telemetry

With the following changes, we will disable the Firefox telemetry:

• browser.newtabpage.activity-stream.feeds.telemetry = false
• browser.ping-centre.telemetry = false
• browser.tabs.crashReporting.sendReport = false
• devtools.onboarding.telemetry.logged = false
• toolkit.telemetry.enabled = false
• Delete the URL for toolkit.telemetry.server, and leave it empty
• toolkit.telemetry.unified = false

Disable Pocket

If we don't use Pocket, or we don't want Firefox's Pocket integration, make the following changes:

• browser.newtabpage.activity-stream.section.highlights.includePocket = false
• extensions.pocket.enabled = false

Disable JavaScript in PDF

While there are legitimate uses for JavaScript in PDF (such as form validation), such uses are not very common. In addition, it could be used for malicious purposes, so it's generally a good idea to disable this feature.

pdfjs.enableScripting = false.

security.ssl.requiresafenegotiation = true

Making these changes will disable insecure SSL ciphers and force safe negotiation:

privacy.trackingprotection.fingerprinting.enabled = true

This option has been available since Firefox version 67, and it blocks fingerprinting.

privacy.trackingprotection.cryptomining.enabled = true

This option has been available since Firefox version 67 and this blocks CryptoMining.

privacy.trackingprotection.enabled = true

This is Mozilla's new built-in tracking protection. One of the benefits is to block tracking (i.e., Google Analytics) on privileged pages that have add-ons that normally do this disabled.

Privileged pages are those web pages that browser developers consider legitimate web pages, on which extensions tasked not to work / whose functionality has been completely stopped.

In Firefox, for example:

• accounts-static.cdn.mozilla.net
• accounts.firefox.com
• addons.cdn.mozilla.net
• addons.mozilla.org
• api.accounts.firefox.com
• content.cdn.mozilla.net
• content.cdn.mozilla.net
• discovery.addons.mozilla.org
• input.mozilla.org
• install.mozilla.org
• oauth.accounts.firefox.com
• profile.accounts.firefox.com
• support.mozilla.org
• sync.services.mozilla.com
• testpilot.firefox.com

browser.send_pings = false

The attribute is useful for websites to keep track of visitor clicks.

browser.urlbar.speculativeConnect.enabled = false

By doing this, we disable the preloading of autocomplete URLs. Firefox preloads URLs that are autocomplete when a user types in the address bar. This is a problem when suggesting URLs that we don't want to connect too.

dom.event.clipboardevents.enabled = false

We disable that websites can receive notifications when we copy, paste or cut something from a website. This will tell you which part of the page has selected.

media.eme.enabled = false

Disables playback of DRM-controlled HTML5 content. When this option enabled, the Widevine Content Decryption Module provided by Google Inc. will be downloaded automatically.

media.navigator.enabled = false

Websites can track the microphone and camera status of our device.

network.cookie.cookieBehavior = 1

Disable cookies

• 0 = Accept all cookies by default
• 1 = only accept from the original website (block third-party cookies)
• 2 = Block all cookies by default

network.http.referer.XOriginPolicy = 2

We only send the referer header if the full host names match. (Note: if we notice a significant fraction, we can try 1 with a XOriginTrimmingPolicy optimization below.)

• 0 = send referrer in all cases
• 1 = send referrer to the same eTLD sites
• 2 = only send referrer if full host names match

network.http.referer.XOriginTrimmingPolicy = 2

When we send the referrer across origins, we only send the schema, host, and port in the referer header of cross origins requests.

• 0 = send complete URL in the referrer
• 1 = send URL without query string in referrer
• 2 = Send only the scheme, host, and port in the referrer

webgl.disabled = true

WebGL is a potential security risk.

browser.sessionstore.privacy_level = 2

This setting controls when to save additional information about a session: form, content, scrollbar positions, cookies, and POST data.

• 0 = save additional session data for any site. (Standard from Firefox 4.)
• 1 = save additional session data only for unencrypted (not HTTPS) sites. (Default before Firefox 4.)
• 2 = never save additional session data.

beacon.enabled = false

Disabled sending additional analysis to web servers.

browser.safebrowsing.downloads.remote.enabled = false

Prevents Firefox from sending information about downloaded executables to Google Safe Browsing to see if they should be blocked for security reasons.

We're turning off the Firefox prefetch pages, which we expect to visit next:

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

• network.dns.disablePrefetch = true
• network.dns.disablePrefetchFromHTTPS = true
• network.predictor.enabled = false
• network.predictor.enable-prefetch = false
• network.prefetch-next = false

network.IDNshowpunycode = true

Unless we render IDNs as punycode equivalent, we are open to phishing attacks, which are very difficult to detect.

extensions.pocket.enabled = false

This deactivates the Pocket Service.

identity.fxaccounts.enabled = false

We will disable the Firefox Sync Service. I will introduce you to better alternatives. We could also use a self-hosted sync server—the code is available on GitHub. But the service is currently still using outdated Python 2.7 code, and the service has ported to Rust meanwhile. And the other problem is that the self-hosted service does not currently work with mobile Firefox.

identity.fxaccounts.toolbar.enabled = false

We're removing the Firefox Accounts icon from the toolbar.

disable WebRTC

WebRTC can potentially expose your real IP address, changing the following disables it

We can change the following value to be sure that every WebRTC-related are really disabled.

• media.peerconnection.turn.disable = true
• media.peerconnection.usedocumenticeservers = false
• media.peerconnection.video.enabled = false
• media.peerconnection.identity.timeout = 1

Hint: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.

Add-ons

In this section, I would like to introduce you to a few useful add-ons for Firefox.

uBlock Origin

An efficient blocker: low memory footprint and low CPU load, yet thousands more filters applied than other popular blockers.

xBrowserSync

xBrowserSync synchronizes bookmarks between devices and browsers with end-to-end encryption. Data encrypted and decrypted on the device—nobody but us can read it. No registrationrequired. We just enter a randomly generated ID or QR code on all of our devices. There are different servers available, which can also be self-hosted.

CanvasBlocker

This add-on enables us to prevent websites from identifying us via Javascript APIs. We can choose whether the APIs completely blocked on certain or all pages (this will impair the functionality of some pages) or to fake wrong values for the identification-friendly readout functions.

Chameleon

With this add-on, we falsify our browser profile. It includes some privacy enhancement options.~~~~

LocalCDN

This add-on emulates external frameworks (e.g., jQuery, Bootstrap, AngularJS) and makes them available as a local resource. It prevents unnecessary third-party requests like Google, StackPath, MaxCDN, and more. It contains prepared rules for uBlock Origin / uMatrix.

Redirect AMP to HTML

Automatically redirects all AMP (Accelerated Mobile Page) pages to their regular HTML equivalent.

When we see an AMP page, we are likely seeing a page served directly by Bing or Google that can pull up information about what we're doing on that page. We keep the web decentralized, and we say, “No!” to search engines that want to take control of the web.

AMP pages designed for devices with a small screen and often do not translate well to larger screens. The extension can be especially useful when we receive links from people who are on their mobile devices while we are on our desktop computer.

AdBlocker for YouTube

This add-on removes all annoying ads from YouTube.

Important functions:

• Removes video and display ads from YouTube
• Loads the YouTube website and videos faster
• Supports both Firefox desktop and mobile (Android)

YouTube NonStop

Tired of seeing the “Video paused. Continue watching?” Confirmation dialog? This extension will automatically click it, so you can listen to your favorite music without interruption.

The add-on works with YouTube and YouTube Music!

Discuss...