Integration by me

Then you will know the truth, and the truth will set you free.

How to set charset for all text responses on nginx

It’s usual that all text files on a site share the same character encoding, and UTF-8 in particular is the modern de facto standard. However, the default charset_types does not contain text/css, let alone other non-plain text types, e.g. text/markdown.

The default charset_types should be text/* because most of them are parsed in ASCII (us-ascii) by default for backward compatibility. A text/xml response is parsed in ASCII even if the BOM and XML declaration tell otherwise. Therefore, we should really use application/xml for XML responses now.

Nevertheless, the charset_types setting matches complete MIME types only; otherwise we have to resort to the universal match (*). Luckily, nginx has map with regex support, and charset_types accepts a variable.

map $sent_http_content_type $charset {
    ~^text/   utf-8;
}

charset       $charset;
charset_types *;

This setting would make nginx specify UTF-8 for all text responses, e.g. text/css; charset=utf-8.

Inverted minors considered harmful with strong notrump

I have been researching Wbridge5, a prominent bridge program. I was confused that it disables inverted minors by default. Recently I came to a conclusion.

By default, Wbridge5 opens strong notrump, so inverted minors is disabled. Wbridge5 includes inverted minors because weak notrump is also available.

Inverted minors originates from Kaplan–Sheinwold. Inverted minors is popular in East and Southeast Asia due to the popularity of Precision Club, which is based on K-S with a strong club and inherits the weak notrump opening.

Nowadays, many players open a strong notrump in a somewhat American style. However, some of them still employ inverted minors. Inverted minors does have pros, easily found by searching “inverted minors”. Hence, I list its cons for balance.

Garbage 1NT response

The weakness of inverted minors lies not in the convention itself but in the 1NT response, which is modified because of inverted minors. The 1NT response may have the following meanings:

Constructive 1NT: at least 6 tricks expected if both minimum.
Garbage 1NT: only 5 tricks expected if both minimum.

When partner opens 1♠, 1♥, or 1♦, garbage 1NT is on when the opponent passes, so as not to miss a probable game.

If inverted minors is agreed, without intervention, garbage 1NT is always on.

If inverted minors is off, a constructive 1NT is ensured over a 1♣ opening even after intervention, as there is always a better call, i.e. a suit or pass. Respond 2♣ with a weak 3-3-3-4 because the opener often has 4+ clubs.

If 1♣ ensures 3+ clubs: with minimum strength, the probability of only 3 clubs is 21.5%.
If 1♣ can be 4-4-3-2: with minimum strength, the probability of exactly 3 clubs is 20.4%, 4-4-3-2 5.19%.

Weak 4-card support dumped as garbage

Showing 5-card support at the 3 level preempts, but 1NT with 4-card support is much less preemptive. Is there really so much difference between 2 of a minor and 1NT, as 1NT is just one or two bids lower? Let’s consider the following.

W     N     E     S
      1♣    -     1NT
X[1]  -     -[2]  ?

The point is not whether to escape, but the positive pass. Notrump sucks for the declarer, who takes 6.06 tricks on average. 1NTxS−3 is more tragic than 3NTE= unless at favorable vulnerability. In addition, the total notrump tricks may be less than 13.

If the response were 2♣, East would need clubs to pass, and positive advances would be pushed up to 2NT. Preemption means forcing the opponents to bid high with strong hands. Although 2♣ is only one bid higher than 1NT, pass and cuebid are pushed up to 2NT.

  1. Takeout double 

  2. Convert to business double 

AppArmor configuration for nginx and php-fpm

AppArmor is the default MAC module on Ubuntu. Unlike DAC in Un*x, an AppArmor config lists what a process can access. A process in enforce mode can access only the listed paths; a process in complain mode is still allowed the access but logs a warning when it touches an unlisted path.

However, there is no default config for nginx and php-fpm. To keep a hacked web server from infecting the rest of the system, let’s write configs on our own! The useful tool aa-genprof gets most of the job done, but some paths are still missing, especially sockets. Therefore, I publish my settings as a reference.

The following is config for nginx.

#include <tunables/global>

/usr/sbin/nginx {
	#include <abstractions/apache2-common>
	#include <abstractions/base>
	#include <abstractions/nis>

	capability dac_override,
	capability net_bind_service,
	capability setgid,
	capability setuid,

	/etc/nginx/** r,
	/etc/ssl/openssl.cnf r,
	/proc/*/auxv r,
	/run/nginx.pid rw,
	/run/nginx.pid.oldbin w,
	/run/php5-fpm.sock rw,
	/srv/www/** r,
	/usr/sbin/nginx mr,
	/var/log/nginx/* w,
}

The following is config for php-fpm.

#include <tunables/global>

/usr/sbin/php5-fpm {
	#include <abstractions/base>
	#include <abstractions/nameservice>
	#include <abstractions/php5>

	capability kill,
	capability setgid,
	capability setuid,

	/etc/php5/** r,
	/proc/*/auxv r,
	/proc/sys/kernel/ngroups_max r,
	/run/mysqld/mysqld.sock rw,
	/run/php5-fpm.pid rw,
	/run/php5-fpm.sock w,
	/srv/www/** r,
	/srv/www/html/wp-content/** rw,
	/srv/www/html/wp-content/cache/** rwk,
	/srv/www/magento/media/** rw,
	/srv/www/magento/var/** rwk,
	/tmp/ r,
	/tmp/** rwk,
	/usr/sbin/php5-fpm mrix,
	/var/log/php5-fpm.log* w,
}
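
An added example, not part of the original post: a Python check that replays AppArmor audit lines against a profile's path rules and lists the accesses no rule grants, which is how a socket missed by aa-genprof shows up. The log lines and DRAFT_RULES are constructed, the helper names are hypothetical, and the #include abstractions and capabilities are not modelled.

```python
import re

# Constructed audit lines in the usual AppArmor layout: complain mode logs
# apparmor="ALLOWED", enforce mode logs apparmor="DENIED".
SAMPLE_LOG = """\
audit: type=1400 audit(1400000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/etc/nginx/nginx.conf" pid=901 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1400000000.202:12): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/nginx" name="/run/php5-fpm.sock" pid=902 comm="nginx" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=0
audit: type=1400 audit(1400000000.303:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/error.log" pid=901 comm="nginx" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1400000000.404:14): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/php5-fpm" name="/run/mysqld/mysqld.sock" pid=950 comm="php5-fpm" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=0
"""

# Path rules of the nginx profile above; DRAFT_RULES drops the socket line to
# mimic a hypothetical generated draft that missed it.
NGINX_RULES = {
    "/etc/nginx/**": "r", "/etc/ssl/openssl.cnf": "r", "/proc/*/auxv": "r",
    "/run/nginx.pid": "rw", "/run/nginx.pid.oldbin": "w",
    "/run/php5-fpm.sock": "rw", "/srv/www/**": "r",
    "/usr/sbin/nginx": "mr", "/var/log/nginx/*": "w",
}
DRAFT_RULES = {p: m for p, m in NGINX_RULES.items() if p != "/run/php5-fpm.sock"}

EVENT = re.compile(r'apparmor="(?:ALLOWED|DENIED)".*?profile="(?P<profile>[^"]+)"'
                   r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', * and ? stay in one component."""
    body = re.sub(r"\*\*|\*|\?|.", lambda m: GLOB.get(m[0]) or re.escape(m[0]), glob)
    return re.compile(body + r"\Z")

def uncovered(log, profile, rules):
    """Map each logged path to the permissions that no rule in `rules` grants."""
    missing = {}
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m or m["profile"] != profile:
            continue
        # Logs report create/delete as c/d; a profile grants both through w.
        want = set(m["mask"].translate(str.maketrans("cd", "ww")))
        granted = set("".join(p for g, p in rules.items() if glob_to_regex(g).match(m["name"])))
        if want - granted:
            missing.setdefault(m["name"], set()).update(want - granted)
    return {path: "".join(sorted(perms)) for path, perms in missing.items()}

if __name__ == "__main__":
    for path, perms in uncovered(SAMPLE_LOG, "/usr/sbin/nginx", DRAFT_RULES).items():
        print(f"\t{path} {perms},")
```

Run against the draft rules it prints the missing socket line in profile syntax; against the full rule list from the profile above it prints nothing.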