Off the Goolag (2): Low cost shared hosting

For absolute privacy, avoid using email (say, talk on Signal instead). Unless it’s inter-server mail in zero-knowledge encrypted providers like ProtonMail that also encrypt the message headers (metadata, especially who’s sending to whom), expect that determined people with enough social engineering or authority can see it naked. It’s the same deal as snail mail, where people in the post office can see what’s written on the envelope.

Big files like photos and typical cloud storage are something you should self-host at home anyway. If you are worried about a slow internet connection and downtime, you can pay for zero-knowledge cloud storage (where the server owners don’t have the master keys to your files) to add redundancy.

The next step down is to self-host your email, contacts, calendar, tasks (productivity suite) which you physically own so nobody can peek into it as long as you guard your home.

Hosting these services from home might mean more work and risk (downtime), especially when it’s possible that your ISP’s IP address block is on the spammer’s list or your ISP blocks the ports needed. The less secure alternative is to pay for extremely cheap shared web hosting services (we are talking about <$4/mo regular price and <$2 for the first year) where you can:

  • make as many email accounts as you want
  • get contacts, calendar and tasks bundled with each email account
  • use your own domain name
  • also host your own webpage and WordPress site

With Google, Microsoft, Apple and other big providers, they have big security teams to protect your data from hackers, but because of their centralized nature, it’s much more rewarding for hackers to breach one big provider than going after little accounts spread across different servers and IPs. Unless you are a high profile person or expect to be specifically targeted, you are better off managing your own productivity suite’s hosting/storage.

More importantly, it feels creepy when Google harvests my email and suggests I allow them to automatically register my appointment on my calendar. Random staff might not be reading our emails, but bots are, and god knows what else they can do just by updating their code if they someday want to turn on us. They’ve become so powerful that with enough bankroll, they can make our politicians look the other way, so there’s no way to stop them if we become dependent on their platforms.


The instructions below assume your shared hosting provider has adopted cPanel as the account management interface and that you have access to it.

As with Google, where your Gmail (email) account is also your account for a variety of productivity services (contacts, calendar, tasks), your email account here covers those services too. You can set it up by logging into cPanel, often https://(your server here)/cpanel.

There are a few naming conventions in cPanel that are different from Google’s ecosystem:

  • Login name is your ENTIRE email address because you can have different domains attached to the same hosting storage so you must enter the domain name after the @ sign for it to tell the accounts apart


In modern times, I’d stick with IMAP for email (which is enabled by default in cPanel). Since Google would like to keep you in their ecosystem as much as possible, IMAP is not enabled by default for Gmail.


Web email interface (you have a choice between Horde or RoundCube) is at port 2096. You can access it by

https://{name or IP to the shared host server assigned by your provider}:2096

or

https://{name or IP to the shared host server assigned by your provider}/webmail
(which will redirect you to port 2096 above)

In most cases, your domain name attached to the hosting points to the actual underlying shared hosting server assigned by your provider. I’d prefer not to use the underlying server address/IP because it might change when you move between hosting plans.

Also, per security design, WebMail doesn’t warn you when you enter a non-existent email address (login). It’ll just silently loop you back to the login page again without explanation if you got any part of the login or password wrong.

DAVx5 for calendar/tasks (CalDAV) and contacts (CardDAV)

In Android, calendar and contacts (also known as address book) are stored in a standard place shared by apps that pick them up from the system (email storage is per app, since POP3 and IMAP themselves already do things very differently).

The default Calendar/Contacts app makes it look like you have to use Google Calendar/Contacts to set up an online account (by default it comes with Device/Local and Google accounts as options), but you can inject CalDAV/CardDAV accounts into Android’s calendar/contacts system with an app called DAVx5.

The App is FREE if you download it from F-droid but costs $5.99 if you download it from Google Play. It’s not a loophole, but the authors want people to move away from Google Play and use F-droid, a Free-and-Open-Source (FOSS) app store.

DAVx5 works in a slightly unusual way: accounts are NOT added through the calendar/contacts app. Instead you register your CalDAV/CardDAV accounts, select the folders to sync, SYNC IT, then each sync’ed FOLDER (you heard me right) will show up as a standard Android Account (just like Google/Samsung Accounts) which will work with any standard Calendar/Contacts app. All management (add/removal) happens in DAVx5.

When you set up a CalDAV/CardDAV account, remember NOT to use the first option “Login with email address”! You must enter the URL which points to Port 2080 of the shared hosting server.

If you forget to enter the port number, the account will be set up with CalDAV/WebCAL, without CardDAV!

Select “Groups are separate vCards“:


Basically, CardDAV is just a folder storing each contact as a VCF (vCard) file and CalDAV is just a folder storing each event/task as an ICS file. It’s a primitive HTTP file manager hosted behind an HTTPS login, and apps are supposed to find the folder using a consistent naming scheme.


DBeaver connecting to MySQL in Namecheap Shared Hosting

Namecheap already provided instructions to connect MySQL Workbench client for its shared hosting, which involves SSH-tunneling because they disallowed direct MySQL connection out of security concerns.

So here’s basically the logistics:

  1. SSH to your Namecheap hostname (you can use your domain name) at SSH port 21098
  2. The tunnel listens on Port 5522 and forwards it to localhost (the client itself) at MySQL Port 3306
  3. Instead of connecting directly to {namecheap shared hosting server}:3306, connect to localhost:3306

It’s a little confusing to do in DBeaver because “Advanced settings”, which you will need, is hidden by default. The naming of ‘local client’ (source) vs ‘remote’ (destination) in the dialog box is also confusing. It’s actually equivalent to

ssh -L ["Local host":]"Local port":"Remote host":"Remote port"
ssh -L [bind_address:]port:host:hostport

bind_address can be left blank. If you are paranoid and don’t want other machines to use your current MySQL client machine as a gateway (they tunnel into your machine to use the tunnel you are currently establishing), set (aka bind) it to localhost. Alternatively, bind it to the IP of one of the client’s network adapters if you want to allow machines on a trusted network to use this MySQL client computer as a gateway.

For some reason (I suspect it’s IPv6), “Remote host” needs to be set to the loopback adapter (cannot use the special hostname ‘localhost‘).

Remember that MySQL’s username and password are the special database-only login credentials you created in cPanel.
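The bind_address choices discussed above, as an added example that is not part of the original post: a Python check that reports which interfaces an `ssh -L` spec will listen on, following the rules in the OpenSSH ssh(1) manual and going slightly beyond the post by also covering `*`, an empty address and bracketed IPv6. The function names and result labels are made up for this illustration, and 192.168.1.10 is a constructed LAN address.

```python
"""Report where an OpenSSH `-L [bind_address:]port:host:hostport` listener binds.

Added example. Rules follow the ssh(1) description of -L; ports reuse the
post's 5522 -> 3306 tunnel, and 192.168.1.10 is a constructed LAN address.
"""
import ipaddress


def split_forward(spec):
    """Split a TCP forwarding spec on ':' but keep [bracketed IPv6] whole."""
    fields, i = [], 0
    while True:
        if spec.startswith("[", i):
            end = spec.find("]", i)
            if end == -1:
                raise ValueError(f"unterminated '[' in {spec!r}")
            fields.append(spec[i + 1:end])
            i = end + 1
        else:
            end = spec.find(":", i)
            end = len(spec) if end == -1 else end
            fields.append(spec[i:end])
            i = end
        if i >= len(spec):
            return fields
        if spec[i] != ":":
            raise ValueError(f"expected ':' at offset {i} in {spec!r}")
        i += 1


def classify_bind(spec):
    """Return the exposure class of the local listener described by `spec`."""
    fields = split_forward(spec)
    if len(fields) == 3:
        bind = None                      # bind_address left out entirely
        port, _host, hostport = fields
    elif len(fields) == 4:
        bind, port, _host, hostport = fields
    else:
        raise ValueError(f"not [bind_address:]port:host:hostport: {spec!r}")
    for value in (port, hostport):
        if not value.isdigit() or not 0 < int(value) < 65536:
            raise ValueError(f"bad port {value!r} in {spec!r}")

    if bind is None:
        return "follows-GatewayPorts"    # loopback unless GatewayPorts is on
    if bind in ("", "*"):
        return "all-interfaces"          # empty or '*' means every interface
    if bind == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return "named-host"              # a hostname; resolve it to judge
    if addr.is_unspecified:              # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "single-interface"


ADVICE = {
    "follows-GatewayPorts": "loopback only, unless GatewayPorts is enabled",
    "loopback": "only programs on this machine can use the tunnel",
    "all-interfaces": "any machine that can reach this one can use the tunnel",
    "single-interface": "machines on that adapter's network can use the tunnel",
    "named-host": "depends on what the name resolves to",
}

if __name__ == "__main__":
    for spec in ("5522:127.0.0.1:3306",
                 "localhost:5522:127.0.0.1:3306",
                 ":5522:127.0.0.1:3306",
                 "192.168.1.10:5522:127.0.0.1:3306",
                 "[::1]:5522:[::1]:3306"):
        scope = classify_bind(spec)
        print(f"ssh -L {spec:<34} {scope}: {ADVICE[scope]}")
```

Note the difference between leaving bind_address out (`5522:...`) and giving an empty one (`:5522:...`): the first follows the GatewayPorts setting, the second listens on every interface.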


Aria2 WebUI Notes

Aria2 is a convenient command line downloader that works like curl/wget on http/ftp, but it also supports many other protocols, and aria2 natively supports multipart download!

Instructions for Aria2 on Entware hosted by Lighttpd (defaults to Port 81):

Instructions for Nginx on Entware (defaults to Port 82):

Instructions for Aria2 on Entware:

There are some minor details that changed.

# Install the base (core) software first
# This example is for entware
opkg install aria2

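# Download the package from Github zip to /opt/tmp
# NOTE: --no-check-certificate skips TLS certificate verification, so the
#       download is not authenticated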
wget -c -O /opt/tmp/ --no-check-certificate

# Make sure you have some web server installed (nginx, httpd, apache, etc.)
# Nginx HTTP server instructions
# Make sure you know what {Webroot} is
# for Nginx, {Webroot} is /opt/share/nginx/html

# Unpack the zip file at /opt/tmp and clean up the zip
unzip /opt/tmp/ -d /opt/tmp/ && rm /opt/tmp/
# Move/rename to desired location
mv /opt/tmp/webui-aria2-master {Webroot}/aria2

Nginx defaults to port 82 (change it to where you set your web server). The WebUI can be accessed at http://your_server_here:82/aria2/docs.

/docs is inconvenient, so I created a redirection by placing this index.html under aria2’s root folder:

<meta http-equiv="Refresh" content="0; url='./docs'" />

The RPC host breaks out of the box because you’ll need to make a few adjustments to /opt/etc/aria2.conf before you can start the service without crashing it (so the WebUI will of course complain with a lot of cryptic error messages):

# Basic Options
dir={Change it to a viable folder that has enough space if /opt/var/aria2/downloads is not big enough}

# RPC Options
# Unless you want to get a certificate, you'll need to use unsecure mode:
rpc-secure=false
# Change your rpc-secret to be matched in "Connection Settings" in the WebUI
rpc-secret={your secret}

After you get the config file correct

# Start the installed aria2 service
# (the package already has a service wrapper over aria2c)
# aria2 seems to assume it's port 81, so the init.d script has an "S81" prefix, but aria2 does not control the port where you put the WebUI in http. So it's just a cosmetic filename naming convention.
/opt/etc/init.d/S81aria2 start

If the service won’t start (some bad configs might have the service reported as “done”, and when you check again a second later with “S81aria2 check“, it’ll report as “dead”), you can debug by looking at what went wrong in /opt/var/log/aria2.log. That’s how I figured out I needed to turn off the “rpc-secure” parameter.
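A pre-start check for the RPC settings discussed above, as an added example that is not part of the original post or of aria2: it reads an aria2.conf and flags the two situations this post runs into, TLS switched on with no certificate, and the cleartext workaround exposed on every interface. The option names are aria2's own; the finding names, the 16-character threshold and both sample configs are constructed for this illustration.

```python
"""Lint the RPC options of an aria2.conf before starting the service.

Added example. Option names are aria2's own; the finding names, the length
threshold and both sample configs are constructed for this illustration.
"""
MIN_SECRET_LEN = 16  # assumption for this example, not an aria2 rule

FINDINGS = {
    "no-secret": "RPC is on without rpc-secret: anyone reaching the port can drive aria2",
    "short-secret": f"rpc-secret is shorter than {MIN_SECRET_LEN} characters",
    "secure-without-certificate": "rpc-secure=true needs rpc-certificate; turn it off or supply one",
    "cleartext-on-network": "rpc-listen-all=true with rpc-secure=false sends the secret unencrypted",
}


def parse_conf(text):
    """aria2.conf holds one key=value per line; lines starting with # are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def lint_rpc(text):
    """Return the list of finding names for the RPC settings in `text`."""
    opts = parse_conf(text)

    def enabled(key):
        return opts.get(key, "false").lower() == "true"

    if not enabled("enable-rpc"):
        return []                      # no RPC listener, nothing to check
    found = []
    secret = opts.get("rpc-secret", "")
    if not secret:
        found.append("no-secret")
    elif len(secret) < MIN_SECRET_LEN:
        found.append("short-secret")
    if enabled("rpc-secure"):
        if not opts.get("rpc-certificate"):
            found.append("secure-without-certificate")
    elif enabled("rpc-listen-all"):
        found.append("cleartext-on-network")
    return found


# Constructed sample: TLS switched on but no certificate configured.
TLS_WITHOUT_CERT = """\
enable-rpc=true
rpc-listen-all=true
rpc-secure=true
rpc-secret=xxx
"""

# Constructed sample: the workaround from the post, with a long secret.
WORKAROUND = """\
# RPC Options
enable-rpc=true
rpc-listen-all=true
rpc-secure=false
rpc-secret=constructed-example-secret-0123456789
"""

if __name__ == "__main__":
    for name, conf in (("TLS_WITHOUT_CERT", TLS_WITHOUT_CERT),
                       ("WORKAROUND", WORKAROUND)):
        for finding in lint_rpc(conf):
            print(f"{name}: {finding}: {FINDINGS[finding]}")
```

With the workaround config the only finding left is the cleartext one, so keep the RPC port reachable from a trusted network only.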


Mailpile Installation Notes

There’s a powerful Gmail web interface replacement called Mailpile that works with your regular mail hosted anywhere. Think of it as Thunderbird but hosted like a web page. There are a few things I liked about it in the process of freeing myself from Gmail:

  • Free to use any email (storage) services and not tie your client to it
  • View multiple accounts at the same time (NextCloud won’t do it)
  • Very clean, concise interface that makes sense (Gmail users will be comfortable with it)
  • Very security and privacy conscious with attention to details! It even encrypts your local email cache and search index if you want to (performance penalty)
  • Excellent email setting autodetection. Just type your email account and everything’s set up for you!

The only downside is that the documentation is a little lacking. There are a few concepts that are not explained that’d confuse and scare users away. That’s why I’m explaining it here.

  • This is a headless service where the interface is a webpage you access in a web browser.
  • It’s originally designed to install and run as a local web server where you access mailpile.
  • Call mailpile (can create a shortcut) and it’ll try to launch the correct page for the mailpile client.
  • Mailpile does not maintain a separate user registry: it uses the hosting computer’s native user manager
  • Log into your mailpile using the user account name of the computer where mailpile is installed!

Advanced concepts

  • Install multipile instead if you want other computers to access the headless service
  • You’ll need to log in to the computer that hosts the headless mailpile and run mailpile once AS the user you want to set up, to establish the account before use.

Download and installation instructions:

# Currently there's only Debian-like distributions (because it uses apt-get)
# These instructions do not assume direct root account. Use sudo instead

# Install pre-requisite packages: curl apt-transport-https gnupg
sudo apt-get update && sudo apt-get install curl apt-transport-https gnupg

# apt-key add {contents of the package signing key provided by
curl -s |sudo apt-key add -

# Register's package server with Debian apt package manager
echo "deb release main" |sudo tee /etc/apt/sources.list.d/000-mailp.list
# NOTE: Official instruction says 000-mailp instead of 000-mailp.list 
#       You need to have some file extension as apt-get checks

# Multipile (mailpile-apache2) = Mailpile + (allowing access from other computers through apache)
sudo apt-get update && sudo apt-get install mailpile-apache2

# You'll need to run mailpile as the user once to establish your account with mailpile before use
# If you are on terminal interface instead of web interface, enter 'setup' at mailpile prompt:
> setup
# Follow the instructions on the web interface for setup if you do not use terminal mailpile client interface

Additional Resources:


Off the Matrix Notes

Namecheap Shared Hosting

  • Free Dynamic DNS with domain (Namecheap has a free Windows client. Use zoneclient for Linux)
  • Email (IMAP): uses Maildir (for those who need migration)
  • Contacts: CardDav (use DAVx5 adapter on Android)
  • Calendar: CalDav (use DAVx5 adapter on Android)
  • Notes/Tasks: NextCloud (can sync with NextCloud’s built-in CalDav server)
  • Blog: WordPress
  • And of course, your own website!

VPS Hosting

  • NextCloud has File-On-Demand (like OneDrive) called Virtual File System (VFS)
  • YunoHost: easy to use modular self-hosting
  • UBOS Linux: distro for self-hosting. Even works for Raspberry Pi
  • Awesome-Selfhosted: has many free web services packages

Phone (Android only)

  • De-google your phone with microG Project
  • Play store: F-droid (Bonus: many open source apps that are paid apps on Google store offer the full version for free on F-droid to encourage you to move away from Google Play), Yalp Store


  • Rob Braxman Tech (He knows about the nasty dictators like the Chinese Communist Party. Don’t think you are safe in America. The reach of the Chinese Communist Party Mafia, formerly known as the Chinese SOVIET Republic, is beyond our imagination.)

Alternatives to Big Tech respecting privacy (for now)

  • Search (Google): DuckDuckGo
  • Browser (Chrome): Brave
  • Email (Gmail): see above (self-host) or ProtonMail (zero knowledge encryption)
  • Cloud (Google Drive, OneDrive, Dropbox, etc): see above (self-host) or use zero-knowledge encryption
  • Text/Chat (Whatsapp, Line): Signal App
  • Calling: Telegram has better voice quality than signal, but sometimes it has weird behavior on certain phones. Telegram does not have zero-knowledge proof, so it’s up to Pavel Durov (he’s usually good at not bending to totalitarians).

Alternatives to Big Tech that refuses to censor and manipulate users (for now)

  • Video (Youtube): Odysee (LBRY), Rumble
  • Facebook: MeWe
  • Twitter: Gab, Safechat, CloutHub has a crappy search feature, Parler now has PC bots patrolling and misfiring

Zero-knowledge encryption means the server has no access to the info you put in there, as it is all encrypted and protected by a password which only you have (preferably use zero-knowledge proof so the owner of the server does not have any master keys to see your data: if you lose the key, the data is practically gone forever).


NextCloud setup notes

Free Horde Webmail client was ugly so I was looking for alternatives to view my email, calendar, contacts and notes. After a bit of research, I decided to try NextCloud.

NextCloud hosts calendar/tasks (CalDav) and contacts (CardDav) as a server, but does not store emails. Use any email provider (from your ISP or free email services as long as they do IMAP/POP and SMTP).

  • Default welcome/demo files are under /core/skeleton (you can change this by editing /config/config.php)
  • If you move the folder, you have to edit the database and root location paths in /config/config.php
  • Need to setup MySQL first. Avoid PostgreSQL option as it does not work out of the box.
  • Disable sqlite3 PHP extension
  • If installed on shared hosting, install without featured app because it will install CODE, which is a can of worms.
  • Collabora Online is a can of worms. See below

Collabora Online (LibreOffice engine to edit documents live on web browsers) require special handling:

  • There’s a free community edition called CODE (Collabora Online Development Edition)
  • Do NOT install the BUILT-IN CODE server Nextcloud App if your NextCloud is on shared hosting, because it will appear as a rogue app that slows Nextcloud to a crawl, exhausting entry processes (aka concurrent Apache requests), and it’ll still time out opening a document. It is probably malfunctioning due to some permission issues on shared hosting.

Ports that need to be opened (more accurately port-forwarded to the CODE server) for Collabora:

  • 443 (HTTPS)

Turns out port 80 (HTTP that starts with Univention administration interface) is not necessary. It just redirects to port 443 (HTTPS) if you forgot to type the URL starting with https:// (it’s http:// by default when you type in the address bar of your browser).

Since the URL of Collabora Online-server in NextCloud settings uses only HTTPS and a HTTP URL is going to be redirected to HTTPS anyway, don’t bother with forwarding Port 80 (HTTP) and enter https:// in the Collabora Online-server URL instead.

You don’t need to forward 9980 (WOPI) either. Somebody mentioned it in Nextcloud forum but that’s not the cause.

Well, the next part is the hairiest. Turns out even when the Collabora server checks out with NextCloud, the documents won’t open (some weird error messages):

The webpage at https://<Collabora Server>/loleaflet/23e6a73/loleaflet.html?WOPISrc=https%3A%2F%2F<Collabora Server>%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F2180_octqxsu7tnwz&title=<Filename of document to edit>&lang=en&closebutton=1&revisionhistory=1 might be temporarily down or it may have moved permanently to a new web address.

Of course, substitute <Collabora Server> and <Filename of document to edit> with your scenario.

I tried going to https://<Collabora Server> and noticed this NET::ERR_CERT_AUTHORITY_INVALID error:

Turns out, given that my server does not have the SSL certificate installed yet (and I got around it with “Disable certificate verification” in Collabora Online setup), my users/clients have to manually visit the Collabora (NOT NextCloud) server and click through the security warning to accept the Collabora site that does not have a valid SSL certificate. After that, Collabora Online works properly!

In other words, if you run into certificate issues with the Collabora server, NextCloud won’t tell you when it calls the Collabora server (with REST API) to open the document. Instead it’ll just appear as a failed HTTPS call, without warning or giving you a chance to correct the certificate issue.


NextCloud quirks – moving folder breaks the site

I changed the folder where my NextCloud files are and got this error.

Adding the “.ocdata” dummy file there doesn’t work. The message is cryptic. I tried to run occ at the root folder (hoping it’s some sort of management tool) by running this at the command/SSH prompt:

php ./occ

and it spits out:

Your data directory is invalid
Ensure there is a file called ".ocdata" in the root of the data directory.

An unhandled exception has been thrown:
Exception: Environment not properly prepared. in 
{New Folder}/lib/private/Console/Application.php:168
Stack trace:
#0 {New Folder}/console.php(99): ...

I replaced my actual path for the new location of the NextCloud files with {New Folder}, so you get the idea.

I also noticed the old path was regenerated with just a /data folder with two files

This means some programmer got lazy and hard-coded the path somewhere!

Line 99 of console.php didn’t give too much hint so I looked at the code around for some sort of config-related operations before. Then I noticed this:

So I searched for config.php and found it’s located in /config/config.php. Bingo!

$CONFIG = array (
  'trusted_domains' => 
  array (
    0 => '{Old URL}',
  ),
  'datadirectory' => '{Old Path}/data',
  'overwrite.cli.url' => 'https://{Old URL}',
  // ... remaining settings (including the database ones) left out ...
);

And to my horror the SQL password is stored in plain text in config.php! WTF! I’ll choose a password that’s dedicated to one use and not shared!

I recalled that when I rename WordPress databases, I have to manually edit the changes in wp-config.php. Turns out nobody warned us about that for NextCloud! That config file also contains database settings, so I bet if I change the database names or database usernames, I’ll have to come back and edit it manually too.

The site is working after I made the migration changes, all in /config/config.php.


Take back control over your data (1) – Email, Calendar & Tasks, Contact

One thing that 2020 and 2021 taught us is that we’ve foolishly surrendered our data to private companies for harvesting and subjected ourselves to being manipulated (behavior conditioned) by bots (artificial intelligence studying our habits), in exchange for a little convenience having big companies hosting our data (on the cloud) for free.

The conventional wisdom is that if something is free without the pains (either hard to use or has advertisements), you are the product to be monetized.

Data is today’s new currency for world domination.

Their house, their rules.

Not only the big data companies know us better than we do, they also have the power to censor us at their own whims.

They are the ones who wrote the law, interpret the law, and enforce the laws. The unholy trinity has fused the 3 traditionally separated powers in democracies and became THE almighty.

Like it or not, private companies are dictatorships in all relationships: vendor, customers, employees.

Of course they bear the consequences of their actions, depending on how much de facto leverage they actually have, which increases with their size. They are already effectively controlling the government with their extensive lobbying budgets.

We are all at the mercy of the big tech if we become dependent on their products.
THEY OWN US if we don’t own our data.

Not to mention that we also rely on their IT security departments, which are constantly under attack since a centralized target provides a high return on investment in hacking attempts. Bad people only need to hack a big corporation once to steal 100 million+ users’ data. If the 100 million+ users’ data are scattered on many different servers with different software, configurations and locations, each attack will be much less worthwhile.

In some sense, it’s much safer for less attractive targets (nobodies) to risk security flaws in their own setups because nobody cared to go after them. More importantly, I don’t want to feed a monster with my data that they are going to bite me or other people I support whenever they wanted to.

Here are the basic minimum web services that we’ve become reliant on in our daily lives.

  • Email
  • Calendar & Tasks
  • Contact List (e.g. Phonebook)

In Google ecosystem:

  • Gmail
  • Google Calendar & Google Tasks
  • Google Contacts

Apple (iCloud) uses the standard protocols

  • Email: IMAP/SMTP
  • Calendar & Tasks: CalDav
  • Contact List: CardDav

If you are paranoid about full control over your data that nobody (including tech support) can see, you should host your own server (based on the protocols above). But if you are concerned about up-time, these services come pretty standard with most cheap (shared) web hosting plans at around $2/mo.

If your provider uses cPanel (e.g. namecheap), each email account comes with Calendar/Task (CalDav) and Contact List (CardDav) sync services. They typically come with a webmail client like horde/roundcube.

Namecheap has their own dedicated email service, but I think their shared hosting plan is a much better deal unless you really need the ActiveSync (Outlook, but you can do it for free with CalDAVsynchronizer) and the Open-Xchange productivity suite (which looked better than horde webmail client). You can also host websites and WordPress (blogs) with the hosting plan and have a FTP server for your files.

cPanel is the most popular admin panel for shared hosting, but there are companies like Dreamhost that don’t use cPanel and do not offer calendar/task and contact sync services natively, so watch out.

In Android, I recommend the following setup after trial and error

  • Email: FairEmail or stock Email client
  • Calendar: Simple Calendar Pro (by Simple Tools) or stock Calendar
  • Tasks:
  • Contact List: Stock android contacts (phonebook)
  • CalDAV/CardDAV sync adapters (needed for Calendar & Contacts above): DAVx5

These are ALL open-source free software (privacy respecting) available from, which do not require login/purchases (please donate). You might see the paid version on Play Store, but it’s just taxing the less adventurous people.

Many fancy email apps that autoconfigure the server for you often harvest your data or do analytics. Be very careful of that. As far as I know, FairEmail is the only one that has advanced features comparable to Gmail and neither harvests your data nor charges you.

Remember to turn on Push-IMAP in your email client so it’ll be as responsive as Gmail. In FairEmail, it’s under Settings -> Receive -> When -> Automatically Optimize ON + Always.

I’ve tried a few other Calendar and Tasks apps on Google store (such as BusinessCalendar and aCal), and so far the stock Calendar app and Simple Calendar Pro’s built-in refresh work correctly with DAVx5 sync adapters. The refresh button for the rest did nothing, so I had to open DAVx5 to manually initiate a refresh if I didn’t want to wait 15 minutes (fastest update rate allowed by DAVx5).

As for app, it doesn’t use the sync adapter. Instead we directly enter the CalDAV login info with the server link provided by your hosting provider


Namecheap Dynamic DNS Update Service

If you have a domain registered under Namecheap, you can dynamically update the IP address to a remote computer at no extra cost. If you use, you have to pay $29.95/yr to use your own domain name.

However, the process is not entirely trivial because Namecheap only offers the dynamic update through its BasicDNS nameserver, which has a few implications

  • BasicDNS nameserver means you configure the DNS records directly in the Advanced DNS tab when you manage your domain name. DNS records in the Zone Editor in cPanel are not active with BasicDNS nameserver
  • If you use the domain name with Namecheap hosting services, you can no longer have everything configured for you (managed in cPanel’s Zone Editor) by choosing Namecheap Web Hosting nameserver. You have to transfer the DNS records in Zone Editor (cPanel) manually to the Advanced DNS tab (Namecheap). At minimum, get the IP address of the HTTP server and enter it as the ‘A Record’ for the main/sub-domain.
  • Setting up a subdomain name or root domain name to be used with the Dynamic DNS update service is simply a matter of entering an ‘A Record’ with any IP address as the seed ‘Value’ (subdomains entered as ‘Host’). The value (IP address) will be overwritten by the update service/client.

Namecheap also offers an eye candy called ‘A + Dynamic DNS Record’ which is exactly the same thing but makes it easier for you to remind yourself that the ‘A Record’ is specifically used for dynamic DNS update.

It’s a daunting task if you haven’t done the work to understand how DNS records work, since there are lots of new terms to learn.

However, it’s not that hard after you understand what an ‘A Record’ does: map the domain name (or its subdomains) to an IP address. All Namecheap did was provide a web server (using a REST API that accepts user inputs with certain syntax in the URL) that updates your ‘A Record’ (domain to IP address map).


Lantern-VPN Free for Hong Kong & China (Hong Kong has already begun partial internet blocking; install the free Lantern VPN circumvention software now)

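The website “Hong Kong Chronicles” (香港編年史) has been blocked by the Hong Kong government. This proves that Hong Kong’s telecommunications infrastructure is already under the direct control of a certain “locust army”. If they can block one site, they can block YouTube and The Epoch Times next. Everyone, get ready to get over the firewall.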

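Lantern (藍燈), a quick-install VPN tool, is very easy to use. No registration is needed, and it is completely free for users in the Hong Kong region. Download: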

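The Android version has only a single on/off switch. The Windows version does not need administrator (Admin) rights; it installs directly into the user’s personal folder, with no complicated settings. If several people share one machine, each user installs it once for themselves, so one person going on the VPN does not force everyone else onto it too.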


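There is also Psiphon (賽風), a circumvention tool sponsored by the Open Internet Foundation (開放網路基金會). I have not tried it myself; tutorials can be found at. It is also completely free for users in areas that have fallen to dictatorial devils.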
