C:>ping www.google.com

Pinging www.l.google.com [2001:4860:800c::93] with 32 bytes of data:
Reply from 2001:4860:800c::93: time=29ms
Reply from 2001:4860:800c::93: time=32ms
Reply from 2001:4860:800c::93: time=68ms
Reply from 2001:4860:800c::93: time=28ms

Ping statistics for 2001:4860:800c::93:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 68ms, Average = 39ms

C:>ping www.facebook.com

Pinging www.facebook.com [2620:0:1c00:0:face:b00c:0:2] with 32 bytes of data:
Reply from 2620:0:1c00:0:face:b00c:0:2: time=102ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=125ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=94ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=95ms

Ping statistics for 2620:0:1c00:0:face:b00c:0:2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 94ms, Maximum = 125ms, Average = 104ms

More Information

My ISP timewarner cable does not support native ipv6 yet, so I am still using he tunnelbroker for my home connection. Nonetheless it works pretty well.

Both most recent Tomato Firmware and Openwrt trunk version have built-in 6in4 and 6to4 support.

Update 1: http://test-ipv6.com/

Update 2: http://ipv6-test.com/

The solution is policy based routing with IPv6. There are two related options in kernel configure, so make sure they are enabled. If not, you will encounter an error.

First install iproute2 and add a new route table.

echo "200 to4" >> /etc/iproute2/rt_tables

Then you can add source based rules and routes to this table.

ip -6 rule add from 2002::/16 table to4
ip -6 route add 2002::/16 dev 6to4 table to4
ip -6 route add default via ::192.88.99.1 dev 6to4 table to4

One thing I am still not sure is whether to delete the 2002::/16 from main route table.

ip -6 route del 2002::/16

I think this can solve some stateful firewall problem, but not necessary.

{block:posts}
<img src="http://chart.apis.google.com/chart?cht=qr&chs=116x116&chl={ShortURL}"/>
{/block:posts}

Here is an Example on my tumblr.

The setup process is very easy. You only need to change DNS server from domain registry. Setup wizard will automatically import old DNS setting. However multi tiered sub domain won’t be detected. Both CNAME and A host will be proxyed through by default.

Once DNS change finished, your website will be severed with transparent proxies. Unwanted visitor will be screened and static assets will be cached.

Here is the page loading timeline of my test page
Without CloudFlare

With CloudFlare

The page is very simple, but still it clearly shows there’s no measurable latency with dynamic contents and notable improvement with static assets. However text assets like html, css and js have slightly bigger size. My original is compressed with gzip -9.

Pro:

• Anycast GeoDNS hosting
• Vistor security screen
• Slick analytics
• Transparent caching around world
• Basic account is free
• Very easy to setup

Con:

• Http only, no video streaming
• Slow in Asia
• Suboptimal gzip compression ratio

Overall I am very impressed with the free features and performance.

I used user api to do the real login.

Here is source code.

The idea is very simple. Instead of redirecting main page, I use javascript to popup a small page. Most providers have webpage optimized for popup. Then this page will detect callback and refresh main page and close itself. A hidden iframe will also try previous login url if available.

With tumblr‘s custom HTML theme, you can integrate open graph protocol in your theme. When user click on a like button, facebook will display your real site name instead of domain itself. If it is a photo post, in activity stream a nice thumbnail will be displayed.

My test page

Here is a tumblr theme fragment which includes required items. I also uploaded images for all post types.

{block:IndexPage}
    
    
    
    
{/block:IndexPage}
{block:PostSummary}
    
{/block:PostSummary}
{block:Permalink}
  
  
  {block:Posts}
      {block:Text}
        
      {/block:Text}
      {block:Photo}
        
      {/block:Photo}
      {block:Photoset}
         
      {/block:Photoset}
      {block:Quote}
        
      {/block:Quote}
      {block:Link}
        
      {/block:Link}
      {block:Chat}
        
      {/block:Chat}
      {block:Video}
        
      {/block:Video}
      {block:Audio}
        
      {/block:Audio}
      {block:Answer}
        
      {/block:Answer}
    {/block:Posts}
{/block:Permalink}

If you use Disqus comments system, you probably already have a facebook app id. You can find out both your app id and user id on facebook insights page. When you click “Insights for your Domain”, you will see a list of your apps and yourself. If you select any of them, the correct meta tag will be displayed.

It turns out the stage2 file only has the relative path from root if you use grub-install script. So all you have to do is to embed a absolute path in prefix. Here is the brief step to make a direct bootable stage2.

grub-mkimage --output=/boot/grub/core.img --prefix=(hd1,2)/boot/grub 
         biosdisk part_msdos ext2
cat /boot/grub/lnxboot.img /boot/grub/core.img > g2ldr

Now copy g2ldr to your windows’ partition. Make a grub4dos stage1 file

grubinst.exe -o -b=g2ldr g2ldr.mbr

You can find grubinst.exe from grub4dos website.

Add it to windows bootmgr with bcdedit

bcdedit /create /d Linux /application BOOTSECTOR
bcdedit /set {ID} device partition=c:
bcdedit /set {ID}  path g2ldr.mbr
bcdedit /displayorder {ID} /addlast

Here is a step by step guide on how to setup a linux container on top of EC2. Since EC2 itself is virtual environment, it is almost impossible to run other vm technology on top of it. You can read these general guide [1] [2] on how to setup a linux container.

Step 1: Host VM

In order to run lxc, the host will need to support cgroup and namespace. Ubuntu 10.4 lucid or newer includes them. I also made two public archlinux AMIs which support all these features, you can find them here.
Mount up /cgroup,

mkdir /cgroup
mount -t cgroup none /cgroup

In order for network to work you will need these two packages: iptables and bridge-utils. Ubuntu has lxc package, but on archlinux you will need to build it from aur.

Bring up the virtual network interface, you only need one here for all your lxc.

brctl addbr br0
ifconfig br0 192.168.3.1 up

Of course, you can pick other network address. You should skip the step mentioned in other guide to add your physical network such as “brctl addif br0 eth0”, because amazon will not route your private packet.

Step 2: Filesystem

Lxc installation should already include templates for some popular linux distribution. You can read the guide I mentioned above. For archlinux you can use my chroot script and patch.
I am not sure how to manually setup network for other distribution. You can also setup a dhcpd on host for the container.
On archlinux you can disable the eth0 setup but enable the default route like this in rc.conf,

INTERFACES=()
gateway="default gw 192.168.3.1"
ROUTES=(gateway)

Here I assume your new root filesystem inside /mnt/mini. You LXC config file should look like this

lxc.utsname = mini
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.3.20/24
lxc.mount.entry = none /mnt/mini/dev/pts devpts newinstance 0 0
lxc.mount.entry = none /mnt/mini/proc    proc   defaults 0 0
lxc.mount.entry = none /mnt/mini/sys     sysfs  defaults 0 0
lxc.mount.entry = none /mnt/mini/dev/shm tmpfs  defaults 0 0
lxc.rootfs = /mnt/mini
lxc.tty = 3
lxc.pts = 1024

Step 3: Container network

For network inside container to work, you still need to do two more things.

cp /etc/resolve.conf /mnt/mini/etc

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

Now you can start your container.

lxc-create -f /mnt/config -n mini

lxc-start -n mini

If there is no error during container boot, you can proceed to enter your container.

lxc-console -n mini

Login as root with no password.

ping www.google.com

If you are lucky, you should see ping go through. It may take a second to discover the new route inside container.

Step 3: Run service inside container

The main reason for most people to setup a container inside an EC2 is probably for jailing network daemons. But your container only have non reachable private address, so do it home router style using port forwarding with iptables.
For example, start your httpd daemon inside container as usual, then run this on host

iptables -t nat -A PREROUTING -i eth0 -p tcp 
   --dport 80 -j DNAT --to-destination 192.168.3.20

Now you should be able to reach your container from public ip.

I tested them to copy a Linux kernel source tree. Each command I tested twice and keep the lower result.
The original directory size is 639660032 bytes. All methods generate exact same size of 675446784 bytes without sparse option.

Time used and destination size:

Concolusion:
For non sparse copy, rsync is the fastest. For sparse copy, rsync and cpio have the best space efficiency, but slow.

Table of Content

1. Ziproxy
2. Ad Block
3. PPTP VPN
4. Client Configure

1. Ziproxy

Ziproxy is free opensource non-cache proxy to reduce webpage size by recompress image files.
I run a simple test on some of my favorite websites by measuring full page loading size. These data are measured by Firefox, so the flash is included. Images have visible compression artifact at normal viewing distance, but that’s the price you have to pay for saving bandwidth. Ads are stripped away in proxy testing, see next section.

Install ziproxy or from package manager.
Modify /etc/ziproxy/ziproxy.conf

Port = 3128
RunAsUser = "nobody"
RunAsGroup = "nobody"
PreemptNameRes = true
ImageQuality = {65,65,65,65}
URLReplaceDataCT = "/etc/ziproxy/replace_ct.list"
URLReplaceDataCTList = {"image/jpeg", "image/gif", "image/png", "application/x-shockwave-flash"}

Don’t use VPN end point address here, because it doesn’t exist before VPN established. Depends on how you setup VPN, you can either limit access from iptables or binding address. You can also start ziproxy from ppp if-up script to avoid binding address problem.
65% compression has a good balance between quality and size. URLReplaceDataCT will be used for adblocking to further reduce bandwidth usage.

Update: I did some real test on iPad. I used the traffic number on VPN interface to measure the total bandwidth usage to visit all above website once. I also measured multiple times to make sure data convergent. Here is the result
No Proxy: TX 13.3MB RX 1.6MB
With Ziproxy: TX 8.2MB RX 1.5MB
Total: 35% Bandwidth save before VPN overhead.

2. Ad Block

There are several ways to block ads.
First, VPN configure of your iPad or iPhone supports proxy autoconfigure. You can use a special proxy.pac file to block ads. It will redirect urls to a fake proxy.

You can also chain privoxy to your ziproxy.

Another way is url block list used by ziproxy
/etc/ziproxy/replace_ct.list

http://*.yimg.com/*/promotions/*
http://*.doubleclick.net/*
http://*.2mdn.net/*
http://*.serving-sys.com/*
http://*.adtechus.com/*
http://*.eyewonder.com/*
http://*.atdmt.com/*
http://*.fbcdn.net/ads*/*
http://*.advertising.com/*
http://*.smartadserver.com/*
http://*.mediaplex.com/*
http://*.zedo.com/*
http://*.tumri.com/*
http://*yieldmanager*
http://*.checkm8.com/*
http://*.pointroll.com/*
http://*.tubemogul.com/*
http://*.intellitxt.com/*
http://*.crispwireless.com/*
http://*.condenet.com/*
http://*.eyereturn.com/*
http://*.linkstorm.net/*
http://*.optmd.com*
http://*.tcgmsrv.net*
http://*.videoegg.com*
http://adserver.*
http://ads.*
http://ad.*
http://*/ads/*
http://*adsfile*
http://*adfile*
http://*ad_file*
http://*ads_file*
http://*banner*
http://*banners*
http://*sponsor*
http://*sponsor*
http://*/adRequest/*
http://*Advertising*
http://*/adx/*
http://*marketing*
http://*adspace*
http://*adimage*
http://*ad_*
http://*AdManager*
http://*adscontent*
http://*adcontent*

These are urls I found in my testing website.

3. PPTP VPN

Poptop is a PPTP server. Most linux should include it in ppp package.
Here is some sample configure, you can use
/etc/pptpd.conf

option /etc/ppp/options.pptpd
localip 192.168.x.1
remoteip 192.168.x.234-238,192.168.x.245

/etc/ppp/options.pptpd

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

/etc/ppp/chap-secrets

user pptpd password *

If you want to enable “Send All Traffic” option on your iDevice, you also need to enable nat and ipv4 forwarding. This is only needed if you want to use application which does not support normal proxy. I use shorewall for NAT setup.

As I mentioned in previous section, you can enable ad block in VPN setting with proxy.pac file.

4. Client Configure

Here is example setting for vpn and proxy.

If you don’t need ad block. Here is a simple proxy.pac, or you can use manual proxy setting.

function FindProxyForURL(url, host) {
         if ( url.substring(0, 6) == "https:" ) { return "DIRECT"; }
         return "PROXY 192.168.x.1:3128; DIRECT";
}