Taipei Forcing Club – Page 2 – Computer science and contract bridge

How to set charset of all text responses on nginx

All text files on a site usually share the same character encoding. Especially UTF-8 is the modern de facto standard. However, the default charset_types does not contain text/css, let alone other non-plain text types like text/markdown.

The default charset_types should be text/* because most of them are parsed in ASCII (us-ascii) by default for backward compatibility. A text/xml response is parsed in ASCII even if BOM and XML declaration tells otherwise. Therefore, we should use application/xml for XML responses now.

Nevertheless, the charset_types setting checks complete matches only. Luckily, the map directive knows regex, and charset_types accepts a variable.

map $sent_http_content_type $charset {
    ~^text/   utf-8;
}

charset       $charset;
charset_types *;

This setting would make nginx specify UTF-8 for all text responses, such as text/css; charset=utf-8.

Inverted minors considered harmful with strong notrump

I have been researching on Wbridge5, a prominent bridge program. I used to be confused that it disables inverted minors by default. Recently I came up with a conclusion.

Wbridge5 opens strong notrump by default, so this treatment is disabled. Wbridge5 still includes inverted minors because weak notrump is a choice.

Inverted minors originated from Kaplan–Sheinwold. It is popular in East and Southeast Asia because of Precision Club, a bidding system based on K-S with the strong club that inherits the weak notrump opening.

Nowadays, many players open strong notrump according to something American. However, some of them still employ inverted minors. It has pros easily found by searching “inverted minors.” Hence, I list its cons as a balance report.

Garbage 1NT response

The weakness of inverted minors is not on itself but the 1NT response adjusted by the inverted minors. The 1NT response shows either of the following:

Constructive 1NT: Expected 6+ tricks if both minimum.
Garbage 1NT: Expected only 5 tricks if both minimum.

When the partner opens 1♠, 1♥, or 1♦, not to miss a probable game, the garbage 1NT is on. Overcalls invalidate inverted minors, so their counteractions fall out of the topic.

Without inverted minors, a 1NT response to 1♣ is always constructive. Respond 2♣ with a weak 3-3-3-4 because the opener often has 4+ clubs.

If 1♣ ensures 3+ clubs: With minimum strength, the probability of mere 3 clubs is 21.5%.
If 1♣ can be 4-4-3-2: With minimum strength, the probability of mere 3 clubs is 20.4%, 4-4-3-2 5.19%.

Weak 4-card support dumped as garbage

Express 5-card support as 3 level preempts. Nevertheless, 1NT with weak 4-card support is much less preemptive. Is there so much difference between 2 of a minor and 1NT, as 1NT is just one or two bids lower? Let’s consider the following.

W	N	E	S
	1♣	-	1NT
X¹	-	-²	?

The point is not whether to escape, but the positive pass. Notrump is awful for the declarer, with 6.06 tricks taken on average. 1NTxS−3 is more tragic than 3NTE= without favorable vulnerability. Besides, the total notrump tricks may be less than 13.

If we responded 2♣ instead, east must have clubs to pass, and the lowest positive advance becomes 2NT. Preemption is force opponents to bid strong hands high. Although 2♣ is only one bid higher than 1NT, it pushes pass and cuebid onto 2NT.

Takeout double ↩
Convert to business double ↩

AppArmor configuration for nginx and php-fpm

AppArmor is the default MAC module on Ubuntu. Unlike DAC in Un*x, an AppArmor config lists what a process can access. An enforced process can only access listed paths; a complaining process emits warnings when accessing unlisted files.

However, there is no default config for nginx and php-fpm. To prevent the webserver from being hacked, causing systemic infection, let’s write configs on our own! The useful tool aa-genprof gets most of the jobs done, but some paths, especially sockets, are still missing. Therefore, I publish my settings as a reference.

Document roots are at /srv/www/*/.
I prefer Unix domain sockets to [TCP sockets].

The following is my config for nginx.

#include <tunables/global>

/usr/sbin/nginx {
	#include <abstractions/apache2-common>
	#include <abstractions/base>
	#include <abstractions/nis>

	capability dac_override,
	capability net_bind_service,
	capability setgid,
	capability setuid,

	/etc/nginx/** r,
	/etc/ssl/openssl.cnf r,
	/proc/*/auxv r,
	/run/nginx.pid rw,
	/run/nginx.pid.oldbin w,
	/run/php5-fpm.sock rw,
	/srv/www/** r,
	/usr/sbin/nginx mr,
	/var/log/nginx/* w,
}

The following is my config for php-fpm.

#include <tunables/global>

/usr/sbin/php5-fpm {
	#include <abstractions/base>
	#include <abstractions/nameservice>
	#include <abstractions/php5>

	capability kill,
	capability setgid,
	capability setuid,

	/etc/php5/** r,
	/proc/*/auxv r,
	/proc/sys/kernel/ngroups_max r,
	/run/mysqld/mysqld.sock rw,
	/run/php5-fpm.pid rw,
	/run/php5-fpm.sock w,
	/srv/www/** r,
	/srv/www/html/wp-content/** rw,
	/srv/www/html/wp-content/cache/** rwk,
	/srv/www/magento/media/** rw,
	/srv/www/magento/var/** rwk,
	/tmp/ r,
	/tmp/** rwk,
	/usr/sbin/php5-fpm mrix,
	/var/log/php5-fpm.log* w,
}