A few nights ago at midnight, I was lying in bed idly browsing JD.com when I miraculously caught this perpetually out-of-stock Xiaomi Book Pro 14 2026 top-spec version in stock! The suddenly appearing purchase button was practically waving at me. Although my brain wrestled with the decision for a bit, my hands were very honest and pressed the payment button.

While I missed the launch discount and the original price of 10,499 CNY stung a little, fortunately I could stack some local government subsidies, bringing the actual price down to 8,999 CNY—quite a bargain. Thinking about it carefully, it's not a loss at all. After all, it was time to let my hardworking companion, the ThinkPad T14 Gen2i that I'd been tinkering with for four years, gracefully retire to secondary duty.

Linux Compatibility: A "Gamble" and Testing Plan

This laptop has performed impressively in media reviews over the past month, so I won't elaborate too much. In short, the performance boost and battery life provided by its Panther Lake processor are excellent, and its featherweight 1.07kg made me very excited. The only remaining uncertainty was its Linux compatibility. Since it's a new machine with the extremely low-volume Panther Lake processor, I didn't expect any Linux users to get their hands on it for testing right away. Seeing it was an Intel platform with an Intel network card, I decided to take a gamble. After delivery, I wouldn't activate it directly—I'd use oobe\bypassnro to bypass Microsoft account binding, enter the desktop, disable fast startup, and then pull out a LiveCD for testing.

My plan was this: if I could boot into the LiveCD and after simple testing found no major issues, I'd confirm receipt and activate online; if there were Linux compatibility problems that couldn't be resolved quickly, I'd have to return it, as I'm truly a heavy Linux user.

Test Items and LiveCD Results

The test items were as follows:

• Properly entering the desktop environment
• WiFi
• Bluetooth
• Sound card
• Camera
• Built-in keyboard
• Touchpad

Note: I should mention upfront that for fingerprint recognition and power management (including system sleep, hibernation, and other state transitions), I didn't specifically verify these features in this testing, mainly because I rarely use fingerprint functionality in my daily Linux usage, so I didn't dwell on this aspect.

Fortunately, the test results for the core basic configurations didn't disappoint me. Let me briefly discuss the LiveCD test results:

Solving the Problem: The Almighty Kernel Parameters

From the test results above, you can see that kernel versions 7.0 and above fixed the sound issue. After some searching, I found this blog post that could solve the keyboard recognition and screen artifact problems.

Re-entering the LiveCD, I pressed 'e' at the GRUB interface to enter edit mode, and added i8042.nopnp=1 i8042.dumbkbd=1 xe.force_probe=b081 i915.force_probe=!b081 xe.enable_psr=0 parameters to the end of the linux line, then pressed F10 to boot. After entering the system, the keyboard worked normally and the screen artifact issue no longer appeared. I then connected to WiFi and played several hours of YouTube 8K videos without any obvious problems. Bluetooth, sound card, and camera all tested normally as well.

System Migration and Final Experience

With this, the Linux compatibility of this Xiaomi Book Pro 14 2026 can be said to exceed expectations. During the formal system installation, you only need to add a few kernel parameters to solve the problems encountered in previous testing.

Then came the migration process. I won't expand on this part—in short, it involved creating a new Linux root partition, using rsync to migrate the old system, rebuilding the fstab partition table and GRUB bootloader, and finally adding the aforementioned kernel parameters after system installation. After rebooting, everything worked normally.

The rsync command was roughly like this:

rsync -axHAWXS --numeric-ids <source> <destination>

Summary

Overall, the Linux compatibility of this Xiaomi Book Pro 14 2026 is quite excellent. Although I encountered some issues during initial testing, these problems were effectively resolved by adding kernel parameters. I've now activated the pre-installed Windows system online and confirmed receipt, while also successfully migrating my Linux system. The overall experience is very satisfying.

See Also

• 在 Xiaomi Book Pro 14 (2026) 上运行 Omarchy (Arch + Hyprland)

After getting it, I followed my usual habits and enabled "Google Base Services" in settings, installed "Google Play" and started using it normally. But over these past few months, I discovered that my FCM push notifications—whether Outlook email notifications or a certain instant messaging app that looks like a paper airplane—never seemed to work properly from the start. Their notifications would occasionally pop up suddenly after I unlocked my phone, but more often they just disappeared. I would only receive the backlogged notifications when I manually opened the corresponding apps.

Recently I received an offer from an overseas university and will be going abroad in September to pursue a master's degree, so I wanted to resolve this issue before leaving the country. After all, when living in China, most apps can push messages to me through MiPush, and these FCM-dependent apps weren't my most frequently used ones. I could just open them manually when I woke up each day to receive notifications. Even if my message response time wasn't great, it wasn't a big deal—if there was something urgent, my family and friends knew other ways to reach me faster. But once abroad, FCM push notifications become critically important, so I need to fix this issue quickly, or I'll have to consider switching phones.

Test Environment

• Xiaomi 15 mainland China version, 16GB + 512GB, HyperOS 3.0.7.0.WOCCNXM, the latest version as of this writing
• "Google Base Services" enabled, "Google Play" installed
• Connected to WiFi, with WiFi-routed data exit IP in 🇺🇸 Los Angeles
• MIUI optimization not disabled

Getting FCM Running First

I needed to first resolve the issue of FCM not receiving messages even when the screen is on. In the "Phone" app's dialer, entering *#*#426#*#* opens the FCM Diagnostics interface, which contains logs about FCM connection status.

In this interface, I found that FCM's connection status was actually normal, with no obvious error messages in the logs. So I started suspecting that some of HyperOS's power-saving mechanisms were interfering with FCM's normal operation in the background. Through some searching on Xiaohongshu (Little Red Book), I discovered that enabling "Autostart" permission for apps requiring FCM push in the settings interface, and setting battery optimization to "Don't optimize," seemed to solve this problem.

Testing with an IM app (sending messages from one account to another), I found that with the screen on, FCM could now receive messages normally even when the app was closed in the background.

The Problem of FCM Disconnecting One Minute After Screen-Off

However, after turning off the screen and leaving it idle for a minute, FCM stopped working completely. Whether email notifications or IM messages, none could be pushed to the phone via FCM. Only when I lit up the screen would the backlogged notifications suddenly appear. Checking the FCM Diagnostics interface again, FCM's connection status was either disconnected or had just connected for a few seconds. This indicates that in the lock screen state, FCM's connection gets terminated by the system, preventing message reception.

PS: I discovered that when charging, even with the phone locked, FCM maintains its connection and receives messages normally. This further confirms that HyperOS's power-saving mechanisms are interfering with FCM's normal operation.

Possible Solutions

After searching on Xiaohongshu and Xiaolüshu (CoolApk), I found some attempts and solutions from others:

1. Disable MIUI Optimization

This is my least favorite solution, because MIUI optimization is actually an important reason why I like HyperOS (MIUI). After disabling MIUI optimization, I found that the remaining battery percentage information can't be displayed inside the status bar battery icon—it must appear to the right of the battery icon. This is a huge waste of status bar space after HyperOS introduced the Super Island (Dynamic Island). Of course, there are other features that would be affected, but this is what I care about most.

Additionally, in HyperOS 3's developer mode, the "Disable MIUI optimization" option can no longer be found, though some users report you can make this option reappear through methods like resetting settings status, but I don't think this is a good solution.

2. Freeze "Battery & Performance" App or Replace with International Version

On HyperOS 2, some users reported that tampering with the "Battery & Performance" system app could solve the FCM screen-off disconnection problem. I tried using adb shell to freeze it, but after testing, this wasn't a useful solution, and it might cause some system scheduling anomalies. Also, don't enter ultra power saving mode, because that mode's UI is provided by the "Battery & Performance" app!!

The adb command is as follows:

adb shell pm uninstall --user 0 com.miui.powerkeeper

If you want to restore it, you can reinstall this app with the following command:

adb shell cmd package install-existing com.miui.powerkeeper

Some people also reported that replacing it with the international version of the "Battery & Performance" app could solve this problem, but I couldn't find the installation package for the HyperOS 3 international version's "Battery & Performance" app. After downloading and unpacking the complete ROM for the Xiaomi 15 overseas version, that app's apk couldn't be directly updated or installed via adb either.

3. Use fcmfix and Other Xposed Modules After Unlocking Bootloader

This solution is... forget it. Although I have a level 5 account on the Xiaomi community, I don't have the energy to participate in the "Xiaomi entrance exam" (I heard it's been suspended anyway). Moreover, after unlocking the bootloader, I might face a series of problems like payment apps not working. If I wanted to cover up related traces, I'd have to go through more hassle—it feels like more trouble than it's worth.

4. Use HeartbeatFixerForGCM

This software has been removed from Google Play and hasn't been updated in a long time. Testing shows it cannot prevent FCM from being disconnected by the system in lock screen state on HyperOS 3.

5. Use Gboard to Keep FCM Alive

Although I don't know the principle, some users reported that installing Gboard keyboard allows FCM to maintain its connection and receive messages normally in lock screen state. I tried it too, and indeed after installing Gboard and setting it as the default input method, FCM could maintain its connection in lock screen state.

However, this solution isn't perfect either. After all, I don't like Gboard's input experience, so I can't really accept this solution.

Some Personal Experiments

Although I don't have much experience with Android development—only touching it during a sophomore year course project—the AI era has given me the ability to do vibe coding.

So I also had AI modify some logic for keeping FCM alive based on HeartbeatFixerForGCM's open-source code, roughly following these approaches:

• Input Method Keep-Alive: Continuing Gboard's approach, using the persistent nature of input method services to maintain FCM connection. It could keep FCM alive, but lost the input capability of the input method—pass.
• Notification Listening: NotificationListener as a system listening role to increase persistence probability—no success, pass.
• Foreground Service: Persistent notification + FGS to elevate process survival priority—no success, pass.
• Accessibility Keep-Alive: Accessibility service also as a system listening role to increase persistence probability—no success, pass.
• VPN Keep-Alive: Using VPN service's persistent nature to maintain FCM connection. Don't know if it has any effect, but it did manage to disconnect my phone's network—pass.

In short, none of these attempts succeeded. FCM still gets disconnected by the system in lock screen state.

Seems Like I Found a Viable Solution?

Just when I was at my wit's end and ready to shop for another phone, I saw a Xiaohongshu post mentioning that you could first uninstall updates to "Google Play Services," then update it again to the latest version. The poster's explanation was to first uninstall the mainland-optimized Play Services, then install an un-optimized version from the Play Store, which could solve this problem.

Although you can't directly find the "Google Play Services" app on the Play Store, you can search for "Google Play Services" using your phone's browser, click the link from google.com, and it will automatically jump to the "Google Play Services" app page on the Play Store. You can also click here directly.

I tried it too, and indeed after uninstalling updates to "Google Play Services," FCM could maintain its connection in lock screen state. Although this solution sounds a bit mystical and I can't see the actual principle at work, since it was effective, I didn't dwell on it.

But just when I thought the problem was solved, while writing this article, I tried restarting my phone and found the problem had returned. And after restarting, repeating the above steps of uninstalling updates to "Google Play Services" still didn't solve the problem. This troubled me greatly, so I started recalling the previous operation steps, but I could never reproduce the previous state...

Wait, There Seems to Be a Fallback

While discussing this issue with a seasoned Android enthusiast, he pointed out that mainland OS indeed disconnects FCM's long connection after screen-off to save power, but still maintains a periodic check mechanism. This seems to match some isolated cases I encountered during testing. This periodic check interval is quite long—according to his estimate, around 10-20 minutes. I also conducted a round of testing myself. The process was:

1. Screen off for one minute, use secondary account to send message to main account, wait 6 minutes until main account receives the message, notified by my Xiaomi band's vibration that the message arrived.
2. Immediately use secondary account to send another message to main account, wait for main account to receive the second message, record the time difference between the two messages.

Because the time interval is quite long, I only tested one and a half rounds. The first round's time difference was 28 minutes, and the second round's time difference reached 38 minutes.

Conclusion: In screen-off state, although FCM's connection gets disconnected by the system, the system will automatically wake up FCM approximately every 30 minutes (inaccurate data) to check for new messages. If there are any, you'll receive notifications.

Conclusion

Currently, to receive FCM push notifications on mainland China version Xiaomi phones, you can only choose between using Gboard + real-time push / periodic check mechanism fallback.

The former uses Gboard input method's persistent nature to maintain FCM connection, enabling real-time message reception in screen-off state, but requires sacrificing input experience; the latter uses system periodic FCM wake-ups to check for new messages. While not requiring sacrifice of input experience, there may be delays exceeding half an hour.

References

• 【HyperOS】修復小米陸版通知推送 - Mobile01
• 如何解决原生 Android 续航问题？ - V2EX
• 小米 15/hyperOS 2.0 打开 FCM 通知 - V2EX
• 海外不建議購買內地版小米手機 因為一鎖屏就斷連 FCM， 導致海外 App 收不到消息推送。 亮屏後 FCM，會嘗試重連。 重連成功，才能收到通知。 已開自啟動，電池無限制。 有什麼解決辦法？ 香港澳門| salmon0105
• shaobin0604/HeartbeatFixerForGCM: Tiny application to fix GCM push notification delay issue
• kooritea/fcmfix: [xposed]让fcm唤醒已完全停止的应用
• Various discussions and feedback on social platforms like Xiaohongshu and CoolApk. Since the content is rather scattered and unsystematic, I won't list them all here. Interested readers can search for relevant keywords to view them.

My usual setup is to keep my proxy tool’s TUN mode enabled 24/7. All traffic goes through a virtual network interface first, and then routing rules decide automatically whether it should go through the proxy or connect directly. Most of the time this setup is pretty hassle-free — until recently, when I was rolling updates on Arch Linux with yay and suddenly ran into an SSL connection failure with dl.google.com.

It wasn’t just yay. My browser showed the exact same result:

My first instinct was: did my routing rules break again?
(They’re not written by me, so blaming them first is perfectly reasonable.)

The Rule Is DIRECT — No One Else to Blame

I double-checked the routing rules. Traffic with SNI dl.google.com was explicitly configured as DIRECT.

That made things strange. Logically:

• dl.google.com itself is often directly reachable from domestic networks
• The rule clearly says DIRECT

To be honest, I’d seen this issue before. Back then I had higher-priority tasks, so I just turned off the proxy tool, finished the update, and moved on. This time, though, I had nothing urgent on my plate — so I decided to finally dig into it properly.

It Resolved to an Overseas IP

First, I disabled the proxy tool’s fake-ip mode and switched back to real IP resolution to avoid introducing extra variables. Then I used curl -vv to access a dl.google.com download URL and see where it was actually trying to connect.

Looking back now, I can say with confidence: the resolved IP belonged to Google’s overseas CDN, not a domestic or domestically reachable data center.

For those unfamiliar: when resolving dl.google.com for users in mainland China, DNS often returns domestically reachable IPs (otherwise direct downloads wouldn’t work at all).
The overseas IP returned here was unreachable on my connection. Combined with the fact that I had configured dl.google.com as DIRECT, the result was:

DNS returned an “overseas IP”

• Rules enforced DIRECT = Direct connection to an unreachable destination = TLS handshake failure

So this wasn’t a case of “the direct rule didn’t work”. It was more like:
the rule worked perfectly, but DNS led me straight into a ditch.

Who Is Answering for dl.google.com?

In the Mihomo core, the main DNS-related configuration options are:

1. nameserver: default resolvers (most domains use these)
2. direct-nameserver: resolvers for DIRECT domains (only available in newer versions)
3. proxy-server-nameserver: resolvers for proxy node hostnames (irrelevant here)
4. default-nameserver: used to resolve “domain-form” nameservers in the DNS config itself (not expanded here)

Since dl.google.com was marked as a DIRECT domain, Mihomo should theoretically prefer direct-nameserver. If that isn’t set, it falls back to nameserver.

At the time, my nameserver configuration was:

• https://dns.alidns.com/dns-query

My intuition was simple: if the resolution looked like it came from an overseas CDN pool, I should verify whether AliDNS (DoH) itself was returning that overseas IP.

Querying AliDNS DoH Directly — Overseas Pool Confirmed

AliDNS provides a JSON-based query interface, so I tested it directly with curl:

curl -s 'https://dns.alidns.com/resolve?name=dl.google.com&type=A'

The returned IP was exactly the overseas one I’d seen earlier. At this point, I could confidently conclude:

At least on my current network exit, AliDNS resolves dl.google.com to an overseas IP that is unreachable for me.

This Requires Two Conditions (Both Are Necessary)

It’s important to emphasize something here: this is not simply “AliDNS always resolves it wrong”. After running a bunch of comparisons, I found the conditions to be surprisingly strict:

The issue reliably reproduces only when both “China Mobile broadband” and “AliDNS (including 223.5.5.5 or AliDNS DoH)” are used together.
Remove either condition, and the problem usually disappears.

More specifically:

• Switch to China Telecom or China Unicom broadband: with the same AliDNS, dl.google.com usually resolves correctly
• Stay on China Mobile broadband, but don’t use AliDNS: resolution is usually fine
• China Mobile broadband + AliDNS: high probability of getting an overseas IP pool, and DIRECT connections fail

I also ran nationwide resolution tests on itdog, and the reproduction rate was indeed much higher on China Mobile networks.

Why does this happen? Honestly, I can’t provide a single authoritative explanation. What I can say is that the behavior is extremely consistent, and consistent enough for me to conclude:

The problem isn’t TUN itself — it’s that, under TUN, my DNS choice sent dl.google.com to an address pool that’s unreachable on China Mobile.

How Did I Finally Fix It?

Since the issue was the combination of China Mobile + AliDNS, the solution was straightforward:

Stop letting dl.google.com be resolved by AliDNS.

You can do this by configuring direct-nameserver, using nameserver-policy, switching to another public DNS like 119.29.29.29, or even delegating DNS resolution to your home router.

direct-nameserver:
  - 192.168.8.1

nameserver-policy:
  "dl.google.com": [119.29.29.29]

After this change, yay updates worked normally again, and browsers could directly access dl.google.com without issues.

References

• Minimal anti–DNS-leak configuration for the mihomo core (2025) – Development & Tuning – LINUX DO

First, Let's Look at the Results

Analysis

Testing Approach

Both images show test results from my blog on PageSpeed Insights. The testing steps were:

1. Deploy
2. Run the first test on PageSpeed Insights
3. Wait 120 seconds to prevent PageSpeed Insights from using cached results
4. Run the second test and use those results

The purpose of using the second test results is to ensure that the Vercel CDN node accessed by PageSpeed Insights has completed fetching from origin and cached the content on the CDN node. This way, the second access retrieves results directly from the CDN cache without needing to fetch from origin.

Looking at the test results in Figure 1, does it seem normal? The loading time for a single HTML page reached 450ms. While this doesn't look terribly slow, there's actually a problem when you examine it closely.

Vercel uses Amazon's global CDN network. After our first visit, the CDN node should have already cached the homepage content, so the second visit should retrieve content directly from the CDN node's cache.

What Would Be a Reasonable Duration?

• TCP connection establishment requires 1.5 round-trip times (RTT) for the three-way handshake, plus 1 RTT for TLS 1.3 handshake, totaling 2.5 RTT.
• The HTML file size is 18KB. The initial congestion window (IW) of 10 MSS ≈ 1460 bytes ≈ 14.6KB means it should theoretically be transmitted within two RTTs.

Total: 4.5 RTT.

PageSpeed Insights likely uses a node in the United States for testing. Amazon CDN has extensive coverage in the US, so keeping a single RTT under 5ms is more than adequate. Therefore, the theoretical loading time should be around 22.5ms. Adding DNS resolution time (which shouldn't be much since there was an access two minutes prior, so this isn't a cold start) and some uncontrollable network jitter, it should be completely fine to stay within 50ms.

But the actual measured time was 450ms, nearly 9 times higher—this is very unreasonable.

Now let's look at Figure 2's results. The single HTML loading time dropped to 41ms, which completely meets expectations.

Why is there such a huge difference? The reason lies in Vercel's cache control settings.

Vercel's Cache Control

For websites deployed on Vercel, by default, Vercel sets the following cache control header for HTML files:

cache-control: public, max-age=0, must-revalidate

This setting means:

• public: The response can be cached by any cache, including browsers and CDNs.
• max-age=0: The maximum cache time for the response is 0 seconds, meaning the response expires immediately after being cached.
• must-revalidate: Once the response expires, the cache must validate its validity with the origin server.

Combined, these three directives mean Vercel is essentially telling CDN nodes: you can cache this HTML file, but you must validate its validity with the origin server before using the cache each time. Since max-age=0, the cache expires immediately upon storage, so every request triggers origin validation.

Although cache validation in HTTP/1.1 and HTTP/2 typically uses conditional requests (such as the file's ETag or Last-Modified headers) to save transmission bandwidth, this still requires round-trip communication with the origin server, adding extra latency overhead.

Therefore, under Vercel's default configuration, responses to any request won't be directly cached by CDN nodes. The general flow is as follows:

sequenceDiagram
    participant Client
    participant CDN
    participant Vercel
    Client->>CDN: Request HTML file
    CDN->>Vercel: Conditional request to validate cache
    Vercel->>CDN: Return latest HTML file or 304 Not Modified
    CDN->>Client: Return HTML file

Solution

To solve this problem, we need to adjust Vercel's cache control settings so that HTML files can be cached by CDN nodes for a period of time without needing origin validation every time.

Vercel allows us to create a vercel.json file in the project's root directory to configure various aspects of Vercel's deployment behavior, including HTTP response header configuration.

My blog is built with the Nuxt.js framework, and the generated build artifacts roughly fall into two categories:

1. HTML files: These files' content may change frequently and shouldn't have excessively long cache times;
2. Static resource files: Including JavaScript, CSS, etc. These files typically have hash values in their filenames and can have longer cache times or even be marked as immutable.

In terms of deployment workflow, my blog is first built into static pages in GitHub Actions after each push, then deployed to Vercel. So I created a vercel.json file in my project's public directory (this way the vercel.json file will be in the root of the build artifacts) with the following content:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Cache-Control",
          "value": "public, max-age=0, s-maxage=600, must-revalidate"
        }
      ]
    },
    {
      "source": "/(.*)\\.(css|js)",
      "headers": [
        {
          "key": "Cache-Control",
          "value": "public, max-age=31536000, immutable"
        }
      ]
    }
  ]
}

Here I set max-age=31536000, immutable for all CSS and JS files, so these static resource files can be cached long-term by browsers and CDNs. For all other files (mainly HTML files), I set max-age=0, s-maxage=600, must-revalidate, so HTML files can be cached by the CDN for 10 minutes. Requests within these 10 minutes can retrieve content directly from the CDN node's cache without needing origin validation.

With this modified cache control setting, the request flow for HTML files becomes:

sequenceDiagram
    participant Client
    participant CDN
    Client->>CDN: Request HTML file
    CDN->>Client: Directly return cached HTML file

This greatly reduces request latency and improves page loading speed.

Other Considerations

Vercel's architecture isn't the traditional "origin server - CDN" architecture, but rather closer to a "global multi-region storage + CDN edge cache" architecture. So even for origin requests, Vercel will try to retrieve content from the storage node closest to the user to reduce latency. However, this doesn't mean origin request latency can be ignored, especially when pursuing optimal loading speed—proper cache control remains very important.

References

• Cache-Control headers | Vercel
• Vercel CDN Cache | Vercel
• HTTP caching - HTTP | MDN

On one of my VPS servers with optimized routing, port 443 needs to serve two distinct purposes:

1. Hosting my blog for visitors from mainland China, handling HTTPS encryption/decryption and serving static content
2. Disguising certain special-purpose traffic to mimic HTTPS traffic from well-known, commonly-allowed websites (yes, I'm talking about Reality)

This meant I needed a solution to handle both roles simultaneously on the same port of the same server.

Choosing the Solution

I've long been aware that Nginx's stream directive can achieve Layer 4 (raw TCP stream forwarding) traffic splitting based on SNI recognition. However, as a devoted Caddy user who has written numerous Caddy-related posts, I still prefer Caddy despite Nginx's recent ACME v2 support. The simplicity and usability of Caddyfile keep me coming back.

After some research, I discovered that while the latest Caddy version (v2.10) doesn't natively support Layer 4 traffic proxying, there's a community module called caddy-l4 that provides exactly this functionality. With 1.5k stars on GitHub and active maintenance, it seemed worth trying.

Installation

Although the official Caddy APT repository doesn't include the caddy-l4 module, I recommend first installing the base Caddy version through APT, then using Caddy's official download page to build a custom binary with the modules you need. Download it and replace the system Caddy executable. This approach makes systemd service configuration much easier. Just remember to disable the Caddy APT repository to prevent automatic updates from overwriting your custom build.

For future updates, you can simply run:

caddy upgrade

Caddy will automatically detect the modules included in your current binary, trigger an online build from the official website to generate a new binary with those modules, and perform the replacement. You just need to manually restart the systemd service to complete the update.

If Caddy's online build service fails (it's been somewhat unstable lately), you can follow the documentation to compile Caddy locally using xcaddy:

xcaddy build --with github.com/mholt/caddy-l4

Configuration

Here's my original Caddyfile configuration for the blog:

zhul.in {
    root * /var/www/zhul.in

    encode zstd gzip
    file_server

    handle_errors {
            rewrite * /404.html
            file_server
    }
}

www.zhul.in {
    redir https://zhul.in{uri}
}

Since both zhul.in and www.zhul.in were using ports 80 and 443, I needed to move the HTTPS listeners to a different port and let caddy-l4 handle port 443.

Here's the modified Caddyfile:

http://zhul.in:80, https://zhul.in:8443 {
    root * /var/www/zhul.in

    encode zstd gzip
    file_server

    handle_errors {
            rewrite * /404.html
            file_server
    }
}

http://www.zhul.in:80, https://www.zhul.in:8443 {
    redir https://zhul.in{uri}
}

Next, I added the caddy-l4 configuration:

{
    layer4 {
        :443 {
            @zhulin tls sni zhul.in www.zhul.in
            route @zhulin {
                proxy 127.0.0.1:8443
            }

            @proxy tls sni osxapps.itunes.apple.com
            route @proxy {
                proxy 127.0.0.1:20443
            }
        }
    }
}

The syntax is quite straightforward. First, listen on port 443 within the layer4 block. Then define SNI-based matching rules using @name tls sni domain. Finally, use route @name to specify how to handle traffic matching each rule—here I'm using proxy ip:port to forward the traffic.

Since my special traffic masquerades as Apple iTunes traffic, the SNI signature in the configuration is osxapps.itunes.apple.com. This traffic gets forwarded to local port 20443, where another service handles it.

caddy-l4 offers various other matching methods and routing handlers. Check out their examples on GitHub for more details.

Once configured, restart the Caddy service:

sudo systemctl restart caddy

See Also

• mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy
• Build from source — Caddy Documentation

For most webmasters, site traffic doesn't increase overnight, so our visitors will likely need to go through the complete DNS resolution process. In the previous post, I discussed switching to authoritative DNS servers that are physically closer to visitors to improve speed, but TLD (Top-Level Domain) Nameservers are beyond our control — specifically, the portion highlighted in red in the diagram below.

sequenceDiagram
    autonumber
    participant User as User/Browser
    participant Local as Local DNS<br>Recursive Resolver
    participant Root as Root Nameserver
    participant TLD as TLD Server
    participant Auth as Authoritative DNS Server

    Note over User,Auth: Complete DNS Recursive Query Process

    User->>Local: Query domain www.example.com
    Note over Local: Check cache (MISS)

    Local->>Root: Query .com TLD server
    Root-->>Local: Return .com TLD server address

    %% --- Highlighted section begins ---
    rect rgb(255, 235, 235)
        Note right of Local: ⚠️ Core focus of this article <br> (TLD resolution latency)
        Local->>TLD: Query authoritative server for example.com

        Note left of TLD: Physical distance and Anycast capability<br>determine whether hundreds of ms delay exists

        TLD-->>Local: Return authoritative server address for example.com
    end
    %% --- Highlighted section ends ---

    Local->>Auth: Query A record for www.example.com
    Auth-->>Local: Return IP address (e.g., 1.1.1.1)

    Note over Local: Cache result (TTL)

    Local-->>User: Return final IP address

    User->>Auth: Establish TCP connection / HTTP request

So, if you haven't purchased a domain yet but want to pursue the ultimate first-screen loading time like a true geek (even if you don't have many visitors), which TLD should you choose?

Simple Test

A simple method is to directly ping the TLD's nameserver to see how long it takes for the public DNS server requested by visitors to complete this segment of resolution.

Taking my domain zhul.in as an example, on Linux, you can use the dig command to obtain the Nameservers for the in TLD:

dig NS in.

Then you can pick any Nameserver (public DNS servers actually have a selection strategy based on historical performance) and directly ping that domain:

My network environment here is Hangzhou Mobile. If I run a DNS recursive server on my local network, this result represents the minimum time required for the red portion in the sequence diagram above (the DNS server needs additional time to process the request).

Using multi-location ping latency tests provided by some websites, we can infer in which countries or regions this TLD has deployed Anycast nodes. Below is the result provided by iplark.com.

We can infer that the .in TLD Nameserver has deployed Anycast nodes in at least Japan, Hong Kong, USA, Canada, Europe, Australia, Brazil, India, South Africa, and other locations, while latency within mainland China is relatively high.

As a comparison, we can use the same method to examine the Anycast nodes for the .cn domain's TLD Nameserver.

According to tests by itdog.cn, the .cn domain's TLD Nameserver may only have nodes in Beijing.

A More Advanced Testing Approach

The above testing method is only a simple judgment method. In reality, many external factors affect DNS cold start resolution time:

• Peering exists between public DNS servers and TLD Nameservers, making their communication very fast
• The TLD Nameserver has poor performance, requiring an additional tens of milliseconds to process your request
• Among the TLD's several Nameservers, some are faster than others, and the public DNS server you use can select the faster one based on historical data
• ...

Therefore, we need a testing approach based on actual DNS resolution requests.

Testing DNS cold start has always faced a dilemma — we don't manage public DNS servers and cannot log in to manually clear their cache, so only the first test result may be valid, with subsequent requests hitting the cache. However, this time we're testing the latency between the public DNS server and the TLD Nameserver. With Gemini's reminder, I realized we could test the resolution time for random, non-existent domains across different regions using public DNS, which can reflect differences between various TLDs.

So, the test code is below. You can use bash on common Linux systems to execute this code. Ensure you have the dig and shasum commands installed, and I recommend using tools like screen/tmux to run it in the background, as the entire testing process may last over ten minutes. If your network environment is within mainland China, I suggest changing the public DNS server in the code to 223.5.5.5 / 119.29.29.29, which should better match the usage environment of domestic visitors.

#!/bin/bash

# ================= Configuration Section =================
# CSV filename
OUTPUT_FILE="dns_benchmark_results.csv"

# DNS server
DNS_SERVER="8.8.8.8"

# List of TLDs to test
# Includes: global generic (com), country code (cn, de), popular tech (io, xyz), and potentially slower suffixes
TLDS_TO_TEST=("com" "net" "org" "cn" "in" "de" "cc" "site" "ai" "io" "xyz" "top")

# Number of tests per TLD
SAMPLES=1000

# Interval between queries (seconds), to prevent being flagged as attack by DNS server
# 1000 times * 0.1s = 100s/TLD, total time approximately 15-20 minutes
SLEEP_INTERVAL=0.1
# ===========================================

# Initialize CSV file header
echo "TLD,Domain,QueryTime_ms,Status,Timestamp" > "$OUTPUT_FILE"

echo "============================================="
echo "   DNS TLD Latency Benchmark Tool"
echo "   Target DNS: $DNS_SERVER"
echo "   Samples per TLD: $SAMPLES"
echo "   Output File: $OUTPUT_FILE"
echo "============================================="
echo ""

# Define progress bar function
function show_progress {
    # Parameters: $1=current progress, $2=total, $3=current TLD, $4=current average time
    let _progress=(${1}*100/${2})
    let _done=(${_progress}*4)/10
    let _left=40-$_done

    # Build fill strings
    _fill=$(printf "%${_done}s")
    _empty=$(printf "%${_left}s")

    # \r returns cursor to beginning of line for refresh effect
    printf "\rProgress [${_fill// /#}${_empty// /-}] ${_progress}%% - Testing .${3} (Avg: ${4}ms) "
}

# Main loop
for tld in "${TLDS_TO_TEST[@]}"; do
    # Initialize statistics variables
    total_time_accum=0
    valid_count=0

    for (( i=1; i<=${SAMPLES}; i++ )); do
        # 1. Generate random domain (prevent cache hits)
        # Use date +%N (nanoseconds) for sufficient randomness, compatible with Linux/macOS
        RAND_PART=$(date +%s%N | shasum | head -c 10)
        DOMAIN="test-${RAND_PART}.${tld}"
        TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")

        # 2. Execute query
        # +tries=1 +time=2: try once, timeout 2 seconds, avoid script hanging
        result=$(dig @${DNS_SERVER} ${DOMAIN} A +noall +stats +time=2 +tries=1)

        # Extract time (Query time: 12 msec)
        query_time=$(echo "$result" | grep "Query time" | awk '{print $4}')
        # Extract status (status: NXDOMAIN, NOERROR, etc.)
        status=$(echo "$result" | grep "status:" | awk '{print $6}' | tr -d ',')

        # 3. Data cleaning and recording
        if [[ -n "$query_time" && "$query_time" =~ ^[0-9]+$ ]]; then
            # Write to CSV
            echo "${tld},${DOMAIN},${query_time},${status},${TIMESTAMP}" >> "$OUTPUT_FILE"

            # Update statistics
            total_time_accum=$((total_time_accum + query_time))
            valid_count=$((valid_count + 1))
            current_avg=$((total_time_accum / valid_count))
        else
            # Record failure/timeout
            echo "${tld},${DOMAIN},-1,TIMEOUT,${TIMESTAMP}" >> "$OUTPUT_FILE"
            current_avg="N/A"
        fi

        # 4. Display progress bar
        show_progress $i $SAMPLES $tld $current_avg

        sleep $SLEEP_INTERVAL
    done

    # New line after each TLD completes
    echo ""
    echo "✅ Completed .${tld} | Final Avg: ${current_avg} ms"
    echo "---------------------------------------------"
done

echo "🎉 All Done! Results saved to $OUTPUT_FILE"

Test Results

Disclaimer: The following test results are for reference only, do not constitute any purchase recommendations, and only represent network conditions as of the test date (November 24, 2025), with no follow-up updates planned. DNS cold start has almost no impact on large sites; only small sites need to be concerned. In this test, all testing points within China used 223.5.5.5 as the DNS server, while overseas testing points used 8.8.8.8.

From the data above, we can see that .cn and .top are the fastest domain suffixes for resolution within mainland China among all tested options, but choosing .cn and .top means sacrificing resolution speed for visitors in other regions. Generic domain suffixes like .com, .net, and .org perform well in most regions globally, but their resolution speed within mainland China is relatively slow because they haven't deployed Anycast nodes on the mainland. In DNS cold start scenarios (if your site has few visitors, almost every visit is a cold start), the first screen loading time can increase by 500ms or more.

As reminded by Showfom, a V2EX user (Showfom ), GoDaddy, acting as a registry operator, hosts Anycast nodes within mainland China for the nameservers of certain TLDs under its management—such as .one, .tv and .moe. Additionally, based on my own testing, the .you domain, operated by Amazon Registry Services, also has Anycast nodes within mainland China. You may verify this independently.

You can click here to download the complete test results CSV file for further analysis.

The Myth's Metaphor: The Long Journey of DNS Resolution

To understand the weight of this "stone," we must review the complete path of DNS resolution. This isn't a simple lookup, but a global relay race:

1. Starting Point: Public DNS Server — A user sends a request, and the public DNS server tries to find the answer in its cache.
2. The First "Push": Root Servers — Cache Miss. The public DNS server is directed to one of the 13 root server groups worldwide.
3. The Second Leg: TLD Servers — The root server points to the Top-Level Domain (TLD) server for the specific suffix (like .com).
4. The Third Leg: Authoritative Servers — The TLD server points to the domain's final "steward"—the Authoritative DNS Server.
5. The Finish Line: The authoritative server returns the final IP address, which is then returned to the user by the public DNS server.

sequenceDiagram
    participant User as User/Browser
    participant Local as Local DNS<br>Recursive Resolver
    participant Root as Root Server
    participant TLD as TLD Server<br>(.com, .org, etc.)
    participant Auth as Authoritative DNS Server

    Note over User,Auth: Full DNS Recursive Query Flow

    User->>Local: 1. Query domain<br>[www.example.com](https://www.example.com)
    Note over Local: Check cache<br>Record not found

    Local->>Root: 2. Query for .com TLD server
    Root-->>Local: 3. Return .com TLD server address

    Local->>TLD: 4. Query for example.com authoritative server
    TLD-->>Local: 5. Return example.com authoritative server address

    Local->>Auth: 6. Query for [www.example.com](https://www.example.com) A record
    Auth-->>Local: 7. Return IP address (e.g., 1.1.1.1)

    Note over Local: Cache result<br>(based on TTL)

    Local-->>User: 8. Return final IP address

    Note over User,Auth: Subsequent process
    User->>Auth: 9. Establish TCP connection with IP<br>Start HTTP request

For a first-time or long-unvisited request, this process means at least 4 network round-trips (RTT), and even more in cases involving CNAMEs. For large websites with perfect caching, this stone may have already been pushed to the hilltop by someone else. But for a small site, it is always at the foot of the hill, waiting for its Sisyphus.

A Multiverse: The Mirror Maze of Anycast

"Since the cost of a DNS cold start is so high, can I use a script to periodically visit my own site to 'warm up' the public DNS cache in advance?" — This was a solution I once envisioned.

However, this idea is often futile under the Anycast architecture of the modern internet.

The core concept of Anycast is: the same IP address exists at multiple global nodes simultaneously, and user requests are routed to the "closest" or "most optimal network path" node.

This means that public DNS servers like Google DNS (8.8.8.8), Cloudflare DNS (1.1.1.1), AliDNS (223.5.5.5), and Tencent DNS (119.29.29.29) are not backed by a single, centralized server, but a cluster of nodes distributed worldwide, routed dynamically.

Thus, the problem arises:

• The pre-warming script I run in Shanghai might hit the Shanghai node of 223.5.5.5;
• But a visitor from Beijing will be routed to the Beijing node of 223.5.5.5;
• The caches of these two nodes are independent and not shared with each other.

From a webmaster's perspective, the DNS cache is no longer a predictable entity but has splintered into a "mirror maze" of geographically isolated, ever-changing fragments.

Each visitor is at the base of a different hill, pushing their own stone, as if there are thousands of Sisyphuses in the world, walking their own paths alone.

Uncontrollable Caching and the "Normalization" of Cold Starts

This also explains why even if a small site is visited regularly by a script, real visitors might still experience significant DNS latency. Because "pre-warming" is only locally effective—it warms the cache of one Anycast node, not the entire network. And when the TTL expires or the cache is cleared by the public DNS server's algorithm (like LRU), this warmth quietly dissipates.

From a macro perspective, this traps "low-traffic sites" in a kind of fatalistic loop:

1. Due to low traffic, cache hits are rare;
2. Due to cache misses, resolution time is high;
3. Due to high resolution time, first-paint performance is poor, and users visit less;
4. Due to fewer user visits, the cache is even harder to hit.

The cold start is no longer an occasional "accident," but a passive "new normal."

Can We Make the Stone Lighter? — Strategies to Mitigate Cold Start Impact

The predicament of Sisyphus seems unsolvable, but we are not entirely powerless. While we cannot completely eliminate the DNS cold start, we can significantly reduce the weight of this stone through a series of strategies and shorten the time it takes to be pushed back up the hill after each time it rolls down.

The Art of the Trade-off: Adjusting DNS TTL (Time-To-Live)

TTL (Time-To-Live) is a critical value in a DNS record. It tells recursive resolvers (like public DNS, local caches) how long they can cache a record, although they might still be evicted by an LRU algorithm.

Lengthening the TTL can effectively increase the cache hit rate, reduce DNS cold starts, and keep Sisyphus's stone at the top of the hill for as long as possible.

But lengthening the TTL comes at the cost of flexibility: if you need to change the IP address for your domain for any reason, an overly long TTL might cause visitors to retrieve a stale IP address for a long time.

Choosing a Faster "Messenger": Using the Right Authoritative DNS Server

The "last mile" of DNS resolution—the time it takes to get from the public DNS server to your authoritative DNS server—is equally critical. If the Nameserver service your domain uses responds slowly, has few global nodes, or is too far from the public DNS server the visitor is querying, then the entire resolution chain will still be slowed down by this final link, even if the user's public DNS node is nearby.

If I were writing this blog post in English, I would just say to switch your Nameserver to a top-tier provider like Cloudflare or Google, and be done with it. These large companies offer free authoritative DNS hosting, have numerous nodes around the world, and are very professional and trustworthy in this regard.

But I am currently using Simplified Chinese. According to my blog's statistics, most of my readers are from mainland China, and the public DNS servers they query are most likely also deployed in mainland China. Whereas Cloudflare/Google Cloud DNS have no authoritative DNS server nodes in mainland China, which will slow things down. So if your visitors are primarily from mainland China, you might want to try AliYun (Alibaba Cloud) or Dnspod. Their main authoritative DNS server nodes are within mainland China, which, in theory, can reduce the communication time between the public DNS server and the authoritative DNS server.

Conclusion: The Stone Pusher

There has never been a perfect solution to the problem of DNS cold starts. It's like a fated "poetry of latency" within the internet's architecture—each visitor starts from their own network topology, pushing their own stone step-by-step along an invisible path, until they reach the summit of your server, in exchange for the first pixel lighting up on their screen.

For small sites, this may be the weight of destiny; but to understand it, optimize it, and monitor it, is how we, on this long uphill road, polish the stone's edges to make them smoother.

See Also

• Performance Benefits | Public DNS | Google for Developers
• How do DNS queries affect website latency? - falconcloud.ae

Why HTTP/2 Server Push Could Improve First-Screen Loading Speed

As shown in the diagram below, in traditional HTTP/1.1, the browser first downloads index.html and completes the initial parsing, then retrieves the URLs for CSS/JS resources from the parsed data before making a second round of requests. After establishing TCP/TLS connections, it requires at least two RTTs to retrieve all the resources needed to fully render the page.

sequenceDiagram
    participant Browser
    participant Server

    Browser->>Server: GET /index.html
    Server-->>Browser: 200 OK + HTML
    Browser->>Server: GET /style.css
    Browser->>Server: GET /app.js
    Server-->>Browser: 200 OK + CSS
    Server-->>Browser: 200 OK + JS

    Note over Browser: Browser must wait for HTML to download<br/>and parse before making subsequent requests,<br/>increasing round-trip latency (RTT)

In HTTP/2's vision, the process would look like the diagram below. When the browser requests index.html, the server can simultaneously push CSS/JS resources to the client. This way, after establishing the TCP/TLS connection, it only needs one RTT to retrieve all resources needed for page rendering.

sequenceDiagram
    participant Browser
    participant Server

    Browser->>Server: GET /index.html
    Server-->>Browser: 200 OK + HTML
    Server-->>Browser: PUSH_PROMISE /style.css
    Server-->>Browser: PUSH_PROMISE /app.js
    Server-->>Browser: (Push) style.css + app.js content

    Note over Browser: Browser receives proactive resource push<br/>Reduces request rounds and first-screen latency

To minimize subsequent requests in HTTP/1.1, front-end developers have tried numerous optimization techniques. As Sukka mentioned in "Static Resource Delivery Optimization: HTTP/2 and Server Push":

The concepts of critical resources, critical rendering path, and critical request chain have existed for a long time. Asynchronous resource loading is old news: lazy-loading images, videos, iframes, and even lazy-loading CSS, JS, DOM, and lazy execution of functions. However, the approach to critical resource delivery hasn't changed much.

HTTP/2 Server Push created a new resource delivery paradigm. CSS/JS and other resources don't need to be delivered along with HTML to reach the client within one RTT, and these resources can be cached by the browser without being constrained by HTML's shorter TTL.

Initial Solution

Having understood the advantages of HTTP/2 server push, I prepared to implement the optimization. My blog is purely static, using DNS for traffic splitting between domestic and international visitors: domestic traffic accesses a DMIT VPS with cmin2/9929 network optimization, served through Caddy; international traffic goes directly to Vercel, leveraging Amazon's CDN for global edge acceleration. The network architecture looks roughly like this:

graph TD
    A[Blog Visitors] --> B[Initiate DNS Resolution]
    B --> C[DNSPod Service]
    C -->|Domestic Visitors: Smart Routing| D[Network-Optimized VPS]
    C -->|International Visitors: Smart Routing| E[Vercel Platform]
    D --> F[Caddy]
    F --> G[Return Blog Content to Domestic Visitors]
    E --> H[Return Blog Content to International Visitors]

Caddy can implement HTTP/2 server push through the http.handlers.push module. We can write simple push logic in the Caddyfile—no problem there. However, Vercel doesn't provide configuration options for HTTP/2 server push. Fortunately, since I have a static blog with low platform dependency, I considered migrating to Cloudflare Workers, which developers implemented five years ago.

Client Support Status

Historically, mainstream browser engines (Chrome/Chromium, Firefox, Edge, Safari) widely supported server push technology.

In November 2020, Google announced plans to remove server push functionality from Chrome's HTTP/2 and gQUIC (which later evolved into HTTP/3) implementations.

In October 2022, Google announced plans to remove server push from Chrome, citing poor real-world performance, low adoption rates, and better alternatives. Chrome 106 became the first version to disable server push by default.

On October 29, 2024, Mozilla released Firefox 132, removing support for HTTP/2 server push due to "compatibility issues with multiple websites."

With this, mainstream browser support for HTTP/2 Server Push has completely ended. From initially being viewed as an innovative feature to "reduce round-trip latency and optimize first-screen loading," to its eventual complete deprecation, HTTP/2 push's lifecycle lasted only a few short years, becoming an important experiment in web performance optimization history.

Alternative Solutions

1. HTTP 103 Early Hints

103 Early Hints is the most direct "successor" to server push. It's an informational HTTP status code that allows the server to send an "early hint" response with Link headers before generating the complete HTML response (e.g., status code 200 OK).

This Link header can tell the browser: "Hey, I'm still preparing the main course (HTML), but you can start preparing the side dishes (CSS, JS) first." This way, the browser can utilize the server's "thinking time" to preemptively download critical resources or warm up connections to required origins, significantly reducing first-screen rendering time.

Compared to server push:

• Decision authority lies with the client: Early Hints are just "hints." The browser can decide whether to adopt them based on its own cache status, network conditions, and other factors. This solves server push's biggest pain point—servers cannot know about client caches, leading to redundant resource pushes.
• Better compatibility: It's a lighter mechanism that's easier for intermediary proxy servers to understand and relay.

103 Early Hints is very meaningful for dynamic blogs. Before backend computation, the 103 response can inform the browser about needed resources, allowing the browser to retrieve other resources first while waiting for the backend to return the final HTML. However, for static blogs like mine where everything is pre-built, it has absolutely no meaning. The gateway has enough time to send the 103 response that it could just directly send the HTML instead.

2. Resource Hints: Preload & Prefetch

Even before server push was deprecated, resource hints implemented through <link> tags were already common tools for front-end performance optimization. They declare resource loading hints in HTML, with the browser leading the entire process.

• <link rel="preload">: Tells the browser about resources that the current page will definitely use, requesting immediate high-priority loading without execution. For example, font files hidden deep in CSS or first-screen images dynamically loaded by JS. Through preload, you can ensure these critical resources are discovered and downloaded early, avoiding render blocking.
• <link rel="prefetch">: Tells the browser about pages or resources the user might access in the future, requesting low-priority background downloads during browser idle time. For example, prefetching article page resources that users are most likely to click on the article list page, achieving near-"instant" navigation experience.

Preload and Prefetch completely hand over resource loading control to developers and browsers. Through declarative methods, they allow fine-grained management of resource loading priority and timing. They are currently the most mature and widely applied resource preloading solutions, but still cannot escape the curse of 2 RTTs.

Epilogue: An Elegy for an Idealist

In the end, I couldn't configure HTTP/2 server push for my blog.

HTTP/2 Server Push has effectively "died." I miss it.

In an ideal model, when the browser requests HTML, the server conveniently pushes the CSS and JS needed for rendering along with it, cleanly compressing what would originally be at least two round trips (RTT) into one. This is such a direct, such an elegant solution—almost the "silver bullet" that front-end engineers dream of when facing first-screen rendering latency issues. Behind it lies an ambitious spirit: attempting to thoroughly solve the "critical request chain" latency problem from the server side, once and for all.

But the Web world is ultimately not an ideal laboratory. It's full of caches, returning users, and all kinds of network environments.

The greatest charm of server push lies in its "proactivity," and its greatest regret also stems precisely from this "proactivity." It cannot know whether the browser's cache already quietly holds that style.css file it's preparing to enthusiastically push. For the sake of the ultimate experience for a small portion of first-time visitors, it might waste precious bandwidth for more returning users.

The Web's evolution ultimately chose a more prudent path with a more collaborative spirit. It returned decision-making authority to the browser, which knows the situation best. The entire interaction changed from the server's "I push to you" to the server's "I suggest you fetch," with the browser making its own judgment. This may not be romantic enough, not extreme enough, but it's more universal and more robust.

So, I still miss that ambitious Server Push. It represented a pure pursuit of ultimate performance, a beautiful technical idealism. Although it has quietly faded from the historical stage, the dream about "speed" it pointed toward has long been inherited by 103 Early Hints and preload in a more mature, more balanced way.

See Also

• Remove HTTP/2 Server Push from Chrome | Blog | Chrome for Developers
• HTTP/2 Server Push - Wikipedia
• 静态资源递送优化：HTTP/2 和 Server Push | Sukka's Blog
• Module http.handlers.push - Caddy Documentation
• How to Configure HTTP/2 Server Push on Cloudflare Workers Sites
• Intent to Remove: HTTP/2 and gQUIC server push

For example, here's the Front Matter of the blog post I'm currently writing:

---
title: Array Field Filtering Challenges in Nuxt Content v3
date: 2025-10-20 21:52:59
sticky:
tags:
- Nuxt
- Nuxt Content
- JavaScript
---

My goal was to create a Tag page that lists all articles containing a specific tag (e.g., 'Nuxt').

The Convenience of v2 and the Limitations of v3

In Nuxt Content v2, data was stored based on the file system, and the query approach abstracted file content with a syntax similar to MongoDB's JSON document queries. We could easily use the $contains method to retrieve all articles with the "Nuxt" tag:

const tag = decodeURIComponent(route.params.tag as string)

const articles = await queryContent('posts')
  .where({ tags: { $contains: tag } })  // ✅ MongoDB-style queries in v2
  .find()

However, when using Nuxt Content v3's queryCollection API, we naturally try to use the .where() method for filtering:

const tag = decodeURIComponent(route.params.tag as string)

const { data } = await useAsyncData(`tag-${tag}`, () =>
    queryCollection('posts')
        .where(tag, 'in', 'tags')  // ❌ This will error because the first parameter must be a field name
        .order('date', 'DESC')
        .select('title', 'date', 'path', 'tags')
        .all()
)

Unfortunately, this approach doesn't work. The .where() method signature requires the field name as the first parameter: where(field: keyof Collection | string, operator: SqlOperator, value?: unknown).

Since Nuxt Content v3 uses SQLite as its underlying local database, all queries must follow SQL-like syntax. If the design doesn't provide built-in operators for array fields (such as an SQL equivalent of $contains), the eventual solution often feels somewhat "awkward."

Initial Implementation: Sacrificing Performance with "Fetch All"

Following a "migrate quickly, optimize later" approach, I wrote the following code:

// Initial implementation: fetch all and filter with JS
const allPosts = (
    await useAsyncData(`tag-${route.params.tag}`, () =>
        queryCollection('posts')
            .order('date', 'DESC')
            .select('title', 'date', 'path', 'tags')
            .all()
    )
).data as Ref<Post[]>

const Posts = computed(() => {
    return allPosts.value.filter(post =>
        typeof post.tags?.map === 'function'
            ? post.tags?.includes(decodeURIComponent(route.params.tag as string))
            : false
    )
})

While this method met the requirements, it came with obvious performance costs: bloated _payload.json file sizes.

In Nuxt projects, _payload.json stores dynamic data such as useAsyncData results. With the fetch-all approach, every Tag page loads a _payload.json containing information for all articles, causing data redundancy. Many tag pages only need data for one or two articles but are forced to load information for all articles, severely impacting performance.

A Clever Solution: Leveraging SQLite's Storage Characteristics for Optimization

To reduce the query results returned by useAsyncData, I searched through Nuxt Content's GitHub Discussions and found a "clever" solution proposed during v3.alpha.8.

Since Nuxt Content v3 uses an SQLite database, the tags array originally defined in Front Matter (via z.array()) is ultimately stored as a JSON string in the database (you can view the exact format in the .nuxt/content/sql_dump.txt file).

This means we can leverage SQLite's string operation features by using the LIKE operator with wildcards to perform array containment filtering, essentially querying whether the JSON string contains a specific substring:

const tag = decodeURIComponent(route.params.tag as string)

const { data } = await useAsyncData(`tag-${route.params.tag}`, () =>
    queryCollection('posts')
        .where('tags', 'LIKE', `%"${tag}"%`)
        .order('date', 'DESC')
        .select('title', 'date', 'path', 'tags')
        .all()
)

Below are the file sizes after optimization and regeneration - the reduction is quite significant:

• Tags directory size: 2.9MiB → 1.4MiB
• Individual _payload.json size: 23.1KiB → 1.01 KiB

Through this method, we successfully pushed the query logic down to the database layer, avoided unnecessary full data transfers, significantly reduced the size of _payload.json in individual directories, and achieved performance optimization.

See Also

queryCollection - Nuxt Content

How do you query z.array() fields (e.g. tags) in the latest nuxt-content module (v3.alpha.8) · nuxt/content · Discussion #2955

In July 2024, Let's Encrypt published a blog post disclosing its plans to shut down its OCSP server.

In December of the same year, Let's Encrypt released a timeline for shutting down its OCSP server, with the following key dates:

• January 30, 2025 - Let's Encrypt will no longer accept new certificate issuance requests containing the OCSP Must-Staple extension, unless your account has previously requested such certificates
• May 7, 2025 - Newly issued certificates from Let's Encrypt will include CRL URLs but will no longer contain OCSP URLs, and all new certificate issuance requests with the OCSP Must-Staple extension will be rejected
• August 6, 2025 - Let's Encrypt will shut down its OCSP servers

Let's Encrypt is the world's largest free SSL certificate authority, and this move marks our gradual transition into the post-OCSP era.

OCSP's Dilemma: The Trade-off Between Performance and Privacy

Behind Let's Encrypt's decision lies long-accumulated dissatisfaction with OCSP (Online Certificate Status Protocol). OCSP, as a method for real-time certificate validity queries, had a beautiful initial vision: when a browser accesses a website, it can send a brief request to the CA's (Certificate Authority's) OCSP server, asking whether the certificate is still valid. This seemed much more efficient than downloading a massive CRL (Certificate Revocation List).

However, OCSP has exposed numerous flaws in practical application:

First is the performance issue. Although individual requests are small, when millions of users simultaneously access websites, OCSP servers must handle massive amounts of real-time queries. This not only creates enormous server pressure for CAs but also increases latency for users accessing websites. If OCSP servers respond slowly or even crash, browsers may interrupt connections due to inability to confirm certificate status, or have to "turn a blind eye" for the sake of user experience, both of which undermine OCSP's security.

More seriously is the privacy issue. Each OCSP query essentially reports the user's browsing behavior to the CA. This means the CA can know when a user accessed which website. While OCSP queries themselves don't contain personally identifiable information, by combining this information with data like IP addresses, CAs can completely build profiles of users' browsing habits. For privacy-conscious users and developers, this "silent surveillance" is unacceptable. Even if CAs intentionally don't retain this information, regional laws may force CAs to collect it.

Furthermore, OCSP has security flaws in its design. Due to concerns about connection timeouts affecting user experience, browsers typically default to a soft-fail mechanism: if they cannot connect to the OCSP server, they choose to allow rather than block the connection. Attackers can exploit this by blocking communication between the client and OCSP server, causing queries to always timeout, thus easily bypassing certificate status verification.

OCSP Stapling

Based on these flaws, we have the OCSP stapling solution, which I covered in last year's blog post, feel free to review.

OCSP Must-Staple

OCSP Must-Staple is an extension option when applying for SSL certificates. This extension tells the browser: if it recognizes this extension in the certificate, it must not send query requests to the certificate authority, but should obtain the stapled copy during the handshake phase. If a valid copy cannot be obtained, the browser should refuse the connection.

This feature gave browser developers the courage for hard-fail, but before OCSP faded from history, Let's Encrypt seemed to be the only mainstream CA supporting this extension, and this feature was not widely used.

I originally didn't want to introduce this feature (because literally no one used it), but considering this thing is about to be buried, let's erect a monument for it on the Chinese internet, for more information, refer to Let's Encrypt's blog.

Chromium's Solution: Taking Only a Ladle from Three Thousand Waters

OCSP's privacy and performance issues are no secret, and browser vendors have long begun their own explorations. In 2012, Chrome disabled CRLs and OCSP checks by default, turning to its own self-designed certificate verification mechanism.

It's well known that revocation lists can be extremely large. If browsers needed to download and parse a complete global revocation list, it would be a performance disaster (Mozilla's team mentioned in this year's blog that file sizes from downloading 3000 active CRLs would reach 300MB). Through analyzing historical data, the Chromium team discovered that most revoked certificates belong to a few high-risk categories, such as the certificate authority (CA) itself being compromised, or certificates from certain large websites being revoked. Based on this insight, CRLSets adopts the following strategy:

1. Tiered Revocation: Chromium doesn't download all revoked certificate information, but rather the Google team maintains a streamlined list containing the "most important" revocation information. This list is regularly updated and pushed to users through Chrome browser updates.
2. Streamlined Efficiency: This list is very small in size, currently about 600KB. It contains certificates that would cause large-scale security incidents if abused, such as CA intermediate certificates, or certificates from some well-known websites (like Google, Facebook).
3. Sacrificing Partial Security: The disadvantage of this approach is also obvious—it cannot cover all certificate revocation situations. For an ordinary website's revoked certificate, CRLSets likely cannot detect it. According to Mozilla's blog this year, CRLSets only contains 1%-2% of unexpired revoked certificate information.

While CRLSets is an "imperfect" solution, it has found a balance between performance and usability. It ensures basic security for users accessing mainstream websites while avoiding the performance and privacy overhead brought by OCSP. For Chromium, rather than pursuing an OCSP solution that's difficult to implement perfectly in reality, it's better to concentrate efforts on solving the most urgent security threats.

Firefox's Solution: From CRLs to CRLite

Unlike Chromium's "taking only a ladle" strategy, Firefox developers have been searching for a solution that can guarantee comprehensiveness while solving performance issues.

To solve this problem, Mozilla proposed an innovative solution: CRLite. CRLite's design philosophy is to use data structures like hash functions and Bloom filters to compress massive certificate revocation lists into a compact, downloadable, and easily locally verifiable format.

CRLite's working principle can be simply summarized as:

1. Data Compression: CAs periodically generate lists of all their revoked certificates.
2. Server Processing: Mozilla's servers collect these lists and use techniques like cryptographic hash functions and Bloom filters to encode all revoked certificate information into a very compact data structure.
3. Client Verification: The browser downloads this compressed file, and when accessing a website, it only needs to perform hash calculations on the certificate locally, then query this local file to quickly determine whether the certificate has been revoked.

Compared to CRLSets, CRLite's advantage is that it can achieve comprehensive coverage of all revoked certificates while maintaining an extremely small size. More importantly, it completes verification entirely locally, which means the browser doesn't need to send requests to any third-party servers, thus completely solving OCSP's privacy problem.

Firefox's current strategy performs incremental updates to CRLite data every 12 hours, with daily downloads of approximately 300KB; it performs a full snapshot sync every 45 days, with downloads of approximately 4MB.

Mozilla has opened their data dashboard, where you can find recent CRLite data sizes: https://yardstick.mozilla.org/dashboard/snapshot/c1WZrxGkNxdm9oZp7xVvGUEFJCELfApN

Starting with Firefox Desktop version 137 released on April 1, 2025, Firefox began gradually replacing OCSP validation with CRLite; on August 19 of the same year, Firefox Desktop 142 officially deprecated OCSP verification for DV certificates.

CRLite has become the core solution for Firefox's future certificate revocation verification, representing a comprehensive pursuit of performance, privacy, and security.

Outlook for the Post-OCSP Era

With major CAs like Let's Encrypt shutting down OCSP services, the OCSP era is rapidly drawing to a close. We can see that browser vendors have already begun exploring more efficient and secure alternative solutions.

• Chromium, with its CRLSets solution, has achieved a pragmatic balance between performance and critical security guarantees.
• Firefox, through the technological innovation of CRLite, attempts to find the optimal solution among comprehensiveness, privacy, and performance.

What these solutions have in common is: transforming certificate revocation verification from real-time online queries (OCSP) to localized verification, thereby avoiding OCSP's inherent performance bottlenecks and privacy risks.

In the future, the certificate revocation ecosystem will no longer rely on a single, centralized OCSP server. Instead, a more diverse, distributed, and intelligent new era is arriving. OCSP as a technology may gradually be phased out, but the core security problem of "certificate revocation" that it attempted to solve will forever remain a focus of browsers and the network security community.

See Also

• CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox - Mozilla Hacks - the Web developer blog
• The Slow Death of OCSP | Feisty Duck
• mozilla/crlite: Compact certificate revocation lists for the WebPKI
• OCSP Service Has Reached End of Life - Let's Encrypt
• Ending OCSP Support in 2025 - Let's Encrypt
• Intent to End OCSP Service - Let's Encrypt
• CRLSets - The Chromium Projects
• Google Chrome Will No Longer Check for Revoked SSL Certificates Online | PCWorld
• Chrome does certificate revocation better | ZDNET
• 主流客户端/浏览器证书吊销验证机制技术对与分析 | 帽之岛, Hat's Land
• OCSP 的淡出… – Gea-Suan Lin's BLOG

Compared to GitHub's official runners, Self-hosted Runners offer several key advantages:

• Unlimited Action runtime for private repositories
• Ability to configure more powerful hardware computing power and memory
• Access to internal network environments, facilitating communication with intranet/LAN devices

Configuration and Installation

Since I wasn't sure about the network environment requirements, I directly chose an idle Hong Kong VPS for this test, with specs of 4 cores, 4GB RAM, 80GB disk, and 1Gbps bandwidth. Aside from somewhat lacking disk read/write performance, everything else was maxed out.

The configuration of Self-hosted Runner itself is quite straightforward and clear, following the official guidelines without any issues.

All three mainstream platforms are supported, and if utilized properly, it should cover a range of needs including iPhone app packaging.

Looking at the runner installation file I received, version 2.328.0, the compressed package is around 220MB and includes built-in node20 and node24 runtime environments, two versions each.

After executing config.sh, a svc.sh file appears in the current directory, which can be used to leverage systemd for process management and similar needs.

Refreshing the web page again shows that the Self-hosted Runner is now online.

Specifying Actions to Use Your Own Runner

This step is simple - just change the runs-on field in the original Action's yml file:

jobs:
  run:
+    runs-on: self-hosted
-    runs-on: ubuntu-latest

Real-World Testing

When I excitedly switched the CI workflow from GitHub's official runner to the self-hosted runner, problems quickly surfaced, and this is the main reason I "can't love it." The issues were concentrated in the setup-python GitHub Action Flow, which is maintained by GitHub officially, showing an error that version 3.12 wasn't found.

In GitHub's official virtual environment, these Actions prepare the specified version of the development environment for us. For example, uses: actions/setup-python combined with with: python-version: '3.12' automatically installs and configures Python 3.12.x in the environment. I had grown accustomed to this and considered it an "out-of-the-box" feature. However, on Self-hosted Runner, the situation is somewhat different. The setup-python documentation states:

Python distributions are only available for the same environments that GitHub Actions hosted environments are available for. If you are using an unsupported version of Ubuntu such as 19.04 or another Linux distribution such as Fedora, setup-python may not work.

The setup-python Action only supports the same operating systems used by GitHub Actions, and my VPS's Debian is not supported, hence this error, which also sealed Debian's fate.

The Root Cause: Misunderstanding Self-hosted Runner

I subconsciously believed that Self-hosted Runner merely transferred the computational cost from GitHub's servers to local infrastructure, and that official standard actions like actions/setup-python should elegantly download, install, and configure everything I need, just like in GitHub-hosted Runners. However, the essence of Self-hosted Runner is simply receiving tasks from GitHub and executing instructions within the current operating system environment, without guaranteeing consistency with the runtime environment provided by GitHub's official Runners.

Self-hosted Runner is not an out-of-the-box "service," but rather "infrastructure" that you need to personally manage. You are responsible for server installation, configuration, security updates, dependency management, disk cleanup, and a series of operational tasks. It's more suitable for teams or individuals with advanced CI/CD requirements: such as heavy CI/CD consumers, teams needing specific hardware (like ARM, GPU) for builds, or enterprises whose CI workflows deeply depend on internal network resources. For ordinary developers like me who simply want to provide more local computing resources to gain more Action runtime, the operational mental burden it brings seems a bit heavy.

955 milliseconds of DNS resolution time! This number shocked me. After visitors opened my blog, they had to wait nearly a full second just to determine the image server location—completely negating the benefits of CDN optimization.

Context Note: In China, there's a significant network divide between domestic and international internet access due to the Great Firewall. Many Chinese websites use geo-DNS to serve domestic users from servers within China and international users from overseas servers, optimizing for both speed and accessibility.

Why Didn't I Notice Earlier?

The main culprit was DNS caching. It remembers resolution results for subsequent visits, making both my local tests and return visitor tests appear normal. It wasn't until users reported issues—combined with my recent review of DNS resolution flows for job interview prep (recursive queries, authoritative queries, root domains, TLDs, etc.)—that I pinpointed the problem: first-visit DNS resolution latency.

DNS Resolution Flow Analysis

Let's examine what happens when a visitor accesses static.031130.xyz:

sequenceDiagram
    participant User as Visitor Browser
    participant Local as Local DNS
    participant CF as Cloudflare<br/>(Foreign Authority)
    participant DP as DNSPod<br/>(Domestic Authority)
    participant CDN as CDN Node

    User->>Local: Request static.031130.xyz
    Local->>CF: Query 031130.xyz authority
    Note over Local,CF: Cross-border query, high latency
    CF->>Local: CNAME: cdn-cname.zhul.in
    Local->>DP: Query zhul.in authority
    DP->>Local: CNAME: small-storage-cdn.b0.aicdn.com
    Local->>DP: Query aicdn.com
    DP->>Local: CNAME: nm.aicdn.com
    Local->>DP: Query final IP
    DP->>Local: Return CDN IP
    Local->>User: Return resolution result
    User->>CDN: Connect and download images

Here's the problem: the first two query steps point to Cloudflare's authoritative servers overseas. For domestic Chinese users, even though the final resolved CDN node is within China, the cross-border DNS queries are enough to cripple the first-visit experience. That 955ms latency is mostly spent communicating with foreign DNS servers.

Context Note: DNSPod is Tencent's DNS service provider, widely used in China for its domestic infrastructure and reliability.

Optimization Solutions

To address this issue, I implemented three measures:

1. DNS Prefetch

Added to the blog's HTML <head> section:

<link rel="dns-prefetch" href="//static.031130.xyz">

This way, the browser performs DNS resolution for the image hosting domain while rendering the page. By the time images actually need to load, the DNS results may already be ready.

2. Extended TTL

Increased the TTL (Time To Live) value for the static.031130.xyz CNAME record from a few minutes to several hours or even a day. This allows local DNS servers to cache results longer, enabling subsequent users to directly use cached results and skip authoritative queries.

3. Migrate Authoritative DNS (Core Solution)

Migrated the authoritative DNS servers for the 031130.xyz domain from Cloudflare to DNSPod in China:

graph TB
    subgraph "Before Optimization"
        A1[Visitor] --> B1[Local DNS]
        B1 --> C1[Cloudflare Authority<br/>Overseas]
        C1 --> D1[DNSPod Authority<br/>Domestic]
        D1 --> E1[CDN Node]
        style C1 fill:#ffcccc
    end

graph TB
    subgraph "After Optimization"
        A2[Visitor] --> B2[Local DNS]
        B2 --> D2[DNSPod Authority<br/>Domestic]
        D2 --> E2[CDN Node]
        style D2 fill:#ccffcc
    end

Benefits after migration:

• When recursive DNS queries 031130.xyz, it directly reaches DNSPod in China with fast response
• DNSPod directly returns static.031130.xyz -> small-storage-cdn.b0.aicdn.com without intermediate hops
• The entire DNS resolution chain completes domestically, dramatically reducing first-visit latency

Optimization Results

While DNS caching makes testing difficult, after migrating the authoritative DNS + adjusting TTL + adding prefetch, first-visit DNS resolution time dropped to an acceptable range.

Lessons Learned

1. DNS Location Matters: When optimizing for multiple regions, the geographic location of authoritative DNS servers significantly impacts first-visit latency. Prioritize using domestic authoritative servers for your target audience.

2. First Visits Are Critical: While caching helps subsequent visits, the first-visit experience directly affects user impression. Make good use of dns-prefetch and reasonable TTL settings.

3. Monitoring and Feedback Are Important: Local test environments often benefit from caching; real first-visit experiences need to be discovered through monitoring and user feedback.

Important Warning: Beware of CNAME Flattening

If you need geo-distributed resolution to connect visitors to the nearest CDN node, absolutely avoid CNAME Flattening.

What Is CNAME Flattening?

When an authoritative DNS server (like Cloudflare) sees a CNAME record, it proactively queries the final IP address of the target domain and then directly returns the IP instead of the CNAME.

Why Does This Cause Problems?

Geo-distributed resolution (GeoDNS) is implemented at the authoritative DNS server level. When the authoritative server performs CNAME flattening, it queries the target domain's IP from its own location. If the authoritative DNS is in the US, it gets the optimal US node IP, then returns this IP to all regional queries, including Chinese users. This completely breaks your domestic CDN IP strategy configured for Chinese users.

graph LR
    subgraph "CNAME Flattening Problem"
        A[Chinese User] --> B[Cloudflare Authority<br/>US Node]
        B --> C[Query Target CNAME]
        C --> D[Return US CDN IP]
        D --> A
        style D fill:#ffcccc
    end

The Correct Approach

Honestly use CNAME to point to another domain that supports GeoDNS (such as static.031130.xyz -> cdn-cname.zhul.in, with the latter doing geo-distributed resolution on DNSPod). Only this way can you ensure the routing strategy executes correctly.

If you need geo-distributed resolution functionality, do not enable CNAME Flattening (or similar features like ALIAS, ANAME, etc.) on related domains.

Author's Note: This article reflects the unique challenges of optimizing web services for the Chinese internet landscape, where the network infrastructure divide between domestic and international access requires careful DNS and CDN configuration to provide optimal performance for all users.

In the previous article, we embarked on a performance optimization journey for Markdown rendering. From the most primitive full refresh with v-html, to block-by-block updates, we eventually brought out the "ultimate weapon" - morphdom. By directly comparing and manipulating the real DOM, it updates the view with minimal cost, perfectly solving the performance bottleneck and interaction state loss issues in real-time rendering.

However, a fundamental problem has always existed: in Vue's territory, bypassing Vue's Virtual DOM and Diff algorithm to let a third-party library directly "operate" on the real DOM always feels somewhat "unorthodox." It's like introducing an old master with a hammer and wrench for manual repairs in a precision automated factory. Although the job is done well, it always feels like it disrupts the original workflow and isn't "Vue" enough.

So, is there a more elegant, more "native" approach that allows us to enjoy precise updates while fully integrating with Vue's ecosystem?

With this question in mind, I consulted friends in frontend development groups.

If you're building a renderer, your approach isn't the best practice. Each time you update, you generate the full virtual HTML, then optimize performance by subtracting from the HTML. However, the incremental part of each update is clear - why not directly use this incremental part for addition? The incremental part cannot be directly obtained through markdown-it, but a better approach is to transform at this step: first parse the Markdown structure, then use Vue's dynamic rendering capabilities to generate the DOM. This way, DOM reuse can leverage Vue's own abilities. — j10c

You can use unified with the remark-parse plugin to parse markdown strings into AST, then render based on the AST using render functions. — bii & nekomeowww

New Approach: From "String Conversion" to "Structured Rendering"

Our previous solutions, whether v-html or morphdom, shared a core approach:

Markdown String -> markdown-it -> HTML String -> Browser/morphdom -> DOM

The problem with this pipeline is that starting from the HTML String step, we lose the original structural information of Markdown. We get a bunch of unstructured text that Vue cannot understand its internal logic and can only swallow it whole.

The new approach transforms the process into:

Markdown String -> AST (Abstract Syntax Tree) -> Vue VNodes (Virtual Nodes) -> Vue -> DOM

What is AST?

AST (Abstract Syntax Tree) is a structured representation of source code or markup language. It parses a long string of text into a hierarchical tree-like object. For Markdown, a level-1 heading becomes a node with type: 'heading', depth: 1, a paragraph becomes a node with type: 'paragraph', and the text within the paragraph becomes the children of the paragraph node.

Once we convert Markdown into an AST, we essentially have a "structural blueprint" of the entire document. We're no longer facing a pile of ambiguous HTML strings, but rather a clear, programmable JavaScript object.

Our New Tools: unified and remark

To implement the Markdown -> AST conversion, we introduce the unified ecosystem.

• unified: A powerful content processing engine. Think of it as an assembly line where raw text is the raw material, and you process it through parsing, transformation, and serialization by adding different "plugins."
• remark-parse: A unified plugin specifically responsible for parsing Markdown text into AST (specifically in mdast format).

Step 1: Parse Markdown into AST

First, we need to install the dependencies:

npm install unified remark-parse

Then, we can easily convert a Markdown string into an AST:

import { unified } from 'unified'
import remarkParse from 'remark-parse'

const markdownContent = '# Hello, AST!\n\nThis is a paragraph.'

// Create a processor instance
const processor = unified().use(remarkParse)

// Parse Markdown content
const ast = processor.parse(markdownContent)

console.log(JSON.stringify(ast, null, 2))

Running the above code will give us a JSON object like the following, which is our coveted AST:

{
  "type": "root",
  "children": [
    {
      "type": "heading",
      "depth": 1,
      "children": [
        {
          "type": "text",
          "value": "Hello, AST!",
          "position": { ... }
        }
      ],
      "position": { ... }
    },
    {
      "type": "paragraph",
      "children": [
        {
          "type": "text",
          "value": "This is a paragraph.",
          "position": { ... }
        }
      ],
      "position": { ... }
    }
  ],
  "position": { ... }
}

Step 2: From AST to Vue VNodes

Having obtained the AST, the next step is to actually "construct" this "structural blueprint" into a user-visible interface. In Vue's world, the blueprint for describing UI is the Virtual Node (VNode), and the h() function (i.e., hyperscript) is the brush for creating VNodes.

Our task is to write a render function that can recursively traverse the AST and generate corresponding VNodes for each node type (heading, paragraph, text, etc.).

Here's a simple render function implementation:

function renderAst(node) {
  if (!node) return null
  switch (node.type) {
    case 'root':
      return h('div', {}, node.children.map(renderAst))
    case 'paragraph':
      return h('p', {}, node.children.map(renderAst))
    case 'text':
      return node.value
    case 'emphasis':
      return h('em', {}, node.children.map(renderAst))
    case 'strong':
      return h('strong', {}, node.children.map(renderAst))
    case 'inlineCode':
      return h('code', {}, node.value)
    case 'heading':
      return h('h' + node.depth, {}, node.children.map(renderAst))
    case 'code':
      return h('pre', {}, [h('code', {}, node.value)])
    case 'list':
      return h(node.ordered ? 'ol' : 'ul', {}, node.children.map(renderAst))
    case 'listItem':
      return h('li', {}, node.children.map(renderAst))
    case 'thematicBreak':
      return h('hr')
    case 'blockquote':
      return h('blockquote', {}, node.children.map(renderAst))
    case 'link':
      return h('a', { href: node.url, target: '_blank' }, node.children.map(renderAst))
    default:
      // Other unimplemented types
      return h('span', { }, `[${node.type}]`)
  }
}

Step 3: Encapsulate Vue Component

Integrating the above logic, we can build a Vue component. Given the characteristic of directly generating VNodes, using a functional component or explicit render function is most appropriate.

<template>
  <component :is="VNodeTree" />
</template>

<script setup>
import { computed, h, shallowRef, watchEffect } from 'vue'
import { unified } from 'unified'
import remarkParse from 'remark-parse'

const props = defineProps({
  mdText: {
    type: String,
    default: ''
  }
})

const ast = shallowRef(null)
const parser = unified().use(remarkParse)

watchEffect(() => {
  ast.value = parser.parse(props.mdText)
})

// AST render function (same as renderAst function above)
function renderAst(node) { ... }

const VNodeTree = computed(() => renderAst(ast.value))

</script>

Now it can be used like a regular component:

<template>
  <MarkdownRenderer :mdText="markdownContent" />
</template>

<script setup>
import { ref } from 'vue'
import MarkdownRenderer from './MarkdownRenderer.vue'

const markdownContent = ref('# Hello Vue\n\nThis is rendered via AST!')
</script>

Huge Advantages of the AST Approach

After switching to the AST track, we gained unprecedented superpowers:

1. Native Integration, Excellent Performance: We no longer need the brute force refresh of v-html, nor do we need "external help" like morphdom. All updates are handled by Vue's own Diff algorithm, which is not only highly performant but also fully aligned with Vue's design philosophy - truly "one of our own."

2. High Flexibility and Extensibility: AST, as a programmable JavaScript object, provides a solid foundation for customized processing:

   • Element Replacement: Native elements (like <h2>) can be seamlessly replaced with custom Vue components (like <FancyHeading>), only requiring adjustments to the corresponding case logic in the renderAst function.
   • Logic Injection: Attributes like target="_blank" and rel="noopener noreferrer" can be conveniently added to external links <a>, or lazy-load components can wrap images <img> - such operations are easy to implement at the AST level.
   • Ecosystem Integration: Fully leverage unified's rich plugin ecosystem (such as remark-gfm for GFM syntax support, remark-prism for code highlighting), only requiring the introduction of corresponding plugins in the processor chain (.use(pluginName)).

3. Separation of Concerns: Parsing logic (remark), rendering logic (renderAst), and business logic (Vue components) are clearly separated, resulting in clearer code structure and stronger maintainability.

4. Type Safety and Predictability: Compared to manipulating strings or raw HTML, rendering logic based on structured AST is easier to type-check and reason about.

Conclusion: Evolution from Functional Implementation to Architectural Optimization

Reviewing the optimization journey:

• v-html: Simple implementation, but with performance and security concerns.
• Block updates: Alleviated some performance issues, but the solution had limitations.
• morphdom: Effectively improved performance and user experience, but existed in isolation from Vue's core mechanisms.
• AST + Functional Rendering: Returns to Vue's native paradigm, providing an ultimate solution with excellent performance, flexibility, and maintainability.

By adopting AST, we not only solved specific technical challenges but, more importantly, achieved a paradigm shift - from result-oriented programming (HTML strings) to process and structure-oriented programming (AST). This enables us to dive deep into the essence of content, thereby achieving precise control over the rendering process.

This optimization practice from "full refresh" to "structured rendering" is not only a technical process of performance improvement but also a systematic exploration of deeply understanding modern frontend engineering thinking. The final Markdown rendering solution achieved high standards in performance, functionality, and architectural elegance.

In a recent AI project I took over, I needed to implement a ChatGPT-like conversational interface. The core workflow is: the backend continuously pushes AI-generated Markdown text fragments to the frontend via SSE (Server-Sent Events) protocol. The frontend is responsible for dynamically receiving and concatenating these Markdown fragments, ultimately rendering and displaying the complete Markdown text in real-time on the user interface.

Markdown rendering isn't an uncommon requirement, especially in today's world flooded with LLM-based products. Unlike the React ecosystem, which has a popular third-party library with 14k+ stars—react-markdown—Vue doesn't seem to have an actively maintained Markdown rendering library with significant popularity (at least 2k+ stars). cloudacy/vue-markdown-render last released a year ago but has only 103 stars as of this writing; miaolz123/vue-markdown has 2k stars but its last commit was 7 years ago; zhaoxuhui1122/vue-markdown is even archived.

First Version: Simple and Brute Force v-html

After a quick survey, I confirmed that the Vue ecosystem indeed lacks a robust Markdown rendering library. Since there's no ready-made solution, let's build our own!

Based on most articles and LLM recommendations, we first adopted the markdown-it third-party library to convert Markdown to HTML strings, then passed it through v-html.

PS: We assume here that the Markdown content is trusted (e.g., generated by our own AI). If the content comes from user input, you must use libraries like DOMPurify to prevent XSS attacks and avoid "opening a window" in your website!

Example code:

<template>
  <div v-html="renderedHtml"></div>
</template>

<script setup>
import { computed, onMounted, ref } from 'vue';
import MarkdownIt from 'markdown-it';

const markdownContent = ref('');
const md = new MarkdownIt();

const renderedHtml = computed(() => md.render(markdownContent.value))

onMounted(() => {
  // markdownContent.value = await fetch() ...
})
</script>

Evolution: Chunked Updates for Markdown

While the above approach achieves basic rendering, it has obvious flaws in real-time update scenarios: every time a new Markdown fragment is received, the entire document triggers a full re-render. Even if only the last line is new content, the entire document's DOM gets completely replaced. This leads to two core problems:

1. Performance bottleneck: As Markdown content grows, the overhead of markdown-it parsing and DOM reconstruction increases linearly.
2. Lost interaction state: Full refresh wipes out the user's current operation state. Most notably, if you've selected some text, one refresh and the selection is gone!

To solve these two problems, we found a chunked rendering solution online—splitting Markdown by two consecutive newlines (\n\n) into chunks. This way, each update only re-renders the last new chunk, while previous chunks reuse the cache. The benefits are obvious:

• If the user has selected text in a previous chunk, the selection state won't be lost on the next update (because that chunk hasn't changed).
• Fewer DOM nodes need re-rendering, naturally improving performance.

The adjusted code looks like this:

<template>
  <div>
    <div
      v-for="(block, idx) in renderedBlocks"
      :key="idx"
      v-html="block"
      class="markdown-block"
    ></div>
  </div>
</template>

<script setup>
import { ref, computed, watch } from 'vue'
import MarkdownIt from 'markdown-it'

const markdownContent = ref('')
const md = new MarkdownIt()

const renderedBlocks = ref([])
const blockCache = ref([])

watch(
  markdownContent,
  (newContent, oldContent) => {
    const blocks = newContent.split(/\n{2,}/)
    // Only re-render the last block, reuse cache for others
    // Handle cases where blocks decrease or increase
    blockCache.value.length = blocks.length
    for (let i = 0; i < blocks.length; i++) {
      // Only render the last one, or new blocks
      if (i === blocks.length - 1 || !blockCache.value[i]) {
        blockCache.value[i] = md.render(blocks[i] || '')
      }
      // Reuse other blocks directly
    }
    renderedBlocks.value = blockCache.value.slice()
  },
  { immediate: true }
)

onMounted(() => {
  // markdownContent.value = await fetch() ...
})
</script>

Ultimate Weapon: Precise Updates with morphdom

While chunked rendering solves most problems, it struggles with Markdown lists. Because in Markdown syntax, list items are usually separated by only one newline, so the entire list is treated as one large chunk. Imagine a list with hundreds of items—even if only the last item is updated, the entire list chunk must be completely re-rendered, and we're back to square one.

What is morphdom?

morphdom is a JavaScript library of only 5KB (gzipped), with the core functionality of: receiving two DOM nodes (or HTML strings), calculating the minimal DOM operations needed, and "morphing" the first node into the second, rather than directly replacing it.

Its working principle is similar to Virtual DOM's Diff algorithm, but operates directly on the real DOM:

1. Compare tag names, attributes, text content, etc., between old and new DOM;
2. Execute only add/delete/modify operations on the differences (like modifying text, updating attributes, moving node positions);
3. Unchanged DOM nodes are completely preserved, including their event listeners, scroll positions, selection states, etc.

Markdown treats lists as a whole, but in the generated HTML, each list item (<li>) is independent! When morphdom updates later list items, it ensures earlier list items remain untouched, naturally preserving their state.

Isn't this exactly what we've been dreaming of? Real-time Markdown updates while maximally preserving user operation state, and saving a bunch of unnecessary DOM operations!

Example Code

<template>
  <div ref="markdownContainer" class="markdown-container">
    <div id="md-root"></div>
  </div>
</template>

<script setup>
import { nextTick, ref, watch } from 'vue';
import MarkdownIt from 'markdown-it';
import morphdom from 'morphdom';

const markdownContent = ref('');
const markdownContainer = ref(null);
const md = new MarkdownIt();

const render = () => {
  if (!markdownContainer.value.querySelector('#md-root')) return;

  const newHtml = `<div id="md-root">` + md.render(markdownContent.value) + `</div>`

  morphdom(markdownContainer.value, newHtml, {
    childrenOnly: true
  });
}

watch(markdownContent, () => {
    render()
});

onMounted(async () => {
  // Wait for DOM to be mounted
  await nextTick()
  render()
})
</script>

Seeing is Believing: Demo Comparison

The iframe below contains a comparison demo showing the performance differences between different approaches.

Tip: If you're using Chromium-based browsers like Chrome or Edge, open Developer Tools (DevTools), find the "Rendering" tab, and check "Paint flashing." This way you can visually see which parts get repainted with each update—fewer repainted areas mean better performance!

Progress So Far

From the initial "brute force full refresh," to the "smarter chunked updates," and now to the "surgical precision of morphdom updates," we've progressively eliminated unnecessary rendering overhead, ultimately creating a Markdown real-time rendering solution that's both fast and preserves user state.

However, using morphdom, a third-party library to directly manipulate DOM in Vue components, feels somewhat... not quite "Vue"? While it solves the core performance and state issues, playing this way in the Vue world feels a bit like taking the back door.

Next Episode Preview: In the next article, we'll discuss whether there's a more elegant, more "native" solution in the Vue world to achieve precise Markdown updates. Stay tuned!

• node-sass -> sass (dart-sass)
• Minimize impact, avoid updating other dependency versions unless necessary
• Based on the above two conditions, see if we can upgrade the node.js version

Reasons to Abandon node-sass

• node-sass has been deprecated, dart-sass is the officially recommended successor by Sass
• node-sass installation on Windows is very troublesome, requiring both Python 2 and Microsoft Visual C++ on the development machine during npm installation
• When installing node-sass, resources need to be pulled from GitHub, which has a low success rate in certain network environments

Current Project Dependency Versions

• node@^12
• vue@^2
• webpack@^3
• vue-loader@^14
• sass-loader@^7.0.3
• node-sass@^4

Update Strategy

node.js

Webpack officially doesn't provide the maximum node version supported by webpack 3, and even if webpack officially supports it, related webpack plugins may not. Therefore, whether the node version can be updated can only be determined through testing. Fortunately, although this project's CI/CD runs on node 12, I've been using node 14 for daily development, so I'll take this opportunity to upgrade the node version to 14.

webpack, sass-loader

The webpack version is currently in a "ticking time bomb" state of not updating unless necessary. Based on the current webpack 3 limitation, the maximum supported sass-loader version is ^7 (sass-loader's 8.0.0 version changelog explicitly states that version 8.0.0 requires webpack 4.36.0).

If sass-loader@^7 in the project supports using dart-sass, then there's no need to update sass-loader, and consequently no need to update webpack; otherwise, webpack would need to be updated to 4, and then determine the sass-loader version accordingly.

So does it support it or not? I found this package.json snippet on the webpack official documentation page introducing sass-loader:

{
  "devDependencies": {
    "sass-loader": "^7.2.0",
    "sass": "^1.22.10"
  }
}

This proves that at least sass-loader@7.2.0 already supported dart-sass, so the webpack version can stay at ^3, and sass-loader can temporarily stay at version 7.0.3. If there are issues later, it can be updated to the latest version 7.3.1 in the ^7 range.

dart-sass

I couldn't find the maximum sass version supported by sass-loader@^7. GitHub Copilot confidently told me:

Official documentation quote:

sass-loader@^7.0.0 requires node-sass >=4.0.0 or sass >=1.3.0, <=1.26.5.

Suggestion:

• If you need to use a higher version of sass, please upgrade to sass-loader 8 or higher.

However, I couldn't find any trace of this text on the internet. Moreover, the last version in sass's ~1.26 range is 1.26.11, not 1.26.5. According to common npm versioning principles, releases that only change the patch version while keeping the major and minor versions the same generally only contain bugfixes without breaking changes. It's unlikely that updating from 1.26.5 to 1.26.11 would suddenly become incompatible with sass-loader 7, so this is more likely an AI hallucination or limited training data.

Out of caution, I ultimately decided to use the last version of sass 1.22 mentioned in the webpack official documentation, which is 1.22.12.

Analysis Complete, Let's Update

Step 1: Uninstall node-sass, Install sass@^1.22.12

npm uninstall node-sass
npm install sass@^1.22.12

Step 2: Update webpack Configuration (Optional)

module.exports = {
  // ...
  module: {
    rules: [
      {
        test: /\.(scss|sass)$/,
        use: [
          'style-loader',
          'css-loader',
          {
            loader: 'sass-loader',
+            options: {
+                // In fact, this line doesn't need to be added in most sass-loader versions, sass-loader can automatically detect whether it's sass or node-sass
+                implementation: require('sass')
+              },
            },
          },
        ],
      },
    ],
  },
};

Step 3: Batch Replace /deep/ Syntax with ::v-deep

Because the /deep/ syntax was deprecated in 2017, /deep/ became an unsupported deep selector. node-sass, with its excellent error tolerance, could continue to provide compatibility, but dart-sass doesn't support this syntax. So we need to batch replace the /deep/ syntax with ::v-deep, which, although abandoned in Vue's subsequent RFC, is still effectively supported to this day.

# Something like this, using VSCode's batch replace also works
sed -i 's#\s*/deep/\s*# ::v-deep #g' $(grep -rl '/deep/' .)

Step 4: Fix Other Sass Syntax Errors

During the migration, I found some non-standard syntax in the project. node-sass, with its excellent robustness, silently forced parsing, while dart-sass can't handle this rough work. Therefore, these syntax errors need to be manually fixed based on compilation errors. I encountered two types:

// Extra colon
.foo {
-  color:: #fff;
+  color: #fff;
}

// :nth-last-child without specified number
.bar {
-  &:nth-last-child() {
+  &:nth-last-child(1) {
      margin-bottom: 0;
  }
}

Pitfalls

::v-deep Styles Not Taking Effect

After updating dependencies, everything seemed fine at first glance, so I pushed to the test environment. Less than a day later, a colleague called me - the ::v-deep deep selector wasn't working?

Trying my luck, GPT gave the following answer:

In the Vue 2 + vue-loader + Sass combination, this syntax is correct, provided that your build toolchain supports the ::v-deep syntax (such as vue-loader@15 and above + sass-loader).

Although I still haven't verified why updating to vue-loader@15 is required to use ::v-deep syntax, after updating vue-loader, the ::v-deep syntax did work. While writing this article, I found some clues that might explain this issue:

1. The vue-loader version 14 official documentation simply doesn't have examples of ::v-deep syntax. This example was only added after vue-loader 15.7.0 was released.

2. Someone mentioned in a vue-cli GitHub Issue comment:

   ::v-deep implemented in @vue/component-compiler-utils v2.6.0, should work after you reinstall the deps.

   And vue-loader only added @vue/component-compiler-utils to its dependencies in version 15.0.0-beta.1, and didn't update its @vue/component-compiler-utils version to the required ^3.0.0 until vue-loader 15.7.1.

Can we upgrade to vue-loader 16 or even 17? No. The vue-loader v16.1.2 changelog clearly states:

Note: vue-loader v16 is for Vue 3 only.

vue-loader 14 -> 15 Breaking Changes

When migrating vue-loader from 14 upward, running directly without modifying the webpack configuration will encounter Vue syntax recognition issues. Specifically, even though .vue file naming uses correct and valid syntax, the compiler just won't recognize it during build/development, reporting syntax errors. vue-loader officially has a migration document that needs attention.

ERROR in ./src/......
Module parse failed: Unexpected token(1:0)
You may need an appropriate loader to handle this file type.

// ...
import path from 'path'
+const VueLoaderPlugin = require('vue-loader/lib/plugin')

// ...

  plugins: [
+    new VueLoaderPlugin()
    // ...
  ]

Additionally, in my project, I needed to remove the babel-loader for .vue files in the webpack configuration:

{
  test: /\.vue$/,
  use: [
-    {
-      loader: 'babel-loader'
-    },
    {
      loader: 'vue-loader',
    }
  ]
}

Final Update Status

• node@^12 -> node@^14
• vue-loader@^14 -> vue-loader@^15
• node-sass@^4 -> sass@^1.22.12

All other dependency versions remain unchanged

References

• Switching from node-sass to dart-sass - Juejin
• node-sass migration to dart-sass | Bolg
• sass-loader | webpack Documentation
• Sass: LibSass is Deprecated
• sass - npm
• node-sass - npm
• About semantic versioning | npm Docs
• Make /deep/ behave like the descendant combinator " " in CSS live profile - Chrome Platform Status
• sass-loader/CHANGELOG.md at v8.0.0 · webpack-contrib/sass-loader
• Release v16.1.2 · vuejs/vue-loader
• refactor: use @vue/component-compiler-utils · vuejs/vue-loader@e32cd0e
• chore: update @vue/component-compiler-utils to v3 · vuejs/vue-loader@c359a38
• dart-sass does not support /deep/ selector · Issue #3399 · vuejs/vue-cli
• Scoped CSS · vue-loader v14
• Migrating from v14 | Vue Loader

This story sounds bizarre—even surreal. Half a month ago, while happily coding at my desk (with hotpot and songs in the background 🍲🎤), I stumbled upon a truly uncanny bug. As a bona fide human software engineer, writing bugs is normal—but this one defied all intuition: the moment I opened DevTools (F12) to inspect the relevant DOM structure, the bug vanished. Close DevTools, hit Ctrl+F5 to hard-refresh, and bam—the bug reappeared.

Below is a live demo embedded via <iframe>: demo

This bug left me utterly bewildered. I’m no physicist—why did observer effect from quantum mechanics show up in my frontend code?! 🤯

Observer effect: the act of observation inevitably influences the phenomenon being observed.

In quantum experiments—for example, to measure an electron’s velocity—you might fire two photons at it over a time interval. But the first photon already disturbs the electron’s motion, making the original velocity impossible to determine (Heisenberg’s uncertainty principle). Similarly, rapidly observing a decaying particle can apparently slow its decay rate.

— Wikipedia

Quantum Fog ❌ → Browser Mechanics ✅

Let’s briefly examine the problematic code snippet from the demo:

if (scrollIndex >= groupLength) {
  setTimeout(() => {
    wrapper.style.transition = "none";
    scrollIndex = 0;
    wrapper.style.transform = `translateY(-${scrollIndex * itemHeight}px)`;

    requestAnimationFrame(() => {
      wrapper.style.transition = "transform 0.5s cubic-bezier(0.25, 0.1, 0.25, 1)";
    });
  }, 500);
}

The requirement was to implement an infinite vertical scrolling title list. Three titles are shown at a time; every 2 seconds, the list scrolls up as a group—the top item exits view, and a new item enters from below (again, the demo clarifies this visually).

When reaching the bottom, we disable CSS transitions, instantly relocate (transform) the wrapper back to the “top” of the logical loop (i.e., visually reset to the same three titles), then re-enable transitions—creating a seamless infinite loop illusion.

But here’s the twist: even though we explicitly set transition: none, the jump still exhibited a transition animation.

Frankly, this was the most despair-inducing bug in my short dev career. Not only was the behavior seemingly supernatural, but searching online felt hopeless—I didn’t even know how to phrase the issue!

Out of desperation, I fed the code to ChatGPT-4o—and got a lifeline:

The phenomenon you describe — “a jarring upward jump on the 9th scroll, which disappears when DevTools is open” — is almost certainly due to frame skipping (frame rate fluctuations) or timer precision issues in the browser’s rendering pipeline.

Such bugs commonly arise when combining setInterval-driven animation with improperly timed style switches (e.g., transition toggles), causing transition frame skips. Opening DevTools often forces frame redraws or increases timer resolution, thereby masking the issue.

Great News: requestAnimationFrame to the Rescue! 🎉

window.requestAnimationFrame() tells the browser you wish to perform an animation and requests that the browser call a specified function to update an animation before the next repaint.

— MDN

Here’s the fix suggested by GPT—simple yet highly effective:

if (scrollIndex >= groupLength) {
  setTimeout(() => {
    wrapper.style.transition = "none";
    scrollIndex = 0;
    wrapper.style.transform = `translateY(-${scrollIndex * itemHeight}px)`;

    requestAnimationFrame(() => {
+     requestAnimationFrame(() => {
        wrapper.style.transition = "transform 0.5s cubic-bezier(0.25, 0.1, 0.25, 1)";
+     });
    });
  }, 500);
}

If nested requestAnimationFrame calls feel confusing, here’s an equivalent—but clearer—version:

if (scrollIndex >= groupLength) {
  setTimeout(() => {
    scrollIndex = 0;

    requestAnimationFrame(() => {
      // Frame 1: Apply instant jump (no transition)
      wrapper.style.transition = "none";
      wrapper.style.transform = `translateY(-${scrollIndex * itemHeight}px)`;

      // Enqueue next frame
      requestAnimationFrame(() => {
        // Frame 2: Re-enable smooth transition
        wrapper.style.transition = "transform 0.5s cubic-bezier(0.25, 0.1, 0.25, 1)";
      });
    });
  }, 500);
}

The core idea: we must guarantee that setting the new transform (the “teleport”) and re-enabling transition happen in separate animation frames. Two nested requestAnimationFrame calls ensure exactly that.

Taming the Quantum State: A New Skill for Frontend Developers

With double requestAnimationFrame, we’ve successfully tamed this “quantum” bug. Now, regardless of whether DevTools is open, the animation behaves consistently—no more vanishing acts.

So it turns out: in frontend development, we need not just JavaScript expertise—but perhaps a dash of quantum mechanics, too. 😉 Next time you encounter a bug that “collapses upon observation”, try this “quantum entanglement solution”: double requestAnimationFrame—it might just decohere your bug from a probabilistic “quantum state” into a deterministic “classical state”.

And if you’ve battled even weirder bugs—please share! After all, in the universe of code, we never know what exotic form the next bug will take. Perhaps, that’s precisely where the fun of programming lies. 🐛✨

This article was co-authored with assistance from ChatGPT and DeepSeek—but the bug? Sadly, 100% real (and tearful).

See Also

• Observer Effect — Wikipedia
• Window.requestAnimationFrame() — MDN Web Docs
• A Deep Dive into Web Page Performance — Ruan Yifeng’s Blog"

What Are the Mainstream Compression Algorithms Today?

AV1

As of 2025, AV1 stands as the most compression-efficient mainstream video codec. It has been fully adopted by major platforms such as YouTube, Netflix, and Bilibili, making it the top choice for new deployments. Beyond its superior compression, AV1’s royalty-free status encourages hardware vendors and browser developers to integrate support freely—both in hardware and software.

Unfortunately, Safari still lacks software decoding for AV1. Only Apple devices with M3 (or later) chips and iPhone 15 Pro (or later) support hardware AV1 decoding. Older Apple devices simply cannot play AV1 videos in Safari. (Let’s just say Safari has become the modern-day IE—a clear roadblock to Web advancement.)

Beyond playback compatibility, AV1 encoding is demanding. Among consumer GPUs, only NVIDIA RTX 40-series, AMD RX 7000-series, and Intel Arc A380 (and newer) support hardware AV1 encoding. Apple’s M-series chips still offer no AV1 encoding hardware acceleration whatsoever. On my ThinkPad with an Intel Core i7‑1165G7, software encoding via libaom-av1 crawls at ~0.0025× real-time speed—compressing a 5‑minute 1080p video takes over a full day.

H.265 / HEVC

As the official successor to H.264, HEVC (H.265) has arguably squandered its potential. It is governed by multiple patent pools (e.g., MPEG LA, HEVC Advance, Velos Media), resulting in fragmented and costly licensing terms. These high licensing fees have drastically limited its adoption—especially in open ecosystems and web contexts.

Chromium and Firefox refuse to shoulder HEVC licensing costs, so they do not ship with built-in HEVC software decoders. Browsers today generally follow a “hardware decode if possible; otherwise, give up” policy. Firefox on Linux, however, tries a workaround: if hardware decode fails, it leverages system-installed FFmpeg for software decoding. Fortunately, HEVC—standardized in 2013—has now gained near-universal hardware decode support: Apple treats HEVC as a first-class citizen, supporting it across its entire product lineup.

Uncovered edge cases remain: Chromium/Firefox on Windows 7, and Chromium on Linux (including domestic Chinese distros like UOS and Kylin).

VP9

VP9, introduced by Google in 2013, serves as one of H.264’s successors. Its compression efficiency rivals HEVC—yet its biggest advantage is being completely royalty-free. VP9 was Google’s defiant response to HEVC’s licensing hurdles: “You keep feasting on royalties; I’ll host a free buffet.”

Thanks to its zero-cost licensing and aggressive promotion across Google’s ecosystem (YouTube, WebRTC, Chrome), VP9 quickly became the de facto standard for web video—especially before AV1’s rise. In fact, it even pressured Apple—longtime gatekeeper of proprietary codecs—to add VP9 support to Safari in macOS 11 (Big Sur) and iOS 14 (though WebM container support arrived slightly later).

VP9 enjoys near-universal software decode support: Chromium, Firefox, Edge, and even Safari include native support. Hardware decode support is also widespread: Intel Skylake (6th Gen Core) and later, NVIDIA GTX 950+, and AMD Vega/RDNA GPUs all support full VP9 decode. Unless you're running museum-grade hardware, VP9 playback “just works.”

Encoding remains VP9’s weak point—Google’s reference encoder, libvpx, lags behind x264/x265 in speed. Without hardware acceleration, VP9 encoding can still take hours. Still, compared to AV1, VP9 is far more usable: Intel introduced VP9 hardware encoding as early as Kaby Lake (7th Gen Core), and vendor support has matured significantly since.

H.264 / AVC

H.264—the venerable veteran—remains the undisputed champion of video codecs over the past two decades. Since its standardization in 2003, it has dominated everything: web streaming, Blu-ray, live broadcasts, surveillance, and smartphone recording.

Its unbeatable strength? Universal compatibility. Almost any screen-equipped device can decode H.264. Software decode has been standard in browsers and players for well over a decade; hardware decode dates back to Intel Sandy Bridge, NVIDIA Fermi, AMD VLIW4—and even Raspberry Pis or smart refrigerators can handle it.

While H.264 does involve patents, its licensing is comparatively pragmatic: MPEG LA’s pool is affordable, and free online video streaming incurs no fees. Thus, Chromium, Firefox, Safari, and Edge all ship with H.264 software decode built in.

That said, as a 20‑year‑old codec, H.264 lags far behind VP9, HEVC, and AV1 in compression efficiency. At equivalent quality, H.264 typically needs 30–50% higher bitrates than AV1—making it suboptimal for bandwidth- or storage-constrained scenarios. Yet in today’s pragmatic world—where playability beats perfection—H.264 remains the default fallback, the “reliable old workhorse”.

So even as AV1, HEVC, and VP9 gain ground, H.264 retains its central role in the video ecosystem—so long as some browsers lack AV1 support (looking at you, Safari), servers want to avoid costly transcoding, or users still run legacy devices.

Summary

Browsers can no longer singlehandedly abstract away hardware and OS discrepancies. Real-world edge cases persist beyond what compatibility tables can capture.

How to Choose?

We aren’t a professional video platform like YouTube or Bilibili, capable of offering users multiple resolutions and codec options.

Our final strategy must balance compression efficiency, playback compatibility, and encoding time.

Option 1: AV1 as Primary, H.264 as Fallback

Modern browsers support multiple <source> elements inside <video>, letting the browser pick the first playable one:

<video controls poster="preview.jpg">
  <source src="video.av1.webm" type='video/webm; codecs="av01"' />
  <source src="video.h264.mp4" type='video/mp4; codecs="avc1"' />
  Your browser does not support video playback.
</video>

This approach leverages AV1 for bandwidth savings on modern devices, while H.264 ensures compatibility on older browsers (e.g., legacy Safari). No JavaScript or complex detection logic is needed.

However, this may not be ideal for us:

• My top-end Apple M4 MacBook still lacks AV1 hardware encoding—a 5‑minute encode takes ~3 hours via software.
• Iterative tuning (adjusting CRF, bitrate, etc.) would be painfully slow.
• Even with AV1 decode supported in Chromium/Firefox, older hardware may suffer high CPU usage—leading to fan noise and complaints (as seen during YouTube’s AV1 rollout).

Option 2: VP9 as the Sole Choice

Given AV1’s encoding costs and playback burdens, VP9 emerges as a compelling alternative. Its browser support is robust, eliminating the need for an H.264 fallback. Moreover, VP9 hardware encoding is now widely available on recent CPUs/GPUs—enabling rapid iteration to find the optimal trade-off between file size and visual quality.

Note: While VP9 is most commonly packaged in WebM, the Opus audio codec (standard in WebM) still has spotty Safari support (only since Safari 17.4, March 2024). Consider using AAC audio in an MP4 container for broader compatibility.

Audio Bitrate Too High? Trim It Further

So far, we’ve focused on video compression, but the audio track offers room for savings too.

Stream #0:1[0x2](und): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 128 kb/s (default)

For a product demo video, 128 kbps stereo AAC is excessive. Switching to 64 kbps mono saved an additional ~2 MB—without perceptible quality loss in narration-heavy content.

Final Thoughts

For frontend developers, selecting a video codec is no longer just about “smallest file size”. It’s a balancing act among device capabilities, browser support, user experience, and development overhead.

We must embrace modern codecs like AV1 and VP9 where feasible, yet remain grounded in real-world constraints. HTML5’s <source> fallback mechanism empowers us to deliver elegant, resilient video experiences—even as the underlying codec landscape fragments.

After all, the Web has never lacked possibility—what’s rare is elegance in execution. If codec development is the domain of hardware engineers and video platforms, then those few lines of <source> within a <video> tag? That’s our trench—the frontend engineer’s battlefield.

References

• 网页视频编码指南 - Web 媒体技术 | MDN
• Encoding & Quality - Netflix Research
• How the VP9 Codec Supports Now Streaming to Apple Devices & More | dolby.io
• Audio/Video | The Chromium Project
• AV1 video format | Can I use... Support tables for HTML5, CSS3, etc
• WebM video format | Can I use... Support tables for HTML5, CSS3, etc
• HEVC/H.265 video format | Can I use... Support tables for HTML5, CSS3, etc
• Opus audio format | Can I use... Support tables for HTML5, CSS3, etc
• MPEG-4/H.264 video format | Can I use... Support tables for HTML5, CSS3, etc
• AV1 - Wikipedia
• High Efficiency Video Coding - Wikipedia
• VP9 - Wikipedia
• Advanced Video Coding - Wikipedia
• Encode and Decode Capabilities for 7th Generation Intel® Core™...
• macOS High Sierra - 维基百科，自由的百科全书
• Chrome 70 adds AV1 video support, improves PWAs on Windows, and more [APK Download]
• Firefox for Android 113.0, See All New Features, Updates and Fixes
• 视频网站的“蓝光”是怎么骗你的？——视频画质全解析【柴知道】_哔哩哔哩_bilibili
• “Why 4K Today Looks Worse Than 4 Years Ago” (original video unavailable)

Demo iframe:

demo

When I saw that the table behind was showing through the el-image preview overlay, my first reaction was to ask the student to check whether the z-index was correct—specifically whether the el-image mask overlay had a higher z-index than the table.

After testing locally, I confirmed that the z-index was indeed set correctly. So why were the elements behind showing through? A quick Google search led me to this article:

Simply add the following CSS to el-table:

.el-table__cell {
    position: static !important;
}

Testing locally confirmed that this solution works. But why? This is where Stacking Context comes into play.

What Exactly Is a Stacking Context?

Simply put, a Stacking Context is like a canvas. On the same canvas, elements with higher z-index values appear on top of those with lower values, which is why I initially suggested checking z-index. But the catch is that Stacking Contexts themselves have a hierarchy.

Imagine we have two canvases, A and B. On A, there’s an element with z-index: 1145141919810. This element has a very high priority and should appear at the very top of the browser window. But if canvas B has higher priority than canvas A, all elements on B will be displayed above A (essentially “winning by default”). So how is a canvas’s priority determined?

• Between sibling Stacking Contexts, priority is determined by z-index.
• For Stacking Contexts with the same z-index, elements appearing later in the HTML document have higher priority.

The second rule explains why in the demo, only elements that come after the image cell in the table are showing through.

So Why Do el-image and el-table Clash?

This conflict is mainly caused by two factors:

1. el-table sets position: relative for each cell. When position is set to relative, the element creates a new Stacking Context.

   

   So a table with ten cells actually generates ten canvases, each with z-index: 1. According to the rules above, table cells that appear later in the HTML document have higher priority than the earlier image cell.

2. The overlay used by el-image’s preview feature is placed inside the el-image element itself.

   

   The orange area in the image above is the overlay used during preview. The default behavior of Element Plus is to insert the preview overlay inside the <el-image> tag. This traps the overlay inside a low-priority Stacking Context, allowing content from later table cells to appear on top.

So What’s the Solution?

Changing the position value works

The solution found online, forcing position: static on table cells, works because static does not create a new Stacking Context, avoiding the current problem.

Placing top-layer elements in the highest-priority context is more common

Other component libraries usually handle this by inserting the overlay directly into the body element and giving it a high z-index. This ensures it always appears on top of the screen (same principle used for dialogs, popovers, etc.).

In fact, Element Plus supports this feature:

preview-teleported: Determines whether the image viewer overlay is inserted into the body. Should be set to true if the parent element may modify its properties.

So using :preview-teleported="true" with el-image is a more robust approach, because we cannot guarantee that the parent of el-image (besides el-table cells) won’t create another Stacking Context.

References

• Stacking Context - CSS | MDN
• Completely Understand CSS Stacking Contexts, Levels, Order, and z-index
• Deep Dive into CSS Stacking Context and Stacking Order
• Image | Element Plus
• el-image and el-table display issue

If you try searching for this article's title on a search engine, the articles you find will likely suggest using the following two APIs. I hope your search engine isn't so outdated that it's still recommending Flash-based ZeroClipboard solutions in 2025

document.execCommand

2012 brought us not only the supposed end of the world, but also IE 10. With IE 10's release on September 4th of that year, the execCommand family welcomed two new members—the copy/cut commands (this claim comes from Chrome's blog, while MDN believes IE 9 already supported it). Three years later, when Google Chrome version 42 (released April 14, 2015) added support for execCommand's copy/cut, more and more browser vendors began implementing this standard. Finally, with Safari 10 on iOS released on September 13, 2016, web developers at last obtained the first non-Flash JavaScript solution for copying to clipboard in history.

When document.execCommand's first parameter is "copy", it can copy user-selected text to the clipboard. Based on this API implementation, someone quickly developed what became the most common JavaScript implementation on the web today—first create an invisible DOM element, use JavaScript to simulate user text selection, and call execCommand('copy') to copy the text to the user's clipboard. The rough code implementation is as follows:

// From the article "Pitfalls and Complete Solution for JS Copy Text to Clipboard", with a link at the end of this article

const textArea = document.createElement("textArea");
textArea.value = val;
textArea.style.width = 0;
textArea.style.position = "fixed";
textArea.style.left = "-999px";
textArea.style.top = "10px";
textArea.setAttribute("readonly", "readonly");
document.body.appendChild(textArea);

textArea.select();
document.execCommand("copy");
document.body.removeChild(textArea);

Although this API has long been deprecated by W3C and is marked as Deprecated on MDN, it remains the most common solution in the market. While writing this article, I examined MDN's English original page on archive.org and its change history on Github. This API was first marked as Obsolete in January-February 2020, then first marked as Deprecated in January 2021, with a red background color warning developers that the API may stop working at any time. However, as of this article's publication, all commonly used browsers still maintain compatibility with this API, at least for the copy command.

This API has been widely used on so many sites that removing support for it would cause massive site failures. I believe all browser engines likely have no motivation in the short term to remove this API at the cost of losing compatibility. This means that this (seemingly bizarre) workaround of creating an invisible DOM to replace user text selection and executing execCommand to copy to the user's clipboard has left a significant mark in the history of frontend development.

Clipboard.writeText()

As native JavaScript was gradually enhanced, developers finally completed the Clipboard piece of the puzzle. On April 17, 2018, Chrome 66 took the first step; on October 23 of the same year, Firefox followed with the Clipboard API implementation. Finally, on March 24, 2020, with Apple's Safari 13.4 belatedly joining, frontend developers could finally breathe a sigh of relief, once again obtaining a copying solution that works across mainstream browsers.

So if execCommand already achieved pure JavaScript text copying to clipboard, why do we still need the Clipboard API? Or rather, what advantages does this deliberately implemented Clipboard API actually have?

1. The traditional execCommand solution typically requires creating a temporary invisible DOM, placing text, selecting text with JS, and executing the copy command. Setting aside how inelegant this hacky approach is when writing code, the operation of using JS to select text modifies the user's current text selection state, sometimes leading to decreased user experience.
2. The Clipboard API is asynchronous, meaning it won't block the main thread when copying large amounts of text.
3. The Clipboard API provides more capabilities, such as write() and read() allowing reading and writing more complex data to the clipboard, like rich text or images.
4. The Clipboard API has more modern, explicit permission controls—write operations need to be called by active user actions, while read operations require users to explicitly grant permission in the browser UI. These permission controls give users greater control, so when execCommand exits the historical stage, web security will be further improved.

However, at the current stage, Clipboard.writeText() may not solve all problems. Setting aside old browser compatibility issues, navigator.clipboard is only available on pages accessed via HTTPS (or localhost). If your project is deployed on a LAN and you try to access it directly via 192.18.1.x IP + port, then navigator.clipboard will be in an undefined state.

Additionally, Android native WebView has the problem of not being able to use the Clipboard API because the Permissions API isn't implemented.

For these reasons, many websites now prioritize trying to use navigator.clipboard.writeText(), then fall back to using execCommand('copy') if that fails. The rough code implementation is as follows:

// From the article "Pitfalls and Complete Solution for JS Copy Text to Clipboard", with a link at the end of this article

const copyText = async val => {
  if (navigator.clipboard && navigator.permissions) {
    await navigator.clipboard.writeText(val);
  } else {
    const textArea = document.createElement("textArea");
    textArea.value = val;
    textArea.style.width = 0;
    textArea.style.position = "fixed";
    textArea.style.left = "-999px";
    textArea.style.top = "10px";
    textArea.setAttribute("readonly", "readonly");
    document.body.appendChild(textArea);

    textArea.select();
    document.execCommand("copy");
    document.body.removeChild(textArea);
  }
};

Flash Solution (ZeroClipboard)

Actually, the two APIs above pretty much cover the fundamental principles, but while researching, I discovered that before the execCommand solution, the frontend mostly relied on Flash to implement copying text to clipboard. How could I not mention this?

Currently, the oldest tag that can be found in the ZeroClipboard Github repository is v1.0.7, released on June 9, 2012. I bet this project wasn't the first to implement copying text to clipboard through Flash. Someone must have implemented this functionality using Flash before, just not open-sourced as a separate library.

ZeroClipboard worked by creating a transparent Flash Movie overlaying the trigger button. When users clicked the button, they actually clicked on the Flash Movie. JavaScript then communicated with the Flash Movie through ExternalInterface, passing the text to be copied to Flash, which then wrote the text to the user's clipboard via Flash's API.

In that era's context, this was the only solution that could implement cross-browser text copying to clipboard (although not every computer had Flash installed, and iOS didn't support Flash). The 6.6k star Github repository witnessed that chaotic era when each browser held onto its own private APIs, ultimately falling along with Flash as the execCommand solution rose.

Other Imperfect Solutions

window.clipboardData.setData

This API was mainly used around 2000-2010 and only worked in IE browsers. Firefox didn't support pure JavaScript copying to browser during this period; Chrome's first version wasn't released until 2008 and hadn't yet become mainstream.

window.clipboardData.setData("Text", text2copy);

Giving Up (prompt)

Call a prompt popup to let users copy themselves.

prompt('Press Ctrl + C, then Enter to copy to clipboard','copy me')

Third-Party Library Wrappers

Since the execCommand solution is too abstract and not elegant enough, we have some ready-made third-party libraries that wrap the clipboard copying code.

clipboard.js

clipboard.js is the most renowned third-party library, with 34.1k stars on Github as of this article's completion. The earliest tag version was released on October 28, 2015, one month after Firefox supported execCommand and all three major PC browsers achieved full compatibility.

clipboard.js only uses execCommand to implement clipboard copying. The project owner expects developers to use ClipboardJS.isSupported() to determine whether the user's browser supports the execCommand solution, and arrange success/failure actions based on the command execution's return value.

However, what I find strange is that clipboard.js requires developers to pass a DOM selector (or HTML element/element list) when instantiating. It must have an actual HTML element to set event listeners to trigger the copy operation, rather than providing a JavaScript function for developers to call—although this isn't a limitation from execCommand. Example as follows:

<!-- Target -->
<input id="foo" value="text2copy" />

<!-- Trigger -->
<button class="btn" data-clipboard-target="#foo"></button>

<script>
	new ClipboardJS('.btn');
</script>

Yes, just one line of JavaScript can add listeners to all DOMs with the btn class. Perhaps this is why this repository got 34.1k stars. In 2015, when most people were still writing frontends with vanilla HTML/CSS/JS, clipboard.js could reduce code volume without requiring developers to set up listeners themselves.

clipboard.js also provides many advanced options to meet different developers' needs, such as allowing you to pass a function to get the text you need users to copy, or use Event listeners to provide feedback on whether copying succeeded. In short, the flexibility is sufficient.

copy-to-clipboard

Another third-party library using execCommand, though with only 1.3k stars. The first tag version was released on May 24, 2015, even earlier than clipboard.js. Compared to clipboard.js, copy-to-clipboard doesn't depend on HTML elements and can be called directly in JavaScript, which I personally prefer. In modern frontend frameworks like Vue/React, we generally don't directly manipulate the DOM, so clipboard.js isn't very suitable, but this copy-to-clipboard works well. Additionally, besides the execCommand solution, copy-to-clipboard specifically adapts the window.clipboardData.setData solution for older IE browsers, and calls a prompt window to let users copy manually as a final fallback when both fail.

Example as follows:

import copy from 'copy-to-clipboard';

copy('Text');

Compared to clipboard.js, the usage approach is more intuitive, but unfortunately it was born at the wrong time and isn't as famous as clipboard.js (naming might also be a factor).

VueUse - useClipboard

VueUse's implementation of useClipboard is the one I'm most satisfied with. useClipboard fully considers browser compatibility, prioritizing navigator.clipboard.writeText() when conditions for using navigator.clipboard are met, then falling back to execCommand-implemented legacyCopy when navigator.clipboard isn't supported or navigator.clipboard.writeText() fails. It also leverages Vue3's Composables to implement a copied variable that automatically resets to its initial state after 1.5 seconds, which is quite thoughtful.

const { text, copy, copied, isSupported } = useClipboard({ source })
</script>

<template>
  <div v-if="isSupported">
    <button @click="copy(source)">
      <!-- by default, `copied` will be reset in 1.5s -->
      <span v-if="!copied">Copy</span>
      <span v-else>Copied!</span>
    </button>
    <p>Current copied: <code>{{ text || 'none' }}</code></p>
  </div>
  <p v-else>
    Your browser does not support Clipboard API
  </p>
</template>

React-Related Ecosystem

Unlike Vue's VueUse dominating the scene, React has many available hooks libraries, so let's go through them all.

react-use - useCopyToClipboard

react-use is the largest React Hooks library I could find, with 42.9k stars. The copying solution directly depends on copy-to-clipboard mentioned above, which is the execCommand solution.

const Demo = () => {
  const [text, setText] = React.useState('');
  const [state, copyToClipboard] = useCopyToClipboard();

  return (
    <div>
      <input value={text} onChange={e => setText(e.target.value)} />
      <button type="button" onClick={() => copyToClipboard(text)}>copy text</button>
      {state.error
        ? <p>Unable to copy value: {state.error.message}</p>
        : state.value && <p>Copied {state.value}</p>}
    </div>
  )
}

Ant Design - Typography

ahooks was the first React hooks library mentioned to me. It's maintained by the Ant Design team. However, it doesn't have clipboard encapsulation in the repository, so I looked into Ant Design's Typography implementation of copying capability. Like react-use above, it directly uses copy-to-clipboard, which is the execCommand solution.

usehooks - useCopyToClipboard

I learned about this library from an LLM, and it now has 10.5k stars. What's quite absurd is that all its logic code is implemented in a single file called index.js, which is truly baffling. It first attempts to write using navigator.clipboard.writeText(), then switches to the execCommand solution if that fails. The hooks usage is similar to react-use above.

usehooks-ts - useCopyToClipboard

I wonder if this library was created to solve the lack of TypeScript support in the above one. It only uses navigator.clipboard.writeText() to attempt writing to the clipboard, and directly logs a console.warn error if it fails, with no fallback solution.

Conclusion

From a results perspective, VueUse's encapsulation is undoubtedly the most satisfying to me. It prioritizes trying the best-performing Clipboard API, then falls back to execCommand, while providing multiple reactive variables to assist development, but doesn't presumptuously use prompt as a guarantee, maximizing the operational space left to developers.

Looking back from the vantage point of 2025, the evolution trajectory of frontend clipboard operation technology is clearly visible: from early fragile Flash-dependent solutions, to execCommand's workaround, and finally moving toward the elegant implementation of standardized Clipboard API. This journey is not only a microcosm of technological iteration, but also reflects the unique "art of compromise" in frontend development.

For a long time to come, we may still be finding balance between "elegant implementation" and "backward compatibility," dancing ballet in shackles within the browser sandbox. But those temporary solutions born for compatibility will eventually become precious footnotes witnessing the evolution of frontend history.

References

• Pitfalls and Complete Solution for JS Copy Text to Clipboard
• ZeroClipboard Study Notes | Jiongks
• Cut and copy commands | Blog | Chrome for Developers
• execCommand method (Internet Explorer) | Microsoft Learn
• sudodoki/copy-to-clipboard
• zenorocha/clipboard.js
• useClipboard | VueUse
• Side-effects / useCopyToClipboard - Docs ⋅ Storybook
• document.execCommand - Web API | MDN
• Clipboard.writeText() - Web API | MDN
• Onclick Select All and Copy to Clipboard? - JavaScript - SitePoint Forums | Web Development & Design Community
• How would I implement 'copy url to clipboard' from a link or button using javascript or dojo without flash - Stack Overflow

Thus, this article was born. We can use Caddy (Nginx works too, of course) on our local machine to reverse proxy an APT mirror site, establish port forwarding through an SSH tunnel, allowing the internal network server to access the local Caddy server and thereby reach the external mirror site.

Prerequisites

• Your control machine (your own computer) can directly connect to the computer via SSH (possibly using some network tools), rather than first logging into a jump host via SSH and then logging into the target server from there. The latter situation can certainly achieve our goal using similar methods, but would be more complex.
• Your control machine (your own computer) can connect to public mirror sites while connected to the internal network server (if not, you might want to sync a local mirror in advance to create an offline mirror site).

Reverse Proxying the Mirror Site

I chose Caddy over Nginx here - on one hand, Caddy's configuration files are simpler to write, and on the other hand, Caddy is written in Golang, so it's a single binary that works everywhere, and Windows can directly download and run it.

Using the most common Tsinghua TUNA mirror site as an example, a simple Caddy configuration file looks like this:

:8080 {
    reverse_proxy https://mirrors.tuna.tsinghua.edu.cn {
        header_up Host {http.reverse_proxy.upstream.hostport}
    }
}

Save the above code as a file named Caddyfile, then run it using the caddy command in the saved path:

caddy run --config ./Caddyfile

If there are no errors, you should be able to see the Tsinghua mirror site on your local port 8080:

You may notice that the reverse proxied page differs slightly from Tsinghua's mirror site - it doesn't have Tsinghua's logo. This is probably because the page's JavaScript checks the host, and if it's not Tsinghua or BFSU's page, it won't add the school name. But this doesn't affect our ability to fetch updates from these mirror sites.

Establishing the SSH Tunnel

To establish the tunnel, use the following command:

ssh -R 8085:localhost:8080 root@remote.example.com

The -R flag indicates establishing a reverse tunnel. For other parameter options, you can refer to this blog post "SSH Tunneling Techniques", also written by a Jinghong senior.

At this point, we've established SSH port forwarding from the internal network server's port 8085 to our local machine's port 8080. (I used port 8085 to distinguish it from port 8080; in practice, you can use any available port)

We can test whether we can access it normally on the server using curl. Here I simply accessed a README file in the Debian source root directory:

curl http://localhost:8085/debian/README

Changing Sources

So now we have a reverse proxy of the Tsinghua open source mirror site on the internal network server's port 8085, and we can access all content in the mirror site through port 8085.

First, follow the instructions from Tsinghua Open Source Mirror Site to change sources. Remember to check "Force security updates to use mirror".

Then, we replace all instances of https://mirrors.tuna.tsinghua.edu.cn in the sources with http://localhost:8085:

sed -i 's|https\?://mirrors\.tuna\.tsinghua\.edu\.cn|http://localhost:8085|g' `grep -rlE 'http(s)?://mirrors\.tuna\.tsinghua\.edu\.cn' /etc/apt/`

As you can see, we've successfully implemented APT updates and software installation on the internal network server through an SSH tunnel.

Friendly reminder: SSH tunnels were frequently used in the early 2010s to establish cross-border access, but quickly faded from the scene due to their distinctive traffic characteristics. Therefore, don't use SSH for large amounts of cross-border network transmission, as it's easy to get blocked.

Of course, there are many ways to achieve this goal. Other tools like frp can achieve the same effect, but the SSH tunnel solution can be started and stopped on demand without additional configuration, which is why I primarily recommend it.

Not long ago, I spotted the Cudy TR3000 router I'd been eyeing for a while at a discount price of ¥153 on JD.com. While it wasn't quite the all-time low of ¥130 (or even ¥110 with bundled deals), it was within my acceptable range. So I immediately ordered this Cudy TR3000 mini router I'd been longing for, to help ease my pre-semester anxiety (a mental condition).

This router is powered by Type-C and features one 2.5Gbps WAN port and one 1Gbps LAN port. Additionally, it has a USB port that can be used for printer sharing, mounting external storage, Android phone USB network sharing, and various other purposes. What really attracted me was its compact size, making it perfect for business trips, travel, short-term rentals, and similar scenarios. Considering I might need to rent a place for an upcoming internship, I seized this opportunity to order it.

The official firmware is a customized version of OpenWRT with limited functionality, so I decided to flash the original OpenWRT system to increase its capabilities. On the Enshan wireless forum, I found that someone had already compiled an OpenWRT system based on Linux kernel 6.6. This meets the kernel version requirement (>= 5.17) for dae's Bind to LAN feature, and the 512MB memory size just reaches the recommended minimum. So I definitely had to give dae a try. If successful, this would be my first hardware router running dae.

Starting the Flashing Process

The router's official system management interface is at 192.168.10.1. On first access, you'll be asked to set a password, then just click through the initialization process to reach the main page. My unit has firmware version 2.3.2-20241226. I'm not sure if later versions can still use this method.

Transition Firmware

First, we need to flash the so-called "transition firmware". The purpose of flashing transition firmware is that it can be recognized by the official system's upgrade program, allowing us to proceed with subsequent operations.

The transition firmware filename and MD5 hash:

b8333d8eebd067fcb43bec855ac22364  cudy_tr3000-v1-sysupgrade.bin

Then we can find the firmware upgrade section in the basic settings of the router's management page, and select the transition firmware to upload and update in the local update section.

Flash Firmware to Unlock FIP Partition Write Permission

After flashing the transition firmware, wait about one minute for the router's DHCP to restart, and we can access the transition firmware's management page at 192.168.1.1.

There's no password on first login - you can enter anything to log in successfully. Considering we might need to restore factory settings later, it's recommended to back up the FIP partition at this step.

This time we need to flash the following LEDE firmware to unlock FIP partition write permission. The filename and MD5 are provided below:

4af5129368cbf0d556061f682b1614f2  openwrt-mediatek-filogic-cudy_tr3000-v1-squashfs-sysupgrade.bin

Select flash firmware below, upload the firmware we need to flash, and proceed.

Flash U-Boot

After waiting about another minute for the computer to reconnect to the router, we can access this firmware with unlocked FIP partition write permission. The default password is password.

Select File Transfer in the sidebar and upload the U-Boot to be flashed. The filename and MD5 are below. Note: Extract the zip file first

e5ff31bac07108b6ac6cd63189b4d113  dhcp-mt7981_cudy_tr3000-fip-fixed-parts-multi-layout.bin

Then access the TTYD terminal from the sidebar, enter the default username/password root / password, and execute the command to flash U-Boot:

mtd write /tmp/upload/dhcp-mt7981_cudy_tr3000-fip-fixed-parts-multi-layout.bin FIP

Flash Self-Compiled ImmortalWRT

After flashing U-Boot, power off the router. Ensure the ethernet cable connects the computer to the router's LAN port, then press and hold the reset button while plugging in the power. Hold until the white light blinks four times and turns red, then release the reset button to enter U-Boot.

I compiled a 112m layout, so I need to select the mod-112m MTD layout before uploading and flashing the firmware.

8c9a44f29c8c5a0617e61d49bf8ad45d  112m-immortalwrt-cudy_tr3000-ebpf_by_zhullyb_20250325-squashfs-sysupgrade.bin

Wait again for the computer to reconnect to the router. This is the final system with daed support. Again, there's no default password - just enter anything to access. After connecting to the network, go to System - Software Packages page and update the package list.

Then you can install dae/daed related software. Choose luci-i18n-dae-zh-cn or luci-i18n-daed-zh-cn based on your needs. Other packages will be installed as dependencies. I installed daed here.

After installation, refresh the page and you'll see daed in the Services section of the top bar.

Daed runs normally and can fully utilize my home's 300Mbps downstream bandwidth (single-thread actual test: 250Mbps). CPU usage graph at peak speed is shown below.

Files Mentioned in This Article

https://www.123684.com/s/gfprVv-wEQ8d

https://www.123912.com/s/gfprVv-wEQ8d

References

• Cudy TR3000 Flashing Tutorial Guide
• Using ImmortalWrt+Dae to Configure Transparent Proxy for Windows
• Cudy TR3000 v1 Chinese Three-Partition DHCP U-Boot Second Edition
• Booting Mainline OpenWrt Firmware Using hanwckf/bl-mt798x
• QiuSimons/luci-app-daed