Zhipeng "Zippo" He - 何志鹏

Code is Cheap. Show me the Prompts

2025-06-26T17:26:00+10:00

The New Currency of Development

I spent three hours last week debugging a GitHub Actions workflow that kept failing silently. You know the drill—digging through YAML syntax, checking environment variables, cursing at indentation. Then I tried something different: I pasted the broken workflow into Claude Code and said “This GitHub Action isn’t working, fix the deployment script and explain what was wrong.” Two minutes later, I had a working solution and learned that my Docker context was misconfigured.

Linus Torvalds' famous quote gets an AI makeover: "Code is cheap. Show me the prompts."

The phrase “code is cheap” has never been more accurate, but there’s a twist: the real value now lies in knowing how to communicate with AI. As AI becomes increasingly sophisticated, the bottleneck is no longer writing code—it’s crafting the right prompts to get AI to write it for you.

This isn’t just about faster development—it’s about fundamentally different skills. The developers who are thriving now aren’t necessarily the ones who can write the most elegant algorithms or memorize framework APIs. They’re the ones who can break down complex problems into clear, specific instructions that AI can understand and execute. It’s like being a really good technical writer, except your audience is a machine that can code better than most humans but needs explicit guidance on what to build.

Core Prompting Skills

Learning to work with AI isn’t rocket science, but it does require unlearning some bad habits. Most developers are used to diving straight into implementation details. With AI, you need to step back and think like a project manager first—define the what, why, and how before asking for code.

Context is everything. The difference between “create a login form” and “create a login form for this Next.js TypeScript project using our existing shadcn/ui components, integrate with our Supabase auth, and match the design system in components/ui/” is the difference between generic boilerplate and code that actually fits your project. I learned this the hard way after getting beautiful React components that used completely different styling libraries than the rest of my app.

Specificity saves time. Vague requests lead to back-and-forth iterations that could have been avoided. Instead of “make this faster”, try “optimize this database query that’s taking 3+ seconds on tables with 100k+ rows, focus on indexing and avoiding N+1 queries.” The AI can’t read your mind, but it can work miracles when you’re explicit about constraints, performance requirements, and edge cases you’re worried about.

Think in steps, not solutions. When tackling complex problems, resist the urge to ask for everything at once. Break it down: “First, analyze this messy legacy code and identify the main architectural issues. Then suggest three refactoring approaches with pros and cons. Finally, implement the safest approach with proper error handling and tests.” This step-by-step approach not only gets better results but also helps you understand the AI’s reasoning process.

Ask for the plan before the code. Before diving into implementation, get the AI to think through the architecture first. Try “Plan out how to add real-time notifications to this app - what components need to change, what new APIs are required, and how should we handle state management?” Once you approve the approach, then ask for the actual code. This prevents those moments where you realize the AI built something elegant but completely wrong for your use case.

Prompt Templates That Actually Work

After months of trial and error, I’ve collected a set of prompt patterns that consistently produce good results. Think of these as your starter templates—modify them for your specific context, but the structure works across different tools and scenarios.

Architecture Decisions

“Design a [system/component] for [specific use case] that needs to handle [requirements like scale, performance, security]. Current tech stack is [languages/frameworks]. Consider [specific constraints like budget, timeline, team skills]. Provide 2-3 approaches with trade-offs and recommend the best option with reasoning.”

This template works because it forces you to define the problem scope, constraints, and decision criteria upfront. I used this recently for designing a caching layer and got three solid approaches I hadn’t considered, complete with implementation complexity analysis.

Code Review

“Review this [language] code for [specific concerns like security vulnerabilities, performance bottlenecks, maintainability issues]. Focus on [areas of concern]. For each issue found, provide the problematic code snippet, explain why it’s problematic, and show the improved version with explanation.”

The key here is being specific about what you’re worried about. Generic “review this code” gets generic feedback. But asking for security review of authentication logic gets you detailed analysis of timing attacks, input validation, and session management issues you might miss.

Refactoring

“Modernize this [legacy technology/old pattern] code to use [new framework/modern patterns]. Maintain the same functionality and API contracts. Improve [specific aspects like type safety, error handling, performance]. Show the transformation step-by-step and explain each change.”

I am using this template to migrate my Jekyll blog components to Next.js, converting Liquid templates to JSX components while preserving the same styling and functionality. The “step-by-step” part is crucial—it helps you understand the changes and makes the refactoring easier to review and test.

Test Generation

“Generate comprehensive tests for this [component/function/API] covering happy path, edge cases, and error conditions. Use [testing framework like Jest, pytest, RSpec]. Include setup/teardown code, mock external dependencies, and test for [specific scenarios like race conditions, invalid inputs, network failures]. Aim for [coverage percentage] code coverage.”

This template has saved me countless hours of thinking through test scenarios. I recently used it for testing a payment processing function and got tests for edge cases I’d never considered—like what happens when the payment gateway returns a success response but the database write fails.

Debugging/Troubleshooting

“This [language/framework] code is throwing [specific error]. Here’s the error message: [paste error]. Here’s the relevant code: [paste code]. Help me identify the root cause and provide a fix with explanation of why this happened.”

The magic is in providing both the error message and the actual code. I’ve wasted too many hours getting generic debugging advice because I only shared the error message. When you include the problematic code, AI can spot issues like variable scope problems or async/await misuse that the error message doesn’t make obvious.

Performance Optimization

“This [function/query/component] is performing slowly under [specific conditions]. Current performance is [metrics]. Analyze the bottlenecks and suggest optimizations. Focus on [specific areas like database queries, memory usage, rendering].”

Including actual performance metrics makes all the difference. Instead of getting generic advice like “use indexes,” you get targeted solutions. When I mentioned my ML model inference was taking 800ms per request, I got specific suggestions about batch processing and model quantization that cut the response time to under 200ms.

Documentation Generation

“Generate comprehensive documentation for this [codebase/module/API]. Include overview, installation steps, usage examples, API reference, and common troubleshooting. Target audience is [developers/end-users]. Follow [documentation style like JSDoc, Sphinx].”

This template works because it defines the scope and audience upfront. Documentation for end-users is completely different from developer docs. I’ve used this to generate API documentation that was actually usable, not just a wall of technical jargon.

API Integration

“Help me integrate with [API name] to [specific goal]. I need to [specific actions like authenticate, fetch data, handle webhooks]. Handle rate limiting, error responses, and provide proper TypeScript types. Use [HTTP library].”

The key is being explicit about error handling and types. Generic API integration examples rarely handle real-world issues like rate limiting or webhook verification. This template gets you production-ready code that won’t break when the API returns unexpected responses.

The Shift is Real

Code is getting cheaper to produce, but knowing how to communicate with AI is becoming more valuable. Master the prompting skills, try the templates, and see what works for your workflow. The tools will keep evolving, but the fundamentals of clear communication with AI will remain.

Start small, be specific, and remember: the best prompt is the one that gets you exactly what you need.

Bypassing Image Anti-Hotlinking with Nginx Reverse Proxy

2025-06-15T16:04:00+10:00

15 JUNE PM 04:04

⚠️ Usage Warning

This technique should only be used for legitimate aggregation of publicly available RSS content. Do not use it for bypassing paywalls, accessing private content, or commercial redistribution.

When setting up my Glance dashboard to display feeds from various content platforms, I ran into a frustrating problem: images weren’t loading. Instead of the expected thumbnails and cover images that make a dashboard visually engaging, I was seeing broken image placeholders scattered throughout my feeds.

The Problem

Opening the browser’s developer console revealed the culprit immediately. Error messages like this were appearing repeatedly:

GET https://cdn.example.com/images/photo.jpg 403 (Forbidden)
Failed to load resource: the server responded with a status of 403 (Forbidden)

These 403 Forbidden errors were blocking external images from RSS feeds, yet the same URLs worked when opened directly in the browser. The image servers’ referrer policy of strict-origin-when-cross-origin was causing them to reject requests coming from my domain, triggering anti-hotlinking protection.

Understanding the Root Cause

The problem stemmed from how content platforms protect their images from unauthorized use. Most platforms implement anti-hotlinking protection by checking the Referer header in image requests. Here’s what was happening:

Referrer checking: When my dashboard requested an image, the CDN server would examine the Referer header.
Domain mismatch: Since requests came from my dashboard’s domain rather than the platform’s own website, the server treated them as unauthorized.
Inconsistent blocking: Different CDN subdomains had varying levels of protection, explaining why some images loaded while others didn’t.

This was particularly maddening because the same images would load perfectly when I opened them directly in a new browser tab, but they’d fail when embedded in my dashboard. The RSS feeds themselves parsed correctly with all the text content intact, but without the visual elements, my dashboard looked broken.

Cloudflare Workers: From Perfect Solution to Dead End

My first instinct was to reach for Cloudflare Workers—it used to be the perfect solution for this kind of proxy problem. I could write a simple function to intercept image requests, fetch them with the proper headers, and return them with CORS headers enabled. The edge computing model would even provide great performance with global distribution.

However, when I checked Cloudflare’s current Terms of Service (last updated December 3, 2024), I discovered a clause in section 2.2.1 that stopped me in my tracks:

“(j) use the Services to provide a virtual private network or other similar proxy services.”

This restriction effectively rules out using Workers for image proxying, as it would fall under “similar proxy services.” While this clause may have existed before, Cloudflare has been increasingly strict about enforcing it.

The risk simply wasn’t worth it. Getting my account suspended would affect not just this dashboard project, but potentially other services I was running on the Cloudflare. I needed a solution that was both effective and compliant with current service terms.

Self-Hosted Nginx Reverse Proxy: The Solution

Since I was already running Glance on my own VPS, I decided to implement a reverse proxy using Nginx on the same server. This approach would give me complete control while avoiding any third-party terms of service violations. The beauty of this solution is that it uses my existing infrastructure without requiring additional hosting costs.

Setting Up Server-Side Caching

I added a server-side cache to the Nginx configuration to improve performance and reduce load on the external CDNs. This cache stores images for 14 days (336 hours), ensuring that frequently viewed images load instantly on subsequent visits.

# /etc/nginx/nginx.conf
http {
    ##
    # Cache Settings
    ##
    proxy_cache_path /var/cache/nginx/images
                     levels=1:2
                     keys_zone=images:10m
                     max_size=1g
                     inactive=336h
                     use_temp_path=off;

    # ... rest of http config
    include /etc/nginx/sites-enabled/*;
}

Configuring the Image Proxy

Then I configured the image proxy in my site configuration. The key insight was using dynamic DNS resolution to handle multiple CDN providers through a single proxy path. Here’s the configuration I added to my existing server block:

# /etc/nginx/sites-available/dashboard.example.com
server {
    server_name dashboard.example.com;

    # DNS resolver for dynamic proxy
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    # Existing Glance application
    location / {
        proxy_pass http://localhost:8080;
        # ... existing headers
    }

    # Image proxy for external CDNs
    location ~ ^/img-proxy/([^/]+)/(.*)$ {
        set $backend_host $1;
        set $backend_path $2;

        # Enable proxy caching
        proxy_cache images;
        proxy_cache_valid 200 336h;
        proxy_cache_key "$backend_host$backend_path";
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        # Proxy to external CDN
        proxy_pass https://$backend_host/$backend_path;

        # Essential headers for bypassing anti-hotlinking
        proxy_set_header Referer "https://$backend_host/";
        proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
        proxy_set_header Host $backend_host;

        # SSL configuration
        proxy_ssl_verify off;
        proxy_ssl_server_name on;

        # Add CORS and cache headers
        add_header Access-Control-Allow-Origin "*" always;
        add_header Cache-Control "public, max-age=1209600" always;
        add_header X-Cache-Status $upstream_cache_status always;

        # Basic protection against abuse
        valid_referers none blocked dashboard.example.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # ... existing SSL configuration
}

The magic happens in the regex location block. By capturing the hostname and path in separate variables, I could support any external CDN domain through my proxy. The URL transformation is clean:

Original:  https://cdn.platform.com/images/photo.jpg
Proxied:   https://dashboard.example.com/img-proxy/cdn.platform.com/images/photo.jpg

After setting up the configuration, I created the cache directory:

sudo mkdir -p /var/cache/nginx/images
sudo chown -R www-data:www-data /var/cache/nginx/images
sudo chmod -R 755 /var/cache/nginx/images
sudo nginx -t && sudo systemctl reload nginx

Automating Image URL Conversion

With the Nginx proxy in place, I needed a way to automatically convert external image URLs in my Glance dashboard. Rather than manually updating every RSS feed configuration, I wrote a client-side script that would handle the conversion transparently.

I added this JavaScript to my Glance configuration as a custom .js file:

(function () {
  // CDN domains that commonly implement anti-hotlinking
  const BLOCKED_DOMAINS = ["cdn.example.com", "images.platform.com", "static.service.net"];

  function convertExternalImages() {
    const selector = BLOCKED_DOMAINS.map((domain) => `img[src*="${domain}"]:not([data-converted])`).join(",");

    document.querySelectorAll(selector).forEach((img) => {
      try {
        const originalSrc = img.src;
        const proxySrc = originalSrc.replace(/https?:\/\/([^/]+)\//g, "/img-proxy/$1/");

        img.src = proxySrc;
        img.setAttribute("data-converted", "true");
        console.log("Converting:", originalSrc, "→", proxySrc);
      } catch (error) {
        console.error("Failed to convert image:", error);
      }
    });
  }

  if (document.readyState !== "loading") {
    convertExternalImages();
  } else {
    document.addEventListener("DOMContentLoaded", convertExternalImages);
  }

  // Check for new images every 3 seconds
  setInterval(convertExternalImages, 3000);
})();

The script maintains a list of problematic CDN domains and only processes images from those sources. When it detects a blocked image, it uses regex to rebuild the URL to route through my proxy. This focused approach avoids wasting resources on images that already load fine.

Results and Testing

After implementing both components, I tested the setup:

// Test in browser console
fetch("/img-proxy/cdn.platform.com/images/test.jpg")
  .then((response) => console.log("Status:", response.status, response.statusText))
  .catch((error) => console.error("Error:", error));

The test returned Status: 200 OK, confirming the proxy was working correctly with proper CORS headers.

With the proxy confirmed working, the dashboard transformation was impressive. Images that had been broken placeholders now loaded correctly throughout my feeds. RSS content became visually rich with thumbnails and cover images that made the dashboard much more engaging.

The JavaScript automatically converts problematic image URLs as new RSS content loads. When fresh content appears, any images from blocked domains are quickly converted to use the proxy route. The 14-day cache configuration means once an image loads through the proxy, subsequent views are instant.

Verifying Cache Performance

To verify that the caching was working as intended, I checked the Nginx cache directory:

# Count cached files
sudo find /var/cache/nginx/images -type f | wc -l

# Check cache size
sudo du -sh /var/cache/nginx/images

The cache was working as intended, with files being created and deleted as expected.

Responsible Usage

This solution requires thoughtful implementation to respect both technical constraints and content platforms. The 14-day caching configuration significantly reduces load on source CDNs—an image that might be viewed dozens of times only generates a single upstream request.

The referrer validation prevents unauthorized access. The valid_referers directive restricts proxy usage to requests originating from my dashboard domain, ensuring it can’t be exploited as an open relay by external users.

When implementing similar solutions, consider the scope and purpose of your usage to maintain ethical standards and avoid potential service violations.

Jekyll LiveReload vs WebSocket Secure: A Protocol Compatibility Issue

2025-06-12T02:37:38+10:00

The Problem

I have to disable "Allow access to container domains & IPs" in OrbStack to make LiveReload work for Jekyll.

I recently switched from Docker Desktop to OrbStack because of its better performance and native macOS integration. One of OrbStack’s convenient features is automatic domain name assignment for containers. Instead of remembering port numbers, containers get clean URLs like https://container-name.orb.local with automatic HTTPS certificates. This makes accessing development services much more elegant than dealing with localhost:3000, localhost:4000, etc.

However, when I maintain my Jekyll-based website in a container, this convenient feature introduced an unexpected issue with LiveReload that took some detective work to understand.

When I try to use the OrbStack generated domain name https://jekyll.zhipenghegithubio.orb.local/ to access my Jekyll site, LiveReload crashes immediately with the following error:

jekyll-1  | LiveReload experienced an error. Run with --trace for more information.
jekyll-1  | /usr/local/bundle/gems/jekyll-4.4.1/lib/jekyll/commands/serve/websockets.rb:44:in 'HTTP::Parser#<<': Could not parse data entirely (0 != 247) (HTTP::Parser::Error)
jekyll-1  | 	from /usr/local/bundle/gems/jekyll-4.4.1/lib/jekyll/commands/serve/websockets.rb:44:in 'Jekyll::Commands::Serve::HttpAwareConnection#dispatch'
jekyll-1  | 	from /usr/local/bundle/gems/em-websocket-0.5.3/lib/em-websocket/connection.rb:79:in 'EventMachine::WebSocket::Connection#receive_data'
jekyll-1  | 	from /usr/local/bundle/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in 'EventMachine.run_machine'
jekyll-1  | 	from /usr/local/bundle/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in 'EventMachine.run'
jekyll-1  | 	from /usr/local/bundle/gems/jekyll-4.4.1/lib/jekyll/commands/serve/live_reload_reactor.rb:42:in 'block in Jekyll::Commands::Serve::LiveReloadReactor#start'

If revisiting the page, it will show 502 Bad Gateway error and OrbStack proxy error: dial tcp 192.168.97.2:8080: connect: connection refused.

The WebSocket parsing error doesn’t just break LiveReload—it crashes the entire Jekyll server. This means the site becomes completely inaccessible until the container is restarted. Here’s what I discovered after systematically testing different configurations.

Testing with Another WebSocket Application

Facing this crash, I needed to understand what was causing it. Was this an issue with OrbStack’s reverse proxy, Jekyll’s implementation, or something else entirely? To isolate the problem, I decided to test whether other WebSocket applications had the same issue in the identical setup.

docker run -p 8080:8080 jmalloc/echo-server

I then tested both access methods:

Direct access: http://localhost:8080/.ws
OrbStack domain: https://condescending_solomon.orb.local/.ws (The container name condescending_solomon is automatically generated)

Result: Both worked perfectly! The WebSocket echo server had no problems connecting and echoing messages through either direct access or OrbStack’s domain routing.

Looking at the browser’s network tab revealed the difference in WebSocket connection types:

Direct: ws://localhost:8080/ (plain WebSocket)
OrbStack: wss://condescending_solomon.orb.local/ (WebSocket Secure)

Both WebSocket connections established successfully and functioned normally. The echo server handled both WS and WSS connections gracefully. This proved that OrbStack’s reverse proxy handles WebSockets correctly - the issue was specific to Jekyll, not OrbStack.

The Real Issue: Jekyll’s WebSocket Limitation

With OrbStack ruled out as the culprit, I investigated Jekyll-specific WebSocket issues and found this isn’t an isolated problem. Jekyll GitHub issue #9495 documents the exact same error occurring when Jekyll runs behind reverse proxies like Caddy.

The issue report contains a crucial finding from direct testing of Jekyll’s WebSocket behavior:

Plain WebSocket (ws://) connections work fine
Secure WebSocket (wss://) connections crash Jekyll

The report explains: “The Jekyll LiveReload barfs when it receives the encrypted data, because it can’t parse it.” Most importantly, the investigation proved this was caused by a specific Jekyll change: “I can confirm that [reverting PR #8718] fixes this issue; LiveReload works as expected even over reverse-proxied HTTPS URLs.” This definitively links the problem to Jekyll 4.3.2’s protocol detection change.

Understanding Jekyll’s Change in PR #8718

The issue stems from a change in Jekyll 4.3.2 (PR #8718) that modified how LiveReload script injection works.

Before Jekyll 4.3.2:

Jekyll always used hardcoded http:// for LiveReload connections
Even HTTPS pages made plain WebSocket (ws://) connections to LiveReload
This worked fine with reverse proxies

After Jekyll 4.3.2:

Jekyll switched to using location.protocol to dynamically detect the page protocol
HTTPS pages now attempt WebSocket Secure (wss://) connections to LiveReload
This breaks Jekyll’s WebSocket server

Here is the diff of the change in the PR #8718:


diff --git a/lib/jekyll/commands/serve/servlet.rb b/lib/jekyll/commands/serve/servlet.rb
index 2544616adf3..cee9c663a8a 100644
--- a/lib/jekyll/commands/serve/servlet.rb
+++ b/lib/jekyll/commands/serve/servlet.rb
@@ -101,7 +101,7 @@ def template
           @template ||= ERB.new(<<~TEMPLATE)