Panquake Me gives you a simpler URL for sharing

https://pnqk.me

This project is brought to you by the team building Panquake.com and is an example of the strong ethical design and high-quality standard we bring to the software development process. It is released as Free and Open-Source Software (FOSS) in the interest of the public good. We welcome community contributions, bug reports, and security research. Please see SECURITY.md for more information.

What is Panquake Me?

Sharing Pnqk.me links helps to protect you, your family, your friends, your communities and/or your audience from having your personal data captured and exploited.

Panquake Me is a link shortener with the added benefit of cleaning your links of any marketing or ad tracking cookies which are commonly used to permanently associate the browsing activities of people sharing links on the internet with the activities of the people who then click on those links.

This data — known as "social network analysis data" or "social graph data" — can then be used in ways which you will never wholly know about and can therefore never really consent to. It is frequently packaged and sold, often to big data companies, other social networks or corporations across a wide range of industries, or even to governments and intelligence agencies.

Additionally, Pnqk.me archives the original source content, solving the issue of "link rot". If the original source disappears or the link breaks, your Panquake Me link will still work!

---

App Overview

This repository contains a full-featured web application that shortens URLs via a beautiful and functional frontend UI. Pnqk.me is built upon Polr and is enhanced with additional backend services for link-checking and archiving at popular archive services. There is no recent release of Polr, so this repository incorporates the updated and well-maintained codebase here.

Panquake Me is written in PHP and the Laravel framework and uses MariaDB/MySQL as the target database system. Pnqk.me is updated to run on PHP 8.2.10 and contains a patch for the security issue CVE-2021-21276. We will continue to upgrade, patch, and extend Pnqk.me for the privacy, security, and safety of users across the Internet.

---

Privacy and Security

Panquake Me code does not track or surveil users and the developers have deliberately turned off anti-privacy settings that are standard in traditional short URL services. The implementation of this code at Pnqk.me has been penetration tested by top security experts, and does not collect any personally-identifiable information (PII) about you or anyone who clicks on Panquake Me links. When a you provide Pnqk.me with a link, the service saves the scrubbed URL, a timestamp, and a counter for the number of clicks to that URL. If you have any questions or concerns in regard to privacy, please get in touch with us at privacy@talkliberation.com.

---

URL Cleaning

We strive to contribute positively to the Internet, giving back to a global community and increasing the privacy and security of people everywhere. Before converting your long links into short links, we check and clean them to reduce tracking, spam, phishing, and the spread of malware. We believe in algorithmic transparency and do not utilize "black box" algorithms or AI/LLM in our software, publishing the rules utilized to clean Pnqk.me links in this repository. When we send links to archiving services such as the Internet Archive and Archive.today, we queue requests and try to verify that URLs resolve to a page that exists before sending.

Panquake Me URL checks:

Better Security

• Empty input and non-standard URL characters, including emoji
• Missing "http://" or "https://" prefix. We choose "https://" if no protocol prefix exists, erring on the side of better security for users.
• Proper URL format
• Mitigation for Cross-site Scripting (XSS) attacks
• Mitigation for SQL injection attacks
• Wrong URI scheme (e.g. "ftp://")

Better Privacy

• Removal of 600+ known UTM codes & URL tracking variables
• Unwrapping of other link shorteners. For example, we try to replace Twitter/X t.co links with the original URL.

Content Handling

• Detect links that already exist at https://pnqk.me
• Detect if URL resolves without error (HTTP error codes in 400-500 range). We detect if the page exists whenever possible.
• Link to original content and archive versions for Talk Liberation & Panquake.com links
• Link to original content for sites that archive poorly or that block archiving services
• Link to original content for popular multimedia sites and Web 3 or FOSS alternatives. Archiving services will not process audio and video.
• Link to original content and archive versions for state-funded news outlets ("level playing field" for 60+ countries)
• Blocklist for dodgy websites, adware, malware, and phishing domains
• Blocklist for "18+ only" content
• Strip potential profanity from short URL endings (e.g. "3-letter" or "4-letter" words)

---

Feedback & Enhancements

We welcome public feedback and are continuously building on and improving our software. If you have found a bug, please report at pnqk@talkliberation.com to help us improve Panquake Me. If you believe you have discovered a privacy or security issue, refer to SECURITY.md.

Our team has been enhancing the Pnqk.me link cleaning and archiving process based upon global contributions from community members like you. Sometimes web pages may not archive correctly or there is an issue with the link cleaning process and the URL checks we list above. Panquake Me is developed with the goals of information preservation, censorship resistance, and access to knowledge. Please contact us if there are any issues with accessing a URL you have submitted to our service.

---

Installation and Configuration

This code has been developed specifically for deployment at Pnqk.me, though we have retained general-purpose functionality and setup scripts for self-hosted installations. It contains features and assets specific to our use-case, including design elements for Panquake and Talk Liberation. See licensing information below before installing and deploying for the public.

Dependencies

• Apache, nginx, IIS, or lighttpd (Apache preferred)
• MariaDB or MySQL >= 10.0 (SQLite is possible but not recommended)
• PHP >= 8.0
• PHP composer
• Additional PHP requirements:
  • OpenSSL
  • PDO
  • PDO MySQL
  • mbstring
  • Tokenizer
  • JSON
  • cURL

Getting Started

Panquake Me is written in PHP and the Laravel Framework, using MariaDB/MySQL as the target database system.

To get started with Pnqk.me on your server, you can clone this repository or download a stable release. This project uses semantic versioning.

TLDR;

Panquake Me will run in your web root directory like a traditional LAMP application, and has similar requirements and setup steps as an application like WordPress. Clone or download this repository, set the correct web document root, create a MariaDB/MySQL database, go to yoursite.com/setup, and follow the prompts.

Setup Instructions

Below are detailed instructions that will cover many use cases for setting up Pnqk.me in a typical web server environment. We try to simplify the procedure, for example by including a setup script for part of the process, but basic experience with hosting websites is required. Small differences in your system configuration may introduce issues beyond the scope of these instructions and, as with all technical projects, YMMV.

1. Switch to a user with superuser permissions or the root user on the system. Example:

sudo su

2. Clone the git repository (alternatively, download and extract a release).

git clone https://codeberg.org/talkliberation/pnqk-me.git --depth=1

3. Make sure the directory pnqk-me is the web document root, or that the files in that directory are copied to the web document root. This will vary based upon your system and chosen web server. Assuming your web document root is empty, a common way to do this would be:

cp -Rvfa pnqk-me/* /var/www

The pnqk-me/public folder (copied to /var/www/public in this scenario) is of special note. It contains files that are intentionally exposed to the public web and would replace, for example, the commonly-used /var/www/html folder. All of this will vary depending on your web server configuration.

4. Make sure relevant directories have execute permissions. Example:

chmod -Rvf 755 app public resources

5. Make sure the entire web root is owned by the correct user for the web server. Example:

chown -Rvf www-data:www-data /var/www

6. Install PHP composer dependencies. Using curl:

curl -sS https://getcomposer.org/installer | php
php composer.phar install --no-dev -o

If composer fails installing the dependencies (often due to your PHP version), delete composer.lock and try installing the dependencies again.

rm composer.lock
php composer.phar install --no-dev -o

7. Edit your web server configuration.

   • Apache: You will need to create or edit an Apache configuration file in your operating system's Apache configuration folder (e.g /etc/apache2/sites-enabled) or add a virtual host to your configuration as in the example below. Replace example.com with your server's external address and restart Apache when done.

     <VirtualHost *:80>
         ServerName example.com
         ServerAlias example.com
         DocumentRoot "/var/www/public"
         <Directory "/var/www/public">
             Require all granted
             Options Indexes FollowSymLinks
             AllowOverride All
             Order allow,deny
             Allow from all
         </Directory>
     </VirtualHost>
     

     If mod_rewrite is not already enabled, you will need to enable it:

     a2enmod rewrite
     

     You will need to restart the Apache service after making any configuration changes. Example:

     sudo service apache2 restart
     

   • nginx: You will need to create or edit an nginx configuration file in your operating system's Apache configuration folder (e.g /etc/nginx/sites-enabled) or add a virtual host to your configuration as in the example below. Replace example.com with your server's external address and restart nginx when done.

     upstream php {
         server unix:/var/run/php-fpm.sock; # requires php-fpm
         server 127.0.0.1:9000;
     }
     
     server { # HTTP settings
         listen [::]:80 default_server;
         listen       *:80 default_server;
         root         /var/www/public;
         index        index.php index.html index.htm;
         server_name  example.com; # or whatever domain you want to use
     
         location / {
                 try_files $uri $uri/ /index.php$is_args$args;
                 # rewrite ^/([a-zA-Z0-9]+)/?$ /index.php?$1;
         }
     
         location ~ \.php$ {
                 try_files $uri =404;
                 include /etc/nginx/fastcgi_params;
                 fastcgi_pass    php;
                 fastcgi_index   index.php;
                 fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                 fastcgi_param   HTTP_HOST       $server_name;
                 fastcgi_param HTTP_PROXY ""; # mitigate https://httpoxy.org vulnerabilities
         }
     }
     

     You will need to restart the nginx service after making any configuration changes. Example:

     sudo service nginx restart
     

   • HTTPS: We highly recommend that you set up HTTPS with strong TLS cipher settings on your installation to protect your users, unless you are testing in a non-public environment that is not connected to the Internet. We recommend using Let's Encrypt and the Certbot utility from the EFF for TLS certificates.

     • Apache example

     • nginx example

8. You must create a database for Pnqk.me to use.

   • MariaDB/MySQL: Log into your mysql-cli shell and run:

     CREATE DATABASE pnqk;
     

     In this example, pnqk is the database name, but you can choose any name you'd like. If you want to create a new user with access to solely this database (which is a good idea for security) please learn about the GRANT directive. Examples:

     CREATE USER 'pnqk' @ 'localhost' IDENTIFIED WITH authentication_plugin BY 'password';
     GRANT ALL PRIVILEGES ON pnqk.* To 'pnqk'@'localhost' IDENTIFIED BY 'password';
     

     This would create a user named pnqk and give that user access to the pnqk database. Of course, use a utility like pwgen to generate a strong password. Additionally, utilities like mysql_secure_connection are useful for setting secure defaults.

   • SQLite: You may also use SQLite in place of MariaDB/MySQL for Pnqk.me but it is not recommended.

     The setup script described below should populate the rest of the database. However, if there is an error, example SQL dumps that can be used to create and populate a default database are available in database/examples. Database connection settings can be changed in config/database.php and we have added directives for TLS connections.

9. Copy the .env.setup file to .env in your web root directory. Example: cp .env.setup .env NOTE: This .env file is very sensitive and should never be shared publicly.

10. Visit your site in a web browser. You may now continue setting up your environment and start to populate the database using the setup script at /setup (e.g. https://yoursite.com/setup) or you can complete setup manually (see instructions below). The setup script contains administrative settings such as API and SAML access.

    • Manual configuration: If you decide not to use the setup script at /setup or it fails, copy resources/views/env.blade.php to .env at the web document root and update the values appropriately. Do not leave any curly braces {} in your new .env

      You may leave certain sections blank or commented-out to use the defaults. Run the following artisan command to create the necessary database tables:

      php artisan migrate --force
      

      If there is an error, example SQL dumps that can be used to create and populate a default database are available in database/examples.

      You will also need to insert a admin user into the users table through a mysql-cli shell (or a graphical SQL interface such as phpmyadmin).

      Optionally, update the GeoIP info:

      php artisan geoip:update
      

      By default, Panquake Me does not utilize this information or even record the visitor's IP address. If you need rough estimates of a visitor's origin, we recommend scrubbing the last octets of the IP address and only recording the country of origin or using self-hosted, privacy-respecting metrics from Plausible.io.

11. Run the archiving script in util/archive-links.sh. Panquake Me utilizes the archiving services at Internet Archive and Archive.today. We include a shell script that will read from the database and submit URLs to the archiving services in util/archive-links.sh. By default, this script utilizes curl and will create logs for errors as well as successful archives in CSV format. The script can be edited to use additional utilities like wayback and there may be additional system configuration required to mitigate CAPTCHA issues.

    We recommend adding this script to cron or as a systemd timer.

---

Database Structure

Pnqk.me uses a very basic database structure. The most important table is the "links" table, which contains all of the long and short URL information. By default, Panquake Me does not record the IP address in the ip field below and creator is a random UUID for each submission.

id, int(10)
short_url, varchar(255), utf8mb4_unicode_ci
long_url, longtext, utf8mb4_unicode_ci
original_url, longtext, utf8mb4_unicode_ci
archiveorg_url, longtext, utf8mb4_unicode_ci
archivetoday_url, longtext, utf8mb4_unicode_ci
ipfs_url, longtext, utf8mb4_unicode_ci
ip, varchar(255), utf8mb4_unicode_ci
creator, varchar(255), utf8mb4_unicode_ci
clicks, varchar(255), utf8mb4_unicode_ci
secret_key, varchar(255), utf8mb4_unicode_ci
is_direct_link, tinyint(1)
is_disabled, tinyint(1)
is_custom, tinyint(1)
is_api, tinyint(1)
archive_check, tinyint(1)
created_at, timestamp
updated_at, timestamp
long_url_hash, varchar(10), utf8mb4_unicode_ci

---

Licensing

This project is ethical Free and Open-Source Software (FOSS) that is copyright © 2023 Talk Liberation Limited and released under the GNU General Public License version v2.0 or later. See LICENSE for more information. Pnqk.me is built upon code from Polr by Chaoyi Zhao and Antelope Valley College. We are grateful for their efforts and those of the Internet Archive and Archive.today.

For JavaScript licensing information, see the LibreJS labels in weblabels.html

"Panquake”, “Talk Liberation”, “Panquake Me”, “Pnqk”, “Pnqk.me” and all related brands, slogans, trademarks, service marks, and logos are property of Talk Liberation Limited. Contact opensource@talkliberation.com for further information or additional permissions. For correct branding files and usage guidelines please refer to Panquake.com/brand. For press resources and other relevant information about Panquake please visit Panquake.com/press

---

Contact

For media inquiries, please contact pnqk@talkliberation.com