2020-07-23 Twitter pointing me right at the dark side of social media 2 weeks ago
I separated my amateur radio twitter from my work and other contacts twitter to get less depressing world politics in my timeline and today Twitter showed me very clearly that I'm supposed to get agitated and depressed and not retreat into a safer bubble. I got notifications on the @PE4KH account (including on my phone) to look at this tweet by Phil Karn KA9Q: Fascism has arrived in America. which quotes another political tweet. I really appreciate the work Phil Karn has done in the past for networking and amateur radio, and as a person I feel sorry for him and others to have to live their daily lives in a situation like this. But at the same time I don't want to be reminded constantly, because I can't do much about it and I will just feel more depressed. So it really annoys me that Twitter goes out of its way to point me to something that will agitate and depress me. It seems like Twitter wants more doomscrolling and more depression to increase "engagement" in the short term.
2020-07-02 My social media accounts 1 month ago
Social media is a nice and easy way to interact with people. There was and is a lot of choice in social media. Ages ago I started with fidonet echomail groups, later with usenet and recently with web-based social media. But that's also a development from volunteer-run systems to commercially run systems. Companies like twitter, google and facebook are in the world to make a profit. With echomail and usenet the protocols and software were not linked to the operator of the service, someone else was able to run the same service and allow access to the network again. When google+ stopped the ties to people I knew were broken and I had to find them again on other networks. I am somewhat active on twitter. My 'main' twitter account is twitter.com/khoos but I was getting a lot of negative messages about world politics which got depressing. Since twitter has made it a lot easier to manage more than one twitter account from the twitter web interface I decided to add a specific account for amateur radio with the predictable name twitter.com/PE4KH. Amateur radio twitter is not completely free of politics, but it's a lot more sane view of twitter.
2020-05-25 Websites get attacked from the very first moment 2 months ago
Sometimes hobby and work intertwine when I'm not expecting it. I set up a domain name and added a dummy website for something related to amateur radio. I have no idea if it will go anywhere, but I thought I'd get the web configuration right. The domain name isn't published anywhere. But, to my surprise:

    220.127.116.11 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    18.104.22.168 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    22.214.171.124 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    126.96.36.199 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    188.8.131.52 - - [20/May/2020:09:15:12 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    2a00:d680:30:50::67 - - [24/May/2020:16:54:36 +0200] "GET /wp-login.php HTTP/1.1" 404 594 "http://******.*******.**/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

I added the domain name and requested a LetsEncrypt certificate on 11 May 2020, and I set up the webserver correctly on 19 May 2020. The only 'publication' of the name is via the certificate transparency log. Somehow this is enough for the first probes for possible security issues. Looking in the haproxy logs finds even more requests on 15 and 18 May 2020. Part of the requests are via http, not https.
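Added example, not part of the original post: a small awk filter that picks probes like the ones above out of a combined-format access log and reports, per path, the request count, the number of distinct clients and the first time it was seen, so that time can be compared with the date the certificate was issued. The path list, the function names and the sample log lines (documentation-range addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise scanner probes in a combined-format access log.
# PROBE_PATHS is an assumed starting list; extend it with what your own logs show.
PROBE_PATHS='/.git/HEAD /wp-login.php /.env'

# probe_summary: read access-log lines on stdin and print one line per probed path:
#   <requests> <distinct clients> <first seen> <path>
# "First seen" is the first match in the input, so feed the log in chronological order.
probe_summary() {
    awk -v paths="$PROBE_PATHS" '
    BEGIN { n = split(paths, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        # combined log: client - - [time zone] "METHOD path PROTO" status size ...
        client = $1
        ts = substr($4, 2)          # strip the leading "["
        path = $7
        sub(/\?.*/, "", path)       # ignore query strings
        if (!(path in want)) next
        count[path]++
        if (!(path in first)) first[path] = ts
        if (!((path, client) in seen)) { seen[path, client] = 1; clients[path]++ }
    }
    END {
        for (i = 1; i <= n; i++)
            if (p[i] in count)
                printf "%d %d %s %s\n", count[p[i]], clients[p[i]], first[p[i]], p[i]
    }'
}

# Constructed sample input (not the log from the post).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
192.0.2.11 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
192.0.2.10 - - [20/May/2020:09:15:12 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
198.51.100.7 - - [21/May/2020:11:02:03 +0200] "GET /index.html HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
2001:db8::67 - - [24/May/2020:16:54:36 +0200] "GET /wp-login.php?x=1 HTTP/1.1" 404 594 "-" "Mozilla/5.0"
EOF
}

sample_log | probe_summary
```

On a real server the same function can be fed the access log directly, for example `probe_summary < access.log`.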
2020-05-12 Changing the CSS grid depending on screen size 2 months ago
A special feature I realized when working with the CSS grids is that I can change the order in which objects are displayed based on screen width. Or whether they appear at all on small screens. So now I'm working on stylesheets that change the grid to what works better on a mobile device. Which is what a lot of the visitors to Camp Wireless use! On a small screen I want the important content to come first. There is not enough space for the extras at the top, and a mobile visitor wants fast answers to the question "where can I find a campsite".
2020-05-06 I discovered the CSS grid model 3 months ago
In my todo-list is a rewrite of Camp Wireless to stop maintaining PHP and make it more mobile-device friendly. The reason to stop maintaining PHP is that I don't like it anymore, which gives me a risk of having insecure code, which would be really bad for me. I'm rewriting it in Perl, which isn't today's choice in web development either, but it is what I can program well enough to avoid security errors. The reason to make it more mobile-device friendly is that over half of the visitors to the site are using mobile devices. They want to find a campsite while travelling with a smartphone or other mobile device. I was already using a media selector CSS, with variations for printer. I'm now looking at CSS grids, which allow me to divide the page into regions that move place depending on the available screen size. This makes separating content from page layout even easier.
2020-05-05 Internal documentation of my home network 3 months ago
A few times I had to look up something again about the way things work in my setups. I made a remark before that I should set up a documentation wiki at home to keep this information somewhere central. Right before I started with the homeserver conway I set up Mediawiki on a webserver. First on the previous homeserver greenblatt, but as soon as web production was migrated to the new server I ran it on the web production server virtual machine. So for a lot of 'how did I' questions there are answers, and some future plans. Also for plans on the house and on amateur radio related things. People who know me from work will just say this is an extension of the trail of MediaWiki based documentation systems I left behind, and they are right.
2020-04-07 Troy Hunt: No I won't link to your spammy article 4 months ago
A recurring theme in rants here: link request spam written to look like a serious and personal request to improve an article on my site. Troy Hunt seems to get a lot of those too, so he wrote No, I Won't Link to Your Spammy Article. So we can now all stop doing stupid 'search engine optimization' and go back to sharing actual good content.
2019-10-20 Restored the webcam site and archives 9 months ago
I was looking at the overview of most requested but not available URLs and noticed there is still traffic to http://webcam.idefix.net/. For years that was the webcam site when I still had access to a reasonable location for putting up a webcam. First a good view at my previous house, and later a window with a good view from a server room at work. So I dug up the archived images and scripts, cleaned them up and made them available again. There are no fresh images, just the aged archives.
2019-09-08 A thumbs up for robust scripts 11 months ago
Today some of the letsencrypt certificates were older than 60 days, so the renewal script started to kick in. Last year I completely automated the certificate renewal of letsencrypt certificates with dehydrated and wrote some scripts around the renewal process with hopefully enough error handling. Today some of the error handling got tested, one renewal gave an error:

    + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 500)

And indeed the dehydrated script gave an error level, the resulting (empty!) .crt file wasn't copied and nothing happened. On the next run of the renewal script this certificate will still be older than 60 days and therefore the renewal will be tried again.
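Added example, not the renewal scripts from this post: one way to write the kind of guard described above, so that an empty, unparsable, nearly expired or mismatched certificate is never copied over the live one. The function names, the file paths passed in and the 30-day margin are assumptions made for this example; it uses only standard openssl subcommands.

```shell
#!/bin/sh
# Added example: refuse to deploy a renewed certificate unless it is usable.
# The 30-day margin and all file names are assumptions, not values from the post.

# cert_is_deployable <new.crt> <private.key>
# Returns 0 only if the file is non-empty, parses as X.509, stays valid for
# at least 30 more days and carries the public key of the given private key.
cert_is_deployable() {
    crt=$1 key=$2
    [ -s "$crt" ] || { echo "reject: $crt is missing or empty" >&2; return 1; }
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "reject: $crt is not a certificate" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((30*24*3600)) >/dev/null \
        || { echo "reject: $crt expires within 30 days" >&2; return 1; }
    # Compare public keys by hashing their DER encoding.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "reject: $crt does not match $key" >&2; return 1; }
}

# deploy_cert <new.crt> <private.key> <live.crt>
# Copies through a temporary file and renames it, so the live file is never
# half-written and stays untouched when the new certificate is rejected.
deploy_cert() {
    cert_is_deployable "$1" "$2" || return 1
    tmp="$3.new.$$"
    cp "$1" "$tmp" && mv "$tmp" "$3"
}

# Usage: sh this-script new.crt private.key live.crt
if [ "$#" -eq 3 ]; then
    deploy_cert "$@"
fi
```

A non-zero exit leaves the old certificate in place, so the next scheduled run simply tries the renewal again.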
2019-08-26 3000 items on my homepage and counting 11 months ago
I was just wondering about the number of newsitems on my homepage and did a check. An interesting value popped up: 3000. Yes, a round 3000 items since I started writing more than 20 years ago (or rather: 7456 days ago) : I've created a virtual bookcase with an overview of books I like/read. Graphic created with Retro Wave. Hat tip to Wil Wheaton, who mentions 6584 days - Wil Wheaton dot net
2019-05-30 Improving mod_perl pages 1 year ago
I saw some parts in a site that were creating errors and trying to maintain old PHP code was an annoyance again. So I set up the project to port it all to mod_perl to be able to support it again. Not an easy project, and it will take a while. First work was on understanding the mod_perl registry which keeps scripts and perl interpreters running in Apache. I noticed I was getting old errors from scripts which is because the mod_perl registry doesn't automatically reload scripts (to save file actions). This is not ideal on a development server and can be confusing on a production server. Solution: enable Apache2::Reload with

    # enable perl
    AddHandler perl-script .pl
    PerlResponseHandler ModPerl::Registry
    PerlInitHandler Apache2::Reload

Now to write the right perl code...
2019-05-04 Considering enabling Server Name Indication (SNI) on my webserver 1 year ago
While making a lot of my websites available via HTTPS I started wondering about enabling Server Name Indication (SNI) because the list of hostnames in the one certificate (subjectAltName parameter) keeps growing and they aren't all related. So on a test system with haproxy I created two separate private keys, two separate certificate signing requests and requested two separate certificates. One for the variants of camp-wireless.org and one for most of the idefix.net names. The whole requesting procedure happened on the system where my automated renewal and deployment of LetsEncrypt certificates with dehydrated happens so the request went fine. For the configuration of haproxy I was following HAProxy SNI where 'terminating SSL on the haproxy with SNI' gets a short mention. So I implemented the configuration as shown in that document and got greeted with an error:

    haproxy[ALERT] 123/155523 (3435) : parsing [/etc/haproxy/haproxy.cfg:86] : 'bind :::443' unknown keyword '/etc/haproxy/ssl/webserver-idefix-main.pem'.

And found out that the crt keyword has to be repeated. This is why I like having a test environment for things like this. Making errors in the certificate configuration on the 'production' server will give visitors scary and/or incomprehensible errors. So the right configuration for my test is now:

    frontend https-in
        bind :::443 v4v6 ssl crt /etc/haproxy/ssl/webserver-campwireless.pem crt /etc/haproxy/ssl/webserver-idefix-main.pem

And testing it shows the different certificates in use when I use the -servername parameter for openssl s_client to test things.

    $ openssl s_client -connect testrouter.idefix.net:443 -servername idefix.net -showcerts -verify 3
    ..
    Server certificate
    subject=/CN=idefix.net
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ..
    Verification: OK
    $ openssl s_client -connect testrouter.idefix.net:443 -servername camp-wireless.org -showcerts -verify 3
    ..
    Server certificate
    subject=/CN=www.camp-wireless.org
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ..
    Verification: OK

The certificates are quite separate. Generating the certificate signing requests with a separate private key for each request works fine. So if I upgrade my certificate management to renew, transport, test and install multiple certificates for the main webserver it would work.
2019-01-12 Enabling some old web userdirs 1 year ago
I received a "complaint" that a very old site on the webserver wasn't working anymore. I am not a person to just stop something without planning that so this was an oversight. It was one of the userdirs on idefix.net: Ivo van der Wijk who hasn't updated the page since 1994. No, really, not even the broken links. In restoring this one and the others I found that php in userdirs is disabled by default nowadays, found via PHP not working in userdir (public_html) - devPlant. Maybe a good idea, but I only enable php on virtualhosts where I want it, so I disabled that rule. I hadn't missed it on my own webspace yet, but a site like Het online dagboek van hester (Renate) in Australie (en daar in de buurt) depends on PHP completely. While I was looking for the reason the php failed I also noticed that /etc/apache2/mods-available/userdir.conf also has some configuration I do not appreciate, it enables userdirs globally when the module is loaded:

    <IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root
        <Directory /home/*/public_html>
            AllowOverride FileInfo AuthConfig Limit Indexes
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            Require method GET POST OPTIONS
        </Directory>
    </IfModule>

I disabled that part: I only want the userdir to work on specific virtual hosts.
2019-01-08 Seeing the 451: Unavailable due to legal reasons in the wild 1 year ago
Today I tried to follow a link to http://www.independentri.com/ but I got an error message:

    451: Unavailable due to legal reasons
    We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time

And indeed in the headers:

    $ lynx -head -dump http://www.independentri.com/
    HTTP/1.1 451 Unavailable For Legal Reasons

I see the real reason as 'not wanting to comply with European consumer protection laws'. I have no idea how many visitors the site is missing due to this regionblock but since it's a regional weekly newspaper in the United States of America: probably not a lot of the intended audience.
2018-12-04 Really ending a domain name and the web presence 1 year ago
On 25 December 2004 there was a special deal giving me the .info names camp-wireless.info and campwireless.info for free for the first year. Since that moment I kept the names registered and redirected all web traffic to the right version: https://www.camp-wireless.org/. So the deal worked from a 'selling domain names' perspective: Christmas is a bad moment to review the need for domain names, so the easy solution is to renew it. My decision to stop with these names was made in January 2018. Traffic to the .info versions is very minimal. With the cost of the domain registration I decided to stop doing that and devised an exit strategy which would result in a domain name that attracts no traffic and is not linked to my other webprojects. On the next renewal date the domain will expire. I have done this before in a different context: when we ended the students personal webspace at www.students.cs.uu.nl. The solution is to start returning HTTP status 410 Gone for search engines while at the same time returning a somewhat user-friendly error page. Relevant bit of apache 2.4 configuration:

    <VirtualHost *:80>
        ServerName www.camp-wireless.info
        ServerAlias www.campwireless.info
        ServerAlias camp-wireless.info
        ServerAlias campwireless.info
        DocumentRoot /home/httpd/campwireless-expire/html
        <Directory "/home/httpd/campwireless-expire/html">
            Require all granted
        </Directory>
        RewriteEngine On
        RedirectMatch 410 ^/(?!gone.html|robots.txt)
        ErrorDocument 410 /gone.html
    </VirtualHost>

The gone page is simple: It has an explanation for human visitors and a meta refresh tag to redirect the browser eventually. But to a search engine the status 410 on almost any url will give a clear flag the page is gone and should be flushed from the cache.
2018-11-20 Fixing old deeplinks to twitter 1 year ago
Remember the twitter #! hashbang urls? I'd rather not. Those URLs were active from 2010 to 2012 and have been eliminated. But I got reminded today as it seems they are now silently failing. I checked the archive of my own website to fix all those links. I try to keep all old URLs working. Unless the content completely goes away.
2018-09-26 Made the big bang to the new homeserver 1 year ago
So for months and months I had hardware ready for the new homeserver, I was testing bits and pieces in the new environment and I still did not get around to making the big bang. Part of the time the new system was running and using electricity. And a few weeks ago I had time for the big bang and forgot to mention it! So one free day I just did the last sync of homedirectories and started migrating all services in a big bang. No more but, if, when, is it done yet. It's a homeserver, not a complete operational datacenter. Although with everything running it sometimes does look that way! The new setup, more completely documented at Building - and maintaining home server conway 2017 is now running almost all tasks. The main migration was homedirectories, mail, news, webservers. Things are now split over several virtual machines and the base virtual machine running kvm virtual machines is as minimal as possible. One thing I just noticed is that the new virtual machine with pppoe kernel mode drivers and updated software is doing great: the bigger MTU is working by default and kernel mode pppoe does not show up as using CPU when a 50 mbit download is active. I looked at CPU usage with htop and at the network traffic with iptraf and the result was that iptraf was using the most cpu. There are still some things left to migrate, including a few public websites that currently give 50x errors. But I will find the time eventually.
2018-07-08 Automating Let's Encrypt certificates further 2 years ago
Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal which helps a lot in automating certificate renewal with minimal hassle. First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem and it turns out this works great with dehydrated. I created a separate user for dehydrated, gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:

    CHALLENGETYPE="http-01"
    WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"

Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
2018-06-17 Apache 2.2 Proxy and default block for everything but the .well-known/acme-challenge urls 2 years ago
I'm setting up a website on a new virtual machine on the new homeserver and I want a valid letsencrypt certificate. It's a site I don't want to migrate so I'll have to use the Apache proxy on the 'old' server to allow the site to be accessed via IPv4/IPv6 (for consistency I am now setting up everything via a proxy). So first I set up a proxy to pass all requests for the new server to the backend, something like:

    ProxyPass / http://newsite-back.idefix.net/
    ProxyPassReverse / http://newsite-back.idefix.net/

But now the requests for /.well-known/acme-challenge also go there and they are blocked needing a username/password since the new site is not open yet. So to set up the proxy correctly AND avoid the username checks for /.well-known/acme-challenge the order has to be correct. In the ProxyPass rules the rule for the specific URL has to come first and in the Location setup it has to come last.

    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://newsite-back.idefix.net/
    ProxyPassReverse / http://newsite-back.idefix.net/
    <Location />
        Deny from all
        AuthName "Site not open yet"
        [..]
    </Location>
    <Location /.well-known/acme-challenge>
        Order allow,deny
        Allow from all
    </Location>

And now the acme-challenge is done locally on the server and all other requests get forwarded to the backend after authentication.