2020-10-26 Speeding up TLS connections for Apache with OCSP 1 month ago
I have one Apache server exposed to the outside world for IPv6 clients (because of a history in hostnames going back to the 20th century). So after enabling OCSP for haproxy I decided to have a look at OCSP stapling for Apache 2.4. That's even easier than with haproxy, since Apache 2.4 fetches the OCSP data itself. I followed Apache 2.4 SSL/TLS Strong Encryption: How-To OCSP Stapling and it works. So now the current score at the Qualys SSL server test for koos.idefix.net is A+ both via IPv4 and IPv6.
2020-10-14 Speeding up TLS connections for haproxy with OCSP 1 month ago
On my to-do list was the idea to look at OCSP stapling for haproxy. OCSP is the Online Certificate Status Protocol; stapling wraps the revocation status of a certificate in the certificate negotiation. This speeds up the TLS setup a bit since the client doesn't have to make an extra connection to the OCSP responder of the certificate issuer, and it adds a bit of privacy because the certificate issuer doesn't see which client requests the status of a certificate. Finding the right way to get the OCSP updates to haproxy was a bit of work; eventually I made some modifications to the script in HAProxy OCSP stapling. I also used the remarks in OCSP stapling with HAProxy. From pitfall to euphoria because I saw the "OCSP single response: Certificate ID does not match any certificate or issuer" error message. I had to restart haproxy first to make it enable OCSP processing (because now each server certificate has its own .ocsp file) and now it accepts the "set ssl ocsp-response" command.
Update: I'm not completely happy yet: after a certificate was renewed haproxy complained about the .ocsp file being out of date. Which is fully correct, since that .ocsp file was about a previous version of the certificate. This needs more work. Ideally I would check the validity of the .ocsp file before deciding to renew it. And fetch the new OCSP data before reloading a renewed certificate. Anyway, the 'TLS setup' part of connecting to sites like idefix.net goes from 20-21 milliseconds to 5-8 milliseconds. Not a blindingly fast improvement but all bits help and I like to have optimal security and privacy.
Read the rest of Speeding up TLS connections for haproxy with OCSP
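The procedure from this post and from the Apache post above it, as an added example (it is not the author's script nor the scripts from the two linked articles): the check that was missing when the .ocsp file turned out to belong to the previous certificate, the fetch, the push over the haproxy admin socket, and the openssl s_client -status check that shows whether a server (Apache or haproxy) staples at all. The directory layout (NAME.pem, NAME.pem.issuer, NAME.pem.ocsp), the admin socket path and the test fixture (a throwaway CA standing in for Let's Encrypt, with openssl's own index-file responder producing the response) are assumptions; only ocsp_fetch and stapling_check talk to the network.

```shell
#!/bin/sh
# Added example, not the author's script or the two linked ones: keep the .ocsp
# file next to each haproxy certificate usable, refresh it only when needed, and
# hand it to the running haproxy.  Assumed layout (not from the post):
# /etc/haproxy/ssl/NAME.pem, NAME.pem.issuer (issuing CA) and NAME.pem.ocsp
# (DER response haproxy loads at start-up).  Socket path is an assumption too.
HAPROXY_SOCK=${HAPROXY_SOCK:-/run/haproxy/admin.sock}
OCSP_MARGIN=${OCSP_MARGIN:-86400}   # refresh when less than a day of validity is left

# OCSP responder URL from the certificate's AIA extension (empty if none).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# True only when the cached response covers exactly this certificate (issuer
# hash + serial), is still valid and has more than OCSP_MARGIN seconds to go.
# A response that belongs to the previous, pre-renewal certificate comes back
# as "No Status found": the out-of-date .ocsp case haproxy complained about.
ocsp_is_fresh() {   # ocsp_is_fresh issuer.pem cert.pem cert.pem.ocsp
    _out=$(openssl ocsp -issuer "$1" -cert "$2" -respin "$3" -noverify 2>/dev/null) || return 1
    case $_out in
        *"ERROR: No Status found."*|*"WARNING: Status times invalid."*) return 1 ;;
    esac
    printf '%s\n' "$_out" | grep -Fqx "$2: good" || return 1
    _next=$(printf '%s\n' "$_out" | sed -n 's/^[[:space:]]*Next Update: //p')
    [ -n "$_next" ] || return 1                            # no nextUpdate: refetch
    _exp=$(date -d "$_next" +%s 2>/dev/null) || return 0   # non-GNU date: openssl's check above must do
    [ "$_exp" -gt $(( $(date +%s) + OCSP_MARGIN )) ]
}

# Fetch a new response from the AIA responder (network).  openssl verifies the
# signature against the issuer before -respout writes anything, and the new
# file has to pass ocsp_is_fresh before it replaces the old one.
ocsp_fetch() {      # ocsp_fetch issuer.pem cert.pem cert.pem.ocsp
    _url=$(ocsp_uri "$2")
    [ -n "$_url" ] || { echo "$2: no OCSP URI in certificate" >&2; return 1; }
    openssl ocsp -issuer "$1" -cert "$2" -url "$_url" -verify_other "$1" \
        -respout "$3.tmp" >/dev/null 2>&1 || return 1
    ocsp_is_fresh "$1" "$2" "$3.tmp" && mv "$3.tmp" "$3"
}

# Hand the response to the running haproxy over the admin socket as one base64
# line (base64 -w 0 is GNU coreutils).  haproxy matches it to a loaded
# certificate by issuer and serial, so push after a reload, never before it.
ocsp_push() {       # ocsp_push cert.pem.ocsp
    printf 'set ssl ocsp-response %s\n' "$(base64 -w 0 "$1")" \
        | socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Walk the certificate directory: leave fresh responses alone, fetch the rest,
# and push them to the running process only when asked to.
ocsp_refresh_all() {   # ocsp_refresh_all /etc/haproxy/ssl [push]
    for _cert in "$1"/*.pem; do
        [ -r "$_cert.issuer" ] || continue
        ocsp_is_fresh "$_cert.issuer" "$_cert" "$_cert.ocsp" && continue
        ocsp_fetch "$_cert.issuer" "$_cert" "$_cert.ocsp" || continue
        if [ "${2:-}" = push ]; then ocsp_push "$_cert.ocsp"; fi
    done
}

# Does a live server staple at all?  Same check for the Apache and haproxy setups.
stapling_check() {  # stapling_check www.example.test [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Constructed offline fixture standing in for Let's Encrypt and its responder:
# a throwaway CA, a server certificate with an AIA OCSP URI, a "renewed" copy
# with a new key and serial, and a response for the first one made with
# openssl's own index-file responder (-index).
make_test_pki() {   # make_test_pki dir -> dir/{ca,srv,renewed}.pem, dir/srv.pem.ocsp
    _d=$1; _serial=4097
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj /CN=Test-CA -days 30 -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$_d/ext.cnf"
    for _n in srv renewed; do
        openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj /CN=www.example.test -keyout "$_d/$_n.key" -out "$_d/$_n.csr" 2>/dev/null
        openssl x509 -req -in "$_d/$_n.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
            -set_serial "$_serial" -days 30 -extfile "$_d/ext.cnf" -out "$_d/$_n.pem" 2>/dev/null
        cp "$_d/ca.pem" "$_d/$_n.pem.issuer"
        _serial=$((_serial + 1))
    done
    # index.txt columns: status, expiry, revocation date, serial (hex), file, subject
    _hex=$(openssl x509 -in "$_d/srv.pem" -noout -serial | sed 's/^serial=//')
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=www.example.test\n' "$_hex" > "$_d/index.txt"
    openssl ocsp -index "$_d/index.txt" -CA "$_d/ca.pem" -rsigner "$_d/ca.pem" -rkey "$_d/ca.key" \
        -issuer "$_d/ca.pem" -cert "$_d/srv.pem" -ndays 7 -noverify \
        -respout "$_d/srv.pem.ocsp" >/dev/null 2>&1
}
```

Two call sites cover the two problems from the post: `ocsp_refresh_all /etc/haproxy/ssl` right after a renewed certificate has been installed but before haproxy is reloaded, so the reload picks up a .ocsp file that belongs to the new certificate (ocsp_is_fresh fails for it because its serial is not in the cached response); and `ocsp_refresh_all /etc/haproxy/ssl push` from cron every few hours, which replaces responses that are within OCSP_MARGIN of their nextUpdate and hands them to the running process. `stapling_check koos.idefix.net` is the quick way to see that a server, Apache or haproxy, actually sends the stapled response.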
2020-10-13 Searching for a vulnerable framework found in weblogs 1 month ago
I had a look at some weblogs and after removing the entries caused by webbots most of the rest of the traffic was attacks. All on stuff I don't have (usually wordpress), but one thing was noticeable:
    188.8.131.52 - - [13/Oct/2020:00:17:34 +0200] "GET ////nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 404 747 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
    184.108.40.206 - - [13/Oct/2020:00:17:41 +0200] "GET /////nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 301 715 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
    220.127.116.11 - - [13/Oct/2020:00:17:43 +0200] "GET /nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 404 747 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
From what I've found about the 'nette microframework' there are callbacks, but none of those is called shell_exec.
2020-08-25 A new Camp Wireless that looks the same 3 months ago
The new Camp Wireless that looks almost the same, but is completely rewritten, is on-line. It should look and work better on mobile devices. According to the statistics about half of the visitors are using a mobile device, so that is an important part. I am a great fan of not breaking existing links, so they will keep working. There is a change in the url scheme for the site, but all old links redirect to the correct new location. The details: Camp Wireless was completely written in PHP since the start of Camp Wireless in June 2004. But I didn't update the code a lot over the last years because I wasn't using PHP anymore and was doing all my newer webprojects in mod_perl. This was becoming a risk, I didn't like updating the code anymore. I had to fix several things when I moved from the old homeserver to the new one because the new system came with PHP 7. Since the url design of Camp Wireless was 'technology neutral' from the start (the main urls do not include .php or other hints to the used technology) it was possible to rewrite it in another language, as long as it could handle all the urls the same way. I made one change to the url scheme: in the old setup the directory of campsites had urls with /database/region/ and /database/site/. Although there is indeed a database behind the site, the better term to use is directory, so I developed with /directory/region/ and /directory/site/ urls. And wrote a rewrite rule handler to redirect all the old links, because I don't like breaking old links. I rewrote the site in mod_perl. It was hosted on the development webserver and after implementing and testing each function I committed the result to version control. I still use cvs because that's what I once dove into. After testing for a while with an acceptance version I finally made the switch today. After that I found a few functions missing so I added those promptly.
Still using version control, so I know what I changed when and why.
Read the rest of A new Camp Wireless that looks the same
2020-08-23 Getting work done on the Camp Wireless rewrite 3 months ago
In the last few weeks I had actual time to work on the planned rewrite of Camp Wireless in perl. I rewrote it in perl and redid a small part of the CSS to use the CSS grid model to optimize Camp Wireless based on screen size. In the coming days I will create an 'acceptance' version of the site using the production version of the database, to iron out the last errors. I still need to finish the correct 404 generation from within mod_perl scripts, advertising and some specific cases. And it's a good idea to run a website security scan on my work. The look and feel hasn't changed a lot. I decided to present the same information in the same order and maintain most of the screenlayout.
2020-07-23 Twitter pointing me right at the dark side of social media 4 months ago
I separated my amateur radio twitter from my work and other contacts twitter to get less depressing world politics in my timeline, and today Twitter showed me very clearly that I'm supposed to get agitated and depressed and not retreat into a safer bubble. I got notifications on the @PE4KH account (including on my phone) to look at this tweet by Phil Karn KA9Q: Fascism has arrived in America, which quotes another political tweet. I really appreciate the work Phil Karn has done in the past for networking and amateur radio, and as a person I feel sorry for him and others to have to live their daily lives in a situation like this. But at the same time I don't want to be reminded constantly, because I can't do much about it and I will just feel more depressed. So it really annoys me that Twitter goes out of its way to point me to something that will agitate and depress me. It seems like Twitter wants more doomscrolling and more depression to increase "engagement" in the short term.
Read the rest of Twitter pointing me right at the dark side of social media
2020-07-02 My social media accounts 4 months ago
Social media is a nice and easy way to interact with people. There was and is a lot of choice in social media. Ages ago I started with fidonet echomail groups, later with usenet and recently with web-based social media. But that's also a development from volunteer-run systems to commercially run systems. Companies like twitter, google and facebook are in the world to make a profit. With echomail and usenet the protocols and software were not linked to the operator of the service; someone else was able to run the same service and allow access to the network again. When google+ stopped, the ties to people I knew were broken and I had to find them again on other networks. I am somewhat active on twitter. My 'main' twitter account is twitter.com/khoos but I was getting a lot of negative messages about world politics which got depressing. Since twitter has made it a lot easier to manage more than one twitter account from the twitter web interface I decided to add a specific account for amateur radio with the predictable name twitter.com/PE4KH. Amateur radio twitter is not completely free of politics, but it's a much saner view of twitter.
2020-05-25 Websites get attacked from the very first moment 6 months ago
Sometimes hobby and work intertwine when I'm not expecting it. I set up a domainname and added a dummy website for something related to amateur radio. I have no idea if it will go anywhere, but I thought I'd get the web configuration right. The domain name isn't published anywhere. But, to my surprise:
    18.104.22.168 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    22.214.171.124 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    126.96.36.199 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    188.8.131.52 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    184.108.40.206 - - [20/May/2020:09:15:12 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
    2a00:d680:30:50::67 - - [24/May/2020:16:54:36 +0200] "GET /wp-login.php HTTP/1.1" 404 594 "http://******.*******.**/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
I added the domain name and requested a LetsEncrypt certificate on 11 May 2020, and I set up the webserver correctly on 19 May 2020. The only 'publication' of the name is via the certificate transparency log. Somehow this is enough for the first probes for possible security issues. Looking in the haproxy logs finds even more requests on 15 and 18 May 2020. Part of the requests are via http, not https.
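The kind of first pass over a weblog that the two log excerpts on this page call for (this one and the nette.micro one further up), as an added example that is not from the blog: the crawler lines are dropped on user agent only, and every remaining request that hits a probe signature is tagged with it, so the scanner traffic can be counted apart from real visitors. The sample log, the documentation-range addresses in it and the signature list are constructed for the example; the log format is Apache's combined format.

```shell
#!/bin/sh
# Added example, not from the blog: tag and count scanner probes in an
# Apache-style access log after dropping self-declared crawlers.  The
# signature list is an assumption, meant to be extended from one's own logs.

# Constructed sample log in combined format; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [20/May/2020:09:14:35 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
192.0.2.11 - - [20/May/2020:09:14:53 +0200] "GET /.git/HEAD HTTP/1.0" 404 594 "-" "-"
2001:db8::67 - - [24/May/2020:16:54:36 +0200] "GET /wp-login.php HTTP/1.1" 404 594 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.51.100.5 - - [13/Oct/2020:00:17:34 +0200] "GET ////nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 404 747 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
203.0.113.9 - - [13/Oct/2020:00:20:01 +0200] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [13/Oct/2020:00:20:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [13/Oct/2020:08:11:09 +0200] "GET /directory/region/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 Chrome/86.0.4240.75 Mobile Safari/537.36"
EOF
}

# Print "<signature> <client> <status>" for every non-crawler request whose
# path matches a probe signature; everything else is passed over silently.
triage() {          # triage < access_log
    awk -F'"' '
        # with the quote as separator: $1 client+time, $2 request line, $3 status+size, $6 user agent
        tolower($6) ~ /bot|crawl|spider|slurp/ { next }
        {
            split($1, a, " "); client = a[1]
            split($2, r, " "); path = r[2]
            split($3, s, " "); status = s[1]
            sig = ""
            if (path ~ /\/\.git\//)                                 sig = "git-exposure"
            else if (path ~ /wp-login\.php|xmlrpc\.php|\/wp-admin/)  sig = "wordpress"
            else if (path ~ /callback=shell_exec|[?&]cmd=/)         sig = "rce-probe"
            else if (path ~ /\/\.env|\/\.svn\/|phpinfo\.php/)       sig = "secrets-probe"
            if (sig != "") print sig, client, status
        }'
}

# Hit count per signature: the number to look at first when reading weblogs.
triage_summary() {  # triage_summary < access_log
    triage | awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}
```

`triage < /var/log/apache2/access.log` lists each probe with its client address and response code (a 200 on a signature hit is the line that needs attention, the 404s are background noise), and `triage_summary` gives the per-signature totals. Filtering crawlers on user agent alone is deliberately crude: a scanner can claim any user agent, which is why the filter only removes lines and never adds trust.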
2020-05-12 Changing the CSS grid depending on screen size 6 months ago
A special feature I realized when working with the CSS grids is that I can change the order in which objects are displayed based on screen width. Or whether they appear at all on small screens. So now I'm working on stylesheets that change the grid to what works better on a mobile device. Which is what a lot of the visitors to Camp Wireless use! On a small screen I want the important content to come first. There is not enough space for the extras at the top, and a mobile visitor wants fast answers to the question "where can I find a campsite".
2020-05-06 I discovered the CSS grid model 6 months ago
On my todo-list is a rewrite of Camp Wireless to stop maintaining PHP and make it more mobile-device friendly. The reason to stop maintaining PHP is that I don't like it anymore, which gives me a risk of having insecure code, which would be really bad for me. I'm rewriting it in Perl, which isn't today's choice in web development either, but it is what I can program well enough to avoid security errors. The reason to make it more mobile-device friendly is that over half of the visitors to the site are using mobile devices. They want to find a campsite while travelling with a smartphone or other mobile device. I was already using CSS media selectors, with variations for print; I'm now looking at CSS grids, which allow me to divide the page into regions that move depending on the available screen size. This makes separating content from page layout even easier.
2020-05-05 Internal documentation of my home network 6 months ago
A few times I had to look up something again about the way things work in my setups. I made a remark before that I should set up a documentation wiki at home to keep this information somewhere central. Right before I started with the homeserver conway I set up Mediawiki on a webserver. First on the previous homeserver greenblatt, but as soon as web production was migrated to the new server I ran it on the web production server virtual machine. So for a lot of 'how did I' questions there are answers, and some future plans. Also for plans on the house and on amateur radio related things. People who know me from work will just say this is an extension of the trail of MediaWiki based documentation systems I left behind, and they are right.
2020-04-07 Troy Hunt: No I won't link to your spammy article 7 months ago
A recurring theme in rants here: link request spam written to look like a serious and personal request to improve an article on my site. Troy Hunt seems to get a lot of those too, so he wrote No, I Won't Link to Your Spammy Article. So we can now all stop doing stupid 'search engine optimization' and go back to sharing actual good content.
2019-10-20 Restored the webcam site and archives 1 year ago
I was looking at the overview of most requested but not available URLs and noticed there is still traffic to http://webcam.idefix.net/. For years that was the webcam site when I still had access to a reasonable location for putting up a webcam. First a good view at my previous house, and later a window with a good view from a server room at work. So I dug up the archived images and scripts, cleaned them up and made them available again. There are no fresh images, just the aged archives.
2019-09-08 A thumbs up for robust scripts 1 year ago
Today some of the letsencrypt certificates were older than 60 days, so the renewal script started to kick in. Last year I completely automated the certificate renewal of letsencrypt certificates with dehydrated and wrote some scripts around the renewal process with hopefully enough error handling. Today some of the error handling got tested, one renewal gave an error:
    + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 500)
And indeed the dehydrated script exited with an error status, the resulting (empty!) .crt file wasn't copied and nothing happened. On the next run of the renewal script this certificate will still be older than 60 days and therefore the renewal will be tried again.
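The checks such a renewal wrapper should run before it copies anything, as an added example that is not the author's script: an empty .crt like the one the failed new-order left behind, a certificate that does not belong to the private key, and a certificate that is about to expire all make the deploy step refuse, so the working certificate stays in place. File names, the combined key+certificate target file (the form haproxy reads) and the two self-signed test pairs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the author's renewal wrapper: refuse to install what the
# ACME client handed back unless it is a real certificate, belongs to the key
# and has enough lifetime left.  Paths and file names are assumptions.

# cert_is_deployable key.pem cert.pem [min_days_left] -> 0 when safe to install
cert_is_deployable() {
    _key=$1; _crt=$2; _days=${3:-7}
    [ -s "$_crt" ] || { echo "$_crt: empty or missing" >&2; return 1; }
    openssl x509 -in "$_crt" -noout 2>/dev/null \
        || { echo "$_crt: not a parseable certificate" >&2; return 1; }
    # key/certificate pairing: compare the public key (SubjectPublicKeyInfo),
    # which works for EC keys as well as RSA, unlike a modulus comparison
    _pub_crt=$(openssl x509 -in "$_crt" -noout -pubkey 2>/dev/null)
    _pub_key=$(openssl pkey -in "$_key" -pubout 2>/dev/null) \
        || { echo "$_key: not a readable private key" >&2; return 1; }
    [ "$_pub_crt" = "$_pub_key" ] \
        || { echo "$_crt: public key does not match $_key" >&2; return 1; }
    # -checkend exits 1 when the certificate expires within the given number of seconds
    openssl x509 -in "$_crt" -noout -checkend $((_days * 86400)) >/dev/null \
        || { echo "$_crt: expires within $_days days" >&2; return 1; }
}

# install_cert key.pem cert.pem /etc/haproxy/ssl/name.pem
# Writes the combined file via a temp file and rename, so a reload can never
# pick up a half-written file, and only after the checks above pass.
install_cert() {
    cert_is_deployable "$1" "$2" || return 1
    ( umask 077 && cat "$2" "$1" > "$3.tmp" ) && mv "$3.tmp" "$3"
}

# Constructed fixture (offline): a self-signed pair good for 90 days, a second
# pair that expires tomorrow, and the empty .crt a failed renewal leaves behind.
make_test_certs() { # make_test_certs dir -> dir/{good,short}.key, .crt and dir/empty.crt
    for _n in good:90 short:1; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=${_n%%:*}.example.test" -days "${_n##*:}" \
            -keyout "$1/${_n%%:*}.key" -out "$1/${_n%%:*}.crt" 2>/dev/null
    done
    : > "$1/empty.crt"
}
```

The order of the checks matters: size and parseability first (the empty file case), then the key pairing (a renewal that generated a fresh key while the deploy step still has the old one), then remaining lifetime. Each failure prints a reason to stderr and returns non-zero, so a cron wrapper can log it and leave the previous certificate untouched, which is exactly what the error handling above achieved for the empty .crt.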
2019-08-26 3000 items on my homepage and counting 1 year ago
I was just wondering about the number of newsitems on my homepage and did a check. An interesting value popped up: 3000. Yes, a round 3000 items since I started writing more than 20 years ago (or rather: 7456 days ago). I've created a virtual bookcase with an overview of books I like/read. Graphic created with Retro Wave. Hat tip to Wil Wheaton, who mentions 6584 days - Wil Wheaton dot net
2019-05-30 Improving mod_perl pages 1 year ago
I saw some parts in a site that were creating errors and trying to maintain old PHP code was an annoyance again. So I set up the project to port it all to mod_perl to be able to support it again. Not an easy project, and it will take a while. First work was on understanding the mod_perl registry which keeps scripts and perl interpreters running in Apache. I noticed I was getting old errors from scripts, which is because the mod_perl registry doesn't automatically reload scripts (to save file actions). This is not ideal on a development server and can be confusing on a production server. Solution: enable Apache2::Reload with
    # enable perl
    AddHandler perl-script .pl
    PerlResponseHandler ModPerl::Registry
    PerlInitHandler Apache2::Reload
Apache2::Reload stats the loaded modules on every request to see what changed, so it is meant for the development server and not for production. Now to write the right perl code...
2019-05-04 Considering enabling Server Name Indication (SNI) on my webserver 1 year ago
While making a lot of my websites available via HTTPS I started wondering about enabling Server Name Indication (SNI) because the list of hostnames in the one certificate (subjectAltName parameter) keeps growing and they aren't all related. So on a test system with haproxy I created two separate private keys, two separate certificate signing requests and requested two separate certificates. One for the variants of camp-wireless.org and one for most of the idefix.net names. The whole requesting procedure happened on the system where my automated renewal and deployment of LetsEncrypt certificates with dehydrated happens so the request went fine. For the configuration of haproxy I was following HAProxy SNI where 'terminating SSL on the haproxy with SNI' gets a short mention. So I implemented the configuration as shown in that document and got greeted with an error:
    haproxy[ALERT] 123/155523 (3435) : parsing [/etc/haproxy/haproxy.cfg:86] : 'bind :::443' unknown keyword '/etc/haproxy/ssl/webserver-idefix-main.pem'.
And found out that the crt keyword has to be repeated. This is why I like having a test environment for things like this. Making errors in the certificate configuration on the 'production' server will give visitors scary and/or incomprehensible errors. So the right configuration for my test is now:
    frontend https-in
        bind :::443 v4v6 ssl crt /etc/haproxy/ssl/webserver-campwireless.pem crt /etc/haproxy/ssl/webserver-idefix-main.pem
The order matters: haproxy serves the first crt listed to clients that send no SNI or a name matching none of the certificates. And testing it shows the different certificates in use when I use the -servername parameter for openssl s_client to test things.
    $ openssl s_client -connect testrouter.idefix.net:443 -servername idefix.net -showcerts -verify 3
    ..
    Server certificate
    subject=/CN=idefix.net
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ..
    Verification: OK
    $ openssl s_client -connect testrouter.idefix.net:443 -servername camp-wireless.org -showcerts -verify 3
    ..
    Server certificate
    subject=/CN=www.camp-wireless.org
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ..
    Verification: OK
The certificates are quite separate. Generating the certificate signing requests with a separate private key for each request works fine. So if I upgrade my certificate management to renew, transport, test and install multiple certificates for the main webserver it would work.
Read the rest of Considering enabling Server Name Indication (SNI) on my webserver
2019-01-12 Enabling some old web userdirs 1 year ago
I received a "complaint" that a very old site on the webserver wasn't working anymore. I am not a person to just stop something without planning that, so this was an oversight. It was one of the userdirs on idefix.net: Ivo van der Wijk who hasn't updated the page since 1994. No, really, not even the broken links. In restoring this one and the others I found that php in userdirs is disabled by default nowadays, found via PHP not working in userdir (public_html) - devPlant. Maybe a good idea, but I only enable php on virtualhosts where I want it, so I disabled that rule. I hadn't missed it on my own webspace yet, but a site like Het online dagboek van hester (Renate) in Australie (en daar in de buurt) depends on PHP completely. While I was looking for the reason the php failed I also noticed that /etc/apache2/mods-available/userdir.conf also has some configuration I do not appreciate, it enables userdirs globally when the module is loaded:
    <IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root
        <Directory /home/*/public_html>
            AllowOverride FileInfo AuthConfig Limit Indexes
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            Require method GET POST OPTIONS
        </Directory>
    </IfModule>
I disabled that part: I only want the userdir to work on specific virtual hosts.
2019-01-08 Seeing the 451: Unavailable due to legal reasons in the wild 1 year ago
Today I tried to follow a link to http://www.independentri.com/ but I got an error message:
    451: Unavailable due to legal reasons
    We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time
And indeed in the headers:
    $ lynx -head -dump http://www.independentri.com/
    HTTP/1.1 451 Unavailable For Legal Reasons
I see the real reason as 'not wanting to comply with European consumer protection laws'. I have no idea how many visitors the site is missing due to this regionblock but since it's a regional weekly newspaper in the United States of America: probably not a lot of the intended audience.