Linux

Strong TLS Encryption at Alureon.net!

October 31, 2017 Apache, Linux, MySQL No comments

You may (or may not) have noticed that alureon.net is now served over strong TLS encryption!  This is a big win for me, as it’s always been something that has puzzled me.

You can check the certificate yourself in Chrome using Developer Tools

TLS in Chrome's developer tools

Aww yeah!

 

 

 

 

 

 

 

 

 

 

 

 

 

What Not To Do

Tempting as it might be, you apparently cannot self-sign a certificate and expect any browser not to freak out about it.

openssl req -x509 -new -nodes -key alureon.key -sha256 -days 1024 -out alureon.pem

(This opens up a whole new basket of problems with Subject Alternative Names as well.  Just don’t do it.)

Expecting users to click through the “INSECURE” prompts or install your root certificate seems a bit unreasonable in most cases.

What To Do

A buddy of mine pointed me over to https://letsencrypt.org/

Using certbot, I was able to get myself a legitimate, trusted cert (for free!) with little hassle.  I opted for:

certbot certonly --apache -w /srv/http -d www.alureon.net -d alureon.net

I answered a few questions, and it generated my SSL cert and key.  Super easy.  The only other steps are pretty much uncommenting the SSL module in httpd.conf.

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Also, you have to set up extra/httpd-ssl.conf to point to your new SSL cert and key.

SSLCertificateFile "/etc/letsencrypt/live/www.alureon.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.alureon.net/privkey.pem"

I opted for some other pretty extreme settings as well, forcing only the latest version of TLS.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC
SSLProtocol -all +TLSv1.2

Fixing Insecure Resource Requests

After you go full TLS, browsers still claim you’re insecure if you make any requests to insecure resources (resources not served over http).  This includes fonts, javascript, and even images.  I wanted the green Secure text in Chrome badly enough to go the extra mile, so I continued to fight the good fight.

I’m sure there’s a better way to do this, but I did

UPDATE wp_posts SET `post_content` = REPLACE (`post_content`, 'http', 'https');

This worked wonderfully, but it also changed the literal text “http” in all of my posts to “https”.  This had some funny side effects, but I think I changed everything that actually needed to be “http” back.  There was one post where I had pasted text of myself working in a directory named “/srv/http”.  It changed the directory name to “/srv/https”, which I though was kind of funny.

Forcing TLS at the Domain Level

This worked great for manually navigating using SSL (typing https:// in the browser), but I’m guessing most people aren’t going to do that.  How do we force them to use SSL at the domain level?

I found this hack on some random website, and it seems to work great (aside from appending an extra forward slash to my TLD).

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVERNAME}/$1 [R,L]

I just appended that to the bottom of my httpd.conf, and it worked!  If anyone knows a more efficient way, let me know.

Fun & Educational IT-Related Challenges

October 28, 2017 Linux, Programming No comments

I’ve decided to compile a list of fun and educational IT challenges out there.  Any challenge on this list I have either completed, or I’m still trying to complete in my spare time 🙂

NameDescriptionLocation
CryptopalsSolve cryptography challenges derived from weaknesses in real-world systems and modern cryptographic constructions. Use any programming language you wish.https://cryptopals.com
BanditSolve Linux-related challenges as you try to find the location of the ssh key to get to the next level. Early levels are very easy, and beginner-friendly, but the difficulty ramps up as you get further into the game.https://overthewire.org/wargames/bandit/

The Bash For Loop

July 15, 2017 Linux, Programming, Shell No comments

This week at work, I had been tasked to copy a directory in Linux 6 times, all with different names.

This, of course, is not that directory, but let’s pretend it is.

We want 6 copies of this, one for each employee

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Easy enough, just cp -r the directory 6 times, right?  Well, you could, but we always strive to be as clever and efficient as possible.

Let’s say for this example we need a copy of this directory for all 6 employees: David, Mark, Jeremy, Clyde, Warren, and Sam.

well, that won’t work

 

 

 

 

 

There’s a lot of things that surprisingly won’t work, mostly because the directories don’t exist.  We could make them, or, as my boss showed me, we could use a little for loop magic.

surprisingly simple!

 

 

 

 

Is it really all there?  Yes!  This is truncated, but you can see these users have a clone of the original directory.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

So how do I use this?

Well, the items you want to iterate through go after for x in

The command you want to execute goes after do and you use the variable $x to iterate through the items.

If we wanted to create 10 files named each letter of the alphabet, we would use

for x in a b c d e f g h i j; do touch $x; done

and you will have those files.  You can remove them with an equally simple line:

for x in a b c d e f g h i j; do rm $x; done

Shelled-out Commands

May 20, 2017 Programming, Shell No comments

So I remember shelling out commands in Java, and it was quite a process.  It turns out it’s essentially the same for Go.

In interpreted scripting languages like python or ruby, it’s not really something you have to put any thought into.


So because bash is a shell you don’t have to do anything.

#!/bin/bash

ls -l

Ruby supports backticks.

#!/usr/bin/env ruby

`ls -l`

In Python, you can call os.system()

#!/usr/bin/env python
import os

if __name__ == "__main__":
    os.system("ls -l")

So what about real programming languages? Well, there’s a little more involved to shell something out if you’re expecting the output much like an actual shell.


Using Go, I wrote this to shell out a command.

package main

import (
    "os/exec"
    "fmt"
    "bufio"
    "os"
)

func main() {
    // create command and arguments
    cmd := "ls"
    args := []string { "-l" }
    command := exec.Command(cmd, args...)

    // connect to stdout and stderr
    stdOutReader, err := command.StdoutPipe()
    checkErr("Error creating stdout pipe", err)
    stdErrReader, err := command.StderrPipe()
    checkErr("Error creating stderr pipe", err)

    stdOutScanner := bufio.NewScanner(stdOutReader)
    stdErrScanner := bufio.NewScanner(stdErrReader)

    go func() {
        for stdOutScanner.Scan() {
            fmt.Printf("%s\n", stdOutScanner.Text())
        }
    }()
    go func() {
        for stdErrScanner.Scan() {
            fmt.Printf("%s\n", stdErrScanner.Text())
        }
    }()

    // run the command
    err = command.Start()
    checkErr("Error starting command", err)

    err = command.Wait()
    checkErr("Error waiting for command", err)
}

func checkErr(msg string, err error) {
    if err != nil {
        fmt.Fprintln(os.Stderr, msg, err)
        os.Exit(1)
    }
}

Here’s the output of that program compared to ls -l

 

 

 

 

 


In reality, when simply using ls, we could have probably ignored stderr.  If you want stderr messages though, the code above will provide that output as well.

Fixing Pretty Permalinks with WordPress and Apache Web Server

March 26, 2017 Apache, Linux, WordPress No comments , , , ,

Apparently, in order to use pretty permalinks in WordPress, (with Apache Webserver…) you can’t simply “enable the option” in WordPress and expect it to work. You have to make the following changes to your httpsd.conf. In my case, this was located at /etc/httpsd/conf/httpsd.conf.

  1. Uncomment LoadModule rewrite_module modules/mod_rewrite.so
  2. Enable FollowSymLinks for your WordPress directory.
  3. Enable AllowOverride to either All or FileInfo. The relevant configurtion section for these steps is as follows:
        <Directory "/srv/https">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # https://httpsd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   AllowOverride FileInfo AuthConfig Limit
        #
        AllowOverride All

        #
        # Controls who can get stuff from this server.
        #
        Require all granted
        </Directory>

That should do the trick. The only other caveat is that WordPress needs a .htaccess as well. Fortunately, as long as WordPress has write permissions, it can make its own! I just restarted my web server and viola!