apache - Dave's Blog

Search

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Bootstrap 2 released

2012 Feb 1, 9:28

An HTML and CSS UI framework - common icons and layout necessary for web apps - all free under Creative Commons BY and Apache 2

PermalinkCommentscss html creative-commons cc technical

URI Empty Path Segments Matter

2011 Nov 23, 11:00

Shortly after joining the Internet Explorer team I got a bug from a PM on a popular Microsoft web server product that I'll leave unnamed (from now on UWS). The bug said that IE was handling empty path segments incorrectly by not removing them before resolving dotted path segments. For example UWS would do the following:

A.1. http://example.com/a/b//../
A.2. http://example.com/a/b/../
A.3. http://example.com/a/
In step 1 they are given a URI with dotted path segment and an empty path segment. In step 2 they remove the empty path segment, and in step 3 they resolve the dotted path segment. Whereas, given the same initial URI, IE would do the following:
B.1. http://example.com/a/b//../
B.2. http://example.com/a/b/
IE simply resolves the dotted path segment against the empty path segment and removes them both. So, how did I resolve this bug? As "By Design" of course!

The URI RFC allows path segments of zero length and does not assign them any special meaning. So generic user agents that intend to work on the web must not treat an empty path segment any different from a path segment with some text in it. In the case above IE is doing the correct thing.

That's the case for generic user agents, however servers may decide that a URI with an empty path segment returns the same resource as a the same URI without that empty path segment. Essentially they can decide to ignore empty path segments. Both IIS and Apache work this way and thus return the same resource for the following URIs:

http://exmaple.com/foo//bar///baz
http://example.com/foo/bar/baz
The issue for UWS is that it removes empty path segments before resolving dotted path segments. It must follow normal URI procedure before applying its own additional rules for empty path segments. Not doing that means they end up violating URI equivalency rules: URIs (A.1) and (B.2) are equivalent but UWS will not return the same resource for them.
PermalinkCommentsuser agent url ie uri technical web browser

Map/Reduce Tutorial

2009 Oct 6, 3:24The map/reduce tutorial for Hadoop the Apache open source project. "Hadoop Map/Reduce is a software framework for easily writing applications which process vast amounts of data (multi-terabyte data-sets) in-parallel on large clusters (thousands of nodes) of commodity hardware in a reliable, fault-tolerant manner."PermalinkCommentshadoop mapreduce java software programming opensource database distributed google yahoo apache technical todo

5 useful url rewriting examples using .htaccess

2008 Apr 10, 8:14"In this post, I've given five useful examples of URL rewriting using .htacess."PermalinkCommentshtaccess apache linux reference uri url example blog article

Configuring Awstats with Apache 2 on Ubuntu

2007 Feb 20, 5:39More hints on setting up awstats.PermalinkCommentsapache howto linux server statistics web awstats article ubuntu

Creating a self-signed SSL certificate: Ubuntu

2007 Feb 7, 5:38A howto on creating a self-signed cert for your webpage on Ubuntu.PermalinkCommentslinux ssl ubuntu howto apache tutorial https certificate privacy encryption CA

Awstats on Debian

2007 Jan 28, 9:08How to install AWStats on your Debian Linux distro.PermalinkCommentsdebian awstats linux apache statistics install server

Apache HTTP Server Version 2.2 Documentation - Apache HTTP Server

2007 Jan 11, 12:28Apache HTTP Server running on my new server. Fun.PermalinkCommentsapache api open-source opensource reference http documentation server

New Server

2007 Jan 9, 6:08Ever since the power outage from mid December my web server has been down. So sad. Now thanks to Eric I've got a new server. Apache isn't configured quite right yet so several things won't be working (like vizicious or anything else that runs code).PermalinkCommentsapache server homepage

Hardening Linux Web Servers

2006 Jun 30, 2:01PermalinkCommentslinux security howto server web apache internet tutorial

Apache Ant User Manual

2005 Apr 3, 7:14User Manual for Ant the make program for JavaPermalinkCommentsapache ant make java development
Older Entries Creative Commons License Some rights reserved.