faq - Dave's Blog

Search

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Sci-fi short stories disguised as Internet docs

2013 May 29, 2:48
The recent short story Twitter API returning results that do not respect arrow of time by Tim May written as a Twitter bug report reminded me of a few other short sci-fi stories written in the style of some sort of Internet document:
PermalinkCommentscsc fiction sci-fi Scifi time-travel twitter

NOAA FAQ - "Why don't we try to destroy tropical cyclones by nuking them?"

2012 Nov 5, 5:28

This sounds like an Onion article but is actually a real article on NOAA’s website describing why we can’t use nukes to destroy tropical storms. This in the frequently asked questions.

PermalinkCommentshumor storm nuke noaa

Comcast DNSSEC Trial FAQs

2010 Feb 25, 4:10Comcast is running an opt-in DNSSEC trial for all Comcast customers. Their FAQ covers the incompat. of DNSSEC with their Comcast Domain Helper (typo DNS redirects to Comcast ads... bleh!): "What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC? We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC. Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented." Yay!PermalinkCommentsdns dnssec comcast faq internet ip security technical

Exuberant Ctags FAQ

2009 Dec 14, 9:36Find all references to a function, type, etc.PermalinkCommentsctags faq vim cscope code development technical programming

Stroustrup: C++ Style and Technique FAQ

2009 Sep 30, 5:12Bjarne Stroustrup answers the age old style questions like "int *p or int* p?" and "const int a or int const a?"PermalinkCommentsreference c++ faq style coding programming bjarne-stroustrup technical

Infrared Paint Link Roundup

2009 May 29, 2:50

I like the idea of QR codes, encoding URLs and placing them on real world objects, but the QR codes themselves are kind of ugly. To make them less obvious I thought I could spray QR codes on to an object with an infrared reflective paint and shine infrared light on the QR codes, since most cameras, for instance the camera in my G1 phone, pick up infrared that our eyes do not.

In my search for infrared paint I've found a seller of IR ink (via programming forum) and an Infrared Paint Recipe (via IR FAQ).

In looking for this paint I've found that it comes up a lot in relation to the military for things like paint markers that are visible at night with proper equipment, and paint that absorbs IR light to make vehicles less obvious to night vision goggles. Even though the first reflects infrared light and the second absorbs it websites end up refering to both as infrared paint which made it difficult to search.

Additionally I found links to some other geeky infrared projects:

PermalinkCommentsir paint technical ir infrared qr qr code

Presidential Election 2008 FAQ

2008 Oct 13, 10:53"This is an FAQ (Frequently Asked Questions list) for the 2008 United States Presidential Election. I need to disclose up front that I am an Obama supporter. However, with the exception of the very last question, this FAQ is designed as a collection of factual information (such as the latest poll results) and of analysis that is as objective as possible."PermalinkCommentsvia:kris.kowal politics election obama mccain

rec.arts.sf.science qdFAQ

2008 Aug 26, 3:42Links to write ups on how much energy it would take to destroy the Earth or at least make it inhabitable in various fashions: "Destroying the Earth, It is often asked what it would take to shatter the Earth into little pieces. Erik Max Francis gives a rough answer. A less drastic measure would be to sterilise it by heating the outside. Brian Davis does the arithmetic, but I think he should have calculated what it would take to boil the oceans, which is a few thousand times more by my BotEC. Occasionally it is asked what would happen if you shot a fast-moving projectile at the Earth; I've written something up."PermalinkCommentsscifi science math

Amorphia Apparel - Look on my shirts, ye mighty, and despair!

2008 Jun 17, 5:52More awesome t-shirts. I like the scientist rocking out, 'Moai (All Ears)', and 'I bought this on the internet!'. Also the FAQ is pretty hilarious.PermalinkCommentsart clothing humor geek science tshirts purchase shopping shirt

Zelda II: The Adventure of Link World Map - IGN FAQs

2008 Jun 1, 4:56World map of Zelda IIPermalinkCommentszelda nintendo videogame map faq zelda2

Paper Mario: The Thousand-Year Door FAQs - Paper Mario: The Thousand-Year Door Walkthroughs - Paper Mario: The Thousand-Year Door Guides

2008 May 4, 12:07Paper Mario the Thousand Year Door Guides. Having finished the game its fun to see various hidden things...PermalinkCommentsfaq game mario videogame walkthrough howto paper-mario

NearlyFreeSpeech.NET FAQ

2008 Mar 17, 5:54NearlyFreeSpeech's FAQ about what their webhosting includes.PermalinkCommentsweb webhosting hosting faq

IPv6 Roundup: Address Syntax on Windows

2008 Jan 9, 11:34

IPv6 address syntax consists of 8 groupings of colon delimited 16-bit hex values making up the 128-bit address. An optional double colon can replace any consecutive sequence of 0 valued hex values. For example the following is a valid IPv6 address: fe80::2c02:db79

Some IPv6 addresses aren't global and in those cases need a scope ID to describe their context. These get a '%' followed by the scope ID. For example the previous example with a scope ID of '8' would be: fe80::2c02:db79%8

IPv6 addresses in URIs may appear in the host section of a URI as long as they're enclosed by square brackets. For example: http://[fe80::2c02:db79]/. The RFC explicitly notes that there isn't a way to add a scope ID to the IPv6 address in a URI. However a draft document describes adding scope IDs to IPv6 addresses in URIs. The draft document uses the IPvFuture production from the URI RFC with a 'v1' to add a new hostname syntax and a '+' instead of a '%' for delimiting the scope id. For example: http://[v1.fe80::2c02:db79+8]/. However, this is still a draft document, not a final standard, and I don't know of any system that works this way.

In Windows XPSP2 the IPv6 stack is available but disabled by default. To enable the IPv6 stack, at a command prompt run 'netsh interface ipv6 install'. In Vista IPv6 is the on by default and cannot be turned off, while the IPv4 stack is optional and may be turned off by a command similar to the previous.

Once you have IPv6 on in your OS you can turn on IPv6 for IIS6 or just use IIS7. The address ::1 refers to the local machine.

In some places in Windows like UNC paths, IPv6 addresses aren't allowed. In those cases you can use a Vista DNS IPv6 hack that lives in the OS name resolution stack that transforms particularly crafted names into IPv6 addresses. Take your IPv6 address, replace the ':'s with '-'s and the '%' with an 's' and then append '.ipv6-literal.net' to the end. For example: fe80--2c02-db79s8.ipv6-literal.net. That name will resolve to the same example I've been using in Vista. This transformation occurs inside the system's local name resolution stack so no DNS servers are involved, although Microsoft does own the ipv6-literal.net domain name.

MSDN describes IPv6 addresses in URIs in Windows and I've described IPv6 addresses in URIs in IE7. File URIs in IE7 don't support IPv6 addresses. If you want to put a scope ID in a URI in IE7 you use a '%25' to delimit the scope ID and due to a bug you must have at least two digits in your scope ID. So, to take the previous example: http://[fe80::2c02:db79%2508]/. Note that its 08 rather than just 8.

PermalinkCommentsroundup ip windows ipv6 technical microsoft boring syntax

Theme Options

2007 Dec 24, 12:41These days it seems like there's a social sharing website for everything representable as bits. Like Scribd for (mostly legal) documents, SciVee for scientific research videos, Wordie for words, and Kuler for color themes. Kuler seems like a ridiculous website (overkill) but I had been meaning to update my homepage's color design and Kuler has an RSS based REST API. The API lets you obtain things like the most recently added color themes or the most popular or all themes containing the color dark red, etc... So of course rather than update my website's design I hooked up my css to the color themes coming out of Kuler. Select my main page's color theme from a list of random Kuler themes. As I'm sure the regular readers can guess I use an xslt and blah blah blah... It looks OK with Silver Surfer and Happy Hipo but in general changing the colors this way doesn't produce something pretty.

When reading about Kuler I found that they may have stolen the whole idea wholeslae from ColourLovers. They discuss the thievery in an article on their blog. I would have switched over to ColourLovers out of principle but they don't have an easily accessible API.PermalinkCommentscolourlovers color xslt theme homepage technical kuler design

How do I download all of my journal entries? - FAQ Question #8 - LiveJournal FAQ

2007 Jul 25, 10:08LiveJournal's FAQ describes how to download all of your blog entries. Seems like a good idea after LiveJournal disappeared for the day yesterday.PermalinkCommentsbackup howto livejournal blog

BashFaq - Greg's Wiki

2007 Mar 19, 10:54Tutorials and examples for making scripts for the Unix shell Bash.PermalinkCommentshowto linux bash reference shell script tutorial programming tips

IPv6 for Microsoft Windows: Frequently Asked Questions

2007 Jan 16, 6:02How to enable your IPv6 stack on Windows XP.PermalinkCommentshowto reference windows ipv6 faq install

FAQ - UTF-8, UTF-16, UTF-32 & BOM

2006 Jun 21, 12:22Unicode Byte Order Mark FAQPermalinkCommentsunicode encoding bom language

Grand Theft Auto: San Andreas (PS2) Full FAQ and Walkthrough

2005 Mar 27, 6:01Full walkthrough of GTA3: SAPermalinkCommentswalkthrough gta game
Older Entries Creative Commons License Some rights reserved.