sport - Dave's Blog


Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic "provide certificates to NFSN". After copying the files and setting their permissions as described in that topic, you submit an assistance request. For me it was only 15 minutes later that everything was set up.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You test the X-Forwarded-Proto header instead of the HTTPS variable because of how NFSN's virtual hosting is set up: TLS is terminated in front of your Apache instance, so the request reaches it as plain HTTP with the original scheme carried in that header.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;"
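An offline check for the two settings above, added here as an example and not part of the original post: it parses a Strict-Transport-Security value the way a browser does, flags a max-age below the 180-day target the post mentions, and checks that a plain-HTTP response is a 301 to an https:// URL. The sample responses and the host example.invalid are constructed.

```python
import re

RECOMMENDED_MIN_MAX_AGE = 180 * 24 * 3600  # the post's 180-day target, in seconds

def parse_hsts(value):
    """Split an HSTS value into lowercase directive names and values; directives are
    ';'-separated and case-insensitive, so the post's trailing ';' is harmless."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def hsts_findings(value):
    """Return a list of problems with an HSTS header value (empty means fine)."""
    d = parse_hsts(value)
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        return ["max-age must be present and a non-negative integer"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget this host's HSTS state")
    elif max_age < RECOMMENDED_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the 180-day recommended minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains remain unprotected")
    return findings

def check_response(scheme, status, headers):
    """Judge one response for the scheme the client used ('http' or 'https'); on NFSN
    the origin sees that scheme as X-Forwarded-Proto, hence the post's RewriteCond."""
    h = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        loc = h.get("location", "")
        if status != 301 or not loc.startswith("https://"):
            return [f"plain-HTTP request not redirected to https (got {status} {loc!r})"]
        return []  # browsers ignore HSTS sent over plain HTTP, so it is not required here
    if "strict-transport-security" not in h:
        return ["HTTPS response carries no Strict-Transport-Security header"]
    return hsts_findings(h["strict-transport-security"])

# Constructed sample responses for an imaginary host (not captured from any real site)
HTTP_RESPONSE = (301, {"Location": "https://example.invalid/index.html"})
HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=3600;"})
```

Running check_response on HTTPS_RESPONSE reports the post's interim max-age=3600 as below the 180-day minimum, which is the same complaint SSL Labs makes until the value is raised.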

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Labs' SSL Test to see what I might have done wrong or what needed improving. The first time I went through these steps I hadn't included the chain file, which the SSL Test told me about. I was able to add that file alongside the files I had already generated with the Let's Encrypt client, submit another NFSN assistance request, and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

Tags: certificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of ErrataRob

2015 Aug 21, 8:43
Nothing says "elite hacker" like sporting a pager pic.twitter.com/E8BwL9iQqq

"HTTP Strict Transport Security (HSTS)" - Jeff Hodges, Collin Jackson, Adam Barth

2011 Nov 14, 5:28

Tags: technical https ietf

Eric Lawrence and Adam Barth on Strict-Transport-Security

2011 Aug 22, 9:27

Tags: https http http-header technical strict-transport-security browser

Thought Experiments and Design Principles

2010 Jan 29, 3:54

Raymond Chen has some thought experiments useful for discovering various kinds of stupidity in software design:

Tim Berners-Lee's principles of Web design include my favorite: the Test of Independent Invention. It has a thought experiment involving the construction of the MMM (Multi-Media Mesh) with MRIs (Media Resource Identifiers) and MMTP (Multi-Media Transport Protocol).

The Internet design principles (RFC 1958) include the Robustness Principle: be strict when sending and tolerant when receiving. A good one, but applied too liberally it can lead to interop issues. For instance, consider web browsers. Imagine one browser becomes so popular that web devs create web pages and just test their pages in this popular browser. They don't ensure their pages conform to standards and accidentally end up depending on the manner in which this popular browser tolerantly accepts non-standard input. This non-standard behavior ends up as the de facto standard, and future updates to the official standard essentially have their decisions made for them.

Tags: technical design principles software development

Emanuel Derman's Blog: Trading Places

2009 Dec 31, 1:50

Har har: "I had a fantasy in which the Fed and the TSA (Transportation Security Administration) switched roles. If a bank failed at 9 a.m. one morning and shut its doors, the TSA would announce that all banks henceforth begin their business day at 10 a.m. And, if a terrorist managed to get on board a plane between Stockholm and Washington, the Fed would increase the number of flights between the cities."

Tags: economics humor airplane emanuel-derman tsa fed government

Welcome | Virgin Galactic

2009 Dec 8, 1:53

Supervillain Richard Branson narrates his Virgin Galactic video in which he describes his future domination of all of space.

Tags: video science richard-branson virgin-galactic space tourism transportation

Faceball: your face, our balls

2009 Nov 20, 2:42

A sport for the office from Yahoo!. Played between two people: whoever lands more consecutive hits on the other's face with a ball wins.

Tags: humor video game ball flickr sport yahoo office

hackademix.net » Strict Transport Security in NoScript

2009 Sep 24, 3:51

A proposed new HTTP header 'X-Force-TLS' to indicate that a site only wants to be reached over HTTPS.

Tags: http header security https extension noscript web browser webbrowser

The Electric Unicycle

2009 Jul 31, 6:04

An electric unicycle controlled in a manner similar to the Segway.

Tags: humor photo unicycle transportation segway diy hardware howto via:swannman

Hot Tub Time Machine | Film | A.V. Club

2009 Jul 24, 11:56

New movie Hot Tub Time Machine: "Craig Robinson, John Cusack, Rob Corddry, and Clark Duke are transported back to 1986 in a magical hot tub. So crazy it just might work? Elaborate joke?"

Tags: humor time-travel hot-tub movie video preview

Onion Store - The Sports Team From My Area Is Superior To The Sports Team From Your Area

2009 Jun 25, 12:33

A shirt from the Onion store reading 'The Sports Team From My Area Is Superior To The Sports Team From Your Area'. Humor!

Tags: humor onion tshirt wishlist sports purchase

Aimee Mullins | Profile on TED.com

2009 Mar 14, 10:23

TED talks from Aimee Mullins, mostly on the topic of her prosthetic legs. The two talks are eleven years apart and you can note the advances in tech. "A record-breaker at the Paralympic Games in 1996, Aimee Mullins has built a career as a model, actor and activist for women, sports and the next generation of prosthetics."

Tags: aimee-mullins video ted prosthetic body-mod via:boingboing

Chessboxing

2009 Feb 2, 11:52

"Chessboxing: Created in 2003 by Dutch artist Iepe Rubingh, chess boxing has 11 rounds of alternated boxing and chess. In first round, which lasts four minutes, contestants initiate the chess match. A two-minute boxing round follows. Rounds alternate until one of the players gets a checkmate or a knockout."

Tags: humor art chess boxing sport via:boingboing video youtube

Hairy robot sports dancing eyes - Short Sharp Science - New Scientist

2009 Jan 19, 3:14

Researchers make another dancing robot. It's sort of owl-like.

Tags: keepon robot dancing music humor video

Google LatLong: New ways to get around with the Transit Layer

2009 Jan 14, 2:03

Google Maps now has a public transit route finder. It would have been useful in Munich and certainly will be useful here at home, since they cover the Seattle area including the east side. "I'm pleased to announce the launch of the Transit Layer on Google Maps in more than 50 cities around the world making it easier for citizens and tourists around the globe to access public transportation line information in their cities."

Tags: google map travel bus traffic seattle redmond munich transportation maps public-transportation transit

Swarmbots team up to transport child

2009 Jan 13, 12:30

A swarm of robots drag a child across the floor. The future is now! "In the meantime, the video below shows that an army of swarmbots belonging to researchers at the Ecole Polytechnique Federale de Lausanne in Switzerland can work together to pull off quite a feat - transporting a small girl across the floor."

Tags: video humor robot robots drag

obstcp - Google Code

2008 Oct 14, 11:14

Similar in concept to the Pirate Bay suggestion of encrypting all TCP/IP connections if both server and client support it: "Obfuscated TCP is a transport layer protocol that adds opportunistic encryption. It's designed to hamper and detect large-scale wiretapping and corruption of TCP traffic on the Internet."

Tags: internet tcp encryption security google privacy opensource cryptography network ssl

The Future of Driving, Part I: Robots and Grand Challenges: Page 1

2008 Oct 13, 2:35

"The robotics community outdid itself once again at DARPA's 2007 Urban Challenge. This contest featured all the challenges of the original Grand Challenge, along with a few new ones: the vehicles navigated a simulated urban environment and were required to interact with human-driven vehicles while obeying all traffic laws. Six teams successfully completed the course, with Boss, a car developed at Carnegie Mellon, claiming the prize." Sure, sure, but when will they fly?

Tags: article robot car science technology transportation ai

YouTube - Tiger Woods 09 - Walk on Water

2008 Aug 22, 1:25

This is the best its-not-a-bug-its-a-feature ever: "As a response to a fan video from Tiger Woods PGA TOUR 08, Tiger Woods and EA SPORTS demonstrate that the "glitch" Levinator25 thought he found in the game, is not a glitch at all."

Tags: tiger-woods golf video videogame jesus humor
Creative Commons License. Some rights reserved.