tee - Dave's Blog

Search
Mastodon

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

intoosteep: She died as she lived: walking down stairs checking Facebook statuses.

2015 Jan 17, 6:59
Claire Ayoub @intoosteep :
She died as she lived: walking down stairs checking Facebook statuses.
PermalinkComments

MotherJones - Meet the people behind the Wayback Machine, one of...

2014 Jun 1, 4:16


MotherJones - Meet the people behind the Wayback Machine, one of our favorite things about the internet

PermalinkCommentstechnical internet-archive

exec($_GET

2014 Apr 29, 8:27

Does it betray my innocence that I’m shocked by the amount of exec($_GET you can easily find on github? Hilarious comment thread on hacker news: 

This is awful. Shell commands are not guaranteed to be idempotent, people! These should all be of the form exec($_POST, not exec($_GET.

ephemeralgomi

PermalinkCommentshumor security http php technical

C++ constructor member initializers run in member declaration order

2013 Jul 18, 3:29PermalinkCommentsc++ development programming technical

Google Street View Hyperlapse

2013 Apr 17, 2:00PermalinkCommentsVimeo webgl hyperlapse googlestreetview teehanandlax

Jeopardy! - The Exciting (And Amusing) Teen Tournament...

2013 Feb 21, 4:02


Jeopardy! - The Exciting (And Amusing) Teen Tournament Conclusion (Feb. 12, 2013) (by thechadmosher)

Leonard on Teen Jeopardy was the best.

PermalinkCommentshumor tv jeopardy

laughingsquid: Amp Tee, A Geeky T-Shirt Bringing Together Music...

2012 Sep 18, 2:37


laughingsquid:

Amp Tee, A Geeky T-Shirt Bringing Together Music And HTML Code

PermalinkCommentshumor html ampersand amp shirt t-shirt

wired: cnet: Mp3 playing retainer transmits music through your...

2012 Jul 3, 2:31




wired:

cnet:

Mp3 playing retainer transmits music through your teeth:

Bone conduction audio, retainers, and shiny hip-hop teeth grills aren’t new inventions, but tech hacker Aisen Caro Chacin had the clever idea to put them all together.

The Play-A-Grill MP3 player prototype fits in your mouth like a retainer, shines on the outside like a precious metal rap grill, and plays music through bone conduction through your teeth.

Read more

Oh man, this would have made puberty just a touch cooler. Maybe. 

PermalinkCommentshumor mp3 tech

Microsoft Surface: a gentle kick in the teeth of the OEMs | Ars Technica

2012 Jun 25, 12:59

But if Surface is aimed at the OEMs—telling them “we can do this just as well as you can, if we have to”—and setting them a challenge—”your tablets have to be at least this good”—then the limited availability isn’t necessarily such a big deal. As long as the OEMs heed the warning and raise their game, so that Redmond can be assured that bad hardware won’t jeopardized Windows 8’s success, Microsoft could safely keep Surface operating as a small-scale operation, playing the Nexus role without upsetting the PC market.

PermalinkCommentstechnical surface win8 windows windows8 business

EFF White Paper Outlines How Businesses Can Avoid Assisting Repressive Regimes

2012 Apr 18, 6:24

A House subcommittee has passed the Global Online Freedom Act (GOFA), which would require disclosure from companies about their human rights practices and limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to countries designated as “Internet-restricting.”

PermalinkCommentstechnical human-rights eff software government law surveillance

European Parliament Blocks Copyright Reform With 113% Voter Turnout (falkvinge.net)

2012 Mar 15, 4:05

Hmmm

This rather embarrassing issue was pointed out to the committee, the fact that there were three votes too many, and that these three votes determined the outcome. When this was done, along with formally requesting a re-vote, that re-vote on the points in question was denied.”

PermalinkCommentscopyright legal europe law

Web Worker Initialization Race

2012 Feb 24, 1:44

Elaborating on a previous brief post on the topic of Web Worker initialization race conditions, there's two important points to avoid a race condition when setting up a Worker:

  1. The parent starts the communication posting to the worker.
  2. The worker sets up its message handler in its first synchronous block of execution.

For example the following has no race becaues the spec guarentees that messages posted to a worker during its first synchronous block of execution will be queued and handled after that block. So the worker gets a chance to setup its onmessage handler. No race:

'parent.js':
var worker = new Worker();
worker.postMessage("initialize");

'worker.js':
onmessage = function(e) {
// ...
}

The following has a race because there's no guarentee that the parent's onmessage handler is setup before the worker executes postMessage. Race (violates 1):

'parent.js':
var worker = new Worker();
worker.onmessage = function(e) {
// ...
};

'worker.js':
postMessage("initialize");

The following has a race because the worker has no onmessage handler set in its first synchronous execution block and so the parent's postMessage may be sent before the worker sets its onmessage handler. Race (violates 2):

'parent.js':
var worker = new Worker();
worker.postMessage("initialize");

'worker.js':
setTimeout(
function() {
onmessage = function(e) {
// ...
}
},
0);
PermalinkCommentstechnical programming worker web-worker html script

How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did (forbes.com)

2012 Feb 17, 12:17

What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance.

“If we send someone a catalog and say, ‘Congratulations on your first child!’ and they’ve never told us they’re pregnant, that’s going to make some people uncomfortable,” Pole told me. “We are very conservative about compliance with all privacy laws. But even if you’re following the law, you can do things where people get queasy.”

PermalinkCommentsad target pregnancy humor privacy

What a cool idea! (via Mad Science Monday: Never Visit The...

2012 Feb 16, 5:43


What a cool idea!

(via Mad Science Monday: Never Visit The Dentist Again)

PermalinkCommentshumor teeth dentist video bow-and-arrow

Bug Spotting: Smart pointers and parameter evaluation order

2011 Oct 19, 5:58PermalinkCommentsc++ technical bug programming smart-pointer cpp

Playable Archaeology: An Interview with Telehack's Anonymous Creator - Waxy.org

2011 Jun 20, 2:25I knew it was a game but still felt bad war-dialing and otherwise messing around in there. What if I accidentally find a way out? "Telehack is the most interesting game I've played in the last year... a game that most users won't realize is a game at all. It's a tour de force hack — an interactive pastiche of 1980s computer history, tying together public archives of Usenet newsgroups, BBS textfiles, software archives, and historical computer networks into a multiplayer adventure game." Also, see all the accounts of people finding their teenage selves in the game.PermalinkCommentsinternet technical development hack telnet wardial game

clip.exe - Useful tool I didn't know shipped with Windows

2011 May 26, 11:00

When you run clip.exe, whatever comes into its standard input is put onto the clipboard. So when you need to move the result of something in your command window somewhere else you can pipe the result into clip.exe. Then you won't have to worry about the irritating way cmd.exe does block copy/pasting and you avoid having to manually fixup line breaks in wrapped lines. For instance, you can put the contents of a script into the clipboard with:

more cdo.cmd | clip

I've got a lot of stuff dumped in my bin folder that I sync across all my PCs so I didn't realize that clip.exe is a part of standard Windows installs.

Nice for avoiding the block copy in cmd.exe but I'd prefer to have the contents sort of tee'd into the clipboard and standard output. So TeeClip.ps1:

$input | tee -var teeclipout | clip;
$teeclipout;
PermalinkCommentspowershell clip tool clipboard cli technical windows tee

RFC 3797 - Publicly Verifiable Nominations Committee (NomCom) Random Selection

2010 Dec 13, 11:12Used to generate publicly verifiable random numbers. For instance to pick 'xn--' for the IDN prefix from a set of prefixes, they decided on a hash, a set of stocks and a time in the future to generate the hash from the stock values. The resulting value is random and anyone can check the work to verify that it was chosen randomly.


Although, now looking back from the future I can't verify that they didn't generate this data after the stock quotes came out. And they're using MD5...PermalinkCommentsrfc algorithm random election ietf technical

C-SPAN Video Player - House Judiciary Subcmte. Hearing on Immigration and Farm Labor

2010 Sep 24, 8:38"Comedian Stephen Colbert joined the panel of witnesses at a House hearing on immigrant farm workers. Mr. Colbert has partnered with United Farm Workers and their campaign calling on unemployed Americans to take jobs in the agriculture sector. The organization's president, Arturo Rodriguez, also testified at the Judiciary Subcommittee on Immigration and Border Security hearing chaired by Rep. Zoe Lofgren (D-CA).
Washington, DC : 2 hr. 10 min."PermalinkCommentshumor video stephen-colbert politics immigration farm labor house
Older Entries Creative Commons License Some rights reserved.