wto - Dave's Blog


Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I host my personal website on NearlyFreeSpeech.net and have just finished setting up TLS with a Let's Encrypt certificate. The process is a little more involved than the one-command story Let's Encrypt usually promises, so for anyone doing the same on NearlyFreeSpeech.net, here are my notes.

The standard Let's Encrypt client requires su/sudo access, which is not available on NearlyFreeSpeech.net's shared servers, and NFSN's web server doesn't have any Let's Encrypt plugins installed either. So I used the Let's Encrypt Without Sudo client. I followed the instructions on the tool's page, with one addition: pass the "--file-based" parameter to sign_csr.py. With that option the script tells you which challenge file to place under /.well-known/acme-challenge/ in your web root, instead of expecting you to run a temporary web server on port 80 as root, which shared hosting does not allow.

One thing the script doesn't produce is the chain file, the intermediate certificate that sits between your certificate and the Let's Encrypt root. The NFSN forum topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain it. The URL below was the current intermediate when I did this; Let's Encrypt rotates its intermediates, so make sure the one you fetch is the one named in your certificate's Issuer field:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted all HTTP requests to redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". TLS is terminated on NFSN's front end and the request is proxied to the server that runs your .htaccess, so the HTTPS variable is never what you expect there; you test the X-Forwarded-Proto header, in which the front end reports the scheme the client actually used.

RewriteEngine on
# TLS is terminated in front of this server, so test the scheme the proxy
# reports in X-Forwarded-Proto rather than the HTTPS variable.
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# Permanent redirect to the same host and path on https.
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as sending the Strict-Transport-Security header. However, the description in the above link didn't work for me because my site's NFSN realm isn't on the latest Apache yet, so instead I added the following to my .htaccess. Two things to keep in mind: browsers only honor the header when it arrives over HTTPS, so the redirect above has to be working first, and once a browser has cached the policy it will refuse plain HTTP to the site until max-age expires, so a mistake is not quickly undone. After I'm comfortable that everything is working well for a few days I'll turn max-age up to the recommended minimum of 180 days (15552000 seconds).

Header set Strict-Transport-Security "max-age=3600"

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.
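As an added example (not code from the post), here is a small offline checker for the three controls configured above: it takes a constructed plain-HTTP redirect response and the HTTPS response headers, verifies the redirect lands on the same host and path over https, parses Strict-Transport-Security and flags a max-age below 180 days or a missing includeSubDomains, and parses Content-Security-Policy to flag the two things the post had to remove, inline script and http: sources. The hostnames and header values are made up for illustration.

```python
"""Offline checker for an HTTP->HTTPS redirect, HSTS and CSP.
Added example, not code from the post; all responses below are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

SIX_MONTHS = 180 * 24 * 60 * 60  # 15552000 seconds, the max-age the post aims for


def parse_hsts(value: str) -> dict:
    """Parse an HSTS value; names are case-insensitive (RFC 6797) and empty
    directives (the trailing ';' in the post's header) are ignored.
    Returns {} when max-age is missing or malformed."""
    parsed: dict = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return {}
            parsed["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            parsed[name] = True
    return parsed if "max-age" in parsed else {}


def check_hsts(value: str, minimum: int = SIX_MONTHS) -> list[str]:
    """Findings for an HSTS header; an empty list means it meets the bar."""
    parsed = parse_hsts(value)
    if not parsed:
        return ["Strict-Transport-Security missing or has no valid max-age"]
    findings = []
    if parsed["max-age"] < minimum:
        findings.append(f"max-age={parsed['max-age']} is below {minimum} seconds (180 days)")
    if not parsed.get("includesubdomains"):
        findings.append("includeSubDomains not set; subdomains stay reachable over plain HTTP")
    return findings


def check_redirect(request_url: str, status: int, headers: dict) -> list[str]:
    """Check that a plain-HTTP request got a permanent redirect to the same
    host, path and query on https, which is what the RewriteRule produces."""
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308), got {status}")
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if location is None:
        return findings + ["no Location header"]
    want, got = urlsplit(request_url), urlsplit(location)
    if got.scheme != "https":
        findings.append(f"Location is not https: {location}")
    if (got.netloc, got.path, got.query) != (want.netloc, want.path, want.query):
        findings.append(f"redirect changes the target: {request_url} -> {location}")
    return findings


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value: str) -> list[str]:
    """Flag inline script and plaintext (http:) sources in a CSP."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src; fetch directives you did not list are unrestricted")
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline', which re-enables most XSS")
    for directive, sources in policy.items():
        for src in sources:
            if src.lower().startswith("http:"):  # "https:" does not match
                findings.append(f"{directive} allows plaintext source {src} (mixed content)")
    return findings


def audit(request_url: str, http_status: int, http_headers: dict, https_headers: dict) -> list[str]:
    """Run all three checks against the http response and the https response headers."""
    lowered = {k.lower(): v for k, v in https_headers.items()}
    findings = check_redirect(request_url, http_status, http_headers)
    findings += check_hsts(lowered.get("strict-transport-security", ""))
    findings += check_csp(lowered.get("content-security-policy", ""))
    return findings


# Constructed responses (not captured from the author's site): the post's
# starting point and where it ends up after tightening HSTS and CSP.
REQUEST = "http://example.com/page?x=1"
HTTP_RESPONSE = (301, {"Location": "https://example.com/page?x=1"})
INITIAL_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=3600;",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' http://cdn.example.net; img-src https: data:",
}
FINAL_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src https: data:",
}

if __name__ == "__main__":
    for label, hdrs in (("initial", INITIAL_HTTPS_HEADERS), ("final", FINAL_HTTPS_HEADERS)):
        print(label, audit(REQUEST, *HTTP_RESPONSE, hdrs) or ["no findings"])
```

Against the initial headers the checker reports five findings (short max-age, no includeSubDomains, no default-src, 'unsafe-inline' in script-src, and an http: script source); against the final ones it reports none. Swap the constructed responses for headers fetched from your own site to use it for real.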

After I was done I checked my site with SSL Labs' SSL Test to see what I might have done wrong or could improve. The first time through I hadn't included the chain file, which the SSL Test flagged: without the intermediate, a client that doesn't already have it cached cannot build a trust path from my certificate to the root. I added that file to the files I had already generated with the Let's Encrypt client, submitted another NFSN assistance request, and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

Tags: certificate csp hsts https lets-encrypt nearlyfreespeech.net

Tweet from David_Risney

2015 Nov 9, 9:28
Missing planet Vulcan predicted by Newtonian physics+Mercury's orbit. Decades of mistaken Vulcan sightings before GR http://www.theatlantic.com/science/archive/2015/11/science-doesnt-work-the-way-you-think-it-does/414744/ …

Tweet from David_Risney

2015 Mar 30, 10:52
Or from GitHub's POV, how else can you use this XSS? Example: Open a new window with info on howto subvert particular censorship. What else?

Retweet of linkalis

2015 Mar 15, 9:30
Was skeptical at first, but now I'm sold! "USB Type-C Explained: What It Is and Why You’ll Want it" http://www.howtogeek.com/211843/usb-type-c-explained-what-it-is-and-why-youll-want-it/ … @howtogeek

AbleGamers creates how-to accessibility guide for devs, publishers | Joystiq

2012 Sep 14, 4:20

A howto on making your video game accessible to those with disabilities (blind, color blind, deaf, etc)

The AbleGamers Foundation has created a 48-page document it hopes will serve as a how-to guide for game developers and publishers on how to create more accessible games. The in-depth guide by the disability non-profit covers in great detail how to make games available to those with varying degrees of mobility, hearing, visual and cognitive issues.

Tags: game technical video-game programming accessibility howto

MapReduce Patterns, Algorithms, and Use Cases

2012 Feb 10, 3:42

Tags: technical map-reduce programming howto

Vim anti-patterns (geek.nz)

2012 Feb 7, 11:58

Things you do in VIM but faster with more obscure and specific commands.

Tags: technical vi vim reference howto

Going Paper-Free for $220 / Steve Losh

2011 May 26, 1:17

Tags: howto paperless scanner ocr technical

DVD Ripping and Viewing in Windows Media Center

2010 Aug 17, 3:05

I've just got a new media center PC connected directly to my television with lots of hard-drive space, so I'm ripping a bunch of my DVDs to the PC so I don't have to fuss with the physical media. I'm ripping with DVD Rip, viewing the results in Windows 7's Windows Media Center after turning on the WMC DVD Library, and using a PowerShell script I wrote to copy over cover art and metadata.

My PowerShell script follows. To use it you must do the following:

  1. Run Windows Media Center with the DVD in the drive and view the disc's metadata info.
  2. Rip each DVD to its own subdirectory of a common directory.
  3. The subdirectory into which a DVD is ripped must have the same name as the DVD name in the metadata, except for characters that aren't allowed in Windows paths (e.g. <, >, ?, *, etc.).
  4. Run the script and pass the path to the common directory containing the DVD rips as the first parameter.

Running WMC and viewing the DVD's metadata forces WMC to fetch the metadata from the Internet and cache it locally. After playing with Fiddler and reading this blog post on WMC metadata, I wrote the following script, which copies the metadata and cover art from the WMC cache to the corresponding DVD rip directory.

Download copydvdinfo.ps1

Tags: powershell wmc technical tv dvd windows-media-center

Make: Online : How-To: Personal Applause Sign

2010 Jul 14, 10:24

This would be perfect to hook up to my automated test system. Every time new tests pass, the applause sign flashes.

Tags: applause sign howto

Access Hulu from Outside the U.S. Without a Proxy Server

2010 Jul 12, 7:11

How to get around Hulu's geographic filtering: use something like Fiddler to add the X-Forwarded-For header that HTTP proxies add, carrying an IP address associated with the physical location you want, and block outbound port 1935, which Flash uses for RTMP (see http://kb2.adobe.com/cps/164/tn_16499.html).

Tags: hulu proxy security tv howto technical

Mastering Windows Search using Advanced Query Syntax

2010 Mar 28, 4:29

Some interesting queries for Windows search, like size:>50MB, broadcastdate:2005, datetaken:6/12/2006.

Tags: windows search syntax win7 howto technical

Remove a Stripped Screw with a Rubber Band - Household - Lifehacker

2010 Feb 3, 3:18

Tags: diy tip howto screw rubber-band macgyver

Obama should back up Google with more than rhetoric: The US should challenge China’s “firewall” before the WTO. : First Amendment Coalition

2010 Jan 25, 5:25

"...file a complaint with the World Trade Organization, contesting China's internet censorship as a breach of the international trade rules to which China, as a WTO member, is subject. The US can argue that China's "Great Firewall"–a system of filters and bottlenecks that effectively shutters the country within its own intranet–is an illegal restraint on international trade because it bars foreign companies from competing, via the internet, in the vast Chinese market."

Tags: economics wto politics google china internet censorship us

The Answer Factory: Fast, Disposable, and Profitable as Hell | Magazine

2009 Oct 22, 12:33

"When asked for the most valuable topic in Demand's arsenal, he replies instantly: "'Where can I donate a car in Dallas?'"

Tags: via:kris.kowal wired internet video howto automation business media marketing economics advertising

How to Remove Caulk in 6 Easy Steps - Popular Mechanics

2009 Oct 18, 5:22

"Q: The caulk around my bathtub is peeling away in places, and it looks pretty ugly. How do I remove it and recaulk?"

Tags: howto diy home tool caulk shower bathtub tile

linkiblog | How to Build a Popularity Algorithm You can be Proud of

2009 Sep 9, 5:49

Tags: technical statistics algorithms howto social tutorial math popular reddit digg programming

Dive Into HTML 5 by Mark Pilgrim with illustrations from the Public Domain

2009 Aug 21, 3:26

"Dive Into HTML 5 seeks to elaborate on a hand-picked Selection of features from the HTML 5 specification and other fine Standards. I shall publish Drafts periodically, as time permits." Lovely design.

Tags: via:waxy reference programming howto design html5 typography mark-pilgrim html web development technical

Replace your T-Mobile voicemail with Google Voice visual mail | Android Atlas - CNET Blogs

2009 Aug 4, 7:00

Tags: google google-voice android phone cellphone voicemail hack howto technical

Changing The Ring Time On T-Mobile US Before VoiceMail Kicks In - Thoughts Media Forums

2009 Aug 3, 9:37

"If you have T-Mobile USA, you can program the time your phone rings before it rolls to voice mail, but it isn't at all intuitive."

Tags: tmobile cellphone phone voicemail howto

Creative Commons License: Some rights reserved.