Archive for the hosting Category

SSLChecker a script to avoid expired Letsencrypt certificates

Saturday, May 4th, 2019 | Permalink

Letsencrypt is a wonderful, simple and cost-free way to encrypt your SSL traffic.
Since its start it has helped protect the data privacy of millions of websites. One of the downsides of Letsencrypt is the limited time a certificate is valid: every three months you need to renew your certificates, otherwise your users will see a warning page in their browsers.

But not only Letsencrypt users struggle with expiring certificates. Bigger organisations also face the same problem every now and then, just with a different twist. The more servers and components run SSL and need certificates, the more people tend to buy certificates with long validity periods. That means on one hand you only have to touch all these systems every couple of years, but on the other hand the probability grows that the colleague who installed the cert is not around anymore. The result is partially failing systems and people under pressure trying to fix them system by system.

As I am running multiple servers and also multiple domains, I created a small Python script called SSLChecker which notifies you via email 30, 14, 3 and one day before a certificate expires.

It can handle multiple domains at once and notify a list of people.

It is released on GitHub under the GNU license. Feel free to contribute, use it and help keep data private.
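The core of such a check, written here as an added example (this is not the SSLChecker code from GitHub): read the certificate's notAfter date from a TLS handshake, work out the remaining days, and decide whether today is one of the 30/14/3/1-day notification points. The domain names and notAfter values in SAMPLE_CERTS are constructed; mail delivery is left out.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional

# Notification points used in the post: 30, 14, 3 and 1 day(s) before expiry.
NOTIFY_DAYS = (30, 14, 3, 1)

# Constructed sample input (domain -> notAfter as ssl.getpeercert() reports it).
SAMPLE_CERTS = {
    "example.org": "May  4 12:00:00 2019 GMT",
    "example.net": "Apr  7 12:00:00 2019 GMT",
    "example.com": "Jun  1 00:00:00 2019 GMT",
    "expired.example": "Apr  1 12:00:00 2019 GMT",
}

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the leaf certificate's
    notAfter string, e.g. 'May  4 12:00:00 2019 GMT'. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_until_expiry(not_after: str, now_iso: str) -> int:
    """Whole days from now_iso (UTC, e.g. '2019-04-04T12:00:00') until
    notAfter; negative once the certificate has already expired."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    tz=timezone.utc)
    return (expiry - now).days

def notification_for(days_left: int) -> Optional[str]:
    """Message to mail on exactly the configured days, or after expiry."""
    if days_left <= 0:
        return f"certificate EXPIRED {-days_left} day(s) ago"
    if days_left in NOTIFY_DAYS:
        return f"certificate expires in {days_left} day(s)"
    return None

def check_domains(certs: Dict[str, str], now_iso: str) -> Dict[str, str]:
    """Return {domain: message} for every domain that needs a mail today."""
    alerts = {}
    for domain, not_after in certs.items():
        msg = notification_for(days_until_expiry(not_after, now_iso))
        if msg:
            alerts[domain] = msg
    return alerts
```

Run check_domains once a day from cron with the current UTC time; for live hosts replace the sample values with fetch_not_after(host).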

WordPress, redirect all traffic from http to https Nginx and Apache

Saturday, September 24th, 2016 | Permalink

To redirect all traffic from the http site to your https site, you have to work with redirects.

If you are using Apache as your webserver, just edit the .htaccess file in your document root.
Be sure mod_rewrite is enabled in your setup.

Then, just add the following lines. The first condition catches requests that already use the www host but arrive over plain http; the second catches every other host name:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.YOURWEBSITE\.com$ [NC]
RewriteRule ^(.*)$ https://www.YOURWEBSITE.com/$1 [R=301,L]

For Nginx this needs a little more effort.
Add the following lines to the server {} block of your port 80 virtual server configuration, usually found in /etc/nginx/sites-available/.

location / {
    # return ends request processing here, so the try_files line below is never reached
    return 301 https://www.YOURWEBSITE.com$request_uri;
    try_files $uri $uri/ /index.php?$args;
}

For exception management, have a look at exceptions for redirects.

Nginx, don’t redirect to https for specific site / url

Saturday, September 24th, 2016 | Permalink

After reading my article on redirecting all traffic to https, you may have discovered that some content is not appearing correctly anymore.

For the finance blog I am supporting, this is the case for some pages like “10 goldene Regeln für binaere Optionen” where http content is embedded. In this case it is an external javascript (unfortunately; you should try to avoid this whenever possible) that could not be served using https.

So we needed an exception for this.

In your server {} configuration for port 80 (non-ssl) add this:

# the longer prefix wins over "location /", so this page is still served over http
location ^~ /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
    try_files $uri $uri/ /index.php?$args;
}

In the configuration for port 443 (ssl / https) add this:

location /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
    # send the https request back to http; try_files below is never reached after return
    return 301 http://$server_name$request_uri;
    try_files $uri $uri/ /index.php?$args;
}

Of course you need to adjust that for your needs. This overrides the redirect-all configuration with an exception for the URL “/10-goldene-regeln-fur-den-handel-mit-binaren-optionen”.

HSTS – Strict Transport Security

Sunday, May 1st, 2016 | Permalink

I recently stumbled across a pretty cool functionality within the HTTP/S protocol, which is also painful if you don’t know about it.

It is called HSTS or HTTP Strict Transport Security. Basically, the server tells the browser via a header to request everything from this host only via HTTPS instead of HTTP.
The first response sets something like a cookie, but, depending on the browser, it is not a regular cookie. For example, Safari stores this information in a file called HSTS.plist.

The header sets a lifetime, like a cookie does.

In my specific case, I had an entire server redirected to https by a rewrite rule, but one specific URL redirected back to http. HSTS prevented that, and it took me a few hours and some external help to figure this out.

Details about my case can be found here.
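The check I would have wanted in that situation, as an added example (not the author's code): parse the Strict-Transport-Security header of the https response and report whether a browser that has seen it will still follow an http-only exception URL. SAMPLE_HEADERS is a constructed response, not a capture from any real site; fetch_response_headers is only needed for live hosts.

```python
import http.client
from typing import Dict, Optional

# Constructed sample of HTTPS response headers (lower-cased names).
SAMPLE_HEADERS = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

def fetch_response_headers(host: str, path: str = "/") -> Dict[str, str]:
    """HEAD path over HTTPS and return the headers with lower-cased names.
    Needs network access; the sample above is used for the offline test."""
    conn = http.client.HTTPSConnection(host, timeout=5)
    try:
        conn.request("HEAD", path)
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()

def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload'. Directive names are
    case-insensitive; an unparseable max-age is treated as absent."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_blocks_http_exception(headers: Dict[str, str]) -> Optional[str]:
    """Explain why a browser that has seen these HTTPS headers will refuse a
    redirect back to plain http for this host; None if no policy is in force
    (no header, or max-age=0, which tells the browser to forget the host)."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return None
    policy = parse_hsts(raw)
    if not policy["max_age"]:
        return None
    scope = "host and all subdomains" if policy["include_subdomains"] else "host"
    days = policy["max_age"] // 86400
    return (f"HSTS active for this {scope} for {days} day(s): "
            "an http-only exception URL will be ignored by the browser")
```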

What’s the state on IPv6 – 2016 Edition

Saturday, April 9th, 2016 | Permalink

Nearly three years ago, I tested a list of popular websites for their IPv6 support. Back then the adoption was shockingly small.

ARIN recently ran out of IPv4 addresses and now has a waiting list for new address space. This makes the situation even more dramatic.

Time to run my test again.

Only 8 websites that didn’t support IPv6 three years ago support it now:

yahoo.com
linkedin.com
microsoft.com
apple.com
instagram.com
aol.com
netflix.com
dropbox.com

Why you want to support IPv6 now!

Sunday, November 17th, 2013 | Permalink

I recently changed ISP and, surprise, I now have a native IPv6 network ending at my router instead of an IPv4 internet address.

My new ISP uses something called DualStack Lite, which means I can still reach IPv4 (the old internet), but I get routed (NAT) through one of their IPs. In fact I am sharing an IPv4 address with hundreds of other customers. Usually this is not an issue, as people do not need fixed IPv4 addresses for their home network.

I switched from 50 Mbit/s to 100 Mbit/s. The second I reach a website that supports IPv6 I see the content extremely fast; connections are brilliant and everything. The second I access IPv4, I get the feeling that everything is slower.
This is happening because of DualStack-Lite, as lots and lots of other users have to be re-routed through my ISP’s system.

Besides the fact that there are just no IPv4 addresses left, the user experience using IPv6 is way better now.

If you are in the internet industry, get your stuff finally ready for IPv6. It is shocking how many companies are still only supporting IPv4 out of laziness.

In case you are not sure whether your website/service supports IPv6 yet, check it at IPv6 Test.

What’s the state of IPv6?

Wednesday, October 16th, 2013 | Permalink

I am switching to another ISP in a couple of days. My new ISP will give me an IPv6 address instead of an IPv4 one. In the usual case I should get at least an IPv4 address and in addition an IPv6 one, something called Dual-Stack. My new ISP will run something called DS-Lite, which is IPv6 only and routes IPv4 traffic through NAT.

So what I can’t do is access my home network using IPv4, e.g. from my mobile. For most users that’s not really important and, to be honest, I am happy to get IPv6.
Why? Because it’s f*cking time to start with it. IPv4 networks are rare and limited. Of course there would be a short-term solution, like taking some of the network ranges from some companies, but in the end this is just limited.

Everyone has known for at least a decade that IPv4 is not here to stay and IPv6 is coming. So I am happy that my provider decided to switch, because it is the only natural way to go!

So I thought, let’s check who already provides IPv6 addresses for DNS queries, and I am shocked.

For the record, what I did is:

user# dig aaaa domain.com

Here is a list that I just made (October 2013):

google.com yes
facebook.com yes
youtube.com yes
yahoo.com no
baidu.com no
wikipedia.org yes
linkedin.com no
live.com no
twitter.com no
amazon.com no
blogspot.com yes
yandex.ru no
bing.com no
ebay.com no
tumblr.com no
pinterest.com no
msn.com no
mail.ru no
microsoft.com no
apple.com no
instagram.com no
blogger.com yes
imdb.com no
craigslist.com no
bbc.co.uk no
cnn.com no
imgur.com no
alibaba.com no
espn.go.com no
huffingtonpost.com no
aol.com no
akamai.com yes
limelight.com yes
wordpress.com no
reddit.com no
netflix.com no
vimeo.com no
nytimes.com no
dropbox.com no
booking.com no
weather.com no
yelp.com no
etsy.com no
github.com no
bitbucket.org no
shopping.com no
expedia.com no

8 out of 48 big internet companies and start-ups support IPv6. At least three of them are owned by Google. Microsoft or Apple? Not at all!

Shouldn’t these technology companies be the first ones to start with innovation and always be up to date with technology?

How does a Facebook server look like?

Friday, April 8th, 2011 | Permalink

Facebook today announced an open source project called the Open Compute Project.
After Google showed how their servers are designed, Facebook went a step further and published CAD files and detailed hardware information so everyone can build their own Facebook server.
They removed everything from the motherboard that is useless for a server and designed an open chassis.
More information about the Open Compute Project can be found at http://opencompute.org/

Activate PHP5 on Mac OS X Snow Leopard

Monday, November 16th, 2009 | Permalink

I blog this because it took me some time to figure out, and it is so simple to fix.

I just bought a Mac Mini Server with Mac OS X Snow Leopard Server. There is a nice interface to configure apache2, the mail server and everything else. By default php5 is not enabled.
If you look into the module list in the Server Admin interface, there is the php5_module. Just check the box and the server will perform a graceful restart.

I just installed a little script with the following code in it.

After that I opened the site in the local webbrowser.

The result was:

Mhhh??? What went wrong?

The answer is quite simple. Mac OS X Server comes with NO php.ini, and PHP comes with short_tags disabled by default.

So, just add a php.ini file or add to your script.

problem with permalinks in wordpress on plesk – strato virtual server

Tuesday, August 12th, 2008 | Permalink

This took me a while!
We installed WordPress on the Strato virtual machine and changed the permalink structure, but it didn’t work.
My first thought was that there must be something wrong with mod_rewrite. It seems apache does not report it when a module isn’t loaded but is used.
As Plesk is doing a good job with its user interface, they are not using a standard apache installation with mods-enabled & mods-available.
After searching for a while I found a file called /etc/sysconfig/apache2.

In my case it’s line 84:

APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 perl python suexec"

This tells apache which modules have to be loaded; as you can see there is nothing like rewrite.
Edit this line:

APACHE_MODULES="rewrite actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 perl python suexec"

Restart apache with:
/etc/init.d/apache2 restart
And it works.