Category Archives: technical

i wrote a thing – paragraph, a simple plugin for wordpress

Along with becoming more active on Mastodon,  I’ve been thinking more about concision recently.

One of the big selling points for Mastodon is that the character limit per post is 500 instead of Twitter’s 140.

And I was thinking, “what if there was a way to force you to write better by writing less / more compactly / more concisely?”

So after a couple weeks, I sat down and wrote an incredibly simple WordPress plugin. Introducing Paragraph.

Paragraph removes all formatting of a post or page, effectively turning it into a wall of text.

How does this help you?

If you see your writing as an uninterrupted wall of text – or a “paragraph” – you may notice that what you’re trying to say is getting lost in the noise.

It could also help force you to write more often but shorter each time.

Or maybe you’ll find it completely useless: and that’s OK, too.

update: keeping your let’s encrypt certs up-to-date

Last year I posted a simple script for keeping your Let’s Encrypt SSL certificates current.

In conjunction with my last post sharing the “best” SSL configs you can use with Apache on CentOS, here is the current state of the cron’d renewal script I use.

systemctl stop httpd.service
systemctl stop postfix
~/letsencrypt/letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m user@domain.tld -d domain.tld
# you can append more [sub]domains to a single cert with additional `-d` directives ([-d otherdomain.tld [-d sub.domain.tld...]])
#...repeat for every domain / domain group
systemctl start httpd.service
systemctl start postfix

I have this script running @weekly in cron. You should be able to get away with doing it only every month or two .. but I like to err on the side of caution.

I’m stopping and starting Postfix in addition to httpd (Apache on my system) for only two reasons: first, I am using some of the LE-issued certs in conjunction with my Postfix install; second, because I don’t know if Dovecot and my webmail system need to make sure Postfix is restarted if underlying certs change.

ssl configuration for apache 2.4 on centos 7 with let’s encrypt

In follow-up to previous posts I’ve had about SSL (specifically with Let’s Encrypt), here is the set of SSL configurations I use with all my sites. These, if used correctly, should score you an “A+” with no warnings from ssllabs.com. Note: I have an improved entropy package installed (twuewand). This is adapted from the Mozilla config generator with specific options added for individual sites and/or to match Let’s Encrypt’s recommendations.

Please note: you will need to modify the config files to represent your own domains, if you choose to use these as models.

[/etc/httpd/conf.d/defaults.conf]

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom  1024
# requires twuewand to be installed
SSLRandomSeed startup exec:/bin/twuewand 64
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024
SSLCryptoDevice builtin
# the SSLSessionTickets directive should work - but on Apache 2.4.6-45, it does not
#SSLSessionTickets       off
SSLCompression          off
SSLHonorCipherOrder	on
# there may be an unusual use case for enabling TLS v1.1 or 1 - but I don't know what that would be
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLOptions +StrictRequire
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

#all unknown requests get domain.tld (over http)
<VirtualHost *:80>
    DocumentRoot /var/html
    ServerName domain.tld
    ServerAlias domain.tld *.domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log combined
    ServerAdmin user@domain.tld
    <Directory "/var/html">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>

SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css text/php

[/etc/httpd/conf.d/z-[sub-]domain-tld.conf]

<Virtualhost *:80>
    ServerName domain.tld
# could use * instead of www if you don't use subdomains for anything special/separate
    ServerAlias domain.tld www.domain.tld
    Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
# if you put "fullchain.pem" here, you will get an error from ssllabs
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

# could put this in defaults.conf - I prefer it in each site config
    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

I use the z....conf formatting to ensure all site-specific configs are loaded after everything else. That conveniently breaks every site into its own config file, too.

The config file for a non-https site is much simpler:

<VirtualHost *:80>
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ServerAlias domain.tld *.domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log combined
    ServerAdmin user@domain.tld
    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>

If you’re running something like Nextcloud, you may want to turn on Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" in the <VirtualHost&gt directive for the site. I haven’t decided yet if I should put this in every SSL-enabled site’s configs or not.

firewalld

Last week, for the better part of 4.5 days, this site was offline.

Along with, of course, every other domain hosted hereon .

Here’s the timeline of my actions

  • Tuesday, reboot to update kernel revs
    • system did not come back online
  • over the next several days, tried all kinds of diagnostic attempts, including
    • verified host was pingable, tracerouteable, etc
    • rescue environments to chroot and remove out of date packages, update boot menus, etc
    • remote KVM (which is Java based, and wouldn’t run on my macOS Sierra machine with Java 8 U121)
  • late Friday (or maybe it was Saturday), received a cron-generated email – which meant the server was up
    • had a bolt of inspiration, and thought to check the firewall (but couldn’t for several hours for various reasons)
  • Saturday evening, using a rescue environment from my hosting provider, chroot’ed into my server, and reset firewalld
    • reboot, and bingo bango! server was back

So. What happened? Short version, something enabled firewalld, and setup basic rules to block everything. And I do mean everything – ssh, http, smtp, etc etc.

Not sure exactly how the firewall rules got mucked-up, but that was the fix.

 

apple tv – how apple can beat amazon and google

In e99 of Exponent, Ben Thompson makes a compelling case for his idea that Amazon Echo (Alexa) is an operating system – and that Amazon has beaten Apple (with Siri) and Google Home (with Assistant) at the very game they both try to play.

And I think he’s onto the start of something (he goes on to elaborate a bit in his note that Apple TV turned 10 this week (along with the little thing most people have never heard of, iPhone)).

But he’s only on the *start* of something. See, Apple TV is cheaper than Amazon Echo – by $30 for the entry model (it’s $20 more for the model with more storage). Echo Dot is cheaper, but also is less interesting (imo). And Alexa doesn’t have any local storage (that I know of).

And neither of them will stream video.

By Apple TV has something going for it – it *already* has Siri enabled. In other words, it has the home assistant features many people want, and does video and audio streaming to boot.

It handles live TV via apps like DIRECTV or Sling. And Netflix and other options for streaming (including, of course, iTunes).

Oh, and it handles AirPlay, so you can plop whatever’s on your iPhone, iMac, etc onto your TV (like a Chromecast).

But Apple doesn’t seem to focus on any of that. They have a device which, by all rights, ought to be at least equal (and probably superior to) with its competition – but they seem to think their competition is Roku or the Fire Stick. From a pricing perspective, those are the wrong folks to be considering your competition.

It’s Google and Amazon Apple should have in its sights – because Apple TV *ought* to beat the ever living pants of both Home and Echo.

If HomeKit exists on Apple TV, and you have Siri on Apple TV, why is it not the center of home automation?