It was recently discovered that Cogneato websites' HTTPS certificates were cross-signed by an expired AddTrust certificate, and were showing security warnings in old versions of Safari. Continue reading post "#2949"
http posts
Somehow, my recent upgrade to Ubuntu 20.04 switched the Apache MPM module installed and thus disabled HTTP2 for PHP requests on my server. Continue reading post "#2889"
I had to manually force renew the TLS certificate for my site (the thing that makes it encrypted over HTTPS) because of a bug in LetsEncrypt's software. Continue reading post "#2674"
Letsencrypt: Shared verification web-root for all domains
I use Letsencrypt with certbot for the HTTPS certificates of my personal sites. I use the certonly method to allow full control over my server configuration. This means specifying one or more web-roots for each certificate.
Continue reading post "Letsencrypt: Shared verification web-root for all domains"
Forcing HTTPS and progressive enhancement
In the interest of progressive enhancement, my site doesn't force browsers to connect over HTTPS unless they demonstrate support for it. Continue reading post "Forcing HTTPS and progressive enhancement"
HTTP 2 on Ubuntu 18.04 with Apache and PHP
I recently got h2 (HTTP 2.0) running on my server. Continue reading post "HTTP 2 on Ubuntu 18.04 with Apache and PHP"
Woo-hoo. My site is finally sending h2 (HTTP 2.0). Continue reading post "#2103"
Server upgrade: Ubuntu 18.04
I've finally updated my server to Ubuntu 18.04 using do-release-upgrade.
Continue reading post "Server upgrade: Ubuntu 18.04"
While working on my site's error pages, I became aware of the #save418 kerfuffle. Continue reading post "#1644"
Dreamhost, mod_rewrite, and logged status codes
I've done some more testing on the problem I mentioned before of all requests showing up as 200's in the Apache log on my Dreamhost shared server. I'm pretty sure it's specific to their mod_rewrite module.
Continue reading post "Dreamhost, mod_rewrite, and logged status codes"
Wordpress.com redirects don't support HTTPS
Gah. Apparently wordpress.com is discouraging 'https' for self-hosted blogs: Their redirection service does not allow any protocol but 'http'. I could swear it did when I first set it up, as I remember typing in my URL with 'https' and I thought I tested it with curl -I to make sure it works, but the docs have an explicit note saying:
Note: Site redirects will only point to a non-ssl ( http:// ) url.
I don't remember seeing it before, but the wayback machine suggests it was there since 2013, well before I switched to self-hosted.
Continue reading post "Wordpress.com redirects don't support HTTPS"
Jetpack's sitemap plugin has gotten an update or two since I found it listing th…
Continue reading post "#1108"
Self-signed certificate for testing
In playing with service workers, I set up a self-signed SSL certificate for my local development environment. I used instructions from debian.org. It was very simple, since I didn't need the security involved with a real operating site. Creating the certs took a single command:
openssl req -new -x509 -days 365 -nodes -out /path/to/server/config/certs/sitename.pem -keyout /path/to/server/config/certs/sitename.key
You then just need to set things up in the server configuration (Apache in my case). mod_ssl must be installed and enabled, which looks something like:
LoadModule ssl_module modules/mod_ssl.so
Continue reading post "Self-signed certificate for testing"
On my site, I'm using Apache's 'mod_deflate' and 'mod_filter' to compress my com…
Continue reading post "#950"
Struggling to figure out why every response from my Symfony application is showi…
Continue reading post "#940"
My sites now HTTPS with LetsEncrypt
My sites are now HTTPS-enabled with LetsEncrypt. It was easy to set up with Dreamhost's panel. It was just a few clicks and some waiting. This is the first time my own sites have been available over HTTPS. I've been wanting to do it for a while, but it was kind of costly until the free LetsEncrypt became available. This brings my sites in line with the "HTTPS Everywhere" movement. I've also been wanting to play with the new, still-forming standard for making web apps installable almost like native apps.
I had written a post before about how I'm setting my security-related headers. I've now added HTTPS-related headers in a similar manner: Upgrade-Insecure-Requests and HSTS.
Dreamhost now supports LetsEncrypt even with shared hosting. LetsEncrypt provid…
Continue reading post "#815"
Security HTTP Headers
I've been working on the HTTP headers my site sends recently. I had been working on performance / cache related headers, but after seeing mention of a security header scanner built by Scott Helme, I decided to spend a little time implementing security related headers on my site. I don't really know these headers that well, so I added the headers it suggested and mostly went with the recommended values. I did read up a bit on what they mean though and modified the Content-Security-Policy as I saw fit.
I added most of the headers using a Symfony response event listener. This handles all of my HTML responses without sending the headers for other responses, where they aren't necessary. The exception is X-Content-Type-Options, which should be set for all responses. I set that in the Apache configuration.
Load Balancers and HTTPS
Until recently, I had no experience working with sites behind load balancers. Cogneato has been moving its sites to Rackspace virtual servers for flexibility, among other things. One of their recommendations that we took was to put our web server behind a load balancer. Even though we haven't needed multiple nodes behind it yet, it makes it easier to upgrade the server behind it without needing to change IPs in DNS and will allow us to easily pop up another node when it is needed.
This arrangement has gone relatively smoothly except for a few issues. The biggest ones have had to do with our HTTPS sites. We run both HTTP and HTTPS sites on the same server. We put the certificates on the load balancer, so traffic goes from the load balancer to the web server over HTTP. As far as the standard methods are concerned, both Apache and the application code see the request as plain HTTP. I will discuss some of the problems we had and the solutions I found.
Continue reading post "Load Balancers and HTTPS"