uudruid74
Reputation Activity

  1. Trolling
    uudruid74 got a reaction from duncan.britton for a blog entry, Mobile Detection on Tengine / Nginx   
    If you use a content management system for your site, it probably already deals with mobile systems. But, what if you have parts of your site that aren't in a CMS, or you do your site by hand?
     
    Well, it would be nice to either redirect from www.example.com to m.example.com, or (my preference), to redirect to a subdirectory. I like the subdirectory approach because I can easily share content with the main site via symlinks (such as the content management system). Normally, this isn't a nice thing to do to your caches since any caches along the way won't know that the symlinked files aren't the same, but if you can solve that, let me know.
     
    The following method redirects the user if they are on a mobile browser, but still allows them to use the "Request Desktop Site" feature. Just include the file in your tengine or nginx server configuration. The actual rewrite is done at the end. Scroll to the bottom and you'll see the line to edit. I tried to attach the file, but it said I'm not permitted to upload files of that type. Cut-Paste or email me and I'll send it to you.
        #- This file for doing redirects based on mobile detection
        set $mobile_rewrite do_not_perform;

        #- check http_user_agent for mobile / smart phones
        if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {
            set $mobile_rewrite perform;
        }
        if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {
            set $mobile_rewrite perform;
        }

        #- ?desktop=true overrides the detection and is remembered in a cookie
        set $force_dt_cookie "";
        if ($args ~ 'desktop=true') {
            set $mobile_rewrite do_not_perform;
            set $force_dt_cookie "desktop=true";
        }
        add_header Set-Cookie $force_dt_cookie;
        if ($http_cookie ~ 'desktop=true') {
            set $mobile_rewrite do_not_perform;
        }

        location /m {
            error_page 404 /m/error/404.html;
        }

        #- redirect to /m except /m, /mail, /joomla
        if ($mobile_rewrite = perform ) {
            rewrite ^(?!(/m|/joomla)+) /m$request_uri? break;
            break;
        }
        #- To redirect to m.example.com, change above rewrite to
        # rewrite ^ https://m.example.com$request_uri? break;
    That's it! I just put my mobile files in the /m directory of the server.
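The decision logic of the snippet above, re-implemented as a shell function so the rule precedence (user-agent match, then ?desktop=true, then the desktop=true cookie, then the /m and /joomla exclusions) can be checked against sample requests without a running server. This is an added example, not code from the original post. Assumptions: grep -E (POSIX ERE) stands in for nginx's PCRE, so "\d" became "[0-9]" and "\/" became "/"; the second, prefix-anchored list is abbreviated to a handful of its entries; the sample user agents are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example: nginx mobile-redirect decision as a shell function.
# Assumptions: grep -E (ERE) instead of PCRE; abbreviated prefix list.
set -eu

# First nginx regex in ERE form (same alternatives; \d -> [0-9], \/ -> /).
MOBILE_UA_RE='(android|bb[0-9]+|meego).+mobile|avantgo|bada/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino'

# Abbreviated stand-in for the second nginx regex (anchored prefix list).
MOBILE_PREFIX_RE='^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|blac|blaz|kddi|nok(6|i)|palm|sgh-|sie(-|m)|voda|xda)'

# Arguments: user agent, query string ($args), Cookie header ($http_cookie),
# $request_uri.  Prints the rewrite target, or "-" when no rewrite happens.
mobile_rewrite_target() {
    ua=$1; args=$2; cookie=$3; uri=$4
    decision=do_not_perform

    # the two "if ($http_user_agent ~* ...)" blocks; ~* is case-insensitive
    if printf '%s' "$ua" | grep -Eiq -e "$MOBILE_UA_RE"; then decision=perform; fi
    if printf '%s' "$ua" | grep -Eiq -e "$MOBILE_PREFIX_RE"; then decision=perform; fi

    # "if ($args ~ 'desktop=true')" and "if ($http_cookie ~ 'desktop=true')":
    # case-sensitive substring tests that override the user-agent result
    case $args in *desktop=true*) decision=do_not_perform ;; esac
    case $cookie in *desktop=true*) decision=do_not_perform ;; esac

    # "rewrite ^(?!(/m|/joomla)+) /m$request_uri? break;": the negative
    # lookahead is a prefix test, so /mail and /mobile are skipped along with /m
    if [ "$decision" = perform ]; then
        case $uri in
            /m*|/joomla*) printf '%s\n' - ;;
            *) printf '/m%s\n' "$uri" ;;
        esac
    else
        printf '%s\n' -
    fi
}

# Constructed sample requests: "user agent|args|cookie|request_uri".
for req in \
    'Mozilla/5.0 (Linux; Android 9; Pixel 3) Mobile Safari/537.36|||/news/index.html' \
    'Mozilla/5.0 (Linux; Android 9; Pixel 3) Mobile Safari/537.36|desktop=true||/news/index.html' \
    'Mozilla/5.0 (Linux; Android 9; Pixel 3) Mobile Safari/537.36||desktop=true; sid=abc|/news/index.html' \
    'Mozilla/5.0 (Linux; Android 9; Pixel 3) Mobile Safari/537.36|||/m/news/index.html' \
    'Nokia6310i/1.0 (04.10) Profile/MIDP-1.0 Configuration/CLDC-1.0|||/' \
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Firefox/115.0|||/news/index.html'
do
    IFS='|' read -r ua args cookie uri <<EOF
$req
EOF
    printf '%-64.64s -> %s\n' "$ua" "$(mobile_rewrite_target "$ua" "$args" "$cookie" "$uri")"
done
```

The function covers the redirect decision only; it does not model the Set-Cookie header the snippet emits, and the prefix list is deliberately short, so paste the full nginx list into MOBILE_PREFIX_RE (with "\-" and "\/" unescaped) if you want it to be authoritative.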
  2. Trolling
    uudruid74 got a reaction from duncan.britton for a blog entry, Adding SSL to Tengine / Nginx   
    OK, you've got your SSL certificate and you have tengine or nginx set up, but you need it secure. After all, you've heard of all the recent DH attacks, BEAST, CRIME, FREAK, Heartbleed and others, right? Is your system already secure? Test it! Check out The SSL Labs Test Site. I'm getting an A+ rating! The following assumes tengine, but nginx is exactly the same, just s/tengine/nginx/g;
     
    Need a certificate? OK - I highly recommend StartSSL. It's FREE! These guys will step you through the process by following the instructions on their site. If you have problems, the tech support via email is instantaneous and incredibly professional. My cert was the free variety, but if I ever upgrade, I will go to them because the support (to a non-paying customer no less) was so good.
     
    OK ... Make a file /etc/tengine/ssl.conf (or equiv for nginx):
        #- Ports to listen on, all addresses, IPv6 and IPv4
        listen [::]:443 ssl;
        listen 443 ssl;

        #- Support current SSL standards and options only
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        #- And some security related headers
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
    Now, go into your sites-available and in the server{} configuration for the site you want to include SSL, add these lines:
        include /etc/tengine/ssl.conf;
        ssl_dhparam /etc/ssl/tengine/dhparam4096;
        ssl_trusted_certificate /etc/ssl/tengine/startssl_trust_chain.crt;
        ssl_certificate /etc/ssl/tengine/ssl-unified.crt;
        ssl_certificate_key /etc/ssl/tengine/ssl.key;
    Now, there are 4 files here for SSL in addition to the one we just included. Let's look at where they come from. First, you should have a certificate file (ssl.crt in the following), and a key for that file (private_ssl.key). The CRT begins with "-----BEGIN CERTIFICATE-----", but you will need to view this in vi, not less (less will try to decode many of these files). Your private key is password protected (the key is "-----BEGIN RSA PRIVATE KEY-----" followed by a line that says ENCRYPTED). Since you probably don't want to issue a password every time you start your server, let's fix that first.
    >openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key
    Easy enough? And we have one of our lines done. 3 to go!
     
    The next step is to create a chain of certificates back to the root. For StartSSL, you download their cert:
    >wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    Then make the file you need with your cert and theirs. Here's your next 2 files!
        cat ssl.crt sub.class1.server.sha2.ca.pem > /etc/ssl/tengine/ssl-unified.crt
        cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt
    Now, the final command for the final file:
    >openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096
    4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!
     
    Be sure all these files are secure!
    >chmod 0600 /etc/ssl/tengine/*
    Delete originals, clean up, then restart tengine.
     
    Next I'll cover gzip compression, detecting mobile client, and joomla configuration. Any particular one anyone wants to see first?
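The file-building steps of the post above (strip the passphrase, concatenate leaf and intermediate into the unified file, copy the intermediate as the trust chain, chmod 0600) run end to end on a throwaway test PKI, followed by the checks worth doing before restarting the server: the key really has no passphrase, the first certificate in the unified file matches the key (leaf-first order), the chain verifies back to the root, and nothing is readable by other users. This is an added example, not code from the original post or from tengine/nginx. Assumptions: openssl(1) is on PATH; a locally generated intermediate stands in for the StartSSL one; "hunter2", www.example.com and all paths are placeholders; dhparam generation is left out because it is independent of these checks.

```shell
#!/bin/sh
# Added example: build the post's TLS files from a constructed PKI, then verify them.
# Assumptions: openssl(1) on PATH; local test CA instead of StartSSL; placeholder names.
set -eu

# Minimal config so `openssl req` works even without a system openssl.cnf.
write_cfg() {
    cat >"$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
}

# Constructed fixture: root -> intermediate -> server cert, with the server
# key passphrase-protected the way a CA-issued one arrives (passphrase "hunter2").
make_fixture_pki() {
    d=$1; mkdir -p "$d"; write_cfg "$d/cfg"
    openssl req -x509 -config "$d/cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -subj '/CN=Test Root' -days 30 2>/dev/null
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj '/CN=Test Intermediate' 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/cfg" -extensions v3_ca -days 30 -out "$d/int.crt" 2>/dev/null
    openssl genrsa -aes256 -passout pass:hunter2 -out "$d/private_ssl.key" 2048 2>/dev/null
    openssl req -new -config "$d/cfg" -key "$d/private_ssl.key" -passin pass:hunter2 \
        -out "$d/srv.csr" -subj '/CN=www.example.com' 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/cfg" -extensions v3_srv -days 30 -out "$d/ssl.crt" 2>/dev/null
}

# The post's commands, with the passphrase supplied non-interactively.  umask 077
# is added here so the decrypted key is never world-readable, not even for the
# moment before the final chmod.
install_tls_files() {
    src=$1; dst=$2
    (umask 077
     mkdir -p "$dst"
     openssl rsa -in "$src/private_ssl.key" -passin pass:hunter2 -out "$dst/ssl.key" 2>/dev/null
     cat "$src/ssl.crt" "$src/int.crt" >"$dst/ssl-unified.crt"
     cp "$src/int.crt" "$dst/startssl_trust_chain.crt"
     chmod 0600 "$dst"/*)
}

# Pre-restart checks.  Prints a reason and returns non-zero on the first failure.
check_tls_files() {
    dst=$1; root=$2; key=$dst/ssl.key; chain=$dst/ssl-unified.crt
    # 1. the key must load with an empty passphrase, i.e. it is no longer encrypted
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
        || { echo "FAIL: $key is still passphrase-protected"; return 1; }
    # 2. the first certificate in the unified file must belong to this key
    #    (openssl x509 reads only the first PEM block, exactly like the server)
    [ "$(openssl x509 -in "$chain" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: first cert in $chain does not match $key (wrong order?)"; return 1; }
    # 3. the leaf must build a path to the root through the trust chain file
    openssl verify -CAfile "$root" -untrusted "$dst/startssl_trust_chain.crt" "$chain" >/dev/null 2>&1 \
        || { echo "FAIL: $chain does not verify against $root"; return 1; }
    # 4. everything in the directory must be mode 0600
    for f in "$dst"/*; do
        [ -n "$(find "$f" -perm 600)" ] || { echo "FAIL: $f is not mode 0600"; return 1; }
    done
    echo "OK: $dst"
}

# Stand-alone run: build, install, check, and leave the files for inspection.
W=${TMPDIR:-/tmp}/tengine-ssl-example.$$
make_fixture_pki "$W/src"
install_tls_files "$W/src" "$W/etc"
check_tls_files "$W/etc" "$W/src/root.crt"
```

For the real deployment, point check_tls_files at /etc/ssl/tengine and pass the CA's root certificate as the second argument; an intermediate-first unified file and a key that still carries its passphrase are the two mistakes the server would otherwise report only at restart, and the permission check catches a key left at the default 0644 by a forgotten chmod.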
  3. Trolling
    uudruid74 got a reaction from 666threesixes666 for a blog entry, Adding SSL to Tengine / Nginx   
  4. Trolling
    uudruid74 reacted to Chris Kurlinski for a blog entry, Working towards my ideas   
    I'm a big fan of trying anything new, but the cardinal rule for me is this:
    Don't mess with the data. If you don't want to lose those irreplaceable pics of grandma, keep it on a separate drive.
     
    This is my mantra. I love playing with my system, updating, tweaking, and exploring.
    But this can be dangerous to your data.
     
    This is also the reason why I chose to use zfs as my storage for all my data. I can get to it from just about anywhere. If it's unix(-like), I can download the kernel modules and access it.
     
    I feel like zfs is becoming the unix(-like) version of fat32. Let me explain.
     
    I just did some consulting on a smartos job, but I had to p2v an existing Windows 2k3 server, with a dying hard drive.
    Smartos is great and all, but it is really not set up to virtualise an existing machine.
    So I placed the failing drive into my setup, created a zvol the same size as the failing drive, and dd'd the old drive to the new zvol.
    Created a new KVM instance, and booted the thing up.
     
    After some general cleanup and a massive amount of defragging, I had a good image ready for production.
     
    The Smartos side of things was fine. JSON took a little getting used to (it helps to find a good validating editor). zfs send | zfs receive brought up the zvol, and away I went with the client configuration, igmadm create and all. Now the setup is in production, and all seems to be well.
     
    But the real point of this endeavour is this, ZFS is getting to the point of being truly cross platform.
    The only thing that can't read ZFS is windows, and that access is a samba share away.
     
    As much as I like Smartos, I love Funtoo. If I was going to roll out a data centre with clean installs, then Smartos is a great base.
    But p2v for a small business client, not so sure.
     
    That's why I'm thinking about a Smartos-like Funtoo USB-bootable read-only install, and, in keeping with the way Funtoo is, basically a recipe for using the existing tools to create it, because that is the right way to do it.
     
    Our BDFL gives us the tools to do anything we want with his creation, we as users of Funtoo, get to assemble it as we need to get the job done.
     
    This is my idea: a bootable USB Funtoo minimal, bare essential tools, read-only root, built-in ZFS kernel and Xen hypervisor.
     
    Now just to figure out how to do it........