Archive for the 'Software' category

Verbose committing

published on December 12, 2016.
Heads-up! You're reading an old post and the information in it is quite probably outdated.

One thing I recently learned about git is the -v or --verbose flag for the git commit command. It shows the diff of what is being committed in $EDITOR, below the commit message template. Taken directly from man git commit:

Show unified diff between the HEAD commit and what would be committed at the bottom of the commit message template to help the user describe the commit by reminding what changes the commit has. Note that this diff output doesn’t have its lines prefixed with #. This diff will not be a part of the commit message.

I keep double-checking the code that I commit, so prior to discovering this flag I was constantly switching between writing the commit message and looking at the diff. This now gives me the diff inside vim, as that is my $EDITOR. I can navigate the diff using vim motions, use search, etc., which greatly improves my workflow.
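To see the two halves of that man page sentence in action, here is a small script added to this post (not the author's code) that commits in a throwaway repository with a fake non-interactive editor, checks that the template handed to the editor contains the diff, and then shows that the recorded message does not. It assumes git is installed; the repository and file names are made up for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): show in a throwaway repo that
# `git commit -v` puts the diff into the editor template but keeps it out of
# the recorded commit message. Assumes git is installed and on PATH.
# Git 2.9+ can also make -v the default with: git config commit.verbose true

# Write a fake editor script: it saves the template git hands it (path in $1)
# to $CAPTURE_FILE, then replaces it with a fixed message so the commit
# completes without any interaction.
fake_editor_script() {
    cat <<'EOF'
#!/bin/sh
cp "$1" "$CAPTURE_FILE"
echo "Change greeting" > "$1"
EOF
}

# Run the demo and print two lines:
#   line 1: "diff" if the template contained the unified diff, else "nodiff"
#   line 2: the commit message actually recorded
verbose_commit_demo() {
    repo=$(mktemp -d) || return 1
    CAPTURE_FILE="$repo/template.txt"
    export CAPTURE_FILE
    fake_editor_script > "$repo/editor.sh"
    chmod +x "$repo/editor.sh"
    (
        cd "$repo" || exit 1
        git init -q . && git config user.email "you@example.com" \
            && git config user.name "Example"
        echo "hello" > greeting.txt && git add greeting.txt
        git commit -q -m "Initial" >/dev/null
        echo "hello, world" > greeting.txt && git add greeting.txt
        # -v: the diff of HEAD vs. the index is appended below the template
        GIT_EDITOR="$repo/editor.sh" git commit -q -v >/dev/null
        if grep -q '^diff --git' "$CAPTURE_FILE"; then echo diff; else echo nodiff; fi
        git log -1 --format=%B
    )
    rm -rf "$repo"
}

# Usage: sh verbose-commit-demo.sh --run
if [ "${1:-}" = "--run" ]; then
    verbose_commit_demo
fi
```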

Happy hackin’!

Tags: git, message, verbose, diff.
Categories: Software, Development.

Configure Fedora's firewall for Vagrant

published on December 09, 2016.

This one’s been in my drafts for a long time, might as well publish it.

FirewallD, Fedora’s firewall, has a set of zones, which lets you configure which connections are trusted on the interfaces assigned to each zone. You can read more about FirewallD on its wiki page.

Whenever I bring up a Vagrant box for the first time, Fedora’s firewall blocks the NFS shares, because the new Vagrant network interface does not belong to any zone. The usual symptom of this is that Vagrant gets stuck on the mounting NFS shares step.

I have a zone called FedoraWorkstation that I use for all the Vagrant boxes I have on my laptop. This zone has a list of services that are allowed:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --list-services
dhcpv6-client rpc-bind nfs mountd ssh samba-client

You can use any other zone you like, but you need to have the rpc-bind, nfs and mountd services allowed for that zone.

After bringing up the Vagrant box, we need to figure out the name of the new Vagrant interface and add it to the firewall zone. Vagrant interfaces follow the naming scheme vboxnetX, where X is a number:

robert@odin ~$ ip link show | grep "state UP" | grep "vbox"
7: vboxnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

From this we can see that the name of the interface is vboxnet3.

Let’s add it to the FedoraWorkstation zone and reload:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --add-interface vboxnet3 --permanent
success
robert@odin ~$ sudo firewall-cmd --reload
success

Finally let’s make sure that the interface was indeed added:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --list-interfaces
vboxnet3 vboxnet2 vboxnet0
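The steps above can be scripted so that every vboxnet interface that is up but not yet in the zone gets added in one go. The script below is an added example, not part of the original post; it assumes ip and firewall-cmd are available, uses the FedoraWorkstation zone from the post, and ships with a constructed sample of ip link output so the parsing can be checked without touching the firewall. Keep in mind that every service allowed in the zone becomes reachable from each interface you add, so check the zone's service list first.

```sh
#!/bin/sh
# Added example (not from the original post): find VirtualBox host-only
# interfaces (vboxnetX) that are up but not yet in the firewall zone, and add
# them in one go instead of copying names by hand. Assumes ip and firewall-cmd
# are available; the zone name is the one used in the post.
ZONE="${ZONE:-FedoraWorkstation}"

# Constructed sample of `ip link show` output, used for the offline check.
SAMPLE_IP_LINK='2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
7: vboxnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
8: vboxnet4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'

# Print the names of vboxnetX interfaces in state UP, one per line (stdin).
up_vbox_interfaces() {
    sed -n 's/^[0-9]*: \(vboxnet[0-9]*\):.*state UP.*/\1/p'
}

# Filter stdin down to interfaces not already in the space-separated list $1.
not_in_zone() {
    while read -r iface; do
        case " $1 " in
            *" $iface "*) ;;
            *) echo "$iface" ;;
        esac
    done
}

# Add every missing interface permanently, then reload once. Every service
# allowed in the zone becomes reachable from the new interface, so review
# `firewall-cmd --zone "$ZONE" --list-services` first.
add_missing_to_zone() {
    current=$(sudo firewall-cmd --zone "$ZONE" --list-interfaces) || return 1
    added=0
    for iface in $(ip link show | up_vbox_interfaces | not_in_zone "$current"); do
        sudo firewall-cmd --zone "$ZONE" --add-interface "$iface" --permanent
        added=1
    done
    if [ "$added" -eq 1 ]; then sudo firewall-cmd --reload; fi
}

# Usage: ZONE=FedoraWorkstation sh vagrant-zone.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_missing_to_zone
fi
```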

And that’s it. Happy hackin’!

Missing colors for PHPUnit

published on July 20, 2016.

I ran across a minor issue today that I had never experienced before. The colors in PHPUnit’s output were missing. I had the colors=true directive set in the phpunit.xml configuration file, but the output was just black and white.

Turns out I was missing the posix extension, which is provided by the php-process package on Fedora. After installing it:

$ sudo dnf install php-process

all was good again in the world of unit testing.

Oh well.

Happy hackin’!

Tags: phpunit, php.
Categories: Programming, Software, Development.

Setting up SSL certificates with Let's Encrypt

published on July 06, 2016.

SSL Report Summary

This past week I finally got around to setting up SSL certificates using Let’s Encrypt. Let’s Encrypt is an open certificate authority that provides free SSL/TLS certificates. Its goal is to make creating, renewing and using SSL certs painless.

And it most certainly is. I was expecting a lot more hassle to set up all this, but it was really easy to do.

Install certbot

Certbot is a Let’s Encrypt client that helps set up a certificate by obtaining and installing it on your servers. There are many more clients out there, but certbot is the recommended one to use.

I simply installed certbot using dnf:

sudo dnf install certbot

but if your OS has no package for it yet, there’s always the manual way.

Creating a certificate

Certbot has a number of plugins that can be used to create and install a certificate on a server. I chose the webroot plugin which only gets the certificate for me and leaves the webserver configuration up to me.

sudo certbot --text --renew-by-default --agree-tos --webroot \
--email youremail@domain.tld \
--domains domain.tld,www.domain.tld \
--webroot-path /path/to/site/public \
certonly

This will create the certificate and its private key in the /etc/letsencrypt/live/domain.tld/ directory.

Configuring nginx

The next step is to configure nginx by enabling SSL, providing the paths to the certificate and the private key, and which protocols and ciphers to use. I added these to the server block:

listen 443 ssl;

ssl on;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

After restarting nginx, you should be able to load up your site through https. Just remember to allow traffic on port 443:

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Additional configuration

To further harden the Diffie-Hellman key exchange, create new parameters for it using openssl:

sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
sudo openssl dhparam -out dhparams.pem 2048

I told nginx to use it by adding it to the same server block where I set up the SSL configuration:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

I also did some SSL optimizations and enabled Strict Transport Security:

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

This blog post explains HTTP Strict Transport Security nicely.

All this and my website gets an A+ rating on the Qualys SSL Server Test.

Enable OCSP stapling

Thanks to Goran Jurić for pointing out that I should enable OCSP stapling. I did so by adding this to the nginx server config:

ssl_stapling on;
ssl_stapling_verify on;

According to the nginx documentation the ssl_trusted_certificate directive is needed only when the ssl_certificate file does not contain intermediate certificates, but the fullchain.pem created by Let’s Encrypt does contain them, so I’m skipping that.
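Since this post is old, it is worth checking a server block like the one above against current practice. The script below is an added example, not the author's code: it reads an nginx server block and flags the protocol and cipher settings that have since been deprecated, as well as a missing ssl_stapling or Strict-Transport-Security directive. The config file path in the usage line is a placeholder; the embedded sample is the server block from this post.

```sh
#!/bin/sh
# Added example (not from the original post): audit the TLS directives of an
# nginx server block for settings that were acceptable in 2016 but are
# deprecated today. Usage: sh tls-audit.sh /etc/nginx/conf.d/site.conf

# Constructed sample: the server block from the post.
SAMPLE_CONF='listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header Strict-Transport-Security max-age=31536000;'

# Print the value of directive $1 from the config on stdin (empty if unset).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p"
}

# Print one finding per line for the config on stdin; no output means clean.
audit_tls() {
    conf=$(cat)
    protos=$(printf '%s\n' "$conf" | directive ssl_protocols)
    case " $protos " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            echo "ssl_protocols: TLSv1/TLSv1.1 are deprecated (RFC 8996); use TLSv1.2 TLSv1.3" ;;
    esac
    case "$(printf '%s\n' "$conf" | directive ssl_ciphers)" in
        *3DES*) echo "ssl_ciphers: 3DES suites use a 64-bit block (Sweet32); drop them" ;;
    esac
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*ssl_stapling[[:space:]]\{1,\}on' \
        || echo "ssl_stapling: OCSP stapling is not enabled"
    printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security' \
        || echo "add_header: no Strict-Transport-Security header"
}

if [ -n "${1:-}" ]; then
    audit_tls < "$1"
fi
```

Run against the post's own server block it reports three findings (old protocols, 3DES suites, no stapling); with the OCSP stapling directives from the section above added, only the first two remain.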

To test whether OCSP stapling is enabled, reload nginx, and from a local terminal run the following:

openssl s_client -connect domain.tld:443 -status

The output should have something like:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Installing Python2 with Ansible

published on June 29, 2016.

Ansible uses Python2 to run the provisioning commands on the host machines. At this time it does not support Python3, which has been the default Python version in Fedora releases for quite some time now.

So to be able to manage Fedora machines with Ansible, I need to install Python2, but how do I install it when all the Ansible modules depend on Python2 being installed? Turns out it’s quite simple: turn off fact gathering in Ansible and use the raw module to install the required packages:

- hosts: all
  gather_facts: no
  become: yes
  tasks:
    - name: Install python2 and python2-dnf
      raw: dnf -y install python2 python2-dnf
    - name: Gather facts
      setup:

Just remember this needs to be the very first thing that happens on all your Fedora hosts. After python2 is installed, gather the facts for all the hosts by running the setup module.

Happy hackin’!

Robert Basic

Software engineer, consultant, open source contributor.

Robert Basic © 2008 — 2019