Posted on : By : Robert Posted in : Short

Update to TLS 1.3 with Apache

I moved this site to TLS 1.3 a few weeks ago. So far, it has been working great if I use a web browser. Unfortunately, no one has updated Curl to work with TLS 1.3. The second issue is that Curl is the HTTP client library du jour for C or languages that use C’s Foreign Function Interface. Unfortunately, TLS 1.3 only breaks nearly all applications that use a web callback or WordPress’ APIs.

To add TLS 1.2 back as an option

#Add below the SSLCipherSuite for TLSv1.3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

#Add +TLSv1.2 to the end of the SSLProtocol line
SSLProtocol -all +TLSv1.3 +TLSv1.2
Continue reading "Update to TLS 1.3 with Apache"
Posted on : By : Robert Posted in : Medium

Don’t leave web server performance on the table.

If you followed the WordPress Install Guide you are leaving performance on the table for your website. The WordPress Install Guide defaults to Apache’s mod PHP which is definitely leaving performance on the table.

Here is how to fix that in Ubuntu 20.04:

  1. install php-fpm: sudo apt install php-fpm
  2. disable mod_php and mpm_prefork: sudo a2dismod php mpm_prefork
  3. enable mpm_event proxy_fcgi and setenvif: sudo a2enmod mpm_event proxy_fcgi setenvif
  4. enable the php-fpm configuration file: sudo a2enconf php7.4-fpm
  5. mark apache2 as a manually installed package: sudo apt-mark manual apache2
  6. remove mod_php: sudo apt purge libapache2-mod-php*

That takes care of the general Apache configuration. The next configuration adjustments need to be done at the vhost level. Substitute the correct information for YOUREMAIL, YOURDOMAIN, and WPDIR, and you are good to go.

<VirtualHost *:443>
Protocols h2 http/1.1
ServerName YOURDOMAIN
ServerAdmin YOUREMAIL@YOURDOMAIN.COM

DocumentRoot "WPDIR"

<Directory "WPDIR">
    <FilesMatch "\.php$">
 #Proxy php files to php-fpm
        SetHandler  "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
    Options All
    AllowOverride All
    DirectoryIndex index.php
    Require all granted
</Directory>

#Protect the uploads directory.
<Directory "WPDIR/wp-content/uploads/">
    <FilesMatch "\.php$">
        SetHandler  none
        Require all denied
    </FilesMatch>
</Directory>

#snip extraneous stuff
</VirtualHost>

Let me take a minute to talk about performance. I have a small Atom 230 based ITX computer that I use for some network administration tasks and as a CPU limited system for benchmarking.

robert@pallas:~$ lscpu
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   32 bits physical, 48 bits virtual
CPU(s):                          2
On-line CPU(s) list:             0,1
Thread(s) per core:              2
Core(s) per socket:              1
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           28
Model name:                      Intel(R) Atom(TM) CPU  230   @ 1.60GHz
Stepping:                        2
CPU MHz:                         1595.763
BogoMIPS:                        3191.77
L1d cache:                       24 KiB
L1i cache:                       32 KiB
L2 cache:                        512 KiB
NUMA node0 CPU(s):               0,1
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Not affected
Vulnerability Spectre v2:        Not affected
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss h
                                 t tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts nopl cpuid aperfmperf pni dtes64 monitor ds_cpl
                                  tm2 ssse3 cx16 xtpr pdcm movbe lahf_lm dtherm
robert@pallas:~$

Pallas isn’t fast but it does make a good test bench for what performance difference you might see on a very limited server. I will leave the full benchmark tests below. To summarize the performance looks pretty similar from a users perspective. However, if I point out that the mpm_prefork test had a load average of 88.72 while the mpm_event test had a load average of 11.04 you can see that while mpm_event may not be faster than mp_prefork from a users perspective it does help with server load.

You can expect a return to this topic once I find a way to stress test HTTP 2 connections.

Prefork
robert@Venus:~$ sudo ab -c 100 -n 100000 -r http://192.168.1.12/
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.1.12 (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        Apache/2.4.41
Server Hostname:        192.168.1.12
Server Port:            80

Document Path:          /
Document Length:        10918 bytes

Concurrency Level:      100
Time taken for tests:   110.875 seconds
Complete requests:      100000
Failed requests:        0
Total transferred:      1119200000 bytes
HTML transferred:       1091800000 bytes
Requests per second:    901.91 [#/sec] (mean)
Time per request:       110.875 [ms] (mean)
Time per request:       1.109 [ms] (mean, across all concurrent requests)
Transfer rate:          9857.63 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    4  14.6      3    1039
Processing:     2  107  77.7    108     611
Waiting:        1   29  27.3     21     403
Total:          3  111  78.9    112    1260

Percentage of the requests served within a certain time (ms)
  50%    112
  66%    151
  75%    170
  80%    182
  90%    212
  95%    239
  98%    273
  99%    298
 100%   1260 (longest request)
robert@Venus:~$
Event
robert@Venus:~$ sudo ab -c 100 -n 100000 -r http://192.168.1.12/
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.1.12 (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        Apache/2.4.41
Server Hostname:        192.168.1.12
Server Port:            80

Document Path:          /
Document Length:        10918 bytes

Concurrency Level:      100
Time taken for tests:   118.068 seconds
Complete requests:      100000
Failed requests:        0
Total transferred:      1119200000 bytes
HTML transferred:       1091800000 bytes
Requests per second:    846.97 [#/sec] (mean)
Time per request:       118.068 [ms] (mean)
Time per request:       1.181 [ms] (mean, across all concurrent requests)
Transfer rate:          9257.12 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    3  40.6      1    3143
Processing:    11  115  25.5    110     454
Waiting:        2  108  21.4    107     384
Total:         19  118  47.7    111    3235

Percentage of the requests served within a certain time (ms)
  50%    111
  66%    115
  75%    121
  80%    128
  90%    147
  95%    165
  98%    192
  99%    216
 100%   3235 (longest request)
robert@Venus:~$

—Robert

Continue reading "Don’t leave web server performance on the table."
Posted on : By : Robert Posted in : Short

Use Apache’s mod_usertrack to get analytics without sharing data

First a major caveat, I still have Jetpack installed to simplify a few tasks like reducing comment spam. Until I have a replacement for everything it does, it will still track visitors.

You need to know how many people are interacting with your site and where they are interacting with it. Without some form of visitor tracking, I couldn’t be sure what my most visited post types are.

However, right now, website analytics is dominated by a group of companies that view everyone as a product, not the customer. Google, Facebook, and others all offer analytics for site owners, but you, the site owner, don’t control the data, they do. So how do you respect your visitors’ privacy and get useful analytical data for your website? The answer is to host your own. I haven’t made the full jump to a self-hosted analytics software yet, but I am choosing to log some extra data that will make that move easier in the future.

The most basic information I use for analytics is the access logs that Apache makes. The “combined” log format logs the remote IP address, the timestamp of the request, the final response code, the size of its response, the referer, and the user-agent. Apache also includes a couple of extra items for backward compatibility. There are two pieces of information that would complete the analytics picture, which vhost responded, and a cookie to tell if one client made multiple requests.

Apache’s mod_usertrack adds the cookie and adding the vhost is simple. I also decided to add mod_unique_id as well.

To make these changes, you need to enable those modules. For Ubuntu version 18.04 and later sudo a2enmod unique_id usertrack; sudo systemctl reload apache2 will do the trick and reload Apache, so the changes take effect. If you aren’t using Ubuntu, double-check how to enable Apache modules on the Linux distribution that you are using.

After mod_usertrack and mod_unique_id are enabled, they need to be activated and attached to the logs. The following configuration snippet will do that.

#Add configuration for user tracking to the log file
<IfModule mod_usertrack.c>
	CookieDomain .www.rrbrussell.com
	CookieExpires "2 weeks"
	#Requires >=2.4.42
	#CookieHTTPOnly on
	#CookieSameSite Strict
	#CookieSecure On
	CookieName Apache
	CookieTracking on
	LogFormat "%v:%{Apache}C %r %t %{UNIQUE_ID}e" usertrack
	CustomLog "${APACHE_LOG_DIR}/clicktracker.log" usertrack
</IfModule>

You will need to modify the CookieDomain, CookieExpires, and log destination to suit your system but this basic config will get you started. It outputs something like the following.

vhost             :tracking cookie        the request                              Timestamp                    Unique request identifier                                 
www.rrbrussell.com:689e322a.5adf4e2bd2d78 GET /2020/07/openwrt-on-x86-64/ HTTP/2.0 [28/Aug/2020:14:17:29 -0500] X0lYSSUCdg@45i0GT-H@qQAAAAE

I will write more on this topic in another few days. Until then.

—Robert

Continue reading "Use Apache’s mod_usertrack to get analytics without sharing data"
Posted on : By : Robert Posted in : Short

Another Quick Cash Grab In Blog Writing

Blog Writing: How To Write Successfully, Writing To Sell and Increase Profits by Maxwell J. Pods read by Leigh Ann Haga.

I do not have any other copies or formats of this book to compare the audiobook against. There are a lot of word choice and usage problems in this audiobook. Most Americans would call someone who reads websites, books, or other forms of written language a reader. She consistently uses words like perusers instead of readers or subscribers.

Another example that stood out to me was. “Attempt to think of a lot of thoughts consistently and store them in an article schedule, spreadsheet, or some other spot you can catch notes.” (I had to go over that sentence about four or five times myself just typing it out here because I kept subconsciously correcting the phrasing.)

The author did an adequate job of laying each chapter’s content out in a reasonable way. However, I am worried about the overall order in the book.

If I only look at the chapter titles, the book appears to be laid out reasonably. However, I didn’t get a good sense of connection between the chapters. I noticed this problem more in the later chapters.

This book is not a howto book. It varies widely in the number of pieces a topic gets broken down into. None of the issues get covered in any suitable depth, though.

My overall score is shoddy. I do not suggest getting this book.

—Robert

Continue reading "Another Quick Cash Grab In Blog Writing"
Posted on : By : Robert Posted in : Uncategorized

Second 2 Weeks Posting Challenge

During the previous 2 Weeks Posting Challenge, I missed one of eighteen days that it covered. I missed six of the sixteen days covered by this period.

Why did I miss those days? A lack of good topics to write about and a combination of not sitting down to write. I do not want to turn this blog into a political blog. However, divisive politics keep cropping up all the time.

Talk Later

—Robert

Continue reading "Second 2 Weeks Posting Challenge"
Posted on : By : Robert Posted in : Rants|Short

Supporting Older Programming Languages

In general, No, No, No!

I have been mulling this question over because of recent discussions I am following about Java, WordPress hosting, and Python 2. I will start with Java. Java has become the modern COBOL in a lot of ways. An extremely verbose language designed around one programming paradigm. Excluding the inherent problems of OOP, and Java’s verbosity, Java has one other major issue version rot. Java 8 has been end of lifed for a bit now and a lot of people are now learning that all of the ABI compatibility prior to version 8 comes with a load of technical debt. Most of the language syntax improvements that help with Java’s verbosity required ABI incompatible changes in the runtime and incompatible changes to the language syntax between Java 8 and 11. This means you can’t run Java 8 code on the Java 11 libraries and you can’t recompile that code with the Java 11 compiler either. To make matters worse Oracle now plans to allow such breaking changes about every 2 years now.

Both the Python 2 to Python 3 migration problems and the PHP5 to PHP7 migration mirror the issues with Java 8 to Java 11. Though, they have generally been better handled, especially the Python change. The Python authors released code that makes most of the syntactical adjustments automatically requiring a human for the areas that can’t be cleaned up by a computer. Yes, the ABI of the language changed but unlike Java 8 to Java 11 there is a migration tool that allows most python 2 source code to be migrated without a complete rewrite.

I am not as familiar with the details of the PHP 5 to 7 transition as I am with the Java 8 to 11, and Python 2 to 3 transitions. What I do know is that it has been in the works for a while. From the perspective of a programmer using the language PHP 7 isn’t a massive change. From the perspective of extension creators and hosting providers, it was a big deal initially. We are now 6, almost 7, years past this change and a lot of hosts still run PHP5.

I will have more to say about this topic in the future but for now have a good day.

—Robert.

Continue reading "Supporting Older Programming Languages"
Posted on : By : Robert Posted in : Short

SSH Clients For Windows

Here is a listing of my preferred SSH clients for Windows.

Windows has included a copy of OpenSSH enable by default since the April 2018 Update to Windows 10. The only downside to using it is the very basic default terminal in Windows. If we use Windows Terminal then it is an acceptable option though I prefer using one of the WSL distributions.

Bitvise SSH is a free, but not opensource, SSH client that was previously my default SSH client for Windows.

Putty is the old standard that I abandoned shortly after I found out about Bitvise.

There are a couple of other SSH options on the Microsoft store that I haven’t tried.

Continue reading "SSH Clients For Windows"
Posted on : By : Robert Posted in : Short

Enabling TLS 1.3 in Apache >=2.4.38

TLSv1.3 is now available on 85% of web clients, according to caniuse.com. Since I don’t have to support either Internet Explorer or the six microscopic mobile web browsers that don’t support it at all, I have gone ahead and migrated my servers straight over to TLSv1.3.

Below is a sample configuration that will enable TLSv1.3 and the currently recommended ciphers in a reasonable order. You must enable TLSv1.3 globally on the entire server. I made my adjustments in the /etc/apache2/mods-enabled/ssl.conf file. I gave Chacha preference to AES due to the number of mobile devices running modern browsers that don’t have AES hardware acceleration.

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
:TLS_AES_128_GCM_SHA256

        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol -all +TLSv1.3

Continue reading "Enabling TLS 1.3 in Apache >=2.4.38"