Written by: Robert R. Russell on Monday, August 31, 2020.
I moved this site to TLS 1.3 a few weeks ago.
So far, it has been working great if I use a web browser. Unfortunately, no
one has updated Curl to work with TLS 1.3. The is a major issue because Curl
is the HTTP client library du jour for C or languages that use C’s Foreign
Function Interface. Unfortunately, TLS 1.3 only breaks nearly all applications
that use a web callback or WordPress’ APIs.
To add TLS 1.2 back as an option
#Add below the SSLCipherSuite for TLSv1.3SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
#Add +TLSv1.2 to the end of the SSLProtocol lineSSLProtocol -all +TLSv1.3 +TLSv1.2
Written by: Robert R. Russell on Saturday, August 29, 2020.
If you followed the
WordPress Install Guide
you are leaving performance on the table for your website. The WordPress
Install Guide defaults to Apache’s mod_PHP which is definitely leaving
performance on the table.
Here is how to fix that in Ubuntu 20.04:
install php-fpm: sudo apt install php-fpm
disable mod_php and mpm_prefork: sudo a2dismod php mpm_prefork
enable mpm_event proxy_fcgi and setenvif: sudo a2enmod mpm_event proxy_fcgi setenvif
enable the php-fpm configuration file: sudo a2enconf php7.4-fpm
mark apache2 as a manually installed package: sudo apt-mark manual apache2
That takes care of the general Apache configuration. The next configuration
adjustments need to be done at the vhost level. Substitute the correct
information for YOUREMAIL, YOURDOMAIN, and WPDIR, and you are good to go.
Written by: Robert R. Russell on Friday, August 28, 2020.
First a major caveat, I still have Jetpack installed to simplify a few tasks
like reducing comment spam. Until I have a replacement for everything it does,
it will still track visitors.
You need to know how many people are interacting with your site and where they
are interacting with it. Without some form of visitor tracking, I couldn’t be
sure what my most visited post types are.
However, right now, website analytics is dominated by a group of companies
that view everyone as a product, not the customer. Google, Facebook, and others
all offer analytics for site owners, but you, the site owner, don’t control
the data, they do. So how do you respect your visitors’ privacy and get useful
analytical data for your website? The answer is to host your own. I haven’t
made the full jump to a self-hosted analytics software yet, but I am choosing
to log some extra data that will make that move easier in the future.
The most basic information I use for analytics is the access logs that Apache
makes. The “combined” log format logs the remote IP address, the timestamp of
the request, the final response code, the size of its response, the referer,
and the user-agent. Apache also includes a couple of extra items for backward
compatibility. There are two pieces of information that would complete the
analytics picture, which vhost responded, and a cookie to tell if one client
made multiple requests.
Apache’s mod_usertrack adds the cookie and adding the vhost is simple. I also
decided to add mod_unique_id as well.
To make these changes, you need to enable those modules. For Ubuntu version
18.04 and later sudo a2enmod unique_id usertrack; sudo systemctl reload apache2 will do the trick and reload Apache, so the changes take effect. If
you aren’t using Ubuntu, double-check how to enable Apache modules on the Linux
distribution that you are using.
After mod_usertrack and mod_unique_id are enabled, they need to be activated
and attached to the logs. The following configuration snippet will do that.
#Add configuration for user tracking to the log file<IfModule mod_usertrack.c>
CookieDomain .www.rrbrussell.com
CookieExpires"2 weeks"#Requires >=2.4.42#CookieHTTPOnly on#CookieSameSite Strict#CookieSecure OnCookieName Apache
CookieTrackingonLogFormat"%v:%{Apache}C %r %t %{UNIQUE_ID}e" usertrack
CustomLog"${APACHE_LOG_DIR}/clicktracker.log" usertrack
</IfModule>
You will need to modify the CookieDomain, CookieExpires, and log destination
to suit your system but this basic config will get you started. It outputs
something like the following.
vhost :tracking cookie the request Timestamp Unique request identifier
www.rrbrussell.com:689e322a.5adf4e2bd2d78 GET /2020/07/openwrt-on-x86-64/ HTTP/2.0 [28/Aug/2020:14:17:29 -0500] X0lYSSUCdg@45i0GT-H@qQAAAAE
I will write more on this topic in another few days. Until then.
I do not have any other copies or formats of this book to compare the audiobook
against. There are a lot of word choice and usage problems in this audiobook.
Most Americans would call someone who reads websites, books, or other forms of
written language a reader. She consistently uses words like perusers instead of
readers or subscribers.
Another example that stood out to me was. “Attempt to think of a lot of
thoughts consistently and store them in an article schedule, spreadsheet, or
some other spot you can catch notes.” (I had to go over that sentence about
four or five times myself just typing it out here because I kept subconsciously
correcting the phrasing.)
The author did an adequate job of laying each chapter’s content out in a
reasonable way. However, I am worried about the overall order in the book.
If I only look at the chapter titles, the book appears to be laid out
reasonably. However, I didn’t get a good sense of connection between the
chapters. I noticed this problem more in the later chapters.
This book is not a howto book. It varies widely in the number of pieces a topic
gets broken down into. None of the issues get covered in any suitable depth,
though.
My overall score is shoddy. I do not suggest getting this book.
Written by: Robert R. Russell on Wednesday, August 26, 2020.
During the previous Two Weeks Posting Challenge, I missed one of eighteen days
that it covered. I missed six of the sixteen days covered by this period.
Why did I miss those days? A lack of good topics to write about and a
combination of not sitting down to write. I do not want to turn this blog into
a political blog. However, divisive politics keep cropping up all the time.
Written by: Robert R. Russell on Monday, August 24, 2020.
In general, No, No, No!
I have been mulling this question over because of recent discussions I am
following about Java, WordPress hosting, and Python 2. I will start with
Java. Java has become the modern COBOL in a lot of ways. An extremely verbose
language designed around one programming paradigm. Excluding the inherent
problems of OOP, and Java’s verbosity, Java has one other major issue version
rot. Java 8 has been end of lifed for a bit now and a lot of people are now
learning that all of the ABI compatibility prior to version 8 comes with a
load of technical debt. Most of the language syntax improvements that help
with Java’s verbosity required ABI incompatible changes in the runtime and
incompatible changes to the language syntax between Java 8 and 11. This means
you can’t run Java 8 code on the Java 11 libraries and you can’t recompile that
code with the Java 11 compiler either. To make matters worse Oracle now plans
to allow such breaking changes about every 2 years now.
Both the Python 2 to Python 3 migration problems and the PHP5 to PHP7 migration
mirror the issues with Java 8 to Java 11. Though, they have generally been
better handled, especially the Python change. The Python authors released code
that makes most of the syntactical adjustments automatically requiring a human
for the areas that can’t be cleaned up by a computer. Yes, the ABI of the
language changed but unlike Java 8 to Java 11 there is a migration tool that
allows most python 2 source code to be migrated without a complete rewrite.
I am not as familiar with the details of the PHP 5 to 7 transition as I am
with the Java 8 to 11, and Python 2 to 3 transitions. What I do know is that it
has been in the works for a while. From the perspective of a programmer using
the language PHP 7 isn’t a massive change. From the perspective of extension
creators and hosting providers, it was a big deal initially. We are now 6,
almost 7, years past this change and a lot of hosts still run PHP5.
I will have more to say about this topic in the future but for now have a good
day.
Written by: Robert R. Russell on Sunday, August 23, 2020.
Here is a listing of my preferred SSH clients for Windows.
Windows has included a copy of OpenSSH enable by default since the April 2018
Update to Windows 10. The only downside to using it is the very basic default
terminal in Windows. If we use Windows Terminal then it is an acceptable option
though I prefer using one of the WSL distributions.
Bitvise SSH is a free, but not opensource, SSH client that was previously my
default SSH client for Windows.
Putty is the old standard that I abandoned shortly after I found out about
Bitvise.
There are a couple of other SSH options on the Microsoft store that I haven’t
tried.
Written by: Robert R. Russell on Wednesday, August 19, 2020.
TLSv1.3 is now available on
85% of web clients, according to
caniuse.com. Since I don’t have to support either
Internet Explorer or the six microscopic mobile web browsers that don’t support
it at all, I have gone ahead and migrated my servers straight over to TLSv1.3.
Below is a sample configuration that will enable TLSv1.3 and the currently
recommended ciphers in a reasonable order. You must enable TLSv1.3 globally
on the entire server. I made my adjustments in the
/etc/apache2/mods-enabled/ssl.conf file. That is the correct file for Debian
and Ubuntu. Fedora and RHEL will probably be under /etc/httpd/. I gave Chacha
preference above AES due to the number of mobile devices running modern browsers
that don’t have AES hardware acceleration.
# SSL Cipher Suite:# List the ciphers that the client is permitted to negotiate. See the# ciphers(1) man page from the openssl package for list of all available# options.# Enable only secure ciphers:SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
# SSL server cipher order preference:# Use server priorities for cipher algorithm choice.# Clients may prefer lower grade encryption. You should enable this# option if you want to enforce stronger encryption, and can afford# the CPU cost, and did not override SSLCipherSuite in a way that puts# insecure ciphers first.# Default: OffSSLHonorCipherOrderon# The protocols to enable.# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2# SSL v2 is no longer supportedSSLProtocol -all +TLSv1.3