Wednesday, December 14, 2016

How to set up FREE HTTPS for your website -- including a free CA certificate

**GET YOUR SETTINGS REVIEWED BY AN EXPERT BEFORE YOU GO LIVE**


You will find a lot of information in bits and pieces all over the Internet, with too much technical jargon peppered throughout. If you do not know how HTTPS works, do not worry; it is not hard to set up. Let's just say that HTTPS encrypts the traffic between the browser and the website and move on to setting it up for your website. The keys are a couple of files needed to encrypt your website's traffic, and they need to be signed by a CA (certificate authority) in order for browsers to recognise that the traffic is properly encrypted. I will use the nginx web server and the CentOS 7 operating system to show how HTTPS can be set up. If you use a different web server such as Apache, or a different OS such as Ubuntu, look up the corresponding instructions elsewhere. So here go the steps:

1. Get a free CA signed certificate
2. Update your web server to use the certificates and enable https
3. Set up certificate renewal and optimize and secure your HTTPS website

1. Get a free CA signed certificate
Yes! You can get a free CA-signed certificate which is valid for 90 days and set up auto renewal. You can get the certificate from Let's Encrypt, or even better use a tool that validates your domain and copies the keys to your host.

You can use https://www.sslforfree.com/, which generates the Let's Encrypt key for you, or you can run certbot yourself:
sudo yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html -d example.com -d www.example.com

where /usr/share/nginx/html is the folder where your website sits. If your website is in a different folder, change every occurrence of /usr/share/nginx/html to the correct path. example.com is your website name.


You may end up with a host validation error. This is usually because your server isn't set up to serve the .well-known/acme-challenge folder that certbot uses for domain validation. Add the following to the /etc/nginx/nginx.conf file after (below) the existing "location / {}":

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /usr/share/nginx/html;
}

You may also have to create /usr/share/nginx/html/.well-known/acme-challenge.


Then reload nginx to load the new settings and rerun the certbot command above (with your changes):
nginx -s reload 

The output will be a bunch of files:
[root@li851-111 nginx]# ls /etc/letsencrypt/live/example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem 


Now you have the CA-signed certificate files.

2. Update your web server to use the certificates and enable HTTPS
Now that you have the certificates, you can enable HTTPS for your website. Uncomment the TLS section of /etc/nginx/nginx.conf after the line "# Settings for a TLS enabled server.".

The setting looks something like the block below; add your certificate and key paths to ssl_certificate and ssl_certificate_key:

# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # "ssl on;" is not needed: "listen 443 ssl" already enables TLS.
        # fullchain.pem is cert.pem plus chain.pem; serving cert.pem alone leaves out the
        # intermediate certificate and many clients then fail to verify the chain.
        ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout  120m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # The location must match the page named in error_page (the stock file says /40x.html).
        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Then reload the web server: nginx -s reload

3. Set up certificate renewal and optimize and secure your HTTPS website
The certbot tool can request a renewal, so all we need to do is set up a cron job that requests renewal every 3 months (90 days), as Let's Encrypt certificates expire after 90 days. You can replace 13 in the command below by the current date - 1 so the renewal happens on the 89th day. Note that certbot renew only replaces certificates that are close to expiry, and nginx must be reloaded afterwards to pick up the new files, so the crontab entry is:


0 0 13 * * certbot renew --quiet --post-hook "nginx -s reload"


Now follow the steps here to either redirect HTTP to HTTPS or disable HTTP, and to optimize HTTPS: https://bjornjohansen.no/redirect-to-https-with-nginx and https://bjornjohansen.no/optimizing-https-nginx


Now try https://example.com
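A quick check of what the server actually serves, added here as an example (not part of the original post): a verified TLS handshake from Python's standard library fails if nginx sends cert.pem without the intermediate, and the expiry arithmetic mirrors the 30-day window inside which certbot renew acts. The host name example.com is a placeholder.

```python
"""Check what an HTTPS server really serves: a verified chain, a matching hostname and
the days left on the certificate. Added example; example.com is a placeholder host."""
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30   # 'certbot renew' only renews certificates this close to expiry

def to_epoch(cert_time):
    """Parse the 'notAfter' string that getpeercert() returns, e.g. 'Mar 14 00:00:00 2017 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(not_after, now_ts=None):
    """Whole days from now_ts (default: the current time) until the certificate expires."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((to_epoch(not_after) - now_ts) // 86400)

def needs_renewal(not_after, now_ts=None):
    """True when the certificate is inside the window in which a cron'd 'certbot renew' acts."""
    return days_until_expiry(not_after, now_ts) <= RENEW_WINDOW_DAYS

def fetch_cert(host, port=443, timeout=5):
    """Verified TLS handshake; the hostname is checked against the certificate's SANs.
    If nginx serves cert.pem alone (no intermediate), verification raises here, which is
    the practical reason fullchain.pem belongs in ssl_certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def report(host):
    cert = fetch_cert(host)
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    days = days_until_expiry(cert["notAfter"])
    flag = "  <- inside the renewal window" if needs_renewal(cert["notAfter"]) else ""
    print(f"{host}: issuer={issuer}, expires in {days} days{flag}")

if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else "example.com")
```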

References:
  1. https://certbot.eff.org/#centosrhel7-nginx
  2. https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
  3. https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/
  4. https://www.digicert.com/ssl-certificate-installation-nginx.htm
  5. https://bjornjohansen.no/optimizing-https-nginx
  6. https://letsencrypt.org/

Thursday, March 31, 2016

Pageant for Mac - Using Jump Server on Mac

If you use PuTTY on Windows, you probably used Pageant to store multiple keys, ssh to a jump server and then ssh to your work machine. If you ended up on a Mac for some reason and you have a production situation, there is no reason to panic. Mac systems have Keychain, software that manages your keys, including SSH keys. There are 3 steps to use it for jumping.


1. Add your SSH keys to Keychain.
2. Create an ssh config file to access the jump terminal.
3. Agent forwarding.

1. Adding keys

If you have ppk (PuTTY) keys you need to convert them. If you have OpenSSH keys you can add them without converting. I had puttygen on my Mac. If you were using a Windows machine, you can convert the ppk keys to OpenSSH keys on Windows and then add them on the Mac.

I had two keys; if you have only one, that is fine.
puttygen user_rsa.ppk -O private-openssh -o user_rsa.key
puttygen jump.ppk -O private-openssh -o jump.key

If a window pops up, DO NOT hit Generate.
1. Load your private key, then
2. Go to the Conversions menu and export an OpenSSH key. Save it as jump.key or whatever name you like.
3. Copy the key to your Mac and run the following:

ssh-add -K /Users/raguk/Documents/access/user_rsa.key
ssh-add -K /Users/raguk/Documents/access/jump.key

2. Create an ssh config file.

Create the ~/.ssh folder if you do not have one.

raguk$ cd ~/.ssh
raguk$ cat config

Host jump
Hostname
Port 12345
User raguk
IdentityFile /Users/raguk/Documents/access/jump.key
ForwardAgent yes

3. Agent forwarding

You have already done it in the last step. The last line of the config file, ForwardAgent yes, is crucial. You can now do:

laptop>ssh jump
server1>ssh server2

Remember not to store the keys on the jump server; that defeats the purpose of using a jump server. ssh -A will also do the agent forwarding. Happy jumping.

Sunday, October 18, 2015

Installing Ubuntu and Fixing Boot, Software Centre Issues

Installing Ubuntu 12.04
===============
As long as you do not explicitly choose to wipe your Windows partition, the default installation should work fine. The problems start later on, however! I trust you on this part and proceed directly to the problems.

Boot Problems
===========
The grandchildren of Linux have the same old boot loader problems that their grandmother RedHat 2-6.0x had! What happens is that you will not see an option to boot Linux; the machine goes directly to Windows or whatever else you have on your computer.

Ctrl+Alt+T
sudo grub-install /dev/sda

Hit enter and the problem should now be solved.

Software Centre
===========
The Canadian mirror seems to be sleeping, so you may get this error.

Error
=====
W:Failed to fetch http://ca.archive.ubuntu.com/ubuntu/dists/precise/Release.gpg  Unable to connect to ca.archive.ubuntu.com:http:
E:Some index files failed to download. They have been ignored, or old ones used instead.

Open Software Centre, choose Edit -> Software Sources, select Other, hit the Best Server option and accept when Ubuntu finds you the best server.

Now
Ctrl+Alt+T
sudo apt-get update

This will update your package index and you should be good to go from there.

Have fun.
Regards
Ragu

Monday, September 21, 2015

Perl Script to find intersection of lines in two files

#!/usr/bin/perl
# Author : ~rAGU ()
# Description: a script to compare the lines of two text files,
# meant for the case where one file is a subset of the other.
# As written it prints every line of the first file (the set) that does
# NOT appear in the second file (the subset), i.e. the lines the subset lacks.
# finsec.pl
# 2004
use strict;
use warnings;

# Usage: finsec.pl set.txt subset.txt
open(my $set, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!";
my $count = 0;

while (my $lineInSet = <$set>)
{
    chomp($lineInSet);
    #$lineInSet =~ s/^\s*(.*?)\s*$/$1/;   # optional: trim surrounding whitespace
    $count++;
    my $counts = 0;
    my $isInSubset = 0;

    # The subset file is re-read from the start for every line of the set.
    open(my $subset, '<', $ARGV[1]) or die "Cannot open $ARGV[1]: $!";

    while (my $lineInSubset = <$subset>)
    {
        $counts++;
        chomp($lineInSubset);
        #$lineInSubset =~ s/^\s*(.*?)\s*$/$1/;

        if ($lineInSet eq $lineInSubset)
        {
            $isInSubset = 1;
            last;   # found it; no need to scan the rest of the subset
        }
    } # End of subset loop
    close($subset);

    if ($isInSubset == 0)
    {
        print "$lineInSet\n";
    }
} # End of set loop

close($set); # End of the program

Monday, October 27, 2014

Using Regular Expressions for Program Transformation


I have been investigating the problem of practical code transformation to deal with small changes that have to be made across a large collection of programs in different programming languages. So the problem is not to transform a program entirely, but to make small transformations to a large set of programs, even when that set contains C, Perl, Java and other source programs. This has practical application in software development, code refactoring and testing. A lot of cost savings in software testing is possible if test suites are well maintained and are automagically transformed using some method. I used such a method and published the findings on ip.com in 2011; that publication is a fuller system description of what I describe here. There are some interesting obstacles to transforming programs. I will try to explain, as well as understand, some of them in this post.

When we want to transform a set of programs in different languages, what we are dealing with is a bunch of Context Free Grammars (CFGs) implemented using syntax symbols that are the result of the 'wild' imagination of their authors (wild characters cannot be domesticated, that is!). The transformation therefore has to deal with two things: 1) the CFG and 2) the syntax symbols. It is not obvious, but I have worked out after some effort and intuition that the best chance to modify these programs is only through full knowledge of each of these CFGs and their syntax. However, we can make some complex changes of practical importance without that knowledge using Regular Expressions (REs).

Regular expressions are nothing but a representation of Finite Automata (FA). From formal language theory we know that not all CFGs have corresponding REs. Therefore even partial parsing of a CFG using REs may be impossible, depending on the portion of the CFG we are looking to transform. In other words, a regex alone cannot make some modifications, no matter how small the change is. For a programmer this means there will always be mismatches for some REs when they are used across multiple programs (in the same language). The problem of coming up with an RE that always matches patterns across programming languages, or within a single programming language defined by a CFG, is not solvable.

It is also tempting to think that, using some specially designed syntax symbols, modification of a program using REs may be possible. Unfortunately, as long as what we use is an RE, we cannot modify a language defined by a CFG no matter what syntax symbols we use. The problem lies in the grammar, not in the syntax symbols.

As stated earlier, we can still make many meaningful and useful changes to programs across languages. We used two heuristic approaches successfully (very!):

1) Identify whether the portion that needs modifying across the programs is an FA (i.e. regular). If it is, write a regular expression to modify it. This will not fully succeed, because the syntax symbols of the various languages may make it impossible to identify an FA. Thus this too will work only partially.

2) Identify a subset of the CFG that can be matched easily using a set of REs plus custom parsing. This can be used to modify that subset of the CFG across programs and languages, again partially.

If we learn to make better use of successful transformations we can achieve a lot of practical advantages and save labour. For idealists, a plugin can be implemented for every language in question, programming the compiler front end to do the transformation for us. I have written a small interpreter that accepts instructions on what to change in a program. I have called it the Test Mutation Language.
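A worked illustration of the two heuristics, added here and not the author's Test Mutation Language: rewriting assertEq(ARGS) into expect(ARGS).toPass() across a C-style and a Perl-style line whose arguments nest. A regex alone either misses the nested calls or cuts them at the wrong parenthesis; a regex plus a small balanced-parenthesis scanner (heuristic 2) handles them. The call names and sample lines are constructed.

```python
"""Rewriting assertEq(ARGS) into expect(ARGS).toPass() across lines from different
languages. Added example; the call names and sample lines are constructed."""
import re

# Heuristic 1: a pure regex. A regex is a finite automaton and cannot count parentheses,
# so it either forbids nesting (NARROW: silently misses) or stops at the first ')' (LAZY: corrupts).
NARROW_RE = re.compile(r"\bassertEq\(([^()]*)\)")
LAZY_RE = re.compile(r"\bassertEq\((.*?)\)")

def rewrite_with_regex(src, pattern=NARROW_RE):
    return pattern.sub(r"expect(\1).toPass()", src)

def balanced_end(src, start):
    """Index just past the ')' closing the '(' at src[start], or None if it never closes.
    The depth counter is the small piece of custom parsing the CFG needs and an FA lacks
    (string literals containing parentheses are the next thing a fuller parser would handle)."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return None

def rewrite_with_parser(src, old="assertEq", new="expect", suffix=".toPass()"):
    """Heuristic 2: a regex locates candidate call sites, the scanner finds their extent."""
    out, pos = [], 0
    for m in re.finditer(r"\b" + re.escape(old) + r"\(", src):
        if m.start() < pos:        # nested inside a call already rewritten: left alone
            continue
        end = balanced_end(src, m.end() - 1)
        if end is None:            # unbalanced input: skip it rather than corrupt it
            continue
        out.append(src[pos:m.start()])
        out.append(new + src[m.end() - 1:end] + suffix)
        pos = end
    out.append(src[pos:])
    return "".join(out)

# Constructed sample: one C-style line and one Perl-style line, both nesting a call in the arguments.
SAMPLE = "assertEq(f(x), 1);\nassertEq(g(h(y)), $z) or die;\n"

if __name__ == "__main__":
    print(rewrite_with_regex(SAMPLE) == SAMPLE)    # True: the narrow regex matched nothing
    print(rewrite_with_regex(SAMPLE, LAZY_RE))     # ).toPass() lands inside the arguments
    print(rewrite_with_parser(SAMPLE))             # correct on both lines
```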

Ragu Kattinakere