Categories
Uncategorised

Something I learnt about openssl

I’ve started using Vesta (vestacp) to manage my server, mostly because it’s open source and has a simple design. But recently its SSL feature just… failed. It rejected every certificate I threw at it, whether from Let’s Encrypt or self-signed. So after much lazy-ish hesitation, I decided to dig in.
It turns out that Vesta uses openssl extensively to check and verify certificates before enabling them. In the file func/domain.sh, the function is_web_cert_valid contains this snippet of code:
openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &
pid=$!
sleep 0.5
disown &> /dev/null
kill $pid &> /dev/null
check_result $? "ssl certificate key pair is not valid" $E_INVALID

 

This starts a dry-run SSL server using openssl’s s_server feature, waits half a second, then kills it. If the server has already exited by then, kill returns a non-zero code and the certificate gets rejected. But openssl by default starts its test server on port 4433, which is also the default port for SSL torrents used by Deluge with libtorrent < 1.1. Since I have Deluge set to autostart, openssl could never get hold of port 4433 and quit. And thus Vesta rejected all of my generated certificates.

Now, I found no way to disable port 4433 in Deluge. That feature seems to have been assigned to the Deluge 1.4 milestone; some suggested installing libtorrent 1.1 (which turns off SSL torrents by default), but that’s too much of a hassle. Fortunately, openssl can change its port, so I edited line ~340 in the file func/domain.sh and added one argument to the openssl command: -accept 44333

From

openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

To:

openssl s_server -quiet -accept 44333 -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

And that seems to do the trick.
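
Whether a key belongs to a certificate can also be checked without starting s_server at all, so no port is involved. The following is an added example, not Vesta's code and not part of the original post; the function names and sample file names are made up for illustration, and it assumes the openssl command-line tool is installed:

```sh
#!/bin/sh
# Added example: check a certificate/key pair offline, without opening a port.
# File names below are constructed sample data, not VestaCP paths.

# cert_key_match CERT KEY
# returns 0 = key belongs to cert, 1 = mismatch, 2 = a file could not be parsed
cert_key_match() {
    # Public key embedded in the certificate, as PEM.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key; "-passin pass:" makes an
    # encrypted key fail instead of prompting on the terminal.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_is_current CERT: 0 if the certificate has not expired yet.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# make_sample_pair DIR NAME: throwaway key + self-signed cert for the demo.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" a
make_sample_pair "$demo_dir" b
cert_key_match "$demo_dir/a.crt" "$demo_dir/a.key"; echo "a.crt with a.key: $?"
cert_key_match "$demo_dir/a.crt" "$demo_dir/b.key"; echo "a.crt with b.key: $?"
cert_key_match "$demo_dir/a.key" "$demo_dir/a.key"; echo "key given as cert: $?"
cert_is_current "$demo_dir/a.crt";                  echo "a.crt current: $?"
rm -rf "$demo_dir"
```

A check like this cannot be broken by another program holding port 4433, because it never binds a socket.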


Automatically deploy a web application with Git

I saved some useful links on this topic a long, long while back: https://truongan.name.vn/automated-deploying-using-git/ but never got around to finishing the story. My situation is: I have this web application project that I collaborate on with some colleagues. We have one repository hosted on our team server. I want to use that same server to host our web application, both the development and production branches of it (on different domains).

Now whenever we make changes to the code base, I want those changes to be automatically deployed on the server with a simple git push. At first we simply made the repository working tree available to Apache and considered it done. However, as the code base grew bigger, the deployment process required more changes. Each of us on the team has a .env file with system-specific settings like file paths, database configuration, etc. that are not portable, and the server has its own settings as well. Those files must be ignored by git and left alone by the deployment process.

So I googled around to see how others do their deployment, and landed on this page: http://gitolite.com/deploy.html. It lays out 4 rules of deployment:

  1. All files in the branch being deployed should be copied to the deployment directory.
  2. Files that were deleted in the git repo since the last deployment should get deleted from the deployment directory.
  3. Any changes to tracked files in the deployment directory after the last deployment should be ignored when following rules 1 and 2. However, sometimes you might want to detect such changes and abort if you found any.
  4. Untracked files in the deploy directory should be left alone

Rules 1 and 3 pretty much overlap each other and are easy to achieve. The most important rules for me are rules 2 and 4. So I followed his method and made some improvisations of my own.
The first step is to create a hook in the repository.

 cd myrepo.git/hooks
 vim post-receive

Now if you have a bare repo, you will find the directory named hooks inside it. If your repo directory contains a working tree, it will have a directory named .git (this folder is hidden by default on Unix-like OSes), and the hooks directory will reside there.

Now this post-receive script will run after someone pushes into the repository and do all the heavy lifting of deployment. This script should be modified to best suit each need; there is no one-size-fits-all formula here.

My hook looks like this:

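#!/bin/sh

# Paths are relative to the directory the hook runs in.
WORK_TREE="../public_html"
GIT_DIR="./checkup.git"

echo "-------- DEPLOYING HEAD ----------"
# Force-checkout HEAD of the repository into the web root.
git --work-tree="$WORK_TREE" --git-dir="$GIT_DIR" checkout -f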

This script is simple and it works fine for many simple projects. For the first deployment I still have to do things like populate the config file, set up the database, etc., but afterward a simple git push is enough to update the live project.
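
A sketch of how the same hook idea extends to the two-branch setup described above while keeping rules 2 and 4 (added example, not the original post's or gitolite's code). It swaps git checkout -f for git read-tree --reset -u with one index file per deployed branch, so the repository's HEAD is not moved; the branch names production and development and the directory dev_html are assumptions.

```sh
#!/bin/sh
# Added example: deploy logic for a post-receive hook serving two branches.
# Branch names and target directories are assumptions for illustration.

# deploy_branch GIT_DIR BRANCH WORK_TREE
deploy_branch() {
    git_dir=$(cd "$1" && pwd) || return 1
    branch=$2
    mkdir -p "$3" || return 1
    work_tree=$(cd "$3" && pwd) || return 1
    # Skip deleted or unknown branches instead of deploying garbage.
    git --git-dir="$git_dir" rev-parse -q --verify \
        "refs/heads/$branch^{commit}" >/dev/null || return 1
    # One index per deployed branch records what was deployed last time, so
    # files removed from the branch are removed from the work tree (rule 2),
    # local edits to tracked files are overwritten (rule 3) and untracked
    # files such as .env are never touched (rule 4).
    index="$git_dir/deploy-$(printf '%s' "$branch" | tr '/' '_').index"
    GIT_INDEX_FILE="$index" git --git-dir="$git_dir" --work-tree="$work_tree" \
        read-tree --reset -u "refs/heads/$branch"
}

# handle_push GIT_DIR: reads the "<old> <new> <ref>" lines git sends to
# post-receive on stdin and deploys only the branches listed here.
handle_push() {
    while read -r _old _new ref; do
        case $ref in
            refs/heads/production)
                deploy_branch "$1" production "$1/../public_html" ;;
            refs/heads/development)
                deploy_branch "$1" development "$1/../dev_html" ;;
            *)  echo "not deploying $ref" ;;
        esac
    done
}

# In hooks/post-receive the last line would be:  handle_push "$PWD"
```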


Generate random passwords on Linux, the quick and easy way.

First of all, why random passwords?

Traditionally, I only used random passwords on really important websites where I really needed a super strong password. In most cases I used easy-to-remember passwords. I have a small pool of passwords that are strong but also easy for me to remember, and I use those passwords on many sites.

But then the news of massive data breaches at many top sites panicked me. Even top sites like LinkedIn, Dropbox, etc. have suffered from data breaches. This puts the passwords I use on those websites at risk, even though these sites are well designed and stored my password as a hash. People will eventually brute-force their way through those hashing algorithms, and that puts many sites which share the same password at risk. So I was left with no other choice than to change my password on every website I have used.

Therefore I decided to use randomly generated passwords from now on. This has two advantages. One, I will have a strong password for every site, not necessary in some cases but it doesn’t hurt either. Two, I will have a unique password for each website, so in case one of them suffers a data breach, the damage is contained. In order to do that, I need two things: an easy-to-use, quick-to-access password generator, and a browser that can save passwords and sync them among devices.

About the password generator

You can find password generators anywhere on the web nowadays. However, I need something simple, lightweight and no-nonsense. A little googling around showed me pwmake, which belongs to libpwquality, a dependency of cryptsetup and gnome-disk-utility.


So if you have Ubuntu or any GNOME installation, chances are you already have pwmake and no installation is required, which is great. The only argument pwmake requires is the number of entropy bits it will use. Normally the number of entropy bits only matters if you’re generating tons of passwords at the same time. Those bits make sure those tons of passwords are truly random and don’t form a pattern. But since I only generate 1 password at a time, any amount of entropy bits will do; even zero is good.


Since I always have a terminal window hovering in the corner, popping it up, typing that command quickly and copying the generated password is no hassle. The generated password is always 8 characters or more, with lower-case letters, upper-case letters and numbers or symbols mixed in. That’s good enough for most websites. If I need a longer password, I can throw in more entropy bits.

And for the password manager.

When you use randomly generated passwords, you won’t be able to remember them. There’s no way that you can remember a set of long, randomly generated, case-sensitive strings with symbols and numbers mixed into them; it’s just impossible. Even if you remember them, typing them is a real pain, and typing them on all the devices you own, like a smartphone, is extremely painful. Luckily every major browser nowadays can remember passwords, autofill them when needed and sync them across devices. It’s a godsend.

Now there are a lot of dedicated password managers out there, but as time goes by, the browser’s built-in password manager is the best choice in my opinion. First, a stand-alone password manager is not well integrated; it may not autofill the password correctly. In most cases you will end up having to install a browser extension just so the stand-alone password manager can work. Second, a stand-alone manager may not be available on all your platforms and devices, while browsers like Firefox or Chrome are very well supported on almost all platforms. And the built-in password managers have grown a lot nowadays.

To start using the browser password manager, just press save password whenever your browser asks you to; it’s as simple as that. If you need more security, consider setting a master password; more on that later.


And finally, both Firefox and Chrome support password syncing across all of your devices. All you need is an email address. When you start Firefox for the first time you will be prompted to create a Firefox account. If you missed this screen, you can access it again via the sign-in to sync option.


 

An interesting thing I noticed as a long-time Firefox user is that Firefox has had two password syncing mechanisms: https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/

Ideally one won’t want his/her passwords to be stored in plain sight on some server; a data breach on that server would be disastrous. So all password syncing services encrypt the passwords before sending them to the server, which is fair enough considering that modern encryption algorithms are pretty strong. However, when those encrypted passwords are transferred from the syncing server to your new devices, they will require a decryption key.

Now, it would be easier for users if the Firefox account password was also the decryption key. That way when you log in to download your synced information, you can also decrypt it without the need for an additional password. But that would mean that if your Firefox account password was compromised, people can get all of your passwords in one place, JACKPOT. So in the early days, Firefox wanted to ensure maximum security by separating the account password and the decryption key. Instead, after you log in from a new device, you can download the synced information but cannot read it. You have to do the pairing, a special operation that allows one of your old devices to securely transfer the decryption key to your new device. And this pairing process is HIDEOUS. So they later changed their mind and went back to the normal way.

As for the master password: it’s meant to protect your data in case someone gets hold of your device. Now I don’t worry much about data safety if my device gets stolen; I have full disk encryption for that. The problem is when someone asks to use your device and you can’t refuse. When you set the master password, the browser will encrypt all of your sensitive information. The master password is not saved on your computer; the browser will ask you for it when it needs to access your data and remember it for one session only. If someone asks to borrow your device, you can simply quit your browser, easy as that.

 


A small handmade box for my small tech stuff

Every time I commute to work, some of my tech has to go with me. I often travel light, so besides my laptop and its charger there’s not much stuff, but the items are small and tend to tangle up at the bottom of my bag.

Below you can see some of my normal on-the-move stuff: my Bluetooth mouse, my phone’s earbuds, the Dell universal adapter to connect my laptop to the old projector at work, a micro-USB cable to charge my phone, a retractable Ethernet cable and an adapter for the laptop’s power plug.

IMG_20160625_113844

After a long while of having them jingling in my bag, I finally decided to step up and be more organized with them. First, it takes an old gift box. I don’t even remember what gift was in that box, but I just have a habit of keeping nice boxes. Still, all those years with its ribbon ripped off and being left to collect dust have taken a toll on the classy box.

IMG_20160625_113944

Now it’s time to add some dividers to the box. I didn’t have any paperboard at hand, so I decided to finally put some old driver CDs (who needs driver CDs nowadays?) to rest and reduce them to plastic boards. It was hard to cut up CDs using small scissors, but I finally got it done; throwing in some duct tape, measurement and adjustment, I got this:

IMG_20160625_114010

You can clearly see the hole of the CD in the divider. Now it’s time to put the stuff back in the box. And voilà:

IMG_20160625_114129

 


GNOME 3.20 won’t work with the Synaptics touchpad driver anymore

My Arch Linux laptop has just been updated to GNOME 3.20, and the first thing I noticed is that palm detection and disable-touchpad-while-typing no longer work.
It’s very annoying because I have quite large hands, and while I rest my hands on the laptop to type, they inevitably touch the touchpad, causing it to register a click with unwanted results. And so I investigated.
At first I tried gpointing-device-settings; it still works. synclient and syndaemon still work as well, so the touchpad and the synaptics driver still work. The problem comes from GNOME 3.20.
Some quick googling around revealed that GNOME 3.20 has dropped synaptics in favor of libinput, and so I quickly removed xf86-input-synaptics and xf86-input-libinput and everything was restored back to normal. But still I will have to stay on the lookout, since libinput is new and I have never used it before, while synaptics has been around for a long time and is widely supported.