
Cult of Tech.net Posts

Lets Encrypt & Nginx: Www-root method and Subject Alt Names

Digital Ocean has a pretty good guide for setting up Let's Encrypt with Nginx on Ubuntu 14.04. However, their guide requires you to stop your Nginx server while initially obtaining your Let's Encrypt TLS certificates, which is a problem for server/site operators who need or want to keep serving traffic while getting certificates. They also don't explain how to use subject alternative names to cover multiple sub-domains on the same server with a single certificate.

Let's Encrypt's client requires that the CA be able to connect to your server to verify that you control the domain you're requesting a certificate for. In the Digital Ocean guide this is handled by the standalone web server built into the Let's Encrypt client, which is why Nginx has to be stopped first: both want the same ports. Let's Encrypt does not need to operate that way, though. With the webroot (filesystem) method the client writes a challenge token file under /.well-known/acme-challenge/ in a directory your existing Nginx already serves, the CA fetches it over plain HTTP, and the server stays up the whole time.

The process is very similar to Digital Ocean's guide, but the order of operations is slightly different.
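As an added illustration of the webroot method and of requesting one certificate for several names (this is example code, not the post's own steps or the Digital Ocean guide), the functions below emit the Nginx snippet that serves the challenge directory, build the certbot argument list, and list the DNS names a certificate actually carries. The challenge directory /var/www/letsencrypt, the example.com names, and the use of the certbot client's --webroot plugin are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: webroot (filesystem) validation
# behind a running nginx, plus a single certificate covering several names.
# Assumptions: the challenge directory below (any directory nginx can read and the
# ACME client can write), the certbot client with its --webroot plugin, and the
# example.com names used in the usage notes.

ACME_ROOT="${ACME_ROOT:-/var/www/letsencrypt}"   # assumed path

# nginx snippet to include in every server {} block that must answer HTTP-01
# challenges. The client writes the token under $ACME_ROOT/.well-known/acme-challenge/
# and the CA fetches it over plain HTTP, so the site keeps serving throughout.
# "^~" makes this prefix location win over regex locations such as
# "location ~ \.php$" or WordPress rewrite rules, so the token is served verbatim.
acme_location_snippet() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root ${ACME_ROOT};
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
}

# Argument list for certbot: one -d per name. The first name becomes the
# subject of the certificate and every name (including the first) is placed in
# subjectAltName, so one certificate serves all the sub-domains listed.
certbot_webroot_args() {
    printf 'certonly --webroot -w %s' "$ACME_ROOT"
    for name in "$@"; do
        printf ' -d %s' "$name"
    done
    printf '\n'
}

# List the DNS names a PEM certificate actually carries, so the SAN list can be
# checked against what was requested.
cert_san_names() {   # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Typical use, with nginx already running, the snippet included and nginx reloaded:
#   acme_location_snippet > /etc/nginx/snippets/acme.conf     # include it, then: nginx -s reload
#   mkdir -p "$ACME_ROOT"
#   certbot $(certbot_webroot_args example.com www.example.com blog.example.com)
#   cert_san_names /etc/letsencrypt/live/example.com/fullchain.pem
```

Every name passed with -d must resolve to this server and be reachable on port 80 at request time, since the CA fetches the token from each of them; the snippet has to be present in whichever server block answers for each name.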

WordPress Hardening, Moving WP-Config

Let's be clear about some things. Security is hard. Even the so-called experts get it wrong, surprisingly often at that. I'm not an expert, and I'm not proposing that I'm right. Take what I say with a grain of salt.

In part of WordPress's hardening guide they discuss moving the WordPress config file (wp-config.php) out of the document root as a mechanism to make the site more difficult to attack. Specifically they say:

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.

Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).

The linked discussion on the topic on Stack Exchange is also worth reading while you’re at it.
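One concrete way to check that a relocated wp-config.php ended up where WordPress will look for it and with sane permissions, as an added example that is not from the post, the Codex, or the Stack Exchange thread: wp-load.php only searches one directory above the install, and it skips that location if a wp-settings.php also sits there (it assumes a parent WordPress install). The install path passed in and the temporary layout in the usage note are assumptions. The check looks only at mode bits; it cannot tell you whether the parent directory is itself the document root of some other virtual host, in which case the file is still exposed and moving it bought nothing.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or the WordPress Codex: verify
# that a wp-config.php moved out of the document root is where WordPress looks
# for it and is not readable or writable by other local users.
# Assumed layout: $1 is the WordPress install (the directory holding wp-includes)
# and wp-config.php lives exactly one level above it.

check_wp_config() {   # $1 = WordPress document root; prints problems, returns 1 if any
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 1; }
    parent=$(dirname "$docroot")
    cfg="$parent/wp-config.php"
    bad=0
    if [ -e "$docroot/wp-config.php" ]; then
        echo "wp-config.php is still inside the web root: $docroot/wp-config.php"; bad=1
    fi
    if [ ! -f "$cfg" ]; then
        echo "no wp-config.php one level above the install: $cfg"; bad=1
        return $bad
    fi
    # wp-load.php ignores the parent copy when a wp-settings.php is beside it
    if [ -e "$parent/wp-settings.php" ]; then
        echo "$parent/wp-settings.php exists, so WordPress will not load $cfg"; bad=1
    fi
    # ls -ld prints the mode as e.g. -rw-r--r--; chars 5-7 are group, 8-10 are others
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$mode" in
        ???????r??) echo "$cfg is world-readable ($mode); use chmod 400 or 440"; bad=1 ;;
    esac
    case "$mode" in
        ?????w????|????????w?) echo "$cfg is group- or world-writable ($mode)"; bad=1 ;;
    esac
    return $bad
}

# Usage: check_wp_config /var/www/example.com/htdocs   (assumed path)
```

Run it as the account that owns the install; a 400 file is still readable by the web server only if the web server runs as the owner, so for a shared php-fpm user the 440 variant with the web server's group is the one that actually works.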

With that said, I'm going to throw my two cents into the discussion.

Rebuilding the Windows System Reserved Partition

I've been googling like crazy for the past couple of days to find out how to rebuild a Windows 7 System Reserved partition. So let's start with the back story of why I needed to do this.

A few weeks ago I upgraded my Samsung 840 EVO to a new 850 EVO, and installed the 840 EVO in another computer here. In both cases I used Samsung’s Migration Tool to copy the old drives to the new drives. In both cases, at least so far as I can tell, Samsung’s tool renamed the 100MB System Reserved partition to “Data” and filled it until it had 5MB free. For whatever reason, the file filling the partition is completely invisible.

The catch is that, while the system works just fine, Windows' image backup utility (wbadmin) requires that a volume smaller than 500MB have at least 50MB free. In the default configuration from a Windows install there's about 70MB free and everything backs up fine. With only 5MB free, however, the volume shadow copy can't be created and the backup errors out. Backups failing was the symptom that clued me in that the System Reserved partition was messed up again.

In any event, I’ve tried a couple of ways to recover this situation without resorting to the most oft given advice of format and reinstall—advice I find simply appalling in almost every situation that it’s given. The first time I had this problem, I just repartitioned the disk so that I had more space on the system reserved partition so it would back up—it also helped that I needed >300MB since I was going to try and convert the computer to boot off UEFI instead of the legacy BIOS.

Fixing my slow Wordpress, Nginx, & WP-Supercache Setup

I probably should have caught this one a long time ago, but I didn’t. For a while now I’ve been complaining endlessly, at least in my internal monologue, about the poor performance I’ve been seeing from WP-Supercache on my VPS. Preloaded cache files simply shouldn’t take 1-1.5 seconds to serve up. They should be quick quick quick. Yet I was seeing such slow load times.

I've been struggling with the issue for quite some time. I had changed from WP-Supercache to W3 Total Cache, added memcached, cached DB operations, and so on and so forth, trying to figure out why my pages were so slow to load.

What struck me, was that when I rolled back my W3 Total Cache implementation to no caching, responsiveness stayed about the same or got slightly better. As a non-logged in user, the inverse should have been true. Pages should have taken longer to load without a caching implementation than with one.

Then it hit me: Nginx reads its configuration in order. Files pulled in by a glob include are loaded in sorted name order, and regular-expression location blocks are tried in the order they appear, with the first match winning.

Okay, let me take a step to the side here for a moment. On Dreamhost VPSes running Nginx, the server looks for supplementary config files in ~/nginx/$domain/ for each virtual host it serves. Knowing that Nginx reads those files in order, I organized mine using the ##-description.conf naming style, so I might have 10-rewrites.conf, 50-wordpress.conf, 60-supercache.conf.

On a lark the idea struck me that maybe I should try loading the supercache rules before I got to the regular Wordpress rules, which include the directives for passing requests for .php files back to the PHP back-end.

A quick rename of 45-supercache.conf to 30-supercache.conf, thus placing the supercache rules ahead of the Wordpress rules, and my non-logged-in user (i.e. reading from the static HTML cache) page response times dropped from 1-1.5s to less than 400ms.

Suffice to say, all my grumbling about slow performance was entirely due to poor configuration on my part.

I’m sure there’s probably a note about this somewhere in one of the myriad of guides for running Wordpress and WP-Supercache on Nginx, but I missed it.

I’d still love to improve the response time for pages that are being processed with PHP, but I can live with it being a touch slower for me knowing that it’s a whole lot faster for everybody else.

Bash: Watching Aliases

If you're trying to watch the output of an alias, you need to make watch an alias of itself as well.

For example, if you have an alias like say:

alias zfslist='zfs list -o name,volsize,used,available,referenced,compressratio,mountpoint'

And want to watch the output over time as if you ran:

user@host:~/$ watch zfslist

Then you need to set up watch as an alias to watch, as follows.

alias watch='watch '

The trailing space is what makes it work: when an alias value ends in a blank, bash also checks the next word on the command line for alias expansion, so zfslist gets expanded too instead of being handed to watch as a literal program name.
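To see the two behaviours side by side without needing watch or zfs installed, here is an added example (not from the original post) that uses env as a stand-in for watch, since it too takes a command line to run, and a constructed zfslist alias that just echoes a header line. The alias names and the fake output are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: why the trailing space matters.
# env stands in for watch (both run the command line they are given).
shopt -s expand_aliases 2>/dev/null || true   # bash only expands aliases in scripts when told to

alias zfslist='echo "NAME  USED  AVAIL"'   # stand-in for the zfs list alias; constructed output
alias run_nospace='env'                     # like: alias watch='watch'
alias run_space='env '                      # like: alias watch='watch '

# No trailing space: only the first word is alias-expanded, so env is handed the
# literal word "zfslist", which is not a program, and fails (exit status 127).
without_space() { run_nospace zfslist; }

# Trailing space: the shell also checks the next word for an alias, so this
# becomes:  env echo "NAME  USED  AVAIL"
with_space() { run_space zfslist; }

# Usage: with_space prints the header line; without_space prints an env error.
```

The same trick is why some people define sudo='sudo ' so that aliased commands work under sudo; the mechanism is identical.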

Writing on the iPad

When it comes to writing I have a love-hate relationship with just about every product I’ve ever used on my iPad. None of them are really the one stop solution that I want.

For me, the gold standard is MS Word. Why am I not using Word for everything, you may ask? Well, because Microsoft hasn't released a version of it for the iPad, and more and more I'm working on my iPad, even if the experience is mildly frustrating at the best of times.

I like Word in large part because you style things semantically, not visually, even if it doesn't seem that way. That is, you define text as a Heading 1 and then tell Word how Heading 1s should look. Ultimately this translates very nicely to eventual publication on my sites via Wordpress. H1s become H1s and the website styling gets applied; there's no serious translation or rewriting involved.

Working with this train of thought, I first started with Apple's Pages. In a way, Pages does a lot of what I wanted in a word processor, well, kind of. The behind-the-scenes things were great: Pages could write out a Word doc file and save it to a WebDAV server. Since I already run a Linux development server, and Apache supports WebDAV pretty much out of the box, it was a no-brainer to turn WebDAV on and share a folder over both WebDAV (for the iPad) and CIFS for my Windows workstations. Easy-peasy, and data is flowing from iPad to workstation for final editing and publication.

Unfortunately, the experience with Pages was less than seamless for me. It worked, but there were enough minor hassles that I couldn’t quite get over that Pages, to Word, to Wordpress wasn’t quite the way I wanted to work.

Enter WriteRoom.

When I bought it, I almost immediately had buyers remorse. The thought, “what did I just waste $5 of my money on,” was pretty prominent in my head. Now that I’ve been using it for a couple of weeks, I actually like it.

WriteRoom is not without its flaws, and man are they gaping holes, in my opinion at least, but since WriteRoom isn't a fancy rich text editor there's not a whole lot of room for incompatibilities moving the data from WriteRoom's text files to something else. Moreover, the UI is clean, and it plays well enough with a Bluetooth keyboard, which is a fundamental requirement if you're actually trying to write on an iPad.

That said, WriteRoom falls down in three major ways.

First, there’s no way to resize the width of the document, the writing area remains the same width regardless of whether the iPad is vertical or horizontal. When writing in 18 pt, which is quite comfortable to work at, the page is only 53 characters wide, even though there’s a good inch of margin on either side of the writing area with the iPad horizontal. While this may be ideal for reading, I find it to be somewhat less than ideal when I’m writing. That said, I do appreciate the ability to change the font size and line spacing, even if things feel a bit claustrophobic.

Second, there's no way to reorganize documents after you've created them. Well, there is, but it's one of those workarounds that only an idiot would consider acceptable (copy the content from one doc, paste it into a new doc, and delete the old doc). The inability to sort things, however, is rather frustrating when you have to move more than one thing around.

Finally, WriteRoom will only sync via Dropbox and iTunes–or you can email yourself the file.

I'm sure there are probably a ton of people who don't have a problem with that; I'm not one of them. To me, Dropbox is a liability, not a feature. It's yet another service that I have to have an account with, yet another unique password to manage, and yet another place my email address or other personal information can be lifted or lost from.

Unfortunately, from what I've been able to determine from the WriteRoom feature/request discussion group, the author would rather focus on features for WriteRoom instead of writing a WebDAV library for it. As much as I don't want to fault him for not wanting to add WebDAV support, I do; I also fault Apple for not including WebDAV client support as a basic part of their iOS APIs.

In the end, perhaps the most amusing thing about all of this, is that ultimately I’m publishing most of what I write to a Wordpress blog and there’s a native iOS Wordpress app. So why aren’t I using it for the writing?

Well in truth I do a little. However, the Wordpress app is occasionally broken when using an external keyboard. Which is odd, but apparently there’s a bug in either their code or the iOS virtual keyboard driver/screen resizing, that causes the keyboard’s advanced formatting bar (which I don’t really need or want anyway) to cover the last line of text if the on-screen keyboard hadn’t been docked at the bottom of the screen. Since I use the on-screen keyboard split almost always, the glitch almost always bites me. It’s a big enough PITA to fix, that it’s just easier to write in WriteRoom and copy it over when I’m done.

In the end, WriteRoom is a pretty good piece of software, I certainly like it better than Pages for writing. It’s certainly made my iPad a little more productive, though ultimately I keep finding that although the iPad shows little glints of genius in terms of what it could be, the design and software continue to fall just slightly short of being a real good productivity tool.

Sometimes I really hate software…or maybe just Wordpress

I've been struggling for a while to get some kind of workflow in place to track and organize my posts on my photography site. Just having a pile of drafts with no real order to them was causing me to lose things that were almost complete but needed a finishing touch or two. Then I came across the plug-in Edit Flow, which seemed like a good solution to my problem. It would let me create custom post states (i.e. draft, pending review, etc.), which I could then use to organize my content as I was developing it.

Only problem: Edit Flow's developers apparently do something with Wordpress' post_date_gmt field, which Wordpress uses to indicate whether a post is scheduled and what date to post it on. Because of this, they have a function that runs to normalize post_date_gmt instead of leaving it to Wordpress' devices. As a result, Edit Flow basically breaks the publishing and administrative post display behavior built into Wordpress.

Now I'm not sure which is worse, actually.

Wordpress really should have a post_on_date field for each post that controls the scheduling. If it's set to null (and yes, null is a perfectly appropriate value to represent "not applicable", more so than '0000-00-00 00:00:00' is at least), then the post isn't scheduled and Wordpress should behave as if it's a publish-immediately type of thing. On the other hand, if there's a date stamp in the field, then that's when the post is scheduled to be published, assuming its status is set to publish or scheduled.

Going off on a slight tangent here, the date situation in the wp_posts table is simply ridiculous. Granted, dates suck; the whole time zones, daylight savings, etc., etc. makes dealing with dates a minefield for even the most experienced programmers. That said, pick a standard and stick to it: either store all the dates in GMT, or store all the dates in local time, or GMT with an offset (i.e. YYYY-MM-DD HH:MM:SS ±OFFSET). The rest can be handled through the intermediate code (either at the DB level with stored procedures, views, or dynamic columns) or on the API side through the functions presented to the users.

Getting back to the rant…

Of course the Edit Flow developers, instead of working around the issue, say by building their code to GMTify the post_date field, or creating a new field, or storing things in another table, decided to appropriate the post_date_gmt field for something without much concern or thought (at least it seems that way) for the fact that doing what they do breaks Wordpress's default behavior. I'm sure they had their reasons, and personally I don't know if I really care what they were, but I really hate people that do things in a way that breaks the functional, if quirky, default behavior unless the point is to deliberately change that behavior. Nor do I think that deliberately breaking the default behavior was their intent.

Oh and how do I come across this little gem?

I was writing a plug-in that would reset the "scheduled/post on date". Why isn't this native functionality, though? It sure as hell should be.

Slight side tangent: what's worse than it not being native functionality is the insultingly ridiculous workaround that's trotted out when you Google for how to unschedule a post in Wordpress. Here's what you're "supposed" to do: change the date the post is scheduled to be posted on. That's been the workaround for at least a couple of years now, to boot, even though there seem to have been patches submitted that fixed it almost 2 years ago.

Back to where I was. Ya, so resetting the "scheduled post date" back to "post immediately" is actually as simple as zeroing out the post_date_gmt field, which is a rather trivial task to write a plug-in to do. (Yes, when I'm sure there aren't any unintended consequences for doing what I'm doing and the code is the way I want it, I'll probably release the plug-in here, under my typical "You can use it, but don't ask me for help" type license.) Well, at least it would be trivial if there was good documentation available. Instead, you're left to do something like this.

Google a post hook that sounds about right, or visit this page or this page. Find something that looks reasonable, and then visit here to see where the hook occurs in the Wordpress source code, or just grep through the source with something like grep -R 'action_hook' * | grep 'do_action'. Open up the source file, find the function and the hook call, and see if there isn't a more appropriate action to hook into. In this case there isn't: I can't hook into pre_post_update because it doesn't have a way to modify the post object before it's put in the DB, and doing the DB manipulation directly at that point would be overwritten by the subsequent update.

Speaking of dropping down to writing the SQL, seriously Wordpress guys, I can do in 5 SQL statements what takes 50 odd plus lines of PHP and god knows how much more code and queries between the function calls and manipulating the data. Should I, or anybody else, do that? Probably not, but damn if it’s not an attractive proposition.

So what have I learned from this?

On one hand, I can't imagine giving up Wordpress now that I'm familiar enough with it that I can actually make it do what I want on a programmatic level. Moreover, the fact you can get plug-ins to do so much (I picked up WYSIWYG Inline Code Command in the process of writing this to save having to drop to HTML to wrap bits in <code></code> tags) makes it really attractive to keep dealing with the annoyances.

On the other hand, some things really make me want to fork Wordpress and re-implement it in a more clean, extensible, clear, way. Then again, I don’t really want to release my plug-ins because I don’t want to feel obligated to support them after I solve my problem, dealing with a major 1100+ file 170,000 odd line (by my count) code base. Such is life.

Wordpress Live Drafts Plugin – Patch

I found Stephen Sandison's Live Drafts Wordpress plug-in the other day and it's been a godsend for the "publish placeholder and then replace with final post" type of posts I publish on some of my other sites where I'm abusing Wordpress as a CMS. If you are looking for a way to have a draft copy of an update (including previews) of an already published post, this is the plug-in you want.

That said, as a nitpicker, I found one minor detail that annoyed me to no end. The Save Draft button was misaligned.

Alignment of save draft button when running Live Drafts as of version 3.0.1.

How it should look.

Correct alignment of save draft button.

With that in mind, I dug into the impressively short and clear source code (at least for a Wordpress plugin) and identified the problem, which was quickly rectified with the patch below.

diff --git liveDrafts.php liveDrafts.php
index 0707b0e..93fa739 100644
--- liveDrafts.php
+++ liveDrafts.php
@@ -48,7 +48,7 @@ if (!class_exists('liveDrafts')) {
                     // Add save draft button to live pages
                     jQuery(document).ready(function() {

-                        jQuery('<input type="submit" tabindex="4" value="Save Draft" id="save-post" name="save">').appendTo('#save-action');
+                        jQuery('<input type="submit" tabindex="4" value="Save Draft" id="save-post" name="save">').prependTo('#save-action');

                     });
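Review bot: prependTo gives the right position, but the injected markup on this line still hard-codes the English label "Save Draft" and a fixed tabindex="4" inside a JavaScript string that, judging by the surrounding PHP (if (!class_exists('liveDrafts'))), is emitted from liveDrafts.php; build the label with esc_js(__('Save Draft')) so it is translatable and safely quoted, and guard the insertion with if (!jQuery('#save-post').length) so a second run, or a screen that already carries WordPress's own #save-post button, does not end up with a duplicate id.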

If you know how to apply a patch to a source code file, you're good to go. If not, or you want to make the fix through the editor in your Wordpress install, you're looking for line 51 where it says "jQuery('<input type....". You want to change the appendTo in .appendTo('#save-action'); at the end of the line to prependTo so the end of the line reads .prependTo('#save-action');.

Unclear Instructions: Setting Ubuntu/Unity Keyboard Shortcuts

I don’t know who wrote the text for the dialog for changing Keyboard shortcuts in Ubuntu 11.10, but wow could they have been more misleading.

The instructions read, "click the row and hold down the new keys," but in reality the only place that will let you change the shortcut is the text directly under the black arrow in the above image. I spent the better part of 20 minutes trying to figure out why I couldn't change a keyboard shortcut because the directions are utterly useless.

This should probably also be filed under: Won’t file a bug report as it’s too much bloody work, and now I won’t forget how to do it.

Enough With the Updates Already

If there's one thing I'm really starting to get tired of, it's software updates. It doesn't seem like a day goes by when something doesn't need to be updated. Sure, I could probably get away without updating as much, but given the state of security in most applications, and the fact that most software updates are at least partially security related, not applying them seems like asking for trouble.

There has to be a better way.

If there's one thing that some/most Linux distributions get right, it's updates. Yes, it's a little annoying that every time I log into my Ubuntu server it says there are updates. However, at the same time, the list of necessary updates covers everything I've installed, at least so long as I installed it from an apt repository.

Windows, on the other hand, is a comparative mess. Microsoft products update through Windows/Microsoft Update; 3rd-party programs need to roll their own update mechanism.

Things like Adobe's Flash Player, quite possibly one of the worst security offenders, are their own little special hell. Flash seems to check for, or at least try to apply, updates only when you first boot your computer; which means my system that sleeps nightly and is only restarted for OS updates that require a restart (yes, Windows 7 is stable enough that multi-week uptimes are not only possible but should be routine) virtually never prompts about Flash updates. Moreover, since Firefox, Chrome, and Internet Explorer all use different installers, it's not a simple one-click update; it's a multi-stage process including downloading the installer twice.

Then there’s the other stuff. Like Wordpress. Updated recently to 3.3. Which I might add is really quite nice compared to 3.2, though since switching to Nginx most of the egregious Wordpress performance issues have at least been mitigated.

Wordpress's built-in upgrade system is nice, when it works, but even that I'm not sure goes far enough. It's annoying as hell to upgrade Wordpress. Then the themes. Then the plugins. Then have the updater come back and say that more plugins have updates. Why can't I click "Update everything", confirm it, and have Wordpress update everything that has an outstanding update available?

Then again, the problem isn't Wordpress, Windows or Linux; it's the lack of real software engineering standards, and short deadlines aimed at maximizing profits regardless of the expense it causes to the consumers.

This is painfully obvious when you start looking at games. When I got Deus Ex: Human Revolution a couple of weeks ago the first thing it did after installing 8.something gigs of game files, is spend 30 minutes downloading a couple hundred meg patch.

Skyrim is even worse, in fact it’s to the point that I’m glad I didn’t buy it when it was released because so far it’s been an epic cluster fsck of updates and patches, some that actually broke more than they fixed.

I don’t know what the solution is, or if there even is one, but I do know this. I’m freaking tired of updates, and even more tired of software that’s written shoddily in the first place, because it can be updated later.