So, I was looking at the whois data for stupendous.net and I realised that I’ve owned this domain for nearly 20 years.
Domain Name: STUPENDOUS.NET
Registry Domain ID: 2627376_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.dyndns.com
Registrar URL: http://www.oracle.com
Updated Date: 2017-08-06T16:04:49Z
Creation Date: 1998-05-08T04:00:00Z
I thought that was pretty cool, though it made me sad to realise Oracle has subsumed yet another company and now owns dyndns.com, which I’ve used for at least 10 years.
On another note, I’ve added Facebook login for commenting on this site. I think pretty much everyone has a Facebook login these days.
Obviously, it’s going to send me your email address. I promise I won’t spam you. I won’t do anything with the email address other than use it as your primary key in the database.
So, there isn’t a good post for this right now. I’ve spent a little time on this server rebuild looking at the options. I have some base assumptions
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
This will give you an A+ on the SSL Labs test, with 100% in everything except Cipher Strength. The reason is HTTP/2: RFC 7540 requires a TLS 1.2 server to support ECDHE-RSA-AES128-GCM-SHA256, and a 128-bit suite in the list keeps that score below 100. If you decide you can live without HTTP/2, remove ECDHE-RSA-AES128-GCM-SHA256 and you will get 100% across everything, but you’ll also break Java 8 clients, which can’t negotiate AES-256 without the unlimited-strength crypto policy files installed. You may not care about that. One caveat on the headers: the HSTS preload list requires includeSubDomains alongside preload (and a max-age of at least one year, which 31536000 just satisfies), so the header as written will not be accepted for preloading until includeSubDomains is added.
Let’s Encrypt certificates should be generated with:
dhparam.pem should be generated with 4096 bits also.
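To check a server block like the one above for the pitfalls just discussed (legacy protocol versions, CBC and 128-bit suites, an HSTS preload header that the preload list would reject, session tickets, stapling without a resolver), here is a small linter. It is an added example, not code from the original post: it tokenises the nginx directives itself so it runs offline, and the two embedded config fragments (the post’s TLS directives and a deliberately weak counter-example) are constructed inline.

```python
"""Lint an nginx TLS server block for common hardening mistakes.
Added example, not from the original post; parses the config text
itself and never contacts a server."""
import re

# Constructed sample: the TLS directives from the post, reproduced inline.
SAMPLE_CONF = """
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
"""

# Constructed counter-example carrying the mistakes the checks should catch.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy protocols still enabled
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
ssl_stapling on;                       # but no resolver directive
add_header Strict-Transport-Security "max-age=300; preload";
"""

# Quoted strings are single tokens, so the ';' inside an HSTS value does
# not end the statement; '#' comments are skipped.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|;|[^\s;]+')
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


def parse(conf):
    """Return [(directive, [args]), ...] for each 'name arg ... ;' statement."""
    stmts, cur = [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if cur:
                stmts.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok.strip("\"'"))
    return stmts


def lint(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, directives, headers = [], {}, {}
    for name, args in parse(conf):
        if name == "add_header" and args:
            headers[args[0].lower()] = args[1:]
        else:
            directives[name] = args

    # Protocol versions below TLS 1.2.
    for proto in sorted(set(directives.get("ssl_protocols", [])) & WEAK_PROTOCOLS):
        findings.append(f"ssl_protocols enables {proto}")

    # Cipher list: CBC (non-AEAD) suites and 128-bit suites.
    suites = [c for c in directives.get("ssl_ciphers", [""])[0].split(":")
              if c and not c.startswith("!")]
    cbc = [c for c in suites if not any(m in c for m in AEAD_MARKERS)]
    if cbc:
        findings.append("non-AEAD (CBC) suites offered: " + ", ".join(cbc))
    if any("AES128" in c for c in suites):
        findings.append("128-bit suites offered: needed for HTTP/2 (RFC 7540 9.2.2) "
                        "but they keep the cipher-strength score below 100")

    # HSTS: preload requires includeSubDomains and max-age >= one year.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        parts = [p.strip().lower() for p in hsts[0].split(";")]
        match = re.search(r"max-age=(\d+)", hsts[0])
        max_age = int(match.group(1)) if match else 0
        if "preload" in parts and "includesubdomains" not in parts:
            findings.append("HSTS preload without includeSubDomains: hstspreload.org rejects it")
        if "preload" in parts and max_age < ONE_YEAR:
            findings.append(f"HSTS preload with max-age={max_age}, below one year")
        if "always" not in hsts[1:]:
            findings.append("HSTS add_header lacks 'always': header omitted on error responses")

    # Session tickets and OCSP stapling.
    if directives.get("ssl_session_tickets", ["on"])[0] != "off":
        findings.append("ssl_session_tickets on: nginx's random ticket key is not rotated while it runs")
    if directives.get("ssl_stapling", ["off"])[0] == "on" and "resolver" not in directives:
        findings.append("ssl_stapling on without a resolver: OCSP responses cannot be fetched")
    return findings


if __name__ == "__main__":
    for label, conf in (("post's config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(f"== {label}")
        for finding in lint(conf):
            print(" -", finding)
```

Run against the post’s fragment it reports exactly three things: the CBC suites at the tail of the cipher list, the 128-bit suite that HTTP/2 needs, and the preload header missing includeSubDomains. The weak fragment trips every other check, which is the quickest way to confirm the linter is actually looking at what you think it is.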
I seem to go through these every year or so. I don’t know why. I think I just like rebuilding servers.
Apologies for the awful theme. I try to find something that speaks to me but often all I find is trash.
I’m not a designer.
I kind of feel that WordPress has jumped the shark, but haven’t found anything better. I’ve considered writing something in Go but that seems like a well invented wheel.
edit: Wow, I really like this theme.