20 years

So, I was looking at the whois data for stupendous.net and I realised that I’ve owned this domain for nearly 20 years.

   Domain Name: STUPENDOUS.NET
   Registry Domain ID: 2627376_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.dyndns.com
   Registrar URL: http://www.oracle.com
   Updated Date: 2017-08-06T16:04:49Z
   Creation Date: 1998-05-08T04:00:00Z

I thought that was pretty cool, though it made me sad to realise Oracle has subsumed yet another company and owns dyndns.com who I’ve used for at least 10 years.

On another note. I’ve added facebook login for commenting on this site. I think pretty much everyone has a facebook login these days.

Obviously, it’s going to send me your email address. I promise I won’t spam you. I won’t do anything with the email address other than use it as your primary key in the database.

A+ SSLLabs with NGINX with HTTP/2 in January 2018

So, there isn’t a good post for this right now. I’ve spent a little time on this server rebuild looking at the options. I have some base assumptions

  • Only TLS 1.2 because all other protocols are considered weak at this time.
  • Maximum key strength possible – prefer 256 bit ciphers and fall back to 128 bit for software that doesn’t support that.
  • Support only the latest OS/Library implementations. That means old version of Java, Android, Windows, OpenSSL etc are not supported.
  • Support HTTP/2 You can see the result of my configuration here.
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

ssl_protocols       TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
ssl_ecdh_curve      secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;

add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;

This will give you an A+ with 100% in everything except Cipher Strength. The reason for this is HTTP/2. If you decide you can live without HTTP/2, then remove ECDHE-RSA-AES128-GCM-SHA256 and you will get 100% across everything, but you’ll also break Java8 clients. Which you may not care about.

Letsencrypt certificates should be generated with:

--rsa-key-size 4096

dhparam.pem should be generated with 4096 bits also.

Another year, another reboot

I seem to go through these every year or so. I don’t know why. I think I just like rebuilding servers.

Apologies for the awful theme. I try to find something that speaks to me but often all I find is trash.

I’m not a designer.

I kind of feel that WordPress has jumped the shark, but haven’t found anything better. I’ve considered writing something in Go but that seems like a well invented wheel.

edit: Wow, I really like this theme.