Category: Technology

Getting Started with Ansible

So, for the past week I’ve been using Ansible in anger. Genuine, bare knuckled, actually trying to get shit done with it. Oh yes, I’ve tinkered over the years, nothing serious. You know, to kick the tires. But I never really saw the point. I was pretty happy with puppet. But recently the team I work in decided as a group to adopt Ansible for our provisioning and management tasks. I think that it’s a good choice – for a bunch of reasons – but I don’t really want to go into them here.

What I want to do, is document a little of my journey, and explain what I’ve learned after a week or so of trying to use this thing for reals.


A+ SSLLabs with NGINX with HTTP/2 in January 2018

So, there isn’t a good post for this right now. I’ve spent a little time on this server rebuild looking at the options. I have some base assumptions

  • Only TLS 1.2 because all other protocols are considered weak at this time.
  • Maximum key strength possible – prefer 256 bit ciphers and fall back to 128 bit for software that doesn’t support that.
  • Support only the latest OS/library implementations. That means old versions of Java, Android, Windows, OpenSSL etc. are not supported.
  • Support HTTP/2.

You can see the result of my configuration here:
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

ssl_protocols       TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
ssl_ecdh_curve      secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;

add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;

This will give you an A+ with 100% in everything except Cipher Strength. The reason for this is HTTP/2, which requires the 128-bit suite ECDHE-RSA-AES128-GCM-SHA256 to be offered. If you decide you can live without HTTP/2, remove ECDHE-RSA-AES128-GCM-SHA256 and you will get 100% across the board, but you will also break Java 8 clients, which you may not care about.

Letsencrypt certificates should be generated with:

--rsa-key-size 4096

dhparam.pem should be generated with 4096 bits also.
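As an added example (my own, not part of the original post), here is a small Python check that parses an nginx TLS snippet like the one above and flags anything that departs from the policy the post sets out: TLS 1.2 only, 256-bit suites apart from the single 128-bit suite HTTP/2 clients require, server cipher preference, session tickets off, and a long-lived HSTS header. The embedded snippet is a constructed, trimmed copy of the post's directives, and the six-month HSTS minimum is an assumption about the A+ bar rather than something the post states.

```python
import re
import shlex
# Constructed sample (a trimmed copy of the directives in the post), not read from a live server.
SAMPLE_CONF = """
listen 443 ssl http2 default_server;
ssl_protocols       TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DSS:!aNULL;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; preload" always;
"""
# TLS 1.2 suite HTTP/2 clients must be able to negotiate (RFC 7540, section 9.2.2), OpenSSL naming.
H2_REQUIRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
HSTS_MIN_AGE = 15768000  # six months, assumed here as the SSL Labs A+ bar for HSTS

def parse_directives(conf):
    # Map directive name -> list of argument lists (one list per occurrence).
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.endswith(";"):
            continue
        name, *args = shlex.split(line[:-1])  # shlex keeps quoted header values intact
        directives.setdefault(name, []).append(args)
    return directives

def audit(conf):
    """Return findings as strings; an empty list means the snippet matches the post's policy."""
    d = parse_directives(conf)
    findings = []
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    if protocols & WEAK_PROTOCOLS:
        findings.append("weak protocol enabled: " + ", ".join(sorted(protocols & WEAK_PROTOCOLS)))
    suites = [s for args in d.get("ssl_ciphers", []) for s in (args[0] if args else "").split(":") if s]
    http2 = any("http2" in args for args in d.get("listen", []))
    if http2 and H2_REQUIRED_SUITE not in suites:
        findings.append(f"http2 enabled but {H2_REQUIRED_SUITE} missing (RFC 7540 9.2.2)")
    extra128 = [s for s in suites if "AES128" in s and s != H2_REQUIRED_SUITE]
    if extra128:
        findings.append("128-bit suites beyond the HTTP/2 requirement: " + ", ".join(extra128))
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is off: the client chooses the suite")
    if d.get("ssl_session_tickets", [["on"]])[0] != ["off"]:
        findings.append("ssl_session_tickets on: unrotated ticket keys weaken forward secrecy")
    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    m = re.search(r"max-age=(\d+)", hsts[0][1]) if hsts and len(hsts[0]) > 1 else None
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS header missing or max-age shorter than six months")
    return findings
```

Running `audit(SAMPLE_CONF)` on the post's own settings returns no findings; widening `ssl_protocols` or dropping the HTTP/2 suite while keeping `http2` on the listen line produces one finding each.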

Another year, another reboot

I seem to go through these every year or so. I don’t know why. I think I just like rebuilding servers.

Apologies for the awful theme. I try to find something that speaks to me but often all I find is trash.

I’m not a designer.

I kind of feel that WordPress has jumped the shark, but haven’t found anything better. I’ve considered writing something in Go but that seems like a well invented wheel.

edit: Wow, I really like this theme.