Dr Clèm's Blog

Enable the IPv6 plugin in AWStats

Tuesday Jul 28, 2020 15:46, last edition on Tuesday Jul 28, 2020 15:51

In AWStats, if running

/usr/lib/cgi-bin/awstats.pl -config=domain.tld -update

prints messages about reverse DNS lookups of IPv6 addresses failing, it means that the IPv6 plugin is not enabled. This plugin depends on two Perl modules, Net::IP and Net::DNS. On Ubuntu they can be installed with APT (as root)

# apt install libnet-ip-perl libnet-dns-perl

To enable the plugin with Vim, open the configuration file of the virtual host, /etc/awstats/awstats.domain.tld.conf, and enter the command

:%s/#LoadPlugin="ipv6"/LoadPlugin="ipv6"/

The command

/usr/lib/cgi-bin/awstats.pl -config=domain.tld -update

should now run without those errors.
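As an added example (not part of the original post), the following shell functions make the same change scriptable: they check that the Perl modules a plugin needs are available, then enable the plugin in a per-site configuration without producing a duplicate LoadPlugin line when run twice. The configuration file used in demo() is a constructed temporary file, not a real /etc/awstats one.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the Perl modules a
# plugin needs are installed, then enable the plugin in an AWStats per-site
# config file without duplicating the line. demo() works on a constructed
# temporary config, not on a real /etc/awstats file.
set -eu

# Succeed only if every Perl module named on the command line loads.
have_perl_modules() {   # usage: have_perl_modules Net::IP Net::DNS
    for mod in "$@"; do
        if ! perl -M"$mod" -e 1 2>/dev/null; then
            echo "missing Perl module: $mod" >&2
            return 1
        fi
    done
}

# Turn #LoadPlugin="NAME" into LoadPlugin="NAME", or append the line when it
# is absent. Idempotent: an already enabled plugin is left untouched.
enable_awstats_plugin() {   # usage: enable_awstats_plugin CONFIG NAME
    conf=$1; plugin=$2
    if grep -q "^LoadPlugin=\"$plugin\"" "$conf"; then
        return 0
    fi
    if grep -q "^#LoadPlugin=\"$plugin\"" "$conf"; then
        cp -p "$conf" "$conf.tmp"          # keep mode/owner of the config
        sed "s/^#LoadPlugin=\"$plugin\"/LoadPlugin=\"$plugin\"/" "$conf" >"$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'LoadPlugin="%s"\n' "$plugin" >>"$conf"
    fi
}

# Number of active LoadPlugin lines for NAME (1 after a successful enable).
count_enabled() {   # usage: count_enabled CONFIG NAME
    grep -c "^LoadPlugin=\"$2\"" "$1" || true
}

# Demo on a constructed config.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'SiteDomain="domain.tld"' '#LoadPlugin="ipv6"' >"$tmp"
    have_perl_modules Net::IP Net::DNS || echo "install the modules before enabling the plugin" >&2
    enable_awstats_plugin "$tmp" ipv6
    enable_awstats_plugin "$tmp" ipv6      # no-op the second time
    echo "active ipv6 plugin lines: $(count_enabled "$tmp" ipv6)"
    rm -f "$tmp"
}
demo
```

On a real server, point enable_awstats_plugin at /etc/awstats/awstats.domain.tld.conf and run the -update command afterwards to confirm the reverse lookups succeed.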

Apache HTTP Server does not return the right certificate to OpenSSL

Tuesday Jul 28, 2020 10:07

I used OpenSSL to check the certificate of this site, which runs on Apache HTTP Server, and I got random results.

% openssl s_client -connect clementfevrier.fr:443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = clementfevrier.fr
verify return:1
---
Certificate chain
0 s:CN = clementfevrier.fr
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = clementfevrier.fr

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3646 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: EA567A55348D38DEC3BBB7414AB1B3B38A7E4FEFA0AA8FB0468E97650F359FC0
Session-ID-ctx:
Resumption PSK: E335C79A8C6F1F18480760304163359F1E741208AACF26D94CF49B88B87541BA0DE9592D89D2091B90C08134EDD4D6AF
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7c 56 31 2e 2c 34 71 38-1a d8 ab 01 6c 69 0a 58 |V1.,4q8....li.X
0010 - 69 62 0c 1b 33 4f ab 0a-4e aa b6 5a 3f f5 d6 bb ib..3O..N..Z?...
0020 - 73 b8 d0 8a ff f6 9c 38-fc 31 a2 da 4a 25 62 9b s......8.1..J%b.
0030 - e9 9f 09 04 7b cd 24 71-01 42 76 d2 3d 00 e5 1b ....{.$q.Bv.=...
0040 - ff 45 ab 98 41 60 2f e2-ee d5 25 5d 69 1c 89 01 .E..A`/...%]i...
0050 - 13 ec 1a 72 b7 e0 3b 9d-51 d7 87 31 6c 89 b4 a5 ...r..;.Q..1l...
0060 - eb c4 44 83 e3 99 06 2c-e8 c1 d1 a6 e1 d2 4d 19 ..D....,......M.
0070 - 69 7e 6d 62 c7 b6 00 b5-f7 e6 ae 6e 69 bf bb 90 i~mb.......ni...
0080 - 43 87 7a be 00 75 8f 24-cb 01 17 cb fb f9 35 71 C.z..u.$......5q
0090 - fa 73 57 f9 28 cb 16 86-91 a4 14 58 cb 25 49 cf .sW.(......X.%I.
00a0 - d4 e8 2a 6a 3b 94 0b 08-72 a0 3e 2a 8c cd ff 39 ..*j;...r.>*...9
00b0 - 59 36 52 97 2c c7 2f 92-ce 99 8d 8b 24 3d 14 fc Y6R.,./.....$=..
00c0 - 2b 6e 83 07 6e da 57 35-31 c9 35 fd 53 4f 5d af +n..n.W51.5.SO].
00d0 - 4a 01 ce c5 b7 7a 3b 13-e5 b0 7a 3f 14 d1 ba f4 J....z;...z?....
00e0 - 88 9f dd 09 20 6c 76 d6-69 88 e9 6b 78 8b b3 36 .... lv.i..kx..6
00f0 - fe 04 38 bd ea 30 16 c0-b8 37 6a 5e db a5 1c 19 ..8..0...7j^....

Start Time: 1595887003
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: EDFE0B9061C93DC3C98510117D0A9824979A4423673597A76D1D10AF97969726
Session-ID-ctx:
Resumption PSK: 620FE5C493BD46AC848548F637F1FE74F2A2FF44449BAA785E4F7EEE12393FBA9533805DA1B41835F3BF1A2E232EC212
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7c 56 31 2e 2c 34 71 38-1a d8 ab 01 6c 69 0a 58 |V1.,4q8....li.X
0010 - 95 68 d7 b3 f6 39 18 5c-36 53 f4 ef 1a dc 3a 8e .h...9.\6S....:.
0020 - 92 9b 96 4d 35 4e dc f7-1a 4c 6e 69 9b 51 cb 98 ...M5N...Lni.Q..
0030 - b9 d4 e0 bb 18 db 2c 2e-46 14 14 e2 98 73 2f a4 ......,.F....s/.
0040 - 40 55 e9 7a 59 fb 26 70-09 03 cd 41 0d 16 ce 43 @U.zY.&p...A...C
0050 - 2d 63 9d 3f 2a 52 3f d9-e3 d0 c8 b8 5a bf 9d ba -c.?*R?.....Z...
0060 - c9 e3 f3 1f 40 ba 91 c5-84 eb 57 d5 e3 51 62 1e ....@.....W..Qb.
0070 - 3c c6 65 6d 98 2e f4 f7-87 75 c3 37 f1 ae 7a 9f <.em.....u.7..z.
0080 - 85 a6 91 58 ec fc 68 7f-81 18 0b da ee 19 ab aa ...X..h.........
0090 - c9 88 d1 39 d6 7a de 21-53 8b b1 b0 9d 1d 4d ce ...9.z.!S.....M.
00a0 - a6 e9 98 79 74 75 fd eb-06 f2 60 b7 35 c7 ff d6 ...ytu....`.5...
00b0 - 0b 26 32 da c8 b1 8f e5-ec da c7 59 90 3f 47 9a .&2........Y.?G.
00c0 - fb ef 0d a8 f8 75 0a cb-f1 ea b9 24 bb cc 5a 27 .....u.....$..Z'
00d0 - f0 41 be 36 11 b3 cf e7-cd a2 a2 95 49 23 f0 f6 .A.6........I#..
00e0 - 79 40 3a b2 a7 81 ff cf-0b 35 10 32 0d b1 3e e9 y@:......5.2..>.
00f0 - 73 8a c1 6f 27 8e 96 53-3d 8d 12 7d 45 94 18 3c s..o'..S=..}E..<

Start Time: 1595887003
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
% openssl s_client -connect clementfevrier.fr:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = forumanalogue.fr
verify return:1
---
Certificate chain
0 s:/CN=forumanalogue.fr
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=forumanalogue.fr
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3769 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 35C2D13A9EF98911E09237E588C6BDB54B83B32C6F453CF60E7C4821C53A3148
Session-ID-ctx:
Master-Key: 35ACDCD6ED409A658425D8B8D4135DD3B4FAAD565E1AB03DAB0B1227B9D55046C8F17E450519D937282C82270D4A7BD1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7c 56 31 2e 2c 34 71 38-1a d8 ab 01 6c 69 0a 58 |V1.,4q8....li.X
0010 - 47 9b 56 88 a7 52 73 5a-8d 9e 29 87 c9 3c 49 18 G.V..RsZ..)..<I.
0020 - e3 f9 9e ef 58 cb 4e 29-43 b1 2a 92 d4 a4 d5 ef ....X.N)C.*.....
0030 - b8 4f ac c6 8f 81 c1 5a-76 b0 1b 63 65 a7 95 0b .O.....Zv..ce...
0040 - 73 f2 38 5a 04 f3 53 24-f7 b0 07 c9 75 25 ef 29 s.8Z..S$....u%.)
0050 - b8 61 b9 4d 42 24 88 ae-36 40 b9 6a 8d 1f 28 57 .a.MB$..6@.j..(W
0060 - b4 9a 7d 10 45 18 e7 7b-ea 77 fc c8 8d 2a e9 00 ..}.E..{.w...*..
0070 - e4 7a 10 64 88 62 a6 0b-9b 24 2c c8 2a 62 aa e7 .z.d.b...$,.*b..
0080 - bb 4d 43 50 f2 48 80 20-0b 40 83 1d 90 79 b5 8a .MCP.H. .@...y..
0090 - 6a d5 b0 7b cf a9 96 96-72 0f c8 a7 a5 1c 17 29 j..{....r......)
00a0 - ed 33 b4 4a 2f b9 d2 a3-b7 ae 73 70 bd f3 6f 3a .3.J/.....sp..o:
00b0 - 6c 02 29 fe b0 02 90 fd-64 5a bb fd 91 77 bb ab l.).....dZ...w..

Start Time: 1595887288
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
As can be seen in the second response, the CN field does not match the server name given to OpenSSL. Apache HTTP Server does not pick a certificate at random, though. This server hosts several name-based virtual hosts on the same address and port, and the only way for it to know which one the client wants before the TLS handshake completes is the Server Name Indication (SNI) extension. When the client sends no SNI, Apache answers with the default virtual host for that address and port (the first one loaded), here forumanalogue.fr. The two outputs above also come from two different OpenSSL builds: the first (TLS 1.3, subject printed as "CN = ...") is a recent one, whose s_client sends SNI by default since OpenSSL 1.1.1, while the second (TLS 1.2, subject printed as "/CN=...") is an older one that does not. To make sure of getting the right certificate, the client has to send the SNI extension; with openssl, pass the name explicitly with the -servername option (on 1.1.1 or later, -noservername reproduces the behaviour of clients without SNI). The same applies to any monitoring script or library that does not send SNI: it will see the default virtual host's certificate and fail hostname verification.
% openssl s_client -connect clementfevrier.fr:443 -servername clementfevrier.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = clementfevrier.fr
verify return:1
---
Certificate chain
0 s:/CN=clementfevrier.fr
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=clementfevrier.fr
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3790 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7D1F8AD8FC80D74FD7E47AD4D3B0102C9BDD438AE84EEAB0BC50F240020BD23F
Session-ID-ctx:
Master-Key: 09CA79EE5D635DF7B718DD89CBED5D0CA4226AEEFB4B532FA677487EA06480D85B0CD0DCED6971B2CCBD0685DFBBC0C9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7c 56 31 2e 2c 34 71 38-1a d8 ab 01 6c 69 0a 58 |V1.,4q8....li.X
0010 - a0 79 b0 db eb e7 5e 82-c7 98 17 38 b5 f4 1f 49 .y....^....8...I
0020 - b0 11 0b a0 ce 4c 29 e9-8e 99 0e eb 8b f7 fd 57 .....L)........W
0030 - cc 60 a3 ea 16 2b 85 98-8c a8 b7 15 7c 2f e5 bf .`...+......|/..
0040 - f3 3a 6e 3d 2e d3 fa 66-92 26 f2 56 ad dd 46 9f .:n=...f.&.V..F.
0050 - bc 50 70 84 39 d4 c0 93-e2 f6 c0 41 2d 1a be 78 .Pp.9......A-..x
0060 - 3d e6 46 5c 11 03 4a 87-1a b1 f3 86 7a 7f 01 08 =.F\..J.....z...
0070 - 34 55 52 f5 da ef f6 45-85 e7 05 9d cc 6e 67 95 4UR....E.....ng.
0080 - bc 80 7d 2a 83 ff 9b bb-97 e3 d7 56 8b e4 f8 4a ..}*.......V...J
0090 - e1 6b 4a 1a d0 f6 a8 f3-8a e3 73 e7 cf b4 0f 9e .kJ.......s.....
00a0 - 1e 18 bd 6c ad 6b e3 4f-02 84 eb 07 41 9a 4d 83 ...l.k.O....A.M.
00b0 - 56 7b 01 7f 62 19 89 98-94 2b 77 73 06 13 2a 67 V{..b....+ws..*g
00c0 - 5b c6 11 3c d8 c5 c8 75-de 2e 15 d5 c6 86 43 f2 [..<...u......C.

Start Time: 1595887739
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
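As an added example (not part of the original post), here is a small shell script that makes the check above repeatable: it asks the server for its certificate with and without SNI, extracts the CN from the s_client output in both formats shown above (OpenSSL 1.0.x prints subject=/CN=..., 1.1.x prints subject=CN = ...), and compares it with the expected host name. Host names are placeholders, -noservername needs OpenSSL 1.1.1 or later, and the comparison looks only at the CN for brevity whereas real clients validate the subjectAltName entries, so treat a match as a smoke test rather than full certificate validation.

```shell
#!/bin/sh
# Added example, not part of the original post: show which certificate a
# name-based virtual host returns with and without SNI, and check its CN
# against the expected name. The parser handles both subject formats printed
# by openssl s_client ("subject=/CN=x" from OpenSSL 1.0.x, "subject=CN = x"
# from 1.1.x). Host names are placeholders.
set -eu

# Read s_client output on stdin and print the CN of the leaf certificate.
subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//' | head -n 1
}

# CN of the certificate a server returns, with SNI ("sni") or without
# ("nosni", which relies on -noservername from OpenSSL 1.1.1 onwards).
probe_cn() {   # usage: probe_cn HOST sni|nosni
    host=$1
    if [ "$2" = sni ]; then opt="-servername $host"; else opt="-noservername"; fi
    printf '' | openssl s_client -connect "$host:443" $opt 2>/dev/null | subject_cn
}

# Does a CN cover HOST? Exact match, or a wildcard covering exactly one label.
cn_matches() {   # usage: cn_matches CN HOST
    cn=$1; host=$2
    case "$cn" in
        "$host") return 0 ;;
        \*.*)    [ "${host#*.}" = "${cn#\*.}" ] && [ "${host%%.*}" != "$host" ] ;;
        *)       return 1 ;;
    esac
}

# Compare both answers and flag the problems the post describes.
check_sni() {   # usage: check_sni clementfevrier.fr
    host=$1
    with=$(probe_cn "$host" sni)
    without=$(probe_cn "$host" nosni)
    echo "with SNI:    ${with:-<no certificate>}"
    echo "without SNI: ${without:-<no certificate>}"
    if ! cn_matches "$with" "$host"; then
        echo "FAIL: CN '$with' does not cover $host even with SNI"
        return 1
    fi
    if [ "$with" != "$without" ]; then
        echo "note: clients that send no SNI get the default virtual host's certificate ($without)"
    fi
}
```

Run it as `check_sni clementfevrier.fr`; a FAIL line means the virtual host itself is misconfigured, while the note line only tells you what SNI-less clients will see.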

Captain's Log #5

Monday Jul 27, 2020 12:05
Feedback on LXD

I had an issue with LXD where its database got corrupted. In that case, there is nothing we can do. All Linux containers on every physical server are gone. I managed to restore most of the containers using rsync, but the internal file-system management of LXD is completely screwed. I cannot export nor publish my containers to back them up, nor restart my LXD configuration from scratch by exporting and importing them back. My only option is to get another physical server (I have three so far, so adding a fourth one), make a new LXD server outside of the current cluster, then recreate all my containers from scratch, which will be a task requiring a tremendous amount of time. After this, delete the current LXD cluster, create a new one with the three physical servers, export the containers from the temporary LXD server and finally import the containers into the cluster. It is necessary that I perform this task as quickly as possible because I cannot perform backups.

Spam, again

Adding 212.83.46.232 to iptables (INPUT, DROP) was not enough. I added other IPs and a few ranges of IPs, up to /16. It was not enough and it was a tedious task. So I added a new field to the comment section. You need to answer yes. It is not case sensitive. This simple trick appears to do the job so far.

Git

My git repos were not working anymore. I forgot to enable the mods in Apache HTTP Server when I migrated from Xen to LXD.

a2enmod cgi alias env
It is now fixed. For more information, see Smart HTTP.

Statistics

Statistics were not working anymore. I use a custom version of AWStats in order to integrate the statistics smoothly into my website. Part of this script relies on the package provided by Ubuntu. When I upgraded the virtual machine from Ubuntu 16.04 LTS (Xenial Xerus) to Ubuntu 18.04 LTS (Bionic Beaver), some modifications in AWStats broke my customization. I realize that maintaining this part will be complex, as it is a 22000+ line Perl file which is difficult to edit automatically. I made a quick fix. It will most likely break again when I migrate from Ubuntu 18.04 LTS (Bionic Beaver) to Ubuntu 20.04 LTS (Focal Fossa).

To Do List
TootLine

I am working on TootLine, the PHP code that allows you to share your TootLine on your blog, like the one on the right or at the bottom, depending on the size of your screen. I have a couple of issues to address before publishing it: proper word wrapping, creating a cache for the media in order to solve a CSP issue, and handling the NSFW content that is displayed so far.

Translations

I would like to make a French version of this blog, with most of the articles translated.

More restrictive CSP headers

I want to rewrite some part of the web site to be able to provide more secure CSP headers.

Comments

I am planning on adding an RSS feed for each comment section so it will be easy to follow. I will also add a cookie to auto-fill the Name and Website fields. I will put a check box to choose whether to add the cookie when you comment.

Tags

I will add the list of all tags on the right panel.

SEO

I will add proper Open Graph protocol and Twitter Cards in the headers. I already updated the MySQL database, so everything is ready on that side; I just need to rewrite the headers that I include to make them dynamic.

Better looking links

I already changed the URLs of some links to make them better looking, but I have not finished yet. The rewriting rules are not as simple as I expected if you want to make them SEO compliant.

Better CMS

My workflow is not the most efficient. Each article points to an actual file, which is not so good, because I need to create a file each time I add an entry to this blog. I will improve this soon. It is one of the reasons why I stopped writing here. It is too complex.

Migrating the last virtual server from Xen to LXD

I need to completely migrate my photo galleries (Piwigo) from Xen to the new ones on LXD.

Home made modem/router/NAS

I bought a few items in order to build my own modem/router/NAS.

RSS

Although the RSS feed appears to work fine, there are PHP errors in the logs. I need to investigate.

Captain's Log #4

Friday Jul 24, 2020 12:48, last edition on Monday Jul 27, 2020 11:19
Migration to LXD

I have pretty much migrated all my virtual servers from Xen to LXD. Only one virtual server is left on Xen because I made a mistake configuring it in LXD and it requires a rather complex merge of two databases, so it is on hold for now.

Spam

The comment section has been subject to a lot of spam. I blindly deleted all comments from November 26, 2017. I first commented out the PHP section of this website which allows commenting, but it did not stop anything. Looking at Apache's log, I identified an IP, 212.83.46.232, which I added to iptables. I hope that it will solve the issue. The comment section is now open again.

To Do List
TootLine

I am working on TootLine, the PHP code that allows you to share your TootLine on your blog, like the one on the right or at the bottom, depending on the size of your screen. I have a couple of issues to address before publishing it: proper word wrapping, creating a cache for the media in order to solve a CSP issue, and handling the NSFW content that is displayed so far.

Translations

I would like to make a French version of this blog, with most of the articles translated.

In addition to what remains on the To Do List, I want to add a couple of improvements.

More restrictive CSP headers

I want to rewrite some part of the web site to be able to provide more secure CSP headers.

Comments

I am planning on adding an RSS feed for each comment section so it will be easy to follow. I will also add a cookie to auto-fill the Name and Website fields. I will put a check box to choose whether to add the cookie when you comment.

Tags

I will add the list of all tags on the right panel.

SEO

I will add proper Open Graph protocol and Twitter Cards in the headers. I already updated the MySQL database, so everything is ready on that side; I just need to rewrite the headers that I include to make them dynamic.

Better looking links

I already changed the URLs of some links to make them better looking, but I have not finished yet. The rewriting rules are not as simple as I expected if you want to make them SEO compliant.

Better CMS

My workflow is not the most efficient. Each article points to an actual file, which is not so good, because I need to create a file each time I add an entry to this blog. I will improve this soon. It is one of the reasons why I stopped writing here. It is too complex.

Migrating the last virtual server from Xen to LXD

I need to completely migrate my photo galleries (Piwigo) from Xen to the new ones on LXD.

Home made modem/router/NAS

I bought a few items in order to build my own modem/router/NAS.

Captain's Log #3

Wednesday Jan 31, 2018 09:53
EnableSendfile Directive

I enabled the EnableSendfile directive in Apache HTTP Server by adding EnableSendfile On to the virtual host.

To Do List
TootLine

I am working on TootLine, the PHP code that allows you to share your TootLine on your blog, like the one on the right or at the bottom, depending on the size of your screen. I have a couple of issues to address before publishing it: proper word wrapping, creating a cache for the media in order to solve a CSP issue, and handling the NSFW content that is displayed so far.

Translations

I would like to make a French version of this blog, with most of the articles translated.

In addition to what remains on the To Do List, I want to add a couple of improvements.

More restrictive CSP headers

I want to rewrite some part of the web site to be able to provide more secure CSP headers.

Comments

I am planning on adding an RSS feed for each comment section so it will be easy to follow. I will also add a cookie to auto-fill the Name and Website fields. I will put a check box to choose whether to add the cookie when you comment.

Tags

I will add the list of all tags on the right panel.

SEO

I will add proper Open Graph protocol and Twitter Cards in the headers. I already updated the MySQL database, so everything is ready on that side; I just need to rewrite the headers that I include to make them dynamic.

Better looking links

I already changed the URLs of some links to make them better looking, but I have not finished yet. The rewriting rules are not as simple as I expected if you want to make them SEO compliant.

Better CMS

My workflow is not the most efficient. Each article points to an actual file, which is not so good, because I need to create a file each time I add an entry to this blog. I will improve this soon.

Migration to LXD

I am not entirely sure that I will do it, but I am considering migrating from Xen to LXD.

How to set up Content Security Policy headers?

Tuesday Nov 21, 2017 04:45

I think I have a simple methodology to build Content Security Policy (CSP) headers. I did it with Apache HTTP Server and Firefox, but it is a generic methodology. I assume that you know what CSP headers are.

Before we start
Add-ons

First, you might want to disable most of your extensions. Some of them add scripts or rewrite part of the displayed HTML, which makes it hard to tell warnings and errors caused by your own code from those caused by the extensions. I kept Test Pilot, Multi-Account Containers and Firefox Lightbeam by Mozilla, Privacy Badger and HTTPS Everywhere by the Electronic Frontier Foundation, and DuckDuckGo Plus by DuckDuckGo.

A useful tool

Laboratory by April King is an extension that records the resources your website loads in order to produce a ready-made CSP header. But that is no fun, and it does not push you to think about how to rewrite parts of the website in order to improve security. It can also enforce the CSP it generates, which is useful when you add another component (for example your Twitter timeline) and need to adjust your CSP headers: with this tool it is easy to check, try and add directives that you can later copy into your web server configuration. For the purpose of this small how-to, however, do not use this extension. If it is installed, make sure that none of its check boxes are enabled and that Generated CSP configuration: is set to default-src 'none'; if not, click on Delete All Settings, or it will be a nightmare.

Laboratory extension

Always keep Developer Tools opened

Another step that avoids spending a lot of time looking at irrelevant answers on Stack Exchange is to open the Developer Tools, go to the options tab, check Disable HTTP Cache (when toolbox is open), and then keep the toolbox open at all times. Otherwise, some requests can be served from the cache and you will not understand why your brand new configuration is not being taken into account.

Building your CSP headers without blocking content
Report only

We will use the Content-Security-Policy-Report-Only header. With it, the browser blocks nothing: when it receives a web page, it only reports a warning for each violated CSP directive. We will see later that it can be used in a better way.

Be verbose

I strongly advise adding all possible directives to the header, because any warning or error not related to an explicitly defined directive will be reported as violating default-src. This is because fetch directives fall back to default-src when they are not explicitly set. If you only have something like default-src 'none'; style-src 'self';, then an inline script that script-src would reject will be reported as violating default-src.

So our starting point will be default-src 'none'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; worker-src 'none'; base-uri 'none'; frame-ancestors 'self'; and from this, we will allow one by one what we need.

Send report to your website

We will use a very nice feature of CSP, report-uri. It makes web browsers send a JavaScript Object Notation (JSON) document to the web server at the specified Uniform Resource Identifier (URI). These reports give you the basic instructions to build the correct CSP header. In my case, I created a folder /csp/ with the proper ownership and write permissions, containing a single file, index.php

<?php
// Start configuration
$log_file = dirname(__FILE__) . '/csp-violations.log';
$log_file_size_limit = 1000000; // bytes - once exceeded no further entries are added
// End configuration

http_response_code(204); // HTTP 204 No Content: the browser expects no body back
$json_data = file_get_contents('php://input');

// Only keep input that parses as JSON, and pretty print it before adding it to the log file
if ($json_data = json_decode($json_data)) {
    $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    // Do not write if the file size limit is exceeded (the endpoint is open to anyone)
    if (file_exists($log_file) && filesize($log_file) > $log_file_size_limit) {
        exit(0);
    }
    file_put_contents($log_file, $json_data, FILE_APPEND | LOCK_EX);
}
?>
It is a simplified and adapted version of code I found online. It logs the reports to /csp/csp-violations.log. Two things to keep in mind: the endpoint accepts unauthenticated POSTs from anyone, which is why the size limit matters; and as written the log sits inside the document root, so it is readable by anyone at /csp/csp-violations.log. Either deny access to it in the virtual host or write it outside the document root.

All together

In your virtual host, add the following line

Header set Content-Security-Policy-Report-Only "report-uri /csp/; default-src 'none'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; worker-src 'none'; base-uri 'none'; frame-ancestors 'self';"
Mind the ' and the ". The whole set of directives is enclosed in double quotes. Each argument of a directive is surrounded by single quotes if, and only if, it is a keyword such as 'self', 'none' or 'unsafe-inline'. The corollary is: do not put single quotes around Uniform Resource Locators (URLs), hosts or schemes.

Restart Apache HTTP Server

# systemctl restart apache2

Debugging

Visit your website. You should see the warnings in the Console tab of the Developer Tools.

In the /csp/ folder of your virtual host, you should see the csp-violations.log file. It contains entries like

{
     "csp-report": {
         "blocked-uri": "self",
         "document-uri": "https://clementfevrier.fr/images/r3.svg",
         "original-policy": "report-uri https://clementfevrier.fr/csp/ https://clementfevrier.fr/images/default-src https://clementfevrier.fr/images/'none'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; worker-src 'none'",
         "referrer": "https://clementfevrier.fr/articles/11_rand.php",
         "script-sample": "onclick attribute on g element",
         "source-file": "https://clementfevrier.fr/images/r3.svg",
         "violated-directive": "script-src 'none'"
     }
 }
original-policy shows the CSP header as the browser received it. It is useful to ensure that it matches what you set on your web server. violated-directive tells you which directive you should adjust, in this example script-src, and it also reminds you of its current arguments, 'none', because that is our starting point. blocked-uri tells you what was blocked. Here it is self, but read it together with script-sample ("onclick attribute on g element"): this is an inline event handler inside the page, not a script file fetched from your own origin (Firefox reported inline violations as self at the time; the CSP specification now uses inline for them). Replacing script-src 'none' by script-src 'self' is the right move when the blocked resource is a script file served from your origin; for an inline handler, 'self' is not enough, and you have to either move the code into such a file, which is the proper fix, or add 'unsafe-inline' to script-src as a stopgap, which is what the final policy below does.

Repeat this for each violated directive.

Notice that without explicitly setting all directives, violated-directive will always report default-src, which makes debugging harder.

For each directive that I set, I restart the web server, delete the log file, reload a page from my website in my web browser, and look at the new log.

Don't forget to check different pages of your web site to check all cases.
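As an added example (not from the original post), the following shell function summarises a csp-violations.log produced by the receiver above into one line per (violated directive, blocked URI) pair with a count, so that a long log boils down to the handful of directives to adjust. Entries carrying a script-sample are shown with it, because they are inline scripts or handlers and adding 'self' will not silence them. The log it runs on is constructed here to look like the receiver's output (pretty-printed reports appended back to back); the parsing relies on that one-key-per-line layout.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a csp-violations.log
# written by the report-uri receiver (pretty-printed JSON reports appended one
# after another) into "directive -> blocked-uri" lines with counts. Reports with
# a script-sample are inline script/style and are shown with the sample.
# The sample log is constructed for the demo.
set -eu

# One "violated-directive -> blocked-uri [(script-sample)]" line per report,
# then count identical lines. Relies on the one-key-per-line layout produced by
# JSON_PRETTY_PRINT; values containing escaped double quotes are not handled.
csp_summary() {   # usage: csp_summary csp-violations.log
    awk -F'"' '
        /"violated-directive"/ { dir = $4 }
        /"blocked-uri"/        { uri = $4 }
        /"script-sample"/      { sample = $4 }
        /^ *}/ && dir != "" {
            printf "%s -> %s%s\n", dir, uri, (sample != "" ? " (" sample ")" : "")
            dir = ""; uri = ""; sample = ""
        }
    ' "$1" | sort | uniq -c | sort -rn
}

# Constructed log for the demo: three reports, two of them identical, in the
# layout the PHP receiver produces (no separator between appended reports).
write_sample_log() {   # usage: write_sample_log FILE
    cat >"$1" <<'EOF'
{
    "csp-report": {
        "blocked-uri": "self",
        "document-uri": "https://clementfevrier.fr/images/r3.svg",
        "script-sample": "onclick attribute on g element",
        "violated-directive": "script-src 'none'"
    }
}{
    "csp-report": {
        "blocked-uri": "https://toot.forumanalogue.fr",
        "document-uri": "https://clementfevrier.fr/",
        "violated-directive": "img-src 'none'"
    }
}{
    "csp-report": {
        "blocked-uri": "https://toot.forumanalogue.fr",
        "document-uri": "https://clementfevrier.fr/articles/11_rand.php",
        "violated-directive": "img-src 'none'"
    }
}
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    csp_summary "$tmp"
    rm -f "$tmp"
}
demo
```

On the constructed log this prints "2 img-src 'none' -> https://toot.forumanalogue.fr" and "1 script-src 'none' -> self (onclick attribute on g element)": the first line is fixed by adding the host to img-src, the second needs the handler moved into a script file or, as a stopgap, 'unsafe-inline'. Run it against /csp/csp-violations.log after each reload instead of reading the raw JSON.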

Does your CSP log file no longer report any violated directive? Let us add the real header.

Apply your CSP

Your header should look like

Header set Content-Security-Policy-Report-Only "report-uri /csp/; default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'none'; img-src 'self' data: https://toot.forumanalogue.fr; manifest-src 'none'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'none'; base-uri 'none'; frame-ancestors 'self';"
Just remove the -Report-Only and you are done.
Header set Content-Security-Policy "report-uri /csp/; default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'none'; img-src 'self' data: https://toot.forumanalogue.fr; manifest-src 'none'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'none'; base-uri 'none'; frame-ancestors 'self';"
Two remarks on this policy. object-src 'self' still lets plugin content (Flash, Java applets) load from your own origin; unless you really serve such files, object-src 'none' is the safer choice. And 'unsafe-inline' in script-src gives up most of the protection CSP offers against cross-site scripting, since injected inline scripts are allowed as well: treat it as temporary, until the inline scripts and event handlers have been moved into files served from your origin (or allowed individually by nonce or hash).

Restart Apache HTTP Server

# systemctl restart apache2

Final checks

First, check that your website renders as you wish.

Then, there are a couple of useful tools to perform checks on your CSP headers.

Check their recommendations and the links, they are full of useful informations.

As you can see, I still have work to do to achieve a good CSP, but I know how to eliminate most of the so-called insecure inline code. I say so-called because for most of it, if not all of it, it is perfectly secure since I am not in the cases where it can be potentially insecure.

Changing you website and modifying your CSP headers

You can have both Content-Security-Policy-Report-Only and Content-Security-Policy at the same time. It is useful for preparing a more restrictive CSP without blocking content. You can have one report-uri for the enforced policy and one for the report-only policy, which simplifies debugging.

Further reading

MDN Web Docs, by Mozilla, is the only website that I found with proper explanation and reference of CSP.

Server Git repository with Apache HTTP Server - Smart HTTP

Wednesday Oct 25, 2017 18:59, last edition on Wednesday Oct 25, 2017 20:17
There is a lot of outdated documentation about how to make your git repositories available over HTTP, even in the official Reference Manual. Much of it does not work, is poorly documented, and trying to adjust it can lead to serious security issues such as allowing anonymous users to push commits. After hours of reading the official manual and discussions of people struggling with the configuration, I finally managed to get a working setup with the expected behaviour. What I want is to share one of my repositories over HTTP with Apache HTTP Server, with anonymous users allowed to pull and clone and only registered users allowed to push, which is the expected behaviour in most cases. This is for Apache HTTP Server version 2.4, because the configuration changed compared to version 2.2. The first step is to enable the required mods
# a2enmod cgi alias env
# systemctl restart apache2
With MPM event instead of prefork, which is the case if you enabled HTTP/2 on Ubuntu Xenial, you will get a warning that cgid was enabled instead of cgi, but it does not affect this configuration. The second step is to change your virtual host. You need to choose a method to authenticate users. Because I will be the only one pushing commits, I will use the simplest configuration, AuthType Basic. You can choose other ones, but I will not cover them. Basic authentication sends the password in clear inside each request, so only offer it on an HTTPS virtual host. You need to create a file that contains the users and their passwords, if not already done. To create the user USER in the file /etc/htpasswd/.htpasswd
# mkdir -p /etc/htpasswd/
# htpasswd -c /etc/htpasswd/.htpasswd USER
The -c option creates the file; leave it out when adding further users, otherwise the existing file is overwritten. Now, if you want to serve the repositories stored in /var/www/git at the URL mydomain.tld/git/, change your virtual host by adding the following lines
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Files "git-http-backend">
 AuthType Basic
 AuthName "Git Access"
 AuthUserFile /etc/htpasswd/.htpasswd
 Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' || %{REQUEST_URI} =~ m#/git-receive-pack$#)
 Require valid-user
</Files>
Restart Apache HTTP Server and you are done!
# systemctl restart apache2
Before relying on it, check the behaviour from a machine without credentials: an anonymous clone must work and an anonymous push must be refused with 401.
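As an added example (not from the original post), here is a shell mirror of the Require expr rule above, useful to reason about exactly which requests it gates, together with a live probe that checks the deployed virtual host: an anonymous fetch must be served (200) while both halves of a push, the ref advertisement info/refs?service=git-receive-pack and the POST to git-receive-pack, must be refused by Apache with 401 before git-http-backend even runs. The repository URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: (1) a shell mirror of the
# Require expr in the virtual host, to reason about which requests it gates,
# and (2) a live probe that checks a served repository really refuses
# anonymous pushes. The repository URL in the usage comment is a placeholder.
set -eu

# Mirror of:  Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*'
#                            || %{REQUEST_URI} =~ m#/git-receive-pack$#)
# Returns 0 when the request is a push (credentials required), 1 when it is a
# fetch or clone (anonymous allowed). Both push phases are covered: the ref
# advertisement (GET info/refs?service=git-receive-pack) and the upload itself
# (POST .../git-receive-pack).
push_requires_auth() {   # usage: push_requires_auth QUERY_STRING REQUEST_URI
    case "$1" in *service=git-receive-pack*) return 0 ;; esac
    case "$2" in */git-receive-pack) return 0 ;; esac
    return 1
}

# HTTP status of a request, without printing the body.
http_status() {   # usage: http_status METHOD URL
    curl -s -o /dev/null -w '%{http_code}' -X "$1" "$2"
}

# Probe a served repository: anonymous fetch must be served (200), anonymous
# push must be refused by Apache (401) before git-http-backend runs.
check_git_anonymous_policy() {   # usage: check_git_anonymous_policy https://mydomain.tld/git/MyProject.git
    base=$1
    fetch=$(http_status GET "$base/info/refs?service=git-upload-pack")
    push_refs=$(http_status GET "$base/info/refs?service=git-receive-pack")
    push_post=$(http_status POST "$base/git-receive-pack")
    echo "anonymous fetch (upload-pack):        $fetch (expected 200)"
    echo "anonymous push refs (receive-pack):   $push_refs (expected 401)"
    echo "anonymous push upload (receive-pack): $push_post (expected 401)"
    [ "$fetch" = 200 ] && [ "$push_refs" = 401 ] && [ "$push_post" = 401 ]
}
```

The rule is fail-closed by design: any query string merely containing service=git-receive-pack requires credentials, and only requests that match neither pattern fall through to anonymous access, so a typo in the expression shows up as a failed anonymous clone rather than as an open push.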
To go a bit further with git, let us consider that you have a local repository called MyProject that you want to share. On the web server, initialize a bare repository under GIT_PROJECT_ROOT (the virtual host above uses /var/www/git while the commands below use /var/git; pick one directory and use it in both places)
# mkdir -p /var/git/MyProject.git
# cd /var/git/MyProject.git
# git init --bare
# chown -R www-data:www-data /var/git/
The last command sets the proper ownership on the files. If you don't do it, you will be able to push locally but not remotely. For the next repository, you will not need to run the command on the whole directory. Just do
# mkdir /var/git/MyNEWProject.git
# cd /var/git/MyNEWProject.git
# git init --bare
# chown -R www-data:www-data /var/git/MyNEWProject.git
Now, push your project from your computer to the web server
% git remote set-url origin --push --add https://USER:PASSWORD@mydomain.tld/git/MyProject.git
% git remote -v
origin https://USER:PASSWORD@mydomain.tld/git/MyProject.git
% git push
Delta compression using up to 8 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 20.15 KiB | 0 bytes/s, done.
Total 9 (delta 1), reused 0 (delta 0)
To https://USER:PASSWORD@mydomain.tld/git/MyProject.git
 * [new branch]      master -> master
The second command just checks that the previous one worked. Note that a push URL of the form https://USER:PASSWORD@... stores the password in clear text in the .git/config of that clone and shows it in git remote -v, as above; a git credential helper (git config credential.helper ...) is the better place for it. On another computer, you can clone the project with
% git clone https://mydomain.tld/git/MyProject.git
If you try to push from the second computer, you will need to authenticate
% git push
Username for 'https://mydomain.tld': USER
Password for 'https://USER@mydomain.tld':
Counting objects: 2, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 222 bytes | 0 bytes/s, done.
Total 2 (delta 1), reused 0 (delta 0)
To https://mydomain.tld/git/MyProject.git
   bc49af8..f7121b5  master -> master
To add the credentials to the push URL on that computer too (with the caveat above about storing the password in clear)
% git remote set-url origin --push --delete https://mydomain.tld/git/MyProject.git
% git remote set-url origin --push --add https://USER:PASSWORD@mydomain.tld/git/MyProject.git
and you are done!

SVG with GZIP Compression in Apache HTTP Server

Friday Oct 20, 2017 16:45, last edition on Friday Oct 20, 2017 17:42

To save bandwidth with Apache HTTP Server, you can compress SVG files. On this Ubuntu 16.04.3 server, Apache HTTP Server is version 2.4.27 and GZIP compression (mod_deflate) is enabled by default.

# apache2 -v
Server version: Apache/2.4.27 (Ubuntu)
Server built: 2017-09-28T00:00:00
If it is not enabled, you can enable mod_deflate with
# a2enmod deflate
For SVG compression, edit the file /etc/apache2/mods-available/deflate.conf and add AddOutputFilterByType DEFLATE image/svg+xml inside the IfModule blocks. It should look like this
# cat /etc/apache2/mods-available/deflate.conf
<IfModule mod_deflate.c>
 <IfModule mod_filter.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
  AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE image/svg+xml
 </IfModule>
</IfModule>
Restart Apache HTTP Server
# systemctl restart apache2
Now, let us check that it works with curl and its -I argument, which requests only the headers.
% curl -I https://clementfevrier.fr/images/CC-BY-SA_icon.svg
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2017 14:23:11 GMT
Server: Apache/2.4.27 (Ubuntu)
Upgrade: h2
Connection: Upgrade
Last-Modified: Mon, 07 Oct 2013 03:09:42 GMT
ETag: "1bf8-4e81dfbbce980"
Accept-Ranges: bytes
Content-Length: 7160
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: image/svg+xml
and now with -H 'Accept-Encoding: gzip,deflate' to tell Apache HTTP Server that the client accepts a compressed response
% curl -I -H 'Accept-Encoding: gzip,deflate' https://clementfevrier.fr/images/CC-BY-SA_icon.svg
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2017 14:25:19 GMT
Server: Apache/2.4.27 (Ubuntu)
Upgrade: h2
Connection: Upgrade
Last-Modified: Mon, 07 Oct 2013 03:09:42 GMT
ETag: "1bf8-4e81dfbbce980-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 3077
Content-Type: image/svg+xml
In this case, the compressed file is about 2.3 times smaller (7160 ÷ 3077 ≈ 2.33). Note also that the ETag gained a -gzip suffix and that Vary: Accept-Encoding is present in both responses, so caches keep the compressed and uncompressed variants apart. Compressing static files like this one is safe; be more careful before compressing dynamic pages that contain both a secret (a session identifier, a CSRF token) and attacker-controlled input, because that combination enables the BREACH attack over TLS. Enjoy!


Dr Clément Février

Hello, I am Clément Février, PhD in theoretical physics from Université Grenoble Alpes, research and development engineer in medical imaging and minimally invasive surgery at Surgivisio, and supporter of the La France Insoumise movement.