Dr Clèm's Blog

Captain's Log #5

Monday Jul 27, 2020 12:05
Feedback on LXD

I had an issue with LXD where its database got corrupted. In that case, there is nothing we can do. All Linux containers on every physical server are gone. I managed to restore most of the containers using rsync, but the internal file-system management of LXD is completely screwed. I can neither export nor publish my containers to back them up, nor restart my LXD configuration from scratch by exporting and importing them back. My only option is to get another physical server (I have three so far, so this adds a fourth one) and make a new LXD server outside of the current cluster. Then, I will recreate all my containers from scratch, which will be a task requiring a tremendous amount of time. After this, I will delete the current LXD cluster, create a new one with the three physical servers, export the containers from the temporary LXD server and finally import the containers to the cluster. It is necessary that I perform this task as quickly as possible because I cannot perform backups.

Spam, again

Adding to iptables (INPUT, DROP) was not enough. I added other IPs and a few ranges of IPs, up to /16. It was not enough and it was a fastidious task. So I added a new field to the comment section. You need to answer yes. It is not case sensitive. This simple trick appears to do the job so far.


My git repos were not working anymore. I forgot to enable the mods in Apache HTTP Server when I migrated from Xen to LXD.

a2enmod cgi alias env
It is now fixed. For more information, see Smart HTTP.


Statistics were not working anymore. I use a custom version of Awstats in order to integrate the statistics smoothly in my website. Part of this script relies on the package provided by Ubuntu. When I upgraded the virtual machine from Ubuntu 16.04 LTS (Xenial Xerus) to Ubuntu 18.04 LTS (Bionic Beaver), some modifications in Awstats broke my customization. I realize that maintaining this part will be complex as it is a 22000+ line Perl file which is difficult to edit automatically. I made a quick fix. It will most likely break again when I migrate from Ubuntu 18.04 LTS (Bionic Beaver) to Ubuntu 20.04 LTS (Focal Fossa).

To Do List

I am working on TootLine, the PHP code that allows you to share your TootLine on your blog, like the one on the right or at the bottom, depending on the size of your screen. I have a couple of issues to address before publishing it: proper word wrapping, creating a cache for the media in order to solve a CSP issue, and handling the NSFW content that is displayed so far.


I would like to make a French version of this blog, with most of the articles translated.

More restrictive CSP headers

I want to rewrite some parts of the web site to be able to provide more secure CSP headers.


I am planning on adding an RSS feed for each commentary section so it will be easy to follow. I will also add a cookie to auto-fill the fields Name and Website. I will put a check box if you want to add the cookie when you comment.


I will add the list of all tags on the right panel.


I will add proper Open Graph protocol and Twitter cards in the headers. I already updated the MySQL database, so everything is ready on this side, I just need to rewrite the headers that I include to make them dynamic.

Better looking links

I already changed the URL of some links to make them better looking, but I did not finish yet. The rewriting rules are not as simple as I expected, if you want to make them SEO compliant.

Better CMS

My work-flow is not the most efficient. Each article points to an actual file, which is not so good, because I need to create a file each time I add an entry in this blog. I will improve this soon. It is one of the reasons why I stopped writing here. It is too complex.

Migrating the last virtual from Xen to LXD

I need to migrate completely my photo galleries (Piwigo) from XEN to the new ones on LXD.

Home made modem/router/NAS

I bought a few items in order to build my own modem/router/NAS.


Although the RSS feed appears to work fine, there are PHP errors in the logs. I need to investigate.


Wednesday Nov 08, 2017 00:54

I wrote a new piece of code to generate an RSS feed from a MySQL database. I named it MySQLiToRSS. It is a PHP file that generates an RSS 2.0 feed. It is licensed under GPLv3. It handles sorting by date, the use of HTML in the description of an item, which allows the article to be rendered as it appears in the feed reader, except for the CSS sheets, and multitag articles. It is based on Version 2.0.11 of the RSS 2.0 specification, the most up to date at the time of writing this software. Some optional items are missing because I do not use them. I might add them later (some or all). I will be pleased to add optional items if requested.


Wednesday Nov 08, 2017 00:05

I'm proud to announce my first (free) software, SHA1BruteForce, that performs a brute-force attack to crack a SHA-1 hash.
Page of the project


After my 10yo Firefox session crashed, I lost a password stored in it. But I managed to find the hash and it turned out to be a SHA-1 hash (software installed in 2009 on my server). I could change it, I guess, but I knew that SHA-1 is now considered as a weak encryption (although the first real collision is from February), so I challenged myself to recover it by writing a piece of code that does the job. It took me a bit more than a day to achieve a working code.
Afterwards, I began to optimize it and to have fundamental questions about C++.

It is pretty simple and it seems to perform well. It takes about 4h to crack any 6-character password on my computer. So I decided to publish it on my server, which was not as simple as I expected.
But I also have accounts on the main git platforms.
So I also published it on GitHub, GitLab and FramaGit, better known by the French.

It is licensed under GPL3.

It performs the tasks on the CPU only. GPU implementation does not seem possible at the time using only free software. Indeed, CUDA requires the proprietary drivers and OpenCL does not seem to work properly with Nouveau (last version of the Linux kernel, i.e. 4.13, on Ubuntu 16.04). But I want to use only free software (and I cannot install Nvidia drivers anyway, they do not work on my system).

It is not a revolutionary tool that intends to beat existing ones. I did it for myself and share it for anyone interested.

It is my first published code, so there are most likely some improvements to do on how to write the manual, how to write the code so it can be used by others, how I should comment it, and so on. The same goes for the code itself. Feel free to comment, share, submit commits, report bugs, etc.

Server Git repository with Apache HTTP Server - Smart HTTP

Wednesday Oct 25, 2017 18:59, last edition on Wednesday Oct 25, 2017 20:17
There is a lot of outdated documentation about how to make your git repositories available through HTTP, even in the official Reference Manual. The examples do not work, are not well documented, and trying to adjust them can lead to serious security issues such as allowing anonymous users to push commits. After hours of reading the official manual and discussions by people struggling with the configuration, I finally managed to get a working setup with the expected behavior.

What I want to do is share one of my repositories through HTTP with Apache HTTP Server, with anonymous users allowed to pull and clone, and only registered users allowed to push, which is the expected behavior in most cases. This is for Apache HTTP Server version 2.4, because the configuration changed compared to version 2.2.

The first step is to enable the required mods
# a2enmod cgi alias env
# systemctl restart apache2
With mpm event instead of prefork, which is the case if you enable HTTP/2 on Ubuntu Xenial, you will get a warning that it enables cgid, not cgi, but it does not affect this configuration.

The second step is to change your virtual host. You need to choose a method to authenticate the users. Because I will be the only one to push commits, I will use the simplest configuration, which is AuthType Basic. You can choose other ones, but I will not cover them. You need to create a file that contains the users and their passwords, if not already done. To create the user USER in the file /etc/htpasswd/.htpasswd
# mkdir -p /etc/htpasswd/
# htpasswd -c /etc/htpasswd/.htpasswd USER
Now, if you want to serve repositories stored in /var/www/git with the URL mydomain.tld/git/, change your virtual host by adding the following lines
SetEnv GIT_PROJECT_ROOT /var/www/git
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Files "git-http-backend">
 AuthType Basic
 AuthName "Git Access"
 AuthUserFile /etc/htpasswd/.htpasswd
 Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' || %{REQUEST_URI} =~ m#/git-receive-pack$#)
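 Require valid-user
</Files>
In Apache 2.4, several Require directives placed side by side are alternatives: a request is accepted either because it is not a push (the negated expression) or because the user is authenticated.
Restart Apache HTTP Server and you are done!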
# systemctl restart apache2
This is done!
To go a bit further about git, let us consider that you have a local repository called MyProject that you want to share. On the web server, you need to initialize the repository under the directory set as GIT_PROJECT_ROOT
# mkdir -p /var/www/git/MyProject.git
# cd /var/www/git/MyProject.git
# git init --bare
# chown -R www-data:www-data /var/www/git/
The last command sets the proper ownership on the files. If you don't do it, you will be able to push locally but not remotely. For the next repository, you will not need to perform the command on the whole directory. Just do
# mkdir /var/www/git/MyNEWProject.git
# cd /var/www/git/MyNEWProject.git
# git init --bare
# chown -R www-data:www-data /var/www/git/MyNEWProject.git
Now, push your project from your computer to the web server
% git remote set-url origin --push --add https://USER:PASSWORD@mydomain.tld/git/MyProject.git
% git remote -v
origin https://USER:PASSWORD@mydomain.tld/git/MyProject.git
% git push
Delta compression using up to 8 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 20.15 KiB | 0 bytes/s, done.
Total 9 (delta 1), reused 0 (delta 0)
To https://USER:PASSWORD@mydomain.tld/git/MyProject.git
 * [new branch]      master -> master
The second line just checks that the previous command worked. On another computer, you can clone the project with
% git clone https://mydomain.tld/git/MyProject.git
If you try to push from the second computer, you will need to authenticate
% git push
Username for 'https://mydomain.tld': USER
Password for 'https://USER@mydomain.tld':
Counting objects: 2, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 222 bytes | 0 bytes/s, done.
Total 2 (delta 1), reused 0 (delta 0)
To https://mydomain.tld/git/MyProject.git
   bc49af8..f7121b5  master -> master
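To add the authentication to the push URL, so that you are not prompted each time (the password is then stored in clear text in .git/config)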
% git remote set-url origin --push --delete https://mydomain.tld/git/MyProject.git
% git remote set-url origin --push --add https://USER:PASSWORD@mydomain.tld/git/MyProject.git
and you are done!
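
A way to check afterwards that the access rule holds, as an added example that is not part of the original post: the script reads Apache access log lines and reports push requests that were answered with a 2xx status while no user was logged, which is the anonymous-push misconfiguration mentioned at the top of this article. It assumes the default "combined" log format; the sample lines are constructed, and fnmatchcase is used as a stand-in for Apache's -strmatch.

```python
import re
from fnmatch import fnmatchcase

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_push_request(uri, query):
    """The condition negated by the Require expr in the virtual host above.
    fnmatchcase stands in for Apache's -strmatch wildcard match."""
    return (fnmatchcase(query, "*service=git-receive-pack*")
            or re.search(r"/git-receive-pack$", uri) is not None)

def anonymous_pushes(lines):
    """Return (host, target) for push requests answered 2xx with no logged user."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        uri, _, query = m["target"].partition("?")
        if (is_push_request(uri, query) and m["user"] == "-"
                and m["status"].startswith("2")):
            findings.append((m["host"], m["target"]))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
T = "[25/Oct/2017:19:10:00 +0200]"
SAMPLE_LOG = [
    # anonymous clone: allowed by design
    f'192.0.2.10 - - {T} "GET /git/MyProject.git/info/refs?service=git-upload-pack HTTP/1.1" 200 312 "-" "git/2.7.4"',
    f'192.0.2.10 - - {T} "POST /git/MyProject.git/git-upload-pack HTTP/1.1" 200 20634 "-" "git/2.7.4"',
    # anonymous push attempt: challenged with 401, as intended
    f'192.0.2.10 - - {T} "GET /git/MyProject.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.7.4"',
    # authenticated push: the user name is logged
    f'192.0.2.20 - USER {T} "GET /git/MyProject.git/info/refs?service=git-receive-pack HTTP/1.1" 200 190 "-" "git/2.7.4"',
    f'192.0.2.20 - USER {T} "POST /git/MyProject.git/git-receive-pack HTTP/1.1" 200 74 "-" "git/2.7.4"',
    # what a broken access rule would leave behind: push accepted with no user
    f'203.0.113.7 - - {T} "POST /git/MyProject.git/git-receive-pack HTTP/1.1" 200 74 "-" "git/2.7.4"',
]

if __name__ == "__main__":
    for host, target in anonymous_pushes(SAMPLE_LOG):
        print(f"anonymous push accepted: {host} {target}")
```

On a real server, feed it the lines of the virtual host's access log instead of SAMPLE_LOG; an empty result means no push was accepted without a logged user.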

Dr Clément Février

Hello, I am Clément Février, PhD in theoretical physics from the Université Grenoble Alpes, Research and Development engineer in the field of medical imaging and minimally invasive surgery at Surgivisio, and supporter of the La France Insoumise movement.

No, I must be dreaming. The Windows security flaw CVE-2021-40444 only affects the rendering engine of Internet Explorer, not that of Edge. So that seemed fine, except for very old Windows versions? Except that Office still uses the Internet Explorer rendering engine (yes, there is a web browser in the spreadsheet and in the word processor) and is therefore vulnerable, and this flaw is being exploited (you open the infected document and bam).