When getting started with Linux and open source software, running websites was one of the first things I learned how to do. Of course with the way software evolves, I’m still learning new ways to better secure, encrypt and protect web assests. Recently I wanted to build a new project and decided I wanted to use OpenBSD, arguably the most secure operating system out of the box. While years ago I switched to FreeBSD for web and mailserver handling, OpenBSD is just more stringent about how it presents things. There’s more to learn, sure, but that’s all part of the fun. Now, if you look around at normal VPS options like DigitalOcean and Linode won’t allow you to run OpenBSD, but with Vultr (affilate link) you can use any ISO you can point to. They have a $5/month option, but they give you 768M RAM versus the 512M that you get from most other VPS providers for that price. With that decided I ran through the install using their console and was up and running in no time. Now for the fun part, let’s
ssh to the server and setup a very setup a secure webserver!
UPDATE 02-29-2016 a reader had issues getting this working, and after reproducing his issue I found that the
ssl_cipers HIGH:!aNULL:!MD5; no longer works. Apparently sometime after I wrote this, the HTTP/2 specs were updated, and browsers followed suit. This blog post tells us, “According to the HTTP/2 specification, over TLS 1.2 HTTP/2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list, found here” So now, we have to call out another cipher before the blacklisted ones
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5 Thanks for the note Elias!
Last week nginx relased mainline version 1.9.5 which features experimental HTTP/2 module. According to the Internet Engineering Task Force “HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP’s existing semantics remain unchanged.” You can get an idea of how HTTP/2 is better and faster on this demo page which shows the multiple connections making a significant difference.
TL;DR it’s faster, backwards compatible and the new hotness (obviously).
The other day I came across a situation where a web-server was getting hammered, and we needed to know who the offend(ers) were. While watching a logfile tail by at high speeds is always fun, we wanted to be able to sort the web-server access log and find top users, to be able to narrow down where the traffic was coming from. While we don’t want to block users that want to access our data, sometimes we need to throttle things back so one requester doesn’t overwhelm all the available bandwidth and make the site unusable for others.
[caption id=“attachment_780” align=“alignright” width=“150” caption=“nginx”][/caption]
So back in January I had a post about HOWTO: log the user’s IP, not the proxy’s, in Lighttpd access log, but today I switched that system to run nginx (actually nginx has been running since early this year, I just got lazy on running Varnish) fronted again by Varnish. I had the same issue, but not much trouble solving it. Since I often refer to my own notes on fak3r, I’m recording it here for myself, and anyone streaming in from Google.
**UPDATE: **I’m reworking my config blending in the security ideas found on camomel.org they’re really thought things through on this, this should make for a very secure environment.
I’m always trying new software, and with the webserver I’ve moved from Apache 1.3 to 2.0 to 2.2, and then later I moved everything over to Lighttpd, which I’ve liked, save for some memory issues that popped up. Now, enter a web server named nginx (engine x), written by a Russian hacker.