Eclectic Dreams

A Web Design and Development Blog

Posts Tagged ‘web’

Now with HTTPS

Tuesday, December 8th, 2015

So, if you’ve been paying attention over the last few years, you’ll have noticed more of the web going encrypted. This is a good thing. It keeps your data more secure and stops proxies and malicious wifi providers eavesdropping or injecting ads into your content.

Of course, for those who don’t have money to burn on expensive certificates there was always a blocker to going https: the cost. Even the cheaper certificates to secure your site cost about three times as much as the domain name, plus there were the notoriously headachey setup steps for getting a secure certificate working on your site.

All that changed last year, when Let’s Encrypt announced their service: free certificates and a simple client you could use to set them up. Pretty much the ideal solution if they could pull it off, and they have board members from the likes of Cisco, the E.F.F. and Mozilla. It’s been in beta since the summer, and at the start of December they went public beta.

So I decided to give it a whirl. I’ve always left SSL config to somebody else before, so this should be “fun”.

Getting started

First off, you need ssh/console access to your server and the ability to install software. I have a CentOS server at DigitalOcean (whom I recommend, by the way) and can go in and switch to root to install stuff.

The instructions on the Let’s Encrypt docs are pretty thorough. You’ll probably need to install some dependencies with yum (or apt-get or whatever). You might need to do:

sudo yum install gcc libffi-devel python-devel openssl-devel

Running ./letsencrypt-auto as root should sort these for you, but I found that my server’s memory and CPU were a little low for some of the compiling steps, particularly the Python cryptography package it uses. So I waited for a lull before installing that manually with:

pip install cryptography

Also, my system had an older Python install that grumbled about a few things and required using the --debug flag to run the client.

Installing the certs

Although Let’s Encrypt supports sorting out the server setup for some platforms and web servers, my combo of CentOS and nginx wasn’t supported, so I needed to create a cert in the client and install it manually. I needed my web root directory and domain; the command looked like this:

./letsencrypt-auto certonly --webroot -w <webroot> -d <example.com> --debug

This popped up a query for some info (email and so on), then quickly sorted the certs and told me where it put them. Simple.

Setting up nginx was a case of adding an appropriate virtual server and pointing it at the cert/key combo:

server {
    listen 443;
    server_name <domain>;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
}

This required a restart of nginx. I went to https://<domain> and things seemed to work.

Post install massaging

So you’ve got your secure cert. What next? Well, I decided to check the connection against the tool provided by Qualys to be sure it was secure enough and up to scratch.

Oh dear, only grade C. Seems there’s some more work to do post install.

Fortunately the report gives some advice on what to fix. For me it was out-of-date protocols/ciphers still being available and an older form of

I set the protocols in the nginx config with:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

then the ciphers with:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;

That last bit came from the detail over here, which also recommended setting up a “strong DH group” by running:

openssl dhparam -out dhparams.pem 2048

and then pointing my server at the file with an update to nginx config:

ssl_dhparam /etc/nginx/dhparams.pem;

All that done, my server goes from a C rating to an A, and avoids lots of known exploits of older SSL technologies. After checking it all worked, I set up an http to https redirect in the old http server config:

if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}
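The post’s hardening boils down to four nginx directives the SSL Labs report wanted to see. The following script is an added example, not code from the post: it parses a server block and flags the same gaps (weak or unset protocols, a cipher list that does not ban the weak keywords, client-preferred ciphers, no custom DH group), run against a constructed copy of the post’s initial config and a hardened version with a shortened cipher list.

```python
# Audit an nginx TLS server block for what the post's SSL Labs report flagged (added example).
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
MUST_EXCLUDE = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5")  # keywords the post's list bans

def parse_directives(config):
    """Return {directive: value} for simple 'name value;' lines (last one wins)."""
    directives = {}
    for raw in config.splitlines():
        m = re.match(r"(\w+)\s+(.*);$", raw.split("#", 1)[0].strip())
        if m:
            directives[m.group(1)] = m.group(2).strip().strip("'\"")
    return directives

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(config)
    findings = []
    protos = set(d.get("ssl_protocols", "").split())
    if not protos:
        findings.append("ssl_protocols unset: nginx's default protocol list applies")
    elif protos & WEAK_PROTOCOLS:
        findings.append("ssl_protocols offers " + ", ".join(sorted(protos & WEAK_PROTOCOLS)))
    ciphers = d.get("ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers unset: nginx's default cipher list applies")
    else:
        excluded = {c[1:] for c in ciphers.split(":") if c.startswith("!")}
        findings += [f"ssl_ciphers does not exclude {kw}" for kw in MUST_EXCLUDE if kw not in excluded]
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers not on: the client's preference order wins")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam unset: no custom DH group for DHE suites")
    return findings

# The post's first server block (constructed sample, before the SSL Labs check).
INITIAL = """server {
    listen 443;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}"""
# The same block with the post's fixes applied (constructed; cipher list shortened).
HARDENED = INITIAL.replace("}", """    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;
}""")
```

`audit(INITIAL)` returns four findings and `audit(HARDENED)` returns none; point it at your own server block to see which of the post’s steps you have skipped.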

And that’s it. If you can view this page, you can see it’s working… You can see it right?


In Praise of Gov.uk

Thursday, November 1st, 2012

Something extraordinary happened a few weeks ago and I felt like I should mark the occasion: The government launched a website that didn’t suck.

No, not only didn’t it suck, this website has a wonderful user experience. Really. Not only that, but it came in without falling foul of the cost creep endemic in government digital projects. It replaced and rationalised content. It made things clearer and used plain English. It focused on what users wanted to find, not what government departments wanted to say. The team shared their code on github and accept pull requests. They set metrics for pages and continually revised and improved. They ran detailed user and accessibility tests.

Wow!

I can’t quite remember when I first heard of the then alpha.gov.uk project. Possibly from one of the many folks on the web scene who seemed to get sucked into the project. This in itself was the first sign that those behind the new government website knew what they were doing: they got professionals with industry respect to work on the prototype. Over the last year or so I’ve watched it move from alpha to beta and slowly iterate and optimise. They’ve done this in public, often sharing their detailed research and testing experiences on their blog (with some interesting results; see their notes on auto-completing search). The web community in the UK has been cheering from the sidelines the whole way, because it’s really made a nice change to be enthusiastic about a government website. It’s weird when the hottest startup in the UK is a government website…

If you ever wanted a case study for a large scale user-centric redesign, this is it.

This is truly a watershed moment, and one whose lessons I hope will cascade down from central government to regional (please pay attention, Birmingham City Council) and other public sector areas. The Government Digital Service is a model for how this kind of project should be delivered. They put the web in its own category and built something amazing.

Given I have pretty much hated the major policies of the current coalition, it seems very strange to be congratulating it, but for their support of this one project they really deserve it. They’ve given us a UK website to be proud of.


Geek in the Park

Monday, July 24th, 2006

From the minds that brought you Multipack comes:

Geek in the Park 2006
The time: 27th August 2006
The Place: Royal Leamington Spa, Warwickshire
The Picnic: Bring food, drink, people and so on.
The Discussion: The excellent Patrick Lauke and Bruce Lawson will be providing evening discussion on ‘Where the rubber meets the road: Web Accessibility and Pragmatism’ at the Jug and Jester pub.

There are also some very nice web design books on offer as prizes from Friends of Ed.

I’ll be there, and you should be too!