# uname -a


Thursday 19 October 2017

Set up Let's Encrypt certificates on Gitlab and Mattermost

Recent versions of Gitlab embed the Mattermost server. Here is how to set up the certificates for these instances.

1. Install certbot

Read the docs here (choose Nginx on the appropriate system) : certbot.eff.org

2. Make a webroot

mkdir -p /var/www/letsencrypt/.well-known

3. Configure Gitlab and Mattermost to serve /.well-known from this webroot

Edit /etc/gitlab/gitlab.rb and add :

nginx['custom_gitlab_server_config']="location ^~ /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"

And reconfigure Gitlab :

gitlab-ctl reconfigure

4. Create the certificates

Run the certbot command :

certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d gitlab.your-domain.com
certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d mattermost.your-domain.com

5. Tell Gitlab to use the certificates

Edit /etc/gitlab/gitlab.rb again, and add :

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.your-domain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.your-domain.com/privkey.pem"

mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.your-domain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.your-domain.com/privkey.pem"

6. Done

Reconfigure Gitlab again :

gitlab-ctl reconfigure
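
An added pre-flight check for the steps above (not from the original post): it confirms that each host serves files from the webroot over HTTP, which is what certbot's --webroot validation relies on, and that each certificate/key pair in gitlab.rb comes from the same live/ directory. The function names and the probe file are hypothetical, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the webroot setup (helper names are hypothetical).
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # webroot created in step 2

# Write a probe file where certbot will place HTTP-01 challenges; print its name.
make_probe() {   # $1 = webroot
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf 'probe-%s\n' "$$" > "$dir/probe-$$.txt" || return 1
    printf 'probe-%s.txt\n' "$$"
}

# Fetch the probe the way the CA's validator does: plain HTTP first, following
# redirects (-L) and not validating the certificate on an HTTPS hop (-k).
probe_host() {   # $1 = host name, $2 = probe file name
    body=$(curl -fsSLk --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "probe-$$" ]
}

# Print the quoted value assigned to <prefix>['<key>'] in a gitlab.rb file.
rb_value() {     # $1 = gitlab.rb, $2 = prefix, $3 = key
    sed -n "s|^[[:space:]]*$2\['$3'][[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$|\1|p" "$1" | tail -n 1
}

# Succeed only if the certificate and key for a prefix sit in the same live/
# directory under certbot's file names; a mismatched pair stops nginx from starting.
pair_ok() {      # $1 = gitlab.rb, $2 = nginx | mattermost_nginx
    cert=$(rb_value "$1" "$2" ssl_certificate)
    key=$(rb_value "$1" "$2" ssl_certificate_key)
    [ -n "$cert" ] && [ -n "$key" ] || return 1
    [ "$cert" != "${cert%/fullchain.pem}" ] && [ "${cert%/fullchain.pem}" = "${key%/privkey.pem}" ]
}

# Usage: sh preflight.sh gitlab.your-domain.com mattermost.your-domain.com
if [ "$#" -gt 0 ]; then
    probe=$(make_probe "$WEBROOT") || exit 1
    for host in "$@"; do
        probe_host "$host" "$probe" && echo "OK   $host" || echo "FAIL $host"
    done
    rm -f "$WEBROOT/.well-known/acme-challenge/$probe"
    for p in nginx mattermost_nginx; do
        pair_ok /etc/gitlab/gitlab.rb "$p" && echo "OK   $p cert/key" || echo "FAIL $p cert/key"
    done
fi
```

Certificates requested with --staging, as in step 4, come from the Let's Encrypt staging environment and are not trusted by browsers; trusted certificates require the same request without that flag.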

Tuesday 10 October 2017

Elasticsearch, Kibana : mapper [hits] cannot be changed from type [long] to [integer]

Every time I upgrade my ELK stack, it breaks. This time, it was the Kibana index, with these obscure errors:

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [hits] cannot be changed from type [long] to [integer][DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction]

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [version] cannot be changed from type [long] to [integer]

Here is how to fix it. You will have to re-create an index with the correct mapping, and then reindex it.


Tuesday 12 September 2017

The war on SPAM: a review of the real-world tools

Anti-spam techniques: a few hints and a review of tools, from my own experience.

Spam messages are very common these days, but filtering them out is not as easy as it seems. Filtering techniques have evolved at the same rate as the spammers' evasion techniques, and the risk of filtering out a legitimate message is greater than ever.

It is also quite difficult to find a good, up-to-date list of countermeasures that anyone can implement.

Here is a summary of the anti-spam strategies I have used or am still using. I hope it will help you understand today's threats and build your own solutions.


Monday 17 July 2017

rsync memo for my colleagues

A reminder of practical rsync usage for my colleagues, who keep forgetting the commands to type.


Tuesday 11 July 2017

Configure Wordpress for Performance and Stability

Wordpress is a very common CMS nowadays, and works well out of the box. But when it comes to Performance and Security, its default options do not harden it enough.

This topic has been discussed a lot on the Internet, but here are my tips, as a web developer and sysadmin.

Performance : the main culprits

On a public website, slowness can come from :

  • Network : your provider has a slow network or a heavy traffic load, or the user simply has a bad connection
  • Database access : the provider's database may be under load, your queries may be too large, or the access time between the script and the database is just "usually slow".
  • Disk access : the disk where your files are stored may be slow, or may lack proper in-RAM caching
  • CPU : the CPU of the machine where your site is hosted may be slow, or you are on a low-cost VPS

There is no "miracle solution" for a badly designed website, but in the vast majority of cases, simple solutions can help a bit.

Security : the main threats

The main threat in a Wordpress installation is the handling of updates. You should update your modules, themes, and core as soon as possible.

Custom and unmaintained modules and themes can also become a threat, as they are no longer updated and can contain exploitable flaws.

There are several ways to prevent your site from leaking too much information about its "health". This can buy you some time to update your website before hackers exploit it.
