Ice Age

I come from the ice age. I started what is today called “web development” during the first release of PHP 3.0 and ASP 3.0. That happened in the previous millennium. In the previous century!
 
Back then IE had more than 95% of the market.
 
Until ~2010 it was a complete nightmare to develop front ends. You had to develop special cases for IE. Paddings? Margins? Overflows? Give 10px to IE and he will eat 2 of them. I can write for days about those nightmares, but the memory of clients using IE 6 (worse: IE 5.5) in 2010 still gives me the creeps.
 
When Chrome came into the picture, it was the best thing that could have happened. It was heaven on earth, like jQuery was (and is) for a JS frontend dev. I was among the first people who said: Use IE to download Chrome or Firefox!
 
So if you ask me, a unified browser would be the perfect future. I would ask Google, Microsoft, Firefox and Apple to agree on the f*****g specs and release the first unified version of “Gomfa Browser” (or whatever acronym suits their ego)…

SSL certificates: Let’s Encrypt

In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access

Step 1

Download Certbot (ACME Client Implementation) for Let’s Encrypt:

$ sudo su
$ cd ~
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto

Executing ./certbot-auto will first install all the requirements.

Step 2

Generate a strong Diffie-Hellman group. This further increases security for the DHE cipher suites enabled in Step 6. To generate a 2048-bit group, use this command:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 3

Allow Nginx to serve requests for the ACME challenge path, which lives under a dot directory (.well-known). Add the following lines to your /etc/nginx/sites-enabled/siteconfig*:

server {
# ... snippet start
        location ~ /\.well-known/acme-challenge/ {
           root /usr/local/acme-ssl/;
           index index.html index.htm;
           try_files $uri =404;
        }
# ... snippet end
}

*siteconfig is the file name of your enabled site, e.g. mydomain.net.conf

Step 4

Create the /usr/local/acme-ssl/ directory and change its owner to the Nginx user (usually www-data):

$ mkdir -p /usr/local/acme-ssl/
$ chown -R www-data:www-data /usr/local/acme-ssl

Step 5

Generate a certificate using Certbot:

$ cd ~
$ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld

Certbot will save the certificate files in the /etc/letsencrypt/live/domain.tld directory.

Step 6

Enable SSL by making modifications to your /etc/nginx/sites-enabled/siteconfig* file. The new file should look like this:

server {
    listen *:80;
    server_name www.domain.tld domain.tld;
    return 301 https://$host$request_uri;
}

server {
    # the "ssl" listen parameter replaces the deprecated "ssl on;" directive
    listen *:443 ssl;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    server_name www.domain.tld domain.tld;

    # rest of your server {} block goes below ...
}

Step 7

Test the Nginx configuration and reload it:

$ service nginx configtest
$ service nginx reload

That’s it. Now, when you access http://domain.tld you should be redirected to https://domain.tld/ with a valid certificate.
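
To check the result of Step 6 before reloading, the script below audits a site file for the directives this guide relies on. It is an added example, not part of the original post: the function names and finding labels are made up here, and the sample config is a constructed, shortened copy of Step 6.

```shell
# Added example: audit an nginx site file for the TLS directives from Step 6.
# Prints one finding per line and nothing when every check passes.

# Print the arguments of every uncommented "NAME args;" directive in FILE.
# Assumes one directive per line and no '#' inside quoted values.
directive_args() {
    sed -e 's/#.*$//' "$1" | awk -v d="$2" '
        $1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/;[ \t]*$/, ""); print }'
}

audit_nginx_tls() {
    # TLSv1 and TLSv1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are broken.
    for proto in $(directive_args "$1" ssl_protocols); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy-protocol:$proto" ;;
        esac
    done
    # Step 2 generated a custom DH group; make sure it is actually referenced.
    [ -n "$(directive_args "$1" ssl_dhparam)" ] || echo "missing:ssl_dhparam"
    directive_args "$1" add_header | grep -q '^Strict-Transport-Security' ||
        echo "missing:hsts"
    # The port-80 server block must redirect instead of serving content.
    directive_args "$1" return | grep -q '^301 https://' ||
        echo "missing:https-redirect"
    # fullchain.pem carries the intermediate; cert.pem alone breaks some clients.
    directive_args "$1" ssl_certificate | grep -q 'fullchain\.pem$' ||
        echo "cert-not-fullchain"
}

# Constructed sample: the Step 6 configuration, shortened.
sample_conf() {
    cat <<'EOF'
server {
    listen *:80;
    return 301 https://$host$request_uri;
}
server {
    listen *:443 ssl;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    # ssl_protocols SSLv3;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security max-age=15768000;
}
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"; audit_nginx_tls "$tmp"; rm -f "$tmp"
```

Run against your own file with audit_nginx_tls /etc/nginx/sites-enabled/siteconfig; an empty output means every check passed.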

P.S. Let’s Encrypt certificates are valid for 90 days only. You should create a cronjob that runs twice a day and will automatically renew your certificate. Example cronjob:

30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade
35 6,23 * * * /etc/init.d/nginx reload

This cronjob will run twice a day, at 06:30 AM and 23:30 (11:30 PM), and will renew all the certificates that are about to expire. At :35, the Nginx configuration will be reloaded in order to use the new certificate.

YouTube sucks. Or why we should kill it!

I am honestly tired of YouTube’s aggressive advertisement. Really now … guys … we are eating ads all day. On TV, on the street, listening to FM, reading online news and more.

Lately, in Spain, every 1-2 videos I have to mute my speakers and switch tabs in my browser. Not only are most of the ads 19-22 seconds long and you can’t skip them, but they are also completely unrelated to my preferences. YouTube … PLEASE, pay some respect to the users that are feeding your bank accounts.

I understand and I agree that every company should find a way to make profits. But if this aggressive advertisement on YouTube is a reaction to the company’s low KPI, then you should rethink your business strategy a little bit.

Until then, with respect, YOU[suck]tube!

Force a logout shortcut, in Ubuntu

If everything is blocked / frozen, you can try this:

CTRL + ALT + F2

After this, you will be asked for your username and password to log in. Type them, then type this:

$ killall -u [your-username] gnome-session

That’s it. Of course, all your unsaved data is lost!