HTTP to HTTPS

Fri 24 July 2020
Public key (Photo credit: Michael Drummond)

The goal was to migrate from HTTP to HTTPS

HTTPS overview

The HTTPS protocol relies on TLS (previously SSL) to ensure data integrity (data cannot be modified unnoticed), confidentiality (the requested URL and content are known only to the end points) and authentication (the end points are who they claim to be).

TLS (ex-SSL)

TLS is a transport-layer protocol. It provides these services through cryptography, which requires keys to be exchanged. I won't go into the details of the shared cryptographic material (cryptographic algorithms, keys, handshakes). The most important point is that the cryptographic material used to authenticate the server can be shared in a publicly available certificate [RFC8446 sec.4.4.2]. The most common type of certificate is known as X.509. The cryptographic material contained in the certificate (mostly the public keys and the associated cryptographic algorithm) is used to initiate the TLS connection (the handshake, described in [RFC8446 sec.4]).

X.509

An X.509 certificate contains material used to authenticate an endpoint. To be valid, the certificate must be part of a certification path (as defined in [RFC5280 sec.3.2]). This implies either a certificate authority or a self-signed certificate.

A self-signed certificate is easy to set up but is not trusted by default by most verification tools. It is therefore not suited to a public server.

DevOps corner

To migrate from HTTP to HTTPS, the following steps must be followed:

  1. create an X.509 certificate
  2. get your certificate signed by a certificate authority
  3. publish your newly signed certificate
  4. configure your web server to use it
  5. test that your web server works
  6. check that links to your website are still working
  7. add a reminder in your calendar to update your certificate before it expires

Certbot is a tool that automates most of these steps. Let's Encrypt is a non-profit certification authority. It provides certificates that expire after 3 months [1]. Having to renew the certificate every 3 months is not painful, as renewal can also be automated with Certbot.

If run in interactive mode (as suggested by the documentation), Certbot asks several questions before modifying the configuration. You can even keep 2 versions of your website: one secured with HTTPS and another one using classic HTTP.

Note that if you have multiple sites running on your server (using virtual hosts), you can select which one will be migrated to HTTPS.

The first time you run Certbot, it will perform steps 1 to 4. Checking that certificate renewal works by performing a dry run will add a line in a crontab, taking care of step 7.
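Automated renewal can fail silently, so an independent check of steps 5 and 7 is useful. The sketch below is an added example, not code from the original post: `fetch_cert` connects with Python's default verification (certification path and host name), and `classify` flags a certificate nearing expiry. The 30-day threshold and the sample dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed threshold for a 3-month certificate


def days_left(cert, now):
    """Whole days until notAfter (negative once expired).

    `cert` is a dict shaped like ssl.SSLSocket.getpeercert() output.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def classify(cert, now, threshold=RENEW_BEFORE_DAYS):
    """Return 'expired', 'renew' or 'ok' for the given point in time."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < threshold:
        return "renew"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the server certificate the way a browser would.

    The default context verifies the certification path and the host
    name, so a self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a certificate valid for 90 days.
SAMPLE_CERT = {
    "notBefore": "Jul 24 00:00:00 2020 GMT",
    "notAfter": "Oct 22 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    today = datetime(2020, 9, 30, tzinfo=timezone.utc)
    print(days_left(SAMPLE_CERT, today), classify(SAMPLE_CERT, today))
```

Against a live site, pass the result of `fetch_cert("your.host.name")` and `datetime.now(timezone.utc)` to `classify` from a scheduled job.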

You still have to perform tests manually. For example, the Pelican configuration includes a global variable SITEURL that must be updated.
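A stale SITEURL leaves absolute `http://` URLs in the generated pages, which browsers treat as mixed content when they load subresources. The scanner below is an added example, not part of the original post; the host `blog.example.org` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src"}


class HttpRefFinder(HTMLParser):
    """Collect references that still use plain HTTP after the migration."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_ATTR:
            self._check("mixed-content", tag, attrs.get(SUBRESOURCE_ATTR[tag]))
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("mixed-content", tag, attrs.get("href"))
        elif tag == "a":
            self._check("stale-link", tag, attrs.get("href"))

    def _check(self, kind, tag, url):
        if not url or urlsplit(url).scheme != "http":
            return  # relative, https or non-web URL: nothing to report
        # Plain links to other sites are not ours to fix; subresources
        # fetched over HTTP matter whatever host serves them.
        if kind == "stale-link" and urlsplit(url).hostname != self.site_host:
            return
        self.findings.append((kind, tag, url))


def find_http_refs(html, site_host):
    finder = HttpRefFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample of generated output built with an outdated SITEURL.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://blog.example.org/theme/css/main.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://blog.example.org/http-to-https.html">HTTP to HTTPS</a>
<a href="http://other.example.com/">elsewhere</a>
<a href="/tag/tools.html">tools</a>
<img src="http://blog.example.org/images/key.jpg" alt="Public key">
</body></html>
"""
```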


[1] Having short-lived certificates is generally a good idea (you won't have to live with mistakes for long; if compromised, the certificate cannot be abused for long, ...). Yet everything in security is a compromise between a high level of security and user-friendliness (otherwise it is not used as expected), and short-lived certificates require frequent renewals.

Category: network security Tagged: Unix Debian tools how to network security


Travis setup

Tue 12 May 2020
One job in continuous integration pipeline (Photo credit: Wikipedia)

The goal is to set up a CI pipeline based on Travis, with external dependencies, integrated into a GitHub repository.

Travis basics

To enable Travis integration in GitHub, one must edit the ./.travis.yml file.

I won't go into detail. The setup is …

Category: how to Tagged: travis ci how to


LaTeX makefile updated

Fri 29 March 2019

My default LaTeX makefile evolved. Here is an update:

The makefile looks like:

LATEX=pdflatex
BIBTEX=bibtex
BIB=
RERUN='(There is undefined reference|Rerun to get (cross-references|the bars) right)'

%.pdf:%.tex
    ${LATEX} $<
    @if [ -e $*.bbl ]; then ${BIBTEX} $* && ${LATEX} $< && ${LATEX} $< ; fi
    @if egrep -q $(RERUN) $*.log ; then ${LATEX} $< ; fi

%.aux …

Category: tools Tagged: GNU LaTeX Makefile Writing how to tools


Conference posters

Fri 11 December 2015
mindmap needing clarification (Photo credit: Wikipedia)

A few weeks ago, I wrote about mindmaps in LaTeX. Now I want to clarify a few ideas and to have all the key ideas visible at a glance. I think the best layout is similar to a conference poster:

  • key ideas are easily seen from a few meters away …

Category: LaTeX Tagged: LaTeX Poster how to tools


LaTeX mindmap

Tue 09 June 2015

The canonical way to draw a mindmap in LaTeX seems to be using the ad-hoc tikz module.

Quick beginner guide

  1. use the tikz package by adding \usepackage{tikz} in the preamble
  2. load the mindmap module using \usetikzlibrary{mindmap}
  3. begin your tikz picture with \begin{tikzpicture}[mindmap] (you may add other options) and …

Category: LaTeX Tagged: LaTeX Mindmap how to tools
