Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • SSL Intermediary Certificates

    SSL Intermediary Certificates

    Every now and then, my Android friends tell me my store won’t work on their phones.

    Android warning: Your connection is not private

    Now my store works on Chrome, Firefox, Safari, and IE. I get a green lock, which is what you’re looking for on Chrome, and SSL Labs comes back … with varying results of stupidity. I tend to get this:

    Unexpected failure – our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can’t provide accurate results, which is why we fail.

    Now this is a ‘valid’ failure. I have one IP and a multi-domain certificate (ipstenu.org, mothra.ipstenu.org, store.halfelf.org). It’s stupid, mind you, since sometimes it works and sometimes it doesn’t and it gives me a headache. If you look on Digicert or SSLShopper, they both come back just fine. I’ve started to think that the SSL Labs cache is drunk. I’m going to assume I’m okay based on sslcheck, who gives me a B because it can’t tell if I patched for BEAST (I did).

    That said, I did some research and determined I was not the only person having this issue specifically with a Comodo cert! As it happens, the issue was in part due to a missing intermediate certificate in my file. If a visitor has already been to another site that uses the same CA, their browser has that intermediate certificate cached. Sounds great, right? The site loads faster! But a visitor who has never seen that intermediate anywhere else has nothing to complete the chain with, and the connection fails.

    But why does this only happen on an Android phone? A desktop browser has usually either cached the intermediate from some other site, or can fetch the missing one from the Authority Information Access URL embedded in your certificate. Android’s browser does neither, so it sees only what your server actually sends, which is why a server that leaves out the intermediate fails there first.

    To solve a missing intermediate certificate in the SSL connection, you have to add the intermediate certificate to your own certificate file, so the server sends the whole chain instead of relying on the browser to already have it. This is a little annoying with cPanel/WHM, because I can only do it as root. I’d previously added everything via cPanel as my ipstenu.org login because it was per domain, right? The trick here is that I have to not just add the certificate by pasting that in, but I have to grab the other two certs that came with it:

    Two More Certificates!

    Notice how there are four? The first one is my certificate, the one I pasted in. The second is my Root certificate, leave it alone. The bottom two I had to add at the bottom of the cert page, where it said “Certificate Authority Bundle (optional):” Those I pasted the content of, one after the other, and saved it. In my case, I was so annoyed I deleted them all and re-added everyone, pasting in the main cert and using auto-fill, and then manually adding in the bundle.
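
    Here is an added example, not code from the post, of the same fix done and checked at the command line: it builds the bundle the way the cPanel bundle field does (your certificate first, then the intermediates) and then verifies the leaf against nothing but the root, which is what an Android client with no cached intermediate effectively does. It needs the openssl CLI; the root, intermediate and leaf it generates are a constructed stand-in for a real Comodo chain, and the names in it are made up.

```sh
#!/bin/sh
# Added example, not code from the post: build the chain file that cPanel's
# "Certificate Authority Bundle" field produces (your certificate first, then
# the intermediates) and check it the way a client with no cached intermediate
# would. Needs the openssl CLI. The root -> intermediate -> leaf PKI below is a
# constructed stand-in for a real Comodo chain; the names are made up.
set -eu

# make_test_pki DIR: throwaway root CA, intermediate CA and a leaf for the store
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # root: self-signed with explicit CA extensions (independent of openssl.cnf defaults)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # intermediate: signed by the root, itself a CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  # leaf: signed by the intermediate, never by the root directly
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=store.halfelf.org" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# split_bundle BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/1.pem, DIR/2.pem, ...
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") }' "$1"
}

# chain_order_ok BUNDLE: 0 if the bundle is ordered leaf first and every
# certificate's issuer is the subject of the certificate that follows it
chain_order_ok() {
  tmp=$(mktemp -d)
  split_bundle "$1" "$tmp"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  ok=0
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || ok=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$ok"
}

# leaf_verifies ROOT LEAF [EXTRA]: 0 if LEAF chains to ROOT using only the
# certificates in EXTRA, i.e. only what the server sends; with no EXTRA this
# is the Android case where nothing else is cached or fetched
leaf_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  cat "$work/leaf.pem" "$work/int.pem" > "$work/bundle.pem"   # leaf first, then intermediates
  chain_order_ok "$work/bundle.pem" && echo "bundle order: leaf, then intermediate - OK"
  leaf_verifies "$work/root.pem" "$work/leaf.pem" || echo "leaf with no intermediate: FAILS"
  leaf_verifies "$work/root.pem" "$work/leaf.pem" "$work/bundle.pem" && echo "leaf plus bundle: verifies"
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

    Run it as `sh chain_check.sh demo` to see all three results. Against your real site, the equivalent check is `openssl s_client -connect store.halfelf.org:443 -servername store.halfelf.org -showcerts`: if only one certificate comes back, the intermediate is missing from the bundle no matter what your desktop browser says.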

    I do find it interesting to note that this only failed on Android phones, though.

  • Two Factor Apps

    Two Factor Apps

    Hat tip to Kat for cluing me into this!

    Two Factor Authentication is a wonderful thing between two places. Between ten it’s a hassle.

    I got a new phone and was going through the process of re-entering all my codes on the official Google Authenticator which, once you install it and add a couple codes, looks pretty basic and utilitarian. It lists all your codes and what site they’re for.

    My issue with the app is pretty basic. First of all, it’s Google’s and I’m not a huge fan. Second, the app hasn’t been updated in a year and it shows. Third, I have to pull my phone out when I want to log in (which is the point, I know). Fourth, I got a new phone and had to manually move everything over.

    The last two items are actually the biggest hassle.

    Enter Authy. It hits all four points. It’s not Google, it’s updated to look right on an iPhone 6, it has a desktop app that syncs with your phone, and it’s got backups.

    My fear right away was “Where is my backup?” and this is all they say:

    For your convenience Authy can store an encrypted copy of your Authenticator accounts in the cloud. The account is encrypted/decrypted inside your phone, so neither Authy or anyone affiliated with Authy have access to your accounts.

    I’m not super happy that I don’t know what cloud it’s in, or whose (Amazon probably), and I dislike that unlike 1Password I can’t pick where I put the backups. What if I want to sync to Dropbox? Or iCloud? That would be a great improvement. That said, they’re upfront about their backups and how they work and, unlike Google, appear to have people who are willing to talk to you about things.

    But.

    The only issue I see with Authy’s layout is that if I have more than 12 items, it’s a little weird to scroll around the tiny boxes.

    Now if only Twitter and PayPal would have real 2FA and not ‘SMS’ which doesn’t help me at all outside my home country.

  • Mailbag: Can I do it on WP (Legally?)

    Mailbag: Can I do it on WP (Legally?)

    This one comes from Zara:

    I’m about to create a website on wordpress. My website is an escort website. It is adult oriented. The new website would look exactly like my current website […] and I’m considering building a new website on wp.

    Since my friend’s website is built on wp and is escort oriented, plus it was banned by wp, now I’m worried about it all.

    Is it allowed to build an escort website on wp?

    Yes.

    I’ve mentioned it before, that you can use WP for porn because the freedoms of the GPL allow it. More specifically, WordPress states that you can use it for anything you want.

    So what’s Zara talking about when she says ‘it was banned by wp’ if that’s true? We’re talking about a couple things here, one is WordPress.org and the other is WordPress.com and yes, it’s a headache.

    WordPress.org is the home of the software. WordPress.com is a hosting service that runs nothing but a locked down, managed, WordPress Multisite instance that you can use for free (or pay for add-ons). As a hosting company, WordPress.com has specific rules and bylaws that they restrict their users to. This is, in no way shape or form, a violation of your GPL permissions. They’re not restricting WordPress usage, they’re restricting your usage of their servers and their system.

    So yes, Zara, you can use the WordPress software for your escort website, but you need to find a web host who will give you permission to host it. My advice to you is to make sure what you’re doing is legal where you live. Also, make sure it’s legal for your webhost. At DreamHost, I know we allow any website that’s legal in the state of California, which means we host a lot of sites I personally disagree with but will defend their right to publish with my dying breath. Not every website has the same rules, so just ask them if they allow escort sites. They should be able to answer, or pass you on to legal for confirmation.

    Good luck!

  • You’re Not The Priority With Free Support

    You’re Not The Priority With Free Support

    Once in a while, someone flies off the rails when they don’t get a fast enough answer for their question in a freely supported product. They don’t get the right answer, or they get what they feel is a run-around by a total stranger trying to understand the real problem, and basically they feel the service should be better.

    Here’s a cold hard truth.

    When it comes to free support on free products, you aren’t the priority.

    Usually when people get shirty about the ‘lack of quality support’ I point out that (on WordPress.org) support is handled predominantly by unpaid volunteers who are offering sage advice and help out of the kindness of their hearts. This is mostly true. Some of us are paid by our companies to volunteer, others are doing it to master skills (not much teaches you how a product works faster than helping someone else debug it), and others do it because they enjoy it. But as far as WordPress goes, it doesn’t directly pay anyone to do support.

    Sidebar: Automattic isn’t WordPress and doesn’t own WordPress. Automattic is a company who pays for some of their employees to help out in the forums. And it’s making my point. Some of us get paid by our companies.

    When I tell people that they need to scale down their expectations, what I don’t mean is they should expect worse help, but that they should expect slower help. Because they’re not the priority.

    What’s my priority? Number one is my family (hello). But after that you get my paying job. Keeping abreast of everything WP related that impacts us, keeping on top of server changes, looking for patterns in tickets to see if we missed something, and generally knowing everything I possibly can about WordPress at DreamHost. After that my priority becomes the websites I run (like this one) and other hobbies I have.

    That raises the question: when is WordPress public support my priority? When I have the time. I try to carve out at least a couple hours a day to check in. These need to be consecutive hours, a nice block of time to catch up and read and help. I don’t always get it. Sometimes I get thirty minutes. And when I am helping out, I prioritize my time.

    If there’s an alpha/beta of WP out, I check there first. If we just released a new version, I’m over in the general troubleshooting. Then I hit Multisite, because we have a very small amount of people there. If I still have time, I’ll get the ‘Requests and Feedback’ and ‘Misc.’ forums. Next I hit up the dread Ideas forum, clean out the spam, and sort things that are dupes or solved or in the wrong place.

    And then I’ve hit how much free time I have, so I go over to plugins for reviewing those. Anyone who was closed for a security issue comes first. After that, it’s anyone who replied to our emails. Then I close out anyone who didn’t reply in 7 days, check for people with bad plugin names, and finally I can start in on the queue.

    It’s a lot to do on top of a day job. So sometimes you will get a reply from me at 8am and then nothing again for 24 hours, because all of those things are important to people and they all need to be taken care of and you, personally, aren’t my number one priority. It’s the same reason why you may not get immediate replies from anyone volunteering, and it’s why I tell you to lower your expectations.

    Free support isn’t better or worse, but it does run at its own pace and that may not be yours.

  • Learning nginx

    Learning nginx

    I’m an nginx rookie. In fact, I moved a site specifically to nginx so I could sit and learn it. While this site, today, is ‘on’ nginx, it’s actually an nginx proxy that sits in front of Apache 2.4, not because I think Apache is necessarily better, but because after all this time, I still can’t stand the loss of the dynamism of my .htaccess.

    When I was experimenting, though, one of the things I started to do was recreate my ‘tinfoil hat’ .htaccess rules in nginx. What are ‘tinfoil hat rules’? They’re things I’ve tweaked in .htaccess to make it harder for nefarious people to look at my code and get into my servers. They’re also general ‘stop people from being jerks’ rules (like preventing hotlinking).

    This isn’t complete, but it’s everything I’d started to compile and test.

    Header

    ######################
    # TinFoil Hat Rules
    

    This is pretty basic, I like to document my section before I get too far into this.

    Directory Listing

    # Directory Index Off
    location / {
      autoindex off;   # 'on' would publish a listing of every file in the directory
    }
    

    Directory listing is like when you go to domain.com/images/ and you get a list of all their images. This is just a bad idea, as people can also use it to list PHP files you might have (many plugins lack an index.php, and no, this isn’t a bad thing). nginx ships with autoindex off, so this rule is about stating it explicitly where an included config can’t quietly flip it on; make sure you never write autoindex on here, which does the exact opposite.

    Hotlinking

    # Hotlinking
    location ~* \.(jpg|jpeg|png|gif)$ {
        # none = no Referer header at all (direct loads, privacy browsers),
        # blocked = a Referer some proxy or firewall has stripped, then my own hosts.
        # Drop 'none' if you would rather refuse referer-less requests too.
        valid_referers none blocked elftest.net *.elftest.net;
        if ($invalid_referer) {
            return 444;   # nginx closes the connection without sending a response
        }
    }
    

    Ah. Hotlinking. This is using images inline straight from someone else’s server, like <img src="http://example.com/images/yourimage.jpg" /> – If I’m on example.com, that’s fine. If I’m not then that’s bad. Never ever hotlink images unless the site provides you a hotlinking URL. I cannot stress this enough.

    This code comes straight from the nginx wiki, and works great.

    Protecting wp-config.php

    This is pretty straightforward. I want to block anyone from hitting that directly, any time, any where. Use an exact-match location (the = sign): a plain prefix location loses to any regular-expression location, and the usual location ~ \.php$ that hands PHP files to FastCGI is exactly that, so with a prefix match the deny never runs at all.

    location = /wp-config.php {
        deny all;   # exact match wins over the ~ \.php$ FastCGI location
    }
    

    Done.

    Brute Force Protection

    If you have the ngx_http_limit_req_module module (it’s in the default build) then you can rate-limit how many requests an IP can make to a file. Two things to know: limit_req only works once a shared-memory zone has been declared with limit_req_zone in the http block, and because the location below is an exact match, it no longer falls through to a general ~ \.php$ location, so the fastcgi_pass and friends that run PHP have to be included inside it too.

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;   # goes in the http {} block

    location = /wp-login.php {
        limit_req zone=one burst=5;   # up to 5 queued beyond the rate, then 503
    }
    

    And that’s all I got to…

    And that is, sadly, as far as I got before I started playing with Apache 2.4 and enjoying the ifs of that, over nginx. What about you? What are your nginx security tweaks?

  • Stick a Fork In It

    Stick a Fork In It

    So you’ve forked a repository from someone and they happen to be using git. This is great and with git (and GitHub) this is so easy and so simple. Heck, on GitHub, they want you to press that fork button. And this is all wonderful except for two things.

    1. You can’t search a fork on GitHub.
    2. Merging back into your fork is confusing.

    The first issue drives me nuts.

    Sorry, forked repositories are not currently searchable.  You could try searching the parent repository.

    That it says “currently” gives me some hope, but it’s one of the most annoying aspects of a fork on GitHub.

    The second issue is bigger than just GitHub.

    Sometimes when you fork, you never want to go back, and that’s sensible. You’ve decided to go a different way. That’s how most of us view a fork, after all, because we’re used to repositories being siloed and stand alone (like with SVN). But with git, you can actually send your fork repo as a pull request to the original for them to merge in your changes. And the reverse is also true, so if you and another dev have a fundamental difference on something you can’t hack with an add-on, you have options that don’t involve reading every line of code and copy/pasting.

    Yes, I did that before.

    Thankfully you won’t have to. You can follow three steps to do this.

    Add the Upstream

    Technically you should do this any time you make a fork, but if you use GitHub you probably forgot. After all, GitHub has that nice ‘Pull Request’ button for you, which takes care of it. They want you to cross contribute and, bless them, they make it quite easy to do so.

    GitHub's Create Pull Request banner

    Instead, you’ll want to manually tell your repository that yes, Virginia, there is an upstream. This is the parent repository and it’s one command:

    git remote add upstream ORIGINALREPO
    

    On GitHub it looks like this:

    git remote add upstream https://github.com/ORIGINAL_OWNER/ORIGINAL_REPOSITORY.git
    

    Simple. Done.

    Fetch the Upstream

    Now you want to fetch the upstream repository so your clone of the repository has the code it will need to merge.

    git fetch upstream
    

    Yeah, it’s that simple. It downloads the upstream history into remote-tracking refs like upstream/master; none of your own branches move. At this point, you’ve not made any changes to your own code.

    Merge with Upstream

    This works best on master to master, but I’ll bet you can also set a branch and merge that way.

    git merge upstream/master -m "Merging from upstream"
    

    If you haven’t committed anything of your own since the fork, it fast-forwards. Otherwise git makes a merge commit that keeps your changes alongside theirs, and if the same lines changed on both sides it stops and asks you to resolve the conflict before committing.
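
    To see what the three commands actually touch, here is an added example, not code from the post, that runs them end to end in a throwaway sandbox: it creates an “upstream” repo, clones a “fork” from it, commits on both sides so the sync needs a real merge, and then does the add/fetch/merge. It needs the git CLI; the repositories, file names and commit messages are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the post: the three steps run end to end in a
# throwaway sandbox so you can see what each one touches. Needs the git CLI.
# The repositories, file names and commit messages are constructed for the demo.
set -eu
export GIT_AUTHOR_NAME="Example" GIT_AUTHOR_EMAIL="example@example.invalid"
export GIT_COMMITTER_NAME="Example" GIT_COMMITTER_EMAIL="example@example.invalid"

# make_sandbox DIR: an "upstream" repo, a "fork" cloned from it, then one commit
# on each side so that syncing needs a real merge rather than a fast-forward
make_sandbox() {
  base=$1
  mkdir -p "$base"
  git -c init.defaultBranch=master init -q "$base/upstream"
  ( cd "$base/upstream" && echo "v1" > readme.txt && git add readme.txt && git commit -q -m "initial" )
  git clone -q "$base/upstream" "$base/fork"
  # upstream keeps moving after the fork was taken...
  ( cd "$base/upstream" && echo "new upstream feature" > feature.txt && git add feature.txt \
      && git commit -q -m "upstream feature" )
  # ...and the fork owner commits their own work to a different file
  ( cd "$base/fork" && echo "my local tweak" > tweak.txt && git add tweak.txt \
      && git commit -q -m "fork tweak" )
}

# sync_fork FORK UPSTREAM_URL: add the upstream, fetch it, merge its master into ours
sync_fork() {
  (
    cd "$1"
    git remote add upstream "$2"                              # step 1: tell git where the parent is
    git fetch -q upstream                                     # step 2: download its history as upstream/*
    git merge -q upstream/master -m "Merging from upstream"   # step 3: merge, keeping our own commits
  )
}

# has_file DIR NAME: 0 if the working tree contains NAME
has_file() { [ -f "$1/$2" ]; }

# commit_count DIR: number of commits reachable from HEAD
commit_count() { git -C "$1" rev-list --count HEAD; }

# remotes DIR: the configured remote names, one per line
remotes() { git -C "$1" remote; }

if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_sandbox "$work"
  sync_fork "$work/fork" "$work/upstream"
  git -C "$work/fork" log --oneline --graph   # both lines of history joined by the merge commit
  rm -rf "$work"
fi
```

    Run it as `sh sync_fork.sh demo` and the log graph shows the fork’s own commit and the upstream commit joined by “Merging from upstream”. Take out the “fork tweak” commit in make_sandbox and the same merge command fast-forwards instead, with no merge commit at all.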

    But I don’t use Git on the CLI!

    According to Hermes Pique, you can do it this way:

    1. Open your fork on GitHub.
    2. Click on Pull Requests.
    3. Click on New Pull Request. By default, GitHub will compare the original with your fork, and there shouldn’t be anything to compare if you didn’t make any changes.
    4. Click on switching the base. Now GitHub will compare your fork with the original, and you should see all the latest changes.
    5. Click on Click to create a pull request for this comparison and assign a predictable name to your pull request (e.g., Update from original).
    6. Click on Send pull request.
    7. Scroll down and click Merge pull request and finally Confirm merge. If your fork didn’t have any changes, you will be able to merge it automatically.

    Me? I like the CLI.