Category: How To

SSL Intermediary Certificates

Every now and then, my Andriod friends tell me my store won’t work on their phones.

Now my store works on Chrome, Firefox, Safari, and IE. I get a green lock, which is what you’re looking for on Chrome, and SSL Labs comes back … with varying results of stupidity. I tend to get this:

Unexpected failure – our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can’t provide accurate results, which is why we fail.

Now this is a ‘valid’ failure. I have one IP and a multi-domain certificate (ipstenu.org, mothra.ipstenu.org, store.halfelf.org). It’s stupid, mind you, since sometimes it works and sometimes it doesn’t and it gives me a headache. If you look on Digicert or SSLShopper, they both come back just fine. I’ve started to think that the ssllabbs cache is drunk. I’m going to assume I’m okay based on sslcheck, who gives me a B because it can’t tell if I patched for BEAST (I did).

That said, I did some research and determined I was not the only person having this issue specifically with a Comodo cert! As it happens, the issue was in part due to missing an intermediate certificate in my file. If someone’s already visited another website which has the same certificate seller, the intermediate certificate is remembered in the browser. Sounds great, right? The site loads faster! But if the visitor hasn’t hit my store, then they don’t have the intermediary certificate and it would fail.

But why does this only happen on an Android phone? Your browser on your big computer has a whole mess of certificates it saves for you, to make things faster for everyone. Your phones don’t.

To solve a missing intermediate certificate in the SSL connection, you have to add the intermediate certificate to your own certificate file. This is a little annoying with cPanel/WHM, because I can only do it as root. I’d previously added everything via cPanel as my ipstenu.org log in because it was per domain, right? The trick here is that I have to not just add the certificate by pasting that in, but I have to grab the other two certs that came with:

Notice how there are four? The first one is my certificate, the one I pasted in. The second is my Root certificate, leave it alone. The bottom two I had to add at the bottom of the cert page, where it said “Certificate Authority Bundle (optional):” Those I pasted the content of, one after the other, and saved it. In my case, I was so annoyed I deleted them all and re-added everyone, pasting in the main cert and using auto-fill, and then manually adding in the bundle.

I do find it interesting to note that this only failed on Android phones, though.

24 December, 2014
Learning nginx
I’m an nginx rookie. In fact, I moved a site specifically to nginx so I could sit and learn it. While this site, today, is ‘on’ nginx, it’s actually an nginx proxy that sits in front of Apache 2.4, not because I think Apache is necessarily better, but because after all this time, I still can’t stand the loss of the dynamism of my .htaccess.

When I was experimenting, though, one of the things I started to do was recreate my ‘tinfoil hat’ .htaccess rules in nginx. What are ‘tinfoil hat rules’? They’re things I’ve tweaked in .htaccess to make it harder for nefarious people to look at my code and get into my servers. They’re also general ‘stop being from being jerks’ rules (like preventing hotlinking).

This isn’t complete, but it’s everything I’d started to compile and test.

Header
```
######################
# TinFoil Hat Rules
```
This is pretty basic, I like to document my section before I get too far into this.

Directory Listing
```
# Directory Index Off
location  /  {
  autoindex  on;
}
```
Directory listing is like when you go to domain.com/images/ and you get a list of all their images. This is just a bad idea, as people can also use it to list PHP files you might have (many plugins lack an index.php, and no, this isn’t a bad thing). This simple rule will protect you.

Hotlinking
```
# Hotlinking
location ~* (.jpg|.png|.jpeg|.gif)$ {
    valid_referers blocked elftest.net *.elftest.net;
    if ($invalid_referer) {
        return 444;
    }
}
```
Ah. Hotlinking. This is in-line using images from someone else’s server, like <img src="http://example.com/images/yourimage.jpg" /> – If I’m on example.com, that’s fine. If I’m not then that’s bad. Never ever hotlink images unless the site provides you a hotlinking URL. I cannot stress this enough.

This code comes straight from the nginx wiki, and works great.

Protecting wp-config.php

This is pretty straightforward. I want to block anyone from hitting that directly, any time, any where.
```
location /wp-config.php {
    deny all;
}
```
Done.

Brute Force Protection

If you have ngx_http_limit_req_module module then you can rate-limit how many requests an IP can give to a file.
```
location /wp-login.php {
    limit_req zone=one burst=5;
}
```
And that’s all I got to…

And that is, sadly, as far as I got before I started playing with Apache 2.4 and enjoying the ifs of that, over nginx. What about you? What are your nginx security tweaks?
15 December, 2014
Stick a Fork In It
So you’ve forked a repository from someone and they happen to be using git. This is great and with git (and GitHub) this is so easy and so simple. Heck, on GitHub, they want you to press that fork button. And this is all wonderful except for two things.
1. You can’t search a fork on GitHub.
2. Merging back into your fork is confusing.
The first issue drives me nuts.

That it says “currently” gives me some hope, but it’s one of the most annoying aspects of a fork on GitHub.

The second issue is bigger than just GitHub.

Sometimes when you fork, you never want to go back, and that’s sensible. You’ve decided to go a different way. That’s how most of us view a fork, after all, because we’re used to repositories being silo’d and stand alone (like with SVN). But with git, you can actually send your fork repo as a pull request to the original for them to merge in your changes. And the reverse is also true, so if you and another dev have a fundamental difference on something you can’t hack with an add-on, you have options that don’t involve reading every line of code and copy/pasting.

Yes, I did that before.

Thankfully you won’t have to. You can follow three steps to do this.

Add the Upstream

Technically you should do this any time you make a fork, but if you use GitHub you probably forgot. After all, GitHub has that nice ‘Pull Request’ button for you, which takes care of it. They want you to cross contribute and, bless them, they make it quite easy to do so.

Instead, you’ll want to manually tell your repository that yes, Virginia, there is an upstream. This is the parent repository and it’s one command:
```
git remote add upstream ORIGINALREPO
```
On GitHub it looks like this:
```
git remote add upstream https://github.com/ORIGINAL_OWNER/ORIGINAL_REPOSITORY.git
```
Simple. Done.

Fetch the Upstream

Now you want to fetch the upstream repository so your clone of the repository has the code it will need to merge.
```
git fetch upstream
```
Yeah, it’s that simple. It’s pretty much making a branch and fetching its changes. At this point, you’ve not made any changes to your own code.

Merge with Upstream

This works best on master to master, but I’ll bet you can also set a branch and merge that way.
```
git merge upstream/master -m "Merging from upstream"
```
If there aren’t any commit differences, it fastforwards. Otherwise you get a merge done safely, your changes stick.

But I don’t use Git on the CLI!

According to Hermes Pique, you can do it this way:
1. Open your fork on GitHub.
2. Click on Pull Requests.
3. Click on New Pull Request. By default, GitHub will compare the original with your fork, and there shouldn’t be anything to compare if you didn’t make any changes.
4. Click on switching the base. Now GitHub will compare your fork with the original, and you should see all the latest changes.
5. Click on Click to create a pull request for this comparison and assign a predictable name to your pull request (e.g., Update from original).
6. Click on Send pull request.
7. Scroll down and click Merge pull request and finally Confirm merge. If your fork didn’t have any changes, you will be able to merge it automatically.
Me? I like the CLI.
12 December, 2014
Hide Your Site on Multisite
Sometimes when you’re building a network, you don’t want all your sites to be available just yet. While you can install a ‘Coming Soon’ plugin, there are also built in ways to handle this.

First you’ll want to take advantage of two of the Network’s least loved features: Deactivate and Archive. When you go to the Sites page on the Network Admin and hover over the items, you have new options appear:

Should you click on Deactivate, you’ll be asked to confirm and then you get this:

Don’t panic!!

I know it says Deleted. It’s not. A deleted site is 100% deleted, the DB tables dropped and the images nuked. So while it ‘says’ deleted, it’s not. If you press Archive it’s a little more realistic:

What’s the difference? In both cases, this is what a non-logged in user sees:

This site is no longer available.

And in both cases, you can’t log in, because this is what you see for wp-admin and wp-login.php.

It’s weird, but it pretty much ‘archived’ the sites. You can, as a Super Admin, see it, but you can’t even change user roles from the network dashboard. (I spent about an hour trying to debug why I, as a Super Admin, couldn’t get to the dashboard at all, and it turned out I needed to flush my cache, so remember folks, caching is wonderful until you shoot your foot.) Still this presents a predicament.

Frankly, I don’t want people to know a site doesn’t exist. That can be easily done with a filter and a redirect:
```
// Archived sites only I can see
function helf_redirect_hidden_sites() {

	// Super Admins always get in
	if ( is_super_admin() || current_user_can( 'manage_options' ) ) {
		return true;
	} else {
		// Defines
		if ( defined( 'NOBLOGREDIRECT' ) ) {
			$goto = NOBLOGREDIRECT;
		} else {
			$goto = network_site_url();
		}

		$blog = get_blog_details();

		if( '1' == $blog-&gt;deleted || '2' == $blog-&gt;deleted || '1' == $blog-&gt;archived || '1' == $blog-&gt;spam ) {
			wp_redirect( $goto );
	        die();
		}
	}
}
add_filter('ms_site_check','helf_redirect_hidden_sites');
```
I wanted to allow my site admins and my super admin to view it, but if you don’t, edit if ( is_super_admin() || current_user_can( 'manage_options' ) ) to only allow what you want. And because I’m using a subdomain site, this makes it look like an archived/deleted site is just another non-existent site, by redirecting to NOBLOGREDIRECT.

But this doesn’t work around the problem that my whole wp-admin is blocked off to non logged in users. I mean, how can I log in? The only workaround is that if the site is a subdomain (test.halfelf.org) or a subfolder (halfelf.org/test), then I can log in at halfelf.org/wp-admin and then visit over. If this was a mapped domain, I’d be in trouble. So it’s clearly not a perfect solution for everyone.

By the way, you can customize the various messages for suspended or deleted sites by creating the following files in wp-content:
```
blog-suspended.php
blog-deleted.php
blog-inactive.php
```
So if you just want it to be pretty, that’s easy.
10 December, 2014
Switching The Main Blog on Multisite
Previously I’d only ever posted this in my ebook, WordPress Multisite 110.

What people mean by this is the site they originally set to be seen at domain.com is no longer the one they want to use, but the one at (say) domain.com/temp or temp.domain.com. If this is what you’re wanting to due, it’s not impossible, but it is annoying and a little tricky. If you’re using the trick to give WP it’s own directory, these are not the directions you’re looking for. I haven’t written those out yet.

First you have to go to Network Dashboard > Sites and edit the site you want to be the main site.

This you want to to look like this:

~~Make certain you leave ‘Update siteurl and home as well’ checked! If you forget that, you’ll be sad.~~ You no longer need to check the box (it’s gone in newer versions of WP), but if you DO have it, check it.

Now you’d think you go to edit the main site and change it, but you can’t.

By default, the main site is not editable. This makes sense when you think about how messy this might be, so in order to edit it you have to go to your wp-config.php file and look for this line:

define('BLOG_ID_CURRENT_SITE', 1);

Change it to the site ID you want to use as your main site. In this example, I want site #2, aka, two, to become my main site.

define('BLOG_ID_CURRENT_SITE', 2);

Save the file and then you have to go back to your Sites and edit the old main site.

Give its path a new name and press save, making sure you keep that checkbox checked if it’s there.

In this example, I’ve picked a new URL for my formerly main site becuase I don’t want any conflicts, but there’s nothing stopping me from picking ‘two’ again and just totally swapping things.

The last step is to change your post content. Using a plugin like Velvet Blues Update URLs, you will need to search each site separately and replace the URLs. If you have wp-cli, you can do that too like this:
```
wp search-replace 'example.com' 'example.com/new' wp_posts wp_postmeta --dry-run
wp search-replace 'example.com/two' 'example.com' wp_2_posts wp_2_postmeta --dry-run
```
If those look good, rerun without dry run and call it a day!

An interesting quirk is that you may need to edit the Fileupload URL if you’re using blogs.dir for your images. I noticed that on one site it was set to http://example/two/files which clearly is wrong. To fix that, go to Network Admin, click on Sites, and click on edit for the site. From there, click on the dangerous “Settings” tab and look for “Fileupload URL” and edit as needed to match things.

Cool tricks like this can be found in WordPress Multisite 110.
3 December, 2014
No Notice For Upgrades?

About a week ago I realized I’d not see an email with the subject “[Ipstenu.Org] Background updates have finished” in a long time. A really long time. Like so long that when I looked in my email trash, there wasn’t one.

This was bad, because on Ipstenu.org I’m running trunk WordPress, which means I should get two emails a day about this. I ran to my server and scanned logs for 30 days. Nothing. And that was really bad.

I’ve been using Advanced Automatic Updates for a long time, and I love it, it works well, but it wasn’t working ‘right’ for some reason, because it wasn’t emailing me on that one site, so I uninstalled it. The problem there is that without it, how would I upgrade plugins and themes? Since I know I can control the upgrades with filters, I decided to make an mu-plugin to handle just that.

And that was when I saw I already had an mu-plugin called upgrades.php with this:

WordPress site: https://ipstenu.org/
The following plugins were successfully updated:
* SUCCESS: Akismet

Perfect!

I don’t know how fun that story was, Benny, but that’s what happened.

26 November, 2014