James Coleman
Works at Automobile Consumer Service Corporation
121 followers|155,244 views

James Coleman

Shared publicly
Due to Heartbleed and the fact I own more domains now, I have gone and generated new certs. In that process, I decided to make my sites even more secure than they used to be. In this post, I will let you know my configuration for Nginx, how I generated certificates, and what Certificate Authority (CA) I have chosen for SSL.

I will start with the CA. I chose StartSSL because they are cheap (I'd be paying like $2000 a year with other providers), and because they allow unlimited certificate signing. If you just have one site, you can get away with their free option with the limitation that you can't sell things. If you have multiple domains, you would probably want to go through their validation process to become a Class 2 validated user. I went with personal because this is just for my personal sites, but if I had a company they would require you to spend an extra $60 to get validated for your business as well. Once you're a Class 2 user, you can revoke certs for free and you can generate a cert with unlimited domains/subdomains/wildcards. This is in my opinion the best solution out there.

As for generating a certificate, I highly recommend you use your own computer and use 2048 bits or higher (I used 2048 bits because it's better for mobile clients). To generate the best certificate, with sha256 as the hash algorithm for the signature, use the following:
    openssl req -out server.csr -new -newkey rsa:2048 -sha256 -nodes -keyout server.key

After you have created a certificate and got the public key signed (note you're not sending your private key to StartCom), you should also generate a Diffie-Hellman parameter file:
    openssl dhparam -out dh4096.pem -5 4096

And finally, for the Nginx config, simply change the paths to be correct and you should be secure. The comments note what certain things are.

    ssl on;
    ssl_certificate /server.ca.pem;  # Certificate with CA's certificate appended
    ssl_certificate_key /server.key;  # Certificate and key generated with: openssl req -out server.csr -new -newkey rsa:2048 -sha256 -nodes -keyout server.key
    ssl_dhparam /dh4096.pem;  # Generated using: openssl dhparam -out dh4096.pem -5 4096

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;  # Disabled for security reasons: SSLv3 SSLv2
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";  # Tells browser to only allow SSL on this site for 1 year.
    add_header X-Frame-Options SAMEORIGIN;  # Blocks other servers from using frames to act as our site.


Finally, you should test your site with SSL Labs like I did:
    https://www.ssllabs.com/ssltest/analyze.html?d=mrgeckosmedia.com
They are a group of people who basically research SSL and have a test to make sure your site is using the best configuration.

Hope this is useful to some people.
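Added here as an editor's example, not code from the post: a small Python audit of the ssl_ciphers value above, applying OpenSSL's rule that a "!" keyword removes matching suites for good and then flagging what still gets offered (the RC4 suites, the static-ECDH and plain-RSA suites without forward secrecy, and the suites listed twice). PAGE_CIPHERS is a copy of the post's list; the weakness labels and predicates are my own.

```python
import re

# Constructed copy of the ssl_ciphers value from the nginx snippet in the post above.
PAGE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 "
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 "
    "ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 "
    "ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA "
    "ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA "
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 "
    "ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 "
    "ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA "
    "AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA "
    "ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# '!' keywords that remove suites for good (OpenSSL semantics); the post's other
# keywords (aNULL, eNULL, LOW, EXP, PSK, SRP, DSS) match nothing in this list.
EXCLUDE = {"3DES": lambda n: "DES-CBC3" in n, "MD5": lambda n: n.endswith("-MD5")}

# Weaknesses to flag in whatever survives the exclusions (labels are my own).
WEAK = [
    ("RC4 stream cipher (prohibited by RFC 7465)", lambda n: "RC4" in n),
    ("3DES 64-bit block cipher", EXCLUDE["3DES"]),
    ("MD5 MAC", EXCLUDE["MD5"]),
    ("no forward secrecy (static RSA/ECDH key exchange)",
     lambda n: not n.startswith(("ECDHE-", "DHE-"))),
]

def offered_suites(spec):
    """Apply '!' exclusions as OpenSSL does; return (suites in offer order, duplicate count)."""
    suites, killed, dups = [], [], 0
    for tok in re.split(r"[\s:,]+", spec.strip()):
        if tok.startswith("!"):
            killed.append(EXCLUDE.get(tok[1:], lambda n: False))
        elif tok in suites:
            dups += 1  # listed twice: the repeat never changes the offer
        elif tok:
            suites.append(tok)
    return [s for s in suites if not any(p(s) for p in killed)], dups

def audit(spec):
    """Map each weakness label to the offered suites that exhibit it."""
    findings = {}
    for s in offered_suites(spec)[0]:
        for label, pred in WEAK:
            if pred(s):
                findings.setdefault(label, []).append(s)
    return findings
```

Run against the post's list it shows that the 3DES and RC4-MD5 entries are dead (the "!" keywords remove them), four entries are duplicates, and five RC4 and eighteen non-forward-secret suites are still offered.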
 
Ranging: This is the year Apple releases the amazing invention of the Television.

James Coleman

Shared publicly
I just learned of http://bitlbee.org and love it. Have it configured with all my favorite IRC systems and ready to go!

James Coleman

Shared publicly
Some blog posts I used to find useful things to do in Ubuntu 13.10 are as follows.

My favorite is this one because it listed some very useful tools. http://www.webupd8.org/2013/10/8-things-to-do-after-installing-ubuntu.html

This one had some useful stuff, however they seem to be all about making Ubuntu not Ubuntu anymore. http://www.noobslab.com/2013/10/tweaksthings-to-do-after-install-of.html

James Coleman

Shared publicly
Fun day to remember the Macintosh SE 30.
 
The World Wide Web turns 25 today! Share your memories of what life was like before the web and how things have improved since then—then sign up to protect it: https://takeaction.withgoogle.com/Web-25  #Web25

James Coleman

Shared publicly
This is my favorite addition for a Raspberry Pi.

http://www.amazon.com/dp/B005P2BY5I/

It's a USB 2.0 Hub that provides power which does 2 things.
1. If you plug a USB cable into it and into your Pi's power port, it will power the Raspberry Pi.
2. If you plug it into the Raspberry Pi USB port, you gain 2 more ports that can also power devices such as iPods and USB sticks that won't power with the Raspberry Pi's USB ports.

I cannot recommend this more.

James Coleman

Shared publicly
Found this guide from Google on dos and don'ts of C++ programming, an interesting read.

James Coleman

Shared publicly
My next project is to take these really cool Nixie Tubes and make a clock with an Arduino.

The guy from Scott Bot (http://scott-bot.com/nixie-bot/) is helping me out a lot by providing me with his board design and permission to redistribute it on my GitHub under a Creative Commons license. I'm going to make a few modifications to his board, adding 5V, 12V, and ground pin outs, as I want to add Bluetooth and possibly other things to this board.

Some of the things I thought of were having a system on my Ubuntu machine which allows sending messages (numeric only) via Bluetooth (HTTP interface) to the clock. I'm going to write a weather Perl script to grab the current weather information (chance of rain and temperature) for my area.

One other thing the Bluetooth will come in handy for is NTP (Network Time Protocol). I will do a few pings to find out a delay to talk with the clock, then I will send the time with the offset to set the clock to be as accurate as possible. This will make it so I don't have to implement buttons to set the time.

I also thought of adding an LED strip for accents, but that would cost quite a bit extra, so I threw that out the door, keeping the 12V pin out for a possible future addition.
 
Ubuntu has a problem pairing Bluetooth keyboards. I found the solution at http://devasive.blogspot.com/2012/11/ubuntu-1204-persistent-bluetooth-pairing.html

For Ubuntu 12.10, the instructions are a tiny bit different due to a bug in bluez.
1. Run "hcitool scan" to get the MAC Address.
2. Run "hcidump -at" to watch for the PIN needed to pair.
3. Run "bluez-simple-agent hci0 {MAC}" in another window and watch for the PIN in the window with hcidump.
4. Enter the PIN on the keyboard and hit return.
5. Run "bluez-test-device trusted {MAC} yes" to add the keyboard as a trusted device.
6. Run "bluez-test-input connect {MAC}" to test the keyboard.
7. Reboot.

Hope this helps someone. I used the above to pair the Logitech k811, but should also work for the k810 and possibly other keyboards.

James Coleman

Shared publicly
I've been needing to be able to remote desktop into my new Ubuntu machine from the login screen, and information on the net is always confusing. So here I will share the solution I ended up with. This is how you access your machine over VNC from the login screen with Ubuntu 13.10, which uses LightDM as the display manager.

Install x11vnc:
    apt-get install x11vnc

Then create the /etc/init/x11vnc.conf file with the contents below (ending at "end script"):
    start on login-session-start
    script
    x11vnc -xkb -noxrecord -noxfixes -noxdamage -display :0 -auth /var/run/lightdm/root/:0 -rfbauth /etc/x11vnc.pass -forever -bg -o /var/log/x11vnc.log
    end script

Run this in a terminal, replacing PASSWORD with the password you want. Use a space at the beginning so it is not recorded in bash history.
    sudo x11vnc -storepasswd PASSWORD /etc/x11vnc.pass
Work
Occupation
Software Engineer/Developer/Designer
Employment
  • Automobile Consumer Service Corporation
    IT Department, 2010 - present
  • Mr. Gecko's Media
    Software Engineer/Developer/Designer, present
Story
Tagline
A developer who loves God with all his heart.
Bragging rights
I am able to do anything I put my mind to as God helps me through the steps.
Basic Information
Gender
Male
Looking for
Friends, Networking
Relationship
It's complicated