WWW and HTTPS redirects with nginx… the right way

Posted on January 31, 2015 by cryptk

UPDATE: Just to clarify, this blog post is purely about how to set up the redirects to get all users over to a URL that uses ‘https://www.’ in one redirect. It does not cover how to set up NGINX SSL in a way that mitigates all known SSL vulnerabilities (and even if it did, it would quickly become outdated). I highly recommend that you run your SSL sites through a test (such as the one at https://www.ssllabs.com/ssltest/) to find out what, if any, SSL vulnerabilities your site has, and make the recommended changes to fix them. Back to the original post 😉

Recently I splurged and bought a wildcard SSL certificate for the cryptkcoding domain. Because I have the certificate, I figured that I would set up my blog to use SSL by default (before it was a self-signed certificate, and I only used it for the back-end). Since I was poking at the nginx configuration to get the redirects all set up, I figured I would write a blog post on how to have nginx force all visitors over to both the www URL as well as enforce https. And we will be doing this right, no matter what visitors will only get one redirect (unless they go straight to the https://www site).

Here is the relevant part of the configuration:

## Force all users to https://www
server {
    listen 80; ## IPv4
    listen [::]:80; ## IPv6
    server_name yoursite.com www.yoursite.com;

    return 301 https://www.yoursite.com$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yoursite.com;

    ssl_certificate /etc/nginx/ssl/www.yoursite.com.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.yoursite.com.key;

    return 301 https://www.yoursite.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yoursite.com;

    ssl_certificate /etc/nginx/ssl/www.yoursite.com.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.yoursite.com.key;

}

No matter what, your visitors will end up on the encrypted and www versions of your website. The best part is that none of this redirect config will ever touch your websites code, it all happens purely in nginx. If you are running a PHP based site (likely with php-fpm) then you don’t have to worry about the overhead of connecting back to php-fpm just to have it return a redirect.

This does obviously rely on you having a valid SSL certificate for www.yoursite.com (that said, it will still work with self-signed ones, you visitors will just need to add an exception to their browser for your website).

Let me know how this works out for you!

Cleaner form buttons with jQuery

Posted on February 19, 2013 by cryptk

I have been working on a dynamic form for a project at work, and one thing that really bugs me is the little dashed line around buttons on the form when you click on them. It breaks the aesthetic of the page. Luckily a little bit of jQuery can solve the issue. jQuery has a .focus() event that you can catch on the button, and you can specify in the callback of that function to .blur() the button to de-select it. This is pretty commonly done to clean up the look of forms, but the problem is that it breaks keyboard navigation. If you tab to the button, it will focus it, which will cause it to be blurred, and then the space bar and enter will not toggle that button.

The trick is to bind to .mouseup() and not .focus(). This way you manipulate what happens when the mouse clicks the button, but you allow the keyboard to interact with the form unabated. Here is the snipped of jQuery that I use to carry out this task

$(".btn").mouseup( function() {
    $(this).blur();
});

Because I love to use twitter’s bootstrap, all of my buttons have the class ‘btn’ on them already, so this works great. If you aren’t using bootstrap, then you can either add the btn class to your buttons to make that snippet work, or you can adjust the selector. It’s pretty common for me to use that code but with a selector of ‘$(“.nofocus”)’ and then add that class to just the individual items that I don’t want to be focused after a click if I want to be more selective about its application.

You can see it in action on a little demo form I have been building for a friend.

My Conky Configuration

Posted on September 6, 2012 by cryptk

The other day I added a new monitor to my desktop. I write a lot of code, and it is very useful having a monitor in portrait orientation (vertical) for doing that. Because I now had a taller screen, I moved my conky display over to that screen and added a bit more information to it. While I was at it, I added some new color to it. After I was finished I tweeted a picture and had a couple of people ask me for the conkyrc for it. Unfortunately my conky isn’t just a “drop in this config and call it done” type deal. If you know what you are doing with conky and want to set it up, follow the read more link and check it out!

Leveraging screen to increase command-line multitasking

Posted on August 22, 2012 by cryptk

I am an avid fan of the Linux utility screen. It allows you to have multiple ‘screenlets’ inside of one command line session on a server, swapping between them as you wish. On top of that, if you get disconnected from your server because you have to do some admin work from a hotel room with a poor internet connection, the screen will keep whatever work you were doing on your server chugging along. If you need to fire up some long running process, but you don’t want to stay SSH’d into your remote server the entire time, screen will also let you ‘detach’ from it, leaving the command running, while you go off to Olive Garden to grab a bite to eat.

I’m not going to go into all the details of how to work screen… instead, I am going to cover what I use in 90% of my interactions with it, which is a surprisingly small list! First, we are going to get it all set up to give you a nicely configured screen session with a few screenlets in it. We can do this by placing a file called .screenrc inside of your home folder. Here are the contents of my .screenrc:

shelltitle ''
vbell on
autodetach on
startup_message off
defscrollback 2048
termcapinfo xterm* ti@:te@

hardstatus alwayslastline "%-Lw%{= BW}%50>%n%f* %t%{-}%+Lw%< %=%D %M %d %c" hardstatus string '%{= kK}%-Lw%{= KW}%50>%n%f %t%{= kK}%+Lw%< %{=kG}%-= %d%M %c:%s%{-}'

screen -t r00t 0 bash
screen -t vimTerm 1 bash
screen -t general 2 bash

I can’t take complete credit for that .screenrc. The hardstatus line I pulled off the internet somewhere 😉

It works out really well, it gives a nice bar at the bottom which shows all of your screenlets and highlights whichever one you are now on. It also keeps a clock in the bottom right corner, and will flash the title of a screenlet if a ‘bell’ go’s off in it.

Now that we have a good screenrc, you can fire up screen by running the command ‘screen’ (you may need to install screen from your distributions repository). But we can take this one step further and have your system fire up screen automatically when you SSH into the server by adding a little snippet of code at the end of your .bashrc:

if [ $SSH_TTY ] && [ ! $WINDOW ]; then
  SCREENLIST=`screen -ls | grep 'Attached'`
  if [ $? -eq "0" ]; then
    echo -e "Screen is already running and attached:\n ${SCREENLIST}"
  else
    screen -U -R
  fi
fi

That will fire up a screen session when you SSH in unless someone is already attached to your user accounts screen session. Now that we have screen configured, and we have your server starting it up automatically when you log in, lets learn how to use it!

If you are using the .screenrc that I provided above, you will notice the 3 screenlet’s titles at the bottom (r00t, vimTerm and general). You can adjust those names by editing the .screenrc. In order to swap between different screenlets use the keystrokes Ctrl+a NUMBER. The number will be whatever number of screenlet you want to go to, so if you want to go to screenlet 1, it would be ‘Ctrl+a 1’.

If you want to detach from your screen, leaving everything running, and enabling you to disconnect from the server, use the keystrokes Ctrl+a d.

If you log into the server and you get a message saying that ‘Screen is already running and attached’ you can detach screen from the other location and attach it to you current SSH session with the command ‘screen -D -RR’. That command will do whatever is necessary to get you a screen session… detaching other sessions and attaching, starting a new session, attaching to a detached session etc.

How to optimize MySQL JOIN queries through indexing

Posted on April 6, 2012 by cryptk

This is a pretty broad topic, and there is no way that I will be able to cover every facet of using indexes in your schema and queries in anything short of a small book, but the first step is getting your feet wet. I will be covering one of the most common causes for queries to run slowly, lack of indexes. This can cause simple queries to run slowly, but it has an exponentially increasing negative impact on performance when used on more complex queries, such as ones that use joins. In order to grasp this topic, it would be extremely helpful if you already have a basic grasp of how to use MySQL. Topics such as creating tables, and running queries should be pretty easy for you already. If you expand your basic grasp with some information on how to optimize those queries using indexing, continue on after the break.

How to build a Minecraft server on Ubuntu

Posted on March 7, 2012 by cryptk

So, I decided to reboot my Minecraft server mainly because it hadn’t been updated in forever, and there are several new things available in Minecraft with the recent(ish) updates, and I decided that to start nice and super clean, I would just start with a fresh server rebuild. I am going to be doing this on a virtualized server with 1.5GB of ram (java is a little memory hungry).

If you are looking for a way to set up a nice Minecraft server with some fancy schmancy web functionality, this is the article for you, more info after the break.

Basic ubuntu server security

Posted on March 7, 2012 by cryptk

So this blog post is going to cover some basic security do’s and don’ts. The end goal will be to have an Ubuntu powered server that is not only decently secure, but also not so secure that it is a pain to work with. I will be covering many things that should be done as part of basic security, some general best practices, and I will also hit on one thing that I find to be a HUGE annoyance than many many… many… people do, thinking that it will make their server more secure, when in reality it does next to nothing. I will be targeting an Ubuntu 11.10 server in this article, but everything that I have in here should work on anything 10.04 LTS and up. I am mainly going to be focusing on securing SSH logins. Read on after the break

Ubuntu 11.10… Unity vs. Gnome Shell

Posted on September 23, 2011 by cryptk

I have been an ubuntu fan for years now. I have worked as a server administrator on multiple distributions ranging from the Red Hat side doing admin work on RHEL and CentOS to the Debian side doing admin work on straight Debian and Ubuntu boxes and even doing admin work on BSD, Solaris and Suse. I also run a Linux distro on my home PC as well.

For production servers I am definitely a “use what’s stable and secure” kind of person but on my home desktop I tend to be more of a “bleeding-edger”. It is common for me to run beta versions of software, and sometimes even alpha versions, including my distro. Before Ubuntu 10.10 Beta1 came out I was running a minimal install of Ubuntu 10.04 that I then threw gnome-shell on top of… and I really liked it. After Beta1 came out I installed that and was very pleased to find that getting gnome shell on it was as easy as installing the gnome-shell package straight from the repository… everything worked amazingly. It was even possible to switch between Unity and gnome-shell from GDM (the login screen) which was something that never did work properly with gnome-shell in 10.04 (once you went to shell… unity was broken).

Read on to see my experiences so far with it!

Force logged in wordpress users to HTTPS

Posted on September 22, 2011 by cryptk

So I am working on making a custom theme and set of plugins for a WordPress blog. I had the need to make sure that users that were logged in were using HTTPS and not just HTTP. I came up with a quick little function that will do just that. I added this block of code to the top of the themes header.php file within php tags and it gave me the desired effect:

 // This forces logged in users to use HTTPS
if (is_user_logged_in() && ($_SERVER['SERVER_PORT'] !== '443')){
    wp_redirect("https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
}

You may need to adjust the code a little depending on what web server you are running and what headers get set, but this is working great for me running on an nginx web server with PHP 5.3. Basically it just checks to see if the user is logged in and they are on a port other than 443 (443 is the port number used by HTTPS). If both of those are true then it redirects them to the HTTPS version of the page.

Granted you will need to have HTTPS working properly before you can use this, so you need certificates and a proper web server configuration.

Let me know if you have a better way of doing this. And no… the WordPress HTTPS plugin does not count. It is far too heavy for this requirement of just ensuring that all logged in users are on HTTPS at all times. If I needed more fine-tuned control then sure I would go for it 😉

Setting up a git server with xinetd, gitolite and cgit (the right way)

Posted on September 4, 2011 by cryptk

So I need to set up a git server for one of the projects that I work with, so I figured I would document how to do it properly. Even though I am a huge fan of the web server nginx, this server in particular is already set up with apache2 so I will be serving cgit through apache2. Perhaps later I will add in an nginx config for cgit.

I am using a resh install of Ubuntu 10.04 LTS with all updates applies for my testbed while I write this, but the instructions should apply equally well to all versions of Ubuntu up to at least 11.10 (when it releases) and likely versions afterwards as well.

As usual, this is going to be a long one, so catch the rest after the linkeration..

CryptkCoding

Ramblings of a Linux administrator