CryptkCoding

Ramblings of a Linux administrator

Category: Linux

WWW and HTTPS redirects with nginx… the right way

Posted on January 31, 2015 by cryptk

UPDATE: Just to clarify, this blog post is purely about how to set up the redirects to get all users over to a URL that uses ‘https://www.’ in one redirect. It does not cover how to set up NGINX SSL in a way that mitigates all known SSL vulnerabilities (and even if it did, it would quickly become outdated). I highly recommend that you run your SSL sites through a test (such as the one at https://www.ssllabs.com/ssltest/) to find out what, if any, SSL vulnerabilities your site has, and make the recommended changes to fix them. Back to the original post 😉

Recently I splurged and bought a wildcard SSL certificate for the cryptkcoding domain. Because I have the certificate, I figured that I would set up my blog to use SSL by default (before, it was a self-signed certificate, and I only used it for the back-end). Since I was poking at the nginx configuration to get the redirects all set up, I figured I would write a blog post on how to have nginx force all visitors over to the www URL as well as enforce https. And we will be doing this right: no matter what, visitors will only get one redirect (unless they go straight to the https://www site).

Here is the relevant part of the configuration:

## Force all users to https://www
server {
    listen 80; ## IPv4
    listen [::]:80; ## IPv6
    server_name yoursite.com www.yoursite.com;

    return 301 https://www.yoursite.com$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yoursite.com;

    ssl_certificate /etc/nginx/ssl/www.yoursite.com.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.yoursite.com.key;

    return 301 https://www.yoursite.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yoursite.com;

    ssl_certificate /etc/nginx/ssl/www.yoursite.com.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.yoursite.com.key;

}

No matter what, your visitors will end up on the encrypted and www versions of your website. The best part is that none of this redirect config will ever touch your website's code; it all happens purely in nginx. If you are running a PHP-based site (likely with php-fpm) then you don’t have to worry about the overhead of connecting back to php-fpm just to have it return a redirect.

This does obviously rely on you having a valid SSL certificate for www.yoursite.com (that said, it will still work with self-signed ones; your visitors will just need to add an exception to their browser for your website).
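One way to check the single-redirect behaviour described above, as an added example that is not part of the original post: the function parses a response header block and passes only if it is a 301 pointing straight at the https://www URL with the path and query string that $request_uri should preserve. The function names, the constructed sample responses, and the use of curl are assumptions of this example; yoursite.com is the post's placeholder.

```shell
#!/bin/sh
# Added example: confirm a non-canonical entry point answers with one 301
# that lands directly on the canonical https://www URL, path preserved.

CANONICAL="https://www.yoursite.com"   # placeholder host from the post

# check_redirect HEADERS PATH
# HEADERS is a raw response header block (for example from `curl -sI URL`).
check_redirect() {
    # HTTP header lines end in CRLF; drop the CR before comparing.
    cr_headers=$(printf '%s\n' "$1" | tr -d '\r')
    cr_status=$(printf '%s\n' "$cr_headers" | awk 'NR==1 {print $2}')
    cr_location=$(printf '%s\n' "$cr_headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    [ "$cr_status" = "301" ] || { echo "FAIL status=$cr_status"; return 1; }
    [ "$cr_location" = "$CANONICAL$2" ] ||
        { echo "FAIL location=$cr_location"; return 1; }
    echo "OK $cr_location"
}

# check_site PATH
# Live check of the three entry points that should redirect (needs network).
check_site() {
    cs_rc=0
    for cs_url in http://yoursite.com http://www.yoursite.com https://yoursite.com
    do
        printf '%s%s -> ' "$cs_url" "$1"
        check_redirect "$(curl -sI --max-time 10 "$cs_url$1")" "$1" || cs_rc=1
    done
    return $cs_rc
}

# Constructed sample responses (not captured from a real server).
# What the configuration in the post should return for http://yoursite.com:
GOOD_RESPONSE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://www.yoursite.com/blog/?p=1\r\n\r\n')
# First hop of a two-redirect setup (https added, www still missing):
CHAINED_RESPONSE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://yoursite.com/blog/?p=1\r\n\r\n')
# A redirect that forgets $request_uri and sends everyone to the front page:
PATHLESS_RESPONSE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://www.yoursite.com/\r\n\r\n')
```

After replacing the placeholder host with your own, `check_site '/blog/?p=1'` runs the same check against the live server.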

Let me know how this works out for you!

Posted in Linux Web Development | 1 Comment

My Conky Configuration

Posted on September 6, 2012 by cryptk

The other day I added a new monitor to my desktop. I write a lot of code, and it is very useful having a monitor in portrait orientation (vertical) for doing that. Because I now had a taller screen, I moved my conky display over to that screen and added a bit more information to it. While I was at it, I added some new color to it. After I was finished I tweeted a picture and had a couple of people ask me for the conkyrc for it. Unfortunately my conky isn’t just a “drop in this config and call it done” type deal. If you know what you are doing with conky and want to set it up, follow the read more link and check it out!

Read more
Posted in Linux

Leveraging screen to increase command-line multitasking

Posted on August 22, 2012 by cryptk

I am an avid fan of the Linux utility screen. It allows you to have multiple ‘screenlets’ inside of one command line session on a server, swapping between them as you wish. On top of that, if you get disconnected from your server because you have to do some admin work from a hotel room with a poor internet connection, the screen will keep whatever work you were doing on your server chugging along. If you need to fire up some long running process, but you don’t want to stay SSH’d into your remote server the entire time, screen will also let you ‘detach’ from it, leaving the command running, while you go off to Olive Garden to grab a bite to eat.

I’m not going to go into all the details of how to work screen… instead, I am going to cover what I use in 90% of my interactions with it, which is a surprisingly small list! First, we are going to get it all set up to give you a nicely configured screen session with a few screenlets in it. We can do this by placing a file called .screenrc inside of your home folder. Here are the contents of my .screenrc:

shelltitle ''
vbell on
autodetach on
startup_message off
defscrollback 2048
termcapinfo xterm* ti@:te@

hardstatus alwayslastline "%-Lw%{= BW}%50>%n%f* %t%{-}%+Lw%< %=%D %M %d %c"
hardstatus string '%{= kK}%-Lw%{= KW}%50>%n%f %t%{= kK}%+Lw%< %{=kG}%-= %d%M %c:%s%{-}'

screen -t r00t 0 bash
screen -t vimTerm 1 bash
screen -t general 2 bash

I can’t take complete credit for that .screenrc. The hardstatus line I pulled off the internet somewhere 😉

It works out really well: it gives a nice bar at the bottom which shows all of your screenlets and highlights whichever one you are on now. It also keeps a clock in the bottom right corner, and will flash the title of a screenlet if a ‘bell’ goes off in it.

Now that we have a good screenrc, you can fire up screen by running the command ‘screen’ (you may need to install screen from your distribution's repository). But we can take this one step further and have your system fire up screen automatically when you SSH into the server by adding a little snippet of code at the end of your .bashrc:

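# Only act on SSH logins that are not already inside a screen window
if [ -n "$SSH_TTY" ] && [ -z "$WINDOW" ]; then
  SCREENLIST=$(screen -ls | grep 'Attached')
  if [ $? -eq 0 ]; then
    echo -e "Screen is already running and attached:\n ${SCREENLIST}"
  else
    # Reattach to a detached session, or start a new one (UTF-8 mode)
    screen -U -R
  fi
fi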

That will fire up a screen session when you SSH in unless someone is already attached to your user account's screen session. Now that we have screen configured, and we have your server starting it up automatically when you log in, let's learn how to use it!

If you are using the .screenrc that I provided above, you will notice the 3 screenlets' titles at the bottom (r00t, vimTerm and general). You can adjust those names by editing the .screenrc. In order to swap between different screenlets use the keystrokes Ctrl+a NUMBER. The number will be whatever number of screenlet you want to go to, so if you want to go to screenlet 1, it would be ‘Ctrl+a 1’.

If you want to detach from your screen, leaving everything running, and enabling you to disconnect from the server, use the keystrokes Ctrl+a d.

If you log into the server and you get a message saying that ‘Screen is already running and attached’ you can detach screen from the other location and attach it to your current SSH session with the command ‘screen -D -RR’. That command will do whatever is necessary to get you a screen session… detaching other sessions and attaching, starting a new session, attaching to a detached session etc.

Posted in Linux Nas-Admin | 1 Comment

How to optimize MySQL JOIN queries through indexing

Posted on April 6, 2012 by cryptk

This is a pretty broad topic, and there is no way that I will be able to cover every facet of using indexes in your schema and queries in anything short of a small book, but the first step is getting your feet wet. I will be covering one of the most common causes for queries to run slowly: lack of indexes. This can cause simple queries to run slowly, but it has an exponentially increasing negative impact on performance when used on more complex queries, such as ones that use joins. In order to grasp this topic, it would be extremely helpful if you already have a basic grasp of how to use MySQL. Topics such as creating tables and running queries should be pretty easy for you already. If you want to expand your basic grasp with some information on how to optimize those queries using indexing, continue on after the break.

Read more
Posted in Linux | 20 Comments

How to build a Minecraft server on Ubuntu

Posted on March 7, 2012 by cryptk

So, I decided to reboot my Minecraft server mainly because it hadn’t been updated in forever, and there are several new things available in Minecraft with the recent(ish) updates, and I decided that to start nice and super clean, I would just start with a fresh server rebuild.  I am going to be doing this on a virtualized server with 1.5GB of ram (java is a little memory hungry).

If you are looking for a way to set up a nice Minecraft server with some fancy schmancy web functionality, this is the article for you, more info after the break.

Read more
Posted in Linux | 13 Comments

Basic ubuntu server security

Posted on March 7, 2012 by cryptk

So this blog post is going to cover some basic security do’s and don’ts. The end goal will be to have an Ubuntu powered server that is not only decently secure, but also not so secure that it is a pain to work with. I will be covering many things that should be done as part of basic security, some general best practices, and I will also hit on one thing that I find to be a HUGE annoyance that many many… many… people do, thinking that it will make their server more secure, when in reality it does next to nothing. I will be targeting an Ubuntu 11.10 server in this article, but everything that I have in here should work on anything 10.04 LTS and up. I am mainly going to be focusing on securing SSH logins. Read on after the break.

Read more
Posted in Linux Nas-Admin | 2 Comments

Ubuntu 11.10… Unity vs. Gnome Shell

Posted on September 23, 2011 by cryptk

I have been an Ubuntu fan for years now. I have worked as a server administrator on multiple distributions ranging from the Red Hat side doing admin work on RHEL and CentOS to the Debian side doing admin work on straight Debian and Ubuntu boxes and even doing admin work on BSD, Solaris and Suse. I also run a Linux distro on my home PC.

For production servers I am definitely a “use what’s stable and secure” kind of person but on my home desktop I tend to be more of a “bleeding-edger”. It is common for me to run beta versions of software, and sometimes even alpha versions, including my distro. Before Ubuntu 10.10 Beta1 came out I was running a minimal install of Ubuntu 10.04 that I then threw gnome-shell on top of… and I really liked it. After Beta1 came out I installed that and was very pleased to find that getting gnome shell on it was as easy as installing the gnome-shell package straight from the repository… everything worked amazingly.  It was even possible to switch between Unity and gnome-shell from GDM (the login screen) which was something that never did work properly with gnome-shell in 10.04 (once you went to shell… unity was broken).

Read on to see my experiences so far with it!

Read more
Posted in Linux | Tagged 11.10 gnome shell ubuntu unity | 1 Comment

Setting up a git server with xinetd, gitolite and cgit (the right way)

Posted on September 4, 2011 by cryptk

So I need to set up a git server for one of the projects that I work with, so I figured I would document how to do it properly. Even though I am a huge fan of the web server nginx, this server in particular is already set up with apache2 so I will be serving cgit through apache2. Perhaps later I will add in an nginx config for cgit.

I am using a fresh install of Ubuntu 10.04 LTS with all updates applied for my testbed while I write this, but the instructions should apply equally well to all versions of Ubuntu up to at least 11.10 (when it releases) and likely versions afterwards as well.

As usual, this is going to be a long one, so catch the rest after the linkeration..

Read more
Posted in Linux Nas-Admin | Tagged cgit git gitolite ubuntu xinetd | 4 Comments

Running WordPress with nginx, php-fpm, apc and varnish

Posted on August 21, 2011 by cryptk

Recently I built a server to host the blogs and other PHP powered websites of a few family members. I wanted something lightweight, efficient and fast. With that in mind I threw out the “standard” of Apache and its mod_php and instead went with something else entirely. This article is going to be geared at people running a server with Ubuntu 10.10 or newer (sorry LTS fans… php5-fpm isn’t available in your repos… but you can backport it fairly easily). I’m going to be including some config file examples as well, everything you need to get this up and running will be included… and it’s easier than you think 😉 Catch the details after the break.

Read more
Posted in Linux Nas-Admin | 18 Comments

Things to consider when hosting a website

Posted on August 14, 2011 by cryptk

Doing what I do for a living, I tend to see the same mistakes made over and over.  Luckily where I work I am in a position to have a conversation with the person that made the mistakes, offer up a little bit of education, and most times they are very receptive to it.  I am also in a position where I can help them to transition from their currently slow and possibly buggy solution to something that gives them the speed and performance that they want.  This entire post is going to be targeted at Linux powered servers but many of the points will apply equally as well to Windows powered servers.

This one is a little bit long so if you want the full disk, click the link

Read more
Posted in Linux Nas-Admin | 5 Comments
