How to make Red Curry Paste

Ingredients

  • 3 teaspoons white pepper corns
  • ½ teaspoon cumin powder
  • ½ teaspoon coriander powder
  • 8 dry red spur chilies (soaked in water for about 10 minutes to soften them)
  • ½ teaspoon salt
  • 10 – 14 small cloves of garlic
  • 5 small shallots (Thai shallots are the size of grapes, so it’s about 2 tablespoons worth)
  • 1 tablespoon finely sliced lemongrass
  • 1 tablespoon finely sliced coriander roots
  • 1 tablespoon finely sliced ginger
  • Skin of ½ lime

Instructions

Using a mortar and pestle is the easiest way. If you don’t have one, you can use a blender to make this red curry paste recipe.
First, smash the dry ingredients. Add 3 teaspoons of white pepper corns to your mortar and pound it until it’s a fine powder.
Add ½ teaspoon of cumin and ½ teaspoon of coriander to the pepper and mix it all thoroughly, and then set them aside in a small bowl.

NOTE: If you only have pre-ground white pepper, you can eliminate the first step and just mix these 3 spices together in a small bowl.

Take 8 dry spur chilies (prik chee fa haeng), soak them in water for a few minutes to re-hydrate them, then drain the chilies. Cut off their stems, and you can then chop them into small centimeter pieces. You can take out the seeds to make the red curry paste less spicy.
Add the chopped dry chilies to the mortar along with ½ teaspoon of salt and start pounding. Keep on pounding for about 5 – 10 minutes until most of the chilies are nice and broken, the oils are coming out, and it’s starting to look almost tomatoey.
Step back over to your chopping board and peel about 10 – 14 cloves of garlic. If the cloves are really big, use about 8.
Next, peel 5 small shallots. Chop them into small pieces.
Take 1 stalk of lemongrass, pull off and discard the outermost leaf, and then slice it from the bottom into small slivers. You want enough for 1 tablespoon.
Take the fresh coriander roots from about 3 stalks, cut off the roots, slice them into small pieces, and again you want about 1 tablespoon worth of coriander roots.
Take your ginger and slice it into pieces, enough for 1 tablespoon worth.
Next take a fresh lime and slice off only the green skin. You want to slice off the skin very delicately, making sure you get mostly green, not cutting off any of the white pith. I used the skin from about ½ of the lime.
Toss all of those ingredients into the already pounded chilies. Pound and pound until you’ve got a buttery, oily, and extremely fragrant Thai red curry paste. This should take anywhere from 15 – 30 minutes. Again, you can alternatively use a blender or food processor.
When your paste is buttery and smooth, go back to your bowl of white pepper and dry spices, and mix it into the paste. Mix it all in and smooth it out.
Done :)

JavaScript loop / foreach an object

Coming from PHP I wondered how to do a simple foreach() in JavaScript.

function loopObject($object) {
    for (const [$key, $value] of Object.entries($object)) {
        // do something
    }
}

Not that once I found the entries function. Why do I use the dollar sign $ for the variables? It is a habit, it is easier to read, and it avoids conflicts with language reserved words.

Obsolete key exchange mechanisms alias crypto wars part eleven

Especially weak key exchange mechanisms indicated by the cipher suite include those designated as EXPORT or ANON; cipher suites using these key exchange mechanisms should not be used. Even if the cipher suite used in a TLS session is acceptable, a key exchange mechanism may use weak keys that allow exploitation. TLS key exchange methods include RSA key transport and DH or ECDH key establishment. DH and ECDH include static as well as ephemeral mechanisms. NSA recommends RSA key transport and ephemeral DH (DHE) or ECDH (ECDHE) mechanisms, with RSA or DHE key exchange using at least 3072-bit keys and ECDHE key exchanges using the secp384r1 elliptic curve. For RSA key transport and DH/DHE key exchange, keys less than 2048 bits should not be used, and ECDH/ECDHE using custom curves should not be used. The use of custom public key parameters in key exchange messages is deprecated per RFC 8422 Section 5.1.1.

The recommended configuration is the following:

Header always set Strict-Transport-Security "max-age=15553000; preload"
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

H2Direct On

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
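
To check a cipher list against the key exchange rules quoted above, here is an added example (not part of the original post). It grades OpenSSL suite names; the function names and the `curve` / `keyBits` inputs are assumptions, with `curve: "explicit"` standing for custom curve parameters.

```javascript
// Added example; thresholds are the ones in the guidance quoted above.
// Suite names use OpenSSL notation. keyBits is the RSA modulus or DH group size.
function keyExchangeOf(suite) {
  if (suite.startsWith("TLS_")) return "TLS1.3"; // negotiated via groups, not the suite
  if (suite.startsWith("EXP")) return "EXPORT";
  if (/^(ADH|AECDH)-/.test(suite)) return "ANON";
  if (/(^|-)(PSK|SRP)-/.test(suite)) return "OTHER"; // not covered by the quoted guidance
  if (suite.startsWith("ECDHE-")) return "ECDHE";
  if (suite.startsWith("ECDH-")) return "ECDH";
  if (/^(DHE|EDH)-/.test(suite)) return "DHE";
  if (suite.startsWith("DH-")) return "DH";
  return "RSA"; // names without a prefix, e.g. AES256-GCM-SHA384, use RSA key transport
}

function gradeKeyExchange(suite, params = {}) {
  let kx = keyExchangeOf(suite);
  if (kx === "EXPORT" || kx === "ANON") return { suite, kx, verdict: "avoid" };
  if (kx === "OTHER") return { suite, kx, verdict: "unknown" };
  if (kx === "TLS1.3") kx = params.curve ? "ECDHE" : "DHE"; // TLS 1.3 is always ephemeral
  let verdict;
  if (kx === "ECDH" || kx === "ECDHE") {
    if (!params.curve) verdict = "unknown";
    else if (params.curve === "explicit") verdict = "avoid"; // custom curve parameters
    else verdict = kx === "ECDHE" && params.curve === "secp384r1" ? "recommended" : "allowed";
  } else {
    if (params.keyBits === undefined) verdict = "unknown";
    else if (params.keyBits < 2048) verdict = "avoid";
    else verdict = params.keyBits >= 3072 && kx !== "DH" ? "recommended" : "allowed";
  }
  return { suite, kx, verdict };
}

function auditCipherList(list, params) {
  return list.split(":").filter(Boolean).map((s) => gradeKeyExchange(s, params));
}

// TLS 1.2 list from the configuration above; curve and DH size are constructed inputs.
const PAGE_LIST = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" +
  "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
for (const r of auditCipherList(PAGE_LIST, { curve: "secp521r1", keyBits: 2048 })) {
  console.log(`${r.suite}: ${r.kx} -> ${r.verdict}`);
}
```

With these inputs every suite grades as "allowed" rather than "recommended": the quoted guidance names secp384r1 and 3072-bit DHE, while the inputs use secp521r1 and a 2048-bit group.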

The only difference is the behavior of auto escaping in twig

Imagine you have a var variable containing: <div>I'm happy</div>.

On index.twig, {{ var }} will render <div>I'm happy</div>.

On index.html.twig, {{ var }} will render &lt;div&gt;I&#039;m happy&lt;/div&gt;

On index.js.twig, {{ var }} will render \x3Cdiv\x3EI\x27m\x20happy\x3C\x2Fdiv\x3E

And so on.

Always use the right extension to avoid XSS vulnerabilities, and always use |raw wisely because it overrides the implicit protection that the extension provides.
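
Why the escaper has to match the output context, as an added example (not Twig's own code and not from the original post): `escapeHtml` and `escapeJs` are simplified stand-ins for the two strategies, using the \xHH style of the output shown above, and `survivesJsString` is a hypothetical helper that checks whether an escaped value still round-trips inside a JavaScript string literal.

```javascript
// Added example: simplified stand-ins for the "html" and "js" escaping strategies.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };

function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);
}

function escapeJs(value) {
  // Everything outside [a-zA-Z0-9,._] is hex-escaped, one UTF-16 code unit at a time.
  return value.replace(/[^a-zA-Z0-9,._]/g, (ch) => {
    const code = ch.charCodeAt(0);
    const hex = code.toString(16).toUpperCase();
    return code < 0x80 ? "\\x" + hex.padStart(2, "0") : "\\u" + hex.padStart(4, "0");
  });
}

// True when the escaped text, placed inside a double-quoted JavaScript string
// literal, still parses and evaluates back to the original value.
function survivesJsString(escaper, value) {
  try {
    return new Function('return "' + escaper(value) + '";')() === value;
  } catch (err) {
    return false; // the literal no longer parses
  }
}

const sample = "<div>I'm happy</div>";   // the value used on the page
const tricky = "C:\\temp\nnext line";    // constructed: backslash and newline

console.log(escapeHtml(sample));
console.log(escapeJs(sample));
console.log("js escaper in JS string:", survivesJsString(escapeJs, tricky));
console.log("html escaper in JS string:", survivesJsString(escapeHtml, tricky));
```

The HTML escaper leaves the backslash and the newline untouched, so the same value that is safe in markup breaks the string literal when it lands in a script context.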

Apache security headers

A good starting point for Apache security headers:

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    Header always set Feature-Policy "\
        geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \
        magnetometer 'none'; accelerometer 'none'; vr 'none'; \
        speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \
        microphone 'none'"
    Header always set Content-Security-Policy "\
        default-src 'self' 'unsafe-inline' data:;\
        font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
        script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header always set Access-Control-Allow-Origin "*"
    Header always set X-Content-Type-Options nosniff
</IfModule>
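
Before tightening this starting point, it helps to see which parts of the Content-Security-Policy still permit script injection. The following added example (not part of the original post) parses the policy from the configuration above and reports them; the checks are a small, commonly used selection, and the function names and the hardened policy are constructed for illustration.

```javascript
// Added example: policy string copied from the configuration above.
const PAGE_CSP =
  "default-src 'self' 'unsafe-inline' data:;" +
  "font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; " +
  "style-src 'self' 'unsafe-inline' fonts.googleapis.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval';";

// Constructed comparison policy with a placeholder nonce.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'; base-uri 'self'";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src and object-src fall back to default-src; base-uri does not.
  const scripts = (d.get("script-src") || d.get("default-src") || []).map((s) => s.toLowerCase());
  const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (!d.has("script-src") && !d.has("default-src")) findings.push("scripts are unrestricted");
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows inline script");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows eval()");
  if (scripts.some((s) => s === "*" || /^(data|https?):$/.test(s))) findings.push("script-src allows a whole scheme or any host");
  if (!d.has("base-uri")) findings.push("base-uri is not set");
  const objects = d.get("object-src") || d.get("default-src") || [];
  if (!(objects.length === 1 && objects[0].toLowerCase() === "'none'")) findings.push("object-src is not 'none'");
  return findings;
}

console.log(auditCsp(PAGE_CSP));
console.log(auditCsp(HARDENED_CSP));
```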

Convert pfx certificate for apache

This is more or less a hint for me how to do it. Maybe it helps you, too.

openssl pkcs12 -in example.com.pfx -clcerts -nokeys -out example.com.crt
openssl pkcs12 -in example.com.pfx -nocerts -out example.com-encrypted.key
openssl rsa -in example.com-encrypted.key -out example.com.key
openssl pkcs12 -in example.com.pfx -cacerts -nokeys -out ca-cert.ca

Then in the apache config

SSLCertificateFile certs/example.com.crt
SSLCACertificateFile certs/ca-cert.ca
SSLCertificateKeyFile certs/example.com.key

Marios’ version of Kimchi

This is my version of Kimchi. There are a gazillion versions of Kimchi and this is mine.

Since I’m lazy and don’t want to browse a special Asian store, I changed some ingredients to fit what I can buy and have a similar result.

Paprika powder
Cayenne pepper powder
120g Salt
2 medium sized Onions
4 Garlic cloves
1 thumb sized piece Ginger
1 kg Chinese cabbage
1 tablespoon sugar
2 tablespoons Rice flour
1 small pot
1.5 liter jar with a closing lid
1 Large bowl

Fill the bowl with 2 liters / 8 cups of water and mix in the salt. Stir until the salt is dissolved.
Cut the Chinese cabbage into 1 inch / 2.5 cm size big pieces. Put it into the bowl and leave it there for 3 to 4 hours.

Chop the onions, the garlic, and the ginger very fine.

The Marinade:

Put 250 ml / 1 cup of cold water into the pot. Stir in the rice flour and the sugar. Cook it for 5 minutes with constant stirring. Now let it cool. Add some paprika powder and the Cayenne pepper. Add as much until it fits your spice level. Add the chopped ingredients. Mix it well.

After the 3 to 4 hours drain the Chinese cabbage as much as possible. Add the marinade and mix it well with your hands. You might use gloves as it might be too spicy for your hands. Fill the jar with the result. Push it down so that no air bubbles are inside. Leave a space of about an inch / 2.5 cm, otherwise the jar might explode or the juice will come out of the jar. Close the lid. Let it stand in your kitchen or wherever, but keep it away from sunlight. Once a day open the lid and let the fermentation gases out of the jar. Push the Chinese cabbage down, so that nothing is floating on the surface. After 3 days see if it is sour enough for you. You can wait up to 5 days. Now put the jar into a fridge. After 7 days in the fridge the Kimchi is ready to eat. Kimchi can be stored up to 3 months in the fridge. The fermentation process will continue in the fridge, but much slower. After you have taken out some of the kimchi to consume it, push the rest of it down into the jar. Never use a spoon or something that has your saliva on it to get something out of the jar; your kimchi would spoil very fast.

Influxdb 2.0 lessons learned

I played a bit with influxdb version 2.0.0, the telegraf client and two of my Raspberry Pis.
On my oldest Pi, a 1 B+, the telegraf client caused too many performance issues on that lightweight single CPU and 480 MB of usable RAM. So I chose a simple bash script with curl to send the CPU temperature to influxdb.

#!/bin/bash
timestamp=$(date +%s)
temp=$(vcgencmd measure_temp)
curl -XPOST \
"https://flux.example.com/api/v2/write?org=none&bucket=pihole&precision=s" \
--header "Authorization: Token asas==" \
--data-raw "cpu-temperature,host=pihole ${temp//\'C/} ${timestamp}"

At first I was running influxd by hand. But I didn’t want the usual port of 9999 of the alpha version and I also wanted SSL encryption when I log into the backend. Pretty easy with the already running Apache on that server.

<VirtualHost *:443>
	ServerName flux.example.com
	DocumentRoot /var/www/empty

	<Directory /var/www/empty>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ProxyPass / http://localhost:9999/
	ProxyPassReverse / http://localhost:9999/

	SSLEngine on
	SSLCertificateFile  fullchain.pem
	SSLCertificateKeyFile privkey.pem
</VirtualHost>

So far so good. Starting influxdb by hand after a reboot or a failure isn’t an option, so I created my own systemd service file:

sudo $EDITOR /lib/systemd/system/influxdb2.service

[Unit]
Description=InfluxDB 2.0 service file.
Documentation=https://v2.docs.influxdata.com/v2.0/get-started/
After=network-online.target

[Service]
User=influx
Group=influx
ExecStart=/usr/local/bin/influxd
Restart=on-failure

[Install]
WantedBy=multi-user.target

Do not forget to enable it :D

sudo systemctl enable influxdb2

 

So far I made one observation. The telegraf client is doing a lot of DNS requests through the network. If I’m not wrong it does it for every request. If you look at the graphic you see at the bottom a big blue line. Those are the DNS requests from telegraf. At some point around 20:00 you see a drop. That is where I changed the flush interval to 120 seconds. Later, at around 7:30, I wrote the IP and host name into /etc/hosts and the “noise” was gone. That is something you may want to do on your devices, too, to save some bandwidth and energy.
