Welcome to my world
It is often required to parse the apache log, but the normal log format requires special handling like: https://github.com/JBlond/apache_log_parser
It is easier to have a direct output like JSON format.
LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" json
Now we have an easy to read log file.
Finding a good cipher for your web server is not an easy task. openssl ciphers -v ALL:COMPLEMENTOFALL lists all the available ciphers on your system.
What we don’t want
That gives us:
openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "SSLv3" | grep -v "(128)" | grep -v "Enc=None" | \ grep -v "Au=DSS" | grep -v "DHE-RSA-AES256-SHA" | grep -v "TLSv1 " | grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | \ grep -v "CAMELLIA" | grep -v "CBC" | grep -v "Au=RSA" | grep -v "Au=None" | grep -v "Enc=AESCCM"
now choose your poison.
Installing or updating a global installed composer can be a PITA if you don’t want to rely on the Linux distro
An easy way is:
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/bin --filename=composer
Now with the release of Apache 2.4.37 it supports TLSv1.3 (with OpenSSL 1.1.1). Before is was possible to compile Apache against OpenSSL 1.1.1 but it had no effect compared to OpenSSL 1.1.0
There are some advantages using TLS 1.3. it comes with Zero Round Trip Time (0-RTT). Explained simply, with TLS 1.2, two round-trips had been needed to complete the TLS handshake. With TLSv1.3, it requires only one round-trip, which in turn cuts the encryption latency in half. It feels faster.
At the moment only Chrome and Firefox support TLS 1.3. But I think other browser will follow soon.
This requires Apache 2.4.37 or better and OpenSSL 1.1.1 or better. Note that there are now two different directives for SSLCipherSuite. Also new is that the names for the Ciphers for TLS 1.3 are directly taken from the OpenSSL internal naming. This is different compared to the old way in apache. Only two ciphers that are allowed for TLSv1.3 support 256 bit encryption that is why I chose those.
Listen 443
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
ProtocolsHonorOrder On
Protocols h2c h2 http/1.1
TraceEnable Off
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd DHParameters "/opt/apache2/conf/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
H2Direct On
Sadly not OS Distributions support the last OpenSSL version or that TLv1.3 version has been backported or it has been patched, but apache shows still an older version number.
Some weeks ago canada released a document for offical / public websites. No longer is TLS 1.0 nor TLS 1.1 allowed, but TLS 1.2 and TLS 1.3
Until this writing apache does not support TLS 1.3 yet, but it will come soon. This is because Apache does not work 100% with OpenSSL 1.1.1 yet. Soon it will do.
This brings an updated SSL config for apache webserver
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
H2Direct On
Some old clients including older Android versions are not longer supported, unless you install a newer browser like current Firefox.
SELECT (LENGTH(`table`.`fieldname`) - LENGTH( REPLACE( `table`.`fieldname` , ',', '' ) ) + 1) AS `number` FROM `table` WHERE TRIM( IFNULL( `table`.`fieldname` , '' ) ) > ''
Delete all local branches but master and the current one
git branch | grep -v "master" | grep -v ^* | xargs git branch -D;
what did I do? aka git last commit
git diff @~..@
What did I do the last week?
git log --stat --since='1 Week Ago' --graph --pretty=oneline --abbrev-commit --date=relative
git log only the relevant merges
git log --all --graph --decorate --oneline --simplify-by-decoration
show all untracked files
git ls-files --others --exclude-standard
last tag
describe --tags --abbrev=0
It is a hassle to have different configurations in development and production. Often it is required to protect the new webpage with user and password. Publishing that config on production on the other hand would be fatal.
With Apache 2.4 that is pretty easy done
<If "%{HTTP_HOST} == 'stage.example.com'">
AuthType basic
AuthName "private"
AuthUserFile /home/example/.htpasswd
Require valid-user
</If>
Now there Debian available over the Microsoft Store on Windows 10. Very small RAM usage, much better than the ubuntu version.
Open PowerShell as Administrator and run:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
Then Open the Microsoft Store and search for debian.
The File are now in C:\Users\%USERNAME%\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*
I wonder why it is no longer in C:\Users\%USERNAME%\AppData\Local\lxss\
For having correct displayed german characters I had to change the console
sudo dpkg-reconfigure locales sudo apt install console-setup sudo dpkg-reconfigure console-setup
I had an issue while migrating (My)SQL data back and forth from Linux and Windows. When ever I made come changes on my local windows dev system and tried to apply the changes to the production system the SQL statement failed. Later I noticed that the table names on Windows were no matter what I tried in lower case. The MariaDB docs told me that the table names on Windows where always lower case and case insensitive. What a bummer.
Searching I foundlower_case_table_names in the docs. With the values 0,1 and 2.
0 (Unix) = table names and aliases and database names are compared in a case-sensitive manner.
1 (Windows) = names are stored in lowercase and not compared in a case-sensitive manner.
2 (Mac OS X) = names are stored as declared, but compared in lowercase.
I tried 0 and got
[ERROR] The server option 'lower_case_table_names' is configured to use case sensitive table names but the data directory resides on a case-insensitive file system. Please use a case sensitive file system for your data directory or switch to a case-insensitive table name mode. [ERROR] Aborting
But setting it to 2 works. No longer problems
[mysqld] datadir=C:/Program Files/MariaDB 10.2/data port=3306 innodb_buffer_pool_size=1003M character-set-server=utf8 performance_schema = ON lower_case_table_names = 2 [client] port=3306 plugin-dir=C:/Program Files/MariaDB 10.2/lib/plugin
I wonder cause in the old days of using MySQL it never was a problem.