Category: Server

HTTPS Encryption

Encryption on the web has a history of being notoriously expensive and difficult to implement.  Not long ago, you could expect to pay upwards of $1,000 per year to register your website’s SSL certificate with the root server Verisign directly.  A shorter time ago, a few re-sellers such as GoDaddy came into play.  As of the date of this article, one year of GoDaddy’s SSL service will cost $69.99 for one website.

While I would have loved to have had a “valid” certificate, for some of my purposes, a snake oil certificate, or self-signed certificate, was secure enough.  Since self-signed certificates aren’t validated by a Certificate Authority (CA), modern browsers will try to prevent users from navigating to websites that use them (or any other non-validated certificate).

 

Now, since I created the certificates on my own server (and I hope I can trust myself), I can ignore those messages just fine.  This was useful for securing dev websites and code repository connections.  For anything public facing, this wouldn’t really be acceptable.

A few years earlier, in 2010, I tried an application called NetDrive with some success; then, a few years later, I came across OwnCloud.  This package was a decent competitor to Dropbox itself, so I decided to give it a shot.  With anything involving logging in and transferring files, it’s a good idea to use HTTPS, so I initially started with my usual self-signed certificate.

Unfortunately, if I wanted to link any of the pictures I uploaded there, anyone clicking on them would see a larger warning message.

This gave me a few choices:

  1. Chance not using encryption
  2. Use SFTP to handle the file transfers
  3. Search out cheap certificate authorities.

This search eventually led me to StartCom StartSSL, who offered free SSL certificates.  It seemed almost too good to be true!  Sure enough, I signed up, validated the domains that I wanted to set up HTTPS for, and I was on my way.  There weren’t many extra steps to this process versus using a self-signed certificate; it’s mostly just the fact that a third party validates your self-signed certificate.  So after getting everything in the correct directories and updating my Apache config files, I was online.

Fast forward a couple of years, and there is a new player in town, Let’s Encrypt.  These guys caught my attention a few months ago on the tech news article circuit, and in a CommitStrip comic.  It requires you to download a script onto your web server, run it, tell it which domains you want to set up HTTPS for… and you’re done.  I didn’t believe it at all until I tried it for myself.  An odd catch: the certificates it generates are good for 3 months instead of 12 months.  It comes with the option to have it run nightly to renew them, so it’s mostly a moot point.  I haven’t gotten to the point where any have expired yet, so I may have to add a follow-up.

Browser encryption has come a long way, and it’s almost at the point where it’s just as easy to have HTTPS as it is to have standard HTTP.

Apache Logs

This has happened to me a couple of times, still more than I would like to admit.  First off, I used to have my Apache logs named the same as the website URL (“bodhidevelopment.com”).  This is a pretty minor problem and can go unnoticed for years… until your server runs out of storage space.  Apache2 has a nice little feature to rotate logs, but the default will only look for files with the “.log” extension.  I used to regularly have log files that were over a gigabyte, and I could only imagine what kind of performance issues that might cause.
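A quick way to catch this before the disk fills up, as an added example that is not from the original post: the function below lists files in a log directory that a `*.log` rotation glob will never match, largest first. The file names used in `demo` are constructed, and the directory you pass in depends on your own Apache configuration.

```shell
#!/bin/sh
# Added example: find log files that a "*.log" rotation glob does not cover.
# Usage: sh unrotated.sh /path/to/apache/logs   (the path is yours to supply)

# unrotated_logs DIR
# Prints "SIZE_BYTES<TAB>NAME" for every regular file in DIR that is neither
# matched by *.log nor a rotated copy of one (access.log.1, error.log.2.gz).
unrotated_logs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip directories and empty globs
        name=${f##*/}
        case $name in
            *.log|*.log.[0-9]*) continue ;;  # covered, or already rotated
        esac
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\n' "$size" "$name"
    done | sort -rn                        # largest offenders first
}

# demo: build a constructed log directory and run the check against it.
demo() {
    tmp=$(mktemp -d) || return 1
    # Log named after the site URL, as in the post: never rotated.
    printf 'GET / 200\nGET /boats 200\n' > "$tmp/bodhidevelopment.com"
    # Files the rotation glob does handle.
    printf 'GET / 200\n' > "$tmp/access.log"
    printf 'GET / 200\n' > "$tmp/access.log.1"
    unrotated_logs "$tmp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then
    unrotated_logs "$1"
else
    demo
fi
```

Any file it reports needs either a `.log` suffix in its log directive or its own pattern in the rotation configuration.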

I never really paid attention to PHP warnings/errors unless they were causing serious problems, but it felt like the next logical step after getting the logs in order.  A large portion of warnings were just undefined variables being used, which is extremely easy to fix, and can add up fast if there are a large number of variables/loops on a page.  This gave me the opportunity to look through code that hadn’t been touched for years.

Apache mod_pagespeed

As covered in a previous post, I’ve been using Google’s PageSpeed Insights for a while now to help optimize the page loads of my websites, but I’ve never gone so far as installing the Apache mod_pagespeed plugin.  But after trying a few different Joomla extensions, I figured this one might be more efficient by optimizing directly through the Apache layer.

mod_pagespeed is an open-source Apache module that automatically optimizes web pages and resources on them. Optimization is done by rewriting the resources using filters that implement web performance best practices. Webmasters and web developers can use mod_pagespeed to improve the performance of their web pages when serving content with the Apache HTTP Server.

Among many other features, this plugin will automatically combine/optimize how JavaScript and CSS are presented.  After installing and enabling it using .htaccess on two of my sites so far, the PageSpeed scores have increased about 6 points (from 88 to 94 on Used Boats Ahoy!), and it shaved an average 500ms off page load speeds.

2012-05-24 Update:

After having good luck with this plugin on Used Boats Ahoy!, I enabled it on my other websites.  Below are the changes in PageSpeed score.
Bodhi Development: 70 to 92
Stat Addict: 74 to 90
Washington State Used Boats: 85 to 92
Quality Used Boats: 88 to 93
Bodhi Sanctum: 72 to 76
Used Boats Ahoy: 88 to 94

Linux Server Kernel Upgrade

I’ve been hosting a VPS through Linode for the last couple of years, and I’ve had a great experience so far.  A VPS provides the full root server experience without having to worry about the hardware.  I was going through my server configurations, and realized I was running a deprecated Linux kernel 2.6.  A host like Linode makes it extremely easy to change kernels on a VPS with a simple web interface with a dropdown menu to select from a prepopulated list of kernels.  After an issue in May of last year, I was recommended to use a more stable version (2.6.32.16), which was still selected.  I’m hoping any issues I experienced have been resolved since then.

While there are no significant changes, there are plenty of random fixes and driver updates, and updating the revision to 3.0 was a huge milestone for Linus and Linux.  As of today Linux 3.4 has been released, and I hope to be able to look into taking the additional leap.

WordPress Themes