So I’ve been neglecting this blog for the last year and a bit, mostly because work has been eating brain power, and not leaving me any spare for geeking in the evenings. On the plus side, that seems to not be the case now, as I’ve got my head around the vast majority of things I need to know, so I’m not constantly learning new things and burning through lots of mental energy.
So recently I’ve decided to migrate this blog off the old host (physically in Austria), and onto a Linode VPS in London. As always, A List of things that I wanted the new server to do was made:
- Host both domains (maco.org.uk, davidmcevoy.org.uk), with enforced SSL, hosting:
  - This WordPress blog.
  - My private wiki.
  - iPython notebook
- Act as a VPN server
- Host emails for both domains
So I’ve mostly had multiple terminal windows open all over the place configuring, breaking, fixing, reinstalling things. It’s been good to geek again 🙂
I shopped around a bit on the net and Linode look to be a decent provider for VPSes, and for the 1GB RAM option, quite cheap. The machine hosting this is based in London, so I get a ping of ~9ms from my home, which is quicker than Google(!!).
One thing I really like is ‘StackScripts’, which allows you to run a bash script on the first boot of your machine, so you can auto-configure it. My attempts so far are OK for my setup, though I need to go back to it and ensure it’s configuring all the services correctly and then try it on another host to validate everything works as expected. This should make mucking about with the server much simpler, as I can spin up a new instance using this script and it should be identical to the live system (well, identical as of 1am that morning, as that’s when the backups run!).
Nginx, SSL, WordPress
I’ve gone with nginx instead of apache again, as it uses less RAM, which is useful when your VPS only has 1GB. The sites are also now on HTTP2 (upgraded from SPDY 3.1), which is a recent update (with nginx 1.9.5), so the site is all shiny (and chrome?) from a bleeding edge tech perspective.
I also included this config line:
add_header X-Clacks-Overhead "GNU Terry Pratchett";
Let’s Encrypt, SSL Labs tests
Thanks to Let’s Encrypt, I’ve now got free, trusted, and easy to renew SSL certificates for both domains. It took a bit of playing around with the installer, as it’s in beta, but I’ve got a cron job which will run every couple of months now to refresh the certificates (they’re only valid for 90 days). So I don’t need to worry about renewing them far in the future, and if something goes wrong, I’ll get an email saying that the cron job failed, so I’ll still have a month to fix whatever broke in the script.
As far as the encryption settings go, I used the Mozilla SSL Configuration Generator to generate the SSL configuration part of the config file, then updated a few settings to work with my setup. So now I get an A+ on the SSL Labs Server Test for one domain, though only an A for this domain, which I suspect is due to SSL Labs not correctly scoring the HSTS, as this domain is on the preload list (but still sends the headers).
The WordPress migration went surprisingly simply – downloaded the latest WordPress files, unpacked, got the basic config done, migrated the database over, restarted some services and it Just Worked (other than plugins, but that was easy to fix).
I wanted to be able to access and run python code (because Reasons, mostly wanting to learn the language, plus doing maths/physics stuff), so wanted to run a notebook server. Unfortunately, as I’ve already got nginx running, running it on its own port would be complicated (non-standard ports run into issues with firewalls). So I’ve had to run the server listening on localhost, with nginx proxying the requests. It was a little tricky to get working, as there are a lot of options for nginx running as a reverse proxy, even more so if you need web socket access (which of course iPython notebooks do!).
I managed to get it working in the end though with these settings (trimmed for relevance):
proxy_pass http://localhost:9999/ipython/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $proxy_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Origin "http://localhost:9999/ipython/";
The critical one to make sure everything worked was the last line – the iPython notebook web server appears to have access controls in place which require the Origin header to match the host it thinks it is running on.
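As an added example (not code from the post, nor IPython’s or nginx’s own), here is a small Python model of why that last line was needed and what it costs: the notebook’s WebSocket handler refuses a handshake whose Origin host does not match the Host header, and with `proxy_set_header Host $proxy_host` the upstream sees `localhost:9999` as Host while the browser sends `maco.org.uk` as Origin. Rewriting Origin makes every client match, which also switches off the cross-site check, whereas forwarding the real Host (`proxy_set_header Host $host`) lets the browser’s genuine Origin be compared. The check below is a simplified model of the server’s logic (an assumption), and `other-site.example` is a constructed third-party origin.

```python
from urllib.parse import urlparse

NOTEBOOK_HOST = "localhost:9999"   # upstream named in the post's proxy_pass
SITE_HOST = "maco.org.uk"          # public domain nginx serves (from the post)


def check_origin(headers, allow_origin=""):
    """Would the notebook accept this WebSocket handshake?

    Simplified model (an assumption, not the real code): the host:port in the
    Origin header must equal the Host header, unless the server was started
    with an explicit allow_origin (or '*').
    """
    origin = headers.get("Origin")
    if origin is None:
        return False
    if allow_origin == "*":
        return True
    if urlparse(origin).netloc.lower() == headers.get("Host", "").lower():
        return True
    return bool(allow_origin) and origin.lower() == allow_origin.lower()


def proxied_headers(page_origin, forward_real_host, override_origin):
    """Headers the upstream sees after nginx rewrites the browser's request.

    forward_real_host=False models 'proxy_set_header Host $proxy_host' (the
    post's config), True models 'proxy_set_header Host $host'.
    override_origin=True models the post's 'proxy_set_header Origin ...' line.
    """
    headers = {"Host": SITE_HOST if forward_real_host else NOTEBOOK_HOST,
               "Origin": page_origin}
    if override_origin:
        headers["Origin"] = "http://%s/ipython/" % NOTEBOOK_HOST
    return headers


def scenarios():
    """Handshake outcome for the post's config and for the Host $host variant."""
    same_site = "https://" + SITE_HOST
    other_site = "https://other-site.example"   # constructed third-party origin
    return {
        # Post's config minus the Origin line: own site rejected (Host mismatch)
        "post_no_override_same_site": check_origin(proxied_headers(same_site, False, False)),
        # Post's final config: rewritten Origin always matches, even cross-site
        "post_override_same_site": check_origin(proxied_headers(same_site, False, True)),
        "post_override_other_site": check_origin(proxied_headers(other_site, False, True)),
        # Forward the real Host instead: the browser's own Origin is compared
        "real_host_same_site": check_origin(proxied_headers(same_site, True, False)),
        "real_host_other_site": check_origin(proxied_headers(other_site, True, False)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-30s %s" % (name, "accepted" if ok else "rejected (403)"))
```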
The wiki is still a work in progress, as MediaWiki installed just fine, but migrating the database over doesn’t seem to have been reflected in the wiki. I’m not sure why, as the database is definitely there and has the same content, but I’m not seeing any errors explaining why it’s not showing on the site. Something to keep my brain occupied at least!
This idea was mainly born with the posting of the Draft Investigatory Powers Bill, which (albeit only a draft and therefore subject to revision) doesn’t look great from a privacy perspective (bulk surveillance, logging of all websites visited by ISPs, etc), so having a secure channel from my devices out to The Internet seems like a good idea. I’m not sure how much of the traffic from data centres is logged/surveilled, but my guess is ‘less than consumer ISP traffic’, especially if DNS requests/http headers are being logged for the domains you visit.
It’s something I’ve looked into before, but never actually done, so it was a pleasant surprise that it was a few apt-get installs, and a few commands to run to generate the certificates for the server and client machines.
It did have a significant impact on the battery life of my phone, but after a bit of investigation, the default cipher and hash for OpenVPN are Blowfish and SHA1, and the iPhone 5S has hardware acceleration for AES and SHA256, so after updating the server and clients to require them, battery life is less impacted.
Previously gaia (the old server), was running the full email stack and had all my emails stored on it, which is less than ideal, as email servers take a certain amount of time to keep running and updated, which I’ve not really had. Additionally, email is something I’ve never quite managed to get my head around, mainly because it’s comprised of many interlocking pieces of software which have to be configured just so, or they don’t work (or look like they are, but are subtly broken).
So having heard about FastMail from various places, I decided to take a look.
Turns out they do everything that I need (i.e. host email, securely, decent spam filtering, plenty of storage, backups), plus calendar and contacts exportable via CalDAV/CardDAV, for USD 40 a year (which is about GBP 2.25 a month), which I’m happy to pay to make hosting my emails someone else’s problem 😀 It was also simple to migrate everything from existing accounts over – you supply your email server details and authentication details, and they’ll download everything via IMAPS into your new inbox.
I’ve now got a FastMail account set up to host email from both domains in a single inbox. I started with two, but I’m finding that I end up with duplicated folders across the two accounts (I generally use Thunderbird, or Mail on the iShiny, instead of webmail), so combining the two makes things simpler.