HTTP/SSL Made Easy With FreeBSD + Nginx + Certbot!


Recently at Hypatia Software Organization we decided to enhance the security of our servers by improving our HTTPS (encryption) support. Use of strong encryption enhances the privacy of our members, volunteers, and donors, as well as the Hypatia community at large. In the past, deploying strong HTTPS on a web server was a costly and time-consuming process that required buying an X.509 certificate from a Certificate Authority (CA). This has changed with the creation of Let’s Encrypt, a CA that provides X.509 certificates free of charge via a public API, and Certbot, a client that uses this API to turn certificate issuance into a simple process that anyone running a web server can follow!

Now that the basics are out of the way, let’s get down to how to deploy Certbot on your web server to obtain a free X.509 certificate for yourself! In this example we will be using FreeBSD 10.2-RELEASE with Nginx 1.8.1 as the web server. The process is fairly simple and requires only a basic understanding of the shell. In the examples we provide we are using ZSH as our shell, and the prompt will be denoted by a “%” character. Before you can get started you will need a valid domain name pointed at the server for which you wish to obtain a certificate. Additionally you will need git and python installed; you can install them with the following command:

% pkg install git python

Once you have the required packages, the rest is easy. First, let’s clone the Certbot repository from GitHub:

% git clone https://github.com/certbot/certbot.git

Now all that’s left to do is obtain our certificate. Certbot will automatically install any system dependencies and create a Python virtual environment to manage the Python packages it requires. In this example we will be requesting a certificate for the following domains: example.com and www.example.com. The process takes several steps, which are annotated with comments (text after the “#” character):

# Change directories to the freshly cloned certbot repository
% cd certbot
# Stop Nginx (nothing can be using port 443 when Certbot runs in standalone mode)
% service nginx stop
# Obtain our certificate!
% ./letsencrypt-auto --debug certonly --standalone -d example.com -d www.example.com
# Start our web server back up:
% service nginx start

And that’s it! You will now have a certificate in /etc/letsencrypt/live/example.com/, where example.com is the first domain listed in the letsencrypt-auto command above.

One more suggested security enhancement you can implement for your users is generating your own strong and unique Diffie-Hellman (DH) parameters (often referred to as a DH key), which are used when the client (web browser) and server negotiate a shared session key. This can easily be done with the following commands, which will yield 4096-bit DH parameters (note that generating parameters of this size can take a long time on modest hardware):

% cd /usr/local/etc/ssl/
% openssl dhparam -out dhparams.pem 4096

Now that you have a new X.509 certificate, I’m sure you would like to deploy it to your web server. Here is our basic Nginx configuration. We store the TLS settings in a separate file and include it from our /usr/local/etc/nginx/nginx.conf file; this makes it easy to apply the same settings and headers to all of our HTTPS virtual hosts. While this could be written a bit more cleanly, we find it works very well. To include the common file, add the line “include ssl_common.conf;” to your server block, so that it looks something like this:

http {
    server {
        listen 443 ssl;
        server_name example.com;
        include ssl_common.conf;
    }
}

Here are the contents of our /usr/local/etc/nginx/ssl_common.conf file:

# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL configuration is up to date with current standards. Be aware that in this
# example we use a slightly liberal cipher list to allow for older browsers on older devices, e.g.
# IE8, Android 2.4, etc.
# Prefer the server's cipher order so the Perfect Forward Secrecy (PFS) suites listed below win
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Disable SSLv2 and SSLv3 (POODLE); TLSv1 and TLSv1.1 are kept only for the older clients mentioned above
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable our strong DH parameters (generated above)
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher list: PFS (ECDHE/DHE) suites first, non-PFS fallbacks for old clients; NULL, EXPORT, DES, MD5, PSK and RC4 excluded
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# HSTS support (max-age is two years; "preload" makes the host eligible for browser preload lists)
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
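As an added check that is not part of the original post, the following POSIX sh function audits an include file such as ssl_common.conf for the settings this guide relies on before you restart Nginx. The file path and the list of required directives are assumptions for this example; among other things it catches a directive missing its trailing semicolon, which Nginx refuses to load.

```shell
#!/bin/sh
# audit_ssl_conf: sanity-check an nginx TLS include file (e.g. ssl_common.conf).
# Added example for this guide, not the project's own tooling. Run it before
# "service nginx restart" so a typo does not take the site down.
#   audit_ssl_conf /usr/local/etc/nginx/ssl_common.conf
audit_ssl_conf() {
    conf="$1"
    rc=0

    # 1. Every directive (non-blank, non-comment line) must end with ';'.
    #    A missing semicolon on the last line of the file is easy to overlook.
    missing_semi=$(grep -v '^[[:space:]]*#' "$conf" \
                   | grep -v '^[[:space:]]*$' \
                   | grep -v ';[[:space:]]*$' || true)
    if [ -n "$missing_semi" ]; then
        echo "directive(s) missing trailing ';':"
        echo "$missing_semi"
        rc=1
    fi

    # 2. SSLv2/SSLv3 must not appear in ssl_protocols (POODLE).
    if grep -E '^[[:space:]]*ssl_protocols' "$conf" | grep -Eq 'SSLv[23]'; then
        echo "ssl_protocols enables SSLv2/SSLv3"
        rc=1
    fi

    # 3. Hardening directives this guide depends on must be present.
    for want in 'ssl_prefer_server_ciphers on;' 'ssl_dhparam ' \
                'ssl_stapling on;' 'Strict-Transport-Security'; do
        grep -qF "$want" "$conf" || { echo "missing directive: $want"; rc=1; }
    done

    return $rc
}
```

The function exits non-zero and prints each problem it finds, so it can be chained as `audit_ssl_conf ssl_common.conf && service nginx restart`.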

After making these changes you must restart your web server:

% service nginx restart

Now you should have HTTPS running with a certificate from the Let’s Encrypt CA! If you would like to test your server for configuration errors, I strongly recommend using https://ssllabs.com to test your server configuration. If you followed this guide and checked https://cipherli.st/ for any changes, you should get an A+ on SSL Labs’ test. Good luck and happy hacking!

Further reading

How to test a game engine

If you were to ask “What are the most difficult aspects of testing a game engine?”, an answer you’d hear a lot is “rendering.” What things look like when they’re drawn to screen: how do you test that? Well, to know that things drawn to screen look right you need to compare the rendered image to an image you can expect to be static and unchanging. The first approach is to create an image test fixture of the expected render image and compare that against the render image itself. However, this approach is extremely limited. As unfortunate as it is, we must leave the domain of simple static tests and enter the wacky world of dynamic testing.

Continue reading “How to test a game engine”

How I started developing on an iPad

Recently my laptop started falling apart, and I needed a new device to continue my development work on Sappho, previously Hypatia Engine, as well as other development endeavours. I was looking into a replacement laptop, when I had a thought – what if I could develop everything I needed to from an iPad? After some careful thinking about the feasibility of it, I decided that I could probably do everything on one, and so I set about acquiring one. Thanks to Blake (a very generous HSO staff member), I got my hands on one.

Continue reading “How I started developing on an iPad”

Python Tutorial: Testing, Test Driven Development, py.test

Lillian Lemmer talks about testing and Test Driven Development (TDD) in Python at LeadPages (thanks, LeadPages!), showing how to use py.test to test Python code and ensure software stability.

The example used for testing is a game where you eat sugary things until you lose all your enamel (effectively making enamel HP)! Lillian shows how the aforementioned is tested. The TDD part comes in when someone asks to show a Test Driven Development example where brushing your teeth restores enamel.

It’s about 20 minutes long and includes questions/comments from the crowd.

[youtube https://www.youtube.com/watch?v=dIIj3MRnGhs]

Here’s the repo being talked about in the video: https://github.com/LeadPages/tutorials

How to Install FreeBSD (with Gui!)

Hello, Lillian here! Wanna learn how to install FreeBSD, with a nice GUI, Firefox, a nice terminal experience, and other goodies? I had some spare time so I made an instructional video for exactly that!

This goes over:

  1. Installing FreeBSD
  2. Setting up your GUI (windowmaker, xorg, rox-filer)
  3. Updates
  4. Terminal experience; zsh + oh-my-zsh
  5. Other goodies!

This setup is pretty much what we use for the official Hypatia Software Organization Developer Image.

Sorry for the choppy and unprofessional video; I didn’t have much time to put this together, so please forgive me! 😬

We’re in the News! BSDNow.tv

Allan Jude (@allanjude on Twitter) and Kris Moore (@pcbsdkris on Twitter) talk about the Polling is a Hack Article on the Hypatia Software Organization blog/website.

The article I wrote, entitled, “Polling is a Hack: Server Sent Events (EventSource) with gevent, Flask, nginx, and FreeBSD” got covered by BSDNow.tv!

The BSD Now episode in which we’re featured is Episode 130: Store all the Things | BSD Now 130.

Continue reading “We’re in the News! BSDNow.tv”

Writing Tests for Python

The basics of writing tests in Python, as explained by a very tired and unprepared me (Lily Lemmer!). 😅

[youtube https://www.youtube.com/watch?v=1cRfMjz3Pxc]

I had just come back from vacation and forgotten I was to give a talk on this subject, so I was unprepared and a bit sick as you can hear from my voice, so please be forgiving. 😬 I’ll be doing this talk again, it should be a lot better! Keep a lookout!

Polling is a Hack: Server Sent Events (EventSource) with gevent, Flask, nginx, and FreeBSD


Server-sent events efficiently send data to clients in real time and asynchronously. This particular setup was used for STATICFUZZ and shows you how to send an event from the server (Python) to the client (JavaScript), plus how to set up the server! This is about as full stack as it gets!

Core technologies:

  • JavaScript/EventSource
  • gevent
  • Flask/Python
  • nginx
  • FreeBSD

Continue reading “Polling is a Hack: Server Sent Events (EventSource) with gevent, Flask, nginx, and FreeBSD”

A Simple, Maintainable Slack Bot

This past week we’ve begun automating our onboarding process by developing a chat bot for our team Slack. The bot messages new users with pre-written information which all users should be aware of, like relevant links (Code of Conduct, mentor calendar, etc.). We chose to use a Python implementation of the Slack API; Python is the standard language used at HSO.

Continue reading “A Simple, Maintainable Slack Bot”

Hypatia Engine: Using Tiled Map Editor

Last Halloween I made a special Halloween Release (0.3.0) of Hypatia Engine. Along with it, I released this tutorial video on creating basic scenes with Hypatia Engine:

[youtube https://www.youtube.com/watch?v=xZHk7PgUEGY]

I’m trying to make a habit of releasing Hypatia Engine on its birthday, Halloween! This year it was a smashing success: Hypatia Engine was released on Halloween as planned.

Here’s the Leadpages landing page I used to promote the Hypatia Engine Halloween release (I work at Leadpages; thanks Leadpages!)