To anyone who follows my posts here, my love of open-source software is well-known. Open-source alternatives allow me to host my own nameservers, email, website, and GitHub alternative, and I’ve now supplanted Slack and automation tools like IFTTT and Zapier.
Category: Tech & Tools
Upgrading to PHP 7.1
Two weeks ago, I noted that I was preparing to switch from PHP 7.0 to 7.1. It took me a bit more time than expected, thanks to a segmentation fault that appeared in 7.1 when using OPcache.
Preparing for PHP 7.1
I’ve been using PHP 7.0 for just over a year, and the 7.1 branch reached its first stable release last month, so I’ve begun thinking about what the switch will entail. Fortunately, my needs are fairly simple, so I only require two additional modules: Redis and GeoIP. I’ve made one hasty attempt to build 7.1 with support for these features, which failed spectacularly; fortunately, the chance that it was an error on my part is quite good, so things may just work when I try it again.
Sadly, I’m not yet able to drop PHP 5.6 support from my VPS as a few necessary applications still don’t work as expected under newer releases.
I love my CDN
KeyCDN is rather spectacular. I’ve used them for more than two years now, and their features-for-price are unmatched. Of greatest importance to me, they support custom SSL certificates as part of their basic offering. Given my obsession with HSTS and HPKP (see also), this was essential.
In the last six months, they’ve spared my VPS appreciable traffic:
I can’t recommend KeyCDN enough. I’m told that Brotli and IPv6 support are coming in the first quarter of 2017. 🎉
Adding Brotli support to nginx
Last year, Google released a successor to the deflate compression algorithm, Brotli. Chrome adopted it in version 51, and Firefox in version 44 (see Can I use…). That said, from the webserver side, nginx doesn’t support it natively, so Google provides the ngx_brotli module, making it just a matter of compiling nginx.
With your own authoritative DNS, dynamic DNS is easy
At the beginning of the year, I wrote about using nsd3 to run my own nameservers: “Authoritative DNS with redundancy, using nsd and Debian Wheezy”. That post focused on the public-facing benefits of running my own nameservers, notably the flexibility it gives me with regard to record types and update frequency.
As I’ve added more and more services to the Raspberry Pis running on our home network, the flexibility I have has demonstrated another benefit: assigning a domain name to the network’s ever-changing IP address. Time Warner doesn’t offer static IPs for consumer accounts, which presents a challenge to using our router’s native VPN functionality. To make it convenient to connect to our home network from afar, I’ve employed an open-source script and a custom DNS zone to provide dynamic DNS via my own servers.
Continue reading With your own authoritative DNS, dynamic DNS is easy
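One way to wire up the zone-update half of this, as an added example and not the script the post refers to: a POSIX shell function that rewrites the apex A record in an nsd zone file and bumps the SOA serial, but only when the address has actually changed. The zone, hostnames and addresses below are constructed for the example; the date-based serial format, the `@ IN A` record layout and the `; serial` comment marking the SOA serial line are assumptions about how the zone is written.

```shell
#!/bin/sh
# Dynamic DNS against a self-hosted nsd zone: rewrite the apex A record and
# bump the SOA serial, but only when the public address actually changed.
# Added example; the zone below is constructed, and the "; serial" comment
# marking the SOA serial line is an assumption about the zone's layout.

# Constructed zone: a short TTL so a changed home address is picked up quickly.
SAMPLE_ZONE='$ORIGIN home.example.net.
$TTL 300
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2016120101 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum
@   IN NS  ns1.example.net.
@   IN NS  ns2.example.net.
@   IN A   203.0.113.10'

# Print the apex A record of a zone file (assumes "@ IN A <addr>" layout).
current_a_record() {
    awk '$1 == "@" && $3 == "A" { print $4 }' "$1"
}

# Print the SOA serial (the number on the line tagged "; serial").
zone_serial() {
    awk '/; serial/ { print $1 }' "$1"
}

# Next serial in YYYYMMDDnn form: $1 = current serial, $2 = today as YYYYMMDD.
# Same day (or a clock that went backwards) just increments, so the serial
# never decreases; a new day starts at nn=01.
next_serial() {
    candidate=${2}01
    if [ "$candidate" -le "$1" ]; then
        echo $(( $1 + 1 ))
    else
        echo "$candidate"
    fi
}

# update_zone ZONEFILE NEWIP TODAY: rewrite in place via a temp file.
# Returns 1 when the address is unchanged, so callers neither burn a serial
# nor reload nsd for nothing.
update_zone() {
    zone=$1; ip=$2; today=$3
    if [ "$(current_a_record "$zone")" = "$ip" ]; then
        return 1
    fi
    new=$(next_serial "$(zone_serial "$zone")" "$today")
    awk -v ip="$ip" -v serial="$new" '
        $1 == "@" && $3 == "A" { $4 = ip }
        /; serial/            { sub(/[0-9]+/, serial) }
        { print }
    ' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
}

# Stand-alone demo on a temp copy of the constructed zone. In a real cron
# job, NEWIP comes from the router or a "what is my IP" lookup, TODAY from
# `date -u +%Y%m%d`, and a successful update is followed by a reload
# (nsd 3: nsdc rebuild && nsdc reload; nsd 4: nsd-control reload ZONE).
demo_dyndns() {
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_ZONE" > "$work/home.zone"
    if update_zone "$work/home.zone" 198.51.100.7 20161202; then
        printf 'updated: A=%s serial=%s\n' \
            "$(current_a_record "$work/home.zone")" "$(zone_serial "$work/home.zone")"
    else
        echo 'address unchanged; nothing to do'
    fi
    rm -rf "$work"
}

demo_dyndns
```

Two operational points worth keeping in mind: give the updater write access to this one zone file only, not the whole zone directory, since it runs unattended with whatever the router or IP-lookup service tells it; and keep the TTL short, because the VPN endpoint is only as reachable as this record is current.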
chmod math
As is the case with many things I post, this is mostly a reminder to myself of the math behind chmod.
x = 1 (execute)
w = 2 (write)
r = 4 (read)
Sum the values for each class (owner, group, everyone else) to get the three octal digits; for example, rwxr-x--- is 7, 5 and 0, or 750.
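Carrying the arithmetic a step further, as an added example rather than anything from the original post: a pair of shell functions that turn the nine-character permission string `ls -l` prints into its octal digits and back, adding 4, 2 and 1 per class. The special bits (setuid, setgid, sticky) are deliberately left out.

```shell
#!/bin/sh
# chmod arithmetic: r=4, w=2, x=1, summed per class (owner, group, other).
# Added example. Handles the plain rwx bits only; setuid/setgid/sticky
# (s, S, t, T in ls output) are left out to keep the mapping one-to-one.

# One class, e.g. "rwx" -> 7, "r-x" -> 5, "---" -> 0.
rwx_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4));; esac
    case $1 in ?w?) d=$((d + 2));; esac
    case $1 in ??x) d=$((d + 1));; esac
    echo "$d"
}

# Nine-character string as shown by ls -l ("rwxr-x---") -> "750".
perms_to_octal() {
    u=$(rwx_to_digit "$(printf '%s' "$1" | cut -c1-3)")
    g=$(rwx_to_digit "$(printf '%s' "$1" | cut -c4-6)")
    o=$(rwx_to_digit "$(printf '%s' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# One octal digit -> "rwx" triple, testing each bit.
digit_to_rwx() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    echo "$r$w$x"
}

# Three octal digits ("750") -> "rwxr-x---".
octal_to_perms() {
    m=$1
    mid=${m#?}
    echo "$(digit_to_rwx "${m%??}")$(digit_to_rwx "${mid%?}")$(digit_to_rwx "${m#??}")"
}

# Quick table: what each common mode grants to everyone else on the box.
for mode in 600 640 644 750 755 777; do
    printf '%s  %s\n' "$mode" "$(octal_to_perms "$mode")"
done
```

The table is the least-privilege reminder hiding in the math: the last digit is everyone else's sum, so a 644 on something like wp-config.php is a world-readable secret, while 640 (or 600) is not.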
Sorry VaultPress
PHP’s open_basedir is one way I isolate the various PHP applications running on my VPS. Within the directory that holds this WordPress install, there exists a symlink from when I relocated my presentation slides from http://ethitter.com/slides/ to https://slides.ethitter.com/. VaultPress doesn’t particularly appreciate this:
PHP Warning: file_exists(): open_basedir restriction in effect. File(/.../network/public_html/slides) is not within the allowed path(s).
Letting VaultPress access the directory that the symlink points to would defeat the purpose of using open_basedir, so instead, my VPS continually frustrates VaultPress.
Compiling nginx with OpenSSL 1.0.2 to maintain HTTP/2 support
Chrome 51 disabled support for NPN, or Next Protocol Negotiation, the mechanism that millions of nginx servers needed to establish HTTP/2 connections with Chrome users. For anyone running nginx compiled against OpenSSL 1.0.1, Chrome 51 users are still connecting over SSL, but only via the legacy HTTP/1.1 specification, which lacks the performance benefits HTTP/2 imparts.
Both the nginx project, and Mattias Geniar, provide lengthier explanations of what changed in Chrome 51:
- https://www.nginx.com/blog/supporting-http2-google-chrome-users/
- https://ma.ttias.be/day-google-chrome-disables-http2-nearly-everyone-may-31st-2016/
For those wondering how to restore HTTP/2 support for Chrome 51 users, there is but one answer: switch nginx to OpenSSL 1.0.2. While OpenSSL 1.0.1 is only receiving security updates (and will stop receiving any updates after December 31, 2016), OpenSSL 1.0.2 is actively maintained and receiving new features, including the successor to NPN, which nginx supports: ALPN, or Application-layer Protocol Negotiation.
Continue reading Compiling nginx with OpenSSL 1.0.2 to maintain HTTP/2 support
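Both nginx changes described on this page, adding the ngx_brotli module and building against OpenSSL 1.0.2 for ALPN, are build-time properties, and `nginx -V` is where to confirm them. The shell functions below, an added example rather than anything from the original posts or the nginx project, parse that output. The two `nginx -V` dumps are constructed, and the module path in the second is an assumption. The first dump is built to show one caveat: nginx decides at compile time, from the OpenSSL headers it was built against, whether it can negotiate via ALPN, so a binary "built with OpenSSL 1.0.1" gains nothing from "running with OpenSSL 1.0.2".

```shell
#!/bin/sh
# Check an `nginx -V` dump for the two build-time features discussed above:
# ALPN (the "built with" OpenSSL version is what counts, since nginx decides
# at compile time whether to negotiate via ALPN) and the ngx_brotli module.
# Added example; both dumps below are constructed.

# A distro package built against 1.0.1 on a host later upgraded to 1.0.2:
# Chrome 51+ still falls back to HTTP/1.1 against this binary.
SAMPLE_OLD='nginx version: nginx/1.10.2
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t  3 May 2016 (running with OpenSSL 1.0.2j  26 Sep 2016)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'

# A self-compiled nginx against 1.0.2 with ngx_brotli added (path assumed).
SAMPLE_NEW='nginx version: nginx/1.11.6
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --add-module=../ngx_brotli'

# Print the "built with OpenSSL" version (e.g. 1.0.1t) from a dump on stdin.
built_openssl_version() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Success when an OpenSSL version string is 1.0.2 or newer (ALPN available).
openssl_has_alpn() {
    v=${1%%[a-z]*}                     # strip the letter suffix: 1.0.1t -> 1.0.1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# Success when ngx_brotli appears in the configure arguments on stdin.
# (A module loaded dynamically via load_module would not show up here.)
nginx_has_brotli() {
    grep -q 'configure arguments:.*ngx_brotli'
}

# One-line verdict for a dump on stdin.
nginx_http2_report() {
    dump=$(cat)
    ver=$(printf '%s\n' "$dump" | built_openssl_version)
    if openssl_has_alpn "${ver:-0}"; then alpn=yes; else alpn=no; fi
    if printf '%s\n' "$dump" | nginx_has_brotli; then brotli=yes; else brotli=no; fi
    printf 'built with OpenSSL %s: alpn=%s brotli=%s\n' "${ver:-unknown}" "$alpn" "$brotli"
}

# On a live host: nginx -V 2>&1 | nginx_http2_report   (nginx -V writes to stderr)
printf '%s\n' "$SAMPLE_OLD" | nginx_http2_report
printf '%s\n' "$SAMPLE_NEW" | nginx_http2_report
```

To confirm the result from the client side, `openssl s_client -alpn h2 -connect host:443 </dev/null` (itself requiring an OpenSSL 1.0.2 or newer client) prints an `ALPN protocol: h2` line when the server negotiates HTTP/2.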
screen all the things
I recently started a lengthy cpan update, but failed to do so in a screen session. I then updated my router’s firmware. Sadly, I had to start the cpan update again.
I really, really try to start every ssh session with screen, for this very reason.