Managing domain and certificate expiration with DomainMOD

With 40 domains–plus a half dozen certificates–to track, I added the DomainMOD tool to my repertoire. Its API integrations, in particular, made it an appealing choice, as I had little desire to manually enter so many details. After three months, I’m quite pleased with my decision.

Installation was as straightforward as a git checkout, creation of a MySQL table, and the addition of a server block to my nginx configuration. With DomainMOD successfully running, I configured it to use my mailserver, then got to importing my domains.

Continue reading Managing domain and certificate expiration with DomainMOD

Running a private Photon instance

Recently, as part of my ongoing quest to self-host as much as possible, I found myself in need of an image proxy. A service I’d installed on an HTTPS-only URL was requesting HTTP-only images, making for a very poor experience.

Continue reading Running a private Photon instance

Abandoning StartSSL

After Mozilla’s devastating report, and both Chrome and Firefox’s decision to stop trusting StartSSL certificates issued after October 28, I had no choice but to replace the certificates I’d obtained through StartSSL.

The process took a few months, mainly due to the associated costs. While most of my StartSSL certificates were replaced with ones issued by Let’s Encrypt, there were a few cases where LE wasn’t appropriate. This primarily impacted domains that have many, many subdomains, however there were also a few cases where Let’s Encrypt’s three-month duration would’ve been burdensome. Ultimately I had to purchase three wildcard certificates, plus three single-domain certificates. With those installed, I’m now free of StartSSL/Wosign. After sixty days, I can rotate the pinned keys, impeding any further use of my legacy StartSSL certificates.

Replacing Slack, IFTTT, and Zapier

To anyone who follows my posts here, my love of open-source software is well-known. Open-source alternatives allow me to host my own nameservers, email, website, and GitHub alternative, and I’ve now supplanted Slack and automation tools like IFTTT and Zapier.

Continue reading Replacing Slack, IFTTT, and Zapier

Preparing for PHP 7.1

I’ve been using PHP 7.0 for just over a year, and the 7.1 branch reached its first stable release last month, so I’ve begun thinking about what the switch will entail. Fortunately, my needs are fairly simple, so I only require two additional modules: Redis and GeoIP. I’ve made one hasty attempt to build 7.1 with support for these features, which failed spectacularly; fortunately, the chance that it was an error on my part is quite good, so things may just work when I try it again.

Sadly, I’m not yet able to drop PHP 5.6 support from my VPS as a few necessary applications still don’t work as expected under newer releases.

I love my CDN

KeyCDN is rather spectacular. I’ve used them for more than two years now, and their features-for-price are unmatched. Of greatest importance to me, they support custom SSL certificates as part of their basic offering. Given my obsession with HSTS and HPKP (see also), this was essential.

In the last six months, they’ve spared my VPS appreciable traffic:

I can’t recommend KeyCDN enough. I’m told that Brotli and IPv6 support are coming in the first quarter of 2017. 🎉

Adding Brotli support to nginx

Last year, Google released a successor to the deflate compression algorithm, Brotli. Chrome adopted it in version 51, and Firefox in version 44 (see Can I use…). That said, from the webserver side, nginx doesn’t support it natively, so Google provides the ngx_brotli module, making it just a matter of compiling nginx.

Continue reading Adding Brotli support to nginx

With your own authoritative DNS, dynamic DNS is easy

At the beginning of the year, I wrote about using nsd3 to run my own nameservers: “Authoritative DNS with redundancy, using nsd and Debian Wheezy“. That post focused on the public-facing benefits of running my own nameservers, notably the flexibility it gives me with regard to record types and update frequency.

As I’ve added more and more services to the Raspberry Pis running on our home network, the flexibility I have has demonstrated another benefit: assigning a domain name to the network’s ever-changing IP address. Time Warner doesn’t offer static IPs for consumer accounts, which presents a challenge to using our router’s native VPN functionality. To make it convenient to connect to our home network from afar, I’ve employed an open-source script and a custom DNS zone to provide dynamic DNS via my own servers.

Continue reading With your own authoritative DNS, dynamic DNS is easy

Give me a Raspberry Pi and I’ll want 12

For quite some time, I avoided acquiring any Rasbperry Pis. I already have four VPS, and I genuinely wanted to avoid expanding the number of Linux instances I was responsible for. My hesitation was for good reason; less than a month after acquiring my first Pi 3, I found a reason to add a second to our home network.

To be clear, I’ve nothing against the Raspberry Pi; I simply knew that my addictive personality would compel me to find ever-more uses for the devices, compelling their multiplication.

Continue reading Give me a Raspberry Pi and I’ll want 12