Two weeks ago, the VPS that hosts this site moved to a machine that had been patched for the Spectre vulnerabilities. Immediately, I began receiving warnings about high load, and these alerts continued unabated for over a week. I tried moving services to other hosts, and I reduced the resources allocated to
php-fpm, all to no avail.
As I continued to monitor and debug the situation,
fail2ban regularly appeared among the top resource consumers, but I didn’t think much of it;
fail2ban has always been a voracious resource user, but it’s an indispensable tool, so removing it wasn’t an option.
Continue reading Restoring performance after Spectre updates
Earlier today, I switched from custom PHP builds to sury.org's PHP 7.2 builds. I've been using his builds on my Photon server for some time now, and I've lost interest in maintaining my own builds, so this seemed like a natural progression.
Previously, I used
curl to trigger
dyndnsd updates via my Raspberry Pis. This worked well for many months, but lacked IPv6 support as
dyndnsd was interpreting my IP from the request. Fortunately, the daemon accepts parameters for IPv4 and IPv6 addresses, so I wrote a Go program to handle regular updates. It still relies on cron, but passes explicit IP values and moves all options to a configuration file.
The client is available from https://git.ethitter.com/open-source/dyndnsd-client. I don't provide built binaries yet, but I'd like to soon.
If your ISP doesn't support IPv6, or if you run multiple daemons on the same network, options are available for your situation. Take a look at the readme for more.
Hopefully someone else finds this useful!
After a few successful months of testing Packet.net, I've once again moved
git.ethitter.com. The decision was purely financial–my GitLab instance doesn't receive enough traffic to warrant Packet.net's pricing. As far as reliability and value were concerned, Packet.net was excellent. I would've appreciated built-in backups, but otherwise, I have no complaints about the service.
It will likely come as little surprise that git.ethitter.com is back on Linode. Compared to Digital Ocean, Linode is slightly more-generous with its resources, and GitLab wants all the resources it can get.
The migration itself was quite easy, with most of the time was spent preparing the server; GitLab's backup/restore process did most of the hard work. Now I just have to finish the ancillary setup, like monitoring.
Almost exactly four years after I first installed GitLab, I’ve migrated my instance to a new host, and in the process, finally switched to their “omnibus” install.
Continue reading Upgrading my GitLab experience
With 40 domains–plus a half dozen certificates–to track, I added the DomainMOD tool to my repertoire. Its API integrations, in particular, made it an appealing choice, as I had little desire to manually enter so many details. After three months, I’m quite pleased with my decision.
Installation was as straightforward as a git checkout, creation of a MySQL table, and the addition of a server block to my nginx configuration. With DomainMOD successfully running, I configured it to use my mailserver, then got to importing my domains.
Continue reading Managing domain and certificate expiration with DomainMOD
Recently, as part of my ongoing quest to self-host as much as possible, I found myself in need of an image proxy. A service I’d installed on an HTTPS-only URL was requesting HTTP-only images, making for a very poor experience.
Continue reading Running a private Photon instance
After Mozilla’s devastating report, and both Chrome and Firefox’s decision to stop trusting StartSSL certificates issued after October 28, I had no choice but to replace the certificates I’d obtained through StartSSL.
The process took a few months, mainly due to the associated costs. While most of my StartSSL certificates were replaced with ones issued by Let’s Encrypt, there were a few cases where LE wasn’t appropriate. This primarily impacted domains that have many, many subdomains, however there were also a few cases where Let’s Encrypt’s three-month duration would’ve been burdensome. Ultimately I had to purchase three wildcard certificates, plus three single-domain certificates. With those installed, I’m now free of StartSSL/Wosign. After sixty days, I can rotate the pinned keys, impeding any further use of my legacy StartSSL certificates.
To anyone who follows my posts here, my love of open-source software is well-known. Open-source alternatives allow me to host my own nameservers, email, website, and GitHub alternative, and I’ve now supplanted Slack and automation tools like IFTTT and Zapier.
Continue reading Replacing Slack, IFTTT, and Zapier
Two weeks ago, I noted that I was preparing to switch from PHP 7.0 to 7.1. It took me a bit more time than expected, thanks to a segmentation fault that appeared in 7.1 when using OPcache.
Continue reading Upgrading to PHP 7.1