Adding Brotli support to nginx

Last year, Google released Brotli, a successor to the deflate compression algorithm. Chrome adopted it in version 51, and Firefox in version 44 (see Can I use…). On the web-server side, however, nginx doesn’t support it natively; Google provides the ngx_brotli module, so adding support is a matter of compiling nginx with that module.


Compiling nginx with OpenSSL 1.0.2 to maintain HTTP/2 support

Chrome 51 disabled support for NPN, or Next Protocol Negotiation, the mechanism that millions of nginx servers needed to establish HTTP/2 connections with Chrome users. For anyone running nginx compiled against OpenSSL 1.0.1, Chrome 51 users are still connecting over SSL, but only via the legacy HTTP/1.1 specification, which lacks the performance benefits HTTP/2 imparts.

Both the nginx project and Mattias Geniar provide lengthier explanations of what changed in Chrome 51.

For those wondering how to restore HTTP/2 support for Chrome 51 users, there is but one answer: switch nginx to OpenSSL 1.0.2. While OpenSSL 1.0.1 is only receiving security updates (and will stop receiving any updates after December 31, 2016), OpenSSL 1.0.2 is actively maintained and receiving new features, including the successor to NPN, which nginx supports: ALPN, or Application-layer Protocol Negotiation.


One ssl_protocols to rule them all

For some time now, I’ve hoped to disable support for TLSv1 and TLSv1.1, and move to Mozilla’s “modern” cipher suite. Unfortunately, due to one application not supporting this combination of protocols and ciphers, I’ve been unable to make the switch.


Request type and nginx caching

A few weeks ago, I published a new post and was immediately contacted by Aaron Brazell reporting that the page was blank. A few moments of testing couldn’t reproduce the issue before it “resolved itself,” so I attributed his trouble to some transient problem and thought little more of it. After all, I’d received just one inquiry about this over the last several months of regular publishing.

I should’ve investigated further, as the problem proved quite easy to reproduce.


Planning for the post that Matt links to

For most of the time that I’ve had my multisite network and the underlying infrastructure that I’ve written about lately, I’ve been overly focused on performance and scalability.

I say “overly focused” because I average about 50 views a day here on ethitter.com, on a good day. I write about exceedingly technical–or exceedingly uninteresting–topics, so that’s no surprise.

It’s also no surprise that my two most-popular posts are both about Automattic: the first announcing my hiring, the second declaring that Matt will have to fire me to be free of me. Interest in our hiring process and company culture far exceeds that which exists for my blathering.

When Matt retweeted the latter post back in January, my heart paused, then skipped into overdrive. Beyond the excitement of Matt recognizing my post, I immediately feared the embarrassment of my site crashing.

As it turns out, I had nothing to worry about. The pageviews were, while meaningful for this humble site, insignificant as far as the infrastructure was concerned. No resource-usage alerts were triggered, nor did my provider inform me that I’d exceeded my plan’s allotments. Between Redis-based object and page caching, nginx microcaching, and a robust CDN, there was really no cause for concern.

X-Frame-Options and WordPress post embeds

WordPress 4.4 simplified the process of embedding WordPress content on other sites with the introduction of post embeds. From the feature’s announcement post:

WordPress has been operating as an oEmbed consumer for quite some time now, allowing users to easily embed content from other sites. Starting with version 4.4, WordPress becomes an oEmbed provider as well, allowing any oEmbed consumer to embed posts from WordPress sites.

The problem

As exciting as this feature is, it ran into an incompatibility with my server configuration. I’ve set the X-Frame-Options header to SAMEORIGIN near-universally within my nginx configuration, thereby blocking other sites from displaying my sites in frames; instead, my sites can only display their own content inside of frames. I’ve done so as a security measure against “clickjacking.” This header has no impact on my use of WordPress, nor on visitors’ interaction with my sites, but as I discovered, it breaks post embeds in an awkward way.


Creating Public Key Pinning headers (HPKP)

In my post two weeks ago about setting consistent headers in nginx, one of the headers I was concerned with was the Public Key Pinning header (HPKP). This and the Strict Transport Security header (HSTS) are both defensive mechanisms meant to increase the reliability of secure connections to a given site.


nginx header inconsistency, aka setting headers all the way down

For the three visitors I attract in a month, I’ve had an outsized interest in making this the most secure WordPress site that I can. My focus of late has been primarily on the security-related headers I can set. In particular, ensuring that HSTS and HPKP were present on all requests became a priority.

Why?

A few weeks ago, I noticed that certain assets served from my CDN host lacked the Strict Transport Security headers (HSTS) I’d expected. To the best of my knowledge, I’d configured nginx to set these headers on every request.


Building My Network

Over the past three years, I’ve spent more time than I care to admit on a single project. It started off innocently. Since then it’s grown to occupy a significant place in my daily thoughts.

As you read this, you’re experiencing the product of these efforts. Perhaps you clicked on an eth.pw short URL to get here. If not, your browser still had to figure out how to get to ethitter.com. Now that you’re here, maybe you need to contact me via email. To make any of these endeavors possible, I’ve built a personal “network” of servers and had endless fun doing so.