SSL with Docker Swarm, Let's Encrypt and Nginx

A couple of weeks ago, Let's Encrypt announced that support for wildcard certificates was coming in Jan 2018 which got me and my devops friends very excited. Currently with LE, you have to specify all the domains (including www) you want to include in the certificate which is really annoying. With wildcard certificates, this limitation will be gone and you'll be able to create one certificate for all the different subdomains. ūüôĆ Getting SSL to work with Docker and Let's Encrypt has been one of my short term goals recently. I started researching and found that there are some convoluted ways of doing it which involve tying in lots of other services into your stack which you don't need. ūüĎé I've found continue...

My programming story... so far

Early days When I was 12, I was given a Raspberry Pi. For the first couple of days, it was really fun. After I had browsed the web for a while and played a bit of Minecraft, it sat in it's box for a few months. I really had no idea what to do with it. That was until I discovered that I could build a website with it. Wow, that was cool. I installed Apache and spent some time finding out where I needed to put the code. I started off getting to grips with HTML in nano (using inline styling, of course) until I realised I could write CSS in separate files and load them in. That was continue...

How does my stuff work?

I have a bit of a complex set up with all my sites and services, mainly due to using a multitude of different tools and languages to deploy different things. Currently, I have one main OVH server which most of my stuff is hosted on, including different database engines, Node.js and PHP apps. Static sites The first thing that traffic comes into contact with on my server is Nginx. It serves as an ultra lightweight traffic 'handler', whereupon it routes the incoming request to the appropriate location. I do this by using different Nginx config files for different domains. Here is an example: server { include /etc/nginx/mime.types; listen 80; listen [::]:80; # IPV6 server_name finnian.io; # compress continue...

Git directory server vulnerability

Do you use git to manage your site and or server files? In my opinion, this is undoubtably a good way to run things but you need to make sure it's secure. Just try going to yoursite.com/.git/config. If you haven't secured your server properly, you will see the configuration file for your git repository. Not good, huh? Not only could an attacker reveal lots of information about your code base including where the upstream server is, I believe they could possibly get the entire source. This would allow the attacker to see exactly how the site works and be able to exploit it very easily. Now, the good news. It's an easy fix! Here are the two continue...

Cyber Centurion competition at Bletchley Park

Today, the guys at SubjectRefresh and I competed in the Cyber Centurion Security Challenge at The National Museum of Computing at Bletchley Park. The day started with an introduction by the organisers and a brief explanation of how the day was going to work. Then it was off to the marquee to get started securing the machines we were provided with. There were two Windows VMs (server 2008 and 8.1) and one Ubuntu 14.04 image. The team delegated four people to work on the machines in the first part of the day and swapped out two at lunch time. By the end, we'd managed to get 66% of the vulnerabilities on Ubuntu and about 80% on each of continue...