HSTS, GitLab, and LetsEncrypt

I set up a test install of GitLab on one of our group's servers, and set up and successfully deployed LetsEncrypt with it. This is awesome! TLS certificates in seconds!

For various reasons, we only have one domain and IP for this overall server, that has multiple VMs on it. I then wanted to set up a monitoring tool, such as NetData.To run this on the same domain I had to set it up on a different port. (This is running in a separate VM to GitLab, but on the same HyperVisor, and hence same domain).

This was all well and good, until you try to visit both in the same browser. GitLab (when running over TLS) enables HSTS by default. This is the behaviour you want for GitLab, i.e. as soon as a client has visited https://mygitlabdomain.com, there should be no way of downgrading a connection to http://mygitlabdomain.com in future visits.

However, for our NetData install (running at e.g. http://mygitlabdomain.com:9999), this was a disaster: as soon as I tried to visit NetData again (from an install that I knew was working fine, and had previously visited), I was a) being redirected to https://mygitlabdomain.com:9999, and b) now only getting ERR_SSL_PROTOCOL_ERROR errors, with no further information. This only occurred after I enabled TLS on GitLab, but didn't notice the link between the two at the time.

Someone sensible suggested that HSTS might be the cause of this behaviour. You can have multiple TLS configurations on the same domain, different ports, but if HSTS is configured for the default ports (i.e. 80 automatically redirecting to 443) then it ties that configuration and requirement for TLS to all ports for that domain.

The immediate, temporary, client-side fix (for testing purposes) is therefore to remove the HSTS config for this domain in Chrome, by going to chrome://net-internals/#hsts and adding the domain in question to the 'delete domain' form. This only temporarily enables the non-port 443 server for use without TLS again.

The longer term fix in (for us at least) seems to be to run the HSTS demanding install (GitLab) on ports other than 80/443, so that the browser doesn't expect TLS for all servers at that domain (on a range of different ports). The better fix of course is to add TLS to all servers on all ports at the same domain!

tl;dr: Be careful with TLS and HSTS when running multiple web-servers on the same domain.

TLS (SSL), WordPress, Apache VHosts, LetsEncrypt, and CloudFlare

It took a little while to get TLS/SSL working with this site as I use CloudFlare, and when I couldn't get it to work, I guessed it was because of CloudFlare, rather than WordPress. The main, persistent error I was getting whenever I enabled SSL in the Apache config was ERR_TOO_MANY_REDIRECTS. Turns out it was actually an error with the (WordPress) redirection all along.

Continue reading "TLS (SSL), WordPress, Apache VHosts, LetsEncrypt, and CloudFlare"

DacMagic 100 USB mode on Mac OS X: 96kHz vs 192kHz

Just bought a brand new Cambridge Audio DacMagic 100, and I'm really pleased with it.

The only slight foible with it was that, out of the box on Mac OS X, it defaults to USB 1.0, rather than USB 2.0. This means that the maximum sample rate supported by default is 96kHz, rather than the advertised maximum of 192kHz.

The simple way to fix it (as found in the depths of the online PDF manual) is found on page 14: Continue reading "DacMagic 100 USB mode on Mac OS X: 96kHz vs 192kHz"

XenServer, VMs, pfSense vs. IPFire, and Heavy Lifting

My research group ordered a nice new shiny server with some grant money, for crunching through models of security protocols with our model checker. We requested a server that would be suitable for lots of heaving lifting with many cores and lots of memory, and eventually ordered a nice shiny Dell Poweredge R630 with 48 cores, and 512GB of memory.

The initial plan was to run a hypervisor on the server, and to have one big VM using ~75% of the server's resources, and then a couple of smaller VMs on the side for other purposes, e.g. a file-server, monitoring, and the like. We were strongly recommended to install ESXi for this purpose, and did so, but sadly found out after installing it that on the free licence version of ESXi, each VM can have a maximum of 8 vCores: not so useful. A licence to do what we wanted was only about £400, but the grant money had already been spent, so that wasn't going to happen. Continue reading "XenServer, VMs, pfSense vs. IPFire, and Heavy Lifting"

Login attempts to my servers

I've got a couple of years worth of logs from this server and others, showing the good the bad and the ugly. Most interesting is it keeps every IP address that has ever tried to connect to each server in the last 24 hours, and emails me a list of these, among other things.

I downloaded my email inbox from GMail and wrote a quick bit of Python to scrape through a .mbox file for IP addresses that had attempted to login. In decreasing order of number of unique IP address which attempted to connect to one of my servers over SSH, the countries are as follows: US (12,048), China (4,614), GB (2,761), India (1,816), Bahrain (1,507), Brazil (1,123), Canada (1,093).

Note that this is just the country of origin of the IP, it doesn't mean the server was actually controlled by someone in that country -- botnets, people!

Here are those IP addresses plotted on a graph, where the x-axis is the first octet of the address, and the y-axis is the second octet of the address, e.g. x.y._._

(Click link for a higher resolution & DPI version).

IP Adresses small (/16)

The vertical banding is what I'd expect, but I'm fascinated by the horizontal banding at ~52 on the y-axis.

I'll publish the code at some point, but at the moment the associated data files have all the full IP addresses, so I don't want to make them public yet.

"Up-Goer Five your Thesis"

My research, described using only the ten-hundred most common English words:

Computers were made to work, and not be safe against people who want to break into them. Bad people started to find they could make money and have fun by breaking into computers, so good people had to start thinking about how to stop bad people breaking into them.

By this point, a lot of very important computers were out there, with nothing to stop people breaking into them. So we are trying to fix that. Turns out, it's easier to make stuff that stops people breaking into them when you think about it from the start, rather than trying to do it after the computer's been made.

At the moment, if a bad person breaks into one small bit of your computer, a lot of the time, they can do anything they want in the rest of your computer. This is bad. What I'm trying to do is make parts of computers (and the way these parts talk to each other) that don't completely break when just one bit gets broken into.

Made with The Up-Goer Five Text Editor.

“AttributeError: ‘module’ object has no attribute ‘blah'”

This is a stupid one.

I was getting the Python error: “AttributeError: ‘module’ object has no attribute ‘mailbox'”

I read this helpful guide, which didn't fix it. I then realised that I had 'import mailbox' in the head of the python file, and the python file itself was called 'mailbox.py': Python takes files in the local folder as higher priority than the modules in the main installation.

Moral of the story: don't name your python files the same as any of the modules you're importing.


Whole screen images in LaTeX & Beamer

As I've just found out while writing my presentation for BluePrint Durham, if you want to put a whole screen image into a LaTeX/Beamer presentation, you can't just centre it, as you end up with a fairly unwieldy left-margin. Unfortunately, the simplest solution that I can see is to use a `tikzpicture' frame.

Make sure you include


in the preamble, and then for each image (per slide), use:

  \begin{tikzpicture}[remember picture,overlay]
   \node[at=(current page.center)] {

(Solution courtesy of StackExchange, as ever.)

My Setup

Wow, it has been a long time. It's always nice see what other people use daily to do their jobs, so I guess it's only fair that I share mine. (Shamelessly inspired by James!)


My main computer is a 2007 Mac Pro (Quad 3.0GHz Core, 5GB RAM with about 3TB of storage, impressively running faster than most people's computers today), attached to a beautiful HP LP2475 24" Professional monitor - I've never been so impressed by a monitor out of the box; the colours on it are perfect for all aspects of photography. Sound system-wise I've got a Cambridge Audio Azur 340a Amplifier, running into some old but perfectly serviceable Celestion bookshelf speakers. In the lounge I've got a Cambridge Audio A1 hooked up to some even older, but just as nice Yamaha bookshelf speakers - these are mainly for casual listening (iPod etc.) or for attaching to my laptop either with a cable or over AirFoil for music, Spotify or iPlayer.

When I'm out my iPhone 4S rarely leaves my sight, and I take my 2008 MacBook (2.4GHz Intel Core 2 Duo, 4GB RAM) with me a lot of the time (less so at night: pub + laptop ≠ great success), some Sony in ear headphones, which are pretty much the best I've found for under £25; when I'm going on a longer journey or period away from home I take my Grado SR60's, which in my opinion outperform most other headphones under £500. They might look a bit dweebish (is that a word?) but they sound absolutely stunning, and you don't have to look at yourself wearing them! I've got an old iPod Classic which is mainly for use in the car, but I keep on forgetting to charge it before long journeys.  I always make a point of taking my Kindle with me if I'm using public transport, but I find that I'm reading more and more books on it full stop. I've also got an old PC set up running Ubuntu (10.04 LTS) as a media(-ish) server, but haven't finished sorting it out yet; the aim will be to get it attached to a projector. Also in the lounge is my Samsung ML-2525w Wireless Laser printer which a friend was kind enough to point out to me at the stupidly cheap price of £50, and is far more useful than a USB-only printer as you only need the router on to print to it, not any specific computer. I'm yet to get Google Cloud Printing to work with it though...

Camera-wise I've got the Nikon D300S with the standard 16-85mm lens, both of which I love dearly, but which isn't complete without the Nikkor 50mm f/1.4, which is frankly sharp beyond belief and my favourite lens ever. I've been pleased to note that the D300S currently retails for the same price that it did when I bought it two years ago! I've got a Sigma 70-300mm, but rarely use it as the glass isn't particularly good. I've got a Nikon SB-50DX flash which in spite of having 'DX' in the name wasn't designed to work with Nikon's Digital SLRs, but is fine as a manual flash. I've got a great & sturdy Camlink Professional Tripod which is a lot better than I expected (given I only paid ~£35 for it). My camera, lenses, other kit and laptop (if I'm so inclined) all fit neatly inside my Crumpler rucksack. I take my camera with me quite a lot of the time, but not as much as I'd like - it's a superb piece of kit, but a tad heavy & bulky for EDC.

My SAD Lightbox is absolutely indispensable (and is hooked up to a timer to aid waking up in the morning), my Kawai piano helps keep me sane when home (it's the equivalent model to the link from about 20 years ago), and I'm lucky enough to have a baby grand to play just beneath my flat (Definitely Not Mine!). Now I just need to get an iPad to read the music from...


OS X Lion (10.7). Google Chrome. GMail in browser & Mail for Durham email. LastPassAdium. Twitter. Dropbox (if you're not using it already, get it now). ReadNow (with InstaPaper). NetNewsWire (with Google Reader). iTunes. Spotify Unlimited (best £5 I spend each month). VLCAperture 3 (although I'm in the process of moving over to LightRoom). Photoshop CS5. Textmate is simply wonderful. TeXShop for as many documents as I can physically manage (from the wider MacTeX package). MS Office (grudgingly, although Excel's pretty good). Transmit. MacGPG (integrates wonderfully with Mail). Terminal (all the time; Oh-My-ZSH, OpenSSH, IRSSI, Github, nanoc... the list goes on.) Flux is absolutely superb software for anyone who uses their computer after sunset (so, everyone) as it slowly adjusts the colour temperature of your display after the sun sets based on your location. Seems odd at first, but only takes 10 minutes to get used to! Easily cancellable if you're e.g. editing photos.

I probably use other software on my Mac Pro, but I'm writing from my MacBook right now so can't remember what I'm missing... there will be an update at some point.

I feel as if there's a section missing here... perhaps 'websites read/used daily'? Web Apps and the like are in many ways now so close to downloadable software that they should at least get a mention. GMailWorkFlowy and RememberTheMilk (with 'A Bit Better RTM') are permanently open in pinned tabs. I try, but fail, to avoid Facebook (enough said). I like Flickr a lot, but don't upload enough.  Otherwise I've got so many websites' RSS feeds loaded into Google Reader that I can't list them all here, but I am a big fan of (and probably spend a little too much time reading) BoingBoingLifeHacker, Hack A Day and Wired. Oh, and The Guardian, in electronic or dead-tree format.

If I were to improve anything in my setup, it would be (in agreement with James) SSDs in both my MacBook and my MacPro, but unfortunately not until I get paid quite a bit more. A decent, modern flash for my camera would rock too, but otherwise I'm a pretty happy bunny! (#1stworldproblems much?)

Writing this has pointed out a) just how many Apple products I have, and b) just how lucky I am generally, but then I knew that much already.