HSTS with nginx and Varnish

SSL is good. It’s not perfect, but it makes life harder for mass surveillance and all websites should be using it. Yes, I know this blog doesn’t – I’ll get around to it.

I upgraded one of my sites to use HSTS, which is an extension to enforce usage of SSL where it’s available. This effectively means that after the first request via HTTPS, the browser should remember that the domain uses SSL and should make sure any subsequent requests are HTTPS. HTTP requests get redirected to HTTPS immediately. This is great – not only does it mean that you’re less likely to have clients making requests in the clear when they should be using SSL, but it means that SSL stripping attacks will be foiled.
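The browser-side behaviour described above is easy to get subtly wrong on the server: the Strict-Transport-Security header only counts when it arrives over HTTPS, it needs a numeric max-age, and a repeated directive makes a browser discard the whole header. The following is an added example (not code from the original post) that parses the header field the way RFC 6797 describes and audits a few constructed responses; the six-month minimum and the sample responses are assumptions for the illustration.

```python
"""Audit Strict-Transport-Security (HSTS) headers as a browser would see them.

Added example, not part of the original post. The header syntax follows
RFC 6797; the minimum max-age and the sample responses below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy threshold: a max-age shorter than this gives little protection
# because the pin expires before the user's next visit.
MIN_MAX_AGE = 180 * 24 * 3600  # six months, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS field value. Returns None where a browser would ignore
    the header: max-age missing or non-numeric, or any directive repeated."""
    seen: Dict[str, str] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')          # values may be quoted
        if name in seen:                      # RFC 6797: directives appear at most once
            return None
        seen[name] = val
    if "max-age" not in seen or not seen["max-age"].isdigit():
        return None
    return HstsPolicy(max_age=int(seen["max-age"]),
                      include_subdomains="includesubdomains" in seen)


def effective_policy(scheme: str, headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """Browsers only honour HSTS on responses received over HTTPS, so a header
    emitted on the plain-HTTP redirect does nothing; the redirect itself is
    what gets the client onto HTTPS, where the header then takes effect."""
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def audit(scheme: str, headers: Dict[str, str], min_age: int = MIN_MAX_AGE) -> List[str]:
    """Return a list of findings for one response; empty means it looks fine."""
    findings: List[str] = []
    policy = effective_policy(scheme, headers)
    if policy is None:
        findings.append("no usable HSTS policy set on this response")
        return findings
    if policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the assumed minimum {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample responses: (scheme, headers) as a client would receive them.
SAMPLES = {
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "short": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "duplicate": ("https", {"strict-transport-security": "max-age=31536000; max-age=0"}),
    "over-http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}


def audit_samples() -> Dict[str, List[str]]:
    return {name: audit(scheme, headers) for name, (scheme, headers) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

The `over-http` sample is the case that trips people up: serving the header on port 80 is harmless but useless, so the redirect to HTTPS has to exist regardless, and the header belongs on the HTTPS responses.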

Securing Webservers (Ubuntu 12.04 LTS)

So I set up a lot of boxes and quite a few of them get hammered on pretty hard by attackers looking to break them open. I’ve been doing more than usual in the way of this lately so figured I’d do a quick round up of some of my favourite tools to make life easier. These aren’t just applicable to webservers but most of the boxes I use these on are.

Recently things have changed: with IPv6 becoming not just a nice-to-have but a need-to-have, you’ll tend to run into quite a few tools that work great for IPv4 but aren’t applicable to, or don’t work on, IPv6 yet.


Sustainable low-budget infrastructure

This month I finish my university career and along with this move I sadly will stop working at Insanity Radio, the student (now community) radio station I’ve been running tech at for about 3 years now. Needless to say, I’m going to miss the place and the people, and the challenges that came with that environment.

Specifically: No budget (a total of £3,000 income annually, compared to the average income of £75,000 for most Community Radio stations according to Ofcom). No paid full-time staff. And a desire for 100% availability regardless.

Over the years the systems at Insanity have evolved and grown – they started out as a single computer for playout, a single encoder and streaming server running Windows Media Encoder with about 50% availability best-case, and we’re now deploying high availability clusters for streaming and encoding, have very few single points of failure, with a total of 21 computers. Back in 2009 we had significant amounts of dead air – outside of a processor failure we’ve had very few incidents since 2011.

Building systems for reliability on no money is a tricky thing to do, and it’s even harder when the people maintaining the infrastructure change on a potentially annual basis. This post is basically a quick encapsulation of some of the most important things to focus on to make such a situation work – not just from a technological perspective but from a human perspective too.