If you’re migrating from Windows and you’ve already a Windows installation of OpenVPN you can copy .key, .crt, .conf and .ovpn files from the OpenVPN location. Copy these files to your Linux home (e.g. ~/openvpn/) and reshape permissions to allow the access only to the owner.
After you’ve the .ovpn, .crt, .key files locally, you can test the connection using these commands:
cd ~/openvpn/;
sudo openvpn my-openvpn-file.ovpn
Type the sudo password, wait and the connection should be established successfully. Press Ctrl+C to stop the VPN from command line.
Now you can configure the Network Manager to accept the .ovpn file.
Click on the network icon on the top right corner of the screen and look for VPN Settings.
Click the + icon aside the VPN title and select Import from file…
Select the my-openvpn-file.ovpn you’ve checked before. A form containing user certificate, CA, private key and the gateway will be automatically filled. It’s very important to select .ovpn and not .conf since the latter will not work.
If the private key is password protected you can also type the password and on Advanced you can do some fine tuning but it’s usually unnecessary.
On the Details tab, uncheck the automatic connection option if you don’t want to start the VPN at every login and choose if you want to allow other users to access the connection.
On IPv4 and IPv6 you can disable a specific protocol or limit the connection to “Use this connection only for resources on its network“. This last step is particularly important because using VPN can limit network connection.
Press Apply and you should be able to connect pressing the network icon on the top right corner > VPN > your VPN name.
If you get the “Failed to start Authorization manager” while booting a Linux OS (e.g. CentOS) most likely you’ve a SELinux misconfiguration.
The main issue is that if you’ve restarted the system, you cannot login since OpenSSH service is not running. If you’ve a virtual server, even the console shipped by your provider is stuck on the Authorization manager error.
The reason behind this in my case was a completely wrong value in SELINUXTYPE.
The example below is valid for a Digital Ocean’s droplet running a CentOS 7 but can be adapted to other providers and distro.
To fix it I had to:
1. Boot the OS with initramfs (also called Recovery Kernel). You can do this on the dashboard provided by your virtual server provider (e.g. on Digital Ocean)
2. Open the console from your provider’s dashboard
Go to a new blank line after, then type Ctrl+D to quit. Since initramfs hasn’t a text editor like vi or nano, the simple cat > filename do the trick.
5. From your dashboard, change the kernel version to what you’ve used previously and Power Cycle (reboot) the machine using the dashboard because a reboot from initramfs in this state will restart initramfs itself.
Open the provider’s console on boot to see your system working again. Wait the services to start and then connect with your SSH client to see again your files and get again the control of your server.
Be careful when configuring SELinux again and create a shapshot and/or backup after you’ve restored your server…and before changing SELinux again.
HTTPS is a great improvement to a website security. However, HTTPS comes in different flavours and among these there are very weak ones.
Among protocols, SSL have to be avoided because it is not secure. Its successor, TLS, comes in different versions and supports different ciphers. To be short, the cipher is the encryption method/algorihms the website and the client use to talk each other.
The combination of protocols and ciphers available to implement HTTPS will limits the type of clients capable to access the website.
To be sure your website will not lose traffic, you have to balance the strongest ciphers available with the most compatible but still secure, dropping all weaker ciphers.
Check the strenght of your HTTPS implementation
If you’ve already implemented HTTPS on your website, first you’ve to check ist current security status of protocols and ciphers.
Check your hostname on Qualys SSL Labs pasting the HTTPS protected domain on the Test your server section. It’s a fast method with a very detailed output for public websites.
The report will give your hostname a rank, a detailed list of issues, browser support, and the complete list of supported ciphers. Among these ciphers, you can get some ciphers highlighted in yellow. You have to get the rid of these no matter what.
The list of ciphers actually differs from a typical cipher declaration on nginx because nginx can use the OpenSSL naming and Qualys uses IANA naming.
Here’s an helpful conversion table by Mozilla where you can convert IANA to OpenSSL and the other way round. Take note of the weak ciphers but wait before start to cut your cipher declaration on nginx.
You’ve to check how many visitors you’ll lose after the cut first.
Get the website statistics
Using Google Analytics or similar services and software, go to the Audience > Technology > Browser to get a list of your visitors’ browsers. Select a timespan like the last year or less.
You can add Browser version or OS version as secondary dimension to match the list of supported browsers from SSL Labs. You’ll get something similar:
Well, someone is still using Internet Explorer 9.0 in 2018.
Since Internet Explorer running on old Windows versions (like XP) is one of the most troublesome combination, check how many visitors use this legacy software.
On Google Analytics type on the search box “Internet Explorer” and you’ll get the browser usage of this legacy browser. Select OS version as secondary dimension to get a list of OSes using IE.
Compare this list with the report from SSL Labs and with the conversion table from Mozilla cited above and count the number of visitors you want to cut off from your website in the sake of security.
Cut the weak ciphers
Trimming down the ciphers declaration on nginx conf you’ll get something like this:
Each cipher is separated by a ‘:’ and at the end some elements (typically using OpenSSL naming) are forbidden with a ‘!’.
Here’s the context:
server {
# the port your site will be served on
listen 443 ssl;
# the domain name it will serve for
# substitute your machine's IP address or FQDN
server_name example.com www.example.com;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# cfr. ........................................
ssl_ciphers ** PASTE CIPHERS HERE **;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
charset utf-8;
# This is for Let's Encrypt
location ^~ /.well-known {
alias /path/to/.well-known;
allow all;
}
# max upload size
client_max_body_size 75M; # adjust to taste
location /webpath {
alias /path/to/web;
}
}
Change the conf file, reload nginx (on CentOS 7 systemctl reload nginx) and then re-run the SSL Labs test.
The Qualys’ tool will show you the new incompatibility with legacy browsers in the Handshake Simulation section:
Modern protocols and ciphers implemented using the above declaration on nginx cut off IE 8 on XP and IE 6, the report explain.
According to the technology used by visitors of the analyzed website, few visits are sacrificed for better security for both visitors and host.
Tune these settings according to your needs, keep monitoring the tecnology used by site visitors and dropping legacy system progressively, with Modern compatibility as a (not so) long term objective.
I’ve started using Drupal on 2007. For about 9 years I visits drupal.org almost on daily basis, I released a module, I suggested some patches, participated to local events and so on. I’ve started working on Drupal with Drupal 5 and I ended on Drupal 7 with a long time on Drupal 6.
In the meantime, Acquia was created to support Drupal development and make some money from the project and for the project in a typical open source scheme, free software accompained to paid services.
This is my report based on those years.
Flaws
On my journey to Drupal and beyond, I enjoyed the community but I’ve seen many issues in those years:
Too much security flaws in core and contrib.
Too much bugfix to fix these flaws: maintaining tens of website without Acquia automatic update services become a challenge (and it’s the reason you want to pay for it).
Contrib modules are frequently poorly designed and maintained.
Issues remains unfixed forever or are automatically closed without being actually fixed on both core and contrib.
Any major version released can be totally different from the previous one, requiring extra efforts for nothing.
Drupal inherit all the PHP problems and try to overcome them with internal functions replacing some of those from the language accompained with the good Drupal API documentation.
The result of these issues together is that you cannot use Drupal without a dedicated Drupal team to take care of fixing components. Even two people are not enough to develop and follow couples of Drupal websites, not to mention a lone developer.
I’ve talked with other developers that used Drupal and other applications to design and publish websites and their assumption is easy: if you have a small team, you cannot use Drupal. Not anymore. Maintainance would be overwhelming.
Following this fondness for big teams, the release of Drupal 8 confirmed how low is the power of the community become compared to core contributors and Acquia (where many of them now works). They deliberately moved this open source software from a multipurpose Content Management System usable from small and big firm to a software that has the Enterprise world in his mind and forget the others.
This was a shock for many small developers and enthusiasts.
GTFO
I’ve read about Drupal enthusiasts that suffers the same uneasiness of mine after long-time Drupal and PHP development.
Here’s a list of theirs experiences along with the number of years they used this software:
Some of them migrated to Django like me. During this journey I’ve discovered a wonderful language like Python and his tools and documentation. I’ve also discovered how deep you can customize the framework to do the job, concentrating on the important things.
You cannot tell the difference without using another framework like Django or WordPress, just to pick some very different beasts. You need to compare Drupal with others to try the difference.
Try and choose
While Drupal try to overcome PHP language, Django uses only a fraction of the power of Python and it’s not the best tool on the Earth for building website like I supposed Drupal was.
This means that I can move for example to Flask when I have to build small of focused web applications, or to Kivy when I have to make a desktop and mobile app using the same language, the same Python packages, building my own classes to share when needed.
This is actually a change of perspective, to choose a language before the framework to easily switch from one to another in case the project go wild.
Upgrading an existing application using a well designed framework is straightforward compared to the major versions migration on Drupal. During the last 7 years, Django preserved much of his structure making simple the maintainance and the upgrade of websites. Virtualenvs surely helps, but the whole design supports the developer in his duties. This is not an unique feature of Python and Django, but it’s what it lacks to PHP/Drupal.
Here’s and example of how a framework built in Python can scale and how to migrate between major versions of the language here, even a very big website can be feasible when the framework design works in your same team:
Decreasing popularity
Another reason to think about leaving Drupal is his decreasing popularity. It seems naif but it’s a very important matter for open source software since a weak community leaves bugs unfixed and create less contrib modules.
Here’s the popularity in Google Trends of Drupal compared to Django between May 1st, 2007 and December 31st, 2017:
Golden age for Drupal was long time ago, at the time of Drupal 6 and early 7. Decline followed the effort to build Drupal 8 in 2012 and the outcome of this transition is better described by this graph:
Drupal was a credible WordPress competitor back on 2008 scoring a 1:3 ratio in Trends at the time of Drupal 5. On January 2018 with Drupal 8 as major version it’s passed to 1:10.
Drupal failed to become the alternative for WordPress and actually was surpassed by niche, low-level alternatives like Django. Because by now:
Who wants to build web applications uses Python/Django, Ruby on Rails, Javascript/Node.js, Java, C# and so on.
Who wants to build website with a great backend still using PHP uses WordPress.
PHP as a declining language
If it’s not enough, here’s the TIOBE index for PHP language compared to Python from 2002 to 2018:
These are simple indexes, but you can find other evidences about the usage crisis of the couple Drupal/PHP. Take another index like PyPL, read some of the experiences listed above or read this good picture of Drupal development cycle. Find as many sources as you want, the conclusion is the same: Drupal is now a declining framework written in a declining language. Who still uses PHP go for the winner WordPress.
What is to be done?
If you read this, probably you’re asking yourself how to leave Drupal. Start to use another language and framework to suit your needs and then try the difference. If you still want to use Drupal, using another language and framework will surely help you to write better code.
Last months I looked for a tool to shape my community on Twitter to follow interesting profiles and to increase my followers.
I had bad experiences using integration from third party (app) so I wanted this tool to be able to create my own app on Twitter without 3rd party involvment for better security and privacy.
Since I wanted real new followers and I don’t want to violate Twitter policies I looked for a tool able to select and filter users from my network, choosing only those whom are relevant to follow.
I wasn’t looking for a new, fancy SaaS website with a monthly fee to pay, and I want to handle many accounts at the same time without additional costs.
I wanted a tool able to run on my own PC and with the full access to the source code to avoid my data to be stolen and to understand its inner mechanics.
Well, that tool doesn’t exists at the time.
So I decided to write my own.
The fancy app
When I start to develop a full-featured Twitter app for desktop with a user interface running on my local machine. I started to add icons for the actions, tables to list users, buttons to do actions, a lot of checkboxes to select users and so on.
The result was a good-looking app that works. But when I tried to filter and select users using some criteria it all became clumsy.
As a programmer, I started to feel my own application as a cage.
I wasn’t allowed to search for users on my network for multiple or complex criteria. I wasn’t able to merge, diff or intersect different set of users.
Then I realized that what I was really looking for wasn’t an app but a brand new scripting language to manage social networks.
The programming language
I started to look for open source solutions able to create this new programming language for social media management using Python 3. There is a small bunch of instructions to add to this programming language but I want it to be efficient and well-designed.
Here comes in help TextX by the professor Igor Dejanović, a parser build on top of the ArpeggioPEG. Among all formal languages and parsers, Parsing Expression Language (PEG) seems to me the better for my purpose and the most modern approach to parsers.
The grammar of this new language is written on a single file and can be graphically represented using DOT language. Then TextX use the grammar to parse the language using a Meta-model where the language comes to life.
.ows language grammar
To handle the Twitter management I used the solid Tweepy by Joshua Roesslein and to query the social network SQLAlchemy and SQLite.
Scripts are launched by command line and an interactive console with history is available to manage your Twitter account using the scripting language using the Python Prompt Toolkit by Jonathan Slenders.
JournaKit Followship .ows
All these free software / open source tools among others are the construction blocks used to create this bare-bones social media managers’ tool for Twitter.
A simple scripting language to manage and expand your network of followers and friends with complex queries, running on my PC, registered with custom application on Twitter and executable on many accounts at the same time.
Its name is JournaKit Followship .ows and it’s available on Gumroad. The complete application, the source code and a comprehensive user manual are provided allowing you to master the .ows language.
This is the first application of the JournaKit suite aiming to help journalists and writers whom use the web to share their works and to discover new sources and contacts.
Comment this article or contact me privately if you want to know more about it.
