Tag Archives: linux

HTTPS, encrypt via SSL / TLS

Free SSL certificates and how to install on nginx in 10 steps

Here is how to get free SSL certificates from Let’s Encrypt, and how to stop worrying about certificate expiry thanks to the auto-renewal script. A complete reference for installing a Let’s Encrypt certificate is Digital Ocean’s howto; what follows is a quick guide based on it, plus some additional suggestions. Here we go!

The following commands download the script and make it executable. (1)

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto

The following command creates the directory that nginx will serve for the Let’s Encrypt challenge (the certificates themselves end up under /etc/letsencrypt). Replace /usr/local/etc/my/files/path/ssl_cert with the path you prefer; it does not need to be inside your document root. (2)

mkdir /usr/local/etc/my/files/path/ssl_cert

Now edit /etc/nginx/conf.d/mysites.conf and add this inside the server {…} block, so that http://example.com/.well-known/ is served from that directory (3):

        location ^~ /.well-known {
                alias /usr/local/etc/my/files/path/ssl_cert/.well-known;
                allow all;
        }

Check the syntax and, if it is fine, reload nginx. (4)

nginx -t
systemctl reload nginx

Now run the script to obtain certificates for your domains. Pass every name with -d, the bare domain first and its www name right after it: the first -d name becomes the certificate’s common name and the directory name under /etc/letsencrypt/live/. (5) The script will:

  1. Install the dependencies your system needs (via yum on RedHat-based distributions, apt on Debian-based ones)
  2. Generate a valid certificate

certbot-auto certonly -a webroot --webroot-path=/usr/local/etc/my/files/path/ssl_cert -d example.com -d www.example.com -d mysite.com -d www.mysite.com

An automatic check (the HTTP challenge served from the .well-known path above) is performed and you get a Congratulations message.

Now generate a strong Diffie-Hellman group with this command (6):

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


A Let’s Encrypt certificate is valid for a short period of time: 90 days.

To auto-renew the certificates for all of your domains, add the renewal command to cron (7):

30 2 * * 0 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 0 /etc/init.d/nginx reload

The renewal runs every Sunday at 2:30 am and certbot only renews the certificates that are close to expiry; the reload five minutes later makes nginx pick up the new files. Note that the second job fires whether or not anything was renewed and assumes the renewal finished within five minutes: certbot’s --post-hook option (passing the reload command to certbot-auto renew) runs the reload from the renewal itself instead, and on a systemd system use the same systemctl reload nginx as in step 4 rather than the init script.

Enable SSL on nginx

To enable SSL on nginx, assuming you already have a mysite.conf in /etc/nginx/conf.d mapped to the unencrypted site on port 80, copy the file as mysite_ssl.conf and:

Change all occurrences of:

listen 80;

with:

listen 443 ssl;

This way nginx listens on port 443 with SSL. Make sure the port is reachable from outside (firewall rules and, on SELinux systems, the port policy; audit2allow helps if the audit log shows denials). (8)

Add and enable ciphers. Here is a good cipher list, balancing compatibility with security and using TLS only. (9) Two caveats on the block below: it carries no ssl_ciphers line of its own, so add the list from the link, and TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so keep only TLSv1.2 (plus TLSv1.3 where your nginx and OpenSSL support it) unless you must serve legacy clients. ssl_stapling also needs a resolver directive, otherwise nginx cannot reach the OCSP responder.

server {
    # the port your site will be served on
    listen      443 ssl;
    # the domain name it will serve for
    server_name example.com; # substitute your machine's IP address or FQDN
    # certbot stores the files under the first -d name you passed
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ##### Ciphers and SSL fine tuning #####
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    ##### END Ciphers and SSL fine tuning #####
    # charset     utf-8; etc...
    # ... the rest of your site configuration, copied from mysite.conf ...
}
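The settings in the block above were a sound baseline when written, but a few of them have aged. As an added example (not from the original post), here is a small shell lint that flags the weak spots in that exact block and stays quiet on a hardened variant. It runs over two constructed config files written to a temporary directory; the cipher list in the hardened one is the set of ECDHE suites from the Mozilla intermediate profile, and the resolver address is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for the TLS
# settings in an nginx server{} block, run over two constructed configs:
# the block from the post above and a hardened variant.
# Assumes one directive per line and no '#' inside quoted values.

# Return the config with comments stripped.
strip_comments() { sed -e 's/#.*$//' "$1"; }

# conf_has BODY REGEX: does any line of BODY match the extended regex?
conf_has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Print one finding per line; always exits 0 so callers can count them.
check_tls_conf() {
    body=$(strip_comments "$1")
    if conf_has "$body" '^[[:space:]]*ssl_protocols[[:space:]].*(SSLv3|TLSv1([[:space:];]|$)|TLSv1\.1)'; then
        echo "WEAK: ssl_protocols still offers SSLv3/TLSv1/TLSv1.1 (deprecated by RFC 8996)"
    fi
    if ! conf_has "$body" '^[[:space:]]*ssl_ciphers[[:space:]]'; then
        echo "WEAK: no ssl_ciphers directive, nginx falls back to its default HIGH:!aNULL:!MD5"
    fi
    if conf_has "$body" '^[[:space:]]*ssl_stapling[[:space:]]+on' &&
       ! conf_has "$body" '^[[:space:]]*resolver[[:space:]]'; then
        echo "WEAK: ssl_stapling on without a resolver directive, OCSP responses cannot be fetched"
    fi
    if ! conf_has "$body" '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]'; then
        echo "WEAK: no Strict-Transport-Security header"
    elif ! conf_has "$body" '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]].*includeSubDomains'; then
        echo "INFO: HSTS is set but without includeSubDomains"
    fi
    return 0
}

# Number of findings for a config file.
count_tls_findings() { check_tls_conf "$1" | wc -l | tr -d ' '; }

TLS_TMP=$(mktemp -d)
trap 'rm -rf "$TLS_TMP"' EXIT

# Constructed input 1: the TLS part of the server block from the post.
cat > "$TLS_TMP/weak.conf" <<'EOF'
server {
    listen      443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}
EOF

# Constructed input 2: the same block hardened. ECDHE suites from the
# Mozilla intermediate profile; the resolver address is an assumption.
cat > "$TLS_TMP/hardened.conf" <<'EOF'
server {
    listen      443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # all listed suites are AEAD, let the client pick
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;    # assumption: systemd-resolved stub listener
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
EOF

for f in weak hardened; do
    echo "== $f.conf: $(count_tls_findings "$TLS_TMP/$f.conf") finding(s)"
    check_tls_conf "$TLS_TMP/$f.conf"
done
```

Run it on your own file with check_tls_conf /etc/nginx/conf.d/mysite_ssl.conf; an older nginx that cannot do TLSv1.3 simply lists TLSv1.2 alone and still passes. The checks are deliberately line-based, so a directive split over several lines is not seen.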

Test nginx syntax with:

nginx -t

and then restart nginx to apply the changes (10); on CentOS:

systemctl restart nginx

How to find big files on disk

On Windows: WinDirStat

  • Download and install WinDirStat
  • Run WinDirStat on your disks (it will take time)
  • You’ll see a coloured map of file occupation by file type


On Linux command line: ncdu

  • On Ubuntu / Debian
    • apt-get install ncdu
    • cd /dir/to/check
    • ncdu
  • On CentOS / Fedora / RedHat
    • yum install ncdu
    • cd /dir/to/check
    • ncdu

ncdu official website: dev.yorhel.nl

On Linux with a window manager: k4dirstat

  • On Ubuntu / Debian
    • apt-get install k4dirstat
  • On CentOS / Fedora / RedHat
    • yum install k4dirstat

Again, you’ll see a coloured map of file occupation by file type.

Official website




Turn Raspberry into a small NAS with samba

I got a Raspberry Pi Model B. It’s cheap and I want to do some experiments for fun.

Experiment #1: I have a 1 TB external HDD (FAT) and I want to turn the Raspberry into a very basic NAS.

I used:

  • 1 External USB HDD (with external power supply)
  • 1 ethernet cable CAT. 5 (10/100) or better
  • 1 HDMI cable and monitor / tv
  • 1 smartphone microusb battery charger
  • 1 SDHC (for the OS)
  • Raspbian “wheezy” (tested on 2012-08-16 release)
  • 1 modem router for connectivity (4 port)
  • 1 Windows PC plugged to the router

I flashed Raspbian onto a class 10 SDHC card, followed this useful howto on enabling HDMI output instead of the TV output, and voilà: I have a down-scaled Debian system on a silent little board that I power with the smartphone charger via micro USB (5V, 700mA).

I plugged a wireless mouse and keyboard into the first USB port, then the external drive into the second. Debian reads the FAT partition fine (mounted on /media/MYDRIVE), but now I have to turn it into a wannabe NAS.

Shall we dance? With Samba!

I plugged the RJ-45 ethernet cable from my modem router into the Raspberry Pi and followed this howto in Italian.

$ is a pi console (Start > Accessories > LXTerminal)
# is a root console (Start > Accessories > Root terminal)

# adduser guest --home=/home/public --shell=/bin/false --disabled-password
# chmod -R 0700 /home/public
# chown -R guest.guest /home/public
$ sudo apt-get install samba smbfs

Now I have a new user “guest” without password authentication. The howto covers the creation of a shared home (/home/public) but I do something slightly different (WORKGROUP is the workgroup name of my local network):

Edit /etc/samba/smb.conf:

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

####### Authentication #######
   security = share

   obey pam restrictions = yes
   guest account = guest
   invalid users = root

And now the most interesting part, the share itself (note: security = share was removed in Samba 4; on a current Raspbian the equivalent guest behaviour is security = user together with map to guest = Bad User):

[mydrive]
comment = Mydrive
read only = no
locking = no
path = /media/MYDRIVE
guest ok = yes
force user = pi

Where /media/MYDRIVE is the path to your external usb drive.

And then:

# /etc/init.d/samba restart

to apply.

As this howto explains, “force user” makes every access through the share run as that Unix user (pi, the default Raspbian user), so the guest account can reach files on a device mounted by pi. Be aware of what this share grants: with guest ok = yes and read only = no, anyone who can reach the Pi on the network can read, change and delete everything on the drive as pi without a password. At minimum limit the share to your LAN with hosts allow, or make it read only and keep a separate share with valid users for writing.

Have fun

Now on the Windows machine, in the Network panel, I look for RASPBERRYPI and inside it I find the “mydrive” folder, with all the files from MYDRIVE in it. I play a 720p video without slowdowns. And so, the cheap NAS experiment is successfully completed.

Make Flash works with Chrome on Ubuntu 64 bit

  1. Download Chrome for Linux (64 bit .deb package)
  2. Install the package
  3. On shell type:
    $ sudo bash
    If you don’t have wget installed:
    # apt-get install wget
    # cd /opt/google/chrome/
    # mkdir plugins
  4. Get the latest experimental Flash Player “Square” (the 64-bit preview from Adobe Labs), extract the archive and put the plugin library in Chrome’s plugins folder, e.g.

    wget http://download.macromedia.com/pub/labs/flashplayer10/flashplayer10_2_p3_64bit_linux_111710.tar.gz
  5. Close and restart Chrome: now Flash 10 is working.


Site off-line error after changing mysql to mysqli on Drupal

Sometimes Drupal tries to reach MySQL through the wrong socket, e.g. /tmp/mysql.sock, and reports the site as off-line.

There are two solutions: create a symbolic link from the wrong location to the right one, or change php.ini (e.g. /etc/php.ini) to point to the right socket:

mysqli.default_socket = /var/lib/mysql/mysql.sock

The second solution is more reliable, since with the first one the symbolic link to the socket has to be recreated at every boot (/tmp is usually cleared).


Disable file system check on boot

Sometimes you want to disable the automatic time-based check of an ext2/3/4 filesystem at boot. You can do so with the tune2fs utility: -c0 disables the mount-count trigger and -i0d sets the interval between checks to zero days, which disables the time-based trigger. The filesystem will then only be checked when it was not cleanly unmounted, so do this only where the boot-time delay really matters:

tune2fs -c0 -i0d /dev/mydev

Where /dev/mydev is your device.


Howto extract tracks from mkv and avi

This howto requires:

  • mplayer
  • mkvtoolnix
  • your Linux box 😉

Audio from AVI files (e.g. Xvid + MP3); -dumpaudio writes the raw audio stream, so give the output file the extension of the track’s codec:

mplayer -dumpaudio "mymovie.avi" -dumpfile mymovie_audio_track.mp3

Tracks from Matroska MKV file:

List all tracks:

mkvmerge -i mymovie.mkv

File 'mymovie.mkv': container: Matroska
Track ID 1: video (V_MS/VFW/FOURCC, XVID)
Track ID 2: audio (A_VORBIS)
Track ID 3: audio (A_VORBIS)
Track ID 4: subtitles (S_TEXT/UTF8)
Track ID 5: subtitles (S_TEXT/UTF8)

mkvextract tracks mymovie.mkv 3:mymovie_audio_track.ogg 4:mymovie_subtitle.srt

Creates two files, mymovie_audio_track.ogg (track 3) and mymovie_subtitle.srt (track 4).