Quite simple, using openssl:
openssl s_client -verify_hostname example.com -connect domain.com:993
This will show if a domain is in that certificate.
Author Archive
SSLChecker a script to avoid expired Letsencrypt certificates
Saturday, May 4th, 2019 | Permalink
Letsencrypt is a wonderful, simple and cost free way to encrypt your SSL traffic.
Since it start it helped protect data privacy to millions of websites. One of the downsides of Letsencrypt is the limited time a certificate is valid. Every three months you need to update your certificates, otherwise your users will be seeing a warning page in their browsers.
But not only Letsencrypt users struggle with the problem of expiring certificates. Also bigger every now and then face the same problem. Just with a different twist. The more servers and components are running SSL and need certificates, the more likely people tend to buy certificates with long running periods. Which means, on one hand you have to touch all these systems only every couple of years, but on the other hand the probability that the colleague that installed the cert is not around anymore. Results in partial failing systems and people under pressure trying to fix system by system.
As I am running multiple servers and also multiple domains, I created a small Python script called SSLChecker which notifies you via email 30,14,3 and one day before a certificate expires.
It can handle multiple domains at once and notify a list of people.
It is under the GNU license released on GitHub. Feel free to contribute, use and help keeping data private.
How to fix the Mac calendar, when syncing is not working?!
Thursday, January 31st, 2019 | Permalink
I often have trouble with my Mac calendar syncing with Office 365. Here is a quick fix for that.
https://michaelkummer.com/technology/fix-calendar-cant-save-event-x-exchange/
Plugins that improve your WordPress performance, page speed and security
Sunday, September 25th, 2016 | Permalink
Despite the optimization on the webserver, it makes sense to install a couple of plugins that secure and speed up your wordpress installation.
In my concrete case, I am using as a minimum the following:
Hyper Cache
Hyper Cache is a simple caching plugin that pre-renders your content, so your webserver doesn’t need to processes all dynamic content for every request and only does this once there is a change.
Super simple, but speeds up your website enormously.
It also supports CDN.
Login LockDown
Limites the amount of possible attempts to login. This helps to prevent bruteforce attacks where an attacker tries random passwords till he has access. Find information about it here.
Stop XML-RPC Attack
Stop XML-RPC Attack helps you reducing the amount of requests going to xmlrpc.php. This could possibly used to flood your webserver with useless requests.
BJ Lazy Load
Lazy Load helps to only load content that the user is looking at. E.g. when opening a long page, not all pictures are visible directly. Some are below the fold. It makes no sense to load these images before they are watched, so this helps preventing unnecessary requests + increases the user experience, while speeding up everything.
EWWW Image Optimizer
EWWW Image Optimizer optimizes and compresses all pictures that you have uploaded or will upload in WordPress. Makes files smaller, while not losing the quality and therefore speeds up the page.
miniOrange 2 Factor Authentication
miniOrange 2 Factor Authentication enables you to use several methods of two factor authentication, means your username + password + a second authentication. This could be e.g. an email, SMS or the Google Authenticator. I highly recommend the Google Authenticator. It is free and simple.
All these plugins are free of charge, some have a pro version, which I don’t need.
Load static content directly thru Nginx
Saturday, September 24th, 2016 | Permalink
Everytime your wordpress blog loads, it is also sending a lot of files that are static e.g. images, CSS, javascript and so on.
In the standard configuration, this is passed thru the PHP process which slows down the delivery as it has to be processed before, even that there is absolutely no reason to do this.
You can avoid this, by configuring NGINX to directly deliver these files and speed everything up.
Add to your https configuration the following line
location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff)$ {
expires 30d;
log_not_found off;
}
If you have more file types that you want to deliver directly and that are static, add them to js|css|png|jpg|jpeg|gif|ico|woff e.g. js|css|png|jpg|jpeg|gif|ico|woff|pdf
Restart your NGINX and you are good to go.
Nginx optimize SSL Test Grade
Saturday, September 24th, 2016 | Permalink
There is plenty articles on this topic.
It is basically limiting the accepted ciphers for the encryption and kicking out old broken encryption algorithms.
My configuration for Nginx looks something like this.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header Strict-Transport-Security "max-age=0; includeSubdomains";
Add this to your specific host configuration in the server {} part for port 443.
For Apache I am using something like this
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA2\
56:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECD\
HE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-\
SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM\
-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
SSLHonorCipherOrder on
Check your result using SSL Test.
WordPress, redirect all traffic from http to https Nginx and Apache
Saturday, September 24th, 2016 | Permalink
To redirect all traffic that goes to a http site to your https site, you have to work with redirect.
If you are using Apache as your webserver, just edit the .htaccess file in your document root.
Be sure mod_rewrite is enabled in your setup.
Then, just simply add the following lines
RewriteCond %{HTTP_HOST} !^www\.YOURWEBSITE\.com$ [NC]
RewriteRule ^(.*)$ https://www.YOURWEBSITE.com/$1 [R=301,L]
For Nginx this needs a little bit more of effort.
Add the following lines into the the server {} configuration for your port 80 webserver within the virtual server configuration. Usually be found in /etc/nginx/site-available/.
location / {
return 301 https://www.YOURWEBSITE.com$request_uri;
try_files $uri $uri/ /index.php?$args;
}
For exception management, have a look at exceptions for redirects
Nginx adding http2 support to improve speed
Saturday, September 24th, 2016 | Permalink
Since version 1.9.5 Nginx support http2, which is a major improvement in comparison to http 1.1.
One of the major differences is https by default. If you haven’t enabled your website for https, then I ask you to read thru my short summary on Letsencrypt and how to set it up.
The second thing is an improvement in regards to overall data transfer. http 1.1 was design at a time in which bandwidth was still a problem. Therefor the RFC set a limit of simultanoius connections as written in RFC 2086.
Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy. A proxy SHOULD use up to 2*N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion.
Means, that the amounts of files that could be loaded from a single host is limited. With http2 this limit falls and websites load way faster then before.
Nginx has a manual to install http2 which I literally don’t want to copy & paste here.
Read yourself and make the internet faster!
Once you’re done, check if your site really supports http2 by using the http/2 and spdy indicator plugin in Chrome.
Improve WordPress ranking by adding https
Saturday, September 24th, 2016 | Permalink
One step to improve the overall security in the internet is the usage of https.
https makes sense for every site, not only banks, insurances and online shops.
It is not only making the communication between you and your user secure, it also could improve your Google ranking.
The simplest way to do this is Letsencrypt. Letsencrypt is free of charge and super simple to use.
It comes with a simple bash script that you can execute and it will take care of all the configuration necessary to encrypt your side successfully.
Go to Certbot choose your setup and follow exactly the steps shown underneath.
In my case this was:
This takes a maximum of 10 minutes and you have a secure connection.
Be aware that your certificate needs renewal every three months, but this only takes a couple of seconds.
I added that to my update script, that I am running frequently to cover for this. I will probably post this pretty soon too.
If you like it, please consider donating to Letsencrypt. Even small amounts like $5 can help to keep this project alive. The cheapest alternative certificate I know costs $25 per year.
And just to mention it, for around $60 yearly you can sign up to StartCom and generate as many certificates as you like.
Once done have a look at the SSL Test to check if your site is fully encrypted and gets a good grade.
If you are getting everything but an A, consider optimizing this as well. Have a look at this blog post for SSL optimization.
Also another step is to redirect all your traffic from http to https, so you are 100% sure to serve only secure content. Have a look at my post to achieve forwarding traffic from http to https.
Pimping a wordpress for high-performance and against DDoS attacks – series
Saturday, September 24th, 2016 | Permalink
For quite a while, I am supporting the finance blog of a friend of mine. He started this as a small blog project (it is still a blog) and quickly got a lot of traffic.
The initial setup was a hosted website with a provider including PHP and MySQL.
Quickly there was too much traffic and the site became really really slow. On top, the possibilities in this environment are limited.
Next step – own server. So we booked him a machine at Hetzner, a German ISP with quite good conditions. I put VMWare in place and virtualizied the entire thing.
As time goes, the machine became old and had to be replaced. So we decided for a new machine and to install everything bare metal (no VMs).
The current machine holds a Skylark Quad-Core processor, 64 GB of RAM, SATA HDD and a lot of more cool things.
So a fairly decent setup.
Recently the site was attacked using several different technics.
This series is about the steps we took to keep the site alive and also gain speed, performance, reduce load and file sizes.
The result of this series should be a WordPress installation on steroids.
You will use and run:
– Nginx
– http/2
– https / SSL encryption
– Caching for WordPress
– Optimized compression for images and files
– CDN
– Fail2Ban to avoid to many requests from one source
– Optimized caching on client side
– Faster page loads
– Lazyload for images
– and many things more