Code, Security and Server Stuff
Views are my own and not my employer's.
This is how I setup Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse on my domain and 1 sub domain.
Read the full article here: https://fearby.com/article/setup-a-certification-authority-authorization-caa-dns-records-to-prevent-https-cert-issue-misuse/
This is how I replacing Google Analytics with Piwik/Matomo for a locally hosted privacy-focused open source analytics solution
Advertisement:
Aside
I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.
Now on with the post
Google Analytics
I will fully admit Google Analytics is good. I posted this a while ago on how you can set up Google Analytics on your site.
Google Analytics has some great charts and graphs. Simple to set up and easy to use.
My site traffic is growing and I would prefer to hold my own analytics on user data. Matomo is an analytics solution that stays on my server and not in the hands of Google.
Google Analytics can be Slow
Sometimes the Google Analytics server is slow (affecting the speed of my server). I blogged recently about speeding up a WordPress site here and Google Servers were not adding expiry headers on assets.
I did log a ticket with Google to fix this and the experience was terrible.
Support for Google Analytics is terrible
GT Metrix scores show poor delivery of tracking assets.
Privacy
After the Cambridge Analytica fiasco (that made me decide to delete facebook) sending analytics to Google is not a good idea.
I am not saying Google is evil but I want my site’s visitors tracking data to remain local.
Website Speed Benchmark before installing Matomo
I can load my site in 1.3 seconds at best, 1.5 seconds on average and 2.0 seconds at worst. My site is loading 11 assets.
Page Speed Scores
Y Slow Scores, Gogol Assets are reporting no expiry headers (slowing down scores)
Advertisement:
Google Analytics tracking assets are slow.
Optimizations to be made
Browser caching is not possible with Google Analytics.
Missing Expiry Headers (I can see a Google Tag Manager server is slowing down my servers benchmark score)
Why Mamoto (instead of Google Analytics)
I came across
Someone pointed out that @haveibeenpwned got a bunch of traction on Reddit today. With pretty much everything now either cached by @Cloudflare or served by @AzureFunctions, the first I know of a 28x traffic increase is no longer when something scales it’s when someone tells me 😎 pic.twitter.com/ifj7nQg3n4
— Troy Hunt (@troyhunt) November 5, 2018
Mamoto was mentioned
It’s an Open Source, self hostable, privacy friendly alternative to Google Analytics:https://t.co/NiK7A7uQAE
— Lukas Winkler (@lw1_at) November 5, 2018
I visited https://matomo.org/
Snip
> Take care of running Matomo yourself by installing it on your own server. There is no cost for Matomo itself but you need a server and update Matomo & your server regularly to keep it fast and secure. Need help? The Matomo team provides free help resources and paid support.
Source Code
Source code is available.
> Matomo is the leading open alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites, apps & the IoT and visualise this data and extract insights. Privacy is built-in. We love Pull Requests! https://matomo.org/
https://github.com/matomo-org/matomo
Installation Guide
I read the installation guide here https://matomo.org/docs/installation/
You can view the change log here https://matomo.org/changelog/
Downloading Mamoto
I logged into my server via SSH and downloaded the 18MB download to the desired folder
I unzipped the zip file
I loaded the URL where Matoto was installed (e.g “https://fearby.com/folder/subfolder/matomo/”)
I received this well-crafted error.
Raw Output
I refreshed the page after running the commands above on my site (via SSH)
A system check was performed. I installed when PHP 7.2.11 was the latest, PHP 7.2.12 or higher might be available. Follow my guide to update PHP on Ubuntu.
I had one Issue with Freetype not being installed.
I solved this error by installing freetype
Output
Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'freetype-tools' for glob 'freetype*' Note, selecting 'freetype2-demos' for glob 'freetype*' The following NEW packages will be installed: freetype2-demos 0 upgraded, 1 newly installed, 0 to remove and 66 not upgraded. Need to get 123 kB of archives. After this operation, 728 kB of additional disk space will be used. Get:1 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 freetype2-demos amd64 2.8.1-2ubuntu2 [123 kB] Fetched 123 kB in 0s (965 kB/s) Selecting previously unselected package freetype2-demos. (Reading database ... 122574 files and directories currently installed.) Preparing to unpack .../freetype2-demos_2.8.1-2ubuntu2_amd64.deb ... Unpacking freetype2-demos (2.8.1-2ubuntu2) ... Processing triggers for man-db (2.8.3-2) ... Setting up freetype2-demos (2.8.1-2ubuntu2) ...
Then I installed “php-gd”
Output:
I refreshed the Matomo setup wizard page, Freetype is now installed 🙂
Advertisement:
Database Settings
For the life of me, I could not get Matomo to talk to a database on another server so I set it up on my localhost.
I used this guide to help in mysql CLI to create the database and users.
Commands in mysql to create a database and user and assign the user to the database. If you are not comfortable with MySql CLI you can use Adminder GUI.
I used this PHP code to test connecting to the dedicated server before using the localhost
<?php
$servername = "localhost";
$username = "databaseuser";
$password = "#################";
$dbname = "tbdatabasename";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} else {
echo "Connection Success";
}
$conn->close();
?>Database created ok
I created a Matomo user then I grabbed the javascript tracking ID code so I could paste this into WordPress.
I opened my WordPress theme settings and deleted the Google tracking tags and added the Matomo tracking code.
I added the Matomo tracking javascript in the head section.
The dashboard is up and collecting data.
Some reports are missing data so I will come back later.
After 1 week I could see data
Advertisement:
Securing Mamoto
I read this guide here to secure Matomo
Opt Out Tracking
I enabled Opt Out Tracking in the Mamoto settings and added the generated opt-out code to my front page and at the bottom or all existing articles.
I had to allow iframe tags on my site by adding this header in NGINX (previously I blocked iframes)
add_header X-Frame-Options sameorigin
Add Opt Out Tracking Code to WordPress.
I updated my privacy page and my GDPR notification bar. Now visitors will see a opt out of tracking on the front page and all article pages.
SMTP Settings
I added my GSuite mail server settings to enable sending of reports via email. I loaded my old guide here to get the GSuite SMTP settings.
I enabled force https on the Mamoto application (edited: config/config.ini.php file)
[General] ... force_ssl = 1
Matomo Plugins (Marketplace)
I opened the System then Plugins section of Matomo to open the Marketplace
I installed these plugins
Updating PHP
Matomo Admin (Panel – Security/Diagnostics) section will report if your PHP gets out of date.
Hardening Advice
I enabled 2fA Authorisation at logins (Google Analytics Plugin).
Read my guide here on hardware 2FA YubiCo YubiKeys here.
php.ini hardening changes
Matomo also recommended some php.ini file changes.
> open_basedir – open_basedir is disabled. When this is enabled, only files that are in the given directory/directories and their subdirectories can be read by PHP scripts. You should consider turning this on. Keep in mind that other web applications not written in PHP will not be restricted by this setting.
> upload_tmp_dir – upload_tmp_dir is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access temporary copies of files uploaded via your PHP scripts. You should set upload_tmp_dir to a non-world-readable directory
This may break your WordPress so enable at your own risk. I might move Mamoto to a dedicated “analytics” subdomain then enable these options.
Advertisement:
Troubleshooting
I had to run this command when installing Device Pixel Ratio, Device Network Information, Bandwidth plugins
Output:
GTMetrix (After)
GT Metrix reports that my site is not slower (still 1.5 seconds)
I can see that some JavaScript is not being picked up by CDN.
Also 2 More files loading (when compared to Google Analytics)
Time to add the Mamoto files to my CDN.
Adding Matomo Resources to a CDN
I read this Matomo forum post.
I copied these 2 assets to my WordPress wp-content folder (my WordPress CDN ewww.io will then upload them to the CDN).
I have cache everything enabled in ewww.io and this will copy the javascript assets ot my CDN. I will need to manually update these js files each time a Matomo update is installed.
I change my Matomo tracker code to include the new CDN location
<!-- Matomo -->
<script type="text/javascript">
var _paq = _paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//fearby.com/utils/matomo/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src='https://fearby-com.exactdn.com/wp-content/piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<!-- End Matomo Code -->
Advertisement:
I could not find out how to change the location of my (now CDN cached https://fearby-com.exactdn.com/wp-content/optOut.js) so I temporarily disabled the opt-out form on my front page.
todo: Find out how to change the CDN location of optOut.js and re-enabled the form.
All assets are loading from CDN.
Analytics Reporting
Graphs are not as pretty as Google Analytics but they are working.
Mobile Reporting
Mobile reporting is good too.
Updating Matomo Plugins
Don’t forget to update your plugins from the Matomo dashboard.
Updating Matomo (Core)
Matomo has an official guide on how to update Matomo here.
I do not have FTP so I will perform the manual three step update.
But before I do that I will manually backup my web server and database server just in case.
I backed up my Matomo config (I SSH”ed to the server)
$ cd /www-root/matomo-root/
$ cp ./config.ini.php ./config.ini.3.x.x.php
I navigated to the folder above my Matomo folder
Advertisement:
$ cd ..
$ cd ..
I downloaded Matomo
$ wget https://builds.matomo.org/matomo.zip
I unzipped the zip file
$ unzip -o matomo.zip
I removed the matomo.zip file
$ rm matomo.zip
I loaded the Matomo Login page again and was prompted to update the database.
Matomo reported it was updated Successfully.
Oops and error in config error appeared when I tried to login.
Oh, Do I need to replace the config file with my backed up config file?
(edit: Yes Matomo say to do this, my bad)
Ten seconds later I accidentally deleted all my config files (I had zero backups), the next 2 minutes were spend shutting down my servers (web and db) and restoring them from backup. Thanks goodness UpCloud are awesome hosts.
I now had to restore my servers and repeat the steps but this time restore my config file before logging back in.
I did this but had thew same error
> An error occurred
> Authentication object cannot be found in the container. Maybe the Login plugin is not activated?
> You can activate the plugin by adding:
> Plugins[] = Login under the [Plugins] section in your config/config.ini.php
I checked my replaced config.ini.php and it did have
> [PluginsInstalled]
> PluginsInstalled[] = “Login”
I googled and found this page that said reset your password (this was not an option as Matomo was not loading)
I logged into mysql with my Matomo user
> mysql -u matomodbusername -p
> Enter password:
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Server version: 5.7.xxxx
> Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
> Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
> Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
> mysql> show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| matomodb |
+——————–+
> 2 rows in set (0.00 sec)
The account and database seems ok.
Advertisement:
I tried “FLUSH PRIVILEGES;” with no luck
I tried to sop mysql but it was locked
It was late so I rebooted my server (it did not come back up after a few minutes, I forced a reboot)
I still had an “Authentication object cannot be found in the container.” error when trying to login to Matomo???
I re-checked the “config.ini.php” file after reding threads at the Matomo Forums
$ sudo nano /www-root/matomo-root/config.ini.php
“Plugins[] = “Login”” was not in the “[Plugins]” area of the file??? I added it, saved the change and was able to reload the Matomo GUI.
I checked some key reports.
Visitors over time:
Visitor Location Map
Visitor Overview
Out links Clicked
Nice
I subscribed to the Matomo newsletter here to keep up to date with Matomo update releases: https://matomo.org/newsletter/
Advertisement:
Good luck and I hope this guide helps someone
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Revision History
v1.2 Hardening info
v1.1 Updating Matomo
v1.0 Initial post
I recently had an issue where I set up a website for a friend. I invested 6 hours into setting up, the server and backups were automatically deleted after 7 days while I was away from my keyboard because I assumed the account was valid and had credits.
Read Full Article:
No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
Advertisement:
Aside
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Murphy’s Law
I recently had an issue where I set up a website for a friend. I invested 6 hours into setting up..
I setup…
I had tested GTMetrix scores = less than 1 second. Security headers were tested and I was happy with the site.
The server and backups were automatically deleted after 7 days while I was away from my keyboard because I assumed the account was valid and had credits.
Lesson Learned
I have guides on setting up a server on UpCloud, AWS, Vultr, Digital Ocean but setting up can be rather repetitive so how can you prevent resetting up servers?
Why Plan for the Worst
How I will prevent this in future
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Revision History
v1.0 Initial Post
This is how I set up a dedicated Debian subdomain (VM), Installed MySQL 14 and connected to it from a WordPress installation on a different VM
Advertisement:
Aside
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving fearby.com from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Fearby.com
I will be honest, fearby.com is my play server where I can code, learn about InfoSec and share (It’s also my stroke rehab blog).
There is no faster way to learn than actually doing. The problem is my “doing” usually breaks the live site from time to time (sorry).
I really need to set up a testing environment (DEV-TEST-LIVE or GREEN-BLUE) server(s). GREEN-BLUE has advantages as I can always have a hot spare ready. All I need to do is toggle DNS and I can set the GREEN or BLUE server as the live server.
But first I need to separate my database from my current fearby.com server and setup up a new web server. Having a Green and Blue server that uses one database server will help with near real-time production website switches.
Dedicated Database Server
I read the following ( Should MySQL and Web Server share the same server? ) at Percona Database Performance Blog. Having a separate database server should not negatively impact performance (It may even help improve speeds).
Deploy a Debian VM (not Ubuntu)
I decided to set up a Debian server instead of Ubuntu (mostly because of the good focus on stability and focus on security within Debian).
I logged into the UpCloud dashboard on my mobile phone and deployed a Debian server in 5 mins. I will be using my existing how to setup Ubuntu on UpCloud guide (even though this is Debian).
TIP: Sign up to UpCloud using this link to get $25 free UpCloud VM credit.
Deploy a Debian server setup steps:
After 5 mins your server should be deployed.
Advertisement:
After Deploy
Setup DNS
Login to your DNS provider and create DNS records to the new IP’s (IPv4 and IPv6) provided by UpCloud. It took DNS 12 hours to replicate to my in Australia.
Setup a Firewall (at UpCloud)
I would recommend you set up a firewall at UpCloud as soon as possible (don’t forget to add the recommended UpCloud DNS IP’s and any whitelisted IP’s your firewall).
Block everything and only allow
Read my post on setting up a whitelisted IP on an UpCloud VM… as it is a good idea.
UpCloud thankfully has a copy firewall feature that is very handy.
After I set up the firewall I SSH’ed into my server (I use vSSH on OSX buy you could use PUTTY).
I updated the Debian system with the following command
Get the MySQL Package
Visit http://repo.mysql.com/ and get the URL of the latest apt-config repo deb file (e.g “mysql-apt-config_0.8.9-1_all.deb”). Make a temp folder.
Download the MySQL deb Package
Install the package
Update the system again
Install MySQL on Debian
Secure MySQL
Advertisement:
You can secure the MySQL server deployment (set options as needed)
Install NGINX
I installed NGINX to allow Adminer MySQL GUI to be used
I ran these commands to install NGINX.
I edited my NGINX configuration as required.
I reloaded NGINX
Advertisement:
Install PHP
I followed this guide to install PHP on Debian.
Install PHP FPM
Increase Upload Limits
You may need to temporarily increase upload limits in NGINX and PHP before you can restore a WordPress database. My feabry.com blog is about 87MB.
Add “client_max_body_size 100M;” to “/etc/nginx/nginx.conf”
Add the following to “/etc/php/7.2/fpm/php.ini”
Restore a backup of my MySQL database in MySQL
You can now use Adminer to restore your blog to MySQL. Read my post here on Adminer here. I used Adminer to move my WordPress site from CPanel to a self-managed server a year ago.
First login to your source server and export your desired database then login to the target server and import the database.
Firewall Check
Don’t forget to allow your WordPress site’s 2x Public IP’s and 1x Private IP to access port 3306 in your UpCloud Firewall.
How to check open ports on your current server
Set MySQL Permissions
Open MySQL
I ran these statements to grant the user logging in on the nominate IP’s access to MySQL.
Reload permissions in MySQL
Allow access to the Debian machine from known IP’s
Edit “/etc/host.allow”
Additions (known safe IP’s that need access to this MySQL remotely).
Tell MySQL to listen on
Edit “/etc/mysql/my.cnf”
Added..
I guess you could change the port to something random???
Restart MySQL
Install a second local firewall on Debian
Advertisement:
Install ufw
Do add the IP of your desired server or VPN to access SSH
Do add the IP of your desired server or VPN to access WWW
Now add the known IP’s (e.g any web servers public (IPv4/IPv6) or Private IP’s) that you wish to grant access to MySQL (e.g the source website that used to have MySQL)
Do add UpCloud DNS Servers to your firewall
Add all other rules as needed (if you stuff up and lock your self out you can login to the server with the Console on UpCloud)
Restart the ufw firewall
Prevent MySQL starting on the source server
Now we can shut down MySQL on the source server (leave it there just in case).
Edit “/etc/init/mysql.conf”
Comment out the line that contains “start on ” and save the file
and run
Reboot
Stop and Disable NGINX on the new DB server
We don’t need NGINX running now the database has been imported with Adminer.
Stop and prevent NGINX from starting up on startup.
Check to see if MySQL is Disabled
Yep
Test access to the database server in PHP code
Add to dbtest.php
<em>SELECT guid FROM wp_posts</em>()<br />
<ul><?php
//External IP (charged after quota hit)
//$servername = 'db.yourserver.com';
//Private IP (free)
//$servername = '10.x.x.x';
$username = 'username';
$password = '********your*password*********';
$dbname = 'database';
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = 'SELECT guid FROM wp_posts';
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo $row["guid"] . "<br>";
}
} else {
echo "0 results";
}
$conn->close();
?></ul>
DoneCheck for open ports.
You can install nmap on another server and scan for open ports
Advertisement:
Install nmap
Scan a server for open ports with nmap
You should see this on a server that has access to see port 3306 (port 3306 should not be visible by non-whitelisted IP’s). Port 3shouldoudl not be seen via everyone.
You should see something like this on a server that has access to see port 80/443 (a web server)
I’d recommend you use a service like https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap# to check for open ports. https://hackertarget.com/tcp-port-scan/ is a great tool too.
https://www.infobyip.com/tcpportchecker.php is also a free port checker that you can use to verify individual closed ports.
Hardening MySQL and Debian
Read: https://www.debian.org/doc/manuals/securing-debian-howto/ap-checklist.en.html
Configuring WordPress use the dedicated Debian VM
On the source server that used to have MySQL edit your wp-config.php file for WordPress.
Remove
define('DB_HOST', 'localhost');add (read the update below, I changed the DNS IP to the Private IP to have free traffic)
//Oriinal localhost
//define('DB_HOST', 'localhost');
//New external host via DNS (Charged after quota hit)
//define('DB_HOST', 'db.fearby.com');
//New external host via Private IP (Free)
define('DB_HOST','10.x.x.x');Restart NGINX
Restart PHP-FPM
Conclusion
Nice, I seem to have shaved off 0.3 seconds in load times (25% improvement)
Update: Using a Private IP or Public IP between WordPress and MySQL servers
After I released this blog post (version 1.0 with no help from UpCloud) UpCloud contacted me and said the following.
I will have updated my references in this post and replace the public IP address (that is linked to DNS record for db.fearby.com) and instead use the private ip address (e.g 10.x.x.x), your servers private IP address is listed against the public IPv$ and IPv6 address.
I checked that the local ufw firewall did indeed allow the private IP access to MySQL.
On my new Debian MySQL server, I edited the file /etc/mysql/my.cnf and changed the IP to the private IP and not the public IP.
Now it looked like
(10.x.x.x my Debian servers private IP)
On my WordPress instance, I edited the file /www-root/wp-config.php
I added the new private host
//Oriinal localhost
//define('DB_HOST', 'localhost');
//New external host via DNS (Charged after quota hit)
//define('DB_HOST', 'db.fearby.com');
//New external host via Private IP (Free)
define('DB_HOST','10.x.x.x');(10.x.x.x my Debian servers private IP)
Alos on Debian/MySQL ensure you have granted access to the private IP of the WordPress server
Edit /etc/host.allow
Add
Restart MySQL
TIP: Enable UpCloud Backups
Do setup automatic backups (and or take manual backups). Backups are an extra charge but are essential IMHO.
Troubleshooting
If you can’t access MySQL log back into MySQL
and run
Reboot
Lower Upload Limits
Don’t forget to lower file upload sizes in NGINX and PHP (e.g 2M) now that the database has been restored.
I hope this guide helps someone.
TIP: Sign up to UpCloud using this link to get $25 free UpCloud VM credit.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Advertisement:
Revision History
v1.6 Changed Public IP use to private IP use to ensure we are not charged when the serves sage goes over the quota
v1.5 Fixed 03 type (should have been 0.3)
v1.4 added disable nginx info
v1.3 added https://www.infobyip.com/tcpportchecker.php
v1.1 added https://hackertarget.com/tcp-port-scan/
v1.0 Initial Post
This post will explain why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
This post will explain why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
Background
I used to work in retail selling computers and I would go to great lengths to open a desktop computer chassis and talk someone out of buying a cheaper/slower computer (usually when it had a Cyrix Media GX processor in it). I would do myself out of higher commission and burn time educating customers. I have blogged about what to look for when buying a computer (here).
2012
In 2012 I bought my first Apple Mac computer to write iOS apps (write your first OSX app). I would call myself an Apple fanboy (previously being a PC fanboy for 15 years). I have never rebuilt my OSX system in 6 years buy would rebuild Windows every 6 months. Some Apple things I like.
2017
My Mid 2012 Mac Book Pro i7 processor overheats like crazy. I have blogged about my Mid 2012 MPB overheating issues (read here). I have even gone and installed third party software to control the speeds of my Mac’s fans (read here).
Inside my Mid 2012 Mac Book Pro (heatsink and fans at the top)
Stupidly thin heatsink (IMHO).
Complete heatsink (CPU and GPU plate)
I am certain this Mac Book heatsink is too small for the processor and graphics card.
As I type this my Mac Book Pro is Thermal throttling (slowing down the CPU) while typing a blog post (not gaming).
My only option is to crank up the fans to 100% and overrise Apple silence first mantra.
I am currently sitting here at Winter with my MBP 2012 MBP i7 fans running at 100% to try (try) and prevent thermal throtelling killing my productivity. https://t.co/IM6IlnmjC7
— Simon Fearby (Aussie DevSecOps) (@FearbySoftware) July 18, 2018
Intel Power Gadget showing thermal throttling (CPU dropping t0 almost 1Ghz to drop temps).
Move forward to 2018
Today I learned that Apple is putting an Intel i9 Procesor into a laptop, great? Hold onto your cash, that thing will run very hot and will never operate at its maximum potential.
Reviews are scathing.
I tweeted..
What a joke, why is @Apple putting an Intel i9 into a stupidly thin Mac Book Pro, my i7 can barely keep cool https://t.co/IM6IlnmjC7
— Simon Fearby (Aussie DevSecOps) (@FearbySoftware) July 13, 2018
Apple’s Website: https://www.apple.com/macbook-pro/
What a waste of a good processor.
Below you will see the fallout on YouTube from Apple putting an i9 Processor in the latest 15″ Mac Book Pros.
Dave Lee posted “MacBook Pro 15 (2018) – Beware the Core i9”
TechLinked posted “2018 Macbook ALREADY Overheating?”
AppleInsider – 2018 MacBook Pro i9 Thermal Throttling CONFIRMED!
Best of all, Louis Rossmann summed up the Apple situation perfectly.
Update 25th July
Apple is doubling down on the lack of cooling (calling it a “missing digital key”).
I will #BoycottAppleProMachines
That’s all.
Revision History
v1.4 Added update 25th July 2018 Missing Digital Key
v1.3 Gizmodo link
v1.2 Test new db server
v1.1 Added Apple Insider video
v1.0 Initial Post
Here is how I added two subdomains (one pointing to a new UpCloud VM and the other pointing to an NGINX subsite) on Ubuntu 18.04
Advertisement:
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
UpCloud performance is great.
Buy a domain name from Namecheap here.
Goal(s)
Setup 2x subdomains on https://fearby.com
– Sub Domain #1: https://test.fearby.com (pointing to a dedicated UpCloud VM in Singapore for testing).
– Sub Domain #2: https://audit.fearby.com (pointing to a sub-website on the NGINX/VM that runs https://fearby.com )
Let’s set up the first Sub Domain (dedicated VM) and SSL
Backup
Do backup your server first.
VM
I created a second server ($5 month or $0.07c hour 1,024MB Memory, 25GB Disk, 1024 GB Month Data Transfer) at UpCloud. If you don’t already have an account at UpCloud use this link to signup and get $25 free credit ( https://www.upcloud.com/register/?promo=D84793 ). Read my blog post on why UpCloud is awesome and how I moved my domain to UpCloud.
Once I spun up a second server I obtained the IPv4 and IPv6 IP addresses of the new “test” VM from the UpCloud dashboard.
DNS
These DNS records were already in place with my DNS provider (Cloudflare).
I added these DNS records for the subdomains.
I added a new A NAME record for the new shared NGINX subdomain (for https://audit.fearby.com), this subdomain will be a sub-website that is running off the same server as https://fearby.com
I added another set of records for the new dedicated VM subdomain (for https://test.fearby.com)
I waited for DNS to replicate around the globe by watching https://www.whatsmydns.net/
Setup a Firewall
On the new dedicated https://test.fearby.com VM, I installed the ufw firewall.
I configured the firewall to allow minimum ports (and added whitelisted IP for port 22 and added UpCloud DNS servers). I will lock this down some more later.
TIP: If your ISP does not offer a dedicated IP try a VPN. I use https://cyberghostvpn.com on OSX and Android.
Firewall rules.
I enabled the firewall.
Install NGINX (on https://test.fearby.com)
On the new dedicated https://test.fearby.com VM I…
Created a new www root
Set permissions
Installed NGINX
I created a placeholder webpage
Configured the root value in /etc/nginx/sites-available/default
Created a symbolic link of the nginx config
Lets Encrypt SSL
I have previously setup Lets encrypt on Ubuntu 16.04 but not 18.04. Certbot had info on setting up Lets Encrypt for 14.x 16.x and 17.x but not 18.x
Full credit for the SSL steps goes to @Linuxize ( tips on setting up Lets Encrypt on Ubuntu 18.04 ). Check out https://linuxize.com/
I installed Lets Encrypt certbot
I created a new Diffie–Hellman key
Map requests to http://test.fearby.com/.well-known/acme-challenge to /var/lib/letsencrypt/.well-known ( Read the linuxize post for detailed steps ).
Create a /etc/nginx/snippets/letsencrypt.conf on http://test.fearby.com and enforce the redirect.
Create a /etc/nginx/snippets/ssl.conf file on http://test.fearby.com
Let’s get a certificate
Certificates have been created 🙂
Now lets edit “/etc/nginx/sites-available/default” on https://test.fearby.com VM and add the cert paths.
Advertisement:
Reload NGINX
or
Now let’s setup the second subdomain (subsite off https://fearby.com) and SSL
VM
I already have NGINX on https://fearby.com set up a second site.
DNS
We have already setup a DNS record for https://audit.fearby.com (above)
Firewall
Already configured at https://fearby.com
SSL
Because I had an existing Comodo certificate on https://fearby.com I am going to repeat the steps above to generate a new certificate but save the NGINX config to /etc/nginx/sites-available/audit.fearby.com (this activates the second site)
TIP: Follow the Linuxize guide here (for creating ssl.conf, letsencrypt.conf etc config files), Do a backup and restore if need be.
I created a new Diffie–Hellman key
Let’s get a certificate
Configure NGINX
Map requests to http://audit.fearby.com/.well-known/acme-challenge to /var/lib/letsencrypt/.well-known ( Read the linuxize post for detailed steps ).
I created a new NGINX site ( /etc/nginx/sites-available/audit.fearby.com )
I created a symbolic link of the config file
Reload NGINX
or
How to test the certificate renewal
Automate the renewal in crontab (every 12 hours)
I set this crontab entry up on https://fearby.com and https://test.fearby.com
Conclusion
Yes, I haVe 2 subdomains (1x dedicated VM and the other is a sub-website off an existing server) with SSL certificates.
Ping Results
Webpage Results
Troubleshooting
If you are having troubles generating the initial certificate check that you have not blocked port 80 and don’t have “Strict-Transport-Security” heavers enabled.
I re-ran the certbot command but pointed to the real /www-root (not/var/lib/letsencrypt/)
Create a new
mkdir /www-root/.well-known/ mkdir /www-root/.well-known/acme-challenge/ sudo certbot certonly --agree-tos --email [email protected] --webroot -w /www-root -d yoursubdomain.domain.com
Advertisement:
I hope this guide helps someone.
Please consider using my referral code and get $25 credit for free.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Revision History
v1.1 Troubleshooting
v1.0 Initial Post
This is how I upgraded from my standalone 1Password 6.x family licence to a 1Password 7 cloud subscription on OSX. I am not reviewing 1Password here.
Advertisement:
This is NOT a paid endorsement, this is output from my legitimate quest from upgrading an old stand-alone family licence to a cloud subscription. I have been using 1Password for the past 5 years and have recommended it to everyone I know.
Always backup your data before updating (things can go wrong), good luck. At the time of writing 1Password 7 was not out of beta.
Why
I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean and let’s say 1Password has helped me store everything from service invoices, SSH password service passwords etc. I did have a stroke last year (caused by the flu (a cough) and luckily all is OK ) and I now realise that having everything out of my brain and in a secure vault is a good idea (touch wood).
Reasons why I use 1Password – Password Manager.
1Password 7 News
1Password 7 has been hitting my twitter timeline, should I upgrade? Here is the official upgrade guide.
Security Researcher Troy Hunt’s – https://haveibeenpwned.com/ is now a feature in 1Password 7
@1Password just keeps getting better and better. Ping: @troyhunt pic.twitter.com/qTtE6XyoXb
— Grant Harrington (@harringg) May 22, 2018
I wrote a PHP implementation to check a password exposure level with Troy Hunt’s pwned passwords API and know it’s a good idea.
Also, there are loads of great features in 1Password 7.
Anything that can help create secure passwords is a good idea.
86% of Passwords are Terrible (and Other Statistics) https://t.co/pSqbb7IV0g by @troyhunt
— Particular Software (@ParticularSW) May 25, 2018
1Password Twitter Support Shoutout
Before I begin I would like to acknowledge the patient 1Password support team on twitter. They answered well over 20 questions from me and handled my frustrations of there not being a clear standalone family licence, I suspected a plot to force people onto a cloud subscription at first.
In an ideal world upgrading, 1Password should be an easy process (1Password Twitter Support indicated)
Load’s of 1 Password activity on Twitter
Phew! ? 1Password 7 for Mac has generated a lot of excitement! If you have any questions, be sure to check out our forums to see if they’ve been answered. Our team is always here. https://t.co/Xixe8e80yY
— 1Password (@1Password) May 23, 2018
Before I downloaded the latest 1Password 7 I fired heaps of questions at the twitter support. I hope 1Password give them a raise or bonus.
I did spend way too long reading past the negative 1Password support posts on “where is the standalone licence”, “beta discounts are gone”, “why so expensive” and “how can I upgrade from 1password 6 and still use dropbox” etc.
I ended up logging a support ticket (looking for the unicorn beta tester discount/stand-alone licence, I think I was too late to join the beta program).
I backed up my 1Password 6 data
Always take backups of your data before upgrading anything.
I also backed up the 1Password file in Dropbox before upgrading. Simply drag it to your desktop.
Advertisement:
I visited https://1password.com/extlink/signin/ and…
Then I..
I did have a peek at the 1Password SSL certificate strength and other tools and they came up all good (I don’t want to use an insecure service).
You too can test SSL on sites with https://dev.ssllabs.com/ssltest/
The only concern I have is TLS 1.3 is not an option yet. I use it on my blog’s web server (guide here) also a few SSL labs identified weak cyphers are presented as available from the server (Is this an issue)?
I also had a look at Google Chrome’s developer console to see if anything out of the ordinary was popping up? The console appears a little chatty? TLS 1.2 was in force securing the client/server communications so that’s nice.
Now that I am logged into my cloud 1Password (trial) account I can…
Now I can connect my new 1Password cloud account to my local 1Password 6 installation by.
Advertisement:
Now I am prompted to import my local 1Password data into the cloud account from my local 1Password.
When the import completed I was prompted to delete the local vault (I said yes because I backed it up).
Tip: 1Password 6 on my Mac did not appear to delete the Dropbox data so I deleted this manually.
After a few minutes, I noticed Dropbox was still syncing files?
Troubleshooting: I had to set my new cloud vault as the primary vault to save to and not the old vault that was syncing via Dropbox. I also deleted all links to Dropbox on iOS and Android devices.
I did notice that 1Password was 6.8.9 (I thought 1password 7 was the latest?, I did try the update button). I ended up ticking “Include beta builds” and then 1Password 7.0 is a download option (maybe this will change in the next few days)?
I opened 1Password 7 on my local desktop.
I had a quick look around in 1Password 7 for the https://haveibeenpwned.com/ feature. I opened an existing account I added to 1Password. It look’s nice.
Some nice alerts and features I noticed when viewing my data in 1 Password 7.
Aside: I had to opt into beta builds on Windows to get 1Password 7 too.
Summary
When I set out and wanted a stand-alone licence but it appears I would need to pay for a licence on Windows and Mac and portable devices.
I overlooked an earlier DM from 1Password (that provided the purchase links) so I decided to go with a subscription (I think I missed the BETA program too, no reply from the hockey app email when opting into beta on Windows).
Buy standalone licences
From what I could see standalone licences only work via Dropbox (or locally) and not via the 1Password cloud.
However, the subscription does away with the requirement to buy multiple licences (all apps are free once you subscribe). I am not sure when 1Password 8 is coming out so I think it is wiser to go with a yearly subscription (that’s about 10.8c a day in Australian peso’s).
Time to Subscribe
I pulled the trigger and subscribed 🙂
Advertisement:
One nice thing is the trial time is added on to the subscription length so if you have 30 days left in the trial it add’s on to the yearly subscription length (13 months), that’s nice.
Update: June 2019
1Password now allow you to setup 2FA (authenticator app or YuiKey leys (or both)) authentication on your 1Password login. Read the official post here.
Goto https://my.1password.com/profile/2fa to setup 2FA.
You can setup 2FA (authapp and or hardware keys)
You will be notified by email if a 2FA method is setup.
You will need to sign out and back into your apps web, Desktop and Mobile).
Web Signin
You will need to insert and press your hardwre key.
And enter your 2FA code
Mobile app login
![Enter 2fa code on mobile app loginb]](https://fearby.com/wp-content/uploads/2018/05/pasword-2fa-005-mobile-login.jpg)
I used my YubiCo Authentocator app to get the temporary OTP.
You can remove previous logged in devices from accessing your data or force them to reqire 2FA at next login
Nice
Conclusion
Happy = Yes (they are shooting fish in a barrel)
Could have been easier to upgrade from 1 password = Yes
I hope this guide helps someone.
Find out more about 1Password at http://1password.com/
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Revision History
v1.4 Added 2fA Info
v1.3 Fixed typo in the title/url.
v1.2 Added Links
v1.1 Added Conclusion
v1.0 Initial post
This guide will show you how you can open a Windows 10 Boot Camp Installation on OSX in Parallels (like a VM).
Advertisement:
Installing Parallels on a Mac allows you to install Windows in A VM, this is handy but you may want to install Windows on a Mac drive with Boot camp (guide here) for better performance.
Can you load this VM-less Windows install in OSX rather than reboot it, the answer is YES (with Parallels v13).
Setup your Windows Bootcamps (see my guide here).
Create a new VM image in Parallels (Select Boot Camp)
Click Continue
Confirm the reaction warning.
Name the VM and choose a location
Set desired memory etc.
Choose your desired clipboard and disk access settings.
Done, now Parallels will prepare your VM (Really Boot Camp)
Preparing
Parallel tools will be automatically installed.
Done, you will now be able to load your Apple Bootcamp partition as it is was a VM inside OSX (or boot it)
yes, the VM file is pointing to the Boot Camp partition.
I hope this guide helps someone.
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]Revision History
v1.0 Initial post
