
Securing this with SSL

Time to apply some proper certificates via good ol' StartSSL. After validating the domain via email, I need an SSL/TLS certificate. I generate my own certificate signing request (the -nodes option leaves the private key unencrypted, so the services can read it without a passphrase):

# cd /etc/ssl/
# openssl req -new -newkey rsa:2048 -nodes -keyout outofadjectives.org.key -out outofadjectives.org.csr

Just copy/paste the CSR, finish up the StartSSL wizard, and copy/paste the resulting certificate into a .crt file. It pairs with the previously generated .key.

The nginx instructions are the most straightforward. The unified certificate format (server certificate followed by the intermediate chain in one file) makes configuration for everything else simpler, since there are no separate chain files to deal with. The password-removal step is only necessary if you protected the key with a passphrase; the -nodes option used above leaves it unencrypted.

To use the certificate in Dovecot, edit /etc/dovecot/conf.d/10-ssl.conf so ssl_cert points at the unified certificate file and ssl_key points at the .key file. Then restart the service.

For Postfix, edit /etc/postfix/main.cf so that smtpd_tls_cert_file and smtp_tls_cert_file both point at the unified certificate file and smtpd_tls_key_file and smtp_tls_key_file both point at the .key file. The “smtp_” settings may not exist by default. Again, restart the service.
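Before pointing nginx, Dovecot and Postfix at the new files, it is worth checking that the certificate and key actually belong together and that the certificate is not about to expire; a mismatched pair is the usual reason a service refuses to start after a certificate swap. The script below is an added example and not part of the original post; the demo pair it generates is a constructed, throwaway self-signed certificate standing in for the StartSSL-issued one, and all file paths are assumptions.

```shell
#!/bin/sh
# Checks for a freshly installed certificate/key pair (added example).
set -eu

# Return 0 if the certificate's RSA modulus equals the key's modulus.
# Only the first PEM block of $1 is read, so a unified file (cert + chain) works too.
# Assumes an RSA key, as generated by the openssl req command in the post.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# Build the single file nginx, Dovecot and Postfix read: the server certificate
# first, then the intermediate chain (the "unified" format the post refers to).
build_unified() {
    cert="$1"; chain="$2"; out="$3"
    cat "$cert" "$chain" > "$out"
    chmod 644 "$out"
}

# Return 0 if the certificate is still valid $2 seconds from now.
cert_not_expiring() {
    openssl x509 -noout -checkend "$2" -in "$1"
}

# Constructed demo data: a self-signed pair valid for one day, plus an unrelated
# key, written to a temporary directory whose path is printed.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/good.key" -out "$dir/good.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: exercise the checks against the constructed pair.
demo() {
    d=$(make_demo_pair)
    cert_matches_key "$d/good.crt" "$d/good.key" && echo "good.key matches good.crt"
    cert_matches_key "$d/good.crt" "$d/other.key" || echo "other.key does NOT match good.crt"
    cert_not_expiring "$d/good.crt" 3600 && echo "good.crt valid for at least one more hour"
    rm -rf "$d"
}
```

Run `demo` to see the checks on the constructed pair, or call `cert_matches_key /etc/ssl/outofadjectives.org.crt /etc/ssl/outofadjectives.org.key` against the real files before restarting Dovecot and Postfix.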

PDO and only PDO

Life on EC2 can be a bit cramped (or alternatively, expensive) in the way of memory. I wanted to slim down my memory footprint for PHP by disabling extra extensions. The biggest culprit in terms of redundancy was MySQL, with mysql, mysqli, and pdo_mysql all loaded. Using just the mysql extension would be the easy route, but not the future-proofing route. I picked pdo_mysql for a slight edge in flexibility – even if SQL-agnostic applications are a fantasy.

First up for compatibility checking was roundcube. The version available via apt can only use the mysql extension, but that’s a fairly old version and development on the project is still active. Roundcube has moved over to github from SVN which is a nice change. The development version is built entirely around PDO and works quite nicely so far. Upgrading was as simple as copying a few configuration directives from the old version to the new one.

Next was WordPress. The base version still requires mysql, and it looks like that will be the case for quite a while due to compatibility and availability concerns. But some WordPress developers have contributed a set of preliminary patches to allow mysqli and pdo_mysql usage. After a little tinkering, I applied those patches to the latest development release and the blog now runs on PDO too (knock on wood). I made my own fork on github with a PDO branch, since tracking the upstream version is going to be a bit more complicated with local changes to maintain.