iAchieved.it

Aug
17

The Best Fudgy Brownies Ever

Category: RecipesTags: brownie, chocolate, fudgy Leave a Comment

This is an experimental blog post, because in the sea of posts about Ansible and Swift is a brownie recipe. To be fair, this is not just any brownie recipe, but the best one ever for fudgy brownies.

Why am I writing this post here on the iAchieved.it? Because the world needs to know how to make these brownies, and I’m sick of recipe blogs that are ninety percentage rambling (we’re not going to go into the history of the brownie here) and instructions on how to fold. If you don’t know to fold versus whisk, this blog isn’t for you. I’m not even going to bother with fancypants WordPress plugins for recipes. Well, not for now at least.

This recipe makes a 13×9 pan of awesome fudgy brownies. I am not joking.

1/3 cup Dutched cocoa powder
2 ounces unsweetened chocolate, chopped
1/2 cup plus 2 tablespoons boiling water
4 tablespoons unsalted butter, melted
1/2 cup plus 2 tablespoons vegetable oil
2 eggs
2 egg yolks
2 teaspoons vanilla
2 1/2 cups sugar
1 3/4 cups unbleached all-purpose flour
3/4 teaspoon salt
6 ounces bittersweet chocolate chips

In a large mixing bowl (the kind you might, you know, make brownies in) toss in the dutched cocoa powder and chopped unsweetened chocolate. Pour in the boiling water and whisk until smooth. If you’re lucky I might add a picture here.

At this point whisk in the melted butter and vegetable oil, but be prepared for it to look a little weird. The chocolate and the oils will not want to get happy together, but don’t worry, that’s when you whisk in the eggs and extra yolks and everyone comes together like a nice chocolate pudding. By all means, shove your finger in there for a taste, but there’s no sugar yet so it’ll be nasty.

Whisk in the vanilla (I grew up in Texas so it goes without saying my preference is Mexican vanilla), and in 1/2 cup batches whisk in the sugar until thoroughly combined and glossy. Note: If you’ve ever done any baking you know that there’s always cautions regarding over mixing. We will now invoke this caution because you’re going to start adding the flour. Do not overmix after this! We’re making brownies, not bread.

Fold in the flour and salt. I usually do this a half cup at a time and don’t fret if there are some streaks of flour in the batter. It’ll sit a bit and hydrate while you go for that second glass of wine, so relax.

Once you’ve folded in all of the flour and it looks like brownie batter, fold in those bittersweet chocolate chips. Fold, not mix. Remember, boxed brownies have a lot of chemicals that act like guard rails. No rails here, so don’t get crazy.

Pour all of the batter into a greased (PAM, people) 13×9 and bake for about 32 to 35 minutes in a 350 degree oven. I usually rotate it after 15 minutes, but that’s only because Memaw did.

Let cool for a bit if you have self-control, but if you’re like me, by all means, tear into there and enjoy molten fudgy brownie goodness. Here’s what is you can expect to indulge in!

Jul
6

By Joe

Auditing Shared Account Usage

Category: DevOps Leave a Comment

Occasionally you find yourself in a situation where utilizing a shared account cannot be avoided. One such scenario is managing the deployment of NodeJS applications with Shipit and PM2. Here’s how the scenario typically works:

Alice, Bob, and Carol are three developers working on NodeJS applications that need to be deployed to their staging server. They’ve decided on the use of PM2 as their process manager, and ShipIt as their deployment tool. Their shipitfile.js file contains a block for the staging server, and it looks something like:

staging: {
      servers: [
        {
          host: 'apps.staging.iachieved.it',
          user: 'deployer',
        },
      ],
      environment:  'staging',
      branch: 'develop',
    },

As we can see the deployer user will be used to deploy our application, and by extension, will be the user that pm2 runs the application under. Alice, Bob, and Carol all have their SSH keys put in /home/deployer/.ssh/authorized_keys so they can deploy. Makes sense.

Unfortunately what this also means is Alice, Bob, or Carol can ssh to the staging server as the deployer user. Even though deployer is an unprivileged user, we really don’t want that. Moreover, by default, we can’t trace who deployed, or if someone is misusing the deployer user. Let’s take a look at how we can address this.

Creating a Deployment Group

The first thing we want to do is to create a security group for those that are authorized to perform deployments. I’ll be using an Active Directory security group in this example, but a standard Unix group would work as well. We can use getent to see the members of the group. getent will come in handy to help determine whether someone attempting to deploy is authorized.

# getent group "application deployment@iachieved.it"
application deployment@iachieved.it:*:1068601118:alice@iachieved.it,bob@iachieved.it

SSH authorized_keys command

Until I started researching this problem of auditing and restricting shared account usage I was unaware of the command option in the SSH authorized_keys file. One learns something new every day. What the command option provides for is executing a command immediately upon SSHing via a given key. Consider that we put the following entry in the deployer user ~/.ssh/authorized_keys file:

ssh-rsa AAAA...sCBR alice

and this is Alice’s public key. We would expect that Alice would be able to ssh deployer@apps.iachieved.it and get a shell. But what if we wanted to intercept this SSH and run a script instead? Let’s try it out:

deployer@apps.iachieved.it:~/.ssh/authorized_keys:

command="/usr/bin/logger -p auth.INFO Not permitted" ssh-rsa AAAA...sCBR alice

When Alice tries to ssh as the deployer user, we get an entry in auth.log:

Jul  5 22:30:58 apps deployer: Not permitted

and Alice sees Connection to apps closed..

Well that’s no good! We do want Alice to be able to use the deployer account to deploy code.

A Wrapper Script

First, we want Alice to be able to deploy code with the deployer user, but we also want to:

know that it was Alice
ensure Alice is an authorized deployer
not allow Alice to get a shell

Let’s look at how we can create a script to execute each SSH invocation that will meet all of these criteria.

Step 1, let’s log and execute whatever Alice was attempting to do.

/usr/local/bin/deploy.sh:

#!/bin/bash

logger -p auth.INFO $SSH_REMOTE_USER executed "$SSH_ORIGINAL_COMMAND"
exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"

#!/bin/bash

logger -p auth.INFO $SSH_REMOTE_USER executed "$SSH_ORIGINAL_COMMAND"

exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"

SSH_ORIGINAL_COMMAND will be set automatically by sshd, but we need to provide SSH_REMOTE_USER, so in the authorized_keys file:

command="export SSH_REMOTE_USER=alice@iachieved.it;/usr/local/bin/deploy.sh" ssh-rsa AAAA...sCBR alice

Note that we explicitly set SSH_REMOTE_USER to alice@iachieved.it. The takeaway here is that it associates any attempt by Alice to use the deployer account to her userid. We then execute deploy.sh which logs the invocation. If Alice tries to ssh and get a shell with ssh deployer@apps the connection will still be closed, as SSH_ORIGINAL_COMMAND is null. But, let’s say she runs ssh deployer@apps ls /:

alice@iachieved.it@apps ~> ssh deployer@apps ls /
bin
boot
dev
etc

In /var/log/auth.log we see:

Jul  6 13:43:25 apps sshd[18554]: Accepted publickey for deployer from ::1 port 48832 ssh2: RSA SHA256:thZna7v6go5EzcZABkieCmaZzp+6WSlYx37a3uPOMSs
Jul  6 13:43:25 apps sshd[18554]: pam_unix(sshd:session): session opened for user deployer by (uid=0)
Jul  6 13:43:25 apps systemd-logind[945]: New session 54 of user deployer.
Jul  6 13:43:25 apps systemd: pam_unix(systemd-user:session): session opened for user deployer by (uid=0)
Jul  6 13:43:26 apps deployer: alice@iachieved.it executed ls /

What is important here is that we can trace what Alice is executing.

Managing a Deployment Security Group

Left as is this technique is much preferred to a free-for-all with the deployer user, but more can be done using security groups to have finer control of who can use the account at any given time. Let’s add an additional check in the /usr/local/bin/deploy.sh script with the uig function introduced in the last post.

#!/bin/bash

. /usr/local/bin/uig.sh

uig "$SSH_REMOTE_USER" "$DEPLOY_GROUP"
if [ "$?" == 0 ]; then
  logger -p auth.INFO $SSH_REMOTE_USER is in $DEPOY_GROUP and executed "$SSH_ORIGINAL_COMMAND"
  exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"
else
  logger -p auth.INFO $SSH_REMOTE_USER is not in $DEPLOY_GROUP and is not authorized to execute "$SSH_ORIGINAL_COMMAND"
  exit -1
fi

#!/bin/bash

. /usr/local/bin/uig.sh

uig "$SSH_REMOTE_USER" "$DEPLOY_GROUP"

if [ "$?" == 0 ]; then

logger -p auth.INFO $SSH_REMOTE_USER is in $DEPOY_GROUP and executed "$SSH_ORIGINAL_COMMAND"

exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"

else

logger -p auth.INFO $SSH_REMOTE_USER is not in $DEPLOY_GROUP and is not authorized to execute "$SSH_ORIGINAL_COMMAND"

exit -1

The authorized_keys file gets updated, and let’s add Bob and Carol’s keys for our additional positive (Bob) and negative (Carol) test:

command="export SSH_REMOTE_USER=alice@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...sCBR alice
command="export SSH_REMOTE_USER=bob@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...r4Gz bob
command="export SSH_REMOTE_USER=carol@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...f5Xy carol

command="export SSH_REMOTE_USER=alice@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...sCBR alice

command="export SSH_REMOTE_USER=bob@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...r4Gz bob

command="export SSH_REMOTE_USER=carol@iachieved.it DEPLOY_GROUP='application deployment@iachieved.it';/usr/local/bin/deploy.sh" ssh-rsa AAAA...f5Xy carol

Since Bob is a member of the application deployment@iachieved.it group, he can proceed:

Jul  6 20:09:26 apps sshd[21886]: Accepted publickey for deployer from ::1 port 49148 ssh2: RSA SHA256:gs3j1xHvwJcSMBXxaqag6Pb7A595HVXIz2fMoCX2J/I
Jul  6 20:09:26 apps sshd[21886]: pam_unix(sshd:session): session opened for user deployer by (uid=0)
Jul  6 20:09:26 apps systemd-logind[945]: New session 79 of user deployer.
Jul  6 20:09:26 apps systemd: pam_unix(systemd-user:session): session opened for user deployer by (uid=0)
Jul  6 20:09:27 apps deployer: bob@iachieved.it is in application deployment@iachieved.it and executed ls /

Now, Carol’s turn to try ssh deployer@apps ls /:

Jul  6 20:15:37 apps deployer: carol@iachieved.it is not in application deployment@iachieved.it and is not authorized to execute ls /

Poor Carol.

Closing Thoughts

For some teams the idea of having to manage a deployment security group and bespoke authorized_keys file may be overkill. If you’re in an environment with enhanced audit controls and accountability the ability to implement safeguards and audits to code deployments may be a welcome addition.

Jul
5

By Joe

A Script for Testing Membership in a Unix Group

Category: DevOps Leave a Comment

Sometimes you just need a boolean test for a given question. In this post we’ll look at answering the question, “Is this user in a given group?” Seems simple enough.

It’s easy to see what groups a user is a member of in a shell:

% id
alice@iachieved.it@darthvader:~$ id
uid=1068601116(alice@iachieved.it) gid=1068601115(iachievedit@iachieved.it) groups=1068601115(iachievedit@iachieved.it),1068600513(domain users@iachieved.it),1068601109(linux ssh@iachieved.it),1068601118(application deployment@iachieved.it)

Note that Alice is an Active Directory domain user. We want to test whether or not she is a member of the application deployment@iachieved.it group. We can see this with our eyes in the terminal, but a little scripting is in order. We’ll skip error checking for this first example.

uig.sh:

#!/bin/bash

USER=$1
GROUP=$2

# getent returns all of the members of a given group, see
# https://en.wikipedia.org/wiki/Getent for examples

uig=`getent group "$2" | awk '{split($0,a,":"); print a[4];}'`

# IFS (internal field separator) is a gem I frequently forget about

IFS="," read -r -a array <<< $uig

# Print each entry of our array (members of the group) and then 
# grep to find if $USER is there

if printf '%s\n' ${array[@]} | grep -qP "^${USER}$"; then
  echo "User $USER IS in group $GROUP"
  exit 0
fi
echo "User $USER IS NOT in group $GROUP"
exit -1

#!/bin/bash

USER=$1

GROUP=$2

# getent returns all of the members of a given group, see

# https://en.wikipedia.org/wiki/Getent for examples

uig=`getent group "$2" | awk '{split($0,a,":"); print a[4];}'`

# IFS (internal field separator) is a gem I frequently forget about

IFS="," read -r -a array <<< $uig

# Print each entry of our array (members of the group) and then

# grep to find if $USER is there

if printf '%s\n' ${array[@]} | grep -qP "^${USER}$"; then

echo "User $USER IS in group $GROUP"

exit 0

echo "User $USER IS NOT in group $GROUP"

exit -1

Let’s take it out for a spin.

alice@iachieved.it@darthvader:~$ ./uig.sh `whoami` "linux administrators@iachieved.it"
User alice@iachieved.it IS NOT in group linux administrators@iachieved.it

Now let’s test whether or not Alice is in the application deployment@iachieved.it group:

alice@iachieved.it@darthvader:~$ ./uig.sh `whoami` "application deployment@iachieved.it"
User alice@iachieved.it IS in group application deployment@iachieved.it

Terrific. This will come in handy in the next blog post.

Let’s clean this up into a function that can be sourced in a script or shell:

#!/bin/bash

function uig () {

  if [ $# -ne 2 ]; then return -1; fi

  USER=$1
  GROUP=$2

  _uig=`getent group "$2" | awk '{split($0,a,":"); print a[4];}'`

  IFS="," read -r -a array <<< $_uig

  if printf '%s\n' ${array[@]} | grep -qP "^${USER}$"; then
      return 0
  fi
  return -1

}

#!/bin/bash

function uig () {

if [ $# -ne 2 ]; then return -1; fi

USER=$1

GROUP=$2

_uig=`getent group "$2" | awk '{split($0,a,":"); print a[4];}'`

IFS="," read -r -a array <<< $_uig

if printf '%s\n' ${array[@]} | grep -qP "^${USER}$"; then

return 0

return -1

}

alice@iachieved.it@darthvader:~$ uig `whoami` "linux ssh@iachieved.it"
alice@iachieved.it@darthvader:~$ echo $?
0

Or, the invocation we’re most likely to use:

uig `whoami` "linux ssh@iachieved.it"
if [ "$?" == 0 ]; then
  echo "In the group";
else
  echo "Not in the group";
fi

uig `whoami` "linux ssh@iachieved.it"

if [ "$?" == 0 ]; then

echo "In the group";

else

echo "Not in the group";

Jun
9

By Joe

macOS 10.15 Catalina Adds Additional Filesystem Restrictions

Category: Apple Leave a Comment

macOS 10.15 (Catalina) has added additional Privacy restrictions that require user intervention before applications can access the certain portions of the filesystem. Not only that, but taking screenshots for this post required permissions to be explicitly granted to Skitch. The fact that macOS 10.15 introduces new security and privacy safeguards is unsurprising as we got introduced to stricter automation controls in Catalina’s predecessor.

Let’s look at what happens when we try to cd ~/Documents in the macOS 10.15 Terminal app:

We’re greeted by a dialog box presented by Finder requesting specific permission for Terminal to access files in the Documents folder:

"Terminal" would like to access files in your Documents folder. Once this permission is granted, Terminal can access the contents of ~/Documents. If the permission isn’t granted, trying to ls ~/Documents results in something along the lines of:

# ls ~/Documents
ls: Documents: Operation not permitted

Updating which filesystem access permissions have been granted for a given application can be accomplished in the Security & Privacy preference panel. In this example Terminal has been granted access to the Documents folder whereas iTerm has not been granted any access.

It was an added bonus while writing this post that even trying to take a screenshot with Skitch on Catalina prompted a dialog requesting explicit access. The final result was that I’ve now authorized Skitch to capture my screen:

There has been much speculation regarding Apple’s WWDC 2019 announcement of Sign in with Apple as to its real intent. What is clear (to me, at least) is that Apple is positioning itself as the guardian of security and privacy (compared to Facebook and Google who are clearly not in the interest of safeguarding either), whether it is Sign in with Apple or tighter controls around what applications can access your data on your own Mac.

Feb
24

By Joe

Fixing A Module Compiled Cannot Be Imported Errors

Category: XCode TipsTags: swift module compiled imported error Leave a Comment

This was an annoying error message the first time I ran into it. I had just downloaded Xcode 10.2 beta 2 and opened a project I had been working on in Xcode 10.1 and was greeted by Module compiled with Swift 4.2.1 cannot be imported by the Swift 5.0 compiler. After a bit of searching I realized that I needed to rebuild my Carthage modules, and had forgotten that xcode-select needed to be employed as well.

So if you run into this like I did, the fix is simple. Choose which Xcode you need to work with and then use xcode-select to choose it for commandline builds and run carthage update.

For example, if I need to switch to the beta version of Xcode:

sudo xcode-select -s /Applications/Xcode.app
carthage update

I include a nice Makefile in my projects that streamlines switching back and forth:

PHONY: xcode xcode-beta

xcode:
        sudo xcode-select -s /Applications/Xcode.app
        carthage update --platform ios

xcode-beta:
        sudo xcode-select -s /Applications/Xcode-beta.app
        carthage update --platform ios

PHONY: xcode xcode-beta

xcode:

sudo xcode-select -s /Applications/Xcode.app

carthage update --platform ios

xcode-beta:

sudo xcode-select -s /Applications/Xcode-beta.app

carthage update --platform ios

If I need to switch to using Xcode-beta (which I frequently do since my phone is usually running a beta build), I can just type make xcode-beta.

Now, of course, when I open my project back up in Xcode I get Module compiled with Swift 5.0 cannot be imported by the Swift 4.2.1 compiler., but that’s okay, a simple make xcode will get me going!

Feb
23

By Joe

TLS 1.3 Support Coming with Safari 12.1

Category: Apple, TLS 1.3Tags: safari tls 1.3 Leave a Comment

With the landing of macOS 10.14.4 Beta (18E194d), Safari has versioned up from 12.0.3 to 12.1, and includes with it support for TLS 1.3!

Pointing Safari 12.1 at tls13.iachieved.it (which only runs TLS 1.3) returns

Your User Agent is: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 with TLS_AES_256_GCM_SHA384 selected as the cipher. Note: If your current browser doesn’t support TLS 1.3 it will not be able to connect with tls13.iachieved.it.

Interesting in standing up your own TLS 1.3 webserver or see what browsers and clients support TLS 1.3? Come check out our instructions on configuring NGINX to do just that.

Feb
16

By Joe

TLS 1.3 with NGINX and Ubuntu 18.10

Category: DevOps, Hacking, Nginx, UbuntuTags: tls 1.3 Leave a Comment

TLS 1.3 is on its way to a webserver near you, but it may be a while before major sites begin supporting it. It takes a bit of time for a new version of anything to take hold, and even longer if it’s the first new version of a protocol in nearly 10 years.

Fortunately you don’t have to wait to start experimenting with TLS 1.3; all you need is OpenSSL 1.1.1 and open source NGINX 1.15 (currently the mainline version), and you’re good to go.

OpenSSL

OpenSSL 1.1.1 is the first version to support TLS 1.3 and its ciphers:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_AES_128_CCM_SHA256

Since 1.1.1 is available out-of-the-box in Ubuntu 18.10 Cosmic Cuttlefish (as well as FreeBSD 12.0 and Alpine 3.9), we’ll be using it for this tutorial. Note that 18.10 is not an LTS release, and the decision was made to port to OpenSSL 1.1.1 to 18.04 (Bionic Beaver), but it did not make it in 18.04.2. We like to make things easy on ourselves, and launched a publicly available ubuntu-cosmic-18.10-amd64-server-20181018 AMI in AWS.

NGINX

NGINX hardly needs an introduction, so we’ll skip straight to its support for TLS 1.3, which came all the way back in version 1.13.0 (August 2017), well before the protocol was finalized. Combined with OpenSSL 1.1.1, the current open source version (1.15), NGINX is fully capable of supporting TLS 1.3, including 0-RTT.

Current Browser Support for TLS 1.3

TLS 1.3 will be a moving target for months to come, but as of this writing (February 23, 2018), here’s a view of browser support for it. As you can see, it’s pretty limited at this point, with only the Chrome, Brave, and Firefox browsers capable of establishing a connection with a TLS 1.3-only webserver.

OS	Browser	TLS 1.3 Support	Negotiated Cipher
macOS 10.14.3	Chrome 72.0.3626.109	Yes	TLS_AES_256_GCM_SHA384
macOS 10.14.3	Firefox 65.0.1	Yes	TLS_AES_256_GCM_SHA384
macOS 10.14.3	Brave 0.59.35	Yes	TLS_AES_256_GCM_SHA384
macOS 10.14.3	Safari 12.0.3 (14606.4.5)	No	NA
macOS 10.14.4	Safari 12.1	Yes	TLS_AES_256_GCM_SHA384
iOS 12.2 (Beta)	Safari	Yes	TLS_AES_256_GCM_SHA384
Windows 10.0.17134	IE 11.345.17134.0	No	NA
Windows 10.0.17134	Edge 17.17134	No	NA
Ubuntu 18.10	curl/7.61.0	Yes	TLS_AES_256_GCM_SHA384
Ubuntu 18.04.2	curl/7.58.0	No	NA

Note: An astute reader might notice iOS 12.2 (currently in Beta) indeed supports TLS 1.3 and our webserver confirms it!

Testing It Out

To test things out, we’ll turn to our favorite automation tool, Ansible and our tls13_nginx_cosmic repository with playbooks.

We happened to use an EC2 instance running Ubuntu 18.10, as well as Let’s Encrypt and Digital Ocean‘s Domain Records API. That’s a fair number of dependencies, but an enterprising DevOps professional should be able to take our example playbooks and scripts and modify them to suit their needs.

Rather than return HTML content (content-type: text/html), we return text/plain with interesting information from NGINX itself. This is facilitated by the LUA programming language and LUA NGINX module. The magic is here in our nginx.conf:

location / {
  default_type 'text/plain';
  content_by_lua_block {
    ngx.say("Thanks for connecting to {{ HOSTNAME }}");
    ngx.say("");
    ngx.say("       Client User Agent:  " .. ngx.var.http_user_agent);
    ngx.say("Client supported ciphers:  " .. ngx.var.ssl_ciphers);
    ngx.say("         Selected cipher:  " .. ngx.var.ssl_cipher);
  }
}

location / {

default_type 'text/plain';

content_by_lua_block {

ngx.say("Thanks for connecting to {{ HOSTNAME }}");

ngx.say("");

ngx.say(" Client User Agent: " .. ngx.var.http_user_agent);

ngx.say("Client supported ciphers: " .. ngx.var.ssl_ciphers);

ngx.say(" Selected cipher: " .. ngx.var.ssl_cipher);

}

This results in output similar to:

Thanks for connecting to tls13.iachieved.it

       Client User Agent:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36
Client supported ciphers:  0x2a2a:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:0x000a
         Selected cipher:  TLS_AES_256_GCM_SHA384

Thanks for connecting to tls13.iachieved.it

Client User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36

Client supported ciphers: 0x2a2a:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:0x000a

Selected cipher: TLS_AES_256_GCM_SHA384

In all of our tests thus far, TLS_AES_256_GCM_SHA384 was chosen as the ciphersuite.

Qualys SSL Assessment

Now let’s look at what Qualys SSL Server Test has to say about our site.

Not an A+, but notice in our nginx.conf we are not configuring HSTS or OCSP. Our standard Let’s Encrypt certificate is also hampering our score here.

Here’s what Qualys has to say about our server configuration:

The highlight here is that TLS 1.3 is supported by our server, whereas TLS 1.2 is not. This was done on purpose to not allow a connecting client to use anything but TLS 1.3. You definitely would not do this in practice as of February 2019, as the Qualys Handshake Simulation shows. Only Chrome 70 was able to connect to our server.

Closing Thoughts

As a DevOps practitioner, and someone who manages dozens of webservers professionally, I’m quite excited about the release and adoption of TLS 1.3. It will, no doubt, take quite some time before a majority of browsers and sites support it.

If you’re interested more about TLS 1.3 in general, there are a lot of great resources out there. Here are just a few:

Wikipedia has a good rundown of TLS 1.3 features and changes from TLS 1.2.

The folks at NGINX recently hosted a webinar on R17, the latest NGINX Plus version. TLS 1.3 and it’s benefits were covered in more detail.

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source from NGINX, Inc.

Here’s a great tutorial on deploying modern TLS configurations (including 1.3) from Probely.

And, last but not least, Cloudflare has a number of in-depth TLS 1.3 articles.

Jan
19

By Joe

Updating Yarn’s Apt Key on Ubuntu

Category: DevOps, Ubuntu Leave a Comment

If you’re one of those unfortunate souls that run into the following error when running apt update

Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key
  is not available: NO_PUBKEY 4F77679369475BAA

Err:5 https://dl.yarnpkg.com/debian stable InRelease

The following signatures couldn't be verified because the public key

is not available: NO_PUBKEY 4F77679369475BAA

you are not alone. Fortunately the fix is easy, but it’s buried in the comments, so here it is without a lot of wading:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F77679369475BAA

1	sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F77679369475BAA

Rerun apt update (or the apt-get equivalent), and you should be golden.

Jan
13

By Joe

Swift 4 titleized String Extension

Category: SwiftTags: swift string title case Leave a Comment

Rails provides the titleize inflector (capitalizes all the words in a string), and I needed one for Swift too. The code snippet below adds a computed property to the String class and follows these rules:

The first letter of the first word of the string is capitalized
The first letter of the remaining words in the string are capitalized, except those that are considered “small words”

Create a file in your Xcode project named String+Titleized.swift and paste in the following String extension:

import Foundation

let SMALL_WORDS = ["a", "al", "y", "o", "la", "el", "las", "los", "de", "del"]

extension String {
  var titleized:String {
    var words = self.lowercased().split(separator: " ").map({ String($0)})
    words[0] = words[0].capitalized
    for i in 1..<words.count {
      if !SMALL_WORDS.contains(words[i]) {
        words[i] = words[i].capitalized
      }
    }
    return words.joined(separator: " ")
  }
}

import Foundation

let SMALL_WORDS = ["a", "al", "y", "o", "la", "el", "las", "los", "de", "del"]

extension String {

var titleized:String {

var words = self.lowercased().split(separator: " ").map({ String($0)})

words[0] = words[0].capitalized

for i in 1..<words.count {

if !SMALL_WORDS.contains(words[i]) {

words[i] = words[i].capitalized

}

return words.joined(separator: " ")

}

Configure SMALL_WORDS to your liking. In this example I was titleizing Spanish phrases, so my SMALL_WORDS contains various definite articles and conjunctions. An example of the usage and output:

 1> "CORUÑA y SAN ANTONIO".titleized
$R0: String = "Coruña y San Antonio"

 2> "el día de muertos".titleized
$R1: String = "El Día de Muertos"

1> "CORUÑA y SAN ANTONIO".titleized

$R0: String = "Coruña y San Antonio"

2> "el día de muertos".titleized

$R1: String = "El Día de Muertos"

Note: This post is a Swift 4.2 version of this one written in Swift 2.

Dec
22

By Joe

Leveraging Instance Size Flexibility with EC2 Reserved Instances

Category: AWS, DevOps, EC2Tags: aws, ec2, ec2 reserved instances, reserved instances Leave a Comment

Determining which EC2 reserved instances to purchase in AWS can be a daunting task, especially given the fact that you’re signing up for a long(ish)-term commitment that costs you (or your employer) real money. It wasn’t until after several months of working with reserved instances and reading up that I became comfortable with their concepts and learning about a quite useful feature known as Instance Size Flexibility.

But first, we need to cover what this post is not about, and that is how to choose what type of instance you need to run a given application (web server, continuous integration build server, database, etc.). There are plenty of tutorials out there. Once you’ve become comfortable with your choice of instance types (I gravitate towards the T, M, and R types), you can begin thinking about saving on your EC2 compute costs by purchasing reserved instances.

I will admit to being a bit confused the first time I began purchasing reserved instances, and I attribute that to the fact that, well, they are a bit confusing. Standard reserved instances. Convertible reserved instances. Zonal reserved instances. No upfront payment. Partial upfront payment. Reserved instance marketplace. There’s a lot to take in, and on top of that, it is a bit nerve-wracking making a choice that you might have to live with (and pay) for a while. In fact, even after spending quite some time reading through everything, it still took me a few billing cycles to realize how reserved instances really worked.

While I can’t help you get over that initial intimidation factor, what I can do is share a bit of wisdom I gathered from How Reserved Instances Are Applied, with specific attention paid to How Regional Reserved Instances Are Applied.

With some exceptions, you can purchase a number of nano (or other size) reserved instances for a given instance type, and those reservations can be applied to larger (or smaller) instances in that same family. Note that there are exceptions (I told you it was confusing), as this feature does not apply to:

Reserved Instances that are purchased for a specific Availability Zone
bare metal instances
Reserved Instances with dedicated tenancy
Reserved Instances for Windows, Windows with SQL Standard, Windows with SQL Server Enterprise, Windows with SQL Server Web, RHEL, and SLES

But that’s okay, because my favorite type of machine, a shared tenancy instance running Ubuntu 16.04 or 18.04 LTS, is supported.

Instance Size Flexibility works like this. Each instance size is assigned a normalization factor, with the small size being given the unit factor of 1. A nano instance has a normalization factor of 0.25. That is, for the purposes of instance size flexibility and reserved instances, a single reservation for a small instance is the equivalent of 4 nano instances, and vice versa, 4 nano reserved instances are the equivalent of a single small reserved instance.

AWS publishes the normalization factors in the How Reserved Instances Are Applied documentation, but we’ll provide it here as well:

Instance size	Normalization factor
nano	0.25
micro	0.5
small	1
medium	2
large	4
xlarge	8
2xlarge	16
4xlarge	32
8xlarge	64
9xlarge	72
10xlarge	80
12xlarge	96
16xlarge	128
18xlarge	144
24xlarge	192
32xlarge	256

Using Instance Size Flexibility In Your Account

Now let’s take advantage of our knowledge about normalization factors and see how we can apply them to our account (and our bill). We’re going to leverage the Ruby programming language and the AWS SDK for Ruby. If you’ve never used Ruby before, do yourself a favor and invest some time with it. You’ll be glad you did.

Let’s get started.

We’re going to be applying the instance size flexibility normalization factors, so let’s declare a Hash of their values.

normalizationFactors = {
'nano':     0.25,
'micro':    0.5,
'small':    1,
'medium':   2,
'large':    4,
'xlarge':   8,
'2xlarge':  16,
'4xlarge':  32,
'8xlarge':  64,
'9xlarge':  72,
'10xlarge': 80,
'12xlarge': 96,
'16xlarge': 128,
'18xlarge': 144,
'24xlarge': 192,
'32xlarge': 256
}

normalizationFactors = {

'nano': 0.25,

'micro': 0.5,

'small': 1,

'medium': 2,

'large': 4,

'xlarge': 8,

'2xlarge': 16,

'4xlarge': 32,

'8xlarge': 64,

'9xlarge': 72,

'10xlarge': 80,

'12xlarge': 96,

'16xlarge': 128,

'18xlarge': 144,

'24xlarge': 192,

'32xlarge': 256

}

Using Bundler to pull in our AWS SDK gem, we will retrieve all of our instances in a given region (remember that this feature is scoped to the zones in a given region). I am using us-east-2 in this example, also known as US East Ohio.

require 'bundler/setup'
require 'aws-sdk-ec2'

ec2 = Aws::EC2::Resource.new(region: 'us-east-2')

require 'bundler/setup'

require 'aws-sdk-ec2'

ec2 = Aws::EC2::Resource.new(region: 'us-east-2')

Note that the above uses ~/.aws/credentials. If you do not have this file you will need to configure your access key ID and secret access key.

Let’s iterate over our instances (filtering out Windows instances since they are not eligible for Instance Size Flexibility) and create a hash of the various classes. In the end we want our hash to contain, as its keys, all of the classes (types) of instances we have, and the values to be a list of the sizes of those classes.

instances = Hash.new
ec2.instances.each do |i|
  next if i.platform == 'windows' # Windows instances are not eligibile
  class_, size = "#{i.instance_type}".split('.')
  if not instances.has_key? class_ then
    instances[class_] = []
  end
  instances[class_].push(size)
end

instances = Hash.new

ec2.instances.each do |i|

next if i.platform == 'windows' # Windows instances are not eligibile

class_, size = "#{i.instance_type}".split('.')

if not instances.has_key? class_ then

instances[class_] = []

end

instances[class_].push(size)

end

For example, if we had 4 t2.nano, 3 t2.small instances, 1 t2.large, 4 m4.xlarge instances, and 2 m4.2xlarge instances, our hash would look like this: {"t2"=>["nano", "nano", "nano", "nano", "small", "small", "small", "large"], "m4"=>["large", "large", "large", "large", "2xlarge", "2xlarge"]}.

Now we’re going to determine how many equivalent small instances we have. This is done by adding our normalization factors for each of the instance sizes.

allocation = Hash.new
instances.keys.each do |k|
  instances[k].each do |i|
    if not allocation.has_key? k then
      allocation[k] = 0.0
    end
    allocation[k] += normalizationFactors[i.to_sym].to_f
  end
end

allocation = Hash.new

instances.keys.each do |k|

instances[k].each do |i|

if not allocation.has_key? k then

allocation[k] = 0.0

end

allocation[k] += normalizationFactors[i.to_sym].to_f

end

Using our previous example of 4 t2.nano, 3 t2.small instances, 1 t2.large, 4 m4.xlarge instances, and 2 m4.2xlarge instances, we’re walking through the math of 0.25 + 0.25 + 0.25 + 0.25 + 1 + 1 + 1 + 4 for our t2 instances and 8 + 8 + 8 + 8 + 16 + 16 for the m4 instances. This results in a Hash that looks like this: {"t2"=>8, "m4"=>64}. To be clear, the interpretation of this is that we have, for the purposes of Instance Size Flexibility with reserved instances, the equivalent of 8 t2.small and 64 m4.small instances in us-east-2. Put another way, if we purchased 8 t2.small reserved instances and 64 m4.small instances in us-east-2, we would have 100% coverage of our EC2 costs with a reserved instance.

Now, let’s take it a step further and see what the equivalence would be for the other sizes. In other words, we know we have the equivalent of 8 t2.small and 64 m4.small instances, but what if we wanted to know how many equivalent nano instances we had? This loop will create a row for each class and size:

puts "Class,Size,Count"
normalizationFactors.each do |sk, sv|
  allocation.each do |ak, av|
    n = (av * (1.0 / sv)).floor
    puts "#{ak},#{sk},#{n}"
  end
end

puts "Class,Size,Count"

normalizationFactors.each do |sk, sv|

allocation.each do |ak, av|

n = (av * (1.0 / sv)).floor

puts "#{ak},#{sk},#{n}"

end

Again, taking our previous example, we would expect to see 32 t2.nano instances and 256 m4.nano instances. That’s right. If we purchased 32 t2.nano and 256 m4.nano instances we would have the equivalent of our 4 t2.nano, 3 t2.small instances, 1 t2.large, 4 m4.xlarge instances, and 2 m4.2xlarge instances. Now, there doesn’t happen to be such a thing as an m4.nano instance, and we’ve corrected for this in our published example code.

The Best Fudgy Brownies Ever

Auditing Shared Account Usage

Creating a Deployment Group

SSH authorized_keys command

A Wrapper Script

Managing a Deployment Security Group

Closing Thoughts

A Script for Testing Membership in a Unix Group

macOS 10.15 Catalina Adds Additional Filesystem Restrictions

Fixing A Module Compiled Cannot Be Imported Errors

TLS 1.3 Support Coming with Safari 12.1

TLS 1.3 with NGINX and Ubuntu 18.10

OpenSSL

NGINX

Current Browser Support for TLS 1.3

Testing It Out

Qualys SSL Assessment

Closing Thoughts

Updating Yarn’s Apt Key on Ubuntu

Swift 4 titleized String Extension

Leveraging Instance Size Flexibility with EC2 Reserved Instances

Using Instance Size Flexibility In Your Account

A Word From Our Sponsors

Recent Posts

Archives

Categories