Free SSL/TLS Certificates with Nginx and Let’s Encrypt

As you might have already noticed, I am now running this site with a SSL certificate provided by Let’s Encrypt. Formerly only enabled to another domain hosted here.

For those who don’t know Let’s Encrypt, it’s a free automated, and open certificate authority. You can literally have a SSL certificate on your hosting in minutes.

You can easily install it with the following instructions. Keep in mind that the instructions are for Ubuntu 14.04, so some steps may differ.

Install Let’s Encrypt client.

Download the script and make it executable:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

Check your package manager for letsencrypt. Ubuntu 16.04 already have it.

Obtain the certificate.

To generate the certificate the client will create a temporary file on your webroot. You need to allow the access to the file adding the following to your nginx server block configuration:

location ~ /.well-known {
                allow all;
        }

After that, restart your nginx and run the following command:

certbot-auto certonly -a webroot --webroot-path=/var/www/yourwebroot -d yourdomain.com -d www.yourdomain.com

Don’t forget to change your webroot-path and your domain. If needed, add any other sub domain after the -d yourdomain.com. At the prompt insert your e-mail and, after read, accept the agreement.

You will end up with a set of four .pem files.

Set up nginx with SSL.

Edit your nginx configuration file again, you may now remove that .well-knowmentioned earlier. Also remove the listen 80 portion.

listen 443 ssl;
#listen 80; 
server_name www.yourdomain.com yourdomain.com; 
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

To redirect all your http traffic to https you should add this server block before the above:

server { 
    listen 80; 
    server_name www.yourdomain.com yourdomain.com; 
    return 301 https://$host$request_uri; 
}

Restart nginx again and test to make sure everything is working as expected.

Set up auto-renewal.

The certificate expires within 90 days, you can run the command certbot-auto renew to perform the renewal of the certificate. However, it will only renew if it’s 30 days away or less to expire. So you can create a cronjob to run every week without any problem.

Edit your crontab and insert the following entries:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

A log of the output of certbot-auto renew will be available in the path shown above.

Conclusion:

Easy to install and maintain. You can also improve it using a strong encryption.

Running MariaDB/MySQL on small VPS

I had my databases down twice in a month with the following error message:

[ERROR] mysqld: Out of memory

Compared to shared hosting services that we used to have, the tiny and cheap cloud VPSs are amazing. I am a user and big fan of the service as I don’t have any personal projects that require AWS by now.

These servers are convenient and comfortable as you can customize, install and configure as you wish. When everything is to your liking you can take snapshots as backup or to create duplicates of your server.

The only problem is that some of the softwares needed to run a fully web server comes with predefined configuration files. They run fine on their own but you need to take in mind that your VPS have a limited RAM to work with. MySQL and MariaDB by default will allocate around 400MB, which is reasonable to a normal server, but not to a limited virtual instance running 24/7.

I will comment on the measures it took to get around this problem. As usual the following steps are for Ubuntu 14.04, your steps may vary depending on your distro and version. You may find a my.cnf over the internet that fits your server’s specifications.

Disable Performance Schema

In my opinion, performance schema only has a use if you or a DBA wants to monitor the database activity. To disable it edit the default MySQL configuration file, in this case /etc/mysql/my.cnf, and edit the following line under the [mysqld] block (if it doesn’t exist, create the line).

performance_schema = off

MyISAM tables

InnoDB tables have a huge impact in performance and memory usage, if you don’t use its resources you may consider to use MyISAM. To do so you need edit the following variables under the [mysqld] block of the /etc/mysql/my.cnf file:

default-storage-engine=MyISAM
default-tmp-storage-engine=MyISAM

If you don’t need InnoDB resources at all you can disable it adding the following line to your my.cnf:

skip-innodb

You may need to change your existing tables to MyISAM. The following ShellScript can do that for you.

#!/bin/bash

MYSQLCMD=mysql

for db in `echo show databases | $MYSQLCMD | grep -v Database`; do
        for table in `echo show tables | $MYSQLCMD $db | grep -v Tables_in_`; do
                TABLE_TYPE=`echo show create table $table | $MYSQLCMD $db | sed -e's/.*ENGINE=\([[:alnum:]\]\+\)[[:space:]].*/\1/'|grep -v 'Create Table'`
                if [ $TABLE_TYPE = "InnoDB" ] ; then
                        mysqldump $db $table > $db.$table.sql
                        echo "ALTER TABLE $table ENGINE = MyISAM" | $MYSQLCMD $db
                fi
        done
done

Swap

Swap isn’t recommended, at least by DigitalOcean that uses SSDs, but I use it as a fail-safe measure. The following commands will create a swapfile and use it as swap space in your machine, run as root:

fallocate -l 256M /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

To keep your changes permanent don’t forget to add the following line to your /etc/fstab file:

/swapfile   none    swap    sw    0   0

Conclusion

Cloud VPSs are amazing considering their cost, reliability and convenience, keep in mind that you will need to tweak one thing or other. If you need a more robust solution I recommend Amazon’s RDS or upgrading your instance plan.

Don’t forget to restart your MySQL/MariaDB service after any changes to the my.cnf file.

service mysql restart

Git repository access control with Gitolite

I already used other version control software like CVS and SVN in the past, but Git was one that really got me because I just felt it easy and intuitive.

Besides having a GitHub account I really don’t see the point of paying US$7/month just to have private repositories when you can roll your own VPS for less than that. Obviously, you can install something more similar to GitHub like GitLab, but, in my opinion, Gitolite is easy to use, fast and works; Keep it simple, sucker!

So, I will give the steps to install and configure on Ubuntu Server 16.04. On other distros the paths and steps may differ.

First of all, you should check existing SSH keys or generate a new set on your machine. (To be honest, if you are already using git you should have your keys)

#to check:
ls -al ~/.ssh
#to generate(linux/mac):
ssh-keygen -t rsa

On Windows machines I advise you to install cygwin with net/openssh package. I prefer that way, but you can try with other methods.

Back to our server, now we should install gitolite3 and git-core:

sudo apt-get install git-core gitolite3

Insert your public key configure gitolite. On older versions you need to create a user and run the setup by yourself, keep that in mind if you are using other distro.

Now you can ssh the gitolite user to list the repositories:

ssh gitolite3@yourdomain.com

You can add some rules and keys cloning the gitolite-admin repository.

git clone gitolite3@youtdomain.com:gitolite-admin

You can now add pub keys for other users(or machines) creating files in the keydir directory. For multiple machines you should use the name convention user@machine.pub, like nimlhug@notebook.pub. On the conf/gitolite.conf file you can add users and repositories.

Checkout the official documentation. Apart from being a non resource-intensive, gitolite is a rich and powerful software that you can make use of RegEx, groups, hooks, VREF, wild repos and much more.