29 Mar

Host a RIPE Atlas probe!

RIPE NCC has been running an excellent project called RIPE Atlas for a few years. This is one of the largest distributed network measurement projects, where thousands of users host small devices called RIPE Atlas probes on their networks, home connections, datacenters etc. These probes run measurements in both public and private categories and make that data publicly available for use by network engineers, which helps in optimizing routing.
This page shows detailed coverage statistics of the probes.
Here’s what a probe looks like

If you are in India and would like to host a probe, simply fill out this form and I will ship out the device. 🙂


27 Mar

Letsencrypt – Free signed automated SSL

Last year a really good project, Letsencrypt, came up. The key objective of this project is to help in securing the web by pushing SSL everywhere.
Two key cool features

  1. It offers free signed SSL certs!
  2. It helps in setting up SSL via an agent seamlessly without having to deal with CSR, getting it signed & updating web server configuration.

At this stage Letsencrypt is itself a Certificate Authority, but its root certs are not yet in the browsers. It’s probably going to take a while till all major browsers get their certificate.
To help with that, one of its sponsors, IdenTrust, has signed their intermediate certs. Hence certs signed by Letsencrypt are accepted by all browsers right away. All certs signed by Letsencrypt are signed by Let’s Encrypt Authority X1, which has a signature from DST Root CA X3, which is accepted by pretty much all popular browsers. You can read more about How it works here.
Here’s an example of SSL setup for say “demo.anuragbhatia.com” test domain which is already up and working without SSL. http://demo.anuragbhatia.com shows a plain text page. This is Apache running on Ubuntu server.
The Apache web config is pretty straightforward.

<VirtualHost *:80>
ServerName demo.anuragbhatia.com
DocumentRoot /var/www/demo.anuragbhatia.com
ErrorLog /var/log/apache2/demo.anuragbhatia.com
LogLevel notice
</VirtualHost>

Step 1 – Grab the Letsencrypt agent
git clone https://github.com/letsencrypt/letsencrypt
Step 2 – Execute the auto script
./letsencrypt-auto --help
This will grab all needed dependencies and will get the agent working.
Step 3 – Execute the Letsencrypt auto script with its Apache plugin
./letsencrypt-auto --apache -d demo.anuragbhatia.com
It takes me through a quick wizard and in the end I get:

Congratulations! You have successfully enabled
You should test your configuration at:

And it’s done!
Wizard got me a signed SSL and installed it in the apache config as well.
The agent created an additional Apache config named demo.anuragbhatia.com-le-ssl.conf with the following content

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName demo.anuragbhatia.com
DocumentRoot /var/www/demo.anuragbhatia.com
ErrorLog /var/log/apache2/demo.anuragbhatia.com
LogLevel notice
SSLCertificateFile /etc/letsencrypt/live/demo.anuragbhatia.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/demo.anuragbhatia.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/demo.anuragbhatia.com/chain.pem
</VirtualHost>
</IfModule>

Here options-ssl-apache.conf plays an important role by using better security options. Its config:

# Baseline setting to Include for SSL sites
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
CustomLog /var/log/apache2/access.log vhost_combined
LogLevel warn
ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
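
What the SSLProtocol line above actually leaves enabled, as an added example (not code from the Letsencrypt project): a small Python audit that applies mod_ssl's +/- token rules to the TLS directives. The set that "all" expands to, the default used when SSLProtocol is absent, and the function names are assumptions for illustration.

```python
# Added example; function names are illustrative, not from any project.
# Assumption: what "all" expands to on an Apache 2.4 build of that period.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {"all": ALL, **{p.lower(): {p} for p in ALL | {"SSLv2", "TLSv1.3"}}}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the TLS directives from the file shown above.
SAMPLE = """\
SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off
"""

def directives(text):
    """Map lower-cased directive name -> argument list (last one wins)."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1:]
    return found

def effective_protocols(tokens):
    """Apply mod_ssl's rules: +X adds, -X removes, a bare X replaces the set."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() not in KNOWN:
            raise ValueError("unknown protocol: " + tok)
        group = KNOWN[name.lower()]
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # copy, so ALL is never mutated
    return enabled

def audit(text):
    """Return a list of findings for the TLS settings in an Apache config."""
    d = directives(text)
    flag = lambda name: (d.get(name) or ["off"])[0].lower()
    legacy = effective_protocols(d.get("sslprotocol") or ["all"]) & LEGACY
    findings = ["legacy protocols enabled: " + ", ".join(sorted(legacy))] if legacy else []
    if flag("sslcompression") == "on":
        findings.append("TLS compression on (CRIME)")
    if flag("sslhonorcipherorder") != "on":
        findings.append("server cipher order not enforced")
    return findings
```

On the file shown, audit(SAMPLE) reports TLSv1 and TLSv1.1 as still enabled; both were later deprecated by RFC 8996, so on a current server the line is usually tightened to "-all +TLSv1.2 +TLSv1.3".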

Some of the limitations 

  1. Signed SSL certs are valid only for 90 days and have to be renewed.
  2. Wildcard SSL certs are not supported yet.
  3. IPv6 is not supported in the autoconfig setup via the client. One can always get a certificate manually and use it with IPv6, but the agent is yet to support IPv6 (which I guess is from next month).

You can read more in their excellent documentation here, and can also consider checking the presentation by Ashley Jones from PCH at SANOG on All TLS, all the time.
Have fun!

01 Mar

Two day trip to Paihia, Bay of Islands

I had a nice two day trip to Paihia over the weekend. Paihia is one of the key tourist towns far up in the North. It took around 4 hrs via bus from Auckland. Travel was quite comfortable and the place was excellent. I would say Paihia itself was quite a nice place but the travel to it was one of the best scenic journeys I ever had.

I travelled via Inter-city bus. Outside India it’s quite common that just one person takes care of everything on behalf of the bus company. The same person works on loading stuff, verifying tickets, and of course driving the bus. Most societies outside India are extremely cool & calm, which makes the overall service quite doable. Not surprisingly, the same person drove the bus back to Auckland the next day, and the way he kept on updating and greeting all passengers was just amazing. I never had Haryana roadways folks greeting like that. 😉
And oh yes, did I mention the free wifi in the bus? 🙂
Although I have yet to upload most of the videos I took on the way, here’s a quick video showing the way from Auckland to Paihia.
Day 1 
In Paihia on the first day I went to Otehei Bay via boat from Explore. This had a couple of interesting things like the option of swimming with dolphins, and a small pause at Otehei Bay for kayaking, snorkeling and of course swimming.
Night stay was at the YHA hostel. In developed countries hostels are a great way to travel while meeting interesting people and of course keeping costs low.
Here’s how the stay was (inside room and outside view)

Day 2
On day 2 (Sunday) I wasn’t able to do much as it was raining quite heavily and my bus back to Auckland was in the evening. All I could manage was parasailing, apart from roaming around in the market. Must say it was very quiet 300m above sea level. I really loved the experience of hanging from a parachute for a while. I wanted to try skydiving but apart from that being expensive, it wasn’t an option at all with the rain & cloudy sky.
That’s pretty much it about Paihia. I would say if it wasn’t raining & I had a day more, I could probably have tried a few more things out. With a rainy week, two days was a decent time for a place like that.
Time to get back to routing tables. 🙂