Below is my setup to enable Forward secrecy
Generate DH parameters:
# openssl dhparam -out /etc/pki/tls/dh-2048.pem 2048
and then configure Prosody with your Let's Encrypt certificates:
VirtualHost "balaskas.gr"
    ssl = {
        key = "/etc/letsencrypt/live/balaskas.gr/privkey.pem";
        certificate = "/etc/letsencrypt/live/balaskas.gr/fullchain.pem";
        cafile = "/etc/pki/tls/certs/ca-bundle.crt";
        -- enable strong encryption (the config file is Lua, so comments use "--")
        ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
        dhparam = "/etc/pki/tls/dh-2048.pem";
    }
If you only want to accept TLS connections from clients and servers, change your settings to these:
c2s_require_encryption = true
s2s_secure_auth = true
Check your setup
Check your certificates with openssl:
Server: # openssl s_client -connect balaskas.gr:5269 -starttls xmpp < /dev/null
Client: # openssl s_client -connect balaskas.gr:5222 -starttls xmpp < /dev/null
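The two openssl commands print a long transcript, and what matters for this setup is buried in it: the negotiated protocol, the cipher (an ECDHE- or DHE- name means an ephemeral key exchange, i.e. forward secrecy), the "Server Temp Key" line and the verify return code for the certificate chain. The following is an added example, not part of the original post, that extracts exactly those fields from an `openssl s_client` transcript and decides whether the endpoint meets the goal of this setup. The two transcripts are constructed samples in the shape openssl prints, not captures from balaskas.gr; `run_check()` is a hypothetical helper that runs the same command as above and needs network access.

```python
import re
import subprocess

# Constructed sample of an `openssl s_client` transcript for a server that negotiated
# an ephemeral ECDH key exchange (forward secret) with a verifiable certificate chain.
SAMPLE_FS = """\
CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

# Constructed sample for a server using static RSA key exchange (no forward secrecy),
# an old protocol version and a certificate the client could not verify.
SAMPLE_NO_FS = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

# The lines of the transcript we care about; the "SSL-Session:" block indents them.
FIELD_PATTERNS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "verify_code": re.compile(r"Verify return code:\s*(\d+)"),
    "temp_key": re.compile(r"Server Temp Key:\s*(.+)"),
}


def assess(s_client_output):
    """Summarise one s_client transcript: negotiated protocol and cipher, whether the
    key exchange was ephemeral, and whether the certificate chain verified."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(s_client_output)
        fields[name] = m.group(1).strip() if m else None
    cipher = fields["cipher"] or ""
    # ECDHE-/DHE- suites use ephemeral keys; TLS 1.3 suites (TLS_...) always do.
    forward_secret = cipher.startswith(("ECDHE-", "DHE-", "TLS_"))
    verify_ok = fields["verify_code"] == "0"
    legacy_protocol = fields["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1")
    return {
        "protocol": fields["protocol"],
        "cipher": cipher or None,
        "temp_key": fields["temp_key"],
        "forward_secret": forward_secret,
        "verify_ok": verify_ok,
        "legacy_protocol": legacy_protocol,
        "ok": forward_secret and verify_ok and not legacy_protocol,
    }


def run_check(host, port, starttls="xmpp", timeout=20):
    """Hypothetical helper: run the same command as in the post (stdin closed, like
    "< /dev/null") and assess its output. Needs network access to the host."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-starttls", starttls]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return assess(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for label, sample in (("forward-secret sample", SAMPLE_FS), ("static-RSA sample", SAMPLE_NO_FS)):
        result = assess(sample)
        print(f"{label}: {result['protocol']} {result['cipher']} "
              f"fs={result['forward_secret']} verify={result['verify_ok']} ok={result['ok']}")
```

Run it against the real endpoints with `run_check("balaskas.gr", 5222)` for c2s and port 5269 for s2s; a result with `ok` false tells you which of the three properties (ephemeral key exchange, modern protocol, verifiable chain) the server failed to offer.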
Top Ten Linux Distributions and https
A/A | Distro | URL | Verified by | Begin | End | Key (bits)
01. | ArchLinux | https://www.archlinux.org/ | Let's Encrypt | 02/24/2016 | 05/24/2016 | 2048
02. | Linux Mint | https://linuxmint.com/ | COMODO CA Limited | 02/24/2016 | 02/24/2017 | 2048
03. | Debian | https://www.debian.org/ | Gandi | 12/11/2015 | 01/21/2017 | 3072
04. | Ubuntu | http://www.ubuntu.com | - | - | - | -
05. | openSUSE | https://www.opensuse.org/ | DigiCert Inc | 02/17/2015 | 04/23/2018 | 2048
06. | Fedora | https://getfedora.org/ | DigiCert Inc | 11/24/2014 | 11/28/2017 | 4096
07. | CentOS | https://www.centos.org/ | DigiCert Inc | 07/29/2014 | 08/02/2017 | 2048
08. | Manjaro | https://manjaro.github.io/ | DigiCert Inc | 01/20/2016 | 04/06/2017 | 2048
09. | Mageia | https://www.mageia.org/ | Gandi | 03/01/2016 | 02/07/2018 | 2048
10. | Kali | https://www.kali.org/ | GeoTrust Inc | 11/09/2014 | 11/12/2018 | 2048
Baïkal is a CalDAV and CardDAV server based on sabre/dav.
Self-hosting your own CalDAV & CardDAV server is one of the first steps towards better control of your data and keeping your data, actually, yours! So here comes Baikal, which is really easy to set up. Just as easily you can configure any device (mobile/tablet/laptop/desktop) to use your baikal instance and synchronize your calendar & contacts everywhere.
In this blog post are some personal notes on installing or upgrading baikal on your web server.
[ The latest version as this article was written is 0.4.1 ]
Change to your web directory (usually something like /var/www/html/) and download baikal:
Clean Install - Latest release 0.4.1
based on sabre/dav 3.1.2
You need at least PHP 5.5, but preferably use 5.6.
# wget -c https://github.com/fruux/Baikal/releases/download/0.4.1/baikal-0.4.1.zip
# yes | unzip baikal-0.4.1.zip
# chown -R apache:apache baikal/
That’s it !
Be aware that there is a big difference between 0.2.7 and versions greater than 0.3.x:
the URL has an extra part, html. It changes from https://baikal.example.com/admin
to https://baikal.example.com/html/admin
If you already have baikal-0.2.7 installed and want to upgrade to 0.4.x or later, follow these steps:
# wget -c http://baikal-server.com/get/baikal-flat-0.2.7.zip
# unzip baikal-flat-0.2.7.zip
# mv baikal-flat baikal
# wget -c https://github.com/fruux/Baikal/releases/download/0.4.1/baikal-0.4.1.zip
# yes | unzip baikal-0.4.1.zip
# touch baikal/Specific/ENABLE_INSTALL
# chown -R apache:apache baikal/
I prefer to create a new virtualhost every time I need to add new functionality to my domain.
Be smart & use encryption!
Below is my virtualhost as an example:
<VirtualHost *:443>
    ServerName baikal.example.com
    # SSL Support
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/baikal.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/baikal.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/baikal.example.com/chain.pem
    # Logs
    CustomLog logs/baikal.access.log combined
    ErrorLog logs/baikal.error.log
    DocumentRoot /var/www/html/baikal/
    <Directory /var/www/html/baikal/>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
The next step is to open your browser and browse to your baikal location,
eg. https://baikal.example.com/html/
admin interface:
https://baikal.example.com/html/admin/
or, if you have an older version (0.2.7) on your system,
eg. https://baikal.example.com
I use SQLite for personal use (it makes the backup process easy), but you can always choose MySQL.
Dashboard on 0.4.1. Useful URIs are: Principals, Plugins, Nodes (screenshots not reproduced here).
Here is a screen guide for the latest versions:
Log in to the admin dashboard and create your user through the
Users and resources tab,
and you are done with the baikal installation & configuration process.
Principals
Applications (caldav/carddav and task clients) can now reach the server through the principals URI:
https://baikal.example.com/html/card.php/principals
or via dav.php
https://baikal.example.com/html/dav.php
If your client does not support the holistic URI above, try these for calendar & contacts:
CalDAV
https://baikal.example.com/html/cal.php/calendars/test/default
CardDAV
https://baikal.example.com/html/card.php/addressbooks/test/default
On Android devices I use DAVdroid.
If you have a problem with your self-signed certificate,
try adding it to your device through the security settings.
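What a client that "supports the holistic URI" actually does with dav.php is WebDAV discovery: a PROPFIND for `current-user-principal` (RFC 5397) on the server root, then a PROPFIND on that principal for `calendar-home-set` (RFC 4791) and `addressbook-home-set` (RFC 6352); the per-user calendar and addressbook URIs listed above are what falls out of that. The following is an added example, not code from the post or from Baikal, that performs and parses that exchange. The two 207 Multi-Status replies are constructed in the shape the RFCs define, not captured from a Baikal server; the `/html/dav.php/` base path and the hrefs under it are assumptions. `discover()` talks to a real server over HTTPS and, deliberately, verifies the certificate, which is why a self-signed certificate must first be added to the trust store, exactly as the DAVdroid note above says.

```python
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET

DAV = "DAV:"
CALDAV = "urn:ietf:params:xml:ns:caldav"
CARDDAV = "urn:ietf:params:xml:ns:carddav"

# Step 1: ask the server which principal the authenticated user is (RFC 5397).
PROPFIND_PRINCIPAL = (
    '<d:propfind xmlns:d="DAV:"><d:prop><d:current-user-principal/></d:prop></d:propfind>'
)
# Step 2: ask that principal where its calendars and addressbooks live (RFC 4791 / RFC 6352).
PROPFIND_HOMES = (
    '<d:propfind xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav" '
    'xmlns:a="urn:ietf:params:xml:ns:carddav">'
    '<d:prop><c:calendar-home-set/><a:addressbook-home-set/></d:prop></d:propfind>'
)

# Constructed replies (assumed paths, not captured from Baikal).
RESPONSE_ROOT = """
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/html/dav.php/</d:href>
    <d:propstat>
      <d:prop>
        <d:current-user-principal><d:href>/html/dav.php/principals/test/</d:href></d:current-user-principal>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>
"""

RESPONSE_PRINCIPAL = """
<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav" xmlns:a="urn:ietf:params:xml:ns:carddav">
  <d:response>
    <d:href>/html/dav.php/principals/test/</d:href>
    <d:propstat>
      <d:prop>
        <c:calendar-home-set><d:href>/html/dav.php/calendars/test/</d:href></c:calendar-home-set>
        <a:addressbook-home-set><d:href>/html/dav.php/addressbooks/test/</d:href></a:addressbook-home-set>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
    <d:propstat>
      <d:prop><d:displayname/></d:prop>
      <d:status>HTTP/1.1 404 Not Found</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>
"""


def href_of(multistatus_xml, prop_tag):
    """Return the href carried by property `prop_tag` (Clark notation, e.g. "{DAV:}current-user-principal")
    from a 207 Multi-Status body, considering only propstat blocks with a 200 status."""
    root = ET.fromstring(multistatus_xml)
    for propstat in root.iter(f"{{{DAV}}}propstat"):
        if " 200 " not in propstat.findtext(f"{{{DAV}}}status", ""):
            continue  # 404 propstat blocks list properties the server does not have
        prop = propstat.find(f"{{{DAV}}}prop/{prop_tag}")
        if prop is None:
            continue
        href = prop.findtext(f"{{{DAV}}}href")
        if href:
            return href.strip()
    return None


def discover(host, user, password, base="/html/dav.php/"):
    """Run both PROPFINDs over HTTPS with certificate verification and return the discovered hrefs."""
    ctx = ssl.create_default_context()  # a self-signed cert fails here unless it is in the trust store
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=15)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Depth": "0",
               "Content-Type": "application/xml; charset=utf-8"}

    def propfind(path, body):
        conn.request("PROPFIND", path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read().decode("utf-8", errors="replace")
        if resp.status != 207:
            raise RuntimeError(f"PROPFIND {path} returned {resp.status}")
        return data

    principal = href_of(propfind(base, PROPFIND_PRINCIPAL), f"{{{DAV}}}current-user-principal")
    homes = propfind(principal, PROPFIND_HOMES)
    return {"principal": principal,
            "calendar_home": href_of(homes, f"{{{CALDAV}}}calendar-home-set"),
            "addressbook_home": href_of(homes, f"{{{CARDDAV}}}addressbook-home-set")}


if __name__ == "__main__":
    print("principal:", href_of(RESPONSE_ROOT, f"{{{DAV}}}current-user-principal"))
    print("calendars:", href_of(RESPONSE_PRINCIPAL, f"{{{CALDAV}}}calendar-home-set"))
    print("addressbooks:", href_of(RESPONSE_PRINCIPAL, f"{{{CARDDAV}}}addressbook-home-set"))
```

Against a live instance, `discover("baikal.example.com", "test", "secret")` performs the two requests; a client that lacks this discovery step is the one that needs the explicit cal.php/card.php URIs listed above.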
I’ve started a new project with bottle.py and had some hiccups with static files and templates.
My project layout is (something) like this:
/
app.wsgi
bottle.py
static/
static/css
static/css/bootstrap-theme.min.css
static/css/bootstrap.min.css
static/img
static/img/logo.png
static/js
static/js/bootstrap.min.js
static/js/npm.js
static/js/tab.js
static/js/jquery-1.12.1.min.js
views/
views/search.tpl
views/index.tpl
views/header.tpl
views/footer.tpl
My app.wsgi looks something like this (dynamic routes & templates):
import bottle
from bottle import template

@bottle.route('/')
@bottle.route('/<action>/<name>')
def main(action='/', name=None):
    # "/" renders the index template; any other first path segment names the template to render.
    # Note: the template name comes straight from the URL, so restricting `action` to a known
    # list of templates is the safer option.
    if action == '/':
        return template("index", title=" some title ")
    else:
        return template(action, title=" some title ", name=name)

application = bottle.default_app()
I can translate every REST request to a new template and use AJAX inside the templates.
But what about static files like stylesheets and JavaScript?
eg.
<script src="jquery-1.12.1.min.js"></script>
<img src="logo_hp.png">
When working with dynamic routes (or any routes in bottle), the browser resolves a relative src against the URL of the page it is on, so on any page other than the main one served by app.wsgi the requests are translated to something like:
GET /search/jquery-1.12.1.min.js
GET /view/jquery-1.12.1.min.js
etc
Given the layout above, we somehow need to map all static files (css, js, images) to our static folder. We can map static files from "/" with the code below:
from bottle import static_file

# Each route catches one file type directly under "/" and serves it from the matching
# static subdirectory (root is relative to the working directory of the WSGI process).
@bottle.get(r'/<filename:re:.*\.js>')
def static_js(filename):
    return static_file(filename, root='static/js')

@bottle.get(r'/<filename:re:.*\.css>')
def static_css(filename):
    return static_file(filename, root='static/css')

@bottle.get(r'/<filename:re:.*\.png>')
def static_img(filename):
    return static_file(filename, root='static/img')
Ok, that worked for the initial route (index page), but what about all the other templates & requests?
The solution was really (really) very very simple, even if it took me a couple of hours to figure it out!!
I just needed to add a forward slash in front of every static file:
<script src="/jquery-1.12.1.min.js"></script>
<img src="/logo.png">
and the GET request becomes:
GET /jquery-1.12.1.min.js
and we can now route the static files to our static file directory.
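The leading slash works because of how browsers resolve URLs, not because of anything in bottle: a relative `src` is joined to the path of the page it appears on, a root-relative `/src` is not. The following is an added example, not code from the post, that makes both halves of the problem visible without needing bottle installed. `browser_request_path()` reproduces the browser's resolution with the standard library, `route()` is a small stand-in for the app's dispatch (hypothetical re-implementation, with the static patterns restricted to a single path segment under "/"), and `resolve_static()` shows the containment check that bottle's `static_file()` performs so that a catch-all filename pattern cannot be used to read outside the static directory. The asset list is constructed from the layout above.

```python
import os
import re
from urllib.parse import urljoin, urlsplit

# Asset references as written in the templates (constructed from the project layout).
ASSETS = ["jquery-1.12.1.min.js", "bootstrap.min.css", "logo.png"]

# Stand-ins for the three static handlers: one path segment directly under "/" per file type.
STATIC_ROUTES = [
    (re.compile(r"^/(?P<filename>[^/]+\.js)$"), "static/js"),
    (re.compile(r"^/(?P<filename>[^/]+\.css)$"), "static/css"),
    (re.compile(r"^/(?P<filename>[^/]+\.png)$"), "static/img"),
]
# The app's dynamic route: /<action>/<name>
DYNAMIC_ROUTE = re.compile(r"^/(?P<action>[^/]+)/(?P<name>[^/]+)$")


def browser_request_path(page_path, src):
    """Path the browser requests for an asset reference `src` found in the page served at
    `page_path` (standard relative-URL resolution, RFC 3986)."""
    return urlsplit(urljoin("http://host.invalid" + page_path, src)).path


def route(path):
    """Dispatch a request path the way the app does.
    Returns ("static", root, filename), ("template", action, name) or ("404", None, None)."""
    for pattern, root in STATIC_ROUTES:
        m = pattern.match(path)
        if m:
            return ("static", root, m.group("filename"))
    if path == "/":
        return ("template", "index", None)
    m = DYNAMIC_ROUTE.match(path)
    if m:
        return ("template", m.group("action"), m.group("name"))
    return ("404", None, None)


def resolve_static(root, filename):
    """Join a matched filename onto its static root and refuse anything that escapes it;
    this is the same containment check bottle's static_file() does before opening a file."""
    root = os.path.abspath(root) + os.sep
    full = os.path.abspath(os.path.join(root, filename.strip("/\\")))
    if not full.startswith(root):
        return None
    return full


def where_assets_go(page_path, absolute):
    """For every asset, the request the browser makes from `page_path` and where it is routed."""
    rows = []
    for asset in ASSETS:
        src = "/" + asset if absolute else asset
        req = browser_request_path(page_path, src)
        rows.append((src, req, route(req)))
    return rows


if __name__ == "__main__":
    for page in ("/", "/search/foo"):
        for absolute in (False, True):
            print(f"page {page}, {'root-relative' if absolute else 'relative'} src:")
            for src, req, target in where_assets_go(page, absolute):
                print(f"  {src:28} -> GET {req:36} -> {target}")
```

Running it shows that from "/" both spellings reach the static handlers, while from "/search/foo" only the root-relative form does; the relative form produces "GET /search/jquery-1.12.1.min.js", which the dynamic route swallows as action "search".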