modsecurity on debian

ModSecurity left me confused: I thought I had the basic rules, but I had the extended CRS rules as well, and so it did not need configuring. The Debian (my blog) wiki keeps mum on the subject as well.

I know it's working, although with its reporting via Ruby and upgrades via Python it is a multidisciplinary tool.

From what I read outside of Debian it seems to work with our stuff, so it remains on. Mystery software that sounds like a future candidate for disabling.

Its log messages are also hard to grep and awk through.
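As an added example that is not part of the original post: a ModSecurity 2.x line in Apache's error log is a free-text verdict followed by a run of [key "value"] pairs, so one regular expression pulls out the rule id, message, severity and the unique_id that links the line to the full transaction in the audit log (SecAuditLog). The log lines embedded below are constructed for the example (documentation IPs and hostname, CRS rule ids as they appear in CRS 3); the code is plain Python using only the standard library.

```python
"""Summarise ModSecurity 2.x messages from an Apache error log (added example).

SAMPLE_LOG is constructed to match the error-log layout written by
libapache2-mod-security2 with the OWASP CRS; it is not real traffic.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[Tue Mar 05 10:12:01.123456 2019] [:error] [pid 2211] [client 203.0.113.7:51234] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:q. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/search"] [unique_id "XH4a-AAAAAAAAAAAAAAAAA"]
[Tue Mar 05 10:12:03.654321 2019] [:error] [pid 2211] [client 203.0.113.7:51236] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/search"] [unique_id "XH4a-AAAAAAAAAAAAAAAAB"]
[Tue Mar 05 10:15:40.000001 2019] [:error] [pid 2212] [client 198.51.100.9:40000] ModSecurity: Warning. Pattern match "<script" at ARGS:comment. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "88"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/contact"] [unique_id "XH4a-AAAAAAAAAAAAAAAAC"]
[Tue Mar 05 10:16:00.000000 2019] [:error] [pid 2212] [client 198.51.100.9:40002] AH01630: client denied by server configuration: /var/www/html/.git
"""

# "[client ip:port] ModSecurity: <verdict>. <reason>. [key "value"] [key "value"] ..."
MODSEC_RE = re.compile(r'\[client ([^\]\s]+?)(?::\d+)?\] ModSecurity: (.*)$')
# One [key "value"] pair; values may contain \" escapes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Return a dict of the ModSecurity metadata on one error-log line, or None
    for lines that are not ModSecurity's. Repeated keys (CRS emits several
    [tag "..."] pairs) collapse to the last occurrence."""
    m = MODSEC_RE.search(line)
    if not m:
        return None
    client, rest = m.group(1), m.group(2)
    event = dict(KV_RE.findall(rest))
    event["client"] = client
    # The text before the first ". " is the verdict: "Warning" for a plain
    # match, "Access denied with code 403 (phase N)" when a blocking rule fired.
    event["verdict"] = rest.split(". ", 1)[0]
    event["blocked"] = event["verdict"].startswith("Access denied")
    return event


def summarise(log_text):
    """Aggregate hits per (rule id, message) and per client; list blocked clients."""
    events = [e for e in map(parse_modsec_line, log_text.splitlines()) if e]
    by_rule = Counter((e.get("id", "?"), e.get("msg", "?")) for e in events)
    by_client = Counter(e["client"] for e in events)
    blocked = sorted({e["client"] for e in events if e["blocked"]})
    return {"events": events, "by_rule": by_rule,
            "by_client": by_client, "blocked": blocked}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarise(text)
    for (rule_id, msg), n in s["by_rule"].most_common():
        print("%5d  %s  %s" % (n, rule_id, msg))
    print("blocked clients:", ", ".join(s["blocked"]) or "none")
```

Run it against /var/log/apache2/error.log to get a per-rule count; the unique_id of any line you want to investigate is the key to look up in the audit log, where the full request and response are recorded.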

I guess i shall be writing about mod-security rules at some point in the future…

ecommerce idiots who rely on google way too much

Relying on Google is a bad move. I saw this while doing stuff and was surprised, since I could not continue doing things.

Idiots: even the zoo has its own recaptcha software (my blog), and if I can do it... Lazy people. It seems it shut down sooner rather than when announced.

So I did not buy from them; ergo Google breaks the internet, or perhaps they did not want money. Not my problem, as I found it elsewhere and they liked money.

I bet the Google domain report (or buy adverts from Google, or else) will ignore that their software stopped them from making a sale.


i still do not grok hpkp and overriding it like a pro

I have mentioned it before (my blog), and since Chrome (the web browser, not a metal alloy) eventually gave up on this cryptographic hash to verify sites**, I decided to have one last go.

I read online that

openssl ecparam -genkey -name secp384r1 > ec.key
openssl ec -in ec.key -pubout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | base64

Got a backup key or something.

That looks like this (note: not run on a real certificate). The "read EC key" and "writing EC key" lines are what the two openssl ec invocations print on stderr; the pin itself is the single base64 line the pipeline prints on stdout, which is not reproduced here:

read EC key
writing EC key
read EC key
writing EC key

# cat server.key
4Ej/s4iCfUWgBwYFK4EEACKhZBananas – in  – the – Falklands -M4szuJE0DDh/pLBmob

So it appears that ecparam -genkey writes two sections, EC PARAMETERS and EC PRIVATE KEY, to the file.

The magic of openssl is beyond most, so I went looking for an HPKP generator, which appeared to work, and although it does not do EC private keys it also got me a backup pin hash.

I still had no idea how I could generate a backup cert from those keys; I still think money would need to change hands with the SSL mafia.

Since I already had a commented-out, non-working HPKP block (with the \" syntax, a rather nasty line of config-speak compared with most), I copied it, used the hashes from that generator and tested it twice; both sites agreed HPKP was there and valid.

But I was unable to reproduce how the backup key was made. It felt easier than before, with less effort, but I still felt I had no feel for HPKP.

I did not add it to the other zoo domains for reasons of it being an unknown quantity. I would guess that if you asked your TLS provider whether it generates backup keys, you would be told to buy the most expensive SSL they have and be done with you. It appears that encryption files get some extra section, but how it works beyond that is beyond me and the SSL supplier.

I prefer TLSA hashes (my blog) to magical stuff that very few seem to get.

If you're more illuminated than you were, well done, but it still makes it useless.

I also had to replace TLS, and I decided to break HPKP.

I discovered that I had no access from Firefox or Chrome.

In Firefox, to disable HPKP for a site, find SiteSecurityServiceState.txt in the profile directory and

vi ~/.mozilla/firefox/<something>.default/SiteSecurityServiceState.txt

search for the domain name and delete those lines. Restart and you will gain an uncle Bob.

Chrome is also intentionally screwed up, but since I do not use Chrome it's not an issue; resetting Chrome clears the issue. However, if I can find and edit or delete my HPKP settings back to defaults, I am sure a malware or ransomware bot could as well. I conclude that HPKP is useless.

Tomorrow, cute kitten pictures*

* I joke. ** Still requires TLS certs from a 'trusted' SSL source, most of which require money.

weird google pagespeed issues with async and defer and http2

The zoo has a single webpage of which some works and some does not, depending on the browser.

Pagespeed (my blog), a Google thing, likes things adjusted with the async and defer HTML 5 keywords (my blog); add HTTP/2 secure and unsecured methods* and you have a party, which I was designated to solve.

So one day I decided to fix this one-page weirdo: removing those two keywords from the jQuery script tag and boom, the page does what it used to do every time in most browsers.

Sisyphus is still a role model

Should you trust pagespeed? No, but it seems the move to HTTP/2 is one that needs some thinking on, even with simple HTML.

I was kind of amazed it was that simple and that HTTP/2 conflicts with pagespeed, but not too surprised; after all, what Google wants and what we want are two different things.

Our CSP (my blog) is causing an issue with some on-page JavaScript, which is probably redundant due to HTTP headers, but that is not an issue.

* not HTTP/1

the return of the webform bot

The zoo has a web form bot lookup from years and years ago; to be honest, I was not sure it was working, since it saw no action until it caught some web bots trying to send us messages of no value, which a script reports to me daily.

Not sure if they got past our captcha either.

It has been a while, but I am glad I did not dump that feature, even with the settings we had.

fun with Content Security Policies

Something your website can do, and included in the spectrum, is HPKP (my blog), which is generally considered a nightmare and broken; but other content security things are needed by some web things to work.

As it is kind of TLS related, I decided to make the zoo compatible with the more common CSPs unused here in the zoo. There are easy headers like HSTS, X-Frame-Options*, Set-Cookie, X-XSS-Protection, and hard ones; CSP is hard. I was missing a couple and thought, why not.

However, while CSP allows stuff, it is quite tricky to figure out the format, which goes

<set header> default-src 'self' data: hostname; script-src * data: hostname; style-src data: hostname

The Chrome browser is helpful here for diagnosing stuff, although I never bothered to look at Firefox's tools.

I had to use a wildcard with our policy on the hostname, but things eventually worked.
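To make the format concrete, and to show what the wildcard costs, here is a small parser and checker, added as an example and not from the original post: it splits a policy the way a browser does (semicolons separate directives, the first occurrence of a directive wins, fetch directives fall back to default-src) and flags the sources that let injected content run. The policy string is the layout shown above, with www.example.org standing in for the zoo's hostname; the findings wording is this example's own.

```python
"""Parse a Content-Security-Policy value and flag its weak spots (added example)."""
from collections import OrderedDict

# The layout from the post, with www.example.org standing in for the real hostname.
ZOO_POLICY = ("default-src 'self' data: www.example.org; "
              "script-src * data: www.example.org; "
              "style-src data: www.example.org")


def parse_csp(policy):
    """directive -> list of source expressions. Browsers keep the first
    occurrence of a directive and ignore later duplicates; so does this."""
    directives = OrderedDict()
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """What the browser applies for a fetch directive: the directive itself,
    else default-src, else no restriction at all (spelled '*' here)."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", ["*"])


def lint_csp(policy):
    """(directive, problem) pairs for settings that let injected content run."""
    d = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src", "object-src"):
        srcs = effective_sources(d, name)
        if "*" in srcs:
            findings.append((name, "wildcard host: any origin may supply this content"))
        if "'unsafe-inline'" in srcs:
            findings.append((name, "'unsafe-inline': injected inline code is allowed"))
        if "'unsafe-eval'" in srcs and name == "script-src":
            findings.append((name, "'unsafe-eval': string-to-code is allowed"))
        if "data:" in srcs and name in ("script-src", "object-src"):
            findings.append((name, "data: URIs can carry attacker-chosen script or plugin content"))
    if "default-src" not in d:
        findings.append(("default-src", "missing: every unlisted fetch directive is unrestricted"))
    # Curly quotes (as a blog editor or word processor produces them) are not
    # the 'self' keyword: the browser sees an invalid source and drops it.
    for name, srcs in d.items():
        for s in srcs:
            if "\u2018" in s or "\u2019" in s:
                findings.append((name, "curly quotes in %s: keywords need straight quotes" % s))
    return findings


if __name__ == "__main__":
    for directive, problem in lint_csp(ZOO_POLICY) or [("-", "no findings")]:
        print("%-12s %s" % (directive, problem))
```

Run on the zoo policy it reports three things: script-src with * means any script tag an attacker can inject may load from anywhere on the web (inline scripts are still blocked, since there is no 'unsafe-inline'); data: in script-src lets a script be injected as a data: URI; and because object-src is not set it inherits default-src, so data: plugin content is allowed as well. Tightening script-src to 'self' plus the named hosts, and adding object-src 'none', makes the checker come back empty.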

HPKP remains something I won't touch with a bargepole, for if Symantec can issue bad EV [the green ones] certificates unauthorised, then the danger becomes clear to all.

apache2-doc debian weirdness fixed

If, like the zoo, you upgraded from Debian 8 to Debian 9 (my blog), then apache2-doc fails with something along the lines of

ERROR: Conf apache2-doc does not exist!
dpkg: error processing package apache2 (--configure):

But Apache still runs. A purge and install, e.g.:

apt purge apache2-doc;apt install apache2-doc

fixes it, so shit software like systemd will not complain about it. Honestly, no idea why you have to do this when the version of the package was current, but that's how things go with systemd.

http/2 in the wild

I have a new plugin that tells me when HTTP/2 is in use, and many well-known sites still do not support HTTP/2. It kind of surprised me, but it should not have; after all, those grey icons for DNSSEC (my blog) mostly stay grey: forget it, not even red (error) or green (ok).

I have yet to bother with HPKP (my blog) and seriously doubt there is a plug-in for that; after all, very few sites even have that.

http/2 in debian

tube recycle those 1’s and 0’s

It was surprisingly easy to set up in Debian 9.2 in Apache: turn on the module (a2enmod http2) and add

# for a https server
Protocols h2 http/1.1
# for a http server
Protocols h2c http/1.1

depending on the host config, then restart Apache. I doubt anybody will notice. One check worth making: from Apache 2.4.27 onwards mod_http2 refuses to serve h2 under the prefork MPM (the one mod_php forces), so confirm which protocol is actually negotiated with curl -sI --http2 https://host/ or the browser's network tab rather than trusting the config line.

Much better than that SPDY (my blog) crap Alphabet was promoting.


The ideal google webpage in reality

It is more mobile friendly than computer based, but if your HTML is up to standard then quite achievable.

The webserver component is interesting, although it is tricky to decide if what it suggests works; that may be through Debian stable doing its thing.

This is not SEO, which industry SEO 'experts' broke, but just HTML, and even some things are new to me, although I don't claim to be a mobile user with their retarded apps (my blog); for instance, a tap point is nothing to do with tap dancing but an a href link and CSS.

What concerns me is the minified text content that also includes HTML. While I can do CSS and JS files, it does make troubleshooting fucking hard work, and I am not parsing my HTML in a foreign website where I have no idea what extra content it adds. No HTML minifier exists in the .deb ecosystem.

So I compiled node.js and installed two minifiers via npm. One only works via copy and paste on a website; the other worked, but the rating algorithm found its work poor and recommended minifying it.

Minifying is best for incomprehensible CSS; for JS and PHP it makes no difference; HTML is a disaster area. Take this:


It becomes (via an online tool)

</footer></div></div><!--[if lte IE 8]>http://js1/respond.js<![endif]-->

Ignoring \n removal: can I have my </body> and the rest back?

Oh, good luck fixing that in real life.

I had a 100% user experience rating and the page speed was OK, although without minification, for the reasons explained.

Security of pages [HTTPS] seems ignored, and blocking pages from being framed via somebody else's website (think this) is frowned upon, so I ignored some of the recommendations. I'd rather not display HTML to a client if that is how it is delivered rather than direct.

jQuery that does CSS blocks (imagine form HTML) is also frowned on, but then I am thinking of client experience rather than Google's worries.

PHP is interesting: using

zlib.output_compression = On

resulted in no PHP content, so do not take these suggestions as 100% practicable.

Page design is almost an art form, and as to tap points, what the hell, can't they be called link anchors/URLs?

If I ever find out which web designer coined the term tap points, then they should be shot dead for reasons of sanity. HUGE font sizing looks RIDICULOUS.

These ideals are for the benefit of Google, not the open 'web'.