
How to check the disk usage of your VPS

The df utility displays disk space usage for all mounted filesystems.

The -T option prints the filesystem type as well. By default, df measures the size in 1K blocks, which can be a little difficult for a desktop user to decipher. Use the -h option to get more readable output:

davidyin@localhost:~$ df -h -T
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  463M     0  463M   0% /dev
tmpfs          tmpfs      99M  7.0M   92M   8% /run
/dev/sda       ext4       25G   12G   12G  51% /
tmpfs          tmpfs     493M     0  493M   0% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs     493M     0  493M   0% /sys/fs/cgroup
tmpfs          tmpfs      99M     0   99M   0% /run/user/1000
davidyin@localhost:~$

The VPS will run into problems when the disk is 100% full.

So it is very important to keep disk usage in a healthy range. Clean up files when usage is growing too fast or is close to 85% or 90%.

Look at the log files. For example, the web site error log, the web site access log, and the security log files.
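The 85% and 90% marks above can be checked automatically. The following is an added example, not part of the original post: it reads `df -P` output on stdin and reports each filesystem at or above either mark. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# check_disk_usage [WARN_PCT] [CRIT_PCT]
# Reads `df -P` output on stdin; prints one line per filesystem at or above
# the warning mark. Defaults follow the 85% / 90% marks named in the post.
check_disk_usage() {
    warn=${1:-85}
    crit=${2:-90}
    awk -v warn="$warn" -v crit="$crit" '
        NR == 1 { next }                      # skip the header row
        {
            pct = $5
            sub(/%$/, "", pct)                # "51%" -> 51
            mount = $6                        # re-join mount points with spaces
            for (i = 7; i <= NF; i++) mount = mount " " $i
            if (pct + 0 >= crit)      print "CRITICAL", mount, pct "%"
            else if (pct + 0 >= warn) print "WARNING", mount, pct "%"
        }'
}

# Constructed sample in `df -P` layout (not taken from a real server).
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
udev                473000        0    473000       0% /dev
/dev/sda          25000000 22800000   2200000      92% /
/dev/sdb          10000000  8600000   1400000      86% /var/log
tmpfs               101000     7000     94000       8% /run'

printf '%s\n' "$SAMPLE_DF" | check_disk_usage 85 90
# On a live system: df -P | check_disk_usage 85 90
```

Run from cron, any output from this function is a signal to go and look at the log directories before the disk fills up.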

How to take a webpage screenshot at terminal window

The scenario is to run the program inside an Ubuntu VPS: input a URL and the program outputs a jpg file.

The solution is to use wkhtmltoimage, which is part of wkhtmltopdf.

I used to use the old version, wkhtmltopdf v0.12.3. Now it is not working anymore for some reason I don’t know.

But wkhtmltopdf v0.12.5 is OK.

The OS is Ubuntu 18.04.

Then I installed wkhtmltopdf with the following commands:

sudo apt-get install -y software-properties-common
sudo apt-add-repository -y "deb http://security.ubuntu.com/ubuntu xenial-security main" 
sudo apt-get -yq update
sudo apt-get install -y libxrender1 libfontconfig1 libx11-dev libjpeg62 libxtst6 fontconfig xfonts-75dpi xfonts-base libpng12-0 libjpeg-turbo8
wget "https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox_0.12.5-1.xenial_amd64.deb" 
sudo dpkg -i wkhtmltox_0.12.5-1.xenial_amd64.deb 
sudo apt-get -f install

After installation, run the command to show the help of the program.


Use GoAccess to Generate Report with Multiple Nginx Log Files

I have a VPS with Nginx as a web server and also a lot of web sites on it. It is on Digital Ocean.

Here is the VPS basic information.

  • SFO2
  • 1GB Nanode
  • Ubuntu Linux 18.04.2
  • Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz, 1 cores
  • Nginx 1.15.9

All sites use one access.log file. The following code is in the http block of /etc/nginx/nginx.conf file.

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

All access logs look like below:

Now it is time to show you how to use GoAccess to Generate Report with Multiple Nginx Log files.

Install GoAccess

sudo apt-get install goaccess

Modify the Config file of GoAccess

The GoAccess config file is located in /etc/.

sudo nano /etc/goaccess.conf

Add the following lines to goaccess.conf, or modify the existing ones.

time-format %H:%M:%S

date-format %d/%b/%Y

log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"

Run GoAccess to generate the report

I would like to get a static report.

sudo goaccess /var/log/nginx/access.log -o /home/davidyin/mywebsite.com/report.html --log-format=COMBINED

The report looks like below:

The log is not just one file, though. The log files are generated by date and also compressed.

Two log files are not compressed.

  • access.log
  • access.log.1

The older log files are compressed.

  • access.log.2.gz
  • access.log.3.gz
  • access.log.4.gz
  • access.log.5.gz

I want the report to cover all the access log files, so the command is changed to one that can parse multiple log files.

zcat /var/log/nginx/access.log.*.gz | goaccess /var/log/nginx/access.log /var/log/nginx/access.log.1 - -o /home/davidyin/mywebsite.com/report.html --log-format=COMBINED

The sample command above uses mywebsite.com. Please replace it with your own site.

Finally, I added this command to my cron jobs, scheduled to run every hour.

Renew the SSL Certificate for Yinfor.com

I just renewed the SSL certificate. The cheapest DV SSL certificate I found is from GoGetSSL.com.

I paid by PayPal. The price is so good. US$7.90 for two years. Comodo PositiveSSL.

After I installed the certificate on my blog, I checked it by clicking on the lock icon in the address bar. It is not shown as Comodo, but as Sectigo.

Look at the old certificate.

Details of certificates


PHP Benchmark of php 7.1, php7.2, php7.3 and even php5.6

Here I run the PHP benchmark script on my Virtualbox guest OS Ubuntu 16.04.

I tested every version of PHP 7 times, dropped the highest and the lowest scores, and took the average of the remaining five.

php5.6.39
The average is 5.13 seconds.

--------------------------------------
|        PHP BENCHMARK SCRIPT        |
--------------------------------------
Start : 2018-12-20 17:49:49
Server : t.g2list.win@192.168.1.120
PHP version : 5.6.39-1+ubuntu16.04.1+deb.sury.org+1
Platform : Linux
--------------------------------------
test_math                 : 1.523 sec.
test_stringmanipulation   : 1.594 sec.
test_loops                : 1.147 sec.
test_ifelse               : 0.808 sec.
--------------------------------------
Total time:               : 5.072 sec.

php 7.1.25
The average is 1.859 seconds.

--------------------------------------
|        PHP BENCHMARK SCRIPT        |
--------------------------------------
Start : 2018-12-20 17:41:51
Server : t.g2list.win@192.168.1.120
PHP version : 7.1.25-1+ubuntu16.04.1+deb.sury.org+1
Platform : Linux
--------------------------------------
test_ifelse               : 0.517 sec.
test_loops                : 0.378 sec.
test_stringmanipulation   : 0.561 sec.
test_math                 : 0.389 sec.
--------------------------------------
Total time:               : 1.845 sec.

php7.2
The average is 1.286 seconds.

--------------------------------------
|        PHP BENCHMARK SCRIPT        |
--------------------------------------
Start : 2018-12-20 17:44:37
Server : t.g2list.win@192.168.1.120
PHP version : 7.2.13-1+ubuntu16.04.1+deb.sury.org+1
Platform : Linux
--------------------------------------
test_ifelse               : 0.164 sec.
test_loops                : 0.274 sec.
test_stringmanipulation   : 0.495 sec.
test_math                 : 0.336 sec.
--------------------------------------
Total time:               : 1.269 sec.

php7.3
The average is 1.31 seconds.

--------------------------------------
|        PHP BENCHMARK SCRIPT        |
--------------------------------------
Start : 2018-12-20 17:47:16
Server : t.g2list.win@192.168.1.120
PHP version : 7.3.0-1+ubuntu16.04.1+deb.sury.org+1
Platform : Linux
--------------------------------------
test_ifelse               : 0.181 sec.
test_loops                : 0.350 sec.
test_stringmanipulation   : 0.469 sec.
test_math                 : 0.323 sec.
--------------------------------------
Total time:               : 1.323 sec.

I do have to say that the tests I ran are not good enough. They don’t test all the PHP features. Actually, they cover just a very small part of them.
If you count the database, memory usage, etc., the answer will be quite different.

How to pass the Real IP Address of client to Nginx Server

I use Nginx as the reverse proxy. Here is the scenario.

The original server is Server A. The reverse proxy is Server B. Web users browse the website through Server B.

The web log of Server A only records the IP address of Server B. All users share one remote address, that of Server B.

To pass the real IP address of the client to the web server, Server A:

  1. Set up on Server B.
    Let Server B add the X-Forwarded-For header to the request. It carries the real IP of the user.
  2. Set up on Server A.
    Add the following to the Nginx server block:

    set_real_ip_from IP_Address_of_Server_B;
    real_ip_header X-Forwarded-For;
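The reason set_real_ip_from names only Server B is that X-Forwarded-For is an ordinary request header that any client can send. The following is an added example, not part of the original post: a small shell model of how Server A chooses the logged address with these two directives and real_ip_recursive at its default (off). The function name and all addresses are constructed; matching is by exact IP only, without CIDR ranges.

```shell
#!/bin/sh
# effective_client_ip REMOTE_ADDR XFF_HEADER TRUSTED_PROXY...
# REMOTE_ADDR is the peer address of the TCP connection seen by Server A.
effective_client_ip() {
    remote_addr=$1
    xff=$2
    shift 2
    for proxy in "$@"; do
        if [ "$remote_addr" = "$proxy" ] && [ -n "$xff" ]; then
            # Trusted peer: use the LAST address in the header, the one the
            # proxy itself wrote, and ignore anything listed before it.
            last=${xff##*,}
            printf '%s\n' "$last" | tr -d ' \t'
            return 0
        fi
    done
    # Untrusted peer: the header is ignored and the socket address is kept.
    printf '%s\n' "$remote_addr"
}

# Constructed addresses from the documentation ranges (assumptions).
SERVER_B=203.0.113.10
CLIENT=198.51.100.7

# 1. Normal request relayed by Server B.
effective_client_ip "$SERVER_B" "$CLIENT" "$SERVER_B"
# 2. The client sent its own X-Forwarded-For and Server B appended the
#    address it saw (as $proxy_add_x_forwarded_for does).
effective_client_ip "$SERVER_B" "10.1.1.1, $CLIENT" "$SERVER_B"
# 3. A request that reached Server A directly with a self-supplied header.
effective_client_ip 192.0.2.50 "10.1.1.1" "$SERVER_B"
```

Cases 2 and 3 show that a self-supplied header value never reaches the log of Server A as long as only Server B is listed as trusted.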

 


How to use GeoIP database to block a country in Nginx

First I need to make sure my Nginx has the geoip module.

Check it by entering the command below.


nginx -V

My Nginx showed the results below.

nginx version: nginx/1.14.1
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-urYIzg/nginx-1.14.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-echo --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-urYIzg/nginx-1.14.1/debian/modules/http-subs-filter

I found --with-http_geoip_module=dynamic

It is cool, I have the geoip module with my Nginx installation.

Second, I need the GeoIP country database.

Here is the official site to download the database.

I use the commands in my terminal window.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

sudo mkdir /etc/nginx/geoip

sudo cp GeoIP.dat /etc/nginx/geoip


Untrack files already added to git repository based on .gitignore

Some files were added to your git repository before you created the .gitignore file, so they are already in the repo. Even if you put the file name into .gitignore, it is still there. Every time you change this file, it will be there.

How to remove it?

Step 1: Commit all your changes.

This is the first step. Check your git status and commit all your changes, including the .gitignore file.

Step 2: Remove everything from the repository

This is the clean-up. Enter the following command:

git rm -r --cached .
  • rm is the remove command
  • -r  is an option to allow recursive removal
  • --cached will only remove files from the index. Your files will still be there, untouched.
  • The . indicates that all files will be untracked.

Step 3: Add everything now

git add .

Step 4: Commit

git commit -m ".gitignore fix"

Step 5: Push

git push 

Then your repository is as clean as you expect.

How to get a perfect SSL Labs score

It is easy to get an A+ on your website. But it is a little bit hard to get all four parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to 100%.

Most of the time, I got an A+ rating for my site. For the individual scores, the last two are 90%.

Let me break it down.

Certificate

It is pretty easy to get 100% here.

  • Make sure your certificate, intermediate certificate and CA are in the correct order.
  • Don’t use SHA1 for the signature algorithm. Use SHA256 instead. Actually, all major CAs use SHA256 now.
  • Use a trusted CA. Do not use WoSign or StartCom.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to just use TLS 1.2.

 

Key Exchange

Generate strong DHE (Ephemeral Diffie-Hellman) parameters.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

That is not enough. Add the following to the Nginx settings.

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I just use 256 bit cipher suites.

 

Here is a test site, I tried it today, 2018-08-11. It is A+ with four 100% scores.

Here is the most important part of Nginx config file. I put them all together.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

 

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

resolver 8.8.8.8;
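To keep a config from drifting away from these settings, it can be checked against the scoring rules listed in this post. The following is an added example, not part of the original post: it reads Nginx directives on stdin and reports protocols the post scores below 100%, ciphers that are not 256-bit (recognised by name, AES256 or CHACHA20), and a curve other than secp384r1. The function name and the weaker sample config are constructed.

```shell
#!/bin/sh
# audit_tls_conf: read nginx directives on stdin, print one finding per line.
# No output means the config matches the rules described in the post.
audit_tls_conf() {
    awk -v q="'" '
        { sub(/#.*/, ""); gsub("[;" q "]", " ") }   # drop comments, ";" and quotes
        $1 == "ssl_protocols" {
            # Protocols the post lists with a score below 100%.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "protocol scores below 100%: " $i
        }
        $1 == "ssl_ciphers" {
            n = split($2, c, ":")
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^!/ && c[i] !~ /AES256|CHACHA20/)
                    print "cipher is not 256-bit: " c[i]
        }
        $1 == "ssl_ecdh_curve" { curve = $2 }
        END { if (curve != "secp384r1") print "ssl_ecdh_curve is not secp384r1" }
    '
}

# The protocol, cipher and curve settings from the post.
CONF_POST="ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_ecdh_curve secp384r1;"

# Constructed weaker config for comparison (not from the post).
CONF_WEAK="ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve prime256v1;"

printf '%s\n' "$CONF_WEAK" | audit_tls_conf
# On a live server: audit_tls_conf < /etc/nginx/nginx.conf
```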

Ubuntu 17.10 (Artful Aardvark) End of Life reached on July 19 2018

Today I received the email regarding the end of life of Ubuntu 17.10. It reaches end of life on July 19, 2018, which is today.
If you are still using Ubuntu 17.10, you had better upgrade to Ubuntu 18.04.

This is a follow-up to the End of Life warning sent earlier this month
to confirm that as of today (July 19, 2018), Ubuntu 17.10 is no longer
supported. No more package updates will be accepted to 17.10, and
it will be archived to old-releases.ubuntu.com in the coming weeks.

The original End of Life warning follows, with upgrade instructions:

Ubuntu announced its 17.10 (Artful Aardvark) release almost 9 months
ago, on October 19, 2017. As a non-LTS release, 17.10 has a 9-month
support cycle and, as such, the support period is now nearing its
end and Ubuntu 17.10 will reach end of life on Thursday, July 19th.

At that time, Ubuntu Security Notices will no longer include
information or updated packages for Ubuntu 17.10.

The supported upgrade path from Ubuntu 17.10 is via Ubuntu 18.04.
Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/BionicUpgrades

Ubuntu 18.04 continues to be actively supported with security updates
and select high-impact bug fixes. Announcements of security updates
for Ubuntu releases are sent to the ubuntu-security-announce mailing
list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad
