I don’t know whether the creators of AWS Lightsail were thinking about solar sails or whether they just thought it was a cool name, but doing some work with Lightsail got me thinking.
Category: Web
Matters related to the Web
More Swarm Adventures
I recently went back to refresh my understanding of the state of Docker networking (there’s been some changes over the last few years I wanted to be sure of), and so have been working through the excellent tutorial materials they have built, and spinning off some tutorial materials of my own demonstrating automation of the setups.
For your interest, here’s a Terraform project on AWS that sets up a Docker Swarm to play with – of course in reality we’d use ECS and EKS, but this is a fun exercise in infrastructure-as-code: https://github.com/TheBellman/terraform-aws-swarm
Cross-Account use of AWS CLI
The documentation around using the AWS CLI from an AWS EC2 instance on one account to access resources in another account are not great. The information is all there, somewhere, but it’s scattered across many places and to derive what you need from those sources you have to pretty well read all the sources. Two useful places to begin, but you will need to spiral out from, are:
However, I’ll try to give a summary and simple example here. This won’t include code or detailed instructions to set this up, although I hope to follow this up with a code demonstration expressed in Terraform.
Continue reading “Cross-Account use of AWS CLI”Oh no! The certificate has expired!
Hey kids! You know those SSL certificates you obtained and installed today?
Yeah, put a reminder in your calendar right now for a week before the expiry date, so you don’t get caught out.
Future you will thank you.
OpenSSL on HighSierra
Recently I finally got around to reading the excellent OpenSSL Cookbook from Ivan Risti? – you can grab a free copy via https://www.openssl.org/docs/ – and the first question in my mind was “what version of OpenSSL is already installed on my Mac”. A quick check showed it’s there pre-built in HighSierra in /usr/bin
:
[code lang=text] $ /usr/bin/openssl version LibreSSL 2.2.7 [/code]
TLS 1.3 – It’s like Christmas
Via The Register I see that TLS 1.3 has finally rolled off the standards and committee draft assembly line. This is pretty big news, not least because we’ve been working with the current TLS 1.2 standard for almost a decade, and the defects in it have well and truly been discovered and exploited.
Two-factor in the middle of the night
Wherever possible I have been enabling two-factor authentication and similar protections. Not that I am paranoid, it’s just that I am paranoid. One of these I have had in play for a long time is protection on my Google account. So it’s somewhat comforting to get an unexpected SMS message from Google in the middle of the night sending me an unexpected authorisation code. Because it means whoever just tried to access my account could not.
Lock your doors people. A simple username and password combination, particularly on anything critical, is effectively useless.
SSL Made Easy
Time for a shout-out to DreamHost, who have partnered with LetsEncrypt to make using SSL with this website very, very easy. DreamHost have always aimed to make many actions against the site push-button, with sensible defaults, and clear documentation, and generating and attaching the certificate was a walk in the park.
I was a little surprised to see the certificate expiring so soon, but LetsEncrypt’s rationale is very sound: re-rolling certificates can and should be automated, and limiting the life time of a certificate automatically limits the exposure if the certificate is subverted. It is very much in line with a core idea that they have: the default for HTTP traffic should be across SSL, or in some other way encrypted.
For me, the process was as simple as pushing the buttons on the DreamHost control panel, then do a bulk find-and-replace on my site to update any http links to be https. I will probably have to chase around the interwebs to find where I’ve published the old URL, but I’m pretty sure I’ve found and updated the important ones already.
A man is not dead while his name is still spoken.
Something I have been meaning to do for quite a time is to take up the idea of keeping PTerry’s name alive by adding the X-Clacks-Overhead header to parts of this site. Even if it is only in the overhead:
GNU Terry Pratchett.
CSS3 Oops.
Revising my resumé as part of an overall overhaul of my site, I realised that the presentation on mobile devices was not very good. Fortunately since I last did anything major, CSS3 has become widely implemented, so Media Queries are now an option for degrading onto smaller screens. To my pleasure it did (eventually) just work, but I’m embarrassed to say that I spent a good hour wondering why it was not initially working. It would have helped if I’d remembered that CSS files are read from the top down…
On a side note, I’m quite disappointed in the behaviour of the Safari ‘responsive design mode’. While it does allow quick switching of window size, as far as I can tell apart from tinkering with the user agent string it does not register as a mobile device from the point of view of CSS. I’m hoping to find a better way of designing against mobile, because it’s definitely suboptimal to push changes to a server just so that I can test them on the phone.