Helion-Prime Solutions blog

Use https securely

vasiliy.kiryanov — Thu, 07 Jun 2012 12:23:35 +0000

preamble

Nowadays everyone understands how easy to hijack unsecured http session. So, https is the key for secure web. Sometime people don’t use https for small project due to price of certificates, http://www.startssl.com/ solves this problem, they give (Class 1) certificates for free, and verified (Class 2) have ridiculous cost. Therefore the only problem is errors of https usage.

keep cookie safe

The cookie can be stolen before redirect to https, to avoid cookie theft you need to use ‘Secure’ flag. It instructs browser to send cookie only thru https connection.

Set-Cookie: mycookie=somevalue; path=/securesite/; Expires=12/12/2345; Secure;

make correct redirect

When certificate is adjusted for usage with application server you need to redirect users from http://mysite.com to https://mysite.com. The redirect opens vulnerability as an attack can be performed before redirect.

The HTTP/1.1 specification (rfc2616) informs us that http responsе codes 301 (“moved permanently”) и 302 (“found”/”moved temporarily”) can be cashed by browser. So by using of Expires or Cache-Control max-age with big expiration dates we can avoid redirects.

Expires: Mon, 01 Jan 2099 00:00:00 GMT

Another idea is usage of Strict-Transport-Security header. It informs browser that website accessible only thru https. All http quires will be rewritten on client-side by browser.

Strict-Transport-Security: max-age=31556926;

It tells browser that support Strict-Transport-Securityto use only https for particular site during 1 year. At this time Firefox and Chrome support it, Opera waits till this standard change type to ‘agreed’ or ‘established’.

don’t mix content

You should ensure that you don’t use content from http sites. Often people forget that they use CDN to load libraries or Google analytics. So check for each http entry on your site and change it to https.

nginx setup for t-wiki

vasiliy.kiryanov — Sat, 17 Mar 2012 14:45:09 +0000

preamble

I will start it fast, you know that nginx is cool due to it faster than apache, and you know that t-wiki is good due to it is open-source enterprise wiki used by number of Fortune 500 companies. But you should also know that t-wiki is perl application.

“Perl – The only language that looks the same before and after RSA encryption.”
Keith Bostic

nginx setup

T-wiki developers don’t believe in power of nginx, it’s the only idea that come to my mind when I think why they have number of apache examples and even web-based apache configuration but nothing for nginx. Quick search in google shows that common question is “t-wiki perl scripts don’t have extensions. How to execute them with nginx?”

So, the only way is to read documenation.

list of docs to look into:
http://wiki.nginx.org/Configuration
http://wiki.nginx.org/HttpCoreModule
http://wiki.nginx.org/Pitfalls (try it for sure)

nginx config file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

server {
listen my_ip:80;
server_name my_servername.com www.my_servername.com;

access_log /var/log/nginx/my_servername.com.access.log;

location /wiki/pub {
root /var/www;
}

location = /wiki/bin/configure {
root /var/www;
allow my_ip;
deny all;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
}

location ~ /wiki/bin/(?[a-z]+)(\/(?.*))?$ {
root /var/www;

fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_param SCRIPT_FILENAME $document_root/wiki/bin/$action;
fastcgi_param SCRIPT_NAME $action;

#identifies the resource to be returned by the CGI script,
#and is derived from the portion of the URI path hierarchy following
#the part that identifies the script itself.
fastcgi_param PATH_INFO /$path;

#virtual-to-physical translation appropriate to map it onto the
#server's document repository structure
fastcgi_param PATH_TRANSLATED $document_root/wiki/bin/$action;

include /etc/nginx/fastcgi_params;
}

location ~ /wiki/(^/lib|^/data|^/locale|^/templates|^/tools|^/work) {
deny all;
}

location = /favicon.ico {
access_log off;
log_not_found off;
}
}

devenv – development environment

vasiliy.kiryanov — Sun, 20 Nov 2011 12:12:41 +0000

It’s quite common when developers share information about environment, libraries or tools that they use. And it should be work practice for every good software engineer, manager or architect to constantly evaluate new technologies, ideas, fraimworks, etc.

As software development director I always look into new things and want to share my current understanding of important things in Java and Ruby development, architecture design, and performance.

All the companies are telling us that they are developing the best products to support the development of the software but we will rely on a variety of awards, and statistics of usage whenever possible + my experience. This does not mean it will be possible to do without investing your own time but will hopefully make this job a little easier. I will be glad to get your thoughts, critics, and information about things that empower your IT development process.

So, welcome: http://devenv.in

How to finish with differences in renders of HTML in browsers

vasiliy.kiryanov — Thu, 18 Aug 2011 14:12:16 +0000

preamble

When there is no standard there is no same approach for same things and we have chaos.
But we have standards for HTML and CSS, we can find them all on W3C pages http://www.w3.org/MarkUp/ and http://www.w3.org/Style/CSS/.
And still we hear from users “Why does my website look different on different browsers?” or “I want to kill developers of Internet explorer” from web-developers.

complexity of standards

First problem is the complexity of standards that should take into account many different things. It’s hard for developers to understand and develop products appropriately.
As W3C can’t simplify standards it should put special effort to develop and provide special set of test-cases like famous set of Acid tests but it should provides not just set of randomly picked features but complete cover of specifications – XHTML, CSS, DOM, SVG. There will be standard way to test browsers and someday we will finally have same picture on all browsers.

human nature

The problem not only in the standards but in human nature that incite some people to use evolving versions of HTML/CSS to get fantastic features. But I believe when W3C begins to provide tests it will be evident for anyone that developer is guilty for bugs or using of experimental features.

Improvement of Google Ads

vasiliy.kiryanov — Fri, 24 Jun 2011 14:28:29 +0000

We all know that Google generates profit primarily from its advertising programs. So keeping them effective is very important but difficult task as users tend to ignore advertisement and use special plug-ins for browsers to block it.

The key here is to make Ads more attractive using information about users, as people say today make them more social. It’s clear that for Social networks like Facebook it is much easier to collect such data then for search engine that can only remember history of your searches and detect your current location.

the straightforward solution

Ask users to provide data and setup Ads they want to see!

After users click “Select Ads you want to see” they see simple Ads dashboard:

When users can select useful content there are no reasons for them to block it or ignore, Google can reduce amount places for Ads (like recent bottom place in Gmail) and decries distraction even more. Additionally Google can add Google offers here and turn Ads into some kind of fun.