En-tête HTTP X-Robots-Tag
▻http://robots-txt.com/x-robots-tag
les en-têtes HTTP X-Robots-Tag pour empêcher l’indexation de pages web
(pour vérification de ces en-têtes, cf l’extension Firefox ▻https://addons.mozilla.org/fr/firefox/addon/http-header-spy par ex)
A lot of recent articles about the #DoH (#DNS over #HTTPS) security protocol. Read carefully, there is a lot of bad faith, too.
A set of Internet actors wrote to the US congress to complain that activation of DoH by Google may deprive them of the spying and manipulation they’re used to ▻https://www.ncta.com/sites/default/files/2019-09/Final%20DOH%20LETTER%209-19-19.pdf
Summary of the issue in the Wall Street Journal ▻https://www.wsj.com/articles/google-draws-house-antitrust-scrutiny-of-internet-protocol-11569765637 (paywall, note how the Akamai spokeperson clearly states that they monitor DNS requests and want to continue to do so).
▻https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new-chrome-feature-will-stop-them-from-spying-on-you (one of the few articles that do not copy blindly the discourse of the Internet operators and ISPs)
▻https://www.cnet.com/news/google-reportedly-under-antitrust-scrutiny-for-new-internet-protocol (based on the Wall Street Journal article, with a nice addition “cable and wireless companies being cut off from much of users’ valuable DNS surfing data”, which spills the beans.)
▻https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups (#EFF opinion, with a strange idea “EFF is calling for widespread deployment of DNS over HTTPS support by Internet service providers themselves”, so asking DoH support by the very entities that you do not fully trust.)
Sécurité : Contrebande de #HTTP, Apache Traffic Server
▻https://makina-corpus.com/blog/metier/2018/securite-contrebande-de-http-apache-traffic-server
Détails de la CVE CVE-2018-8004 (Août 2018 - Apache Traffic Server).
How to Enable DNS-over-HTTPS (DoH) in Mozilla Firefox
▻https://www.trishtech.com/2018/08/how-to-enable-dns-over-https-doh-in-mozilla-firefox
How to Enable DNS-over-HTTPS (DoH) in Mozilla Firefox
Posted onAugust 8, 2018AuthorTrishaLeave a comment
When you visit a website, the web browser first translates the domain name (such as yahoo.com) to the IP address using the DNS server configured in your operating system. We actually offer a free tool Public DNS Server Tool that helps you quickly configure your Windows system to use one of the publicly available DNS servers.
But now Firefox browser (starting from version 62) has come up with a new feature called Trusted Recursive Resolver (TRR) which sets Firefox to use a secure DNS server of its own. For this feature, all the DNS resolution requests are sent over HTTPS and this is why only a DNS over HTTPS (DoH) complaint server can be used for this feature.
Here is how you can enable DoH in Firefox browser:
Type about:config in the address bar and press Enter.
When warning appears, click on the I accept the risk button.
In the search box type trr to find the settings we want.
#dns #DoH #dnsoverhttps #https
How to enable #HTTP/2 support in #Apache
Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2.To fix this, select a different MPM: event or worker. We highly recommend you to use the event prefork.
If you are using PHP, it is likely that PHP is integrated to Apache via the mod_php module, which requires the prefork MPM. If you switch out from preform MPM, you will need to use PHP as FastCGI. To switch to php-fpm, you can do as folllwing.
▻https://http2.pro/doc/Apache#prefork-http2
▻https://httpd.apache.org/docs/2.4/fr/howto/http2.html#mpm-config
Sur debian stretch ça donne ça (si on avait activé mpm_prefork alors que mpm_event est bien celui proposé par défaut) :
apt install php-fpm
a2enmod proxy_fcgi setenvif
a2enconf php7.0-fpm
a2dismod php7.0
a2dismod mpm_prefork
a2enmod mpm_event
service apache2 restart
apt purge libapache2-mod-php
Dans la foulée, deux liens à propos de l’optimisation de #php-fpm :
Apache2 and php fpm performance optimization — Step-by-step guide
▻https://medium.com/@sbuckpesch/apache2-and-php-fpm-performance-optimization-step-by-step-guide-1bfecf161534
If you consistently see a large number of idle workers, you may want to lower your MinSpareServers (for the prefork MPM) or MinSpareThreads (for the worker and event MPMs) setting so that you are not sustaining a higher number of processes or threads than necessary to process your rate of traffic. Maintaining more processes or threads than you actually need will unncessarily exhaust system resources.
▻https://www.datadoghq.com/blog/monitoring-apache-web-server-performance
Toujours à propos de #php-fpm, et de l’intérêt de basculer le process manager de dynamic (valeur par défaut) vers autre ondemand ou static.
Certaines personnes recommandent d’utiliser ondemand pour ne pas avoir de process php en idle quand il n’y a pas de trafic :
Dans mon cas j’ai 10 processus qui tournent en permanence, même si aucun de mes sites n’est visité.
▻https://www.guillaume-leduc.fr/une-autre-facon-dutiliser-php-fpm.html
If you’re working on a high performance PHP setup, the ’ondemand’ PM may not be for you. In that case, it’s wise to pre-fork your PHP-FPM processes up to the maximum your server can handle. That way, all your processes are ready to serve your requests without needing to be spawned first. However, for 90% of the sites out there, the ondemand PHP-FPM configuration is better than either static or dynamic.
▻https://community.webcore.cloud/tutorials/php_fpm_ondemand_process_manager_vs_dynamic
Mais comme indiqué ci-dessus, ça n’est pas forcément mieux car le process manager va devoir spawner des process alors que des process en idle permettent une réaction plus rapide en cas de pic de trafic :
Idle process stay online waiting for traffic spikes and responding immediately, rather than having to wait on the pm to spawn children and then kill them off after x pm.process_idle_timeout expires...
The common advice is to use pm ondemand, as is the advice in this same support thread. However, that’s even worse, because ondemand will shutdown idle processes right down to 0 when there’s little to no traffic and then you’ll end up with just as much overhead issues as traffic fluctuates.
▻https://haydenjames.io/php-fpm-tuning-using-pm-static-max-performance
Mais...
PM dynamic and especially ondemand can be save you however, when you have multiple PHP-FPM pools. For example, hosting multiple cPanel accounts or multiple websites under different pools. I have a server for example with 100+ cpanel accounts and about 200+ domains and it would be impossible for pm.static or even dynamic to perform well. Only ondemand performs well since more than two third’s of the websites receive little to no traffic and with ondemand it means all children will be shutdown saving tons of server memory!
When it comes to PHP-FPM, once you start to serve serious traffic, ondemand and dynamic process managers for PHP-FPM can limit throughput because of the inherent overhead. Know your system and set your PHP-FPM processes to match your server’s max capacity. Start with pm.max_children set based on max usage of pm dynamic or ondemand and then increase to the point where memory and CPU can process without becoming overwhelmed. You will notice that with pm static, because you keep everything sitting in memory, traffic spikes over time cause less spikes to CPU and your server’s load and CPU averages will be smoother. The average size of your PHP-FPM process will vary per web server requiring manual tuning, thus why the more automated overhead process managers – dynamic and ondemand – are more popular recommendations.
Grosso merdo, il semble que dynamic peut faire le job quand on ne veut pas trop se prendre la tête, ondemand quand on sait à quoi s’attendre et qu’on est juste en mémoire (ou pour du dev), et static quand on veut faire du tuning précis.
Un bon résumé :
In dynamic type, the number of child processes is set dynamically based on the PHP-FPM parameters in conf file. But it is a bit memory-intensive type.
In static type, the number of child processes is fixed by pm.max_children parameter, but this type is not flexible for a server with changing web traffic. It also consumes too much memory.
In ondemand type, the PHP-FPM processes are spawned only on demand, based on the traffic. This type helps to manage varying traffic in memory restrained servers. But the overhead increases when there is so much traffic fluctuation.
▻https://bobcares.com/blog/php-fpm-tuning-high-load
Bref, comme souvent il n’y a pas de recette unique/magique :p
Et vous les gens, vous utilisez quoi ?
Contrebande de #HTTP (HTTP Smuggling) : Jetty
▻https://makina-corpus.com/blog/metier/2019/contrebande-de-http-http-smuggling-jetty
Détails des failles CVE-2017-7658, CVE-2017-7657 et CVE-2017-7656 (failles publiées le 2018-06-27)
Top 5 réducteurs de liens pour raccourcir vos URLs
▻http://ton-hebergement-gratuit.com/top-5-des-reducteurs-de-liens
Guzzle, PHP HTTP client — Guzzle Documentation
▻http://docs.guzzlephp.org/en/stable
Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and trivial to integrate with web services.
– Simple interface for building query strings, POST requests, streaming large uploads, streaming large downloads, using HTTP cookies, uploading JSON data, etc...
– Can send both synchronous and asynchronous requests using the same interface.
– Abstracts away the underlying HTTP transport, allowing you to write environment and transport agnostic code; i.e., no hard dependency on cURL, PHP streams, sockets, or non-blocking event loops.
(en relation avec le ticket ▻https://core.spip.net/issues/3973 de SPIP)
What are HTTP cookies?
▻https://hackernoon.com/what-are-http-cookies-91359fd798b2?source=rss----3a8144eabfe3---4
Open your wallet. See a cookie in there? I do.Cookies are a way for a website to store information in your browser.gift idea for the web enthusiast in your lifeCookies in my wallet?? ?Yes, your ID is like a cookie! ?The government (issuer) provides an ID (cookie) that you store in your wallet (web browser’s storage) and take with you everywhere you go (the world is your web browser/oyster).Your ID can be used to board an airplane (request): the TSA agent will verify the validity of your ID to ensure it was provided by the government (issuer) and wasn’t forged or altered (authorization tokens are verified for validity/alteration as well). They’ll ensure you match the picture in the ID and that the name matches the ticket (authentication — “who you are”), if there are no issues you’ll be allowed (...)
#http-cookie #browsers #what-are-http-cookies #javascript #what-are-cookies
Standardizing HTTP API testing
▻https://hackernoon.com/standardizing-http-api-testing-cc7e513d4823?source=rss----3a8144eabfe3--
This blog post is actually a draft for a standard operating procedure for my software development and consulting business. I’ve come across the task of writing tests for HTTP APIs for three or four times in the last couple of months. I’ve tried multiple ways of writing automated tests and this is the method I’ve converged on. #typescript, #jest, and supertest appear to work well together and are sufficient to implement concise tests.Background and the need for standardizationYears ago most of my programming for the web was limited to PHP. Tests on those project were done by using PHPUnit and Guzzle. Later we also used Behat for more readable tests. After Docker became popular the PHP monolith evolved into an application built with multiple programming languages. Some small services are now (...)
Ce que peut faire votre Fournisseur d’Accès à l’Internet
►https://framablog.org/2018/11/29/ce-que-peut-faire-votre-fournisseur-dacces-a-linternet
Nous sommes ravis et honorés d’accueillir Stéphane Bortzmeyer qui allie une compétence de haut niveau sur des questions assez techniques et une intéressante capacité à rendre assez claires des choses complexes. Nous le remercions de nous expliquer dans cet article … Lire la suite
#Claviers_invités #G.A.F.A.M. #Internet_et_société #Chiffrement #FAI #FFDN #GAFA #https #Internet #neutralité #Réseau #RFC #Snowden #Surveillance
RFC 8484 : DNS Queries over HTTPS (DoH)
Voici un nouveau moyen d’envoyer des requêtes #DNS, #DoH (DNS over #HTTPS). Requêtes et réponses, au lieu de voyager directement sur UDP ou TCP sont encapsulées dans HTTP, plus exactement HTTPS. Le but ? Il s’agit essentiellement de contourner la #censure, en fournissant un canal sécurisé avec un serveur supposé digne de confiance. Et le chiffrement sert également à préserver la vie privée du client. Toutes ces fonctions pourraient être assurées en mettant le DNS sur #TLS (RFC 7858) mais DoH augmente les chances de succès puisque le trafic HTTPS est rarement bloqué par les pare-feux, alors que le port 853 utilisé par DNS-sur-TLS peut être inaccessible, vu le nombre de violations de la neutralité du réseau. DoH marque donc une nouvelle étape dans la transition vers un Internet « port 443 seulement ».
#RFC
HTTP/2 n’est pas le futur. C’est le présent. | Blog Eleven Labs
▻https://blog.eleven-labs.com/fr/http2-nest-pas-le-futur-cest-le-present
Une introduction à HTTP/2
En complément : la doc de mod_http2 d’Apache : ▻https://httpd.apache.org/docs/2.4/mod/mod_http2.html
Sécurité #HTTP : Apache Traffic Server - Contrebande de HTTP
▻https://makina-corpus.com/blog/metier/2018/securite-http-apache-traffic-server-contrebande-de-http
Plusieurs correctifs de sécurité viennent d’êtres appliqués dans les version 6 et 7 de Apache Traffic Server (ATS). Ces correctifs viennent corriger des failles découvertes grâce à nos recherches sur la contrebande HTTP.
RFC 8446 : The Transport Layer Security (TLS) Protocol Version 1.3
Après un très long processus, et d’innombrables polémiques, la nouvelle version du protocole de #cryptographie #TLS, la 1.3, est enfin publiée. Les changements sont nombreux et, à bien des égards, il s’agit d’un nouveau protocole (l’ancien était décrit dans le RFC 5246, que notre nouveau #RFC remplace).
Contrebande de #HTTP (Smuggling) : Load Balancer Apsis Pound
▻https://makina-corpus.com/blog/metier/2018/contrebande-de-http-smuggling-load-balancer-apsis-pound
Détails de la faille CVE-2016-10711 (faille publiée en février 2018)
Monitor your #https certificate expiry with this script
▻https://hackernoon.com/monitor-your-https-certificate-expiry-with-this-script-1338bf5acfe9?sour
Last year’s new years eve, I got a call from my client. They said their website was infected by a virus and no one can access it.Now, my client runs a juice shop, and had no idea about how the web technically works, so I discarded the “virus” issue but he said site can’t be accessed so I fired up Firefox in my phone and I saw the Your connection is not secure page.Ever since Let’s Encrypt came out of beta, I’ve used it to convert all my and my clients’ sites to secure connections via HTTPS. I had set up a cron as instructed by certbot to renew the certificates regularly, but it used to fail every once in a while because I didn’t update the python packages, or something like that. Let’s Encrypt is kind enough to send a mail before expiring, but initial installations were done by an employee.Since (...)
#lets-encrypt #https-certificate-expiry #ssl-certificate #https-certificate-script
Content Security Policy CSP Reference & Examples
▻https://content-security-policy.com
Site de référence pour les HTTP Headers « Content Security Policy » (CSP)
Voir aussi :
– des explications plus complètes : ▻https://www.html5rocks.com/en/tutorials/security/content-security-policy
– un outil de test : ▻https://observatory.mozilla.org
– un autre outil de test (permet de choisir la version de CSP) : ▻https://csp-evaluator.withgoogle.com
– un exemple commenté : ▻https://hacks.mozilla.org/2016/02/implementing-content-security-policy
Déja sur seenthis :
– ▻https://seenthis.net/messages/522624#message523937
– ►https://seenthis.net/messages/523919
Cross-origin resource sharing (CORS) - HTTP | MDN
▻https://developer.mozilla.org/fr/docs/Web/HTTP/CORS
Le « Cross-origin resource sharing » (CORS) ou « partage des ressources entre origines multiples » (en français, moins usité) est un mécanisme qui consiste à ajouter des en-têtes HTTP afin de permettre à un agent utilisateur d’accéder à des ressources d’un serveur situé sur une autre origine que le site courant.
Anomalie #4097 : bug HTTPS dans la fonction url_de_base() sur certains serveurs mal configurés - SPIP - SPIP Core (Forge de développement)
▻https://core.spip.net/issues/4097
le contournement nécessaire dans mes_options.php pour les serveurs mal configurés ($_SERVER[’HTTPS’] et $_SERVER["SCRIPT_URI"] absents ou faux)
HTTP Status Codes you probably haven’t heard of
▻https://hackernoon.com/http-status-codes-you-probably-havent-heard-of-edf780a9f391?source=rss--
And might not often see in the wild.A colleague of mine stumbled upon a HTTP status code that the team wasn’t sure of: 207. When I took a look I stumbled across a few others I hadn’t really been made aware of throughout my 4 year developer career.Lets go through some interesting codes…207: Multi-StatusA status code sent to represent information about multiple resources where appropriate.Imagine you have an aggregation layer that might make calls against multiple APIs to collate & process the data and return a JSON payload. If one of the calls succeeds and several others fail what’s the #api to do?It’s not a 4xx, the resource was found; it’s not a 300, there’s no redirect; it’s not a 5xx, the aggregation server didn’t fail to handle something and explode so it’s technically a 200 in the eyes (...)
Divide and Govern : How We Implemented Session Separation at Mail.Ru portal
▻https://hackernoon.com/divide-and-govern-how-we-implemented-session-separation-at-mail-ru-porta
In the beginning…Mail.Ru is a gigantic portal created more than 15 years ago. Since then we have evolved from a minor web project to the most visited Runet site online. The portal comprises an enormous number of services, each with its own story and separate team of developers, who had to do their utmost to make sure all projects (new, old and those joining the portal as it evolved) shared a single user #authentication system. Then after many years we were eventually faced with a task that was almost the opposite: separate user sessions. Why this was necessary, what obstacles tripped us up and how we got around them will be covered in this post. If we take a trip back in time when all our services were part of a single second-level domain and separated into third-level domains, (...)
Türkischer Provider jubelte Kunden Überwachungs-Software unter (h...
▻https://diasp.eu/p/6855609
Türkischer Provider jubelte Kunden Überwachungs-Software unter
#berwachungs #citizenlab #deeppacketinspection #dpi #https #internetzensur #jubelte #kunden #provider #rkischer #software #turkei #uberwachung #unter posted by pod_feeder
GNU Terry Pratchett
▻http://www.gnuterrypratchett.com/index.php
In Terry Pratchett’s Discworld series, the clacks are a series of semaphore towers loosely based on the concept of the telegraph. Invented by an artificer named Robert Dearheart, the towers could send messages “at the speed of light” using standardized codes. Three of these codes are of particular import:
G: send the message on
N: do not log the message
U: turn the message around at the end of the line and send it back again
When Dearheart’s son John died due to an accident while working on a clacks tower, Dearheart inserted John’s name into the overhead of the clacks with a “GNU” in front of it as a way to memorialize his son forever (or for at least as long as the clacks are standing.)
