The PHP circle: from Apache to Nginx and back

As with many technologies, the PHP community too evolves. And over the last 6 or 7 years, a rather remarkable circle has been made by a lot of systems administrators and PHP developers in that regard. Read more ›

Yet Another Microsoft Windows CVE: Local Privilege Escalation MS14-068

As if the SSL/TLS vulnerability dubbed MS14-066 last week wasn't enough, today Microsoft announced an out-of-band patch for a critical Privilege Escalation bug in all Windows Server systems. This time, Kerberos gets patched.

A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.
Microsoft Security Bulletin MS14-068

On the plus side, it only applies to servers in an Active Directory domain. Standalone Windows Servers shouldn't be vulnerable to this. But there are plenty of domain-controlled Windows servers that do need urgent patching.

Make HTTPerf use a proxy for connections

I like HTTPerf. It's a simple tool for a simple job: start HTTP calls and benchmark a remote system. But the CLI syntax for making it work with proxies is ... cumbersome. So, here's how to get it to work. Read more ›

A Certificate Authority to Encrypt the Entire Web

today announced A Certificate Authority to Encrypt the Entire Web.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS

Completely agree. Especially the cost, since most certificates are automated end-to-end, are in fact nothing more than a few bits and bytes that require no further follow-up, and are still charged at 150$ and more per year.

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds.

First thoughts: great in theory, disaster in practice? It's still based on CAs that need to be "trusted". I thought we were getting past this?

Follow-up: 3 years of automation with Puppet

Yesterday I blogged about my lessons learned after 3 years of using Puppet. In reply, @roidelapluie also posted his list of lessons learned. Coincidentally, also after 3 years. Go figure.

And he touches on topics I didn't think of, but I can only agree on what he said.

Using Puppet does not mean your infrastructure is managed correctly. You need to ask yourself the right questions, because automation is not a goal. Automation brings you a lot of different tools, an overview of your infra, but it will not erase your technical debt. It can even be the opposite.
@roidelapluie

Read the full article at his blog, 3 years of automation with Puppet.

REST API best practices and versioning

This is a short and nice read: Some REST best practices.

I especially like the versioning part, which I've been telling (or trying to tell) people for years. Read more ›

The Chocolatey Kickstarter: Making Windows More Like Linux

Remember when I said Microsoft has an Open Source strategy? Well, this could fit right in. Except it isn't from Microsoft. Read more ›

Remove a single iptables rule

How do you remove a single iptables rule from a large ruleset? The easiest way is to delete the rule by the chain name and the line number. Here's an example. Read more ›

3 Years of Puppet Config Management: lessons learned

A little over 3 years ago, I started using Puppet as a config management system on my own servers. I should've started much sooner, but back then I didn't see the "value" in it. How foolish ...

Around 2011, when this all started, Puppet was at version 2.7. This means I've skipped the "hard years" of Puppet, the pre-2.7 era I hear a lot of complaints about. So what did I take away from Puppet after 3 years of heavy usage? Read more ›

Clear the APC cache in PHP

How do you clear the APC cache? There are basically two methods: as a PHP developer, you can use the built-in PHP functions -- or as a SysAdmin, you can restart the necessary services to flush the APC cache. Read more ›



Want to get in touch? Find me as @mattiasgeniar on Twitter or via the contact-page on this blog.