Filip Chabik

DevOps Engineer, Husband & Dad.

NGINX Extended 1.18 update

24th July 2020

I realized that the last status update I wrote on security fixes in NGINX Extended was for… 1.14 (sic!). The thing is that in the meantime the entire stable 1.16 series went by and here we are now: 1.18 is ready. I did announce subsequent releases on Twitter, but there were a few changes that deserve at least a small blog post.

First, builds are no longer limited to Ubuntu LTS releases. Interim releases will receive builds too, but they will stay on the given version once that release reaches EOL. Here’s a good-looking chart showing when that might be: The Ubuntu lifecycle and release cadence. For now, Xenial is the only affected release.

Second, mainline builds are now available as well. Should you need them, or for testing purposes, here’s how to add the relevant PPA:

sudo add-apt-repository ppa:hadret/nginx-mainline
sudo apt-get update

At the moment it carries the same version as the stable branch, but the new 1.19 NGINX releases are coming early next month.

Finally, I backported ModSecurity 3.0¹ to Bionic (18.04), and NGINX Extended now incorporates the official SpiderLabs ModSecurity-nginx module. Be sure to give it a try!

Last time I laid out plans under “what’s next?”: Xenial stopped at 1.14, PageSpeed was dropped (it was too much of a hassle to maintain), LDAP and upsync stayed where they are, and Brotli support was introduced.

This time around I’m planning on modernizing my build environment a little and pushing a few Extended changes towards Debian directly.² Let’s see what the future holds.

  1. v3.0.4 to be exact. 

  2. VTS should be a standard these days. 

WWDC 2020 Session: Enable encrypted DNS →

When people access the web within your app, their privacy is paramount. Safeguard that information by leveraging encrypted DNS across our platforms to deliver private and secure connectivity within your app. Discover how you can use system DNS settings to connect to encrypted servers or enable encrypted DNS within an app using standard networking APIs. Enabling encrypted DNS is yet another way your app can help preserve privacy for your customers and provide them with a better and more secure experience.

Not long ago I wrote about DNS over TLS on macOS with the help of some third-party software.¹ This WWDC session shows how apps will be able to use encrypted DNS in the upcoming releases, and how easy it will be. The flexibility offered here is impressive, and it’s really great to see such a focus on the security and privacy of Apple users.

  1. dnsmasq & Stubby to be exact. 

Transition of the Mac platform to 'Apple Silicon' →

Unsurprisingly, the transition of the Mac platform to ‘Apple Silicon’—an as of yet unspecified custom chipset—was announced. The parallels to the Intel transition announcement in 2005 were obvious and likely entirely intentional. Apple is conveying the message: “we’ve done this before, we know what we are doing.”

Out of all the things at this year’s WWDC, I think this one is the most exciting to me. I wasn’t an Apple user back in the PowerPC to Intel transition, and honestly this one is a bit different — after all, they want to move the Mac to in-house silicon this time. Outstanding performance per watt will definitely make a huge difference, especially in the laptop market. One of the additional perks appears to be the possibility of running iOS and iPadOS apps natively — though I can’t think of a use case for myself, I guess games might be a good example.

This transition is going to be tricky though. While the move from PowerPC freed Apple from being the “industry’s weirdos” on the Power architecture and let them embrace the x86 standard, they are now moving away from x86 while it is essentially still the standard. Linux on ARM is a thing, though it’s still early days, even with the whole Raspberry Pi and similar movement. Windows is a tough sell on anything other than x86, likely for years to come. Compatibility-wise, I’m very curious how Apple is going to tackle these things. Exciting times for sure.

DoT w/ Stubby & dnsmasq on macOS

4th May 2020

OK, let’s start with the definition of DoT:

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

There are, of course, multiple ways to use DoT on macOS.¹ I took the approach of dnsmasq + Stubby simply because I had already planned to play with the former – editing /etc/hosts has bitten me so many times that I finally gave up and decided to run a tiny DNS server instead. Additionally, I wanted to get rid of at least some trackers, counters, analytics and, potentially, ads.

  1. One alternative would be to use Unbound.
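As an added illustration (not configuration from the original post), here is a minimal stubby.yml for the dnsmasq + Stubby setup: Stubby listens on the loopback interface and forwards only over authenticated TLS, so a query cannot silently fall back to plaintext. The listen port, the upstream resolvers and the dnsmasq forwarding line are assumptions, not values taken from the post.

```yaml
# stubby.yml (added example, not the post's own configuration)
# Stubby acts as a local stub resolver: plain DNS in on 127.0.0.1:8053,
# DNS over TLS (port 853) out to the upstreams listed below.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS          # TLS only: never fall back to UDP/TCP in the clear
# Strict usage profile (RFC 8310): refuse an upstream whose certificate does
# not match its tls_auth_name, which is what actually defeats a man-in-the-middle.
# GETDNS_AUTHENTICATION_NONE would be opportunistic and silently accept anyone.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128  # EDNS(0) padding (RFC 7830) so query sizes leak less
edns_client_subnet_private: 1     # do not send the client subnet to upstreams
round_robin_upstreams: 1          # spread queries across the resolvers below
idle_timeout: 10000               # keep the TLS session open (ms), avoiding a handshake per query
listen_addresses:
  - 127.0.0.1@8053                # assumed port; dnsmasq forwards here
  - 0::1@8053
upstream_recursive_servers:
  # assumed upstreams; any DoT resolver with a known tls_auth_name works
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
```

dnsmasq then points at Stubby with server=127.0.0.1#8053 and no-resolv, so no query leaves the machine unencrypted even if /etc/resolv.conf changes. Running dig @127.0.0.1 -p 8053 example.com checks Stubby on its own before wiring dnsmasq in front of it.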

Read More