DevOps Engineer, Husband & Dad
OK, let’s start with DoT definition: DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. https://en.wikipedia.org/wiki/DNS_over_TLS There are, of course, multiple ways to […]
The better alternative is to run the script in its own process and leave the task of receiving HTTP requests to the web server. FastCGI allows you to separate the web server (or proxy) and the running script by defining the communication protocol between the two. Performance benchmarks indicate that separating scripts into their own process equates […]
As mentioned the last time, I’m still tracking and building latest kernel releases. 5.6 was on my radar for some time and I’m going to stick to it for longer period. One of the most important features of this release is addition of WireGuard. I was building it in for the older releases but now […]
Claudio Kuenzler: In the past 20 years we have moved from SSL to TLS (yet we’re still talking about SSL certificates, funny isn’t it). According to Wikipedia’s Transport Layer Security page, this is the release history: SSL 1.0 -> Never officially released due to security flawsSSL 2.0 -> 1995, deprecated in 2011SSL 3.0 -> 1996, deprecated […]
One of my New Year’s resolution was to get back a bit closer to the lower level parts of Linux. And what’s there lower than the kernel itself? I always preferred vanilla kernel, even when I was fooling around with Gentoo, and this hasn’t changed. In December I started with preparing first builds. Nothing too […]
Not long ago I wrote about backporting BCC & bpftrace in Ubuntu with focus on bionic (18.04 LTS). With this new release, there’s a lot of going on: release notes. I “backported” this one already into my PPA. On that note, I did drop support for the disco (19.04) and added support for the upcoming […]
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. That’s the essence of the CVE-2019-20372. Yet again, as I mentioned in my NGINX Extended post I was not going to work […]
I’m following Brendan Gregg’s performance-related content for years now. I started when he was still in Joyent, later on I bought his Systems Performance book and I get back to it whenever I’m doing any profiling. Now I follow closely all of the latest work he’s doing on BPF front. There’s a small problem though. […]
I already briefly wrote about the idea of having dynamically discoverable upstreams in NGINX when I covered the topic of NGINX Extended. With the boom of microservices and containers scattered all over the place there was suddenly a need for something that would serve as a single source of truth. When solutions like Mesos/Marathon or […]
Backups are one of those things that are usually afterthought. Maybe reason for that was a bit too much of necessary configuration or not enough sensible default choices to fit the bill in the older apps I’ve been trying. Either way — this small, single-binary go application simply nails it. All backups are automagically encrypted […]