Planned site maintenance (from 2017-08-06)

Beginning tomorrow, I intend to do some site maintenance, mainly to improve the site’s HTTPS implementation (as well as renew the site certificate). As part of this maintenance, I will test an upgrade to HTTP/2. This requires some work from my end, since the version of Apache bundled with Ubuntu 16.04 LTS does not support HTTP/2. I will update this blog post as I proceed.

UPDATE (2017-08-10): I’ve completed all maintenance work for now.

Maintenance status (2017-08-10):

  • Retrieved weekly MariaDB backup.
  • Added Apache HTTP/2 module. This entailed compiling Apache from source, then manually copying the module to where the modules are located.
  • Enabled Apache HTTP/2 module.
  • Tweaked site configuration (to prevent MIME sniffing and clickjacking).
  • Tweaked SSL configuration (only support TLS 1.2 and a limited number of cipher suites, as well as set the order of cipher suites).
  • Redirected all HTTP to HTTPS.
  • Renewed certificate.
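
The completed items above (HTTP/2, MIME-sniffing and clickjacking headers, TLS 1.2 only with an ordered cipher list, and the HTTP to HTTPS redirect) all reduce to a handful of Apache 2.4 directives. The following is an added example, not the post author's configuration: it assumes a hypothetical host `example.com`, a Let's Encrypt certificate under `/etc/letsencrypt/live/example.com/`, and that `mod_ssl`, `mod_headers` and `mod_http2` are loaded.

```apache
# Added example (not the post author's configuration). Assumes a Let's Encrypt
# certificate for the hypothetical host example.com and Apache 2.4 with
# mod_ssl, mod_headers and mod_http2 loaded.

# Everything on plain HTTP gets a permanent (301) redirect to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # Negotiate HTTP/2 over TLS via ALPN, falling back to HTTP/1.1 for
    # clients that do not offer h2.
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # TLS 1.2 only. The server, not the client, picks the suite, and the list
    # contains only forward-secret AEAD suites (no CBC, no RSA key exchange).
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLCompression off
    SSLSessionTickets off

    # Response hardening. "always" makes the headers appear on error and
    # redirect responses too, not only on 2xx.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>
```

Two checks are worth running after `apachectl configtest` and a restart: `apachectl -M | grep http2` confirms the module is actually loaded from the directory the binary searches, and `curl -sI --http2 https://example.com/` should answer `HTTP/2 200` (or `openssl s_client -alpn h2 -connect example.com:443 </dev/null | grep ALPN` to see the negotiated protocol). One caveat for a stock Ubuntu install: the `prefork` MPM that `mod_php` requires is not usable with HTTP/2 in Apache 2.4.27 and later, so a PHP site normally needs the `event` MPM with PHP-FPM behind `mod_proxy_fcgi` before `h2` is served at all. The ChaCha20-Poly1305 suites are omitted from the list because they need OpenSSL 1.1.0, which Ubuntu 16.04 does not ship.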

This means that you need modern browsers to access this site. I can only guarantee access with Firefox 27+, Chrome 30+, Internet Explorer 11 (Windows 7 or later), Edge (Windows 10), Opera 17+, Safari 9+ (both macOS and iOS), Android 5.0+ and Java 8+. I highly recommend that you use Chrome or Firefox to access this website (I do most of my testing with these two browsers); so far, mobile is not supported (there may be display issues).

Planned:

  • Test HSTS configuration (no set date).
  • Secure cookies (no set timeline due to potential web application issues; the planned site overhaul will implement secure cookies). Currently in progress.
  • Install a bugtracker for the planned site overhaul (no set date). Note that security issues must not use the bugtracker, but must be mailed to me directly.
  • Test the new site on the web server (no set date); so far I’ve been testing it on my own computer.

HSTS configuration will be ongoing.

Postponed:

  • Add DNS CAA record (no set timeline).
  • Replace RSA certificate with ECDSA certificate (will do in the renewal period after Let’s Encrypt implements ECDSA).
  • Set Content Security Policy (CSP) (WordPress relies heavily on inline styles; this makes it even more imperative to overhaul the site).
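
The HSTS and Secure-cookie items in the planned list, and the CSP item above, can all be staged from the web server without touching the application, which is useful while the overhaul is pending. The block below is an added example, not the post author's configuration; it assumes the same hypothetical `example.com` virtual host and a `/csp-report` endpoint that exists only for this illustration.

```apache
# Added example (not the post author's configuration). Goes inside the *:443
# virtual host of the hypothetical example.com; /csp-report is assumed.

# HSTS: start with a short max-age so that a broken HTTPS deployment ages out
# of browsers quickly, and raise it (for example to 31536000) only once every
# resource is confirmed to load over HTTPS. Leave out "preload" until the
# policy is final; removal from the preload list takes months.
Header always set Strict-Transport-Security "max-age=300"

# Append Secure to every Set-Cookie the application emits, so no cookie is
# ever sent over plain HTTP. "always" also catches cookies set on 3xx
# responses, such as a post-login redirect. An existing Secure attribute is
# merely duplicated, which browsers accept.
Header always edit Set-Cookie ^(.*)$ "$1; Secure"

# CSP in report-only mode: nothing is blocked, but each violation is POSTed
# to the report endpoint, so the inline styles and scripts the policy would
# break are enumerated before enforcement is switched on.
Header always set Content-Security-Policy-Report-Only "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri /csp-report"
```

`curl -sI https://example.com/` shows whether the three headers are present; logging in and inspecting the `Set-Cookie` lines of the redirect response confirms the `edit` rule fires on 3xx as well. `HttpOnly` could be appended in the same `edit`, but that breaks any cookie the front-end reads from `document.cookie`, so it is better left to the application. The postponed CAA record is a DNS change rather than an Apache one; for a Let's Encrypt-only site it is a single zone line of the form `example.com. IN CAA 0 issue "letsencrypt.org"`, after which no other CA will issue for the name.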

P.S. I plan to finish the second chapter of Innocence Seekers: April Light by September 28.

