SSL Headaches with WordPress inside a Docker Container and how to solve them

It all started with the migration of a website from one host to another for a revamp of said site.
No big deal, we initially thought: just change the DNS entry to point to the new host and be done with it. But it turned into an all-night debugging session.
With this blog post I hope to save you a couple of hours if you ever run into a similar situation.

After switching the DNS entry to the new host we noticed that the site kept redirecting us to the HTTPS version of the site.
The new setup didn’t have the SSL certificates for the domain yet. We wanted to fix this once the domain had moved. As we’re using LetsEncrypt certificates it’s easier to have the domain already pointing to the host where the LetsEncrypt agent is running so it can validate the ownership.
The new host had multiple sites running in a shared hosting environment. So there was an HTTPS port open, but certainly not with the correct certificate for our site.
I tried to look at the certificate but my browser wouldn’t show it to me. At first I didn’t pay much attention to the error message my browser was showing. These kinds of SSL error messages are a rather usual thing when you work with web services in development environments a lot.

I checked the site with the cURL command line tool to figure out which part of the setup was sending the redirect to HTTPS. But strangely enough, with cURL the HTTP connection worked and there was no trace of a redirect. I checked with some other browsers and found one I really rarely use which also worked initially.

But my usual Firefox and Chrome always got redirected to HTTPS regardless of whether I explicitly typed “http://” in the address bar. Eventually I read the error message my browsers presented and noticed that it was complaining about HSTS settings preventing the site from loading. I had never heard of this feature before. A quick online search revealed the explanation for the strange behaviour.

When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:[11]

  1. Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
  2. If the security of the connection cannot be ensured (e.g. the server’s TLS certificate is not trusted), show an error message and do not allow the user to access the web application.[12]

Every browser which had ever visited the original site had received the HSTS header from our web server. This header informs the browser that the site shall only be used with strict security settings – in short, via an SSL/TLS connection.

No wonder the site was working via cURL. The command line tool doesn’t save any cookies or other settings by default, so it didn’t respect the HSTS settings. Same for the browser that I rarely use: it had never visited the original site and thus didn’t have the HSTS policy set.

Now it was clear that we definitely needed the HTTPS setup for the site. Otherwise users who had ever visited our site would run into problems. The HSTS policy can’t be easily cleared; it’s not a cookie or cache item that can be flushed. Unfortunately the new shared hosting provider doesn’t support HTTPS. So I had to find a different solution.

I wanted the final setup to be different. WordPress should run inside a Docker container so I don’t taint the host with all the fancy modules and libraries PHP would require. Then an NGINX on the host would accept the incoming connections for HTTP and HTTPS and reverse proxy to the WordPress inside the container.

I created this setup on my local machine to test it. I did all the magic steps to change WordPress’ SITE_URL and everything seemed to work fine. I didn’t test the HTTPS part though.

At last I transferred the container to the actual web server host and adjusted the NGINX configuration. This host already had the old SSL certificate so everything should be just fine.

But instead of the new site I only got a redirect loop error message in my browser. Every URL I tried, whether HTTP or HTTPS, would be redirected to the same URL on HTTPS.
I had configured WordPress in the container with the SITE_URL on https since that should have been our default protocol.
The HTTPS part was working just fine – apart from the fact that it ended in a redirect loop.

I searched the usual suspects like mod_rewrite settings in .htaccess and browsed the WordPress forum and Stack Overflow for solutions.

It was already the middle of the night when I came to realise that WordPress somehow needs to know whether the incoming connection was HTTP or HTTPS, so it can either send a redirect from HTTP to HTTPS or just serve the site. There was the flaw, or rather misconfiguration, in my setup: the SSL connection was terminated in NGINX and only forwarded as plain HTTP to the Apache in the WordPress container.

So I added the respective settings in the NGINX config to convey the original protocol to the backend host:

# Inside the server block that listens on port 443 (where TLS is terminated).
location / {
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    # Tell the backend that the client connection was HTTPS. proxy_set_header
    # replaces any X-Forwarded-Proto a client sent, so the backend only ever
    # sees the value set here. If this location is shared with the port-80
    # server block, use $scheme instead of the fixed value https.
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://webserver_de;
}

Still no luck. The redirect loop persisted. Another couple of minutes later I found out that the receiving Apache web server must evaluate the “X-Forwarded-Proto” header and set the HTTPS context:

<IfModule mod_setenvif.c>
  # Set the HTTPS environment variable (value 1) when the proxy says the client
  # connection was TLS; PHP then sees $_SERVER['HTTPS'] and WordPress' is_ssl()
  # returns true. Only safe while Apache is reachable solely through NGINX.
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS
</IfModule>

Finally everything was working as it should. WordPress now knew whether the incoming connection came in via HTTPS and would not send a redirect anymore.
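As an added example (not code from the original post), here is a small Python model of the NGINX → Apache → WordPress chain described above; it reproduces the redirect loop, the fix, and why the hardcoded `https` value only belongs in the TLS server block. All function names are made up for this illustration.

```python
# Added example (not from the original post): model of the proxy chain above.
SITE_SCHEME = "https"  # WordPress SITE_URL is configured for https

def nginx_forward(listener_scheme, client_headers, forwarded_proto=None):
    """Model of the nginx location block. TLS is terminated here and the
    backend is always reached over plain HTTP. proxy_set_header replaces any
    client-supplied X-Forwarded-Proto, so forwarded_proto is the only value
    the backend can see; None models the original config that forwarded
    nothing, "$scheme" models the nginx variable holding the real scheme."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != "x-forwarded-proto"}
    if forwarded_proto == "$scheme":
        forwarded_proto = listener_scheme
    if forwarded_proto is not None:
        headers["X-Forwarded-Proto"] = forwarded_proto
    return {"scheme": "http", "headers": headers}

def apache_https_context(request, setenvif_enabled):
    """Model of the SetEnvIf rule: with it, HTTPS is on when the forwarded
    protocol is exactly 'https'; without it Apache only knows about the
    plain HTTP hop from nginx."""
    if not setenvif_enabled:
        return request["scheme"] == "https"
    return request["headers"].get("X-Forwarded-Proto") == "https"

def wordpress_response(https_on):
    """WordPress with an https SITE_URL redirects anything it considers
    insecure to the same URL on https; otherwise it serves the page."""
    if SITE_SCHEME == "https" and not https_on:
        return "301 -> https"
    return "200 OK"

def simulate(listener_scheme, forwarded_proto=None, setenvif_enabled=False,
             client_headers=None):
    """One request through the chain; listener_scheme is what the browser
    actually used to reach nginx. Returns the WordPress response."""
    req = nginx_forward(listener_scheme, client_headers or {}, forwarded_proto)
    return wordpress_response(apache_https_context(req, setenvif_enabled))

if __name__ == "__main__":
    # Original setup: HTTPS terminated in nginx, nothing forwarded -> loop.
    print(simulate("https"))
    # Header forwarded but Apache not evaluating it -> still a loop.
    print(simulate("https", forwarded_proto="https"))
    # Header forwarded and SetEnvIf active -> page is served.
    print(simulate("https", forwarded_proto="https", setenvif_enabled=True))
    # A client-spoofed header is replaced by nginx; plain HTTP is upgraded.
    print(simulate("http", forwarded_proto="$scheme", setenvif_enabled=True,
                   client_headers={"X-Forwarded-Proto": "https"}))
    # Hardcoded https on the port-80 listener: plain HTTP is never upgraded.
    print(simulate("http", forwarded_proto="https", setenvif_enabled=True))
```

The last case is the caveat: if the same location block serves both listeners, `$scheme` keeps the HTTP-to-HTTPS upgrade, while a fixed `https` silently serves the site over plain HTTP.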
I also found the setting in our NGINX config which had caused the initial HSTS problems:

add_header Strict-Transport-Security max-age=63072000;

This tells the browser to only use the site via secure connections until the max age has expired. Then the header is re-evaluated.
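As an added example (not code from the post), a parser for the Strict-Transport-Security value above, showing how long a visitor stays pinned and that a `max-age=0` header served over HTTPS is what makes a browser drop the policy. Times are epoch seconds; the visit time is constructed.

```python
# Added example (not from the original post): HSTS header handling.
def parse_hsts(value):
    """Return the directives of an HSTS header value as a dict, or None when
    a browser would ignore the header: max-age is mandatory and must be a
    non-negative integer. Directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    max_age = directives.get("max-age")
    if max_age is None or max_age is True or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    directives["includesubdomains"] = "includesubdomains" in directives
    return directives

def pinned_until(value, received_at):
    """Epoch second until which a browser that saw this header at received_at
    refuses plain HTTP and untrusted certificates for the host. Every later
    HTTPS visit refreshes the policy; max-age=0 makes the browser drop it,
    which is the only way to clear a policy without waiting it out."""
    hsts = parse_hsts(value)
    if hsts is None:
        return None
    return received_at + hsts["max-age"]

def still_pinned(value, received_at, now):
    """True while the policy received at received_at is still in force."""
    until = pinned_until(value, received_at)
    return until is not None and now < until

if __name__ == "__main__":
    from datetime import datetime, timezone
    seen = 1509494400  # 2017-11-01T00:00:00Z, constructed first visit
    until = pinned_until("max-age=63072000", seen)  # value from the nginx line above
    print(datetime.fromtimestamp(until, timezone.utc))  # 2019-11-01: two years
    print(still_pinned("max-age=63072000", seen, seen + 86400 * 365))  # True
    print(still_pinned("max-age=0", seen, seen))  # False: policy dropped
    print(parse_hsts("max-age=abc"))  # None: ignored by browsers
```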

In concert: Queens of the Stone Age

Their most recent album “Villains” is on heavy rotation on my phone. And coincidentally a good friend of mine pinged me yesterday asking whether I’d like to go to their concert this evening.
That was a nice surprise since I had indeed considered getting concert tickets – but was, as usual, too lazy to actually do so.

The gig took place in the Velodrom, which is conveniently just around the corner from my place. We were standing on the lower ground just about 30 m away from the stage.
As soon as we had gotten our beers and entered the main area the band started to play. So, just-in-time arrival on our part.

The sound was of course loud and quite physical. Unfortunately the sound mix was rather bad. The guitars, bass and drums were much too prominent while the lead guitar and especially the vocals were too low. This absolutely didn’t do the band justice, as Josh Homme is quite a good singer.
Still it was a very powerful concert and the band played for about 90 minutes.

Twitter hasn’t understood Twitter…

Sascha Lobo writes in his current column on SPIEGEL ONLINE:

That is why Twitter’s character extension works so superbly as a symbol: in times of political manipulation via social media, of hyperpolarisation and dysfunctional debate – Twitter withdraws from solving the problems and comes back with 280 instead of 140 characters. That is not merely the wrong solution, it is the wrong solution to the completely wrong problem. As if you were repainting the hallway of a burning house. Twitter hasn’t understood Twitter. Facebook hasn’t understood Facebook.

I believe that both Twitter and Facebook are very well aware of their effect. Sascha is after all not the first and only one to notice the effect of social media on our societies.

For me the question is rather: what could Facebook & Twitter do to counteract their own negative effect?

Twitter is notoriously short of cash and is somehow fighting for survival. They are hardly going to take any measures that are morally right but economically suboptimal. In the end the CEOs feel primarily obligated to their “shareholders”, because those are the only ones they have to answer to. The best example of this is not suspending Trump’s account. He so obviously violates Twitter’s guidelines that he would have to be blocked. But Twitter decided not to block him because of his entertainment value. WTF!?

Facebook certainly has more financial leeway. There, I believe, Zuckerberg & Co. have not yet accepted the seriousness of the situation and are still looking for a way to get out of it unscathed. Possibly he is by now so detached that he seriously sees Facebook as the solution to the problem…

#Meatermade – My cup of tea

I like my tea with honey. But honey doesn’t like too much heat. Putting honey into the freshly boiled tea might destroy some of the healthy effects of that delicious bee product.

Excessive heat can have detrimental effects on the nutritional value of honey. Heating up to 37°C (98.6 F) causes loss of nearly 200 components, part of which are antibacterial. Heating up to 40°C (104 F) destroys invertase, an important enzyme.

Since I own that neat little Meater device and its iPhone app has multiple alarm options, I’ve created a “Honey Alarm” for myself. This one goes off when the tea temperature falls below 40° Celsius.

Then I know it’s safe to start adding honey without losing its nutritional value.

Adieu, Brandenburg district reform!

The district territorial reform, planned largely by the Brandenburg SPD, is now history for the time being. Minister-President Dietmar Woidke explained in an interview that, based on the feedback from the affected districts and the population, a planned vote in the state parliament will not take place.

I am positively surprised by this decision and would not have expected it from the Minister-President. Unfortunately a pronounced stubbornness is widespread in political circles. Facts and changing circumstances are readily ignored in favour of supposedly saving face.

Even though the headwind against this reform was enormous and came from many directions, many a politician would simply have pushed it through on principle. For a long time it looked exactly like that in Brandenburg too. Hence the surprise now.

It remains exciting to see what the now envisaged administrative reform is supposed to deliver, and which strategy the state adopts and implements for dealing with demographic change.

Let the cooking begin – MEATER Probe in da house

[Gallery: MEATER Probe in action; MEATER App progress; MEATER App ambient high; MEATER App temperature graph]

Today I finally got my long awaited crowd-funded MEATER Probe. This tiny probe is a Bluetooth Low Energy enabled temperature sensor which is about to revolutionize meat cooking.

When it was announced quite a while ago (actually in 2015) on Kickstarter I immediately fell in love with the device. Small, wireless and beautifully designed, with a smart mobile app to help get my meat just perfect on the grill or in the oven.

The little metal rod actually sports two temperature sensors: one in the metal tip to measure the internal temperature of the meat, one in the square metal cap on the end to measure the ambient temperature. It comes neatly placed in a bamboo charging station that holds the probe while it’s not in use.

My IoT Hello World Setup

The internet of things (IoT) is everywhere now. And of course I’m into connecting all sorts of electronic stuff to the internet as well. I think the equivalent of the famous “Hello World!” programming language example is the “temperature sensor” for IoT. And of course I’m interested in temperature, humidity and pressure as well. Not only because I want to know how cold it is outside; I also want to know the temperature, and especially the historical temperature, in every room.

In the long term I hope to derive some insights from these data to optimize our heating schedule and eventually control the heating from an automated system.

To get started I wanted to build some cheap wireless sensors whose data are collected in a central place. Sure, you can buy that stuff ready-made. But where’s the fun in that?

To keep the wireless transfer part as low-profile as possible (also in terms of power consumption) I picked the 868 MHz radio band, which is free to use and has a good range. An alternative is LoRa packet radio at 900 MHz, which seems to be emerging as a new standard for IoT connections. There is an affordable breakout module from Adafruit for the 868 MHz band with the well-supported RFM69HCW chipset.

As sensor node I picked the Adafruit Feather M0 with the RFM69HCW module integrated. That’s a tiny Arduino-compatible microcontroller board which has the packet radio module on the same PCB. In addition it has a JTAG header and a lithium-polymer battery charging circuit. This makes it flexible regarding the power supply.

For temperature and humidity I chose the really cheap Adafruit Si7021 breakout board with I2C interface. This allows connecting more sensors to the Feather M0 if needed.

On the receiver side I first tried to connect the RFM69HCW to the RaspberryPi. But I couldn’t find any reliable libraries talking to the chipset to get proper readings. And for things rather close to the hardware, microcontrollers seem to be the weapon of choice. So I got myself a Gertduino. This is a full-fledged Arduino UNO (plus some other neat stuff) on a PCB that sits on top of a RaspberryPi and connects to its GPIO header. You can program the Arduino from the RaspberryPi and read/write data from it via a serial line. So much for the hardware side.

On the software side my first goal was to collect and visualize the data. Recently I had to look into ElasticSearch and figured that it’s actually quite simple to set up. It also comes with a visualization web frontend named Kibana. ElasticSearch prefers JSON documents as input, so I configured the collector nodes to emit their sensor readings in JSON format.

I brought up ElasticSearch and Kibana with this simple Docker setup (docker-compose.yml):

version: '2'
services:
  elasticsearch:
    image: elasticsearch
    ports:
      - "9200:9200"    # bound on all interfaces, so reachable from the network (no auth by default)
    volumes:
      - /home/fzurell/elastic/esdata:/usr/share/elasticsearch/data
  kibana:
    image: kibana
    ports:
      - "127.0.0.1:5601:5601"    # localhost only
    links:
      - elasticsearch

Adafruit Feather nodes on the input side and ElasticSearch/Kibana on the visualization side. But how to connect the dots? First I thought of writing some Python code myself to read from the Gertduino serial line on the RaspberryPi and send it to ElasticSearch. But my local IoT guru Chaosblog brought something new to the table: Node Red.

This is a Node.js application which helps with the plumbing described above. It has little building blocks that you can drag onto a canvas and connect with wires. Messages travel along the wires and can be consumed and manipulated by the blocks. There are many predefined blocks which offer easy solutions to common problems.

My workflow in Node Red looks like this:

  • read data from serial port
  • try to parse as JSON object
  • insert timestamp into JSON object
  • HTTP POST document to ElasticSearch

There was hardly any coding needed. The only little piece of JavaScript I had to write was the insert-timestamp function. All other blocks are stock Node Red elements.

Some things I learned along the way:

  • do a Serial.flush(); to make sure data is written to the serial line
  • The Feather M0 has a real-time clock that can be used in a power-saving setup
  • You can’t program the Gertduino from the RaspberryPi while using the serial connection (hardware jumpers …)
  • The RFM69HCW needs an encryption key of exactly 16 bytes
  • the RFM69HCW module has its own temperature sensor
  • the RFM69HCW can only send packets of approx. 61 bytes (you might need to split messages)
  • Interrupt Service Routines (ISR) are tricky:
    • don’t use delay(); it will make your code hang
    • you might not need any code in the ISR at all.
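As an added example (not the post’s Node Red flow or its Arduino sources), the same plumbing in Python, which is what the author first considered writing for the RaspberryPi: one line read from the Gertduino serial port becomes an ElasticSearch document, and the two radio limits from the lessons above are checked. The field names, the index name and the sample serial lines are constructed for this example.

```python
# Added example (not from the original post): serial line -> ElasticSearch.
import json
import time

RFM69_MAX_PAYLOAD = 61  # bytes per packet, as noted in the lessons above
RFM69_KEY_LENGTH = 16   # the module wants exactly 16 key bytes

def parse_serial_line(line, now=None):
    """Flow steps 2 and 3: try to parse the line as JSON and insert a
    timestamp (epoch milliseconds). Returns None for line noise or partial
    packets instead of raising, so the collector keeps running."""
    try:
        doc = json.loads(line)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "node" not in doc:
        return None
    doc["@timestamp"] = int((now if now is not None else time.time()) * 1000)
    return doc

def fits_radio_packet(doc):
    """A node's reading must fit one RFM69HCW packet; encode without spaces."""
    payload = json.dumps(doc, separators=(",", ":")).encode()
    return len(payload) <= RFM69_MAX_PAYLOAD

def valid_radio_key(key):
    """Accept only keys of exactly 16 bytes (str keys are UTF-8 encoded)."""
    raw = key.encode() if isinstance(key, str) else bytes(key)
    return len(raw) == RFM69_KEY_LENGTH

def to_bulk_body(docs, index="weather"):
    """Flow step 4: body for one HTTP POST to ElasticSearch's _bulk endpoint,
    an action line followed by the document for every reading."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": "reading"}}))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample of what the hub prints to the serial line.
    serial_lines = [
        '{"node":1,"t":21.4,"h":43.2,"rssi":-67}',
        "\x00\xff??garbage",  # line noise before the hub syncs up
        '{"node":2,"t":4.9,"h":88.0,"rssi":-91}',
    ]
    parsed = (parse_serial_line(l, now=1509494400) for l in serial_lines)
    docs = [d for d in parsed if d is not None]
    print(to_bulk_body(docs))                           # POST this to /_bulk
    print(fits_radio_packet(json.loads(serial_lines[0])))  # True: node reading fits
    print(valid_radio_key("sampleEncryptKey"))          # True: 16 bytes
```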

Source code for the weather nodes (make sure you give each node a different node ID: #define NODEID 1)

Source code for the weather hub (on the Gertduino)

Pesto all the things

You can never really have enough good pesto alla Genovese. It goes with anything savoury and, if need be, you can even eat it on its own.

The problem, however, is where to get good pesto. In grocery stores there are various manufacturers supposedly offering pesto. But believe me, 99% of it is rubbish. Not pesto. You don’t want to eat it.

You only notice that, however, once you have eaten real pesto made from fresh ingredients. And surprisingly it is not hard at all to make yourself. Like this:

Ingredients:

  • 1 pot of fresh basil (living plant, ideally organic quality)
  • 60 g pine nuts
  • 200 g Parmesan in one piece
  • approx. 200 ml olive oil
  • 2-3 cloves of garlic

Preparation:

First roast the pine nuts on baking paper in the oven at approx. 180 degrees Celsius until golden brown. Careful: it goes from golden brown to dark brown and black very quickly, so don’t let them out of your sight. Usually this takes about 6 – 10 minutes.

Next pluck the leaves off the basil plant and, if necessary, wash and spin-dry them.

Cut the Parmesan into small pieces so that the hand blender can chop them further. Peel the garlic cloves and cut them in half if needed.

Put all ingredients (basil, pine nuts, Parmesan, garlic, olive oil) into a tall mixing beaker and blend well with the hand blender. Add olive oil until the desired consistency is reached. Rather a bit more than less here, because the cheese keeps swelling over the next few days, if any pesto is left over 😉

Freshly made, the pesto of course tastes best. Filled into jars and sealed, it keeps for a few days in the fridge. If you cover the surface with olive oil, no bacteria from the air can get to the pesto either.

The individual ingredients can be varied slightly as needed. More Parmesan is usually good, more pine nuts not necessarily.

A piece of meadow

K1 got a piece of meadow from his friend’s garden for his birthday last week. That is a very cool idea. K1 loves the garden and has a bit of a green thumb himself. It’s the little things that bring the greatest joy.

Finally spring

Frost instead of frustration

Somehow this year’s winter felt very long to me. Not even necessarily the time when it was cold and snowy, but the time when everything outside is grey because the trees and shrubs carry no green.

But since last weekend things are finally moving forward. Of course with the well-known side effects such as pollen and allergies. But I gladly sneeze and rub my eyes if in return you can finally sit on the balcony again, everything turns so nicely green and the number of animal voices in the forest increases again.