Exiting relays

Both SpunkWeasel (865A408E2B1EA3E18C9A12E80A8D458F9C985C16) and AnorexicSquirrel (B8E6FFEB6F91FA3D26BC572836FB0ABBD142DC87) have been given additional horsepower in terms of CPU and memory and both have been allowed to exit. Additionally, both are now capable of IPv6 connectivity as guards, relays and exits.

New relays

A new exit relay has been put online called VivaciousAlpaca (24B1783665A9B0A4BF640A1CD02F685C0CA098ED). It has the same CPU and memory as SpunkWeasel and AnorexicSquirrel and also has full IPv6 capabilities.

A full list of my public Tor relays can be found on the tor page.

Privacy is key

I am a big fan of keeping my browsing habits and other personal information private. As such, I use a VPN service provided by proxy.sh (affiliate link), I also use their proxies, Tor and various other proxies, usually from online lists, should I feel the need.

Anonymous nodes

I’ve run some Tor nodes for quite a while now, two Exits and five relays to be precise. They are all listed as being part of the same family and have never had any reference to me being their operator.

Sadly, these seven nodes will always remain a secret due to the hassle that inherently comes with running Tor Exit nodes. These issues include some mean emails and IP addresses and CIDR blocks being blacklisted by services like Netflix.

New nodes!

The good news is, I have recently launched three more nodes! These nodes belong to a …

Batfish is a Python client and API wrapper for the Digital Ocean V2 API. It can be used as a library module in your own Python code but also provides a CLI interface and a shell-like command interpreter.

Batfish is still under development and is considered in the Alpha stage. It is not yet available via PyPI but can be tried out using the code available on GitHub.

There is a small amount of documentation available on Read The Docs and tests are still being written to get as much coverage as possible and eke out all of the bugs. You can find the latest test status on Travis CI.

Module interface

>>> from batfish import Client
>>> client = Client()
>>> client.authorize("abcde12345")
>>> client.droplets
[<Droplet ego.kura.io>, <Droplet fax.kura.io>, <Droplet jet.kura.io>, <Droplet ski.kura.io>]
>>> client.droplet_reboot(1234)

CLI interface

$ batfish authorize
abcde12345
$ batfish droplets
ego …

Yarg is a PyPI client. It was written for pypip.in and can search packages as well as read the RSS feeds from PyPI for new packages and new package version releases.

Search interface

>>> import yarg
>>> package = yarg.get("yarg")
>>> package.name
u'yarg'
>>> package.author
Author(name=u'Kura', email=u'kura@kura.io')

Newest packages interface

>>> import yarg
>>> packages = yarg.newest_packages()
>>> packages
[<Package yarg>, <Package gray>, <Package ragy>]
>>> packages[0].name
u'yarg'
>>> packages[0].url
u'http://pypi.python.org/pypi/yarg'

Updated packages interface

>>> import yarg
>>> packages = yarg.latest_updated_packages()
>>> packages
[<Package yarg>, <Package gray>, <Package ragy>]
>>> packages[0].name
u'yarg'
>>> packages[0].version
u'0.1.2'
>>> packages[0].url
u'http://pypi.python.org/pypi/yarg/0.1.2'

Documentation

Full documentation is at <https://yarg.readthedocs.org>.

As you might expect, pypip.in employs a fair amount of caching in the backend to control load on the imaging API and servers.

For a long time, this cache was entirely managed by Varnish and was doing a fantastic job. Varnish has a hit:miss ratio of 10:1, for every 10 hits we get 1 miss. This is a fairly decent ratio when you consider where these images are displayed, how often they are viewed and that Varnish only caches the images for an hour.

The impact on PyPI

You will firstly need to understand how pypip.in used to work to understand the changes that were made and why they were made.

Let’s set up the request first - a request for a shield is made and it is not present in the Varnish cache.

Request received in API layer
              |
              v
    API layer queries PyPI
              |
              v
   PyPI …

While pypip.in is available under the MIT license on GitHub, it’s not explained how to really use it properly.

You can work out how to set up the Python source of the project and get the Twisted process running, but this is totally reliant on using img.shields.io.

I decided to write this article explaining how to install your own copy of the shields nodejs code, pypipin itself and even cover off supervisord and Varnish too.

shields & nodejs

nodejs

First of all you’ll need to get the latest source code copy of nodejs from the nodejs download page.

Extract it.

tar -xvzf node-<VERSION>.tar.gz
cd node-<VERSION>

You’ll need to install the build tools, if you don’t have them already.

sudo apt-get install build-essential

And then make and install node.

make && sudo make install

Redis

Redis is used to temporarily store PyPI responses.

sudo …

Supported Python versions

This one is generated from the list of classifiers you provide to PyPI.

If no Python version classifiers exist, it defaults to Python 2.7. This is because really, Python 3 is not widely used in production or supported by libraries.

Python implementation(s)

I think this one is really cool. Chances are you’re unlikely to get more than two supported implementations, like CPython and PyPy or CPython and Stackless.

The shield uses the Python implementation classifiers to generate this shield. It supports all classifiers that PyPI supports (CPython, Jython, Iron Python, PyPy and Stackless) and defaults to CPython if none are set.

Styling changes

This change is simply because of the upgrade of the shields library. This allows us to use the default rounded badges like below.

But also allow you to use a much nicer, cleaner, flat styling like the ones used on this …

With haproxy 1.5 finally being released we are lucky enough to get a basic interface around OCSP stapling.

Sadly this interface really is quite basic and it’s not the simplest thing to figure out without some trial and error.

According to the official documentation, you should be able to pipe your OCSP response to haproxy via its stats socket. Sadly I could not get this to work properly at all, so I decided to swap the piping for a file and reload solution.

You’ll need to get a copy of your certification authority’s root certificate to proceed with this.

Looking for your OCSP URI

If you don’t know the URI you need to do an OCSP lookup against, you can find it in your certificate data.

openssl x509 -in /path/to/your/certificate -text

Inside the output, look for the following section.

Authority Information Access …

Pelican FontAwesome allows you to embed FontAwesome icons in your RST posts and pages.

Installation

To install pelican-fontawesome, simply install it from PyPI:

$ pip install pelican-fontawesome

Then enable it in your pelicanconf.py

PLUGINS = [
    # ...
    'pelican_fontawesome',
    # ...
]

Include the FontAwesome CSS in your base template.

<link href="//netdna.bootstrapcdn.com/font-awesome/4.1.0/css/font-awesome.min.css" rel="stylesheet">

Usage

In your article or page, you simply need to add a reference to FontAwesome and then the icon name.

:fa:`fa-github`

Which will result in:

<span class="fa fa-github"></span>

And the user will see:

You can also increase the size, just like the FontAwesome documentation shows.

:fa:`fa-github fa-4x`

Will result in:

License

MIT license.

Abstract

This proposal describes a build system for generating “wheel” archives and is very, very informal. This plan was drawn up after a random discussion with Jannis Liedel on Twitter and IRC.

Wheel files can be platform and Python-version dependent, a way of generating these files automatically needs to be created and linked to the Packaging Index (PyPI.)

Design

After discussions with Jannis, I believe the simplest solution would likely be the best solution for this problem. As such, I feel that using a custom-built, lightweight solution makes more sense than using something like buildbot.

Technology

I feel the platform should leverage existing Python packages that are tried, tested and well used in the community. Therefore I feel we should use a combination of the following;

  • RabbitMQ for queueing builds
  • Celery for building wheels and
  • pyenv for managing multiple Python versions

Operating systems

I lack any understanding of Windows or …

tugboat-bash-completion is a bash completion script for the tugboat CLI interface for the Digital Ocean API.

Downloads

Installation

Debian/Ubuntu

Install manually

Download the source file from above and run the commands below.

sudo make install
. ~/.bashrc

Or you can do it the lazy way

# Fetch the raw file; the /blob/ URL returns GitHub's HTML page, not the script
sudo wget https://github.com/kura/tugboat-bash-completion/raw/master/tugboat \
    -O /etc/bash_completion.d/tugboat
. ~/.bashrc

Notes

It’s worth noting that any command that supports a FUZZY_MATCH will take a small amount of time to respond, due to querying the API for a list of either droplets or images.

Commands that do a droplet lookup;

  • destroy
  • halt
  • info
  • password-reset
  • rebuild
  • resize
  • restart
  • snapshot
  • ssh
  • start
  • wait

An image lookup;

  • destroy_image
  • info_image
  • rebuild

Source

The source can be found on GitHub.

Issues

Issues can be tracked using GitHub Issues.

License

This software is licensed using the MIT License. The license is provided in …

I have made a breaking change to the apt.kura.io repositories.

Ubuntu is now properly supported, but to do this properly it meant separating Ubuntu and Debian into totally separate sections to fix the dependency issues.

Breaking changes

Anyone currently using apt.kura.io as it is will get 404 errors and will need to reconfigure their APT settings.

Debian

sudo sed -i 's/apt.kura.io\//apt.kura.io\/debian\//g' /etc/apt/sources.list.d/apt.kura.io.list

Ubuntu

sudo sed -i 's/apt.kura.io\//apt.kura.io\/ubuntu\//g' /etc/apt/sources.list.d/apt.kura.io.list

Changes

This patched version is built using the USE_ZLIB option, allowing for usage of compression or using haproxy as a compression offloader.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy to work under SSL/TLS and allowing the use of SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1 …

pypip.in

pypip.in is a website I have written about before. I decided I would look at the shields and see which ones were the most requested so far this year.

Due to the volume of requests, I only keep 90 days of logs from nginx and no logs from Varnish, pypipin or the local version of buckler. nginx sits in front of Varnish so, even if Varnish responds with a cached version of the shield, a log line is still written to say it was requested.

Top 20

  1. requests [downloads]
  2. Pillow [version]
  3. Pillow [downloads]
  4. Theano [version]
  5. Theano [downloads]
  6. fake-factory [downloads]
  7. livestreamer [downloads]
  8. django-cms [downloads]
  9. django-cms [version]
  10. speedtest-cli [version]
  11. speedtest-cli [downloads]
  12. boto [downloads]
  13. thumbor [downloads]
  14. thumbor [version]
  15. pip [version]
  16. tweepy [version]
  17. tweepy [downloads]
  18. django-allauth [downloads]
  19. pymssql [downloads]
  20. pymssql [version]

The first thing that struck me is that I actually hadn’t heard of or used quite a lot of …

Requirements

  • bash-completion 1:2.0

Downloads

These versions are available on apt.kura.io or as a manual download, from the links below.

MD5

1dcb73ca965b3731df20823a6005392c  vagrant-bash-completion-0.0.6.deb
db494d0bf1b3dcdbcce5b0111ad377a0  go-bash-completion-0.0.1.deb

SHA1

ed6890fdd08ac459a0f61112fcfb48f9e3ce953d  vagrant-bash-completion-0.0.6.deb
fd92cd53f2d6ff98077cb10d3578381025d002e7  go-bash-completion-0.0.1.deb

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy to work under SSL/TLS and allowing the use of SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1.5-dev22_amd64.deb

MD5

1d258aaf1592ac5d6cb34e495e283591  haproxy_1.5-dev22_amd64.deb

SHA1

f17cb661d2ceb1686a0a4b8566168503a0d372d9  haproxy_1.5-dev22_amd64.deb

By default haproxy enables stateless SSL session resumption, but you can enable stateful session resumption in accordance with RFC 5077. This functionality, like the SSL handling it relies on, is only available from haproxy 1.5.

Configuration

The option to enable stateful SSL session resumption is as below

no-tls-tickets

You will need to add it in to your bind line, like below

bind 0.0.0.0:443 ssl ... no-tls-tickets

I have built and released nginx 1.5.10 with SPDY 3.1. Like the nginx 1.5.9 release, this release comes with ngx_pagespeed 1.7.30.3-beta and is available on apt.kura.io or as downloads below.

I have built and released nginx 1.5.9 with ngx_pagespeed module 1.7.30.3-beta and published them on apt.kura.io.

I am a firm believer in using SSL as much as possible, for me that is pretty much everywhere and, thanks to the wonderful guys at GlobalSign, most of my SSL certificates are free because my projects are all open source.

I used a blog post by Hynek Schlawack as a base for my SSL setup, he is keeping this article up-to-date as much as possible so it should be a great source for any security conscious people that would like to know more and get good explanations about each part.

Let’s take a brief look at how this website achieves its A* rating.

Key

I use a 4096 bit RSA key that is not a Debian weak key.

Protocols

I do not support SSLv2 or SSLv3 but I do support much stronger protocols;

  • TLS 1.2,
  • TLS 1.1 and,
  • TLS 1.0.

dhparam

It’s a …

I have previously written an article on using SPDY with haproxy but have been spending some time recently being annoyed that the SPDY check tool said I didn’t advertise a fall back to HTTP over SSL in the NPN protocol list.

After some digging I discovered it was actually quite simple to advertise multiple protocols using npn and haproxy.

Previously my article called for using the following section of configuration at the end of the bind line.

npn spdy/2

To advertise HTTP protocols as well as SPDY you simply need to add them to the npn list, using commas as a delimiter.

npn spdy/2,http/1.1

After releasing my own versions of haproxy with SPDY support and nginx with ngx_pagespeed and SPDY support, I decided it would make sense to actually host these in my own apt repository, so I did.

You can enable this by adding it to your apt config.

wget -qO - http://apt.kura.io/apt.kura.io.key | sudo apt-key add -
echo "deb http://apt.kura.io/ `lsb_release -cs` main" | sudo tee /etc/apt/sources.list.d/apt.kura.io.list
sudo apt-get update

Simple.

If you’re a Python developer that uses Ubuntu or even Debian, you have probably heard of Felix Krull’s deadsnakes PPA.

I find myself using it a lot and since I tend to destroy my environments quite frequently, I thought I’d save myself some time and write a simple shell script to install the PPA, the versions of Python I frequently use and, after messing up a machine — ignore the existing version of python.

I have previously released haproxy1.5-dev19 with SSL & SPDY support enabled and nginx 1.4.1 with SPDY support and pagespeed, although I do not remember which version of pagespeed.

I have received a few messages asking me for the latest version of haproxy, nginx and pagespeed so I decided to finally build and release them.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

haproxy

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy …