With haproxy 1.5 finally being released we are lucky enough to get a basic interface around OCSP stapling.

Sadly this interface really is quite basic and it’s not the simplest thing to figure out without some trial and error.

According to the official documentation, you should be able to pipe your OCSP response to haproxy via its stats socket. Sadly I could not get this to work properly at all, so I decided to swap the piping for a file and reload solution.

You’ll need to get a copy of your certification authority’s root certificate to proceed with this.

Looking for your OCSP URI

If you don’t know the URI you need to do an OCSP lookup against, you can find it in your certificate data.

openssl x509 -in /path/to/your/certificate -text

Inside the output, look for the following section.

Authority Information Access …

Pelican FontAwesome allows you to embed FontAwesome icons in your RST posts and pages.

Installation

To install pelican-fontawesome, simply install it from PyPI:

$ pip install pelican-fontawesome

Then enable it in your pelicanconf.py

PLUGINS = [
    # ...
    'pelican_fontawesome',
    # ...
]

Include the FontAwesome CSS in your base template.

<link href="//netdna.bootstrapcdn.com/font-awesome/4.1.0/css/font-awesome.min.css" rel="stylesheet">

Usage

In your article or page, you simply need to add a reference to FontAwesome and then the icon name.

:fa:`fa-github`

Which will result in:

<span class="fa fa-github"></span>

And the user will see:

You can also increase the size, just like the FontAwesome documentation shows.

:fa:`fa-github fa-4x`

Will result in:

License

MIT license.

Abstract

This proposal describes a build system for generating “wheel” archives and is very, very informal. This plan was drawn up after a random discussion with Jannis Leidel on Twitter and IRC.

Wheel files can be platform and Python-version dependent, so a way of generating these files automatically needs to be created and linked to the Packaging Index (PyPI).

Design

After discussions with Jannis, I believe the simplest solution would likely be the best solution for this problem. As such, I feel that using a custom-built, lightweight solution makes more sense than using something like buildbot.

Technology

I feel the platform should leverage existing Python packages that are tried, tested and well used in the community. Therefore I feel we should use a combination of the following:

  • RabbitMQ for queueing builds
  • Celery for building wheels and
  • pyenv for managing multiple Python versions

Operating systems

I lack any understanding of Windows or …

tugboat-bash-completion is a bash completion script for the tugboat CLI interface for the Digital Ocean API.

Downloads

Installation

Debian/Ubuntu

Install manually

Download the source file from above and run the commands below.

sudo make install
. ~/.bashrc

Or you can do it the lazy way

sudo wget https://github.com/kura/tugboat-bash-completion/raw/master/tugboat \
    -O /etc/bash_completion.d/tugboat
. ~/.bashrc

Notes

It’s worth noting that any command that supports a FUZZY_MATCH will take a small amount of time to respond, due to querying the API for a list of either droplets or images.

Commands that do a droplet lookup:

  • destroy
  • halt
  • info
  • password-reset
  • rebuild
  • resize
  • restart
  • snapshot
  • ssh
  • start
  • wait

An image lookup:

  • destroy_image
  • info_image
  • rebuild

Source

The source can be found on GitHub.

Issues

Issues can be tracked using GitHub Issues.

License

This software is licensed using the MIT License. The license is provided in …

I have made a breaking change to the apt.kura.io repositories.

Ubuntu is now properly supported, but to do this properly it meant separating Ubuntu and Debian into totally separate sections to fix the dependency issues.

Breaking changes

Anyone currently using apt.kura.io as it is will get 404 errors and will need to reconfigure their APT settings.

Debian

sudo sed -i 's/apt.kura.io\//apt.kura.io\/debian\//g' /etc/apt/sources.list.d/apt.kura.io.list

Ubuntu

sudo sed -i 's/apt.kura.io\//apt.kura.io\/ubuntu\//g' /etc/apt/sources.list.d/apt.kura.io.list

Changes

This patched version is built using the USE_ZLIB option, allowing for usage of compression or using haproxy as a compression offloader.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy to work under SSL/TLS and allowing the use of SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1 …

pypip.in

pypip.in is a website I have written about before. I decided I would look at the shields and see which ones were the most requested so far this year.

Due to the volume of requests, I only keep 90 days of logs from nginx and no logs from Varnish, pypipin or the local version of buckler. nginx sits in front of Varnish so, even if Varnish responds with a cached version of the shield, a log line is still written to say it was requested.

Top 20

  1. requests [downloads]
  2. Pillow [version]
  3. Pillow [downloads]
  4. Theano [version]
  5. Theano [downloads]
  6. fake-factory [downloads]
  7. livestreamer [downloads]
  8. django-cms [downloads]
  9. django-cms [version]
  10. speedtest-cli [version]
  11. speedtest-cli [downloads]
  12. boto [downloads]
  13. thumbor [downloads]
  14. thumbor [version]
  15. pip [version]
  16. tweepy [version]
  17. tweepy [downloads]
  18. django-allauth [downloads]
  19. pymssql [downloads]
  20. pymssql [version]

The first thing that struck me is that I actually hadn’t heard of or used quite a lot of …

Requirements

  • bash-completion 1:2.0

Downloads

These versions are available on apt.kura.io or as a manual download, from the links below.

MD5

1dcb73ca965b3731df20823a6005392c  vagrant-bash-completion-0.0.6.deb
db494d0bf1b3dcdbcce5b0111ad377a0  go-bash-completion-0.0.1.deb

SHA1

ed6890fdd08ac459a0f61112fcfb48f9e3ce953d  vagrant-bash-completion-0.0.6.deb
fd92cd53f2d6ff98077cb10d3578381025d002e7  go-bash-completion-0.0.1.deb

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy to work under SSL/TLS and allowing the use of SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1.5-dev22_amd64.deb

MD5

1d258aaf1592ac5d6cb34e495e283591  haproxy_1.5-dev22_amd64.deb

SHA1

f17cb661d2ceb1686a0a4b8566168503a0d372d9  haproxy_1.5-dev22_amd64.deb

By default haproxy enables stateless SSL session resumption, but you can enable stateful session resumption in accordance with RFC 5077. This functionality, like the SSL handling it relies on, is only available from haproxy 1.5.

Configuration

The option to enable stateful SSL session resumption is as below

no-tls-tickets

You will need to add it in to your bind line, like below

bind 0.0.0.0:443 ssl ... no-tls-tickets

I have built and released nginx 1.5.10 with SPDY 3.1. Like the nginx 1.5.9 release, this release comes with ngx_pagespeed 1.7.30.3-beta and is available on apt.kura.io or as downloads below.

I have built and released nginx 1.5.9 with ngx_pagespeed module 1.7.30.3-beta and published them on apt.kura.io.

I am a firm believer in using SSL as much as possible, for me that is pretty much everywhere and, thanks to the wonderful guys at GlobalSign, most of my SSL certificates are free because my projects are all open source.

I used a blog post by Hynek Schlawack as a base for my SSL setup, he is keeping this article up-to-date as much as possible so it should be a great source for any security conscious people that would like to know more and get good explanations about each part.

Let’s take a brief look at how this website achieves its A* rating.

Key

I use a 4096 bit RSA key that is not a Debian weak key.

Protocols

I do not support SSLv2 or SSLv3 but I do support much stronger protocols:

  • TLS 1.2,
  • TLS 1.1 and,
  • TLS 1.0.

dhparam

It’s a …

I have previously written an article on using SPDY with haproxy but have been spending some time recently being annoyed that the SPDY check tool said I didn’t advertise a fall back to HTTP over SSL in the NPN protocol list.

After some digging I discovered it was actually quite simple to advertise multiple protocols using npn and haproxy.

Previously my article called for using the following section of configuration at the end of the bind line.

npn spdy/2

To advertise HTTP protocols as well as SPDY you simply need to add them to the npn list, using commas as a delimiter.

npn spdy/2,http/1.1

After releasing my own versions of haproxy with SPDY support and nginx with ngx_pagespeed and SPDY support, I decided it would make sense to actually host these in my own apt repository, so I did.

You can enable this by adding it to your apt config.

wget -qO - http://apt.kura.io/apt.kura.io.key | sudo apt-key add -
echo "deb http://apt.kura.io/ `lsb_release -cs` main" | sudo tee /etc/apt/sources.list.d/apt.kura.io.list
sudo apt-get update

Simple.

If you’re a Python developer that uses Ubuntu or even Debian, you have probably heard of Felix Krull’s deadsnakes PPA.

I find myself using it a lot and since I tend to destroy my environments quite frequently, I thought I’d save myself some time and write a simple shell script to install the PPA, the versions of Python I frequently use and, after messing up a machine — ignore the existing version of python.

I have previously released haproxy1.5-dev19 with SSL & SPDY support enabled and nginx 1.4.1 with SPDY support and pagespeed, although I do not remember which version of pagespeed.

I have received a few messages asking me for the latest version of haproxy, nginx and pagespeed so I decided to finally build and release them.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2, you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

haproxy

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy …

Some time back in April 2013 I was bored and looking for a new project to keep my attention, if only for a short period of time.

My colleague @codeinthehole had an idea but no time to implement it, this idea was to have shields like those of travis-ci (shown below) but displaying package download counts.

Status of blackhole on Travis CI

Tech stack

From the very start I decided to use Tornado framework, although this may change in the future.

The original plan was to generate the images using Pillow (PIL) and then simply cache them to disk. I decided it would make far more sense to do this using Varnish and not have to worry about it working as expected.

Manually generating the images

The images were originally generated from a base template using Pillow, but sadly Python’s image manipulation is not very good, especially its text manipulation and the shields could …

Today I can happily announce that the Google Analytics tracking code has been removed from this website.

Goodbye Google Analytics & hello Open Web Analytics

I’ve been planning on doing it for a while because I do not like Google Analytics, I don’t like being tracked and I actively stopped trying to use Google services for my own reasons.

The company I work for uses Piwik for some of our clients, I am not a fan of Piwik or how it works and does things. I did some research and found some service providers but their free options were limited or I felt they weren’t a good fit, eventually I stumbled upon Open Web Analytics and decided that it not only suited my purposes, but it meant servers I control would hold the analytical data, rather than some third party.

Hello DuckDuckGo

After launching the new version of …

I love my prompt, always have and always will. I spend so much of my life in a terminal, usually with half a dozen mini terminals open in each tab. As such I like to tweak it and get it as perfect as possible for my life, needs and even mood.

In the past I’ve had quite a large PS1 that covers multiple lines and gives a lot of information, after having that PS1 in one form or another for some time I decided it was time for a change, to a smaller PS1 that takes up a lot less space.

So here it is, the first image is my standard PS1 when in a git repository, the red @ means a file hasn’t been added to Git, a blue @ means a tracked file has been modified but not staged and finally a green @ means a file is staged …

Over the last week I’ve been doing a huge amount of refactoring of Blackhole as well as writing dozens of additional tests. To make Blackhole more testable I needed to make a big change to how the program is launched and controlled.

setup.py scripts vs. entry_points

Whenever I’ve written Python programs that require some kind of command line script I’ve always used distutils’ scripts, this can be seen in blackhole’s setup.py on GitHub or in the three line example below.

scripts=[
    'blackhole/bin/blackhole',
],

In doing so, it allowed me to be lazy and write a lot of procedural code in the main “binary” which made it pretty much impossible to test. You can also see that on GitHub in the main “binary”.

I’ve noticed that most people who write Python packages that have some kind of command line entry point use distutils …

Pelican is a Python-powered static blog generator that processes ReStructuredText and Markdown articles and pages and converts them to HTML. I use Pelican to power this blog.

There is a YouTube RST directive built in to Pelican core but it really shouldn’t exist there.

I submitted a pull request for Pelican core to enable Vimeo videos in articles but that request was declined because it didn’t belong in the core. So I decided I would write it as a plugin instead and while I was doing it, also wrote a plugin for YouTube so that it could be removed from the core.

There is a decent amount of detail in the Pelican documentation on how to write plugins, I’m not going to cover the whole process but I thought I would cover a little of what I did.

Adding an RST directive

Really all we’re doing …