G-Loaded Journal » Web Applications

Mobile version of G-Loaded

George Notaras — Sun, 29 Apr 2012 13:51:46 +0000

I tested the website using the default browser of a smartphone and I realized that it is needed to improve the theme to make the content easier to read on mobile devices. If you think such a task is easy, you’re way outline! From a quick web search I noticed that there are many things to take into consideration before making any changes. I’m currently gathering information that will help me decide what would be the best way to serve two versions of the content, one suitable for mobile devices (smartphones and tablets) and one of PCs (desktops, laptops). If you’ve gone through this procedure and care to provide some insight, feel free.
Update: A mobile friendly version of the current theme has been scheduled and will be applied to the web site soon. Stay tuned.

Mobile version of G-Loaded, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Limit the number of stored revisions per post in WordPress

George Notaras — Sat, 28 Apr 2012 02:52:28 +0000

It’s been a while since WordPress implemented revisions for posts and pages. Being able to revert a post or page to a previous state is a useful feature. However, I recently realized that WP creates a revision of the content every time it is saved, but there is no upper limit for the number of stored revisions. So, if you save your work quite often, it is very possible that the WordPress database is filled with numerous revisions of the content, which make the database grow in size quite aggressively. After thinking about it for a while, I realized that all those revisions are pretty useless to me. All I really care about is having a couple of recent revisions of each post or page available, so as to be able to get an idea of my recent changes.

It was only a matter of minutes to find out that it is possible to limit the number of stored revisions per post in WordPress. Open wp-config.php in your favorite editor and add the following:

/**
 * Revision management. Store 5 (+1 autosave) revisions per post.
 */
define('WP_POST_REVISIONS', 5);

The above setting forces WordPress to store only the 5 most recent revisions of the content. One extra revision is also saved because of the autosave feature.

The acceptable values for WP_POST_REVISIONS and their meanings are:

-1: store every revision (this is the default)
0: do not store any revisions except for the one used for the autosave feature
N (integer) > 0: store N revisions per post. Revisions are rotated so that only the N most recent recent ones are available.

After getting rid of all those useless revisions that had piled up over the last months, I’m now quite happy with the size of the database. Although the idea of automatic revisions is fine, in my case, on-demand revisions would have been more useful and would make more sense in the way I author these posts.

Limit the number of stored revisions per post in WordPress, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Speed up Apache by including htaccess files into httpd.conf

George Notaras — Mon, 28 Nov 2011 05:12:59 +0000

It is widely known that, if virtual hosts in Apache (httpd) are configured to permit vhost administrators override specific configuration options at the directory level using htaccess files, the web server consumes valuable time in order to check whether an htaccess file exists in every directory included in the requested path and parse it. On the other hand, many popular web applications utilize htaccess files, especially those residing in the DocumentRoot, in order to implement pretty URLs or HTTP redirections, which is extremely convenient since the virtual host owner does not have to edit httpd’s configuration directly. So, I had the idea to include the htaccess file of the DocumentRoot directory on the filesystem into the virtual host’s configuration.

Suppose we have the /home/example.org/public_html/ directory on the filesystem, which serves as the document root of our virtualhost. The relevant httpd configuration for that vhost would look like this:


  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  
    AllowOverride All
    ...
  
  ...

In order to prevent the htaccess lookups on the filesystem without losing the htaccess functionality – at least at the DocumentRoot level- I transformed the configuration to the following:


  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  
    AllowOverride None
    Include /home/example.org/public_html/.htaccess
    ...
  
  ...

Let’s see what we have accomplished with this:

httpd does not waste any time looking for and parsing htaccess files resulting in faster request processing,
the virtual host administrator can still override the configuration options of the document root manually or through the web interface of the web application.

Seems like a win-win situation performance and functionality wise.

But, as usual, there is no win-win situation without a downside. In this case, the above trick weakens the server’s security. Let’s see how.

Although the configuration of a directory can be set in both httpd.conf and the directory’s htaccess file, not all directives can be used in both contexts. htaccess files support a subset of the directives that can be used in the Directory context within httpd.conf. By including the htaccess file in httpd’s configuration the vhost admin is no longer restricted to that subset of directives.

This means that by implementing the above configuration the virtual host administrator is granted more privileges regarding the configuration of the virtual host. This also means that a potential attacker, that would exploit a vulnerability of the web application, would be granted the same privileges once he got write access to that htaccess file.

So, although this trick may seem like a good idea at first, it is in fact a rather bad idea and should never be used in production, unless you trust the virtual host administrator and the web application. I do not intend to use such a configuration and I do not recommend it. There are by far better ways to speed up Apache.

Your comments and suggestions are welcome.

Speed up Apache by including htaccess files into httpd.conf, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

WordPress is getting better

George Notaras — Tue, 27 Sep 2011 23:48:18 +0000

The first time I used WordPress back in September 2005 I considered it to be the content publishing platform of choice as far as a personal or business website was concerned. It was easy to set up and publish content and, also, easy to customize, even with ugly hacks. Today I still consider WordPress to be the overall best choice, despite the fact it still does not excel in any particular sector. Although I am not a pro, I have enough experience to say it’s the engine with the most acceptable trade-off between ease of use, security, features, ease of customization and being a solid base for development upon it. It is also one of those open-source projects that can create business opportunities for software engineers, system administrators, web designers, internet advertisers and marketers. The huge and active community of users and developers have boosted this project over the years. It proves that, if an open-source project is surrounded by a big active community and has good marketing (like WordPress had all these years) it can fly and create business opportunities in many sectors. During the last days I spent much time trying some of the features that have been implemented in the newer releases of WordPress and also various plugins. I must admit that today, by using WordPress, it is just a matter of some hours to have a high performance, good looking and feature rich small web site from scratch with minimal cost.

WordPress is getting better, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

How to configure mod_gnutls to use the RC4 cipher to mitigate the SSL/TLS vulnerability

George Notaras — Tue, 27 Sep 2011 20:40:45 +0000

It’s been a while since the details of an SSL/TLS vulnerability have been released to the public. Since then, security experts have worked on the issue and have released a whitepaper describing how to mitigate the attack, known as BEAST (Browser Exploit Against SSL/TLS).

From the security researchers’ article:

The problem lies in the way that block ciphers are used in SSL/TLS. Block ciphers are generally operated in one of several modes that define how encrypted blocks are manipulated to ensure complete confidentiality. Cipher Block Chaining, or CBC mode, is used in SSL for all block ciphers, including AES and Triple-DES. The BEAST attack relies on a weakness in the way CBC mode is used in SSL and TLS. Non-CBC cipher suites, such as those using the RC4 stream encryption algorithm, are not vulnerable.

There have been several suggested mitigations that can be put into play from the perspective of the client, such as reorganizing the way the data is sent in the encrypted stream. Servers can protect themselves by requiring a non-CBC cipher suite. One such cipher suite is rc4-sha, which is widely supported by clients and servers.

Researchers have concluded that the RC4 (Alleged RC4) based cipher suites are not vulnerable to the BEAST attack, while CBC (Cipher Block Chaining mode) based cipher suites are. This involves both the TLS 1.0 and the SSL 3.0 protocols. On the contrary, TLS 1.1 and 1.2 have not been found to be vulnerable, but their use is very limited since they haven’t been adopted by the majority of HTTP clients and servers yet.

So, the use of RC4 based ciphers is all that is left for the moment. The security experts have released a list of cipher suites that is suitable for use in the configuration of the mod_ssl module for httpd:

SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

They have also released a one-liner list of ciphers suitable for use in the relevant fields of the Local Group Policy Editor in Windows Server boxes.

However, there is no info about configuring the mod_gnutls module for apache to use RC4 based ciphers, so, as a dedicated user of mod_gnutls, I decided to release this tip. All you have to do is set the preferred ciphers in the GnuTLSPriorities directive. In this example we use the TLS 1.0 protocol:

GnuTLSPriorities NONE:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

Visiting a secure web site that has been configured using any of the methods described above and by checking the information of the secure connection to that website, you should see the following message:

Firefox message about using RC4 encryption cipher

This means that everything is working correctly.

As always, comments and suggestions are welcome and appreciated.

How to configure mod_gnutls to use the RC4 cipher to mitigate the SSL/TLS vulnerability, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

PHP syntax error caused 48-hour web site downtime

George Notaras — Tue, 14 Jun 2011 11:50:50 +0000

Today I realized my web site had been serving an empty HTML document for the last 2 days on every HTTP request no matter what the path was. When I initially noticed the issue, I was a bit worried, but, after taking a closer look at the Apache error log, I found out about a PHP syntax error causing the issue. A couple of days ago I had edited a WordPress plugin on my live web site and, apparently, I made a typo which led to a syntax error and an empty document being served on every request. But, I recall I had checked the website after the modification of the plugin but I hadn’t noticed any issues! Actually, this happened because I had forgot to clear the cache, so when I checked the site after the modification of the plugin, it seemed OK. My modification didn’t change the visual representation of the web site, so, having forgot to turn off caching, there was no way for me to find out about the typo. Lesson learned: never modify the code of a live web site, but, if you have to do it, always turn-off caching before doing so.

PHP syntax error caused 48-hour web site downtime, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

CPU Time saved by WP-Super-Cache

George Notaras — Thu, 16 Sep 2010 23:29:22 +0000

I needed to make some changes to the website layout this afternoon, so I turned off WP-Super-Cache for a while. As you can clearly see in the following graph the CPU time consumed by php-cgi processes increased by 2-4 times when caching was turned off between 14:00-17:00. And this increase was caused by a single WordPress installation during low traffic hours. This is one of the many reasons I love caching plugins.

CPU consumption with WP-Super-Cache turned off between 14:00-17:00

CPU Time saved by WP-Super-Cache, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Declutter Plugin for WordPress

George Notaras — Thu, 16 Sep 2010 21:28:04 +0000

Web applications that add unnecessary HTTP headers or meta tags and links in the HTML HEAD section of my web pages usually make me nervous. Today, WordPress, once again, made me spend my free time trying to find which filters add such useless data in my web pages and try to remove it. Removing the meta tags and links from the HTML head was rather easy using the remove_action() function, but the HTTP headers gave me a hard time. Before giving up, I decided to search for a plugin that could possibly provide a solution. Fortunately, I discovered a great plugin, named WP-Declutter, which makes it possible to remove all that useless stuff in one go. Below, there is some information about which items I have removed.

First of all, I should say that the plugin’s feature set by far exceeded my expectations as it can remove links and metatags from the HTML HEAD area, HTTP headers added by WordPress, the generator element of the feeds, and also various classes WP adds to various HTML elements.

I removed the following items from the HTML HEAD:

Link to the Really Simple Discovery service endpoint. That’s the link to: /xmlrpc.php?rsd
Link to the first post on your blog.
Link to the Windows Live Writer manifest file. That’s the link to: /wp-includes/wlwmanifest.xml
The generator meta tag.
The shortlink.

From the “feeds” section I removed the the “generator” element.

Finally, from the HTTP headers section I removed everything. In my case, the ETag, Expires and Cache-Control headers are added by the webserver (FileETags and mod_expires). If this is not the case for you, then consider keeping these enabled.

Another thing you should keep in mind is that if you use any caching mechanism, like WP-Super-Cache, make sure you clear the cache after you make any changes in the WP-Clutter’s administration panel, otherwise the changes you made will be visible after the cached pages expire.

Declutter Plugin for WordPress, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Some Preliminary Redmine Customizations

George Notaras — Wed, 14 Apr 2010 15:55:33 +0000

I’ve been using Redmine for several months now. During this period of time I had the chance to evaluate most of its features. Although I still consider it one of the most feature-rich project management web applications currently available, using it on a production website revealed some weaknesses in the anti-spam area. Truth is the application lacks anti-spam features, but, on the other hand, such features most probably belong to the plugin area instead of the application core, so noone can put the blame on the core developers for not making the app spam-proof. Apart from this, I also realized that some of its templates need some improvement in some cases. Time permitting, I’ll be working on these things in the upcoming weeks and release the customizations in the form of patches that can be applied directly on the latest official release of Redmine.

Some Preliminary Redmine Customizations, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

A change of plans regarding a web-based VCS manager

George Notaras — Mon, 12 Apr 2010 16:06:41 +0000

About a month ago, I had finally decided to start writing a simple web-based VCS manager. This is a project I had been thinking about for the last 2 years as a solution for source-code management at CodeTRAX.org, but I never really started development. The initial plan included support (repository creation only) for the most popular open-source version control systems, like subversion, mercurial, git, and bazaar. The VCS manager, actually a Django application, should be able to create source code repositories and manage user permissions on a per repository basis. It would also include an authentication/authorization backend for httpd, compatible with mod_wsgi‘s access control mechanisms, in order to provide controlled access to the repositories over HTTP or HTTPS. During the last days, after exploring several of the Mercurial features, I am quite certain that Mercurial includes all the necessary features to meet any requirement of CodeTRAX. So, I seriously consider dropping support for any other VCS except hg and try to make the VCS manager more hg specific. Now I realize that this should be the approach from the beginning. The needs are quite specific, so supporting several version control systems was completely unnecessary.

A change of plans regarding a web-based VCS manager, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

G-Loaded Journal » Web Applications

Mobile version of G-Loaded

Related Articles

Limit the number of stored revisions per post in WordPress

Related Articles

Speed up Apache by including htaccess files into httpd.conf

Related Articles

WordPress is getting better

Related Articles

How to configure mod_gnutls to use the RC4 cipher to mitigate the SSL/TLS vulnerability

Related Articles

PHP syntax error caused 48-hour web site downtime

Related Articles

CPU Time saved by WP-Super-Cache

Related Articles

Declutter Plugin for WordPress

Related Articles

Some Preliminary Redmine Customizations

Related Articles

A change of plans regarding a web-based VCS manager

Related Articles