Skip to content

Instantly share code, notes, and snippets.

💪
I write code with my bare hands

Matt Holt mholt

View GitHub Profile
@mholt
mholt / main.go
Created Oct 16, 2018 — forked from LiamHaworth/main.go
Example of run an interactive process on the current user from system service on windows (Golang)
View main.go
package main
import (
"github.com/kardianos/service"
"log"
"flag"
)
type Service struct {}
@mholt
mholt / passwordpwned.go
Created Aug 12, 2018
Use Go to check if a password has been pwned
View passwordpwned.go
// checkPasswordPwned checks if the password is "pwned" according
// to the API offered by https://haveibeenpwned.com/. (The password
// is not sent to their servers to do the check.)
//
// This function returns the number of times the password appears in
// their data set. A password is pwned, or compromised, if the return
// value is greater than 0.
//
// API Docs: https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
//
@mholt
mholt / macapp.go
Created May 18, 2018
Distribute your Go program (or any single binary) as a native macOS application
View macapp.go
// Package main is a sample macOS-app-bundling program to demonstrate how to
// automate the process described in this tutorial:
//
// https://medium.com/@mattholt/packaging-a-go-application-for-macos-f7084b00f6b5
//
// Bundling the .app is the first thing it does, and creating the DMG is the
// second. Making the DMG is optional, and is only done if you provide
// the template DMG file, which you have to create beforehand.
//
// Example use:
@mholt
mholt / apply-license.bash
Created Mar 27, 2018
Apply the Apache 2.0 license to all your .go files
View apply-license.bash
#!/bin/bash
FILES=$(find . -name "*.go" -not -path "./vendor/*" -type f)
for f in $FILES
do
echo "processing: $f"
ed -s $f << EOF
0a
// Copyright YEAR YOU
//
@mholt
mholt / example.Caddyfile
Created Jun 21, 2017
restic plugin for Caddy
View example.Caddyfile
example.com
# specifying an empty root is not strictly necessary but not a bad
# idea if all you are serving on this site is the backups
root empty_www/
# authentication is required when using the Caddy plugin;
# this line assumes all requests are protected
basicauth / user pass
@mholt
mholt / automate.go
Created May 6, 2017
The old automation program that produced Caddy builds for various platforms and bundled them into archives for distribution
View automate.go
// This program was used to build Caddy up to (but not including) v0.10.
// On April 20, 2017, it was replaced by a new releaser script that
// integrates with the autonomous build server. It bundles assets into
// an archive format that best fits the target OS. It could use `go build`
// to compile, but the way I configured it was to run the build.bash
// script that ensured the Caddy binary had proper version information
// embedded.
//
// I'm posting this here because it is no longer available in the Caddy
// repository and maybe you will find it useful for your own (simple?)
View ocsp-stapling.md

On Twitter the other day, I was lamenting the state of OCSP stapling support on Linux servers, and got asked by several people to write-up what I think the requirements are for OCSP stapling support.

  1. Support for keeping a long-lived (disk) cache of OCSP responses.

    This should be fairly simple. Any restarting of the service shouldn't blow away previous responses that were obtained. This doesn't need to be disk, just stable - and disk is an easy stable storage for most server

@mholt
mholt / ocsp_stapling_robustness.md
Created Aug 9, 2016 — forked from AGWA/ocsp_stapling_robustness.md
OCSP Stapling Robustness in Apache and nginx
View ocsp_stapling_robustness.md

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

@mholt
mholt / unprivileged_caddy.sh
Created May 29, 2016 — forked from kennwhite/unprivileged_caddy.sh
Run caddy server as unprivileged user, includes Hugo option
View unprivileged_caddy.sh
#!/bin/bash
# *As root*
cd ~
killall caddy
rm -rf ~/caddy
mkdir caddy && cd caddy
curl -SL 'https://caddyserver.com/download/build?os=linux&arch=amd64&features=hugo' > caddy.tgz
tar xzf caddy.tgz
@mholt
mholt / Caddyfile
Created Mar 28, 2016 — forked from phred/Caddyfile
A+ grade on securityheaders.io with this: https://securityheaders.io/?q=https%3A%2F%2Ffff.red
View Caddyfile
fff.red {
header / {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Content-Security-Policy "default-src https:*"
Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
X-Frame-Options SAMEORIGIN
X-XSS-Protection "1; mode=block"
X-Content-Type-Options nosniff
}
}
You can’t perform that action at this time.