💪
I write code with my bare hands

Matt Holt mholt

@mholt
mholt / keybase.md
Created Mar 29, 2014
Self-verifying on keybase is a little like talking to yourself in the mirror :)
View keybase.md

Keybase proof

I hereby claim:

  • I am mholt on github.
  • I am mholt (https://keybase.io/mholt) on keybase.
  • I have a public key whose fingerprint is 7C5D 8989 09D4 E407 20B8 1FF3 1DAA D2EB EC55 EA33

To claim this, I am signing this object:

@mholt
mholt / comcast.js
Created Nov 19, 2015 — forked from Jarred-Sumner/comcast.js
Comcast injects this into webpages to show copyright notices
View comcast.js
// Comcast Cable Communications, LLC Proprietary. Copyright 2014.
// Intended use is to display browser notifications for critical and time sensitive events.
var _ComcastAlert = (function(){
return {
SYS_URL: '/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do'
, dragObj: {zIndex: 999999}
, browser: null
, comcastCheck: 1
, comcastTimer: null
, xmlhttp: null
View CLA_LinuxFoundationDCO.txt
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
@mholt
mholt / Caddyfile
Created Jan 17, 2016 — forked from j-mcnally/Caddyfile
Caddyfile - Example
View Caddyfile
config_server "https://etcd.local:2379"
service users {
    endpoint: "/users",
    proxy: "{{services.users.ip}}:{{services.users.port}}"
}
# In this example 'services.users' would be a directory with a json key for every user service container / application.
# Using this we could template the proxy and any other information in the services block, and it would just work with caddy.
@mholt
mholt / Caddyfile
Created Mar 28, 2016 — forked from phred/Caddyfile
A+ grade on securityheaders.io with this: https://securityheaders.io/?q=https%3A%2F%2Ffff.red
View Caddyfile
fff.red {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Content-Security-Policy "default-src https:*"
        Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
        X-Frame-Options SAMEORIGIN
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options nosniff
    }
}
@mholt
mholt / ocsp_stapling_robustness.md
Created Aug 9, 2016 — forked from AGWA/ocsp_stapling_robustness.md
OCSP Stapling Robustness in Apache and nginx
View ocsp_stapling_robustness.md

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

@mholt
mholt / runit-caddy.md
Created Dec 2, 2015 — forked from tgulacsi/runit-caddy.md
Using runit as a supervisor for Caddy
View runit-caddy.md

Supervisors

A supervisor's main task is to start a specified process (in a specified environment), watch it running, and do something when it ends - usually based on the exit code.

Systemd

From my experience, the environment setup can be a complex task (consult some config management for the required ports, actualize the config file from the central config management...), and this is where the most featureful supervisor (systemd, AFAIK) falls short:

  • it can set up & manage the listening sockets, and pass them to your app (if it can accept them - not hard, just have to be ready for it),
@mholt
mholt / unprivileged_caddy.sh
Created May 29, 2016 — forked from kennwhite/unprivileged_caddy.sh
Run caddy server as unprivileged user, includes Hugo option
View unprivileged_caddy.sh
#!/bin/bash
# *As root*
cd ~
killall caddy
rm -rf ~/caddy
mkdir caddy && cd caddy
curl -SL 'https://caddyserver.com/download/build?os=linux&arch=amd64&features=hugo' > caddy.tgz
tar xzf caddy.tgz
@mholt
mholt / automate.go
Created May 6, 2017
The old automation program that produced Caddy builds for various platforms and bundled them into archives for distribution
View automate.go
// This program was used to build Caddy up to (but not including) v0.10.
// On April 20, 2017, it was replaced by a new releaser script that
// integrates with the autonomous build server. It bundles assets into
// an archive format that best fits the target OS. It could use `go build`
// to compile, but the way I configured it was to run the build.bash
// script that ensured the Caddy binary had proper version information
// embedded.
//
// I'm posting this here because it is no longer available in the Caddy
// repository and maybe you will find it useful for your own (simple?)
@mholt
mholt / example.Caddyfile
Created Jun 21, 2017
restic plugin for Caddy
View example.Caddyfile
example.com
# specifying an empty root is not strictly necessary but not a bad
# idea if all you are serving on this site is the backups
root empty_www/
# authentication is required when using the Caddy plugin;
# this line assumes all requests are protected
basicauth / user pass