| // This program was used to build Caddy up to (but not including) v0.10. | |
| // On April 20, 2017, it was replaced by a new releaser script that | |
| // integrates with the autonomous build server. It bundles assets into | |
| // an archive format that best fits the target OS. It could use `go build` | |
| // to compile, but the way I configured it was to run the build.bash | |
| // script that ensured the Caddy binary had proper version information | |
| // embedded. | |
| // | |
| // I'm posting this here because it is no longer available in the Caddy | |
| // repository and maybe you will find it useful for your own (simple?) |
On Twitter the other day, I was lamenting the state of OCSP stapling support on Linux servers, and got asked by several people to write-up what I think the requirements are for OCSP stapling support.
Support for keeping a long-lived (disk) cache of OCSP responses.
This should be fairly simple. Any restarting of the service shouldn't blow away previous responses that were obtained. This doesn't need to be disk, just stable - and disk is an easy stable storage for most server
Date: Mon, 5 Oct 2015 16:34:03 -0700
Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your
| #!/bin/bash | |
| # *As root* | |
| cd ~ | |
| killall caddy | |
| rm -rf ~/caddy | |
| mkdir caddy && cd caddy | |
| curl -SL 'https://caddyserver.com/download/build?os=linux&arch=amd64&features=hugo' > caddy.tgz | |
| tar xzf caddy.tgz |
| fff.red { | |
| header / { | |
| Strict-Transport-Security "max-age=31536000; includeSubDomains" | |
| Content-Security-Policy "default-src https:*" | |
| Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000" | |
| X-Frame-Options SAMEORIGIN | |
| X-XSS-Protection "1; mode=block" | |
| X-Content-Type-Options nosniff | |
| } | |
| } |
| mholt [9:10 AM] | |
| When using http.Get(), is it really necessary to read the full response body just to close it later? | |
| [9:10] | |
| The docs keep saying `Caller should close resp.Body when done reading from it.` and I keep seeing code like this: | |
| ``` | |
| io.Copy(ioutil.Discard, resp.Body) | |
| resp.Body.Close() | |
| ``` |
| config_server "https://etcd.local:2379" | |
| service users { | |
| endpoint: "/users", | |
| proxy: "{{services.users.ip}}:{{services.users.port}}" | |
| } | |
| # In this example 'services.users' would be a directory with a json key for every user service container / application. | |
| # Using this we could template the proxy and any other information in the services block, and it would just work with caddy. |
| Developer Certificate of Origin | |
| Version 1.1 | |
| Copyright (C) 2004, 2006 The Linux Foundation and its contributors. | |
| 660 York Street, Suite 102, | |
| San Francisco, CA 94110 USA | |
| Everyone is permitted to copy and distribute verbatim copies of this | |
| license document, but changing it is not allowed. |
A supervisor's main task, is to start a specified process (in a specified environment), watch it running, and do something when it ends - usually based on the exit code.
From my experience, the environment setup can be a complex task (consult some config management for the required ports, actualize the config file from the central config management...), and this is where the most featureful supervisor (systemd, AFAIK) falls short:
| // Comcast Cable Communications, LLC Proprietary. Copyright 2014. | |
| // Intended use is to display browser notifications for critical and time sensitive events. | |
| var _ComcastAlert = (function(){ | |
| return { | |
| SYS_URL: '/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do' | |
| , dragObj: {zIndex: 999999} | |
| , browser: null | |
| , comcastCheck: 1 | |
| , comcastTimer: null | |
| , xmlhttp: null |
