Jekyll2026-04-30T18:16:05-04:00http://blog.lavoie.sl/feed.xmlComputers and stuffSoftware Engineering, People Management, and other things I find interesting.Sebastien LavoieOverride Doctrine ODM mapping for Symfony FOSUserBundle2015-01-06T13:44:00-05:002015-01-06T13:44:00-05:00http://blog.lavoie.sl/2015/01/symfony-override-doctrine-mappingIn Symfony Cookbook How to Override any Part of a Bundle, it is written that you cannot override entity mappings and only attributes can be modified in superclasses. However, it is possible to hack you way through and register an Event Listener on loadClassMetadata that will rewrite the mapping on-the-fly. I would not qualify this as a good approach, but it is the only way I found.

A similar solution can be used for Doctrine ORM.

Here is an example, removing the uniqueness on emailCanonical of FOSUserBundle:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

<?php
# ClassMetadataListener.php

namespace Acme\UserBundle\EventListener;

use Doctrine\ODM\MongoDB\Event\LoadClassMetadataEventArgs;

/**
 * Ran when Mongo metadata is loaded.
 */
class ClassMetadataListener
{
    public function loadClassMetadata(LoadClassMetadataEventArgs $eventArgs)
    {
        $classMetadata = $eventArgs->getClassMetadata();

        // Override FOS to not have unique emails
        if ($classMetadata->reflClass->name == 'FOS\UserBundle\Model\User') {
            foreach ($classMetadata->indexes as $i => $index) {
                if (count($index['keys']) === 1 && isset($index['keys']['emailCanonical'])) {
                    $classMetadata->indexes[$i]['options']['unique'] = false;
                    break;
                }
            }
        }
    }
}

1
2
3
4
5
6

# services.yml
services:
    acme.user.metadata_listener:
        class: Acme\UserBundle\EventListener\ClassMetadataListener
        tags:
            -  { name: doctrine_mongodb.odm.event_listener, event: loadClassMetadata }

View Gist

]]>Sebastien LavoiePreventing cache stampede when using Doctrine Cache2014-12-04T11:28:00-05:002014-12-04T11:28:00-05:00http://blog.lavoie.sl/2014/12/preventing-cache-stampede-using-doctrine-cacheWikipedia has short and clear article on the matter, cache stampede can be quite deadly, especially when you are rebooting your server, clearing your cache or having a midnight maintenance (cronjob).

Cache stampede, put simply, is when your process is trying to fetch an expensive cache entry, it is not there, and tries to build it, but a simultaneous process comes and does the same thing. This results in resource waste because of processes all trying to do the same thing, uselessly.

The trick is to put a lock on the cache entry and make the other processes wait. I use the trick of having a TTL for the cache calculation. This way, even if the server crashes or there is an exception, the lock will expire and another process will take over. This estimation is also used to calculate how much time to sleep while waiting.

This example uses Doctrine Cache as a global variable, but this should definitely be refactored (or change to another system).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

<?php
# cacheGetDefault.php

/**
 * Get a value from the cache or compute it using a callback
 * Includes cache stampede protection
 * @link http://en.wikipedia.org/wiki/Cache_stampede
 * @link http://blog.lavoie.sl/2014/12/preventing-cache-stampede-using-doctrine-cache
 * @global cache Doctrine\Common\Cache\Cache
 *
 * @param  string  $key         Cache key
 * @param  Closure $callback    Computing function
 * @param  float   $ttl         Seconds
 * @param  float   $stampedeTtl Seconds before cache stampede expires
 *                              Should be about 2-3 times the estimated time to build the cache
 * @return mixed
 */
function cacheGetDefault($key, Closure $callback, $ttl = 0, $stampedeTtl = null)
{
    global $cache;

    $data = $cache->fetch($key);

    if (false !== $data) {
        return $data;
    }

    if (null !== $stampede) {
        $stampede = max((double) $stampede, 0.001); // prevention for infinite ttl
        // data is being computed, wait
        while ('__STAMPEDE__' === $data) {
            // wait 1/20th of the stampede TTL, to give the CPU a chance
            sleep($stampede / 20);
            $data = $cache->fetch($key);
        }
    }

    if ($data === false) {
        if (null !== $stampedeTtl) {
            // acquire lock
            $cache->save($key, '__STAMPEDE__', $stampedeTtl);
        }
        // compute the actual data
        $data = $callback();
    }

    $cache->save($key, $data, $ttl);

    return $data;
}

1
2
3
4
5
6
7
8
9

<?php
# useCache.php

$cacheTtl = 3600; // an hour
$stampedeTtl = 5; // seconds before releasing lock

cacheGetDefault('recent_tweets', function() {
    return file_get_contents('https://api.twitter.com/1.1/search/tweets.json?q=@lavoiesl');
}, $cacheTtl, $stampedeTtl);

View Gist

]]>Sebastien LavoieLoad Doctrine Fixtures when using Migrations in Symfony2014-12-02T13:55:00-05:002014-12-02T13:55:00-05:00http://blog.lavoie.sl/2014/12/load-doctrine-fixtures-when-usingUsing app/console doctrine:migrations:migrate is really easy and trouble free for everybody, but those tables are often empty and they need some data to be of any use. A common example is a table of countries or user roles.

However, once a project is started, it is often hard to use fixtures because it messes with your data. The trick here is to load only the fixtures you need, only when needed by the migration. This way, a new developer starting with the project could simply run the migrations and have a database ready for testing.

Here is a simple way of loading those fixtures on postUp. You need to pass an array of initialized fixture classes, Doctrine will figure the way to order them by itself.

This is only a proof of concept, it would need some refactoring and testing to be production ready, but you can get the idea.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

<?php
# AbstractFixtureMigration.php

use Doctrine\Common\DataFixtures\Executor\ORMExecutor;
use Doctrine\Common\DataFixtures\Purger\ORMPurger;
use Doctrine\DBAL\Migrations\AbstractMigration;
use Symfony\Bridge\Doctrine\DataFixtures\ContainerAwareLoader as Loader;
use Symfony\Component\Console\Output\ConsoleOutput;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

abstract class AbstractFixtureMigration extends AbstractMigration implements ContainerAwareInterface
{
    use FixtureMigrationTrait;

    private $container;

    public function setContainer(ContainerInterface $container = null)
    {
        $this->container = $container;
    }

    public function loadFixtures(array $fixtures, $append = true)
    {
        $em = $this->container->get('doctrine.orm.entity_manager');

        $loader = new Loader($this->container);
        array_map(array($loader, 'addFixture'), $fixtures);

        $purger = null;
        if ($append === false) {
            $purger = new ORMPurger($em);
            $purger->setPurgeMode(ORMPurger::PURGE_MODE_DELETE);
        }

        $executor = new ORMExecutor($em, $purger);

        $output = new ConsoleOutput;
        $executor->setLogger(function($message) use ($output) {
            $output->writeln(sprintf('  <comment>></comment> <info>%s</info>', $message));
        });

        $executor->execute($loader->getFixtures(), $append);
    }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?php
# Version1.php

use Doctrine\DBAL\Schema\Schema;
use AcmeBundle\DataFixtures\ORM as Fixtures;

class Version1 extends AbstractFixtureMigration
{
    public function up(Schema $schema)
    {
        // ...
    }

    public function down(Schema $schema)
    {
        // ...
    }

    public function postUp(Schema $schema)
    {
        $this->loadFixtures(array(
            new Fixtures\LoadMyData,
            new Fixtures\LoadMyOtherData,
        ));
    }
}

View Gist

]]>Sebastien LavoieMySQL 5.7 and Wordpress problem2014-12-01T14:58:00-05:002014-12-01T14:58:00-05:00http://blog.lavoie.sl/2014/12/mysql-57-and-wordpress-problemIf you upgrade to MySQL 5.7, you may encounter bugs with legacy software. Wordpress, which I also consider some kind of legacy software, does not handle this very well with its default settings.

You may encounter the “Submit for review” bug where you cannot add new posts. It may be related to permissions, auto_increment and other stuff, but here is another case: bad date formats and invalid data altogether.

In MySQL <= 5.6, by default, invalid values are coalesced into valid ones when needed. For example, attempting to set a field NULL on a non-null string will result in empty string. Starting with MySQL 5.7, this is not permitted.

Hence, if you want to upgrade to 5.7 and use all the goodies, you should consider putting it in a more compatible mode, adding this to your /etc/my.cnf:

[mysqld]
# Default:
# sql_mode = ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION
sql_mode = ALLOW_INVALID_DATES,NO_ENGINE_SUBSTITUTION

See official documentation for complete information

]]>Sebastien LavoieStarting a text editor from inside a Virtual Machine2014-11-05T17:24:00-05:002014-11-05T17:24:00-05:00http://blog.lavoie.sl/2014/11/starting-text-editor-from-insideUsing Vagrant, Docker or other virtual development environment is becoming quite popular. However, a drawback of this is that you cannot start a visual text editor on your main machine because heh, the files are not there. Purist may tell you that you should be using Vim or Emacs, but I like Sublime, I want to keep using it.

A simple trick I came up with it to call my text editor by SSH using path translation. Of course, you will need to translate the paths and otherwise adapt it to your needs, but this should get you started:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# subl.sh
#!/bin/bash

# Starting Sublime Text from inside a Virtual Machine
# @link https://gist.github.com/lavoiesl/c01b16b5f875906a6d82

# You may require to install realpath

path="$(realpath "$1")"

if echo "${path}" | grep -q "^/media/data/projects"; then
  path="$(echo "${path}" | sed 's/^\/media\/data\/projects\//~\/projects\//')"
elif echo "${path}" | grep -q "^/media/home"; then
  path="$(echo "${path}" | sed 's/^\/media\/home\//~\//')"
else
  echo "Only paths inside /media/data/projects and /media/home are supported" >&2
  exit 1
fi

ssh seb@10.10.10.1 subl "${path}"

View Gist

In this example, /media/data/projects on the Guest exists as ~/projects on the Host and ~ on the Host exists as /media/home on the Guest.

Make sure you have ~/.ssh/authorized_keys and ForwardAgent properly setup to avoid password prompts each time.

You could also use this trick to open a webpage by using the “open” program on Mac. Equivalent exists on most Linux distros.

]]>Sebastien LavoieCreating a static private network on VMWare Fusion with Ubuntu2014-10-08T11:58:00-04:002014-10-08T11:58:00-04:00http://blog.lavoie.sl/2014/10/static-private-network-vmware-fusion-ubuntuThis tutorial is using VMWare Fusion 7, Ubuntu 14.04.1 server and OSX 10.9

The goal here is to create a private network shared with selected VMs and the host, while offering NATing to connect to the Internet. VMWare offers some documentation, which works great with DHCP, but I needed to specify everything static for custom needs.

Creating a private network

  1. Go to the Network tab of general settings (⌘,)
  2. Unlock the screen by clicking on the lock.
  3. Add a custom network by clicking on the +.
  4. Make sure all options are checked (see screenshot).
  5. Specify a subnet IP, I will be using 192.168.200.0. Activating the DHCP here is needed for the host to connect to it, even though our VMs will be using static IPs.

Configure the VM’s network adapter

  1. Make sure your VM is powered off.
  2. Go to the VM’s settings (⌘E)
  3. Click on Network Adapter.
  4. Select your newly created network (for me it was vmnet2).

Configure the OS’s network adapter

  1. Edit the network interfaces: 
    $ sudo nano /etc/network/interfaces
   
# The loopback network interface
auto lo
iface lo inet loopback
   
# The primary network interface
auto eth0
iface eth0 inet static
  address 192.168.200.100
  netmask 255.255.255.0
  gateway 192.168.200.2
  dns-nameservers 192.168.200.2
  2. Reboot
  3. Check to see if Internet works: 
    ping google.com
  4. Check to see if you can see your host: 
    ping 192.168.200.1
  5. Try SSHing to your VM from your host: 
    ssh 192.168.200.100

You can add more VMs to this private network, just remember to change the IP from 192.168.200.100 to something else from 192.168.200.3 to 192.168.200.253.

]]>Sebastien LavoieAdding newlines in a SQL mysqldump to split extended inserts2014-06-20T15:27:00-04:002014-06-20T15:27:00-04:00http://blog.lavoie.sl/2014/06/split-mysqldump-extended-insertsThe official mysqldump supports more or less two output styles: separate INSERTs (one insert statement per row) or extended INSERTs (one insert per table). Extended INSERTs are much faster, but MySQL write them all in one line, the result being a SQL very hard to read. Can we get the best of both worlds ?

Separate INSERTs

INSERT INTO mytable (id) VALUES (1);
INSERT INTO mytable (id) VALUES (2);

Extended INSERTs

INSERT INTO mytable (id) VALUES (1),(2);

New-And-Improved™ INSERTs

INSERT INTO mytable (id) VALUES
(1),
(2);

Current solutions

Using sed

mysqldump --extended-insert | sed 's/),(/),\n(/g'

Only problem is, lines will be split, even in the middle of strings, altering your data.

Using net_buffer_length

mysqldump --extended-insert --net_buffer_length=5000

mysqldump will make sure lines are not longer than 5000 (or whatever), starting a new INSERT when needed. The problem is that the behaviour is kinda random, diffs are hard to analyze and it may break your data if you are storing columns longer than this.

Writing a parser

This question has been often asked without a proper reply, so I decided to write a simple parser. Precisely, we need to check for quotes, parenthesis, and escape characters.

I first wrote it in PHP:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

<?php
# process-mysqldump.php

// Usage: cat dump.sql | php process-mysqldump.php

$input = fopen('php://stdin', 'r');

while(!feof($input)) {
    $line = fgets($input);
    if (substr($line, 0, 6) == 'INSERT') {
        process_line($line);
    } else {
        echo $line;
    }
}

function process_line($line) {
    $length = strlen($line);

    $pos = strpos($line, ' VALUES ') + 8;
    echo substr($line, 0, $pos);

    $parenthesis = false;
    $quote = false;
    $escape = false;

    for ($i = $pos; $i < $length; $i++) {
        switch($line[$i]) {
            case '(':
                if (!$quote) {
                    if ($parenthesis) {
                        throw new Exception('double open parenthesis');
                    } else {
                        echo PHP_EOL;
                        $parenthesis = true;
                    }
                }
                $escape = false;
                break;

            case ')':
                if (!$quote) {
                    if ($parenthesis) {
                        $parenthesis = false;
                    } else {
                        throw new Exception('closing parenthesis without open');
                    }
                }
                $escape = false;
                break;

            case '\':
                $escape = !$escape;
                break;

            case "'":
                if ($escape) {
                    $escape = false;
                } else {
                    $quote = !$quote;
                }
                break;

            default:
                $escape = false;
                break;
        }

        echo $line[$i];
    }
}

fclose($input);

View Gist

But then I realized it was too slow, so I rewrote it in C, using strcspn to find string occurence:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

// process-mysqldump.c
// gcc -O2 -Wall -pedantic process-mysqldump.c -o process-mysqldump
// Usage: cat dump.sql | process-mysqldump
//   Or : process-mysqldump dump.sql

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>

#define BUFFER 100000

bool is_escaped(char* string, int offset) {
    if (offset == 0) {
        return false;
    } else if (string[offset - 1] == '\') {
        return !is_escaped(string, offset - 1);
    } else {
        return false;
    }
}

bool is_commented(char* string) {
    char buffer[4];

    sprintf(buffer, "%.3s", string);

    return strcmp(buffer, "-- ") == 0;
}

int main(int argc, char *argv[])
{
    FILE* file = argc > 1 ? fopen(argv[1], "r") : stdin;

    char buffer[BUFFER];
    char* line;
    int pos;
    int parenthesis = 0;
    bool quote = false;
    bool escape = false;
    bool comment = false;

    while (fgets(buffer, BUFFER, file) != NULL) {
        line = buffer;

        // skip commented
        if (comment || is_commented(line)) {
            comment = line[strlen(line) - 1] != '\n';
            fputs(line, stdout);
        } else {
            pos = 0;

            nullchar:
            while (line[pos] != '\0') {
                // if we are still in escape state, we need to check first char.
                if (!escape) {
                    // find any character in ()'
                    pos = strcspn(line, "()'\\");
                }

                if (pos > 0) {
                    // print before match
                    printf("%.*s", pos, line);
                }

                switch (line[pos]) {
                    case '(':
                        if (!quote) {
                            if (parenthesis == 0) {
                                putchar('\n');
                            }
                            parenthesis++;
                        }
                        if (escape) {
                            escape = false;
                        }
                        break;

                    case ')':
                        if (!quote) {
                            if (parenthesis > 0) {
                                parenthesis--;
                            } else {
                                // whoops
                                puts("\n");
                                fputs(line, stdout);
                                fputs("Found closing parenthesis without opening one.\n", stderr);
                                exit(1);
                            }
                        }
                        if (escape) {
                            escape = false;
                        }
                        break;

                    case '\\':
                        escape = !escape;
                        break;

                    case '\'':
                        if (escape) {
                            escape = false;
                        } else {
                            quote = !quote;
                        }
                        break;

                    case '\0':
                        goto nullchar;

                    default:
                        if (escape) {
                            escape = false;
                        }
                        break;
                }

                // print char then skip it (to make sure we don’t double match)
                putchar(line[pos]);
                line = line + pos + 1;
                pos = 0;
            }
        }
    }

    return 0;
}

View Gist

The only flaw that I can think of is that the parser will fail if the 10001st character of a line is an escaped quote, it will see it as an unescaped quote.

Happy dumping !

]]>Sebastien LavoieUsing PHP’s mb_detect_encoding to cleanup your data2014-06-16T14:29:00-04:002014-06-16T14:29:00-04:00http://blog.lavoie.sl/2014/06/using-phps-mbdetectencoding-to-cleanupEver heard of iso-8859-1 ? Yeah… that nightmare… With it, my name ends up more often than not… Sébastien. The computers gurus came up one day with UTF-8 and all our problems should have been solved; one encoding to rule them all.

Sweet, let’s all switch to UTF-8 ! Oh wait… legacy projects… PHP internal encoding is still not UTF-8 and functions like strlen() are still not able to properly process multi-bytes strings. It is being said that UTF-8 should land in PHP 6, but in the mean time, we still have to do something.

I am currently working on a big project with a lot of spaghetti-legacy code with a lot of entry points to the database. Almost all the data is stored in one big table, but not encoded uniformly. When I started working on it, tables had fields with a combinaison of  ascii_bin, utf8general_ci, latin_general_ci and latinswedish_ci … and we are in Canada ! In all those fields, data was stored with absolutely no guaranty of its encoding. Data was retrieved and passed through a series of UTF-8 encode/decode and stuff like this:

if (strpos($string, 'é') !== false) {
   $string = utf8_decode($string);
}

I eventually managed to change every field, change all database connections and remove and traces of encode/decode. However, I still had the problem of having data not encoded properly in some rows/columns. You may or may not be familiar with mb_detect_encoding, here is a very simple trick:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

<?php
# check-utf8-db.php

// $pdo = new PDO(...)

$charsets = array('UTF-8', 'ISO-8859-1');

$tables = array(
    'events' => array(
        'title',
        'description',
    ),
    'locations' => array(
        'title',
        'description',
    ),
);

foreach ($tables as $table => $fields) {
    $result = $pdo->query('SELECT id, ' . implode(', ', $fields) . ' FROM ' . $table);
    
    while ($row = $result->fetch()) {
        foreach ($fields as $field) {
            if (($encoding = mb_detect_encoding($row[$field], $charsets, true)) != 'UTF-8') {
                echo $table . '[' . $row['id'] . ']' . '.' . $field . ': ' . $encoding . "\n";

                $converted = iconv($encoding, 'UTF-8', $row[$field]);
                $stmt = $pdo->prepare('UPDATE ' . $table . ' SET ' . $field . ' = ? WHERE id = ?');
                $stmt->execute(array($converted, $row['id']));
            }
        }
    }
}

View Gist

Once you have detected the encoding, use iconv to convert it. This crunched through my 1GB database in no time and I was then sure that everything was in UTF-8.

Of course, this is an example with a database, it can work with any data. This script could also be faster if all updates where done at the same time for each row.

Please, save yourself some trouble, make sure all user content is in UTF-8.

]]>Sebastien LavoieSimple custom CSS checkboxes with Font Awesome2014-05-23T15:55:00-04:002014-05-23T15:55:00-04:00http://blog.lavoie.sl/2014/05/simple-custom-css-checkboxes-with-font-awesomeBrowsers make it notoriously hard to modify the default form elements like dropdowns and checkboxes. For ages, the only way to add a custom style was to use images and CSS Checkbox gives a very good example of this. However, using images is more of a hack than anything else, developers usually prefer to avoid them for good reason: hard to modify, adds to the loading time, flicker when hovering unless you preload or you use sprites, and resolution issues when scaling.

Then came the Javascript solutions. I personally like Chosen for custom dropdowns. These solutions are usually well supported cross-browser and are highly customizable and reliable, but they have the downside of being… Javascript. This means additional libraries, loading time, etc.

The holy grail is to use native CSS: you can customize it as you like, it can be built on top of your site’s stylesheet, inheriting the colours, the fonts, etc. There are a lot of examples out there that will show you working solutions, but they are usually complex. Here is a quick tutorial:

The basics

The concept is to define a custom element that will have a different style based on the state of the input element. No javascript and barely any extra markup. We will hide the original input, but it will continue to work as intended.

Base HTML

<label>
  <input type="checkbox">
  <span class="icon"></span>
  My label
</label>

Base CSS

input {
  display: none;
}
.icon {
  visibility: hidden;
}
input:checked + .icon {
  visibility: visible;
}

This way, the input is always hidden and the .icon is hidden only when the input is not checked.

** The :checked selector is not available for IE8 and lower.

Working demo

For a basic demonstration: http://codepen.io/lavoiesl/pen/rjcIx. The CSS is divided in section to clearly see what is essential. This demo uses Font Awesome to have a nice and clean checkmark.

For more complex examples, see http://cssdeck.com/labs/css-checkbox-styles.

]]>Sebastien LavoieSecure your SSL/TLS server2014-04-09T10:55:00-04:002014-04-09T10:55:00-04:00http://blog.lavoie.sl/2014/04/secure-your-ssltls-serverHeartbleed

Recently the Heartbleed bug came to light. It is a bug in the OpenSSL library that causes information to leak from the server. It is an undetectable backdoor that allows to gain the private key of your server. Let’s just say it is VERY important to fix it. Most distros have been very quick to propagate the OpenSSL update, so running your favorite update manager should fix it in no time.

To verify if you have protected, run this command and check for built on to be greater or equal to April 7th, 2014:

1
2
3
4
5

$ openssl version -a

OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:33:19 UTC 2014
platform: debian-amd64

Disable weak ciphers

The way SSL/TLS works is that the client and the server must agree on a cipher to use for encryption. If you were to attack a server, you would obviously use the least secure cipher. To protect against this, simply disable ciphers to be known as weak or those which flaws have been discovered.

I am using this configuration for Apache:

1

SSLCipherSuite ALL:!ADH:!AECDH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

For Nginx, see their configuration reference. Since 1.0.5, they are using a sensible default. Otherwise, you can use the same as above.

Do not use a too weak or too strong private key

The private key must never be discovered. Otherwise, anyone could decrypt the content and could perpetrate a MITM attack. If the private key is too weak, it could eventually be guessed given enough data. However, SSL/TLS handshakes are very CPU intensive for both the server and the client. Using a key too long will considerably slow down your website. In most cases, 2048 is perfect.

Test your own server

SSL Labs provides a free test suite that will test your ciphers and for known attacks including BEAST and Heartbleed. This is a must: https://www.ssllabs.com/ssltest/

Further reading

I am not a security expert, I simply happen to have done hosting for quite a time. I suggest you do not take my word blindly and go check this very pertinent paper from SSL Labs.

]]>Sebastien Lavoie