Tuesday, December 17, 2019

AWS RDS - Update Your Amazon RDS SSL/TLS Certificates by February 5, 2020

If you got the mail from AWS about updating the client-side certificate for your RDS connections, here is a very simple explanation of what you need to do. Your first concern is that your application's functionality should not be affected and everything should keep working as smoothly as it does now.

When you connect to the database, you connect either securely or non-securely. If you connect non-securely, you do not need to worry about the mail you received, as it affects only connections that are made securely. Suppose your RDS is MySQL or Postgres and you connect to it from a PHP framework or from Python: check the database connection code, and if an ssl/tls parameter is defined with a client certificate file, you are using the secured method to connect to RDS. You need to download the latest client-side certificate file from here or here and replace the existing one with it.

Another way of checking: look at the parameter rds.force_ssl in the parameter group settings of your RDS instance. If its value is 0, insecure RDS connections can also be made, but if its value is 1, no insecure connection can be made, so your code must already be using the client-side certificate file for connections to work at all.

Similarly, if force ssl is on, you cannot connect to the database on the command line without specifying the client-side certificate file.
Here is an example of connecting to a PostgreSQL RDS server on the command line:
psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"

Secure MySQL connection on RDS:
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
If you enable rds.force_ssl and restart your instance, non-SSL connections are refused with the following message for PostgreSQL:
psql: FATAL: no pg_hba.conf entry for host "host.ip", user "someuser", database "postgres", SSL off
and a similar message will be displayed for MySQL and other RDS database types.
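To work out which clients the rotation can actually affect, the following added example (not part of the original post) audits the two client styles shown above, a libpq key=value DSN and mysql command-line options, and reports whether the client verifies the server certificate and, if it does, whether it still points at the 2015 CA file. The CA file names come from the post; the mysql and libpq option semantics are the clients' documented behaviour.

```python
# Added example (not from the post): audit a client's RDS connection
# settings to see whether the CA rotation can affect it and whether the
# CA file it trusts is still the 2015 one.
import os
import shlex

OLD_CA_FILES = {"rds-ca-2015-root.pem"}          # file name used in the post
NEW_CA_FILES = {"rds-combined-ca-bundle.pem"}     # replacement bundle from the post
PG_VERIFY_MODES = {"verify-ca", "verify-full"}    # libpq modes that check the chain
MYSQL_VERIFY_MODES = {"VERIFY_CA", "VERIFY_IDENTITY"}  # mysql modes that check the chain


def parse_pg_dsn(dsn):
    """'dbname=x sslmode=verify-full ...' -> {'verifies': bool, 'ca': path|None}."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(dsn) if "=" in tok)
    mode = kv.get("sslmode", "prefer")   # libpq default: encrypt if possible, never verify
    ca = kv.get("sslrootcert")
    # libpq quirk: sslmode=require with an explicit root CA file behaves like verify-ca
    verifies = mode in PG_VERIFY_MODES or (mode == "require" and ca is not None)
    return {"verifies": verifies, "ca": ca}


def parse_mysql_args(argv):
    """mysql CLI argv -> same shape; --ssl-verify-server-cert is the older flag."""
    opts = {}
    for arg in argv:
        if arg.startswith("--"):
            key, _, val = arg[2:].partition("=")
            opts[key] = val
    verifies = (opts.get("ssl-mode") in MYSQL_VERIFY_MODES
                or "ssl-verify-server-cert" in opts)
    return {"verifies": verifies, "ca": opts.get("ssl-ca")}


def assess(settings):
    """'not-verified' | 'ok' | 'update-ca' | 'unknown-ca'."""
    if not settings["verifies"]:
        return "not-verified"   # encrypted or not, the rotation cannot break this client
    name = os.path.basename(settings["ca"] or "")
    if name in NEW_CA_FILES:
        return "ok"
    if not name or name in OLD_CA_FILES:
        return "update-ca"      # old bundle (or the client's default store) must be replaced
    return "unknown-ca"         # custom trust store: confirm it contains the new CA
```

A client reported as "not-verified" keeps working after the rotation, but it also accepts any certificate, which is worth fixing while you are touching the configuration anyway.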

Thursday, December 12, 2019

Add Swap Space in AWS EC2 Centos or Linux AMI

Here are the steps to create swap space on an AWS EC2 CentOS or Linux AMI:

1. Create an EBS volume (SSD, gp2) of the size you want for your swap space. Suppose it is 4G.
2. Attach the volume to your instance. Suppose the attached device is /dev/xvdf
3. Now run
sudo mkswap /dev/xvdf

4. Enable the swap
sudo swapon /dev/xvdf
5. Edit /etc/fstab and add the following line, so the swap is enabled again after a reboot
/dev/xvdf none swap sw 0 0
6. Now you can verify the added swap space.
sudo swapon --show
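The usual mistake with this procedure is stopping after step 4, so the swap disappears at the next reboot. The following added check (not part of the original post) reads the text of /proc/swaps and /etc/fstab and reports whether a device is active now and whether it will come back after a reboot; the sample file contents are constructed.

```python
# Added example (not from the post): confirm a swap device is both active
# now and listed in fstab so it survives a reboot. Works on the text of
# /proc/swaps and /etc/fstab, so it can also be run on copies pulled from a host.

# Constructed sample contents, shaped like the real files.
SAMPLE_PROC_SWAPS = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/xvdf                               partition\t4194300\t0\t-2
"""
SAMPLE_FSTAB = """# constructed sample fstab
UUID=abcd-1234 / xfs defaults 0 0
/dev/xvdf none swap sw 0 0
"""


def active_swaps(proc_swaps_text):
    """Device paths from /proc/swaps (header line skipped)."""
    lines = proc_swaps_text.strip().splitlines()[1:]
    return {line.split()[0] for line in lines if line.strip()}


def fstab_swaps(fstab_text):
    """Device paths of 'swap' entries in fstab, ignoring comments."""
    devices = set()
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[2] == "swap":
            devices.add(fields[0])
    return devices


def swap_status(proc_swaps_text, fstab_text, device):
    """Classify one device: 'ok', 'not-persistent', 'not-active' or 'missing'."""
    active = device in active_swaps(proc_swaps_text)
    persistent = device in fstab_swaps(fstab_text)
    if active and persistent:
        return "ok"
    if active:
        return "not-persistent"   # step 5 (the fstab line) was skipped
    if persistent:
        return "not-active"       # fstab has it but swapon was never run
    return "missing"


def check_host(device="/dev/xvdf"):
    """Run the same check against the live files on this host."""
    with open("/proc/swaps") as swaps, open("/etc/fstab") as fstab:
        return swap_status(swaps.read(), fstab.read(), device)
```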

Postfix : postdrop warning unable to look up public/pickup

Your Postfix is running but it is not sending any mail. If you see the above warning in the log, here is the solution.

sudo mkfifo /var/spool/postfix/public/pickup
sudo service postfix restart


After running both commands, the issue should be fixed and mail should be sent successfully.

GitLab - Stop showing your GitLab setup and repositories in Google search results

If your GitLab setup is reachable at a public URL but you do not want it to show up in Google results, here is the solution.

1. You can restrict your GitLab URL to a limited set of IPs only. GitLab works on default port 89. You must have used a web server to serve the GitLab URL globally; it may be Apache, Nginx or some other web server. You can add attributes in your virtual host that block access to GitLab from any IP you have not listed.

2a. Sometimes you need to access GitLab from IPs that are not known in advance, and it is not feasible to change the virtual host setting every time. If you cannot restrict your GitLab setup to some IPs but still do not want it in Google search results, you can try this solution.
Always make your repositories and groups private. Do not create any public repository or any public group, because public repositories and public groups are what show up in Google search results. GitLab has a setting in the admin area for this: after enabling it, no registered user can create a public repository or group, and only the admin can.
Here is the setting:

Admin Area > Settings > General > Visibility and access controls > Restricted visibility levels

Check the box Public.
Now no registered user can create a public repository or group.

2b. After following solution 2a, you need to implement solution 2b. Like every other web application, GitLab has a robots.txt file.

robots.txt is a set of directions for search engines and crawlers, and well-behaved crawlers follow it blindly. If you write a rule that disallows your site, your web application will not be listed in search results.

By default GitLab allows the login page and the explore page to be listed in search results. The explore page lists all public repositories and groups, so if your GitLab has any, they will be listed in search results. You need to modify your GitLab robots.txt. Here is the path:

/opt/gitlab/embedded/service/gitlab-rails/public/robots.txt

Now comment out every single line except these two:

 User-Agent: *
 Disallow: /

This stops your GitLab URL from showing up in search results. If it is already listed, it will disappear some days after you make the change in robots.txt.
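To confirm the edited robots.txt really covers the login and explore pages, the following added example (not part of the original post) evaluates a robots.txt against a few GitLab paths with the standard-library parser, which applies the same prefix rules crawlers do. The hostname is assumed, and the "before" file is a constructed sample, not GitLab's shipped default.

```python
# Added example (not from the post): list which GitLab paths a crawler may
# still fetch under a given robots.txt.
from urllib.robotparser import RobotFileParser

BASE = "https://gitlab.example.com"      # assumed hostname

# GitLab's sign-in and explore paths, plus a sample project path
PATHS = ["/users/sign_in", "/explore", "/explore/groups", "/mygroup/myproject"]

# Constructed "before" file: login and explore left open to crawlers.
BEFORE = """User-Agent: *
Disallow: /admin
Disallow: /mygroup/myproject
"""

# The two lines the post says to keep.
AFTER = """User-Agent: *
Disallow: /
"""


def fetchable(robots_text, paths=PATHS, agent="Googlebot"):
    """Return the subset of paths a crawler honouring robots_text may fetch."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return [p for p in paths if rp.can_fetch(agent, BASE + p)]


def still_exposed(robots_text):
    """True if either page the post is concerned with can still be crawled."""
    open_paths = fetchable(robots_text, ["/users/sign_in", "/explore"])
    return bool(open_paths)
```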

WordPress - https mixed content issue

After configuring SSL on your WordPress site, the most annoying problem is the mixed content error: the browser shows "Your connection is not fully secure". Here is the solution to fix the issue.

Solution : 1
1. Change all URLs in the code from http to https manually. If there are any js files in any plugin or in the fusion directory of Uploads, you need to find those and replace them as well.
2. Install the Go Live plugin in your WordPress site to replace all URLs in the database. It provides an easy option to replace all http URLs with https.

OR

Solution : 2
There is one easier solution: install the WordPress plugin named "Really Simple SSL". Once you activate it, it delivers all URLs to the browser over https and you do not get the same error again.
Let me know which solution worked for you.
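Before or after applying either solution, it helps to know exactly which tags trigger the warning. The following added example (not part of the original post, and not what either plugin does internally) scans a page for resources still loaded over http, ignoring plain links, which browsers do not treat as mixed content, and shows the same-host rewrite from solution 1. The HTML is a constructed sample, not a real WordPress page.

```python
# Added example (not from the post): find the tags on a page that would
# trigger the mixed-content warning, i.e. resources still fetched over http.
from html.parser import HTMLParser

# (tag, attribute) pairs whose value the browser fetches as a sub-resource;
# <a href> is deliberately absent because navigation links are not mixed content
RESOURCE_ATTRS = {("script", "src"), ("link", "href"), ("img", "src"),
                  ("iframe", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, url) pairs still using http://

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and value.startswith("http://"):
                self.findings.append((tag, value))


def find_mixed_content(html):
    """Return [(tag, url), ...] for every sub-resource loaded over http."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


def rewrite_to_https(html, site_host):
    """Same-host fix from solution 1: switch only your own URLs to https."""
    return html.replace("http://" + site_host + "/", "https://" + site_host + "/")


# Constructed sample page served over https with two leftover http resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://blog.example.com/wp-content/themes/x/style.css">
<script src="https://blog.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://blog.example.com/about">About</a>
<img src="http://blog.example.com/wp-content/uploads/logo.png">
</body></html>"""
```

Third-party http resources are reported too, and those cannot be fixed by a same-host rewrite; they need an https source or removal.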