Finally, new, well, everything

Sun 22 December 2013 by Kevin van Haaren

It has taken waaaay longer than I wanted, but the site is finally migrated to a new blogging system. The whole backend has been redone, and most of the sites hosted here are now served over SSL. This post is mostly a test to see if it's all working correctly; if it is, it should auto-post to the blog within 30 minutes of my marking it publishable.

New blogging software

I liked Darby Lines' description of the Pelican blogging platform, so I selected it as my blogging platform as well. As Darby did, I use Dropbox to get content to my server, where Pelican then processes it into this web site.

Most blogging systems store the content to be displayed in a database: when somebody opens a page, the content for that page is retrieved from the database and rendered. With Pelican, on the other hand, the files that make up the site live in a content directory, mostly as Markdown or other supported text formats, plus images. Pelican processes these files into a website of entirely static HTML, creating RSS/Atom feeds, index pages, archive pages and so on as required.
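As an added illustration of that workflow (this is not the post's own script, nor part of Pelican), here is a small POSIX shell publish script that cron can run every 30 minutes: it renders the Dropbox-synced content directory with the pelican command into a fresh directory and then swaps that directory in for the live site, so the web server never serves a half-written build and a broken build leaves the old site up. The paths, the script name and the Dropbox folder layout are assumptions.

```sh
#!/bin/sh
# Added example, not the post's or Pelican's own script: a cron job that
# rebuilds the site from the Dropbox-synced content directory and swaps the
# result in atomically. All paths below are assumptions; they must match the
# Dropbox client's folder on the server and the web server's document root.
set -e
CONTENT="${CONTENT:-$HOME/Dropbox/blog/content}"
CONF="${CONF:-$HOME/Dropbox/blog/pelicanconf.py}"
SITE_ROOT="${SITE_ROOT:-/var/www/blog}"

# Render into a fresh sibling directory (same filesystem, so the later mv is a
# rename). Pelican skips articles marked "Status: draft", so a half-written
# post sitting in Dropbox is not published until its status changes.
build_site() {
    new=$(mktemp -d "${SITE_ROOT}.new.XXXXXX")
    chmod 755 "$new"
    pelican "$CONTENT" -o "$new" -s "$CONF" >/dev/null
    printf '%s\n' "$new"
}

# Put the new build live and keep the previous one for rollback. The web
# server only ever sees complete directories; a failed build aborts above
# (set -e) and never reaches this point, so the old site stays untouched.
swap_in() {
    new="$1"
    rm -rf "${SITE_ROOT}.prev"
    if [ -d "$SITE_ROOT" ]; then mv "$SITE_ROOT" "${SITE_ROOT}.prev"; fi
    mv "$new" "$SITE_ROOT"
}

# Restore the previous build if the new one turns out to be broken.
rollback() {
    [ -d "${SITE_ROOT}.prev" ] || return 1
    rm -rf "$SITE_ROOT"
    mv "${SITE_ROOT}.prev" "$SITE_ROOT"
}

# crontab entry (every 30 minutes, matching the publishing window in the post):
#   */30 * * * * /usr/local/bin/publish-blog.sh
# Run the pipeline only when invoked as that script, not when sourced.
case "${0##*/}" in
publish-blog.sh) swap_in "$(build_site)" ;;
esac
```

Because the build goes into a sibling directory and the final step is a rename, a reader hitting the site during a publish gets either the complete old site or the complete new one, and a bad build can be undone with rollback without rerunning Pelican.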

There were several reasons for going with a static site, primarily security but also performance. While I've not suffered large loads on the site, database-backed dynamic sites can be overwhelmed by a large traffic spike. Web servers perform at their best serving static content, so a static site plays to that strength.

A dynamic site typically requires a scripting language such as PHP, Ruby or Perl, plus a database like MySQL, SQLite or PostgreSQL. Including the web server, this means you have to keep all of those components patched for security reasons, and each update can cause conflicts with other installed components. Reducing a site to just the web server reduces the number of things that can be attacked.

New virtual machine

Instead of using a hosted web service I have a virtual server from Host Virtual. I prefer running a virtual machine: it gives me the flexibility to run the services and software I want, and I can host multiple domains and sub-domains without paying extra. I get to pick and maintain the Linux distribution I want (Gentoo) and my choice of web server. Keeping up to date with security patches and new versions is my responsibility, but I prefer it this way, and Gentoo's package management makes it pretty easy.

SSL

I used SSL on my old server, mainly for the mail server and a sub-domain site I had set up. I decided to expand my use of SSL because I think there should be more encrypted traffic flowing on the net. The NSA gathers as much as possible, and is especially interested in encrypted traffic. Might as well fill their drives with my pointless blog.

I didn't just throw a self-signed SSL certificate on the server and call it good. I wanted a properly signed SSL certificate, but I'm cheap, so I went with a free certificate from StartSSL. They provide a basic domain-validated certificate for free. Although they offer to generate the private key for you, if you create the key yourself on your own equipment they never see it, and you don't need to worry about the security of their service.
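The "generate the key yourself" step, as an added example that is neither StartSSL's procedure nor anything from the post: the private key is created on your own machine with owner-only permissions, and the only thing that leaves the machine is the certificate signing request, which carries the public key and the subject. The domain name and file names are assumptions; the 2048-bit RSA key is the size a CA of that era expected.

```sh
#!/bin/sh
# Added example (not StartSSL's or the post's own procedure): generate the
# private key and the CSR locally, so the CA only ever receives the CSR.
# The domain name and file names below are assumptions.
set -e

# Generate a 2048-bit RSA key with owner-only permissions from the moment the
# file exists; the umask is set in a subshell so the caller's mask is untouched.
make_key() {
    keyfile="$1"
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$keyfile" 2>/dev/null )
}

# Build a CSR for one domain. This file, not the key, is what you paste into
# the CA's web form.
make_csr() {
    keyfile="$1"; csrfile="$2"; domain="$3"
    openssl req -new -key "$keyfile" -subj "/CN=$domain" -out "$csrfile"
}

# Sanity check before submitting: the CSR's self-signature must verify and
# the public key inside it must match the private key we are keeping.
verify_pair() {
    keyfile="$1"; csrfile="$2"
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$keyfile" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csrfile" -noout -pubkey 2>/dev/null)" ]
}

# Run the three steps only when invoked as a script, not when sourced.
case "${0##*/}" in
make-csr.sh)
    make_key blog.key
    make_csr blog.key blog.csr blog.example.com
    verify_pair blog.key blog.csr && echo "blog.csr is ready to submit"
    ;;
esac
```

The key file is written with mode 600 from the start rather than chmod'ed afterwards, which closes the short window in which a world-readable key would otherwise exist; verify_pair is worth running again on the certificate the CA returns, comparing its public key against the same private key.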

Once I had an officially trusted public/private key pair, I wanted to make sure SSL was set up correctly. I used the SSL Labs server test to verify I was doing it right. After some experimentation I got all the current best practices working. Forward secrecy is supported, so even if my private key is compromised at some later date, traffic captured earlier can't be decrypted. According to SSL Labs, Internet Explorer really won't like this site, although the IE 9 I use in the office seems to work OK.
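One way to check the forward-secrecy point locally before touching the web server config, as an added example that is not from the post or from SSL Labs: the shell function below hands a candidate cipher string to openssl ciphers -v and reports every suite whose key exchange is not ephemeral. In that output ECDHE and DHE suites show Kx=ECDH and Kx=DH, the old fixed-key ECDH suites show Kx=ECDH/RSA or Kx=ECDH/ECDSA, plain RSA key transport shows Kx=RSA, and newer OpenSSL lists the TLS 1.3 suites (always ephemeral) as Kx=any. The cipher strings in the usage line are assumptions.

```sh
#!/bin/sh
# Added example, not from the post: audit a cipher string for forward secrecy
# using the local openssl before putting it in the web server configuration.

# Print each suite in the cipher string whose key exchange is not ephemeral
# and return 1 if there is any such suite. Exact matches are deliberate:
# "ECDH/RSA" (fixed ECDH) and "DH(512)" (export DH) must not pass. Returns 2
# if openssl rejects the string (e.g. a misspelled suite name).
check_forward_secrecy() {
    cipher_string="$1"
    list=$(openssl ciphers -v "$cipher_string" 2>/dev/null) || return 2
    bad=$(printf '%s\n' "$list" | awk '{
        kx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx != "ECDH" && kx != "DH" && kx != "any") print $1
    }')
    if [ -n "$bad" ]; then
        printf 'suites without forward secrecy:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (the cipher string is an assumed ECDHE-first list, not the post's):
#   check_forward_secrecy 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256' \
#       && echo "all suites offer forward secrecy"
```

The check only covers what the server is willing to negotiate; whether a given client actually ends up on an ephemeral suite still depends on the server preferring its own cipher order, which is what the SSL Labs test reports per client.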