Vasos Koupparis

Full Stack Web Developer – Devops Engineer

How to share a git stash with another developer or yourself to another machine

Creating the stash as a patch

The following git command will create a patch file that contains all the differences represented by the set of changes in the stash.

$ git stash show "stash@{0}" -p > changes.patch

The “stash@{0}” is the ref of the stash.

If you want a different one, run $ git stash list to see your list of stashes and pick the one you want to export as a patch.

Applying the patch

Transfer/Send the patch file generated from one machine to the other and drop it into the root of your project directory.

Then the following command will do all the magic!!! KEEP ON HACKING!

$ git apply changes.patch

Reversing the patch

$ git apply changes.patch --reverse

Για ‘σένανε μιλώ, Άγιε μου Αμβρόσιε – For you I speak, My Saint Ambrosius

Μια φορά και ένα καιρό,
σε ένα όμορφο χωριό, Αύγουστο καιρό,
οι κάτοικοι του εκδιωχθήκαν,
και οι ξένοι κατοικήσαν.

Για ‘σένανε μιλώ, Άγιε μου Αμβρόσιε,
με τα χρυσά σου μήλα,
που ποτέ μου δεν σε γνώρισα,
μα μια φορά σε γεύτηκα.

Τώρα τα χρόνια πέρασαν,
και ακόμα είσαι μόνος,
και τα παιδιά σου χάθηκαν,
στα ξένα έχουν μείνει.

Πληγώθηκες, μαράνθηκες,
γκρεμίστηκες και σβήνεις,
περίμενε όμως, δέν τέλειωσε,
ο εχθρός θα πέσει.

Για ‘σένανε μιλώ, Άγιε μου Αμβρόσιε,
Θα ‘ρθεί η μέρα, βάσταξε,
που θα έρθουν νέοι πίσω,
ας είναι και τα εγγόνια τους,
να σε παρηγορήσουν.

Κοιμήζεις τον παππούλη μου,
μές στο χρυσό σου χώμα,
γι’αυτό και εγώ σ’ευχαριστώ,
και ακόμα θα προσμένω.

Με υπομονή και θέληση,
όλα ξανά θα φτιάξουν,
και τα χρυσά τα μήλα σου,
ξανά θα δείς να ανθίζουν.

Για ‘σένανε μιλώ, Άγιε μου Αμβρόσιε,
Για ‘σένανε παρακαλώ, Άγιε μου Αμβρόσιε,

Κάνε θεούλη μου καλέ, μόνο αυτήν την χάρη,
διώξε τον ξένο, τον οχτρό, τον βάρβαρο, τον κλέφτη,
ολα του τα παιδιά, ήσυχα να επιστρέψουν.
και εγώ θα σε ευγνωμονώ και όλα σου τα τάζω.

————————————————————

Once upon a time,
in a beautiful village, August time,
its inhabitants were expelled,
and the foreigners dwelt.

For you I speak, My Saint Ambrosius,
with your golden apples,
that I never met you,
but once I tasted it.

Now the years have passed,
and you’re still alone,
and your children are gone,
in foreign lands have stayed.

You were hurt, rotten,
you have broken down and gone,
but wait, it is not over,
the enemy will fall.

For you I speak, My Saint Ambrosius,
It will be the day,
who will come young back,
let them be their grandchildren,
to comfort you.

You sleep my grandfather,
in your golden soil,
so I thank you,
and I will still wait.

With patience and will,
they will all again make,
and your golden apples,
you will again see bloom.

For you I speak, My Saint Ambrosius,
For you, please, My Saint Ambrosius,

Make me, good Lord, only this grace,
expelled the stranger, the burglar, the barbarian, the thief,
all his children, quietly returning.
and I will be grateful to you, and my everything I promise you.

Lyrics: Vasos Koupparis



AWS CLI – Getting Started – Install AWS Command Line Interface on Windows, Linux and Mac OS

Step-by-step tutorial of how to download and install AWS CLI on Windows, Linux and Mac OS.

 

The AWS CLI is an open source tool built on top of the AWS SDK for Python that provides commands for interacting with AWS services.

It provides direct access to AWS services’ public APIs, enabling us to write shell scripts to manage our resources (EC2, S3, etc.).

Check out the releases CHANGELOG for more information on the latest release and choose the version that is required for your operating system and your project. If you are just getting started with the AWS CLI, I suggest you get the latest stable release.

Prerequisites

  • Applicable for Linux, macOS
  • Python 2 version 2.6.5+ or Python 3 version 3.3+

Check your Python installation:

$ python --version

If you do not have Python already installed, or you would like to install a different version of Python, do it before you continue.

Install AWS CLI – Windows

You can install the AWS CLI on Windows with a standalone installer. It is supported on Windows XP or later.

NOTE: Repeat the installation process to get the latest version of the AWS CLI.

  1. Download awscli for windows
  2. Run the downloaded setup file

NOTE: The CLI installs to C:\Program Files\Amazon\AWSCLI (64-bit) or C:\Program Files (x86)\Amazon\AWSCLI (32-bit) by default.

Install AWS CLI – Linux

We will use the distribution's default package manager, since awscli is available on most Linux distributions and the installation is straightforward.

$ sudo apt-get -y update
$ sudo apt-get -y upgrade
$ sudo apt-get -y install awscli

Install AWS CLI – Mac OS

The easiest and quickest way to install awscli is using Homebrew.

$ brew install awscli

Verify Install

When you’re done, you should be able to run the aws --version command and get the version information:

$ aws --version
aws-cli/1.15.66 Python/2.7.10 Darwin/17.7.0 botocore/1.10.65

 

Steps to Improve Performance and Security of Nginx Web Server

Introduction

Nginx is one of the most popular and fastest growing open source web servers in the world.
Compared to Apache, it is more resource-friendly, and it can be used as a web server, reverse proxy, load balancer, mail proxy and HTTP cache.

According to Gartner, misconfigurations are the reason for most breaches. It is critical to understand how to provision web servers securely, as this will prevent misconfigurations and potential breaches or outages.

For this guide, we’ll go through several steps to improve Nginx security and performance.

Before we get started, I assume you have an Ubuntu 16.04 server running with nginx installed.
If you do not, then follow this guide: Nginx getting started – Install

I will also provide an easier way to play around with nginx security and performance for the purpose of this guide with Docker (here).

For your convenience, the final configuration file is (here).

Testing Environment

  • Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1066-aws x86_64)
  • Nginx version: nginx/1.10.3

Keep Nginx up to date

$ sudo apt-get -y update
$ sudo apt-get -y upgrade
# upgrade only the nginx package (it must already be installed)
$ sudo apt-get -y install --only-upgrade nginx

If you are using Docker:

 RUN apt-get -y update && apt-get -y upgrade && apt-get -y install --only-upgrade nginx

Remove Unnecessary Modules

WIP

Remove Unnecessary backup files

WIP

Disable server_tokens Directive

Syntax: server_tokens on | off | build | string;
Default: server_tokens on;
Context: http, server, location

This nginx directive enables or disables emitting nginx version on:

  • error pages and
  • in the “Server” response header field.

In order to prevent attacks on our web server caused by known vulnerabilities of our version, we should not share this information with the world.

So, since the default is on, we should set it to off in the http, server or location block.

http {
  include    conf/mime.types;
  index    index.html index.htm index.php;

  default_type application/octet-stream;
  log_format   main '$remote_addr - $remote_user [$time_local]  $status '
    '"$request" $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log   logs/access.log  main;
  sendfile     on;
  tcp_nopush   on;

  # don't send the nginx version number in error pages and Server header
  server_tokens off;

  server { # php/fastcgi
    listen       80;
    server_name  domain1.com www.domain1.com;
    access_log   logs/domain1.access.log  main;
    #server_tokens off;
    root         html;

    location ~ \.php$ {
      fastcgi_pass   127.0.0.1:1025;
      #server_tokens off;
    }
  }
}

NOTE: Restart or reload nginx to apply the changes.

$ sudo nginx -s stop
$ sudo nginx
or
$ sudo nginx -s reload

Deny HTTP User Agents/ Bots

## Deny certain User-Agents (case insensitive)
## The ~* makes it case insensitive as opposed to just a ~
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
    return 403;
}
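# Add/remove agents/bots from the list below depending on your preference
# The map block must be declared in the http context; the if blocks go in a server or location block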
map $http_user_agent $limit_bots {
  default 0;
  ~*(google|Googlebot|bing|yandex|msnbot) 1;
  ~*(AltaVista|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
  ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
  ~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
  ~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
  ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
  ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}

if ($limit_bots = 1) {
  return 403;
}

Setup Monitor Logs

# Format to use in log files
# $remote_addr        The remote host
# $remote_user        The authenticated user (if any)
# $time_local         The time of the access
# $request            The first line of the request
# $status             The status of the request
# $body_bytes_sent    The size of the server's response, in bytes
# $http_referer       The referrer URL, taken from the request's headers
# $http_user_agent    The user agent, taken from the request's headers
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

# Default log file
# (this is only used when you don't override access_log on a server{} level)
access_log /var/log/nginx/nginx.access.log main;
# Default error log file
# (this is only used when you don't override error_log on a server{} level)
error_log /var/log/nginx/nginx.error.log warn;
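
An added example (not part of the original guide) that puts this log format to use: it counts, per client IP, the responses with the status codes this guide's rules return (403, 405 and 444). The function names and every log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise denied requests in an access log written with the
# "main" log_format above. All log lines below are constructed sample data.

# Write a constructed sample log (documentation-range IPs) to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 403 162 "-" "Wget/1.19" "-"
203.0.113.7 - - [12/Mar/2019:10:01:03 +0000] "GET /a.png HTTP/1.1" 403 162 "-" "Wget/1.19" "-"
203.0.113.7 - - [12/Mar/2019:10:01:04 +0000] "DELETE /x HTTP/1.1" 405 166 "-" "Wget/1.19" "-"
198.51.100.9 - - [12/Mar/2019:10:02:00 +0000] "GET / HTTP/1.1" 444 0 "-" "-" "-"
192.0.2.10 - alice [12/Mar/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
192.0.2.10 - alice [12/Mar/2019:10:03:05 +0000] "GET /q?s=\x22403\x22 HTTP/1.1" 200 90 "-" "Mozilla/5.0" "-"
EOF
}

# Print "<count> <ip>" for every client with at least $2 responses of
# 403, 405 or 444, highest count first. $1 is the log file.
denied_by_ip() {
    awk -F'"' -v min="$2" '
        {
            # Splitting on the double quote is safe: nginx logs a literal
            # quote inside a variable as \x22, so quotes only delimit fields.
            split($1, head, " ")    # head[1] is $remote_addr
            split($3, tail, " ")    # tail[1] is $status
            if (tail[1] ~ /^(403|405|444)$/) hits[head[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample: clients with two or more denied requests.
log=$(mktemp)
write_sample_log "$log"
denied_by_ip "$log" 2
rm -f "$log"
```

The last sample line contains the text 403 inside the request itself and is correctly ignored, because only the field after the quoted request is read as the status.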

Prevent Image and other files Hotlinking

# Prevent hotlinking - To prevent people hotlinking to your files. One aspect is security:
# say you have sensitive material that you only want your direct visitors to see.

location ~ \.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$ {
  valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
  if ($invalid_referer) {
    return   403;
  }
}

Avoid Clickjacking Attack

# do not allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

Enable the Cross-site scripting (XSS) filter

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

Disable content-type sniffing on some browsers

# When serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

Mitigating Slow HTTP DoS Attack – Limit the Number of Connections by IP

## Reset lingering timed out connections, freeing ram. Deflect DDoS.
reset_timedout_connection on;

# Defines the shared memory zone used to limit the number of connections per
# defined key, in this case the number of connections from a single IP address
# 1m can handle 32000 sessions with 32 bytes/session, set to 10m x 32000 session
limit_conn_zone $binary_remote_addr zone=perip:10m;

# Maximum number of simultaneous connections per key, i.e. this
# restricts the number of connections from a single IP address
limit_conn perip 10;

Buffer Overflow Protection Set Buffer Size Limitations

## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size       1K;
client_header_buffer_size     1k;
client_max_body_size          4g;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

Allow Access To Specified Domain Only

## Only requests to our Host are allowed i.e. yourdomain.com
if ($host !~ ^(www\.yourdomain\.com|api\.yourdomain\.com)$ ) {
    return 444;
}

Limit IP clients access

Deny or allow a single IP:

deny 1.2.3.4;
# or
allow 1.2.3.4;

Deny or allow IP range:

deny 1.2.3.0/24;
# or
allow 1.2.3.0/24;

Deny All:

deny all;

Combined for specific location(admin area):

location ^~ /admin {
    # rules are checked in order until the first match,
    # so the allow rules must come before deny all
    allow 1.2.3.4; # home ip address
    allow 9.8.7.6; # office ip address
    deny all;
}

Disable Unwanted HTTP Methods

add_header Allow "GET, POST, HEAD" always;
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
    return 405;
}

SSL/TLS Configuration – Lets Encrypt

WIP

Disable SSL and only Enable TLS

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Disable weak cipher suites

# strong cipher suites only; for legacy clients (IE6/WinXP) use the list further down
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# means that the server will prefer to use ciphers specified in the ssl_ciphers
# directive over the ciphers preferred by clients.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

For backwards compatibility (IE6/WinXP) use:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Enable OCSP Stapling

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

ssl_trusted_certificate /etc/letsencrypt/domain/live/chain.pem;

Redirect HTTP traffic to HTTPS

# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
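
A check for the response headers configured in this guide, as an added example that is not part of the original article. It reads raw response headers (the output of curl -sI) and reports a version leak or any missing header; the function names and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit raw response headers against the headers this guide sets.
# The sample responses below are constructed, not captured from a real server.

# Constructed sample: stock nginx, none of the guide's directives applied.
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: HTTPS response after applying the guide's directives.
sample_hardened() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n\r\n'
}

# Reads response headers on stdin and prints one finding per line.
# Returns 0 when nothing is flagged and 1 otherwise.
audit_headers() {
    hdrs=$(tr -d '\r')      # HTTP header lines end in CRLF; drop the CR
    findings=""
    # With server_tokens off the header is just "Server: nginx"
    if printf '%s\n' "$hdrs" | grep -Eiq '^server:[[:space:]]*nginx/[0-9]'; then
        findings="${findings}version-leak: Server header exposes the nginx version
"
    fi
    # Header names are case-insensitive, hence grep -i
    for name in X-Frame-Options X-XSS-Protection X-Content-Type-Options \
                Strict-Transport-Security; do
        if ! printf '%s\n' "$hdrs" | grep -iq "^${name}:"; then
            findings="${findings}missing: ${name}
"
        fi
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Demo on the constructed samples.
echo "default response:"
sample_default | audit_headers || true
echo "hardened response:"
sample_hardened | audit_headers && echo "no findings"

# Against a live server (hostname is a placeholder):
#   curl -sI https://www.yourdomain.com/ | audit_headers
```

Run it against the HTTPS site and against an error page as well: without the always parameter, add_header only applies to successful and redirect responses, and an add_header inside a location block replaces the ones inherited from the http or server level.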

Implement Mod Security WAF

WIP

Nginx – Getting Started – Install Nginx on Windows, Linux and Mac OS

Step-by-step tutorial of how to download and install Nginx on Windows, Linux and Mac OS.

 

Nginx is one of the most popular and fastest growing open source web servers in the world.

Compared to Apache, it is more resource-friendly, and it can be used as a web server, reverse proxy, load balancer, mail proxy and HTTP cache.

Nginx is distributed as a package for all supported platforms and architectures and must first be installed on your machine.

Check out the releases CHANGELOG for more information on the latest release and choose the version that is required for your operating system and your project. If you are just getting started with Nginx, I suggest you get the latest stable release.

Download Nginx

You can download a version of Nginx from the downloads service.

Install Nginx – Windows

  1. Download nginx for windows 
    • Note: Nginx is packaged as a zip archive, so after downloading Nginx, unzip the package. Nginx runs as nginx.exe.
  2. Copy files from the zip to “c:\nginx” for example. That’s our nginx PATH.
  3. The final step is to make sure that the nginx.exe is available on the PATH.

General Information

  • The PATH is the system variable that your operating system uses to locate needed executables from the command line or Terminal window.
  • The PATH system variable can be set using System Utility in control panel on Windows, or in your shell’s startup file on Linux.

Windows 10 and Windows 8

  1. In Search, search for and then select: System (Control Panel)
  2. Click the System and Security link.
  3. Click the System link.
  4. Click the Advanced system settings link.
  5. Click Environment Variables. In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
  6. In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of nginx path ex.”c:\nginx\nginx.exe;” . Click OK. Close all remaining windows by clicking OK.
  7. Reopen Command prompt window, and run nginx.

Windows 7

  1. From the desktop, right click the Computer icon.
  2. Choose Properties from the context menu.
  3. Click the Advanced system settings link.
  4. Click Environment Variables. In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
  5. In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of nginx path ex.”c:\nginx\nginx.exe;” . Click OK. Close all remaining windows by clicking OK.
  6. Reopen Command prompt window, and run nginx.

Windows XP

  1. Select Start, select Control Panel. double click System, and select the Advanced tab.
  2. Click Environment Variables. In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
  3. In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of nginx path ex.”c:\nginx\nginx.exe;” . Click OK. Close all remaining windows by clicking OK.
  4. Reopen Command prompt window, and run nginx.

Install Nginx – Linux

Nginx is available pre-compiled on these Linux distributions and the installation is straightforward.

$ sudo apt-get -y update
$ sudo apt-get -y upgrade
$ sudo apt-get -y install nginx

I will cover how to compile and install manually in a separate article.

Install Nginx – Mac OS

The easiest and quickest way to install Nginx is using Homebrew.

$ brew install nginx

Verify Install

When you’re done, you should be able to run the nginx -h command and get the usage information:

Visit http://localhost:8080


 

Terraform – Getting Started – Install Terraform on Windows, Linux and Mac OS

Step-by-step tutorial of how to download and install Terraform on Windows, Linux and Mac OS.

 

Terraform is distributed as a binary package for all supported platforms and architectures and must first be installed on your machine.

Check out the releases CHANGELOG for more information on the latest release and choose the version that is required for your operating system and your project. If you are just getting started with Terraform, I suggest you get the latest release.

Download Terraform

You can  download a version of Terraform from the releases service.

Install Terraform – Windows

  1. Download terraform for windows 
    • Note: Terraform is packaged as a zip archive, so after downloading Terraform, unzip the package. Terraform runs as a single binary named terraform. Any other files in the package can be safely removed and Terraform will still function
  2. Copy files from the zip to “c:\terraform” for example. That’s our terraform PATH.
  3. The final step is to make sure that the terraform binary is available on the PATH.

General Information

  • The PATH is the system variable that your operating system uses to locate needed executables from the command line or Terminal window.
  • The PATH system variable can be set using System Utility in control panel on Windows, or in your shell’s startup file on Linux.

Windows 10 and Windows 8

  • In Search, search for and then select: System (Control Panel)

  • Click the Advanced system settings link.

  • Click Environment Variables.

  • In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.

  • In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of terraform path ex.”c:\terraform;” .

  • Click OK. Close all remaining windows by clicking OK.
  • Reopen Command prompt window, and run terraform.

Windows 7

  1. From the desktop, right click the Computer icon.
  2. Choose Properties from the context menu.
  3. Click the Advanced system settings link.
  4. Click Environment Variables. In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
  5. In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of terraform path ex.”c:\terraform;” . Click OK. Close all remaining windows by clicking OK.
  6. Reopen Command prompt window, and run terraform.

Windows XP

  1. Select Start, select Control Panel. double click System, and select the Advanced tab.
  2. Click Environment Variables. In the section System Variables, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
  3. In the Edit System Variable (or New System Variable) window, append at the end of the PATH environment variable the value of terraform path ex.”c:\terraform;” . Click OK. Close all remaining windows by clicking OK.
  4. Reopen Command prompt window, and run terraform.

Install Terraform – Linux

  1. Download terraform for linux 

    • Note: Terraform is packaged as a zip archive, so after downloading Terraform, unzip the package. Terraform runs as a single binary named terraform. Any other files in the package can be safely removed and Terraform will still function
  2. Install unzip
  3. Unzip and set path.

Install Terraform – Mac OS

The easiest and quickest way to install Terraform is using Homebrew.

Or manually, if the latest version is not ideal for your needs.

  1. Download terraform for macos
    • Note: Terraform is packaged as a zip archive, so after downloading Terraform, unzip the package. Terraform runs as a single binary named terraform. Any other files in the package can be safely removed and Terraform will still function
  2. Extract files from the zip to “$HOME/Downloads/terraform” for example.
  3. The final step is to make sure that the terraform binary is available on the PATH.
  4. Copy binary to a place in the path such as /usr/local/bin/terraform

Verify Install

When you’re done, you should be able to run the terraform command and get the usage information: