Webserver upgrade

I just upgraded the server that hosts this website and made various improvements. In particular, I upgraded from Ubuntu 14.04, whose support ended in April 2019, to Ubuntu 18.04. This upgrade was long overdue because the old version started to become a security risk. While I doubt that in the few months that passed since the security patches stopped, any severe vulnerabilities in sshd or Apache were found, it is good to know that the server is on a supported version again. The old Ubuntu version also caused compatibility and software deployment problems and blocked progress on various projects. I threw out the old server completely and replaced it with a new server and a clean Ubuntu 18.04 LAMP installation. I never do distro upgrades because they tend to break a lot of things. In fact, I used to do distro upgrades and I've never managed to have a properly working Linux at the end of the "upgrade". That was ten years ago though. Maybe things improved in the meantime, but I still like having a clean slate again.

Additionally, I finally enabled full IPv6 support. I created the DNS AAAA records and enabled IPv6 on the system. This change, too, was long overdue. IPv6 is not new technology and should be considered the standard internet protocol nowadays.

Speaking of technologies that aren't new and should be in use for years already, I finally set up HTTPS support. My website will now be exclusively available via HTTPS. Back when Let's Encrypt was created, which coincided roughly with the creation of this website, it was still quite tedious to get a certificate and set everything up. Not anymore! The helpful utility certbot makes it much easier. There weren't any issues apart from the fact that the guide I was following recommended blocking port 80 after HTTPS (which uses port 443) is set up. That was very bad advice because the standard Let's Encrypt certificate renewal mechanism uses HTTP on port 80. You will be unable to renew your certificate, and your website will become unreachable in exactly 90 days, which is the certificate validity period of certificates issued by Let's Encrypt. Luckily, certbot has a certificate renewal dry run mode (--dry-run) to test renewal, which revealed this problem right away.
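The failure described above can also be caught statically, before the 90 days run out. The following is an added example, not code from this website: a small Python check that reads a certbot renewal configuration and `ufw status` output and reports whether an HTTP-01 renewal would be blocked, for IPv4 and, because the site now has AAAA records, for IPv6. It assumes the firewall is ufw with rules written by port number; the sample inputs are constructed.

```python
import configparser

# Assumption: these certbot authenticators answer the HTTP-01 challenge on port 80.
HTTP01_AUTHENTICATORS = {"apache", "nginx", "webroot", "standalone"}

def uses_http01(renewal_conf):
    """True if a certbot renewal config relies on an HTTP-01 authenticator."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files begin with section-less keys, so prepend a dummy section.
    parser.read_string("[top]\n" + renewal_conf)
    auth = parser.get("renewalparams", "authenticator", fallback="")
    return auth.strip().lower() in HTTP01_AUTHENTICATORS

def port80_allowed(ufw_status, v6=False):
    """True if `ufw status` output lets inbound TCP 80 through (IPv4 or IPv6)."""
    if "status: inactive" in ufw_status.lower():
        return True  # firewall disabled, nothing filters port 80
    for line in ufw_status.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("80", "80/tcp"):
            continue
        is_v6 = fields[1] == "(v6)"  # IPv6 rules carry a "(v6)" marker
        if is_v6 == v6:
            return fields[2 if is_v6 else 1] in ("ALLOW", "LIMIT")  # first match decides
    return False  # no rule: assume ufw's default-deny for incoming traffic

def renewal_at_risk(renewal_conf, ufw_status, has_aaaa=False):
    """List the reasons an HTTP-01 renewal would fail; empty list if none."""
    if not uses_http01(renewal_conf):
        return []
    problems = []
    if not port80_allowed(ufw_status):
        problems.append("port 80 blocked for IPv4")
    if has_aaaa and not port80_allowed(ufw_status, v6=True):
        problems.append("port 80 blocked for IPv6")
    return problems

# Constructed sample inputs, not taken from the original post.
SAMPLE_RENEWAL_CONF = """\
version = 0.31.0
[renewalparams]
authenticator = apache
"""
SAMPLE_UFW_STATUS = """\
Status: active
To                         Action      From
443/tcp                    ALLOW       Anywhere
80/tcp                     DENY        Anywhere
"""
```

Calling `renewal_at_risk(SAMPLE_RENEWAL_CONF, SAMPLE_UFW_STATUS, has_aaaa=True)` reports both address families as blocked. The certbot dry run remains the authoritative test, since it exercises the real validation path.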

Back when my website was hosting two blog posts, I thought that I don't really need HTTPS to serve my content. Plain text is easy and simple and the website is just an archive for myself anyway. After all, I had fewer readers than fingers. On one hand. Excluding the thumb and the pinky. I have no clue how many readers I have right now because most of the page views come from bots, mainly search engines and crawlers. However, in the meantime, I was contacted by kind and interesting people through my website, and I'm very happy about that. Frankly, I didn't expect to get any responses at all.

When I started putting executable files for download on my website, my justification for not using HTTPS was no longer valid: You shouldn't serve executables without at least authentication. Now I'm hosting various Tampermonkey / Greasemonkey scripts too and these mustn't be tampered with on the way to the user. So it's good that I can finally tick enabling HTTPS off on my todo list, which is longer than I'd like it to be.

For the users of my Tampermonkey / Greasemonkey scripts: It is highly recommended to reinstall the scripts via HTTPS to have a secure channel to apply future script updates through. Either way, your scripts will continue to work and during script updates, old HTTP links will be redirected to secure HTTPS links. If you take no action, the script itself will still be transferred via HTTPS after the redirection, so your security will still be enhanced.

I also reworked some of the PHP code that runs this website. As you might know, the entirety of this website, including the blog engine, is written by me for fun. The code has aged surprisingly well, which is something I can rarely say about code I read and write. The stability and maturity of the PHP environment helped a lot. Also, the lean and minimalist design of the website has paid off and I learned that good comments are incredibly valuable for understanding the code again after a few years.

All the changes I mentioned here are largely invisible to the users of this website. However, this was important maintenance work. Sometimes I wonder if it's worth the time. I could just use a service that does everything for me and slap WordPress on it. But where's the fun in that? I feel like I can't express myself freely when everything's just a template to be filled in. Besides, the server keeps me on my toes when it comes to web technology and Linux environments.
