Nginx as origin for S3 with authentication, with CDN on top

We recently had a small problem with our content delivery system. The setup is as follows:

– AWS S3 bucket that requires authentication
– EC2 instance, running Nginx with ngx_aws_auth
– ELB load balancer in front of the EC2 instance
– CDN configured to use the ELB as the origin

The problem was that the content could be loaded directly from Nginx, or from the load balancer, but when trying to load the content through the CDN, we’d get an AWS error message about a mismatching signature:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your key and signing method.
</Message>
<AWSAccessKeyId>REDACTED</AWSAccessKeyId>
<StringToSign>
GET x-amz-date:Tue, 05 Apr 2016 12:15:35 GMT /REDACTED_URL_TO_ASSET
</StringToSign>
<SignatureProvided>xHLCuT9r7sAUbONvHaDeWDigCGs=</SignatureProvided>
<StringToSignBytes>
REDACTED
</StringToSignBytes>
<RequestId>AACF04EB41AB61DC</RequestId>
<HostId>
REDACTED
</HostId>
</Error>

Nginx: Reject request if header is not present

It was surprisingly difficult to find a full working example of this, so here’s my take on “How to make Nginx require that a certain header is present with a certain value in the incoming request”:

nginx.conf:

http {
  # Map the X-MyCustomHeader request header ($http_x_mycustomheader) to a flag:
  # any value other than MyApprovedValue, including a missing header, yields "1".
  map $http_x_mycustomheader $is_mycustomheader_not_ok {
      default "1";
      MyApprovedValue "0";
  }

  ...
}

mysite.conf:

server {
  ...
    location / {
      # nginx treats "" and "0" as false, so only the "1" (not approved) case is rejected
      if ($is_mycustomheader_not_ok) {
        return 403;
      }
    }
  ...
}

To allow requests that contain the header with any value except an empty value, all you need is:

mysite.conf:

server {
  ...
    location / {
      # $http_x_mycustomheader is "" both when the header is missing and when it is empty
      if ($http_x_mycustomheader = "") {
        return 403;
      }
    }
  ...
}

I don’t know how to accept requests where the header is set to any value including an empty value. If anyone has an example, please leave a comment.
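The checks above sit inside a single location block, so other location blocks in the same server would not enforce them. The following added configuration example (not from the original post) hoists the check to the server level so every location is covered; it assumes the header is named X-MyCustomHeader as in the post, a backend at 127.0.0.1:8080, and a second, hypothetical accepted value pattern added for illustration:

```nginx
http {
    # $http_x_mycustomheader is nginx's variable for the request header
    # X-MyCustomHeader (name lowercased, dashes replaced by underscores).
    # The map yields "1" (reject) unless the value is on the allow list.
    # The second pattern is hypothetical and only shows regex matching.
    map $http_x_mycustomheader $is_mycustomheader_not_ok {
        default                    "1";
        "MyApprovedValue"          "0";  # exact match
        "~^AlsoApproved-[0-9]+$"   "0";  # case-sensitive regex, e.g. AlsoApproved-42
    }

    server {
        listen 80;
        server_name example.com;  # assumed

        # An "if" in the server context runs for every request, whereas an
        # "if" inside "location /" leaves other location blocks (such as
        # /api/ below) unprotected.
        # nginx evaluates "" and "0" as false, so "0" lets the request through.
        if ($is_mycustomheader_not_ok) {
            return 403;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;  # assumed backend
        }

        location /api/ {
            proxy_pass http://127.0.0.1:8080;  # also covered by the check above
        }
    }
}
```

Check the result with `nginx -t` before reloading, and send one request without the header and one with a wrong value to confirm both receive 403.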

Obi-Wan Kenobi’s flashlightsaber

I happened to find this 3D-printable model of Obi-Wan Kenobi’s lightsaber, so I decided to see if my 3D printer and I were up to the task. There’s also an article about designing the lightsaber model on the Ultimaker blog.

Inns and Cathedrals added to the tile counter

The Carcassonne tile counter I made a year ago has now been extended with tiles from the Inns and Cathedrals extension: Tile counter incl. Inns and Cathedrals.

Wooden Tsuro tiles

Well, plywood, really. With printed paper glued on top to make the paths. What I actually want is a set of tiles where the paths and the background are made of different coloured wood veneer, but that would require investing in some new tools and spending a lot of time cutting the pieces. So, for now, I’ll settle for the plywood tiles so I can start playing.

Making the tiles

I started with a piece of cheap hardware-store-grade 6.5 mm plywood, which I cut into 44 mm squares.

The number of uses of the word “fuck” in Tim Minchin’s “The Pope Song”

This is a breakdown of how many times Tim Minchin uses the word “fuck” or some derivative thereof during the performance of “The Pope Song”, as performed in the Royal Albert Hall with The Heritage Orchestra.

The lyrics have 454 words in total.

“motherfucker” is used 42 times (9%)
“motherfucking” is used 11 times (2%)
“fucker” is used 4 times, 3 of which are part of “kiddie fucker”
“fucking” is used 17 times (4%)
“fuck” by itself is used 33 times (7%)

Other words comprise 76% of the words in the song (347).

Carcassonne tile counter

While playing Carcassonne this Christmas, the discussion turned towards optimal playing, and how that would require memorizing the distribution of different tiles in the deck, as well as keeping in mind which tiles have already been played. We thought that making decisions based on knowing what’s left in the deck, instead of guessing, would make for a more interesting game. But, since we didn’t feel like memorizing all the cards, we figured it would be easier to just keep a list of which cards have been played and which ones were still available.

I created a simple web page that can be used as such a list for the base game of Carcassonne: Carcassonne tile counter.

WordPress 4.0 not vulnerable

Related to my previous post, I emailed WordPress lead developers about the vulnerability, and got this response from Andrew Nacin:

We’re aware of the report and have been investigating. If you are running the latest version of WordPress (4.0), you have nothing to worry about.

EDIT 2014-11-21: WordPress 4.0.1 is out, with several security fixes unrelated to the major vulnerability discovered by klikki.fi. There are also security releases in the 3.x series.

Comments disabled due to WordPress vulnerability

UPDATE 2014-11-10: WP 4.0 is not vulnerable.

The commenting feature on this blog has been temporarily disabled (using the Disable Comments plugin) due to a vulnerability apparently discovered in all current versions of WordPress. The details of the vulnerability have not been published yet, but WordPress will publish fixed versions in the next few days.

I’m not certain disabling the comments will fully fix the vulnerability since no details have been published, but disabling commenting on all WordPress sites is something I’d recommend to everyone, just in case.

More information about the vulnerability in Finnish:
https://www.viestintavirasto.fi/tietoturva/tietoturvanyt/2014/11/ttn201411041006.html
http://klikki.fi/adv/wordpress_ennakko-fi.html

EDIT: There are rumours that the vulnerabilities are even worse. In order to prepare for that, I’ve now disabled write access to the database from my blog user, and removed write access to the file system as well, until more actual information is available. I’ve also wrapped an extra layer of tinfoil around my head.

OS X 10.10 Yosemite phones home

After OS X 10.10 Yosemite came out, a lot of people noticed the OS sending private information to Apple’s servers without the user’s consent. I haven’t updated to Yosemite yet, and I might not update at all, largely because of such disturbing findings. Apple has released a statement saying “we take privacy seriously”, but sending my data anywhere should be my decision to make, not Apple’s.

In case I do decide to update to Yosemite later, I’ve compiled here all the settings changes that I need to do first thing after the update:

Disabling Continuity

“Continuity” is the name of the feature that allows you to continue working on the same files even though you switch devices. Unfortunately, this means that pretty much all your data and files (including ones you didn’t save!) need to be sent to Apple.

If you do not want files to be automatically sent to Apple’s iCloud servers, turn the feature off using the following method:

Click on the Apple icon (top-left of your screen),
Select System Preferences,
Click on iCloud, and
Deselect the “Documents & Data” checkbox.
You can continue to upload and download documents to iCloud using Apple’s iWork for iCloud apps. But your edited and unsaved documents will no longer be saved to iCloud, and you will lose automatic access to them on iOS 8 devices.
(http://www.ibtimes.co.uk/apple-mac-os-x-yosemite-secretly-uploading-private-data-icloud-servers-1471901)

Disabling Spotlight suggestions

By default, all your searches done through Finder and Safari are sent to Apple and/or Bing in order to give you autocomplete functionality in the search.

Luckily, Yosemite’s search-snooping can be switched off in seconds. In Mac OS X’s System Preferences, the functions can be found under “Spotlight” and then “Search Results.” From there you need to disable “Spotlight Suggestions,” “Bookmarks and History,” and “Bing Web Searches.” If you use Safari you will then need to disable the same “Spotlight Suggestions” function in the browser (under “Preferences” and then “Search”) to avoid having terms you type into its address bar shared with Apple by default too.
(http://www.wired.com/2014/10/how-to-fix-os-x-yosemite-search/)

Disabling sending location data

OS X sends real time “anonymous” location data to Apple.

To stop the sending of the location data to Apple, you need to disable Location Services.

Open System Preferences
Click on Security
Under the General tab
Click the Unlock button in the corner and enter your Admin password
Select the checkbox next to “Disable Location Services”
Close System Preferences
(http://osxdaily.com/2010/09/20/disable-the-sending-of-location-services-data-to-apple-from-a-mac/)

These are the ones I’ve found on the web so far. If you know of more things that Yosemite phones home about, please leave a comment below.