Regex lookahead

Regex is one of the things that I’ve always regret I didn’t learn earlier. Yes it’s complicated, but without a doubt it is worth it. There is one syntax I didn’t know yet. The lookahead

[^a]*

Match everything until you find the letter a. The a itself is not included. Should be handy to parse url’s and such

reapplying a reverted commit

So I made a booboo and already pushed a merge commit.
The merged branch had a few commits that where not ready for develop.
After reverting the merge one commit needed to be reapplied.
But a merge wont work, because it already is merged (and reverted).
What you can do is a cherry pick.

How I created the problem

git merge branch
git push origin develop

Here there was no way back, accept rebasing but that’s also not very easy.

How I solved it.

git revert eaf8c471 -m2
git cherry-pick fa9a6b0

Cherry pick just straight up applies the changes made in the files.
Where a merge applies the git changes.

Keep in mind this will only help if you need a handfull of commits reapplied. Otherwise you will need to find an otherway.
Or cherry pick a lot…

Setup Letsencrypt SSL on raspberry pi

I love letsencrypt. It’s free SSL, it’s saver because of the auto-renewal and it’s so easy to setup. No more emailing around validating company name and whatnot.

If you’ve followed the previous steps you would not have installed git, check with git --version When it gives an error install git first with sudo apt-get install -y git

Now get the letsencrypt software and prepare the folder which letsencrypt will use.

sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
sudo mkdir /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt

Add the first part of the letsencrypt config to nginx sudo nano /etc/nginx/sites-enabled/example.com
Before the final } add this:

location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
}

And reload nginx sudo nginx -t && sudo service nginx reload

Getting the ssl certificate

So now we can generate and validate the ssl certificates. With the command below.
The email-address is used only for checks and warnings so I recommend an email which you do check. And of course change the domain. We will get a certificate for both www and non-www domain.

sudo /opt/letsencrypt/certbot-auto certonly -a webroot --webroot-path=/var/www/letsencrypt/ --rsa-key-size=4096 -m letsencrypt@example.com -d example.com -d www.example.com

When running this the first time It might take a long time, just be patient. When it is done we add the certificates to the nginx configuration: sudo nano /etc/nginx/sites-enabled/example.com

listen 443 ssl default_server;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

sudo service nginx reload

Test if ssl is working on both www and non-www. If it’s working then the next step is forcing ssl all the time.

replace:

server {
    listen 80;
    server_name example.com www.example.com;

And replace it with:

server {
    listen      80;
    server_name home.janw.me www.home.janw.me;
    rewrite     ^   https://$server_name$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name home.janw.me www.home.janw.me;

    ssl_certificate /etc/letsencrypt/live/home.janw.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.janw.me/privkey.pem;

As usual reload sudo nginx -t && sudo service nginx reload

Autorenewel

certbot renew

https://caatest.co.uk/home.jwon.nl
https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

Installing Mysql/MariaDB on a Rapsberry Pi

Here we will install MariaDB. The performance is better and it’s more open source. There are a few differences but nothing you will notice during normal daily use.

Installing mariadb:

sudo apt-get install -y mariadb-server-10.0

Alternative if you don’t want to get out of your comfort zone use mysql:

sudo apt-get install -y mysql-server

During this install you will get asked for a SQL root password. Choose a long secure password. You will need it later to make a database so also store it somewhere save.

After it’s done check the version with mysql --version. It should be 10.0.30-MariaDB or higher.

Creating a database and user

To create a database we are going to login to MySQL with the following command.

mysql -uroot -p

It will ask for the mysql password. After that the commandline will be different. We are going to create a database and a user and connect them.

CREATE DATABASE raspimain_db;

Next we create a user, be sure to replace the password!

CREATE USER 'raspimain_user'@'localhost' IDENTIFIED BY '%%SAFE_PASSWORD%%';

Then we need to connect the user to that database.

GRANT ALL PRIVILEGES ON `raspimain_db`.* TO `raspimain_user`@`localhost`;

Next we 2 commands are pretty self explanatory.

FLUSH PRIVILEGES;
EXIT;

To test if it worked login in to mysql with that user.

mysql -u raspimain_user raspimain_db -p

This time use the password you used to create the user. Check if the raspimain_db is in the list of databases.

SHOW DATABASES;

If it is use EXIT; to exit the mysql promt.

Installing Nginx on a Rapsberry Pi

In this step we are going to install a webserver (nginx). For those who are bit familiar with webservers you might wonder why we are not using apache? I myself are far more familiar with Apache but Nginx just has better performance. And on the not that powerful pi that is important.

Install Nxing

Like with php we want a newer version. So again we will use the buster source. It should install 1.13 (although 1.13 is the newest) To install nginx run the command:

sudo apt-get install -y -t buster nginx

Check the version nginx -v it should be version nginx/1.13.3 or higher

To test if it works enter the IP address in the browser. You should see this page. nginx-default-page

If you see an error most likely IPv6 isn’t supported. Open the nginx config file.

sudo nano /etc/nginx/sites-enabled/default

At the top you should see these lines

    listen 80 default_server;
    listen [::]:80 default_server;

Change them to:

    listen 80 default_server;
    #listen [::]:80 default_server;

Save then restart nginx.

sudo nginx -t && sudo service nginx reload

Then test the page again in the browser.

Setting up a site with php and url

First we will do some global settings open: sudo nano /etc/nginx/nginx.conf
At this part add the last line.

http {

        ##
        # Basic Settings
        ##

        client_max_body_size 64M;

Next open: sudo nano /etc/nginx/sites-enabled/default
Add at the end

upstream php {
    server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}

Note: for the example I use example.com replace that with the url you want to use. If you don’t have the url setup yet you can add it to you own host file. Or instead of the url use the IP-address of the Pi.

We will create our own vhost files. PS I’ll be using example.com but use whatever you intend to use. Create the vhost file: sudo nano /etc/nginx/sites-enabled/example.com.conf

server {
    listen 80;

    server_name example.com;
    root /var/www/example.com/public_html;

    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
}

Next create the folders needed. Set the rights of those files and add a test page.

sudo mkdir /var/www/example.com
sudo mkdir /var/www/example.com/public_html
sudo touch /var/www/example.com/public_html/index.php
sudo chown www-data:www-data /var/www/example.com -R
sudo nginx -t && sudo service nginx reload

In that file add sudo nano /var/www/example.com/public_html/index.php

<?php
phpinfo();

Save and reload the webpage you should see this:

Now we have a basic and functioning webserver with php.
For security sake delete the index.php file

sudo rm /var/www/example.com/public_html/index.php 

Next we will install mysql and configure a database.

Installing PHP7.1 on a Rapsberry Pi

To get a big performance boost we will use PHP 7.1 instead of the older 5.6 which Rasbian still uses by default. But because this is the default we will need to do a few extra tweaks.

In the file sudo nano /etc/apt/sources.list at the end we add:

deb http://mirrordirector.raspbian.org/raspbian/ buster main contrib non-free rpi

After saving create the next file sudo nano /etc/apt/preferences. With the content:

Package: *
Pin: release n=jessie
Pin-Priority: 600

Again save. Make the system aware of this source list with

sudo apt-get update

Now we are ready to install PHP7 with all it’s modules:

sudo apt-get install -y -t buster php7.1-fpm php7.1-curl php7.1-gd php7.1-intl php7.1-mcrypt php7.1-mbstring php7.1-mysql php7.1-opcache php7.1-sqlite3 php7.1-xml php7.1-zip php-apcu

When done check it with php -v it should show a PHP 7.1.8 (or higher).
Now we need to add a few fpm things for nginx to work properly.

sudo nano /etc/php/7.1/fpm/conf.d/90-pi-custom.ini

And add:

cgi.fix_pathinfo=0

upload_max_filesize=64m
post_max_size=64m
max_execution_time=600

Save and next open sudo nano /etc/php/7.0/fpm/pool.d/www.conf Search for $HOSTNAME and change.

;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

remove the ‘;’ at the start

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

request_terminate_timeout

Apply these changes sudo service php7.1-fpm reload

Now PHP is ready to use

RaspberryPi, Only allow ssh key login

This is the followup of Opening a Raspberry Pi to the outside world On the internet bots constantly try to hack servers. The Raspberry Pi is popular target. That’s why by default ssh is disabled nowadays.
To make this more secure we will only allow login by ssh key instead of a password. Ssh keys are a lot safer and you also won’t need to type/paste the password on login.

Open file: sudo nano /etc/ssh/sshd_config

Look for PasswordAuthentication
remove the # at the front and change the value to no.

PasswordAuthentication no

As a fall-back we will allow login in from the home network. So at the bottom of the file add. (the 4 spaces in front of the line matter)

Match address 192.168.*.*
    PasswordAuthentication yes

Restart the ssh service. sudo service ssh restart

ssh keys

Generate keys on the raspberry pi: ssh-keygen -t rsa -b 4096 -C "pi-webserver"
Just press enter for both the location and password.
Add your local key. Form your own machine mac/linux/windows.

Open File: sudo nano .ssh/authorized_keys

Paste your public key in this file.
For linux/mac you can find your public key with: cat ~/.ssh/id_rsa.pub

In a new terminal tab/window, try to login again. This way you can change things in the current tab. If something went wrong. You should login without needing to type the password. To check if the password is disabled you should try login in from a different computer and a different ip.