{"@attributes":{"version":"2.0"},"channel":{"title":"Simone Carletti","description":"Simone Carletti's personal website.","link":"https:\/\/simonecarletti.com\/","item":[{"title":"Mermaid View: first-class Mermaid support for Obsidian","link":"https:\/\/simonecarletti.com\/blog\/2026\/02\/obsidian-mermaid-view\/","guid":"https:\/\/simonecarletti.com\/blog\/2026\/02\/obsidian-mermaid-view\/","description":"I've been using **[Obsidian](https:\/\/obsidian.md\/)** for a couple of years now, and it has become my go-to companion for notes, data tracking, and knowledge management. Before landing on Obsidian, I went through quite the journey of note-taking tools: **Evernote**, then **Notion**, then **Bear**. Each had its strengths, but none felt quite right.\n\nWhat won me over with Obsidian was the philosophy: **all your files, directly accessible, in pure Markdown, without some obscure or proprietary wrapping**. Your notes are just files on disk. You own them. You can open them with any text editor, version them with Git, or move them anywhere. No lock-in, no database, no cloud dependency.\n\nThat journey eventually led me to build [**Mermaid View**](\/projects\/obsidian-mermaid-view\/), an Obsidian plugin that brings first-class Mermaid diagram support to Obsidian. Here's the story behind it.\n\n## More than just Markdown\n\nOn top of the Markdown-centric, file-first approach, Obsidian has a very slick interface and surprisingly advanced capabilities. It supports [Mermaid diagrams](https:\/\/help.obsidian.md\/advanced-syntax#Diagram) natively, has excellent [table editing](https:\/\/help.obsidian.md\/Editing+and+formatting\/Advanced+formatting+syntax#Tables), and [callouts](https:\/\/help.obsidian.md\/Editing+and+formatting\/Callouts) that make structured notes feel polished.\n\nMore recently, [Bases](https:\/\/help.obsidian.md\/bases\/base) have been a game changer. 
They let you query and organize notes like a lightweight database, and I've moved even more data into Markdown files because of it.\n\nWhere Obsidian had limits, I often found a plugin to fill the gap. Ironically, I've never used more than five plugins, a sign that Obsidian already does a lot out of the box. A notable example is [Map View](https:\/\/github.com\/esm7\/obsidian-map-view), which I use often to geolocalize data points on a map.\n\n## The Mermaid gap\n\nThis is where I found a weak spot. [Mermaid](https:\/\/mermaid.js.org\/) is a text-based diagramming language that lets you define charts, flowcharts, sequence diagrams, and more using a simple, readable syntax. No drawing tools, no drag-and-drop; just text that renders into diagrams.\n\nI use Mermaid often to organize my ideas and processes. Sequence diagrams are my most frequent use, but I also reach for flowcharts and other diagram types depending on the task.\n\nObsidian supports Mermaid natively inside Markdown [code blocks](https:\/\/help.obsidian.md\/advanced-syntax#Diagram), but the capabilities are limited. Mermaid code has to be embedded inline within a note. You can't store Mermaid diagrams as separate files, and you can't embed or include them using the standard syntax that works for Canvas, Base, or other Obsidian view types.\n\nFor simple, small diagrams that's fine. But some of my charts are fairly complex, too complex to embed in Markdown. I prefer to version them separately, reference them from multiple notes, and work with them in an environment designed for diagramming rather than prose.\n\n## Enter Mermaid View\n\nI decided to give the [Obsidian Plugin API](https:\/\/docs.obsidian.md\/Plugins\/Getting+started\/Build+a+plugin) a shot and build the tool I wanted. I have to say: the developer extensibility is as good as the experience you have as a user. 
The API is well-documented, the plugin architecture is clean, and the development loop is fast.\n\nThe result is [**Mermaid View**](\/projects\/obsidian-mermaid-view\/), an **Obsidian plugin that treats Mermaid files as first-class citizens**. You can create dedicated `.mermaid` or `.mmd` files and work with them just like any other Obsidian document.\n\n![Preview mode](\/uploads\/obsidian-mermaid-view\/preview-mode.png)\n\n## Key features\n\n**Native file support.** Mermaid files appear in the file explorer with their own type badge. You can create new ones from the right-click context menu, just like Markdown or Canvas files.\n\n![New Mermaid file menu](\/uploads\/obsidian-mermaid-view\/new-mermaid-menu.png)\n\n**Three view modes.** Toggle between Preview, Split, and Source modes depending on your workflow. Preview renders the diagram full-screen. Split shows the editor and a live preview side by side. Source gives you a full-screen code editor with syntax highlighting and line numbers.\n\n![Split mode](\/uploads\/obsidian-mermaid-view\/split-mode.png)\n\n**Pan and zoom.** Large diagrams are easy to navigate with mouse wheel zoom and click-drag panning. Double-click to reset the view.\n\n**Export.** Save your diagrams as SVG or PNG files for use in other applications. PNG export supports configurable background color and scale factor for high-resolution output.\n\n**Embed in notes.** Include diagrams in your notes using standard Obsidian embed syntax: `![[diagram.mermaid]]`. The autocomplete suggests Mermaid files just like any other note, and the diagram renders inline.\n\n![Embedded diagram](\/uploads\/obsidian-mermaid-view\/embed.png)\n\n**Theme support.** The plugin respects your Obsidian theme, rendering diagrams appropriately in both light and dark modes.\n\n![Dark mode](\/uploads\/obsidian-mermaid-view\/dark-mode.png)\n\n## Get it\n\nIf you use Obsidian and work with Mermaid diagrams, give [Mermaid View](\/projects\/obsidian-mermaid-view\/) a try. 
The plugin is open source, available under the MIT license on [GitHub](https:\/\/github.com\/weppos\/obsidian-mermaid-view). Installation instructions are on the [project page](\/projects\/obsidian-mermaid-view\/).","pubDate":"Thu, 05 Feb 2026 00:00:00 GMT","category":["Softwares","obsidian","mermaid"]},{"title":"The Art of Invisibility book","link":"https:\/\/simonecarletti.com\/blog\/2018\/01\/book-art-of-invisibility\/","guid":"https:\/\/simonecarletti.com\/blog\/2018\/01\/book-art-of-invisibility\/","description":"<img src=\"\/uploads\/book-artinvisibility.png\" class=\"entry-logo-icon\">\n\n**The Art of Invisibility** ([US](http:\/\/amzn.to\/2FdZzvF) | [UK](http:\/\/amzn.to\/2ADHjIN) | [IT](http:\/\/amzn.to\/2CQNqPX)) is the latest book of Kevin Mitnick, one of the world's most notorious hackers.\n\nDespite what you may think, this book is not a highly technical book. Not at all. In fact, the Art of Invisibility takes a very informative approach: it documents the thousands of ways that others can spy on your activities, and provides suggestions on how to protect your privacy.\n\nIf you are thinking that you have nothing to hide, then you are the perfect reader of this book. But even if you are a _normal_ person, a _simple user_ of today's digital era, then you really want to take a look at some of the information published in this book.\n\n> You might not have anything to hide, my friend. But you have everything to protect.\n\n<hr class=\"soften clear\">\n\n## The basic good practices\n\nIt's hard to properly describe the importance of the topics discussed in this book without incurring the risk of being considered paranoid. Non-technical people often underestimate the value of their own privacy; they think they have nothing to hide, and being non-geeky makes them a non-attractive target. 
Technical people, instead, quite often underestimate the impact of their digital life.\n\nThis book really touches every aspect of today's life: securing your Wi-Fi and devices, the impact of using a location-enabled device (even your Fitbit or Apple Watch), sending\/receiving emails, using cloud storage, printing private documents (such as your credit score report) perhaps on an office printer, etc.\n\n> A 2012 study sponsored by Xerox and McAfee found that 54 percent of employees say they don't always follow their company's IT security policies, and 51 percent of employees whose workplace has a printer, copier, or multifunction printer say they've copied, scanned, or printed confidential personal information at work. [...]\n>\n> Let's say you, like Adam, also download your credit report at work. You want to print it out, right? So why not send it to the company printer over in the corner? Because if you do, there will be a copy of the PDF file containing your credit history sitting on the hard drive of the printer. You don't control that printer. And after the printer is retired and removed from the office, you don't have control over how that hard drive is disposed of. Some printers are now encrypting their drives, but can you be sure that the printer in your office is encrypted? You can't.\n\nDid you know that even simple actions, such as driving a car, can compromise your privacy?\n\n> In 2011 Alessandro Acquisti, a researcher from Carnegie Mellon University, posed a simple hypothesis: \"I wanted to see if it was possible to go from a face on the street to a Social Security number,\" he said. And he found that it was indeed possible.\n\nI'm quite sure you are aware of how important it is to make sure that your Social Security Number stays private. But even apparently insignificant details like an airplane ticket can disclose important information about us:\n\n> What's in the bar code on the bottom of your plane ticket? What, if anything, might it reveal? 
In truth, relatively little personal information, unless you have a frequent flyer number. [...]\n>\n> However, the most sensitive part of the bar code is your frequent flyer number.\n\nThe book is as scary as enlightening. It's scary to think how many of our habits may actually represent a reasonable risk to our privacy. The following one is an example I often bring to friends who have the common habit of accepting anyone's request on Facebook.\n\n> Be careful whom you friend. If you have met the person face-to-face, fine. Or if the person is a friend of someone you know, maybe. But if you receive an unsolicited request, think carefully. While you can unfriend that person at any point, he or she will nonetheless have a chance to see your entire profile, and a few seconds is all it takes for someone with malicious intent to interfere with your life.\n\nSometimes it's not personal details at risk, but in fact you may be the one responsible for someone else's privacy.\n\n> \"When I get a rental car,\" says David Miller, chief security officer for Covisint, \"the last thing I do is pair my phone. It downloads all my contacts because that's what it wants to do. In most rental cars you can go in and, if somebody's paired with it, see their contacts.\"\n\nLast but not least, the workplace.\n\n> The American Management Association found that 66 percent of employers monitor the Internet use of their employees, 45 percent track employee keystrokes at the computer (noting idle time as potential \u201cbreaks\u201d), and 43 percent monitor the contents of employee e-mail.\n\n## Advanced invisibility\n\nThe book doesn't lack advanced suggestions for those who want to be truly invisible. An entire chapter is dedicated to the art of invisibility, explaining how to hide your identity and achieve anonymity.\n\nThe truth is that the entire book contains plenty of advice you can reuse to remain anonymous on the internet. 
Most of them are real stories, like the one about how Edward Snowden protected his identity during the initial communication with Laura Poitras.\n\n## An interesting, practical read\n\nAll in all, the Art of Invisibility is an interesting, very informative, eye-opening read. It is good to be reminded about the importance of protecting our own privacy. Sometimes, it takes very little effort; it's just a matter of being educated.\n\n> In general, though, we can all learn something about how to minimize our fingerprints in the digital world.\n>\n> We can think before posting that photo with a home address visible in the background. Or before providing a real birth date and other personal information on our social media profiles. Or before browsing the Internet without using the HTTPS Everywhere extension. Or before making confidential calls or sending texts without using an end-to-end encryption tool such as Signal. Or before messaging a doctor through AOL, MSN Messenger, or Google Talk without OTR. Or before sending a confidential e-mail without using PGP or GPG.\n>\n> We can think proactively about our information and realize that even if what we're doing with it feels benign, such as sharing a photograph, forgetting to change default log-ins and passwords, using a work phone for a personal message, or setting up a Facebook account for our kids, we're actually making decisions that carry a lifetime of ramifications. So we need to act.\n>\n> This book is all about staying online while retaining our precious privacy. Everyone, from the most technologically challenged to professional security experts, should make a committed practice of mastering this art, which becomes more essential with each passing day: the art of invisibility.\n\nAll the quotes in this post are taken directly from the book itself. 
I think the content perfectly demonstrates how the book is not intended to turn you into a paranoid person or foster conspiracy theories, but instead increase your awareness of today's digital world.","pubDate":"Sun, 07 Jan 2018 00:00:00 GMT","category":["Security","Books","reviews","security","internet"]},{"title":"How I use StackOverflow","link":"https:\/\/simonecarletti.com\/blog\/2016\/12\/how-i-use-stackoverflow\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/12\/how-i-use-stackoverflow\/","description":"I consider myself an active [StackOverflow](https:\/\/stackoverflow.com\/) user, despite my activity tending to vary depending on my daily workload. I joined StackOverflow in 2009 and, at the time of writing (December 2016), [I have a reputation](https:\/\/stackoverflow.com\/users\/123527\/simone-carletti) of 124k and I'm ranked in the top 300 users.\n\nEvery once in a while programmers ask me questions such as _How can you be so active?_, _Do you really like StackOverflow or are you just doing it to get more visibility?_, _How much time do you spend on SO per day?_. I decided to collect these answers in a post and try to explain _how I use StackOverflow_.\n\n## Is it really worth it?\n\nLet's be honest: (almost) _nobody does something for nothing_. We all make decisions based on expectations, depending on what actions matter the most to us.\n\nHowever, not all of us measure the value of an action in the same way. For some of us the only way to get rewarded is to earn money, whereas for others visibility or success is worth more than money. For certain people welfare is synonymous with wealth and money; for others it's more directly connected to their lifestyle.\n\nThis concept equally applies to another topic very close to programming: open source. I've spoken with a number of people that thought it was not worth working on open source projects because _it doesn't pay your bills_. 
However, if you'd ask me, I'll tell you that working on [open source projects](https:\/\/github.com\/weppos) is what made me a better programmer and it positively contributed to my professional career. Working in open source is probably one of the reasons why I am employed today, and I had the chance to work with great people and be involved in amazing coding adventures.\n\nBut let's go back to StackOverflow. I joined StackOverflow because I saw some value in it. Unlike most new users that join today, I didn't need any help at that time. In fact, I asked my first question several months after I originally signed up.\n\nIn 2009 I was already a quite prolific developer, but my activity was mostly confined to the Italian community. The value I saw in StackOverflow was the opportunity to gain experience, reputation, and visibility in the international community.\n\nThat's why I joined StackOverflow. However, there's more than one reason that kept me answering questions for almost seven years.\n\n\n## Keep my mind trained\n\nKeeping my mind trained is definitely the first reason why I've spent a significant amount of time on StackOverflow.\n\nSome people keep their mind trained by solving crossword puzzles, other people prefer [Sudoku](https:\/\/en.wikipedia.org\/wiki\/Sudoku). Personally, I like to keep my mind trained by solving small programming-related problems in different topics such as algorithms, data mining, and programming languages.\n\nFor this reason, I generally tend to ignore large questions that have a lot of possible implementation variables or involve a lot of layers (like Ruby on Rails-related questions that contain code from views, controllers, and database). 
Instead, I like small, well-defined questions where I can reasonably find an answer in 10 minutes or less.\n\n\n## Improve debugging skills\n\nThe ability to properly debug a piece of software is one of the most valuable skills for a software engineer.\n\nIf debugging your code can be hard, debugging someone else's code is even harder, especially if you don't have physical access to it. The interaction is far more complicated, and you need to guess and ask the minimum amount of appropriate questions to quickly get the information you need.\n\nStackOverflow questions represent an infinite amount of issues to debug. Even picking the right question to spend your time with is a skill that you will learn to master.\n\nSometimes, I even push myself further by trying to debug questions about libraries I don't use, or I don't know. That encourages me to [keep reading other developers' code](\/blog\/2009\/09\/inside-ruby-on-rails-reading-source-code\/). Quick funny story: it happened a couple of times in the past that I was searching for a solution to a problem affecting a particular library I was using, I landed on a StackOverflow question that precisely described my problem, and it was answered with the correct solution. So far, nothing strange, except that the person that provided the solution... was me!\n\n\n## Learn a new language and test your progress\n\nI love learning new programming languages or technologies. I definitely don't use StackOverflow for this task, but instead I rely on books or online resources. However, I found that StackOverflow is a great way to test your progress.\n\nBeing able to answer someone else's questions on a topic you've started to learn a few weeks before is an incredibly rewarding feeling.\n\nAnswering questions on StackOverflow and getting them accepted is not a trivial task these days, given the large number of expert users connected every day. 
Simple questions tend to be answered very quickly in less than a few minutes, sometimes even before you have the time to finish reading it. More complex questions, instead, take more time but these are definitely not the kind of questions you target when you are learning a new topic.\n\nTherefore, being able to pick a question and properly answer it, with the correct solution and in a reasonable amount of time, is a good way to test your progress while learning a new topic.\n\nI personally identified three phases in the learning process:\n\n1. in the first phase, while I'm actively learning, I tend to read simple questions and figure out the response _without actually trying to answer it_.\n1. in the second phase, when I have a reasonable knowledge base, I start to try to answer some simple questions, either by linking them to the correct solution if it already exists, or posting an answer _if I'm confident it's the appropriate one_. I'm not looking for gaining easy +1, therefore I don't answer the question unless I'm truly confident it's an appropriate solution. The second phase is generally the longest one, and it leads to a gradual transition to the third phase.\n1. the third phase is when you've reached a fairly considerable knowledge of the topic and you are potentially able to answer or debug most of the questions that are open on that subject. Of course, reaching this phase takes a lot of time and it may not necessarily be your goal for each possible subject in computer programming.\n\nGenerally, the second phase is what you should aim toward: being able to successfully understand and answer a reasonable percentage of questions on a specific topic, although in most cases you'll come to the right solution at a slower speed than the most skilled developers. 
It's fine; the ability to reduce the response time generally comes with more experience, and it may or may not be a goal.\n\n\n## Customer support\n\nEvery once in a while, someone opens a question that is somehow related to [DNSimple](https:\/\/dnsimple.com\/). In most cases, these questions are about connecting software together or domain registration, where DNSimple is one of the ingredients of the recipe.\n\nWhenever possible, and unless a better answer is already present, I like to jump into the conversation and try to provide an answer. If I don't have the necessary knowledge to answer, I generally ping some other DNSimple team member internally and work with them to prepare an appropriate solution to post.\n\nI am subscribed to the [dnsimple](https:\/\/stackoverflow.com\/questions\/tagged\/dnsimple) tag on [StackOverflow](https:\/\/stackoverflow.com\/), and every once in a while I generally search StackOverflow, [ServerFault](https:\/\/serverfault.com\/) and [Webmasters Stack Exchange](https:\/\/webmasters.stackexchange.com\/) for the `dnsimple` keyword.\n\n\n## Online reputation\n\nIn the last years we've heard a lot about the importance of building an _online reputation_. This is one of the most common selling points that SEM agencies use to motivate companies to invest in online activities.\n\nOnline reputation is equally important for people, especially if your primary area of activity is somehow connected to computers, programming or other subjects with a direct connection to the internet.\n\nStackOverflow is a great way to build an online reputation using the approach [_show, don't tell_](https:\/\/en.wikipedia.org\/wiki\/Show,_don't_tell). By properly answering questions on StackOverflow you demonstrate your experience, instead of pretending to have one (or telling other people that you're good at doing something). 
Of course, it also works the other way around: because questions and answers are public and won't be deleted even after years, you also expose your weaknesses, both in terms of technical and communication skills.\n\nIn the past I've spoken with people who had at least a couple of StackOverflow profiles: a primary one that they used for interactions that could positively influence their online reputation, and a secondary one they used to ask questions that they considered _too dumb_.\n\nRemember, there is no stupid question. Even when the question is simple, what's really important is how you ask it (and whether you properly searched for an appropriate solution, or tried to find one). I personally don't have any problems asking questions that show a lack of knowledge on certain topics. Most of my questions on [dba](http:\/\/dba.stackexchange.com\/) or [vim](http:\/\/vi.stackexchange.com\/) sites are clearly showing that I'm not an expert on those fields, but they also prove my desire to learn and improve.\n\n\n## Online visibility\n\nIf online reputation is directly connected to improving your profile, online visibility is instead directly connected with the amount of exposure you have online.\n\nFor a programmer, GitHub is one of the best places to foster online reputation (as you can provide a link to your open source work when applying for an interview) and online visibility. However, compared to GitHub, StackOverflow is generally more visible on search engines. 
There isn't a single programmer that I know of that hasn't used StackOverflow at least once in their career to solve a problem they faced.\n\nBecause of its very high ranking on search engines, having a popular profile on StackOverflow may positively impact your online visibility either directly as a ranking mechanism, or indirectly because of (popular) questions that you answered and that are actively visible in the search engine results pages.\n\n\n## School of English\n\nI'm not a native English speaker. Writing in English is still hard for me, much harder than writing in Italian, much harder than reading anything in English written by someone else.\n\nStackOverflow represents an excellent opportunity to train my English writing skills because anyone can edit my answers and fix a typo. StackOverflow keeps a history of all the changes, and I can always review other people's contributions to my posts. This is an excellent way for me to learn from my errors.\n\n\n## Conclusion\n\nAnswering questions on StackOverflow is _generally_ a pleasant experience for me, as it has a positive impact on my personal skills and attitude. However, in order to avoid turning the positive experience into a stressful dependence, I don't consider it as a duty or obligation.\n\nI don't set a minimum number of hours, or days. I don't set a minimum amount of daily reputation. I don't feel bad if I skip some days in the \"last seen\" calendar.\n\nI try to balance my daily activities with the online presence on StackOverflow. I generally limit it to 30 minutes or 1h per day, and in most cases while waiting for the test suite to finish, or the deployment to complete.\n\nTo me, contributing to StackOverflow pays back because it helps me to keep my mind trained, it leverages my skills as a software engineer, with the positive side effect of improving my online visibility and reputation. 
All these reasons justify the time I _invested_ answering questions in the last seven years.","pubDate":"Tue, 27 Dec 2016 00:00:00 GMT","category":["Programming","stackoverflow","career","productivity"]},{"title":"9 years of 1Password","link":"https:\/\/simonecarletti.com\/blog\/2016\/11\/1password-9years\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/11\/1password-9years\/","description":"A couple of days ago I was cleaning up my [1Password](https:\/\/1password.com\/) primary vault, and I came across some entries dated 2008. In the software industry, eight years is quite a long period for a software adoption, and a question popped into my head: how long have I been using 1Password for?\n\nIt turns out the answer is 9 years, as the oldest entry I have in my vault was created exactly 9 years ago, on November 2nd 2007.\n\n![](\/uploads\/2016\/1password-oldest-items.png)\n\nI'm a huge fan of 1Password: in these nine years I purchased a new license each time I was asked to upgrade, I purchased separate licenses for all my Apple devices such as iPhone, iPad and Mac, and I even purchased a Windows license back in the day I was still synchronizing some entries with an old virtual machine, when they released their first Windows version.\n\n1Password was one of the first products to bet on cloud sync, and their [Dropbox sync](https:\/\/support.1password.com\/sync-with-dropbox\/) was one of the best features they could ever possibly introduce, second only to the core product itself.\n\nIf I should name five software tools I could not use a device without, 1Password would be on the list, second only to a terminal (such as [iTerm](https:\/\/www.iterm2.com\/)). I could spend hours telling you how awesome 1Password is, but I won't. Instead, I'd like to share with you a few tips that I used over the years to adopt 1Password to my daily business and personal needs.\n\n## Tags can help you to change home or credit card\n\nI recently moved to a new apartment, after 10 years. 
In the last 10 years I gave my home address to hundreds of sites, including:\n\n- my bank\n- airlines\n- ecommerce sites\n\nFor someone with a very intense online presence like me, physically moving your furniture and clothes from one apartment to another is not always the most painful task of changing address. It certainly is, but it's quite easy to accomplish and very easy to check: when the previous apartment is empty, you're done.\n\nInstead, tracing all the places where you added your address in the past is challenging and it may happen that you buy a new TV on Amazon with the 1click Prime feature, you forget to update the address, and the TV is delivered to the old address (true story).\n\nHere's where the tags are very helpful. I have tags for each of my credit cards, addresses, or settings that are critical and I want to keep track of. When a credit card expires, I can easily click on a tag to determine where it was used, and which accounts I have to update.\n\n![](\/uploads\/2016\/1password-tags.png)\n\nAnd because you can also save notes and other documents in 1Password, you can always tag any offline item you want to keep track of.\n\n## Never travel without a passport copy\n\nI'm a frequent traveler. In the last three years I visited more than 10 countries, flew over 100 trips and lost count of the number of times I had to use my passport. Luckily, so far, nothing bad happened.\n\nHowever, I heard stories from friends who got robbed, or lost their passports while on holiday. If it happened to them, there is a chance that at some point it may happen to me too.\n\nI have a copy of each document in encrypted vaults, but I also keep a copy of the most important travel documents encrypted in 1Password. They are generally lower quality copies, useful in case of emergency. 
Likewise, I have important numbers stored as entries in 1Password.\n\n![](\/uploads\/2016\/1password-passport.png)\n\nOne of 1Password's killer features (at least to me) is the ability to attach arbitrary documents to items. They also have a specific Passport item, which is really helpful to store the details of your passports as well as a digital copy of it to use in case of emergency.\n\n## More\n\nOther super useful features include:\n\n- Ability to use notes to store sensitive files that need to be backed up, such as private\/public key pairs (I'd love to have a specific entry type for that), TLS\/SSL certificates, recovery codes, etc.\n\n- Ability to keep track of reward programs, such as fidelity cards (again, you can also attach a digital copy)\n\n- Ability to use the \"duplicate password\" feature to audit your passwords and determine, [in case of breach](https:\/\/haveibeenpwned.com\/), which other services may be compromised and have to be immediately updated. I know, you should not use duplicate passwords, but unfortunately passwords existed way before 1Password was created, and I did not trust my brain enough 10 years ago to generate a different password for each service (although I used some nice trick to ensure there was at least a bit of entropy between most of them).\n\n## Conclusion\n\nI love 1Password, because it's not just a simple password manager. 
Being able to securely store and sync your password is a feature that several tools provide today, including browsers and operating systems (Apple does sync passwords across devices via iCloud).\n\nHowever, 1Password is much more than a simple password manager, and I encourage you to explore (and share) ways to stay secure while simplifying your daily online presence management.","pubDate":"Tue, 08 Nov 2016 00:00:00 GMT","category":"Softwares"},{"title":"Apache redirect www to non-www and HTTP to HTTPS","link":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-http-https-www-apache\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-http-https-www-apache\/","description":"The increasing adoption of HTTPS as the default connection protocol for websites has introduced a few new challenges to developers and system administrators, such as the need to consolidate a canonical domain by [redirecting non-HTTP sites to HTTPS](https:\/\/blog.dnsimple.com\/2016\/08\/https-redirects\/), in addition to redirecting www to non-www hostnames (or vice-versa).\n\n\n## Introduction\n\nHere I show how to redirect a site from www to non-www (or vice versa) and from HTTP to HTTPS, using the Apache server configuration. To be clearer, the configuration will redirect the following hostnames:\n\n```\nhttp:\/\/example.com\nhttp:\/\/www.example.com\nhttps:\/\/example.com\n```\n\nto\n\n```\nhttps:\/\/example.com\n```\n\nI'll also show a small change to redirect the non-www to the www version, if you prefer the www.\n\n\n## Apache Configuration\n\nTo configure the redirects, add the following redirect rule either to the Apache config file if you have access to it, or to the `.htaccess` in the root of your site:\n\n```\nRewriteEngine On\nRewriteCond %{HTTPS} off [OR]\nRewriteCond %{HTTP_HOST} ^www\\. 
[NC]\nRewriteCond %{HTTP_HOST} ^(?:www\\.)?(.+)$ [NC]\nRewriteRule ^ https:\/\/%1%{REQUEST_URI} [L,NE,R=301]\n```\n\nIf instead of `example.com` you want the default URL to be `www.example.com`, then simply change the third and the fifth lines:\n\n```\nRewriteEngine On\nRewriteCond %{HTTPS} off [OR]\nRewriteCond %{HTTP_HOST} !^www\\. [NC]\nRewriteCond %{HTTP_HOST} ^(?:www\\.)?(.+)$ [NC]\nRewriteRule ^ https:\/\/www.%1%{REQUEST_URI} [L,NE,R=301]\n```\n\n\n## How it works\n\nSince I'm not a huge fan of cut-and-paste tutorials, let's try to understand how the configuration works. That will help you make the necessary modifications, if needed.\n\n```\nRewriteEngine On\n```\n\nThe first line enables the Apache [runtime rewriting engine](http:\/\/httpd.apache.org\/docs\/current\/mod\/mod_rewrite.html#rewriteengine), required to perform the redirect. You may have already enabled it in a previous config in the same file. If that's the case, you can skip that line.\n\n```\nRewriteCond %{HTTPS} off [OR]\nRewriteCond %{HTTP_HOST} !^www\\. [NC]\n```\n\nThese two lines are the redirect conditions; they are used to determine if the request should be redirected. Because the conditions are joined with an [OR], if either of the two conditions is true, Apache will execute the rewrite rule (the redirect).\n\nThe first condition determines if the request is using a non-HTTPS URL. The second condition determines if the request is not using the `www` URL (the leading `!` negates the pattern; this is the variant that redirects to `www.example.com`). Notice that I used `www\\.` and not `www.`, because the pattern is a [regular expression](http:\/\/www.regular-expressions.info\/) and the `.` dot has a special meaning here, hence it must be escaped.\n\n```\nRewriteCond %{HTTP_HOST} ^(?:www\\.)?(.+)$ [NC]\n```\n\nThe fourth line is a convenient line I used to avoid referencing the hostname directly in the URL. It matches the HOST of the incoming request, and decomposes it into the `www` part (if any), and the rest of the hostname. 
We'll reference it later with `%1` in the `RewriteRule`.\n\nIf you know the hostname in advance, you may improve the rule by inlining the URL and skipping this condition (see later).\n\n```\nRewriteRule ^ https:\/\/www.%1%{REQUEST_URI} [L,NE,R=301]\n```\n\nThe [`RewriteRule`](http:\/\/httpd.apache.org\/docs\/current\/mod\/mod_rewrite.html#rewriterule) is the heart of the redirect. With this line we tell Apache to redirect any request to a new URL, composed of:\n\n- https:\/\/www.\n- `%1`: the reference to the non-www part of the host\n- `%{REQUEST_URI}`: the URI of the request, without the hostname\n\nAll these tokens are joined together, and represent the final redirect URI. Finally, we append 3 flags:\n\n- [`NE`](https:\/\/httpd.apache.org\/docs\/current\/rewrite\/flags.html#flag_ne) to not escape special characters\n- [`R=301`](https:\/\/httpd.apache.org\/docs\/current\/rewrite\/flags.html#flag_r) to use the HTTP 301 redirect status\n- [`L`](https:\/\/httpd.apache.org\/docs\/current\/rewrite\/flags.html#flag_l) to stop processing other rules, and redirect immediately\n\n\n## Remarks\n\nAs I've already mentioned, my example uses an extra `RewriteCond` line to extract the hostname, and avoid inlining the hostname in the rule. If you feel this is a performance penalty for you, you can inline the host directly in the rule:\n\n```\nRewriteEngine On\nRewriteCond %{HTTPS} off [OR]\nRewriteCond %{HTTP_HOST} ^www\\. [NC]\nRewriteRule ^ https:\/\/example.com%{REQUEST_URI} [L,NE,R=301]\n```\n\n## Conclusion\n\nThis article provides a simple configuration to redirect www and non-HTTPS requests to the canonical site domain. This is very useful to avoid content duplication issues with search engines, and offer an improved experience to your users.\n\nIf you search online there are dozens of ways to perform a redirect in Apache; this is just one of the possibilities and it may not cover all the possible cases. 
Hopefully, with the explanation in the _How it works_ section you will be able to customize it to your needs.","pubDate":"Thu, 11 Aug 2016 00:00:00 GMT","category":["Softwares","Internet","servers","apache","htaccess","redirects","https"]},{"title":"Amazon S3\/CloudFront redirect www to non-www and HTTP to HTTPS","link":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-http-https-www-cloudfront\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-http-https-www-cloudfront\/","description":"This article assumes you want to redirect a www version of a domain (e.g. `www.example.com`) to the non-www root domain (e.g. `example.com`) with HTTPS, using Amazon S3 static site redirect and CloudFront.\n\n\n## Introduction\n\nBefore we start, there are a few important notes to keep in mind:\n\n- In order to redirect via CloudFront, we will have to configure an Amazon S3 bucket for redirect.\n- If you are already using an Amazon S3 bucket for redirect and you want to enable the HTTPS redirect, then you need to use Amazon CloudFront. It's not possible to use HTTPS on Amazon S3 with a custom domain.\n- If you want the origin domain to redirect via HTTPS, then you MUST have a valid SSL\/TLS certificate that covers that domain. You can use Amazon Certificate Manager to request a new certificate free of charge, or use an existing certificate if you already have one.\n- If you want to redirect the root domain to www, then you must use a DNS hosting provider [such as DNSimple](https:\/\/dnsimple.com\/) that supports CNAME-like features for the root domain. You will need to point the root domain to the Amazon CloudFront distribution endpoint, and [you can't use a CNAME](https:\/\/blog.dnsimple.com\/2014\/01\/why-alias-record\/). At DNSimple [we call it the _ALIAS_ record](https:\/\/support.dnsimple.com\/articles\/alias-record\/).\n- The redirect target doesn't have to be hosted on Amazon S3 or Amazon CloudFront. 
For example, you can deploy your site `example.com` on Heroku, and use Amazon S3+CloudFront to redirect `www.example.com` to `example.com`.\n\n\n## CloudFront Configuration\n\nTo configure the redirect, [follow the detailed instructions in this article](\/blog\/2016\/07\/redirect-domain-https-amazon-cloudfront). In the referenced article, the _redirecting hostname_ is the hostname that will redirect, whereas the target hostname is the target of the redirect.\n\nFor example, if you want to redirect `http:\/\/www.example.com` and `https:\/\/www.example.com` to `https:\/\/example.com`, then you will have to follow the steps detailed in the article and:\n\n- create a bucket called `www.example.com`, and set up the redirect to `https:\/\/example.com`\n- request or import a certificate for `www.example.com`\n- configure a distribution for `www.example.com`\n- create a CNAME DNS record to point `www.example.com` to the Amazon CloudFront distribution endpoint\n\nInstead, if you want to redirect `http:\/\/example.com` and `https:\/\/example.com` to `https:\/\/www.example.com`, then you will have to follow the steps detailed in the article and:\n\n- create a bucket called `example.com`, and set up the redirect to `https:\/\/www.example.com`\n- request or import a certificate for `example.com`\n- configure a distribution for `example.com`\n- create [an ALIAS record](https:\/\/support.dnsimple.com\/articles\/alias-record\/) to point `example.com` to the Amazon CloudFront distribution endpoint\n\nIf you experience some issues, check the [common errors](\/blog\/2016\/07\/redirect-domain-https-amazon-cloudfront#common-errors) section.","pubDate":"Fri, 05 Aug 2016 00:00:00 GMT","category":["Softwares","Internet"]},{"title":"Redirecting a domain with HTTPS using Amazon S3 and 
CloudFront","link":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-https-amazon-cloudfront\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/08\/redirect-domain-https-amazon-cloudfront\/","description":"This article assumes you want to redirect an entire hostname to a different one, and the source hostname (the one that is redirecting) should be configured to accept HTTPS connections and redirect via HTTPS. For example, this is the case if you want to redirect the www-version of a domain, such as `www.example.com`, to the corresponding non-www version, `example.com`.\n\n| Requested                   | Redirected to           |\n|-----------------------------|-------------------------|\n| http:\/\/www.example.com\/     | https:\/\/example.com\/    |\n| http:\/\/www.example.com\/foo  | https:\/\/example.com\/foo |\n| https:\/\/www.example.com\/    | https:\/\/example.com\/    |\n| https:\/\/www.example.com\/foo | https:\/\/example.com\/foo |\n\nFor the purpose of this article, we'll use [Amazon S3 static hosting](http:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/WebsiteHosting.html) to configure the redirect, and Amazon CloudFront to handle the HTTPS traffic. In fact, it's not possible to install a certificate for a custom name using Amazon S3 static hosting.\n\n\n## Initial considerations\n\nBefore we start, there are a few important notes to keep in mind:\n\n- As already explained, if you are using a custom domain with Amazon S3 static hosting, then you need to use CloudFront if you want to enable HTTPS. It's not possible to install a custom certificate on Amazon S3.\n- If you want the origin domain to redirect via HTTPS, then you MUST have a valid SSL\/TLS certificate that covers that domain. If you have an existing certificate, then you may use that one, otherwise you will have to get a new SSL\/TLS certificate from a trusted certification authority or a reseller. 
In this example we'll show how to use the new [AWS Certificate Manager](https:\/\/aws.amazon.com\/blogs\/aws\/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws\/) to request the certificate for free.\n- If you want to redirect the root domain (e.g. `example.com`) then you must use a DNS hosting provider [such as DNSimple](https:\/\/dnsimple.com\/) that supports CNAME-like features for the root domain (it will be explained why later). At DNSimple [we call it the _ALIAS_ record](https:\/\/support.dnsimple.com\/articles\/alias-record\/).\n- The redirect target doesn't have to be hosted on Amazon S3 or Amazon CloudFront. For example, you can deploy your site `example.com` on Heroku, and use Amazon S3+CloudFront to redirect `another-example.com` and `www.another-example.com` to `example.com`, or to redirect the www to the non-www version. This is particularly useful when your site changes domains, and you want a simple alternative to deploy a previous domain with a different certificate to your new domain, and **you have a limit on the number of certificates installed per application** (such as Heroku).\n\n\n## Configuring the Amazon S3 static site with redirect\n\nThe first step is to configure a site in Amazon S3 that will trigger the redirect. The site will be used as the _origin_ for the CloudFront distribution.\n\n1.  Create a new Amazon S3 bucket with exactly the same name as the origin domain. For example, if the origin is `www.example-1469917820.com`, then you must give the bucket the same name.\n\n    There are several ways to create a new bucket in Amazon S3, and this is beyond the scope of this article. In this particular case, I will use the Amazon AWS web console:\n\n    ![](\/uploads\/2016\/aws-https-redirect-bucket-new.png)\n\n    You can use the region you prefer. If you don't have a specific preference, leave _US Standard_.\n\n    ![](\/uploads\/2016\/aws-https-redirect-bucket-create.png)\n\n1.  
Configure the bucket to _redirect all requests to another hostname_. Select the bucket from the list, click _Properties_, and in the _Static Website Hosting_ section configure the redirect.\n\n    ![](\/uploads\/2016\/aws-https-redirect-bucket-redirect.png)\n\n    The value of the **Redirect all requests to** field should be the domain or hostname where you want to redirect the requests. In this example, it's the non-www version of the redirecting domain, but you can use any hostname you want, even on a completely separate domain.\n\n    Press _Save_ to confirm.\n\n1.  Before we move to the next step, take note of the _Endpoint_. We'll need this hostname in our final step to configure Amazon CloudFront.\n\n    ![](\/uploads\/2016\/aws-https-redirect-bucket-endpoint.png)\n\nFor the rest of the article the screenshot will use `www.weppos.net` as the redirect source (instead of `www.example-1469917820.com`) and `simonecarletti.com` as the target (instead of `example-1469917820.com`), as the other hostnames were just examples.\n\n## Installing the SSL certificate\n\nAs already mentioned, in order to redirect via HTTPS **you need a valid SSL certificate for the redirecting hostname**. In this case, since I want to redirect `www.weppos.net`, I need an SSL certificate for it.\n\n- If you already have an existing SSL certificate, you need to [upload the server SSL certificate to IAM](http:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_credentials_server-certs_manage.html#UploadSignedCert).\n\n- If you don't have one, the simplest way to request a certificate for CloudFront is to use the Amazon Certificate Manager (ACM).\n\n  ![](\/uploads\/2016\/aws-https-redirect-certificate-manager.png)\n\nHere are the steps to request a new SSL certificate with Amazon Certificate Manager:\n\n1.  Go to the ACM page and **make sure to switch to the US East (N. Virginia)** zone (`us-east-1`). 
In this case, the zone is relevant: you won't be able to use the certificate in CloudFront if it was requested in a different zone.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm.png)\n\n1.  Click _Request a certificate_ and in the _Domain name_ section list all the hostnames you want the certificate to cover. Note that you will have to _validate ownership via email_ for each hostname you enter. Keep the list short, and only add the hostnames you really need at this moment. You can always issue another certificate later.\n\n    For static site redirects, I generally add only the source hostname, both in www and not www form. Just note that if you want to redirect `www.example.com` to `example.com`, it's sufficient to have only the first host in the certificate.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-new.png)\n\n1.  Click _Review and request_ to continue. Confirm and proceed to the validation.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-review.png)\n\n1.  Read the information, and finalize the request.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-requesting.png)\n\n1.  At the end of the request process you'll get back to the certificate list. You will find the new certificate, with a _pending validation_ warning. This is expected, as you still need to validate the hostnames in order to issue the certificate.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-pending.png)\n\n1.  Monitor your inbox. You will receive a validation email like the following one for each hostname you added into the certificate:\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-email.png)\n\n    Click on the links and follow the instructions.\n\n1.  Once all the hostnames are validated, Amazon will issue the certificate. 
The state will change from _pending validation_ to _issued_ in the ACM console.\n\n    ![](\/uploads\/2016\/aws-https-redirect-acm-issued.png)\n\nWe are now ready to configure the HTTPS redirect in CloudFront.\n\n\n## Configuring the Amazon CloudFront HTTPS redirect\n\nWe have created a redirect via bucket, and we have an SSL certificate that covers the redirecting hostname. The final step is to configure CloudFront with our HTTPS certificate.\n\n1.  Go to the CloudFront page and create a new distribution:\n\n    ![](\/uploads\/2016\/aws-https-redirect-cloudfront.png)\n\n1.  Select the _Web_ distribution, as we want to use our Amazon AWS bucket as the distribution origin.\n\n    ![](\/uploads\/2016\/aws-https-redirect-cloudfront-web.png)\n\n1.  Configure the distribution __Origin Settings__. Get the Amazon S3 endpoint you saved before:\n\n    ![](\/uploads\/2016\/aws-https-redirect-bucket-endpoint-2.png)\n\n    and use it as __Origin Domain Name__.\n\n    **Make sure to use the web site endpoint and NOT the REST endpoint**, since the redirect feature is only available in the web site endpoint as explained in the [Amazon documentation](http:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/WebsiteEndpoints.html). **Don't use the endpoint auto-suggested by CloudFront**.\n\n    ![](\/uploads\/2016\/aws-https-redirect-cloudfront-new.png)\n\n    Disable the SSLv3 protocol (as it's buggy and insecure) and leave the other options to their defaults, unless you have specific needs.\n\n1.  Scroll down to the _Distribution Settings_ to configure the SSL certificate.\n\n    ![](\/uploads\/2016\/aws-https-redirect-cloudfront-new-2.png)\n\n    In the _CNAME_ section add the origin hostname, the one that will be redirecting. In our case, it's `www.weppos.net`.\n\n    Select _Custom SSL Certificate_ and, from the drop-down, select the certificate you previously requested or imported in IAM. 
If the certificate is not there, go back and check that you followed all the instructions contained in this article. See [common errors](#common-errors).\n\n1.  Confirm and create the distribution. It will take up to 10-15 minutes for the distribution to be fully deployed.\n\nEach distribution in CloudFront has a unique _CloudFront Domain Name_.\n\n![](\/uploads\/2016\/aws-https-redirect-cloudfront-distribution.png)\n\nYou can query that hostname to check if the redirect was configured properly. Here's an example of a `cURL` request:\n\n```\n$ curl -I -H 'Host: www.weppos.net' do8mh0ymnig5c.cloudfront.net\nHTTP\/1.1 301 Moved Permanently\nContent-Length: 0\nConnection: keep-alive\nDate: Sun, 31 Jul 2016 10:38:54 GMT\nLocation: https:\/\/simonecarletti.com\/\nServer: AmazonS3\nX-Cache: Miss from cloudfront\nVia: 1.1 87d0846629896b470e5be51235aa7aa0.cloudfront.net (CloudFront)\nX-Amz-Cf-Id: 8ZVGdzS-7aXJmsJ849TRuCIaEbp5K_UzSXaNdbFklPsV_UgNZwtz4Q==\n```\n\nNotice the explicit use of the `Host:` header. This is required as we haven't configured the redirecting `www.weppos.net` hostname to resolve to the new CloudFront distribution yet. Therefore, querying `do8mh0ymnig5c.cloudfront.net` without telling Amazon what the request host is may confuse CloudFront.\n\nIf the configuration is correct, the response of the `cURL` request should be similar to the one above. 
The `Location` header contains the target of the redirect, which is the domain originally configured in our Amazon S3 bucket redirect.\n\n![](\/uploads\/2016\/aws-https-redirect-bucket-redirect-2.png)\n\nIf the configuration of the SSL certificate is correct, the `cURL` request will also work with HTTPS:\n\n```\n\u279c  ~ curl -I -H 'Host: www.weppos.net' https:\/\/do8mh0ymnig5c.cloudfront.net\nHTTP\/1.1 301 Moved Permanently\nContent-Length: 0\nConnection: keep-alive\nDate: Sun, 31 Jul 2016 10:38:54 GMT\nLocation: https:\/\/simonecarletti.com\/\nServer: AmazonS3\nAge: 184\nX-Cache: Hit from cloudfront\nVia: 1.1 b1774130b147bea78a7f999710fdf47e.cloudfront.net (CloudFront)\nX-Amz-Cf-Id: r2UGlaEhEq3oO1KstW82VHs_E_kSbgfs3EVlSwXJ9oI6hSp8XS3Zyg==\n```\n\n\n## Pointing the DNS record to CloudFront endpoint\n\nThe final step is to configure the DNS record for the redirecting hostname. The hostname must point to the CloudFront distribution domain name. That way when a user visits the domain, they are redirected to the target URL.\n\nThe specific steps depend on the DNS hosting you use. The following instructions [assume you are using DNSimple](https:\/\/dnsimple.com\/).\n\nThere are two possible configurations:\n\n- if the hostname you want to redirect is a subdomain (e.g. `www.example.com`, `blog.example.com`, ...) then you need to configure a CNAME that points to the Amazon CloudFront distribution endpoint\n\n  ![](\/uploads\/2016\/aws-https-redirect-dnsimple-cname.png)\n\n- if the hostname you want to redirect is the root domain (e.g. `example.com`) then [you can't use a CNAME](https:\/\/blog.dnsimple.com\/2014\/01\/why-alias-record\/). The only way to properly configure a redirect in this case is to **use a DNS provider (such as DNSimple) that supports CNAME-like features for the root domain**. 
At DNSimple [we call it the _ALIAS_ record](https:\/\/support.dnsimple.com\/articles\/alias-record\/).\n\n  ![](\/uploads\/2016\/aws-https-redirect-dnsimple-alias.png)\n\nOnce configured, a simple `dig` lookup will tell you if the DNS record resolves correctly.\n\n```\n$ dig www.weppos.net\n\n; <<>> DiG 9.8.3-P1 <<>> www.weppos.net\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63501\n;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;www.weppos.net.\t\t\tIN\tA\n\n;; ANSWER SECTION:\nwww.weppos.net.\t\t3599\tIN\tCNAME\tdo8mh0ymnig5c.cloudfront.net.\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.179\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.196\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.72\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.15\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.60\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.172\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.227\ndo8mh0ymnig5c.cloudfront.net. 59 IN\tA\t54.230.25.185\n```\n\nAs expected, a `cURL` request shows that the domain is **successfully redirecting via HTTPS**:\n\n```\n\u279c  ~ curl -I https:\/\/www.weppos.net\nHTTP\/1.1 301 Moved Permanently\nContent-Length: 0\nConnection: keep-alive\nDate: Sun, 31 Jul 2016 10:38:54 GMT\nLocation: https:\/\/simonecarletti.com\/\nServer: AmazonS3\nAge: 3767\nX-Cache: Hit from cloudfront\nVia: 1.1 e5d27f3fb83b3b7e4d92ffc70e7b5a1f.cloudfront.net (CloudFront)\nX-Amz-Cf-Id: bbhgTrFYqkjlwY22NcVIF0j8WpFQAHF-dA8jQXhYlEBtMnBwwK0peg==\n```\n\n\n## Final considerations\n\n- This article explains how to configure the redirect for an entire domain to a different domain. 
It does not cover single-page redirects, which should be done by setting the redirect on a specific object uploaded to Amazon S3.\n\n\n## Common Errors\n\n### Certificate errors\n\nThe certificate doesn't show up in the list:\n\n- You didn't validate one or more hostnames, and the certificate was not issued\n- You didn't request the certificate in the `us-east-1` zone\n- You didn't properly import the certificate\n\nThe domain shows a certificate error:\n\n- Check the certificate is not self-signed\n- Check the certificate is not expired\n- Check that the domain you want to redirect is covered by the certificate\n\n### Resolution errors\n\nThe redirecting domain doesn't resolve:\n\n- ```\n  curl: (6) Could not resolve host: something.cloudfront.net\n  ```\n\n  The CloudFront distribution has not been deployed yet. Check the status and make sure it's _Completed_ and not _In Progress_.\n\n- You used a CNAME to redirect a root domain (e.g. `example.com`). [You can't configure a CNAME for the root domain](https:\/\/blog.dnsimple.com\/2014\/01\/why-alias-record\/).\n\n### Redirect errors\n\nThe redirecting domain doesn't redirect:\n\n- Make sure you used the web site endpoint, and NOT the REST endpoint. The redirect feature is only available in the [web site endpoint](http:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/WebsiteEndpoints.html).\n- Check that the DNS records are pointing to the CloudFront endpoint, and not to a previous server.","pubDate":"Mon, 01 Aug 2016 00:00:00 GMT","category":["Softwares","Internet"]},{"title":"Running PHP with Caddy server on Mac OSX","link":"https:\/\/simonecarletti.com\/blog\/2016\/05\/caddy-server-php-macosx\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/05\/caddy-server-php-macosx\/","description":"A few days ago I had to work on a small PHP script. 
Several years ago [I used to be a PHP developer](https:\/\/simonecarletti.com\/blog\/2009\/03\/design-patterns-in-php\/), but these days I'm using different programming languages and I had to set up my Mac OS from scratch.\n\nSince I wanted a simple and portable solution with a very low impact on my machine, I decided to use [Caddy server](https:\/\/caddyserver.com\/) and try to run PHP with Caddy instead of installing the traditional web servers such as Nginx or Apache.\n\nCaddy is very simple to use: [download the server binary](https:\/\/caddyserver.com\/download), unzip the binary somewhere and run the command `caddy`. The web server will boot, and it will start serving the local directory. [Caddy is also highly configurable](https:\/\/caddyserver.com\/developers) and it supports FastCGI that we can use to run PHP via FastCGI.\n\nIt turned out that running a PHP project with Caddy on Mac OS X is super straightforward.\n\n## Installing PHP and php-fpm\n\nFirst of all, use Homebrew to install the desired version of PHP, for example 5.6.\n\n```shell\n$ brew install php56\n```\n\nSince 2012, PHP includes [php-fpm](http:\/\/php.net\/manual\/en\/install.fpm.php) as part of the standard PHP distribution. You can start it manually by running the `php-fpm` command. 
This is a good solution if you are not using PHP very often, and you don't want another background process.\n\n```shell\n$ php-fpm\n[20-May-2016 15:27:09] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root\n[20-May-2016 15:27:09] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root\n[20-May-2016 15:27:09] NOTICE: fpm is running, pid 13098\n[20-May-2016 15:27:09] NOTICE: ready to handle connections\n```\n\nOtherwise, you can run `php-fpm` on startup.\n\n```shell\n$ mkdir -p ~\/Library\/LaunchAgents\n$ cp \/usr\/local\/opt\/php56\/homebrew.mxcl.php56.plist ~\/Library\/LaunchAgents\/\n$ launchctl load -w ~\/Library\/LaunchAgents\/homebrew.mxcl.php56.plist\n```\n\nFor more information, run `$ brew info php56`.\n\n## Installing Caddy\n\nThe next step is to install Caddy. Go to [caddyserver.com](https:\/\/caddyserver.com\/) and download the latest version. You don't need any extra feature, as FastCGI support is built into Caddy Core.\n\n![](\/uploads\/2016\/caddy-download.png)\n\nUnzip the package, and save Caddy in a convenient location. Personally, I saved it in my local `~\/bin` directory (which is in my `$PATH`), so that I can run `caddy` without specifying the full path to the binary.\n\n```shell\n$ which caddy\n\/Users\/weppos\/bin\/caddy\n```\n\nTo test that Caddy works correctly, run `caddy`. The output should look like the following one:\n\n```shell\n$ caddy\nActivating privacy features... done.\n:2015\n```\n\nAt this point, if you point your browser to `http:\/\/localhost:2015\/` you should see either a web page or a `404 Not Found` error (depending on where you're running Caddy from).\n\n## Configuring Caddy with PHP\n\nThe final step is to configure Caddy to run your PHP project [via FastCGI](https:\/\/caddyserver.com\/docs\/fastcgi) using `php-fpm`.\n\nCreate a simple Caddy configuration file in the root of your PHP project folder. 
Call the file `caddy-php.conf` (the name is irrelevant), and enter the following configuration:\n\n```txt\nlocalhost:8080\nfastcgi \/ 127.0.0.1:9000 php\n```\n\nThe first line tells Caddy on which port it should listen for incoming requests.\n\nThe second line enables `fastcgi` for the base path and proxies the requests to the address `127.0.0.1:9000`, which is the address where the `php-fpm` FastCGI server is listening by default. I also specified an optional preset called `php`, which enables some simple PHP-oriented configurations (such as using `index.php` as index page).\n\n```shell\n$ caddy -conf path\/to\/caddy-php.conf\nActivating privacy features... done.\nlocalhost:8080\n```\n\nOpen your browser at `localhost:8080`, and if the configuration is correct you will see your PHP site. Remember to start `php-fpm` before trying the URL in the browser.\n\n## Final tips\n\nIf all your sites have pretty much the same configuration, you can save the `caddy` configuration file in your home directory, and use it without creating a new configuration for each project.\n\n```shell\n$ cd my-php-project\n$ caddy -conf ~\/caddy-php.conf\n```\n\nIf you don't want to start `php-fpm` on system start, you can use the `launchctl` script provided by Homebrew in combination with Caddy [`startup`](https:\/\/caddyserver.com\/docs\/startup) and [`shutdown`](https:\/\/caddyserver.com\/docs\/shutdown) to start\/stop the process.\n\nCopy the script into your `LaunchAgents` folder (as instructed by `brew info php56`. 
Note that the file name depends on the exact PHP version you installed).\n\n```shell\nmkdir -p ~\/Library\/LaunchAgents\ncp \/usr\/local\/opt\/php56\/homebrew.mxcl.php56.plist ~\/Library\/LaunchAgents\/\nlaunchctl load -w ~\/Library\/LaunchAgents\/homebrew.mxcl.php56.plist\n```\n\nAnd here's the updated Caddy configuration file:\n\n```txt\nlocalhost:8080\nfastcgi \/ 127.0.0.1:9000 php\nstartup launchctl load -w \/Users\/YOURUSER\/Library\/LaunchAgents\/homebrew.mxcl.php56.plist\nshutdown launchctl unload -w \/Users\/YOURUSER\/Library\/LaunchAgents\/homebrew.mxcl.php56.plist\n```\n\nNote that you need to replace `YOURUSER` with your logged-in username (you can get it with `whoami`). The short path with `~` was not properly expanded.\n\nHere's a final, convenient script I created in `~\/bin\/caddy-php` to run `caddy` configured for PHP with a single command:\n\n```bash\n#!\/usr\/bin\/env bash\n~\/bin\/caddy -conf ~\/caddy-php.conf\n```","pubDate":"Fri, 20 May 2016 00:00:00 GMT","category":["Programming","Softwares"]},{"title":"Things you want to know about Let's Encrypt","link":"https:\/\/simonecarletti.com\/blog\/2016\/02\/things-about-letsencrypt\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/02\/things-about-letsencrypt\/","description":"[Let's Encrypt](https:\/\/letsencrypt.org\/) is a new certificate authority that entered the internet scene at the [end of 2015](https:\/\/letsencrypt.org\/2015\/12\/03\/entering-public-beta.html).\n\nLet's Encrypt _is not simply another certificate authority_, if for no other reason than the certificates are free, whereas the vast majority of existing certificate authorities sell SSL\/TLS certificates for a price that depends on the [certificate type](\/blog\/2013\/11\/ssl-certificate-types\/).\n\nHowever, Let's Encrypt is not only free. Quoting the homepage: _Let's Encrypt is free, automated, and open_.\n\n![](\/uploads\/2016\/letsencrypt-homepage.png)\n\nBut what does it mean? 
In this article, I'll share some of the direct consequences of that quote to help you better understand how Let's Encrypt (currently) works. My goal here is not to judge or advertise the service offered by Let's Encrypt (either in a negative or positive way), but rather provide an overview of what you should expect if you use this service, and let you decide whether Let's Encrypt is a good fit for you or not.\n\nIn addition, since I've been closely monitoring and testing the service for the last few weeks for personal and business use, I'll also provide some extra details you should know about the current status of the project and the issued certificates.\n\n## Let's Encrypt is free\n\n[And this is a fact](https:\/\/letsencrypt.org\/howitworks\/). It's also very easy to understand: _any certificate issued by Let's Encrypt is free_ as in beer and you don't need to pay for it (as long as you obtain it directly from the Let's Encrypt website, as other providers may still resell the service in one way or another).\n\nHowever, wording is important here: _it's not true that Let's Encrypt will issue any certificate for free_ (and this is a common misunderstanding). Not because Let's Encrypt charges you for some SSL certificate types, but because there are some types of certificates that Let's Encrypt will not issue at all. I'll talk about the [supported certificates](#supported-certificates) later on in this article.\n\nLet's Encrypt is free to use, but not free to run or operate. Developing, maintaining, and operating a certificate authority is very complex. There are non-trivial technical challenges associated with encryption\/cryptography, but also security risks and implications associated with the ability to issue publicly trusted SSL certificates. I bring this to your attention because, regardless of your opinions about the current or future state\/policies\/decisions\/... 
of the Let's Encrypt service, you should respect the work of the people directly or indirectly involved with this project.\n\n\n## Let's Encrypt is Automated\n\nThe operational model of Let's Encrypt is designed to be completely automated: no manual intervention should be required to register for the service, or to request, issue, revoke or renew a certificate.\n\nThe goal is to encourage the development of libraries, tools, and services that can automate the deployment of secure sites. Today, the issuance process at most certificate authorities involves manual steps (such as email-based domain validation) that are a bottleneck for automated deployment and drastically hinder large-scale HTTPS adoption.\n\nIt's easy to understand that this operational model has some limitations, and in fact Let's Encrypt doesn't [support EV and OV certificates](#supported-certificates). This is an important aspect to keep in mind, but keep reading. I'll discuss the various [_limitations_](#limitations) later in this article.\n\nIf you have some programming skills, it's clear that the possibilities offered by Let's Encrypt and a fully automated process are almost infinite: you can integrate it into your service, create a command line tool, or script the deployment of a new machine from zero to HTTPS without any human intervention. 
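\n\nThe automation hinges on the ACME validation challenges: the CA hands the client a random token, and the client proves control of the domain by publishing a value derived from that token and its account key, either over HTTP (`\/.well-known\/acme-challenge\/<token>`) or as a DNS TXT record (`_acme-challenge.<domain>`). The following Python is an added example, not code from the Let's Encrypt project or from any of the clients mentioned in this post; it computes both challenge responses as the ACME specification defines them (key authorization = token, a dot, and the RFC 7638 thumbprint of the account key; the DNS value is the base64url SHA-256 of that string) and rejects tokens outside the base64url alphabet before they are turned into a path. `ACCOUNT_JWK` and the sample token are constructed placeholders, not real key material.\n\n
```python
import base64
import hashlib
import json

# Constructed placeholder account key in JWK form. The modulus is NOT a real
# RSA key; a real ACME client would load its account key from disk.
ACCOUNT_JWK = {
    'kty': 'RSA',
    'e': 'AQAB',
    'n': 'xJ6dUQ4wRtpkEZrV3DEmtf4nJb5eGQ2U8KzMhOaXqRfN9vL1cW7yTsAoHgBiPzCu',
}

# ACME tokens are restricted to the base64url alphabet; enforcing that is what
# makes it safe to use a token as a file name under .well-known.
BASE64URL_CHARS = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')


def b64url(data):
    # base64url without padding, as ACME requires everywhere.
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def validate_token(token):
    # Reject anything outside the base64url alphabet before the token is used
    # to build a path or a DNS name (stops ../ tricks from a hostile endpoint).
    if not token or not set(token) <= BASE64URL_CHARS:
        raise ValueError('invalid ACME token: {!r}'.format(token))
    return token


def jwk_thumbprint(jwk):
    # RFC 7638: keep only the required public members, serialise them with
    # lexicographically sorted keys and no whitespace, then SHA-256.
    required = {'RSA': ('e', 'kty', 'n'), 'EC': ('crv', 'kty', 'x', 'y')}[jwk['kty']]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(',', ':'))
    return b64url(hashlib.sha256(canonical.encode('utf-8')).digest())


def key_authorization(token, jwk):
    # keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
    return validate_token(token) + '.' + jwk_thumbprint(jwk)


def http01_response(domain, token, jwk):
    # The CA fetches this URL over plain HTTP and expects the key
    # authorization as the response body.
    path = '/.well-known/acme-challenge/' + validate_token(token)
    return 'http://' + domain + path, key_authorization(token, jwk)


def dns01_response(domain, token, jwk):
    # The CA looks up this TXT record and expects base64url(SHA-256(keyAuthz)).
    digest = hashlib.sha256(key_authorization(token, jwk).encode('ascii')).digest()
    return '_acme-challenge.' + domain, b64url(digest)


if __name__ == '__main__':
    token = 'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'  # constructed sample token
    print(http01_response('example.com', token, ACCOUNT_JWK))
    print(dns01_response('example.com', token, ACCOUNT_JWK))
```
\n\nThe thumbprint is the only per-account secret-derived piece, so a client can precompute it once and answer any number of challenges without touching the private key; the key is only needed to sign the ACME messages themselves.\n\n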
I'll talk about integration in the [_Notes_](#notes) section.\n\n\n## Let's Encrypt is Open\n\n<blockquote class=\"twitter-tweet tw-align-center\"><p lang=\"en\" dir=\"ltr\">One of the pros of Let&#39;s Encrypt is that if you have a question you can generally find the answer in the source code <a href=\"https:\/\/t.co\/bcySyQ1748\">https:\/\/t.co\/bcySyQ1748<\/a><\/p>&mdash; Simone Carletti (@weppos) <a href=\"https:\/\/twitter.com\/weppos\/status\/691297466092802050?ref_src=twsrc%5Etfw\">January 24, 2016<\/a><\/blockquote>\n\nAll the Let's Encrypt code and protocol specifications are on [GitHub](https:\/\/github.com\/letsencrypt\/).\n\n[`letsencrypt\/boulder`](https:\/\/github.com\/letsencrypt\/boulder) is the heart of the service. It's the certificate authority source code, written in [Go](https:\/\/golang.org\/). It contains the core modules, the validation authority, the certificate authority, everything.\n\n[`letsencrypt\/letsencrypt`](https:\/\/github.com\/letsencrypt\/letsencrypt) is a client, written in Python, that can be used to obtain certificates and extensibly update server configurations automatically. The client is compatible with Let's Encrypt and any other authority that follows the specifications of [the ACME protocol](https:\/\/github.com\/ietf-wg-acme\/acme\/).\n\nThe [ACME specification itself](https:\/\/github.com\/letsencrypt\/acme-spec) is also open source. 
This protocol was designed to automate the management of domain-validation certificates, based on a simple JSON-over-HTTPS interface.\n\nFrom the practical point of view of a technical person, Let's Encrypt being open source means:\n\n- if something is broken, [you can fix it](https:\/\/github.com\/letsencrypt\/boulder\/pull\/1398)\n- if something is missing, [you can add it](https:\/\/github.com\/letsencrypt\/boulder\/pull\/1357)\n- if something is outdated, [you can update it](https:\/\/github.com\/letsencrypt\/boulder\/pull\/1388)\n- contributors can contribute, but maintainers have to maintain ([and to lead the service](https:\/\/github.com\/letsencrypt\/boulder\/pull\/1437))\n\nFrom the practical point of view of a user, Let's Encrypt being open source means _transparency_.\n\nMoreover, if you have a question or a doubt, you can generally find the answer in the source code or someone can point you there. If you ever had to deal with a certificate authority in the past, you probably know how hard it is to get technical information or knowledgeable support (especially from their first-line customer service).\n\n\n## Beta and Limitations\n\nAt the time of writing (February 2016), Let's Encrypt is in public beta and [it will probably take some time](https:\/\/www.youtube.com\/watch?v=zJ0JMl1B7yY) before the service hits the general availability.\n\nAlthough the original meaning of _beta_ has been drastically altered in recent years, in this case, _beta_ indicates the service still hasn't reached the maturity to be considered stable and complete. 
Therefore, it is potentially unstable, incomplete, and under heavy development.\n\nIn general, the following statement pragmatically summarizes the current state of the project:\n\n![](\/uploads\/2016\/letsencrypt-beta-warning.png)\n\nIn this section, I'll talk about some of the limitations and outstanding issues that will likely affect your usage of the service.\n\n### Rate-Limiting\n\n> [!WARNING]\n> Read this section carefully. Most people are currently hitting rate limits because they are not aware of the limits or because they use the clients\/tools improperly.\n\nIt's not by coincidence that this topic is the first one of the [Beta section](#limitations). It's definitely one of the most popular \"issues.\" During this beta test, Let's Encrypt has very tight rate-limiting in place. They plan to loosen these limits as the beta proceeds.\n\nThere are two rate limits in play:\n\n- Registrations\/IP address: limits the number of registrations you can make in a given time period; currently 10 per 3 hours.\n- Certificates\/Domain: 5 certificates for a _registered domain_ in a sliding window of 7 days.\n\nA _registered_ domain is the name directly under the public suffix (`Top Level Domain + Domain`, e.g. `example.com`), so all of its subdomains share the same limit. Each issued certificate counts against the limit of every registered domain it covers: a single SAN certificate spanning names under several registered domains counts once against each of them.\n\n> [!NOTE]\n> You should **use the [staging environment](#staging) for testing**, before using the production environment. This will allow you to get things right before issuing trusted certificates and reduce the chance of hitting the rate limits.\n\nSee the official answer about [rate limiting](https:\/\/community.letsencrypt.org\/t\/quick-start-guide\/1631\/6?u=weppos). Rate limits [also apply on renewals](https:\/\/community.letsencrypt.org\/t\/rate-limits-also-on-renewals\/6157?u=weppos) and reissues.\n\n> [!WARNING]\n> Rate limits can't be reset. 
Once you hit the limit, you'll have to wait until the end of the limit window in order to be able to issue\/reissue\/renew a certificate. You are warned.\n\n\n### Does not work on XP\n\nCertificates issued by Let's Encrypt [don't play well on Windows XP](https:\/\/community.letsencrypt.org\/t\/help-needed-windows-xp-support\/8756\/61?u=weppos). The issue is still under investigation; there is also an [open ticket](https:\/\/github.com\/letsencrypt\/letsencrypt\/issues\/1660). See [compatibility](#compatibility).\n\n### Does not work on Java\n\nJava currently doesn't trust the certificate chain because [the root that cross-signs the Let's Encrypt intermediate is not in the default JDK\/JRE trust store](https:\/\/community.letsencrypt.org\/t\/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre\/134?u=weppos). See [compatibility](#compatibility).\n\n### Beta Client\n\nLet's Encrypt is committed to the development of an [official ACME client](https:\/\/letsencrypt.readthedocs.org\/). The client is written in Python and will support the majority of platforms.\n\nThe Let's Encrypt Client is a fully-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring web servers to use them. Please remember the client is currently beta software.\n\n![](\/uploads\/2016\/letsencrypt-beta-client.png)\n\nThe most relevant (current) limitations of the official client are:\n\n- It only supports Debian-based OSes (such as Debian and Ubuntu). The support for other platforms is either experimental (such as Mac OS X) or not available yet.\n- It only supports Apache. The Nginx integration is experimental; however, it's also possible to obtain a certificate without touching the web server configuration using `certonly`.\n- It doesn't support the DNS challenge, hence it's not possible to use it to validate a certificate via DNS. 
Most [third-party clients](#clients) already support it.\n- It doesn't support Python 3\n\n### Elliptic Curve Cryptography (ECC) support\n\nRight now, all the root and intermediate keys use RSA. Let's Encrypt is planning to generate ECC keys and support [Elliptic Curve Cryptography](https:\/\/blog.cloudflare.com\/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography\/) at some point in 2016.\n\n> Right now all of our root and intermediate keys use RSA. We're planning to generate ECC keys and make an ECC option available to subscribers in 2016.\n> -- [@josh](https:\/\/community.letsencrypt.org\/t\/elliptic-curve-cryptography-ecc-support\/34?u=weppos)\n\n### Internationalized Domain Names support\n\nInternationalized domain names are [currently not supported](https:\/\/community.letsencrypt.org\/t\/internationalized-domain-names\/94?u=weppos). Let's Encrypt will eventually support them, but it's still not clear whether it will be before or after the general availability. There is currently no ETA.\n\n> We would like to support them eventually.\n> -- [@josh](https:\/\/community.letsencrypt.org\/t\/internationalized-domain-names\/94\/3?u=weppos)\n\n\n## Important Notes\n\nSeveral decisions were made as part of the development of the ACME protocol in order to keep Let's Encrypt free, automated and open. Some of these decisions are definitely new and unusual when compared to the existing certificate authorities.\n\nAs I mentioned at the beginning of this post, Let's Encrypt is not a _classic_ certificate authority. 
In this section I'll summarize the most relevant policies that, for better or for worse, will likely affect your decision to use Let's Encrypt or not.\n\nSome of the following notes, and other questions I will not answer here, are covered in the [frequently asked questions](https:\/\/community.letsencrypt.org\/t\/frequently-asked-questions-faq\/26?u=weppos).\n\n### Compatibility\n\nThe major browsers and platforms are supported, see [Which browsers and operating systems support Let's Encrypt](https:\/\/community.letsencrypt.org\/t\/which-browsers-and-operating-systems-support-lets-encrypt\/4394?u=weppos).\n\nMake sure to double check the post above before installing a Let's Encrypt certificate. Also note that Let's Encrypt will only issue SHA256 signed certificates, hence any client that can't handle SHA256 certs (such as pre-SP3 Windows XP) is not compatible.\n\n> [!WARNING]\n> There are currently some known issues with [Windows XP](#windows-xp) and [Java](#java).\n\n\n### Supported Certificate Types\n\n#### EV Certificates\n\nLet's Encrypt only issues _domain validated_ certificates. Organization validated or extended validation certificates are not issued and [will not](https:\/\/community.letsencrypt.org\/t\/plans-for-extended-validation\/409?u=weppos) be issued because the process can't be automated.\n\n> We expect that Let's Encrypt won't support EV, because the EV process will always require human effort, which will require paying someone. 
Our model is to issue certificates free of charge, which requires a level of automation that doesn't seem compatible with EV.\n> -- [@schoen](https:\/\/community.letsencrypt.org\/t\/green-address-bar\/369\/6?u=weppos)\n\n#### Wildcard Certificates\n\n> [!NOTE] Update Jul 2017\n> Wildcard certificates [may be supported from Jan 2018](https:\/\/letsencrypt.org\/2017\/07\/06\/wildcard-certificates-coming-jan-2018.html) with ACME v2.\n\n~~**Let's Encrypt doesn't support wildcard certificates**: it only issues _single-name_ or _multi-domain_ (SAN) certificates. The decision about not supporting the wildcard domain is a result of technical challenges in the validation process.~~\n\n> Wildcard certs aren't yet supported by the ACME protocol. There has been discussion on the IETF ACME mailing list, as well as issue 97 at the original acme-spec.\n> -- [@jcjones](https:\/\/community.letsencrypt.org\/t\/please-support-wildcard-certificates\/258\/2?u=weppos)\n\n> We're not currently planning to offer wildcard certificates.\n> -- [@schoen](https:\/\/community.letsencrypt.org\/t\/please-support-multi-domain-ssl-certificates-like-the-ones-on-positivessl\/867\/2?u=weppos)\n\n#### Domain limit\n\nThe [current limit](https:\/\/community.letsencrypt.org\/t\/public-beta-rate-limits\/4772\/8?u=weppos) for SAN multi-domain certificates is 100 names per certificate. This is a policy decision and [not a technical limitation](https:\/\/community.letsencrypt.org\/t\/sans-per-cert-and-sni-for-hosting-service\/5105?u=weppos).\n\n> We've set the limit to 100 out of an abundance of caution, as it appears that when you get over 100, some web browsers misbehave. 
We can probably raise that if anyone wants us to.\n> [@jcjones](https:\/\/community.letsencrypt.org\/t\/public-beta-rate-limits\/4772\/8?u=weppos)\n\n### Staging\n\nLet's Encrypt [provides a staging](https:\/\/community.letsencrypt.org\/t\/testing-against-the-lets-encrypt-staging-environment\/6763?u=weppos) environment you can use for testing, before using the production environment.\n\nYou already know that the production environment [has strict rate limits](#rate-limits). Using staging will allow you to get things right before issuing trusted certificates and reduce the chance of hitting the rate limits.\n\nThere are [no specific limitations](https:\/\/community.letsencrypt.org\/t\/what-are-the-limitations-of-the-staging-server\/8606) in the staging environment, except that issued certificates are not trusted (they are issued by `Happy Hacker Fake CA`) and the certificates are not submitted to the [certificate transparency logs](#certificate-transparency).\n\n### 90-days Expiration\n\n> Let's Encrypt certificates currently have a [ninety-day lifetime](https:\/\/letsencrypt.org\/2015\/11\/09\/why-90-days.html). Web standards do not require any minimum certificate lifetime. As of 2015, the [Baseline Requirements](https:\/\/cabforum.org\/baseline-requirements-documents\/) specify a maximum certificate lifetime of 39 months.\n> The Technical Advisory Board chose a 90-day certificate lifetime to start with, with an expectation that people will want to auto-renew at the 60-day mark.\n>\n> -- [@josh](https:\/\/community.letsencrypt.org\/t\/pros-and-cons-of-90-day-certificate-lifetimes\/4621?u=weppos)\n\nAlong with the decision to [not support wildcard certificates](#supported-certificates), this is one of the most controversial policies. Hate it or love it, **all SSL certificates issued by Let's Encrypt have a 90-day expiration**. 
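\n\nWith a fixed 90-day lifetime, the practical question is not whether to automate renewal but when to trigger it. The following Python is an added example, not code from the Let's Encrypt client or from this post: it parses the `notBefore`\/`notAfter` lines printed by `openssl x509 -noout -dates -in cert.pem` and applies the 60-day rule quoted above, returning `renew` once a third of the lifetime is left (30 days for a 90-day certificate) and `expired` rather than a routine renewal for a certificate that is already past its end date. `SAMPLE_DATES` is a constructed sample of that OpenSSL output, not a real certificate.\n\n
```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl x509 -noout -dates -in cert.pem` prints
# for a 90-day certificate (not taken from a real certificate).
SAMPLE_DATES = '''notBefore=Feb  1 10:00:00 2016 GMT
notAfter=May  1 10:00:00 2016 GMT
'''

OPENSSL_DATE_FORMAT = '%b %d %H:%M:%S %Y %Z'


def utc(year, month, day, hour=0):
    # Small helper so callers can build timezone-aware UTC instants.
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    # Returns (not_before, not_after) as timezone-aware UTC datetimes.
    fields = {}
    for line in text.splitlines():
        if '=' not in line:
            continue
        key, _, value = line.partition('=')
        # strptime tolerates the double space OpenSSL prints for single-digit days
        parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields['notBefore'], fields['notAfter']


def renewal_decision(not_before, not_after, now, renew_fraction=3):
    # Renew when 1/renew_fraction of the lifetime remains: for a 90-day
    # certificate that is the 60-day mark recommended by Let's Encrypt.
    lifetime = not_after - not_before
    remaining = not_after - now
    if remaining <= timedelta(0):
        return 'expired', remaining.days
    if remaining <= lifetime // renew_fraction:
        return 'renew', remaining.days
    return 'ok', remaining.days


def check(text, now):
    # Parse OpenSSL output and decide; returns (action, days_remaining).
    not_before, not_after = parse_openssl_dates(text)
    return renewal_decision(not_before, not_after, now)


if __name__ == '__main__':
    import subprocess
    import sys
    if len(sys.argv) > 1:
        # Real usage from cron: python renew_check.py /path/to/cert.pem
        cmd = ['openssl', 'x509', '-noout', '-dates', '-in', sys.argv[1]]
        text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_DATES
    action, days = check(text, datetime.now(timezone.utc))
    print(action, days)
    sys.exit(0 if action == 'ok' else 1)
```
\n\nThe non-zero exit status for both `renew` and `expired` makes the script usable as a cron guard, but the two cases should page differently: `renew` is routine, `expired` means the automation already failed at least once.\n\n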
There is no exception and you can't obtain a certificate with a longer expiration, let's say 1 year (or longer), as you would normally do today from any other certificate authority.\n\nThe [main goal is to encourage automation](https:\/\/community.letsencrypt.org\/t\/pros-and-cons-of-90-day-certificate-lifetimes\/4621\/18?u=weppos), as well as to limit the damage if a private key is compromised or a certificate has to be revoked: a short lifetime bounds how long a stolen key stays useful, even for clients that never check revocation.\n\n### Certificate for public IPs\n\nLet's Encrypt does not issue certificates for IP addresses, and has no plans to.\n\n> Let's Encrypt has decided not to issue certificates for bare IP addresses even if this would be permitted by the Baseline Requirements.\n> -- [@schoen](https:\/\/community.letsencrypt.org\/t\/certificate-for-public-ip-without-domain-name\/6082\/7?u=weppos)\n\n### Certificate Transparency\n\nLet's Encrypt fully supports [Certificate Transparency](https:\/\/www.certificate-transparency.org\/): all issued certificates are [submitted](https:\/\/letsencrypt.org\/certificates\/) to the Certificate Transparency logs. This is also [discussed](https:\/\/community.letsencrypt.org\/t\/will-you-support-certificate-transparency\/222\/2?u=weppos) on the forum.\n\nYou can search, monitor and audit Let's Encrypt certificates using the [`crt.sh` tool](https:\/\/crt.sh\/?Identity=%25&iCAID=7395). Because every issued certificate is public, this is also how you detect a certificate for one of your domains that you never requested.\n\n### Clients\n\nAs I already mentioned, Let's Encrypt is committed to the development of an [official ACME client](https:\/\/letsencrypt.readthedocs.org\/), written in Python.\n\nHowever, there is a [long list of client implementations](https:\/\/community.letsencrypt.org\/t\/list-of-client-implementations\/2103?u=weppos) in several different programming languages. The list is currently divided into clients and libraries.\n\nLibraries generally provide the low-level foundation to communicate with an ACME-compliant certificate authority. 
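\n\nThe Certificate Transparency section above and the rate-limiting section in the Beta part of this post call for the same tool: a monitor over the public log records for your domains. The following Python is an added example, not code from crt.sh, Let's Encrypt or this post. It takes records in the shape of the crt.sh JSON output (`issuer_name`, `not_before`, `name_value`) and does two things: it flags certificates whose issuer or hostnames you did not expect (a certificate for `login.example.com` from another CA is exactly the kind of event CT exists to expose), and it counts Let's Encrypt issuances per registered domain over the 7-day sliding window so you can see how close you are to the 5-certificate limit before an issuance fails. `SAMPLE_RECORDS`, `ALLOWED_NAMES` and the tiny `PUBLIC_SUFFIXES` table are constructed for the example; a real monitor would fetch records from crt.sh and use the full Public Suffix List.\n\n
```python
from collections import Counter
from datetime import datetime, timedelta

# Rate limit quoted in the Beta section: 5 certificates per registered domain
# in a sliding 7-day window (the beta values at the time of writing).
CERTS_PER_DOMAIN = 5
WINDOW = timedelta(days=7)

# Tiny stand-in for the Public Suffix List; a real monitor must use the full
# list (e.g. the publicsuffix2 package) instead of this constructed subset.
PUBLIC_SUFFIXES = {'com', 'net', 'org', 'uk', 'co.uk', 'org.uk'}

# Issuer DN as crt.sh prints it for the 2016 intermediate; chr(39) is just an
# apostrophe kept out of the quoted literal.
LE_ISSUER = 'C=US, O=Let{0}s Encrypt, CN=Let{0}s Encrypt Authority X1'.format(chr(39))

# Every hostname we expect to hold a certificate (constructed allowlist).
ALLOWED_NAMES = {'example.com', 'www.example.com', 'api.example.com',
                 'mail.example.com', 'staging.example.com', 'example.co.uk'}

# Constructed records in the shape of crt.sh JSON output. There name_value is
# a newline-separated string; lists are accepted here for readability.
SAMPLE_RECORDS = [
    {'id': 1, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-25T09:12:00', 'name_value': ['example.com', 'www.example.com']},
    {'id': 2, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-27T11:40:00', 'name_value': ['api.example.com']},
    {'id': 3, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-28T08:05:00', 'name_value': ['mail.example.com', 'example.org']},
    {'id': 4, 'issuer_name': 'C=US, O=Some Other CA, CN=Other CA Intermediate', 'not_before': '2016-01-29T16:00:00', 'name_value': ['login.example.com']},
    {'id': 5, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-10T10:00:00', 'name_value': ['example.com']},
    {'id': 6, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-30T07:30:00', 'name_value': ['staging.example.com']},
    {'id': 7, 'issuer_name': LE_ISSUER, 'not_before': '2016-01-30T12:00:00', 'name_value': ['example.co.uk']},
]


def at(text):
    # Parse the timestamp format crt.sh uses (no timezone, treated as UTC).
    return datetime.strptime(text, '%Y-%m-%dT%H:%M:%S')


def registered_domain(name):
    # eTLD+1: the label directly under the longest matching public suffix.
    labels = name.lower().lstrip('*.').split('.')
    for i in range(1, len(labels)):
        if '.'.join(labels[i:]) in PUBLIC_SUFFIXES:
            return '.'.join(labels[i - 1:])
    return '.'.join(labels[-2:])


def names_of(record):
    value = record['name_value']
    return value if isinstance(value, list) else value.splitlines()


def audit(records, allowed_names, now):
    # Flags unexpected issuers and hostnames under the domains we watch, and
    # counts Let's Encrypt certificates per registered domain in the window.
    watched = {registered_domain(n) for n in allowed_names}
    allowed = {n.lower() for n in allowed_names}
    findings = {'unexpected_issuer': [], 'unexpected_names': [], 'recent_counts': Counter()}
    for record in records:
        names = [n.lower() for n in names_of(record)]
        ours = [n for n in names if registered_domain(n) in watched]
        if not ours:
            continue
        if record['issuer_name'] != LE_ISSUER:
            findings['unexpected_issuer'].append(record['id'])
        findings['unexpected_names'].extend(n for n in ours if n not in allowed)
        issued = at(record['not_before'])
        if record['issuer_name'] == LE_ISSUER and now - WINDOW <= issued <= now:
            # One certificate counts once per registered domain it covers.
            for domain in {registered_domain(n) for n in ours}:
                findings['recent_counts'][domain] += 1
    findings['near_limit'] = sorted(
        d for d, c in findings['recent_counts'].items() if c >= CERTS_PER_DOMAIN - 1)
    return findings


if __name__ == '__main__':
    result = audit(SAMPLE_RECORDS, ALLOWED_NAMES, at('2016-01-31T12:00:00'))
    for key, value in result.items():
        print(key, value)
```
\n\nNote that only Let's Encrypt issuances are counted toward the rate limit, since another CA's certificates do not consume your quota, but every issuer is checked for unexpected names: a surprise certificate is a security finding whoever issued it.\n\n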
You can use a library in an existing project or to create your own tool\/program.\n\nA client is generally a tool or a command line script you can use to issue and manage a certificate, either manually or programmatically. Some libraries also offer a client component.\n\nI personally contributed to the [Let's Encrypt Go client (_lego_)](https:\/\/github.com\/xenolf\/lego) and I had the chance to play with the [Ruby ACME library](https:\/\/github.com\/unixcharles\/acme-client). Both libraries are under development, but they already implement the majority of the methods to request a certificate.\n\n\n## In conclusion\n\nLet's Encrypt certainly looks very promising, and the ability to have a fully automated issuance process for SSL certificates is a big step toward the large-scale adoption of HTTPS.\n\nCompetition is generally good for end users, and in this case we can expect the existing certificate authorities to modernize their issuance processes to keep up with Let's Encrypt. However, it's also really unlikely that Let's Encrypt will replace the current market of SSL certificates, mostly because of the lack of support for some widely adopted certificate types, such as wildcard and EV certificates.\n\nAnd this is probably one of the most important considerations: users have to understand that Let's Encrypt is not the solution to every problem. Let's Encrypt is not trying to be a one-size-fits-all certificate authority, and there are a huge number of situations\/configurations where Let's Encrypt will not and maybe should not be applied ([_cit_](https:\/\/community.letsencrypt.org\/t\/pros-and-cons-of-90-day-certificate-lifetimes\/4621\/41?u=weppos)).\n\n[There is still a place](https:\/\/community.letsencrypt.org\/t\/why-should-i-use-any-other-ssl-certificates-anymore\/5821?u=weppos) for other, _non-free_, certificate authorities. 
The hope is that these authorities will at least be more automated and open.","pubDate":"Mon, 01 Feb 2016 00:00:00 GMT","category":["Security","Internet","letsencrypt","certificates","certificate-authorities"]},{"title":"Using cURL with HTTP\/2 on Mac OS X","link":"https:\/\/simonecarletti.com\/blog\/2016\/01\/http2-curl-macosx\/","guid":"https:\/\/simonecarletti.com\/blog\/2016\/01\/http2-curl-macosx\/","description":"[**cURL**](http:\/\/curl.haxx.se\/) is one of the most powerful tools for testing HTTP requests and responses. Most developers use `curl` to interact with HTTP APIs or to test a website.\n\nStarting [from version 7.43.0, cURL (and `libcurl`) supports HTTP\/2](http:\/\/curl.haxx.se\/docs\/http2.html). You can perform a request using the **HTTP\/2** protocol by passing the `--http2` flag:\n\n```shell\n\u279c  curl -I --http2 https:\/\/www.cloudflare.com\/\nHTTP\/2.0 200\nserver:cloudflare-nginx\ndate:Sun, 24 Jan 2016 21:53:48 GMT\ncontent-type:text\/html\nset-cookie:__cfduid=d73309ac5d32f18d2ca9efb414cc0fd111453672428; expires=Mon, 23-Jan-17 21:53:48 GMT; path=\/; domain=.cloudflare.com; HttpOnly\nlast-modified:Thu, 21 Jan 2016 18:44:44 GMT\netag:W\/\"56a1271c-3342\"\nstrict-transport-security:max-age=31536000\nx-content-type-options:nosniff\nx-frame-options:SAMEORIGIN\ncontent-security-policy-report-only:default-src 'self' https:\/\/*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:\/\/*; img-src 'self' https:\/\/* data:; style-src 'self' 'unsafe-inline' https:\/\/*; font-src 'self' https:\/\/* data:; frame-src https:\/\/*; connect-src 'self' https:\/\/*; report-uri https:\/\/www.cloudflare.com\/csp-report\ncf-cache-status:HIT\nexpires:Mon, 25 Jan 2016 01:53:48 GMT\ncache-control:public, max-age=14400\ncf-ray:269ef92389950e12-MXP\n```\n\nHowever, in order to support HTTP\/2, cURL must be linked to `nghttp2` and the default cURL version shipped with Mac OS X does not. 
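\n\nBefore scripting anything against `curl --http2`, it helps to check the binary rather than wait for the error message. The following Python is an added example, not part of this post: it looks for the `HTTP2` token on the `Features:` line of `curl --version` (which a build linked against `nghttp2` advertises) and classifies the first line of a `curl -I` response to confirm which protocol was actually negotiated, treating the `curl: (1) Unsupported protocol` message as a non-response. The sample outputs are constructed to match what this post shows; the version strings in them are illustrative.\n\n
```python
import subprocess

# Constructed sample of `curl --version` for a build linked against nghttp2
# (the shape curl prints; version numbers are illustrative).
SAMPLE_VERSION_HTTP2 = '''curl 7.46.0 (x86_64-apple-darwin15.2.0) libcurl/7.46.0 OpenSSL/1.0.2e zlib/1.2.5 nghttp2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets
'''

# Constructed sample for the system curl shipped with Mac OS X at the time.
SAMPLE_VERSION_NO_HTTP2 = '''curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
'''

# Constructed head of a `curl -I --http2` response and the failure message.
SAMPLE_HEAD_HTTP2 = '''HTTP/2.0 200
server:cloudflare-nginx
strict-transport-security:max-age=31536000
'''
SAMPLE_HEAD_ERROR = 'curl: (1) Unsupported protocol'


def curl_supports_http2(version_output):
    # HTTP/2 support shows up as the HTTP2 token on the Features line.
    for line in version_output.splitlines():
        if line.startswith('Features:'):
            return 'HTTP2' in line.split()[1:]
    return False


def negotiated_protocol(head_output):
    # First line of `curl -I` output: 'HTTP/2.0 200' or 'HTTP/1.1 200 OK'.
    # Returns (protocol, status) or None when the text is not an HTTP
    # response at all (e.g. the curl error message).
    stripped = head_output.strip()
    first = stripped.splitlines()[0] if stripped else ''
    parts = first.split()
    if len(parts) < 2 or not parts[0].startswith('HTTP/') or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1])


def http2_status(version_output, head_output):
    # Summarise: can this binary speak HTTP/2, and did the request use it?
    # Newer curl prints 'HTTP/2' instead of 'HTTP/2.0'; accept both.
    built = curl_supports_http2(version_output)
    proto = negotiated_protocol(head_output)
    used = bool(proto and proto[0] in ('HTTP/2', 'HTTP/2.0'))
    return {'built_with_http2': built, 'protocol': proto[0] if proto else None, 'used_http2': used}


if __name__ == '__main__':
    try:
        version = subprocess.run(['curl', '--version'], capture_output=True, text=True).stdout
        print('HTTP/2 support in local curl:', curl_supports_http2(version))
    except FileNotFoundError:
        print('curl not found on PATH')
```
\n\nChecking the `Features:` line is the reliable signal: a `curl` that lacks `HTTP2` there will never negotiate HTTP\/2, regardless of the server, while one that has it still falls back to HTTP\/1.1 when the server does not offer `h2`, which is why the response line is inspected separately.\n\n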
As a result, if you try to pass the `--http2` flag you'll receive the following error:\n\n```shell\n\u279c  curl -I --http2 https:\/\/www.cloudflare.com\/\ncurl: (1) Unsupported protocol\n```\n\nTo solve the issue and use cURL with HTTP\/2 in Mac OS X you need to recompile cURL. This is a very easy task if you use [Homebrew](http:\/\/brew.sh\/). Thanks to [this PR](https:\/\/github.com\/Homebrew\/homebrew\/commit\/1a7f172a2fc2512ccb32fafd33995e2a28643f32) you can reinstall cURL via Homebrew and pass the `--with-nghttp2` flag to add HTTP\/2 support along with the necessary dependencies.\n\n```shell\n\u279c  brew install curl --with-nghttp2\n```\n\nAlmost done. By default, Homebrew will not replace the `curl` binary shipped with Mac OS X, therefore you need to explicitly \"link\" it if you want to use the new version without specifying the entire path to the binary (which by the way is `\/usr\/local\/Cellar\/curl\/7.46.0\/bin\/curl`):\n\n```shell\n\u279c  brew link curl\nWarning: curl is keg-only and must be linked with --force\nNote that doing so can interfere with building software.\n\u279c  brew link curl --force\nLinking \/usr\/local\/Cellar\/curl\/7.46.0... 
348 symlinks created\n```\n\nClose and reopen the shell; `curl` should now resolve to the Homebrew binary:\n\n```shell\n\u279c  which curl\n\/usr\/local\/bin\/curl\n```\n\nYou can also confirm the version and the build flag using `brew info curl`:\n\n```shell\n\u279c  brew info curl\ncurl: stable 7.46.0 (bottled) [keg-only]\nGet a file from an HTTP, HTTPS or FTP server\nhttp:\/\/curl.haxx.se\/\n\/usr\/local\/Cellar\/curl\/7.46.0 (359 files, 2.5M) *\n  Built from source with: --with-nghttp2\n```\n\nIf `which curl` still prints `\/usr\/bin\/curl`, make sure cURL was properly installed via Homebrew and that you restarted your shell. As a final check, `HTTP2` should appear in the `Features:` line of `curl --version`.\n\n## Instructions\n\nTo recap, here's the list of commands to compile and install cURL with HTTP\/2 support in Mac OS X using Homebrew:\n\n```shell\n# install cURL with nghttp2 support\n\u279c  brew install curl --with-nghttp2\n\n# link the formula to replace the system cURL\n\u279c  brew link curl --force\n\n# now reload the shell\n\n# test an HTTP\/2 request passing the --http2 flag\n\u279c  curl -I --http2 https:\/\/www.cloudflare.com\/\n```\n\nSpecial thanks go to [Daniel Stenberg](http:\/\/daniel.haxx.se\/) for cURL, and to [`@felixbuenemann`](https:\/\/github.com\/felixbuenemann) for the Homebrew patch that made it possible to install cURL with HTTP\/2 with zero effort.","pubDate":"Sun, 24 Jan 2016 00:00:00 GMT","category":["Softwares","curl","http\/2"]}]}}