The Buddhafield & The Tower

The Inevitable

If you hang around someone on a regular basis who is very bright, somebody who is pumping out the energy of The Soul, whether you like it or not, you will start to change. It’s very nice to hang around such a person, but there is a catch.

The Quickening

If you are not consciously getting in alignment with this change, it can be very uncomfortable as you start to go through your Karma more quickly. There will be accidents, loss of loved ones, upheavals in work, illness, depression and anger etc —suffering basically.

The Lie!

If you are a Sanyasin of 20 years and you say you do not know what Karma is, then rest assured this is a sub-personality blockage big doo doo lie, bigger than any dog could ever plop on the pavement! And of course it is this that makes the process painful as you attempt to keep your old world intact and head in the sand.

You know what Karma is! You know what Light is!  It’s time to wake up!

The Solution

To enter into Light requires prayer, meditation, a lot of humble pie. Humble enough to ask for help and to learn more advanced techniques in meditation to make the transition a little smoother. He who emanates the Buddhafield around you, can not transmute all of your Karma. The rules of this manifestation dictate you have to get off your own arse and apply some elbow grease yourself, instead of thinking of yummy silky cheese, and sex with young girls all day.

“Wake up Mr Green”, Film: Revolver (Guy Ritchie)

The post The Buddhafield & The Tower appeared first on Journey Into Light.

Powered by WPeMatico

The Black Star

The Star

Due to our uniqueness as individuals, we all have the opportunity to shine and blossom at things only we can do. Whatever that thing is, nobody else can do it. It’s that simple. It’s that amazing.

Jesus Christ was a great Star performer. Wasn’t he just great! Awesome!

The Black Star

The problem arises when the selfish competitive ego wants to shine and excel, but at the expense of others around them and also at the expense of their own health and well-being. This is the Black Star who has a great lust to prove they are better than everybody around them.

Genghis Khan is reported to have said, “It’s not enough that I succeed. Everyone else must fail.”

You might be somebody with a great talent for healing, but if you crave the attention and the limelight, the recognition, the stardom; if you are really determined to prove something – you may well bite off more than you can chew.

Sri Ramana Maharshi openly admitted that trying to heal his Mum was…just too much, thus the cancer, which he said was like ants crawling up and down his arm.

The world never fails to provide gifts with which to learn, and to keep us on track.

So, let us vow to be Happy Healthy Bright Shining Stars! There IS a door with your name on it. Do not sell short of this.

Be Well. Be Happy. Be a Star!

The post The Black Star appeared first on Journey Into Light.

Analyze the Astro Pi Space Data in Your Web Browser

Introduction: On December 9, 2015, two augmented Raspberry Pi single-board computers (aka the Astro Pis) were delivered to the International Space Station (ISS) via the Cygnus spacecraft. Part of British ESA Astronaut Tim Peake’s mission was to run experiments devised by the winners of the Astro Pi school-age student competition in the UK. The Raspberry […]

Thanks to Initialstate.com for these Posts and details

Enabling SPDY and Strict-Transport-Security to NginX in Ubuntu 14.04

In Ubuntu 14.04 NginX has been compiled with the SPDY capability. To use it, one must enable it inside the server {…} block for each virtual host.
e.g.
server {
    server_name mprofi.com www.mprofi.com;
    root /var/www/mprofi.com;
    index index.php;
    #
    # Added to handle HTTP and HTTPS and SPDY
    listen 80;
    listen 443 ssl spdy;
    ssl_certificate /etc/letsencrypt/live/www.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mysite.com/privkey.pem;
    #
    # ENABLE STRICT TRANSPORT SECURITY and X-Frame-Options
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options "DENY";
}

Restart NginX
service nginx restart

XAMPP – Port 80 Conflict

The Final Solution!

XAMPP has its own built-in Netstat button, but you can DIY like this:

 netstat -ano | find ":80"

This shows the PID of every process using a port that contains :80.

In my case it was http.exe which is responsible for 6 services in all. I first tried to disable it in the registry, and was no longer able to see any printers! Sensing deep water, there must be another way. My way was to call a friend, who said, oh, what you wanna do is this. And I said, Great! Thanks!

net stop http
	

This will show 6 services, including Print Spooler:

	IDEA-PC C:>net stop http
	The following services are dependent on the HTTP Service service.
	Stopping the HTTP Service service will also stop these services.

	   World Wide Web Publishing Service
	   SSDP Discovery
	   Print Spooler
	   HomeGroup Provider
	   Function Discovery Resource Publication
	   Function Discovery Provider Host

	Do you want to continue this operation? (Y/N) [N]: n
	

Then trot over to Services in Windows 8.1 and find ‘World Wide Web Publishing Service’. Disable this service, which is the Windows web server and is not needed since we now use Apache2. I’ve also set it to manual start.

Port 80 should now be freed up!

Listen 8100 Listen 8080

In case you’re wondering what else might work, before I discovered how to disable the Windows WWW Pub Services on its own, a solution was to get the main server listening on 8100. Edit httpd.conf and add:

	# Listen: Allows you to bind Apache to specific IP addresses and/or
	# ports, instead of the default. See also the <VirtualHost>
	# directive.
	Listen 8100
	Listen 8080
	

NB We set up main conf file to listen also on 8080. This is to listen out for Virtual Hosts set up in httpd-vhosts.conf e.g:

 <VirtualHost *:8080> 
	

This is all rather messy, especially if you later want to port e.g. a WP installation to a remote server. You have to do a search and replace on all occurrences of :8080 in your SQL export file.

However, it did work and may have application to a future task in apache.

Issue free and CA signed SSL certificates for web servers from LetsEncrypt

Introduction:
SSL Certificates provide two functions:
1. Authentication
2. Encryption

Encryption can be achieved without authentication but, for some reason, someone decided to join them together in one certificate. This seems to make sense for banks and serious e-commerce sites, which need to be properly authenticated. As a result, when the HTTPS protocol was developed it was not possible to only encrypt the HTTP stream. This situation made us dependent on Certificate Authorities to obtain a certificate even if we only wanted encryption. Now a group of geniuses at https://letsencrypt.org/ has finally made it possible to obtain certificates through a simple authentication check: their server calls a URL on the site and expects a specific response and, if that succeeds, issues a free, CA-signed SSL certificate valid for 90 days. For system administrators, requesting and installing such a free certificate has therefore become quite simple. Here is one method of doing just this on a Debian/Ubuntu web server.

STEPS:

Installing LetsEncrypt

apt-get update && apt-get install git
cd /usr/local/lib/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --email user@mydomain.com --agree-tos --help
echo 'export PATH=$PATH:/usr/local/lib/letsencrypt' >> /root/.bashrc
. /root/.bashrc

NOTE: Make sure the web site you want to add HTTPS to is already configured and live on your web server.
The reason is that, while requesting a certificate, LetsEncrypt creates an extra sub-directory ({htdocs}/.well-known/acme-challenge/) and a special temporary file in the htdocs of the site (pointed to by the DocumentRoot directive in Apache), then requests that file on the site from the LetsEncrypt server to authenticate the URL. If the URL called is invalid, it won’t issue the certificate. For this reason your site needs to be live and you need to give the path of the htdocs. After the authentication process, the temporary file is erased but the sub-directories are not. They stay empty.

Troubleshooting:

InsecurePlatformWarning
If you get the following error message, then in Debian Wheezy you can solve it by importing SSL into Python. See below.
InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

Importing Python SSL support:
python
>>> import ssl
>>> (CTRL-D)

Upgrading LetsEncrypt client program

mv /usr/local/lib/letsencrypt /usr/local/lib/letsencrypt.old
cd /usr/local/lib/
git clone https://github.com/letsencrypt/letsencrypt

Requesting the certificate

Eg. for the domain blog.mydomain.com
letsencrypt-auto certonly --webroot -w /www/clients/blog.mydomain.com/htdocs -d blog.mydomain.com
The certificates and key will be stored in /etc/letsencrypt/live/blog.mydomain.com/ as:
cert.pem : Certificate
chain.pem : CA Certificate
privkey.pem : Private key
fullchain.pem : Combination of the certificate and the CA Certificate

Instead of moving the certificate, just configure Apache or other web server to point to the certs files where they are.
This way a cron job can be created to regularly renew the certificate automatically without manual intervention.
The certificate will be valid for 90 Days only; no exceptions.
This means that the same command as above will need to be run every 3 months or earlier, with the addition of the option --renew-by-default.
The limit of certificates you can ask for a certain domain is: currently 5 certificates / 7 days.

Renewing the certificate:

To renew the certificate automatically, it is suggested to use a cron job and add the option --renew-by-default to the command, e.g. as follows:
letsencrypt-auto certonly --renew-by-default --webroot -w /www/clients/blog.mydomain.com/htdocs -d blog.mydomain.com
It is recommended to send the output of the command by email to verify if the process was successful.

Extra Info

The certificates of LetsEncrypt are stored in /etc/letsencrypt/ directories in different ways. It is simply NOT recommended to delete any of the certificates, files or symlinks in these directories because the files in the ‘keys’ and ‘csr’ directories are not identified to refer to a specific certificate. So just deleting some files but not others related to the same cert might confuse the client command and you then can’t request any more certificates. The error message from the client program is something like:
letsencrypt TypeError: coercing to Unicode: need string or buffer, NoneType found
If you ever get to that point of no return, then just delete all directories: archive, csr, keys, live and renewal BUT not accounts. Then re-issue the certificate requests for the already existing sites. The certificates will then be renewed and you can then also request new ones.

For more information on the subject see:
https://letsencrypt.readthedocs.org/en/latest/using.html

Comfortable script

If you want to be able to issue a certificate and you want it to self-renew after 80 days, this script might be of some use.
#!/bin/bash
# Purpose: Issue or renew a certificate from LetsEncrypt
# It will also issue an 'at' command to renew the certificate automatically in $RENEW_DAYS days
# Syntax: cert_request.sh -s SITE_NAME -d SITE_HTDOCS
# Changes: 30.12.2015 First implementation of the script
#          10.01.2016 Added checks for the 'letsencrypt-auto' and 'at' programs
#--------------------------------------------------------------
. /root/.bashrc
RENEW_DAYS="80"
# Absolute path to this script.
SCRIPT=$(readlink -f "$0")
CERTS_DIR="/etc/letsencrypt/live"
# Absolute path this script is in.
scriptdir=$(dirname "$SCRIPT")
encryptprgm="/usr/local/lib/letsencrypt/letsencrypt-auto"
atprgm="/usr/bin/at"
#
# Print the syntax and exit
function usage () {
    echo "Usage: cert_request.sh -s SITE_NAME -d SITE_HTDOCS"
    echo "-s SITE_NAME Full web site address WITHOUT the 'http://' eg.: www.myblog.com"
    echo "-d SITE_HTDOCS The absolute path where WordPress will be installed. eg. /www/sites/www.mysite.com/htdocs"
    exit 1
}
#
if [ $# -ne 4 ]; then
    echo "ERROR: Wrong number of given arguments."
    usage
fi
#
# Make sure the letsencrypt-auto client prgm is installed
if ! [ -e "$encryptprgm" ] ; then
    echo "ERROR: the letsencrypt program is not installed. Install it and retry."
    echo "See instructions at: https://tipstricks.itmatrix.eu/install-new-and-signed-ssl-certificate-for-web-servers"
    exit 1
fi
#
# Make sure the 'at' program is installed
if ! [ -e "$atprgm" ] ; then
    echo "ERROR: the 'AT' program is not installed. Install it and retry."
    echo "apt-get install at"
    exit 1
fi
#
# Everything looks good so far. Let's start.
#
# get the command options
while getopts "s:d:" OPTION
do
    case $OPTION in
        s) SITE_NAME=$OPTARG
           ;;
        d) SITE_HTDOCS=$OPTARG
           ;;
        h|?|*)
           echo "ERROR: argument(s) unknown."
           usage
           ;;
    esac
done
#
# Both values are required (e.g. '-s a -s b' passes the argument count check)
if [ -z "$SITE_NAME" ] || [ -z "$SITE_HTDOCS" ]; then
    usage
fi
#
echo "Requesting certificate at LetsEncrypt"
# If the certificate exists already, force a renewal; otherwise request a new cert
if [ -d "$CERTS_DIR/${SITE_NAME}" ] ; then
    echo "The certificate already exists. Requesting a renewal"
    RENEW="--renew-by-default"
else
    RENEW=""
fi
#
# $RENEW is left unquoted on purpose so that an empty value adds no argument
if "$encryptprgm" certonly $RENEW --webroot -w "$SITE_HTDOCS" -d "${SITE_NAME}"; then
    # Queue the next run of this script with 'at'
    echo "Certificate request successful."
    echo "Issuing a renewal of the certificate in $RENEW_DAYS days using 'at' command"
    # %q shell-quotes the values so they are not re-interpreted when 'at' runs the job
    printf '%q -s %q -d %q\n' "$SCRIPT" "$SITE_NAME" "$SITE_HTDOCS" | "$atprgm" now + "$RENEW_DAYS" days
    exit 0
else
    echo "ERROR: The certificate request/renewal FAILED."
    exit 2
fi
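
The script above queues the next 'at' job only when the request succeeds, so a single failed run ends the renewal chain and the certificate then expires without notice. The following check is an added example, not part of the original script: run from cron, it reports any certificate with fewer days left than a working renewal would ever leave. The function names are made up for this example; the 90 and 80 day values and the /etc/letsencrypt/live path come from the text above.

```sh
#!/bin/sh
# Added example (not part of the original script): expiry check for cron.
# Thresholds follow the page: 90-day certificates, renewal scheduled at day 80.
VALID_DAYS=90
RENEW_DAYS=80

# Turn an `openssl x509 -noout -enddate` line, for example
#   notAfter=Jun 15 12:00:00 2016 GMT
# into whole days remaining at time NOW (epoch seconds); prints -1 if expired.
cert_days_left() {    # $1 = enddate line, $2 = NOW
  printf '%s\n' "$1" | awk -v now="$2" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days_from_civil(y, m, d,    era, yoe, doy) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    {
      sub(/^notAfter=/, "")
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      split($3, t, ":")
      expiry = days_from_civil($4, mon, $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      diff = (expiry - now) / 86400
      printf "%d\n", (diff < 0 ? -1 : int(diff))
    }'
}

# Classify a certificate. OVERDUE means fewer days remain than a renewal on
# day RENEW_DAYS would leave, i.e. the scheduled renewal did not happen.
cert_status() {       # same arguments as cert_days_left
  left=$(cert_days_left "$1" "$2")
  if [ "$left" -lt 0 ]; then
    echo "EXPIRED"
  elif [ "$left" -lt $((VALID_DAYS - RENEW_DAYS)) ]; then
    echo "OVERDUE ($left days left)"
  else
    echo "OK ($left days left)"
  fi
}

# Walk the live directory and print only the problems; cron mails the output.
check_live_certs() {  # $1 = live directory (optional)
  for pem in "${1:-/etc/letsencrypt/live}"/*/cert.pem; do
    [ -f "$pem" ] || continue
    line=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null) || continue
    status=$(cert_status "$line" "$(date +%s)")
    case $status in
      OK*) ;;
      *) echo "$pem: $status" ;;
    esac
  done
}

check_live_certs
```

Run daily from root's crontab, it stays silent while every certificate has at least 10 days left.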

Configuring HAproxy load balancer in Ubuntu 14.04

Goal:
In this example HTTP requests are proxied directly as HTTP requests to the HTTP web servers. In the case of HTTPS requests, they are handled with the certificates by HAproxy and then proxied to the web servers as HTTP requests.

SSL Certificates:
The certificates for all virtualhosts being proxied are stored as one PEM format file per certificate/key combination in the directory:
/etc/ssl/private/
The CAs are also stored as one PEM format file per CA in the directory:
/etc/ssl/certs/

Steps:
Install HAproxy:
apt-get update && apt-get install haproxy

Configure HAproxy for HTTP and HTTPS load-balancing:

Edit the file /etc/haproxy/haproxy.cfg
Content:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
#
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
#
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
#
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Added to create separate error and access logs
option log-separate-errors
#
# ------- HTTP Frontend --------------
frontend http_in
bind *:80
mode http
reqadd X-Forwarded-Proto:\ http
default_backend http_out
#
# ------- HTTPS Frontend --------------
frontend https_glwp-in
bind *:443 ssl crt /etc/ssl/haproxy_certs/
mode http
reqadd X-Forwarded-Proto:\ https
default_backend http_out
#
#------------------------------------
listen stats :2000
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /stats
stats auth admin:mypasswd
#
# ------- HTTP Backend --------------
backend http_out
balance roundrobin
stick-table type ip size 200k expire 60m
stick on src
option forwardfor
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
option httpchk HEAD /
server web1 webserv1.mynet.net:80 check
server web2 webserv2.mynet.net:80 check
server web3 webserv3.mynet.net:80 check
server web4 webserv4.mynet.net:80 check

Preserving the source IP of client in TCP Proxying

In the above examples the protocols being load-balanced are application protocols, where you can retain the source IP by retrieving it from the HTTP/HTTPS header X-Forwarded-For: (obtained by the option: option forwardfor). If you use HAProxy as a TCP layer load balancer, then in order to retain the source IP (the client’s IP) see the following article: http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
It’s a tiny bit complex to understand and implement, especially in the backend server. I have not tried it yet, so I can’t guarantee its validity and therefore I can’t give any examples. From what I understand, the only changes needed to the TCP proxying directives (not explained here) are the following 2 requirements:
1) The HAProxy backend configuration includes the extra entry: source 0.0.0.0 usesrc clientip
2) The backend server network settings need to be configured to have the HAProxy host IP address as the default gateway.

This way the backend server sees the source IP of the client as if the client connected directly to the backend server and the responses from the backend server are returned via the HAProxy Host.
To be continued soon with practical examples …..

Happy load-balancing 🙂

Testing SSL Connections with SSLyze, Nmap or OpenSSL

Introduction:
OpenSSL is a great tool to check SSL connections to servers. The difficulty arises when one wants a full scan of all possible SSL ciphers and protocols used by a server. That is where SSLyze comes in handy. This tool is a Python script which scans the target host/port for SSL handshakes and reports what is supported and what is not. Unfortunately this lovely tool is not included in the Ubuntu/Debian distributions, and this is where this post comes in handy.

IMPORTANT: Besides executing all the tests below, one very important thing (as noted in this link) is to upgrade OpenSSL to the latest version as follows:
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

SSLyze

Installing the dependencies and tool
cd /root/bin
wget https://github.com/nabla-c0d3/sslyze/archive/0.13.4.tar.gz
tar fvxz 0.13.4.tar.gz
apt-get install python-pip python-dev
pip install nassl

Using SSLyze
python /root/bin/sslyze-0.13.4/sslyze_cli.py --regular www.itmatrix.eu:443

NMAP

Scanning the full server for weaknesses including weak SSL Versions using NMAP.
Note: This operation can take a long time to execute.
apt-get install nmap
nmap -sV -sC www.itmatrix.eu

OR better(for checking the HTTPS,SMTPS,IMAPS,POP3S)
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.itmatrix.eu
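
The ssl-enum-ciphers output of a scan across several ports is long, so it helps to reduce a saved scan to just the findings. The following is an added example, not part of the original post: it reads nmap output on stdin and prints the ports that still offer SSLv2/SSLv3 plus every cipher nmap grades C or worse. The function names are made up for this example, and the sample scan is constructed in the layout nmap 7.x prints; it is not a scan of a real host.

```sh
#!/bin/sh
# Added example: reduce `nmap --script ssl-enum-ciphers` output to its weak spots.

# Constructed sample in the layout nmap 7.x prints; not a scan of a real host.
sample_scan() {
cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF
}

# Reads nmap output on stdin and prints one finding per line:
#   <port> <protocol> PROTOCOL-OFFERED     SSLv2/SSLv3 accepted (DROWN, POODLE)
#   <port> <protocol> <cipher> grade=<X>   cipher graded C or worse by nmap
weak_tls_findings() {
  awk '
    # A new port section resets the current protocol.
    /^[0-9]+\/tcp +open/ { port = $1; proto = ""; next }
    # Protocol header such as "|   SSLv3:" or "|   TLSv1.2:".
    /^[|][ _]+(SSLv[23]|TLSv1\.[0-3]): *$/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto ~ /^SSLv/) print port, proto, "PROTOCOL-OFFERED"
      next
    }
    # Cipher line: the letter grade is the last field.
    /^[|][ _]+TLS_[A-Z0-9_]+ .* - [A-F]$/ {
      grade = $NF
      if (grade >= "C") print port, proto, $2, "grade=" grade
    }
  '
}

sample_scan | weak_tls_findings
```

For a real check, save the scan with nmap's -oN option and feed that file to weak_tls_findings instead of the sample.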

OpenSSL

Checking the SSL connection with OpenSSL
echo 'q' | openssl s_client -host www.itmatrix.eu -port 443
Note: In the above case, since SSLv2 support is normally disabled for OpenSSL in Debian/Ubuntu distributions, you will not be able to see whether the server supports it. To overcome this and enable SSLv2 support (on your testing Linux machine), follow the instructions on this site:
http://www.hackwhackandsmack.com/?p=46

NOTE:
For more information regarding protection against DROWN(SSLv2) or POODLE(SSLv3) attacks see:
https://drownattack.com
http://www.softwaresecured.com/2016/03/01/how-to-confirm-whether-you-are-vulnerable-to-the-drown-attack/
http://www.mogilowski.net/lang/de-de/2014/10/23/disabling-sslv3-for-poodle-on-debian/
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29
https://zmap.io/sslv3/

Can’t connect to VSFTPD with Filezilla

Problem:
Because of an incompatibility in the default ciphers used by VSFTPD, FileZilla cannot connect to it.

Solution:
Edit the VSFTPD configuration file /etc/vsftpd.conf and add the following directive:
ssl_ciphers=HIGH

Restart the VSFTPD server and use the default settings for a new FTP connection, with the encryption set to ‘explicit FTP over TLS’.

Thingsee: Weatherproof Streaming GPS & Environment Sensor

An Introduction to Thingsee: Working with electronics and getting your project streaming data is so fun and rewarding. But what about when you want to put it outside? Or don’t have access to WiFi? Or, heaven forbid, don’t want to struggle through debugging code and one-off solutions? Well have no fear because the Thingsee One […]

Thanks to Initialstate.com for these Posts and details