Month: November 2015

Let's Encrypt nginx SSL certificate renewal via cron

Add the commands below as a cron entry; the nginx reload runs after the renewal so the new certificate is picked up.

    /path/letsencrypt/letsencrypt-auto --server --renew-by-default -a webroot --webroot-path /webroot/ --email youremail --text --agree-tos --agree-dev-preview -d -d auth
    /etc/init.d/nginx reload

Then configure the nginx SSL settings as below.

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;

You may want to replace OpenSSL's default Diffie-Hellman (DH) parameters with your own for a stronger key exchange:

    /usr/bin/openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Then add the line below to the nginx SSL config:

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

Q: What if I want SNI for all the domains, including the ones behind the reverse proxy?
A: Add a conditional location in nginx so ACME challenge requests for every domain are served from the same webroot path, redirect everything else to HTTPS, and pass each extra name with its own -d switch.

    location /.well-known/acme-challenge { alias /webroot/.well-known/acme-challenge; }
    location / { return 301 https://$server_name$request_uri; }

Remember that a single SAN certificate lists every name, so this exposes your domain structure in the certificate.
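The port-80 and port-443 server blocks that put the pieces above together, as an added example that is not from the original post. It assumes the webroot is /webroot/, that the certificate directory under /etc/letsencrypt/live/ is named example.com, and that the names are example.com and auth.example.com (all placeholders); the backend address is a placeholder too.

```nginx
# Added example, not from the original post. Placeholders: example.com,
# auth.example.com, the live/ directory name and the backend address.

# Port 80: answer ACME HTTP-01 challenges for every name from one webroot,
# send everything else to HTTPS.
server {
    listen 80;
    server_name example.com auth.example.com;

    # 'alias' replaces the matched prefix, so a request for
    # /.well-known/acme-challenge/<token> is served from
    # /webroot/.well-known/acme-challenge/<token> whichever name was used.
    location /.well-known/acme-challenge/ {
        alias /webroot/.well-known/acme-challenge/;
        default_type text/plain;
    }

    # $host keeps the name the client asked for; $server_name would always
    # be the first entry of the server_name list, breaking the other names.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: one SAN certificate covering every name passed with -d.
server {
    listen 443 ssl;
    server_name example.com auth.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
        proxy_set_header Host $host;
    }
}
```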

F5 AAM Cache for app generated pages

Dynamic content needs a Cache-Control (max-age) and/or Expires header before AAM will cache it.

The AAM policy must also be set to honour those headers, which is not enabled by default.

Debug header decode:

    wainfodecode [X-WA-INFO header content]

Force cache clean up:

Check cache stats:

    tmsh show ltm profile web-acceleration [iapp name].app/[iapp name]_optimized-acceleration

Reset stats:

    tmsh reset-stats ltm profile web-acceleration [iapp name].app/[iapp name]_optimized-acceleration

Run HTTP POST request from chrome developer tools

Run this from the developer tools console.

You may need to load a page from the same origin as the target URL first, otherwise the browser's same-origin check blocks the request.

    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'http://url_here', true);
    xhr.setRequestHeader('Content-type', 'application/json');
    xhr.onload = function () {
        // do something with the response, e.g. xhr.status and xhr.responseText
    };
    xhr.send(JSON.stringify({ key: 'value' })); // sample body, replace with your own