Monday, December 19, 2016

create self signed cert

Thanks to jpmens@gmail.com

Generate CA
#!/usr/bin/env bash
#(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA

# Copyright (c) 2013-2016 Jan-Piet Mens <jpmens()gmail.com>
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of mosquitto nor the names of its
#    contributors may be used to endorse or promote products derived from
#    this software without specific prior written permission.
# 
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

#
# Usage:
# ./generate-CA.sh  creates ca.crt and server.{key,crt}
# ./generate-CA.sh hostname creates hostname.{key,crt}
# ./generate-CA.sh client email creates email.{key,crt}
#
# Set the following optional environment variables before invocation
# to add the specified IP addresses and/or hostnames to the subjAltName list
# These contain white-space-separated values
#
# IPLIST="172.13.14.15 192.168.1.1"
# HOSTLIST="a.example.com b.example.com"

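set -e

export LANG=C

kind=server

# Two arguments ("client email") select client mode; anything else is
# server mode for the host named in $1 (default: this machine's FQDN).
if [ $# -ne 2 ]; then
 kind=server
 host=$(hostname -f)
 if [ -n "$1" ]; then
  host="$1"
 fi
else
 kind=client
 CLIENT="$2"
fi

[ -z "$USER" ] && USER=root

DIR=${TARGET:='.'}
# A space-separated list of alternate hostnames (subjAltName)
# may be empty ""
ALTHOSTNAMES=${HOSTLIST}
ALTADDRESSES=${IPLIST}
CA_ORG='/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net'
CA_DN="/CN=An MQTT broker${CA_ORG}"
CACERT=${DIR}/ca
SERVER="${DIR}/${host}"
SERVER_DN="/CN=${host}$CA_ORG"
keybits=2048
# Resolve openssl with the portable builtin and fail early: with an
# empty $openssl, "$openssl req ..." would try to run a command named
# "req" and the error would surface much later.
openssl=$(command -v openssl) || { echo "$0: openssl not found in PATH" >&2; exit 1; }
MOSQUITTOUSER=${MOSQUITTOUSER:=$USER}

# Signature Algorithm. To find out which are supported by your
# version of OpenSSL, run `openssl dgst -help` and set your
# signature algorithm here. For example:
#
# defaultmd="-sha256"
#
defaultmd="-sha512"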

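#######################################
# Print the number of days from today until the end year, so that
# every certificate produced by this script expires at the same time.
# Arguments: $1 - optional end year (default 2032, the original constant)
# Outputs:   number of days on stdout
# Returns:   0 on success; 1 when the end year is not in the future,
#            because openssl would reject a non-positive -days value
# NOTE(review): a validity of many years is far longer than what some
#            TLS clients accept for server certificates; consider a
#            shorter end year for the leaf certificates.
#######################################
function maxdays() {
 local endyear=${1:-2032}
 local nowyear years
 nowyear=$(date +%Y)
 years=$((endyear - nowyear))
 if [ "$years" -le 0 ]; then
  echo "$0: end year ${endyear} is not in the future; cannot compute validity" >&2
  return 1
 fi
 echo $((years * 365))
}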

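#######################################
# Print every local IPv4/IPv6 interface address, one per line, without
# prefix length or IPv6 scope suffix and without the loopback addresses
# (those are appended by addresslist).
# Outputs:   addresses on stdout; nothing if no address tool is found
# NOTE(review): every address found here ends up in the server
#            certificate's subjectAltName, including private and
#            link-local ones; set HOSTLIST/IPLIST deliberately if the
#            certificate will leave this machine.
#######################################
function getipaddresses() {
 # Prefer the legacy ifconfig the script was written for; fall back to
 # iproute2's ip(8), which is what current Linux systems ship instead.
 if [ -x /sbin/ifconfig ]; then
  /sbin/ifconfig |
   grep -v tunnel |
   sed -En '/inet6? /p' |
   sed -Ee 's/inet6? (addr:)?//' |
   awk '{print $1;}'
 elif command -v ip >/dev/null 2>&1; then
  # "ip -o addr" prints one record per line: "<idx>: <if> inet[6] <addr>/<len> ..."
  ip -o addr show | awk '$3 ~ /^inet6?$/ {print $4}'
 else
  echo "$0: neither /sbin/ifconfig nor ip found; no interface addresses added" >&2
 fi |
  sed -e 's/[%/].*//' |
  grep -E -v '(::1|127\.0\.0\.1)' # omit loopback to add it later
}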


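#######################################
# Build the subjectAltName value for the server certificate: all local
# interface addresses, loopback, the IPLIST/HOSTLIST extras, the server
# hostname itself and "localhost".
# Globals:   ALTADDRESSES, ALTHOSTNAMES (read); host (read, may be
#            empty in client mode)
# Outputs:   comma-separated "IP:..." / "DNS:..." list on stdout
#######################################
function addresslist() {
 local alist="" a ip h

 for a in $(getipaddresses); do
  alist="${alist}IP:$a,"
 done
 alist="${alist}IP:127.0.0.1,IP:::1,"

 # IPLIST / HOSTLIST are documented as white-space separated, so the
 # unquoted expansions (word splitting) here are intentional.
 for ip in ${ALTADDRESSES}; do
  alist="${alist}IP:${ip},"
 done
 for h in ${ALTHOSTNAMES}; do
  alist="${alist}DNS:$h,"
 done
 # Modern TLS clients match the server name against subjectAltName only
 # and ignore the CN, so the certificate's own hostname must be listed
 # here too (unless HOSTLIST already names it).
 if [ -n "${host:-}" ]; then
  case " ${ALTHOSTNAMES} " in
   *" ${host} "*) ;;
   *) alist="${alist}DNS:${host}," ;;
  esac
 fi
 alist="${alist}DNS:localhost"
 echo "$alist"
}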

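days=$(maxdays)

# Remove whichever temporary extension file is current on every exit
# path (set -e aborts included); previously it was only deleted after a
# successful signing.
CNF=""
trap 'if [ -n "$CNF" ]; then rm -f -- "$CNF"; fi' EXIT

if [ -n "$CAKILLFILES" ]; then
 rm -f "$CACERT".??? "$CACERT".srl
 # In client mode $host is empty, so "$SERVER.???" would expand to
 # "./.???" and match unrelated three-letter dotfiles in the target dir.
 if [ -n "${host:-}" ]; then
  rm -f "$SERVER".???
 fi
fi

if [ ! -f "$CACERT".crt ]; then

 #    ____    _    
 #   / ___|  / \   
 #  | |     / _ \  
 #  | |___ / ___ \ 
 #   \____/_/   \_\
 #                 

 # Create un-encrypted (!) key. Whoever can read ca.key can issue
 # certificates trusted by every broker and client that trusts ca.crt.
 # $openssl and $defaultmd stay unquoted on purpose: defaultmd may be
 # set to the empty string to use the OpenSSL default digest.
 $openssl req -newkey rsa:${keybits} -x509 -nodes $defaultmd -days "$days" -extensions v3_ca -keyout "$CACERT".key -out "$CACERT".crt -subj "${CA_DN}"
 echo "Created CA certificate in $CACERT.crt"
 $openssl x509 -in "$CACERT".crt -nameopt multiline -subject -noout

 chmod 400 "$CACERT".key
 chmod 444 "$CACERT".crt
 chown "$MOSQUITTOUSER" "$CACERT".*
 echo "Warning: the CA key is not encrypted; store it safely!"
fi


if [ "$kind" = 'server' ]; then

 #   ____                           
 #  / ___|  ___ _ ____   _____ _ __ 
 #  \___ \ / _ \ '__\ \ / / _ \ '__|
 #   ___) |  __/ |   \ V /  __/ |   
 #  |____/ \___|_|    \_/ \___|_|   
 #                                  

 if [ ! -f "$SERVER".key ]; then
  echo "--- Creating server key and signing request"
  $openssl genrsa -out "$SERVER".key "$keybits"
  $openssl req -new $defaultmd \
   -out "$SERVER".csr \
   -key "$SERVER".key \
   -subj "${SERVER_DN}"
  chmod 400 "$SERVER".key
  chown "$MOSQUITTOUSER" "$SERVER".key
 fi

 if [ -f "$SERVER".csr ] && [ ! -f "$SERVER".crt ]; then

  # There's no way to pass subjAltName on the CLI so
  # create a cnf file and use that. The delimiter is quoted so that
  # $ENV::SUBJALTNAME reaches openssl literally (it reads the exported
  # environment variable itself).
  # extendedKeyUsage = serverAuth is set because some TLS client
  # platforms refuse server certificates without it.

  CNF=$(mktemp /tmp/cacnf.XXXXXXXX) || { echo "$0: can't create temp file" >&2; exit 1; }
  sed -e 's/^.*%%% //' > "$CNF" <<\!ENDconfig
  %%% [ JPMextensions ]
  %%% basicConstraints        = critical,CA:false
  %%% nsCertType              = server
  %%% keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
  %%% extendedKeyUsage        = serverAuth
  %%% nsComment               = "Broker Certificate"
  %%% subjectKeyIdentifier    = hash
  %%% authorityKeyIdentifier  = keyid,issuer:always
  %%% subjectAltName          = $ENV::SUBJALTNAME
  %%% # issuerAltName           = issuer:copy
  %%% ## nsCaRevocationUrl       = http://mqttitude.org/carev/
  %%% ## nsRevocationUrl         = http://mqttitude.org/carev/
  %%% certificatePolicies     = ia5org,@polsection
  %%% 
  %%% [polsection]
  %%% policyIdentifier     = 1.3.5.8
  %%% CPS.1      = "http://localhost"
  %%% userNotice.1     = @notice
  %%% 
  %%% [notice]
  %%% explicitText            = "This CA is for a local MQTT broker installation only"
  %%% organization            = "OwnTracks"
  %%% noticeNumbers           = 1

!ENDconfig

  SUBJALTNAME="$(addresslist)"
  export SUBJALTNAME  # consumed via $ENV::SUBJALTNAME in the config above

  echo "--- Creating and signing server certificate"
  $openssl x509 -req $defaultmd \
   -in "$SERVER".csr \
   -CA "$CACERT".crt \
   -CAkey "$CACERT".key \
   -CAcreateserial \
   -CAserial "${DIR}/ca.srl" \
   -out "$SERVER".crt \
   -days "$days" \
   -extfile "${CNF}" \
   -extensions JPMextensions

  rm -f -- "$CNF"
  CNF=""
  chmod 444 "$SERVER".crt
  chown "$MOSQUITTOUSER" "$SERVER".crt
 fi
else
 #    ____ _ _            _   
 #   / ___| (_) ___ _ __ | |_ 
 #  | |   | | |/ _ \ '_ \| __|
 #  | |___| | |  __/ | | | |_ 
 #   \____|_|_|\___|_| |_|\__|
 #                            

 # NOTE(review): $CLIENT is the bare second argument, so unlike the CA
 # and server files the client files are written to the current
 # directory, not to $DIR.
 if [ ! -f "$CLIENT".key ]; then
  echo "--- Creating client key and signing request"
  $openssl genrsa -out "$CLIENT".key "$keybits"

  CNF=$(mktemp /tmp/cacnf-req.XXXXXXXX) || { echo "$0: can't create temp file" >&2; exit 1; }
  # Mosquitto's use_identity_as_username takes the CN attribute
  # so we're populating that with the client's name. The delimiter is
  # deliberately unquoted so that $CLIENT expands into the config.
  # output_password only matters when req generates the key itself,
  # which it does not here (the key comes from genrsa above).
  sed -e 's/^.*%%% //' > "$CNF" <<!ENDClientconfigREQ
  %%% [ req ]
  %%% distinguished_name = req_distinguished_name
  %%% prompt   = no
  %%% output_password  = secret
  %%% 
  %%% [ req_distinguished_name ]
  %%% # O                       = OwnTracks
  %%% # OU                      = MQTT
  %%% # CN                      = Suzie Smith
  %%% CN                        = $CLIENT
  %%% # emailAddress            = $CLIENT
!ENDClientconfigREQ

  $openssl req -new $defaultmd \
   -out "$CLIENT".csr \
   -key "$CLIENT".key \
   -config "$CNF"
  # The request config was never removed before; it holds no secret but
  # should not accumulate in /tmp.
  rm -f -- "$CNF"
  CNF=""
  chmod 400 "$CLIENT".key
 fi

 if [ -f "$CLIENT".csr ] && [ ! -f "$CLIENT".crt ]; then

  CNF=$(mktemp /tmp/cacnf-cli.XXXXXXXX) || { echo "$0: can't create temp file" >&2; exit 1; }
  sed -e 's/^.*%%% //' > "$CNF" <<\!ENDClientconfig
  %%% [ JPMclientextensions ]
  %%% basicConstraints        = critical,CA:false
  %%% subjectAltName          = email:copy
  %%% nsCertType              = client,email
  %%% extendedKeyUsage        = clientAuth,emailProtection
  %%% keyUsage                = digitalSignature, keyEncipherment, keyAgreement
  %%% nsComment               = "Client Broker Certificate"
  %%% subjectKeyIdentifier    = hash
  %%% authorityKeyIdentifier  = keyid,issuer:always

!ENDClientconfig

  # JPMclientextensions uses "email:copy" and does not reference
  # $ENV::SUBJALTNAME, so no address list is computed for clients.

  echo "--- Creating and signing client certificate"
  $openssl x509 -req $defaultmd \
   -in "$CLIENT".csr \
   -CA "$CACERT".crt \
   -CAkey "$CACERT".key \
   -CAcreateserial \
   -CAserial "${DIR}/ca.srl" \
   -out "$CLIENT".crt \
   -days "$days" \
   -extfile "${CNF}" \
   -extensions JPMclientextensions

  rm -f -- "$CNF"
  CNF=""
  chmod 444 "$CLIENT".crt
 fi
fi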

 Generate Client
#!/bin/bash
#  generate-client - Create client key-pair for MQTT signed by CA
#
#  The key is not encrypted so that the certificate can be used on
#  embedded devices.

# Copyright 2015 Jerry Dunmire <jedunmire-AT-gmail>
# All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of mosquitto nor the names of its
#    contributors may be used to endorse or promote products derived from
#    this software without specific prior written permission.
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

#
# Usage:
#   ./generate-client.sh client_name
#     creates client_name{key,crt}
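set -e

if [ -n "$1" ]; then
    client="$1"
else
   echo "ERROR: missing client_name argument." >&2
   echo "USAGE: $0 client_name" >&2
   echo "exiting... " >&2
   exit 1
fi

[ -z "$USER" ] && USER=root

DIR=${TARGET:='.'}
# Organisation part of the client DN.
# NOTE(review): this does not match the CA_ORG in generate-CA.sh above
# ('/O=OwnTracks.org/OU=generate-CA/...'). The two only need to agree
# if something relies on the O/OU attributes; per the comment in
# generate-CA.sh, Mosquitto's use_identity_as_username reads the CN.
CA_ORG='/O=MQTTitude.org/emailAddress=nobody@example.net'
CACERT=${DIR}/ca
CLIENT="${DIR}/${client}"
CLIENT_DN="/CN=${client}$CA_ORG"
keybits=2048
# Resolve openssl with the portable builtin and fail early instead of
# letting an empty $openssl turn "$openssl req" into the command "req".
openssl=$(command -v openssl) || { echo "ERROR: openssl not found in PATH" >&2; exit 1; }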

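#######################################
# Print the number of days from today until the end year, so that the
# client certificate expires together with the CA-issued server ones.
# Arguments: $1 - optional end year (default 2032, the original constant)
# Outputs:   number of days on stdout
# Returns:   0 on success; 1 when the end year is not in the future,
#            because openssl would reject a non-positive -days value
#######################################
function maxdays() {
    local endyear=${1:-2032}
    local nowyear years
    nowyear=$(date +%Y)
    years=$((endyear - nowyear))
    if [ "$years" -le 0 ]; then
        echo "$0: end year ${endyear} is not in the future; cannot compute validity" >&2
        return 1
    fi
    echo $((years * 365))
}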

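days=$(maxdays)

# Remove the temporary extension file on every exit path.
CNF=""
trap 'if [ -n "$CNF" ]; then rm -f -- "$CNF"; fi' EXIT

if [ ! -f "$CACERT".crt ]
then
    echo "ERROR: Could not find CA certificate: $CACERT.crt" >&2
    echo "Exiting..." >&2
    exit 1
fi

if [ ! -f "$CLIENT".key ]
then
    echo "--- Creating client key and signing request"
    echo "--- WARNING: key is not encrypted, keep it safe!"
    $openssl genrsa -out "$CLIENT".key "$keybits"
    # Pin the digest instead of relying on the OpenSSL build's default.
    $openssl req -new -sha256 \
        -out "$CLIENT".csr \
        -key "$CLIENT".key \
        -subj "${CLIENT_DN}"
    chmod 400 "$CLIENT".key
fi

if [ -f "$CLIENT".csr ] && [ ! -f "$CLIENT".crt ]
then
    # "-addtrust clientAuth" (used before) does not put an
    # extendedKeyUsage extension into the certificate; it attaches
    # OpenSSL-specific trust settings and emits a "TRUSTED CERTIFICATE"
    # PEM blob that TLS stacks other than OpenSSL may not load. Sign with
    # real X.509v3 extensions instead, mirroring the client profile in
    # generate-CA.sh.
    CNF=$(mktemp /tmp/cacnf-cli.XXXXXXXX) || { echo "$0: can't create temp file" >&2; exit 1; }
    cat > "$CNF" <<'!ENDclientext'
[ clientextensions ]
basicConstraints        = critical,CA:false
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
!ENDclientext

    echo "--- Creating and signing client certificate"
    # -CAcreateserial: ca.srl does not exist yet if generate-CA.sh has
    # not signed a server certificate on this machine.
    $openssl x509 -req -sha256 \
        -in "$CLIENT".csr \
        -CA "$CACERT".crt \
        -CAkey "$CACERT".key \
        -CAcreateserial \
        -CAserial "${DIR}/ca.srl" \
        -out "$CLIENT".crt \
        -days "$days" \
        -extfile "$CNF" \
        -extensions clientextensions

    rm -f -- "$CNF"
    CNF=""
    chmod 444 "$CLIENT".crt
fi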

Wednesday, August 10, 2016

16 commands to check hardware information on Linux

1. lscpu

The lscpu command reports information about the cpu and processing units. It does not have any further options or functionality.
$ lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 23
Stepping:              10
CPU MHz:               1998.000
BogoMIPS:              5302.48
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              2048K
NUMA node0 CPU(s):     0-3

2. lshw - List Hardware

A general purpose utility, that reports detailed and brief information about multiple different hardware units such as cpu, memory, disk, usb controllers, network adapters etc. Lshw extracts the information from different /proc files.
$ sudo lshw -short

H/W path        Device      Class       Description
===================================================
                            system      ()
/0                          bus         DG35EC
/0/0                        processor   Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz
/0/0/1                      memory      2MiB L2 cache
/0/0/3                      memory      32KiB L1 cache
/0/2                        memory      32KiB L1 cache
/0/4                        memory      64KiB BIOS
/0/14                       memory      8GiB System Memory
/0/14/0                     memory      2GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
/0/14/1                     memory      2GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
/0/14/2                     memory      2GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
/0/14/3                     memory      2GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
/0/100                      bridge      82G35 Express DRAM Controller
/0/100/2                    display     82G35 Express Integrated Graphics Controller
/0/100/2.1                  display     82G35 Express Integrated Graphics Controller
/0/100/19       eth0        network     82566DC Gigabit Network Connection
/0/100/1a                   bus         82801H (ICH8 Family) USB UHCI Controller #4
/0/100/1a.1                 bus         82801H (ICH8 Family) USB UHCI Controller #5
/0/100/1a.7                 bus         82801H (ICH8 Family) USB2 EHCI Controller #2
/0/100/1b                   multimedia  82801H (ICH8 Family) HD Audio Controller
/0/100/1c                   bridge      82801H (ICH8 Family) PCI Express Port 1
/0/100/1c.1                 bridge      82801H (ICH8 Family) PCI Express Port 2
/0/100/1c.2                 bridge      82801H (ICH8 Family) PCI Express Port 3
/0/100/1c.2/0               storage     JMB368 IDE controller
/0/100/1d                   bus         82801H (ICH8 Family) USB UHCI Controller #1
/0/100/1d.1                 bus         82801H (ICH8 Family) USB UHCI Controller #2
/0/100/1d.2                 bus         82801H (ICH8 Family) USB UHCI Controller #3
/0/100/1d.7                 bus         82801H (ICH8 Family) USB2 EHCI Controller #1
/0/100/1e                   bridge      82801 PCI Bridge
/0/100/1e/5                 bus         FW322/323 [TrueFire] 1394a Controller
/0/100/1f                   bridge      82801HB/HR (ICH8/R) LPC Interface Controller
/0/100/1f.2                 storage     82801H (ICH8 Family) 4 port SATA Controller [IDE mode]
/0/100/1f.3                 bus         82801H (ICH8 Family) SMBus Controller
/0/100/1f.5                 storage     82801HR/HO/HH (ICH8R/DO/DH) 2 port SATA Controller [IDE m
/0/1            scsi3       storage     
/0/1/0.0.0      /dev/sda    disk        500GB ST3500418AS
/0/1/0.0.0/1    /dev/sda1   volume      70GiB Windows NTFS volume
/0/1/0.0.0/2    /dev/sda2   volume      395GiB Extended partition
/0/1/0.0.0/2/5  /dev/sda5   volume      97GiB HPFS/NTFS partition
/0/1/0.0.0/2/6  /dev/sda6   volume      97GiB Linux filesystem partition
/0/1/0.0.0/2/7  /dev/sda7   volume      1952MiB Linux swap / Solaris partition
/0/1/0.0.0/2/8  /dev/sda8   volume      198GiB Linux filesystem partition
/0/3            scsi4       storage     
/0/3/0.0.0      /dev/cdrom  disk        DVD RW DRU-190A
Check out the following post to learn more about lshw
Get hardware information on Linux with lshw command

3. hwinfo - Hardware Information

Hwinfo is another general purpose hardware probing utility that can report detailed and brief information about multiple different hardware components, and more than what lshw can report.
$ hwinfo --short
cpu:                                                            
                       Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz, 2000 MHz
                       Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz, 2000 MHz
                       Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz, 2666 MHz
                       Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz, 2666 MHz
keyboard:
  /dev/input/event2    AT Translated Set 2 keyboard
mouse:
  /dev/input/mice      Microsoft Basic Optical Mouse v2.0
graphics card:
                       Intel 965G-1
                       Intel 82G35 Express Integrated Graphics Controller
sound:
                       Intel 82801H (ICH8 Family) HD Audio Controller
storage:
                       Intel 82801H (ICH8 Family) 4 port SATA IDE Controller
                       Intel 82801H (ICH8 Family) 2 port SATA IDE Controller
                       JMicron JMB368 IDE controller
network:
  eth0                 Intel 82566DC Gigabit Network Connection
network interface:
  eth0                 Ethernet network interface
  lo                   Loopback network interface
disk:
  /dev/sda             ST3500418AS
partition:
  /dev/sda1            Partition
  /dev/sda2            Partition
  /dev/sda5            Partition
  /dev/sda6            Partition
  /dev/sda7            Partition
  /dev/sda8            Partition
cdrom:
  /dev/sr0             SONY DVD RW DRU-190A
usb controller:
                       Intel 82801H (ICH8 Family) USB UHCI Controller #4
                       Intel 82801H (ICH8 Family) USB UHCI Controller #5
                       Intel 82801H (ICH8 Family) USB2 EHCI Controller #2
                       Intel 82801H (ICH8 Family) USB UHCI Controller #1
                       Intel 82801H (ICH8 Family) USB UHCI Controller #2
                       Intel 82801H (ICH8 Family) USB UHCI Controller #3
                       Intel 82801H (ICH8 Family) USB2 EHCI Controller #1
bios:
                       BIOS

... TRUNCATED ...
Check out our previous post on hwinfo
Check hardware information on Linux with hwinfo command

4. lspci - List PCI

The lspci command lists out all the pci buses and details about the devices connected to them.
The vga adapter, graphics card, network adapter, usb ports, sata controllers, etc all fall under this category.
$ lspci
00:00.0 Host bridge: Intel Corporation 82G35 Express DRAM Controller (rev 03)
00:02.0 VGA compatible controller: Intel Corporation 82G35 Express Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation 82G35 Express Integrated Graphics Controller (rev 03)
00:19.0 Ethernet controller: Intel Corporation 82566DC Gigabit Network Connection (rev 02)
00:1a.0 USB controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 02)
00:1a.1 USB controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 02)
00:1a.7 USB controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 02)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 02)
00:1c.2 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 3 (rev 02)
00:1d.0 USB controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 02)
00:1d.1 USB controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 02)
00:1d.2 USB controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 02)
00:1d.7 USB controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev f2)
00:1f.0 ISA bridge: Intel Corporation 82801HB/HR (ICH8/R) LPC Interface Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801H (ICH8 Family) 4 port SATA Controller [IDE mode] (rev 02)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 02)
00:1f.5 IDE interface: Intel Corporation 82801HR/HO/HH (ICH8R/DO/DH) 2 port SATA Controller [IDE mode] (rev 02)
03:00.0 IDE interface: JMicron Technology Corp. JMB368 IDE controller
04:05.0 FireWire (IEEE 1394): LSI Corporation FW322/323 [TrueFire] 1394a Controller (rev 70)
Filter out specific device information with grep.
$ lspci -v | grep "VGA" -A 12

5. lsscsi - List scsi devices

Lists out the scsi/sata devices like hard drives and optical drives.
$ lsscsi
[3:0:0:0]    disk    ATA      ST3500418AS      CC38  /dev/sda 
[4:0:0:0]    cd/dvd  SONY     DVD RW DRU-190A  1.63  /dev/sr0

6. lsusb - List usb buses and device details

This command shows the USB controllers and details about the devices connected to them. By default brief information is printed. Use the verbose option "-v" to print detailed information about each usb port.
$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 002: ID 045e:00cb Microsoft Corp. Basic Optical Mouse v2.0
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
On the above system, 1 usb port is being used by the mouse.

7. Inxi

Inxi is a 10K line mega bash script that fetches hardware details from multiple different sources and commands on the system, and generates a beautiful looking report that non technical users can read easily.
$ inxi -Fx
inxi linux hardware information tool

8. lsblk - List block devices

Lists information about all block devices, which are the hard drive partitions and other storage devices like optical drives and flash drives.
$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 465.8G  0 disk 
├─sda1   8:1    0    70G  0 part 
├─sda2   8:2    0     1K  0 part 
├─sda5   8:5    0  97.7G  0 part /media/4668484A68483B47
├─sda6   8:6    0  97.7G  0 part /
├─sda7   8:7    0   1.9G  0 part [SWAP]
└─sda8   8:8    0 198.5G  0 part /media/13f35f59-f023-4d98-b06f-9dfaebefd6c1
sr0     11:0    1  1024M  0 rom

9. df - disk space of file systems

Reports various partitions, their mount points and the used and available space on each.
$ df -H
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda6       104G   26G   73G  26% /
none            4.1k     0  4.1k   0% /sys/fs/cgroup
udev            4.2G  4.1k  4.2G   1% /dev
tmpfs           837M  1.6M  835M   1% /run
none            5.3M     0  5.3M   0% /run/lock
none            4.2G   13M  4.2G   1% /run/shm
none            105M   21k  105M   1% /run/user
/dev/sda8       210G  149G   51G  75% /media/13f35f59-f023-4d98-b06f-9dfaebefd6c1
/dev/sda5       105G   31G   75G  30% /media/4668484A68483B47

10. Pydf - Python df

An improved df version written in python, that displays colored output that looks better than df
$ pydf
Filesystem Size Used Avail Use%          Mounted on                                 
/dev/sda6   96G  23G   68G 24.4 [#.....] /                                          
/dev/sda8  195G 138G   47G 70.6 [####..] /media/13f35f59-f023-4d98-b06f-9dfaebefd6c1
/dev/sda5   98G  28G   69G 29.2 [##....] /media/4668484A68483B47

11. fdisk

Fdisk is a utility to modify partitions on hard drives, and can be used to list out the partition information as well.
$ sudo fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x30093008

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63   146801969    73400953+   7  HPFS/NTFS/exFAT
/dev/sda2       146802031   976771071   414984520+   f  W95 Ext'd (LBA)
/dev/sda5       146802033   351614654   102406311    7  HPFS/NTFS/exFAT
/dev/sda6       351614718   556427339   102406311   83  Linux
/dev/sda7       556429312   560427007     1998848   82  Linux swap / Solaris
/dev/sda8       560429056   976771071   208171008   83  Linux

12. mount

The mount command is used to mount/unmount and view mounted file systems.
$ mount | column -t
/dev/sda6    on  /                                            type  ext4             (rw,errors=remount-ro)
proc         on  /proc                                        type  proc             (rw,noexec,nosuid,nodev)
sysfs        on  /sys                                         type  sysfs            (rw,noexec,nosuid,nodev)
none         on  /sys/fs/cgroup                               type  tmpfs            (rw)
none         on  /sys/fs/fuse/connections                     type  fusectl          (rw)
none         on  /sys/kernel/debug                            type  debugfs          (rw)
none         on  /sys/kernel/security                         type  securityfs       (rw)
udev         on  /dev                                         type  devtmpfs         (rw,mode=0755)
devpts       on  /dev/pts                                     type  devpts           (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs        on  /run                                         type  tmpfs            (rw,noexec,nosuid,size=10%,mode=0755)
none         on  /run/lock                                    type  tmpfs            (rw,noexec,nosuid,nodev,size=5242880)
none         on  /run/shm                                     type  tmpfs            (rw,nosuid,nodev)
none         on  /run/user                                    type  tmpfs            (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none         on  /sys/fs/pstore                               type  pstore           (rw)
/dev/sda8    on  /media/13f35f59-f023-4d98-b06f-9dfaebefd6c1  type  ext4             (rw,nosuid,nodev,errors=remount-ro)
/dev/sda5    on  /media/4668484A68483B47                      type  fuseblk          (rw,nosuid,nodev,allow_other,blksize=4096)
binfmt_misc  on  /proc/sys/fs/binfmt_misc                     type  binfmt_misc      (rw,noexec,nosuid,nodev)
systemd      on  /sys/fs/cgroup/systemd                       type  cgroup           (rw,noexec,nosuid,nodev,none,name=systemd)
gvfsd-fuse   on  /run/user/1000/gvfs                          type  fuse.gvfsd-fuse  (rw,nosuid,nodev,user=enlightened)
Again, use grep to filter out only those file systems that you want to see
$ mount | column -t | grep ext

13. free - Check RAM

Check the amount of used, free and total amount of RAM on system with the free command.
$ free -m
             total       used       free     shared    buffers     cached
Mem:          7975       5865       2110          0         24        622
-/+ buffers/cache:       5218       2757
Swap:         1951        921       1030

14. dmidecode

The dmidecode command is different from all other commands. It extracts hardware information by reading data from the SMBIOS data structures (also called DMI tables).
# display information about the processor/cpu
$ sudo dmidecode -t processor

# memory/ram information
$ sudo dmidecode -t memory

# bios details
$ sudo dmidecode -t bios
Check out the man page for more details.

15. /proc files

Many of the virtual files in the /proc directory contain information about hardware and configurations. Here are some of them
CPU/Memory information
# cpu information
$ cat /proc/cpuinfo

# memory information
$ cat /proc/meminfo
Linux/kernel information
$ cat /proc/version
Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
SCSI/Sata devices
$ cat /proc/scsi/scsi 
Attached devices:
Host: scsi3 Channel: 00 Id: 00 Lun: 00
  Vendor: ATA      Model: ST3500418AS      Rev: CC38
  Type:   Direct-Access                    ANSI  SCSI revision: 05
Host: scsi4 Channel: 00 Id: 00 Lun: 00
  Vendor: SONY     Model: DVD RW DRU-190A  Rev: 1.63
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Partitions
$ cat /proc/partitions 
major minor  #blocks  name

   8        0  488386584 sda
   8        1   73400953 sda1
   8        2          1 sda2
   8        5  102406311 sda5
   8        6  102406311 sda6
   8        7    1998848 sda7
   8        8  208171008 sda8
  11        0    1048575 sr0

16. hdparm

The hdparm command gets information about sata devices like hard disks.
$ sudo hdparm -i /dev/sda

/dev/sda:

 Model=ST3500418AS, FwRev=CC38, SerialNo=9VMJXV1N
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
 BuffType=unknown, BuffSize=16384kB, MaxMultSect=16, MultSect=16
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=976773168
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio1 pio2 pio3 pio4 
 DMA modes:  mdma0 mdma1 mdma2 
 UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 *udma6 
 AdvancedPM=no WriteCache=enabled
 Drive conforms to: unknown:  ATA/ATAPI-4,5,6,7

 * signifies the current active mode

Summary

Each of these commands has a slightly different method of extracting information, and you may need to try more than one of them while looking for specific hardware details. However, they are available across most Linux distros and can be easily installed from the default repositories.
On the desktop there are gui tools, for those who do not want to memorise and type commands. Hardinfo, I-nex are some of the popular ones that provide detailed information about multiple different hardware components

Tuesday, May 24, 2016

Check what Debian version you are running on your Linux system

The easiest way to check which Debian version you are running is to simply read the contents of the /etc/issue file. Example:
root@debian:~# cat /etc/issue
Debian GNU/Linux 7 \n \l

However, the above command may not show the current Debian update point releases. Thus you may get more accurate info with the following command:
root@debian:~# cat /etc/debian_version
7.7

An alternative way is by use of lsb_release command. This command may be missing by default so you may need to install it first:
# apt-get install lsb-release
Once you install the above package run the following command to see what debian version you are running on your debian box:
# lsb_release -da
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.7 (wheezy)
Release: 7.7
Codename: wheezy

For systemd debian version you may also use hostnamectl:
# hostnamectl 
   Static hostname: debian
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 4c983dae19f6403ca2c555c3867beb14
           Boot ID: 3b399eb976d04569a8514a1d666a4d81
    Virtualization: oracle
  Operating System: Debian GNU/Linux 8 (jessie)
            Kernel: Linux 3.16.0-4-amd64
      Architecture: x86-64
 
https://linuxconfig.org/check-what-debian-version-you-are-running-on-your-linux-system 

Friday, May 6, 2016

9 cách phát âm chữ A trong tiếng Anh

Chữ A trong tiếng Anh có cách phát âm khá phong phú, gây khó khăn không nhỏ cho người học khi mỗi lúc lại thấy nó được phát âm một kiểu.
Nhưng điều thú vị là 90% cách phát âm chữ A là tuân theo quy luật mà chúng ta hoàn toàn có thể nắm bắt được một cách dễ dàng.
Ví dụ bạn thấy A trong chữ "can" (có thể), "ban" (cấm), "pan" (cái chảo)… sẽ được phát âm là /æ/, nhưng chỉ cần thêm chữ E vào sau từ đó như "cane" (cái gậy), "bane" (nguyên nhân), "pane" (miếng kính) thì ngay lập tức cách phát âm chữ A sẽ thành /ei/. Đến đây ta mới thấy, tiếng Anh không “vô kỷ luật” như ta vẫn tưởng.
Thực chất chữ A được phát âm theo 9 cách, tùy thuộc khi chữ A được ghép với chữ nào trước và sau nó. Và chỉ cần bạn từng biết đến nó thì sẽ dễ dàng nhận ra và từ đó trở về sau, bạn sẽ thấy đọc những từ chứa chữ A dễ dàng và thú vị hơn rất nhiều. Và toàn bộ 26 chữ cái tiếng Anh từ A tới Z đều có những nguyên tắc phát âm dễ nhận ra, dễ tổng kết mà bạn hoàn toàn có thể học và nhớ được chúng.
Dưới đây là 9 cách phát âm chữ A trong tiếng Anh.
Chữ A thường được phát âm là /æ/
1. ant /ænt/ (n) con kiến
2. bag /bæg/ (n) cái túi
3. ban /bæn/ (v) cấm đoán
4. bat /bæt/ (n) con dơi
5. cat /kæt/ (n) con mèo
6. chat /tʃæt/ (v) nói chuyện phiếm, tán gẫu
7. clap /klæp/ (v) vỗ tay
8. dance /dænts/ (v) nhảy, khiêu vũ
9. fantastic /fænˈtæstɪk/ (a) tuyệt vời
10. gag /gæg/ (v) nói đùa
11. jazz /dʒæz/ (n) nhạc jazz
12. lap /læp/ (n) vạt áo, vạt váy
13. mad /mæd/ (adj) điên, tức giận
14. man /mæn/ (n) người đàn ông
15. map /mæp/ (n) bản đồ
16. mathematics /ˌmæθˈmætɪks/ (n) môn toán
17. sad /sæd/ (adj) buồn
18. sandwich /ˈsænwɪdʒ/ (n) bánh sandwich
19. stand /stænd/ (v) đứng
20. tan /tæn/ (adj) màu rám nắng
Chữ A thường được phát âm là /eɪ/ khi nó đứng trước be, ce, ke, me, pe, te, se, ze
1. babe /beɪb/ (n) đứa trẻ
2. face /feɪs/ (n) mặt
3. lace /leɪs/ (n) dây buộc
4. bake /beɪk/ (v) nướng
5. cake /keɪk/ (n) bánh ngọt
6. fake /feɪk/ (adj) giả tạo
7. lake /leɪk/ (n) hồ
8. make /meɪk/ (v) làm, tạo ra
9. fame /feɪm/ (v) danh tiếng
10. game /geɪm/ (n) trò chơi
11. name /neɪm/ (n) tên
12. same /seɪm/ (adj) giống nhau
13. tape /teɪp/ (n) cuộn băng
14. date /deɪt/ (n) ngày
15. fate /feɪt/ (n) số phận, định mệnh
16. hate /heɪt/ (v) ghét
17. mate /meɪt/ (n) bạn
18. base /beɪs/ (n) cơ sở, nền móng
19. chase /tʃeɪs/ (v) đuổi bắt
20. gaze /geɪz/ (v) nhìn chằm chằm
Chữ A thường được đọc là /ɑː/ khi nó đứng trước chữ r và nó tạo thành tổ hợp /a:r/
1. bar /bɑːr/ (n) quán bar
2. car /kɑːr/ (n) xe ô tô
3. carp /kɑːrp/ (n) cá chép
4. cart /kɑːrt/ (n) xe đẩy
5. charge /tʃɑːrdʒ/ (n) phí, giá tiền
6. chart /tʃɑːrt/ (n) biểu đồ
7. large /lɑːrdʒ/ (a) rộng
8. Mars /mɑːrz/ (n) sao hỏa
9. star /stɑːr/ (n) ngôi sao
10. start /stɑːrt/ (v) bắt đầu
d. Chữ A thường được đọc là /ɔː/ khi nó đứng trước l, ll, lk
1. ball /bɔːl/ (n) quả bóng
2. call /kɔːl/ (v) gọi điện
3. chalk /tʃɔːk/ (n) viên phấn
4. fall /fɔːl/ (n) mùa thu
5. fallout /ˈfɔːlaʊt/ (n) bụi phóng xạ
6. hall /hɔːl/ (n) hội trường
7. install /ɪnˈstɔːl/ (v) lắp đặt
8. mall /mɔːl/ (n) trung tâm thương mại
9. talk /tɔːk/ (v) nói chuyện
10. tall /tɔːl/ (adj) cao
e. Chữ A cũng được đọc là /ɔː/ khi nó đứng trước u, w
1. auction /ˈɔːkʃən/ (n) buổi đấu giá
2. audience /ˈɔːdiənts/ (n) khán giả
3. audio /ˈɔːdiəʊ/ (n) âm thanh
4. audit /ˈɔːdɪt/ (n) kiểm toán
5. auditorium /ˌɔːdɪˈtɔːriəm/ (n) thính phòng
6. author /ˈɔːθər/ (n) tác giả
7. caught /kɔːt/ (v) bắt (quá khứ của catch)
8. law /lɔː/ (n) luật pháp
9. saw /sɔː/ (v) nhìn (quá khứ của see)
10. straw /strɔː/ (n) rơm
Tuy nhiên trong một số trường hợp khi A đứng trước u, w, nó sẽ được đọc là /æ/
1. aunt /ænt/ (n) cô, dì
2. laugh /læf/ (v) cười to
Hoặc đôi khi đứng trước u, w, nó sẽ được đọc là /əʊ/
gauche /gəʊʃ/ (adj) vụng về
Chữ A thường được đọc là /er/ khi nó đứng trước re, ir
1. chair /tʃer/ (n) cái ghế
2. dare /der/ (v) dám (làm gì)
3. despair /dɪˈsper/ (v) thất vọng
4. fair /fer/ (adj) công bằng
5. fare /fer/ (n) giá vé
6. hair /her/ (n) tóc
7. mare /mer/ (n) ngựa cái
8. repair /rɪˈper/ (v) sửa chữa
9. scare /sker/ (n) sự sợ hãi
10. square /skwer/ (n) quảng trường
11. stair /ster/ (n) cầu thang
12. stare /ster/ (v) nhìn chằm chằm
Chữ A thường được đọc là /ɪ/ khi nó đứng trước ge
1. advantage /ədˈvæntɪdʒ/ (n) lợi ích, lợi thế
2. manage /ˈmænɪdʒ/ (v) quản lý
3. marriage /ˈmerɪdʒ/ (n) sự kết hôn
4. message /ˈmesɪdʒ/ (n) tin nhắn
5. package /ˈpækɪdʒ/ (n) gói hàng, bưu kiện
6. passage /ˈpæsɪdʒ/ (n) đoạn văn
7. usage /ˈjuːsɪdʒ/ (n) cách sử dụng
8. village /ˈvɪlɪdʒ/ (n) ngôi làng
9. vintage /ˈvɪntɪdʒ/ (n) sự cổ điển
10. voyage /ˈvɔɪɪdʒ/ (n) chuyến du ngoạn trên biển
Exceptions (Ngoại lệ)
1. garage /gəˈrɑːʒ/ (n) ga ra để xe
2. massage /məˈsɑːdʒ/ (n) mát xa
Chữ A thường được đọc là /ə/ khi nó đứng đầu từ có hai âm tiết trở lên và âm tiết đầu tiên không mang trọng âm
1. abandon /əˈbændən/ (v) từ bỏ
2. abbreviation /əˌbriːviˈeɪʃən/ (n) bài tóm tắt, sự viết tắt
3. about /əˈbaʊt/ (adv) về
4. above /əˈbʌv/ (prep) ở trên
5. abroad /əˈbrɔːd/ (adv) ở nước ngoài
6. academy /əˈkædəmi/ (n) học viện, viện hàn lâm
7. accept /əkˈsept/ (v) chấp nhận
8. account /əˈkaʊnt/ (n) tài khoản
9. accuse /əˈkjuːz/ (v) buộc tội
10. achieve /əˈtʃiːv/ (v) đạt được
11. addition /əˈdɪʃən/ (n) sự thêm vào
12. ahead /əˈhed/ (a) ở phía trước
13. align /əˈlaɪn/ (v) sắp cho thẳng hàng
14. appealing /əˈpiːlɪŋ/ (a) hấp dẫn
15. appointment /əˈpɔɪntmənt/ (n) sự hẹn gặp
16. aside /əˈsaɪd/ (adv) về một bên, sang một bên
17. assignment /əˈsaɪnmənt/ (n) việc được giao
18. attach /əˈtætʃ/ (v) gắn liền
19. attack /əˈtæk/ (v) tấn công
20. attract /əˈtrækt/ (v) hấp dẫn
Chữ A được đọc là /eɪ/ khi nó đứng trước y, i.
1. bait /beɪt/ (v) mắc mồi
2. chain /tʃeɪn/ (n) chuỗi, dãy
3. daily /ˈdeɪli/ (adj) hàng ngày
4. lain /leɪn/ (v-pp) nằm (quá khứ của lie)
5. lay /leɪ/ (v) đặt, để
6. main /meɪn/ (adj) chính
7. Monday /ˈmʌndeɪ/ (n) thứ Hai
8. nail /neɪl/ (n) móng tay
9. pain /peɪn/ (n) sự đau đớn
10. paint /peɪnt/ (v) vẽ
11. pray /preɪ/ (v) cầu nguyện
12. rain /reɪn/ (v) mưa
13. remain /rɪˈmeɪn/ (v) còn lại
14. train /treɪn/ (n) tàu hỏa
15. trait /treɪt/ (n) đặc điểm
16. tray /treɪ/(n) cái khay
17. Tuesday /ˈtuːzdeɪ/ (n) thứ Ba
http://vnexpress.net/tin-tuc/giao-duc/hoc-tieng-anh/9-cach-phat-am-chu-a-trong-tieng-anh-3397017.html

Thursday, February 18, 2016

Optimizing HTTPS on Nginx

Step 1: Connection credentials caching

Almost all of the overhead with SSL/TLS is during the initial connection setup, so caching the connection parameters for the session will drastically improve subsequent requests (or, in the case of SPDY, requests after the connection has closed – like a new page load).
All we need is these two lines:
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
This will create a cache shared between all worker processes. The cache size is specified in bytes (in this example: 20 MB). According to the Nginx documentation, 1MB can store about 4000 sessions, so for this example we can store about 80000 sessions, and we will store them for 180 minutes. If you expect more traffic, increase the cache size accordingly.
I usually don’t recommend lowering the ssl_session_timeout to below 10 minutes, but if your resources are sparse and your analytics tells you otherwise, go ahead. Nginx is supposedly smart enough to not use up all your RAM on session cache, even if you set this value too high, anyways.

Step 2: Disable SSL

– Say, what?
Technically, SSL (Secure Sockets Layer) has been superseded by TLS (Transport Layer Security). I guess it is just out of old habit and convention that we still talk about SSL.
SSL contains several weaknesses, there have been various attacks on implementations and it is vulnerable to certain protocol downgrade attacks.
The only browser or library still known to mankind that doesn’t support TLS is of course IE 6. Since that browser is dead (should be, there is not one single excuse in the world), we can safely disable SSL.
The most recent version of TLS is 1.2, but there are still modern browsers and libraries that use TLS 1.0.
So, we’ll add this line to our config then:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
That was easy, now on to something more complicated (which I made easy for you):

Step 3: Optimizing the cipher suites

The cipher suites are the hard core of SSL/TLS. This is where the encryption happens, and I will really not go into any of that here. All you need to know is that there are very secure suites, there are unsafe suites, and if you thought browser compatibility issues were big on the front-end, this is a whole new ballgame. Researching what cipher suites to use, what not to use and in what order takes a huge amount of time. Luckily for you, I’ve done it.
First you need to configure Nginx to tell the client that we have a preferred order of available cipher suites:
ssl_prefer_server_ciphers on;
Next we have to provide the actual list of ciphers:
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5
All of these suites use forward secrecy, and the fast cipher AES is the preferred one. You’ll lose support for all versions of Internet Explorer on Windows XP. Who cares?

Step 4: Generate DH parameters

If you want an explanation, read the DHE handshake and dhparam part on the Mozilla wiki. I’m not doing that here.
Create the DH parameters file with 2048 bit long safe prime:
$ openssl dhparam 2048 -out /etc/nginx/cert/dhparam.pem
And add it to your Nginx config:
ssl_dhparam /etc/nginx/cert/dhparam.pem;
Note that Java 6 doesn’t support DHParams with primes longer than 1024 bit. If that really matters to you, something is a bit wrong somewhere.

Step 5: Enable OCSP stapling

Online Certificate Status Protocol (OCSP) is a protocol for checking the revocation status of the presented certificate. When a proper browser is presented a certificate, it will contact the issuer of that certificate to check that it hasn’t been revoked. This, of course, adds overhead to the connection initialization and also presents a privacy issue involving a 3rd party.
Enter OCSP stapling:
The web server can at regular intervals, contact the certificate authority’s OCSP server to get a signed response and staple it on to the handshake when the connection is set up. This provides for a much more efficient connection initialization and keeps the 3rd party out of the way.
To make sure the response from the CA is not tampered with, we also set up Nginx to verify the response using the CA’s root and intermediate certificates, similar to what we did when we first enabled HTTPS on Nginx (remember, the order here is important):
cat AddTrustExternalCARoot.crt PositiveSSLCA2.crt > trustchain.crt
I am using a Positive SSL certificate so AddTrustExternalCARoot.crt is the root certificate and PositiveSSLCA2.crt is the intermediate. Replace with your issuer’s certificates accordingly. If you don’t have your CA’s root certificate, it should be available from their web site or you have to contact them.
Next, enable stapling and verification:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
You also need to provide one or more DNS servers for Nginx to use. Here I’m using Google’s public DNS servers, but you are free to use whichever works for you (if you don’t like Google or are worried about privacy, OpenDNS might be a good option for you). The resolvers are used in a round-robin fashion, so make sure all of them are good ones.

Step 6: Strict Transport Security

Even though you already should have made all regular HTTP requests redirect to HTTPS when you enabled SPDY, you do want to enable Strict Transport Security (STS or HSTS) to avoid having to do those redirects. STS is a nifty little feature enabled in modern browsers. All the server does is to set the response header Strict-Transport-Security with a max-age value.
If the browser has seen this header, it will not try to contact the server over regular HTTP again for the given time period. It will actually interpret all requests to this hostname as HTTPS, no matter what. You can even tell the browser to enable the same behaviour on all subdomains. It makes MITM attacks with SSLstrip harder to do.
All you need is this little line in your config:
add_header Strict-Transport-Security "max-age=31536000" always;
The max-age is set in seconds. 31536000 seconds is equivalent to 365 days.
If you want HSTS to apply to all subdomains, you use this config instead:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
That’s it.

Wrap-up

I know how annoying it is to follow guides like this. You just want the config, right?
Well, here it is:
# HTTPS server block assembled from Steps 1-6 above.
# NOTE(review): this configuration dates from early 2016; the protocol and
# cipher choices below reflect that and are worth re-checking against
# current guidance before reuse.
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # Certificate chain and its private key. The key file should be
        # readable only by the account nginx runs as.
        ssl_certificate /etc/nginx/cert/bjornjohansen.no.certchain.crt;
        ssl_certificate_key /etc/nginx/cert/bjornjohansen.no.key;

        # Step 1: session cache shared between all worker processes
        # (about 4000 sessions per MB per the Nginx documentation cited above).
        # NOTE(review): Step 1 recommends a 180m timeout; 60m is used here.
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 60m;

        # Step 3: the server's cipher order wins over the client's.
        ssl_prefer_server_ciphers on;

        # Step 3: forward-secret ECDH/DH suites, AES-GCM first.
        # NOTE(review): DH+3DES is the only non-AES entry; 3DES is a
        # 64-bit block cipher generally treated as legacy today — consider
        # dropping it unless a specific client still needs it.
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        # Step 4: 2048-bit DH parameters for the DHE suites.
        ssl_dhparam /etc/nginx/cert/dhparam.pem;

        # Step 2: TLS only, no SSLv2/SSLv3.
        # NOTE(review): TLS 1.0 and 1.1 have since been deprecated
        # (RFC 8996); unless legacy clients require them, TLSv1.2 alone
        # is the safer choice.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # Step 5: OCSP stapling, with the stapled response verified against
        # the issuer's root + intermediate chain built in Step 5.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
        # Resolvers used for the OCSP lookups, round-robin.
        # NOTE(review): these are third-party resolvers queried over plain
        # DNS; a local resolver avoids that external dependency.
        resolver 8.8.8.8 8.8.4.4;

        # Step 6: HSTS, max-age=31536000 s (365 days); `always` sends the
        # header on every response code. The commented variant also covers
        # subdomains — only enable it once every subdomain serves HTTPS.
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Rest of your regular config goes here:
        # […]
}
Now that you’re done, go check your site on the Qualys SSL Labs test. You should have an «A+» rating.
Have fun, be safe, encrypt everything!
BTW: Now that you have HTTPS properly set up, it is time to look at HTTP Public Key Pinning (HPKP).

Source https://bjornjohansen.no/optimizing-https-nginx