DEV Community: Ashutosh Kumar

Enabling HTTPS on your website

Ashutosh Kumar — Sun, 09 Oct 2022 16:31:28 +0000

Most of the websites today on the internet uses HTTPS protocol and there are multiple reasons supporting it. In this article I'll show you how you can use HTTPS on your existing website hosted on NGINX or Apache web server.

What is HTTPS?

The S in HTTPS stands for "secure". HTTPS builds upon the original Hypertext Transfer Protocol (HTTP) standard to offer a more secure browsing experience. It uses Transport Layer Security (TLS) protocol to encrypt the network traffic. HTTPS protects the privacy and integrity of any data in transit and authenticates a website for the end-user.

Advantages of Using HTTPS

Some advantages of using HTTPS are:

Security

It protects users against man-in-the-middle (MITM) attacks that can be launched from compromised or insecure networks. Hackers can use such techniques to steal your customer’s sensitive information.

Confidence

The green padlock which appears on a secured site can give customers peace of mind that your website can be trusted and their information is safe.

Better SEO score

Search Engines prefer sites which supports HTTPS.

What is Let's Encrypt?

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain.
Let’s Encrypt leverages the Automatic Certificate Management Environment (ACME) protocol to automate the certificate granting process through a challenge-response technique. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.

What is Certbot?

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. It is compatible with most operating systems as well as the most popular web server software, such as Apache and NGINX. Certbot is responsible for communicating with Let’s Encrypt to request the certificate, perform any required ACME challenges, install the certificate, and configure the web server. It can also automatically handle the certificate renewal process.

Steps to enable HTTPS on your website

Before we begin you must need a website accessible over HTTP using your desired domain. Breaking this down further, the following components are required:

A server running on Linux with credentials to a standard user account (belonging to the sudo group) and the ability to access the server through SSH or Lish.
A registered domain name with DNS records pointing to the IPv4 (and optionally IPv6) address of your server.
The NGINX/Apache web server software installed on your server and configured for your domain.

1. Installing snapd

Snap is a package manager developed by Canonical (creators of Ubuntu). Software is packaged as a snap (self-contained application and dependencies) and the snapd tool is used to manage these packages. The reason why snaps are becoming popular is because they are applications packaged with all their dependencies to run on all popular Linux distributions from a single build. They update automatically and roll back gracefully.

Since certbot is packaged as a snap, we’ll need to install snapd before installing certbot.

If snapd is not installed, then run the following command:

  sudo apt update
  sudo apt install snapd

Install the core snap using the following command to ensure that you have the latest version of snapd:

  sudo snap install core
  sudo snap refresh core

2. Installing Certbot

The next step is to install Certbot using the snap command.

If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to avoid conflicts with the new Snap package. The exact command to do this depends on your OS. Here assuming that the server is running Ubuntu.

  sudo apt remove certbot

Use Snap to install Certbot.

  sudo snap install --classic certbot

Configure a symbolic link to the certbot executable using the ln command.

  sudo ln -s /snap/bin/certbot /usr/bin/certbot

3. Requesting TLS/SSL Certificate using Certbot

Run Certbot to start the certificate request:

When Certbot runs, it requests and installs certificate file along with a private key file. When used with the NGINX/Apache option (--nginx/--apache), Certbot also automatically edits the configuration files for NGINX/Apache, which dramatically simplifies configuring HTTPS for your web server.

Request a certfifcate and automatically configure it(recommend):

For NGINX:

  sudo certbot --nginx

For Apache:

  sudo certbot --apache

Request a certificate without configuring:

For NGINX:

  sudo certbot certonly --nginx

For Apache:

  sudo certbot certonly --apache

To request the certificate without relying on your NGINX/Apache installation, you can instead use the standalone plugin (--standalone).

During the installation process, Certbot will prompt you for some basic information including your email address and domain name.

Enter email address. The first prompt is to request an email address where Certbot can send urgent notices about the domain or registration. This should be the address of the web server administrator.
Accept terms of service. Certbot next asks you to agree to the Let’s Encrypt terms of service. Use the link in the output to download the PDF file and review the document. If you agree with the terms, enter Y. Entering N terminates the certificate request.
Optionally subscribe to mailing list. Certbot asks if you want to subscribe to the EFF mailing list. You can answer either Y or N without affecting the rest of the installation.
Enter domain name(s). Certbot now requests a domain name for the certificate. For each domain name, you should request separate certificates with and without the www prefix. If you have more than one domain to certify, separate the names with either a space or a comma.
Certbot then communicates with Let’s Encrypt to request the certificate(s) and perform any necessary challenges as defined in the ACME standard (see Challenge Types). In most cases, ownership can be proven through the HTTP challenge, which automatically adds a file on your web server. If you wish to change the challenge type or perform challenge manually, see the Manual section in the Certbot documentation.
If the operation is successful, Certbot confirms the certificates are enabled. It also displays some information about the directories where the certificates and key chains are stored, along with the expiration date. Certificates typically expire in 90 days.

Requesting TLS/SSL Certificate using Certbot

Your website will now use HTTPS. To confirm, go to your website and make sure to enter the URL with the https:/ protocol. If a lock appears to the left of the domain name in the browser's address bar, the certificate is most likely functioning properly. If the certificate is not correctly installed, the browser displays a warning page.

Renewing a TLS/SSL Certificate Using Certbot

Upon installation, Certbot is configured to renew any certificates automatically.

The command to renew certbot is installed in one of the following locations:

/etc/crontab/
/etc/cron.*/*
systemctl list-timers

It is not necessary to manually request an updated certificate or run Certbot again unless the site configuration changes. However, Certbot makes it possible to test the auto-renew mechanism or to forcibly update all certificates.

Test Automated Renewals

You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

Certbot inspects the certificates and confirms that they are not due for renewal, but simulates the process nonetheless. It displays information about whether the renewal would have been successful.

To manually force Certbot to renew all certificates, use renew command without any options

sudo certbot renew

References

I hope this article helps you in enabling HTTPS on your website.

Questions, suggestions, a word of thanks is always encouraged.

AES Encryption in Linux

Ashutosh Kumar — Fri, 01 Oct 2021 09:42:00 +0000

Ever felt the need of hiding stuff from the world. In this article, I'll show you how you can encrypt and decrypt your data using the AES Encryption technique. We'll use the openssl command for this purpose.

What is Symmetric Encryption?

Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt data. By using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it.

What is Advanced Encryption Standard (AES)?

Advanced Encryption Standard (also known as Rijndael), is one of the best symmetric encryption algorithm. AES is a block encryption algorithm and thus supports five modes which are as follows:

ECB mode: Electronic Code Book mode
CBC mode: Cipher Block Chaining mode
CFB mode: Cipher Feedback mode
OFB mode: Output Feedback mode
CTR mode: Counter mode

In this article, we will encrypt our data using CBC mode. ECB is generally not preferred as it is not secure. The command-line tool that we will use is openssl.

What is OpenSSL

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL supports many different cryptographic operations, such as symmetric key encryption, public/private key pair generation, public-key encryption, hash functions, digital signatures, etc.

openssl comes pre-installed in most Linux distributions. If it is not pre-installed then you can install it using your Linux package manager.

Encrypting a file

The following command is used to encrypt a file:

openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

After the execution of the command, it will ask you for setting the passphrase (secret key). Without the passphrase, nobody in this world can decrypt your file because brute-forcing AES is very difficult.

Let's learn about the different options that we provided.

openssl is the command-line tool that we are using.
enc is used to specify the cipher name
-aes-256-cbc is the cipher name along with the mode of operation which is CBC(Cipher Block Chaining mode)
-md sha512 specifies which digest to use for the generation of the key from the passphrase. The default value from version 1.1.0 is SHA256. Before version 1.1.0 MD5 was the default digest.
-pbkdf2 specifies to use PBKDF2 (Password-Based Key Derivation Function 2) algorithm
-iter 250000 is overriding the default count of iterations for the password. High values increase the time required to brute-force the resulting file. This option enables the use of the PBKDF2 algorithm to derive the key.
-salt Use salt in Key Derivation Function(KDF). This is the default behaviour and thus this option is not required.

Decrypting a file

Use the same command but add -d option to it. The command is as follows:

openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Encrypting and Decrypting Multiple Files

The above command works only on a single file thus to encrypt and decrypt multiple files you can first convert it into a tar file (you can even compress it) and then apply the same command.

My Personal Preference

I also use the same command but I also add -a and -A options to my command. -a is used for Base64 encode/decode and -A is used with -a to specify base64 buffer as a single line.

Thus the command I use for encryption and decryption is:

Encryption

openssl enc -aes-256-cbc -a -A -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Decryption

openssl enc -aes-256-cbc -a -A -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Fun Fact

This is the same encryption algorithm that was used by Elliot Alderson in the TV series Mr Robot to encrypt data.

References

Unix Stackexchange

I hope this article helped you learn about using AES encryption.

Questions, suggestions, a word of thanks is always encouraged.

Wireless Headset Microphone Issue for Linux

Ashutosh Kumar — Thu, 26 Aug 2021 12:07:00 +0000

Configuring microphone in a bluetooth headset in Linux is a difficult task. I have seen a lot of queries regarding this on several forums. I recently fixed this issue for myself in Manjaro KDE.

Why does this issue arise?

Most of the linux distribution use PulseAudio to manage sound settings. But pulseaudio with default installation only supports A2DP sink profile for High Fidelity Playback. This configuration only supports unidirectional audio transfer (Laptop to Headset). For using headset as both input and output we need to make use of HSP/HFP sink profile which is not present in the default installation of pulseaudio due to it’s buggy nature.

Solution

There are few libraries which adds the support for HSP/HFP in pulseaudio such as oFono and phonesim but it takes a lot of effort to setup and also does not guarantee good results. A better solution is to replace PulseAudio with PipeWire.

What is PipeWire

PipeWire acts as a drop-in replacement for PulseAudio and offers an easy way to set up Bluetooth headsets. It includes out-of-the-box support for A2DP sink profiles using SBC/SBC-XQ, AptX, LDAC or AAC codecs, and HFP/HSP.

Installation for Manjaro KDE

First remove pulseaudio along with all it's dependencies by running the following command:

sudo pacman -Rdd manjaro-pulse pulseaudio pulseaudio-alsa pulseaudio-equalizer pulseaudio-jack pulseaudio-lirc pulseaudio-rtp pulseaudio-zeroconf pulseaudio-bluetooth pulseaudio-ctl sof-firmware
Install pipewire and all the necessary dependencies using the following command:

sudo pacman -S manjaro-pipewire
Now execute the following commands to start the service:

systemctl --user enable pipewire.socket --now

systemctl --user start pipewire.service
Reboot the system
To check if the replacement is working, run the following command and see the output:
```
$ pactl info
...
Server Name: PulseAudio (on PipeWire 0.3.32)
...
```

Installation for Ubuntu Users:

Open your terminal and follow these steps:

We will use a PPA for adding Pipewire to Ubuntu. Execute the following command to do this:

sudo add-apt-repository ppa:pipewire-debian/pipewire-upstream
Update the package list using the following command:

sudo apt update
Install Pipewire using the following command:

sudo apt install pipewire
There is also a dependency that is needed to be installed with Pipewire, otherwise you will face the issue of “Bluetooth headset won’t connect after installing pipewire”. Install the dependency by executing the following command:

sudo apt install libspa-0.2-bluetooth
Now, to install the client libraries:

sudo apt install pipewire-audio-client-libraries
Reload the daemon:

systemctl --user daemon-reload
Disable PulseAudio:

systemctl --user --now disable pulseaudio.service pulseaudio.socket
If you are on Ubuntu 20.04, you also need to “mask” the PulseAudio by:

systemctl --user mask pulseaudio

I am not sure but if possible you can try to run this on other versions too.
After a new update of Pipewire, you also need to enable pipewire-media-session-service:

systemctl --user --now enable pipewire-media-session.service
To check if it is working, run the following command and see the output:
```
$ pactl info
...
Server Name: PulseAudio (on PipeWire 0.3.32)
...
```
If it doesn’t show up then try restarting Pipewire by this command:

systemctl --user restart pipewire
If it’s still not showing your microphone, you can try rebooting once and remove and pair your Bluetooth device again to check if it works now.

If you want to rollback all the changes we did, you can do it by using:

systemctl --user unmask pulseaudio

systemctl --user --now enable pulseaudio.service pulseaudio.socket

References

AskUbuntu

I hope this article helped you in configuring your wireless headphone microphone.

Questions, suggestions, a word of thanks is always encouraged.

How To Merge Multiple PDF/Images to PDF In Ubuntu Linux(ImageMagick)

Ashutosh Kumar — Thu, 07 Jan 2021 07:16:00 +0000

It's not very uncommon that we might need to merge different PDF's or images into one PDF in our daily task. So in this article we will learn about a very powerful command line tool called ImageMagick and learn how to use it.

Installing ImageMagick through apt

ImageMagick comes preinstalled in Ubuntu 20.04 as there are many packages that use this tool as a dependency.

Installing ImageMagick through apt (Advanced Package Tool) is pretty straightforward. The package is already available in standard Ubuntu repository

Open the terminal and execute the following:

First refresh your local package index by executing:

sudo apt update

Next execute the following command to install ImageMagick:

sudo apt install imagemagick

Using ImageMagick to merge multiple images into one PDF

We will use the convert command line tool of ImageMagick to merge multiple images into a single PDF file.

To convert use the following command:

convert image1.jpg image2.png image3.bmp output.pdf

The order of images in the command determines the order in which images are merged in the output.pdf.

If you get the following error while converting to PDF:

convert: attempt to perform an operation not allowed by the security policy 'PDF' @ error/constitute.c/IsCoderAuthorized/408

Jump to Solving the Security Policy Error section where we have discussed how to solve this issue.

Using ImageMagick to merge multiple PDF into one PDF

We will use similar command that we used before but with some extra options so that quality of the output.pdf is good.

To convert use the following command:

convert -density 300 file1.pdf file2.pdf file3.pdf output.pdf

-density sets the dpi that the PDF is rendered at. Setting this to 300/600 will give a fairly good output.

You can also use image and pdf interchangeably in this command which makes it even more powerful.
That is :

convert file1.pdf image1.jpg output.pdf

If you get the following error while converting to PDF:

convert: attempt to perform an operation not allowed by the security policy 'PDF' @ error/constitute.c/IsCoderAuthorized/408

Jump into the next-section of this article to solve this error.

Solving the Security Policy Error

ImageMagick has some security policies disabling some rights for security reasons.
You will have to edit a config file to re-enble the action you need.

Open /etc/ImageMagick-6/policy.xml with your favorite text editor, find the line:

<policy domain="coder" rights="none" pattern="PDF" />

and replace "none" by "read|write"

Step By Step Process to achieve the things mentioned above:

Open the file in terminal and execute:

sudo nano /etc/ImageMagick-6/policy.xml

Find and edit the line:

<policy domain="coder" rights="none" pattern="PDF" />

to :

<policy domain="coder" rights="read|write" pattern="PDF" />

References:
AskUbuntu

After performing the task I would recommend to change the policy.xml back to what it was before. There are many other useful tasks that can be performed using ImageMagick such as resizing images, converting between image formats and many more but that we would cover in some other article.

I hope this article helped you to merge multiple PDF/images into one PDF in Ubuntu Linux.
Questions, suggestions, a word of thanks is always encouraged.

Installing Microsoft Fonts on Linux(Comprehensive Guide)

Ashutosh Kumar — Sat, 26 Dec 2020 15:41:00 +0000

After installing Linux, one of the most important thing to do is installing essential Microsoft Fonts that you will need while working with Microsoft Office Documents, Microsoft Teams, or on the web. It is important to do so as many times you won't be able to process the documents correctly when you try to open it with diffrent font sets.

In this article we will cover how to install all the essential Microsoft Fonts.

Installing Microsoft Core TrueType Fonts on Ubuntu-based Linux distributions

Microsoft Fonts doesn't come pre-installed in Linux. The reason behind it is that these fonts are not Open Source and are owned by Microsoft and many linux distributions don’t provide proprietary software by default to avoid licensing issue. But Microsoft has released its Core TrueType Fonts for free of charge.

Since this is not an Open Source software, you need to first enable the multiverse repository. To do so execute the following command:

sudo add-apt-repository multiverse

Now to install Microsoft Core TrueType Fonts, execute the following command:

sudo apt update && sudo apt install ttf-mscorefonts-installer

After that press OK(using ENTER button) when Microsoft’s End User agreement appears(use TAB for moving the cursor to OK button).

Then press Yes to accept the Microsoft’s agreement.

In case that you accidentally reject the license agreement, you can reinstall the installer with the following command:

sudo apt install –reinstall ttf-mscorefonts-installer

This package installs the following fonts:

Andale Mono
Arial Black
Arial (Bold, Italic, Bold Italic)
Comic Sans MS (Bold)
Courier New (Bold, Italic, Bold Italic)
Georgia (Bold, Italic, Bold Italic)
Impact
Times New Roman (Bold, Italic, Bold Italic)
Trebuchet (Bold, Italic, Bold Italic)
Verdana (Bold, Italic, Bold Italic)
Webdings

Installing Microsoft ClearType Fonts

Microsoft ClearType Fonts was first introduced in Windows Vista and in Office 2007 and since then it has been a part of Windows and thus is very essential when working with Microsoft Documents. The ClearType Fonts Collection includes:

Calibri
Cambria
Candara
Consolas
Constantia
Corbel

To install ClearType Fonts, execute the following command:

wget -q -O - https://gist.githubusercontent.com/Blastoise/72e10b8af5ca359772ee64b6dba33c91/raw/2d7ab3caa27faa61beca9fbf7d3aca6ce9a25916/clearType.sh | bash

Installing Tahoma and Segoe-UI Fonts

Tahoma is a part of TrueType Fonts by Microsoft but is not available in ttf-mscorefonts-installer package and thus need to be installed manually.

To install Tahoma Fonts, execute the following command:

wget -q -O - https://gist.githubusercontent.com/Blastoise/b74e06f739610c4a867cf94b27637a56/raw/96926e732a38d3da860624114990121d71c08ea1/tahoma.sh | bash

Segoe UI font is probably one of the most important font that we will install in this blog. This font is now used by Microsoft in every project and thus can be regarded as the font that will become a standard very soon.

To install Segoe-UI Fonts, execute the following command:

wget -q -O - https://gist.githubusercontent.com/Blastoise/64ba4acc55047a53b680c1b3072dd985/raw/6bdf69384da4783cc6dafcb51d281cb3ddcb7ca0/segoeUI.sh | bash

Installing Other Essential Fonts

This section deals with installing essential fonts that you will require when opening documents containing Maths symbols and thus is used for correct processing of these characters.
We will install the following fonts in this section:

mtextra.ttf
symbol.ttf
webdings.ttf
wingding.ttf
wingdng2.ttf
wingdng3.ttf

To install these fonts, execute the following command:

wget -q -O - https://gist.githubusercontent.com/Blastoise/d959d3196fb3937b36969013d96740e0/raw/429d8882b7c34e5dbd7b9cbc9d0079de5bd9e3aa/otherFonts.sh | bash

References:

It's FOSS

Fun Fact:

After installing Segoe-UI fonts this page will look different on many systems as it uses Segoe-UI font.

We come to an end of this comprehensive guide of installing Microsoft Fonts. I hope this article helped you in doing so.

Questions, suggestions, a word of thanks is always encouraged.