`Pelican <http://blog.getpelican.com/>`_ is a static site generator. It's written in Python, focusing on blogs, using reStructuredText, Jinja2 and Fabric (but you can use Markdown and makefiles, and it has provisions for normal web pages as well). It's a pythonic tool that's easy to use and was a breeze to set up.

Installing Pelican
------------------

As Pelican is a static blog/website generator, all the work is done on your workstation. All you need server-wise is a bog-standard web server (like Apache or Nginx). Everything else is done on your local machine. I installed Pelican from Debian (it's currently available in testing):

.. code:: shell

   ...

Create a blog directory and an empty blog ::

   ...
   > Do you want to upload your website using GitHub Pages? (y/N)
   Done. Your new project is available at blog

Since Pelican uses OpenSSH, you can use servers defined in your SSH preferences. Now, let's configure the blog to our liking.

Configuration
-------------

In the blog directory there are two configuration files: pelicanconf.py for configuring Pelican, and publishconf.py for settings that apply only when publishing with Make or Fabric. Pelican also creates a standard Makefile and fabfile.py for you. I've made the following modifications to pelicanconf.py: ::

   TIMEZONE = 'Asia/Jerusalem'
   PATH = "content"
   ...

And to publishconf.py: ::

   ...
   CATEGORY_FEED_ATOM = None

I've set the timezone to mine (so that the published time of articles is correct), added everything under contents/static as static content to be uploaded to the server, disabled showing categories of articles and creating feeds for them, disabled saving articles by tag, and set pages (which are simple web pages, unlike articles, which are blog entries) to show on the menu. Next, themes.

Themes
------

Pelican comes with a default theme (the same one used by Pelican's website), but I wanted something more understated, so I took a look at `https://github.com/getpelican/pelican-themes <https://github.com/getpelican/pelican-themes>`_ and chose pelican-mockingbird. Either clone it or add it as a git submodule (depending on whether you're using Git to version control your blog):

.. code:: shell

   ...

and set the theme to that by adding the following to pelicanconf.py: ::

   THEME = "./pelican-mockingbird"

I've also edited :code:`base.html` and :code:`article.html` inside :code:`pelican-mockingbird/templates` to suit my liking. Next, let's add a new entry.

Adding an entry
---------------

Create a reStructuredText file inside contents. The filename is for your own reference and isn't critical. The heading is the article name, and you can add the following fields for Pelican to use: ::

   :date: 2014-04-19
   :slug: this-will-the-filename
   ...

After adding the content, we want to upload it to our web server (I use Fabric) ::

   fab publish

If you don't have keys set up for the server, it will ask you for your password to the server. Lastly, you can create pages: create a pages directory inside contents and save the files there. Their format is the same as articles, but a somewhat different template is applied and they will be shown in the menu. A good example would be an 'About Me' page.

That's it, you now have Pelican installed, configured and published to your web site. If you want to see a real-life example, clone `my blog <https://git.shore.co.il/nimrod/blog>`_.

You have a website and you want to encrypt the traffic going in and out of your web server. Having heard about the attacks currently known against SSL and TLS, you want to configure your server so that it isn't vulnerable to any of them. In a perfect world (or if you control your clients), all you have to do is allow only TLS 1.2 and AES-GCM with elliptic-curve Diffie-Hellman key exchange (AESGCM+ECDH in OpenSSL cipher-string terms) and you're set. This combination is secure, fast, offers perfect forward secrecy, and at the time of writing there are no known attacks that make it crackable in a reasonable time. So what's the problem? With a public website you don't control the web browser the visitor uses. If he or she is using IE on Windows XP or Android 2.x, the browser doesn't support TLS 1.2 or AES-GCM and the visitor can't access the website. How do you keep your website secure yet reasonably accessible?

Known attacks on SSL and TLS
----------------------------

First, SSL 2.0 is insecure (it's even disabled by default in IE7), so we'll not be using it. Version rollback attacks allow a man in the middle to alter the client's response to force a lower-grade (read: the lowest grade possible) cipher suite. The BEAST attack exploits a weakness in CBC ciphers in TLS 1.0, but fixes for all major browsers have been available for quite some time, so we're going to assume that the client is secure and CBC ciphers are safe to use (a reasonable assumption, but still an assumption). CRIME and BREACH exploit a weakness in compression, and RC4 is considered weak, although not broken like DES or MD5.

IE in Windows XP
----------------

All versions of IE available on Windows XP offer RC4 and 3DES as the best ciphers available. Unfortunately, Chrome uses the Windows crypto library, so it has the same limitation. For a user this means that if you're on Windows XP you should be using an up-to-date version of Firefox to have the best experience until you can move away from Windows XP (or Windows in general). For the website manager it leaves you with two options: either add support for 3DES or RC4 ciphers with SHA1 hashes (for OpenSSL, add RC4-SHA or 3DES-SHA at the end of the cipher list), or ask users to use Firefox if they're still on XP. I chose the latter rather than the former, but I have that luxury.

What are we left with?
----------------------

Since modern browsers that support SSL 3.0 also support TLS 1.0, we'll be using TLS 1.0 or newer: any AES cipher (AES-GCM preferred) with ECDH key exchange (preferred) or DH key exchange, SHA2 (preferred) or SHA1 hashes, and compression disabled. On my server (an OpenBSD firewall/load-balancer/SSL terminator and reverse proxy) with the included OpenSSL and Nginx, the configuration is as follows ::

Take note that I first disable what I don't want, then allow what I do want in the order I prefer. I've also disabled DH key exchange with AES-GCM: since all browsers that support AES-GCM support ECDH, I've opted for that alone (the reasoning being that ECDH is faster than DH, so it's preferable).

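As an added example (not the author's configuration, which isn't reproduced above), the following Python script hands a cipher string built from the rules just described to OpenSSL, the same parser behind Nginx's ssl_ciphers directive, and checks the resolved suite list against those rules. The cipher string is an assumption derived from the post's description, not the author's exact line, and the check also shows what goes wrong when the allow rules are listed in the wrong order.

```python
import ssl

# Cipher string built from the post's description (an assumption, not the
# author's exact nginx ssl_ciphers line): first remove what we don't want, then
# list what we allow in order of preference.  '!DHE+AESGCM' drops DH key
# exchange for AES-GCM only, leaving DHE for the AES-CBC suites older clients need.
CIPHER_POLICY = (
    "!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!PSK:!SRP:!DHE+AESGCM:"
    "ECDHE+AESGCM:ECDHE+AES:DHE+AES"
)

def resolve_policy(policy=CIPHER_POLICY):
    """Return the TLS 1.0-1.2 suite names OpenSSL derives from the policy, in
    server preference order (TLS 1.3 suites are fixed and excluded here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION      # the CRIME/BREACH mitigation
    ctx.set_ciphers(policy)                   # same parser nginx's ssl_ciphers uses
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def policy_violations(names):
    """Check an ordered suite list against the post's rules and return the
    offenders: weak or non-AES primitives, non-(EC)DHE key exchange, DHE paired
    with AES-GCM, or an ECDHE suite ranked below a DHE one."""
    bad, seen_dhe = [], False
    for name in names:
        if name.startswith("ECDHE-"):
            kx = "ECDHE"
        elif name.startswith("DHE-"):
            kx = "DHE"
        else:
            kx = "other"
        weak = any(w in name for w in ("RC4", "DES", "MD5", "NULL"))
        if kx == "other" or "AES" not in name or weak:
            bad.append(name)
        elif kx == "DHE":
            seen_dhe = True
            if "GCM" in name:
                bad.append(name)          # DH with AES-GCM is excluded by choice
        elif seen_dhe:
            bad.append(name)              # ordering bug: ECDHE listed after DHE
    return bad

if __name__ == "__main__":
    suites = resolve_policy()
    print("\n".join(suites))
    print("violations:", policy_violations(suites) or "none")
    # Listing DHE before ECDHE shows why the order in the string matters.
    print("wrong order:", policy_violations(resolve_policy("DHE+AES:ECDHE+AES")))
```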
Final words
-----------

This is not enough to call your site secure. I haven't mentioned secure cookies, HSTS, input sanitisation, cross-site scripting, OCSP, certificate strength, implementation vulnerabilities (such as OpenSSL's Heartbleed) or any of the other security considerations. For testing purposes I used `sslscan <http://sourceforge.net/projects/sslscan/>`_ and `Calomel's SSL validation add-on for Firefox <https://calomel.org/firefox_ssl_validation.html>`_. You can also use `SSLLabs' SSL test <https://www.ssllabs.com/ssltest/index.html>`_.