today

CV.md

@@ -46,6 +46,30 @@ I hope I'll fit into your picture: viktor@szepe.net
   an English video: https://www.youtube.com/watch?v=8o3g85SeDQ8
 - make mistakes
 
+# Szépe Viktor dolgozna egy Vállalatnak
+
+HTTP alapú szolgáltatások üzemeltetésével foglalkozok: applikációk, API-k, honlapok.  
+Ezirányú tapasztalataim értékes visszacsatolást jelenthetnek a fejlesztő csapatuknak.  
+(A közlekedési jelzőlámpa példával élve: a fejlesztők a zöldet látják, én a sárgát és a pirosat.)  
+A figyelmem az üzembiztonságon és a sebességen van.
+
+ Úgy szoktam mondani, hogy *pozitív jövőképe legyen a projektnek*.
+
+Debian alapú webszervereket építek és üzemeltetek. Email kézbesítéssel is foglalkozok.  
+A jegyzeteim és a programjaim nyílt forrásúak: https://github.com/szepeviktor/
+
+Emellett WordPress - jobb szó híján - szakértő is vagyok.
+Ismerem a magot (core) és bővítményeket is fejlesztek: https://profiles.wordpress.org/szepeviktor#content-plugins
+
+Rám bízhatnak *feature* fejleszést is (sablon, bővítmény, UI) de az nem része a napi rutinomnak.
+
+A support videók a kedvenceim: https://www.youtube.com/user/szepeviktor (angolul is vannak)
+
+ Annyit írnék még, hogy tömegtermelésben nem sok hasznomat veszik, mert alapos munkát végzek,
+ és úgy érzékelem, hogy ez a kettő üti egymást.
+
+Remélem bele illek a képbe valahogyan: viktor@szepe.net
+
 ## Magyarul az önéletrajz
 
 - webhely sebesség tervezés és optimalizálás (mobilon is)

Git-pull.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+git pull

Hosting.md

@@ -36,7 +36,7 @@
 
 ## CDN
 
-- [keycdn](https://www.keycdn.com/cdn-europe) 10×Europe, Made in Switzerland
+- [keycdn](https://www.keycdn.com/?a=18666) 10×Europe, Made in Switzerland
 
 ## Shared hosting
 

backup/system-backup.sh

@@ -18,7 +18,8 @@
 # Usage
 #
 # Format storage
-#     /usr/bin/mkfs.s3ql --authfile "$AUTHFILE" "$STORAGE_URL"
+#     /usr/bin/mkfs.s3ql "$STORAGE_URL"
+#
 # Save encryption master key!
 #
 # Edit DB_EXCLUDE, STORAGE_URL, TARGET
@@ -42,6 +43,7 @@
 #DB_EXCLUDE="excluded-db1|excluded-db2"
 DB_EXCLUDE=""
 
+#STORAGE_URL="local:///media/backup-server.sshfs"
 STORAGE_URL="swiftks://auth.cloud.ovh.net/REGION:COMPANY-SERVER-s3ql"
 TARGET="/media/provider.s3ql"
 # [swiftks]
@@ -54,19 +56,34 @@ AUTHFILE="/root/.s3ql/authinfo2"
 
 set -e
 
-Error() {
-    local STATUS="$1"
-
-    shift
+Onexit() {
+    local -i RET="$1"
+    local BASH_CMD="$2"
 
-    echo "ERROR ${STATUS}: $*" 1>&2
+    set +e
 
     #if /usr/bin/s3qlstat ${S3QL_OPT} "$TARGET" &> /dev/null; then
     if [ -e "${TARGET}/.__s3ql__ctrl__" ]; then
         /usr/bin/s3qlctrl ${S3QL_OPT} flushcache "$TARGET"
         /usr/bin/umount.s3ql ${S3QL_OPT} "$TARGET"
     fi
 
+    if [ "$RET" -ne 0 ]; then
+        echo "COMMAND: ${BASH_CMD}" 1>&2
+    fi
+
+    exit "$RET"
+}
+
+Error() {
+    local STATUS="$1"
+
+    set +e
+
+    shift
+
+    echo "ERROR ${STATUS}: $*" 1>&2
+
     exit "$STATUS"
 }
 
@@ -151,19 +168,20 @@ Check_db_schemas() {
 }
 
 Get_base_db_backup_dir() {
+    local BACKUP_DIRS
     local XTRAINFO
 
     # shellcheck disable=SC2012
-    ls -tr "${TARGET}/innodb" \
-        | while read -r BASE; do
-            XTRAINFO="${TARGET}/innodb/${BASE}/xtrabackup_info"
-            # First non-incremental is the base
-            if [ -r "$XTRAINFO" ] && grep -qFx "incremental = N" "$XTRAINFO"; then
-                echo "$BASE"
-                return 0
-            fi
-        done
-        return 1
+    BACKUP_DIRS="$(ls -tr "${TARGET}/innodb")"
+    while read -r BASE; do
+        XTRAINFO="${TARGET}/innodb/${BASE}/xtrabackup_info"
+        # First non-incremental is the base
+        if [ -r "$XTRAINFO" ] && grep -qFx "incremental = N" "$XTRAINFO"; then
+            echo "$BASE"
+            return 0
+        fi
+    done <<< "$BACKUP_DIRS"
+    return 1
 }
 
 Backup_innodb() {
@@ -254,6 +272,8 @@ Umount() {
     /usr/bin/umount.s3ql ${S3QL_OPT} "$TARGET" || Error 32 "Umount failed"
 }
 
+trap 'Onexit "$?" "$BASH_COMMAND"' EXIT HUP INT QUIT PIPE TERM
+
 declare -i CURRENT_DAY="$(date --utc "+%w")"
 
 # On terminal?

mail/README.md

@@ -79,7 +79,8 @@ https://toolbox.googleapps.com/apps/checkmx/
 
 - Encoded (base64 or QP) headers: `conv2047.pl -d`
 - Body and attachments: `munpack -t`
-- Syntax highlight: headers.vim for vim, email.syntax for mcedit
+- Syntax highlight: `headers.vim` for vim, `/input/mc/email.syntax` for mcedit
+- Enveloped-data (application/pkcs7-mime): `cat smime.p7m | base64 -d | openssl smime -verify -inform DER`
 
 
 ## Settings

monitoring/ocsp-check.sh

@@ -2,7 +2,7 @@
 #
 # Display OCSP response.
 #
-# VERSION       :2.2.0
+# VERSION       :2.2.1
 # DATE          :2016-06-19
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # URL           :https://github.com/szepeviktor/debian-server-tools
@@ -16,25 +16,28 @@ HOST="$1"
 
 set -e
 
-[ -n "$HOST" ]
-
 Onexit() {
     local -i RET="$1"
     local BASH_CMD="$2"
 
     set +e
 
+    # Cleanup
     rm -f "$CERTIFICATE" "$CA_ISSUER_CERT" &> /dev/null
 
     if [ "$RET" -ne 0 ]; then
-        echo "ERROR: ${BASH_CMD}" 1>&2
-        exit 100
+        echo "COMMAND WITH ERROR: ${BASH_CMD}" 1>&2
     fi
+
+    exit "$RET"
 }
 
+trap 'Onexit "$?" "$BASH_COMMAND"' EXIT HUP INT QUIT PIPE TERM
+
+[ -n "$HOST" ]
+
 CERTIFICATE="$(mktemp -t "${0##*/}.XXXXXXXX")"
 CA_ISSUER_CERT="$(mktemp -t "${0##*/}.XXXXXXXX")"
-trap 'Onexit "$?" "$BASH_COMMAND"' EXIT HUP INT QUIT PIPE TERM
 
 # Get certificate
 openssl s_client -connect "${HOST}:443" -servername "$HOST" < /dev/null > "$CERTIFICATE" 2> /dev/null

security/fail2ban-conf/jail.local

@@ -4,7 +4,7 @@
 #          localhost                        Googlebot
 #                      own IP                              Amazon CloudFront
 #                             proxy                                                                                                                 PayPal IPN
-ignoreip = 127.0.0.0/8 @@IP@@ 88.151.99.143 66.249.64.0/19 54.72.0.0/13 54.80.0.0/12 54.240.128.0/18 54.224.0.0/12 205.251.192.0/18 216.137.58.0/23 173.0.81.1
+ignoreip = 127.0.0.0/8 @@IP@@ 88.151.99.143 66.249.64.0/19 54.72.0.0/13 54.80.0.0/12 54.240.128.0/18 54.224.0.0/12 205.251.192.0/18 216.137.32.0/19 173.0.81.1
 # WARNING! multiline error gh-1432
 
 # ignorecommand = /path/to/command <ip>

webserver/WordPress.md

@@ -205,19 +205,21 @@ $redis_server = array(
 Resource optimization
 
 ```bash
+# CDN, Page Cache, Minify
+wp plugin install w3-total-cache --activate
+wp plugin install https://github.com/szepeviktor/fix-w3tc/releases/download/v0.9.4.2/w3-total-cache.0.9.4.2.zip --activate
+
 # safe redirect manager
 wp plugin install safe-redirect-manager --activate
 
-# ?
-wp plugin install resource-versioning <--> autoptimize --activate
-# define( 'AUTOPTIMIZE_WP_CONTENT_NAME', '/static' );
-
-# Redis or ngx_http_memcached_module
+# WP-FFPC
+# backends: APCu, Redis, Memcached with ngx_http_memcached_module
 # https://github.com/petermolnar/wp-ffpc
 wp plugin install https://github.com/petermolnar/wp-ffpc/archive/master.zip --activate
 
-# CDN, Page Cache, Minify
-wp plugin install w3-total-cache --activate
+# Autoptimize ?
+#wp plugin install resource-versioning <--> autoptimize --activate
+# define( 'AUTOPTIMIZE_WP_CONTENT_NAME', '/static' );
 ```
 
 Set up CDN.

webserver/apache-conf-available/ssl-mozilla-intermediate.default

@@ -0,0 +1,96 @@
+<IfModule mod_ssl.c>
+
+	# Pseudo Random Number Generator (PRNG):
+	# Configure one or more sources to seed the PRNG of the SSL library.
+	# The seed data should be of good random quality.
+	# WARNING! On some platforms /dev/random blocks if not enough entropy
+	# is available. This means you then cannot use the /dev/random device
+	# because it would lead to very long connection times (as long as
+	# it requires to make more entropy available). But usually those
+	# platforms additionally provide a /dev/urandom device which doesn't
+	# block. So, if available, use this one instead. Read the mod_ssl User
+	# Manual for more details.
+	#
+	SSLRandomSeed startup builtin
+	SSLRandomSeed startup file:/dev/urandom 512
+	SSLRandomSeed connect builtin
+	SSLRandomSeed connect file:/dev/urandom 512
+
+	##
+	##  SSL Global Context
+	##
+	##  All SSL configuration in this context applies both to
+	##  the main server and all SSL-enabled virtual hosts.
+	##
+
+	#
+	#   Some MIME-types for downloading Certificates and CRLs
+	#
+	AddType application/x-x509-ca-cert .crt
+	AddType application/x-pkcs7-crl .crl
+
+	#   Pass Phrase Dialog:
+	#   Configure the pass phrase gathering process.
+	#   The filtering dialog program (`builtin' is a internal
+	#   terminal dialog) has to provide the pass phrase on stdout.
+	SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
+
+	#   Inter-Process Session Cache:
+	#   Configure the SSL Session Cache: First the mechanism
+	#   to use and second the expiring timeout (in seconds).
+	#   (The mechanism dbm has known memory leaks and should not be used).
+	#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+	SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+	SSLSessionCacheTimeout 300
+
+	#   Semaphore:
+	#   Configure the path to the mutual exclusion semaphore the
+	#   SSL engine uses internally for inter-process synchronization.
+	#   (Disabled by default, the global Mutex directive consolidates by default
+	#   this)
+	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+	#   SSL Cipher Suite:
+	#   List the ciphers that the client is permitted to negotiate. See the
+	#   ciphers(1) man page from the openssl package for list of all available
+	#   options.
+	#   Enable only secure ciphers:
+	SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+	# SSL server cipher order preference:
+	# Use server priorities for cipher algorithm choice.
+	# Clients may prefer lower grade encryption.  You should enable this
+	# option if you want to enforce stronger encryption, and can afford
+	# the CPU cost, and did not override SSLCipherSuite in a way that puts
+	# insecure ciphers first.
+	# Default: Off
+	SSLHonorCipherOrder on
+
+	#   The protocols to enable.
+	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+	#   SSL v2  is no longer supported
+	SSLProtocol all -SSLv3
+
+	#   Allow insecure renegotiation with clients which do not yet support the
+	#   secure renegotiation protocol. Default: Off
+	#SSLInsecureRenegotiation on
+
+	#   Whether to forbid non-SNI clients to access name based virtual hosts.
+	#   Default: Off
+	SSLStrictSNIVHostCheck off
+
+	SSLCompression off
+
+	#SSLSessionTickets off ?
+
+	# OCSP Stapling (could also be in every virtual host)
+	SSLUseStapling On
+	SSLStaplingResponderTimeout 5
+	SSLStaplingReturnResponderErrors off
+	SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(128000)"
+	SSLStaplingStandardCacheTimeout 36000
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet