Caching both HTTPS and HTTP Drupal sites behind HAproxy and Varnish

Scenario: you have a Drupal site behind a proxy such as HAproxy, sending traffic to a Varnish backend (which in turn sends to the Nginx or Apache backend).

You want to serve cached pages from Varnish for both HTTP and HTTPS. Perhaps you've tried this and found that behind HTTPS, your site had no CSS or JS. This is because it's serving a page object that was cached as HTTP, or it's not caching at all but Drupal is serving the markup with http:// links, and your browser won't allow that to be displayed under https://.


Yubikey 2FA on Qubes redux - adding a backup key

Previously I wrote about adding Yubikey 2FA authentication in Qubes (not for using Yubikey on remote sites, but on 2FA of your Qubes system itself), explaining a couple of the differences in my technique compared to the official docs (e.g. I don't believe in backdooring with a password in absence of your Yubikey, especially since with a usbVM, that VM can read the password as you type it!


Monitoring Certificate Transparency logs for fraudulent SSL certs with Scumblr

I read with interest this article by Facebook, about detecting (possibly) fraudulent SSL certificates being issued by CAs.

I wasn't previously aware of Google's Certificate Transparency initiative, but it seems like a good idea. Basically there exists a sort of blockchain of public, append-only logs of all SSL certs that are being issued (at least, where the CA is cooperating to publish that info?).


Verifying your key/identity on Keybase with Qubes and Split GPG

You are using Qubes with Split-GPG, but you want to verify your GPG key at Keybase, via the command-line with bash and curl (you're not storing the key on Keybase's servers).

The verification command is a curl request but includes calls to the gpg command-line client. You have two problems:

1) Your GPG VM is not connected to the network (for good reason)
2) Another VM that is connected to the network can't use the gpg command.


Batch updating TemplateVMs in Qubes 3.0

If you are a Qubes user like me, you probably have a number of TemplateVMs which your App/USB/ProxyVMs are based off of (e.g. you aren't using the same template for all VMs, as you would otherwise develop a fair bit of irrelevant bloat across them all).

If so, you've probably discovered that keeping all those templates up to date with security updates is rather cumbersome when doing so manually.


An introduction to Terraform (and a neat way to try Drupal 8)

At Drupalcamp Melbourne 2015, I gave a talk about Terraform and how it can be used to keep the state of your infrastructure in configuration management.

What is Terraform?

People who are familiar with Puppet or Chef and similar config management tools will probably grasp the concept of Terraform.


'So, what is it you exactly do?' - Part seven, communication

Admittedly there is an irony in having a massive delay between the last article in this series and this one, aptly to be regarding 'communication' :) Sorry for the silence. It seems some of these articles have inspired some interest in the work I do, and as a result, I have been running off my feet with new business. There are worse problems to have.


Yubikey in Challenge Response mode with Qubes

EDIT: this is still worth/necessary reading, but see an April 2016 update where I describe further improvements, including supporting a backup key in case you've lost your first.

I bought a new Yubikey for use with Qubes, but I had some issues with the challenge-response instructions in the documentation.

That is:


