We’re Officially HSTS Preloaded!

So, I checked today, and after submission to the Chrome HSTS Preloading List, we are indeed HSTS preloaded. The same list is also used by Safari, Firefox, and IE11/Edge. This means that current browsers will never send a plaintext HTTP request to this site, even on a first visit, before the site has had any chance to deliver its Strict-Transport-Security header. That closes the one window an ordinary HSTS header leaves open: a man-in-the-middle intercepting the very first, unencrypted request (the classic SSL-stripping attack).

aaronsilber.me in HSTS preload list

Fixing 403 Forbidden When Setting up CentOS 7.X / nginx 1.6.x / PHP 7.X / Enforcing SELinux

I know you’re all here for the command, so here it is:
sudo chcon -v -R --type=httpd_sys_content_t /var/www/


It’s no surprise that one of the most common SELinux-related search terms is “how to disable SELinux.” For the majority of users, the complexities of Mandatory Access Control aren’t worth sorting through, and they opt to disable it in favor of classic Linux Discretionary Access Control (plain file-mode permissions).

When used correctly, however, SELinux does a lot to contain an attack: even after a successful exploit, the compromised process stays confined to the domain it runs in (httpd_t for nginx and php-fpm here), so the privileges the attacker gains are limited to what that domain is allowed to touch.

What I’m doing in this one-liner is relatively simple: recursively change the security context of everything under /var/www to httpd_sys_content_t, the type the httpd_t domain is allowed to read. I found the correct context by running ls -Z /usr/share/nginx/html – the nginx package already labelled its default document root correctly when it was installed. If your distribution’s package uses a different SELinux context, just use that instead. Two caveats worth knowing: chcon only rewrites the label on the inode, so a later relabel (restorecon, or a touch /.autorelabel reboot) resets files to whatever the policy’s file-context rules say; on a stock CentOS 7 targeted policy /var/www(/.*)? is already mapped to httpd_sys_content_t, so restorecon -Rv /var/www gives the same result persistently, and a custom document root needs a semanage fcontext rule first. And httpd_sys_content_t is read-only for the web server, so any directory PHP has to write to (uploads, caches) needs httpd_sys_rw_content_t instead.
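As an added example (my own, not the post’s code), here is a small script that audits a web root’s labels from ls -Z output and applies the fix persistently with semanage and restorecon instead of a one-off chcon. The target type, the sample ls -Z lines and the /var/www default are assumptions; the sample lines are constructed, not captured from a real server.

```bash
#!/bin/bash
# Added example, not from the original post: audit the SELinux labels under a web
# root from `ls -Z` output and apply the fix persistently (semanage + restorecon)
# rather than with a one-off chcon. WANT_TYPE and the sample lines are assumptions.

WANT_TYPE="httpd_sys_content_t"

# Extract the type field from a label of the form user:role:type:level,
# e.g. "unconfined_u:object_r:httpd_sys_content_t:s0" -> httpd_sys_content_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z`-style lines on stdin (any leading fields, the label somewhere in
# the line, the path last) and print "<type>\t<path>" for every entry whose type
# is not $WANT_TYPE. Exit status 0 if everything is labelled correctly, 1 otherwise.
find_mislabeled() {
    awk -v want="$WANT_TYPE" '
        BEGIN { bad = 0 }
        NF == 0 { next }
        {
            label = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) label = $i
            if (label == "") next          # SELinux disabled or label unknown
            split(label, f, ":")
            if (f[3] != want) { print f[3] "\t" $NF; bad = 1 }
        }
        END { exit bad }
    '
}

# Persistent fix for a document root. On a stock CentOS 7 targeted policy
# /var/www(/.*)? already maps to httpd_sys_content_t, so restorecon alone is
# enough there; for a custom root the fcontext rule is recorded first so that a
# future relabel does not undo the change. semanage comes from
# policycoreutils-python on CentOS 7. Not executed by the demo below.
fix_persistently() {
    local root="${1:-/var/www}"
    case "$(matchpathcon -n "$root")" in
        *":$WANT_TYPE:"*) ;;   # policy default already correct
        *) sudo semanage fcontext -a -t "$WANT_TYPE" "${root}(/.*)?" ;;
    esac
    sudo restorecon -Rv "$root"
}

# Constructed sample of `ls -Z` output (not a real capture): two correctly
# labelled files and one that was moved in from a user's home directory.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.php
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/style.css
-rw-r--r--. deploy deploy unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php'

if printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled; then
    echo "all files carry $WANT_TYPE"
else
    echo "mislabeled files listed above; fix with: fix_persistently /var/www"
fi
```

On a real host, feed it live output with ls -Z -R /var/www | find_mislabeled; the user_home_t entry is exactly the kind of label that produces a 403 after copying files in from a home directory, because httpd_t is not allowed to read user_home_t.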

Fix your SELinux configuration instead of throwing the baby out with the bathwater and shutting it off!

RHEL 7 t2.micro AWS EC2 AMI Costs 5x OSS Alternatives

I should have known, honestly. But Amazon makes it seem so affordable to license Red Hat. I thought “Hey, this is Red Hat. I’m a big Fedora user, and I build CentOS servers all the time. Surely Red Hat will be like any of those, just better!”

Unfortunately… I’d never licensed Red Hat previously and had no idea of its cost. Amazon currently lists the On-Demand t2.micro RHEL 7 AMI at a whopping $0.073/hr to run. This results in around a $52.56/month bill just for EC2. To compare, a CentOS t2.micro costs $0.013/hr (~$9.36/month) and has the same specs as the RHEL instance at 5.6 times the price. If you don’t need to use Red Hat, for less money you could scale way up to a t2.medium, which has 4x the memory of a t2.micro, 4x the rate of CPU credits, and 2x the vCPUs. Even that would only cost you $0.052/hr (~$37.44/month).

What does this mean for me? Well, I’m certainly not going to pay $640/yr to run pretty much the most bare-bones site I could have right now. And if I was going to spend $640/yr on anything, it wouldn’t be 80% licensing fees to Red Hat.

Please don’t take this as me dismissing Red Hat. They have been instrumental in the development of the OSes I love so much, as well as the Linux community. I’m sure they’re a great company for enterprise-grade clients.

But now it’s time for me to rebuild my stack, on CentOS this time. I may shrink the server size even further and try out CloudFlare – it sounds like a perfect candidate for what I’m doing here.

Fresh Start

Off to a fresh start on a new infrastructure provider. WP Engine wasn’t going to work out – their SSL costs were much too high. This site is now proudly secured through Let’s Encrypt, with site-wide HTTPS. The HSTS header is set with the preload directive, and the domain has been submitted for inclusion in the browser preload lists. With TLS implemented properly, data travels between this server and you encrypted and authenticated.
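As an added example (my own, not the post’s code) for this post and the HSTS preload announcement above: a check that a Strict-Transport-Security header value actually meets the hstspreload.org submission requirements, namely a max-age of at least one year (31536000 seconds), includeSubDomains, and preload. The header strings it is run against are constructed, not captured from this site, and the curl helper is an assumption about how you would fetch a live header.

```bash
#!/bin/bash
# Added example, not from the original post: check a Strict-Transport-Security
# header value against the hstspreload.org submission requirements
# (max-age of at least one year, includeSubDomains, preload). The header
# strings at the bottom are constructed, not captured from this site.

PRELOAD_MIN_AGE=31536000   # one year in seconds, the preload-list minimum

# hsts_preload_ok "HEADER-VALUE"
# Returns 0 if the value qualifies for preload submission, 1 otherwise;
# the reason for a rejection goes to stderr.
hsts_preload_ok() {
    local value="$1" max_age="" has_subdomains=0 has_preload=0 d
    local IFS=';'                      # directives are ';'-separated
    for d in $value; do
        # directive names are case-insensitive; strip surrounding whitespace
        d=$(printf '%s' "$d" | tr -d ' \t' | tr 'A-Z' 'a-z')
        case "$d" in
            max-age=*)          max_age="${d#max-age=}" ;;
            includesubdomains)  has_subdomains=1 ;;
            preload)            has_preload=1 ;;
        esac
    done
    case "$max_age" in
        ''|*[!0-9]*) echo "missing or malformed max-age" >&2; return 1 ;;
    esac
    if [ "$max_age" -lt "$PRELOAD_MIN_AGE" ]; then
        echo "max-age=$max_age is below the one-year minimum ($PRELOAD_MIN_AGE)" >&2
        return 1
    fi
    [ "$has_subdomains" = 1 ] || { echo "includeSubDomains directive missing" >&2; return 1; }
    [ "$has_preload" = 1 ]    || { echo "preload directive missing" >&2; return 1; }
    return 0
}

# Fetch the header a live host actually sends (needs network; not run below).
# The preload list additionally requires the HTTP listener to redirect to HTTPS
# on the same host and every subdomain to be served over HTTPS, which this
# header check alone does not prove.
hsts_header_of() {
    curl -sI "https://$1/" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "strict-transport-security" { print $2 }'
}

# Constructed values. The nginx directive that produces the first one is:
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
for v in "max-age=31536000; includeSubDomains; preload" \
         "max-age=10886400; includeSubDomains" \
         "max-age=31536000; preload"; do
    if hsts_preload_ok "$v"; then echo "preloadable: $v"; else echo "rejected:    $v"; fi
done
```

To test a real deployment, run hsts_preload_ok "$(hsts_header_of example.com)"; the 10886400-second value in the demo is the old 18-week minimum, which the preload list no longer accepts.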

Screenshot of A+ Rating on Qualys SSL Labs