Setup IKEv2 service on Ubuntu 16.04

Reference: http://dcamero.azurewebsites.net/strongswan-ubuntu-1604-ios-9.html

This article is simplified and slightly modified from the reference for a general-purpose IKEv2 VPN proxy running on a freshly installed Ubuntu 16.04.

1. Use letsencrypt to obtain a certificate for your domain (e.g. vpn.example.com)
Note: During my configuration process, the certificate files had to be referenced directly from the ipsec configuration files instead of through a symlink, or you may get a “Permission Denied” error.

2. Install strongSwan and MS-CHAPv2 plugin for username / password authentication


3. Configure ipsec

Sample /etc/ipsec.conf configuration:
This is a basic configuration that allows username / password authentication and multiple connections for each user.


WoSign and StartCom Distrusted

The WoSign and StartCom CAs will be distrusted soon.
I have switched to GeoTrust and Comodo.

Google Security Blog:
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

Mozilla’s Announcement:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Update from Apple:
https://support.apple.com/en-us/HT204132

A list of WoSign issues from Mozilla:
https://wiki.mozilla.org/CA:WoSign_Issues

Article from former StartCom employee:
https://archive.is/8bSp6

(Original link)
https://www.letsphish.org/

More articles:

WoSign’s secret purchase of StartCom; WoSign threatened legal actions over the disclosure
http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html

Why I stopped using StartSSL (Hint: it involves a Chinese company)
https://archive.is/W9cY8

Another way to debug “File not found” error on LNMP

The mysterious "File not found" error can occur with complex nginx configurations, and because php-fpm workers only write a "Primary script unknown" message to stderr, the information available for debugging is limited.

Recently I found strace, a powerful tool that can trace the I/O operations of any process; with it, we can figure out which path the php-fpm workers actually tried to read.

Simply run strace -p pid to attach to a php-fpm worker, then start sending requests from the client side.
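As an added example (not part of the original post), the following script goes one step further than attaching to a single worker: it attaches to every php-fpm worker at once, traces only file-related syscalls, and reduces the output to the unique paths that failed with ENOENT, which is exactly what a "Primary script unknown" error hides. It assumes Linux with strace installed and the default php-fpm process title "php-fpm: pool <name>"; the sample strace lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find the script paths php-fpm
# workers tried to open but could not find, using strace.
# Assumes Linux, strace installed, and php-fpm workers titled "php-fpm: pool ...".

# Reduce a stream of strace output to the unique paths of file-access syscalls
# (open/openat/stat/access/...) that failed with ENOENT, in first-seen order.
# Uses a single awk so the output streams line by line during a live trace.
missing_paths() {
  awk '
    /^(\[pid +[0-9]+\] )?(open|openat|stat|lstat|access|newfstatat)\(/ && /= -1 ENOENT/ {
      if (match($0, /"[^"]+"/)) {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        if (!seen[path]++) { print path; fflush() }
      }
    }'
}

# Attach to every php-fpm worker at once (strace accepts several -p flags),
# trace only file-related syscalls, and report missing paths as requests
# arrive. Requires root (or ptrace permission on the workers); stop with Ctrl-C.
trace_phpfpm_missing_paths() {
  pids=$(pgrep -f 'php-fpm: pool' | sed 's/^/-p /' | tr '\n' ' ')
  [ -n "$pids" ] || { echo "no php-fpm worker processes found" >&2; return 1; }
  # $pids is intentionally unquoted so it expands to "-p 1234 -p 1235 ..."
  # shellcheck disable=SC2086
  strace -f -e trace=file -s 256 $pids 2>&1 | missing_paths
}

# Constructed sample of strace output showing the pattern behind a
# "Primary script unknown" error: the worker looks for index.php under a
# document root that does not exist on this host.
SAMPLE_TRACE='[pid  1234] stat("/var/www/html/index.php", 0x7ffd1a2b3c40) = -1 ENOENT (No such file or directory)
[pid  1234] open("/etc/php/7.0/fpm/php.ini", O_RDONLY) = 5
[pid  1235] openat(AT_FDCWD, "/var/www/html/index.php", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  1235] access("/usr/share/nginx/html/index.php", R_OK) = -1 ENOENT (No such file or directory)'

# Offline demonstration on the constructed sample; on the server, run
# trace_phpfpm_missing_paths as root instead.
printf '%s\n' "$SAMPLE_TRACE" | missing_paths
```

Compare the reported paths against the root / fastcgi_param SCRIPT_FILENAME values in the nginx server block that handled the request to see which one php-fpm was actually given.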