New server

This blog has been hosted since 2008 on a vServer powered by a single core of an Intel Core2 Quad Q6600 commanding over 256 MB RAM and a 12 GB HDD. As OS, we've used Debian Lenny, and we have long tried to silence the voice inside our heads warning us that security support for Lenny ended almost 4 years ago. Certainly, there was not much to hack (after all, these are static pages), but I normally wouldn't tolerate such neglect, and I certainly wouldn't encourage it.

Well, we finally hauled our lazy carcasses out of their graves and managed to get a new vServer. Hardware-wise, a huge step up: two Intel Xeon E5-2680 v4 cores with 6 GB RAM and a 320 GB HDD. Software-wise, we've ordered the server with Debian Jessie, which was configured very nicely, but with plenty of services we don't need. The first step was thus to clean up and to update the system to Debian Stretch, the current version of 'Testing', which in my opinion represents one of the best choices for a rolling-release server installation that is reasonably up-to-date and yet almost care-free.

From Linux 2.6.20 on our old server to 4.8.11 on the updated new one: what an enormous jump! System administration has also changed significantly: for example, to synchronize the time, one no longer relies on a cronjob executing 'ntpdate -s', but uses systemd-timesyncd, and instead of apt-get and apt-cache, one uses apt. Oh yes, my dear dinos, that's how it is! But since the user interface has stayed the same, it is still as easy as ever to administer the system as long as one is able to read and write (type).

Concerning the webserver, it was haui who suggested Hiawatha. I'd never even heard of it, but after a first look I installed it (there are Debian repositories managed by Chris Wadge) and it instantly grew on me. It's small, lightweight, easy to configure, and has unique features not found in other webservers.

However, just like all other webservers I know, Hiawatha does not correctly deliver compressed scalable vector graphics (svgz). I was tired of that and wanted to avoid the need for patches, so I replaced all svgz files by svg and the corresponding references in all my posts:

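# -S z strips the trailing "z", so foo.svgz is decompressed to foo.svg
find . -type f -name "*.svgz" -print0 | xargs -0 gunzip -S z
# -print0 / -0 keep file names containing spaces intact
find . -type f -name "*.md" -print0 | xargs -0 sed -i 's/\.svgz/.svg/g'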

This decision turned out to be the right one. Hiawatha transparently compresses content without requiring any user interaction, and the page size of this blog actually decreased by 50% with respect to that delivered by dhttpd, our previous webserver, despite this manual decompression.

Now, concerning the IRC server, InspIRCd seemed to me the most promising candidate. Just look at that! And I wasn't disappointed: with a little help from here and there, I had it running pretty fast. What took some time was the key generation, since I wanted the TLS configuration of the server to comply with current security standards. After a lot of reading, I finally generated the key and the certificate

certtool --generate-privkey --ecc --sec-param ultra --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --template cert.cfg --outfile cert.pem

and configured the gnutls section in InspIRCd:

<module name="m_ssl_gnutls.so">
<gnutls certfile="cert.pem" keyfile="key.pem" priority="SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-MD5:-SHA1:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC">

Note that this is a rather strict configuration that will not work for clients that belong in a museum. With reasonably up-to-date systems, no problems should be encountered.
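
The version handling in that priority string depends on token order: `-VERS-TLS-ALL` first clears every protocol version and `+VERS-TLS1.2` then re-enables exactly one. The following lint is an added example, not part of the original post or of GnuTLS; the function names `tls_versions` and `lint_priority` are hypothetical, the `NORMAL` and reordered strings are constructed, and it assumes a base keyword alone enables TLS1.0 to TLS1.2.

```sh
#!/bin/sh
# Added example, not from the post: lint a GnuTLS priority string.
# Simplified model (assumption): only VERS-* tokens are evaluated, left to right,
# and a base keyword alone is assumed to enable TLS1.0, TLS1.1 and TLS1.2.
ALL_TLS="TLS1.0 TLS1.1 TLS1.2"

# tls_versions PRIORITY: print the protocol versions left enabled.
# The body is a subshell, so the IFS changes stay local to the function.
tls_versions() (
    vers=$ALL_TLS
    IFS=:; set -f; set -- $1; set +f   # split on ':' without globbing
    IFS=' '
    for tok in "$@"; do
        case $tok in
            -VERS-TLS-ALL|-VERS-ALL) vers="" ;;
            +VERS-TLS-ALL|+VERS-ALL) vers=$ALL_TLS ;;
            +VERS-*) v=${tok#+VERS-}
                case " $vers " in *" $v "*) ;; *) vers="$vers $v" ;; esac ;;
            -VERS-*|'!'VERS-*) v=${tok#?VERS-}; new=""
                for x in $vers; do [ "$x" = "$v" ] || new="$new $x"; done
                vers=$new ;;
        esac
    done
    echo $vers
)

# lint_priority PRIORITY: print one finding per line; return 1 if there are any.
lint_priority() {
    rc=0
    vs=$(tls_versions "$1")
    [ -n "$vs" ] || { echo "no protocol version enabled"; rc=1; }
    for v in $vs; do
        case $v in
            TLS1.2|TLS1.3) ;;
            *) echo "legacy protocol enabled: $v"; rc=1 ;;
        esac
    done
    for need in -MD5 -SHA1 -RSA; do    # removals the post's string makes
        case ":$1:" in
            *":$need:"*) ;;
            *) echo "not removed: ${need#-}"; rc=1 ;;
        esac
    done
    return $rc
}

PAGE_PRIO='SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-MD5:-SHA1:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC'
# The second and third strings are constructed counter-examples.
for p in "$PAGE_PRIO" 'NORMAL' 'SECURE256:+VERS-TLS1.2:-VERS-TLS-ALL'; do
    echo "== $p"
    if lint_priority "$p"; then echo "ok"; fi
done
```

GnuTLS itself remains the authority on what a string expands to: `gnutls-cli --list --priority "$PAGE_PRIO"` prints the cipher suites and protocol versions the installed library derives from it.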

I've applied a few other tweaks to the IRC server, but I won't discuss them now as I would first like to see how they perform in practice.