Saturday, June 29, 2019

Stratford Year 15

Stratford

We stayed at Green Chair B&B which is fantastic. They let us use the back yard and had a blow-up pool which EAH loved. Dinner out at Pearl Sushi. Jana arrived to see Henry VIII with us at the studio. It was quite good for a propaganda play, but they added some modern dress elements which I hated.

We had cupcakes to start, and York St. sandwiches for lunch by the river. Dinner at Mone-Thai before seeing Mother's Daughter at the Studio. It was fantastic. And we had time to stop for a beer at Herald Haus Brewing Co. before heading home. Really great night.

We had take-out Sirkel for breakfast, then went to town for ice cream. We walked to the Festival for an afternoon showing of Merry Wives. It was very good, but the slapstick knob was turned up a bit too high, and I found the portrayal of the French doctor almost offensive, though the audience loved it. Anyway, a great show set in the 50s.

Take-out from Downie St. Burgers. We went to the Avon to see Private Lives, which was excellent.

Sunday, June 9, 2019

CBC Radio Archive (Part 5)

CBC Radio, Ideas, 2018

Steven Pinker and Ken Dryden: 'Where there's a way, there's a will' (important)

CBC Radio, Ideas, March 2018

When NHL legend Ken Dryden was about to publish his book, Game Change, he got in touch with Harvard psychologist and linguist, Steven Pinker, who was about to publish Enlightenment Now. Their common ground: what does it actually take to change someone's mind? Pinker also happens to have grown up in Montreal, and idolized the former Canadiens goaltender. The two talk to Paul Kennedy about the relationship of rhetoric and reason.

Hall of Fame goaltender Ken Dryden wants to change not just the rules of hockey, but the entire culture of the sport. There are simply too many serious head injuries, and the thinking behind the rules governing the game has lagged behind the realities of how it's actually played. Pulitzer Prize finalist psychologist Steven Pinker believes that Enlightenment values have had their stock lowered on both the right and left, and he would like to see them resurrected: values like reason, science, humanism and progress. Too often, truth gets personalized. And we lose sight of the fact that life for most people has improved compared to any other epoch in history. And we owe that improvement, he argues, to the Enlightenment.

Progress in particular almost appears antiquated as an ideal. But both are firm believers in the notion that it is still viable, perhaps more than ever. Whether it's a sport in particular, or a society in general, changes for the better not only can be made; they have been made.

Into the Gray Zone with neuroscientist Adrian Owen (important)

CBC Radio, Ideas, March 2018

Dr. Adrian Owen's ground-breaking research demonstrates that some patients who were once considered to be in a vegetative state have some level of awareness and are able to respond to simple commands.

Imagining playing tennis lights up specific parts of the brain. Imagining walking through the patient's home lights up other distinct parts of the brain. Using these for simple yes or no questions, neuroscientists can communicate with some patients, learning how aware they are of their surroundings, or even simply asking them whether they are in pain.

Censorship and Identity: Free speech for me but not for you (important)

CBC Radio, Ideas, March 2018

Anti-racist Black lesbian Linda Bellos was disinvited from giving a talk at Cambridge University because of her views on "trans politics". Whether it's redressing historical wrongs, new hate speech legislation, or safe spaces as a human right: when does the desire to accommodate aggrieved groups become censorship? A debate among public intellectuals at London's Battle of Ideas.

The politics of outrage is especially intense on university campuses. Dalhousie University student activist Masuma Khan angered many when she posted on Facebook that people should boycott Canada Day because of its 400-year history of genocide. She said: "white fragility can kiss my ass". A fellow student then filed a complaint that her post was blatant discrimination against white people. At the University of California, Berkeley, free counselling was offered to students who felt they might be adversely affected by the words of Ben Shapiro, a right-wing commentator who was invited to speak on campus. In the larger world, free speech is sometimes shut down by ultra-conservatives. At Poland's annual nationalist rally, some participants said that Muslims living in the country should be placed under surveillance and made to wear armbands. In France, many nationalists want to limit or rid the country of new immigrants. The populist Sweden Democrats party has targeted journalists because it believes they are endangering traditional Swedish values.

- Nick Gillespie is a libertarian journalist and editor-in-chief of Reason.com.
- Toby Young is co-founder of the West London Free School and associate editor at The Spectator.
- Jodie Ginsberg is the chief executive of Index on Censorship.
- Trevor Phillips is the founding chair of the Equality and Human Rights Commission. He is also co-founder of a diversity analytics research company.
- Frank Furedi is a public intellectual, author and professor emeritus of sociology at the University Of Kent.

- The Populist Explosion: How the Great Recession Transformed American and European Politics by John B. Judis, Columbia Global Reports, 2016.
- Free Speech: Ten Principles for a Connected World by Timothy Garton Ash, Yale University Press, 2017.
- Free Speech on Campus by Howard Gillman, Erwin Chemerinsky, Yale University Press, 2017.
- On Censorship by Salman Rushdie, The New Yorker, May 11, 2012.
- A Nation of Snowflakes by Adam Serwer, The Atlantic, September 26, 2017.
- The Two Clashing Meanings of 'Free Speech' by Teresa M. Bejan, The Atlantic, December 2, 2017.
- 11 Canadian Books That Have Been Challenged, CBC Books, February 28, 2018.
- The Age of Offence by Ira Wells, Literary Review of Canada, April 2017.

Enright Files: Your brain on digital technology (important)

CBC Radio, Ideas, March 2018

Nicholas Carr is a prominent American journalist and author who sees our minds as being hopelessly susceptible to the endless distractions and rapid-fire barrage of information the Internet serves up to us. He further argues that rather than being a transformative tool for democratic participation, the Internet has made our participation in civil society more fleeting. Nicholas Carr wrote The Shallows: What The Internet is Doing to our Minds.

Google, Apple, Facebook and Amazon came to dominate their markets by creating better products that people wanted. But to Franklin Foer, their hegemony poses grave dangers for democracy, let alone the principle of competition. He sees a handful of huge corporations monopolizing our attention and shaping our consciousness itself, not to mention our economies. Imagine if governments in Western democracies did as much to monopolize our attention and influence our minds and our way of life as big tech companies do today. Franklin Foer is a former editor of The New Republic Magazine, and he's the author of World Without Mind: The Existential Threat of Big Tech.

Last November Michael Enright spoke with Jean Twenge — a professor of psychology at San Diego State University — about her research into the effects of smartphones and social media on kids. Also taking part in that discussion was Clive Thompson, a widely-read Canadian technology journalist and the author of Smarter Than You Think: How Technology Is Changing Our Minds For The Better.

Is there a culture war against populism? (important)

CBC Radio, Ideas, March 2018

Is it a positive wave or a troubling pattern? In this age of anxiety over joblessness and immigration, populist leaders in Hungary, Poland, Turkey, Sweden and the Philippines are tapping in. Is populism, as the 1960s American historian Richard Hofstadter called it, "a paranoid style of politics"? Or is it what others describe as "the essence of democratic politics"? A debate among public intellectuals at London's Battle of Ideas.

Marine Le Pen will call herself a democrat. But that doesn't mean she is a democrat. You know Trump uses the phrase 'very fine people' to describe people who go to Charlottesville with supremacist ideas. That doesn't mean they're very fine people. – Elif Shafak

I think there's a silent cultural war against populism, it basically symbolizes the fact that for the first time since the end of the Cold War, the traditional establishment feels their basic values are being sort of challenged. – Frank Furedi

Globalization has given the political elites a sense of greater control and it's given non-elites a sense of economic loss, and a sense of loss of sovereignty. – David Goodhart

Good Cheer is a Great Idea!

CBC Radio, Ideas, February 2018

Almost twenty years ago, Paul Kennedy produced an IDEAS documentary about Samuel de Champlain's "L'Ordre de Bon Temps", which basically kept early French colonists at Port Royal, Nova Scotia alive through the brutal winter of 1606. Paul Kennedy recently learned that a group of foodie friends in Ottawa has turned Champlain's historic meal into an annual celebration. They gather together in the middle of every winter, to prepare a feast for family and friends, basically inspired by the menu and the recipes provided during that original broadcast.

The resistance of Black Canada: State surveillance and suppression (important)

CBC Radio, Ideas, February 2018

Canada's history of suppressing Black activism is coming to light like never before, thanks to researchers like PhD student Wendell Adjetey. Wendell's historical research uncovers evidence of clandestine government surveillance in the 20th century, while also bringing to life overlooked parts of this history. His work highlights the struggles and setbacks of Black activists in the 20th century, helping us understand the ripple effect of those legacies today.

I think the attempted suppression is rooted in a white supremacy that creates this idea that all things that are not white are dangerous and bad and scary and in need of watching. – Syrus Marcus Ware, visual artist and core team member of Black Lives Matter Toronto.

We as Canadians have contributed handsomely to a myth that makes us feel morally, politically, legally superior to the US at least on the question of race. It's a myth that allows us to think that we don't profit from those structures. – Saje Mathieu, historian, University of Minnesota.

Sheldon Taylor is a historian who completed his PhD at the University of Toronto, where he developed courses on African-Canadian history and the African diasporic experience. His PhD dissertation is called Darkening the complexion of Canadian society: black activism, policy-making and black immigration from the Caribbean to Canada, 1940s–1960s.

Simone Browne is an associate professor in the Department of African and African Diaspora Studies at the University of Texas, Austin. She is the author of Dark Matters: On the Surveillance of Blackness.

Robyn Maynard is an activist, writer and author of Policing Black Lives: State Violence in Canada from Slavery to the Present.

On Tyranny: 20 lessons from the 20th century (important)

CBC Radio, Ideas, February 2018

Authoritarianism is on the rise around the world, and Timothy Snyder wants to push back against this tide. Snyder, a history professor at Yale University who's written widely on Europe and the Holocaust, takes an unusual approach in his little book, On Tyranny: Twenty Lessons from the Twentieth Century. It's not a sweeping historical analysis, but a collection of observations and suggestions on what forms resisting authoritarianism can take.

"What is patriotism? Let us begin with what patriotism is not. It is not patriotic to dodge the draft and to mock war heroes and their families. It is not patriotic to discriminate against active-duty members of the armed forces in one's companies, or to campaign to keep disabled veterans away from one's property… The president is a nationalist, which is not at all the same thing as a patriot. A nationalist encourages us to be our worst, and then tells us that we are the best… A patriot, by contrast, wants the nation to live up to its ideals, which means asking us to be our best selves."

"Before you deride the 'mainstream media', note that it is no longer mainstream and easy, and actual journalism that is edgy and difficult. So try for yourself to write a proper article, involving work in the real world: traveling, interviewing, maintaining relationships with sources, researching in written records, verifying everything… Journalists are not perfect, any more than people in other vocations are perfect. But the work of people who adhere to journalistic ethics is of a different quality than the work of those who do not."

"Fascists despised the small truths of daily existence, loved slogans that resonated like a new religion, and preferred creative myths to history or journalism. They used new media, which at the time was radio, to create a drumbeat of propaganda that aroused feelings before people had time to ascertain facts. And now, as then, many people confused faith in a hugely flawed leader with the truth about the world we all share. Post-truth is pre-fascism."

A book lover, his library and the Scottish Enlightenment

CBC Radio, Ideas, February 2018

Two hundred and fifty years ago, a relatively remote and economically-challenged country called Scotland became the surprising host to one of the most exciting intellectual developments in the world. Magically, the best and the brightest minds were being promoted and distributed by enterprising and adventurous publishers, in places like Edinburgh, Glasgow and Aberdeen. Not surprisingly, a select group of printers with rare genius rose to meet an obvious need.

Edinburgh bibliophile Dr. William Zachs takes Paul Kennedy through his library of amazing books that were published in Scotland during the heyday of the Scottish Enlightenment. At the time, Adam Smith, David Hume, James Boswell and The Encyclopaedia Britannica were runaway best sellers. But obscure titles from a wide range of intellectual disciplines reveal the astounding diversity of Caledonian cogitation.

Gabrielle Scrimshaw on liberating the past and embracing the future (important)

CBC Radio, Ideas, February 2018

Gabrielle Scrimshaw is a vibrant voice among a younger generation of First Nations leaders. She holds an MBA from Stanford University, and is completing her Master's in Public Administration at Harvard.

Gabrielle Scrimshaw grew up in Hatchet Lake First Nation, Saskatchewan. She left home at age 17 to study at the University of Saskatchewan, and then the University of Toronto. Along the way she co-founded the Aboriginal Professional Association of Canada.

Gabrielle Scrimshaw delivered the third annual Vancouver Island University Indigenous Speaker Series in November 2017.

Whose Lives Matter? (important)

CBC Radio, Ideas, February 2018

The Black Lives Matter movement demands serious answers from our society to questions about race, culture and prejudice. This episode features Janaya Khan, d'bi. young and Sandra Hudson in a panel discussion from the Stratford Festival Forum.

"You know, when I think of 'whose lives matter?' I think of — what are our lives worth? Is my life worth a noise complaint, is that enough to end it? When I call the police for help, because maybe I'm having an episode...and that need for help is seen as something threatening?" – Janaya Khan

"Allowing ourselves to believe that we can really change an entire system, just like our ancestors did — I think that's what it's going to take to really, truly shift this system — for everyone." – Sandra Hudson

"I want us to ask ourselves: what does it take for me to care about something beyond my own lived experience. What does it take for me to invest in a set of principles that are going to guide my performance in this game (of life)?" – d'bi. young

Imagining the singularity: What happens when computers transcend us? (important)

CBC Radio, Ideas, February 2018

"It could literally be the best thing that ever happened in all of human history if we get this right. And my main concern with this transition to the machine intelligence era is that we get that superintelligence done right, so it's aligned with human values. A failure to properly align this kind of artificial superintelligence could lead to human extinction or other radically undesirable outcomes." – Nick Bostrom, Professor of Philosophy and Director of the Future of Humanity Institute at the University of Oxford.

We don't really know how to instill human values in a machine. Doina Precup, a computer scientist from McGill University suggests that one strategy might be simply having them learn by watching us — like children do.

Another challenge might be that a computer superintelligence could be superhuman without being very human-like, making it hard for us to relate to. Chris Eliasmith, Director of the Centre for Theoretical Neuroscience at the University of Waterloo, says we should be able to create machines which duplicate the functions of a brain; he's working on creating machine intelligence modelled on the organization and function of the human brain.

Science fiction writer and futurist Madeline Ashby points out that this is part of a long history of humanity thinking about creation — whether it's in ancient religious stories, or the more modern stories of creation that perhaps started with Frankenstein and continue through modern science fiction.

As Theologian James McGrath points out, we have a long history of imagining our relationship with beings that are superior to us, and many of these are cautionary tales.

Robin Hanson, an economist and futurist has explored this scenario in his book The Age of Em, and comes to a surprising conclusion. An uploaded life would not be a fantasy world of virtual-reality paradises. It would be a working world in which uploaded minds labour to earn their electricity and server space.

Why is there so much poverty in a rich country like Canada? (important)

CBC Radio, Ideas, February 2018

A discussion from the Stratford Festival.

"Poverty exists in our society because we've chosen for it to exist. Poverty is the entirely predictable outcome of policy choices and the legal infrastructure that we've created for building our economy and redistributing wealth in our society." – Fay Faraday – Social justice lawyer.

"Our employers should have the responsibility for our health and safety when we go to work, and for our working conditions. And — I don't think it's too much to ask for, that we should be able to pay our bills?" – Deena Ladd – Toronto-based Workers Action Centre.

"So demand leadership from our political leaders because they have a huge say in the poverty that happens in our society, and a way for us to eliminate poverty in our society." – Debora De Angelis – United Food and Commercial Workers Union of Canada.


Writer Heather O'Neill finds wisdom in an eccentric father's advice (important)

CBC Radio, Ideas, February 2018

Heather O'Neill is one of Canada's top fiction writers — winning awards, accolades, and readers for her vivid novels. But it was an unpredictable path to success: she comes from humble Montreal roots. She was raised by her single father — a janitor who wryly listed his real occupation as professor of philosophy. He offered his book-obsessed daughter a set of rules for life. In conversation, and in her Henry Kreisel Lecture at the Canadian Literature Centre in Edmonton, Heather O'Neill describes her dad's colourful advice to her, as well as the surprising people who made her into a passionate writer and reader, and helped her bridge the class divide that restricted her father's own life.

Andrew Feinstein exposes "the shadow world" of global arms (important)

CBC Radio, Ideas, January 2018

Buying and selling weapons is a huge, and highly secretive, business for governments, aerospace and defence companies, and black market profiteers alike. In this UBC Wall Exchange talk from Vancouver, former South African politician and U.K.-based corruption researcher Andrew Feinstein argues that the arms trade does not make us more secure. In fact, he contends that it fuels conflict, undermines economic progress and democracy, and, with its unintended consequences, endangers citizens everywhere.

Western-made weapons used against civilians in the war in Yemen. Guns meant to arm American-allied soldiers in Syria, used against those same soldiers. Armoured vehicles from Canada, used by Saudi security forces against their own citizens. It seems the ultimate route of weapons is never predictable, and that is just one of the troubling issues that author Andrew Feinstein raises in his exploration of the shadow world of global arms.

The Scottish Enlightenment: The invention of modern mind and culture (important)

CBC Radio, Ideas, January 2018

Sheila Szatkowski — author of Enlightenment Edinburgh: A Guide — provides a walking tour of intellectual hotspots. Arthur Herman — author of How the Scots Invented the Modern World — adds historical and cultural context. On Burns' Night, it seems appropriate for everybody to feel just a little bit Scottish.

Wade Davis: Light at the edge of the world (important)

CBC Radio, Ideas, January 2018

In our age, many societies look like they're hurtling towards disorder and disunity. For all of our technological sophistication, the centre isn't holding; great civilisations seem less united than ever. Wade Davis thinks we need to pay more attention to the values, the voices, and the concerns of Indigenous peoples. We have a lot to learn by listening more carefully. Wade Davis in a discussion with Paul Kennedy, with excerpts from a lecture at the Ontario Heritage Trust.

Travels through Trump's America one year later (important)

CBC Radio, Ideas, January 2018

It's been one year since Donald Trump's inauguration. His official swearing-in compelled many Americans to reflect on what America actually is now, politically, socially and culturally. Contributor David Zane Mairowitz is originally from America, and has been living in Europe for over fifty years. He returned to the U.S. in the spring of 2017 to travel through six southern states, where he recorded his encounters with everyday people at restaurants, churches, and gun shows. His aim: to gain insight into an America he's now struggling to comprehend.

Making art that matters: The 2017 Sobey Art Award

CBC Radio, Ideas, June 2018, Part 1, Part 2

Part 1 profiles the four finalists: Raymond Boisjoly, Divya Mehra, Bridget Moser and Jacynthe Carrier. Part 2 profiles the 2017 Sobey Art Award winner, Ursula Johnson.


First Nation, Second Nation: A discussion about the state of Indigenous people in Canada today

CBC Radio, Ideas, January 2018

In a country where just about all of us are immigrants, Indigenous people are creating new structures and rediscovering old values. A discussion from the Stratford Festival featuring Leanne Betasamosake Simpson, Jarrett Martineau and Alexandria Wilson.

Decoding prehistoric art with Jean Clottes

CBC Radio, Ideas, January 2018

The songs and stories of prehistoric humans are gone. All that remains of their culture is their art. It's the one thing that can bridge the vast, silent chasm of time between then and now. IDEAS contributor Neil Sandell introduces us to the French archaeologist Jean Clottes, a man who's devoted his lifetime trying to decipher the rich, enigmatic world of cave art.

Ken Dryden on changing the idea of hockey (important)

CBC Radio, Ideas, January 2018

Game Change, the book written by NHL legend, Ken Dryden, is on one level about the increasing number of concussions hockey players have. But it's also about changing the way decision-makers make decisions. As he tells host Paul Kennedy, being right isn't enough. That's why Dryden has turned the old adage "where there's a will, there's a way" on its head. He argues passionately that if there's a way, there's a will.

First Nations in the first person: Telling stories & changing lives

CBC Radio, Ideas, January 2018

The stories of three Indigenous people told in their own words. Sandra Henry of Winnipeg is a former social worker. Brielle Beardy-Linklater is an Indigenous transgender activist from the Nisichawayasihk Cree Nation. Theodore Fontaine is an author and a former chief of the Sagkeeng First Nation in Manitoba.

The Enright Files on suffering, sorrow and the search for meaning (important)

CBC Radio, Ideas, January 2018

This month's edition of The Enright Files explores how the works of Viktor Frankl, Anton Chekhov and Joan Didion wrestle meaning and solace from tragedy, horror and suffering.


Sailing Alone Around the World

CBC Radio, Ideas, April 2013

In 1895 a retired Canadian sea captain set off to sail alone around the world. It had never been done, and it took Joshua Slocum three years, but the book of his adventures made him famous. Since then, fewer than 200 people have sailed in his wake and two of them are also Canadian. IDEAS contributor Philip Coulter explores this greatest challenge sailors set for themselves — possibly the greatest of all human challenges.

Have insomnia? Blame the Romantic poets

CBC Radio, Ideas, December 2017

In Hunt's studies of English poets of the Romantic period, she zeroes in on references to sleep, or the lack thereof. By tying references like the "anguish and agony" of the "unfathomable hell within" to her readings of medical texts and historical accounts from that period, she reveals how the poems reflect a major shift in how insomnia was understood.

"There were any number of threats to peaceful repose," says Roger Ekirch, a historian at Virginia Tech University. "Illness kept many people awake at night — the cold, the heat, the unholy trinity of early modern entomology: lice, fleas and bedbugs, and that's just the beginning. Most homes rattled in a breeze and never were people more vulnerable to [fears of] Satanic demons."

Revisiting Glenn Gould's revolutionary radio documentary, 'The Idea of North'

CBC Radio, Ideas, December 2017

Glenn Gould's landmark documentary, The Idea of North, first aired on CBC Radio on December 28, 1967.

In his boldly experimental program about the Canadian north, the pianist used a technique he called "contrapuntal radio," layering speaking voices on top of each other to create a unique sonic environment situated in the space between conversation and music.

In Return to North: The Soundscapes of Glenn Gould, CBC contributor Mark Laurie talks to four people who knew Gould intimately, and reinterprets Gould's contrapuntal technique to explore the landscape of Gould's life — and his ideas about music and radio.

Shakespeare in the Funny Pages

CBC Radio, Ideas, December 2017

What if Shakespeare's characters escaped from the play that they're in, and went off on a grand adventure of their own, freed from the chains of their creators' imagination? What if they lived in the modern era and communicated with cellphones and autocorrect? Well, all things are possible through the magic of the human mind. In this episode, a panel discussion from the Stratford Festival featuring Mya Gosling and Conor McCreery in conversation. The discussion is moderated by the Stratford Festival's literary and editorial director, David Prosser.

Playdoh's Republic: Children as natural philosophers (important)

CBC Radio, Ideas, December 2017

Why were we born? Is life just a dream? What makes something wrong or right? Children often ask questions like these — sometimes to the exasperation of their parents. But children really want to know why the world is the way it is. And they want to know how we know. Maybe that's because they're open, curious and inquisitive — they're natural philosophers.

Journalism in the age of fake news (important)

CBC Radio, Ideas, December 2017

Established news media no longer have the monopoly on how we consume our news, and "fake" news is proliferating. Now purveyors of false news are saturating social media, emboldened by a U.S. president who regularly derides mainstream journalists as creators of fake news. In panel discussions at the Banff Centre, part of The Democracy Project, journalists ponder reporting in an age where political leaders attack them to discredit their work.

Facebook, Google, Apple and Amazon are manipulating our lives and threatening our democracy (important)

CBC Radio, Ideas, December 2017

The internet began with great hope that it would strengthen democracy. Initially, social media movements seemed to be disrupting corrupt institutions. But the web no longer feels free and open, and the disenfranchised are feeling increasingly pessimistic. The unfulfilled promise of the internet has been a long-term concern of Digital Media and Global Affairs expert Dr. Taylor Owen, who delivers the 2017 Dalton Camp Lecture in Journalism. He argues the reality of the internet is now largely one of control, by four platform companies — Google, Facebook, Amazon and Apple — worth a combined $2.7 trillion — and their impact on democracy is deeply troubling.

How filmmakers and fishers saved Fogo Island (important)

CBC Radio, Ideas, December 2017

A little over fifty years ago, while the rest of the country was celebrating Canada's Centennial, the friendly folks on Fogo Island — most of whom were fishers — were ordered to abandon their homes and resettle in larger communities on the larger island of Newfoundland. Memorial University's Extension Department invited the National Film Board of Canada to visit Fogo, and interview people about their future. At the end of what is now called The Fogo Process, they voted to stay put, form a cooperative, and take over the fish plant. It became a model for alternative democracy around the world.

Conservative with age: Why your political stripes change over time (important)

CBC Radio, Ideas, December 2017

No one really knows who first coined the saying, "If you're not a socialist at twenty, you have no heart, and if you're not a conservative at forty, you have no brain." It wasn't British Prime Minister Winston Churchill or Oscar Wilde, though it's often attributed to them. The smart money seems to be on a rather obscure French jurist from the 19th century, Anselme Batbie.

Whatever the source, it's been repeated for well over a century because it seems to ring true. Youthful ideals give way to pragmatism as the years go by. But why do so many of us seem to follow in the footsteps of that old adage? Why do others resist it? And what does the adage reveal about the way we come to hold our political beliefs?

The enduring power of Albert Camus' L'Étranger (important)

CBC Radio, Ideas, December 2017

It's been 75 years since Albert Camus published L'Étranger, usually translated as The Stranger or The Outsider. And it continues to be the most translated book from French into English. Given how intense questions about "the other" are across the globe (who really belongs where and who doesn't), Camus' book is more relevant than ever. Radio-Canada producer Danny Braun speaks with a novelist, a rapper, some academics and a former death row inmate to delve into the enduring appeal of L'Étranger, both to the intellect and to the heart.

Award-winning authors on balancing chaos and control

CBC Radio, Ideas, December 2017

A parent's fear. A child coping. The final stops of life. These are the ways that some top Canadian writers — all winners of 2017 Governor General's Literary Awards — addressed our challenge to create an original piece of writing on the theme of chaos and control. They reveal where their imaginations travelled, from the most intimate moments of family life, to the largest of cultural questions. Featuring talk and readings from: Hiro Kanagawa, Cherie Dimaline, Richard Harrison, and Oana Avasilichioaei.

Borges' Buenos Aires: The Imaginary City

CBC Radio, Ideas, December 2017 Part1, Part2

The Argentinian writer Jorge Luis Borges had a profound influence on the shape of modern literature. And he himself was profoundly shaped by the city he grew up in — Buenos Aires – a city that plays a major role in many of his stories. One of the great experimental writers of the 20th century, Borges believed that a story is a doorway to a world larger than itself, and that the act of reading is an essential part of both the making and the meaning of the story: the writer and the reader are in a great river, together.

Philip Coulter goes on a walking tour of Borges' Buenos Aires, in the company of the celebrated writer, Alberto Manguel, who used to read to the blind Borges as a teenager, and who, like Borges before him, is now director of the National Library in Buenos Aires.

Precarious Work: David Weil on the disappearing company job (important)

CBC Radio, Ideas, December 2017

For most of the 20th century, everyone — from the janitor to the CEO — was employed by "the company". But increasingly, large corporations are outsourcing work to small companies, often abroad. For workers, this change means lower wages, fewer benefits and an intensified widening of income inequality, with huge financial gains going to the top one percent. In a lecture and subsequent interview with Paul Kennedy, scholar and Barack Obama appointee, David Weil, talks about precarious work and the disappearing company job.

A fissured workplace is becoming our new norm, and having a radical impact on widening income inequality, according to scholar and Obama-appointee, the former Labor Standards Regulator, David Weil. Professor Weil coined the term to explain how many large companies — Apple, The Marriott Hotel, Amazon — are no longer direct employers of the people behind their products and services.

The Enright Files on changing the way we think about the natural world (important)

CBC Radio, Ideas, December 2017

Our relationship with the natural world may be our most important, aside from our relationship with each other, yet it has become seriously out of balance. Humans have wrought enormous destruction to the environment, to other species and to the global climate in the name of progress and improving our quality of life. In this month's edition of The Enright Files, Michael speaks to three people who are changing the way we think about our relationship with the natural world, from one-on-one relationships with animals to the massive, unwieldy issue of our impact on a geological scale.

- Brian Brett: Growing up as a "parrot among crows," androgyny and human-animal relationships
- Peter Wohlleben on The Hidden Life of Trees
- Katharine Hayhoe on changing minds about climate change

Making a better world with a culture of 'citizen eaters' (important)

CBC Radio, Ideas, December 2017

Michael S. Carolan is the author of No One Eats Alone: Food as a Social Enterprise. He gave a public talk in Toronto in the autumn of 2017, and made the following provocative argument: we can change our relationship to food — how's it's made, distributed and even consumed — by changing our relationships with each other, and maybe open up the possibility of creating a better world.

CBC Radio, Ideas, 2017

How Martin Luther invented the modern world (important)

CBC Radio, Ideas, November 2017

It has been 500 years since Martin Luther supposedly nailed his 95 theses to the door of the Castle Church in Wittenberg, Germany. There's no proof he ever did that — and it may not matter. We're still living in the aftershocks of the religious, political and social revolution that he began. This program looks at Martin Luther's legacy, and why he still evokes impassioned debate today.

Why democracy depends on how we talk to each other (important!!)

CBC Radio, Ideas, November 2017

Does democracy have a future? It's a question being asked in democracies everywhere. People are frustrated with politics and politicians. And politicians appear weary of democracy. Now populist uprisings to protect the status quo are threatening the foundations of democracy itself. Michael Sandel is a world-renowned political philosopher at Harvard University — and the 2017 LaFontaine-Baldwin lecturer. But he doesn't "lecture" in the usual sense of the term: he interacts with his audience, not only answering their questions but asking them questions to make them think and reflect.

Roaming Imagination: What the stories we tell about bears say about us

CBC Radio, Ideas, November 2017

Bears hold a powerful place in the human psyche. From early cave drawings and myths as old as language itself, to modern scientific research, the family Ursidae has captivated the imaginations of humans around the world. At the heart of our obsession are contradictions: a magnetism that draws us in and fear that pushes us away. Contributing producer Molly Segal explores the stories we share about bears, what they say about us and our future.

Friesen Prize winner Dr. Alan Bernstein: Team science will save the world! (important)

CBC Radio, Ideas, November 2017

As an individual, he may be one of Canada's top scientists, respected the world over. But Dr. Alan Bernstein believes collaboration is what takes science to the next level. The 2017 Friesen Prize winner is enthused about the richness and diversity of scientific research today, as he details in his public talk. He also speaks one-on-one with Paul Kennedy about his trajectory in medical and health science, working on stem cells, blood cell formation, and cancer. He also explains why — despite those personal accomplishments — he's devoted to bringing great minds together.

Confronting the 'perfect storm': How to feed the future (important)

CBC Radio, Ideas, November 2017, Part1, Part2

We're facing what could be a devastating crisis—how to feed ourselves without destroying the ecosystems we depend on. We already produce enough food to feed everyone on the planet. Yet 800 million people are undernourished, while another 2 billion are overweight or obese. And at the same time, almost one third of the food we produce goes to waste. In partnership with the Arrell Food Institute at the University of Guelph we seek out creative solutions to a looming disaster. In this episode we hear from waste expert Tammara Soma and international food security expert Tim Benton.

In Canada we waste about a third of the food we produce. And yet four million Canadians experience food insecurity. In partnership with the Arrell Food Institute at the University of Guelph, we hear from Dawn Morrison whose work focuses on Indigenous food sovereignty and Bryan Gilvesy, a long-horn cattle rancher who puts sustainability first.

Naked in the Mirror: Stephen Greenblatt on our obsession with Adam & Eve

CBC Radio, Ideas, November 2017

Professor Greenblatt, author of The Rise and Fall of Adam and Eve, believes this compelling and contradictory tale of the first man and woman is masterly storytelling that goes straight to the core of some of our most vital human questions.

The 2016 U.S. Election: We had no idea it would be like this (important)

CBC Radio, Ideas, November 2017

When Hillary Clinton announced that she would run for President, everyone knew the 2016 United States election could be a historic one. We had no idea how historic or unprecedented this election would become. On this month's edition of The Enright Files, we revisit The Sunday Edition's coverage of the candidates and the turmoil within their parties in the months leading up to the election — and the growing unease around what the election would mean for the U.S. and the rest of the world.

- Joan Walsh, National Correspondent for The Nation magazine and political analyst for MSNBC.
- Thomas Frank, columnist with Harper's Magazine, and author of What's Wrong with Kansas: How Conservatives Won the Heart of America and Listen, Liberal: or Whatever Happened to the Party of the People.
- David Frum, former speechwriter for President George W. Bush, conservative commentator and senior editor at the Atlantic Magazine.
- Arlie Hochschild, Professor Emerita in the department of sociology at the University of California at Berkeley and author of Strangers in Their Own Land: Anger and Mourning on the American Right.
- Moustafa Bayoumi, Canadian-American associate professor of English at Brooklyn College and author of How Does It Feel to Be a Problem: Being Young and Arab in America.
- Patricia J. Williams, James L. Dohr Professor of Law at Columbia University and author of The Alchemy of Race and Rights and Seeing a ColorBlind Future: The Paradox of Race.

The 2017 CBC Massey Lectures - In Search of a Better World (important)

CBC Radio, Ideas, November 2017

A call to action for our times, Payam Akhavan's 2017 CBC Massey Lectures, In Search of a Better World: A Human Rights Odyssey, is a powerful survey of some of the major human rights struggles of our times — and what we can do about it.

Renowned UN prosecutor and human rights scholar Payam Akhavan has encountered the grim realities of contemporary genocide throughout his life and career. Deceptive utopias, political cynicism, and public apathy, he says, have given rise to major human rights abuses: from the religious persecution of Iranian Bahá'ís that shaped his personal life, to the horrors of ethnic cleansing in Yugoslavia, the genocide in Rwanda, and the rise of the Islamic State.

But he also reflects on the inspiring resilience of the human spirit, and the reality that we need each other, to set us free from ideology and go about building that better world.

Democracy Undermined? Debating the impact of Donald Trump's presidency on democracy (important)

CBC Radio, Ideas, November 2017

The Munk Debates put it starkly: Be It Resolved, American democracy is in its worst crisis in a generation, and Donald J. Trump is to blame. Andrew Sullivan and E. J. Dionne argue in favour of the resolution, Kimberley Strassel and Newt Gingrich against.

Creating a city for all: The future of cities in the 21st century (important)

CBC Radio, Ideas, October 2017

Athens, Rome, Venice. History offers many examples of cities that were their own world, independent mini-states that offered freedom of ideas and a model for social cohesion — alternative societies that have often been in conflict with the larger surrounding state. Cities still drive social progress, but many factors are changing our modern world, and cities are again being forced to retool and rethink how they work.

- Sevaun Palvezian is Chief Executive Officer of the Toronto non-profit CivicAction.
- Gil Penalosa is founder and chair of 8 80 Cities.
- Lorna Day is Director of Urban Design for the City of Toronto.

Meat on the table: Can we justify consuming animals? (important)

CBC Radio, Ideas, October 2017

If you typically eat three meals a day, then it's a choice you make more than one thousand times a year. And if you're like most people, that choice probably involves meat or dairy, or both. On top of that, many of the clothes we wear are made from animals. But can something that nearly everybody on the planet is doing, and has been doing for millions of years, be immoral?

For Gary Francione, the answer is a resounding "yes". But Nicolette Hahn Niman sees Francione's abolitionist view as unnecessarily extreme, even harmful. She is a California beef rancher, lawyer, and the author of Righteous Porkchop and Defending Beef: The Case for Sustainable Meat Production.

Sex, Truth and Audio Tape: Shifting identities on a changing sexual landscape (important)

CBC Radio, Ideas, October 2017, Part1, Part2

It's often been said that everything in the world is about sex, except sex itself — sex is about power. So what are we to make of today's sexual landscape, where we see the most diverse range of orientations and expressions of sexuality in history? Lesbian, gay, queer, cis, pansexual, leather daddies, stone butch, asexual... the list keeps growing. And there is entrenched push-back against that expansion. So who gets to say what about whom? And as the sexuality landscape broadens, what will it mean?

The Harvey Weinstein story has unleashed a veritable tsunami of sexual assault and harassment claims. And there's a huge gender gap at work: overwhelmingly, men are the accused perpetrators; women, the victims. IDEAS producer Mary O'Connell explores the motivations, conscious and unconscious, behind this disturbing dynamic.

El Sistema: How the power of music helped change Venezuelan lives

CBC Radio, Ideas, October 2017

In 1975 the Venezuelan economist and musician Jose Antonio Abreu started an after-school music programme for street kids in Caracas. It was primarily a social action project, a way to solve a problem of lawlessness and aimlessness among youth, but it was also about encouraging a love of music for its own sake. El Sistema became a revolutionary movement that has transformed the lives of hundreds of thousands of children — and also helped create a few generations of musicians and a nation of music lovers. Jose Antonio Abreu died last month, and we're re-broadcasting this documentary about El Sistema as a tribute to a great visionary.

Dark tower of dreams: Inside the Walled City of Kowloon

CBC Radio, Ideas, October 2017

The infamous "Walled City of Kowloon" was once the most populous spot on the planet. With 1.2 million people per square kilometre, it was a gigantic squatter's village. Nobody planned it, but somehow it worked, until it was demolished, just before the British handed Hong Kong back to China. Paul Kennedy speaks with photographer Greg Girard, and urban designer Suenn Ho, about what the Walled City meant to them, and him.

The Enright Files on Vladimir Putin's Russia (important)

CBC Radio, Ideas, October 2017

Since 2000, Russia has been Vladimir Putin's state. Putin has served as president for 13 years since 2000, in addition to four years as prime minister from 2008 to 2012.

In that time, Putin has been credited with bringing relative prosperity and stability to Russia, restoring to Russia the geopolitical heft it enjoyed in the Soviet days, and outmaneuvering the West in global trouble spots like Syria and Ukraine.

Russia may no longer be seen as an existential threat to the world, but Putin is regarded as a brazen provocateur and troublemaker, a supporter of rogue regimes and an underminer of the electoral process in Western democracies. Most notoriously, he's been accused of meddling in the 2016 U.S. election, perhaps even colluding with the Donald Trump campaign to defeat Hillary Clinton.

And there are many in Russia who think of him more as a czarist or Stalinist than as a democratic leader. Putin's regime has a reputation for being thuggishly, even murderously repressive toward opposition leaders, anti-corruption crusaders and journalists. Ask a lot of people what's the best way to get rich in Russia, and they'll tell you—be a friend of Vladimir Putin's.

The edge of musical thinking: Capturing the spirit of tango and vibrato

CBC Radio, Ideas, October 2017

In this episode of Ideas from the Trenches, we feature two musicians from the Schulich School of Music at McGill University who are deeply immersed in investigating the evolution of their art forms and the conflicts within. Flutist and PhD student Hannah Darroch takes us into a controversy known as 'the Vibrato Wars', centring on an all-important 'wobble' in the note that either expresses the human spirit or is "worse than cholera," depending on whom you ask. And cellist Juan Sebastian Delgado is a recent PhD graduate who searches out the essence of tango in today's challenging 'nuevo tango' music.

Master of his own design: Conversations with Frank Gehry

CBC Radio, Ideas, 2017, Part1, Part2

Canadian-born Frank Gehry has been called the greatest architect of our time. And yet he's still a rebel in his field. His sensual, sculptural buildings reject the cold minimalism and glass boxes of Modernism, and the ornate flourishes of post-modernism. Gehry, now 88, became famous in his late 60s, when his extraordinary design for the Guggenheim Museum became a reality twenty years ago in Bilbao, Spain. A complex and engaging man, who's been open about his disdain for the media, gave IDEAS producer Mary Lynk a rare chance to talk with him in California.

Therefore Choose Life: The Lost Massey Lecture by George Wald (important)

CBC Radio, Ideas, October 2017

In 1970, outspoken Harvard biologist George Wald became the first natural scientist to give the CBC Massey Lectures. The Nobel Prize winner championed diversity—biological and philosophical, as well as the value of both life and death. He also spoke out about long-term negative consequences of social inequality, and environmental pollution; and he took a public stand against the war in Vietnam. Wald's Massey broadcasts were a huge success. But he never got around to publishing them as a book. Now Lewis Auerbach, who produced the 1970 Wald lectures, has recovered the typescripts and tells the remarkable backstory of Wald and his Massey talks, which have only now been published.

Decolonization: The Next 150 on Indigenous Lands

CBC Radio, Ideas, September 2017

Every year thousands of academics from across the country gather for the Congress of the Humanities and Social Sciences. It's the largest annual gathering of scholars in Canada.

This year Congress was hosted by Ryerson University with the theme "The Next 150 on Indigenous Lands."

The future of work (important)

CBC Radio, Ideas, September 2017 Part1, Part2, Part3

AI and robots seem to be everywhere, handling more and more work, freeing humans up — to do what? In this 3-part series, contributor Jill Eisen explores the digital revolution happening in our working lives. Artificial intelligence is on the verge of replacing our own intelligence. It took decades to adjust to machines out-performing human and animal labour. What will happen when robots and algorithms surpass what our brains can do? Some say digital sweatshops—repetitive, dull, poorly paid and insecure jobs—are our destiny. Others believe that technology could lead to more fulfilling lives.

The biggest innovation in the world of work in the last decade has been the rise of online platforms which connect workers and customers. Uber and Airbnb are the most well known, but there are dozens of others. Upwork connects businesses with independent professionals; TaskRabbit, Handy and Jiffy are platforms for various home services; Amazon Mechanical Turk is an online marketplace for small computer tasks called micro-tasks; and the list goes on.

The future of work has become one huge, nerve-wracking question mark. Technology was once believed to be our deliverance. We'd be working shorter hours, and about the only stress we'd have would be to figure out what to do with all our leisure time. But technology hasn't quite delivered on that promise. We're working longer hours, there are fewer jobs and a lot less job security. In Part 3 of her series on the future of work, Jill Eisen looks at the promise of technology — and how it can lead to a better world.

Autonomy: The unexpected implications of self-driving vehicles

CBC Radio, Ideas, September 2017

We're racing down the highway to autonomous cars, whether it takes 10, 20 or 30 years. But what happens to our economy, the shape of our cities, and even our century-old car-centric culture once the vehicles arrive? Contributing producer Sean Prpick steers through the excitement, opportunities, roadblocks, and unmarked curves as we are driven into the future by a technology that may understand us better than we understand it.

The Politics of the Professoriat: Political diversity on campus (important)

CBC Radio, Ideas, September 2017

Universities are supposed to be dedicated to the exchange of ideas. But according to social psychologist Jonathan Haidt, campuses now skew so far to the left that they've become what he calls "political monocultures" in which voices that stray too far from liberal orthodoxy are shouted down. Paul Kennedy speaks with Professor Haidt – and with other scholars who have been thinking about the complex question of diversity on campus.

- Igor Grossmann is director of the Wisdom and Research Lab, based at Waterloo University, in Ontario.
- Jonathan Haidt is Professor of Ethical Leadership in the Stern School of Business at New York University.
- Heather Mac Donald, a lawyer by training, is a Thomas W. Smith fellow of the Manhattan Institute.

Tuesday, May 14, 2019

PHP MySQL (MariaDB) in AWS Micro with Amazon Linux 2

Introduction

This shows how to migrate your webserver from Amazon Linux to Amazon Linux 2. The initial Amazon Linux setup guides are here and here, but they're very old and I've included the necessary bits for first-timers below.

If you don't already have an AWS account

You can start with a free account. To sign up, you just provide: email, password, billing info, enter a captcha, and they auto-dial your home phone and get you to enter a pin.

After you receive your confirmation email, you need to sign in to the AWS Management Console.

But what if someone keylogs your AWS password? You're exposed to billing-by-usage liability. Get multi-factor authentication at aws.amazon.com/mfa. You can purchase a device from onlinenoram.gemalto.com.

Instance & Region

The initial free offering was a t1.micro, and there was only one eastern America region (Northern Virginia). When you launch an EC2 instance you have to choose an availability zone within a region.

The current free offering is a t2.micro. But you have to consider the unlimited option and the t3 alternatives. For reference, I ran a LAMP stack with peaks of 200 users per day with the t1.micro with no noticeable lag. For this application, the on-demand total cost is USD $14.40/mo for the t1.micro instance and $1.22 for the EBS.

The key difference between t1.micro and t2.micro is the way the CPU bursting happens. It is not possible to predict or control the performance of t1.micro. With the T2 instance types, you can accumulate points that can be redeemed within 24 hours to get predictable performance. During a burst, when you run out of credits it falls back to the Baseline CPU Performance. (cloudacademy.com)
T2 standard was misunderstood due to its CPU throttling over baseline. Amazon introduced T2 unlimited as a way to overcome the CPU throttling with a pay for credit mechanism. The new introduction – T3, is a T2 unlimited with some subtle variations. (cloudsqueeze.ai)
t1.micro:  0.6 GiB, 1 vCPUs,                    poor network,     $0.0200/hour 
t2.micro:  1.0 GiB, 1 vCPUs (for 2h 24m burst), moderate network, $0.0116/hour 
t3.micro:  1.0 GiB, 2 vCPUs (for 2h 24m burst), moderate network, $0.0104/hour 
t3a.micro: 1.0 GiB, 2 vCPUs (for 2h 24m burst), moderate network, $0.0094/hour
(ec2instances.info)

t2.micro: 1 vCPUs, Baseline per vCPU = 10%
t3.micro: 2 vCPUs, Baseline per vCPU = 10%
(amazon.com)

Note that "1 vCPUs for a 2h 24m burst" is the same as "10% of 1 vCPU in a 24 hour period", and that t3.micro is effectively 20% of a vCPU. There is a good explanation at roberttisdale.com. On a t2.micro, you're constantly earning enough credits to drive the CPU at 10%. If your server load is a constant 10%, then you never earn any extra and never burst. If your customer demand is a constant 11% then your server is capped at 10% and your users have to wait.

The micro instance provides different levels of CPU resources at different times (up to 2 ECUs). By comparison, the m1.small instance type provides 1 ECU at all times. The following figure illustrates the difference. (archive.org)

They don't explicitly say, but the figure suggests that the t1.micro background level should be ~20% of an ECU in order to not have peaks throttled. So it's not clear if a t2 is weaker than a t1, but a t3 is certainly stronger than t1.

CPU credits on a running instance do not expire. For T3 and T3a, the CPU credit balance persists for seven days after an instance stops. For T2, the CPU credit balance does not persist between instance stops and starts. (amazon.com)
In standard mode, if the instance is running low on accrued credits, performance is gradually lowered to the baseline performance level. In unlimited mode, the instance can run at higher CPU utilization for a flat additional rate per vCPU-hour. T3 and T3a instances are launched as unlimited by default. T2 instances are launched as standard by default. (amazon.com)
T3 uses Intel Xeon processors and provides 30% price performance over T2. T3a uses AMD EPYC processors and provides 10% price performance over T3. (amazon.com)

concurrencylabs.com has a very extensive article explaining the price, latency and service difference between different regions.

May 3rd, 2019

On-Demand Linux:

US East (Ohio)       t3a.micro $0.0094/hr = $82/yr
                      t3.micro $0.0104/hr = $91/yr
US East (N.Virginia) t3a.micro $0.0094/hr = $82/yr
                      t3.micro $0.0104/hr = $91/yr
Canada (Central)     t3a.micro (not available)
                      t3.micro $0.0116/hr = $102/yr
(amazon.com)

Reserved Linux, standard 3-year term, partial upfront:

US East (Ohio)       t3a.micro $49.00 + $1.39/mo = $33/yr
                      t3.micro $55.00 + $1.53/mo = $37/yr
US East (N.Virginia) t3a.micro $49.00 + $1.39/mo = $33/yr 
                      t3.micro $55.00 + $1.53/mo = $37/yr
Canada (Central)     t3a.micro (not available)
                      t3.micro $61.00 + $1.68/mo = $40/yr
                      
(amazon.com)

Note that I don't consider the EBS region difference cost because as described above it is only 8% of my total cost. Also, T3a is the better deal but I'm willing to pay the extra $3/yr to be hosted in Canada.

Therefore for a personal LAMP stack in eastern Canada that doesn't generate income you should use T3 in standard mode in Canada (Central) aka Montreal.

Concepts

If you're new to AWS, you'll also need to get familiar with these concepts.

Amazon EBS volumes are off-instance storage that persists independently from the life of an instance. ... can be attached to a running Amazon EC2 instance and exposed as a device within the instance. (aws.amazon.com/ebs)
An Elastic IP address is associated with your account not a particular instance, and you control that address until you choose to explicitly release it. Unlike traditional static IP addresses, however, Elastic IP addresses allow you to mask instance or Availability Zone failures by programmatically remapping your public IP addresses to any instance in your account. (aws.amazon.com/ec2)

This means that you don't want to "terminate" because that kills your EBS. Instead you start/stop your EC2. But each time it gets a new IP, so you need to assign it an elastic IP which you can then point to from DNS.

New t3.micro Instance

At first I tried "64-bit (Arm)", but that was only available in a1.medium and larger. Also, you have to select the region in the top-bar before using the "Launch Instance" wizard.

AWS Management Console
In the top-bar, select "Canada (Central)" in the Region drop-down.
In the top-bar, select "Services" > "EC2"
In the side-bar, select "EC2 Dashboard"
Click the "Launch Instance" button

Amazon Linux 2 AMI (HVM), SSD Volume Type
64-bit (x86)
Select
t3.micro

Next: Configure Instance Details

 Number of instances: (default) 1
 Purchasing option: (default) [unchecked] Request Spot instances
 Network: (default) VPC
 Subnet: (default) No preference
 Auto-assign Public IP: (default) Use subnet setting (Enable)
 Placement group: (default) [unchecked] Add instance to placement group
 Capacity Reservation: (default) Open
 IAM role: (default) None
 CPU options: (default) [unchecked] Specify CPU options
 Shutdown behavior: (default) Stop  
 Enable termination protection: [checked] Protect against accidental termination
 Monitoring: (default) [unchecked] Enable CloudWatch detailed monitoring
 EBS-optimized instance: (mandatory) [checked] Launch as EBS-optimized instance
 Tenancy: (default) Shared  
 T2/T3 Unlimited: [unchecked] Enable

 Note that termination protection just prevents you from accidentally trashing 
 your instance when you just meant to power it off. And that by not allowing
 unlimited, you are not exposed to increased costs due to increased CPU.

Next: Add Storage

 Size (GiB): (default) 8
 Volume Type: (default) General Purpose SSD (gp2)
 Delete on Termination: (default) [checked]

Next: Add Tags

 (none)

Next: Configure Security Group

 Name: VPC-WebServerSecurityGroup
 Description: VPC-WebServerSecurityGroup

 SSH   TCP  22 1.2.3.4/32
 HTTP  TCP  80 0.0.0.0/0, ::/0
 HTTPS TCP 443 0.0.0.0/0, ::/0

 Note: we need 22 since that's in the default SSHD config,
 but we'll restrict to IP and later will change the port.

Review and Launch
Launch
Choose an existing key pair // if you don't have one, see below
WebServerKey 
Acknowledge
Launch Instances

If you've never created an EC2 instance before, you'll need to create a keypair like this:

 # continue
 - create a new key pair
 - name: WebServerKey
 # create and download your key pair 
 // this is WebServerKey.pem that you will use later with putty

After that, navigate to the EC2 dashboard where you can see the instance starting up.

Left-click the blank instance name and give it something meaningful.

In the Description tab below your new instance, take note of its Public IP.

Basic SSH

Clone your existing putty config but use the new IP and port 22. Connect to your instance with putty.

If you've never connected to an EC2 instance before and you just created WebServerKey.pem above, then you'll need to do the following.

If you're on windows, download putty.

The WebServerKey.pem key won't work with putty, you have to convert it. Download puttygen.

puttygen
 conversions > import key > WebServerKey.pem
 key passphrase: INVENT_A_STRONG_PASSWORD
 confirm passphrase: STRONG_PASSWORD_AGAIN
 save private key > WebServerKey.ppk
 exit

You now have an encrypted .ppk version of your plaintext .pem key. I'd suggest deleting, encrypting, or storing the .pem on a thumb drive.

Use putty to connect:

session.saved_sessions: amazon
session.host: YOUR_PUBLIC_DNS_FROM_ABOVE
session.port: 22
session.type: SSH
window.lines_of_scrollback: 2000
window.colours.use_system_colours: checked
connection.data.auto-login_username: ec2-user
connection.ssh.auth.private_key_file_for_authentication: WebServerKey.ppk

Session > Save
then double-click: amazon
- accept unknown thumbprint (only happens once)
- enter your .ppk passphrase

You're in! Now let's make it bulletproof.

Harden SSH

sudo yum -y update

That will probably pick up a bunch of updates.

Next, make a copy of the config we're about to change. We'll download it as a local backup later.

mkdir /tmp/org
sudo cp /etc/ssh/sshd_config /tmp/org
sudo chmod 644 /tmp/org/sshd_config

Now we'll harden the SSHD config.

sudo vi /etc/ssh/sshd_config

Ensure the following are in place.

# change the port to the custom SSH port from your security group
# this makes it a little bit harder for people to attack you as they
# now have to scan all ports to discover which is your SSH port
# (add a security group rule for the new port before you reboot,
# otherwise you lock yourself out)
Port 12345

# Explicitly require strong protocol 2. In OpenSSH 7.4 (the version on
# Amazon Linux 2) protocol 2 is the only one left, and this directive is
# accepted but ignored as deprecated; keeping it is harmless.
Protocol 2

# change this to no, we never want root access over SSH
PermitRootLogin no

# explicitly disable weak authentication systems
# (RhostsRSAAuthentication is an SSH-1 option, also deprecated and ignored
# with a log warning in OpenSSH 7.4)
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes

# EC2 uses keys for remote access
PasswordAuthentication no
PermitEmptyPasswords no

# Explicitly disable Kerberos Authentication
KerberosAuthentication no

# Explicitly disable GSSAPI Authentication
GSSAPIAuthentication no

# explicitly disable x11 forwarding, we will never connect with a gui
X11Forwarding no
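
Before rebooting, it is worth checking that the file really says what you think it says. The POSIX shell script below is an added example (mine, not part of the original post): it audits an sshd_config for the directives above and reports any that are missing or still at a weak value, returning the number of failed checks. It assumes the plain `Keyword value` form, ignores Match blocks, uses OpenSSH 7.4 defaults for absent directives, and the weak config it audits at the end is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening directives above. `sudo sshd -t` only checks syntax; this checks
# the effective values. Keep your current PuTTY session open until a second
# session on the new port works.
#
# Assumptions: first occurrence of a directive wins (as in sshd), directives
# use the "Keyword value" form (not "Keyword=value"), Match blocks are
# ignored, and an absent directive takes the OpenSSH 7.4 default.

# Print the effective value of directive $2 in file $1, or default $3.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' "$3"
    fi
}

# Compare directive $2 in file $1 to expected $3 (default $4 if absent).
# Prints one report line; returns 1 on mismatch.
check_directive() {
    actual=$(sshd_value "$1" "$2" "$4")
    if [ "$actual" = "$3" ]; then
        printf 'ok    %-24s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL  %-24s %s (want %s)\n' "$2" "$actual" "$3"
    return 1
}

# Audit file $1 (default /etc/ssh/sshd_config) and return the number of
# failed checks, so 0 means the file matches the hardening above.
audit_sshd_config() {
    f=${1:-/etc/ssh/sshd_config}
    fails=0
    check_directive "$f" Port                    12345 22                || fails=$((fails + 1))
    check_directive "$f" PermitRootLogin         no    prohibit-password || fails=$((fails + 1))
    check_directive "$f" HostbasedAuthentication no    no                || fails=$((fails + 1))
    check_directive "$f" IgnoreRhosts            yes   yes               || fails=$((fails + 1))
    check_directive "$f" PasswordAuthentication  no    yes               || fails=$((fails + 1))
    check_directive "$f" PermitEmptyPasswords    no    no                || fails=$((fails + 1))
    check_directive "$f" KerberosAuthentication  no    no                || fails=$((fails + 1))
    check_directive "$f" GSSAPIAuthentication    no    no                || fails=$((fails + 1))
    check_directive "$f" X11Forwarding           no    no                || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample (not a real server's file) with several weak settings,
# so the audit has something to flag. On the instance, run
#   audit_sshd_config /etc/ssh/sshd_config
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
X11Forwarding yes
EOF
audit_sshd_config "$sample"
echo "failed checks: $?"     # 5 for this sample
rm -f "$sample"
```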

Reboot. This will pick up the SSHD changes and anything from the yum update.

sudo shutdown -r now

In the AWS Console remove the temporary port 22 entry from your security group so that you just have something like this.

VPC-WebServerSecurityGroup
 HTTP             TCP    80 0.0.0.0/0
 HTTP             TCP    80 ::/0
 HTTPS            TCP   443 0.0.0.0/0
 HTTPS            TCP   443 ::/0
 Custom TCP Rule  TCP 12345 1.2.3.4/32

Re-connect with PuTTY now using the custom port. Note that the instance will have a new public IP.

No Lighttpd

Note that in the previous posts I used the Lighttpd webserver but packages from Amazon Linux 1 aren't available on Amazon Linux 2.

Here's what happens if you try the old packages.

Don't do this:

$ sudo yum -y install lighttpd lighttpd-fastcgi
No package lighttpd available.
No package lighttpd-fastcgi available.

$ sudo yum -y install mysql mysql-server
No package mysql-server available.
Package mariadb.x86_64 1:5.5.60-1.amzn2 will be installed

$ sudo yum -y install php-cli php-mysql php-mbstring php-xml
Package php-mysql is obsoleted by php-mysqlnd, trying to install php-mysqlnd-5.4.16-45.amzn2.0.6.x86_64 instead

Install LAMP

First, have a look at the default users and groups on your system.

sudo cat /etc/passwd
sudo cat /etc/group

I make a local backup of these for my records.

Tutorial: Install a LAMP Web Server on Amazon Linux 2

Apache web server
PHP 7.2
MariaDB (a community-developed fork of MySQL)
Amazon Linux 2 

The above doesn't include SSL (Tutorial: Configure Apache Web Server on Amazon Linux 2 to Use SSL/TLS) or the [php-mbstring php-xml] extensions that I require.

Here's the whole package that I use:

sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum install -y httpd mariadb-server
sudo yum install -y mod_ssl
sudo yum install -y php-mbstring php-xml

Result:

Installing php-pdo, php-mysqlnd, php-fpm, php-cli, php-json, mariadb
      
===============================================================================
 Package                         Arch                    Version               
===============================================================================
Installing:
 mariadb                         x86_64                  3:10.2.10-2.amzn2.0.3 
 php-cli                         x86_64                  7.2.16-1.amzn2.0.1    
 php-fpm                         x86_64                  7.2.16-1.amzn2.0.1    
 php-json                        x86_64                  7.2.16-1.amzn2.0.1    
 php-mysqlnd                     x86_64                  7.2.16-1.amzn2.0.1    
 php-pdo                         x86_64                  7.2.16-1.amzn2.0.1    
Installing for dependencies:
 mariadb-common                  x86_64                  3:10.2.10-2.amzn2.0.3 
 mariadb-config                  x86_64                  3:10.2.10-2.amzn2.0.3 
 php-common                      x86_64                  7.2.16-1.amzn2.0.1    
Updating for dependencies:
 mariadb-libs                    x86_64                  3:10.2.10-2.amzn2.0.3 

  Installing : php-json-7.2.16-1.amzn2.0.1.x86_64          
  Installing : php-common-7.2.16-1.amzn2.0.1.x86_64        
  Installing : php-pdo-7.2.16-1.amzn2.0.1.x86_64           
  Installing : 3:mariadb-config-10.2.10-2.amzn2.0.3.x86_64 
  Installing : 3:mariadb-common-10.2.10-2.amzn2.0.3.x86_64 
  Updating   : 3:mariadb-libs-10.2.10-2.amzn2.0.3.x86_64   
  Installing : 3:mariadb-10.2.10-2.amzn2.0.3.x86_64        
  Installing : php-mysqlnd-7.2.16-1.amzn2.0.1.x86_64       
  Installing : php-cli-7.2.16-1.amzn2.0.1.x86_64           
  Installing : php-fpm-7.2.16-1.amzn2.0.1.x86_64           

Installed:
  mariadb.x86_64 3:10.2.10-2.amzn2.0.3     
  php-cli.x86_64 0:7.2.16-1.amzn2.0.1  
  php-fpm.x86_64 0:7.2.16-1.amzn2.0.1  
  php-json.x86_64 0:7.2.16-1.amzn2.0.1
  php-mysqlnd.x86_64 0:7.2.16-1.amzn2.0.1  
  php-pdo.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Installed:
  mariadb-common.x86_64 3:10.2.10-2.amzn2.0.3          
  mariadb-config.x86_64 3:10.2.10-2.amzn2.0.3          
  php-common.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Updated:
  mariadb-libs.x86_64 3:10.2.10-2.amzn2.0.3

========================================================================================
 Package                                      Arch                Version               
========================================================================================
Installing:
 httpd                                        x86_64              2.4.39-1.amzn2.0.1    
 mariadb-server                               x86_64              3:10.2.10-2.amzn2.0.3 
Installing for dependencies:
 apr                                          x86_64              1.6.3-5.amzn2.0.2     
 apr-util                                     x86_64              1.6.1-5.amzn2.0.2     
 apr-util-bdb                                 x86_64              1.6.1-5.amzn2.0.2     
 bison                                        x86_64              3.0.4-6.amzn2.0.2     
 generic-logos-httpd                          noarch              18.0.0-4.amzn2        
 httpd-filesystem                             noarch              2.4.39-1.amzn2.0.1    
 httpd-tools                                  x86_64              2.4.39-1.amzn2.0.1    
 jemalloc                                     x86_64              3.6.0-1.amzn2.0.1     
 m4                                           x86_64              1.4.16-10.amzn2.0.2   
 mailcap                                      noarch              2.1.41-2.amzn2        
 mariadb-backup                               x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-cracklib-password-check              x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-errmsg                               x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-gssapi-server                        x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-rocksdb-engine                       x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-server-utils                         x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-tokudb-engine                        x86_64              3:10.2.10-2.amzn2.0.3 
 mod_http2                                    x86_64              1.14.1-1.amzn2        
 perl-Compress-Raw-Bzip2                      x86_64              2.061-3.amzn2.0.2     
 perl-Compress-Raw-Zlib                       x86_64              1:2.061-4.amzn2.0.2   
 perl-DBD-MySQL                               x86_64              4.023-6.amzn2         
 perl-DBI                                     x86_64              1.627-4.amzn2.0.2     
 perl-Data-Dumper                             x86_64              2.145-3.amzn2.0.2     
 perl-IO-Compress                             noarch              2.061-2.amzn2         
 perl-Net-Daemon                              noarch              0.48-5.amzn2          
 perl-PlRPC                                   noarch              0.2020-14.amzn2       

  Installing : apr-1.6.3-5.amzn2.0.2.x86_64                                
  Installing : apr-util-bdb-1.6.1-5.amzn2.0.2.x86_64                       
  Installing : apr-util-1.6.1-5.amzn2.0.2.x86_64                           
  Installing : perl-Data-Dumper-2.145-3.amzn2.0.2.x86_64                   
  Installing : httpd-tools-2.4.39-1.amzn2.0.1.x86_64                       
  Installing : jemalloc-3.6.0-1.amzn2.0.1.x86_64                           
  Installing : m4-1.4.16-10.amzn2.0.2.x86_64                               
  Installing : bison-3.0.4-6.amzn2.0.2.x86_64                              
  Installing : perl-Net-Daemon-0.48-5.amzn2.noarch                         
  Installing : 3:mariadb-errmsg-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : httpd-filesystem-2.4.39-1.amzn2.0.1.noarch                  
  Installing : perl-Compress-Raw-Bzip2-2.061-3.amzn2.0.2.x86_64            
  Installing : generic-logos-httpd-18.0.0-4.amzn2.noarch                   
  Installing : mailcap-2.1.41-2.amzn2.noarch                               
  Installing : mod_http2-1.14.1-1.amzn2.x86_64                             
  Installing : httpd-2.4.39-1.amzn2.0.1.x86_64                             
  Installing : 1:perl-Compress-Raw-Zlib-2.061-4.amzn2.0.2.x86_64           
  Installing : perl-IO-Compress-2.061-2.amzn2.noarch                       
  Installing : perl-PlRPC-0.2020-14.amzn2.noarch                           
  Installing : perl-DBI-1.627-4.amzn2.0.2.x86_64                           
  Installing : perl-DBD-MySQL-4.023-6.amzn2.x86_64                         
  Installing : 3:mariadb-backup-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : 3:mariadb-tokudb-engine-10.2.10-2.amzn2.0.3.x86_64          
  Installing : 3:mariadb-rocksdb-engine-10.2.10-2.amzn2.0.3.x86_64         
  Installing : 3:mariadb-cracklib-password-check-10.2.10-2.amzn2.0.3.x86_64
  Installing : 3:mariadb-gssapi-server-10.2.10-2.amzn2.0.3.x86_64          
  Installing : 3:mariadb-server-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : 3:mariadb-server-utils-10.2.10-2.amzn2.0.3.x86_64           

Installed:
  httpd.x86_64 0:2.4.39-1.amzn2.0.1                                       
  mariadb-server.x86_64 3:10.2.10-2.amzn2.0.3

Dependency Installed:
  apr.x86_64 0:1.6.3-5.amzn2.0.2                                          
  apr-util.x86_64 0:1.6.1-5.amzn2.0.2
  apr-util-bdb.x86_64 0:1.6.1-5.amzn2.0.2                                  
  bison.x86_64 0:3.0.4-6.amzn2.0.2
  generic-logos-httpd.noarch 0:18.0.0-4.amzn2                             
  httpd-filesystem.noarch 0:2.4.39-1.amzn2.0.1
  httpd-tools.x86_64 0:2.4.39-1.amzn2.0.1                                 
  jemalloc.x86_64 0:3.6.0-1.amzn2.0.1
  m4.x86_64 0:1.4.16-10.amzn2.0.2                                         
  mailcap.noarch 0:2.1.41-2.amzn2
  mariadb-backup.x86_64 3:10.2.10-2.amzn2.0.3                             
  mariadb-cracklib-password-check.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-errmsg.x86_64 3:10.2.10-2.amzn2.0.3                             
  mariadb-gssapi-server.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-rocksdb-engine.x86_64 3:10.2.10-2.amzn2.0.3                     
  mariadb-server-utils.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-tokudb-engine.x86_64 3:10.2.10-2.amzn2.0.3                      
  mod_http2.x86_64 0:1.14.1-1.amzn2
  perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.amzn2.0.2                      
  perl-Compress-Raw-Zlib.x86_64 1:2.061-4.amzn2.0.2
  perl-DBD-MySQL.x86_64 0:4.023-6.amzn2                                   
  perl-DBI.x86_64 0:1.627-4.amzn2.0.2
  perl-Data-Dumper.x86_64 0:2.145-3.amzn2.0.2                             
  perl-IO-Compress.noarch 0:2.061-2.amzn2
  perl-Net-Daemon.noarch 0:0.48-5.amzn2                                   
  perl-PlRPC.noarch 0:0.2020-14.amzn2

========================================================================================
 Package                           Arch                           Version               
========================================================================================
Installing:
 mod_ssl                           x86_64                         1:2.4.39-1.amzn2.0.1  
Installing for dependencies:
 libtalloc                         x86_64                         2.1.13-1.amzn2        
 sscg                              x86_64                         2.3.3-2.amzn2.0.1     

  Installing : libtalloc-2.1.13-1.amzn2.x86_64     
  Installing : sscg-2.3.3-2.amzn2.0.1.x86_64       
  Installing : 1:mod_ssl-2.4.39-1.amzn2.0.1.x86_64 

Installed:
  mod_ssl.x86_64 1:2.4.39-1.amzn2.0.1

Dependency Installed:
  libtalloc.x86_64 0:2.1.13-1.amzn2                                             
  sscg.x86_64 0:2.3.3-2.amzn2.0.1

============================================================================
 Package                        Arch                     Version            
============================================================================
Installing:
 php-mbstring                   x86_64                   7.2.16-1.amzn2.0.1 
 php-xml                        x86_64                   7.2.16-1.amzn2.0.1 
Installing for dependencies:
 libxslt                        x86_64                   1.1.28-5.amzn2.0.2 
 oniguruma                      x86_64                   5.9.6-1.amzn2      

  Installing : oniguruma-5.9.6-1.amzn2.x86_64           
  Installing : libxslt-1.1.28-5.amzn2.0.2.x86_64        
  Installing : php-xml-7.2.16-1.amzn2.0.1.x86_64        
  Installing : php-mbstring-7.2.16-1.amzn2.0.1.x86_64   

Installed:
  php-mbstring.x86_64 0:7.2.16-1.amzn2.0.1                                       
  php-xml.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Installed:
  libxslt.x86_64 0:1.1.28-5.amzn2.0.2                                           
  oniguruma.x86_64 0:5.9.6-1.amzn2

Now look again to see what new users and groups have been added.

sudo cat /etc/passwd
sudo cat /etc/group

New entries:

apache
nginx
mysql

Also, get a local backup of all the config files we're about to modify.

sudo cp /etc/httpd/conf/httpd.conf /tmp/org
sudo cp /etc/httpd/conf.d/ssl.conf /tmp/org
sudo cp /etc/httpd/conf.modules.d/00-mpm.conf /tmp/org
sudo cp /etc/my.cnf /tmp/org
sudo cp /etc/php.ini /tmp/org

Then use something like WinSCP to copy these to local.

WinSCP 4.3.5
Installation package
winscp435setup.exe > agree with defaults

Host: 1.2.3.4
Port: 12345
User: ec2-user
Password: [blank]
Private key file: WebServerKey.ppk
File protocol: SFTP (don't allow scp fallback)
> save > login > [enter password when prompted]

After the copy delete the temp files.

sudo rm -rf /tmp/org

Setup and harden Apache

Start the Apache web server.

sudo systemctl start httpd

Note that in the following, Apache may fail to start because of a bad config. In that case you will get an error like "Job for httpd.service failed because the control process exited with error code." To see the actual error, issue the status command.

systemctl status httpd.service

Configure the Apache web server to start at each system boot.

sudo systemctl enable httpd

Add ec2-user to the apache group.

sudo usermod -a -G apache ec2-user

Close your terminal and log back in to pick up the group change, then issue these commands so that ec2-user and future members of the apache group can modify Apache files.

sudo chown -R ec2-user:apache /var/www
sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
find /var/www -type f -exec sudo chmod 0664 {} \;

In a browser go to the IP of your EC2 instance, i.e. http://1.2.3.4/ to view the Apache test page. Use the browser to inspect the response and see that etag and version info are exposed.

Response Headers:
 Accept-Ranges: bytes
 Connection: Upgrade, Keep-Alive
 Content-Length: 3630
 Content-Type: text/html; charset=UTF-8
 Date: Sun, 05 May 2019 16:50:47 GMT
 ETag: "e2e-585b840220000"
 Keep-Alive: timeout=5, max=100
 Last-Modified: Thu, 04 Apr 2019 18:08:00 GMT
 Server: Apache/2.4.39 () OpenSSL/1.0.2k-fips
 Upgrade: h2,h2c

We don't want that. Also note the HTTP/2 error in your logs:

sudo cat /var/log/httpd/error_log
[http2:warn] [pid 3358] AH10034: The mpm module (prefork.c) is not supported by 
mod_http2. The mpm determines how things are processed in your server. HTTP/2 has 
more demands in this regard and the currently selected mpm will just not do. This is an 
advisory warning. Your server will continue to work, but the HTTP/2 protocol will be 
inactive.

You can additionally verify that your test page doesn't support HTTP/2 by entering your public IP at http2.pro.

Also observe that your current Server MPM is prefork:

httpd -V
Server version: Apache/2.4.39 ()
...
Server MPM:     prefork
  threaded:     no

We'll harden apache and resolve these issues as follows.

For reasoning see geekflare, vaulted.io, stackoverflow.com.

Note that I've added AllowOverrideList to completely disable htaccess.

Note that since the remaining Options directive doesn't include Indexes, directory listing is forbidden.

Note that ProxyErrorOverride was added to resolve what appears to be a bug in the default config of apache/php. See howtoforge.com and stackoverflow.com for details. Here is what happens in the default config:

example.com/fake.php ->
 Browser output: "File not found."
 Error.log: [proxy_fcgi:error] [client] AH01071: Got error 'Primary script unknown\n'
example.com/fake.html -> default 404 page
example.com/fake/fake.php -> default 404 page

The problem here is that if you specify a custom error document it won't be processed for a 404 of *.php in the root folder. ProxyErrorOverride resolves this.

sudo vi /etc/httpd/conf/httpd.conf

Delete the existing <Directory "/var/www/html"> node.
Delete the existing <Directory "/var/www/cgi-bin"> node.
And make the following edits:

<Directory />
    AllowOverride none
    AllowOverrideList none
    Require all denied

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"

    Header unset Etag
    FileETag None
    
    RewriteEngine On
    RewriteCond %{SERVER_PROTOCOL} ^HTTP/0\.9$
    RewriteRule ^ - [F]
    RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
    RewriteRule ^ - [F]
</Directory>
...
<Directory "/var/www">
    Options FollowSymLinks
    Require all granted
    ProxyErrorOverride on
</Directory>
...
<Location "/">
  <LimitExcept OPTIONS GET HEAD POST>
    Deny from all
  </LimitExcept>
</Location>
...
ServerTokens Prod
ServerSignature Off
TraceEnable off
Timeout 60

Remove the cgi-bin directory whose <Directory> node you deleted above, then switch the MPM from prefork to event:

rmdir /var/www/cgi-bin
sudo vi /etc/httpd/conf.modules.d/00-mpm.conf

Change this:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_event_module modules/mod_mpm_event.so

To this:

#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so

Restart apache.

sudo systemctl restart httpd

Observe that your Server MPM is now event/threaded:

httpd -V
Server version: Apache/2.4.39 ()
...
Server MPM:     event
  threaded:     yes (fixed thread count)

Observe that your error log now shows a successful mpm notice

sudo cat /var/log/httpd/error_log
[mpm_event:notice] [pid 30266:tid 139623658481856] AH00489: 
 Apache/2.4.39 () OpenSSL/1.0.2k-fips configured 
 -- resuming normal operations

Observe that your public IP at http2.pro now indicates HTTP/2 is supported.

Reload your public IP in the browser, and observe that the etag and version are removed. And that X-Frame and X-XSS are added. You may need to CTRL+F5.

Response Headers:
 Accept-Ranges: bytes
 Connection: Upgrade, Keep-Alive
 Content-Length: 3630
 Content-Type: text/html; charset=UTF-8
 Date: Sun, 05 May 2019 16:59:46 GMT
 Keep-Alive: timeout=5, max=100
 Last-Modified: Thu, 04 Apr 2019 18:08:00 GMT
 Server: Apache
 Upgrade: h2,h2c
 X-Frame-Options: SAMEORIGIN
 X-XSS-Protection: 1; mode=block
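To make this before/after comparison repeatable (for example after the next httpd update), here is an added check that is not from the original post. It reads raw response headers on stdin, so on the live box you can feed it `curl -sI http://1.2.3.4/`. It encodes the headers the post hardens (Server without a version, no ETag, X-Frame-Options and X-XSS-Protection present) plus the HttpOnly and Secure flags the Set-Cookie edit adds. The two samples embedded below are the post's own captures, each with a constructed Set-Cookie line added so the cookie rule is exercised.

```sh
#!/bin/sh
# Added example, not from the original post: a repeatable check of the response
# headers the Apache hardening changes. Reads raw headers on stdin, e.g.
#   curl -sI http://1.2.3.4/ | check_headers
# and prints one "FAIL ..." line per finding; exit status 0 means clean.
# Checked: Server without a version, no ETag, X-Frame-Options and
# X-XSS-Protection present, and every Set-Cookie carrying HttpOnly and Secure
# (the "Header edit Set-Cookie" directive above adds those two flags).

check_headers() {
  awk '
    function fail(msg) { print "FAIL " msg; bad++ }
    {
      sub(/\r$/, "")                                   # curl -I hands us CRLF line ends
      if ($0 ~ /^HTTP\//) next                         # status line, not a header
      n = index($0, ":"); if (n == 0) next             # not a "Name: value" line
      name = tolower(substr($0, 1, n - 1)); sub(/^[ \t]+/, "", name)
      val = substr($0, n + 1); sub(/^[ \t]+/, "", val)
      if (name == "server" && val ~ /[0-9]/) fail("Server header leaks a version: " val)
      if (name == "etag")                    fail("ETag present: " val)
      if (name == "x-frame-options")         seen_xfo = 1
      if (name == "x-xss-protection")        seen_xss = 1
      if (name == "set-cookie") {
        lv = tolower(val)
        if (lv !~ /(^|;)[ \t]*httponly[ \t]*(;|$)/) fail("cookie without HttpOnly: " val)
        if (lv !~ /(^|;)[ \t]*secure[ \t]*(;|$)/)   fail("cookie without Secure: " val)
      }
    }
    END {
      if (!seen_xfo) fail("X-Frame-Options missing")
      if (!seen_xss) fail("X-XSS-Protection missing")
      exit (bad > 0 ? 1 : 0)
    }'
}

# The post's before/after captures, each with a constructed Set-Cookie line
# added so the cookie-flag rule is exercised too.
BEFORE=$(cat <<'EOF'
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
ETag: "e2e-585b840220000"
Server: Apache/2.4.39 () OpenSSL/1.0.2k-fips
Set-Cookie: PHPSESSID=constructed123; path=/
Upgrade: h2,h2c
EOF
)
AFTER=$(cat <<'EOF'
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
Server: Apache
Set-Cookie: PHPSESSID=constructed123; path=/;HttpOnly;Secure
Upgrade: h2,h2c
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
EOF
)

echo "--- before hardening"
printf '%s\n' "$BEFORE" | check_headers || echo "(findings above)"
echo "--- after hardening"
printf '%s\n' "$AFTER" | check_headers && echo "clean"
```

The cookie test only fires on responses that actually set a cookie, so run it against a PHP page that starts a session rather than the static test page.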

To convince yourself that HTTP/0.9 and HTTP/1.0 are blocked, you can temporarily add an equivalent RewriteCond/RewriteRule pair for HTTP/1.1, save, restart Apache and refresh your test page. You'll get the forbidden response instead.

To convince yourself that only OPTIONS GET HEAD POST are permitted, remove GET from LimitExcept and save and restart apache and refresh your test page. You'll get the forbidden response instead.

To convince yourself that directory listing is disabled, add a folder and file and attempt to visit the folder. You'll get the forbidden response instead.

Confirm that apache doesn't run as root. The ps command should display one process running as root (which allows apache to listen on port 80) and the rest as the apache user.

ps -ef |grep http

Confirm that everything except the web content files is owned by root.

sudo ls -la /etc/httpd
sudo ls -la /var/log/httpd
sudo ls -la /usr/lib64/httpd

We must define domain mappings via virtualhost.conf. But the first one defined will also act as the default/primary server for unspecified server names, so let's adapt the default html to explicitly mark those as invalid.

mv /var/www/html /var/www/_invalid
vi /var/www/_invalid/index.html
i
invalid
[esc]:wq

For this to work you must change:

sudo vi /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"

To:

DocumentRoot "/var/www/_invalid"

Note that all *.conf in the /conf.d/ are picked up at the end of the /etc/httpd/conf/httpd.conf via:

IncludeOptional conf.d/*.conf

So, create the following:

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
  ServerName invalid
  DocumentRoot /var/www/_invalid
</VirtualHost>
<VirtualHost *:80>
  ServerName example.com
  DocumentRoot /var/www/example.com
</VirtualHost>
<VirtualHost *:80>
  ServerName another.com
  DocumentRoot /var/www/another.com
</VirtualHost>

For this to work the DocumentRoot paths must exist.

mkdir /var/www/example.com
vi /var/www/example.com/index.html
i
example
[esc]:wq

mkdir /var/www/another.com
vi /var/www/another.com/index.html
i
another
[esc]:wq

If your local box is Windows, you can edit your hosts so that a test domain maps to the IP of your AWS box.

C:\Windows\System32\drivers\etc\hosts

1.2.3.4 example.com
1.2.3.4 www.example.com
1.2.3.4 another.com
1.2.3.4 www.another.com
1.2.3.4 fake.com

Then restart Apache on the server so it picks up virtualhost.conf:

sudo systemctl restart httpd

You should get the following results in your browser:

1.2.3.4          contents of /var/www/_invalid/index.html
fake.com         contents of /var/www/_invalid/index.html
example.com      contents of /var/www/example.com/index.html
www.example.com  error 404
another.com      contents of /var/www/another.com/index.html 
www.another.com  error 404

I want to always strip away the www, but we'll do that after we've set up SSL.

SSL

In this setup I'm using one cert from LetsEncrypt with SubjectAltNames for each domain.

I think that the install of mod_ssl created a key and self-signed cert at the default paths from /etc/httpd/conf.d/ssl.conf

sudo ls -la /etc/pki/tls/certs/localhost.crt
-rw-r--r-- root root /etc/pki/tls/certs/localhost.crt

sudo ls -la /etc/pki/tls/private/localhost.key
-rw------- root root /etc/pki/tls/private/localhost.key

Migrate the cert and key from the existing server. Replace the contents of the existing .crt and .key file on your new server.

sudo vi /etc/pki/tls/certs/localhost.crt
 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----

sudo vi /etc/pki/tls/private/localhost.key
 -----BEGIN PRIVATE KEY-----
 ...
 -----END PRIVATE KEY-----

The default config allows a wide range of crypto. There is no reason to support anything but the modern algorithms that work with your certificate.

Note that the OpenSSL terms don't match the TLS specification. You can find a map at openssl.org. And the definition of the SSLCipherSuite directive is at apache.org.

sudo vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Now append to your virtual hosts file. I would like to just add the ServerName and DocumentRoot. In fact this works because it gets the SSL settings from the _default_ entry in ssl.conf, but your phpinfo $_SERVER['SERVER_PORT'] will report 80 and $_SERVER['HTTPS'] will be undefined because the SSL directives weren't explicitly in your VirtualHost. See a similar issue on serverfault.com. For this reason, I've duplicated the full SSL config in each VirtualHost.

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com
  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
sudo systemctl restart httpd

Now you should be able to access both of the following urls. We'll set this up with LetsEncrypt auto-renewal later.

http://example.com/index.html
https://example.com/index.html

Rewrites

For SSL sites, I only want urls of the form https://example.com/index.html, which means redirecting www and http. For non-SSL sites, I only need to redirect the www. I liked the suggestion of simonecarletti.com but to use that outside a virtualhost, you need all your destinations to be SSL.

Here's a scenario where you have example.com as SSL and another.com without SSL. Also, I've added custom 404 handlers for both.

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
  ServerName invalid
  DocumentRoot /var/www/_invalid
  ErrorDocument 404 /index.html
</VirtualHost>

<VirtualHost *:80>
  ServerName another.com
  ServerAlias www.another.com
  DocumentRoot /var/www/another.com
  ErrorDocument 404 /index.html

  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^www\. [NC]
  RewriteRule ^/(.*) http://another.com/$1 [R=301,L,NE]
</VirtualHost>

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com

  RewriteEngine On
  RewriteRule ^/(.*) https://example.com/$1 [R=301,L,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com
  ErrorDocument 404 /index.html

  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^www\. [NC]
  RewriteRule ^/(.*) https://example.com/$1 [R=301,L,NE]
</VirtualHost>
sudo systemctl restart httpd

Now you should have the following behaviour:

1.2.3.4 -> index.html
1.2.3.4/blah -> error page
fake.com -> index.html
fake.com/blah -> error page

another.com -> index.html
www.another.com -> another.com -> index.html
another.com/blah -> error page

http://example.com -> https://example.com
https://www.example.com -> https://example.com
http://www.example.com/index.html?one=two#three -> https://example.com/index.html?one=two#three

PHP Config

sudo vi /etc/php.ini
; php.ini comments start with ";" (PHP 7 no longer treats "#" as a comment)
; It looks like this is the default now, so this may be unnecessary.
cgi.fix_pathinfo = 1

; I use short tags
short_open_tag = On

; Simpler logs
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT

; decrease max post size so you don't waste time on bogus payloads
; this also limits the size of attack packets and reduces the risk of overflow
post_max_size = 1M

; http://tympanus.net/codrops/2009/08/31/solving-php-mysql-utf-8-issues/
; UTF8
[mbstring]
mbstring.language = Neutral
mbstring.internal_encoding = UTF-8
mbstring.encoding_translation = Off
mbstring.http_input = auto
mbstring.http_output = UTF-8
mbstring.detect_order = auto
mbstring.substitute_character = none
default_charset = UTF-8

Restart php.

sudo systemctl restart php-fpm

Create a test php page.

vi /var/www/example.com/test.php
hello <? echo "world"; ?> <?php echo " again"; ?>

You should be able to see this at http://example.com/test.php
It should say: hello world again

Create a phpinfo page, view it, and save it to pdf for future reference.

vi /var/www/example.com/phpinfo.php
<? phpinfo(); ?>

Afterwards delete it because it contains sensitive information.

rm /var/www/example.com/phpinfo.php

Setup and harden DB

Configure the db server to start at each system boot.

sudo systemctl enable mariadb

Secure the database server. Its default config is for development and test.

sudo systemctl start mariadb
sudo mysql_secure_installation
[enter]   # existing root mysql password is blank
Y         # yes set a root mysql password
password  # choose a password
password  # enter it again
Y         # remove anonymous users
Y         # disallow root login remotely
Y         # remove the test db
Y         # reload privilege tables now

The default config listens to the network.

# this shows that it is listening
sudo netstat -tap | grep mysql

sudo vi /etc/my.cnf
# ensure you already have this line
symbolic-links=0

# append this line to the [mysqld] block to disable TCP/IP listening
skip-networking

# append these to the [mysqld] block to set utf8 as your default
character-set-server=utf8
collation-server=utf8_general_ci

# I forget why I append this line to the [mysqld] block
skip-external-locking

Restart MySQL for the settings to take effect and look at netstat again to see that it's no longer listening.

sudo systemctl restart mariadb
sudo netstat -tap | grep mysql

Here is the full list of port uses. Note that nothing is on port 22 (the standard SSH port).

sudo lsof -i -P

Note that even with all that utf8 config, you still need to explicitly select utf8 in your php mysqli constructor like this $db->set_charset('utf8'); if you want $db->character_set_name() to return utf8 instead of latin1.

We will now create all the databases that we wish to migrate. If you don't remember which databases you created, you can use show databases; in mysql on your live box.

mysql -u root -p 
password

SELECT User, Host, Password FROM mysql.user;
-- no passwords in the returned list should be blank

SELECT * FROM mysql.db;
-- empty result means the anonymous access to test tables has been deleted

CREATE DATABASE db1name CHARACTER SET utf8;
CREATE USER 'db1user'@'localhost' IDENTIFIED BY 'db1password';
GRANT ALL PRIVILEGES ON db1name.* TO 'db1user'@'localhost';

CREATE DATABASE db2name CHARACTER SET utf8;
CREATE USER 'db2user'@'localhost' IDENTIFIED BY 'db2password';
GRANT ALL PRIVILEGES ON db2name.* TO 'db2user'@'localhost';

exit

Next you must migrate all your database contents with commands like the following.

Old box:

mysqldump --user=db1user --password=db1password --skip-lock-tables --databases db1name > /tmp/db1name.sql

New box:

mysql -D db1name -u db1user -p
db1password
source /tmp/db1name.sql
exit

Be sure to delete the SQL from the /tmp folder once you're done.

Migrate Content

Next you must migrate all your webserver files.

Old box:

/var/www/lighttpd/example.com/
/var/www/lighttpd/another.com/

New box:

/var/www/example.com/
/var/www/another.com/

Once your files are uploaded, you'll need to create any symlinks that exist on your source server.

Old box:

sudo find /var/www/lighttpd -type f | sort > /tmp/files1.txt
sudo find /var/www/lighttpd -type l | sort > /tmp/links1.txt

Create necessary symlinks on the new box.

New box:

sudo find /var/www -type f | sort > /tmp/files2.txt
sudo find /var/www -type l | sort > /tmp/links2.txt

Diff the outputs to confirm the migration was identical.
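The two listings above have different roots (/var/www/lighttpd on the old box, /var/www on the new one), so a plain diff of files1.txt against files2.txt flags every line, and a name-only listing cannot tell a truncated upload from a complete one. The following is an added helper, not from the original post: it snapshots a tree relative to its root, records each symlink's target and a checksum per file, and runs here on two constructed temp trees. It assumes POSIX find, cksum and readlink.

```sh
#!/bin/sh
# Added example, not from the original post: a content-aware snapshot of a web
# root for checking the migration. Paths are printed relative to the root, so
# the old box (/var/www/lighttpd) and the new box (/var/www) give comparable
# output; each regular file carries a cksum CRC and size (a name-only list
# would not catch a truncated upload), each symlink carries its target.

# snapshot ROOT : one sorted line per regular file and symlink under ROOT
snapshot() {
  (
    cd "$1" || exit 1
    # symlinks:       "link ./path -> target"
    find . -type l -exec sh -c 'printf "link %s -> %s\n" "$1" "$(readlink "$1")"' _ {} \;
    # regular files:  "file ./path crc size"   (cksum prints "crc size name")
    find . -type f -exec cksum {} \; |
      awk '{ name = $0; sub(/^[^ ]+ +[^ ]+ +/, "", name); print "file", name, $1, $2 }'
  ) | sort
}

# trees_match OLDROOT NEWROOT : 0 when the snapshots are identical, otherwise
# print the differing lines and return 1
trees_match() {
  old=$(snapshot "$1")
  new=$(snapshot "$2")
  [ "$old" = "$new" ] && return 0
  tmp=${TMPDIR:-/tmp}/snapshot.$$
  printf '%s\n' "$old" > "$tmp.old"
  printf '%s\n' "$new" > "$tmp.new"
  diff "$tmp.old" "$tmp.new"
  rm -f "$tmp.old" "$tmp.new"
  return 1
}

# --- constructed sample trees standing in for the old and the new web root ---
OLD=$(mktemp -d)
NEW=$(mktemp -d)
for root in "$OLD" "$NEW"; do
  mkdir -p "$root/example.com/img" "$root/another.com"
  printf 'example\n' > "$root/example.com/index.html"
  printf 'another\n' > "$root/another.com/index.html"
  ln -s ../example.com/img "$root/another.com/img"   # a symlink the migration must recreate
done

# On the real boxes: `snapshot /var/www/lighttpd > /tmp/files1.txt` on the old
# one, `snapshot /var/www > /tmp/files2.txt` on the new one, then diff the two.
trees_match "$OLD" "$NEW" && echo "migration identical"
```

Because the snapshot contains the checksum, the same diff also shows files whose content changed in transit, not only files that are missing or were not linked.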

Backup Initial Config

Get a local backup of the modified files.

mkdir /tmp/org
sudo cp /etc/ssh/sshd_config /tmp/org
sudo chmod 644 /tmp/org/sshd_config
sudo cp /etc/httpd/conf/httpd.conf /tmp/org
sudo cp /etc/httpd/conf.d/ssl.conf /tmp/org
sudo cp /etc/httpd/conf.modules.d/00-mpm.conf /tmp/org
sudo cp /etc/my.cnf /tmp/org
sudo cp /etc/php.ini /tmp/org

Then use WinSCP to copy these to local and delete the temp files.

sudo rm -rf /tmp/org

Go Live

Restart your new box to ensure all the settings take effect. Edit your hosts file to test the new server before swapping your elastic IP. You can't move an elastic IP across regions, so I created a new one in the new region, assigned it, then updated my DNS records at my domain registrar to point to the new IP.

Once the DNS has fully propagated you are live and can shut down and archive the old box.

Local Backup

You really should set up AMI backups, but it's not unreasonable to want a local copy of the data as well. I always have a local copy of the source code, but I want a way to fetch nightly backups of the database. You can achieve that by hosting an encrypted dump of the db in a randomly named folder and getting your local machine to fetch it each night.

Choose a web location for the backup.

mkdir /var/www/example.com/randomFolderName/

Create the backup script.

sudo mkdir /backup
sudo chown ec2-user:ec2-user /backup
vi /backup/go.sh
#!/bin/sh

# call this script with no arguments to create an encrypted dump of all your databases
# call this script with a file name as the only argument to decrypt that file
#
# here's how to set up a cron job to call this script nightly
# this example runs on the 5th minute of the 4th hour each day, i.e. 4:05am
# watch out, that's the time of the server, which may not be your local time
# stdout and stderr of the cron job are appended to /backup/chron.log
# (the order matters: ">> file 2>&1" sends both to the file, whereas
#  "2>&1 >> file" sends stderr to cron's mail instead)
#
# crontab -e
# 5 4 * * * /backup/go.sh >> /backup/chron.log 2>&1

if [ "$1" = "" ]; then

  # cron starts in $HOME, so work in the script's own directory (/backup)
  cd "$(dirname "$0")" || exit 1

  today=$(date +%Y_%m_%d)
  if [ -e "$today" ] || [ -e "$today.dat" ]; then
    echo "$today already exists"
    exit
  fi
  date
  mkdir "$today"

  # --password=... and "openssl -k password" are visible to other local users
  # in ps while these commands run; a mode-600 ~/.my.cnf and "openssl -pass file:"
  # avoid that (des3 is also a legacy cipher; -aes-256-cbc is preferred)
  mysqldump --user=user1 --password=password1 --skip-lock-tables --databases database1 > "./$today/database1_$today.sql"
  mysqldump --user=user2 --password=password2 --skip-lock-tables --databases database2 > "./$today/database2_$today.sql"

  tar czf - "$today" | openssl des3 -salt -k password | dd of="$today.dat"
  rm -rf "$today"
  rm -f /var/www/example.com/randomFolderName/*
  mv "$today.dat" /var/www/example.com/randomFolderName/
  echo "finished"

elif [ -f "$1" ]; then

  dd if="$1" | openssl des3 -d -k password | tar xzf -

else

  echo "$1 doesn't exist"

fi

chmod 700 /backup/go.sh

Create the cronjob.

crontab -e
5 4 * * * /backup/go.sh >> /backup/chron.log 2>&1
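The dump ends up under the web root and is fetched over plain HTTP, so the encryption step is doing all the work. As an added example (not the post's go.sh), here is that step with AES-256 and a key derivation function instead of des3, the passphrase read from a root-only file rather than the command line, and a digest the fetching side can verify. The date-named directory layout follows go.sh; PASS_FILE is an assumption.

```shell
#!/bin/sh
# Added example, not the post's script: the tar|openssl step from go.sh with
# a current cipher plus PBKDF2, and the passphrase taken from a file (chmod 600)
# instead of "-k password", which `ps` would show to every local user.
set -eu

PASS_FILE="${PASS_FILE:-/backup/.passphrase}"   # assumed path; one line, mode 600

# encrypt_dir DIR OUT.dat: tar+gzip DIR, encrypt with AES-256-CBC using a
# PBKDF2-derived key and a random salt, and write OUT.dat plus OUT.dat.sha256.
encrypt_dir() {
  dir="$1"; out="$2"
  tar czf - -C "$(dirname "$dir")" "$(basename "$dir")" \
    | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass "file:$PASS_FILE" -out "$out"
  # publish a digest next to the dump so the downloader can detect a truncated
  # or tampered file before trying to restore from it
  ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# decrypt_file IN.dat DEST: verify the digest when present, then decrypt and
# unpack into DEST (mirrors the "file name as only argument" mode of go.sh).
decrypt_file() {
  in="$1"; dest="$2"
  if [ -f "$in.sha256" ]; then
    ( cd "$(dirname "$in")" && sha256sum -c --quiet "$(basename "$in").sha256" ) || return 1
  fi
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$PASS_FILE" -in "$in" \
    | tar xzf - -C "$dest"
}
```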

Windows Scheduler

To get a Windows box to automatically wake up each night and download your backup, you can use the Windows Task Scheduler and the Background Intelligent Transfer Service (BITS).

First create a local bat file that will fetch your backup from the web.

bitsadmin /TRANSFER jobname /DOWNLOAD http://site1.com/randomFolderName/%DATE:~6,4%_%DATE:~3,2%_%DATE:~0,2%.dat C:\Backups\%DATE:~6,4%_%DATE:~3,2%_%DATE:~0,2%.dat

Next, schedule a task to wake the computer and run the script. I'm assuming that your computer is configured to automatically go back to sleep after an idle period.

Start > Control Panel > Administrative Tools > Task Scheduler

[right sidebar] > Create Task

General
 Name: Fetch Database
 [checked] Run with highest privileges

Triggers
 New
  Daily
  Start: 2am (some time shortly after your web backup becomes available)
 Ok

Actions
 New
  Action: Start a program
  Program/script: C:\Backups\fetch.bat (or whatever you named the above script) 
 Ok

Conditions
 [checked] Wake the computer to run this task
 
Ok

Your task now appears in the "Active Tasks" list in the Task Scheduler.

Alarms

It's a good idea to set up some AWS alarms to let you know when your systems are operating outside their expected range. Basic Monitoring metrics (at five-minute frequency) for Amazon EC2 instances and EBS volumes are free of charge.

In the AWS Console, on your new instance:

[right-click] EC2 Instance > CloudWatch Monitoring > Add/Edit Alarms > Create Alarm

[checked] send a notification to: your contact info
Whenever: Average of CPU Utilization
Is: >= 40 Percent
For at least 1 consecutive period of 5 minutes

Create Alarm > Close

I've only exceeded that CPU range when there was a bug in my code and php was stuck in a loop.

[right-click] EC2 Instance > CloudWatch Monitoring > Add/Edit Alarms > Create Alarm

[checked] send a notification to: your contact info
Whenever: Average of Network Out
Is: >= 150000 Bytes
For at least 1 consecutive period of 6 hours

Create Alarm > Close

I've only exceeded that Network range when re-imaging a box or when I was under attack.

It's fairly easy to adjust the alarms to your system after it's been running for a few days, as the alarms console shows a graph of each metric with a red line at the threshold that would fire the alarm.

You probably also want a billing alarm.

[top-bar] Services > Billing > Billing preferences 
 > [check] Receive Billing Alerts > Save preferences
 > Manage billing alerts
 (note that billing alerts appear in the N.Virginia region, 
 regardless of where you have your instances)
[side-bar] Billing > Create Alarm > EstimatedCharges > ...

AMI Backups

The AMI is your best backup option. This is a snapshot of your disk and your instance details (micro, etc). From the AMI you can launch a new box and move over your IP in a few minutes. Ideally you'll create an AMI from your instance and take snapshots of your instance every 24 hours and keep the last week and perhaps a few older copies. We'll want to configure the creation of these snapshots to happen automatically.

We'll set up nightly Amazon EBS Snapshots of our instance. They can later be used as the basis for an AMI.

Something has to issue the nightly command, and that something must hold an unprotected copy of the credential that allows the snapshot to occur. First we'll create a constrained credential to reduce the risk of its exposure, then we'll piggyback on our existing local database backup script to kick off the Amazon snapshot. Your server is probably more likely to be attacked than your dev box.

IAM Credential

In the AWS Console, select IAM. If you haven't used this yet, you'll have zero groups, users and roles. First we'll create a group that can create snapshots and then we'll create a user and assign them that group. The backup script will connect as this user.

Groups
Create New Group
 Group Name: snapshot
 Continue
 Policy Generator
 Select
   Effect: Allow
   AWS Service: Amazon EC2
   Actions: Create Snapshot
            Delete Snapshot
            Describe Snapshots
   ARN: *
   Add Statement
  Continue
 Continue
Create Group

Users
Create New Users  
 User Name 1: snapshot
 [checked] generate an access key for each user
 Create
 Download Credentials
 Close Window

Users
 snapshot
  Groups > Add User to Groups > snapshot > Add to Groups

Snapshot

We'll use the following command from the AWS API Reference.

ec2-create-snapshot volume_id -d "Nightly Backup"

To find your volume_id, go to the AWS Console, select EC2, select Volumes from the sidebar, scroll right to the Attachment Information column, which will show your WebServer instance, then scroll left and record the Volume ID.

First we have to set up the tools.

Download and unzip the latest tools. I used these. The latest link will be posted here. No install is required.

You have to have Java installed.

Run the following commands from a DOS console to create your first snapshot.

SET JAVA_HOME=C:\Program Files (x86)\Java\jre1.8.0_191
SET PATH=%PATH%;%JAVA_HOME%\bin

SET EC2_HOME=C:\Amazon\ec2-api-tools-1.7.5.1
SET PATH=%PATH%;%EC2_HOME%\bin

SET AWS_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAA
SET AWS_SECRET_KEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SET EC2_URL=https://ec2.ca-central-1.amazonaws.com

ec2-create-snapshot vol-11111111 -d "Nightly Backup"

Run the following command to show existing snapshots.

ec2-describe-snapshots

You can filter that to only show the snapshots of a particular volume.

ec2-describe-snapshots --filter "volume-id=vol-11111111"

You can further restrict that to only show the snapshots of a particular volume that are tagged as "Nightly Backup", thus avoiding any ones you created manually.

ec2-describe-snapshots --filter "volume-id=vol-11111111" --filter "description=Nightly Backup"

Here's a Windows script to create a snapshot and delete old nightly backup snapshots from a particular volume. You can call it from the script that you already set up to run nightly.

@echo off

SET JAVA_HOME=C:\Program Files (x86)\Java\jre1.8.0_191
SET PATH=%PATH%;%JAVA_HOME%\bin

SET EC2_HOME=C:\Amazon\ec2-api-tools-1.7.5.1
SET PATH=%PATH%;%EC2_HOME%\bin

SET AWS_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAA
SET AWS_SECRET_KEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SET EC2_URL=https://ec2.ca-central-1.amazonaws.com

SET EC2_VOLUME=vol-22222222

REM  This command lists all snapshots:
REM
REM  ec2-describe-snapshots
REM  
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Created by CreateImage(i-44444444) for ami-55555555 from vol-22222222
REM  SNAPSHOT        snap-11111111   vol-33333333    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM
REM  This command lists only snapshots:
REM  - from the given volume
REM  - with the nightly backup tag
REM  - sorted from newest to oldest (/R reverses the sort on the date column at /+49), http://ss64.com/nt/sort.html
REM  - note that whitespace above is actually a tab character so it counts as one space
REM 
REM  ec2-describe-snapshots --filter "volume-id=vol-22222222" --filter "description=Nightly Backup" | sort /R /+49

echo List interesting snapshots:
call ec2-describe-snapshots --filter "volume-id=%EC2_VOLUME%" --filter "description=Nightly Backup" | sort /R /+49

REM  This loop finds the selected snapshots that are older than 7 days:
REM  usebackq - use `` to delimit the command to be executed so that it can contain ""
REM  skip=7   - skip the first 7 rows, so we keep a week's worth of backups
REM  tokens=2 - select the 2nd column, delimited by spaces
REM  note: that the | must be escaped as ^|

echo Delete old snapshots:
FOR /F "usebackq skip=7 tokens=2" %%G IN (`ec2-describe-snapshots --filter "volume-id=%EC2_VOLUME%" --filter "description=Nightly Backup" ^| sort /R /+49`) DO (
  echo Delete %%G
  call ec2-delete-snapshot %%G
)

REM  Create the snapshot after we delete old snapshots so that our list won't contain any
REM  pending entries that would mess up our assumptions about the position of the date at /+49

echo Create a snapshot:
call ec2-create-snapshot %EC2_VOLUME% -d "Nightly Backup"
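The same keep-the-newest-seven rotation, as an added example that is not the post's script, written for the current AWS CLI (the ec2-api-tools above are the older Java tools). The selection step only reads text lines, so it can be checked without an account; vol-22222222 and the "Nightly Backup" description follow the post, KEEP is an assumption.

```shell
#!/bin/sh
# Added example, not the post's script: the nightly snapshot rotation from the
# batch file above, for `aws ec2 ...`. What to delete is decided in
# select_expired(), which reads "id<TAB>start-time<TAB>state" lines and needs
# no credentials. The post's IAM group grants Create/Delete/Describe on every
# resource; the credential used here should be scoped as tightly as that allows.
set -eu

VOLUME="${VOLUME:-vol-22222222}"
KEEP="${KEEP:-7}"
DESCRIPTION="Nightly Backup"

# list_nightly: one line per completed snapshot of VOLUME with our description.
# Filtering on status=completed means an in-progress snapshot can never be
# counted toward the kept set (the batch script relies on ordering for this).
list_nightly() {
  aws ec2 describe-snapshots --owner-ids self \
    --filters "Name=volume-id,Values=$VOLUME" "Name=description,Values=$DESCRIPTION" \
              "Name=status,Values=completed" \
    --query 'Snapshots[].[SnapshotId,StartTime,State]' --output text
}

# select_expired KEEP: sort stdin newest first on the ISO-8601 start time in
# column 2 and print the snapshot ids beyond the first KEEP (skip=7 in batch).
select_expired() {
  keep="$1"
  sort -t "$(printf '\t')" -k2,2r | awk -F '\t' -v keep="$keep" 'NR > keep { print $1 }'
}

rotate() {
  # delete first, then create, so the new snapshot is not in the list being pruned
  list_nightly | select_expired "$KEEP" | while read -r id; do
    echo "Delete $id"
    aws ec2 delete-snapshot --snapshot-id "$id"
  done
  echo "Create a snapshot:"
  aws ec2 create-snapshot --volume-id "$VOLUME" --description "$DESCRIPTION"
}

if [ "${1:-}" = "--rotate" ]; then
  rotate
fi
```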

Let's Encrypt

My original setup with lighttpd is here, and I've just done the minimum to get that working on Amazon Linux 2 with Apache. There is probably an easier official way at this point, but I didn't experiment.

On the source box:

cd /tmp
sudo tar -zcvf letsencrypt.tar.gz /etc/letsencrypt
sudo tar -zcvf certbot.tar.gz /etc/lighttpd/ssl

On the destination box:

cd /tmp

sudo tar -xvzf letsencrypt.tar.gz
rm letsencrypt.tar.gz
sudo mv /tmp/etc/letsencrypt /etc

sudo tar -xvzf certbot.tar.gz
rm certbot.tar.gz
sudo mv /tmp/etc/lighttpd/ssl /etc/httpd/certbot
sudo rm -f /etc/httpd/certbot/intermediate.pem
sudo rm -f /etc/httpd/certbot/ssl.pem

On the source box:

rm -f /tmp/letsencrypt.tar.gz
rm -f /tmp/certbot.tar.gz 

On the destination box:

sudo vi /etc/httpd/certbot/certbot-renew
#!/bin/sh

echo certbot-renew $(date)
/etc/httpd/certbot/certbot-auto renew --debug --quiet --post-hook "/etc/httpd/certbot/certbot-deploy"
sudo vi /etc/httpd/certbot/certbot-deploy
#!/bin/sh

echo certbot-deploy $(date)

cp /etc/letsencrypt/live/holtstrom.com/cert.pem /etc/pki/tls/certs/localhost.crt
cp /etc/letsencrypt/live/holtstrom.com/privkey.pem /etc/pki/tls/private/localhost.key
cp /etc/letsencrypt/live/holtstrom.com/chain.pem /etc/pki/tls/certs/server-chain.crt

systemctl restart httpd
sudo vi /etc/httpd/conf.d/ssl.conf
# uncomment this line
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
sudo vi /etc/httpd/conf.d/virtualhost.conf
# add this line to each ssl block
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# test the deploy
sudo /etc/httpd/certbot/certbot-deploy
# observe good permission and ownership
sudo ls -la /etc/pki/tls/certs/localhost.crt
-rw-r--r-- 1 root root

sudo ls -la /etc/pki/tls/private/localhost.key
-rw------- 1 root root 

sudo ls -la /etc/pki/tls/certs/server-chain.crt
-rw-r--r-- 1 root root 
# test the renew
sudo /etc/httpd/certbot/certbot-renew

# it failed, so try to replace with updated script
sudo rm -f /etc/httpd/certbot/certbot-auto
cd /etc/httpd/certbot
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto

# try again
sudo /etc/httpd/certbot/certbot-renew

# still failure
# found advice here

# hack it
sudo vi /etc/httpd/certbot/certbot-auto

# replace this
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then

# with this
elif grep -i "Amazon Linux" /etc/issue > /dev/null 2>&1 || \
    grep 'cpe:.*:amazon_linux:2' /etc/os-release > /dev/null 2>&1; then

# try again
sudo /etc/httpd/certbot/certbot-renew

# successful output doesn't look like much, you can remove the --quiet
# to see that it doesn't attempt renewal because the certs aren't due yet
certbot-renew Wed May 15 03:14:58 UTC 2019
yum is /bin/yum
yum is hashed (/bin/yum)
Package 1:openssl-1.0.2k-16.amzn2.1.1.x86_64 already installed and latest version
Package ca-certificates-2018.2.22-70.0.amzn2.noarch already installed and latest version
Package python-devel-2.7.14-58.amzn2.0.4.x86_64 already installed and latest version
Package 1:mod_ssl-2.4.39-1.amzn2.0.1.x86_64 already installed and latest version

# Later, when there was work to do, I see it failed
# I have this in the log:
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: [Errno 2] No such file or directory: '/var/www/lighttpd/example.com'.

# needed to fix the paths in this file
sudo vi /etc/letsencrypt/renewal/example.com.conf
# set up the cron job
sudo crontab -e

38 3 * * * /etc/httpd/certbot/certbot-renew >> /etc/httpd/certbot/chron.log 2>&1
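certbot-deploy above copies the files and restarts Apache unconditionally, so a bad renewal (say a cert that no longer matches the key in live/) takes the site down at 3:38am. As an added example (not the post's hook), this variant checks the new cert against the key and its expiry before touching /etc/pki, installs with the ownership and modes the post verifies by hand, and reloads only after configtest passes. The live directory and destination paths follow the post.

```shell
#!/bin/sh
# Added example, not the post's certbot-deploy: same copy step, but refuse to
# swap in files that would leave mod_ssl unable to start. The two checks only
# need openssl, so they can be exercised on their own.
set -eu

LIVE="${LIVE:-/etc/letsencrypt/live/holtstrom.com}"

# cert_matches_key CERT KEY: succeed iff CERT's public key is KEY's public key.
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$a" = "$b" ]
}

# cert_valid_for CERT DAYS: succeed iff CERT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" > /dev/null
}

# install_file SRC DST MODE: root-owned copy with the mode the post lists
# (644 for the cert and chain, 600 for the key).
install_file() {
  install -o root -g root -m "$3" "$1" "$2"
}

deploy() {
  echo "certbot-deploy $(date)"
  cert_matches_key "$LIVE/cert.pem" "$LIVE/privkey.pem" \
    || { echo "cert/key mismatch in $LIVE, not deploying" >&2; return 1; }
  cert_valid_for "$LIVE/cert.pem" 1 \
    || { echo "renewed cert is already expired, not deploying" >&2; return 1; }
  install_file "$LIVE/cert.pem"    /etc/pki/tls/certs/localhost.crt     644
  install_file "$LIVE/privkey.pem" /etc/pki/tls/private/localhost.key   600
  install_file "$LIVE/chain.pem"   /etc/pki/tls/certs/server-chain.crt  644
  # graceful reload keeps serving during the swap; only do it once Apache
  # agrees the configuration (and the new files) load cleanly
  apachectl configtest && systemctl reload httpd
}

if [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```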

Reminders

# restart apache
sudo systemctl restart httpd

# find out why apache failed to start
systemctl status httpd.service

# restart php
sudo systemctl restart php-fpm

# php error logs
sudo cat /var/log/php-fpm/www-error.log

# see your full list of servers
sudo netstat -plnt

# watch the db log
sudo tail -n 200 -f /var/log/mariadb/mariadb.log

# see what's actually going over the wire
sudo tcpdump port 80 -A | strings
Sunday, February 10, 2019

Global Warming

After a conversation with a friend, I intend to investigate the following three topics:

    Is it true that in 10k years we had a global temp delta of ~3.5 deg C?
    Do we know why global temp change has happened in the past?
    What (if anything) makes it different this time?

And as a meta-investigation:

    Discover whether what I consider to be "reasonably convincing answers" others consider to be "unreasonable, unconvincing claims", and if possible why.
    Discover if the answers are easy to find to test my belief that many people are intentionally uninformed.

Therefore rather than constructing an argument in a direction, I'll list sources in the order I find them and my interpretations of them.


ice core chart goes here


XKCD - Earth Temperature Timeline - Sep 12, 2016


Phys.ORG - Cooling or warming climate? - Aug 11, 2014


Phys.ORG - 30 years of above-average temperatures - Feb 26, 2015

Tuesday, January 1, 2019

Beer in Ottawa

Ordered By Preference:

Daniel O'Connell's Irish Pub
Bar Laurel
Tooth and Nail Brewing Company
Pubwells Restaurant
The Wood On Wellington
The Hintonburg Public House
Vimy Brewing Company
Bar Robo
Elmdale Oyster House & Tavern
Mill St. Brew Pub
The Carleton
Orange Monkey Bar & Billiards

Not Pub-Crawled Yet:

The Third
10Fourteen
Royal Oak
Bar Lupulus
Foolish Chicken
The Soca Kitchen
Beyond the Pale Brewing Company
Happy Goat Coffee Co.
Pub Italia
Heart & Crown
The Wellington Gastropub
Clocktower Brew Pub
Westboro Barley Mow
Churchills
Whispers Pub & Eatery
Bowman's Bar & Grill
Quinn's
House of TARG
The Belmont