Category Archives: Site Updates

Sort of Blogging on the Fediverse

Over at Key Smash!, I’ve been helping beta-test the Pterotype plugin to hook up a self-hosted WordPress to the Fediverse. It gives WordPress an ActivityPub presence, so new posts and comments can be seen in Mastodon, Pleroma, and other ActivityPub-powered networks, and replies from those networks can come back as comments.

But Key Smash! is a simple test case. It’s at the top of the site, there’s no caching, it’s only got a handful of posts, and it hasn’t been bombarded by spammers for years.

So I’ve installed it on here. Older posts won’t federate, but new ones (starting here) should, and replies should show up as comments. With luck they’ll land in the moderation queue instead of the spam queue.

You may be able to follow the site by searching for this post’s URL in Mastodon/etc. Maybe. I need to report a bug in the handling of sites that aren’t at the top level: To find the site I need to search for @blog@www.hyperborea.org/journal – the first time. Then that search stops working, but I can find it at @blog@www.hyperborea.orgjournal instead. But that only works after I’ve searched for the first one.

Well, that’s part of why I set it up here: to help beta test.

Update: You can now follow the blog directly at @blog@www.hyperborea.org

Update (Dec): I turned it off temporarily due to spam problems. Spam comments were visible through ActivityPub, and couldn’t be deleted due to a FK constraint on the Pterotype tables.

Why am I still blogging? (And why about this stuff?)

This blog has been around 15 years. Social media has mostly moved on, to silos like Facebook and Twitter. People don’t follow random personal blogs. Topic-focused sites are what people actually read, and even that mainly following links from silos.

Meanwhile there are so many major things going on that make the things I post about here — comics, fandom, photos of things I found interesting, random tech thoughts — seem trivial.

So why keep a blog going? And why write about trivialities, and not big things like the battles over civil rights, healthcare, environmental protections, war?

As for the first: Some of it is stubbornness. And some of it is wanting to keep part of my writing/photo presence somewhere “permanent” (to the extent that anything online is).

As for the second: I’ve never really liked talking news and politics online. I rarely feel like I can add anything that hasn’t already been said (probably better) by someone else. Also, online conversation has gotten way too toxic. On the other hand, while the little things may be trivial, they add up. They add up to your life. It feels like I might actually have something to say that’s not already been said a thousand times by people more familiar with the issue than I am.

Plus it’s a way to assert some normality in a world that feels decidedly abnormal.

I’m not likely to come up with anything super-profound on the most important topics, but I can make short statements, and I can amplify other voices. And I’m trying to come to grips with the fact that that’s important. I’ve been reading a lot more and posting a lot less over the past year or so, but even if I can’t say anything profound, I shouldn’t stay silent.

So I’ve been microblogging, and linking, and reposting — all things that are better suited for a service that’s built around those use cases. When I have something longer to say, I do try to pull it in here, because a blog post is better than a Twitter thread… But I think more people probably see my retweets than my blog posts, anyway.

Finally pulled the HTTPS switch!

That took a lot longer than I intended.

But I’ve finally made all of Hyperborea.org run over HTTPS.

It’s been possible to view the whole site over HTTPS ever since I turned it on for the admin area of this blog years ago, but I left HTTP as the canonical URL and didn’t redirect anything until I updated the Les Mis section, and later this blog. Now, any page you visit on this entire site should load over an encrypted connection.

(Well, any page except for the old Dillo RPMs page, since that minimalist web browser still only has experimental HTTPS support.)

The problem is when you have decades of hand-crafted web pages to go through, it can take a while to make sure everything embeds only secure or same-origin content. Every image, every script, every video. I had to update lots of absolute links, remove some widgets and ads, update other widgets, embedded videos and metadata…and just a bit at a time in my spare time.

Finally I switched on the redirects this morning. Even that took longer than expected, because I’d forgotten that mod_rewrite rules in a directory override any parent directory’s rules, so I had to copy the HTTP-to-HTTPS rewrite rule to each folder that had its own rewrite rules. Then I had to fix the interaction between mod_rewrite and ErrorDocument that was causing custom errors to redirect to the error template instead of loading it behind the scenes.

Adding the S in HTTPS

I finally moved the public side of this blog over to HTTPS last weekend. Traditionally I’ve preferred to put public info on HTTP and save HTTPS for things that need it – passwords, payment info, login tokens, anything that should be kept private — but between the movement to protect more and more of the web from eavesdropping and the fact that tools are making it harder to split content between open and encrypted sides (the WordPress app sometimes gets confused when you run the admin over HTTPS but keep the public blog on HTTP), I decided it was time.

The last sticking point was putting HTTPS on my CDN, and I’d decided to try getting Let’s Encrypt and CloudFront working together over the weekend. Then Amazon announced their Certificate Manager for AWS, which took care of the hard part. All I had to do was request and approve the (domain-validated) certificate, then attach it. Done!

Downside: Because I opted for the SNI option on the CDN, rather than pay the premium to get unique IP addresses on every CloudFront endpoint, the images won’t work with older browsers like IE6. (Server Name Indication is a way to put more than one HTTPS site on the same IP address.)

On the other hand, the cert I have on the site itself is SHA2-signed (as it should be, now that SHA-1 is no longer sufficient), so it wouldn’t work with older browsers even if I turned off the CDN and kept the images on the server.

It’s the first time I’ve actually broken the ability of older browsers to see any of my personal sites. I’ve broken layouts, sure, but not completely cut them off. In general I’d rather not, but I think I’m OK with it this time because

  1. SHA1 really does have to go, SHA2 is well-established, and it’s not like I’m providing downloads of modern browsers or a critical communications forum for people who are stuck with ancient hardware/software because that’s all that’s available to them.
  2. SNI has been around for TEN YEARS.

And as it turns out, DreamHost’s ModSecurity rules block IE6 to begin with, so the whole site’s already broken in that browser.

So I guess next time I redesign I can finally drop any IE6 workarounds. :shrug:

Moved to a faster server, ALMOST moved to NginX

As of last week, this site is being served to you by a shiny new SSD-backed VPS at DreamHost. I was hoping it would be running NginX as well, but try as I might, I couldn’t get WordPress in a subdirectory to play nice with NginX. Speed Force worked fine, but it’s at the top level of a site. Ramblings and Re-Reading Les Misérables aren’t.

Fortunately, the new virtual servers are faster and cheaper (newer hardware, after all), and with the rest of my sites running NginX I end up with about the same overall memory footprint for two VPSes so that I could put this back on Apache. I suppose that saved me time converting the zillions of .htaccess rules I’ve amassed over the years. And with the faster systems, they’re able to handle more complex/simultaneous actions without timing out or spiking memory.