server migration schedule and status

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
server migration schedule and status
by on (#178633)
With 2/3rds of the server being on my desk at work and the other third arriving tomorrow (Wednesday), I figure it is a good time to let everyone know what will be happening


08/31 - Hardware testing / burn-in
09/01 - initial configuration
09/02 - install server in rack alongside current server. forums and wiki will stay up and running on current server but hosted sites (such as Blargg's Home) may be down at times during the weekend
09/03-04 - the forums and wiki will be cloned over and tested. once tested, the old server will be locked and traffic transferred to the new server
09/05 - old server will be powered down and removed from the ISP

I will try and keep everyone updated during migration over the weekend
Re: server migration schedule and status
by on (#178780)
one of the server's two IP addresses has been disabled in preparation for the new server going in the rack. I am heading to the ISP in a few minutes :)
Re: server migration schedule and status
by on (#178787)
server migration has been delayed until Wednesday... the ISP has been moving their support staff to a different location and the network admin is on vacation until then. :|

it was nice of them to update us on these changes... oi
Re: server migration schedule and status
by on (#179190)
We were able to get the new server in the rack :) migration to soon follow
Re: server migration schedule and status
by on (#179423)
Nesdev.com will be down for a while tonight starting around midnight MST for server migration.
Re: server migration schedule and status
by on (#179440)
forums are now back up, as is the nesdev.com index. currently working on the wiki
Re: server migration schedule and status
by on (#179443)
the wiki should now be good to go as well
Re: server migration schedule and status
by on (#179447)
The speed difference, even with HTTPS/SSL negotiation, is tremendous (on both forum and wiki). Woot.

However, the DH params for SSL need to be regenerated and higher security applied:

https://www.ssllabs.com/ssltest/analyze ... Results=on

"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." Details:

* https://weakdh.org/
* https://weakdh.org/sysadmin.html

Assuming nginx (I checked the Server HTTP header):

Code:
This can take a while on some systems (depends on CPU, etc.) so be patient:

openssl dhparam -out /etc/nginx/dhparam.pem 2048

nginx.conf (or whatever):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;

The ciphers list I provided here differs from what you might see on the weakdh.org site. The list I provided comes directly from https://raymii.org/s/tutorials/Strong_S ... nginx.html for present-day nginx (I don't know what version you're using).

Hope this helps!
Re: server migration schedule and status
by on (#179449)
Since the migration I have to enter a captcha on every login. I like nes trivia but is there a reason behind it? SSL migration? Cookie leftover?
Re: server migration schedule and status
by on (#179457)
Quote:
Since the migration I have to enter a captcha on every login

Same here. It doesn't help that the answers seem to be case sensitive, or that it isn't apparent how one should formulate the answer even if one knows the answer (is our princess "in another castle", or in "another castle"?).
Re: server migration schedule and status
by on (#179462)
I disagree with requiring a CAPTCHA on the first login attempt, not just sign-up or after multiple failures. This also means that the number of computers through which I participate will dwindle as their persistent cookies expire.

I can't even see whether I have the power to turn it off because when I try to log in to the Administration Control Panel on my first attempt to log in in the past 20 hours, I get "You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below." I will treat this failure as a demotion of my privileges here from administrator to global moderator for the period starting now and presumably ending when WhoaMan explains the reason for this policy change.
Re: server migration schedule and status
by on (#179463)
tepples wrote:
I can't even see whether I have the power to turn it off because when I try to log in to the Administration Control Panel on my first attempt to log in in the past 20 hours, I get "You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below." I will treat this failure as a demotion of my privileges here from administrator to global moderator for the period starting now and presumably ending when WhoaMan explains the reason for this policy change.


None of the privileges have changed, seems to be a bug with the migration. I will look into it and try to figure out what is happening.
Re: server migration schedule and status
by on (#179464)
WhoaMan wrote:
None of the privileges have changed, seems to be a bug with the migration. I will look into it and try to figure out what is happening.


Well good to know that it's know some kind of nes trivia bullying :lol:
Re: server migration schedule and status
by on (#179466)
it has to do with the proxy using the server's IP address so it appears as all users are logging in with the same IP
Re: server migration schedule and status
by on (#179467)
I disagree with HTTPS-only
Re: server migration schedule and status
by on (#179474)
the maximum attempts problem should be fixed now
Re: server migration schedule and status
by on (#179475)
Quote:
the maximum attempts problem should be fixed now

Yep. Works on my end at least.
Re: server migration schedule and status
by on (#179476)
zzo38 wrote:
I disagree with HTTPS-only


Google insists.

What's your specific complaint?
Re: server migration schedule and status
by on (#179480)
Banshaku wrote:
I like nes trivia but is there a reason behind it?

I like NES hardware trivia because it shows that new users know how to read and search our wiki.

But there's a difference between NES hardware trivia and trivia related to specific nonfree NES games that not everybody with an NES owns. True, Super Mario Bros. came bundled with most NES consoles, either by itself or in a multicart that also included Duck Hunt or Tetris. But the Challenge Set had Super Mario Bros. 3, all toploaders (Famicom and NES-101) lacked a pack-in, and not all used consoles include some form of SMB. In addition, we have SNESdev, where not everybody has All-Stars, and GBDev, where not everybody has SMB Deluxe or even specifically a Game Boy Color for that matter.

"Bullying" someone to explore another resource available from the same domain (namely our wiki) is more tolerable than "bullying" someone to buy a particular publisher's nonfree game (namely SMB).

mic_ wrote:
It doesn't help that the answers seem to be case sensitive, or that it isn't apparent how one should formulate the answer even if one knows the answer (is our princess "in another castle", or in "another castle"?).

Or even "World 8" or "World 8-4", formulations that might be resistant to osmosis. At least when I made a set of hardware questions, I tried to include multiple formulations, such as "BCD" or "decimal mode", and only cover things on the wiki.

WhoaMan wrote:
None of the privileges have changed, seems to be a bug with the migration.

It's not that permissions were explicitly taken away as much as that without reauthenticating to the ACP, I could exercise only the powers of a global mod until you fixed it.

WhoaMan wrote:
the maximum attempts problem should be fixed now

Thank you.

Are you having your reverse proxy generate a header such as X-Forwarded-For or X-Real-IP and then feeding that to phpBB as the REMOTE_ADDR?

dougeff wrote:
zzo38 wrote:
I disagree with HTTPS-only

Google insists.

I thought Google Search's cleartext penalty insisted on the site being available through HTTPS with <link rel="canonical"> pointing to an HTTPS page, not that the server force a redirect from HTTP to HTTPS. Or has Google Search begun to use HSTS and HTTP-to-HTTPS redirects as a rank signal as well? (HSTS is an HTTP header telling the browser to rewrite the scheme for all HTTP requests to the same hostname to HTTPS for at least the next month.)
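
Added example (not part of the thread, and not the site's actual configuration): how a per-IP login-attempt counter behaves behind a reverse proxy, and how an X-Forwarded-For header can be used safely by honouring it only when the connection comes from a trusted proxy. It assumes the proxy runs on the same host (loopback); the function names and the sample requests are constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the reverse proxy is on the same host, so only loopback is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers):
    """Address to key per-IP login limits on."""
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is client-controlled, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entries were appended by our own proxy
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:  # malformed entry: stop trusting the header
            break
    return remote_addr

def attempts_per_ip(requests, proxy_aware):
    """Count login attempts per address, with or without proxy-aware resolution."""
    if proxy_aware:
        return Counter(client_ip(r["remote_addr"], r["headers"]) for r in requests)
    return Counter(r["remote_addr"] for r in requests)

# Constructed sample traffic (documentation address ranges, not real users).
SAMPLE = [
    {"remote_addr": "127.0.0.1", "headers": {"X-Forwarded-For": "198.51.100.7"}},
    {"remote_addr": "127.0.0.1", "headers": {"X-Forwarded-For": "198.51.100.8"}},
    # client sent its own X-Forwarded-For; the proxy appended the real peer address
    {"remote_addr": "127.0.0.1", "headers": {"X-Forwarded-For": "192.0.2.1, 203.0.113.5"}},
    # direct connection (bypassing the proxy) carrying a forged header
    {"remote_addr": "203.0.113.9", "headers": {"X-Forwarded-For": "198.51.100.7"}},
]

if __name__ == "__main__":
    print("by REMOTE_ADDR:", dict(attempts_per_ip(SAMPLE, proxy_aware=False)))
    print("proxy-aware:   ", dict(attempts_per_ip(SAMPLE, proxy_aware=True)))
```

Keyed on the raw peer address, every proxied login counts against 127.0.0.1, so a shared attempt limit is reached quickly; with the proxy-aware lookup each client is counted separately and the forged header on the direct connection is ignored.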
Re: server migration schedule and status
by on (#179507)
Somehow, this broke the layout on redlinked and editing wiki pages.
Re: server migration schedule and status
by on (#179520)
Polipo now only works on one site I visit regularly; I need a proxy that supports HTTPS. Any suggestions?
Re: server migration schedule and status
by on (#179522)
tepples wrote:
Banshaku wrote:
I like nes trivia but is there a reason behind it?

I like NES hardware trivia because it shows that new users know how to read and search our wiki.

"Bullying" someone to explore another resource available from the same domain (namely our wiki) is more tolerable than "bullying" someone to buy a particular publisher's nonfree game (namely SMB).

I agree with you about these things; you should make the question about the hardware and not about any game. In addition to being more tolerable than "bullying" someone to buy a particular publisher's nonfree game, it is also more tolerable than "bullying" someone to look at an external resource (even if that external resource is free); to look only at resources available on the same website for free is better.

Quote:
dougeff wrote:
zzo38 wrote:
I disagree with HTTPS-only
Google insists.
I thought Google Search's cleartext penalty insisted on the site being available through HTTPS with <link rel="canonical"> pointing to an HTTPS page, not that the server force a redirect from HTTP to HTTPS. Or has Google Search begun to use HSTS and HTTP-to-HTTPS redirects as a rank signal as well? (HSTS is an HTTP header telling the browser to rewrite the scheme for all HTTP requests to the same hostname to HTTPS for at least the next month.)

HSTS is terrible and does not improve security or anything else. HTTPS-only also doesn't help. If you do need redirects to HTTPS for Google, well, you can know that Google itself redirects to HTTPS only for certain user-agents, so you can do the same (possibly using the same list). There are things that can be done to improve security:
  • Implement HPKP ("no-user-recourse" is bad though, but that is a client-side concern and is not a server-side concern).
  • Set cookies as non-scriptable.
  • When users log in over HTTPS, set the cookies as secure-only.
  • Allow encrypted private messages (encrypted on the client side if the user agrees to execute the encryption program) to be sent to users who have enabled encrypted private messages in their profile.
  • Allow users connecting through HTTPS to use their own encryption keys if they wish to do so. (This one is probably the most difficult one to implement.)
Re: server migration schedule and status
by on (#179529)
Myask wrote:
Somehow, this broke the layout on redlinked and editing wiki pages.

For the record, this seems to have been fixed.
Re: server migration schedule and status
by on (#179533)
The palette page on the wiki has an issue showing Bisqwit's palette.

https://wiki.nesdev.com/w/index.php/PPU_palettes

"Error creating thumbnail: Unable to save thumbnail to destination
NES palette generated with Bisqwit's tool"
Re: server migration schedule and status
by on (#179536)
@Tepples

I was aware of the captcha for new users which was nes trivia related, it's just that I was surprised that it was asking it all the time. I kind of had a hunch that something went wrong with the migration so I posted my comment to know why it was happening suddenly.

As for bullying, I was just joking about the fact that the question was asked every time and now it was over, thus the smiley to convey that I was not serious about my previous comment.
Re: server migration schedule and status
by on (#179561)
The "Unable to save thumbnail to destination" messages on the Wiki are server-side and need to be addressed. A good page where this is present is the Emulators - Under development section, which uses {{mbox}} to display a coloured info box and an icon.

I'm willing to bet the path for saving thumbnails on the filesystem changed, or if it didn't, the permissions of who can write there might now be more relevant (I believe the webserver changed to nginx, which means FastCGI + php5-fpm are probably involved, which means nightmares relating to user/group and file/dir permissions when compared to Apache and the ITK mpm). https://www.mediawiki.org/wiki/Topic:Qmkwqlxoor706ddt has some details.
Re: server migration schedule and status
by on (#179564)
calima wrote:
The palette page on the wiki has an issue showing Bisqwit's palette.

https://wiki.nesdev.com/w/index.php/PPU_palettes

"Error creating thumbnail: Unable to save thumbnail to destination
NES palette generated with Bisqwit's tool"

Yeah, it would seem all thumbnails are in trouble. https://wiki.nesdev.com/w/index.php/Fil ... g_seam.gif
Re: server migration schedule and status
by on (#179575)
we should now have thumbnails on the wiki