Fernando Miguel FernandoMiguel London, UK https://FernandoMiguel.net Geek. DevSecOpsie. Solution Architect. Cloud Native.

99designs/aws-vault 5297

A vault for securely storing and accessing AWS credentials in development environments

FernandoMiguel/sshremotekeys 72

Managing SSH keys remotely to control access to hosts

FernandoMiguel/BuildKit 35

A playground and examples of docker-compose vs buildx bake

FernandoMiguel/AWS-Trust-CrossAccounts 32

Examples for establishing Cross Account Trust relationship on AWS

FernandoMiguel/TLSguide 8

SSL/TLS Workshop/Reference Guide

FernandoMiguel/MFAguide 6

Multi-Factor Authentication

FernandoMiguel/cloudmapper 3

CloudMapper creates network diagrams of AWS environments

FernandoMiguel/ecs-cleaner 1

Cleans up stale and unused ECS task definitions, ECR images and EC2 instances

started clockfort/GitHub-Backup

started time in 3 days

issue opened clockfort/GitHub-Backup

GitHub Enterprise

how can this be used to connect to a private GitHub Enterprise server, instead of github.com?

created time in 3 days

issue comment 99designs/aws-vault

rotate fails "resource: user null"

Did you eventually figure it out @FernandoMiguel ? I'm having the same issue with resource: user null<user_name> (for a completely different system though), and this thread is the only thing that shows up in some Google searches 😢 .

I don't recall @timotheeg . Haven't had issues in a long time

FernandoMiguel

comment created time in 4 days

issue comment achillesrasquinha/pipupgrade

ValueError: unconverted data remains: .539842

If you delete ~/.config/pipupgrade it starts working, so I'm guessing it's this line, maybe the DB entry's _updated_at changed format?

thanks @meesha7

mrichman

comment created time in 10 days

issue comment hashicorp/terraform-provider-consul

Failed to update service. Request decode failed: json: unknown field "SocketPath"

can the changelog please mention the restriction to newer versions of consul? this should be a major release, not a minor version.

sindar225

comment created time in 13 days

issue comment aws/containers-roadmap

[ECR] [request]: support custom domains, or alternate URIs for repositories

Sorry, I should have provided some context..

Here is a trimmed excerpt of the nginx conf I am using in the nginx container task, which runs as an ECS Fargate service (scaled to 2 replicas)

   server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
        chunked_transfer_encoding on;
        client_max_body_size 0;
        server_name     _;

        ########################################################################
        # from https://cipherli.st/                                            #
        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
        ########################################################################
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        # Disable preloading HSTS for now.  You can use the commented out header line that includes
        # the "preload" directive if you understand the implications.
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
    
        ##################################
        # END https://cipherli.st/ BLOCK #
        ##################################

        location / {
                proxy_pass              https://<aws acct id>.dkr.ecr.ap-southeast-2.amazonaws.com;
                proxy_set_header        Host                "<aws acct id>.dkr.ecr.ap-southeast-2.amazonaws.com";
                proxy_set_header        X-Real-IP           $remote_addr;
                proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto   "https";
                proxy_read_timeout      900;
        }
    }

Yes, I am using a self-signed cert, generated on the nginx container itself during init, that is referred to in the nginx.conf

ARG ECR_FQDN=ecr.mydomain.com
ARG BASE_NGINX_IMAGE=nginx:latest

FROM ${BASE_NGINX_IMAGE}

# An ARG declared before FROM is only in scope for the FROM line itself; it must
# be redeclared inside the stage, otherwise ${ECR_FQDN} below expands to an empty
# string and the certificate is generated without a CN.
ARG ECR_FQDN

RUN mkdir -p /etc/ssl/private
RUN chmod 700 /etc/ssl/private

# Self-signed cert for the proxy; only the subject CN is set here (no SAN).
RUN openssl req -x509 -nodes -days 365                 \
    -newkey rsa:2048                                    \
    -keyout /etc/ssl/private/nginx-selfsigned.key       \
    -out /etc/ssl/certs/nginx-selfsigned.crt            \
    -subj "/C=AU/ST=NA/L=NA/O=MyOrganisationName/CN=${ECR_FQDN}"

RUN openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

COPY ./nginx.conf /etc/nginx/nginx.conf

EXPOSE 80 443

Note I am referencing my desired target ECR_FQDN within the Dockerfile as a build arg and then generating the self-signed cert based off this for the SAN/subject..

However, I have actually realised it seems not to matter what FQDN is used, as I recently tested accessing the nginx proxy with different ones and it all still worked fine..

So, in summary, I have an ALB listening on HTTPS using a real ACM SSL cert with an FQDN such as <ecr.mydomain.com> assigned to the ALB, and the listener's target group is set up with the ECS Fargate cluster task as an HTTPS forwarding group to the registered IP targets for the ECS Fargate tasks (which of course is auto-managed by Fargate/the ECS service).

So nginx is making the HTTPS calls to the AWS ECR private registry as a proxy for the HTTPS calls to the ALB...

I am no security expert, but this looks like a fully SSL-chained request through each hop from the client to the target ECR, and it works a treat for us to do all the above.

So far anyway I haven't had/encountered any issues..

Obviously there is an inherent dependency here now on the availability/throughput of the ecs-fargate-nginx-proxy task; however, being a Fargate task, this can easily be scaled to multiple fixed replicas, or tied to an ASG/CW event trigger to scale up/down on demand metrics etc. as desired, to make sure the proxy can handle your workloads..

HTH

Quite a bit off-topic, but if you only have the LB accessing your nginx, you can use a much nicer, more secure, smaller nginx config. Here's the config from Mozilla: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 You may have to set TLS 1.2 though.

Alternatively, you can use caddy server as the reverse proxy, since it is far more modern than nginx and cloud native.

philippmoehler0440

comment created time in 24 days
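As an added example for the exchange above (not code from the thread, from nginx, or from Mozilla), here is a small Python policy check that parses the TLS directives of an nginx server block such as the posted one, reports the legacy protocol versions and other weak settings, and rewrites those directives to TLS 1.3-only values in the spirit of the Mozilla "modern" profile the reply links to. The sample config is a constructed excerpt of the posted block; the threshold MIN_HSTS_MAX_AGE, the HARDENED replacement values and the finding texts are assumptions chosen for illustration.

```python
"""Lint and harden the TLS directives of an nginx server block.

Added example; not from the original thread, nginx or Mozilla. The sample
config is a constructed excerpt and the policy values are assumptions.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the TLS-relevant lines of the config posted in the thread.
POSTED_CONFIG = """\
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 31536000  # assumption: one year, the usual preload minimum

# Replacement values in the spirit of the Mozilla "modern" profile referenced in
# the reply (TLS 1.3 only, client cipher preference). Assumed, not copied.
HARDENED: Dict[str, str] = {
    "ssl_protocols": "TLSv1.3",
    "ssl_prefer_server_ciphers": "off",
    "ssl_session_tickets": "off",
}

# One simple "name args;" directive per line. Block openers and "}" do not match;
# "#" comments are stripped first (a "#" inside quotes is not handled).
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$")


def parse_directives(config: str) -> List[Tuple[str, List[str]]]:
    """Return (name, args) pairs in file order; repeated names are all kept."""
    found = []
    for raw in config.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0])
        if m:
            found.append((m.group(1), shlex.split(m.group(2))))
    return found


def lint_tls(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    directives = parse_directives(config)
    by_name = {name: args for name, args in directives}  # last occurrence wins
    findings = []

    protocols = set(by_name.get("ssl_protocols", []))
    if not protocols:
        findings.append("ssl_protocols is not set; the nginx default may still allow TLSv1/TLSv1.1")
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("ssl_protocols enables legacy versions: " + " ".join(legacy))

    if by_name.get("ssl_session_tickets", ["on"]) != ["off"]:
        findings.append("ssl_session_tickets is on; without ticket key rotation this weakens forward secrecy")

    if by_name.get("ssl_prefer_server_ciphers") == ["on"]:
        findings.append("ssl_prefer_server_ciphers is on; the Mozilla profiles set it off")

    hsts = [args for name, args in directives
            if name == "add_header" and args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        value = hsts[-1][1] if len(hsts[-1]) > 1 else ""
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}")
    return findings


def harden(config: str) -> str:
    """Rewrite the directives listed in HARDENED in place; append any that are missing."""
    lines = []
    seen = set()
    for raw in config.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0])
        if m and m.group(1) in HARDENED:
            indent = raw[: len(raw) - len(raw.lstrip())]
            lines.append(f"{indent}{m.group(1)} {HARDENED[m.group(1)]};")
            seen.add(m.group(1))
        else:
            lines.append(raw)
    # Missing directives go just before the last closing brace of the block.
    closing = max((i for i, line in enumerate(lines) if line.strip() == "}"), default=len(lines))
    for name, value in HARDENED.items():
        if name not in seen:
            lines.insert(closing, f"    {name} {value};")
            closing += 1
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in lint_tls(POSTED_CONFIG):
        print("posted config:", finding)
    print(harden(POSTED_CONFIG))
```

Feed a real file to lint_tls by reading it into a string; the parser only understands one directive per line, so treat it as a policy gate in a build pipeline rather than a full nginx config parser. The hardened output drops TLS 1.2 entirely, which is where the "you may have to set TLS 1.2" caveat in the reply applies: keep "TLSv1.2 TLSv1.3" in HARDENED if the ALB or any client cannot negotiate 1.3.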

push event FernandoMiguel/kb

Fernando Miguel

commit sha 2a7e700e4d4f434d0d4731b091a65481375ee077

.gitconfig Signed-off-by: Fernando Miguel <github@FernandoMiguel.net>


push time in a month

push event FernandoMiguel/kb

Fernando Pereira

commit sha 801960a6d11f3a6be6c61199f9c4f3d6efe71320

.trash Signed-off-by: Fernando Pereira <Fernando.Pereira@enverus.com>


Fernando Pereira

commit sha dae1b4b2d867da89c775d2a3e03b944013d723c5

nextdns Signed-off-by: Fernando Pereira <Fernando.Pereira@enverus.com>


push time in a month

issue opened hashicorp/terraform-aws-consul

support prefix_list_ids in aws_security_group_rule

prefix_list_ids (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#prefix_list_ids) is a newer way to allow CIDR ranges to be added to Security Groups.

Is anyone working on adding these to the module? Ideally they would be null unless someone passed them in.

created time in a month

issue comment iann0036/iamlive

Feature Request: Distribution via brew once we have a 1.0.0

$ brew reinstall iamlive
==> Downloading https://github.com/iann0036/iamlive/releases/download/v0.39.0/iamlive-v0.39.0-darwin-amd64.zip
Already downloaded: /Users/fernando/Library/Caches/Homebrew/downloads/2444c47064f209508488b18131f349c69cfd3ac6e54b177d73ba67f7b84dea25--iamlive-v0.39.0-darwin-amd64.zip
==> Reinstalling iann0036/iamlive/iamlive
Error: send_io() function is unimplemented on this machine
Please report this issue:
  https://docs.brew.sh/Troubleshooting
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:79:in `send_io'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:79:in `block (3 levels) in safe_fork'
/usr/local/Homebrew/Library/Homebrew/utils.rb:417:in `ignore_interrupts'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:73:in `block (2 levels) in safe_fork'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `open'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `block in safe_fork'
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:33:in `safe_fork'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:868:in `build'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:419:in `install'
/usr/local/Homebrew/Library/Homebrew/reinstall.rb:62:in `reinstall_formula'
/usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:102:in `block in reinstall'
/usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `each'
/usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `reinstall'
/usr/local/Homebrew/Library/Homebrew/brew.rb:122:in `<main>'

Traceback (most recent call last):
	2: from /usr/local/Homebrew/Library/Homebrew/build.rb:221:in `<main>'
	1: from /usr/local/Homebrew/Library/Homebrew/build.rb:221:in `open'
/usr/local/Homebrew/Library/Homebrew/build.rb:221:in `recv_io': file descriptor was not passed (msg_controllen=0 smaller than sizeof(struct cmsghdr)=12) (SocketError)
	1: from /usr/local/Homebrew/Library/Homebrew/build.rb:217:in `<main>'
/usr/local/Homebrew/Library/Homebrew/build.rb:256:in `rescue in <main>': private method `puts' called for nil:NilClass (NoMethodError)
Traceback (most recent call last):
	16: from /usr/local/Homebrew/Library/Homebrew/brew.rb:122:in `<main>'
	15: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `reinstall'
	14: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `each'
	13: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:102:in `block in reinstall'
	12: from /usr/local/Homebrew/Library/Homebrew/reinstall.rb:62:in `reinstall_formula'
	11: from /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:419:in `install'
	10: from /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:868:in `build'
	 9: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:33:in `safe_fork'
	 8: from /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
	 7: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `block in safe_fork'
	 6: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `open'
	 5: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:37:in `block (2 levels) in safe_fork'
	 4: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:37:in `fork'
	 3: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:45:in `block (3 levels) in safe_fork'
	 2: from /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:880:in `block in build'
	 1: from /usr/local/Homebrew/Library/Homebrew/sandbox.rb:99:in `exec'
/usr/local/Homebrew/Library/Homebrew/utils.rb:322:in `safe_system': Failure while executing; `/usr/bin/sandbox-exec -f /private/tmp/homebrew20210712-17534-1xe6f23.sb nice /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby -W1 -- /usr/local/Homebrew/Library/Homebrew/build.rb /usr/local/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb` exited with 1. (ErrorDuringExecution)
	16: from /usr/local/Homebrew/Library/Homebrew/brew.rb:122:in `<main>'
	15: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `reinstall'
	14: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:96:in `each'
	13: from /usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:102:in `block in reinstall'
	12: from /usr/local/Homebrew/Library/Homebrew/reinstall.rb:62:in `reinstall_formula'
	11: from /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:419:in `install'
	10: from /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:868:in `build'
	 9: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:33:in `safe_fork'
	 8: from /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
	 7: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `block in safe_fork'
	 6: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:34:in `open'
	 5: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:37:in `block (2 levels) in safe_fork'
	 4: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:37:in `fork'
	 3: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:39:in `block (3 levels) in safe_fork'
	 2: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:65:in `rescue in block (3 levels) in safe_fork'
	 1: from /usr/local/Homebrew/Library/Homebrew/utils/fork.rb:65:in `puts'
/usr/local/Homebrew/Library/Homebrew/utils/fork.rb:65:in `write': Broken pipe (Errno::EPIPE)
dgomesbr

comment created time in 2 months

issue comment microsoft/vscode

crashes and closes on startup

Can be closed

FernandoMiguel

comment created time in 2 months

started alin23/Lunar

started time in 3 months

issue comment Azure/azure-sdk-for-go

Implement missing service principal operations in graphrbac

is there any update on this new release with the new code ?

twendt

comment created time in 3 months

issue opened AkihiroSuda/lima

ubuntu minimal

should we use https://cloud-images.ubuntu.com/minimal/daily/hirsute/current/ instead of https://cloud-images.ubuntu.com/hirsute/current/ ?

the minimal is half the size

created time in 3 months

started norouter/norouter

started time in 3 months

started AkihiroSuda/lima

started time in 3 months