I accept the Devember2020 Challenge

I am a student at Western Governor’s University rn. I am getting a degree in computer science, but I know that isn’t enough. I am even worried that college’s price per performance ratio is worse than the RX 6800 :stuck_out_tongue:

Anyway, I have a Linode server already and it’s a project that I have been working on off and on since June of 2019. Thus I don’t really know if that qualifies as eligible for Devember. Besides, web-dev, while being a useful skill, is not what I want to be my main focus in life. I want to work as a Security Engineer. I haven’t decided what aspect of security I want to focus on specifically though (i.e. OS Security, Network Security, etc…). I think Linux kernel security would be fun. But I just like to explore. I’m like a friggin’ ADHD squirrel… though it may not help that I actually do have ADHD. If something interests me in the moment I just go at it. Sometimes I get quite focused on that one thing - hyperfocus is another symptom of ADHD. Anyway, another reason that I don’t want to use my website project as my Devember project is because it is sorta like a portfolio. Lots of people, especially freelancers, use them. But since I am going into programming I thought I might as well learn a bunch of things along the way instead of using something like WordPress. Note though, that if you do try to go to it right now, I have most of the content on my local machine for ease of development (cache is annoying), and the server only serves a “test” message to the client. This is because I am redesigning the entire [static] website’s design, so I don’t want the embarrassingly designed old website to be seen anymore xD.

Anyway, I know this is getting really really long now, but I say all that because I want my Devember project to be a blog CMS. I think I want to write it in PHP. PHP, however, isn’t a language I want to focus on in my career though. Python is. But, while my very first exposure to programming was a Python program I wrote in 8th grade, I have become very accustomed to C and C++. Thus I find Python to be a bit difficult for me to abstract out programs in. (Haha, I helped a veterinary major write the final project for our C class and he just sat there dumbfounded as I abstracted the program out with him. Finally, when I caught a bug before we even tried to compile it for the first time, he looked at me and said that I thought just like a computer.) Anyway, I did the PHP course on Codecademy awhile back and found that it had a good mix of Python and C syntax. Thus I think it may be a good transitional language for me to try. I know most people say transitioning to languages is easy, but consider C’s for loop and Python’s for loop (which should actually be called a foreach loop). Also it is a perfect language to use for the blog backend for my website. And since I am learning SQL now, it just feels like that may be the right thing to do. If you want to know why I want a blog, well it is because I like to write. I am gonna at least try to put monthly content on the blog, and most of it will probably honestly be works of fiction. Some may be Linux tutorials, and still others may be political or persuasive in nature. Just whatever I feel like and whenever I feel like… the internet had bloggers before it had YouTubers lol.

Yeah I know this is a very roundabout way of explaining everything. I am sorry, and I hope you guys can get enough of the picture to offer support, encouragement, and constructive criticism (I don’t take kindly to hurtful criticism either… You have been warned). Also I have a GitHub account at CodeDragon5793 and my website from earlier is at https://codedragon.dev. I have another domain which will host the blog at https://linuxdragon.dev but Apache does not have a VirtualHost configured for it right now so you’ll get an error.

2 Likes

I am failing at this right now. I need some help, basically I don’t know how to get started. Also I just watched the video that Wendell posted in the original thread and that helped me a little - particularly Jarvis’ number 2 point. (Also his number 1 point, and number 3, 4, and 5…xDD). Also, awhile ago, I changed my language over to Python. I am gonna try to use the Flask web framework: https://flask.palletsprojects.com

Congrats on your college journey. I have a C.S. degree with a minor in Mathematics. And I work in IT (not ideal, but it pays the bills). My wife just enrolled in Western Governor’s University to pursue her Masters in Nursing. She starts in February. The cost is pretty steep, but since it is a self paced program, you can get the biggest bang for your buck as long as you put in the effort and regularly complete the units. I don’t know of any traditional schools that would allow this.

So to get started, there is another user that is working on a CMS type system. You may want to do a forum search for CMS.

As far as getting started, the whole point of Dev-ember is to work on things that you may have been putting off. That could be learning a language, transitioning, or doing something that you have never done before. You don’t actually have to have a working product at the end of the event. It is all about the journey.

I can’t talk much about Python since my core languages are C and Java, with some C++, C#, Perl, and Ruby thrown here and there. I dabble in JavaScript but hate it and don’t get the appeal.

Performing a quick look at the Flask site, I would run through the tutorials that they provide.

*Note: Both of your sites are not being served right now. Just a heads up.

Yeah, I just resized my Linode to go from the $10/month plan to the $5/month. Plus I have also transitioned to Nginx from Apache and will be moving personal services, Nextcloud and Bitwarden, to run on my home network - inspired by Wendell’s HA-Proxy WI video and forum post. Also I was experimenting with the Python WSGI server so that would be why I get a 502 bad gateway… the WSGI server isn’t running right now. I got it to work with a test “Hello world” application, then I had to stop it with Ctrl+C and work on getting a SystemD service running - which was rather difficult since I installed the program with Pip rather than my distribution’s package manager. Anyway, after getting the SystemD service working, I abandoned my tinkering in favor of working on the actual Flask application. That being said, https://codedragon.dev is an entirely static site so it only has a rather pathetic placeholder HTML file in the document root. Additionally, I haven’t given an update in awhile, but I found PyCharm due to some amazing folks in “The Linux Gamer” Discord community. (He’ll always be The Linux Gamer to me). The same person also introduced me to Peewee, so that, combined with the immense productivity boost provided by PyCharm (namely help with import statements) has made my application start to take some pretty good shape. Anyway, I have made significant progress since that last post. I had been using the Flask Documentation to help me figure stuff out, like you suggested (before you even suggested that), and I am even using the “flaskr” example code as a basis for my own code. I’ll be posting the first git commit to a new project later today probably, so I’ll share the link once I get that.

P.S. I find Nginx syntax to be rather easy to work with and simpler to comprehend than Apache’s spaghetti.

Python and flask behind nginx? Fun.

Since you’re into security, try to set up https if you haven’t already, and try to maybe figure out how to optionally do client side certs with nginx and then pass that identity to a flask app.

It could be a nice base from which one can start building a beyondcorp/open network compatible single sign on system – which are very useful today in the industry, especially since 2020 and wfh and stuff.

All I have to do is have a uWSGI server bind to a Linux socket on port 3130 for example. Then I block inbound traffic to that port with my firewall. Finally, Nginx will proxy_pass all https requests to that particular domain to the uWSGI server which then serves the flask app… simple.

P.S. you’re too late on the SSL recommendation, my website doesn’t even support http. Even the first request a browser makes will be automatically connected over HTTPS because my domain is on Google’s HSTS list. Even if it wasn’t I already have a pretty strict HSTS header sent to the browser. The only thing I haven’t set is the TLS handshake preferences… only because I am new to Nginx though.

1 Like

Excellent, now onto browser / client side certs for mutual tls/https auth.

1 Like
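
An added example, not part of any post in this thread: one way the Python side could accept a client-certificate identity handed over by Nginx, as suggested above. It assumes Nginx forwards over HTTP (`proxy_pass`) from the same host; the header names and the names `ClientCertIdentity`, `whoami_app` and `simulate` are hypothetical, and the sample requests are constructed.

```python
# Added example (not from the thread). Assumed nginx side, in the HTTPS server block:
#   ssl_verify_client optional;
#   proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
#   proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
# proxy_set_header replaces any same-named header sent by the client.

TRUSTED_PROXIES = {"127.0.0.1", "::1"}   # assumption: nginx runs on the same host
VERIFY_KEY = "HTTP_X_SSL_CLIENT_VERIFY"  # WSGI names of the assumed headers
DN_KEY = "HTTP_X_SSL_CLIENT_DN"


class ClientCertIdentity:
    """WSGI middleware: expose the verified client-cert DN as environ['mtls.dn']."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        # Always remove the raw headers so the app can only see the checked value.
        verify = environ.pop(VERIFY_KEY, "NONE")
        dn = environ.pop(DN_KEY, "")
        from_proxy = environ.get("REMOTE_ADDR") in self.trusted
        # nginx sets $ssl_client_verify to SUCCESS, FAILED:<reason> or NONE.
        ok = from_proxy and verify == "SUCCESS" and dn
        environ["mtls.dn"] = dn if ok else None
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Stand-in for the real application: 200 with the DN, or 403 without one."""
    dn = environ.get("mtls.dn")
    status = "200 OK" if dn else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [(dn or "client certificate required").encode()]


def simulate(remote_addr, headers):
    """Run one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(headers)
    seen = {}
    chunks = ClientCertIdentity(whoami_app)(
        environ, lambda status, hdrs: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode()
```

With Flask the middleware would wrap the application as `app.wsgi_app = ClientCertIdentity(app.wsgi_app)`.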

What? My server has nothing to do with the client-side. That’s why TLS is predominantly server-bound… it is easier to trust 1 million servers to be configured correctly vs 7 billion+ browsers to be configured correctly. Also, I just said that the only thing that I haven’t done is set up TLS handshake preferences, but only because I am new to Nginx… Hence I intend to do that, but it isn’t a priority because, tbf, most modern browsers will choose the higher encryption. Since my server only supports TLS 1.2 and TLS 1.3, it’s in pretty good shape for now… especially considering it doesn’t even serve a website.

Oh totally, I meant in the spirit of Devember and self improvement it’d be a thing to try next if you wanted to do any kind of security consulting.

It’s not about trusting 10B browsers, it’s about trusting the 100 or a 1000 browsers that a company wants to ensure are the only ones that can access some web apps. Most orgs big enough to care about security enough to even consider paying a consultant are about 100 people up and will have server admins and network admins and client side device certificates their employees’ browsers would have to use in addition to (most likely very wonky) VPN setups and a combination of samba shares and cloud deployed semi third party managed web apps.

Getting exposure to how browser certs work early would give you a leg up.

VPNs almost always only provide a false sense of security. Secondly, all of that sounds boring and is not at all what I want to do. No I want to be the guy that, for example, finds a bug in Chromium’s code, patches it and then submits that for review with Google’s bug bounty program. That’ll probably be a side-hustle tbh… at least at first.

There’s only a few people good enough willing to spend time on that… Google only pays somewhere between 1 and 10 million per year… in aggregate to everyone. It’s just statistically unlikely you’ll be able to make a living being that guy.

Don’t get me wrong, it’s really cool to want that, but unless you’re an 8-year-old bootstrapping your first webserver you’re probably around 10 years worth of learning behind – what I mean is it takes lots of time and dedication and talent and skill, and then you spend 6 months or a year almost full time looking for a 50k usd bug. I’d hedge my bets against you in this case (and I mean that gently in a non offending way).

I’d also like to be the guy/gal that walks into a room in Cupertino, presses enter on their laptop, and crashes iPhones of everyone nearby just to get their attention, after Apple repeatedly claiming they didn’t have a bug and after having asked the researchers to demo it - demo you shall get. But I’m just too stupid/lazy for that. (btw, it’s a true story from 2018/2019, she’s awesome, and her friends are who you’d be competing with/against for finding bugs).

I’d settle for being the guy to hand one nail to someone putting them into the corporate VPN’s coffin (but I’m stupid and lazy and don’t have the time and what do I know).

Ever heard of a side hustle? Also I was using that as an example.

Pardon my language, but that’s a retarded thing to say.

A little late, but I finally figured out enough git to push this to, in this case, my GitLab repository: