Saturday 4 May 2019

AWS - S3 + CloudFront + AWS Certificate Manager = http + https site (or redirect)

To host a static page in an S3 bucket with https you need to use 'Certificate Manager' in the N.Virginia zone or the certs it makes will not be detected/usable in cloudfront

While the certs are being generated/validated, pop over to the 'S3 Management Console' and make a bucket that has the same name as the domain you want to host the site/redirect on. Once the bucket generates go to the properties tab of the bucket and click on the tile labeled 'Static Web Hosting' and enable it by filling out the requested info and clicking save.

Once you have the bucket ready and the certs have been generated/validated, you can then go to the 'CloudFront Management' page. From here click 'create distribution' and then the 'get started' button on the 'web' section.
Select your S3 bucket in the 'Origin Domain Name' box, then select restrict bucket access and then create new identity and name the id as you see fit.
Select 'Yes, Update Bucket Policy', to get the config wizard to sort the needed access to the bucket.
Set Viewer Protocol Policy to 'Redirect HTTP to HTTPS'.
Set Alternate Domain Names (CNAMEs) to match your domain.
Set SSL cert to custom and select your cert generated/issued by Certificate Manager

Ensure 'Custom SSL Client Support' is not set to Legacy Clients Support ..... unless you want a $600/month extra charge on your bill

Set Security Policy to TLSv1.2_2018
click create distribution and then wait for the page to say it is in 'deployed' state

Note: if your pages are not loading or you get a error along the lines of
<Message>Access Denied</Message>
Its most likely that your S3 buckets are not correctly linked up, to check this get the S3 bucket URL from the 'Static website hosting' section of your bucket's properties page and compare it to what is set in the 'CloudFront Management' page for the distribution you created.

Saturday 27 April 2019

Plex Remote access - Why do you say disabled = error

So this has been bugging me for some time now, but for some reason Plex considers 'Remote Access' being disabled as an error and 'decorates' the remote access menu entry in the settings menu with a red exclamation point eg.

Now, I could understand it showing an error flag there if it was enabled and not able to contacted by the Plex cloud connection test servers, but come on showing it as an error coss its turned off that's just plain wrong

I have searched all over the place to find an article on how to stop this behavior, but all I could find were people having issues with
A> trying to turn on remote access
B> people trying to turn off remote access

So I decided to look into the matter myself, and finally found the file responsible for the colour of the icon, this is at a path like this  ' /usr/local/share/plexmediaserver-plexpass/Resources/Plug-ins-4610c6e8d/WebClient.bundle/Contents/Resources/chunk-2-4a32fe3f94e5216b5ceb-plex-3.95.2-25e2ffd.css '
now this file is compacted, which makes it a pain to read through but using search you can find the icon's html ids in the file, they all begin with 'RemoteAccessStateIcon-' and are all clustered together one after the other in the file

So the 'fix' is to make all the icons 100% transparent by setting their hex codes to ' #00000000 ', thus rendering them invisible on the page

Note 1. If you apply this fix you will have to re-apply it every time you update Plex ... and the path will change, but it should be of the same form.

Note 2. I did also find the .js file responsible for putting the icons there in the first place, but all my attempts at editing that resulted in the webpage not loading, for reference that file is at the path
and again this file has had all the newlines etc stripped out of it, making it hard to understand

Tuesday 3 July 2018

Updated : Proxmox pve 5.2-5 (and Proxmox 6.x) disable subscription nag

In Proxmox pve 5.2-5 (and Proxmox 6.x) the location of the file that renders the subscription notification has changed.

It is now '/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js'

To disable the message locate the line

" if (data.status !== 'Active') { "

 and comment it out, then add the line

"  if (false) { "

 directly below the one you just commented out.

The section will look like this 

var data =;
               //if (data.status !== 'Active') {
               if (false) {
                       title: gettext('No valid subscription'),

This will not magically give you a full subscription, but it will stop the message popping up

Sunday 22 April 2018

Samsung Android 8.0, How to disable Bixby

Finally after having to use 3rd party apps to suppress Bixby for many many months, I have found a way of disabling it which :-

A > does not need a Samsung account
B > does works even on the latest update (as of 22/4/2018)
C > persists across reboots
D > does not require a 3rd party app
E > does not need root access

the process is as follows,

1> connect to the device over adb from your computer (note you need adb tools for this

2> access the device shell (adb shell)

3> disable the apps with the following commands
      pm disable-user
      pm disable-user
      pm disable-user
      pm disable-user
      pm disable-user
      pm disable-user
      pm disable-user

Bixby should no longer open when pressing the button on the side of the phone

Wednesday 5 July 2017

Windows server 2008 R2 and OSCP

So I was working on cleaning up some CAs and subCAs recently and came across this interesting bit of info.
An Online Responder can be installed on any computer running Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter
so whilst a CA won't stop you / warn you about enabling OSCP links in the AIA section, it will only work if the specified http:// link defined in the AIA section is hosted on a ENT or DC version of server 2008 R2, and if you enable OSCP via the link then various systems will take that as preferred then fail if the responder service is not running.


Saturday 3 June 2017

UniFi / Ubiquiti Networks - How to set managment VLAN for switch

Ever wondered how to configure a UniFi switch to use a different VLAN (1 is the default) for its management interface ?

Well today I ran into that exact problem, the existent management VLAN was 16 so obviously having the switch's management interface on VLAN 1 was no good.

After a fair bit of searching google and the Ubiquiti Networks forums I was beginning to lose hope! , it seemed no one knew how to change it, there was even a feature request post asking for the very feature I was now in need of.

However I persevered and dug through both the CLI of the switch and the cloud key management controller interface until ....... I found the needed option, tucked away under the services heading of the configuration tab of the switch.

so here is an image of it 

I hope this helps some of you out in the future.

Wednesday 8 February 2017

Remote reboot over IPC

Rebooting remote systems can normally be done using ' shutdown /i ' however this runs in your locally logged in user context.

So what if you want to use a username and password that is not understood by your local system. I came across that issue today and the solution is quite simple ... but you have to know it can be done.

first establish a IPC connection to the target system

NET USE \\<TargetSystemIP/Name>\IPC$ <UserPassword> /USER:<Domain>\<UserName>

then issue the reboot command via that

shutdown /r /t 3 /c " <comment for reboot> " /m \\<TargetSystemIP/Name>

wait a moment and the target system will reboot