Revamped Boyet – redux

In less than a week, after almost ten years (!), the GoDaddy hosting plan I had for this site will expire. Transferring it and all its existing content to Microsoft Azure (and securing it along the way) has been a journey and a half, let me tell you, and over the past month or so – you may have noticed when stuff didn’t work – I’ve been finalizing all the tweaks I had to do. For future reference, here in no particular order were some of the last minute fine-tuning I had to do.

Quick recap

Some of the relevant posts along the way:

• Making an Azure static website secure
• Making an Azure static website EVEN MORE secure
• Content Security Policy is hard, and then there’s Pinterest and AddThis
• Securing boyet.com, part 1: static sites
• GoDaddy shared Windows hosting compromised
• Securing boyet.com, part 2: secondboyet
• Securing boyet.com, part N: DONE!
• Case-sensitive website on AWS

Fixing the Content Security Policy

I alluded to this in that blog post about Pinterest and AddThis, but finally fixed it properly. Instead of working out all of the various URLs that a page may go to to download some script or images or whatever, just use a generic https: keyword.

  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="CSP">
          <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
          <action type="Rewrite" value="
            default-src 'self' https:;
            script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; 
            img-src 'self' https: data:; 
            style-src 'self' https: 'unsafe-inline'; 
            font-src 'self' https:;" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>

Much easier to understand.

unsafe-eval???

OK, OK, OK, I have to add that the unsafe-eval you see there is not going to last long: the admin backend for GraffitiCMS (which is the blogging engine I still use for this site and a couple of others) needs it – yeah, barf! – but I’m slowly rewriting the admin site using DevExpress ASP.NET controls. (It took me a while to work out why the backend for boyet.com was working just fine, but that for 64SAINT.com wasn’t – I thought it was the admin code, but no, it turned out to be this unsafe-eval thing. The programmer’s life, eh? Sigh.)

Doing some proper redirection

Quick bit of background here: on GoDaddy, the blog post URLs for this site were of the form http://blog.boyet.com/blog/blog/foo/bar. Too long to explain why, that triple-repeated blog has annoyed me for years, but with the migration they were going to be changed to https://boyet.com/blog/foo/bar. For some reason, I originally had two rewrite rules: one to remove the blog subdomain, and one to remove the first blog folder name (see that Pinterest post for an example of this with 64SAINT.com). And then came the head-desk moment when I realized I could rewrite them as one:

  <rule name="Remove the old blog prefix and folder in one go">
    <match url="^blog/(files|blog|archive|volvo1800s|javascriptlessons|[..etc..])/(.*)" ignoreCase="true" />
    <action type="Redirect" url="https://boyet.com/{R:1}/{R:2}" redirectType="Permanent" />
    <conditions>
      <add input="{HTTP_HOST}" pattern="^blog\.boyet\.com$" />
    </conditions>
  </rule>

Three cheers for regex. Gone were the entries from the 404-redirection log I have where the server was applying the “remove subdomain” rule but not the next “remove folder name” rule. Yay.

Fixing Amazon image references

A long while back I used to add a “Now Playing” block to the end of blog posts (see this post for an example). I wrote a little helper extension for Windows Live Writer that would interrogate iTunes to find out what I was listening to, and then go online to request a link to the album from Amazon, along with an image of the album, and inject the lot into the post. That Amazon-request bit was linked to my Amazon seller id, so that, in theory, if someone clicked on the “Now Playing” album image and bought the album, I’d get 2 cents. Well, I made so little money from this (if any, to be honest), Amazon finally cancelled my seller id. Oh well, never mind.

However, those album images all came from an Amazon site called http://ecx.images-amazon.com. It turns out that that site is http only, not https. Since boyet.com was now secure, it was causing an error and the image was not being retrieved or displayed. I finally found out that Amazon have a secure site that serves up these album images: https://images-na.ssl-images-amazon.com. All I had to do was run a quick SQL command on my Posts table to make the replacement. Now you know.

Pro Font Awesome

So, because I joined the Kickstarter for making version 5.0 of Font Awesome at the $50 level, I got the Pro version. Brilliant! And the mug, of course.

The FontAwesome mug

So, as part of this move to Azure I decided I should update my sites from version 3.5 to use this Pro version instead. Updated everything as they recommended, but, my oh my, their CDN can be s-l-o-w sometimes. I eventually switched to self-hosting instead, and my sites are now much faster. Just a thought, if you also have purchased Pro Font Awesome.

  Loading links to posts on similar topics...