
Hands-on descriptions of implementing IPv6, DNSSEC, HTTPS and other goodies on your Web server


Reproduced with permission from the original joint blog posting by Dan Mygind and Karima Saimi at https://writeit.dk/?p=823, as part of their deliverables for the course “Open Standards Everywhere”. The other deliverable is for the Internet Society UK Chapter Web site to benefit from an increase in security score as shown below. This has been undertaken

The Internet Society has worked since 1992 to “promote the open development, evolution and use of the Internet for the benefit of all people throughout the world”, as it says in its mission.

As part of this mission, the Internet Society promotes modern, secure and open internet standards; in recent years these have been standards such as IPv6, DNSSEC and HTTPS.

In 2020, they decided to provide training for their different chapters’ members in order to raise awareness of these standards and spread the knowledge among the internet community.

I was so lucky to be selected together with Karima Saini for training as members of the Internet Society’s UK chapter, and on May the 8th we participated in an online course conducted by Dan York, Director for web strategy and project leader for Open Standards Everywhere.

As part of the Internet Society’s adherence to openness, you can see the course here. (It is also available in Spanish and French).

Documentation for upgrading web servers
Dan and his colleagues at the non-profit organisation have done a great job of helping as many people as possible start upgrading personal, organisational and company web servers to modern and safe standards.

Jump over to GitHub and read the extensive documentation. You don’t have to read it all; you can focus on the documentation for the web server(s) you are using in your organisation. There are descriptions for Apache and Nginx web servers, both with and without a Content Delivery Network (CDN).

Four reference servers
There are even four reference servers: an Apache web server, an Apache web server with CDN, an Nginx web server and an Nginx web server with CDN.

Where to start?
You can get an idea of the current state of your website with regard to the recommended internet standards. The Dutch site internet.nl has a comprehensive test of your web server’s setup for IPv6, signed domain names (DNSSEC), secure connection (HTTPS) and different security options.
You simply enter the name of your domain and you will get a percentage score for your web server. The closer to 100% the better. Don’t be too worried if your web server is far from 100%. Many are. The good news is that you also get a comprehensive report telling you in which areas your website is lacking. Combined with the GitHub documentation from the Internet Society, you can start to plan the necessary upgrades to your web servers.
internet.nl does not test for HTTP/2, but for that you can use http2.pro to test your site.

IPv6 should be supported by hosting providers, but isn’t always
When planning upgrades to the UK server, it quickly became apparent that real life is always a bit messier than a course environment.
Firstly, the UK chapter server is running on a server with other services and sites, so the changes had to be applied by a system administrator, and some of them had to be coordinated with the other sites and services, which limited the changes we could make. The system administrator, Christian de Larrinaga, was very helpful in doing the assessment and carrying out the necessary changes that could be applied without disrupting other services and sites.
Secondly, some of the necessary changes were out of even Christian de Larrinaga’s hands. For example, the chapter’s website was not deemed IPv6-ready even though the web server has an IPv6 address: because the name servers do not have IPv6 addresses, the overall assessment was affected.

The name servers are hosted by OpenSRS and Christian de Larrinaga is in dialogue with OpenSRS, trying to persuade them to upgrade their name servers to IPv6. Many of the other chapters have experienced similar challenges with providers who are not ready for IPv6.
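
The IPv6 gap described above, as an added example that is not part of the original post: a Python check that reads DNS answers in `dig +noall +answer` format and lists the name servers that have no AAAA record. The zone, host names and addresses are constructed placeholders, and counting a domain as ready only when the web host and every name server have IPv6 is a simplifying assumption, not internet.nl's scoring rule.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in `dig +noall +answer` format. All names and addresses
# are documentation placeholders, not the chapter's real DNS records.
SAMPLE_ANSWERS = """\
example.org.           3600 IN NS   ns1.dns-host.example.
example.org.           3600 IN NS   ns2.dns-host.example.
www.example.org.       300  IN A    192.0.2.10
www.example.org.       300  IN AAAA 2001:db8::10
ns1.dns-host.example.  3600 IN A    198.51.100.1
ns2.dns-host.example.  3600 IN A    198.51.100.2
"""

def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def parse_answers(text):
    """Return {owner: {rtype: [rdata, ...]}} from dig answer lines."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines, comments and truncated records
        name, rtype, rdata = fields[0], fields[3], fields[4]
        records[normalise(name)][rtype.upper()].append(rdata)
    return records

def has_ipv6(records, host):
    """True if host has at least one syntactically valid AAAA record."""
    for rdata in records.get(normalise(host), {}).get("AAAA", []):
        try:
            if ipaddress.ip_address(rdata).version == 6:
                return True
        except ValueError:
            continue  # malformed address: treat as absent
    return False

def ipv6_report(text, zone, web_host):
    """Summarise IPv6 coverage for the web host and the zone's name servers."""
    records = parse_answers(text)
    ns_names = [normalise(n) for n in records.get(normalise(zone), {}).get("NS", [])]
    missing = [ns for ns in ns_names if not has_ipv6(records, ns)]
    web_ok = has_ipv6(records, web_host)
    return {"web_host_ipv6": web_ok, "name_servers_without_ipv6": missing,
            "ready": web_ok and bool(ns_names) and not missing}

if __name__ == "__main__":
    print(ipv6_report(SAMPLE_ANSWERS, "example.org", "www.example.org"))
```

On the sample data the web host passes while both name servers are reported as missing IPv6, which is the situation the chapter ran into.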

Didn’t make it to Hall of Fame
We didn’t make it to the Hall of Fame for websites with a 100% test score on internet.nl, but did manage to improve the UK chapter’s score from 50% to 55%. So there’s still room for improvement. As there is for this website …