And the next time you make a change you only have to do
git ftp push
When you get errors like these:
zo 19 dec 2021 23:11:50 CET: Retrieving last commit from sftp://******:***@s*******/public/sites/*********/.
* Trying *********:22...
* Connected to ******* (********) port 22 (#0)
* Found host ******** in /home/******/.ssh/known_hosts
* Set "ecdsa-sha2-nistp256" as SSH hostkey type
* Closing connection 0
curl: (79) Error in the SSH layer
zo 19 dec 2021 23:11:50 CET: fatal: Could not get last commit. Use 'git ftp init' for the initial push. Can't access remote 'sftp://******:***@********'. Network down? Wrong URL? exiting..
I had to check my DHCP configuration for a Dell Wyse Thin Client. But when you configure specific options like 161 and 162 you don’t see those options in a Wireshark capture during a Windows DHCP request.
For me, this was a pain in the ass for a long time. When I connect to a Windows server through RDP/RDS it sometimes takes more than 2 minutes to connect to a server. Today after some waiting, and waiting and some more waiting I did a deep dive with Wireshark to figure out why it was so slow.
Azure domain joined Windows 10 device (Laptop)
Connection over a Cisco Anyconnect VPN
Remote Desktop Manager (Devolutions)
Native RDP client
Remote VS local
I know for sure the issue should be in my setup, because when I first connect to a jump host (RDP) and then connect to other domain-joined servers, everything connects almost immediately after I put in my user credentials.
What to do (TL;DR)
There are four things you have to modify to speed up the initial remote desktop connection:
Disable SSL / TLS1.0
Disable NetBIOS on the VPN network adapter
Disable automatic proxy settings in Windows
Change the credential to domain.local\admin or [email protected] instead of domain\admin
Disable SSL / TLS1.0
No, you don’t have to negotiate which protocol to use to connect to a server. Use TLS1.2 or I don’t want to connect with you 😉 So:
Start > Run > Regedit
Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
If the TLS 1.0 and Client keys don’t exist, create them
Create a DWORD (32-bit) value with the name Enabled
Value data: 0 (Hex)
Restart the client
Disable NetBIOS on the VPN adapter
What I was seeing in my Wireshark capture is that RDP was trying to broadcast to get information over NetBIOS. You have a DNS server so you don’t need a legacy broadcast protocol! Unfortunately, I don’t have any screenshot of the capture but you can always check yourself 😉
Change the VPN Adapter and reboot the computer:
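The TLS 1.0 registry change and the NetBIOS change from the two sections above can be applied from an elevated PowerShell session. This script is an added example, not part of the original post; the '*AnyConnect*' adapter description pattern is an assumption and must be adjusted to your own VPN adapter.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.

# 1. Disable TLS 1.0 for the Schannel client (same key and value as in the steps above).
$tls10Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
if (-not (Test-Path -Path $tls10Client)) {
    # -Force also creates the missing "TLS 1.0" parent key.
    New-Item -Path $tls10Client -Force | Out-Null
}
New-ItemProperty -Path $tls10Client -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# Read the value back so a mistake in the path does not go unnoticed.
$enabled = (Get-ItemProperty -Path $tls10Client -Name 'Enabled').Enabled
if ($enabled -ne 0) { throw "TLS 1.0 client is still enabled (Enabled = $enabled)" }

# 2. Disable NetBIOS over TCP/IP on the VPN adapter.
# ASSUMPTION: the adapter description contains "AnyConnect" and the VPN is
# connected, so the adapter has TCP/IP enabled when the method is called.
$vpnPattern = '*AnyConnect*'
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.Description -like $vpnPattern }
if (-not $adapters) { Write-Warning "No adapter matches '$vpnPattern'; NetBIOS left unchanged." }

foreach ($adapter in $adapters) {
    # TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled
    $result = $adapter | Invoke-CimMethod -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    # ReturnValue 0 = success, 1 = success but a reboot is required
    if ($result.ReturnValue -notin 0, 1) {
        Write-Warning "$($adapter.Description): SetTcpipNetbios returned $($result.ReturnValue)"
    } else {
        Write-Output "$($adapter.Description): NetBIOS over TCP/IP disabled"
    }
}
Write-Output 'Reboot the client to apply both changes.'
```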
Disable the proxy
After you connect to a server with RDP and enter the credentials, Windows constantly tries to reach WPAD.domain.local to autoconfigure itself. WPAD stands for Web Proxy Auto-Discovery and I think you never want to autoconfigure a MITM ehh proxy device. You always want to have full control of your device. So, disable this to speed up the connection and make your device more secure.
Go to settings
Search for proxy
Switch the Automatically detect settings to Off
Change the login name
I found out that this is the most annoying and time-consuming one. I always use DOMAIN\User when I connect to a server. But this is what happens:
Kerberos is doing a DNS query on _kerberos._tcp.dc._msdcs.domain.domain.tld and of course it will never find that double-domain A record. But if you change the logon name to domain.tld\admin or [email protected], Kerberos will find the A record and connect immediately 🙂
And even now it’s possible to tune the Kerberos authentication further and fix the last KRB5KDC_ERR_PREAUTH_REQUIRED error you can see in the screenshot. Maybe next time but for now I’m happy with the initial connection speed 🙂
It can be fun to reverse engineer some Android applications. I think it’s better to do this on your workstation instead of your phone because it’s way more flexible and you don’t ruin your phone when you break things 😉
In my case, I use Debian 11. But of course, you can do this with any OS.
An app you want to debug
OWASP ZAP Proxy
APK Export (Android App)
OWASP ZAP Proxy
I use the snap package for ZAP because it’s easy to install and you always have the latest version.
$ sudo snap install zaproxy --classic
Start ZAP and export the dynamic certificate (tools > options)
Click on the save button and place the file somewhere on your disk.
My web hosting company doesn’t support subdomain SSL certificates. And because Google’s Chrome will require HTTPS on all websites in July (otherwise you get an error that your website isn’t safe), I had a deadline to make my blog HTTPS. Cloudflare is a nice reverse proxy solution and the basic plan is also free to use.
So what I did was create a Cloudflare account and put my website behind it. After I did that I forced HTTPS and voila, my website was HTTPS. These are the steps you must take.
Note: this trick will also work if you want to use Cloudflare as a reverse proxy to prevent DDoS, to optimize your site security, hide your hosting party backend and make your website a lot faster. If you use a Raspberry Pi at your home location, for example, you can put Cloudflare between the visitor and your home IP and save yourself a lot of trouble.
If you use the Wordfence plugin, also be sure your PHP version is higher than 5.6. Otherwise you get some errors and conflicts (more info)
Go to Cloudflare and create an account
Configure your DNS
(Temporarily) disable DNSSEC at your domain if it is enabled (Cloudflare cannot successfully transfer your DNS otherwise). For this I had to create a ticket with my domain registration company
Cloudflare gives you 2 new name servers. Ask your domain registry company to change these DNS name servers if you can change it by yourself
After a successful DNS name server change, Cloudflare shows in the portal that everything is ok:
Optimize Cloudflare for WordPress in the Cloudflare WordPress plugin and enable HTTPS rewrites
Now edit your URL under Settings > General in WordPress
And finally go to Cloudflare and enable Always Use HTTPS under Crypto
Now everything is done and your website is fully HTTPS at the frontend (with automatic HTTP > HTTPS URL rewrites). Because my backend doesn’t have an SSL certificate, all the data between Cloudflare and my hosting company is still unencrypted. So this is a nasty workaround, but you won’t have any Chrome HTTPS problems in the near future.