Mostly about my amusement

Author: Jan Dembowski (page 18 of 96)

Tabs and spaces

Self? Remember this:

tr 't' ' ' | sed -e 's/  */ /gp'

You’ll need it later.

At work I use bash, sed, [e]grep, cut, tr, and occasionally awk if I can’t get out what I need from the others. These aren’t used as scripts per se, just some tools I use to massage data.

Need that formatted, irregular, multi-line text file broken up and ripped into another format for processing? Sure, not a problem. Most people would (correctly) use PERL but I never got into it that much. I hardly ever get the same situation twice and deal with new data all the time.

But I do need to remove tabs and multiple spaces almost every time. While I always remember the tr part, I always need to rethink the sed regular expression. So here I am, writing a post to myself to keep it in my mind.

OK then, I can use Google+ now

That was quick. I’m now able to turn on Google+ on my Google App domain. If your Google Apps then try logging into your “Manage this domain” link, select “Organization & Users”, then Services. If the option is available you will be able to scroll down, find it, and turn it on. It’s that simple.

There caveats is that this looks like a work in progress. I’m not able to get Google+ working via my Android phone or either my wife’s iPhone or iPad. But the web page works fine and I’m able to login using my Google Apps account.

Now does anyone know how to get all their FaceBook friends to migrate to Google Plus? That’ll be a fun social engieering effort.

SNI on CentOS 5.6[7] with mod_gnutls

Edit: Geez. Since I set up this post, I noticed that the compaq8000.conf example was missing small bits like oh, the mod_gnutls parts. This update now contains the missing portion.

I’d read Ipstenu’s blog post “Request: Multiple Domains, One IP SSL Certificates” and thought that that shouldn’t be too hard. Simply put, this is a request for the configuration of an Apache web server to be able to distinguish between requested SSL sites but with only one IP address being used.

Virtual hosts on Apache is a real resource saver. With just one server you can have as many different websites and on this server I have at least 4 running. But in order to get it working Apache must support Server Name Indication. You can read up on SNI at Wikipedia for more details.

I use Ubuntu LTS because it’s got long term support and has features that I like. But I had previously been a RedHat user from RedHat 4.0 and on. Using RPM I would roll my own packages for work and hobby. How hard can it be to setup CentOS 5.6 on one of my spare PCs?

It turned out that that was sort of true for me and after some trial and error I got it working with gnutls. I’ve been using Ubuntu LTS for so long that my RHEL (CentOS) experience is dated. I was able to get multiple SSL based virtual hosts working on a CentOS 5.6 but that involved unwittingly updating to CentOS 5.7 without realizing it, and I also had to enable the CentOS testing repo.

Installing CentOS and add the testing repo

First get CentOS 5.6 installed. I have an old Compaq Presario 8000 in the basement for playing around so I torrented the CentOS 5.6 DVD and did a plain server install.

Once installed, I ran the following commands to bring the fresh installation up to speed.

yum update
chkconfig --add httpd
chkconfig --del iptables
reboot

That upgraded about 120 RPMs and took longer than the initial install but I was updated unknowingly to CentOS 5.7! The next 2 commands added Apache2 to be started up automatically and shut off iptables. I didn’t want to play with firewall rules and I set SELINUX=disabled in /etc/sysconfig/selinux.

My basement server is 192.168.1.9 and I put in 2 names into my internal DNS server jan-basement and compaq8000. I created two new self-signed certificates for those two names and put the new files into the /etc/pki/tls/certs and /etc/pki/tls/private directories.

I could have rolled my own mod_gnutls RPM but I prefer to use packages created by CentOS. To do that I had to edit the /etc/yum.repos.d/CentOS-Testing.repo file and change enable=0 to enable=1.

[ c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
# CentOS-Testing:
# !!!! CAUTION !!!!
# This repository is a proving grounds for packages on their way to CentOSPlus and CentOS Extras.
# They may or may not replace core CentOS packages, and are not guaranteed to function properly.
# These packages build and install, but are waiting for feedback from testers as to
# functionality and stability. Packages in this repository will come and go during the
# development period, so it should not be left enabled or used on production systems without due
# consideration.

See that caution? That’s the part that worries me because the c5-testing repo is where I found the mod_gnutls RPM. I believe using that RPM should be fine but check with CentOS support forums.

Install the mod_gnutls RPM and create configs

Once you enable that repo, perform the following commands as root:

# Install the mod_gnutls RPM via yum
yum install mod_gnutls
# Create the sym-link for the module
ln -s /usr/lib/httpd/modules/libmod_gnutls.so /etc/httpd/modules/mod_gnutls.so
# Rename the ssl.conf to ssl.conf-old. This will disable mod_ssl from loading.
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf-old

Next up, create the configuration files and directories for your vhosts. I like to place my vhosts into /var/www/vhosts.

mkdir -p /var/www/vhosts/jan-basement
mkdir /var/www/vhosts/compaq8000

Create a conf file for each vhost and put these lines into them:

<VirtualHost 192.168.1.9:80>

        ServerName compaq8000
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/vhosts/compaq8000/
        <Directory />
                Options FollowSymLinks -Indexes
                AllowOverride All
        </Directory>

        ErrorLog /var/log/httpd/compaq8000-error.log

        LogLevel warn

        CustomLog /var/log/httpd/compaq8000-access.log combined
        ServerSignature On

</VirtualHost>

<VirtualHost 192.168.1.9:443>
	GnuTLSEnable on
	GnuTLSCertificateFile /etc/pki/tls/certs/compaq8000.crt
	GnuTLSKeyFile /etc/pki/tls/private/compaq8000.key

        ServerName compaq8000:443
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/vhosts/compaq8000/
        <Directory />
                Options FollowSymLinks -Indexes
                AllowOverride All
        </Directory>

        ErrorLog /var/log/httpd/compaq8000-ssl_error.log

        LogLevel warn

        CustomLog /var/log/httpd/compaq8000-ssl_access.log combined
        ServerSignature On

</VirtualHost>

I repeated the same with the other vhost but replaced the compaq8000 with jan-basement.

The RPM puts /etc/httpd/conf.d/mod_gnutls.conf with all the lines commented out. Rather than play with that file, I just created a small new file /etc/httpd/conf.d/fix-up.conf with these lines in it.

ServerName jan-basement
NameVirtualHost 192.168.1.9:80
NameVirtualHost 192.168.1.9:443
LoadModule gnutls_module modules/mod_gnutls.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
Listen 443

You can probably leave out the ServerName and the NameVirtualHost on port 80. My home DNS is not a robust as it could be…

Now re-start httpd with a simple “service httpd restart”. If all goes well, and your DNS is setup correctly, then you should now have two virtual hosts that serve out the correct different SSL certs for each one,

You couldn’t get it working with mod_ssl?

I couldn’t get it working reliably. With initial installation of CentOS I was able to get Apache2 to reply back with the correct SSL certs. But after I tore it all down and re-did it again, I got inconsistent results. On my Ubuntu LTS servers (which this blog runs on) I had a similar issue and I think that’s why I use mod_gnutls today. It works reliably and I’ve had no issues with multiple SSL certificates on one IP address.

Caveats

This worked out on my unused basement server but there are several concerns I have.

1. CentOS 5.6 updates to 5.7 (final) when I did yum update

That was a shock to me. I get that CentOS wants to keep things current but I had thought that I would be updating within the 5.6 branch. On my PC going to 5.6 may not be a big deal but if you run a VPS make sure you can restore you backup and check with your host provider. It should be fine but gotchas on production servers is a huge no-no.

2. Adding the CentOS Testing repository

The nice thing about using pre-made packages is that you don’t personally have to maintain them. If Apache2 gets an update will this RPM work continue to work? It depends on how the module is compiled. It might be safer to find a good mod_gnutls SRPM and keep that ready to be built a a just in case.

3. Backups are your friend

CentOS stores it’s Apache2 configs in /etc/httpd and before anyone tries this at a minimum they should keep fresh copies of that directory somewhere safe.

That seemed like a lot of work for your curiosity

Nah! While solving problems like this is part of my day to day work routine, this has always been my hobby. Some people work in their wood shop, I work on my software  configs and these sorts of problems are fun. And now I’m more up to date with CentOS as a result.

Doing this with Ubuntu LTS is much easier because the software is supported right out of the box. SNI on Ubuntu is just a matter of configuration and all the necessary software is part of the distribution. But if you are going to use CentOS and want SNI to work, then this could work out for you.

I want to use Google+ but can’t justify doing so

Like many people in my age group *cough* 40+ *COUGH!!* I rely on social websites such as Facebook and Twitter. Facebook lets me maintain a way to keep in touch with friends that I’ve not seen in years and Twitter permits me to follow the daily minutia of some really interesting people.

For me it’s a social phenomenon and totally kills the art of writing letters to friends. We’re all addicted to it on one form of another and technology has improved where our smart phones provides us easy two way access to this data.

I am a confirmed fan of Google. I want them to be successful and like that they try to compete in so many technological arenas. I migrated my email system to Google Apps because it provides such an easy way to manage my users. And I don’t have to stay up nights adapting strategies for combating SPAM.

All that said, I have no use for Google+. I’m a Google Apps user and have successfully migrated my Google access to the apps platform using my domain name. Google+ doesn’t permit that yet so I can either use a different account or pass on Google+.

I went through the exercise of using my apps account for all Google access. My Android phone is setup for it, my email, search history, Google Chrome, etc. In order to use the new social site I use another browser such as Internet Explorer. That’s not too cumbersome but someday they’ll sort out the access for people like me. I don’t want to maintain both accounts so here I am.

When Google+ supports app users, I’ll give it a serious look. But for now I’ll stick with Facebook.

See? Life does imitate art

I’m playing with the basement wireless AP when I saw this popup on Twitter.

https://twitter.com/#!/gothamist/status/123033078770835457

Which of course made me think about Support Your Local Sheriff.

Pa Danby: If that gun had gone off, it’d of blowed right up in my face.
Jason McCullough: Now it wouldn’t have done my finger a hell of a lot of good either, would it? What can I do for you, Mr. Danby?

Officer William Reddin blocked the hammer with his finger (good thing too!) and I am sure the real life situation was more intense than James Garner’s version, but still I got a giggle out of the headline.

We are your typical American consumers

Sometimes you plan on buying one thing and end up getting something slightly different.

As part of my job responsibility, I provide support after hours. It’s not something that happens frequently because the first and second level support is really good. If a problem is escalated to me during my personal time, I don’t question it because I am treated as a last resort.

Last month I had a problem that started at Sunday 5 PM-ish and lasted till just after midnight. My home office line is a pair of cordless phones with old batteries and they kept dying on me. The rotten phones only had speakerphone on the handsets and not on the base station!

That was last month. This past week Lily had all day meetings and was working from home. The same thing happened to her so today we got a replacement at Costco.

Her: That model has a base speakerphone and a total of 4 cordless phones.

Me: Yes, that’s true, but we’re looking for just one cordless phone and speakerphone base station.

Her: It’s $65.

Me: Yes, but it’s got three more phones. What are we going to do with the other three?

Her: It’s $65. On sale. Best Buy’s would probably be more expensive and this one is normally $80.

So we got this unit. it’s a discontinued AT&T phone but it works well. I’ve put the three spares in the kids bed rooms and the guest room. I haven’t said a word to the kids, I wonder how long it will be before they notice?

It’s a neat phone. I kept getting “Messages available” even though there was none on the base station. It was from Vonage; the phone got the message notification that I had messages and was letting me know. Cool! The old ones never did that.

10th anniversary of 9/11

It’s Sunday morning on the 10th anniversary. A few days ago while watching the coverage my son asked me if I “recovered from that day”. He’s 9 years old and wasn’t born until December 2001. That’s an odd question for me. I had nothing to recover from. I’ve never suffered from anxiety and as far I am aware, I did not really know the people who were murdered.

It’s an event that can’t be dealt with rationally so it has to be put aside. Each life is unique and precious and losing one is an unthinkable tragedy. Try to put 2,977 lives in your head and visualize them, see all the other lives they touched and the bright futures extinguished.

I can’t do it so I put it aside.

I don’t think that the country hasn’t recovered yet and I don’t believe the politicians will ever let us do so. There is just too much political gain for playing the “Terrorist” card.

The Smithsonian Channel had on a special last night and this included interviews with Cheney and Richard Clarke. From a historical perspective that’s 100% spot on. They were there, they made critical decisions before and after. It was a good contrast, Clarke was knowledgeable and an authority and Cheney was, well Dick Cheney.

What I found appalling was that Cheney even today still maintains that endless war was the way to go. We may still be a super power but there is only so much blood and money you can spend on war. A mistake was made and we ended up in Iraq.

We should have spent treasure taking out the actual murders but hey, that would interfere with Cheney’s idea of militarizing the world.

Have I mentioned it’s Sunday? I’m taking the kids to mass for the 8 AM and will say an additional prayer for the dead.

The Gakkenflex is a cool kit camera

My son received a camera from his uncle, a cool Fuji STX-2 SLR with a 50mm lens. The girl wanted to have a camera too. So rather than get another film camera from eBay, I went to Makershed and ordered a Gakkenflex kit.

I mean, fair is fair right?

This is a TLR camera meaning it has two lenses. The top one is a viewfinder and the two lenses focus together. The kit took less than an hour to assemble and the results have been fun. If you’ve ever assembled a Gundam MG kit then you will have no problems with the instructions or the assembly. Just in case Makershed provides a link to the English PDF version of the instructions.

This camera takes 35mm film and I’ve already shot 2 rolls of 200 Fuji SO film. It’s light and small but not too much so. It’s not tough, my girl already cracked the viewfinder gear when she had a er, disagreement with her brother.

I’m still getting the girl to take photos but she’s learning and having fun. Someday I may get a real TLR with 120 film, but for now this will work nicely.

I must be on a Jon Stewart roll

Okay, if you follow Fox news and you buy into the whole “class warfare” nonsense, then you too are an imbecile. You can still watch Fox news (no idea why myself) but don’t buy the spin.

When Warren Buffet talks about closing loop holes, people should understand that he know’s what he’s talking about. He should be the sort of person Fox would listen to: self-made and wealthy. He’s a smart and very successful. So now he’s a socialist…? How did they form that conclusion?

Read up on it over at the Atlantic Wire. Naturally they have videos and those are worth watching. It’s fun to note that you can’t even talk about raising taxes with some people but they have no problem raising taxes on everyone else.