Category Archives: Apache 2.2 Linux

Compile freetds 1.00 on EL6

Just a note to myself, maybe you will find this useful as well.

In order to compile freetds-1.00 you need to have the GCC, unixODBC and unixODBC-devel packages installed.

Next, download and untar the freetds package:
wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-1.00.tar.gz

For some reason the 'ODBC_INC' variable isn't set properly in the configure script. This leads to an 'sql.h not found' message when the --with-unixodbc switch is used. The fix for this is:

Locate the sql.h file on your system:
find / -iname sql.h -print

Edit the freetds ./configure script and add the variable. The given example is specific to my system; make sure you alter it accordingly.
ODBC_INC="/usr/include"

Next, run configure:
./configure --with-tdsver=7.0 --with-unixodbc=/usr/local --includedir=/usr/include

Then build and install, running in sequence:
make
make install
make clean


Howto: change the notification subject and allow KB images in GLPI version 0.90.3

For version 1.9.2 review: https://sysengineers.wordpress.com/2017/06/27/glpi-9-1-2-fix-inline-images-kb/


GLPI released their new version 0.90.3.
With each new release, two questions keep coming up. These questions are:

  1. How can we change the default notification prefix [GLPI ] in the email subject?
  2. How do we enable images in the KB articles?

In this article you can read my personal opinion on the matter and how to change this GLPI behavior.

Why do you want to change the GLPI notification prefix?

The most obvious reason is to allow your customers to quickly identify your company's tickets. The rule of thumb in modern system view design is to enable users to quickly 'scan, select, act'. Changing the subject to something intuitive enables your customers to do so.

Another point of interest is the possibility to daisy-chain multiple installations of GLPI. By configuring the notification subjects and schemes correctly, you can daisy-chain multiple installations, allowing cross-organization enterprise environments to be set up. This is impossible when all installations identify themselves as 'GLPI [key]'.

How to alter the code to support your custom prefix in GLPI 0.90

In order to alter the subject prefix in GLPI 0.90, first configure your prefix under Administration > Entities > [your entity] > Notifications > Prefix for notifications. Changing this configuration field will correctly alter the prefix to that of your liking. No further code hacks are required or advised.

Why do you want images in your KB?

Well, this is, in my humble opinion, a no-brainer. One image shows more detail than I can describe in a thousand words. Images also help speed up the resolution process, especially during night hours. It also allows the engineer to intuitively compare the actual situation with the documented situation. Is it all positive then? No, there are some downsides to consider as well.

An image doesn't replace the engineer's know-how, and sometimes you want to explicitly trigger this knowledge by not showing any images. Updated applications might look different, actually slowing down the resolution process. Another, more technical, downside is web server storage: all images need to be stored somewhere and might needlessly clutter the support system. My point of view is that you need to decide what's best for your situation. Sadly GLPI doesn't allow you to choose yet; it forces images to be removed. If you do need image support, apply the code hack below.

Be aware that this won't enable image export to PDF.

How to enable images in the KB

First we need to enable the INSERT function that allows us to add images using the TinyMCE editor. To do this, two changes need to be made.

In the file inc/html.class.php, on lines 3837 and 3871, comment out (//) the lines that read _html = _html.replace(...). See the screenshots for more details.

Optionally you can enable the 'image' button by adding image to the 'theme_advanced_buttons2 :' line. See the images underneath for more details.


The next step is to enable the images to be shown. Without this change the htmLawed plugin will add a denied: tag to the actual images, effectively telling the browser not to show the image. Additionally, the resulting HTML code including the denied: tag is stored in the database, so such an image stays disabled even after the code modification below. Enabling those images afterwards requires a search-and-replace statement in the database (see comments below).

In the file /lib/htmlawed/htmLawed.php, on line 47, add ;src: data to the end of the line.

Make sure you use a screenshot tool that puts an inline HTML image on the clipboard. Greenshot is a free alternative that does this out of the box.

Enjoy!

Apache and SSL

Yesterday someone remarked: "With Apache you can't implement multiple SSL certificates behind one and the same IP address." This remark is not quite correct, and a good opportunity to explain the basics behind SSL and why SSL on servers hosting multiple sites can be challenging.

Understanding SSL

SSL is an acronym for 'Secure Sockets Layer' and is a method to encrypt traffic between client and host. SSL uses a key pair, provided by a digital certificate, to encrypt the communication. To do this, SSL needs to tell the client how to decrypt the traffic before the actual communication starts. This is done in the so-called SSL handshake, in which a public key is shared with the client.

Each of the parties (client and host) now has a public and a private key available. With this so-called key pair both parties are able to encrypt and decrypt the traffic being sent. See the Wikipedia article on the Diffie-Hellman key exchange for a clear example of this algorithm.

The Diffie-Hellman example also illustrates the risk of a client losing or sharing its private key.

What is a certificate?

In most cases a certificate has multiple purposes. One is obviously to encrypt the traffic. An additional task is to identify the host to the client. The host is usually identified by its public DNS name: by means of the CN (Common Name) field of the certificate, the client verifies that the CN in the certificate equals the DNS address the client is visiting. If the two are not equal, the client generates a warning.

Why do you still get a warning when you use a valid DNS name in your certificate's CN field? An additional check is necessary: an external Certificate Authority needs to back your claim. This is done by signing your certificate with the CA's private key, which is known only to that Certificate Authority. The client can then check, with the public key of that CA, the validity of your certificate and its claim.

You might now understand why there was such a buzz over DigiNotar making its private key available to hackers through its auto-signing process.

What is a socket?

The second principle to understand is the socket. Literally, a socket is a communication endpoint used by an application to send data. It is important to realize that a socket only contains protocol information (like TCP, UDP or ICMP) and various settings like timeouts. Usually no IP information is given in the socket definition. If a programmer wants the socket to be open on a specific device, he usually needs to explicitly bind the socket to that IP.

So a socket is nothing more than a 'door' to the network that an application can programmatically use to send data over a networked device.

Apache and SSL

In the case of Apache httpd, SSL is implemented on a listening IP:port. When a client connects to Apache on the IP:port configured in httpd.conf, the first thing performed is the SSL handshake. As noted, the SSL handshake takes place before any actual data is sent. Once it is completed, the HTTP request header is sent (encrypted) to the Apache instance.

When Apache serves multiple sites behind one socket, called virtual hosts, it uses the HTTP request header to determine the right content (virtual host). Apache can only do this once it has received a valid request header, and that can only be offered after the SSL session has been established.

Now here is the issue.
The HTTP request header we are talking about contains a DNS site name, for instance www.google.com in a GET / request. If the certificate used has 'CN=www.google.com', there won't be any problem: all checks out, no certificate error.

Now the second site, hosted in a different virtual host provided by the same Apache instance, is requested with the site name logon.google.com in its request header. Now all hell breaks loose, because our certificate still contains 'CN=www.google.com'. The name doesn't match, and a certificate error is raised.

The reason is that Apache does implement SSL, but before the actual request is sent. Without SNI there is no mechanism in place to determine the correct certificate, containing the correct CN, prior to the HTTP call.

Possible solutions?

When you are using multiple subdomains under the same domain, for instance www.mysite.com, service.mysite.com and mail.mysite.com, the solution might be a so-called 'wildcard' certificate. Its CN looks like CN=*.mysite.com and will match correctly against all these subdomains.

When you are using multiple site names under different domains, like www.google.com and www.mysite.com, implementing SNI might be a solution. Be warned: SNI has limited backwards compatibility; the client needs to support SNI for it to work properly.

You could use multiple ports on the server and run SSL on each of them. This requires your visitors to add a port to the URL, like https://www.google.com (default 443) and https://www.mysite.com:445 (non-default).

Alternatively, use multiple IPs and bind SSL to each. This lets you keep the default port 443. Requesting multiple public IPs might be costly, but it is the most elegant solution (next to SNI).
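The certificate-selection problem described above, together with the wildcard and SNI remedies, as an added Python example that is not part of the original post: the virtual hosts and certificate names are constructed, and presented_cn is an extra live check that the demo does not call.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Constructed virtual hosts: (ServerName, CN of the certificate configured for it).
# As in Apache, the first vhost on the IP:port is the default one.
VHOST_CERTS: List[Tuple[str, str]] = [
    ("www.google.com", "www.google.com"),
    ("logon.google.com", "logon.google.com"),
    ("service.mysite.com", "*.mysite.com"),  # wildcard certificate
]

def cn_matches(cn: str, host: str) -> bool:
    """Name check the client performs: exact match, or a wildcard covering exactly one
    label (*.mysite.com covers service.mysite.com, not mysite.com or a.b.mysite.com)."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return cn == host

def select_cert(sni_name: Optional[str]) -> str:
    """CN Apache can present. Without SNI the handshake completes before any HTTP header
    is seen, so only the default (first) vhost's certificate is available."""
    if sni_name is not None:
        for server_name, cn in VHOST_CERTS:
            if server_name == sni_name.lower():
                return cn
    return VHOST_CERTS[0][1]

def handshake_ok(host: str, sni: bool) -> bool:
    """Would the client accept the certificate presented when it asks for `host`?"""
    return cn_matches(select_cert(host if sni else None), host)

def presented_cn(host: str, port: int = 443, sni: bool = True) -> str:
    """Live check against a real server (not called by the demo): the CN it presents with
    or without SNI. The chain is still verified; only the name check is skipped, so a
    mismatching certificate is returned for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")

if __name__ == "__main__":
    for name in ("www.google.com", "logon.google.com", "service.mysite.com", "mysite.com"):
        print(f"{name:20} no SNI: {handshake_ok(name, False)!s:5} SNI: {handshake_ok(name, True)}")
```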

Any questions?
Feel free to post them below 🙂


Backup script for GLPI (http://www.glpi-project.org)

If you are using the great GLPI tool, you will notice that the value of the data inside increases rapidly. This usually also implies that it is 'wise' to back this data up.

There are many ways to do so, using nice plugins, even nicer GUIs and apps. I (headstrong as I am) wanted something very basic and functional, easy to configure, and that will work in an environment with multiple GLPI installations. The answer to my question: build something of your own.

So I scripted something for Linux that allows you to back up the entire GLPI tree (where the uploaded files reside) and the SQL database.

Because we use deduplicating backup storage (Data Domain), I don't have to worry about duplicate data. If you need to, add something to clean the backup store. This script doesn't account for that 🙂

This is the script:


#!/bin/bash
# Written by Chris
# Goal is to easily back up GLPI in a multi-installation environment.

GLPI_DIR='/var/www/glpi_0805'
BACKUP_DIR='/backup/nfsloc'
LOGFILE='/var/log/backup.log'

############################################################################
# Don't change anything after this point, unless you know what you are doing
# No guarantees, use this script at your own risk
############################################################################

# Do some generic stuff here
# Add checks if you like 🙂
#############################
MYSQLDUMP=$(which mysqldump)
DATE=$(date +%d.%m.%Y)
LOGTIME=$(date +"%d-%m-%Y %H:%M")       # %M = minutes (%m would print the month twice)
DBCONFIG=$(find "$GLPI_DIR" -name "config_db.php")
# config_db.php holds a line like  $dbdefault = 'glpi';  -> strip quotes, ';' and spaces
DBNAME=$(grep "dbdefault" "$DBCONFIG" | awk -F '=' '{ gsub(/\047/,""); gsub(/\;/,""); gsub(/ /,""); print $2;}')
GLPISIZE=$(du -sh "$GLPI_DIR")

# The tarball and the SQL dump contain DB credentials and ticket data: create them owner-only.
umask 077

#
# Start working....
############################
echo -e "$LOGTIME \t## New backup started ##" >> "$LOGFILE"
echo -e "$LOGTIME \tpacking: $GLPISIZE.. into $BACKUP_DIR/backup.$DATE.tar.bz2 ..." >> "$LOGFILE"
tar -cjPf "$BACKUP_DIR/backup.$DATE.tar.bz2" "$GLPI_DIR" >> "$LOGFILE" 2>&1 \
  || { echo -e "$LOGTIME \tERROR: tar failed" >> "$LOGFILE"; exit 1; }
echo -e "$LOGTIME \tCreating mysqldump into $BACKUP_DIR/sqldump.$DATE.sql ..." >> "$LOGFILE"
# Credentials come from ~/.my.cnf of the user running the job, so none appear on the command line.
"$MYSQLDUMP" "$DBNAME" > "$BACKUP_DIR/sqldump.$DATE.sql" 2>> "$LOGFILE" \
  || { echo -e "$LOGTIME \tERROR: mysqldump failed" >> "$LOGFILE"; exit 1; }
echo -e "$LOGTIME \tAll done..." >> "$LOGFILE"
echo "all done! "

exit 0

If you want to install this script, follow these instructions:


# This is for Oracle Enterprise Linux / Red Hat EL distros.
# Your environment might be slightly different.
cd /opt
mkdir ./scripts
cd scripts
vi ./backup.sh
# Insert the code above into the editor and save the lot using ':wq'.
# Alter the top of the script to match your environment.
chmod +x ./backup.sh
# Next create a symbolic link in cron.daily; this might be different in your Linux distro (see the manual pages on your distro using 'man cron').
ln -s /opt/scripts/backup.sh /etc/cron.daily/backup
# Monitor /var/log/backup.log for details.

Happy backing up 🙂

(Don't forget to clean the backup dir on a regular basis if you don't have the luxury of deduplicating storage.)

mod_access.so missing in Apache 2.2.19? Check this!

Hi there admins,

Today I spent an hour figuring out why the "Order" directive in Apache 2.2.19 resulted in errors.

Knowing that "Order" was previously provided by "mod_access.so", I started my quest to figure out why that module was missing. What did I find?

Mod_access was renamed or recompiled to "mod_authz_host.so", as described here:

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

After adding the module again it worked like a bliss 🙂

How to compile Apache 2.2.x? Here's a hint 🙂

# --prefix: where to install. (A comment placed after the trailing backslash would
# end the command there, so it goes on its own line.)
./configure --prefix=/u01/proxy/ \
--enable-ssl=shared \
--enable-proxy=shared \
--enable-proxy-connect=shared \
--enable-proxy-ftp=shared \
--enable-proxy-http=shared \
--enable-proxy-ajp=shared \
--enable-proxy-balancer=shared \
--enable-cache=shared \
--enable-file-cache=shared \
--enable-mem-cache=shared \
--enable-disk-cache=shared \
--enable-deflate=shared \
--enable-http=shared \
--enable-dav=shared \
--enable-vhost-alias=shared \
--enable-rewrite=shared \
--enable-so=shared \
--with-ssl=/usr/bin/openssl > ./reviewlog.txt 2>&1   # errors go to the log as well
make >> ./reviewlog.txt 2>&1
make install >> ./reviewlog.txt 2>&1
make clean

http://httpd.apache.org/docs/2.2/new_features_2_2.html#module