waffel’s Weblog

März 13, 2014

no running imapd / slapd under gentoo

Einsortiert unter: administration,webmaster — Thomas Wabner @ 2:46 nachmittags

Today, I discovered that my mailserver was down on a root server (running gentoo). I tried to search why and whats the problem.

  1. I see error messages, that some processes cannot connect to ldap
  2. I tried to use phpldapadmin to check whats wrong. Here I got the next error: Fatal error: Cannot redeclare password_hash()
  3. I changed the used php version from php-5.5 to php-5.4 … phpldapadmin again works, but I cannot login
  4. I see imapd segmentation faults in dmesg in libwrappers …so I guess there is a problem with sys-apps/tcp-wrappers
  5. I rebuild tcp-wrappers, restarting nearly all processed from /etc/init.d without success
  6. I get deeper into the logfiles of my server (needed to take a look into the live logfiles (which logs all into one file, which is heavy under a root server with many hosted domains)
  7. I see an error, that some processes (one was also slapd) cannot read /etc/hosts.deny
  8. I see, that only root has the permission to read /etc/hosts.deny
  9. I change the permission to get all a read of this file
  10. Restarting slapd and all stuff works again … what a pain

Feels like one of my living years are gone … sometimes I love, but sometimes I hate gentoo.

I do not know who has changed the permissions on this file … but if I found he/it … *g*

September 7, 2013

no CSS in mediawiki anymore

Einsortiert unter: administration,webmaster — Thomas Wabner @ 5:22 nachmittags
Tags: , , ,

After upgrading my gentoo system, I discovered a problem with one of my new mediawiki installations:

No CSS anymore!

That’s frustrating. Looking with my browser tools, I see, that the load.php from mediawiki returns nothing. Searching around and found only one place which helped:

https://bugs.php.net/bug.php?id=64836 <– the bug entry on php.

Now I tried to downgrade my gentoo package sys-apps/file back to 5.11 and restarting my apache … viola … it works.

emerge =sys-apps/file-5.11

Now the load.php works again and it looks like, that this has nothing to do with mediawiki itself.

November 17, 2009

create self signed multi domain certificate

Einsortiert unter: administration,webmaster — Thomas Wabner @ 6:29 nachmittags
Tags: , , , , , , , , ,

I have a domain mydomain.com with some sub level domains like

Now I need a self signed certificate for all these domains because I want to use them over HTTPS. There are some steps to do this. First of all: you don’t need for this propose your own root certificate. You should replace all occurrence of mydomain.com with your own domain name and sub domains.

On the gentoo server where the apache should host the domains, I have to create the certificate. I do following steps:

  1. Generate a private key
    openssl genrsa -des3 -out mydomain.key 1024
    
  2. Generate a CSR (Certificate Signing Request)
    openssl req -new -key mydomain.key -out mydomain.csr
    
    Country Name (2 letter code) [DE]:DE
    State or Province Name (full name) [Sachsen]:Sachsen
    Locality Name (eg, city) [Leipzig]:Leipzig
    Organization Name (eg, company) [My Company Ltd]:mydomain.com
    Organizational Unit Name (eg, section) []:Information Technology
    Common Name (eg, your name or your server's hostname) []:mydomain.com
    Email Address []:thomas dot wabner at mydomain dot com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  3. Remove Passphrase from Key
    cp mydomain.key mydomain.key.org
    openssl rsa -in mydomain.key.org -out mydomain.key
    
  4. Generating a Self-Signed Certificate

    To include all required subdomains a extensions file must be used. For example I have created a file /home/waffel/ssl/mydomain_extensions with following content:

    [ mydomain_http ]
    nsCertType      = server
    keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
    extendedKeyUsage        = serverAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid,issuer
    subjectAltName          = @mydomain_http_subject
    [ mydomain_http_subject ]
    DNS.1 = www.mydomain.com
    DNS.2 = nexus.mydomain.com
    DNS.3 = trac.mydomain.com
    DNS.4 = svn.mydomain.com
    

    The last command to create the certificate is:

    openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
    

In the apache configuration for the ssl host’s I have enabled the ssl module with following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For example if you need such certificate to connect your maven with a self installed nexus repositiory over https you can follow the article from ahoehma.

A more detailed description with some background information about the certificate creation can be found here.

Juni 19, 2008

Disable live site with apache rewrite rules

Einsortiert unter: html,Uncategorized,webmaster — Thomas Wabner @ 12:52 nachmittags
Tags: , ,

Any times I have to work on a live site like http://www.capella-fidicinia.de or http://www.cryo-tekk.de. All these sites are Joomla instances and Joomla doe’s not allow to disbale the site complete. You can only put the site “offline” with a setting in the administration module. After putting such site into the offline mode, nobody can anymore change the content and the user got a inforation bar on the site.

But often I will change complete the layout (testing new skin, working on the existing skin and so on). But the user should not see my changes because it is very ugly if you browse to a side and with every click the layout changes.

My Joomla instances running behind a apache2 webserver as a virtual host. To put the site complete offline and inform the user about maintainance you can put the follow into you virtual host configuration:


RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^194.136.37.140$
RewriteRule .* /var/www/domains/www.cryo-tekk.de/htdocs/maintainance.html [L]

With such entry only the IP adress 194.136.37.140 can see the site. All other IP adresses, which try to access the site are foreward to the maintainance.html site.

For more information about rewrite rules you can have a look here.

The Rubric Theme. Bloggen Sie auf WordPress.com.

Follow

Erhalte jeden neuen Beitrag in deinen Posteingang.

Schließe dich 28 Followern an