Technology

HOW TO : Apache and SELinux

Quick note for future reference..

If you ever run into errors like this

[code]
<pre>Starting httpd: Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
(13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
[FAILED]
[/code]
And you are scratching your head why Apache is throwing these errors, even when the said directory and files exist. And you have the right permissions!! Check if you have SELinux running and being enforced.
On RHEL, you can check if SELinux is running by
[code]cat /selinux/enforce [/code]
The two values are 0 and 1. 0 means, SELinux is not being enforced and 1 means it is.
You can quickly disable SELinux temporarily by
[code]echo 0 >/selinux/enforce [/code]
If you want to disable it permanently (i.e. survive reboots), you have to edit the file /etc/selinux/config and change the SELINUX line from enabled to disabled.

Overheard : Random comments about technology

Here are some interesting titbits from a executive summary event hosted by Redhat/Intel that I attended yesterday.

We decreased the execution times for our orders from 1.5 seconds to 5 milliseconds

This from an executive managing the technology organization for a large trading company. Imagine the geekiness in accomplishing this :).

For every 450 smartphones that get activated a server is added to support them

This from an Intel executive. So if there are 500000 android phones being activated every day.. that’s around 1111 servers being added just to serve the android fans :).

1 in 4 servers currently runs Linux

This from a Redhat executive. If anyone doubts that Linux is mainstream.. they are living under a rock 🙂

August 19, 2011 by admin Linux OverHeard Technology Uncategorized Web 0

HOW TO : Use grep to search for credit card numbers

I was looking for a quick way to search for credit card numbers in a file and ran across this excellent post by Adrian Rollett. I tweaked his suggestion a bit to show some additional data.

Original suggestion

[code] grep ‘$^\|[^0-9]$\{1\}$[345]\{1\}[0-9]\{3\}\|6011$\{1\}[-]\?[0-9]\{4\}[-]\?\[0-9]\{2\}[-]\?[0-9]\{2\}-\?[0-9]\{1,4\}$$\|[^0-9]$\{1\}’ FILE_TO_SEARCH [/code]

My modification

[code] grep ‘$[345]\{1\}[0-9]\{3\}\|6011$\{1\}[ -]\?[0-9]\{4\}[ -]\?[0-9]\{2\}[-]\?[0-9]\{2\}[ -]\?[0-9]\{1,4\}’ –color -H -n FILE_TO_SEARCH [/code]

The modified command will show the name of the file the number was found and at which line. You can tweak it further using additional options for grep. A good reference guide can be found here.

August 17, 2011 by admin HOWTO Linux Technology Uncategorized 0

HOW TO : Export and import certificates using keytool

Keytool is a java utility to manage SSL key databases (stores). Here are a couple of options for using this tool

List the certificates in the keystore

[code]keytool -list -keystore NAME_OF_KEYSTORE_FILE [/code]

Export a particular certificate from the keystore

[code]keytool -export -alias ALIAS_NAME_OF_CERT -keystore NAME_OF_KEYSTORE_FILE [/code]

Import a certificate into the keystore

[code]keytool -import -alias ALIAS_NAME_YOU_WANT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_CERT_FILE_TO_IMPORT [/code]

July 20, 2011 by admin HOWTO Networking Technology Uncategorized 1

HOW TO : Use netcat (nc) on Windows 7

netcat is a swiss army tool for network/security professionals. You can use it to listen on certain ports or connect to certain ports. For example, say, you configured your firewall to allow TCP 80 traffic to your web server. But your web server is not built yet and you want to validate the rule. You can run netcat on your workstation to listen on port 80, assign the IP address of the web server to your workstation and test the rule.

If I am not mistaken, nc comes as a default tool in most of the Linux distros. You can download the windows port of the tool at http://www.securityfocus.com/tools/139

The command to have netcat listen on a specific port is “nc -l PORT_NUMBER”. If you run this on a Windows 7 machine, you will get this dreaded message “local listen fuxored: INVAL”. The fix is to run it with a -L option. So the command would like this

[code]nc -L -p 80[/code]

The -L means “listen harder, re-listen on socket close” :).. Have to dig deeper and see what it really means though. I will leave that for another blog post.

And if you want to validate that netcat is indeed listening on that port, you can connect to that port from another workstation by using nmap.

July 14, 2011 by admin HOWTO Networking Technology Uncategorized Windows 17

Facebook is popular…but still

I wanted to signup for the service offered by the Techcrunch 2011 Disrupt winner, GetAround (which by the way is a pretty cool service) and went to their website. And what do I see? I need a facebook account to use their service. I know Facebook is popular, but how fair is it to require a potential customer to have a Facebook account??

May 25, 2011 by admin Rantings Technology Uncategorized Web 2

HOW TO : Enable global reverse proxy with certain exclusions in Apache

Say you want to enable reverse proxy on a site powered by Apache Web Server where all traffic to the web site it reverse proxied to a different server, but you want to exclude certain paths from being reverse proxies. I don’t know why you would want to do that :).. but we ran into that scenario at work and I wanted to document the config for future reference. The picture below shows a high level view of the traffic

Ensure the following modules are being loaded in Apache.

[bash]

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so

[/bash]

In the virtual host configuration for kudithipudi.org add the following lines

[bash]

ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /static !
ProxyPass /media !
ProxyPass / http://INTERNAL_SERVER:8888
ProxyPassReverse / http://INTERNAL_SERVER:8888

[/bash]

March 8, 2011 by admin HOWTO Technology Uncategorized Web 0

HOW TO : Trick to find out your IP address from a web server farm

This is a quick trick I came up with to find out the IP address of a client that is trying to access a farm of web servers that you have access to. The diagram below shows the network path for a typical web server.

You have a client that might be sitting behind a (or multiple) proxy server. And there is a load balancer involved because you have multiple web servers for redundancy.

We were recently working on some rewrite rules for our web servers at work and we needed to find out what IP address the web servers were seeing the client traffic come from. Couple of challenges

Which web server do you check? The load balancer can send you traffic to any server.
What IP address are you going to look for? Wait that is the original problem right :).

The web servers usually write an entry to the error log when they serve a 404 error. So we can use that to figure out which web server you are hitting and what IP address the web server is seeing you as. Here’s the trick

On the client side go to http://WEBSITE_ADDRESS/Get_Me_My_IP (or some other URL, which you know doesn’t exist on the web site)
On the server side, grep for “Get_Me_My_IP” in the web server error logs

Here is an example, I ran on this website (https://kudithipudi.org)

Client Side : Go to https://kudithipudi.org/what_is_my_ip
Server Side : grep for “what_is_my_ip”

[bash]
root@samurai:/var/log/apache2# grep -i what_is_my_ip access_kudithipudi.log
199.27.130.105 – – [04/Mar/2011:16:07:18 +0000] "GET /what_is_my_ip HTTP/1.0" 40 4 5495 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/2 0110218 Firefox/3.6.14 ( .NET CLR 3.5.30729; .NET4.0E)"
[/bash]

From this entry I can figure out that my client is appearing as “199.27.130.105” to the web server.

March 4, 2011 by admin HOWTO Technology Uncategorized Web 0

HOW TO : Setup Global Redirect in Lighttpd

If you have ever managed a web application, you know you have to take it down at times :). And you usually want to show an simple page stating that you are down for maintenance. Here is a simple way to setup a “maintenance” splash page. The assumption is that you have a Linux server to host the maintenance page.

Configure lighttpd (HTTP Server) on the server using instructions from this article on Cyberciti.
Edit the lighttpd.conf file and add the following line in your site configuration

[bash] server.error-handler-404 = "index.html" [/bash]

Name your maintenance page as index.html and upload it to the document root (in this example, it is /var/www/html)

You are essentially telling the web server to display index.html whenever the user is trying to access content that is not present on the server. And since there is no content on the server other than the index.html, the web browser will always display the index.html page..

February 11, 2011 by admin HOWTO Linux Networking Technology Uncategorized Web 0

HOW TO : Dowload content from Oracle Metalink (Support) using wget

The usual process for a DBA to download files from Oracle Metalink (support) site is

Login to Metalink from his/her workstation
Download the file
Upload the file to the database server
Use the file

Say your database is in a data center and your workstation doesn’t have high speed connectivity to the data center, you can use the following trick to download content to a l[u]inux server in the data center that has Internet connectivity (and hopefully it is not your database server 🙂 ).

Log into Metalink from your workstation
Grab the link to the file/content you want to download (for example, we recently tried to download clusterware for Oracle 11G, and the link was http://download.oracle.com/otn/linux/oracle11g/linux.x64_11gR1_clusterware.zip)
Log into a server in your data center (it should have connectivity to the Internet and also to your database server)
Download the file using wget

[bash]wget http://download.oracle.com/otn/linux/oracle11g/linux.x64_11gR2_clusterware.zip –user ORACLE_ID –password ORACLE_ID_PASSWORD[/bash]

Replace the link with the link to your content and use your Oracle ID and password.

The file downloaded will have a strange name since wget appends the sessionID to the end of the file. In the example I used above, the name of the file was “linux.x64_11gR2_clusterware.zip\?e\=1297470492\&h\=a66b265cc967a68c611052cb8e54356f“
Rename the file and strip off the unnecessary data in the name using mv

February 10, 2011 by admin Databases Linux Technology Uncategorized 3