Marginally nefarious crime writer. Many of those crimes involve computers.
I keep forgetting about the single quotes in this incantation. Writing it down won’t improve my memory, but I’ll know where to look it up.
To see a field (e.g. referers) from Apache’s combined access.log:
# cat /var/log/apache/logname | awk '($11 !~ /sitename|\-/) {print $11}'
This strips out references from the site itself, plus entries with a – in the field. Mostly useful when testing anti-referer-spam stuff.
I just upgraded my Web server’s operating system and applications. As part of this, I upgraded to the latest mod_security rule set. I started with mod_security to block referer spam, but I’m also using it to block connections from blacklisted addresses. mod_security has a steep learning curve, and I’ve had to tweak my rules more than once.
With these upgrades, my anti-referer-spam rules stopped working. Incoming requests with referer spam headers were logging to my access log and showing up in my reports. I asked on the mod-security-users mailing list, and was told that mod_security wasn’t supposed to work the way I was using it.
I’m not sure why it worked. I don’t want to roll back my other upgrades. It’s time to reassess the problem.
I can block referer spam with mod_rewrite, but that requires maintaining rewrite rules across a variety of other sites on my server, and integrating referer spam rules with the rewrite rules those servers need. That would quickly become ugly.
I want the mod_security RBL functionality, and I intend to use some of its other functions later, so mod_security will stay on my server. Mod_security is big and complex, mainly because the real world is big and complex, and trying to debug my simple referer spam problem lead me towards some very complicated debugging. So I stepped back and thought, and decided to try an alternative approach.
Apache has the ability to separate logs based on environment variables. Mod_security can set environment variables.
I changed my mod_security rules like so:
SecRule REQUEST_HEADERS:REFERER "(?i:(porn))" deny,status:412,setenv:spam
If a request contains a refering site that contains the case-insensitive string porn, the client will receive a 412 response. (I considered a 406 response, but my research says that 412 is most appropriate. mod_security will also set the environment variable spam to 1.
On the Apache side, I changed my access log configuration:
CustomLog "|/usr/local/sbin/rotatelogs /var/log/mwl/mwl_spam_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined env=spam
CustomLog "|/usr/local/sbin/rotatelogs /var/log/mwl/mwl_access_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined env=!spam
Apache checks the environment for every request before logging. If a log message has the environment variable spam, it is logged to the spam log. If that variable is not set, the request is logged to the regular access log.
I think that in the long run, this setup will be easier to troubleshoot.
I support too many servers and applications to manage separate user databases for each. LDAP is a must. If an application can’t hook up to LDAP, I don’t want it. WordPress can be configured to use LDAP, and has several different LDAP plugins. I’ve had mixed results with PHP LDAP plugins. I usually find that having the application trust Apache’s authentication, and attaching Apache to LDAP, gives better results in my environment.
Note that my WordPress installations usually have only one or two registered users. They are administrators. Most people cannot register. If you want to hook hundreds of LDAP users into WordPress, and manage them completely through LDAP, you’ll need to find an LDAP-specific plugin that meets your needs. In this environment, where I’m just looking for administrator password synchronization, it’s good enough.
This particular Web server runs Ubuntu 10.04 with Apache and WordPress 3.1. To enable LDAP auth in Apache, run:
# a2enmod authnz_ldap
# /etc/init.d/apache2 restart
On the WordPress side, install for the HTTP Authentication plugin. This tells WordPress to trust the Web server’s authentication.
WordPress won’t read a list of usernames from basic auth. You’ll need to create your users. (Again, this is for a couple of admin accounts, not for massive user databases.)
WordPress protects its administrative directory, /wp-admin/, automatically redirecting requests to the page wp-login.php. For this plugin to work, we must require LDAP auth to the one file wp-login.php. Here’s the Apache configuration for the WordPress directory.
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Basic
AuthName "Web Admins Only"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapserver1.domain.com/dc=domain,dc=com" STARTTLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=wordpressadmins,ou=groups,dc=domain,dc=com
Note that my LDAP servers do not require a LDAP login to validate a user. If yours do, you’ll need to add the username and password to this configuration.
Restart Apache, open a new browser, go to the site, and hit the Login button. You should get an Apache login window. Enter your username and password, and you’ll reach the WordPress control panel.
You’re now handing your LDAP username and password to WordPress. You do have WordPress available over SSL, don’t you? Configure Apache so that http://wordpress.domain.com is also available as https://wordpress.domain.com, and add the following near the top of wp-config.php.
//we like SSL
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
WordPress will now pass user credentials and cookies over SSL.
Over the last fifteen years or so, hand-coded HTML has transformed from “how it is done” to “a baroque eccentricity” to “an amusing peccadillo” to “what is WRONG with you, dude?”
My personal Web site, http://www.michaelwlucas.com, has now been updated. It’s as boring as ever, except for the awesome art. Let me know if you see any problems. Those of you who prefer the old version can see it at www-old, but I won’t update it again.
For an unrelated project, I learned how to make WordPress permalinks. I made that change on the blog this morning. My testing shows that they work, and that incoming links are redirected correctly.
If you should see a problem, please drop me a note.
For those who missed the announcement, FreeBSD 9 has replaced sysinstall with a new installer. It’s based on the PC-BSD installer’s back end and a text-based front end by Nathan Whitehorn. So, what is this new installer we’ve waited sixteen years for? I decided to find out.
As an official snapshot with the BSD installer isn’t yet available, I grabbed one of nwhitehorn’s recent snapshots. The back end is not integrated, but let’s see what the front end looks like. I assume there will be changes between this February snapshot and the next official snapshot. For my testing, I used a VM running Microsoft Virtual PC (for ease of screenshots) with ACPI disabled (so the install would finish).
Booting the image, I saw:
A recovery shell and a live CD are great, but I want to install.
The next screen tells me to select a keyboard. By virtue of alphabetical order, the default is Armenian. When I arrow down to find the US keyboard, there’s several different options. I know exactly what kind of keyboard I have, it’s an Endurapro with the mouse pointer between the G and the H. But that’s not an option. Fortunately, I use a Dvorak layout, and that is an option.
I’m now asked for a hostname, and then allowed to choose optional components.
Of course I want source code!
I will miss the ability to choose “the smallest distribution possible,” but in reality, upgrading added the entire base system anyway.
Now we partition the disk.
Ooooh, a “guided” method. That sounds newbie-friendly. Let’s try that.
We want to use the whole disk.
Wait a minute… where are /var, /tmp, /usr, and all the other partitions? Don’t tell me that one of the last survivors of proper partitioning is stumbling into the one large root filesystem trap? Ick. (I assume that the other partitioning methods will let you create proper partitions.)
Note that these are GPT partitions, not MBR partitions (slices).
Highlighting a partition and pressing ENTER shows details.
We can set a label in the installer, which is a nice feature. And it appears that two ESC takes you out of this submenu into the main menu. That seems odd, but perhaps it’s related to this being in Virtual PC. Arrow over to EXIT and hit ENTER to get the final confirmation screen.
“Are you sure?” Save and Abort aren’t exactly answers to that question – actually “save” is kind of ambiguous in this context. Save your existing data? Yes, we’re sure, choose Save. The filesystem is initialized:
The installer verifies the files on disk and begins installing.
We must watch for a panic in the background, versus a simple lock order reversal. This is -current, either one can happen and both are displayed by default.
While watching this, I wanted to hit ALT-F2 and see just how well the ports were extracting. That’s apparently no longer an option.
After extracting everything, I was prompted for the root password, then for a network interface.
I took the default.
Why yes, I would like DHCP with my host, thank you.
Now I’m asked for the services I want enabled at boot.
Compared to sysinstall there aren’t many choices, but I’m all right with being offered only the lowest common denominators. Far more vexing is how the network configuration gracelessly handled the unplugged network interface. While CTRL-L redrew the screen, a new link down message reappeared every second or so. I’d never tried Virtual PC before, and apparently I need to decipher the network configuration.
Once I choose the essential services, I’m asked if I want to add users. When I say yes, it drops me to text mode for the usual adduser(8) dialog.
All right, the network message is getting pretty annoying now.
After adding my user, I get the final screen.
You can change many of your optional settings, plus set the time zone. You get the usual warnings about removing the CD-ROM from the drive, and then reboot into the new install.
Overall, I like many of the changes. It doesn’t have many of the libdialog annoyances that plague sysinstall. I dislike the guided partitioning system, or more exactly the lack of actual partitioning therein. I do not want /tmp files filling my hard disk!
The good news is, with the separation between the front end and the back end, changing the installer will be much simpler than it ever was with sysinstall. For all the petty annoyances in this installer, it’s a big step in the right direction. I want to commend the creators for actually pushing Sysinstall Replacement Attempt #82,319 to completion.
I installed Apache on a diskless FreeBSD-9/amd64 server. Once I added SSL, the web server wouldn’t start. It died with:
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:17 2011] [alert] Child 1733 returned a Fatal error... Apache is exiting!
Google says that the fix for this is to define AcceptMutex flock somewhere in httpd.conf. Google shows dozens of mailing list discussions that give this advice, but without explanation. Every so often, someone whinges about it not working, and doesn’t get a response.
This is an example of what I call “Occult IT.” There are certain recipes that people just follow, without understanding why. We stumble around, grasping for invocations and incantations that will fix our problem. I don’t just want the ritual that will solve the problem; I want to know why the problem happened and deepen my understanding of the issue.
Besides, adding AcceptMutex flock didn’t work.
To identify the problem, I set LogLevel to debug in httpd.conf and tried starting httpd again.
[Mon Mar 21 16:03:18 2011] [debug] prefork.c(1018): AcceptMutex: flock (default: flock)
I didn’t have that configuration setting in my httpd.conf, but it’s the Apache default anyway. So, what are my other choices?
Apache documentation says that the AcceptMutex setting determines how Apache serializes incoming requests. The flock setting dictates how Apache locks the LockFile.
My configuration doesn’t have a defined LockFile, so choosing how we lock it isn’t going to help.
I don’t like lock files. Bad stuff happens to them. Let’s try a locking method without a lockfile. The documentation lists two different classes of locking mechanisms. flock and fcntl work on lock files. posixsem, pthread, and sysvsem use the in-memory mechanisms of semaphores and/or mutexes to provide locking.
As I don’t like lock files, I’ll try one of the in-memory mechanisms.
AcceptMutex posixsem
And Apache starts and runs perfectly.
I can’t find any details on the differences between these in-memory mechanisms, from a system administrator’s point of view. I imagine that the System V mechanism wouldn’t work if you’d removed that support from your kernel. But the point is:
Do not rely on occult IT. Read The Fine Manual.
Yes, The Great Committer was an April Fools’ gag. I didn’t expect anyone to actually believe it, but it gathered a few laughs, so I’m content.
Far more successful was the FreeBSD and NetBSD to merge gag that Dan Langille and I pulled back in 2003. The United Nations Fretbsd.org site has long since expired, but Dan archived it. (Eight years later, and I still giggle madly about the moose in that one.) That one actually sucked in a reporter from an reputable tech site, who pestered Dan and I for details all day.
John Baldwin really did surpass PHK’s commit total, however, and deserves credit for working so hard on FreeBSD. I heard from John on Friday, and while I’m not going to be so gauche as to copy his email here, I can honestly say that I am relieved that I did not displease The Great Committer.
I’m pleased to be the first to announce that the FreeBSD Project is reorganizing. This will appear on the FreeBSD home page next week, but journalistic ethics decree that I must act when I get a scoop.
FreeBSD has always been something of a meritocracy, where the respect given to committers is directly proportional to the amount and quality of code they commit. This is tracked in the commit statistics. For many years, Poul-Henning Kamp (phk@) was the undisputed leader, but in 2010 his total was exceeded by relative newcomer John Baldwin (jhb@). Baldwin’s commits show no sign of slowing, and if he continues at this pace, he will soon overtake the combined totals of Foundation President Robert Watson and embedded emeritus Warner Losh.
The FreeBSD Project has a variety of leadership roles and teams, such as the Core Team, the Ports Management team portmgr, and so on. These teams have helped FreeBSD’s broad developer base coordinate their efforts, work together, and streamline FreeBSD’s internal processes.
Effective immediately, all such teams are disbanded.
John Baldwin is to be henceforth known as The Great Committer. He alone will dictate the FreeBSD Project’s direction and where its resources will be allocated. All commits will be credited to The Great Committer, as all commits will touch his work in some way and hence would not be possible without His knowledge, experience, and all-around wisdom.
“It’s clear that our current model just doesn’t work,” said Robert Watson. “In the sixteen years the FreeBSD Project has existed, and the decades BSD had before it, we’ve had at least four distinct generations of leadership. We’ve developed processes for mentoring and grooming our own leaders, letting people move on when they wanted. Frankly, it’s a lot of work, and I don’t know how many more decades we could keep that up. The Great Committer won’t put up with that sort of churn, I’m sure. Once you’re a FreeBSD committer, you’re in for life. However long that is.”
“I’m really glad that The Great Committer has taken this step,” said Wilko Bulte, FreeBSD core team member. “People think that the FreeBSD Core Team made all these high-level decisions, when really we broke up fights and inducted new members. All that email and discussion took a lot of time. Now that The Great Committer has condescended to claim his rightful place, we can get back to doing what’s important — namely, doing everything we can to increase the already bounteous glory of The Great Committer.”
Security Officer Colin Percival said, “We’ve worked tirelessly to ensure FreeBSD’s security. I don’t even know how many man-months I’ve spent auditing code and investigating reports, let alone other members of the FreeBSD Security Team. But now, The Great Committer has decreed that FreeBSD is secure. All praise to The Great Committer!”
The Public FreeBSD Developer Track at BSDCan 2011 will now alternate between technical talks and praising The Great Committer. In addition to learning about exciting features such as Capcisum, attendees will practice making index-finger-and-pinky “Beastie Horns” to salute The Great Committer. Attendees will also witness the unveiling of the official The Great Committer banners, forty feet tall and hand-painted on silk.
No active OpenBSD developers could be bothered to comment, but Jason Dixon, OpenBSD slacker, stated “It’s about time the FreeBSD bums realized that they needed a benevolent despot. Maybe they’ll do something useful now.” A phone call to the NetBSD Foundation got a recording that the Board of Directors could be reached at the pub.
The FreeBSD Foundation is raising funds for a 200-foot golden statue of The Great Committer, to be erected near the University of California Berkeley campus. Its stern visage will remind the university denizens of their second-greatest three-letter claim to fame. The Great Committer has declared that there are no rumors that the statue’s eyes will be lasers that will automatically target users of lesser operating systems.
Meanwhile, The Great Committer has ordered that someone bring him a sandwich. And a beer. And Bill Gates’ lunch money.
You can contribute to the Foundation through DonateNow or in person at BSDCan. There’s no guarantee that the Foundation will use your particular donation to fund the statue, but they will assuredly use it for FreeBSD.
NOON UPDATE: It seems that The Great Committer has declared that HAMMER will be the new default filesystem.
There’s a new review of Absolute FreeBSD at the Java Users Group Lugano Web site. I can’t find a way to link to this particular review, so this link goes to the review page. I expect it will eventually scroll off the bottom.
I do try to batch reviews, but four years after the book hit the shelves, I think I’d have to wait quite a while for the next one.
While I’ve said that only silence or thanks is appropriate for a negative review, thanks are also appropriate for a positive review. Thank you, Celestino Bellone, for taking the time to write up your impressions.