    Nat's Geeklog Just another brick in the Geeklog wall    
 Welcome to Nat's Geeklog
 Monday, February 08 2010 @ 11:56 PM CST

Apache Remote Authentication

Computer Tech Stuff

This started out as a project to take Apache NTLM authentication and offload it to cookie authentication, because the NTLM auth was flaky and would sometimes croak on random pages, given that NTLM authentication was being done for each keepalive. Upon completion of the project, it turned out that ANY authentication process that can be performed against Apache, be it NTLM, Kerberos, RSA SecurID, or another method, can be used, with the credentials offloaded to cookie authentication. Without further ado, let's look at how it works:

  • The user visits the Application Webserver.
  • The Application Webserver receives no authentication cookie and redirects the user to the Authentication Webserver, with the URL that was called on the Application Webserver as the query string.
  • The user visits the Authentication Webserver and authenticates by whatever means (NTLM, Kerberos, RSA, Basic Auth, other).
  • The Authentication Webserver stores the user credentials, together with the original URL on the Application Webserver that the user was trying to reach, in a randomly named file, and directs the Web Client back to the Application Webserver with information about how to get the random data file.
  • The Web Client sends the credentials data file info to the Application Webserver.
  • The Application Webserver fetches the credentials data file from the Authentication Webserver, after which the Authentication Webserver deletes the credentials file. (Note that credentials are not entrusted to the client and pass from the authentication server to the application server directly.) The Application Webserver then generates a cookie value and associates the userid with it, saving the association for 12 hours.
  • The Application Webserver sends the Web Client the authentication cookie, lasting 12 hours, along with a redirect to the original URL the client called.
  • The client visits the original URL with the authentication cookie; the server uses the value to look up the userid and populates the REMOTE_USER environment variable, and the user is able to proceed.
  • After the cookie expires, whatever URL the Web Client hits next will trigger this whole process again.
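
The hand-off listed above, modelled in memory as an added example (not code from the original post). The class names, the dictionaries standing in for the credentials file and the cookie store, and the injectable clock are all assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 12 * 60 * 60  # cookie lifetime from the post: 12 hours


class AuthServer:
    """Holds one-time credential records keyed by a random name."""

    def __init__(self):
        self._tickets = {}

    def login(self, userid, original_url):
        # Called only after NTLM/Kerberos/etc. has succeeded on this server.
        ticket = secrets.token_urlsafe(32)  # the "randomly named file"
        self._tickets[ticket] = (userid, original_url)
        return ticket  # only this reference travels through the browser

    def redeem(self, ticket):
        # Server-to-server fetch; the record is deleted on first read.
        return self._tickets.pop(ticket, None)


class AppServer:
    def __init__(self, auth, clock=time.time):
        self.auth, self.clock, self._sessions = auth, clock, {}

    def callback(self, ticket):
        record = self.auth.redeem(ticket)
        if record is None:
            return None  # unknown or already-used reference: no session
        userid, original_url = record
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (userid, self.clock() + SESSION_TTL)
        return cookie, original_url  # Set-Cookie value plus redirect target

    def remote_user(self, cookie):
        # Userid for REMOTE_USER, or None so the whole flow starts again.
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        userid, expires = entry
        if self.clock() >= expires:
            del self._sessions[cookie]
            return None
        return userid
```

Because `redeem` deletes the record, a reference replayed from browser history or a proxy log yields no second session.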

 

Apache Load Balancer Persistence

Computer Tech Stuff

Apache 2.2's load balancer is pretty neat. However, to get persistence to work properly, you have to be careful. Here we are setting the balancer manager to watch a client cookie called BALANCEID, and each member has a particular route string tied to it that is set in the cookie. It's important to note that the cookie format must be something.routestring, i.e., nat.server1. If it is just server1, it will not work.

  ProxyPass / balancer://mycluster/ stickysession=BALANCEID
  ProxyPassReverse / http://localhost:71/
  ProxyPassReverse / http://localhost:72/
  <Proxy balancer://mycluster>
        BalancerMember http://localhost:71 route=server1
        BalancerMember http://localhost:72 route=server2
  </Proxy>

Now there's the issue of the client cookie being set. What if you are load balancing a third party app or webserver and can't easily get the cookie set on the client? No problem! While it didn't work in 2.2.3 (in particular, the BALANCER_ROUTE_CHANGED var being set), when I tried in 2.2.11, I was able to set the cookie myself based on which balancer member was selected:

  # Set a session cookie when BALANCER_ROUTE_CHANGED is set. The cookie contains the
  # BALANCER_WORKER_ROUTE env variable, which holds the route defined above.
  # Note that the cookie value should be a session id, followed by a period, followed by the route.
  # Since it is usually not advisable to modify the session id cookie, it is best to create your own
  # cookie with anything you want for the session part; just make sure the period and route come last.

  ### Used for setting cookie
  LoadModule headers_module modules/mod_headers.so
  Header add Set-Cookie "BALANCEID=balancer.%{BALANCER_WORKER_ROUTE}e; path=/;" env=BALANCER_ROUTE_CHANGED

  # Just give some debug info in the header, don't use once you have it working
  Header add X-Var "BALANCER_ROUTE_CHANGED=%{BALANCER_ROUTE_CHANGED}e" env=BALANCER_ROUTE_CHANGED
  Header add X-Var "BALANCER_WORKER_ROUTE=%{BALANCER_WORKER_ROUTE}e" env=BALANCER_WORKER_ROUTE
  Header add X-Var "BALANCER_SESSION_ROUTE=%{BALANCER_SESSION_ROUTE}e" env=BALANCER_SESSION_ROUTE

Presto! Session persistence, all handled at the reverse proxy load balancer level.
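
A simplified model of the sticky lookup and the cookie set on a route change, added here as an example (it is not Apache's code or code from the original post). The `next_member` argument is an assumption that stands in for the balancer's own scheduling choice.

```python
# Route table mirroring the BalancerMember lines above.
MEMBERS = {"server1": "http://localhost:71", "server2": "http://localhost:72"}
STICKY = "BALANCEID"


def sticky_route(cookie_header):
    """Return the route carried by the sticky cookie, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == STICKY:
            # Everything after the first '.' is the route; no '.' means no route.
            _, dot, route = value.partition(".")
            return route if dot and route else None
    return None


def dispatch(cookie_header, next_member):
    """Return (backend, set_cookie); set_cookie is None when the route held."""
    route = sticky_route(cookie_header)
    if route in MEMBERS:
        return MEMBERS[route], None
    # Missing, malformed or unknown route: a member is chosen afresh and the
    # route change is what triggers the Set-Cookie header in the config above.
    cookie = f"{STICKY}=balancer.{next_member}; path=/;"
    return MEMBERS[next_member], cookie
```

A cookie naming a route that is not in the table is treated the same as no cookie, so a stale or hand-edited value only causes a fresh assignment.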
 

Apache: Handling weak browsers

Computer Tech Stuff

These days, most webservers that hold sensitive information allow only SSL ciphers of 128 bits or higher. However, it would be nice to redirect older browsers to a different page, suggesting that they upgrade their browser to one supporting decent encryption. This can be done in Apache with mod_rewrite and by enabling lower-strength ciphers. Read on to see example configuration code...
 

Apache: time-sensitive redirects, backdoor entry

Computer Tech Stuff

Apache's mod_rewrite can be used to do time-sensitive redirects... handy if you have to make a scheduled change at an inconvenient time. But even better, what if you need to get to the original site? This example also includes a URL, /backdoor, that sets a 15-minute cookie and redirects to the main page, plus an exclusion so that anyone who has that cookie set is not redirected. Cool stuff.

    RewriteEngine On
    # Start redirecting after this datetime
    RewriteCond %{TIME_YEAR}%{TIME_MON}%{TIME_DAY}%{TIME_HOUR}%{TIME_MIN} >200904040900
    # Don't redirect certain paths
    RewriteCond %{REQUEST_URI} !^/favicon.ico
    RewriteCond %{REQUEST_URI} !^/webservices
    RewriteCond %{REQUEST_URI} !^/backdoor
    # Don't redirect if backdoor cookie is active
    RewriteCond %{HTTP_COOKIE} !backdoor
    # Do the rewrite
    RewriteRule .* http://mynewhostname/ [R,L]

    # Allow back door access to old site (this site) - hit /backdoor and they get a cookie for
    # 15 mins such that they won't be redirected while it is active.
    RewriteRule ^/backdoor http://myoldhostname/ [CO=backdoor:yes:myoldhostname:15:/]
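
What the conditions above actually match, as an added example that is not part of the original post: a small Python model of the rule chain run over constructed requests. The function names and the sample requests are assumptions made for illustration.

```python
import re
from datetime import datetime

CUTOVER = "200904040900"  # value from the first RewriteCond
EXEMPT_PATHS = [r"^/favicon.ico", r"^/webservices", r"^/backdoor"]


def decide(uri, cookie_header, now):
    """Return 'redirect' or 'serve' for one request, following the rules above."""
    # The TIME_* variables concatenate to a zero-padded string and '>' compares
    # it lexically, so the cut-over minute itself is not yet redirected.
    stamp = now.strftime("%Y%m%d%H%M")
    if not stamp > CUTOVER:
        return "serve"
    # The path patterns are anchored only at the start and '.' is a wildcard.
    if any(re.search(p, uri) for p in EXEMPT_PATHS):
        return "serve"
    # The cookie pattern is unanchored: it matches anywhere in the Cookie header.
    if re.search("backdoor", cookie_header):
        return "serve"
    return "redirect"


AFTER = datetime(2009, 4, 4, 9, 1)
# Constructed requests: (URI, Cookie header, request time).
SAMPLE_REQUESTS = [
    ("/", "", datetime(2009, 4, 4, 9, 0)),   # exactly at the cut-over minute
    ("/", "", AFTER),                        # ordinary visitor after cut-over
    ("/webservices/quote", "", AFTER),       # exempt path prefix
    ("/", "backdoor=yes", AFTER),            # cookie set by the /backdoor rule
    ("/", "theme=backdoor-blue", AFTER),     # unrelated cookie, same substring
    ("/faviconXico", "", AFTER),             # unescaped '.' in the pattern
    ("/backdoor-notes.html", "", AFTER),     # prefix match on /backdoor
]


def audit(requests=SAMPLE_REQUESTS):
    return [decide(uri, cookie, now) for uri, cookie, now in requests]
```

Only the second request is redirected. If the exemption is meant for the cookie set by the /backdoor rule alone, the condition has to match that cookie's name and value rather than the bare word.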
 

Network and Server Monitoring

Computer Tech Stuff

One of my passions is automated monitoring and correction of network and server problems. I have the most experience with SiteScope (primarily a commercial website monitoring tool that has branched out to include protocols, application stacks, and whatever custom stuff you want) and Nagios, which is free and open source, and very very configurable.

I would LOVE to form a company implementing these or similar monitoring tools. I've done this a lot at work, and a little bit on the side for a few friends and their companies.

I've been looking around, and it seems that in addition to Nagios, two other contenders are Zenoss and Cacti. I've heard good things about Zenoss, specifically how it is easier to set up than Nagios. I think I may check it out, though I am a fan of Nagios's flexibility.

 

Apache: Convert uppercase to lowercase

Computer Tech Stuff

We had a requirement from a client, whose Windows website we were migrating to UNIX, that the new site be able to handle mixed-case tickers, i.e., /pwc, /Pwc, /PWC, /pwC, etc. Using mod_rewrite, it was doable:

    # Take any mixed or uppercase ticker and set to lower
    RewriteMap    lowercase    int:tolower
    RewriteRule ^(/[A-Z]...?)$ ${lowercase:$1} [R,L]
    RewriteRule ^(/.[A-Z]..?)$ ${lowercase:$1} [R,L]
    RewriteRule ^(/..[A-Z].?)$ ${lowercase:$1} [R,L]
    RewriteRule ^(/...[A-Z])$ ${lowercase:$1} [R,L]

This case conversion applies to any 3- or 4-character URI containing an uppercase letter. (It would probably be better to replace the "." above with [a-zA-Z], since the rules are likely intended to match only letters. As written, they will transform /a/BB as well, which is probably not desired.)
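
The four rules beside the letters-only variant suggested in the parenthesis, as an added example (not from the original post) that models them with Python's `re` module. The function names and the sample URIs are assumptions made for illustration.

```python
import re

# The four RewriteRule patterns exactly as written above.
ORIGINAL = [r"^(/[A-Z]...?)$", r"^(/.[A-Z]..?)$", r"^(/..[A-Z].?)$", r"^(/...[A-Z])$"]
# Same rules with every "." wildcard narrowed to a letter.
TIGHTENED = [p.replace(".", "[a-zA-Z]") for p in ORIGINAL]


def redirect_target(uri, rules):
    """Return the lowercased redirect target, or None if no rule matches."""
    for pattern in rules:
        match = re.match(pattern, uri)
        if match:
            return match.group(1).lower()  # what ${lowercase:$1} produces
    return None


def differences(uris):
    """URIs that the original rules redirect but the tightened rules leave alone."""
    return [u for u in uris
            if redirect_target(u, ORIGINAL) and not redirect_target(u, TIGHTENED)]


# Constructed sample URIs: tickers, a nested path, a digit, and out-of-range lengths.
SAMPLES = ["/pwc", "/Pwc", "/PWC", "/pwC", "/a/BB", "/Pw1", "/AB", "/ABCDE"]
```

Over these samples only /a/BB and /Pw1 behave differently, and already-lowercase or out-of-range URIs are untouched by both rule sets.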
 

Jury Duty

General News

It seems that even selecting a jury in Fort Bend County takes longer than can be done before lunch. I had a deceptively filling steak burrito at a local Mexican place, and then decided to spend the remaining 60 of my 90 minute lunch walking around historic Richmond. I noticed an Italian place serving Osso Bucco! Darn, too bad I already ate. Now I almost want to be on the jury so I can go back there as well as another popular looking place or two.

I had the misfortune of walking into a gift shop with a confectionery, and thus walked out with two pieces of peanut butter fudge. Sitting on the bench in the cool afternoon tasting the peanutty treat with the sun on my face really made my day.

I got back to the courtroom with 30 minutes to spare, and I noticed that the jury chairs are nice, padded, blue leather chairs. Did I mention that they recline? I'm dead meat after lunch if I am on the jury!

I wonder if it's OK to have a margarita with lunch? Needless to say, I didn't get selected, so I won't get the opportunity... It's probably also not a good idea to do so during jury days, but having one on the jury selection day can't hurt! Just don't get sloshed. *wink wink*

Interesting note: they pay $40 / day if you are selected on the jury, but not for the jury selection. I guess that's sort of the consolation prize for those who have to return the next day.
 

Holy cr@p, I'm watching teen soap operas

General News

I noticed tonight that the baby channel (Noggin) that runs shows like Little Bear, Blue's Clues, Barney, etc. turns into Teen Soap Opera channel after 5. Wow.... Wife started watching one and didn't want me to switch to something else... and damn, I started following it, too.... There's been a "Degrassi" marathon on tonight that's been on while I've been computing on my laptop. I suppose it's interesting enough for a background show, but it's scary to think that I'd stop computing and do more watching... Like I said, teenage soap opera. More interesting than my wife's soap operas she used to watch, anyway. Is that a bad thing?
 

Neat Linux tip

UNIX

Lots of times I have a need to make a backup of a file or such that I end up forgetting about and it sits around taking up disk space. Sometimes in annoyance of this, I have simply skipped making the backup, and have been burned by it. Finally I came up with this alternative:
  1. Make a directory on your desktop called DeleteIn2Weeks. In my case, the full path was /home/guytonw/Desktop/DeleteIn2Weeks
  2. Create the following cron entries:
    0 1 * * * find /home/guytonw/Desktop/DeleteIn2Weeks -mtime +14 -type f -exec echo Deleting {} \;
    1 1 * * * find /home/guytonw/Desktop/DeleteIn2Weeks -mtime +14 -type f -exec rm {} \;

This is nice because any files put in there will automatically be swept away after a sufficient amount of time. (Hopefully I won't need the backup after 2 weeks' time!)
 

Computer games from the past

Computer Tech Stuff

Lately I've been playing Diablo 2 a lot. It came out in the year 2000, and is still selling on shelves today. Nicely enough, Blizzard has released patches over time that have added items and special game events for really high level characters, not to mention changing the dynamics of skill points. OK, OK, I'm geeking out here.

The main reason I started playing was because I did not want to buy a new laptop to play some of the newer games. One day I'll break down, but it's not necessary just yet... At any rate, it's a lot of fun playing online!

 
 Copyright © 2010 Nat's Geeklog