Category Archives: Computers

Adding Trusted Root Certificate Authorities to iOS (iPad, iPhone)

As manager of a web administration team, I’ve seen several teams struggle to add internal Certificate Authorities to iPads and iPhones… and I don’t blame them; it’s not obvious.

To add private CA certs to your iPhone or iPad, you will need:

  • The iPhone Configuration Utility (Windows or Mac)
  • Your iPhone or iPad physically connected by cable to that Windows or Mac machine. It’s tempting to add the resulting .mobileconfig by downloading it wirelessly in a browser, but a profile installed that way will not be trusted.
  • The cert file(s)

Once the above requirements are met, do the following:

  1. Start the iPhone Configuration Utility.
  2. Under “Library”, select “Configuration Profiles”.
  3. Click the Add New button on the top left.
  4. Fill out the mandatory fields on the General tab.
  5. Under the Credentials section, add the CA cert or certs.
  6. Attach your iOS device if it is not already connected.
  7. Select your device in the iPhone Configuration Utility, and select its Configuration Profiles tab.
  8. You should see the profile you just created with an “install” button on the right – click it.
  9. On your device, you will see a profile installation dialog – hit the install button and follow directions.

That’s all; the CA profile should now be installed and verified with a green check. I hope this helps some of you out there.

This process can also be used to install client SSL certs on the iPad.

Ten Times Faster

The past few days, Comcrap seems to have been playing IP games, perhaps in doing maintenance on their network. On Sunday my external IP changed to a very different number and I altered my DNS settings accordingly so people could still get to my webserver. Then on Monday morning it switched back! Oh, I guess that makes sense if they are doing maintenance (IPv6 support, PLEASE!) and need to isolate some of their infrastructure. The problem is that a few hours later, service to my house was dropped completely.

This is bad because, while I have a caching reverse proxy in the cloud, all dynamic parts of my websites are hosted on my home server. Particularly, my wife’s photography business that is taking off was not able to serve clients. Groan. Maybe I should bite the bullet and beef up the memory of the cloud server. “Next to nothing” costs for my current cloud server profile times two (as a result of doubling the memory) I guess would be “near nothing” costs….

At any rate, while considering all this, I had the downed connection to deal with. The standard reboot the cable modem deal did not solve the problem like it had in the past. Since my neighbor had Internet, a call to Comcrap was in order. The tech, Jeremy, was actually pretty nice, but after a while said he would have to call me back. Oh well.

While I was waiting for the callback, I figured now was the perfect time to install the new $22 5 Port Gigabit switch that I had bought from Fry’s, and move the WRT54G to the side to just serve wifi clients. My servers and desktop will like being able to talk to each other fast! I did so, rearranging the wires and all that, and cleaned things up a bit. Things were nice and fast now between my main server and my Untangle home gateway. Happy! Ten times faster.

Comcrap called back saying things should work now, but had me unplug the cable modem for a few minutes before plugging it back in. I was testing directly with my laptop connected to it (I know, bad, as the average PC is hacked in 32 seconds or some such when unprotected facing the net!), and the connection worked.

The other thing I wanted to address with Comcrap was what my speed should be looking like. I had tested it the other day with speedtest.net and gotten only 1.4 Mb down and 0.3 Mb up, whereas my neighbor was getting 30 down and 5 up! I went to speedtest again to give Jeremy the results, and lo and behold, I was getting 33 Mb down! Wow! I wondered what they had fixed. Happily, I thanked him for his help and let him go.

Now putting all back together with the Untangle server as the gateway, I tested again… UGH – back to 1.4 Mb downloads. I got the same when testing from my server. This meant only one thing – that Untangle must be causing the problem. I went to the Untangle server and disabled the spam, virus, phish, and attack sensors, and also the web filtering, openvpn, and even firewall, leaving it pretty much as a router with no blocks. STILL 1.4 Mb down. UGH.

Poking around in the networking config, I saw the advanced link hiding in the corner, and sure enough, in there was the QoS – Quality of Service – section. Memories came back – I had set QoS a long time ago to prevent certain clients on the internal network from hogging too much bandwidth (Ok, teenagers downloading movies). The thing with this is, QoS asks you to tell it what your download and upload speeds are, which back then were 1.5 down and 0.367 up. By setting these, QoS knows what rates to throttle the connections back to. The down side was that QoS now effectively imposed its own cap on ALL traffic based on what I had told it, and as Comcrap updated service over the years, I never saw it.

Lesson learned: either don’t use QoS or remember to update your settings with accurate download/upload throughput speeds! Otherwise you will be capping your access unnecessarily.

Apache Load Balancer Persistence

Apache 2.2’s load balancer is pretty neat. However, to get persistence to work properly, you have to be careful. Here we are setting the balancer manager to watch a client cookie called BALANCEID, and each member has a particular route string tied to it that is set in the cookie. It’s important to note that the cookie value must have the form something.routestring, i.e., nat.server1. If it is just server1, it will not work.

# All requests go to the balancer; the BALANCEID cookie carries the sticky route
ProxyPass / balancer://mycluster/ stickysession=BALANCEID
ProxyPassReverse / http://localhost:71/
ProxyPassReverse / http://localhost:72/
<Proxy balancer://mycluster>
 # route= is the string that must follow the '.' in the cookie value
 BalancerMember http://localhost:71 route=server1
 BalancerMember http://localhost:72 route=server2
</Proxy>

Now there’s the issue of getting the client cookie set. What if you are load balancing a third-party app or webserver and can’t easily get the cookie set on the client? No problem! While it didn’t work in 2.2.3 (in particular, the BALANCER_ROUTE_CHANGED variable was not being set), when I tried in 2.2.11 I was able to set the cookie myself based on which balancer member was selected:

# mod_headers is required for the Header directives below
LoadModule headers_module modules/mod_headers.so
# Set the session cookie when BALANCER_ROUTE_CHANGED is set, using the
# BALANCER_WORKER_ROUTE env variable, which holds the route= value of the
# member that was chosen.
# The cookie value must be a session id, followed by a period, followed by the
# route. Since an application's own session-id cookie should not be rewritten,
# it is best to create your own cookie: anything you like for the session part,
# as long as a period and the route come last.
# (If the site is served over HTTPS only, consider appending Secure and HttpOnly.)
Header add Set-Cookie "BALANCEID=balancer.%{BALANCER_WORKER_ROUTE}e; path=/;" env=BALANCER_ROUTE_CHANGED
# Debug info in the response headers; remove these once it is working
Header add X-Var "BALANCER_ROUTE_CHANGED=%{BALANCER_ROUTE_CHANGED}e" env=BALANCER_ROUTE_CHANGED
Header add X-Var "BALANCER_WORKER_ROUTE=%{BALANCER_WORKER_ROUTE}e" env=BALANCER_WORKER_ROUTE
Header add X-Var "BALANCER_SESSION_ROUTE=%{BALANCER_SESSION_ROUTE}e" env=BALANCER_SESSION_ROUTE

Presto! Session persistence, all handled at the reverse proxy load balancer level.
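To make the cookie-format rule concrete, here is a small Python model of how the balancer picks a member from the stickysession cookie. It is an added example, not code from the post and not Apache’s own source: it reproduces the behaviour the post depends on, namely that the route is whatever follows the first ‘.’ in the cookie value, so nat.server1 routes to server1 while a bare server1 carries no route and falls through to the scheduler (a plain round-robin here, standing in for the byrequests algorithm). The member URLs, route names and cookie name are the ones from the configuration above; the env dictionary and Set-Cookie string mirror the BALANCER_* variables and the Header rule.

```python
"""Model of mod_proxy_balancer's sticky-route selection (added example)."""
from itertools import cycle

# Balancer members exactly as configured in the post: URL -> route string.
MEMBERS = {
    "http://localhost:71": "server1",
    "http://localhost:72": "server2",
}
STICKY = "BALANCEID"                 # stickysession=BALANCEID in ProxyPass

_round_robin = cycle(MEMBERS)        # stand-in for the byrequests scheduler


def cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a Cookie: header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def route_from_cookie(cookie_header):
    """Route is the text after the FIRST '.' of the sticky cookie; None if no dot."""
    value = cookie_value(cookie_header, STICKY)
    if value is None:
        return None
    _, dot, route = value.partition(".")
    return route if dot else None


def choose_worker(cookie_header):
    """Return (worker_url, env).

    env mirrors the BALANCER_* variables mod_proxy_balancer exports and, when
    the route had to change, the Set-Cookie header the post's Header rule emits.
    """
    route = route_from_cookie(cookie_header)
    env = {}
    if route:
        env["BALANCER_SESSION_ROUTE"] = route
    for url, member_route in MEMBERS.items():
        if route == member_route:
            env["BALANCER_WORKER_ROUTE"] = member_route
            return url, env
    # No usable route: fall back to the scheduler and flag the change so that
    # 'Header add Set-Cookie ... env=BALANCER_ROUTE_CHANGED' fires.
    url = next(_round_robin)
    env["BALANCER_WORKER_ROUTE"] = MEMBERS[url]
    env["BALANCER_ROUTE_CHANGED"] = "1"
    env["Set-Cookie"] = "BALANCEID=balancer.%s; path=/" % MEMBERS[url]
    return url, env


if __name__ == "__main__":
    # Constructed sample Cookie: headers, including the bare-route mistake.
    for hdr in ("", "BALANCEID=server1", "BALANCEID=nat.server1", "BALANCEID=nat.server2"):
        url, env = choose_worker(hdr)
        print("%-25r -> %s %s" % (hdr, url, env))
```

Run it and watch the second line: BALANCEID=server1 is treated exactly like no cookie at all, so the client gets re-balanced and a fresh BALANCEID=balancer.serverN cookie, which is the symptom behind “if it is just server1, it will not work”.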

Apache: Handling weak browsers

Most webservers that hold sensitive information these days allow only SSL ciphers of 128 bits or higher. However, it would be nice to redirect older browsers to a different page suggesting that they upgrade to a browser that supports decent encryption. This can be done in Apache with mod_rewrite and by enabling lower-strength ciphers. Read on to see example configuration code…

The following belongs in your SSL VirtualHost:

# If the negotiated key size is below 128 bits. Note that mod_rewrite's "<"
# is a string comparison, shorter strings first: a two-digit key size such as
# 40 or 56 precedes "128", while 128, 168 and 256 do not (Apache 2.4 adds -lt
# for a numeric comparison).
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE}  <128
# AND there were some arguments in the URL (it was followed by ?something)
RewriteCond %{QUERY_STRING} .
# Redirect to lowcrypt, passing the requested URL as an argument with the
# original args (QUERY_STRING) intact
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI}?%{QUERY_STRING} [R,NE,L]

# Same key-size test, for requests without a query string
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
# Redirect to lowcrypt, passing the requested URL as an argument
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI} [R,NE,L]

# You can tweak this to your liking, but here is a rather permissive example.
# It deliberately re-enables LOW, EXP, eNULL and SSLv2 so that weak clients can
# complete the handshake and be redirected instead of failing to connect.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP:+eNULL

Note that to test this with firefox, I had to do the following to allow weak ciphers and disable strong ones:

  1. Point the Firefox browser to “about:config”
  2. For filter, enter “ssl”
  3. Disable SSL v3 by setting "security.enable_ssl3 = false"
  4. Enable SSL v2 by setting "security.enable_ssl2 = true"
  5. I found that I also had to go in and actually enable an SSL v2 cipher: "security.ssl2.rc2_40 = true"

Works great!
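The comment “does not contain 3 characters” is the whole trick, and it is easy to get wrong in other rules, so here is an added Python model (not from the post, not Apache code) of the two SSL_CIPHER_USEKEYSIZE rules above. It implements the ordering mod_rewrite uses for the < and > CondPatterns (length first, then character by character, the compare_lexicography routine in mod_rewrite.c), then shows for each key size whether a redirect fires and what URL the NE-flagged rule builds. The SERVER_NAME, REQUEST_URI and QUERY_STRING values are constructed for the demo; lowcrypt.gatech.edu is the upgrade-advice host named in the configuration.

```python
"""Model of the weak-cipher redirect rules above (added example)."""


def lexically_precedes(a, b):
    """True if a sorts before b under mod_rewrite's length-then-content order.

    This is what RewriteCond's "<" uses: "40" < "128" because it is shorter,
    but "256" is not < "128" because, at equal length, '2' follows '1'.
    """
    if len(a) != len(b):
        return len(a) < len(b)
    return a < b


def weak_cipher_redirect(env):
    """Return the redirect target the two RewriteRules would send, or None.

    env holds the mod_rewrite variables the rules read: SSL_CIPHER_USEKEYSIZE
    (a decimal string, as mod_ssl exports it), SERVER_NAME, REQUEST_URI and
    QUERY_STRING.
    """
    if not lexically_precedes(env["SSL_CIPHER_USEKEYSIZE"], "128"):
        return None  # key size is 128 or more: neither rule fires
    original = "https://%s%s" % (env["SERVER_NAME"], env["REQUEST_URI"])
    # First rule: QUERY_STRING non-empty, so the original args are appended
    # after a second '?' (the NE flag keeps '?' and '/' unescaped).
    if env.get("QUERY_STRING"):
        return "http://lowcrypt.gatech.edu/index.php?%s?%s" % (original, env["QUERY_STRING"])
    # Second rule: no query string to carry along.
    return "http://lowcrypt.gatech.edu/index.php?%s" % original


if __name__ == "__main__":
    # Constructed sample request; key sizes are the ones mod_ssl can negotiate.
    base = {"SERVER_NAME": "www.example.edu", "REQUEST_URI": "/app/", "QUERY_STRING": "id=7"}
    for bits in ("40", "56", "128", "168", "256"):
        print(bits, "->", weak_cipher_redirect(dict(base, SSL_CIPHER_USEKEYSIZE=bits)))
```

Note the practical caveat this exposes: the length-first ordering happens to give the right answer for every key size mod_ssl reports, but a rule such as <1000 would misclassify a 4-digit value, so on Apache 2.4 the numeric -lt operator is the safer choice.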

Apache: time-sensitive redirects, backdoor entry

Apache’s mod_rewrite can be used to do time-sensitive redirects… handy if you have to make a scheduled change at an inconvenient time. But even better, what if you need to get to the original site? This example also includes a URL, /backdoor, that sets a 15-minute cookie and redirects to the main page, plus an exclusion so that anyone who has that cookie set is not redirected. Cool stuff.

    RewriteEngine On
    # Start redirecting after this datetime. ">" is a string comparison, which
    # works here because the TIME_* variables are zero-padded to a fixed width.
    RewriteCond %{TIME_YEAR}%{TIME_MON}%{TIME_DAY}%{TIME_HOUR}%{TIME_MIN} >200904040900
    # Don't redirect certain paths
    RewriteCond %{REQUEST_URI} !^/favicon.ico
    RewriteCond %{REQUEST_URI} !^/webservices
    RewriteCond %{REQUEST_URI} !^/backdoor
    # Don't redirect if the backdoor cookie is present
    RewriteCond %{HTTP_COOKIE} !backdoor
    # Do the redirect
    RewriteRule .* http://mynewhostname/ [R,L]

    # Allow back door access to the old site (this site): hit /backdoor and the
    # client gets a cookie for 15 mins so it won't be redirected while it is active.
    RewriteRule ^/backdoor http://myoldhostname/ [CO=backdoor:yes:myoldhostname:15:/]
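Because the cutoff and the cookie exclusion interact, it helps to see both decisions side by side. The Python below is an added example, not from the post and not Apache code: it models the rule set above for a given path, request time and Cookie: header, returning where the client is sent and which cookie the /backdoor rule hands out. The cutoff, excluded paths, host names and 15-minute lifetime are the ones from the configuration; the request times are constructed, and the expires formatting is a simplified approximation of what the CO flag emits.

```python
"""Model of the time-sensitive redirect with /backdoor cookie (added example)."""
import re
from datetime import datetime, timedelta

CUTOFF = "200904040900"                      # from the RewriteCond on TIME_*
EXCLUDED = (r"^/favicon.ico", r"^/webservices", r"^/backdoor")
NEW_SITE = "http://mynewhostname/"
OLD_SITE = "http://myoldhostname/"
BACKDOOR_LIFETIME = timedelta(minutes=15)    # CO=backdoor:yes:myoldhostname:15:/


def lexically_precedes(a, b):
    """mod_rewrite's ordering for "<" and ">": shorter string first, then content."""
    if len(a) != len(b):
        return len(a) < len(b)
    return a < b


def time_stamp(when):
    """Build the same 12-character string the RewriteCond concatenates."""
    return when.strftime("%Y%m%d%H%M")


def rewrite(path, when, cookie_header=""):
    """Return (location, set_cookie) as the rule set would for this request.

    location is None when the request is served by this (old) site; set_cookie
    is the cookie the /backdoor rule attaches, otherwise None.
    """
    if re.match(r"^/backdoor", path):
        # Second RewriteRule: send to the old host and hand out the cookie.
        # (Approximation of the Set-Cookie the CO flag produces; `when` is
        # treated as GMT for simplicity.)
        expires = when + BACKDOOR_LIFETIME
        cookie = "backdoor=yes; domain=myoldhostname; path=/; expires=%s" % (
            expires.strftime("%a, %d-%b-%Y %H:%M:%S GMT"))
        return OLD_SITE, cookie
    after_cutoff = lexically_precedes(CUTOFF, time_stamp(when))   # TIME > CUTOFF
    excluded = any(re.match(p, path) for p in EXCLUDED)
    has_cookie = "backdoor" in cookie_header   # RewriteCond %{HTTP_COOKIE} !backdoor
    if after_cutoff and not excluded and not has_cookie:
        return NEW_SITE, None
    return None, None


if __name__ == "__main__":
    # Constructed request times one minute either side of the cutoff.
    before = datetime(2009, 4, 4, 8, 59)
    after = datetime(2009, 4, 4, 9, 1)
    for path, when, cookies in (("/", before, ""), ("/", after, ""),
                                ("/webservices/soap", after, ""),
                                ("/", after, "backdoor=yes"),
                                ("/backdoor", after, "")):
        print("%-20s %s %-14r -> %s" % (path, time_stamp(when), cookies, rewrite(path, when, cookies)))
```

One thing worth noticing from the output: the cookie exclusion is a plain substring match on the whole Cookie: header, so any cookie whose name or value contains “backdoor” keeps a client on the old site. Tighten the pattern (for example to ^backdoor=yes or ; backdoor=yes) if other cookies on the domain could collide.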