Tuesday, August 26, 2008

Make a web app friendly with an SSL accelerator

The point of an SSL wrapper/accelerator is to handle the SSL encryption and sessions on a single proxy server, which then spreads the traffic across a bunch of web servers behind it without encryption:
users -----ssl-----> proxy -----cleartext-----> bunch of web servers

That improves performance because:
  • we can route connections sensibly across multiple web app servers
  • an SSL accelerator/wrapper can handle many more SSL sessions than a web server like apache (at least twice as many in my benchmark)
  • we can cache content on the SSL accelerator server with a basic cache service (e.g. squid)
  • and much, much more scalability

Here is my case:
  • SSL accelerator/wrapper: pound (with or without an SSL accelerator card)
  • reverse proxy: squid
  • PHP web app served by apache2 or lighttpd

How do we tell the web app that the connection with the users is indeed encrypted, while it stays unencrypted between the proxy and the web server?

Let's use a header like X-Forwarded-Proto, which will be either "http" or "https", and use it in our webapp PHP code as follows:
...
// $behind_ssl_accelerator is the webapp setting saying the app sits behind the SSL accelerator
if ($behind_ssl_accelerator === true) {
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        // app is behind an ssl accelerator
        $what_is_served_to_user = $_SERVER['HTTP_X_FORWARDED_PROTO']; // "http" or "https"
        $what_webapp_must_serve = 'http';                              // the proxy-to-app leg stays cleartext
    }
}
...
NB: the first condition (the webapp setting) is there to stop attackers from sending this header from their own browser to fool the webapp when there is no SSL wrapper in front of it. Remove it if you don't care about security for that feature.
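The same check as a reusable function, as an added example (not the post's own code): the header is trusted only when the webapp setting says the accelerator is in front, and the resulting scheme drives redirects and the session cookie's Secure flag. BEHIND_SSL_ACCELERATOR, the function names and the sample request are assumptions.

```php
<?php
// Added example, not the post's own code. BEHIND_SSL_ACCELERATOR stands in
// for the "webapp setting :: behind ssl accelerator" flag; the function and
// sample names below are assumptions for illustration.
define('BEHIND_SSL_ACCELERATOR', true);

// Scheme the user actually sees. The X-Forwarded-Proto header is trusted
// only when the app is configured as sitting behind pound: otherwise the
// header is client-controlled (any browser can send it) and is ignored.
function user_facing_scheme(array $server, bool $behind_accelerator): string
{
    if ($behind_accelerator && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // pound sets exactly "https"; take the first value in case a chain
        // of proxies appended to the header, and normalise case.
        $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0];
        return strtolower(trim($first)) === 'https' ? 'https' : 'http';
    }
    // No accelerator: use what the web server itself negotiated.
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Redirects must carry the user-facing scheme, not the cleartext one apache
// sees on the proxy-to-app leg, or the browser drops out of SSL on a 302.
function absolute_url(array $server, string $path): string
{
    $scheme = user_facing_scheme($server, BEHIND_SSL_ACCELERATOR);
    return $scheme . '://' . $server['HTTP_HOST'] . $path;
}

// The session cookie gets the Secure flag only when the user is on https.
function start_session_for(array $server): void
{
    $https = user_facing_scheme($server, BEHIND_SSL_ACCELERATOR) === 'https';
    session_set_cookie_params(['secure' => $https, 'httponly' => true, 'path' => '/']);
    session_start();
}

// Constructed sample of what apache sees for a request that reached pound
// over SSL and was forwarded in cleartext.
$sample = ['HTTP_HOST' => 'www.example.com', 'HTTP_X_FORWARDED_PROTO' => 'https'];
echo absolute_url($sample, '/login'), "\n";

// Same header sent directly by a client while the setting is off: ignored.
echo user_facing_scheme($sample, false), "\n";
```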


So now we tell our own SSL accelerator to set the header properly. In the case of pound:
...
AddHeader "X-Forwarded-Proto: https"
...
Voila

NB: Squid could be the SSL wrapper and the caching service together if it were possible to legally provide it with openssl compiled in. Unfortunately the GPL and the openssl license do not fit together, the squid devs are not ready to move to gnutls nor to provide a license exception, and my company doesn't want to be in an illegal position. However I packaged squid with openssl (like redhat does, even though it's not legal) and it works great as an SSL wrapper as well.

Sunday, August 24, 2008

Christmas before Christmas

Here comes the LVM snapshot merge feature:
http://kerneltrap.org/Linux/LVM_Snapshot_Merging

That's awesome for us sysadmins, for instance to create a snapshot of the system before a big upgrade, a move or anything risky; then if we screw up deeply, we can now just roll back. Thank you Santa... I mean thank you Mikulas Patocka.

Another situation: it gives us flexibility with PMs or clients who change their mind when it's too late: just take the snapshot before the big move, then roll back.

Just wait a bit for it to get upstream, or ask me gently to provide new kernel packages.

Tuesday, May 20, 2008

Hide files/folders on a Linux/Unix system

There are different ways to achieve this aim; let's see them.

1- the dot solution + permissions
As the quickest and easiest solution you can always use the dot solution with restricted 700 permissions:
mkdir .secretfolder && chmod 700 .secretfolder
Then the folder and any file in it won't be seen by a simple ls command or by a GUI browser with default settings. But the files are not really hidden and can still be seen with ls -a or by enabling "show hidden files" in your favorite file browser.
So this is not really a solution.

2- the encryption or "what you really want to achieve" solution
You want to hide some files/folders to keep them secret, in other words to have data confidentiality: encryption is THE path to data confidentiality.
For that you can use GPG encryption (GnuPG) or a basic encrypted file system to store your secret information.

3- the mount point or "hyperspace link" solution
That solution comes from the fact that any mount point can be a proper non-empty folder. See the example below.

Let's create a folder where we are going to store our secret data:
mkdir /mnt/folder
Let's put some secret data into it:
echo "this my secret password = password" > /mnt/folder/mysecretpassword.txt
Now let's hide it, assuming I have a USB disk device (sdb1) connected to my computer (or any other device, like a disk partition):
mount /dev/sdb1 /mnt/folder
Now let's verify the file is hidden:
ls -al /mnt/folder
folder1 folder2 usbdiskinfo.txt

As you see, all the folders and files that were in /mnt/folder are not browseable/accessible anymore as long as we keep it as a mount point.
To access those hidden files again is just a matter of unmounting the device, and "voila".

Synthesis
Personally, solution 2 is the proper solution to the original problem you want to resolve;
hiding files does not really bring any confidentiality, just a placebo effect.
Here is the moral of the story: always step back from your problem to figure out what you really want to achieve.

Wednesday, February 13, 2008

When Microsoft runs its business on top of Linux.

How funny is that?!
And so controversial while Microsoft is sending so much FUD about Linux.

Here is the original article

In this situation, my Grand-ma always has this advice:
"put your mouth where your actions are!"

Steve Ballmer should listen to you, Grand-ma.

Wednesday, January 30, 2008

Wilson Prom national park and 90 Mile Beach

Spent my 3-day weekend (thanks to Australia Day) in Melbourne, then Wilson Promontory national park (the most southerly point of the Australian mainland), then 90 Mile Beach.

Met 4 friends over there: Marius, juju, Stephane and Catherine.

It was such a nice weekend. And as a proud Australian resident (but not citizen), we fired up the barbie and put on some lamb chops for a typical Australia Day.

Click here to view the photos.

Tuesday, January 29, 2008

Python function to feed your /etc/shadow with the MD5 version of your password

First you must write your own function to generate a proper random password; we call it "plain" here.
Then this function generates the hashed string from that "plain" password:


import secrets, string, crypt   # crypt is deprecated since Python 3.11 and removed in 3.13

def get_crypted(plain):
    # build an MD5-crypt salt: the "$1$" prefix followed by 8 salt characters
    SALT_PRE = "$1$"
    SALT_CORE = string.ascii_letters + "./"   # string.letters existed only in Python 2
    SALT_LEN = 11
    salt = SALT_PRE
    for i in range(SALT_LEN - len(SALT_PRE)):
        salt += secrets.choice(SALT_CORE)      # unpredictable salt (random.choice is not a CSPRNG)
    # crypt picks the MD5 algorithm from the "$1$" prefix and returns "$1$<salt>$<hash>"
    return crypt.crypt(plain, salt)


Monday, January 21, 2008

Mount external LVM partitions

AIM: remount LVM volumes, or mount an external drive managed with LVM.

As easy as 1, 2, 3:

pvscan and/or vgscan to get the list of all devices and volumes managed by lvm

vgchange -a y (just in case)

then the usual mount, for instance:
mount -t ext3 /dev/mapper/vg-slash /mnt/ext-slash
hiphop.