Categories
Computers Linux

Combine subversion, WebSVN and a web page in one Apache site

In my last post I wrote about how to get libapache_mod_auth_pam to play nicely with Apache2. This post is about putting it all together, complete with WebSVN and a default web page so that one can write an introductory text to the users using the site.

Getting subversion up and running on Apache was explained in the last post. The problem with that, however, is that the Location directive means that all content on the site is directed to dav_svn. Hence, it is not possible to access an index.html page in the root, nor the /websvn folder. If you try, you will just get the message “Could not open the requested SVN filesystem”.

Of course, the simple solution to this would be to put the dav_svn module one folder down in the site structure (e.g. http://svn.example.com/repositories/<repository>) by changing the Location directive to <Location /repositories/>. But that is ugly.

I assume there are many ways to solve this but here is how I did it.

  1. First, create two sites – svn.example.com and websvn.example.com (or whatever you want to call them).
  2. Configure the site svn.example.com as explained in the previous post
  3. Configure the site websvn.example.com as you would any other static site, adding a index.html file in the root with whatever content you want to have there
  4. Now, before the Location directive in the svn.example.com site definition, add the following:

  5. RewriteEngine on
    RewriteRule ^/$ index.html [R]
    ProxyPass /websvn/ http://websvn.example.com/websvn/
    ProxyPassReverse /websvn/ http://svn.example.com/websvn/
    ProxyPass /index.html http://websvn.example.com/index.html

  6. Finally, you may also want to add SSL support for the svn.example.com site but I won’t go into that here

To make this work, a couple of Apache2 modules must be enabled, namely: proxy, proxy_http and rewrite.

What the above does is that it rewrites accesses to the root URL / to /index.html. Then, all requests to either /index.html or /websvn are proxied to the other site (which does not have dav_svn enabled so they work fine there).

With everything in place, you should be able to access http://svn.example.com for the index.html page, http://svn.example.com/websvn for the WebSVN interface to the repositories – and anything else for the real repositories.

A prettier solution would be if the Location directive for Apache supported negated regular expressions but I have come to the conclusion that it doesn’t – at least not the version I am using (2.2.8).

Categories
Computers Linux

Apache >

Categories
Computers Linux

Install Rub

Categories
Computers Photography

For the love of colours

Every new web site, document template or just about any other type of production typically needs a set of matching colours. This can sometimes take too much time from the real work of finishing that prototype or document on time. Wouldn’t it be great if someone had already done the job.

To my joy I found out that someone already had. Or actually, 137,200 people have. They are all using the site www.colourlovers.com. Give it a try!

Colourlovers.com sample

Categories
Computers Linux

Trackpad issue on Acer Aspire One under Ubuntu 8.4.1

I am holding out for the OneLinux distribution specifically targeted for the Acer Aspire One. Meanwhile I have installed Ubuntu 8.4.1 according to the instructions on the Ubuntu community forums. Everything works fine apart from the trackpad which just dies on me sometimes. And when it dies it will not come back. As a matter of fact it doesn’t even help to restart the computer. I have to boot Ubuntu 8.4.1 from the CD and the reboot from the internal HD to get the trackpad operational again.

First I thought I had managed to mess things up when I opened up the AAO to insert more memory but the more I studied it the more convinced I became that the issue is in fact software related.

The trackpad never stops working in the middle of something – only when the computer has been suspended (but not every time). When the system boots up OK I can see the following two lines in the output to dmesg:


[ 25.547798] Synaptics Touchpad, model: 1, fw: 7.2, id: 0x1c0b1, caps: 0xd04771/0xa40000
[ 25.601159] input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio2/input/input7

However, on occasions when the mouse is not operational after a reboot, these lines are absent and instead there is one line:


[ 24.997164] psmouse.c: Failed to reset mouse on isa0060/serio2

Clearly something is not working as it should. This is really annoying and I do hope that the 8.10 release will fix it. Meanwhile, if anyone is experiencing the same issue – please let me know.

Categories
Computers Linux

Prevent ssh dictionary attacks

If you are like me you may be running a few Linux servers that are exposed to the Internet. To manage them you have probably enabled ssh login and opened up your firewall for such traffic. Maybe you have been thinking of the risk of being attacked and perhaps you have glanced at /var/log/auth.log. Chances are that you then realised that the Internet is not the friendly place it used to be.

Now, the risk of this may be minor. Naturally you are using complex passwords (who are not?) and of course you have disabled any logins by the root account. Naturally, you use certificates instead of passwords when logging in remotely. And while on the subject – may I add a feature request for openssh to restrict remote login using password on the basis of IP range?

So, I had done all that and still felt a little uneasy. Then I found the project Denyhosts. It is a Python based tool written by Phil Schwartz that tails the auth.log file, acting on multiple incorrect logins from the same host. Suspicious hosts are added to /etc/deny.hosts so that they can’t even connect to the ssh server.

I have been running the script on two computers for a couple of weeks. On average, one or two attackers are caught each day. Currently I am running both systems stand-alone but shortly I may join up with the large number of sites that aggregate attacker information to foil them before they even start attacking my machines.

Denyhosts is not new. In fact, the latest release is almost two years old. But it is small, can be configured in a jiffy and gets the job done. To install on a Ubuntu box, just type “sudo apt-get install denyhosts”.

Good job, Phil!

Categories
Computers Mac

Install git on Mac OS X 10.4

The other day I wrote about how I compiled and installed support for git on Mac OS X 10.5. I also use a laptop with Mac OS X 10.4 and thought naïvely that the same would work on Tiger. I was sorely mistaken.

Apparently git has a few dependencies which must have been met on Leopard but caused errors on Tiger. The dependencies are to the packages expat and asciidoc. To compile support for those the following can be done prior to running the installation of git.


# Install expat
wget http://switch.dl.sourceforge.net/sourceforge/expat/expat-2.0.1.tar.gz
tar -xvzf expat-2.0.1.tar.gz
cd expat-2.0.1
./configure
make
sudo make install


# Install asciidoc
wget http://www.methods.co.nz/asciidoc/asciidoc-8.2.7.tar.gz2
tar -xvzf asciidoc-8.2.7.tar.gz2
cd asciidoc-8.2.7
sudo ./install.sh

Once this is done, the installation of git should go smoothly.

Categories
Computers Windows

Exchange 2007 certificate problem with Symbian phones

Earlier this year we (or rather, myself) migrated to Exchange 2007 at work. We are not a big company but even so (or perhaps because of it) we have a rather heterogeneous set of client devices. People connect using Outlook 2003, Outlook 2007, Entourage 2008, Evolution, Apple Mail, Thunderbird and all kinds of mobile phones for both standard IMAP/SMTP (with encryption of course) or Microsoft licensed ActiveSync.

Before the migration we had a frontend Exchange server and three backend servers but after the switch we have just one Exchange 2007 server. Immediately after the switch, people started complaining that non-Microsoft mobile phones could not sync against the server using ActiveSync.

Since we are rather literate when it comes to computers we had set up an internal public-key infrastructure with a root certificate authority under SSL. The Windows domain included a certificate authority running as a subordinate authority which, in turn, had signed the SSL certificate for the Exchange 2007 server. All was done according to step-by-step guides from Microsoft. When accessing the web mail or using ActiveSync from Microsoft based mobile phones it worked. But it just wouldn’t work from Symbian phones – despite the fact that they had licensed the ActiveSync technology from Microsoft.

We tried all kind of settings before we eventually found the problem. It turns out that Exchange 2007 uses a relatively new (but still quite old) feature in SSL certificates called “Subject Alternative Name”. It is a feature that allows the certificate to be used for multiple host names and not just a single Common Name. The combination of Exchange 2007 and the subordinate Windows certification authority caused this extension to be set as “Critical” in the certificate which makes the certification check fail for any client that does not understand the Subject Alternative Name – which is exactly the case for Symbian phones.

The solution was simply to create a certificate by using OpenSSL alone and flag the extension as non-critical. The common name used in the certificate is still the only name used by ActiveSync clients so they have no problem with this change. The new host names in the certificate are to my understanding only used by Outlook 2007.

Categories
Computers Linux

Making a movie out of a set of images

Images captured at a certain interval (e.g. from a network camera in your home) can easily be converted into a movie. The simplest way to do this is to use the Linux package mencoder available as a package for most standard distributions.

For Ubuntu 8.04, mencoder can be installed just by typing

sudo apt-get install mencoder

Some tutorials on mencoder are based on an old version of the software and following them will not work. Instead the errors from mencoder will appear to indicate that some codecs are missing on the system. Installing them may solve the issue (it didn’t in my case) but will probably just waste your time.

The correct command to convert all JPEG images in a folder into a movie is

mencoder "mf://*.jpg" -mf fps=30 -o output.avi

Adjust the frame rate according to the frequency the images were taken or to make the movie go faster or slower. It is also possible to use the -speed parameter.

Categories
Computers Mac

Rails boilerplate project

After doing a couple of Rails projects I found myself doing the same setup for each project. On top of the template project I wanted user authentication support with mail activation. Whenever it was time to implement a new project I didn’t quite remember the exact process and ended up spending too much time searching for how-to-articles. This article is a summary of the steps required to create a project with support for user authentication based on restful_authentication.

To be able to implement this you will need to have a sufficiently new installation of Rails. I am using 2.1.1 but it may work on later or earlier versions. In addition, you will need to have support for git since the restful_authentication plugin has moved to a git repository.

The name “myproject” should be replaced with whatever project name you want to use.

Create project folder

$ rails myproject
$ cd myproject

css.php