Archive for May, 2011

Ubuntu, Apache, VirtualHosts, and SSL – part 2

In my first post about Ubuntu, Apache, VirtualHosts, and SSL I covered generating self-signed certificates and implementing them for Apache VirtualHosts. What I didn’t cover is that, if you implemented this without a correct base configuration, you’d get unexpected results when visiting your base domain over SSL.

It’s simple to resolve this. First, edit /etc/apache2/ports.conf and modify as follows:

  
  # If you add NameVirtualHost *:443 here, you will also have to change
  # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
  # to 
  # Server Name Indication for SSL named virtual hosts is currently not
  # supported by MSIE on Windows XP.
+ NameVirtualHost *:443
  Listen 443
  
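Review bot: the added NameVirtualHost *:443 line is only half of the change. As the comment lines above it say, the VirtualHost statement in /etc/apache2/sites-available/default-ssl has to be changed to the same *:443 address, and the comment line naming the new value ("# to") is cut off here, so spell that value out next to the change. The SNI comment that follows also deserves a sentence in the text: clients without Server Name Indication (MSIE on Windows XP is the one named) are served the first SSL virtual host's certificate whatever hostname they asked for.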

If you were reading closely, you know what to do next. Modify the sites-available/default-ssl file and change the directive as follows:

Now, restart apache:

/etc/init.d/apache2 reload

Your base SSL domain will now display the expected DocumentRoot, but the certificate will contain the URL localhost.localdomain. To fix this run, as root:

make-ssl-cert generate-default-snakeoil --force-overwrite

— From /usr/share/doc/apache2.2-common/README.Debian.gz

If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:

make-ssl-cert generate-default-snakeoil --force-overwrite

Questions, comments, and feedback regarding this guide are welcome!


The configuration defaults for GNOME Power Manager have not been installed

A friend brought me a Ubuntu system with the following issue:

On entering gdm, the login prompt was displayed on a black background and the following message appeared in the top-right corner:

“The configuration defaults for GNOME Power Manager have not been installed correctly. Please contact your computer administrator.”

Trying to log in as any user account was unsuccessful.

I don’t remember where I found the fix, but here’s what I did to fix it:

Once the gdm login screen appears, press CTRL-ALT-F1, which will switch you to a text-based login prompt, and log in using an account that has sudo privileges.

Run the following command:

sudo dpkg --configure -a

It may take a minute or two to complete. After that:

sudo reboot

After the reboot, when gdm appears you should have your colored background and the message should not appear.

Questions, comments, and feedback on this are welcome.


Forcing SSL for phpMyAdmin

After configuring WordPress to force SSL in the administration area, I was in phpMyAdmin and realized that it’s also not configured to do the same by default.

From the phpMyAdmin Wiki, add the following line at the end of your /etc/phpmyadmin/config.inc.php file

$cfg['ForceSSL'] = TRUE;

This will cause sessions to force SSL.

If you’re having issues making this work for you, check out my article involving Apache and SSL.

Questions, comments, and feedback are welcome.


Forcing the WordPress administration over SSL

From the WordPress administration over SSL guide, add the following directive to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This will cause logins and admin pages to force SSL sessions.

If you’re having issues making this work for you, check out my article involving Apache and SSL.

Questions, comments, and feedback are welcome.


convmv – Useful Linux filename conversion utility

Every now and then I’ll run into an issue with a website’s uploader. They ask me to upload a picture, but then when I click their upload button, none of my pictures appear in the dialog. After troubleshooting for a few, it turns out that they’re limiting file masks to [*.jpg, *.jpeg, *.bmp, *.png] etc. But — because I copied my pictures over from a Windows installation, they have all-capital file extensions. Linux uses a case-sensitive file system, so it regards these as different. Renaming a file to a lowercase extension [*.jpg] caused it to show up in the dialog which is what I wanted — but manually renaming thousands of pictures in dozens of directories was out of the question.

I could have written a bash script to do the renaming in a few minutes but I found something better — convmv. This simple utility makes filename conversions / renaming a breeze. By default, it runs in ‘test’ mode so that you can see what will happen before it does the job.

For my case, I needed to rename all the files to lowercase, so I used:

convmv --lower *

That showed me a verbose listing of everything it would do (test mode). However, I wanted to do the entire Pictures folder and everything under it. The new command from my Pictures folder became:

convmv --lower -r *

To get it to actually do the job, I had to specify --notest as well.

convmv --lower -r --notest *

It did its work within seconds and everything was lowercase. In my opinion, much easier and better than a bash script.

Convmv has plenty of other options, so next time you need to do filename conversion, check it out.

Questions, comments, feedback? Please share in the comments below. Thank you.


Integrating Smart 404 into the Suffusion WordPress theme

By default, WordPress does very little for a user who lands on a 404 or ‘Not Found’ page. The WordPress Smart 404 plugin can help with this, by attempting to match terms from the URL to published articles. This is something you want especially if you change your categories or tags because your old tag- and category-based URLs will not display anything useful to your visitors. Instead of losing them to a 404 page, show them what they’re looking for — or at least come close.

I use the Suffusion theme here on my blog, and I know it’s a very popular plugin as well, so here’s how to integrate Smart 404 nicely within Suffusion.

Obviously make sure you have both the Suffusion theme and the Smart 404 plugin installed and activated.

Open the theme editor by going to Appearance > Editor and load the 404.php file. Change it to include the smart404_suggestions PHP function call as follows:

  
+ <?php
+ if (function_exists('smart404_suggestions')) {
+ echo &quot;<br /><br />Here's some posts that may be close to what you were looking for:";
+ smart404_suggestions();
+ echo "<br /><br />You might also try searching.";
+ }
+ ?&gt;
  </p>
  </div><!--/entry -->
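Review bot: the first added echo line opens its string with the HTML entity &quot; but closes it with a plain double quote, and the last added line reads ?&gt; instead of a PHP closing tag, so the block as shown will not parse. Both should be the literal characters (a double quote and ?>) before this goes into 404.php.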

This wraps the smart404_suggestions function nicely in a PHP function_exists call, which will prevent PHP errors if you later decide to uninstall the plugin.

Be aware that if you update your theme at any point, you may have to redo this edit.

Questions, comments, and feedback about this are welcome and appreciated. Thank you!


How to install BCM4318 Airforce One 54g in Ubuntu Natty

Getting the Broadcom BCM4318 [Airforce One 54g] working under Ubuntu Natty only relies on getting the proper wireless firmware installed. Kudos to NMI who did the in-depth testing on this one.

In Synaptic package manager, install the firmware-b43-installer package. Or, at a terminal, enter the following:

sudo apt-get install firmware-b43-installer

This should install the necessary firmware and enable your wireless device within moments.

It sounds like this may be related to the BCM4328 chipset issue.

Please share any feedback you have in the comments below. Thank you.


How to tell if your Linux installation is 32-bit or 64-bit

Occasionally you may need to check whether you’re running a 32-bit or 64-bit Linux installation, such as when you’re installing third-party software that offers 64-bit specific versions.

Fortunately, there’s a very easy way to tell. Simply open a terminal and run the following command:

uname -i

You’ll receive one of the following as output:

i386 indicates 32-bit.

x86_64 indicates 64-bit.

Note that this only states what OS version you’re running, and not necessarily the capabilities of the hardware — such can be the case if you installed 32-bit Linux on 64-bit hardware.

If you want to find out if your processor actually supports the 64-bit instruction set (‘long mode’), run the following:

cat /proc/cpuinfo | grep lm

Example output:

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm arat dts tpr_shadow vnmi flexpriority ept vpid

The ‘lm’ in the flags indicates 64-bit support. Without it, the processor is certainly 32-bit.

 


Synology DiskStation on a subdomain with dynamic IP address

If you have a Synology DiskStation and already have a hostname (for your website, blog, or other) you can set up your DiskStation on a dedicated subdomain easily — even if you have a dynamic IP address.

First, determine what subdomain you’re going to assign to your device, based on the domain name you already have. For example, you might own example.com and want ds.example.com to point to your DiskStation. That’s perfectly fine — it’s your choice.

Next, get yourself a free dynamic IP hostname at a service like DynDNS. They provide Dynamic DNS hosts for free, and it only takes a few minutes to sign up. It doesn’t matter what domain you pick, but you only get one. For the purpose of this guide, I’ll say that I signed up for example.dyndns.org. If you are using the Synology Dynamic DNS service, you have this already. Continue.

Once you’re signed up and activated your domain, you need to set up automatic updating. You can do this through the DiskStation itself under Control Panel > DDNS, or with a router that supports Dynamic IP updating (most routers).


Now your client will keep your hostname up to date automatically, even if your IP address changes.

The next step is to assign your new DynDNS hostname to a DNS CNAME record. You want to add a CNAME record for ds.example.com that points to example.dyndns.org. Specific instructions will vary by your DNS registrar, so consult them if you’re not sure exactly how to add the record. Keep in mind it may take up to 24+ hours for the DNS record to propagate, so if it doesn’t work right away, try again later.

Once the DNS zone has propagated, you should be able to access your DiskStation at your new hostname ds.example.com, and the DynDNS client will keep your hostname updated.

If you want to create an SSL cert for HTTPS access, create it for ds.example.com using the instructions found here: https://mikebeach.org/2012/11/13/startssl-ssl-certificate-on-synology-nas-using-subdomain

Questions, comments, and feedback about this are welcome.


Ubuntu, Apache, VirtualHosts, and SSL

The goal of this guide is to provide you with an Apache SSL configuration with a unique self-signed certificate for each VirtualHost.

These self-signed certificates are not intended for e-commerce or public-facing web sites. Rather, they are intended for SSL encryption of administration areas on personal websites or administration programs that have HTTP interfaces. Of course, if you have a commercially-signed certificate, you can skip the certificate-generation part of the guide, and proceed to implementing it in a VirtualHost configuration.

Written for Apache on Ubuntu Server 10.04.

First, install the base Apache SSL certificate and enable the Apache SSL module:

sudo apt-get install ssl-cert
sudo a2enmod ssl

This installs a base SSL certificate and a generic ‘default-ssl’ site configuration. We will be generating per-domain self-signed certificates later. We will also not be using the ‘default-ssl’ site configuration.

Generating Certificates

Generate a hostname-specific SSL certificate by following the instructions quoted below:

— From /usr/share/doc/apache2.2-common/README.Debian.gz

To create more certificates with different host names, you can use
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt
This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the apache config (you don’t need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private .

Example:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/example.com.crt

Implementation

Now that the key is generated, we’re going to create an Apache VirtualHost configuration for SSL connections. Chdir to /etc/apache2/sites-available and copy (for example) example.com.conf to example.com-ssl.conf

Next, edit the example.com-ssl.conf file and make the following changes:

* At the beginning of the file (before the tag), add:

Example:

...

* Change the defined port number in the tag from 80 to 443

Example:

...

...

* At the end of the file, after the tag, add

Example:
...

* Within the tag, add the following directives:

SSLEngine On
# The following should point to your SSL cert file in /etc/ssl/private
SSLCertificateFile    /etc/ssl/private/example.com.crt

— From /etc/apache2/sites-available/default-ssl

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem

* Add the SSL workaround for MSIE in your VirtualHost section as follows:

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

— /usr/share/doc/apache2.2-common/README.Debian.gz

SSL workaround for MSIE
-----------------------
The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):
BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.

Lastly, enable the newly-created site and reload apache:

a2ensite example.com-ssl.conf

Enabling site example.com-ssl.conf.

Run '/etc/init.d/apache2 reload' to activate new configuration!

(This creates the symlink from /etc/apache2/sites-enabled to your config file in /etc/apache2/sites-available – you can also create it manually if your configuration requires it)

/etc/init.d/apache2 reload

* Reloading web server config apache2                                   [ OK ]

Of course, make sure after all of this that your firewall isn’t blocking port 443.
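
As an added example (not part of the original guide), the shell functions below check the README's point quoted above: a make-ssl-cert file holds both the key and the certificate, so every file named by SSLCertificateFile should be readable only by root. The function names, the sample vhost and the temporary directory are constructed for illustration, and GNU stat (as on Ubuntu) is assumed.

```sh
#!/bin/sh
# Added example: audit the files named by SSLCertificateFile in a vhost config.
# Any group/other permission bit on a combined key+certificate file exposes
# the private key.

# List the SSLCertificateFile paths in config file $1 (comment lines skipped).
cert_files() {
    awk 'tolower($1) == "sslcertificatefile" { print $2 }' "$1"
}

# Audit config $1: one line per file, returns 1 if any is missing or exposed.
audit_vhost() {
    rc=0
    for f in $(cert_files "$1"); do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$f")            # octal mode, e.g. 600 (GNU stat)
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "EXPOSED  $f (mode $mode)"; rc=1
        else
            echo "OK       $f (mode $mode)"
        fi
    done
    return $rc
}

# Constructed sample: a vhost shaped like the one this guide builds, written
# to directory $1 with the certificate file set to mode $2.
make_sample() {
    : > "$1/example.com.crt"; chmod "$2" "$1/example.com.crt"
    cat > "$1/example.com-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine On
    # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateFile    $1/example.com.crt
</VirtualHost>
EOF
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp" 600; audit_vhost "$tmp/example.com-ssl.conf"
make_sample "$tmp" 644
audit_vhost "$tmp/example.com-ssl.conf" || echo "restrict the file to root"
```

On a real server, run audit_vhost as root against each file in /etc/apache2/sites-enabled.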

Questions, comments, and feedback regarding this guide are welcome!
