Apache
Error: Fatal Python error: PyEval_AcquireThread: NULL new thread state
This error can have several causes:
1, mod_wsgi is compiled for a different Python version and/or a different Python installation than the Python virtual environment
2, mod_wsgi is compiled for a different Python installation than the one it is trying to use at runtime
3, mod_wsgi and mod_python are both enabled.
In my case, I figured out it was the third cause. To fix it I disabled mod_python, because I was running the website under the wsgi wrapper.
sudo a2dismod python
sudo service apache2 restart
Error: Authz_core:error Client Denied by Server Configuration
I upgraded Apache 2.2 to 2.3 and then faced a strange error: the existing Apache authorization directives were not working.
I made a modification that fixed the issue.
Error :
[Wed Jan 28 04:29:51.468839 2015] [authz_core:error] [pid 29764:tid 139708675897088] [client 117.247.186.108:46348] AH01630: client denied by server configuration: /opt/web-home/raspberrypi/facecount/static-assets/images/detect.png
This changes the way that access control is declared from
Order allow,deny
Allow from all
to :
Require all granted
This means that the total configuration for a Directory is now something like:
<Directory /path/to/directory>
Options FollowSymlinks
AllowOverride none
Require all granted
</Directory>
Restart apache and it’ll all work nicely.
HowTo: Tomcat Logging – log customized with {X-Forwarded-For}
Tomcat allows us to trace back through the logs with an enormous amount of information by customizing the log pattern. Preset patterns are available, and we can also define our own in a single line.
I enabled some more information, such as execution time, request size, cookies, etc.
Default tag should be like this
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
Common : %{X-Forwarded-For}i %l %u %t "%r" %s %b
Combined : %{X-Forwarded-For}i %l %u %t %r %s %b %{User-Agent}i %{Referer}i %{Cookie}i
You can change either Common or Combined.
I have implemented my own pattern like below, so it should be more detailed:
pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot; &quot;%{Referer}i&quot; &quot;%{Cookie}i&quot; %T"
Access Log pattern new look
-----------------------------
192.168.1.185 - - - [18/Mar/2014:10:52:06 +0530] "GET /ajax/norm/list/status?ids=23%2C11%2C9%2C7%2C6%2C5%2C2%2C1%2C HTTP/1.1" 200 42 "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" "http://192.168.1.188/norm/list" "JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8" 0.007
-----------------------------
Log Details :
192.168.1.185 : Remote host name (or IP address if resolveHosts is false)
- : X-Forwarded-For
- : Remote logical username
- : Remote user that was authenticated
[18/Mar/2014:10:52:06 +0530] : Date and time, in Common Log Format
GET /ajax/norm/list/…… : First line of the request (method and request URI)
HTTP/1.1 : Request protocol
200 : HTTP status code of the response
42 : Bytes sent, excluding HTTP headers (Content size)
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 : User Agent
http://192.168.1.188/norm/list : Referer
JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8 : Cookie header
0.007 : Time taken to process the request, in seconds
Once everything has been done, restart Tomcat for the change to take effect. More options are given below:
%a – Remote IP address
%A – Local IP address
%b – Bytes sent, excluding HTTP headers, or '-' if zero
%B – Bytes sent, excluding HTTP headers
%h – Remote host name (or IP address if resolveHosts is false)
%H – Request protocol
%l – Remote logical username from identd (always returns '-')
%m – Request method (GET, POST, etc.)
%p – Local port on which this request was received
%q – Query string (prepended with a '?' if it exists)
%r – First line of the request (method and request URI)
%s – HTTP status code of the response
%S – User session ID
%t – Date and time, in Common Log Format
%u – Remote user that was authenticated (if any), else '-'
%U – Requested URL path
%v – Local server name
%D – Time taken to process the request, in millis
%T – Time taken to process the request, in seconds
%I – current request thread name (can compare later with stacktraces)
%f – X-Forwarded-For IP address
%F – X-Forwarded-For address
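A parser for the custom pattern shown above, as an added example that is not part of the original post: it splits a line into named fields, replaces the JSESSIONID value with a short hash so session IDs are not copied into downstream tooling, and honours X-Forwarded-For (a client-supplied header) only when the connecting host is a trusted proxy. The proxy address 10.0.0.2 and the second sample line are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime

# %h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i" "%{Referer}i" "%{Cookie}i" %T
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<agent>.*?)" "(?P<referer>.*?)" "(?P<cookie>.*?)" (?P<secs>\d+(?:\.\d+)?)$')
SESSION_RE = re.compile(r'(JSESSIONID=)([^;\s]+)', re.IGNORECASE)

def redact_cookie(cookie):
    """Swap the session ID for a short hash: lines stay correlatable, IDs stay secret."""
    return SESSION_RE.sub(
        lambda m: m.group(1) + "sha256:" + hashlib.sha256(m.group(2).encode()).hexdigest()[:12],
        cookie)

def client_ip(host, xff, trusted_proxies):
    """X-Forwarded-For is client-supplied: use it only when %h is a trusted proxy."""
    if host not in trusted_proxies or xff == "-":
        return host
    # Walk right to left; the first hop that is not one of our proxies is the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if hop and hop not in trusted_proxies:
            return hop
    return host

def parse_line(line, trusted_proxies=frozenset()):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # line does not follow the pattern
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["secs"] = float(rec["secs"])
    rec["cookie"] = redact_cookie(rec["cookie"])
    rec["client_ip"] = client_ip(rec["host"], rec["xff"], trusted_proxies)
    return rec

# PAGE_LINE is the sample from this page; SPOOFED_LINE is constructed (proxy 10.0.0.2,
# documentation-range addresses, first X-Forwarded-For hop supplied by the client).
PAGE_LINE = ('192.168.1.185 - - - [18/Mar/2014:10:52:06 +0530] '
             '"GET /ajax/norm/list/status?ids=23%2C11%2C9%2C7%2C6%2C5%2C2%2C1%2C HTTP/1.1" 200 42 '
             '"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" '
             '"http://192.168.1.188/norm/list" '
             '"JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8" 0.007')
SPOOFED_LINE = ('10.0.0.2 198.51.100.9, 203.0.113.7 - - [18/Mar/2014:10:52:07 +0530] '
                '"GET / HTTP/1.1" 200 - "curl/7.0" "-" "-" 0.001')

if __name__ == "__main__":
    for line in (PAGE_LINE, SPOOFED_LINE):
        rec = parse_line(line, trusted_proxies={"10.0.0.2"})
        print(rec["client_ip"], rec["status"], rec["secs"], rec["cookie"])
```

Because the pattern logs the full Cookie header, the raw access log itself contains live session IDs and should be protected accordingly.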
HowTo: How to setup basic authentication in tomcat
Container-managed authentication methods control how a user’s credentials are verified when a web app’s protected resource is accessed. When a web application uses basic authentication (BASIC in the web.xml file’s auth-method element), Tomcat uses HTTP basic authentication to ask the web browser for a username and password whenever the browser requests a resource of that protected web application. With this authentication method, all passwords are sent across the network in base64-encoded text.
Note: using basic authentication is generally considered insecure because it does not strongly encrypt passwords, unless the site also uses HTTPS or some other form of encryption between the client and the server (for instance, a virtual private network). But, if you’re just starting to use Tomcat, or if you just want to test container-managed security with your web app, basic authentication is easy to set up and test. Just add <security-constraint> and <login-config> elements to your web app’s web.xml file, and add the appropriate <role> and <user> elements to your CATALINA_BASE/conf/tomcat-users.xml file, restart Tomcat, and Tomcat takes care of the rest.
The example below shows a web.xml excerpt from a club membership web site with a members-only subdirectory that is protected using basic authentication. Note that this effectively takes the place of the Apache web server’s .htaccess files.
For app based Basic authentication you have to edit the web.xml in //webapps/Your-app/WEB-INF/web.xml
For ROOT basic auth, edit CATALINA_HOME/conf/web.xml
The web.xml security tags look like this
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Subdir test</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <!-- same role name as in your tomcat-users.xml file -->
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>iTest Web app resources</realm-name>
</login-config>
<security-role>
    <description></description>
    <role-name>manager</role-name>
</security-role>
In tomcat-users.xml, uncomment or add new tags for the user credentials
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="anand" password="password" roles="manager"/>
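The basic authentication exchange described above, as an added example that is not part of the original post: the server's 401 challenge, the header the browser sends back, and what the server (or anyone able to read unencrypted traffic) recovers from it. The realm and the anand/password entry are taken from the excerpts on this page; the function names are illustrative.

```python
import base64
import hmac

REALM = "iTest Web app resources"              # realm-name from the web.xml excerpt
USERS = {"anand": ("password", {"manager"})}   # mirrors the tomcat-users.xml entry


def challenge(realm=REALM):
    """Server -> client: the 401 response that makes the browser prompt."""
    return ('HTTP/1.1 401 Unauthorized\r\n'
            'WWW-Authenticate: Basic realm="%s"\r\n\r\n' % realm)


def authorization_header(username, password):
    """Client -> server: credentials are only base64-encoded, not encrypted."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_authorization(header):
    """Recover (username, password) from the header value, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    username, sep, password = raw.partition(":")  # the password may contain ':'
    return (username, password) if sep else None


def is_authorized(header, required_role, users=USERS):
    creds = decode_authorization(header)
    if creds is None:
        return False
    username, password = creds
    stored, roles = users.get(username, ("", set()))
    # Constant-time comparison, performed even for unknown users.
    ok = hmac.compare_digest(password.encode(), stored.encode())
    return ok and username in users and required_role in roles


if __name__ == "__main__":
    print(challenge(), end="")
    hdr = authorization_header("anand", "password")
    print("Authorization:", hdr)
    print("decoded:", decode_authorization(hdr))
    print("manager access:", is_authorized(hdr, "manager"))
```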
HowTo: Increase The Maximum Number Of Open Files / File Descriptors (FD)
Sometimes you will get an error message like "too many files open". This happens because you have reached the limit on open files. You can always try ulimit -n 2048. This only resets the limit for your current shell, and the number you specify must not exceed the hard limit.
Each operating system has a different hard limit setup in a configuration file. For instance, the hard open file limit on Solaris can be set on boot from /etc/system.
[anand@planetcure ~]$ cat /proc/sys/fs/file-max
172214
This shows the maximum number of open files for a single user; you can also use the commands below.
# ulimit -Hn
# ulimit -Sn
Limits can be set system-wide and at user level. For the global configuration we can use the /etc/sysctl.conf file under Linux operating systems. You can increase the maximum number of open files by setting a new value in the kernel variable /proc/sys/fs/file-max as follows (log in as root):
System-wide File Descriptors (FD) Limits
# sysctl -w fs.file-max=100000
This command raises the limit to 100000. To make the setting permanent, append the line "fs.file-max = 100000" to the file /etc/sysctl.conf, so that it does not change after a reboot. Then reload the settings:
# sysctl -p
Verify by using the command below
# sysctl fs.file-max
User-level File Descriptors (FD) Limits
In some cases we need to specify different settings for particular users. This will override the system-wide settings and give new limits to those users.
Set specific limits by editing the /etc/security/limits.conf file; we can also use this file for limits that apply to all users.
For apache:
httpd soft nofile 1024
httpd hard nofile 2048
All user limits
* soft nofile 1024
* hard nofile 2048
Save and close the file. You have to re-login to the console to get the new value.
su httpd -c "ulimit -Hn"
su httpd -c "ulimit -Sn"
Howto: Install ssl with tomcat Appserver.
Five easy steps to enable SSL for tomcat application server.
1, generate Key store
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore planetcure-in.jks
It asks for some information that we would like to publish along with the SSL certificate:
==Certificate information==
Common Name : *.planetcure.in
Organization name: Xtermpro
Country/Region name: myregion
City/Locality: mycity
State/Province: mystate
2, Generate CSR
The CSR is submitted to the SSL provider for digital signing. You then receive a CRT file from the SSL provider; you can see the signing information in it.
keytool -certreq -alias server -file planetcure-in.csr -keystore planetcure-in.jks
3, Import CA
You may also receive a public CA certificate from the certificate authority; you now need to import it. This is called the intermediate CA.
keytool -import -alias intermediate -trustcacerts -file intermediateCA.cer -keystore planetcure-in.jks
4, This is the final stage: import the cert file. You can see that there is another key already installed in the keystore, generated along with the keystore; it has to be replaced with the valid certificate.
keytool -import -alias server -trustcacerts -file planetcure-in.crt -keystore planetcure-in.jks
This will give the success output, now move to the configuration changes.
5, Edit the server.xml for the valid entries. The default Tomcat SSL port is 8443; here I use 443.
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="${catalina.home}/conf/keystore/planetcure-in.jks" keystorePass="keystorepassword" keyAlias="server" clientAuth="false" sslProtocol="TLS"/>
That's it. Now restart the web server for the changes to take effect.
Howto: mounting remote folder using ssh with fstab
I mostly suggest NFS for network shares, as it is easy to share over the network, and for Windows I use Samba services. Here I found a suitable solution for mounting a remote share without setting up any file share services on the server. We can mount folders directly using SSH, with FUSE working behind it.
For this kind of setup you need to install few packages listed below
fuse-2.7.4-8.el5.i386.rpm
fuse-libs-2.7.4-8.el5.i386.rpm
fuse-sshfs-2.4-1.el5.i386.rpm
Direct download package repositories,
ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/
Installation steps :
cd /home/downloads
wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-libs-2.7.4-8.el5.i386.rpm
wget ftp://195.220.108.108/linux/epel/5/i386/fuse-sshfs-2.4-1.el5.i386.rpm
wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-2.7.4-8.el5.i386.rpm
rpm -ivh fuse*.rpm
Password-less authentication
ssh-copy-id -i ~/.ssh/id_rsa.pub anand@192.168.1.6
Mounting fstab entries like this
vi /etc/fstab
sshfs#anand@192.168.1.6:/backup/ISO-files /mnt/ISO fuse delay_connect,idmap=user,uid=1000,gid=1000,umask=0,allow_other,_netdev,workaround=rename 0 0
Save the fstab and mount it automatically
mount -a
Now execute “mount” command, so you can see the entries like this.
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
root@192.168.1.6:/backup/ISO-files on /mnt/ISO type fuse.sshfs (rw,nosuid,nodev,allow_other)
Enjoy the share.
Howto: Install Ruby on Rails with Cpanel
Installing Ruby on Rails on cPanel
Start the installation steps as root or a sudo user, or submit a ticket to your hosting provider to enable Ruby on Rails in your hosting account.
For detailed information about RubyGems: commands and system, read their User Guide Manuals at: www.rubygems.org/
– To install Ruby on Rails:
SSH to the server and run this command:
- /scripts/installruby
If LIBSAFE is installed on your server, you need to add the directive /usr/bin/ruby to the exception list to prevent buffer overflow errors. SSH to the server and run this command:
- echo "/usr/bin/ruby" >> /etc/libsafe.exclude
The local path to the binary package is:
/usr/bin/gem
To check on the current version installed on your server:
- /usr/bin/gem -v
To list all installed gems:
- /usr/bin/gem -l
– To uninstall Ruby on Rails:
- List all the gems installed on your server and remove them all using the following command:
- /usr/bin/gem uninstall NAME_OF_GEM
The cPanel/WHM, by default, installs the following Gems:
rails, mongrel, fastthread, actionmailer, actionpack, activerecord, activeresource, activesupport, cgi_multipart_eof_fix, daemons, gem_plugin, rake.
For example, to uninstall the Gem: rails, we’ll run this command:
- /usr/bin/gem uninstall rails
Sample output:
Successfully uninstalled rails version 0.1.6
- Remove Gem directories and the binary package using the following commands (in that order):
- /bin/rm -rf /usr/lib/ruby
- /bin/rm -rf /home/cprubygemsbuild
- /bin/rm -fv /root/.gem
- /bin/rm -fv /usr/bin/gem
- Remove all ruby directories added to a client’s root directory. The local path is: /home/USER/ruby/
- Restart the cPanel (un-necessary but do it any way)
- /sbin/service cpanel restart
script : Start the tomcat as service.
This script is used to start the servlet container as a service; it uses commons-daemon to start the Java process.
#!/bin/sh
#
# tomcat Start/Stop the Tomcat servlet container.
#
# chkconfig: 345 55 55
# description: Tomcat servlet container.
# processname: tomcat
##############################################################################
#
# Small shell script to show how to start/stop Tomcat using jsvc
# If you want to have Tomcat running on port 80 please modify the server.xml
# file:
#
# <!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->
# <Connector className="org.apache.catalina.connector.http.HttpConnector"
#            port="80" minProcessors="5" maxProcessors="75"
#            enableLookups="true" redirectPort="8443"
#            acceptCount="10" debug="0" connectionTimeout="60000"/>
# Download and install dependency package
# http://mirror.symnds.com/software/Apache//commons/daemon/binaries/commons-daemon-1.0.15-bin.tar.gz
#
# Source function library.
. /etc/rc.d/init.d/functions
set +x
JAVA_HOME=/usr/local/jdk1.7.0_45
CATALINA_HOME=/usr/local/apache-tomcat-6.0.37
DAEMON_HOME=/usr/local/apache-tomcat-6.0.37
TOMCAT_USER=tomcat
TMP_DIR=/var/tmp
CATALINA_OPTS='-Xms512M -Xmx1024M'
CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$DAEMON_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/bootstrap.jar
prog=tomcat

start() {
    echo $"Starting $prog: "
    #
    # Start Tomcat
    #
    $DAEMON_HOME/bin/jsvc \
    -user $TOMCAT_USER \
    -home $JAVA_HOME \
    -Dcatalina.home=$CATALINA_HOME \
    -Djava.io.tmpdir=$TMP_DIR \
    -outfile $CATALINA_HOME/logs/catalina.out \
    -errfile '&1' \
    $CATALINA_OPTS \
    -cp $CLASSPATH \
    org.apache.catalina.startup.Bootstrap
    #
    # To get a verbose JVM
    #-verbose \
    # To get a debug of jsvc.
    #-debug \
}

stop() {
    echo $"Stopping $prog: "
    #
    # Stop Tomcat
    #
    PID=`cat /var/run/jsvc.pid`
    kill $PID
}

status() {
    # jps lists running JVMs; anything other than Jps itself counts as running
    if ! $JAVA_HOME/bin/jps -mlvV | grep -v "Jps" > /dev/null
    then
        echo "Stopped : $prog is not running"
    else
        echo "Running process for tomcat"
        echo "=========================="
        $JAVA_HOME/bin/jps -mlvV | grep -v "Jps"
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 2
        start
        ;;
    status)
        status
        ;;
    *)
        echo "Usage $0 {start|stop|restart|status}"
        exit 1;;
esac
Info: NFS Server&Client Setup
Server Side
This sets up an NFS share with read/write privileges for the specified UID and GID, so even root will be denied read or write access on that particular mount point, and it is completely secure from everything.
Install required packages of NFS server.
apt-get install nfs-kernel-server nfs-common portmap
After the installation of the NFS server, edit the /etc/exports file and add a line as follows.
/mnt/nfs 192.168.0.0/24(rw,sync,anonuid=106,anongid=114,no_subtree_check)
    ↓          ↓                    ↓
NFS share path | network | Options (here we need to set the user ID and group ID of the tomcat user)
Restart nfs server after making necessary changes in the exports file.
# service nfs-kernel-server restart
Client side Linux
Install nfs client packages on NFS client machine. Mount nfs share in the client machine.
apt-get install portmap nfs-common
Make the following entry in /etc/fstab
192.168.1.175:/mnt/nfs /home/nfs nfs rsize=8192,wsize=8192,timeo=14,intr
          ↓                ↓      ↓
Network share details | Mount point | Filesystem
Client Side Windows
Install NFS services for Windows through the Control Panel Add or Remove Windows Components wizard.
Edit the Windows registry and make the following changes.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default
1, Create two DWORD values namely AnonymousUid and AnonymousGid
2, Set these values to the UID and GID as set in the NFS server for tomcat user (Eg:-106,114)
3, Restart NFS service.
Go to All Programs - Administrative Tools - Services for Network File System and start the ClientForNFS service.
Select properties of clientfornfs and set permissions as per the requirement. (Eg:- Read&write permission for the