Cpanel
HowTo: Generate Certificate for OpenLDAP and using it for certificate authentication.
LDAPS Server Certificate Requirements
LDAPS requires a properly formatted X.509 certificate. This certificate lets a OpenLDAP service listen for and automatically accept SSL connections. The server certificate is used for authenticating the OpenLDAP server to the client during the LDAPS setup and for enabling the SSL communication tunnel between the client and the server. As an option, we can also use LDAPS for client authentication.
Having spent quite some time to make a TLS work, I thought this may be usefull to some :
Creating Self CA certificate:
1, Create the ldapclient-key.pem private key :
openssl genrsa -des3 -out ldapclient-key.pem 1024
2, Create the ldapserver-cacerts.pem certificate :
openssl req -new -key ldapclient-key.pem -x509 -days 1095 -out ldapserver-cacerts.pem
Creating a certificate for server:
1, Create the ldapserver-key.pem private key
openssl genrsa -out ldapserver-key.pem
2, Create a server.csr certificate request:
openssl req -new -key ldapserver-key.pem -out server.csr
3, Create the ldapserver-cert.pem certificate signed by your own CA :
openssl x509 -req -days 2000 -in server.csr -CA ldapserver-cacerts.pem -CAkey ldapclient-key.pem -CAcreateserial -out ldapserver-cert.pem
4, Create CA copy for the client:
cp -rpf ldapserver-cacerts.pem ldapclient-cacerts.pem
Now configure the certificates in slapd.conf, the correct files must be copied on each server:
TLSCACertificateFile /etc/openldap/certs/ldapserver-cacerts.pem TLSCertificateFile /etc/openldap/certs/ldapserver-cert.pem TLSCertificateKeyFile /etc/openldap/certs/ldapserver-key.pem TLSCipherSuite HIGH:MEDIUM:+SSLv2 # personnally, I only check servers from client. # If you do, add this : TLSVerifyClient never
Configure certificate for ldap clients
Key : ldapclient-key.pem Crt : ldapclient-cert.pem
Error: Fatal Python error: PyEval_AcquireThread: NULL new thread state
This might be cause of various issue.
1, mod_wsgi is compiled for a different Python version and/or a different Python installation than the Python virtual environment
2, Python installation it is trying to use at runtime
3, If mod_wsgi
and mod_python
are both enabled.
In my case, I figured out the third cause. for fixing disabled mod_python
because I was running website under wsgi wrapper.
sudo a2dismod python
sudo service apache2 restart
Error: Authz_core:error Client Denied by Server Configuration
I have upgraded apache2.2 to 2.3, now a strange error I faced. Existing Apache authorization directives are not working,
I have done a modification that fixed the issue
Error :
[Wed Jan 28 04:29:51.468839 2015] [authz_core:error] [pid 29764:tid 139708675897088] [client 117.247.186.108:46348] AH01630: client denied by server configuration: /opt/web-home/raspberrypi/facecount/static-assets/images/detect.png
This changes the way that access control is declared from
Order allow, deny
Allow from all
to :
Require all granted
his means that the total configuration for a Directory
is now something like:
<Directory /path/to/directory>
Options FollowSymlinks
AllowOverride none
Require all granted
</Directory>
Restart apache and it’ll all work nicely.
HowTo: Tomcat Logging – log customized with {X-Forwarded-For}
Tomcat is allowing us to track back logs with enamours of information by customizing the log pattern. There is preset patten is available, we can also implement is in single line
I enabled few more information like execution time , request size , cookies etc..
Default tag should be like this
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
Common : %{X-Forwarded-For}i %l %u %t “%r” %s %b
Combined : %{X-Forwarded-For}i %l %u %t %r %s %b %{User-Agent}i %{Referer}i %{Cookie}i
You can change either Common or Combined
I have implemented my own pattern like below, so it should more detailed
pattern="%h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i" "%{Referer}i" "%{Cookie}i" %T"
Access Log pattern new look
----------------------------- 192.168.1.185 - - - [18/Mar/2014:10:52:06 +0530] "GET /ajax/norm/list/status?ids=23%2C11%2C9%2C7%2C6%2C5%2C2%2C1%2C HTTP/1.1" 200 42 "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" "http://192.168.1.188/norm/list" "JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8" 0.007 -----------------------------Log Details : 192.168.1.185 : Remote host name (or IP address if resolveHosts is false) – : X-Forwarded-For – : Remote logical username – : Remote user that was authenticated [18/Mar/2014:10:52:06 +0530] : Date and time, in Common Log Format GET /ajax/norm/list/…… : First line of the request (method and request URI) HTTP/1.1 : Request protocol 200 : HTTP status code of the response 42 : Bytes sent, excluding HTTP headers (Content size) Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0: User Agent http://192.168.1.188/norm/list : Referer JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8 : Cookie header 0.007 : Time taken to process the request, in seconds
Once every thing has been done you can restart the tomcat to make it effect, more options are given below
%a – Remote IP address%A – Local IP address
%b – Bytes sent, excluding HTTP headers, or ‘-‘ if zero
%B – Bytes sent, excluding HTTP headers
%h – Remote host name (or IP address if resolveHosts is false)
%H – Request protocol
%l – Remote logical username from identd (always returns ‘-‘)
%m – Request method (GET, POST, etc.)
%p – Local port on which this request was received
%q – Query string (prepended with a ‘?’ if it exists)
%r – First line of the request (method and request URI)
%s – HTTP status code of the response
%S – User session ID
%t – Date and time, in Common Log Format
%u – Remote user that was authenticated (if any), else ‘-‘
%U – Requested URL path
%v – Local server name
%D – Time taken to process the request, in millis
%T – Time taken to process the request, in seconds
%I – current request thread name (can compare later with stacktraces)
%f – X-Forwarded-For IP address
%F – X-Forwarded-For address
HowTo: How to setup basic authentication in tomcat
Container-managed authentication methods control how a user’s credentials are verified when a web app’s protected resource is accessed. When a web application uses basic authentication (BASIC in the web.xml file’s auth-method element), Tomcat uses HTTP basic authentication to ask the web browser for a username and password whenever the browser requests a resource of that protected web application. With this authentication method, all passwords are sent across the network in base64-encoded text.
Note: using basic authentication is generally considered insecure because it does not strongly encrypt passwords, unless the site also uses HTTPS or some other form of encryption between the client and the server (for instance, a virtual private network). But, if you’re just starting to use Tomcat, or if you just want to test container-managed security with your web app, basic authentication is easy to set up and test. Just add <security-constraint> and <login-config> elements to your web app’s web.xml file, and add the appropriate <role> and <user> elements to your CATALINA_BASE/conf/tomcat-users.xml file, restart Tomcat, and Tomcat takes care of the rest.
The example below shows a web.xml excerpt from a club membership web site with a members-only subdirectory that is protected using basic authentication. Note that this effectively takes the place of the Apache web server’s .htaccess files.
For app based Basic authentication you have to edit the web.xml in //webapps/Your-app/WEB-INF/web.xml
For ROOT basic auth CATILINA_HOME/conf/web.xml
web.xml security tags looks like this
<security-constraint> <web-resource-collection> <web-resource-name> Subdir test </web-resource-name> <url-pattern> /* </url-pattern> <http-method> GET </http-method> <http-method> POST </http-method> </web-resource-collection> <auth-constraint> <!-- the same like in your tomcat-users.conf file --> <role-name> manager </role-name> </auth-constraint> </security-constraint> <login-config> <auth-method> BASIC </auth-method> <realm-name> iTest Web app resources</realm-name> </login-config> <security-role> <description> </description> <role-name> manager </role-name> </security-role>
tomcat-users.xml uncomment or add new tag for user credentials
<role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> <user username="anand" password="password" roles="manager"/>
HowTo: Increase The Maximum Number Of Open Files / File Descriptors (FD)
Sometimes we will get the error message is like “too many files open“, it is because of you have reached the limits of opened file, You could always try doing a ulimit -n 2048. This will only reset the limit for your current shell and the number you specify must not exceed the hard limit.
Each operating system has a different hard limit setup in a configuration file. For instance, the hard open file limit on Solaris can be set on boot from /etc/system.
[anand@planetcure ~]$ cat /proc/sys/fs/file-max 172214
This show the maxmimum number of opened files for the single user, you can also use the below commad.
# ulimit -Hn # ulimit -Sn
We can set this as System-wide and userlevel, for Global user configuration we can use /etc/sysctl.conf file under Linux operating systems. So you can increase the maximum number of open files by setting a new value in kernel variable /proc/sys/fs/file-max as follows (login as the root):
System-wide File Descriptors (FD) Limits
# sysctl -w fs.file-max=100000
The command allows to extend the new limit as 100000. You need to append the variable “fs.file-max = 100000” in the file /etc/sysctl.conf for the permanent set. It won’t be change after the reboot.
#sysctl -p
Verify by using below command
#sysctl fs.file-max
User-level File Descriptors (FD) Limits
Some of the case we need to specify the different level of setting for the particular users. This will override the sysetm wide settings and give the new limits for the users.
To specific limits by editing /etc/security/limits.conf file, we can all so use this file for all user limits
For apache:
httpd soft nofile 1024 httpd hard nofile 2048
All user limits
* soft nofile 1024 * hard nofile 2048
Save and close the file. You have to re-login to the console to get the new value.
su httpd -c "ulimit -Hn" su httpd -c "ulimit -Sn"
Howto: Install ssl with tomcat Appserver.
Five easy steps to enable SSL for tomcat application server.
1, generate Key store
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore planetcure-in.jks
It ask few information that we would like to publish along with the SSL
==Certificate information==
Common Name : *.planetcure.in
Organization name: Xtermpro
Country/Region name: myregion
City/Locality: mycity
State/Province: mystate
2, Generate CSR
CSR it to submit to the SSL provider for digital signing Now you receive CRT file from the SSL provider, you may see the signing information in it.
keytool -certreq -alias server -file planetcure-in.csr -keystore planetcure-in.jks
3, Import CA
You may also receive a public CA from the certificate Authority, now you need to import it. This will be called as intermediate CA
keytool -import -alias intermediate -trustcacerts -file intermediateCA.cer -keystore planetcure-in.jks
4, Now this is the final stage you have to import cert file , you can see that their is another key already installed in the key store that is generated along with the keystore generation, it have to replace with the valid certificate.
keytool -import -alias server -trustcacerts -file planetcure-in.crt -keystore planetcure-in.jks
This will give the success output, now move to the configuration changes.
5, Edit the server.xml for the valid entries. Default tomcat SSL port is 8443, here I user 443 .
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="${catalina.home}/conf/keystore/planetcure-in.jks" keystorePass="keystorepassword" keyAlias="server" clientAuth="false" sslProtocol="TLS"/>
that’s it, now restart the web server to make the changes effect .
Howto: mounting remote folder using ssh with fstab
Mostly I suggest nfs for network share and it is easy to share over network, also for windows I use samba services, Here I found the suitable solution for remote share mount with out setup any server file share services. We can directly mount folders using SSH , so fuse is working behind this.
For this kind of setup you need to install few packages listed below
fuse-2.7.4-8.el5.i386.rpm fuse-libs-2.7.4-8.el5.i386.rpm fuse-sshfs-2.4-1.el5.i386.rpm
Direct download package repositories,
ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/
Installation steps :
cd /home/downloads wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-libs-2.7.4-8.el5.i386.rpm wget ftp://195.220.108.108/linux/epel/5/i386/fuse-sshfs-2.4-1.el5.i386.rpm wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-2.7.4-8.el5.i386.rpm rpm -ivh fuse*.rpm
Password-less authentication
ssh-copyid -i ~/.ssh/id_rsa.pub anand@192.168.1.6
Mounting fstab entries like this
vi /etc/fstab sshfs#anand@192.168.1.6:/backup/ISO-files /mnt/ISO fuse delay_connect,idmap=user,uid=1000,gid=1000,umask=0,allow_other,_netdev,workaround=rename 0 0
Save the fstab an make it auto moutn
mount -a
Now execute “mount” command, so you can see the entries like this.
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) root@192.168.1.6:/backup/ISO-files on /mnt/ISO type fuse.sshfs (rw,nosuid,nodev,allow_other)
Enjoy the share.
Info: Configure Redmine on cpanel hosting account with sending and receiving emails.
Wiki : http://en.wikipedia.org/wiki/Redmine
Redmine is a free and open source, web-based project management and bug-tracking tool. It includes a calendar and Gantt charts to aid visual representation of projects and their deadlines. It handles multiple projects. Redmine provides integrated project management features, issue tracking, and support for various version control systems.
The design of Redmine is significantly influenced by Trac, a software package with some similar features.
Redmine is written using the Ruby on Rails framework. It is cross-platform and cross-database. It is part of the Bitnami app library that provides an installer and virtual machine for ease of deployment.
Before starting installation you have to make sure that Ruby on rails is working fine in your environment, If not you can follow the installation document for more help.
Installaing Ruby on Rails with Cpanel : https://enlook.wordpress.com/2013/11/19/howto-install-ruby-on-rails-with-cpanel/
Once you have done, then start the redmine installation steps.
Login to the terminal using primary account logins.
#ssh myaccount@mydomain.com
- Create rails_app folder and redmine folder within it then go inside that folder
# mkdir -p ~/rails_apps/redmine/ # cd ~/rails_apps/redmine/
- Download redmine redmine-2.3.3 or latest stable version, extract it and move the content out of it, then delete the files not being used.
-
# wget http://files.rubyforge.vm.bytemark.co.uk/redmine/redmine-2.3.3.tar.gz # tar -zxvf redmine-2.3.3.tar.gz # mv redmine-2.3.3/* ./ # rm -rf redmine-2.3.3/
-
- Move example files where they can be used
# cd config # mv database.yml.example database.yml # mv configuration.yml.example configuration.yml
- Creating the MySQL Database/User/Password
Login to Cpanel account, Create a database , user and grant full privilege to the new user for the particular database.
- Modifying your database.yml file.
# vi database.yml production: adapter: mysql database: redmine host: localhost username: myaccount_databaseuser password: newpassowd encoding: utf8
- Updating the ~/rails_apps/redmine/public/.htaccess file
# cd ../public/ # pwd
- You should see something similar to this.
/home/myaccountuser/rails_apps/redmine/public
- Add these lines
Options -MultiViews PassengerResolveSymlinksInDocumentRoot on #Set this to whatever environment you'll be running in RailsEnv production RackBaseURI / SetEnv GEM_HOME /home/myaccountuser/rails_apps/redmine/public # set to resolve avoid rails control to the folder for image resolution RewriteEngine On RewriteCond %{REQUEST_URI} ^/images.* RewriteRule .* - [L]
- Create a subdomain eg: projects.mydomain.com
Follow cpanel procedure to create subdomain. - Remove projects folder inside public_html and create symbolic link.
# rm -rf ~/public_html/projects
- Creating the symlink
# ln -s ~/rails_app/redmine/public ~/public_html/projects
- Updating Environment variables in ~/.bashrc file
- Add these lines to the bottom of your ~/.bashrc file
export HPATH=$HOME export GEM_HOME=$HPATH/ruby/gems export GEM_PATH=$GEM_HOME:/lib64/ruby/gems/1.9.3 export GEM_CACHE=$GEM_HOME/cache export PATH=$PATH:$HPATH/ruby/gems/bin export PATH=$PATH:$HPATH/ruby/gems
- after which source your .bashrc file
# source ~/.bashrc
- You will then need to check your rails version
rails -v && rake --version && gem -v
- You should get this message
Rails 4.0.1 rake, version 0.9.2.2 1.8.23
- Running bundle install
# cd ~/rails_apps/redmine/ # bundle install # rake generate_session_store
- Running generate_session_store or generate_secret_token
-
# rake generate_session_store
- If you get an error saying that command is deprecated, run this command instead;
# rake generate_secret_token
-
- Start the site session
# rake db:migrate RAILS_ENV=production
- Configuring outgoing emailsUpdate the setting in configuration.yml
default: email_delivery: delivery_method: :smtp smtp_settings: address: localhost port: 25 domain: mydomain.com authentication: :none enable_starttls_auto: false
Now the redmine have capable to send emails using exim install in the cpanel server.
- Configuring Incomming emails for IMAPCreate a cron job for the script to get continuous email feaching
For the first this script must execute from the terminal, so it will display error if any.
/usr/bin/rake -f /home1/innovat4/rails_apps/redmine/Rakefile --silent redmine:email:receive_imap RAILS_ENV="production" port=143 host=mydomain.com username=projects@mydomain.com password=myemailpassword
For more help follow the official link http://www.redmine.org/projects/redmine/wiki/RedmineReceivingEmails#Enabling-unknown-users-to-create-issues-by-email
Note : Each configuration required rails environment reboot for that you can follow the simple way.
# touch ~/rails_app/redmine/tmp/reboot.txt
Howto: Install Ruby on Rails with Cpanel
Installing Ruby on Rails on cPanel
Start the installation steps with root privileged or sudo user or you have to submit a tickte to your hosting provider for enabling Ruby on rails in you hosting account.
For detailed information about RubyGems: commands and system, read their User Guide Manuals at: www.rubygems.org/
– To install Ruby on Rails:
SSH to the server and run this command:
- /scripts/installruby
If LIBSAFE is installed on your server, you need to add the directive /usr/bin/ruby to the exception list to prevent buffer overflow errors. SSH to the server and run this command:
- echo “/usr/bin/ruby” >> /etc/libsafe.exclude
The local path to the binary package is:
/usr/bin/gem
To check on the current version installed on your server:
- /usr/bin/gem -v
To list all installed gems:
- /usr/bin/gem -l
– To uninstall Ruby on Rails:
- List all the gems installed on your server and remove them all using the following command:
- /usr/bin/gem uninstall NAME_OF_GEM
The cPanel/WHM, by default, installs the following Gems:
rails, mongrel, fastthread, actionmailer, actionpack, activerecord, activeresource, activesupport, cgi_multipart_eof_fix, daemons, gem_plugin, rake. For example, to uninstall the Gem: rails, we’ll run this command:- /usr/bin/gem uninstall rails
Sample output:
Successfully uninstalled rails version 0.1.6 - Remove Gem directories and the binary package using the following commands (in that order):
- /bin/rm -rf /usr/lib/ruby
- /bin/rm -rf /home/cprubygemsbuild
- /bin/rm -fv /root/.gem
- /bin/rm -fv /usr/bin/gem
- Remove all ruby directories added to a client’s root directory. The local path is: /home/USER/ruby/
- Restart the cPanel (un-necessary but do it any way)
- /sbin/service cpanel restart