Compile Turck MMCache with your PHP

Warning: This article/tutorial is more than 45 days old. As such, the information it contains could by now be out of date. Please read all of it to make sure that this article/tutorial will work with your current version of the operating system.

Pre-requisite: You already have Apache and PHP running on your OS X 10.3.3 (Please refer to my previous tutorial)

STEP 1

Download the source of Turck MMCache from:
http://turck-mmcache.sourceforge.net/

STEP 2

Decompress the source and change into the source directory.

STEP 3

Type the following (assuming you have installed PHP under /usr/local):

shell> export PHP_PREFIX="/usr/local"    # or the path where your PHP is installed
shell> $PHP_PREFIX/bin/phpize
shell> ./configure --enable-mmcache=shared --with-php-config=$PHP_PREFIX/bin/php-config

(if configure results in an error)

shell> aclocal

and retry STEP 3

shell> make
shell> sudo make install

After 'make install' you will see something like:
Installing shared extensions: /usr/local/lib/php/extensions/no-debug-non-zts-20020429/

STEP4

Add the following to the bottom of your php.ini (/usr/local/lib/php.ini):

zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/mmcache.so"
mmcache.shm_size="16"
mmcache.cache_dir="/tmp/mmcache"
mmcache.enable="1"
mmcache.optimizer="1"
mmcache.check_mtime="1"
mmcache.debug="0"
mmcache.filter=""
mmcache.shm_max="0"
mmcache.shm_ttl="0"
mmcache.shm_prune_period="0"
mmcache.shm_only="0"
mmcache.compress="1"

Please refer to http://turck-mmcache.sourceforge.net/ for information about configuring the options of the Turck MMCache

STEP 5

Make the cache directory:

shell> mkdir /tmp/mmcache

STEP 6

Restart your Apache server:

shell> sudo apachectl restart

In your Turck MMCache source directory there should be a file named "mmcache.php"; copy it to your Sites directory:

shell> sudo cp /[turck_mmcache_path]/mmcache.php ~/Sites

You should then be able to reach the online MMCache control panel at http://localhost/~[user]/mmcache.php

There is a lot you can configure from there; please refer to http://turck-mmcache.sourceforge.net/ for details.

How to play with sed command


Materials and methods

ifconfig command line, Control operator | (pipe), sed command line, Regular Expressions.

man sed(1).
man sh(1).
man bash(1).
man ifconfig(8).
man regex(3)

The sed utility reads the specified files, or the standard input if no files are specified, modifying the input as specified by a list of commands. The input is then written to the standard output.

sed options used for this example

-e command
Append the editing commands specified by the command argument to
the list of commands.

-n
By default, each line of input is echoed to the standard output
after all of the commands have been applied to it. The -n option
suppresses this behavior.

Sed Regular Expressions
The sed regular expressions are basic regular expressions (BREs, see
man regex(3) for more information). In addition, sed has the following two
additions to BREs:

1. In a context address, any character other than a backslash (“\”)
or newline character may be used to delimit the regular expression
by prefixing the first use of that delimiter with a backslash.
Also, putting a backslash character before the delimiting character
causes the character to be treated literally. For example, in the
context address \xabc\xdefx, the RE delimiter is an “x” and the
second “x” stands for itself, so that the regular expression is
“abcxdef”.

2. The escape sequence \n matches a newline character embedded in the
pattern space. You can’t, however, use a literal newline character
in an address or in the substitute command.

One special feature of sed regular expressions is that they can default to the last regular expression used. If a regular expression is empty, i.e. just the delimiter characters are specified, the last regular expression encountered is used instead. The last regular expression is defined as the last regular expression used as part of an address or substitute command, and at run-time, not compile-time. For example, the command “/abc/s//XXX/” will substitute “XXX” for the pattern “abc”.

Practical work and exercise

We will use the sed command to parse the output of the ifconfig command.

Regular expression exercise

1. We will use a string to simulate our output

setenv MyString " abc cba --bvd (frty) 4546464 abc--"

2. We will search the content of MyString between two indices [start pattern] [stop pattern]

echo $MyString | sed -n -e "s/^.*abc //g" -e "s/c-.*//p"

#The index [start pattern] is found
echo $MyString | sed -n -e "s/^.*(//g" -e "s/).*//p"
#The index [start pattern] is not found
echo $MyString | sed -n -e "s/^.*( //g" -e "s/).*//p"

#The index [start pattern] is found but the start index has moved
echo $MyString | sed -n -e "s/^.*([a-z]//g" -e "s/).*//p"
#The index [start pattern] is not found
echo $MyString | sed -n -e "s/^.*([0-9]//g" -e "s/).*//p"

3. To learn a little more: a step with awk and grep

#ctrl + c to stop
netstat -w1 | awk '/[0-9]/ {print $3,$6}'

# grep -v grep keeps the grep process itself out of the list of PIDs to kill
kill -9 `ps -aux | grep netstat | grep -v grep | awk '{print $2}'`

man grep(1)
man awk(1)
man netstat(1)
man kill(1)
man ps(1)

4. PHP bridge : Regular Expression Functions

preg_grep()
preg_match_all()
preg_match()
preg_quote()
preg_replace_callback()
preg_replace()
preg_split()

Final Script exercise

#!/bin/sh
# Copyright (C) 2003 OpenJaguar
#
# This programme is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#

# ifconfig -lu lists the names of the interfaces that are up
getInterfaces=`ifconfig -lu`

echo " "

for Interface in $getInterfaces; do

    # IPv4 address(es): strip everything up to "inet " and from " netmask" onwards
    getInet=`ifconfig $Interface | sed -n -e "s/^.*inet //g" -e "s/ netmask.*//p"`
    # hardware (MAC) address and MTU, printed only from the lines that carry them
    getEther=`ifconfig $Interface | sed -n -e "s/^.*ether //p"`
    getmtu=`ifconfig $Interface | sed -n -e "s/^.*mtu //p"`

    echo "interface" $Interface

    for inet in $getInet; do
        getBcast=`ifconfig $Interface | sed -n -e "s/^.*$inet.*.broadcast//p"`

        # point-to-point interfaces print "inet A --> B"; skip the arrow token
        if [ "${inet}" != "-->" ]; then
            echo " inet" $inet

            if [ "${getBcast}" != "" ]; then
                echo " broadcast" $getBcast
            fi
        fi

    done

    if [ "${getEther}" != "" ]; then
        echo " mac" $getEther
    fi

    if [ "${getmtu}" != "" ]; then
        echo " mtu" $getmtu
    fi

    echo " "

done
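As an added example (not part of the tutorial or of the OpenJaguar script), the following sh script redoes the "between two indices" exercise with a single sed substitution and then parses a constructed ifconfig output the way the final script does; the function names and the sample ifconfig text are ours.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the "search between two indices"
# exercise done with one sed substitution and a back-reference, then the same
# technique applied to a constructed ifconfig(8) output like the one the final
# script parses. The function names are ours.

# The exercise string from the tutorial (-- is the literal two-dash sequence).
MyString=" abc cba --bvd (frty) 4546464 abc--"

# between TEXT START STOP: print the text between the last START and the next STOP.
# START and STOP are basic regular expressions, so "(" and ")" are literal, and they
# must not contain the "/" delimiter. The tutorial's two commands,
# -e "s/^.*START//" -e "s/STOP.*//p", still print when START is absent (the second
# substitution succeeds on its own); one s///p with \(...\) prints only when both match.
between() {
    printf '%s\n' "$1" | sed -n "s/^.*$2\\(.*\\)$3.*\$/\\1/p"
}

# Constructed "ifconfig -a" output in Mac OS X style (leading tabs shown as spaces).
SampleIfconfig='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%en0 prefixlen 64 scopeid 0x4
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff'

# iface_block TEXT IFACE: the header line of IFACE and the indented lines below it
iface_block() {
    printf '%s\n' "$1" | sed -n "/^$2: /,/^[^[:space:]]/{/^$2: /p;/^[[:space:]]/p;}"
}

# inet_addrs BLOCK: IPv4 addresses only. "inet " with its trailing blank does not
# match "inet6", and the group stops at the first blank, so a point-to-point line
# "inet 10.0.0.1 --> 10.0.0.2" yields 10.0.0.1 (the case the script's "-->" test covers).
inet_addrs() { printf '%s\n' "$1" | sed -n 's/^.*inet \([0-9.][0-9.]*\).*$/\1/p'; }
ether_addr() { printf '%s\n' "$1" | sed -n 's/^.*ether \([0-9a-f:]*\).*$/\1/p'; }
mtu_value()  { printf '%s\n' "$1" | sed -n 's/^.*mtu \([0-9]*\).*$/\1/p'; }

# broadcast_of BLOCK ADDR: the broadcast address on the "inet ADDR" line, if any.
# The dots in ADDR are escaped first, so 192.168.1.20 cannot also match 192x168x1x20.
broadcast_of() {
    addr=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed -n "/inet $addr /s/^.*broadcast \\([0-9.]*\\).*\$/\\1/p"
}

# report TEXT: the layout of the tutorial's script, fed from TEXT instead of ifconfig
report() {
    for iface in $(printf '%s\n' "$1" | sed -n 's/^\([^[:space:]]*\): .*/\1/p'); do
        block=$(iface_block "$1" "$iface")
        echo "interface $iface"
        for inet in $(inet_addrs "$block"); do
            echo "  inet $inet"
            bcast=$(broadcast_of "$block" "$inet")
            if [ -n "$bcast" ]; then echo "  broadcast $bcast"; fi
        done
        mac=$(ether_addr "$block")
        if [ -n "$mac" ]; then echo "  mac $mac"; fi
        mtu=$(mtu_value "$block")
        if [ -n "$mtu" ]; then echo "  mtu $mtu"; fi
    done
}

between "$MyString" "(" ")"          # frty
report "$SampleIfconfig"
```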

Installing ProFTP with MySQL Support


Taken from http://www.afp548.com/
ProFTPd, for the pro?
by Didde Brockman

The FTP server installed by default on Mac OS X Server is good enough for most administrators looking to enable users to upload or download files from their home directories or Share Points, but that’s about it. When you’re looking at a rather complex directory structure and a lot of different users it gets a bit complicated.

After a few hours of looking through the different possible solutions which might suit our demands, I decided to write down a list of the features the server had to include. As it would be hosting a wide variety of Web sites through Apache, with individual clients wanting access to their files, it had to be scalable to the degree where we could add FTP users easily without having to use the fairly slow Workgroup Manager application. Also we didn’t want them to be able to SSH into the machine, as this could be seen as a potential security risk.

So, what we needed was a server software which would contain its own users and groups database separate from Apple’s NetInfo.

ProFTPd is used on large sites like SourceForge and several others, so I figured it should be able to handle a large enough load of users. While I was reading through the documentation for it I stumbled across a component (add-on) that enables user verification through an SQL database like PostgreSQL or MySQL. This seemed like the perfect solution for us, since we could then create a simple Web application to add users and groups to the database which ProFTPd authenticates against. I decided to give it a try…

The installation process might seem complicated if one is not used to the idea of a command line interface, but it’s pretty straightforward actually. The process below demands root privileges; I trust you to use sudo or be logged in as root. I decided to use MySQL for this setup since it’s included with Mac OS X Server, and I will assume you already have it up and running. If not, there are plenty of good articles out there to cover that matter. Believe me, it’s a very simple process.
Installation outline
These are the steps I am going to walk you through.

1. We will download ProFTPd and the add-on enabling it to authenticate through the MySQL database.

2. Configure two database tables, users and groups, which will be used for user management.

3. Integrate our new and shiny FTP server with xinetd.

Get it?
First we should get the software we’re going to need. So head on over to a directory where you’re comfortable with putting temporary stuff. I use my own /usr/local/play for it, but any directory of your choice will do just fine.

As of the writing of this article the latest stable version is 1.2.7, so that’s the version we’re going to download.

% curl -O ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.7.tar.gz
% tar xvfz proftpd-1.2.7.tar.gz
% cd proftpd-1.2.7

Ok, now that we’ve got ProFTPd we should get the module required to enable it to authenticate through a database. The files in question belong in proftpd-1.2.7/contrib. If you’re looking for more information about this module, head on over to http://www.lastditcheffort.org/~aah/proftpd/mod_sql/.

% cd contrib
% curl -O http://www.lastditcheffort.org/~aah/proftpd/mod_sql/src/mod_sql-4.08.tar.gz
% tar xvfz mod_sql-4.08.tar.gz

We’re now ready to configure and compile, but we need to tell ProFTPd that we want use MySQL for authentication by handing a couple of directives to it.

% cd ..
% ./configure --with-modules=mod_sql:mod_sql_mysql \
--with-includes=/usr/local/include \
--with-libraries=/usr/lib/mysql

Then we make, and install…

% make
% make install

ProFTPd will land in /usr/local/sbin and its configuration file will be located at /usr/local/etc/proftpd.conf. The one thing I really like about this server is the Apache style configuration file. If you feel comfortable with httpd.conf, you will like the syntax of proftpd.conf.

Now that we have ProFTPd ready to run we will create the necessary database and tables for authentication. I’ll use the Terminal to interface with MySQL but if you prefer to use a GUI application for it, more power to you. The naming conventions I’ll be using are not “standard”, meaning you can name your own anything you like, as long as it will be reflected in the configuration file we will build later on.

% mysql -u root -p
> Password:

mysql> create database ftpauth;
mysql> use ftpauth;

mysql> create table usertable (
> userid text,
> passwd text,
> homedir text,
> shell text,
> uid int,
> gid int);

mysql> create table grouptable (
> groupname text,
> gid int,
> members text);

What we just did was to create a database named ftpauth. Along with that we constructed a table called usertable which will contain the users ProFTPd will be letting in. Also the table grouptable was made here. It will be the container for the groups which the users will be inserted into.

Finally we want to create a user in the database who can connect and select (lookup) the relevant information to be able to authenticate an FTP session. Since we’re going to be running both the MySQL and ProFTPd on the same machine we only let our user, proftpd connect from the localhost which is good from a security perspective.

mysql> grant select on ftpauth.* to proftpd@localhost identified by 'myPasswd';
mysql> flush privileges;

xinetd
You have a choice to make right here. You could run ProFTPd in “StandAlone” mode, or you could integrate it with xinetd. The default FTP server is run through the latter. What it means is that you don’t have to boot ProFTPd manually or through a startup item, xinetd will take care of that for you. Basically it does all the listening on port 21 and spawns a child process when needed. I would recommend using xinetd since you can control your FTP server through the Server Settings application just like you would with the default FTP server.

Please note if you decide to run it in “StandAlone” mode it will have to be reflected in proftpd.conf. Simply replace “inetd” with “StandAlone”.

What we want to do is to tell xinetd that there’s no point of using the old FTP server anymore. So, here’s what we do:

% pico /etc/xinetd.d/ftp

… Then we want to comment out these lines:

server = /usr/libexec/xftpd
server_args = -a

… And add this line:

server = /usr/local/sbin/proftpd

This way, if you ever change your mind you simply remove our added line and remove the # in front of the two lines we edited, and you will be back where you started.

Finally we need to tell xinetd to use the new settings:

% kill -HUP `cat /var/run/xinetd.pid`

proftpd.conf
Now we have both ProFTPd and MySQL ready to serve. We just need to give ProFTPd some parameters so it can connect to our database and look through the tables we just created. Below is my sample configuration file. Please note that it is far from complete. It simply illustrates how to point the authentication to the database. You can create your own secure and customized configuration based on the documentation available from http://www.proftpd.org/.

The directives concerning SQL are the ones we want to talk about further, as the others only relate to the general configuration of ProFTPd.

ServerName "My new and Shiny ProFTPd server!"

# Could use "StandAlone", but we want xinetd to handle incoming connections
ServerType inetd

ServerAdmin admin@myplace.com

# Hide as much info as possible to outsiders
ServerIdent on "Welcome. Please login..."
DeferWelcome on

DefaultServer on

Port 21
Umask 022

User root
Group wheel

# Lock users into their home directories
DefaultRoot ~

# The passwords in the MySQL are encrypted using PASSWORD().
# Otherwise we could have used "Plaintext".
SQLAuthTypes Backend

SQLAuthenticate users*

# This string is used to connect to the database. As you notice,
# the names and values match the ones we created earlier.
# database_name@host database_user database_user_password
SQLConnectInfo ftpauth@localhost proftpd myPasswd

# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Again, as you notice, the names and values
# match the ones we created earlier.
SQLUserInfo usertable userid passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again, as you notice, the names and values
# match the ones we created earlier.
SQLGroupInfo grouptable groupname gid members

What just happened? Well, first we told ProFTPd how to connect to our dear database containing the user and group information. We also described the layout, or rather – the names of the columns which are interesting for authentication. If you recall, we created a database named ftpauth with two tables, usertable and grouptable. Also we granted access to these to a specific user named proftpd, who can only select, not delete or update, and only from the localhost.
Connecting with our testuser
I sure want to give this beast a testdrive now, don’t you? There has been a lot of work and less play, but now we’re almost there. We just need to create a user to log in with, and along with that we can throw him in a group as well.

Get into MySQL again…

% mysql -u root -p
> Password:

mysql> insert into grouptable (
groupname,
gid,
members
)
values(
'testgroup',
65001,
'testuser'
);

… And so, there we have the group of our soon to be user. Now we just need him.

mysql> insert into usertable (
userid,
passwd,
homedir,
shell,
uid,
gid
)
values(
'testuser',
PASSWORD('anotherPasswd'),
'/Library/WebServer/testuser_website',
'/bin/tcsh',
64001,
65001
);

testuser now has an account he can use. He will only have access to /Library/WebServer/testuser_website, he belongs to the group with gid 65001 which is our testgroup, and his password is not stored in plaintext in the database; since we told ProFTPd to authenticate using the Backend method, it works.

Congratulations. You now should have a working setup where you can easily add FTP-only users to your machine without having to involve NetInfo or any passwd files. What you really need to do now is test it all out right away…

If the login fails, then try to run ProFTPd directly from the Terminal. This way you’ll see if there is a problem with the configuration file or if something else is out of bounds. You should see something like this if you have set ProFTPd to run in xinetd mode.

% /usr/local/sbin/proftpd
localhost - Fatal: Socket operation on non-socket
localhost - (Running from command line? Use `ServerType standalone' in config file!)

What now?
I really recommend that you read through the documentation and FAQ’s available at http://www.proftpd.org/ so you can create your own secure configuration file which suits your needs.

Also, don’t forget to look up the powerful /usr/local/bin/ftpwho and /usr/local/bin/ftptop commands as they can easily be part of a script which monitors your FTP traffic. You should also head on over to http://www.lastditcheffort.org/~aah/proftpd/mod_sql/ and read about the MySQL module’s logging capabilities as it can actually log FTP actions into the database.

Mac OS X server also ships with Tomcat which means you could use Jsp (or PHP if that is your preference) to administer users and groups through simple HTML forms. Or maybe you could put together a small string parser Jsp which read a bunch of users, passwords and groups from a text file (or another datasource) and batched them all into the database. Quite nice, maybe that will be part two of this article.

Enjoy and good luck!

Wireless networking via GPRS and Nokia 6310i


FYI James’ Note: I have updated the original article so it also demonstrates the steps needed in Ireland.

The Nokia 6310i is a tri-band mobile phone with GPRS and Bluetooth built in. Making a Bluetooth connection between Mac OS X and the phone is very easy … establishing a GPRS connection to the Internet is not.

Read the rest of the article for step by step instructions for getting an Apple Macintosh running Mac OS X 10.1.5 online with GPRS via a Nokia 6310i mobile phone and Bluetooth. GPRS is taking off now in Europe – these instructions will be of most use to a British or Irish reader. I’m not sure of the status of GPRS in the States.

INSTRUCTIONS:

1. Ensure your Nokia 6310i has latest software (enter *#0000# on the phone). Mine came with 4.07 (??-04-02) so I took it to the nearest Nokia centre for a free upgrade to 4.80 (11-07-02).

For Irish users in Dublin I know of two off hand: One in Blackrock on the main street, and the other on Dawson Street in the City Centre.

To get to Dawson Street:

South Side:
Follow the Outer Orbital (Purple) to Junction 4. Turn left following signs for Inner Orbital (Orange) Junction 7

North Side:
Follow the Outer Orbital (Purple) to Junction 20. Turn right following signs for Inner Orbital (Orange) Junction 37-> 38-> 39-> 40-> 2-> 3-> 4-> 6-> 9-> 10-> 12-> 13-> 14-> 11-> 7.

City Centre:
Follow the Inner Orbital (Orange) to Junction 7.

Parking is available at Inner Orbital Junction 7.

2. Open a GPRS account with your mobile phone service provider. This has been tested on O2 IRL and UK.
3. Switch on Bluetooth on the Nokia.

4. On your Nokia 6310i under Settings >> GPRS Modem Settings >> Active Access Point, select Access Point 1. Then edit the Active Access Point to give it a sensible name (e.g. ‘O2 GPRS’). Scroll down once more and enter your mobile phone service provider’s Access Point Name (APN). On O2 IRL this is ‘open.internet’ and on O2 UK it is ‘mobile.o2.co.uk’.

For more networks visit http://www.taniwha.org.uk/gprs.html

5. Download Apple’s Bluetooth Technology Preview version 2.1 software and install.

6. Download Nokia GPRS Modem Scripts from Ross Barkman’s website.
http://www.taniwha.org.uk/

7. Unpack the modem scripts and drop them into Library:Modem Scripts.

8. Plug D-Link DWB-120M Bluetooth USB Adapter into a spare USB socket on your Mac.

9. Run the System Preferences application, select Bluetooth. Make sure “Discoverable” is selected. I also selected “Use Encryption” and “Show Bluetooth status in the menu bar”.

10. Now select the “Paired Devices” tab and click on “New” to pair your computer with your Nokia. Both devices will ask for a passkey. Any number will work but enter the same number in each device. The Nokia should now be paired with your Mac. It took me a couple of attempts to get this to work.

11. In System Preferences select “Show All” then select “Network” and create a new location with a suitable name e.g. ‘GPRS’.

12. Select the Active Network Port to “Bluetooth-modem”.

13. Under the TCP/IP tab, enter the Domain Name Servers: for O2 IRL ‘62.40.32.33’ and ‘62.40.32.34’, for O2 UK ‘193.113.200.200’ and ‘193.113.200.201’. Under Search Domains enter o2.ie for O2 IRL or o2.co.uk for O2 UK. Click on “Apply Now”.

14. Under the PPP tab, enter a name for your service provider (e.g. ‘O2 IRL’ or ‘O2 UK’), then in the Telephone Number field enter your APN (for O2 IRL this is ‘open.internet’ and for the O2 UK it is ‘mobile.o2.co.uk’) – that’s right, enter the APN in the telephone number field. It’s all taken care of in the modem script.

15. Enter an account name and password for your service provider (e.g. O2 username: ‘web’, password: ‘password’).

16. Select “Save password” then under PPP options make sure the “Send PPP echo packets” and “Use TCP header compression” options are unselected. Click on “Apply Now”.

17. Under the Modem tab, select one of the Nokia GPRS scripts. In Ireland you must select CID1 (‘Nokia GPRS CID1’) but in the UK it should not matter. Click on “Apply Now” and close System Preferences. If the first script you try doesn’t work, try the others.

18. Open the Internet Connect application and select the ‘bluetooth-modem’ port. Your APN should appear in the Telephone Number field. Click on “Connect”. You won’t hear a dialling tone during the connect process.

19. The first time your Nokia makes a GPRS connection, it will ask for authorisation. Once the call is established, select Bluetooth >> View Paired Devices >> Options >> Request conn. authorisation >> No to remove the authorisation dialog.

Making a PHP/MySQL Guest Online Script

By: Dean Shelley (deano) Posted: 28-Jul-02, 16:08:28 Rated: General/Experienced


The theory is pretty simple: a visitor’s IP is stored in the database and its timestamp is refreshed every time that person visits another page containing the code. We then delete any IPs that haven’t been updated for over 5 or so minutes.

We then count how many entries there are in that database table and then display them.

NOTE: You may need to change $_SERVER['REMOTE_ADDR'] to $REMOTE_ADDR if the script isn’t registering IPs properly.

First of all we need to create a table for the visits to be stored in. Save the code below as table.php, upload it and open it in your browser; make sure you fill in all the variables needed to connect to your database.

<?php
# Database Connection Variables
$server = "localhost";
$database = "database";
# In $database enter the database you will be using to
# run your guest online table on.
$username = "username";
$password = "password";
# Connect to the database
$connection = mysql_connect($server, $username, $password);
mysql_select_db($database, $connection);
mysql_query("CREATE TABLE visitors (
    ip varchar(20) NOT NULL,
    date int(10) DEFAULT '0' NOT NULL
)")
    or die("Cannot Create Table, MySQL said: " . mysql_error());

echo ("Table Created!");
?>

Now upload that and run it in your browser. If you get any errors, the cause is probably your database or the variables you entered.

Below is the users online script; I will explain it in comments within the script.

<?php
# Database Connection Variables
$server = "localhost";
$table = "visitors";
# In the table install script we called the table visitors, so
# do the same here.
$database = "database";
# In $database enter the database you will be using to
# run your guest online table on.
$username = "username";
$password = "password";

# Connect to the database
$connection = mysql_connect($server, $username, $password);
mysql_select_db($database, $connection);

# Enter how long you want the visitors to be stored on
# the database before being deleted.
$minutes = 5;
# Convert the minutes to seconds to work with the timestamp
$seconds = $minutes*60;

# Now calculate what the time would be based upon
# what you entered for minutes
$past = time()-$seconds;

# Create a variable for the current timestamp
$now = time();

# The visitor's address. It is escaped before being placed inside
# the quoted SQL strings below, so it can never break out of them.
$ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR'], $connection);

# Check to see if this visitor has already visited the site.
# The WHERE is just like a condition you would have
# in an if() statement: ip is the field in the table we
# want to compare with the ip of the visitor.
# You can add additional statements using AND or OR
# just like you would in the if() function

if ( mysql_num_rows(mysql_query("SELECT * FROM $table WHERE ip='$ip'")) != 0 ) {
    # If there is an entry with that IP update that row with
    # the new/current time

    mysql_query("UPDATE $table SET date='$now' WHERE ip='$ip'") or die ("Error - Unable to update visit");

    # Note the 'or die' will display whatever you enter in
    # the brackets and not the default mysql error.
} else {
    # If this visitor hasn't been to the site before we want
    # to enter their ip and time of visit on the database.
    mysql_query("INSERT INTO $table VALUES ('$ip', '$now')") or die ("Error - Unable to insert records");

}

# Now we want to delete all the old entries off the
# database where they haven't visited another page
# for 5 or so minutes
mysql_query("DELETE FROM $table WHERE date < $past") or die ("Error - Unable to delete old visits");

# We are now going to get the amount of visitors by
# counting all entries in the table

$visitors = mysql_result(mysql_query("SELECT COUNT(*) FROM $table"), 0);

# We use mysql_result() to get the amount of rows there
# are in the table, when used with SELECT COUNT(*)
# it will count all the rows in that table.
# the other alternative would be to use this:
# $visitors = mysql_num_rows(mysql_query("SELECT * FROM $table"));
# Both methods would produce the same result

echo ("<b>" . $visitors . "</b> guests online");

?>

That’s it, all finished! If you have any questions just email me.

Securing your computer with TCP wrappers


Protecting against intruders using TCP wrappers

The reality of the Internet today is that you have to protect your system from intruders.
Probably the two most basic steps you can take toward ensuring Internet security on your Mac OS X system are 1) turning off unnecessary services and 2) installing tcpwrappers on your system. Before we can do either of these, it’s important to understand how Internet services are activated under Unix.

Understanding how inetd works

Many of the common Unix internet services (FTP, telnet, rlogin, POP, finger, etc.) are launched by a daemon called inetd (important note: we are speaking here only of the server component of these services. Nothing in this article affects whether or not you can use outgoing client-side services). Since on many systems these services may not be in constant use, they are only activated when necessary. Rather than running a separate process for each service, inetd “listens” on the port associated with each service. When a remote system tries to connect to a service, inetd activates the service in question and hands off the connection to it. inetd is controlled by the file /etc/inetd.conf. A few lines from a sample /etc/inetd.conf file look like this:


ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
#login stream tcp nowait root /usr/libexec/rlogind rlogind
#nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
#ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
telnet stream tcp nowait root /usr/libexec/tcpd telnetd

The file consists of one line per service, with seven fields per line. All fields must be present for each service. Comments can be inserted by beginning a line with a “#” character; hence a service can be deactivated by placing the “#” character in front of it. The seven fields are as follows:

service name – the name of the service (taken from NetInfo if it is running, and from /etc/services otherwise). Both NetInfo and /etc/services associate a name with the TCP or UDP port number that the service uses.
socket type – the type of socket that the service requires (stream, dgram, raw, rdm, seqpacket)
protocol – the protocol (examples are tcp, udp, rpc/tcp or rpc/udp)
wait/nowait[.max] – should be nowait unless this socket is a datagram (dgram)
user[.group] – the user (and optionally the group) that the server will run as
server programme – the path to the programme that will be run
server programme arguments – the arguments that are passed to the programme (including arg[0], which is normally the name of the program)

Generally you’ll only have to change the last two fields to configure tcpwrappers.

Turning off Unnecessary Services
The first step toward securing your system is to turn off all unnecessary internet services. You can do this either in the Services Tab of Network Preferences, or by commenting out lines in inetd.conf. Unlike some Unix vendors, Apple has done a pretty good job of turning off dangerous services for you, but my rule of thumb is this: if you aren’t sure that you need it, turn it off.
After you change your inetd configuration, you need to restart inetd. Assuming you are using the command line and that you are root, do the following:


g3> ps ax | grep inetd | grep -v grep
488 ? I 0:00 inetd
g3> kill -HUP 488

The first command lists all processes on the system that contain the string “inetd” (but not “grep”), along with their process ID number (or PID) and other information. The second command restarts the daemon with PID 488, which in this case is inetd. I know there are geekier ways to accomplish the same thing with only one line of typing, but this way is easier to understand.

Understanding TCP Wrappers
If we just turn off all external internet services, we can create a reasonably secure system without too much effort. Naturally, though, you’ll probably want to run some of the more common services, such as FTP or telnet (though I recommend turning off telnet and using the vastly more secure SSH instead). This is where tcpwrappers, or tcpd, comes in.
tcpd acts as an intermediary between inetd and the server programme to be run, providing a filtering “wrapper” that allows connections to be allowed or denied based on the host or network address. Let’s take a closer look at the entries in inetd.conf that allow tcpd to be run:


#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
telnet stream tcp nowait root /usr/libexec/tcpd telnetd

Here, the first line is the default entry for the telnet server; it simply tells inetd that whenever it sees an incoming connection to the telnet port, it should launch the telnet server, located at /usr/libexec/telnetd. I’ve disabled this default behavior by commenting out the line. The second line, on the other hand, tells inetd to launch tcpd instead (located at /usr/libexec/tcpd, which is where Apple puts tcpd by default on MacOS X Server; if by any chance you’re using another version of Unix or you installed it yourself, it might be elsewhere).

When tcpd is launched, it checks the file /etc/hosts.allow to see whether or not the connection should be passed on to the server programme in question. There is also an optional /etc/hosts.deny file. The default version of tcpd installed on MacOS X Server, however, is compiled with an option allowing a more flexible access control language that can be contained entirely within the hosts.allow file, making hosts.deny unnecessary.

The /etc/hosts.allow File
There are many different options available in the tcpd access control language. Complete documentation is available in the hosts_access(5) and hosts_options(5) man pages, but we’ll cover the most common usages here. Here are a few sample lines from a fictional hosts.allow file:


ALL : localhost : allow
telnetd : .goodguys.com, 192.168.17.24 : allow
ftpd : mybuddy.good.com, 192.168.39., 10.162.23.0/255.255.255.0 : allow
ALL : ALL : deny

The basic format of a line in hosts.allow is as follows:


daemon_list : client_list : option : option …

daemon_list is a list of daemons to which the options refer. For clarity, I usually list only one daemon per line unless I’m using a wildcard such as ALL.
client_list is a list of clients to which the allow/deny options refer. The client list can be in a variety of formats:

Explicit hostname: can be either a fully-qualified domain name (e.g. foo.somewhere.com) or a local hostname specified in NetInfo.
Explicit IP Address: This is pretty much self-explanatory; just list the IP addresses that you want to allow or deny.
Pattern-matched hostname or IP Address: by adding a leading or trailing “.” to a hostname or IP address, you can match anything within a domain or network. For example, if you list “.stepwise.com”, then any machine with a DNS name inside the stepwise.com domain will match. If you list “192.168.33.”, then any machine with an IP address whose first three fields are “192.168.33” will match.
Net/mask pair: If you don’t understand the inner workings of IP addressing, don’t worry about this one. Basically, a host address matches if “net” matches the bitwise AND of the host address and “mask”. The end result is similar to a pattern-matched IP address, except that matched addresses can cross the octet boundaries in IP addresses. For example, the net/mask pair “10.168.23.0/255.255.254.0” would match any host IP address in the range from 10.168.23.0 to 10.168.24.255.
NIS Netgroup: The host matches if it is a member of the specified netgroup. If you’re not using NIS, you don’t need to worry about this one.
options can be in the form keyword or keyword value. The two basic option keywords are “allow” and “deny”. Not surprisingly, “allow” causes tcpd to transfer all matching connections to the specified server program, and “deny” causes the connection to be dropped. The other common option is to “spawn shell command”, which causes the specified shell command to be executed as a separate process. This can be used to do things like finger the remote host. See the hosts_options(5) man page for an example of how to do this; personally I prefer to just drop the incoming connection silently. There are a variety of other options available to do things such as change the UID or GID of the server process or to manage the state of the connection. See the man page for details.

Logging Denied Connections
The logging of attempted (and failed) logins is done using the syslog facility.
By examining /etc/syslog.conf, you’ll see


# The authpriv log file should be restricted access; these
# messages shouldn’t go to terminals or publically-readable
# files.
authpriv.*;remoteauth.* /var/log/secure.log

This line will cause tcpwrappers to log any attempted logins to /var/log/secure.log.
Another option is to add a line as follows:

*.info /var/log/allmessages

This will log any and all notifications of actions on your system. You can then use one of the common log sifting programmes to notify you of any unusual activity. This will be covered in a future article on Stepwise – Editor

Note that any time you make changes to syslog.conf, you’ll need to notify the syslogd process by sending it a -HUP signal, as shown above with inetd.

It is also worth repeating that you should never use tabs in the /etc/syslog.conf file, only spaces.
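As an added example (not from the original article), the kind of log sifting the section above defers to a future article: a Python summary of tcpd’s syslog records, which read “connect from <client>” when a connection was passed to the server and “refused connect from <client>” when hosts.allow denied it. The secure.log lines embedded below and the review threshold are constructed.

```python
"""Summarise tcpd connection decisions from a syslog file such as /var/log/secure.log.

Added example, not part of the original article or of the tcp_wrappers package.
tcpd logs one line per connection through syslog: "connect from <client>" when
the connection was handed to the server, "refused connect from <client>" when
hosts.allow denied it.  The sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample of secure.log lines; the su line shows that unrelated
# records are ignored by the parser.
SAMPLE_LOG = """\
Oct 19 18:46:02 server telnetd[512]: connect from publicsource.apple.com
Oct 19 18:46:41 server ftpd[513]: refused connect from publicsource.apple.com
Oct 19 18:47:03 server ftpd[514]: refused connect from 192.168.54.28
Oct 19 18:47:05 server ftpd[515]: refused connect from 192.168.54.28
Oct 19 18:47:09 server telnetd[516]: refused connect from 192.168.54.28
Oct 19 18:50:12 server su: bob to root on /dev/ttyp1
"""

# BSD syslog prefix (timestamp, host, ident[pid]:) followed by tcpd's message.
TCPD_LINE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<daemon>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)


def parse_tcpd_line(line):
    """Return a dict for a tcpd connect/refused record, or None for any other line."""
    m = TCPD_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "stamp": m.group("stamp"),
        "daemon": m.group("daemon"),
        "client": m.group("client"),
        "refused": m.group("refused") is not None,
    }


def summarise(lines):
    """Count allowed and refused connections per (client, daemon) pair."""
    allowed, refused = Counter(), Counter()
    for line in lines:
        rec = parse_tcpd_line(line)
        if rec is None:
            continue
        (refused if rec["refused"] else allowed)[(rec["client"], rec["daemon"])] += 1
    return allowed, refused


def noisy_clients(refused, threshold):
    """Clients refused at least `threshold` times across all daemons, most refused first."""
    per_client = Counter()
    for (client, _daemon), n in refused.items():
        per_client[client] += n
    return [(c, n) for c, n in per_client.most_common() if n >= threshold]


if __name__ == "__main__":
    allowed, refused = summarise(SAMPLE_LOG.splitlines())
    for (client, daemon), n in sorted(refused.items()):
        print(f"refused  {client:28s} {daemon:8s} x{n}")
    for client, n in noisy_clients(refused, threshold=2):
        print(f"review: {client} was refused {n} times")
```

On a real system, feed it the lines of /var/log/secure.log instead of SAMPLE_LOG.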

Putting It All Together
Let’s take a look at the entire process. Assume we have two machines, a server called server.mydomain.com at IP address 10.15.124.2, and a remote client called client.otherdomain.com at IP address 192.168.54.28. We are running MacOS X Server with the default install of tcpd and the following files:


#cat inetd.conf

ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
telnet stream tcp nowait root /usr/libexec/tcpd telnetd

#cat hosts.allow

ALL : localhost : allow
telnetd : .apple.com, 204.138.245.1 : allow
ftpd : www.apple.com, 204.138.245.1, 204.138.245.0/255.255.255.0 : allow
ALL : ALL : deny

Note that we have a “default deny” rule at the end of hosts.allow. This means that anything not explicitly allowed will be denied. This is a good, cautious security policy; without such a rule, tcpd’s default is that anything not explicitly denied is allowed.

The first rule allows anything from the local machine; if we type “telnet 127.0.0.1” or “ftp localhost” at the command line we will loop back to the local service. This is as it should be; you need to include this if you are going to use the default deny rule.

If publicsource.apple.com telnets to server.mydomain.com, this is what happens:

Inetd sees an incoming connection on TCP port 23. It checks NetInfo and sees that this is the telnet service, and scans /etc/inetd.conf for instructions on what to do with a telnet connection.
/etc/inetd.conf tells inetd to run /usr/libexec/tcpd. tcpd checks /etc/hosts.allow for instructions on whether to allow the connection.
The daemon list of the first line of /etc/hosts.allow matches all daemons, so tcpd proceeds to the client list. The client list lists only localhost. Since the incoming connection is not from localhost, tcpd proceeds to the next line.
The daemon list of the second line lists telnetd. This matches the incoming connection, so once again tcpd proceeds to the client list. Since publicsource.apple.com is in the apple.com domain, the first element of the client list matches the incoming connection. tcpd then proceeds to the options list and sees the “allow” keyword.
All criteria having been satisfied, tcpd passes off the connection to the real telnetd.
If publicsource.apple.com attempts to ftp to server.mydomain.com, we see the following:

inetd passes off the connection to tcpd as above.
tcpd processes the first two lines as above and finds no matches.
The daemon list for the third line matches “ftpd”, so tcpd proceeds to the client list. This time there is no domain name match. There is a similar IP address listed, but it is not an exact match.
No matches are found in the client list of the third line, so tcpd proceeds to the fourth line. The wildcard ALL matches all daemons, so we proceed to another ALL wildcard that matches all clients. The keyword is “deny”, so the connection is dropped, and a message is logged to the appropriate file.
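The walk through hosts.allow that the two cases above describe, as an added example that is not part of the original article or of the tcp_wrappers package: a small Python model of tcpd’s rule matching (explicit hostnames and addresses, leading/trailing-dot patterns, net/mask pairs and the ALL wildcard; NIS netgroups and hosts_options extras such as spawn are left out), run against the sample hosts.allow from this section. The extra client hostnames and addresses in the test cases are constructed.

```python
"""Walk a tcpd hosts.allow rule set the way the article describes.

Added example, not part of the original article or of the tcp_wrappers
package.  It implements the client_list forms the article lists (explicit
hostname, explicit IP address, leading/trailing-dot patterns, net/mask
pairs) plus the ALL wildcard; NIS netgroups (@name) and hosts_options
extras such as spawn are not handled.
"""
import ipaddress

# Constructed sample: the hosts.allow from the "Putting It All Together" section.
HOSTS_ALLOW = """\
ALL : localhost : allow
telnetd : .apple.com, 204.138.245.1 : allow
ftpd : www.apple.com, 204.138.245.1, 204.138.245.0/255.255.255.0 : allow
ALL : ALL : deny
"""


def parse_rules(text):
    """Return a list of (line_number, daemon_list, client_list, option_keywords)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"hosts.allow line {lineno}: expected daemon_list : client_list")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # keep only the keyword of each option ("allow", "deny", "spawn", ...)
        options = [o.split()[0].lower() for o in fields[2:] if o.split()]
        rules.append((lineno, daemons, clients, options))
    return rules


def client_matches(pattern, hostname, address):
    """Apply one client_list entry using the matching rules from the article."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        raise NotImplementedError("NIS netgroups are not supported in this example")
    if "/" in pattern:
        # net/mask pair: match when net equals the bitwise AND of address and mask
        net, mask = pattern.split("/", 1)
        masked = int(ipaddress.IPv4Address(address)) & int(ipaddress.IPv4Address(mask))
        return masked == int(ipaddress.IPv4Address(net))
    if pattern.startswith("."):
        # ".stepwise.com" matches any host inside that domain
        return hostname.endswith(pattern.lower())
    if pattern.endswith("."):
        # "192.168.33." matches any address whose leading fields are 192.168.33
        return address.startswith(pattern)
    # explicit hostname or explicit IP address
    return pattern.lower() == hostname or pattern == address


def check_access(rules, daemon, hostname, address):
    """Return (decision, matched_line); the first rule whose lists both match wins."""
    hostname = hostname.lower()
    for lineno, daemons, clients, options in rules:
        if not any(d == "ALL" or d == daemon for d in daemons):
            continue
        if not any(client_matches(c, hostname, address) for c in clients):
            continue
        decision = "deny" if "deny" in options else "allow"
        return decision, lineno
    # tcpd grants access when no rule matches, hence the "ALL : ALL : deny" line.
    return "allow", None


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    cases = [  # (daemon, client hostname, client address); constructed
        ("telnetd", "publicsource.apple.com", "17.254.0.132"),
        ("ftpd", "publicsource.apple.com", "17.254.0.132"),
        ("ftpd", "client.otherdomain.com", "204.138.245.77"),
        ("fingerd", "localhost", "127.0.0.1"),
    ]
    for daemon, host, addr in cases:
        decision, line = check_access(rules, daemon, host, addr)
        print(f"{daemon:8s} {host:24s} {addr:15s} -> {decision} (hosts.allow line {line})")
```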
That’s very complicated, but don’t worry. The tcpwrappers package provides tcpdmatch, a tool that will allow you to do all this testing without short-circuiting your brain.
Normally tcpdmatch will directly use the installed /etc/inetd.conf and /etc/hosts.allow files, but there is an alternative mode that allows you to do these tests without messing with your system directly.

By copying the above sample hosts.allow and inetd.conf to a new directory, and then executing the following command, you can see just what the results will be.

The first case (publicsource.apple.com telnets to your machine) will result in this output.


g3> tcpdmatch -d -i inetd.conf telnetd publicsource.apple.com
warning: publicsource.apple.com: hostname alias
warning: (official name: www.publicsource.apple.com)
client: hostname www1.publicsource.apple.com
client: address 17.254.0.132
server: process telnetd
matched: hosts.allow line 2
option: allow
access: granted

The key bit of information is the final line: access: granted.

If however we test the second case (publicsource.apple.com trying to ftp to our host):


g3> tcpdmatch -d -i inetd.conf ftpd publicsource.apple.com
warning: publicsource.apple.com: hostname alias
warning: (official name: www.publicsource.apple.com)
client: hostname www1.publicsource.apple.com
client: address 17.254.0.132
server: process ftpd
matched: hosts.allow line 4
option: deny
access: denied

Once again, the key bit of information is the final line access: denied.

Remember that whenever you change your hosts.allow file, you need to restart inetd in order for the changes to take effect.

Original article by Jay Swan.

Slight editing and preparation for PHPmac.com by John Lunney.

Hope this helps you secure your computer

Enabling SSL on Mac OS X 10.1.5

Warning: This article/tutorial is more than 45 days old. As such, the information it contains may by now be out of date. Please read all of the information it contains to make sure that this article will work on your system.

 

FYI This article was taken from the Apple Developer Connection (ADC) and credit is due entirely to that site.

One script needs to be downloaded for this process. Click Here to Download

Configuring SSL
The first thing you need to do is generate the keys and certifications for the server. This requires using the Terminal. For sanity’s sake, create a directory (Folder) on the desktop called KeyGen.
Start by generating some random data to seed the PRNG (Pseudo Random Number Generator), which is used to generate the keys.
Using the following commands, you will generate a file containing random data:

cd /
openssl md5 * > ~/Desktop/KeyGen/rand.dat

You can view the contents of this new file you’ve created by typing:

less ~/Desktop/KeyGen/rand.dat

You should see something like this:

MD5(Applications)= d41d8cd98f00b204e9800998ecf8427e
MD5(Desktop DB)= 978c9f12cac7a8985d6e9832a48264a4
MD5(Desktop DF)= ff3a2de40b6e6c53d882337bd551d271
MD5(Desktop Folder)= d41d8cd98f00b204e9800998ecf8427e
MD5(Developer)= d41d8cd98f00b204e9800998ecf8427e
MD5(Library)= d41d8cd98f00b204e9800998ecf8427e
MD5(Network)= d41d8cd98f00b204e9800998ecf8427e
MD5(System)= d41d8cd98f00b204e9800998ecf8427e
MD5(TheFindByContentFolder)= d41d8cd98f00b204e9800998ecf8427e
MD5(TheVolumeSettingsFolder)= d41d8cd98f00b204e9800998ecf8427e
MD5(Trash)= d41d8cd98f00b204e9800998ecf8427e
MD5(Users)= d41d8cd98f00b204e9800998ecf8427e
MD5(Volumes)= d41d8cd98f00b204e9800998ecf8427e
MD5(bin)= d41d8cd98f00b204e9800998ecf8427e
MD5(cores)= d41d8cd98f00b204e9800998ecf8427e
MD5(dev)= d41d8cd98f00b204e9800998ecf8427e
MD5(etc)= d41d8cd98f00b204e9800998ecf8427e
MD5(mach)= 1d04c74bca1afc36bddb405b5c61d43e
MD5(mach.sym)= 1d04c74bca1afc36bddb405b5c61d43e
MD5(mach_kernel)= 04b63e48cad1ef442929e3f5f3185b9e
MD5(private)= d41d8cd98f00b204e9800998ecf8427e
MD5(sbin)= d41d8cd98f00b204e9800998ecf8427e
MD5(tmp)= d41d8cd98f00b204e9800998ecf8427e
MD5(usr)= d41d8cd98f00b204e9800998ecf8427e
MD5(var)= d41d8cd98f00b204e9800998ecf8427e

Now, move to the KeyGen directory for the rest of this work.

cd ~/Desktop/KeyGen

Keep in mind that the more you have in a given directory, the longer rand.dat will be. Feel free to create this file from whatever directory you feel would suit your needs.

Using this random data, you can now create an RSA private key and a CSR (Certificate Signing Request) for your server. An important part of private key cryptography is making sure that the parties involved in a transaction are who they say they are. This is accomplished through a third party — a trusted Certificate Authority (CA). The CA issues certificates that identify the parties, and confirms that the keys are correct and are cryptographically “signed.” Generating the CSR is the cryptographic equivalent of filling out a passport application. The CA will return the certificate (like a passport), which is used for identification and authentication.

You’re going to be self-signing the keys, so you’ll also be creating a CA key for the signature. The keys and certificates you create are purely for testing purposes. If you need to set up a production server, you should send your CSR to a proper CA, such as Verisign, for signing.

To create the RSA private key, issue the following command:

openssl genrsa -des3 -out server.key -rand rand.dat 1024

You will be asked for a passphrase in the creation of this key. Do not forget this passphrase! You’ll have to do this all over if you forget the passphrase. You will need this passphrase later on in the process.

You have just created the “SSLCertificateKeyFile”, as it is called in the httpd.conf — a 1024 bit RSA key encrypted with Triple-DES in PEM format. You’ll be plugging this into the configuration file for Apache soon.

Now you’re ready to create a CSR (Certificate Signing Request), which is what you would normally send to a CA for signing. You’re going to sign it yourself.

openssl req -new -key server.key -out server.csr

You’ll be asked for some information when you start this. Most of it is pretty self explanatory, but one item, in particular, is not. Here’s what you’ll be asked for:

Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one)
Email Address []: (your e-mail address)

The entry for “Common Name” is the one that seems like it should be one thing, but is, in fact, another. For this entry, you want to enter your “Server Name” as it appears in your httpd.conf (which you’ll be modifying soon). As this is just a development environment, you can enter 127.0.0.1, which is the default IP for “localhost”. Now, keep in mind that using 127.0.0.1 is not the same as using “localhost”. The strings either match, or they don’t — Unix is like that.

Looking at your KeyGen directory, you should have this:

[localhost:~/Desktop/KeyGen] bob% ls -la
total 12
drwxr-xr-x 5 bob staff 126 Sep 14 17:01 .
drwx------ 38 bob staff 1248 Sep 14 16:57 ..
-rw-r--r-- 1 bob staff 970 Sep 14 16:58 rand.dat
-rw-r--r-- 1 bob staff 729 Sep 14 17:01 server.csr
-rw-r--r-- 1 bob staff 963 Sep 14 16:59 server.key

Now you need to create a CA for signing the key. The process is similar to what you’ve just done, but there are some differences.

The first thing you need to do is create a key for your CA. It’s just like your server.key – a Triple-DES encrypted, 1024 bit RSA key.

openssl genrsa -des3 -out ca.key -rand rand.dat 1024

Again, you’ll be asked for a passphrase, which, again, you should not forget.
Now you will create a self-signed CA Certificate using the RSA key you just made.

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You’ll be asked for the passphrase for the key you just made, and, again, you’ll be asked to enter information about yourself. The main difference is that here, when you are asked for your “Common Name”, you want to enter your name — not the server name or IP address. This certificate is not associated with your server — it’s associated with you. It should look something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:TX
Locality Name (eg, city) []:San Antonio
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bogus CA
Organizational Unit Name (eg, section) []:Bogus CA for Dev
Common Name (eg, YOUR name) []:Bob Davis
Email Address []:bobdavis@mac.com

Now you have 5 files in your directory — a CA key and certificate, a server key and certificate signing request, and the random data collected at the very beginning.

The next step is the important one. This is where you sign the server.key with your ca.crt. This will provide the security assurance that browsers need to establish a secure connection. It provides the identification and verification part of the public key encryption system where the keys themselves provide the mechanism for the encryption and decryption.

The easiest way to do this is to use the sign.sh script contained either in the mod_ssl source you downloaded (it’s in the pkg.contrib sub-directory) or wherever you put it after downloading it by itself.

Copy the script to your working directory and issue the following command:

./sign.sh server.csr

You should get something like this, but with the information you entered for the server.csr:

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:’US’
stateOrProvinceName :PRINTABLE:’TX’
localityName :PRINTABLE:’San Antonio’
organizationName :PRINTABLE:’Testing’
organizationalUnitName:PRINTABLE:’Testing’
commonName :PRINTABLE:’127.0.0.1′
emailAddress :IA5STRING:’bobdavis@mac.com’
Certificate is to be certified until Sep 14 23:09:20 2002 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

For the questions “Sign the certificate?” and “1 out of 1 certificate requests certified, commit?”, you just need to type “y” (without quotes) and hit enter/return.

Looking at your working directory now, you’ll see that you have a number of new files and directories in KeyGen.

[localhost:~/Desktop/KeyGen] bob% ls -la
total 36
drwxr-xr-x 12 bob staff 364 Sep 14 18:16 .
drwx------ 38 bob staff 1248 Sep 14 18:12 ..
-rw-r--r-- 1 bob staff 1298 Sep 14 17:55 ca.crt
drwxr-xr-x 3 bob staff 58 Sep 14 18:09 ca.db.certs
-rw-r--r-- 1 bob staff 111 Sep 14 18:09 ca.db.index
-rw-r--r-- 1 bob staff 3 Sep 14 18:09 ca.db.serial
-rw-r--r-- 1 bob staff 963 Sep 14 17:52 ca.key
-rw-r--r-- 1 bob staff 970 Sep 14 16:58 rand.dat
-rw-r--r-- 1 bob staff 2679 Sep 14 18:09 server.crt
-rw-r--r-- 1 bob staff 729 Sep 14 17:01 server.csr
-rw-r--r-- 1 bob staff 963 Sep 14 16:59 server.key
-rwxr-xr-x 1 bob staff 1784 Sep 14 17:59 sign.sh

Now, make a directory in your /etc/httpd called ssl.key:

sudo mkdir /etc/httpd/ssl.key

You’ll be prompted for your login password (you have to be in the admin group to use sudo), and the directory will be created.

Move all of the contents of your working directory to the ssl.key directory you just made. In a production system, it would be a very, very bad idea to keep your CA keys, certs and such on the server. If the security of the server is compromised, the ca.crt could be used to “sign” certificate signing requests on any machine. In other words, it gives anyone the power to impersonate you on the internet. Since you’re just using this for testing, and the certificates have bogus information in them, it’s not so terribly important. It is worth noting that this practice would be considered irresponsible on a server accessible to the outside world.

sudo cp -r * /etc/httpd/ssl.key/

From now on we will be working in the /etc/httpd directory, so change to that directory:

cd /etc/httpd

One more step — and it’s another step that would not have a place in a production environment, but definitely makes life with your development system better: you’re going to remove the passphrase requirement from the server key by removing its encryption.

As things stand, when you start Apache, you will be prompted for a passphrase to read the private key. While this is fine for those who start and stop Apache manually from the command line every time, it does create some problems for those of us who have Apache (a.k.a. Web Sharing) start up automatically every time the system reboots. The system will hang on startup, patiently waiting for a passphrase that will never come — because there’s no way to enter the passphrase you’ve given the key! You’ll have to either boot into Mac OS 9 or boot into verbose mode to clear this problem if you forget.

Removing the pass phrase requirement is dangerous in a production environment, but acceptable for testing (especially if you enter information in your certificate request that makes it clear that this is a testing certificate, and not for production use).

Enter the following:

cd ssl.key
sudo cp server.key server.key.original
sudo openssl rsa -in server.key.original -out server.key
cd ..

You’ll be asked for your passphrase for both the sudo command (your system passphrase) and the RSA command (the passphrase for the key). Comparing the two files server.key and server.key.original will show that they are now very different and that server.key.original contains a line stating, “Proc-Type: 4,ENCRYPTED”, that the decrypted file lacks.

Now, you have all of the files you need to make mod_ssl work with Apache. But you still need to configure the Apache server to use mod_ssl. Apple’s engineers have thoughtfully provided Apache compiled with EAPI, which allows modules to be included in Apache without recompiling the server. It makes it a lot easier to enable various modules as you need them.

Stop your web server if you haven’t already, either by using the Sharing control panel or through the command line using:

sudo apachectl stop

The file you want to edit is /etc/httpd/httpd.conf. The first thing you want to do is make a backup of the file. Keeping in mind that this directory is owned by root, you will have to use sudo for all of these commands. So, change directories to /etc/httpd and then make a copy of your httpd.conf.

sudo cp httpd.conf httpd.conf.backup

Now edit your httpd.conf file using the editor of your choice. I use emacs, so the instructions here are for emacs.

sudo emacs httpd.conf

You will need to add the following just below the Listen directive. If you have any Listen directives of your own, comment them out by placing a # in front of the line:

## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##

<IfModule mod_ssl.c>
Listen 443
Listen 80
</IfModule>

Adding these lines tells the server to be aware of traffic on port 80 (the standard HTTP port) and port 443 (the HTTPS port). This allows your SSL aware Apache installation to serve non-secure documents on port 80, while it is serving secure documents on 443.

When you have added the previous directive you need to find the lines that read:

#LoadModule ssl_module libexec/httpd/libssl.so

and a little further down:

#AddModule mod_ssl.c

You need to remove the comments (#) to activate these lines. You can quickly search for these lines by using CMD + s (in emacs) and typing “ssl”.
The two lines should now look like this:

LoadModule ssl_module libexec/httpd/libssl.so

AddModule mod_ssl.c

Now find the “ServerName” directive and make sure it has 127.0.0.1 for its entry.

ServerName 127.0.0.1

Finally, just below the last line of the current httpd.conf, enter the following information which covers some of the global SSL directives and the specific directives for the port based virtual hosts.

<IfModule mod_ssl.c>
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# initial Directives for SSL

SSLProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
##
## SSL Virtual Host Context
##
<VirtualHost 127.0.0.1:80>
# Just to keep things sane...
DocumentRoot "/Library/WebServer/Documents"
ServerName 127.0.0.1
ServerAdmin bobdavis@mac.com
SSLEngine off
</VirtualHost>
<VirtualHost 127.0.0.1:443>
# General setup for the virtual host
DocumentRoot "/Library/WebServer/Documents"
# ServerName has to match the server you entered into the CSR
ServerName 127.0.0.1
ServerAdmin bobdavis@mac.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv3
# Note: this cipher list also admits export-grade (EXP), LOW and eNULL (no
# encryption) ciphers; see the mod_ssl documentation to restrict it for
# anything beyond a test setup.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Path to your certificates and private key
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# correction for browsers that don't always handle SSL connections well
# (a single directive; the trailing backslashes continue it across lines)
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>

At this point, save your document (CTRL-x CTRL-s) and close emacs (CTRL-x CTRL-c).

There are many directives you can add to the SSL configuration for your machine, including extended logging, restrictions on ciphers used, encryption levels, etc. Full documentation is included in the Apache documents provided with MacOS-X (/Library/Documentation/Services/apache_mod_ssl/index.html) or on-line at http://www.modssl.org/.

Now it’s time to start your SSL enabled web server. You have the option of using either the command line or the Sharing control panel to start your web server. Since you have removed the passphrase requirement from your server key, it’s very simple. Either start Web Sharing from the control panel, or type either of the following lines into the command line:

sudo httpd -D SSL
sudo apachectl start

You will be asked for your system password, and you’ll get the output of Apache starting. It’s that simple. If you have Web Sharing set to start at startup it will start normally (this is why we removed the passphrase requirement).

Now test your installation using the browser of your choice. Mozilla provides more information and allows you to accept unknown Certificate Authorities very easily. MicroSuck’s Internet Explorer 5 still has issues with unknown certificate issuers — and will fail authentication.

Using Mozilla, you’ll see the little open lock in the right corner has become a closed, illuminated lock. Success! You have enabled mod_ssl in your MacOS-X development environment.

Installing a Privacy-Enhancing Web Proxy


Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, filtering web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious junk. It is based on the Internet Junkbuster. It can filter adult content, banner ads, change headers, disable cookies, etc. It is simple to install and very effective.

Download and Install Privoxy

------------

Click Here to download Privoxy. When it finishes unzip the file using Stuffit and open the resulting package, Privoxy.pkg.

Follow the on-screen instructions to install Privoxy.

When complete you can either restart your Mac or in the terminal type:

sudo /Applications/Privoxy.app/PrivoxyStart.sh

 

Configure Mac OS X to use the Proxy Server

------------

Picture 1

Open System Preferences and click the Network icon to open the Network preference pane, as shown in the above picture.

Picture 2

Click the Proxies tab in the Network pane. If you are using a normal modem or AirPort, make sure to choose that instead of Ethernet.

Picture 3

Enter the proxy server address as in the above picture. For most people running on one computer, the IP 127.0.0.1 will suffice. If you are using the proxy on more than one box, enter the IP of the computer you installed Privoxy on in all the boxes. Privoxy’s default port is 8118, and if you have not specified otherwise that should do too. Click Apply in the bottom right of the Network preference pane and restart all your browsers.

There may be some applications that do not like the new proxy server, Entourage for example. To fix this, disable the proxy in the application. For example, in Entourage go to Mail and News Preferences and then click the Proxies tab. In this table uncheck the Mail proxy.

To see if the installation was successful click here. To configure your Proxy visit http://p.p.

That should work, if it doesn’t email me j@phpmac.com

Top 5 things to do with the Terminal


I have compiled a list of the top 5 things you as a user can do with the terminal in OS X.

Please Note: These commands have been tested and work under OS X 10.1.

5. Who am I?

At number 5 is the who am i function. This is a nice function in case you forget who you are… it’s surprising how many times it really happens.

[localhost:~] jamesnp% who am i
jamesnp ttyp1 Oct 19 18:21

 

4. Instant Calendar

One of my personal favourites of the terminal is the ability to get an accurate calendar of any month/year you choose with the cal function.

[localhost:~] jamesnp% cal
October 2001
S M Tu W Th F S
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

 

3. Word Count

Opening a simple text file in AppleWorks or Word is time consuming. Instead you can simply open up your terminal and type wc filename. It returns the number of lines, words and characters in the file.

For example take the following extract from a poem:

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a yellow wood, and I –
I took the one less travelled by,
And that has made all the difference.

Save the file as poem.

[localhost:~] jamesnp% wc poem
5 37 184 poem

5 lines, 37 words, and 184 characters.

2. Wall

Wouldn’t it be great to send everyone logged on to your computer a little message saying whatever you want? Well… Yes, you guessed it; with UNIX you can!

Assume root access. This can be done with su

Type wall, then type your message. Press Ctrl-D and everyone logged into your machine will get the message!

[localhost:/Users/jamesnp] root# wall

this is a wall message

And everyone logged on gets:

Broadcast Message from jamesnp@localhost

(/dev/ttyp1) at 18:46 …

this is a wall message

 

1. kill

Any application ever stopped working in OS X? Not showing up in the Force Quit dialogue, but you know it’s running?

With kill you can kill any application running on the entire system!

First find out what you want to kill, type ps aux. Choose what you want to kill and take note of its PID.

Now type sudo kill 000 where 000 is your PID.

If it still doesn’t quit, add -9, i.e. sudo kill -9 000 where 000 is the PID.