Browsed by
Month: June 2010

Apache 2.2 with SSL on Windows

There are a few services I run that I need to access over the web that I do not want anyone watching (phpMyAdmin, for example). The simple solution is to encrypt this traffic with SSL certificates. Here is how I did it on Windows with Apache 2.2:

  • Install the latest Apache 2.2 with OpenSSL: http://httpd.apache.org/download.cgi.
  • Open the Command Prompt and browse to [apache 2.2 path]/bin.
  • Enter openssl req -config ../conf/openssl.cnf -new -out foo.csr -keyout foo.pem. Fill out this information the best you can but you can leave most of it blank. The most notable exceptions are the PEM Pass Phrase fields and the Common Name field (which should be the domain name you will use this certificate on). It is best that you leave the Challenge Password at the end blank.
  • Enter openssl rsa -in foo.pem -out foo.key. You will be asked to reenter the password you entered in the last step.
  • Enter openssl x509 -in foo.csr -out foo.crt -req -signkey foo.key -days 3650. You can replace 3650 with however long you want the certificate to be valid for.
  • You will now wind up with four files: foo.crt, foo.csr, foo.key, and foo.pem. At this point you really only need foo.crt and foo.key and may delete the other two (unless you want to sign more certificates later on).
  • Move your two remaining files somewhere safe (not any place where the web server will be able to serve them to clients).
  • Open [apache 2.2 path]/conf/httpd.conf in your favorite text editor. Uncomment the line LoadModule ssl_module modules/mod_ssl.so.
  • Open [apache 2.2 path]/conf/extra/httpd-ssl.conf. Uncomment the line Listen 443.
  • In Windows Explorer browse to [apache 2.2 path]/conf and open up the configuration for the site you want to SSL-enable. Make sure you are set up to listen on port 443 if you are running a virtual host. Add the lines SSLEngine on, SSLCertificateFile "[foo.crt path]", and SSLCertificateKeyFile "[foo.key path]".
  • Restart Apache 2.2: net stop apache2.2 and net start apache2.2

Some notes:

  • Certificates can only be used for whole domains or virtual hosts as opposed to a single directory. However with some clever allows, denies, and redirects in your web root you can do just about anything.
  • Only one SSL connection per IP on the same server is allowed. This is by design within SSL.
  • These certificates are self-signed. That means that anyone who views your new secure site will most likely be greeted with a warning they must accept before continuing. You set up the certificates yourself so you know there is nothing fishy going on, but they might not know that. If you want to avoid this you will have to put out the cash to Verisign or someone else who can offer the same service.
  • Check out the SSLCipherSuite and SSLCARevocationFile directives (which you will notice are missing in my instructions) to further lock down your site.
  • Remember that if you ever change your certificate in any way the client may need to remove their old certificate before they will be able to view the site again.
  • I generally replace foo with the domain name.
  • Since this was always meant as a quick-and-dirty howto you can find more information at the Apache site.
  • I am running Windows XP SP3, Apache 2.2.14, and the included OpenSSL 0.9.8k.
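
The configuration the steps above arrive at, with the SSLCipherSuite tightening and the redirect idea from the notes filled in. This is an added example, not the author's own files: example.test, the phpmyadmin directory, the SSLProtocol and SSLHonorCipherOrder lines, and the bracketed paths are assumptions to adapt.

```apache
# Added example. Bracketed paths and example.test are placeholders.

# --- [apache 2.2 path]/conf/httpd.conf ---
LoadModule ssl_module modules/mod_ssl.so

# --- [apache 2.2 path]/conf/extra/httpd-ssl.conf ---
Listen 443

# --- site configuration ---
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot "[web root path]"

    SSLEngine on
    SSLCertificateFile "[foo.crt path]"
    SSLCertificateKeyFile "[foo.key path]"

    # Weak setting, shown only for contrast: allows SSLv2 plus
    # export-grade, low-strength and anonymous cipher suites.
    # SSLProtocol all
    # SSLCipherSuite ALL

    # Tighter setting: TLS only, no anonymous/export/low/MD5 suites,
    # and the server's cipher preference wins over the client's.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLHonorCipherOrder on

    # Refuse any request for this directory that did not arrive over SSL.
    <Directory "[web root path]/phpmyadmin">
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Plain-HTTP host: redirect the sensitive path to the SSL host
# instead of serving it in the clear.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot "[web root path]"
    Redirect permanent /phpmyadmin https://example.test/phpmyadmin
</VirtualHost>
```

Keep foo.key outside every DocumentRoot, and run httpd -t from [apache 2.2 path]/bin to syntax-check the files before restarting the service.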

Manually Empty Linux Swap and Control Linux Swap Usage

I have noticed that the Linux versions of VMware products love their swap usage. I do not know if this is a “fault” of Linux or the VMware software but it annoys and slows me down. After looking around for an elegant solution I just decided to take the brute force method to emptying my swap: running sudo swapoff -a;sudo swapon -a (make sure you have enough free RAM to fit the contents of swap).

There is also the option of swappiness included with the 2.6.x+ kernel. Just edit /etc/sysctl.conf to include the line vm.swappiness=0. Either change the existing value or, if it does not exist, add it (changing/adding this value will require a reboot or running sudo sysctl vm.swappiness=value). vm.swappiness can be between 0 and 100 (inclusive) where 0 will try to never swap anything and 100 will aggressively swap. If you would rather just change the value until next reboot use the line sysctl vm.swappiness=value (replacing value with an appropriate value). You can view the current value with the command cat /proc/sys/vm/swappiness. Ubuntu 10.04, for example, has a default value of 60.

Update 2011.02.14
While searching for something completely unrelated I came across this from the Community Ubuntu Documentation:

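    #!/bin/bash
    # Empty swap only when free RAM can hold what is currently swapped out (run as root).

    err="not enough RAM to write swap back, nothing done"
    mem=$(free | grep Mem: | awk '{print $4}')    # free RAM
    swap=$(free | grep Swap: | awk '{print $3}')  # used swap
    # Abort if used swap exceeds free RAM.
    test "$mem" -lt "$swap" && echo -e "$err" && exit 1
    swapoff -a && swapon -a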

Stick it into a script, make it executable, and it will let you know if you have enough free RAM to empty the swap before doing it.

Tether Motorola Droid with Windows 7

As a follow-up to my Tether Motorola Droid with Ubuntu 9.10 and Ubuntu 10.04 article I have decided to post the steps for Windows 7.

  • Grab and install the latest Droid Drivers: http://www.motorola.com/Support/US-EN/Support-Homepage/Software_and_Drivers/USB-and-PC-Charging-Drivers/
  • Grab and install the latest OpenVPN: http://www.openvpn.net/index.php/open-source/downloads.html
  • Grab the latest Android SDK and extract it: http://developer.android.com/sdk/
  • Create a file called azilink.ovpn and enter into it:

    dev tun
    route-method exe
    remote 127.0.0.1 41927 tcp-client
    ifconfig 192.168.56.2 192.168.56.1
    route 0.0.0.0 128.0.0.0
    route 128.0.0.0 128.0.0.0
    socket-flags TCP_NODELAY
    ping 10
    dhcp-option DNS 192.168.56.1

  • Create a file called azilink.bat and enter into it:

    "[path to android sdk]\tools\adb.exe" forward tcp:41927 tcp:41927
    openvpn "[path to azilink.ovpn]"

  • Set your Droid to debugging mode: Settings -> Applications -> Development -> USB debugging
  • Grab and install the latest Azilink .apk file onto your Droid: http://azilink.googlecode.com/ (This can be done by pointing the Droid’s web browser directly to the download link or loading it onto the SD card. Either way you may need to go to Settings -> Applications -> Unknown sources to allow it to be installed.)
  • Start up Azilink on your Droid and select Service active.
  • Right-click azilink.bat and select Run as Administrator.

If all these steps went well you should be able to access the Internet on your computer via Azilink’s tethering capabilities. Be sure to check out the About screen in the Azilink application on the Droid to see if any of that applies to you.

A few things worth mentioning:

  • This method does not require your Droid to be rooted.
  • I am under the impression that these steps will also work for Windows Vista but I cannot confirm that.
  • I am under the impression that these steps will also work for Windows XP with the route-method exe line removed from azilink.ovpn but I cannot confirm that.
  • I am running Droid firmware 2.1, OpenVPN 2.1.1, Azilink 2.0.2, and MotoConnect 4.6.0.