After initially being rather hesitant about moving away from NetNewsWire, I’ve moved completely over to using tt-rss and Reeder. The tipping point was af_feedmod, which by configuring an xpath provides a mechanism to get entire articles instead of just summaries. So now instead of having to click on “read more” links, I have everything stored for offline reading on my iPhone :-)
Alternatives for Google Reader
As a long time Google Reader user, I’ve been looking at alternatives for use on the desktop, laptop and mobile devices.
I’ve had a go with tt-rss which running as a web application on one of my colo servers is perfect for desktop use as I see the same feed (with read/unread and starred) wherever I login to it from, but does require an active internet connection which is not possible on disconnected laptops, granted Google reader has the same issue. For my iPhone, I installed the tt-rss Fever API plugin and installed Reeder on the iPhone to give my offline reading.
I’ll see how it goes…
Installing ownCloud 5 on Ubuntu 12.04 with nginx and percona
Starting with a base install of Ubuntu 12.04 server, install the pre-reqs, these include the reqs for LDAP auth and external storage on a SMB server
sudo apt-get install nginx php5-fpm php5 php5-json php5-gd curl php5-curl\ libcurl3-gnutls libapr1 libaprutil1 libcurl3 libaprutil1-ldap libcap2\ libltdl-dev libltdl7 libtool m4 php-pear php-xml-parser php5-cli\ php5-dev shtool ssl-cert php5-ldap smbclient |
stop the nginx and php5-fpm services
sudo service nginx stop sudo service php5-fpm stop |
create a directory for owncloud to exist in
sudo mkdir -p /var/www |
get the latest source for owncloud from http://owncloud.org/support/install/
wget http://download.owncloud.org/community/owncloud-5.0.0.tar.bz2 |
untar the source
tar -xvf owncloud |
move the source into place
sudo mv owncloud /var/www/ |
create a data directory for the data
sudo mkdir -p /var/www/owncloud-data |
remove the default nginx config from site-enabled
sudo unlink /etc/nginx/sites-enabled/default |
create a new file for sites available, something like this
sudo nano /etc/nginx/sites-available/owncloud |
link the file to sites-enabled
sudo ln -s /etc/nginx/sites-available/owncloud /etc/nginx/sites-enabled/owncloud |
edit php-fpm to use a unix socket instead of a TCP socket
sudo nano /etc/php5/fpm/pool.d/www.conf |
comment out
listen = 127.0.0.1:9000 |
and add
listen = /var/run/php5-fpm.sock |
Uncomment the permissions
listen.owner = www-data listen.group = www-data listen.mode = 0660 |
For the SSL certificate, this might be of use
I usually use Percona instead of the Ubuntu build of MySQL
import the Percona gpg key
sudo gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A sudo gpg -a --export CD2EFD2A | sudo apt-key add - |
now edit sources.list
sudo nano /etc/apt/sources.list |
add these lines
# for percona deb http://repo.percona.com/apt precise main deb-src http://repo.percona.com/apt precise main |
now install percona
sudo apt-get update sudo apt-get install percona-server-common-5.5 percona-server-server-5.5 libmysqlclient18 libmysqlclient16 |
with the database server installed, now create the database
mysql -uroot -p CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password'; CREATE DATABASE IF NOT EXISTS owncloud; GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED BY 'password'; |
add the components for mysql
sudo apt-get install php5-mysql libaprutil1-dbd-mysql |
create the config file to use the mysql server
sudo nano /var/www/owncloud/config/autoconfig.php |
add the following lines
<?php $AUTOCONFIG = array( "dbtype" => "mysql", "dbname" => "owncloud", "dbuser" => "owncloud", "dbpass" => "password", "dbhost" => "localhost", "dbtableprefix" => "", "adminlogin" => "Administrator", "adminpass" => "Admin-password", "directory" => "/var/www/owncloud-data", ); |
reset the directory permissions
sudo chown -R www-data:www-data /var/www/owncloud sudo chown -R www-data:www-data /var/www/owncloud-data sudo chmod 777 /var/www/owncloud-data/ |
You should now be able to start the services
sudo service php5-fpm start sudo service nginx start |
and login to the application using the username and password from autoconfig.php
Building keepalived from source on Ubuntu 12.04 for HAProxy
Presuming that HAProxy has been built from GIT.
Download the latest source for keepalived
wget http://www.keepalived.org/software/keepalived-1.2.7.tar.gz |
untar the archive
tar -zxvf keepalived-1.2.7.tar.gz |
now build keepalived
cd keepalived-1.2.7 ./configure make sudo make install |
link it from /usr/local/sbin to /usr/sbin
sudo ln -s /usr/local/sbin/keepalived /usr/sbin/keepalived |
now configure keepalived to start automatically
create the init file
sudo nano /etc/init.d/keepalived |
as per attached file init.d.keepalived.txt
make it executable
sudo chmod +x /etc/init.d/keepalived |
now set the runlevels
sudo sudo update-rc.d keepalived defaults |
now enable services to bind to the VRRP address
sudo nano /etc/sysctl.conf |
add the line
net.ipv4.ip_nonlocal_bind=1 |
to test startup, use the supplied sample
sudo mkdir /etc/keepalived sudo cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf |
test startup
sudo /etc/init.d/keepalived start |
to test that it is working
ip address list |
this will show the keepalived addresses on the active server.
Convert pfx to jks
Java keystores use the jks format, this is functionally similar to a pfx file in that you have a store and a password.
To convert from pfx to jks
keytool -importkeystore -srckeystore pfxkeystore.pfx -srcstoretype pkcs12 -destkeystore jkskeystore.jks -deststoretype JKS |
IPv4 DDNS on Cisco for dns.he.net
As dyndns.com has reduced the capabilities of their free service, I looked around for other free providers of Dynamic DNS service.
After testing several, I decided to move my DNS hosting to Hurricane Electric as they include Dynamic DNS service with their free service (for up to 50 domains), and it removes the requirement to use CNAMEs as with the dyndns.com free service.
The configuration as below is for IPv4 dynamic addressing as provided by most Internet Service Providers on xDSL or Cable (broadband) connections when using the free DNS and DDNS service as provided by dns.he.net
The below has been tested on a Cisco 1812 running c181x-advipservicesk9-mz.151-4.M4.bin on a BT FTTC connection which uses PPPoE over VDSL where the PPPoE interface has a dynamic address. It has also been tested on a Cisco 877 running c870-advipservicesk9-mz.151-4.M4.bin on several other UK ADSL and ADSL2+ connections
It does not cover changing the IPv4 termination address for a he.net IPv6 Tunnel.
In Global mode
ip ddns update method HTTP add http://<f.q.d.n>:<password>@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=<a> |
Then on the dynamic addressed interface (usually Dialer 1)
ip ddns update hostname <f.q.d.n> ip ddns update <method-name> host ipv4.dyn.dns.he.net |
<method-name> This is the name that you want to give the DDNS update, I usually use dyn.he.net
<f.q.d.n> This is fully qualified domain name that is configured for Dynamic DNS on the dns.he.net control panel<password> This is the password for the fully qualified domain name that is configured for Dynamic DNS on the dns.he.net control panel
<h> This is an internal Cisco IOS variable for the hostname that it gets from the configuration on the interface
<a> This is an internal Cisco IOS variable for the dynamic address on the interface
Presuming that the method name is dyn.he.net, the dynamic hostname being used is router.domain.com and the password is SuperSecretPassword the completed configuration commands should look something like this
In Global mode
ip ddns update method dyn.he.net HTTP add http://router.domain.com:SuperSecretPassword@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=</h> |
Then on the dynamic addressed interface (usually Dialer 1)
ip ddns update hostname router.domain.com ip ddns update dyn.he.net host ipv4.dyn.dns.he.net |
It is not possible to copy and paste all of the config directly into a console session as the line that begins with “add” contains a question mark.
To enter a question mark ? in IOS, press and hold ctrl, press v, release both keys, then press ?
Achieving an MTU of 1500 on BT FTTC
The BT FTTC service uses PPPoE as its mode of connection via the VDSL modem.
Although the default Ethernet MTU is 1500, when using PPPoE, 8 bytes are used for the PPPoE header, this then reduces the MTU to 1492.
There are some devices such as the Vodafone SureSignal (a 3G Femotocell), that have an embedded IPSec client that will not connect over a connection that has an MTU of below 1500. There are other applications such as the Cisco AnyConnect client that can also have issues with an MTU of below 1500
There is however a method to increase the MTU to 1500 which has been documented in RFC 4638. This method is to increase the MTU on the interface running the PPPoE connection to 1508 which are called “Baby Jumbo Frames”, and to then instruct the PPPoE client to use an MTU of 1500. The BT FTTC service supports this method, as do some modern Cisco routers such as the ISR 1812, this then enables you to run an MTU of 1500 over the connection.
To enable this method, there are two extra commands that you need to enable on the physical interface the you are using for PPPoE connection
The first part is to set the interface to use baby jumbo frames
mtu 1508 |
The second part is to set the PPPoE dialler to negotiate an MTU of 1500 as per RFC 4638
pppoe-client ppp-max-payload 1500 |
A complete interface config would look something along the lines of
interface FastEthernet0
description BT FTTC PPPoE mtu 1508 no ip address ip access-group FastEthernet0 in no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly in duplex auto speed auto pppoe enable group global pppoe-client dial-pool-number 1 pppoe-client ppp-max-payload 1500 no cdp enable |
The Dialer interface does does not need to be changed, neither do any internal interfaces.
With these changes you should have an MTU of 1500 over the connection, devices and/or applications that had issues with an MTU of 1492 should no longer be affected.
Install a private root CA certificate for OpenSSL in Ubuntu 12.04
To install the root certificate into the openssl “certificate store” store it needs to be in pem (as opposed to DER) format
Copy the .pem format certificate into /etc/ssl/certs
in the directory /etc/ssl/certs run the below, where myca.pem is the root CA certificate in pem format.
ln -s myca.pem `openssl x509 -hash -noout -in myca.pem`.0 |
not that it is a ` not a ‘
any applications that use the openssl “certificate store” should now accept the root cert
Convert pfx to pem
Rather than use the certificate creation tools on Linux for web servers, I find it quicker and less error prone to create the certificate on Windows and then convert to pem format on the Linux server, this is particularly useful for internal certificates…
So, create the certificate on Windows and export it as a pfx file noting the password that you used
copy the pfx file onto the Linux box
create the pem
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem |
create the key file
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out certificatekeypass.key |
to enable the key file to be used without entering a password (useful for a webserver…), remove the password
openssl rsa -in certificatekeypass.key -out certificatekey.key |
you can now use the certificate.pem and certificatekey.pem in the web server configuration
To use crt files instead of pem files
export the certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt |
create the key file
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out certificatekeypass.key |
to enable the key file to be used without entering a password (useful for a webserver…), remove the password
openssl rsa -in certificatekeypass.key -out certificatekey.key |
Building HAProxy from GIT on Ubuntu 12.04
Starting with a base install of Ubuntu 12 with openssh installed
As HAProxy will be built from source, there are some pre-reqs
sudo apt-get install build-essential libssl-dev libpopt-dev git libpcre3-dev |
now get the haproxy source and build it
git clone http://git.1wt.eu/git/haproxy.git/ haproxy cd haproxy make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 sudo make install |
link it from /usr/local/sbin to /usr/sbin
sudo ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy |
Create the directory to use
sudo mkdir /usr/share/haproxy |
now configure HAProxy to start automatically, create the init file as per attached file init.d.haproxy.txt
sudo nano /etc/init.d/haproxy |
make it executable
sudo chmod +x /etc/init.d/haproxy |
now set the runlevels
sudo update-rc.d haproxy defaults |
Now create the file that enables it
sudo nano /etc/default/haproxy |
# Set ENABLED to 1 if you want the init script to start haproxy. ENABLED=1 # Add extra flags here. #EXTRAOPTS="-de -m 16" |
add a haproxy user
sudo adduser --system haproxy |
copy the rest of the files into place
sudo mkdir /etc/haproxy sudo mkdir /etc/haproxy/errors sudo cp ~/haproxy/examples/errorfiles/* /etc/haproxy/errors |
The build can be updated with
cd ~/haproxy git pull make clean make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 sudo make install |
Then restarting haproxy to use the updated version
sudo service haproxy restart |