OpenSSL is cool
No news there, but some neat tricks:
To test a certificate:
> cat mycert.crt mycert.key > mycert.pem
> openssl s_server -cert mycert.pem -www

and then check https://localhost:4433

To strip a passphrase from an RSA keyfile:
> openssl rsa -in mykey.key -out newkey.pem

Whenever someone says you should "use make to create hash links" what they really mean is you should use Makefile.crt that comes with mod_ssl to create hash symlinks for Apache. This file doesn't come with OS X Server however, so either grab one from the mod_ssl source distribution (from the pkg.sslcfg directory) or use the script described here.

All taken from this brilliant Q&A.
|
Windows and OS X benchmarks
I've said this before, but one thing that baffles me is that in all the benchmarks and performance comparisons, people tend to compare a fresh copy of Windows against a fresh copy of OS X. I think this is completely false. Every self-respecting reviewer should first of all install all the software they would normally have on a production machine, and preferably use the reviewed system as their main system for a while.

We all know what happens to Windows, and to some extent to OS X after you start installing stuff on them. But what I'd like to see is a benchmark of Windows with over 100 third party apps installed on it. This is exactly how many apps I have in my Applications folder (96 items in /Applications + sub-folders for stuff like browsers, games and server tools).
> system_profiler SPApplicationsDataType | egrep ":$" | wc -l
269

That's exactly how many apps I have on my system altogether, not counting system-level stuff. With that many apps in the registry, I would bet it would take the Windows PC longer to boot up than the Mac to finish the benchmark. If it would start up at all.

And this all comes back to the cost issue as well. Ask any Windows-using media professional and they'll tell you that you shouldn't install anything else except your bare necessities on your production workstation. That you should essentially have one machine for your video work and another for your email and P2P. But now you're already paying for 2 machines, aren't you?
|
Stranger than fiction
filipp@fiBook.local [Metadata]  > curl -v http://127.0.0.1/~filipp/collective/show.php?id=rss
* About to connect() to 127.0.0.1 port 80
* Trying 127.0.0.1... * connected
* Connected to 127.0.0.1 (127.0.0.1) port 80
> GET /~filipp/collective/show.php?id=rss HTTP/1.1
User-Agent: curl/7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7l zlib/1.2.3
Host: 127.0.0.1
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Date: Sat, 24 Feb 2007 10:27:41 GMT
< Server: Apache/1.3.33 (Darwin) PHP/5.2.0
< X-Powered-By: PHP/5.2.0
< Set-Cookie: PHPSESSID=4fnmhuf56d5h3ifqg6qcai8k12; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/xml

AND
filipp@fiBook.local [Metadata]  > curl -v http://localhost/~filipp/collective/show.php?id=rss
* About to connect() to localhost port 80
* Trying ::1... * connected
* Connected to localhost (::1) port 80
> GET /~filipp/collective/show.php?id=rss HTTP/1.1
User-Agent: curl/7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7l zlib/1.2.3
Host: localhost
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Date: Sat, 24 Feb 2007 10:28:51 GMT
< Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7l DAV/2
< Last-Modified: Sat, 24 Feb 2007 10:05:15 GMT
< ETag: "3747e6-d1b-b6aecc0"
< Accept-Ranges: bytes
< Content-Length: 3355
< Content-Type: text/plain

When I open the page in a browser, the first one is returned regardless of whether I use localhost.

Just a silly Listen directive somewhere I'm sure, but goes to show what can happen when you start monkeying around with multiple web servers on the same machine.
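The same divergence can be checked without reading curl output by hand. Added example, not from the post: a parser for the "<" response lines of a curl -v transcript, a comparison of the Server header per loopback address, and a live probe that walks every address a hostname resolves to (IPv4 and IPv6); the transcripts below are cut down from the two above.

```python
import re
import socket

# Constructed from the two curl transcripts above: only the "<" response lines matter here.
IPV4_RESPONSE = """\
< HTTP/1.1 200 OK
< Server: Apache/1.3.33 (Darwin) PHP/5.2.0
< Set-Cookie: PHPSESSID=4fnmhuf56d5h3ifqg6qcai8k12; path=/
< Content-Type: text/xml
"""
IPV6_RESPONSE = """\
< HTTP/1.1 200 OK
< Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7l DAV/2
< Content-Type: text/plain
"""

def response_headers(curl_verbose):
    """Parse the '< Name: value' lines of a curl -v transcript into a dict (names lower-cased)."""
    headers = {}
    for line in curl_verbose.splitlines():
        m = re.match(r"<\s*([A-Za-z-]+):\s*(.*)$", line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def server_by_address(transcripts):
    """{address: curl -v text} -> {address: Server header} (or '<none>' when absent)."""
    return {addr: response_headers(t).get("server", "<none>") for addr, t in transcripts.items()}

def is_split(servers):
    """True when different daemons answer on different loopback addresses."""
    return len(set(servers.values())) > 1

def probe(host, port=80, path="/"):
    """Live version: send a HEAD request to every address 'host' resolves to (v4 and v6)
    and collect the Server header per address. Not exercised by the offline test."""
    transcripts = {}
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(3)
            s.connect(sockaddr)
            s.sendall(f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = s.recv(4096).decode(errors="replace")
        # Prefix the lines the way curl -v does so the same parser applies.
        transcripts[sockaddr[0]] = "\n".join("< " + line for line in raw.splitlines())
    return server_by_address(transcripts)

if __name__ == "__main__":
    print(server_by_address({"127.0.0.1": IPV4_RESPONSE, "::1": IPV6_RESPONSE}))
```

A split result means anything you bound to one loopback address (a Listen directive, an access rule, a test against "localhost") only covers one of the two daemons.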
|
Using Google's sitemap generator with RW
The sitemap generation process may seem a little daunting at first, but it's actually quite simple, even when you're just using RapidWeaver. All you have to do is download their Sitemap Generator script. Then make a local export of your RW site (i.e. ~/Sites/mysite.com). The sitemap generator has three modes of operation; we're interested in having it generate the map from the directory structure, so config.xml would be:
<site base_url="http://mysite.com/" store_into="/Users/filipp/sitemap.xml.gz" verbose="1">
<directory path="/Users/filipp/Sites/mysite.com" url="http://mysite.com" default_file="index.html" />
</site>

Then just run sitemap_get.py and copy the resultant sitemap.xml.gz to your hosting site's root directory. The whole idea here is to match your RW export with your site's root on the server.
|
Finnish TV advertising
There are some really good ones here occasionally. They're holding a competition now and some of last years best clips are also available online. Many of them obviously expect you to understand the language, but there are also a few "universal" ones, like this local carpark ad, for instance. Or this one, that's actually in English.
|
Cannot launch natd
After a power outage, this started happening:
Feb 14 15:36:35 www serveradmin: servermgr_nat: nat config:Error:Cannot launch natd

The Apple front-ends (like serveradmin) are not very verbose, so I've found a good troubleshooting step is to run the underlying daemon manually with the same config files:
www:/etc/nat root# natd -config /etc/nat/natd.conf.apple
natd: unknown protocol (null). Expected tcp or udp

Aha! Indeed, the last line looks weird:
redirect_port (null) (null):3050

When it should be something like:
-redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]

Digging a little deeper, we find that natd.conf.apple is actually re-written every time you run serveradmin start nat (so modifying it directly is pointless). The values are populated from /etc/nat/natd.plist. If the latter doesn't exist, it's created from /etc/nat/natd.plist.default.

Since I was convinced I hadn't modified my natd.plist, I just did a
> mv natd.conf.apple natd.conf.apple.old
> mv natd.plist natd.plist.old
> serveradmin start nat

And that got things running again. What's really weird is the cause of this:
www:/etc/nat root# diff natd.plist natd.plist.old 
18a19,25
><key>redirect_port</key>
> <array>
> <dict>
> <key>targetPortRange</key>
> <integer>3050</integer>
> </dict>
> </array>

How that targetPortRange got there, I still don't know...
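Since serveradmin silently writes whatever is in the plist into natd.conf.apple, it helps to lint the generated file before natd chokes on it. Added example, not from the post or from Apple: a check of every redirect_port line against the usage grammar quoted above (IPv4 addresses only; the addresses in the sample are made up).

```python
import re

# The redirect_port grammar from natd's usage text, as one regex (IPv4 literals only;
# natd also accepts hostnames, which this check does not cover).
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_PORTS = r"\d{1,5}(?:-\d{1,5})?"
REDIRECT_PORT = re.compile(
    rf"^redirect_port\s+(?P<proto>tcp|udp)\s+"
    rf"(?P<target>{_IP}):(?P<target_ports>{_PORTS})\s+"
    rf"(?:(?P<alias>{_IP}):)?(?P<alias_ports>{_PORTS})"
    rf"(?:\s+(?P<remote>{_IP})(?::(?P<remote_ports>{_PORTS}))?)?\s*$"
)

def check_natd_conf(text):
    """Return [(line_number, line, reason)] for every redirect_port line natd would reject,
    such as the '(null)' placeholders serveradmin wrote into natd.conf.apple."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line.startswith("redirect_port"):
            continue
        if "(null)" in line:
            problems.append((n, raw, "unpopulated field: (null)"))
        elif not REDIRECT_PORT.match(line):
            problems.append((n, raw, "does not match proto targetIP:targetPORT aliasPORT grammar"))
    return problems

# Constructed sample: the broken line from the post plus two well-formed rules.
SAMPLE = """\
# natd.conf.apple (constructed)
interface en0
redirect_port (null) (null):3050
redirect_port tcp 192.168.1.10:3050 3050
redirect_port udp 192.168.1.10:5000-5010 10.0.0.1:5000-5010 203.0.113.5
"""

if __name__ == "__main__":
    for n, line, why in check_natd_conf(SAMPLE):
        print(f"line {n}: {why}: {line}")
```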
|
Cyrus weirdness
Feb 12 23:35:35 server launchd: edu.cmu.andrew.cyrus.master: exited with exit code: 75
Feb 12 23:35:35 server launchd: edu.cmu.andrew.cyrus.master: respawning too quickly! throttling
Feb 12 23:35:35 server launchd: edu.cmu.andrew.cyrus.master: 1 more failure without living at least 60 seconds will cause job removal
Feb 12 23:35:35 server launchd: edu.cmu.andrew.cyrus.master: will restart in 10 seconds
Feb 12 23:35:45 server master[14119]: empty option value on line 14 of configuration file
Feb 12 23:35:45 server master[14119]: exiting

That's just launchd's special way of saying that cyrus is not starting up. The question is - what conf file is it talking about?
Let's check:
> man cyrus-master

OK, so there are two of them - /etc/cyrus.conf and /etc/imapd.conf. The first one had a comment on line 14, but the second one:
tls_common_name:

Setting a CN fixed the problem and cyrus was purring like a kitten again:
Feb 12 23:40:42 server master[14244]: process started
Feb 12 23:40:43 server ctl_cyrusdb[14245]: verifying cyrus databases
Feb 12 23:40:43 server ctl_cyrusdb[14245]: skiplist: recovered /var/imap/mailboxes.db (30 records, 5008 bytes) in 0 seconds
Feb 12 23:40:43 server ctl_cyrusdb[14245]: skiplist: recovered /var/imap/annotations.db (0 records, 144 bytes) in 0 seconds
Feb 12 23:40:43 server ctl_cyrusdb[14245]: done verifying cyrus databases
Feb 12 23:40:44 server master[14244]: ready for work
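The "empty option value on line N" check is easy to reproduce before restarting the daemon. Added example, not from the post or from Cyrus: a scan of imapd.conf for options with no value, plus a helper that fills one in. The sample file is constructed (real option names, made-up paths) and puts the offending line at 14, like the log above.

```python
import re

OPTION = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")

def empty_options(conf_text):
    """Return [(line_number, option_name)] for every 'option:' line with no value.
    That is the condition behind master's 'empty option value on line N' exit (code 75)."""
    found = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if m and m.group(2) == "":
            found.append((n, m.group(1)))
    return found

def set_option(conf_text, name, value):
    """Fill in (or replace) the value of 'name', keeping every other line untouched."""
    out = []
    for raw in conf_text.splitlines():
        m = OPTION.match(raw.strip())
        if m and m.group(1) == name:
            out.append(f"{name}: {value}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

# Constructed imapd.conf: option names are real Cyrus options, the values are made up.
SAMPLE = """\
# imapd.conf (constructed sample)
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no

# TLS
tls_cert_file: /etc/certificates/mail.crt
tls_key_file: /etc/certificates/mail.key
tls_ca_file: /etc/certificates/ca.crt
tls_session_timeout: 1440
tls_common_name:
"""

if __name__ == "__main__":
    for n, name in empty_options(SAMPLE):
        print(f"line {n}: empty option value for {name}")
```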

|
Good Things pt 2: YAML
I got acquainted with YAML during my short run-in with Ruby on Rails (more on this some other day, hopefully). Their official description is:

YAML(tm) (rhymes with "camel") is a straightforward machine parsable data serialization format designed for human readability and interaction with scripting languages such as Perl and Python.

Absolutely brilliant stuff. What it gives you, is a simple (no joke!) portable data format that's truly human-readable (indentation, baby!) and can easily be parsed into virtually any programming language's native data structure.

For example, in PHP (via the excellent Spyc library), this is what my webapp's DB settings would look like:
database:
  host: localhost
  name: collective_development
  username: name
  password: passwd
  type: mysql
  charset: utf-8

Then you just do
include 'lib/spyc.php5';
$c = Spyc::YAMLLoad( 'lib/collective.yml' );

And your whole configuration is accessible in a PHP array:
$link = mysql_connect( $c['database']['host'], $c['database']['username'], $c['database']['password'] );
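To show how little machinery the "indentation, baby!" part needs, here is an added example (not from the post, not the Spyc library) that parses the subset used above, nested block mappings with plain scalar values, into a native dict. It is not a general YAML parser: no lists, quoting, anchors or tags, and it assumes consistent space indentation.

```python
def load_block_yaml(text):
    """Parse nested 'key: value' block mappings into dicts. Values stay strings.
    Assumed: indentation with spaces only; a key with no value opens a nested mapping."""
    root = {}
    stack = [(-1, root)]          # (indent, mapping) for each currently open mapping
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        # Close every mapping that is indented at or deeper than this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = value
    return root

# The settings block from the post, with its indentation.
CONFIG = """\
database:
  host: localhost
  name: collective_development
  username: name
  password: passwd
  type: mysql
  charset: utf-8
"""

if __name__ == "__main__":
    c = load_block_yaml(CONFIG)
    print(c["database"]["host"], c["database"]["username"])
```

Whatever parser you use, the file that holds password needs to live outside the web server's document root, or the server must be told not to serve .yml files as plain text.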

|
RewriteRule
For my thesis, I'm building a simple (there's that word again!) publishing backend that basically just accepts any kind of media, gives you an interface to catalogue it, creates Torrent metafiles, etc. and then spits out XHTML and RSS. For this to look nice, I decided to use Apache's mod_rewrite to get simple canonical URIs (like show/get/11, genre/Horror etc.), so my rule looked something like this (the L flag means it's the last rule and NC that the regex is case-insensitive):
RewriteRule ^([a-z]+)/(.*)? shows.php?p=$1&id=$2 [L,NC]

But then you hit the age-old problem. You have some files (like images, css, javascript etc) that you want the browser to access directly, without the redirect. I must have tried a bazillion different permutations of Rewrite conditions, but then ended up with these two:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f

Which, put before your RewriteRule, simply say:
Only apply the rule if the accessed file or directory doesn't exist on the server

Perfect. Mind you, there's also a "-U" switch which the Apache docs say should do the same thing, but I simply couldn't get it to work.

A really good way to learn these is to, in your httpd.conf set:
RewriteLog /private/var/log/httpd/rewrite_log
RewriteLogLevel 9

And just follow the output of that while you're working on these.

Here's also some good practical RewriteRule documentation. Oh, and there's also a handy RewriteRule cheatsheet over at ILJD.
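The two RewriteConds and the rule are simple enough to model outside Apache, which makes the "age-old problem" visible on a constructed document root. Added example, not from the post: the existence checks (!-d, !-f) and the rule's regex with NC, applied to the URIs mentioned above plus a real css file and an images directory.

```python
import os
import re
import tempfile

# The rule from the post; [NC] is re.IGNORECASE. The two RewriteConds become the
# isdir/isfile checks: only rewrite when nothing exists at that path.
RULE = re.compile(r"^([a-z]+)/(.*)?", re.IGNORECASE)

def rewrite(docroot, request_path):
    """Return the internal target for request_path, or None when the request is served as-is."""
    rel = request_path.lstrip("/")
    candidate = os.path.join(docroot, rel)
    if os.path.isdir(candidate) or os.path.isfile(candidate):   # RewriteCond !-d / !-f
        return None
    m = RULE.match(rel)
    if m is None:
        return None
    return f"shows.php?p={m.group(1)}&id={m.group(2) or ''}"

def demo():
    """Constructed docroot: one real stylesheet and an images directory beside the virtual paths."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "images"))
        with open(os.path.join(docroot, "style.css"), "w") as f:
            f.write("body {}")
        with open(os.path.join(docroot, "images", "logo.png"), "wb") as f:
            f.write(b"\x89PNG")
        requests = ["/show/get/11", "/genre/Horror", "/style.css",
                    "/images/logo.png", "/images", "/images/missing.png"]
        return {r: rewrite(docroot, r) for r in requests}

if __name__ == "__main__":
    for request, target in demo().items():
        print(f"{request:22} -> {target or 'served directly'}")
```

Note the last case: a request for an asset that does not exist is also rewritten to shows.php, so the script ends up answering for broken image links, and it has to validate whatever arrives in p and id since the rule passes anything after the first slash straight through.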
|
Apache 2.2.4 Universal Binary
Long story short, I needed a server-side Python interpreter. For this there are two options (that I know of) - install Zope and run it alongside or in place of your existing web server (probably what any intelligent being would do), or go the hard way and run mod_python instead. The latest version works with either httpd 2.0 or later so it won't run OOtB on OS X. I figured since I'm upgrading my Apache anyway, I may as well grab the latest version. Turns out there's actually no OS X package out there for that (not counting the XAMPP monster, which is Intel-only). OK, no biggie, I'll roll it myself - and why not make it UB as well.

> ./configure --prefix=/usr/local/httpd-2.2 --enable-isapi --disable-mem-cache --enable-mime-magic --enable-ssl \
--enable-http --enable-dav --enable-cgi --enable-rewrite --enable-so --enable-headers --with-ldap --enable-dbd \
--enable-auth-digest --enable-authnz-ldap --enable-authn-anon --enable-mods-shared=most --enable-ldap --enable-cache

I think those features should make it more or less usable also in a real server environment.

Then, due to a bug in GNU libtool, you have to manually replace all the sys_lib_search_path_spec lines in two files - srclib/apr/libtool and srclib/apr-util/xml/expat/libtool to
sys_lib_search_path_spec="/Developer/SDKs/MacOSX10.4u.sdk/usr/lib"

After compiling and installing I had to go through the config files to make it more of a drop-in replacement for Apache 1.3, so that it works nicely with what's already there without actually replacing anything. Simply start with config/httpd.config and work through it and all the included files to check for any "incompatibilities" with OS X (document root, the www user, homedirs, tmp dirs, the usual).

Finally you just need an interface to control the server. Some fancier distros come with PrefPanes; mine simply has a StartupItem with the service name "Apache 2.2". You set this up by adding something in /etc/hostconfig (like APACHE22=-YES-) and then the relevant StartupItem into /Library/StartupItems. So finally, to start our new server:
> sudo SystemStarter start "Apache 2.2"

You can't use launchd because it's not appropriate for wrapping things like apachectl.

Currently things seem to run nicely, I'm still testing stuff before maybe building a package. WebDAV works, which is nice.

It's incredible how many things you have to keep in mind to finally get a successful build out, a lot due to the fact that configure scripts don't seem to do any sanity checking between the different switches. For example, you can enable DAV, but if you forget to add any auth modules, nothing will work. Or the fact that --with-ldap and --enable-ldap are two different things - and you only find out that the first one (which isn't even mentioned in --help, btw) is compulsory if you want to add any kind of LDAP support. It took a lot of TTA to finally get this far...
|
Fixing the Lumbard
The G3 "Series" PowerBook is a really good machine for your parents - it looks "mature", it's "laptop enough" to take it to the cottage if needed, has a big screen (although pretty dim by today's standards), runs a browser and email just fine and is cheap. Ours had a problem with the power connector though, requiring them to wedge something under the connector for it to work. Obviously just a bad contact - a perfect opportunity for some light hardware work. Not to mention a great excuse to buy some new tools:

  • The small Panavise that is simply awesome. I don't understand why they don't recommend these anywhere. Here it's about 40 EUR, but it's well worth it.

  • A new soldering iron. I got a fairly cheap Velleman to replace my old iron. Works well but the stand is pretty useless and it doesn't come with a sponge.

  • Some solder wick and obviously some nice, thin lead-free solder

  • #8 (50mm) torx. This will be your new best friend if you work a lot with Apple laptops. I got a Velleman which was cheap (3 EUR) and came pre-magnetized.

If you haven't soldered in a while (or ever), there's a really nice tutorial over at Makezine.com as well as a primer on using a multimeter.

The plastic on these old G3 PowerBooks is pretty brittle by now from all the heat and long age, so you have to be extra careful! The problem turned out to be a cold solder joint on the power connector. Works just fine now.

Working with hardware can be really rewarding - both in terms of fun and money. It's nice to work on something that you can actually touch, for a change. Sad that, in the long run, PC hw hacking is kind of a dying art because of all the crazy integration going on. I would not have been able to pull this off with a MacBook, I bet. That thing's just one big (actually small) logic board on the inside. So it's nice that there's still things like the Makezine.

My next hardware project's going to be building an RS-232 to USB adapter + some logging software for my trusty and obsolete Protek 506.

|