Securing Apache Content with Basic Authentication on Ubuntu

This will be a brief outline of the steps necessary to secure content under /var/www/app on an Apache 2 web server running on Ubuntu with Basic authentication. The configuration for the Apache server can be found here, but it is pretty standard for serving up https://www.cbaekexample.com.

This was done on Ubuntu 12.04 (Precise Pangolin) using the Apache 2 installation provided in the repositories (i.e. the one provided by running apt-get install apache2, which is version 2.2).

NOTE: this is by no means a suggested configuration for a production server.  Since there are so many different configuration parameters for different scenarios, optional configurations won’t even be mentioned; this is just one of the simplest ways.

Enable Modules

For this example, the auth_basic_module, authz_user_module, and authn_file_module modules will be required. These should already be enabled with the default installation, but just in case they are not, the following commands can be run.

# a2enmod auth_basic
# a2enmod authn_file
# a2enmod authz_user

Create Password File

A file has to be created that will store the credentials that will be used for authentication. In the example below, the file is being created in /etc/apache2/passwords for the users user1 and user2. The file can be created anywhere for any number of users.  The -c flag is only needed when the file is first being created.

# htpasswd -c /etc/apache2/passwords user1
New password: xxx
Re-type new password: xxx
Adding password for user user1
# htpasswd /etc/apache2/passwords user2
New password: xxx
Re-type new password: xxx
Adding password for user user2

Secure Content

The following configuration should be added to the VirtualHost for which the content is being secured. Any content under this directory should be secured for any user in the file created in the previous step.

<Directory /var/www/app>
  AuthType Basic
  AuthName "Secure Content"
  AuthBasicProvider file
  AuthUserFile /etc/apache2/passwords
  Require valid-user
</Directory>
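
Basic authentication is only as strong as the password file behind AuthUserFile, so the following added example (not part of the original post) reports the hash scheme of each entry and checks whether the file is world-readable. The function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: audit an htpasswd-style file such as /etc/apache2/passwords.
# Function names are hypothetical; sample entries are constructed placeholders.

# Print "user scheme" for each entry, judged by the prefix/shape of the hash.
htpasswd_schemes() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            h = $2
            p = substr(h, 1, 4)
            if (p == "$2a$" || p == "$2b$" || p == "$2y$") s = "bcrypt"
            else if (index(h, "$apr1$") == 1) s = "apr1-md5"
            else if (index(h, "{SHA}") == 1)  s = "sha1-unsalted"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "crypt-des"
            else s = "plaintext-or-unknown"
            print $1, s
        }' "$1"
}

# Print users stored with a weak scheme: unsalted SHA-1, DES crypt() (only the
# first 8 password characters count), or plaintext/unknown.
htpasswd_weak_users() {
    htpasswd_schemes "$1" |
        awk '$2 != "bcrypt" && $2 != "apr1-md5" { print $1 }'
}

# Exit 0 if "other" users can read the file (mode bit 004 is set).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Demo on a constructed file; pass the real AuthUserFile path instead.
demo=$(mktemp)
cat > "$demo" <<'EOF'
user1:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA
user2:abJnggxhB/yWI
user3:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF
chmod 644 "$demo"
htpasswd_schemes "$demo"
echo "weak: $(htpasswd_weak_users "$demo" | tr '\n' ' ')"
is_world_readable "$demo" && echo "world-readable: use 640 root:www-data"
rm -f "$demo"
```

Apache on Ubuntu runs as www-data, so owner root, group www-data and mode 640 keeps the file readable by the server but not by other local users.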

Configuring Tomcat6 with an Apache Proxy on Ubuntu

This will be a brief outline of the steps necessary to configure an app named app on a Tomcat 6 server with an Apache 2 web server as a proxy all on an Ubuntu server. The configuration for the Apache server can be found here, but it is pretty standard for serving up https://www.cbaekexample.com. Here are the specifications:

This was done on Ubuntu 12.04 (Precise Pangolin) using the Tomcat 6 installation provided in the repositories (i.e. the one provided by running apt-get install tomcat6).

NOTE: this is by no means a suggested configuration for a production server.  Since there are so many different configuration parameters for different scenarios, optional configurations won’t even be mentioned; this is just the simplest way to enable Apache as a proxy for Tomcat 6.

Configure Tomcat 6 Connector

By default, the Tomcat server can be accessed directly and will serve up the webapp; however, the goal is to hide it behind a nice URL, so the connector must be modified. The configuration below limits incoming requests to localhost because the example assumes Apache is running on the same host; otherwise, an IP that is accessible by the Apache server should be used.

# cat /etc/tomcat6/server.xml
...
    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
                  connectionTimeout="20000"
                  URIEncoding="UTF-8"
                  redirectPort="8443"
                  proxyName="www.cbaekexample.com"
                  proxyPort="443"
                  scheme="https" />
...
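
To confirm that the address attribute took effect, the following added example (not part of the original post) filters `ss -ltn` output for listeners on the connector port that are bound to anything other than loopback. The function names are hypothetical and both samples of `ss` output are constructed.

```shell
#!/bin/sh
# Added example: check that the Tomcat connector port is bound to loopback only.
# Function names are hypothetical; both samples of `ss -ltn` output are
# constructed.

# Read `ss -ltn` output on stdin; print every local address listening on
# port $1 that is not a loopback address. No output means loopback-only.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)                  # [::1] -> ::1
            if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
            print $4
        }'
}

# Connector without an address attribute: listens on all interfaces.
sample_default() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     192.168.0.1:80      *:*
LISTEN  0       128     *:443               *:*
LISTEN  0       100     :::8080             :::*
EOF
}

# Connector with address="127.0.0.1" as configured above.
sample_hardened() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     192.168.0.1:80      *:*
LISTEN  0       128     *:443               *:*
LISTEN  0       100     127.0.0.1:8080      *:*
EOF
}

echo "default:  $(sample_default  | non_loopback_listeners 8080)"
echo "hardened: $(sample_hardened | non_loopback_listeners 8080)"
# On a live host: ss -ltn | non_loopback_listeners 8080
```

Any line printed for port 8080 means clients can reach Tomcat directly and bypass whatever Apache enforces in front of it, such as TLS or Basic authentication.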

Enable Proxy Modules

mod_proxy and mod_proxy_http are being used for this setup, so they need to be enabled.

# a2enmod proxy
# a2enmod proxy_http

Enable Proxy in Apache VirtualHost

Assuming a virtual host is already set up in Apache, only two directives are necessary to enable proxying.

# cat /etc/apache2/sites-available/cbaekexample-ssl
...
    <IfModule mod_proxy.c>
        ProxyPass /app http://localhost:8080/app
        ProxyPassReverse /app http://localhost:8080/app
    </IfModule>
...

Configuring a Secure Apache Website on Ubuntu

This will be a brief outline of the steps necessary to configure cbaekexample.com on an Ubuntu server with the following specifications:

This was done on Ubuntu 12.04 (Precise Pangolin) using the Apache 2 installation provided in the repositories (i.e. the one provided by running apt-get install apache2, which is version 2.2). A self-signed certificate will be used, but the procedure should be similar for an actual setup.

Setup hosts File

NOTE: this only needs to be done if a local setup is being configured for demonstration, example, etc. purposes.

The following needs to be added to the /etc/hosts file because cbaekexample.com is not real.

# tail -1 /etc/hosts
192.168.0.1	cbaekexample.com www.cbaekexample.com

Disable Default Sites

NOTE: the following isn’t necessary, but probably a good idea to avoid confusion of what is working and what is not working.  This is probably also a good idea if a real site is being configured.

The following command should be run to disable the default site.

# a2dissite default

Restrict NameVirtualHost

NOTE: this is optional, but probably a good idea if a real site is being configured.

The /etc/apache2/ports.conf file should contain the following to restrict the IPs accepting name based virtual hosts. 192.168.0.1 is being used for example purposes, but this should be the actual server IP address.

# cat ports.conf 
...
Listen 192.168.0.1:80
NameVirtualHost 192.168.0.1:80
...

Create HTTP Site

The following file should be created and enabled to accept and redirect HTTP requests.

# cat /etc/apache2/sites-available/cbaekexample
<VirtualHost 192.168.0.1:80>
    ServerName cbaekexample.com
    ServerAlias www.cbaekexample.com
    Redirect permanent / https://www.cbaekexample.com/
    ErrorLog ${APACHE_LOG_DIR}/www-cbaekexample-error.log
    LogLevel alert
    CustomLog ${APACHE_LOG_DIR}/www-cbaekexample-access.log combined
</VirtualHost>
# a2ensite cbaekexample

Enable SSL and Rewrite modules

The following commands should be run to enable the SSL and rewrite modules.

# a2enmod ssl
# a2enmod rewrite

Configure NameVirtualHosts on SSL port

The /etc/apache2/ports.conf file should contain the following to accept name based virtual hosts on the SSL port. 192.168.0.1 is being used for example purposes, but this should be the actual server IP address.

# cat ports.conf 
...
NameVirtualHost 192.168.0.1:80
...
<IfModule mod_ssl.c>
    NameVirtualHost 192.168.0.1:443
    Listen 443
</IfModule>
...

Create Key and CSR (Certificate Signing Request)

The following command should be run to generate a key file cbaekexample.key and a CSR cbaekexample.csr. The CSR is what would be sent to a CA like Verisign. This is a matter of opinion, but I created the CSR for cbaekexample.com, used cbaekexample.com as the ServerName and used www.cbaekexample.com as a ServerAlias. An alternative would be to create keys and CSRs for the domain as well as the www alternative, but that would require two certificates.

# openssl req -new -newkey rsa:2048 -nodes -keyout cbaekexample.key -out cbaekexample.csr
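
A CSR can also request both names in a single certificate through the subjectAltName extension. The following added example (not part of the original post) generates such a CSR non-interactively and checks that it lists both names and matches its key; the function names, file names and config layout are assumptions.

```shell
#!/bin/sh
# Added example: one key and one CSR that request both host names through the
# subjectAltName extension. Function and file names are hypothetical.

# make_san_csr DIR CN [ALT...] writes DIR/site.key, DIR/site.csr, DIR/req.cnf
make_san_csr() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    (
        umask 077    # private key must not be group/world readable
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
            -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
    )
}

# Print the DNS names requested in the CSR $1, one per line.
csr_dns_names() {
    openssl req -in "$1" -noout -text |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Exit 0 if the public key in CSR $1 belongs to private key $2.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo in a throwaway directory with the names used in this post.
work=$(mktemp -d)
make_san_csr "$work" cbaekexample.com www.cbaekexample.com
csr_dns_names "$work/site.csr"
csr_matches_key "$work/site.csr" "$work/site.key" && echo "key matches CSR"
rm -rf "$work"
```

When self-signing such a CSR with `openssl x509 -req`, add `-extfile req.cnf -extensions v3_req`, because the requested extensions are not copied into the certificate by default.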

Self-Sign Certificate

NOTE: this only needs to be done if a local setup is being configured for demonstration, example, etc. purposes.

The following command should be run to sign the certificate.

# openssl x509 -req -days 1825 -in cbaekexample.csr -signkey cbaekexample.key -out cbaekexample.crt

Install Certificates

The following commands should be run to install the certificates in the proper locations.

# cp cbaekexample.crt /etc/ssl/certs/
# cp cbaekexample.key /etc/ssl/private/

Create HTTPS Site

The following file should be created and the command run to accept HTTPS requests.

# cat /etc/apache2/sites-available/cbaekexample-ssl
<IfModule mod_ssl.c>
<VirtualHost 192.168.0.1:443>
    ServerAdmin cbaekexample.com@contactprivacy.com
    ServerName cbaekexample.com
    ServerAlias www.cbaekexample.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.cbaekexample\.com [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://www.cbaekexample.com/$1 [L,R]
    DocumentRoot /var/www
    RewriteLog ${APACHE_LOG_DIR}/www-cbaekexample-ssl-rewrite.log
    RewriteLogLevel 1
    ErrorLog ${APACHE_LOG_DIR}/www-cbaekexample-ssl-error.log
    LogLevel alert
    CustomLog ${APACHE_LOG_DIR}/www-cbaekexample-ssl-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/cbaekexample.crt
    SSLCertificateKeyFile /etc/ssl/private/cbaekexample.key
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# a2ensite cbaekexample-ssl

Restart Apache

The following command should be run to restart Apache and have the configuration changes take effect.

# service apache2 restart

Setting Environment Variables with Spaces in OS X 10.8 (Mountain Lion)…

For setting the PATH and other environment variables, see here, since it will explain the more appropriate place for them.

Unfortunately, the methods listed in the linked article above don’t work for environment variables with spaces, e.g. MAVEN_OPTS="-Djavax.net.ssl.trustStore=keystore -Djavax.net.ssl.trustStorePassword=password".

To set these, the variables have to be configured as launch daemon arguments.  Here is an example of a file I have:

$ cat /Library/LaunchDaemons/mavenopts.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
	"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>MAVEN_OPTS</string>
	<key>ProgramArguments</key>
	<array>
		<string>launchctl</string>
		<string>setenv</string>
		<string>MAVEN_OPTS</string>
		<string>-Djavax.net.ssl.trustStore=keystore -Djavax.net.ssl.trustStorePassword=password</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<true/>
	<key>LaunchOnlyOnce</key>
	<true/>
</dict>
</plist>

This file can also go in /System/Library/LaunchDaemons instead of /Library/LaunchDaemons, but this is more a matter of philosophy; either location will work.

For more details, here is the Apple documentation: http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/10000172i-SW7-BCIEDDBJ

Setting up Nike Missions with an iPod Nano

This was a little annoying to set up, but these are my recommended steps (assuming iPod Nano and iTunes have already been sync’d at least once for music and other media):

  1. Set up Nike+ account by doing the following:
    1. Go to http://www.nikeplus.com in the default browser
    2. Create an account if one does not already exist
    3. Log in and leave the browser logged in
  2. Register a run on the iPod Nano by doing the following (it must be a run, not a walk):
    1. Tap “Fitness”
    2. Tap “Run”
    3. Tap “Basic”
    4. Tap “None”
    5. Tap “Start Workout”
    6. Shake the device a little bit to register some activity
    7. Tap the pause button
    8. Tap “End Workout”
  3. Sync the iPod with iTunes.  iTunes should prompt whether Nike+ data should be uploaded automatically or not.  This can be changed later by going to the Nike tab under the device settings and checking or unchecking the box.
  4. Once the iPod has been sync’d, the device should be registered with Nike and should be recognized for Nike Missions (http://missions.nike.com)

After registering for Nike Missions and clicking through the introduction screens, a screen should be found that has a button to start a mission.  Clicking this button seems to start the timer (i.e. if the mission were to earn 300 points in 30 minutes, the 30 minute timer would start as soon as the button was clicked), so I’m not sure how this is supposed to work with the iPod Nano since it has no wireless synchronizing capabilities.  For someone like me who carries their iPod to work and sync’s it at home, I’m assuming runs could be registered on the device during the day, a mission timer started in the evening at home, and a sync performed at home while the timer is running.  Time to try it out!

Setting Environment Variables in OS X 10.8 (Mountain Lion)

I was recently trying to install SQL Developer from Oracle and wanted the LDAP function to work, which would require the application to be aware of my ORACLE_HOME, but I could not get the application to become aware of the environment variable when I launched it from the Launcher or the Dock.

Shell Variables

For environment variables that are only going to be used in the terminal, setting them in the .bash_profile is sufficient.  I’m not totally sure how the OS X shell works, but it seems to only read the .bash_profile (doesn’t seem to read .bashrc etc.), and it reads it every time a new terminal is opened.

Example

PATH=${PATH}:${HOME}/scripts; export PATH

The problem with using the .bash_profile is that applications in the GUI are not aware of the environment variables (e.g. in my case, launching SQL Developer from the command line activated the features I wanted, but clicking the icon from the Launcher did not activate the features).

Environment Variables

There used to be a mechanism for setting environment variables prior to Mountain Lion by setting them in the ${HOME}/.MacOSX/environment.plist file, but this doesn’t seem to work in Mountain Lion.  They have to be set via launchd in /etc/launchd.conf. Unfortunately, this can’t be done at a user level at the moment (${HOME}/.launchd.conf not currently supported), so it must be done at a global level (affects all users).

Example

setenv ORACLE_HOME /opt/oracle

Path Variables

There is one more way to set the PATH globally for all users. It can be done by adding directories that should be in the path into files under the /etc/paths.d directory.

Example

Here is an example of a file that might be called /etc/paths.d/oracle.

/opt/oracle/bin

Project Sputnik Ready for Mainstream?

I was initially extremely happy with the Dell XPS 13 paired with Ubuntu 12.04, also known as Project Sputnik. Physically, the laptop was very impressive, the first non-Apple laptop I’ve used that I thought could be competitive with the MacBook Air. Also, even after trying all the major Linux distributions, I’ve always been an Ubuntu fan for its stability and large community (I know calling Ubuntu stable might make some people scoff, especially with the migration to Unity, but that is not what this post is about). However, after using the combination for a few weeks, unfortunately, I don’t think this project is ready for the masses…

Here are some of my thoughts in no particular order:

  • The WiFi signal strength meter in Unity shows pretty low signal strength. This may be because the bars on the meter are calibrated differently, but as a simple user, it is more comforting to see all the bars on my MacBook Air lit up than to see only three. To be fair, I haven’t noticed any WiFi performance differences between the two.
  • I read complaints that the Ubuntu installer wiped the entire laptop. I didn’t experience this for myself, so if the partitioning options are a new feature in the install process, they are definitely welcome. I’m still curious why Ubuntu insists on installing the entire system in a single partition when distributions like Fedora install a nice LVM2 layout by default. As a simple user who might want to reinstall the OS if I think I’ve messed up too many system configurations, I’d like to think I could do this without having to back up or lose all of my personal data (e.g. critical development projects).
  • To put it simply, the touchpad behaves inconsistently. Even after tweaking the system settings, it usually requires a pretty heavy tap to register a click, but at other times, clicks register with just a slight brush of my palm. As a simple user or even an advanced user who is just trying to develop, this seems like one of the basic things I should not have to deal with in order to do whatever I need to get done.
  • The way the keyboard lighting works doesn’t make sense. Sometimes it turns on as soon as I start using the keyboard and turns off when I am done (which I assume it’s supposed to do), and other times it remains illuminated. There are also times when it just doesn’t turn on at all even though I have been typing for some time.
  • To put it simply, Unity behaves inconsistently. Everything at the command line and with raw processing (e.g. compilation) works fine, but strange things happen with the GUI, especially considering I am running with a Core i7. Again, as a simple user, these are the kinds of things I do not want to bother me while I am trying to do my work.
    • While extracting a large file (~4GB) in gnome-terminal, keystrokes were not being registered in Chrome. Keystrokes began registering again after the file was extracted.
    • The launcher sometimes gets “stuck” (doesn’t hide) even though it is set in auto-hide mode. I haven’t really found a solution to this other than to hope it auto-hides itself after I put the laptop to sleep.
    • Flash in Firefox works fine, but is inconsistent in Chrome (not Chromium); it works fine for a little while (I’ve accepted that the fan will go on full blast on any non-Windows OS), but then it starts playing all videos at over 2X. This might be a Chrome bug and not an Ubuntu bug, but I haven’t run into this issue on my MacBook Air.
    • Sometimes Thunderbird will close all its windows, but the process will remain running in the background, consuming ~20% CPU. This causes the fan to kick in and probably consumes more battery, an annoyance that might go undiscovered by a simple user.
    • Unity became unresponsive to the keyboard while updating the Twitter feed. Seriously? With an i7?
    • While some mail in Thunderbird was being copied to the Sent folder, I could not change the volume with the keyboard. Again, seriously? With an i7?
  • Multitouch gestures are nowhere close to what Apple has implemented.
  • After being put to sleep and being woken up multiple times, something with the fan doesn’t seem to work properly. The temperature sensors in the laptop don’t report anything out of the ordinary, but the fan cycles like it’s breathing. For comparison, my MacBook Air has been put to sleep and woken up for a collective 6 days without inconsistent behavior.

To be fair, these are only minor complaints that can mostly be tolerated by intermediate or advanced users who want to troubleshoot and know what’s going on, but from a simple user perspective or maybe even a developer who wants to get things done, these are annoyances that can be avoided by just investing the extra money towards an Apple.