Running BIND9 and ISC-DHCP

Most people use a NAT router at home for connecting to the Internet, and most consumer-grade NAT routers offer some limited version of DHCP for automatically handing out IP addresses to desktops and laptops and game consoles and smartphones and some limited version of DNS for making sure all the devices on the network know what all the other devices are called. However, the feature set and functionality of these cut-down DHCP and DNS instances are almost always too limited to handle more than the simplest of network designs; sometimes, you need to be able to do more. For example, if you wanted to set up a separate DHCP zone for handing out addresses to untrusted wireless clients versus trusted clients, or if you wanted to do something more awesome like implement the Upside-Down-Ternet, you’d need something a lot more configurable than the little NAT router’s applications.

There are lots of options, but it’s easiest to just pull out the big guns and set up BIND9, the current version of the DNS software that powers the Internet, along with the ISC’s DHCP server. DNS and DHCP are like peas and carrots, as the saying goes—DHCP hands out the addresses, but doesn’t communicate to other network hosts who has what address; DNS knows how to correlate names to addresses but doesn’t hand out addresses itself. In this post, we’ll set up DNS and DHCP on Ubuntu, and then configure them to work together.

(NB. This blog entry ended up being bloody huge, because I don’t just list the configuration options to set but rather go into detail on what each one does. I’d intended to bang the post out in a single evening, but instead it’s taken a couple of hours over three days to complete. I hope it is informative and helpful!)

Read more

Using @font-face with Octopress

This is an old post. It may contain broken links and outdated information.

Octopress comes with awesome support for Google Web Fonts, which lets you quickly and easily add fonts to your web site from Google’s large library, but Google Web Fonts have their drawbacks. Using one Google Web Font will have little impact on your site’s load time, but every additional font you add to your web page increases the page’s load time, as clients must use additional HTTP requests to pull the web fonts from Google’s servers while at the same time loading your page and its contents. Plus, sometimes you want to use a (free and legal) font that’s not in Google’s library.

There’s a workaround—a CSS method named @font-face (more info), which allows you to host your own fonts on your web server and serve them to clients along with your page. At first glance, this doesn’t seem too terribly different from simply including fonts from a web source like Google, but hosting your own fonts via @font-face on a web server with keepalive is much quicker than pulling them from a separate server, as far fewer HTTP sessions have to be used to load the page and its contents. Fewer sessions means faster page loading!

While Octopress comes with a ready-made method of adding Google Web Fonts, it’s not set up out of the box to use @font-face-served fonts. However, it’s pretty easy to change the configuration!

Read more

Nginx: stable or dev?

This is an old post. It may contain broken links and outdated information.

Like most open source projects, Nginx has more than one “branch” of code—that is, more than one version available for public consumption. Ignoring platform-specific versions, the two main branches are “stable”, and “development”.

This is a common dichotomy. For projects divided thusly, the “stable” branch is intended to be a thoroughly tested, minimally-bugged, production-ready version of the application which can be deployed in real life. Conversely, the “development” branch usually has more features, but is typically a lot more rough and potentially buggy, having undergone less testing. Stable is for production, development is so that users can test upcoming features.

Read more

Securing Openfire clients

This is an old post. It may contain broken links and outdated information.

The last post on Openfire (discussing how to add SSL/TLS certificates) proved to be pretty popular, and I’ve gotten more than one request for a follow-on about securing Openfire clients—that is, forcing them to communicate with the Openfire server using only an ecrypted SSL/TLS connection rather than cleartext. In this post we’ll go through how to configure three popular IM applications to use SSL/TLS with Openfire. I’ll also add notes about how to enable OTR messaging encryption on two of those IM clients.

Read more

Embedding images in CSS

This is an old post. It may contain broken links and outdated information.

I’ve mentioned before that I’m CSS-stupid, and the practical effect of not knowing how to do damn near anything means that even small modifications to the Bigdinosaur.org main site usually involve a tremendous amount of reading and experimentation. I’ve stuck firmly to the current school of thought in web design, which is that HTML is purely for content, and layout should be done exclusively with CSS, and I’ve managed to produce a very simple but nice-looking site as a result.

However, running the site through a few web performance benchmarking sites led to a universal recommendation: use CSS sprites or CSS image embedding to reduce the number of HTTP connections necessary to load the site. Each HTTP session costs the web server a little bit of overhead (although using Nginx instead of Apache helps a whole lot with keeping the web server processes under control), and one of the ways to ensure your site loads as quickly as possible is to reduce the number of times a client has to ask the web server to send it things.

Read more

Openfire and SSL/TLS certificates

This is an old post. It may contain broken links and outdated information.

I’m a huge fan of StartCom’s StartSSL service—these days there are no few certificate authorities who will get you free or low-cost SSL/TLS certificates, but the customer service experiences I’ve had with StartSSL have been outstanding. They respond to e-mail very quickly, sometimes within minutes, and that’s what keeps me using them.

Bigdinosaur.org has been rocking the HTTPS ever since I came across this Ars Technica article a couple of years ago detailing how to get free SSL/TLS certificates for your web site. Once you start using real CA-generated certificates, you quickly realize how awesome it is to no longer have to deal with the hassle of self-signed certificates and worthless browser security warnings; I wanted a certificate for everything! The easiest way to do that, actually, is with what’s called a “wildcard” certificate, so named becaue instead of being valid for just a single host name, the certificate is valid for several. Shortly after signing up for free class 1 SSL/TLS certs from StartSSL, I went back and paid the fee for a class 2 identity validation, which then gave me the right to get as many class 2 certificates as I wanted—and, more importantly, gave me the ability to request wildcard certificates, too. Rather than deal with several certs for the several hosts that make up Bigdinosaur.org, I opted for a single wildcard certificate that covers *.bigdinosaur.org.

It was great and I installed it everywhere. The Bigdino web server uses it, my firewall uses it, postfix uses it, Murmur (the Mumble voice chat server we used for Minecraft) uses it, and even the Bigdino Openfire Jabber/XMPP instant messaging server uses it. In fact, this morning I got the notice that it had been two years since I’d generated the wildcard certificate, and it needed to be renewed. I spent a few minutes plugging the new certificate in to all the places where it needed to go, but I was a bit stymied by Openfire. I recalled going through some gymnastics to get the certificate installed on it a couple of years ago, but like a fool I didn’t write anything down, and so I had to embark on a long Google hunt to recreate whatever the hell I’d done in 2009.

Openfire makes it pretty darn easy to generate a self-signed certificate, or to generate a certificate signing request that you can send to your certificate authority, but it’s a little more difficult to take an existing certificate and import it. No small part of the problem is caused by Openfire’s web console not actually doing what you think it’s going to do when you attempt to import new certificates. Fortunately, several others have gone down this road before, and so here’s the procedure I pieced together from several different web sites and from posts on Openfire’s forum, particularly this one.

Read more

Serving Minecraft on Ubuntu

This is an old post. It may contain broken links and outdated information.

The first thing I ever saw of Minecraft was this video of an impossible waterslide which stretched up across the sky and down through footless caverns. I was entranced, and started playing shortly after that. Minecraft is primarily a sandbox game where you dig for resources and build things, all in glorious faux 8-bit graphics. Of late its creators have tried to turn it into a really bad Zelda clone, but fortunately it’s possible to ignore all the worthless stupid shit they keep adding and instead play it in the proper manner. It can be played single- and multiplayer, and while I normally hate playing with anyone online, Minecraft is my exception.

In October of 2010 I decided to download the Minecraft server application and take a stab at running my own Minecraft server, so that my buddies and I could have a private place to build things without worrying about random crazy people from the Internet kknocking down our sandcastles. There were some errors along the way, but I’ve settled on some guidelines and methods that have worked out very well for me.

Read more

Postfix, Google Apps, and you

This is an old post. It may contain broken links and outdated information.

All the cool kids have web servers, but all the REALLY cool kids have web servers with the ability to send e-mail. In days of yore, when dragons roamed the Internet and a web page with a graphical background was considered a novelty, sending e-mail from your home was as easy as setting up sendmail (or your preferred MTA) and letting ‘er rip. Things are different these days, though, as spammers long ago ruined it for everyone and made doing your own e-mail a lot more difficult.

If you’re doing your web hosting through an actual hosting provider, then chances are you already have some avenue available for your web server or its applications to send e-mail; if you’re hosting out of your basement or closet, though, like I am, it can be a little more complicated. The first obstacle is that most ISPs will block the standard SMTP TCP ports; even if you get past that (by having an unblocked business-class connection, for example), damn near every operating e-mail system in the world blacklists the IP address ranges used by ISPs for customer connections, in order to stop infected home PCs from drowning them with viagra spam.

Here again spammers have peed in the pool, because no mail server will just happily relay messages.

The solution is mail relaying, where you send e-mail to a trusted e-mail server, which then sends it on to your recipient. Here again spammers have peed in the pool, because no mail server on the Internet is set up to just happily relay messages—in fact, any mail server that is configured as a so-called “open relay” will quickly find itself blacklisted by every other mail server.

But there is an easy way that your web server and its appliations can send e-mail outside of your LAN, and that way is to relay your mail through Google. Specifically, through a Google Apps Standard e-mail address.

This is a tutorial that’s been done elsewhere in lots of different ways—googling around for “postfix gmail relay” or “relay postfix through google apps” will net you scads and scads of results. I’m going to add to the pile by going through the method that I settled on. I was interested in setting up e-mail because I wanted to be notified of changes to the Bigdinosaur.org Minecraft wiki, and DokuWiki has a nice customizable notification system.

Read more

Changing Octopress’s header

This is an old post. It may contain broken links and outdated information.

I’ve been wanting to modify Octopress’s default layout for a few days, and had time this afternoon to sit down and puzzle it out. I’m about as facile with CSS as I am with German—I can ask for directions to the closest schnitzelhaus and possibly apologize for accidentally spilling beer on someone’s wife—so this was a process involving a lot of trial and error. Changing around the background colors was easy, and I’ll touch on that first, but what sent me down an entire series of rabbit holes was trying to figure out how to stuff an image up in the title bar area; or, rather, how to stuff up an image into the titlebar area that could be styled by CSS and reflow as the page is resized. Fortunately, by staring intently at the source for both the official Octopress page and also Angelo Stavrow’s blog, I was able to piece together some results that I’m happy with.

Read more

PDFs from man pages

This is an old post. It may contain broken links and outdated information.

I’m constantly consulting man pages as I blunder about in bash, and a way to quickly reference man pages while in the middle of something else is very valuable to me. The easiest way, at least for me, is to have the man pages saved somewhere so that I can consult them without breaking away from whatever deep shell-fu I’m immersed in. There’s a quick way to convert man pages into PDFs on OS X, and a slightly different but similarly quick way to do the same thing on Ubuntu.

Read more