Securing Openfire clients

This is an old post. It may contain broken links and outdated information.

The last post on Openfire (discussing how to add SSL/TLS certificates) proved to be pretty popular, and I’ve gotten more than one request for a follow-on about securing Openfire clients—that is, forcing them to communicate with the Openfire server only over an encrypted SSL/TLS connection rather than in cleartext. In this post we’ll go through how to configure three popular IM applications to use SSL/TLS with Openfire. I’ll also add notes about how to enable OTR messaging encryption on two of those IM clients.


Embedding images in CSS

This is an old post. It may contain broken links and outdated information.

I’ve mentioned before that I’m CSS-stupid, and the practical effect of not knowing how to do damn near anything means that even small modifications to the Bigdinosaur.org main site usually involve a tremendous amount of reading and experimentation. I’ve stuck firmly to the current school of thought in web design, which is that HTML is purely for content, and layout should be done exclusively with CSS, and I’ve managed to produce a very simple but nice-looking site as a result.

However, running the site through a few web performance benchmarking sites led to a universal recommendation: use CSS sprites or CSS image embedding to reduce the number of HTTP requests necessary to load the site. A sprite packs several small images into one file, and embedding puts an image’s bytes straight into the stylesheet as a base64 data URI, so either way the browser has fewer things to ask for. Each HTTP request costs the web server a little bit of overhead (although using Nginx instead of Apache helps a whole lot with keeping the web server processes under control), and one of the ways to ensure your site loads as quickly as possible is to reduce the number of times a client has to ask the web server to send it things.
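Here is the embedding half of that recommendation as a small shell function. It is an added example, not code from the original post: given a selector and an image file, it emits a CSS rule with the image inlined as a data URI, takes the MIME type from the file’s magic bytes rather than trusting the extension, and refuses files over a size cap (4 KB by default, an assumed value) because base64 inflates the image by a third and an embedded image is re-sent with the stylesheet on every load instead of being cached on its own. The function name, the cap and the selector in the usage line are my own choices.

```shell
#!/bin/sh
# Turn a small image into a CSS rule with the image embedded as a data URI,
# so the browser needs no extra HTTP request for it. Added example, not the
# post's own code. The MIME type comes from the file's magic bytes, not its
# extension, and files above the cap are refused: base64 grows every image
# by a third, and an embedded image is downloaded again with the stylesheet
# instead of being cached separately.
css_embed() { # css_embed SELECTOR FILE [MAX_BYTES]   (4096 is an assumed default)
  selector=$1 file=$2 max=${3:-4096}
  [ -r "$file" ] || { echo "css_embed: cannot read $file" >&2; return 1; }
  size=$(wc -c < "$file" | tr -d ' ')
  [ "$size" -le "$max" ] || {
    echo "css_embed: $file is $size bytes, cap is $max; use a sprite or a plain url() instead" >&2
    return 1
  }
  # First four bytes as lowercase hex, e.g. 89504e47 for PNG.
  magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
  case $magic in
    89504e47) mime=image/png ;;
    47494638) mime=image/gif ;;
    ffd8ff*)  mime=image/jpeg ;;
    *) echo "css_embed: $file does not look like a PNG, GIF or JPEG" >&2; return 1 ;;
  esac
  # GNU base64 wraps at 76 columns; strip the newlines so the URI is one token.
  b64=$(base64 < "$file" | tr -d '\n')
  printf '%s { background-image: url("data:%s;base64,%s"); }\n' "$selector" "$mime" "$b64"
}

# Usage (assumed paths): css_embed '.logo' images/logo.png >> embedded.css
```

Anything the size check rejects is a candidate for a sprite or an ordinary `url()` reference; the magic-byte check also stops a stray non-image file from being pasted into the stylesheet as if it were one.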


Openfire and SSL/TLS certificates

This is an old post. It may contain broken links and outdated information.

I’m a huge fan of StartCom’s StartSSL service—these days there is no shortage of certificate authorities that will get you free or low-cost SSL/TLS certificates, but the customer service experiences I’ve had with StartSSL have been outstanding. They respond to e-mail very quickly, sometimes within minutes, and that’s what keeps me using them.

Bigdinosaur.org has been rocking the HTTPS ever since I came across this Ars Technica article a couple of years ago detailing how to get free SSL/TLS certificates for your web site. Once you start using real CA-generated certificates, you quickly realize how awesome it is to no longer have to deal with the hassle of self-signed certificates and worthless browser security warnings; I wanted a certificate for everything! The easiest way to do that, actually, is with what’s called a “wildcard” certificate, so named because instead of being valid for just a single host name, the certificate is valid for any host name at one level under the domain: *.bigdinosaur.org covers www.bigdinosaur.org and mail.bigdinosaur.org, but not a.b.bigdinosaur.org, and not the bare bigdinosaur.org unless the CA also lists that name in the certificate. Shortly after signing up for free class 1 SSL/TLS certs from StartSSL, I went back and paid the fee for a class 2 identity validation, which then gave me the right to get as many class 2 certificates as I wanted—and, more importantly, gave me the ability to request wildcard certificates, too. Rather than deal with several certs for the several hosts that make up Bigdinosaur.org, I opted for a single wildcard certificate that covers *.bigdinosaur.org.

It was great and I installed it everywhere. The Bigdino web server uses it, my firewall uses it, Postfix uses it, Murmur (the Mumble voice chat server we used for Minecraft) uses it, and even the Bigdino Openfire Jabber/XMPP instant messaging server uses it. (One certificate everywhere also means one private key everywhere: whoever gets into any of those hosts walks off with a key that is valid for all of them, so the key file deserves tight permissions on every box it lives on.) In fact, this morning I got the notice that it had been two years since I’d generated the wildcard certificate, and it needed to be renewed. I spent a few minutes plugging the new certificate into all the places where it needed to go, but I was a bit stymied by Openfire. I recalled going through some gymnastics to get the certificate installed on it a couple of years ago, but like a fool I didn’t write anything down, and so I had to embark on a long Google hunt to recreate whatever the hell I’d done in 2009.

Openfire makes it pretty darn easy to generate a self-signed certificate, or to generate a certificate signing request that you can send to your certificate authority, but it’s a little more difficult to take an existing certificate and import it. No small part of the problem is caused by Openfire’s web console not actually doing what you think it’s going to do when you attempt to import new certificates. Fortunately, several others have gone down this road before, and so here’s the procedure I pieced together from several different web sites and from posts on Openfire’s forum, particularly this one.


Serving Minecraft on Ubuntu

This is an old post. It may contain broken links and outdated information.

The first thing I ever saw of Minecraft was this video of an impossible waterslide which stretched up across the sky and down through footless caverns. I was entranced, and started playing shortly after that. Minecraft is primarily a sandbox game where you dig for resources and build things, all in glorious faux 8-bit graphics. Of late its creators have tried to turn it into a really bad Zelda clone, but fortunately it’s possible to ignore all the worthless stupid shit they keep adding and instead play it in the proper manner. It can be played single- and multiplayer, and while I normally hate playing with anyone online, Minecraft is my exception.

In October of 2010 I decided to download the Minecraft server application and take a stab at running my own Minecraft server, so that my buddies and I could have a private place to build things without worrying about random crazy people from the Internet knocking down our sandcastles. There were some errors along the way, but I’ve settled on some guidelines and methods that have worked out very well for me.


Postfix, Google Apps, and you

All the cool kids have web servers, but all the REALLY cool kids have web servers with the ability to send e-mail. In days of yore, when dragons roamed the Internet and a web page with a graphical background was considered a novelty, sending e-mail from your home was as easy as setting up sendmail …

Changing Octopress’s header

This is an old post. It may contain broken links and outdated information.

I’ve been wanting to modify Octopress’s default layout for a few days, and had time this afternoon to sit down and puzzle it out. I’m about as facile with CSS as I am with German—I can ask for directions to the closest schnitzelhaus and possibly apologize for accidentally spilling beer on someone’s wife—so this was a process involving a lot of trial and error. Changing around the background colors was easy, and I’ll touch on that first, but what sent me down an entire series of rabbit holes was trying to figure out how to stuff an image up in the title bar area; or, rather, how to stuff up an image into the titlebar area that could be styled by CSS and reflow as the page is resized. Fortunately, by staring intently at the source for both the official Octopress page and also Angelo Stavrow’s blog, I was able to piece together some results that I’m happy with.


PDFs from man pages

This is an old post. It may contain broken links and outdated information.

I’m constantly consulting man pages as I blunder about in bash, and a way to quickly reference man pages while in the middle of something else is very valuable to me. The easiest way, at least for me, is to have the man pages saved somewhere so that I can consult them without breaking away from whatever deep shell-fu I’m immersed in. There’s a quick way to convert man pages into PDFs on OS X, and a slightly different but similarly quick way to do the same thing on Ubuntu.


Easy PS1 colors

This is an old post. It may contain broken links and outdated information.

Some time back I found a nifty little function to nicely and neatly add color to my bash prompt, and to do so in a readable and easily editable way. I forget the site where I originally saw the function, so I apologize to its author for displaying it here without attribution, but it’s certainly made my life easier; I have my prompt set to display the time, the user name and host name where I’m logged in, the directory I’m in, and the root/other token. I’m a visual kind of guy, too, so I alter the user/hostname so that it’s a different color for each of the boxes I’m regularly accessing at home.

On GNU/Linux and OS X, the two operating systems I’m most frequently using, the prompt the user most often sees is stored in a variable named PS1. PS1 contains some pretty boring default values on most OSs, especially OS X, but fortunately we can make it a lot more informative and useful by setting its value in the .bashrc file in your home directory, assuming you’re using bash as your shell—if you’re familiar enough with Unix and/or BSD to use a shell other than bash, you probably have your own ideas what PS1 should look like and probably think including colors in a prompt makes the baby Stallman cry. Or you use emacs for your operating system.
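As an added example (not the function from the post, which I don’t have), here is one way to build that kind of prompt in plain shell: a small color table, a per-host color picker, and a builder that assembles the time, user@host, the working directory and the root/other token into a PS1 string. Every color code is wrapped in `\[` and `\]` so bash does not count the escape bytes toward the prompt width, which is what makes long command lines wrap over themselves when people paste raw escapes into PS1. The host names bigdino and firewall in the picker and the particular colors are assumptions for illustration; swap in your own.

```shell
#!/bin/sh
# Build a colored bash prompt from readable pieces. Added example, not the
# function the post refers to. Each color is wrapped in \[ ... \] so bash
# excludes the escape bytes from the prompt width.
ps1_color() { # ps1_color NAME -> the \[\e[..m\] sequence for NAME (bold)
  case $1 in
    black)   code=30 ;; red)     code=31 ;; green)  code=32 ;; yellow) code=33 ;;
    blue)    code=34 ;; magenta) code=35 ;; cyan)   code=36 ;; white)  code=37 ;;
    reset)   printf '%s' '\[\e[0m\]'; return 0 ;;
    *) echo "ps1_color: unknown color '$1'" >&2; return 1 ;;
  esac
  printf '\\[\\e[1;%sm\\]' "$code"
}

ps1_host_color() { # pick a color per box so each host looks different (assumed names)
  case $1 in
    bigdino*)  echo green ;;
    firewall*) echo red ;;
    *)         echo cyan ;;
  esac
}

build_ps1() { # build_ps1 HOSTNAME -> PS1 string: [time] user@host dir $
  hc=$(ps1_color "$(ps1_host_color "$1")") || return 1
  # \t = time, \u = user, \h = host, \w = working dir, \$ = # for root else $
  printf '%s' "$(ps1_color yellow)[\\t]$(ps1_color reset) ${hc}\\u@\\h$(ps1_color reset) $(ps1_color blue)\\w$(ps1_color reset) \\$ "
}

# Usage, e.g. from .bashrc: only bash understands the \[ \] and \u \h tokens.
if [ -n "$BASH_VERSION" ]; then
  PS1=$(build_ps1 "$(uname -n)")
fi
```

Drop the three functions and the last `if` into `.bashrc` (or source the file from it) and each box gets its own color for the user@host token without touching the rest of the prompt.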


Reverse-proxying to a Drobo

This is an old post. It may contain broken links and outdated information.

Some time ago, I bought a Drobo FS to use as a home NAS device. My reasons for going with the Drobo instead of either rolling my own with something like FreeNAS or using a faster home NAS box from Synology or QNAP are complex, but they come down to a desire for an extremely simple-to-use NAS that I can throw hard disks into without worrying about doing anything at all with the disk layout (for a lot more on why and how, check part one of my two-part Ars Technica Drobo FS review). I gained many things coming to the Drobo FS from Windows Home Server v1, but one of the things I lost was the ability to easily and securely access the files on my NAS via the web.

The Drobo FS (and, indeed, most Drobo models) has the ability to run homebrew applications directly on the box itself, though one barrier to simply porting a bunch of awesome utilities over and running them is that the Drobo FS runs on an ARM processor, and aspiring Drobo app devs need to construct an ARM toolchain & cross-compiling environment in order to produce programs which will run. Drobo provides a small number of ported essential apps on their site, but the apps aren’t well-maintained or officially supported. There are a couple of web servers, an FTP daemon, an NFS daemon, an SSH daemon, and a few other things—enough to get you excited about the possibility of doing something really neat, but not enough to really do more than play around.

Enter DroboPorts, a site maintained by ambitious and skilled Drobo owner Ricardo Padilha, which offers an awesome variety of ported applications and libraries for the Drobo FS, including current versions of bash, OpenSSH, Python, PHP, lighttpd, Ruby, MySQL, and many others (along with instructions on building the aforementioned cross-compiling environment). The Drobo family of boxes will never be renowned for being speed demons or for having scads of free RAM or CPU to throw around on extra processes & applications like these, but there’s certainly enough capacity on board to let you run a web application or two, and this got me excited.


Setting up Octopress

This is an old post. It may contain broken links and outdated information.

I’m no superhacker, and the reason I at first passed up Octopress (which this blog uses) in favor of things like Wordpress and Drupal and Joomla is because of the wealth of documentation available for those platforms—and, more to the point, the ease of googling for the inevitable error messages. I tend to measure GNU/Linux activities not by the amount of time they take to conclude, but rather by their NTO rating—that’s “Number of Tabs Opened”. Every time I read about a configuration gotcha or pitfall that I need to remember, I’ll pop open a new tab and leave the important info up in its original tab; when I hit a roadblock or something doesn’t work right, it’s another Firefox tab and another trip to Google. Most of my Linux projects have extremely high NTO ratings, and getting Wordpress and MySQL/MariaDB going was no exception (and it didn’t help that I made an abortive attempt to use PostgreSQL as my back-end database, just for the hell of it).

Installing Octopress, on the other hand, is a relatively simple activity because the preinstall tasks aren’t that complex. There’s no database to configure and no PHP or Perl to screw with; in fact, you don’t even need a web server, as Octopress comes with the built-in ability to publish itself to GitHub. You simply need Git, in order to pull down the software, and a working Ruby installation, to do the page generating and compiling and publishing.

Here at Bigdinosaur.org, we’re currently running Ubuntu Server 11.10, with Nginx and php-fpm for serving static and dynamic web content. I didn’t have Git or Ruby installed, so I had to install these. There also ended up being two additional prerequisite packages I didn’t have, and not having them prior to installing Ruby caused significant problems with making Octopress work. To save any readers the same frustration I went through, I’ll list them along with everything else below.
