This article is a summary of commands to configure the Apache Webserver to extend SSL coded content. Mainly intended as a private mnemonic it's maybe useful for others, too.

Create a RSA private key

(Triple-DES encrypted and PEM formatted):

openssl genrsa -des3 -out ca.key 1024 Decrypted version (officially not recommended) of this private key (lets apache start without asking for a password) via: openssl rsa -in ca.key -out ca.key.unsecure

Generating a self-signed Certificate

Create a Certificate (X509 structure) with the RSA key you've just made:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Informations you are going to be asked for:

• Password to decrypt your key (Enter pass phrase for ca.key:)
  
• Two letter code for geographic informations (Country Name (2 letter code): [AU]
  
• Organization Name (eg, company) [Internet Widgits Pty Ltd]:)
  
• The CN has to be set to the full qualified domain name (F.Q.D.N) your server is known by. (Common Name (eg, hostname) []:)
• Your email address to be incorporated into your certification request. (Email Address []:)

Apache's virtual host configuration

Global settings

• NameVirtualHost *:443 (see Apache docs)

• Listen 10.10.10.10:443 (From which addresses requests are answered, there can be more than one; optional filter)

For each virtual host

<VirtualHost *:443>

ServerName the_server's_name

DocumentRoot "/var/www/foo/htdocs"

<Directory /var/www/foo>
(...)
</Directory>

# Enable/Disable SSL for this virtual host.
SSLEngine on

## SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#Gentoo Wiki http://en.gentoo-wiki.com/wiki/Apache2/SSL_Certificates#Configuring_Apache
SSLOptions StrictRequire
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/apache2/ca.crt
SSLCertificateKeyFile /etc/ssl/apache2/ca.key.unsecure
<FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/localhost/cgi-bin">
   SSLOptions +StdEnvVars
</Directory>
<IfModule log_config_module>
   CustomLog /var/log/apache2/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>

---

Links

• How to Create Self-Signed SSL Certificates with OpenSSL
• Another method to start SSL enabled apache.
• Gentoo Wiki
  

I have a server based backup solution, that run quite well. Because I was curious to see the apple desktop solution, I looked around and saw many people talking about deficiencies especially in network functionality. That's why I wanted to draw my own conclusions about the situation with OSX 10.7.2 Lion. Result: It works like a charm in combination with opensource AFP-server "netatalk". But beforehand I made the attempt to get it done with NFS.

NFS

In the first place I've choosen NFS because of its well known transfer rate. Although "Time Machine" recognizes the NFS volume in the first place it quits the backup process afterwards due to incompatibilities:

"afpfs fsctl failed to read settings: 25 Inappropriate ioctl for device"

And yes, I did the sparse bundle trick mentioned later in this text, but "Time Machine" didn't recognize it due to filesystem restrictions I think.

AFP

Linux Configuration

On my linux box I've installed netatalk 2.2 and looked through the manuals and configuration files available:

Edit /etc/netatalk/afpd.conf and add or replace the last line in file:

- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2_passwd.so -nosavepassword

At the end of /etc/netatalk/AppleVolumes.default you have to fill out the path to your backup space and adjust some options:

/path/to/your/backupspace   name   allow:username cnidscheme:dbd options:tm

"name" is the name of the backup volume how you see it on your mac.

"username" means the user with which the mac will identify on the server. Therefor the user also have to exist on the server with the same password.

The AFP server needs "avahi" for the zeroconf protocol. For zeroconf to work properly we need to change:

/etc/sysctl.conf

# Turn off source route verification 

net.ipv4.conf.default.rp_filter = 0

# Disable source validation by reversed path (RFC1812)

net.ipv4.conf.all.rp_filter = 0

Both variables turn off source IP address verification. That's not nice because these settings are recommended for a security hardened system. My reaction was: Oh Apple, what have you done. You are drilling a hole in my system? Disabling source route verification is not state of the art but supposed to be necessary for zeroconf.

The server's network adapter has to be in promiscuous mode.

>> ifconfig eth0 promisc

Mac configuration

The good news first: You do not need to hack your system anymore when you are connecting to netatalk-2.2.

Just in case you need to undo the DHCAST128-hack you have to add "DHCAST128" to the list of disabled authentication methods again. You have the choice to delete the file "/Library/Preferences/com.apple.AppleShareClient" or to launch the following command:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array-add “DHCAST128″

Time Machine needs some tweaking:

On the terminal just type

$ defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

After done so you have to login again or reboot your machine.

Limit the size of backup

In my scenario I want to use an external harddrive connected to my linux server. Because the disk shall be used for other data too it is a good idea to limit the size of Time Machine's backup. This is done by creating a sparse bundle image with OSX's disk utility and copy it over to the external harddrive. Sparse bundle is an image which expands as it is filled with data. For that we need to know the name of the client and the MAC address:

Open a terminal and type

>> hostname -s 

to get the short hostname and even if your client is connected via Wifi, like mine, you need the MAC address from the ethernet interface:

>> ifconfig en0 | grep ether

Concatenate these two informations with an underscore, such as "name_XXXXXXXXXXXX" and you'll get the sparse bundle's filename.

Now we have all informations to create the sparse bundle which will keep the backup later on:

>> hdiutil create -size 250g -fs HFS+J -type SPARSEBUNDLE -volname "Backup of foo" fooname_XXXXXXXXXXXX.sparsebundle

where "size" means maximal size of image (mine is 250 gigabyte),

"fs" stands for filesystem,

"volname" is just a name.

For more informations read the manual:

>>man hdiutil

Next task is to copy the newly created sparse bundle to your backup disk.

Start system settings of Time Machine, point it to your afp share on the server

and your initial backup should be on the way.

The existing sparse bundle with its long name is going to be renamed to "hostname.sparsebundle".

----

References:

Gentoo Wiki

Working with ReadyNAS

Time Machine Backups unter Ubuntu

Limit Time Machine's Backup Size

"Time Machine" icon from Author: joshladella005, HomePage: http://joshladella005.deviantart.com

Not long ago my backup situation looked like this: Important data had been mirrored across my local net, actual project`s data had been manually rolled out on DVD. Mirroring worked fine with Unison. Outcome was a historically grown chaos.

When thinking about the design of the backup process and singling out eligible software it became obvious that i didn`t want a homebrew scripting solution. I wanted a clear system to backup a network with different operating systems (MacOS X, Windows, Linux). My search led me to BackupPC.

• Appealing GUI for data restore,
• trouble-free handling of umlauts and blanks in path and file names,
• users have access their own backups,
• handling of mobile devices,
• in-depth documentation,
• Pooling, i.d. identical data is stored only once.

These notes don`t want to be more than a mnemonic rhyme. Maybe you'll find some helpful details don't forget to read the manual. The links at the bottom of this page may lead you through that topic. Pathnames in this article are related to Gentoo Linux, you should find them on other linux flavours, too.

BackupPC basically a webserver is not needed, the webfrontend is the recommended way to administer the server. (screenshots). For that you need a running webserver. (e.g. Apache)

Apache

BackupPC is written in perl. The recommended configuration uses the module mod_perl.

Activate it /etc/conf.d/apache2:

APACHE2_OPTS="-D PERL"

http://localhost/perl-status shows you if and how mod_perl had been installed.

In my scenario apache also serves multiple local domains and is set up for name-based virtual hosts (vhosts). The backup server is accessible via localhost as default vhost.

create /etc/apache2/vhosts.d/backuppc.include with

<Directory /var/www/localhost/cgi-bin>
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI +Indexes
        AllowOverride AuthConfig 
        Order deny,allow
        Deny from all
        Allow from 192.168.foo 127.0.0.1
        AuthName "backuppc"
        AuthType Basic
        AuthUserFile /usr/local/etc/apache2/.htpasswd
        Require valid-user
</Directory>

/etc/apache2/vhosts.d/00_default_vhost.conf: After the entry

default_vhost.include

the new file has to be included:

Include /etc/apache2/vhosts.d/backuppc.include

Set up users for the web frontend:

htpasswd  /usr/local/etc/apache2/.htpasswd backuppc
htpasswd  /usr/local/etc/apache2/.htpasswd userA
htpasswd  /usr/local/etc/apache2/.htpasswd userB

For use with BackupPC Apache needs to run with backuppc's rights.
httpd.conf:

User backuppc
Group backuppc

/etc/BackupPC/hosts:

localhost   0       backuppc userA
computerB    0       userA
computerC    0       userB

Apache runs as backuppc so trouble may be caused with existing local websites because of missing permissions. For that you can add backuppc to the apache group

usermod -aG apache backuppc

and adjust group permissions of affected paths. Another maybe cleaner approach is to set up another web server (e.g. lighttp), start two instances of apache, second one in a virtual machine or host a server on a separate pc.

BackupPC

For the backup process to run as root with full file permissions, extent backuppc's permissions by visudo. In the example backuppc is granted permission to execute rsync to backup and to mount and unmount partitions like e.g. /boot.

backuppc    ALL=(ALL)       NOPASSWD: /usr/bin/rsync *,/bin/mount *,/bin/umount *

How to backup

Every pc gets his own configuration file:
/etc/BackupPC/pc/hostname.pl

Adjusting the backup command for localhost:

$Conf{RsyncClientCmd} = '/usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '/usr/bin/sudo $rsyncPath $argList+';

Enabling the root access via sudo should also be done on remote Linux or MacOSX clients.

Mounting of paths that usually are unmounted. If databases should be backed up, here's the place for any commands to dump your database data to a directory backed up by BackupPC.

$Conf{DumpPreUserCmd} = '/usr/bin/sudo mount /boot';
$Conf{DumpPostUserCmd} = '/usr/bin/sudo umount /boot';
$Conf{RestorePreUserCmd} = '/usr/bin/sudo mount /boot';
$Conf{RestorePostUserCmd} = '/usr/bin/sudo umount /boot';

What to backup

$Conf{RsyncShareName}, $Conf{BackupFilesExclude}

defines which paths to backup with exemptions,

$Conf{BlackoutPeriods}

times of the day when no backup should run.

SSH tunnel

The choosen rsync method works flawlessly over a ssl tunnel. i.d. BackupPC does roughly the same as a normal user who logs into a remote client using ssh user@hostname. For the automatic way it's indispensable that user backuppc is able to log in without typing any password. Procedure: For each user in the backup network you'll have to create a key-pair without entering any password:

ssh-keygen -t rsa

The public key id_rsa.pub from user backuppc needs to be copied into ~/.ssh/authorized_keys from userA.

cat backuppc_id_rsa.pub >> ~/.ssh/authorized_keys

In this example of ~/.ssh/authorized_keys an IP filter is set for more security.

from="192.168.foo.foo" ssh-rsa c2EAAAABIwAAA(...)Qb69lo== backuppc@server-hostname

on the server userA's public key has to be added

cat userA_id_rsa.pub >> ~/.ssh/known_hosts

To make the hosts known it's easier to connect via command line - see the testcommand below. To validate the computer's fingerprint to which we want to connect:

ssh-keygen -l

at the prompt:

/etc/ssh/ssh_host_rsa_key.pub

Example known_hosts

computerA,192.168.foo.foo ssh-rsa IwAAAQEAq2PwH9(...)qDmlogB==

The home directory of backuppc must exist.
Testing the connection: Logged in as user backuppc

ssh userA@computerB

you open the tunnel. Is that working BackupPC is told to do it the same way.

$Conf{RsyncClientCmd} = '$sshPath -q -x -l userA $host /usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l userA $host /usr/bin/sudo $rsyncPath $argList+';

WOL (wake on lan)

PCs which go into sleep mode after a while are woken up by

Conf{PingCmd} = '/etc/BackupPC/pc/wakeup.sh 00:16:cb:a3:39:64 1 $host';

where /etc/BackupPC/pc/wakeup.sh looks like:

#!/bin/bash
# Any output on stdout confuses BackupPC
wakeonlan $1 &>/dev/null
# time in minutes to wake up comfortable
sleep ${2}m
# is the host accessible?
/bin/ping -c 1 -w 3 $3

Mac OSX boxes: system preferences - energy saver - "Wake for Ethernet network administrator access" activate this. Mac Laptops with Snow Leopard (>2009) can be woken up, if the power supply is connected and the lid stays open.
On Windows you'll find these settings in the network card's property dialog. Where you'll find these settings depends on your hardware.
Example for a SiS 900-based PCI-Fast Ethernet-Adapter: Device manager -> network adapter -> power management -> activate "activate the computer from the stand-by mode" AND "only administration stations can activate stand-by computers".

Links:

• BackupPC's own documentation
• In-depth tutorial
• Search facility for the mailing list backuppc-users' archive
• Access Your Computer Anytime and Save Energy with Wake-on-LAN

Why not Facebook?

I do not have the heart to become a member of Facebook. And I really do not know why so many go to Facebook. Ok, I am told and understood that Facebook gathers many services under one roof. So email and chat is no longer required to stay in contact. Your homepage let alone your personal blog (like this one) can be deleted right away. Or - what a pleasure - write everything twice;-)

That's why I'm not a member of facebook yet.

As @nicbeu you will find me at twitter. One more opportunity to link to my blog. It's even exiting to twitter from my mobile. Yep, i do have a mobile data flatrate now! Likely the last one on this planet. Hopefully some relevant facts come to my mind to share with you.

follow @nicbeu

As part of the exhibition "Wilhelm Beuermann - Bilder aus fünf Jahrzehnten" (pictures from five decades) in the municipal gallery Kubus in Hannover, Germany last year a catalogue of his work has been published. Now it`s available for download.

Beside oil paintings from my father`s estate it also contains the most extensive collection of poems so far and excerpts of the artist`s diary.

Download (135MB)

The book can be ordered directly from me.
Hardcover, EUR 25,- incl. VAT plus shipping.
Please use the contact form.

A selection of paintings from Wilhelm Beuermann's estate had been shown during the exhibition "Paintings from 5 decades".

The pictures i took are now available in an online gallery.

The exhibition was held in fall 2009 at the municipal gallery of Hannover Kubus. Made possible with friendly assistance of the culture department of Hannover.

A richly illustrated catalog of the exhibition has been published.

A collage for the summer break.

Made with Casio FZ-10M, Yamaha DX7, Oberheim Matrix 6, Atari Cubase anytime in the 90s.

Have Fun!

MP3 OGG

GPGTools claims to be an easy to handle solution for OpenPGP on Mac OS X. It gathers relevant tools to integrate privat key encryption into your workflow.

GPGTools is a project that bundles OpenPGP apps for OS X. The installer combines the tools

GPG key-chain access to manage your keys,

GPGMail for handling of PGP mails in Apple Mail,

MacGPG2 to install and access the underlying cryptographic apps,

GPGServices for working with plain text files and the copy-paste buffer.

All of these are originally supported by the GPGTools team.

Enigmail the addon for Mozilla Thunderbird

is also included in the GPGTools installer.

Add-on found to use GnuPG with Apple Mail under Snow Leopard!

A few months ago I decided to use MacOS Snow Leopard on my new Macbook Pro not Linux. Unfortunately Apple Mail didn't work together with GNU Privacy Guard. As a temporary work around I'd used a self-compiled commandline version of gnupg as mentioned on the privacy guard website. Encrypted mails I could decrypt to read them in a text editor.

Today I'd investigated this topic again and found this thread mentioning an inofficial add-on that works right out-of-the-box!

Just download http://dl.dropbox.com/u/112247/GPGMail.mailbundle.zip, quit apple mail and copy the downloaded file to /User/Library/Mail/Bundles/.

Happy encrypting!

Continue reading "GPG for Apple Mail on Snow Leopard"