Using mod_spamhaus to block TOR in Apache

November 18th, 2012
Some web spammers use the Tor Project to hide their wrongdoings. Because of this, I want to block Tor exit nodes from submitting forms on my web sites. However, there are many legitimate uses of Tor, so rather than blocking GET requests I primarily want to block POST requests.
  1. Run sudo apt-get install libapache2-mod-spamhaus
  2. Open /etc/apache2/mods-enabled/mod-spamhaus.conf for editing (as root)
  3. Edit the MS_METHODS configuration setting. Make sure that POST is included and GET is not. Example:
    MS_METHODS  POST,PUT,OPTIONS,CONNECT
  4. Edit the MS_Dns configuration setting. This is the TorDNSEL suffix that mod_spamhaus appends to the reversed client address before looking it up. It encodes your own server address and port, because the ip-port list only contains exit nodes whose exit policy allows connections to that address and port. If the IP address of your server is 198.51.100.222, and the port of your web server is 80 as usual, you start with the port number, reverse the octets of the IP address and the setting becomes:
    MS_Dns 80.222.100.51.198.ip-port.exitlist.torproject.org
    So, for IP address A.B.C.D and port E, the value becomes E.D.C.B.A.ip-port.exitlist.torproject.org
  5. You may also want to edit the MS_CustomError setting. In my case it looks like this:
    MS_CustomError "Limited access for certain clients. Please contact abuse at 2good.net to get full access to our services."
  6. Enable the apache module with sudo a2enmod mod-spamhaus
  7. Restart apache with sudo service apache2 restart
You will get log entries like this (the module has prepended the reversed client address, 218.162.59.37, to the MS_Dns value before resolving it):

[Fri Nov 16 04:28:05 2012] [crit] [client 37.59.162.218] mod_spamhaus: address 218.162.59.37.80.222.10.74.109.ip-port.exitlist.torproject.org is blacklisted. Deny connection to forum.taurin.se/index.php, referer: http://forum.taurin.se/index.php?topic=1731.0
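The following Python is an added example, not part of the original post or of mod_spamhaus. It builds the same lookup name the module builds, checks a logged deny line against the MS_Dns value you expect for your server, and performs the lookup. Assumed, not taken from the post: that a listed exit answers with 127.0.0.2 (the usual DNSBL convention), the default resolver, and the fail-open behaviour of is_tor_exit when nothing resolves. Also note that Tor has since moved its DNSEL to a different name and query format, so a live lookup against ip-port.exitlist.torproject.org may return nothing today; treat an empty answer as "unknown", not as proof that the client is clean.

```python
import ipaddress
import re
import socket
from typing import Callable, Optional, Tuple

# Zone used by the post. Tor has since changed its DNSEL name and query
# format, so a live lookup against this zone may return nothing today.
TORDNSEL_ZONE = "ip-port.exitlist.torproject.org"
# Assumption: a listed exit answers with the conventional DNSBL value.
TORDNSEL_LISTED = "127.0.0.2"

# Log line quoted in the post (client 37.59.162.218, server 109.74.10.222:80).
SAMPLE_LOG = ("[Fri Nov 16 04:28:05 2012] [crit] [client 37.59.162.218] mod_spamhaus: "
              "address 218.162.59.37.80.222.10.74.109.ip-port.exitlist.torproject.org "
              "is blacklisted. Deny connection to forum.taurin.se/index.php, "
              "referer: http://forum.taurin.se/index.php?topic=1731.0")

LOG_RE = re.compile(r"\[client (?P<client>\d+(?:\.\d+){3})\] mod_spamhaus: "
                    r"address (?P<name>\S+) is blacklisted")


def reversed_octets(ip: str) -> str:
    """'198.51.100.222' -> '222.100.51.198'; rejects anything that is not IPv4."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk or IPv6
    return ".".join(reversed(str(addr).split(".")))


def ms_dns_value(server_ip: str, server_port: int) -> str:
    """The MS_Dns value for your own server: port, reversed server address, zone."""
    if not 0 < server_port < 65536:
        raise ValueError(f"bad port {server_port}")
    return f"{server_port}.{reversed_octets(server_ip)}.{TORDNSEL_ZONE}"


def tordnsel_query_name(client_ip: str, server_ip: str, server_port: int) -> str:
    """Full name mod_spamhaus resolves: reversed client address + MS_Dns."""
    return f"{reversed_octets(client_ip)}.{ms_dns_value(server_ip, server_port)}"


def parse_spamhaus_log(line: str) -> Optional[Tuple[str, str]]:
    """Extract (client address, looked-up name) from a mod_spamhaus deny line."""
    m = LOG_RE.search(line)
    return (m.group("client"), m.group("name")) if m else None


def log_entry_matches_config(line: str, server_ip: str, server_port: int) -> bool:
    """Sanity check: does the logged name equal what MS_Dns should produce for
    this server? A mismatch means MS_Dns points at the wrong address or port."""
    parsed = parse_spamhaus_log(line)
    if parsed is None:
        return False
    client, name = parsed
    return name == tordnsel_query_name(client, server_ip, server_port)


def _resolve(name: str) -> Optional[str]:
    """Default resolver: first A record, or None when nothing resolves."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_tor_exit(client_ip: str, server_ip: str, server_port: int,
                resolve: Callable[[str], Optional[str]] = _resolve) -> bool:
    """True if TorDNSEL lists client_ip as an exit that can reach server_ip:port.
    No answer means 'not listed'; a dead zone looks exactly the same, so like
    any DNSBL check this fails open."""
    answer = resolve(tordnsel_query_name(client_ip, server_ip, server_port))
    return answer == TORDNSEL_LISTED


if __name__ == "__main__":
    print("MS_Dns", ms_dns_value("198.51.100.222", 80))
    print(parse_spamhaus_log(SAMPLE_LOG))
    print("config matches log:", log_entry_matches_config(SAMPLE_LOG, "109.74.10.222", 80))
```

Run it against your own access log and server address to confirm that the name mod_spamhaus logs is the one you intended; if MS_Dns is built from the wrong address or port, every lookup quietly returns nothing and the block never fires.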

Customizing Zend\View\Helper\Navigation\Menu in ZF2

November 9th, 2012

I have created gist: 4045344 with example code for replacing the navigation menu helper in Zend Framework 2.

Unable to use Mosh to connect to one of my servers

August 10th, 2012

I've only used Mosh: the mobile shell for a couple of weeks, but I am definitely a convert! However, I couldn't get mosh to connect to one of my servers (an OpenVZ instance).

The error manifested itself as the client trying to connect to the server but not getting any response:

mosh: Connecting... [To quit: Ctrl-^ .]

Today I decided to debug the issue. As the client actually was trying to connect, I tried to simply start the server:

$ mosh-server new

MOSH CONNECT 60001 rSbp4ENDdzd/TKBOrrEeVg

mosh-server (mosh 1.2.2)
Copyright 2012 Keith Winstein
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 32582]

But when I checked the process list, it wasn’t running anymore:

$ pgrep mosh-server
$

Time to add some verbose output:

$ mosh-server new -v 

MOSH CONNECT 60001 hQ5ab1JjgUytXRZmy5ti6A

mosh-server (mosh 1.2.2)
Copyright 2012 Keith Winstein
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 14208]
forkpty: No such file or directory

This must be important: forkpty: No such file or directory, but what does it mean?

Some googling showed that it means forkpty() could not allocate a pseudo-terminal because the devpts filesystem was not mounted on /dev/pts, and it was indeed not mounted:

$ mount
 /dev/simfs on / type reiserfs (rw,usrquota,grpquota)

(Yes, I’ve also wondered why my host is running ReiserFS.)

So I checked my /etc/fstab:

$ cat /etc/fstab
proc  /proc       proc    defaults    0    0
none  /dev/pts    devpts  rw          0    0

It’s there, but still not mounted? Oh well, easy fix:

sudo mount /dev/pts

After that fix, I could successfully connect to my server with mosh!

Injecting context into controller?

July 8th, 2012

I’m toying with my own PHP micro-framework. I’m trying to make it both simple and easy; explicit but not verbose. (Good luck to me!)

For testability I have abstracted the Superglobals so that I have full control of them in my tests. Currently they are passed as a parameter to the controller action. Would it make sense to have them injected into the controller instead? It might be simpler, but it is less explicit.

Uncaught Syntax error, unrecognized expression: [class^='add:the-comment-list':]

May 28th, 2012

If you get this error in the JavaScript console for your WordPress 3.0.x installation, you need to modify wp-lists.js. Here is the proper patch for the wp-lists.dev.js version:

Incorrect result from WordPress plugin_dir_url

May 15th, 2012

Consider this code in akismet.php from the ubiquitous Akismet plugin for WordPress:

define('AKISMET_PLUGIN_URL', plugin_dir_url( __FILE__ ));

My WordPress installation is at /usr/share/wordpress, but the Akismet plugin is installed to /var/lib/wordpress/plugins/akismet/ and there is a symlink (symbolic link) in between. This means that __FILE__ is the resolved path /var/lib/wordpress/plugins/akismet/akismet.php, which no longer starts with the plugin directory WordPress expects, so the prefix is not stripped and plugin_dir_url will incorrectly return:

/wp-content/plugins/var/lib/wordpress/plugins/akismet/

This is not a proper URL for my WordPress installation!

I’m still on WordPress 3.0.something, but it seems like this issue is still a problem in newer versions. There are a number of bug reports for this and similar issues:

I used the WP_fix_for_plugin_basename_to_allow_symlinks_2011-07-28* pair of patches attached to bug report 16953 to solve the issue on my server. It will patch the plugin_basename implementation, which seems to contain the root cause of this issue.

The Inner-platform API anti-pattern

March 9th, 2012

I learned the term Inner-platform effect the other day and it perfectly describes an API that I have worked with.

First of all, what is the Inner-platform effect? It basically means that, in an attempt to make an application as flexible as possible, it is implemented so that it creates a new platform that abstracts the original platform. I immediately thought of the API described below.

Let’s see if you can spot the Inner-platform effect in this URL, heavily anonymized but if you have been exposed to it you will probably recognize it immediately.

http://server/execute/clientSystemConnector
?service=createUser&key=id&value=97580
&key=name&value=David%20Eriksson&key=city&value=Ronneby

There are actually three examples of the Inner-platform effect in the above URL. The first example is the "service" parameter. Instead of having separate URLs for separate services, the service name is a parameter. This means that the server platform first figures out what to do about the /execute/clientSystemConnector path component of the URL, then the inner platform needs to figure out how to handle the different possible values of the service parameter. (Anyone thinking about a giant "switch" statement?) To avoid the Inner-platform effect, each service should have its own path in the URL.

The second example is blatantly obvious: having key and value parameters that specify the names and values of the actual parameters. The impact of this "feature" is that the platform provides a list of keys and a list of values to the inner platform, which must pair them up by position to extract the actual parameters for use in the application. Without the Inner-platform effect the application could have received the parameters directly from the original platform.

It is probably not so easy to spot the third example, but it concerns authentication. Authentication (if it could be called that) for the services in this API is based on using different paths for different clients. So the above URL is used by the "clientSystem". If "anotherClientSystem" needs to execute the same service, the URL would be:

http://server/execute/anotherClientSystemConnector
?service=createUser&key=id&value=97580&...

So instead of using the built-in authentication mechanism (HTTP Basic Auth) in the platform, the inner platform goes its own way. Anyone who learns the path can act as that client, and paths end up in proxy logs, browser history and Referer headers.

How would I build an API to avoid the inner platform? Besides addressing the above issues I would also make it a POST (or PUT) request, as it handles the creation of a resource, and send it over TLS, since Basic credentials are only base64-encoded.

POST http://server/user/create HTTP/1.1
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Type: application/x-www-form-urlencoded

id=97580&name=David%20Eriksson&city=Ronneby

Goodbye, Inner Platform!
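To make the contrast concrete, here is added example code (mine, not the API's) that reconstructs what the inner platform has to do with the first URL, and what the server of the direct POST version gets for free. The "Connector" suffix convention, the service and key/value parameters, and the Basic credentials are taken from the URLs and header shown above; BROKEN_URL is constructed, and checking the decoded password against a user store is left out.

```python
import base64
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

# The two requests shown above.
INNER_URL = ("http://server/execute/clientSystemConnector"
             "?service=createUser&key=id&value=97580"
             "&key=name&value=David%20Eriksson&key=city&value=Ronneby")
DIRECT_HEADERS = {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
                  "Content-Type": "application/x-www-form-urlencoded"}
DIRECT_BODY = "id=97580&name=David%20Eriksson&city=Ronneby"
# Constructed: a client that dropped one value. Without the count check below,
# every later value would be paired with the wrong key.
BROKEN_URL = ("http://server/execute/clientSystemConnector"
              "?service=createUser&key=id&key=name&value=David%20Eriksson"
              "&key=city&value=Ronneby")


def parse_inner_platform_request(url: str) -> Dict[str, object]:
    """What the inner platform must do before the application sees anything."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)

    # "Authentication": the caller is whatever the path says it is.
    connector = parts.path.rsplit("/", 1)[-1]
    client = connector[:-len("Connector")] if connector.endswith("Connector") else connector

    services = [v for k, v in pairs if k == "service"]
    if len(services) != 1:
        raise ValueError(f"expected one service parameter, got {len(services)}")

    # Re-pair the parallel key/value lists; only their order ties them together.
    keys = [v for k, v in pairs if k == "key"]
    values = [v for k, v in pairs if k == "value"]
    if len(keys) != len(values):
        raise ValueError(f"{len(keys)} keys but {len(values)} values")
    params: Dict[str, str] = {}
    for k, v in zip(keys, values):
        if k in params:
            raise ValueError(f"duplicate key {k!r}")
        params[k] = v
    return {"client": client, "service": services[0], "params": params}


def inner_platform_error(url: str) -> Optional[str]:
    """Return the rejection reason for a malformed inner-platform URL, or None."""
    try:
        parse_inner_platform_request(url)
    except ValueError as e:
        return str(e)
    return None


def parse_direct_request(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """The same information from the POST version, using what HTTP already provides.
    Verifying the credentials against a user store is out of scope here."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        raise PermissionError("missing or unsupported Authorization scheme")
    # Basic is only base64, which is why the request has to travel over TLS.
    user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        raise ValueError("unexpected Content-Type")
    params = dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    return {"user": user, "password": password, "params": params}


if __name__ == "__main__":
    print(parse_inner_platform_request(INNER_URL))
    print("broken URL:", inner_platform_error(BROKEN_URL))
    print(parse_direct_request(DIRECT_HEADERS, DIRECT_BODY))
```

Everything in parse_inner_platform_request is work the web server and its form parser would otherwise have done, and the client identity it derives from the path is a string anyone can type; the direct version gets a parsed body and a caller name from standard HTTP machinery instead.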

PS. The API is probably 8-10 years old by now, and maybe it was a good idea at the time.

PPS. See the Inner-platform effect article on wikipedia for more examples.

No application without a library, no web site without an API?

February 21st, 2012

When I wrote the first versions of Dynamite and Unshield (eight and nine years ago!) I decided from the start that each project had to be implemented in two parts: a library (hopefully reusable) and a command line tool using the library. I believe I learned this from cURL and libcurl, and I still consider it a best practice. For the purposes of this article, let’s call it the tool-library pattern.

I don’t do much C/C++ coding these days, even though I have been ogling Spindly – the C89 implementation of SPDY forked from libspdy by cURL author Daniel Stenberg.

For my current clients at work, I do Java coding or webMethods Integration Server development.

When I can spare some time and energy for coding at home, it's mostly web development in PHP, which brings me back to the tool-library pattern: unfortunately I have not yet started using a similar practice for my web development.

So what is the web site equivalent of the tool-library pattern? For a web site I mean that the "library" is a web service API that is consumed by the actual web site. This is called First-Class APIs by Helgi Þormar Þorbjörnsson.

The API does not have to be public, but if it is, any other consumers of the API (for example a Smartphone app) will share the same API (or parts of it).

I’m currently rewriting my Swedish site for colloquial words and expressions from a hack (!) to a proper layered architecture. The next step will be to add new features and I hope to move these into an API.

Setup a new headless Ubuntu VM in VirtualBox on FreeBSD

February 10th, 2012
  1. Download from http://virtualboxes.org/images/ubuntu-server/
  2. VBoxManage register "/storage2/virtualboxes/Ubuntu server 11.10/Ubuntu server 11.10.vbox"
  3. VBoxManage list vms
    "Ubuntu server 11.10" {231c28f0-19bb-48d7-9db4-ba29de37e5fd}
  4. VBoxManage modifyvm "Ubuntu server 11.10" --usbehci off
  5. VBoxManage modifyvm "Ubuntu server 11.10" --pae on
  6. VBoxManage modifyvm "Ubuntu server 11.10" --nic1 bridged --bridgeadapter1 em0
  7. VBoxManage sharedfolder add "Ubuntu server 11.10" --name backup --hostpath /backup
  8. nohup VBoxHeadless --startvm "Ubuntu server 11.10" -n 2>&1 &
  9. Connect from desktop via VNC to configure and install guest additions (sudo apt-get install virtualbox-guest-dkms)

Moving a DokuWiki site to a new server

February 7th, 2012

I have customized my DokuWiki installation to allow multiple wikis, similar to running multiple WordPress blogs on different domains. My /etc/dokuwiki/local.php looks like this:

This means that I have multiple DokuWiki sites in my /var/lib/dokuwiki/ directory. To copy only one of them:

  1. Copy the /etc/dokuwiki/hostname directory and symbolic links
  2. Copy the /var/lib/dokuwiki/hostname directory and symbolic links
  3. Copy the template(s) from /var/lib/dokuwiki/tpl/templatename or /var/lib/dokuwiki/lib/tpl/templatename