asyd's blog

varnish: Send a client always on the same backend

asyd — Tue, 09 Mar 2010 17:43:23 +0000

I’m now very close to migrate from akamai to varnish at work. However, since we doesn’t have session replications on the application server, I was required to send a client always on the same backend, even if the user is not authentified. In a first try, we thought about use a cookie, valued by the name of the server, and write some VCL to define the backend based on the cookie value.

However, thanks to the varnish developper (through the channel) phk pointed me they actually working on a director method to implements this behavior. While this feature is not yet available on a release, it’s present in the trunk (I’m using r4602).

Here the source code:
if (vs->criteria == c_client) { /* * Hash the client IP# ascii representation, rather than * rely on the raw IP# being a good hash distributor, since * experience shows this not to be the case. * We do not hash the port number, to make everybody behind * a given NAT gateway fetch from the same backend. */ SHA256_Init(&ctx); AN(sp->addr); SHA256_Update(&ctx, sp->addr, strlen(sp->addr)); SHA256_Final(sign, &ctx); hp = sign; }


Here how to define your director:

director rtl client {

        { .backend = www1rtl; .weight = 1; }

        { .backend = www2rtl; .weight = 1; }

}



OpenSSO strict cookie value
asyd — Mon, 22 Feb 2010 22:36:43 +0000
At my work, we’re currently working on a new J2EE platform to host our webapp applications, based on Tomcat 6 (6.0.24 to be precise). After deployed few fully public webapps without any issue, we start to deploy some other webapps with an authenticated part. The authentication is based on OpenSSO, using REST APIs. The cookie is created to OpenSSO, then set (client side) by one of our own webapplication. This cookie is validate using isValidToken REST API on every application the user goes. However, we’re not able to get authentication working on the preproduction environment, while it working perfectly on the dev environment. After some investigations with the developpers, we notice the OpenSSO’s cookie value was truncated.
After reading this post on the tomcat’s user mailing list, we start to configure tomcat. Few hours after, I was thinking about change the tomcat configuration is only a workaround, without fixing the original problem. Thanks to the OpenSSO’s IRC channel, someone (Allan Foster) pointed me to com.iplanet.am.cookie.c66Encode configuration variable. You can enable it in the console, Configuration, servers and sites, click on default paramaters, and then advanced tab. Set the value to true, and voila! Everything is now working good!



Using it’s all text on Mac OS X
asyd — Tue, 15 Sep 2009 12:13:11 +0000
Introduction
As a system administrator, I dislike to edit text in Firefox (or any other webbrowser), for example to write a new post on this blog, or edit some contents in drupal. This morning, I was looking for a Firefox extension allowing to use an external editor (in my case vim, for sure) to edit contents of textarea. This extension is pretty simple, you only need to configure which command to run to edit the file.
However there is a big trouble with Mac OS X, indeed, I was not able to find a command line to open a new terminal tab and lauching vim with the file to edit. Indeed, something like:


% open -a iTerm /usr/bin/vim


is working fine, however, it’s not possible to do something like:


% open -a iTerm /usr/bin/vim -- /tmp/file_to_edit


That’s very inconvenient, isn’t it! So, the only way I found to achieve that is to write an AppleScript to open a new iTerm, using vim profile (which runs vim as startup), and then open the file by sending text to vim from the AppleScript. But, once gain, I run out of luck. Indeed, the filename computed by it’s all text contains spaces, and vim expect escaped spaces. So, I look for a way to replace string in AppleScript, but… guess what? it’s seem very difficult (because I need to create another file..). So the only simple solution I found is to create a shell script that create a symbolic link in /tmp to the file to edit.. Here we go!
Configuration
iTerm

Open your bookmarks manager, and create a new bookmark like

that:

Open a terminal, create the directory ~/bin, create the file

editfile with the following contents (replace bbonfils

with your login name):

#!/bin/zsh
 
extension=${1:e}
link="/tmp/firefox."$$".${extension}"
 
ln -s "$1" $link
 
/Users/bbonfils/bin/editfile.scpt $link

Create a new file named editfile.scpt with the following contents:
#!/usr/bin/osascript

on run argv
        tell application "iTerm"
                activate
                make new terminal
                tell the last terminal
                        launch session "vim"
                        tell the last session
                                write text "^[[:e " & item 1 of argv
                        end tell
                end tell
        end tell
end run

Ensure both are executable chmod +x, and then configure it’s all text

to use the first script to open file (/User/bbonfils/bin/editfile), and

now it should work!
The last word
Note I can’t remove the link in the script, since all of them are executed in background,

if you add a rm in the think, the link will be removed few seconds after you start vim,

so your textarea contents won’t be updated.
And yes, I know, it’s ugly, if you have a better way to achieve that, please post it in comments!



Networking, QoS and OpenSolaris
asyd — Sat, 12 Sep 2009 15:37:24 +0000
OpenSolaris 200906 comes with some very interesting features about networking management. One is flowadm, allowing to manage network streams in a very simple and elegant way. For example, the next commands allow me to restrict the bandwith for my HTTP server.



flowadm add-flow -l bge0 -a transport=tcp,local_port=80 httpflow

flowadm set-flowprop -p maxbw=8 httpflow




wget -O /dev/null http://eva0/empty

2009-09-12 17:32:07 (971 KB/s) - « /dev/null »



As you can see it’s very simple! The following properties can be applied to a stream:

maxbw: Sets  the  full  duplex  bandwidth  for  the  flow.
priority: Sets the relative priority for the flow.
cpus: Allocate packets of the flow to a processor set, for systems that have multiple

processor sets. (this property is not yet available, maybe in 200911?)

References:
Configuring Virtual Networks
Configuring Resource Management on Data Links



pound, a little example that redirect / to /opensso for a given virtual host
asyd — Sun, 09 Aug 2009 15:33:45 +0000
It’s the first time I’m using pound (a http reverse proxy), and I was a little disappointed about its configuration. My use case is very simple, for a given virtual host (idp.asyd.net in my case) I want to redirect from / to /opensso. Since pound seems not very well documented, here my configuration to achieve that:
ListenHTTP
   Address  0.0.0.0
   Port  80
   Service
      HeadRequire "Host: idp.asyd.net"
      URL "^/$"
      Redirect "http://idp.asyd.net/opensso"
   End
   Service
      HeadRequire "Host: idp.asyd.net"
      Backend
         Address 127.0.0.1
         Port 8080
      End
   End
End




OpenSSO, OpenID and Yubikey, the perfect personal SSO: cheap, and secure
asyd — Mon, 03 Aug 2009 08:23:51 +0000
As a new owner of an yubikey, I was looking the best way to integrate it with the web application I already use. While there is already an available OpenID provider which support Yubikey authentication, I prefer to manage my own system, using OpenSSO for sure 



First, let me introduce the yubikey. This USB key act as an OTP (One Time Password) device, each time you press the button, the key compute a new password. This pasword must be verify, in the case of Yubikey, this is done by query a Webservices on a yubico (the company) server. Yubikey offers a lot of advantages than others classical OTP devices, including:

The yubikey is see as an USB keyboard (class HID), no driver required!
No battery, more longlife than anothers devices
Very cheap, around 20 euros (ordered by 10, from France), transport and taxes included

So, why choose OpenSSO? For few years know, OpenSSO provides an extension to act as an OpenID provider, and an authentication class is available for the Yubikey. 

References:

Build the OpenSSO extension for OpenID
Build the Yubikey authentication class




LDAP: A quick way to get the number of subentries
asyd — Mon, 20 Jul 2009 08:27:04 +0000
I actually manage a LDAP directory with a lot of entries (almost 1,5 millions entries in the same OU). In order to check the replication state, I was looking for a way to count the number of entries in this OU. Thanks to Ludovic Poitou (once again), this information is available via an hidden attribute in the OU.


% ldapsearch -Wxh ldap1 -D "cn=Directory Manager" -b 'ou=people,ou=ssousers,dc=asyd,dc=net' -s base '(objectClass=*)' 'numsubordinates'

[..]

dn: ou=people,ou=ssousers,dc=asyd,dc=net

numsubordinates: 1386931


Depends on the directory server, it’s also possible to get the number of entries for a given backend (the following code was tested for Sun Directory Server 5.2):


% ldapsearch -Wxh ldap1 -D 'cn=Directory Manager' -b 'cn=monitor' -s base '(objectclass=*)' 'backendmonitordn'

[..]

dn: cn=monitor

backendmonitordn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

backendmonitordn: cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config

backendmonitordn: cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config




% ldapsearch -Wxh lynx -D 'cn=Directory Manager' -b 'cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config' -s base '(objectclass=*)' 'ldapentrycount'

[..]

dn: cn=monitor, cn=ssoUsers, cn=ldbm database, cn=plugins, cn=config

ldapentrycount: 1408974





How to convert a PKCS#12 to JKS
asyd — Thu, 02 Jul 2009 13:20:28 +0000
Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
Open your PKCS#12 file, provide the password
Click on Tools/Change KeyStore Type/JKS menu
If you don’t want to use the default password (which is password), click on the menu keystore password
Save it, that’s all folks!


You can know list the contents of your JKS using keytool:


% keytool -list -v -keystore yourkeystore.jks





Quick (and dirty?) howto: Solaris IPMP with VLAN tagging
asyd — Wed, 24 Jun 2009 15:06:20 +0000
Here the following commands I use to create a IPMP (IP Multipathing) groups (master/slave):


#!/bin/sh

# Plumb physical interfaces

ifconfig nge1 plumb

ifconfig nge2 plumb
# Plumb 802.1q interfaces

ifconfig nge544001 plumb

ifconfig nge544002 plumb
# Configure interfaces

ifconfig nge544001 group hosts deprecated -failover up

ifconfig nge544002 group hosts deprecated -failover standby up
# Add logicial interface

ifconfig nge544001 addif 10.16.244.60 netmask 255.255.252.0 up


You can also tweak the multipath daemon by editing /etc/default/mpathd to decrease the value to detect a NIC failure.

Solaris 10 IPMP Documentation reference




Writing a daemon in groovy
asyd — Wed, 10 Jun 2009 08:29:38 +0000
I actually need to write a little daemon based on the JVM (I’ll explain why in a future post). As the groovy fan I am, I was looking for a ready to use receipt, this one is interesting but show only how to write, not to read   After getting some help from Guillaume here a working sample:

import java.net.ServerSocket
import net.asyd.nagios.Hello
 
def listenPort = 4242
 
def server = new ServerSocket(listenPort)
 
while(true) {
    server.accept { socket ->
        println "new connexion"
 
        socket.withStreams { input, output ->
 
            def reader = input.newReader()
 
            def buffer = reader.readLine() 
 
            output << "Hello world " + buffer + "\n"
 
        }
    }
}

As you can see it’s very simple, thanks to groovy, once again. A thread will be create for each client.