Disable user authentication for subdirectory when using RewriteRule on Apache server

August 30th, 2010 Ondrej

If you protect your private beta release from the public with AuthType and you are using RewriteRule from mod_rewrite, you will soon find that the combination of <Location> and Satisfy does not work for you: it does not allow access to the subdirectory as expected.

<VirtualHost *:80>
 ServerName beta.example.com
 DocumentRoot /var/www/example

 <Location />
 AuthType basic
 AuthName "Top Secret Beta!"
 AuthUserFile /etc/httpd/htpasswd.beta
 Require valid-user
 </Location>

 <Location /upload-callback>
 Allow from all
 Satisfy Any
 </Location>

 <Directory /var/www/example>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule !\.(swf|pdf|php|js|ico|txt|gif|jpg|png|css|rar|zip|tar\.gz)$ /index.php [L]
 </Directory>
</VirtualHost>

With this setup, the subdirectory will still require a valid user, because mod_rewrite is applied before <Location> and changes the URL, which then no longer matches. You can change this by adding an alias:

Alias /upload-callback /var/www/example/index.php

Now all URLs will go through your nice URL generator index.php, but the specified URL will be checked against <Location> and access will be granted based on the Allow directive (in this case, to everyone).
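To confirm that the exemption covers only what you intend, probe the vhost without credentials. The script below is an added example, not part of the original post; the path list and the helper names http_status and audit are assumptions based on the configuration above.

```shell
#!/bin/sh
# Added example: check which URLs of the protected vhost answer without credentials.
# Constructed expectations: "auth" = must answer 401, "open" = must not.
CHECKS="/:auth /index.php:auth /some/nice/url:auth /upload-callback:open"

# Print the HTTP status of an unauthenticated GET (000 if the request failed).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# audit BASE_URL: one line per checked path, exit status = number of mismatches.
audit() {
    base=$1
    failures=0
    for pair in $CHECKS; do
        urlpath=${pair%%:*}
        want=${pair##*:}
        got=$(http_status "$base$urlpath") || got=000
        case "$want:$got" in
            auth:401)          verdict=ok ;;
            open:401|open:000) verdict=FAIL ;;
            open:*)            verdict=ok ;;
            *)                 verdict=FAIL ;;
        esac
        [ "$verdict" = ok ] || failures=$((failures + 1))
        echo "$verdict $urlpath expected=$want status=$got"
    done
    return "$failures"
}

# Run only when a base URL is given, e.g.: sh audit.sh http://beta.example.com
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Run it after every change to the vhost: a non-zero exit status means either the callback is still locked or a path that should be protected answers without a password.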


Parameter order matters for cvs update – lesson learned on Bugzilla

August 25th, 2010 Ondrej

It looked like a straightforward job: upgrade my heavily customized Bugzilla from 3.6.1 to the security fix 3.6.2. I knew I just needed to run cvs up to get my files updated to the latest Bugzilla_Stable branch and resolve conflicts. But wait, we want to get new files and prune empty directories, so I typed cvs up -Dp. No warnings, OK, go ahead, run ./checkconfig, go to Bugzilla. Oops, too many changes: version 4.1 is up. OK, downgrade, and next time use cvs up -Pd. If I had typed cvs up -pD, I would have ended up with a warning about a missing date. But cvs up -Dp was understood as -D with the value p, which actually got ignored.

Downgrading took quite a couple of hours. Bugzilla caches the complete database structure in bz_schema, which is not recommended to be touched, but this time the problem was a change of type in the table fielddefs for some columns like classification and component.

Debugging seemed quite a lot like the movie Inception: on each deeper level you spend more time and understand less.
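Why -Dp raised no warning: in getopt-style parsing, whatever follows a value-taking option inside the same word is taken as its value. The sketch below is an added example (not cvs code) that models this with the shell's getopts; the option string is an assumed subset of the cvs update flags, with -D taking a value and -P, -d and -p as plain switches.

```shell
#!/bin/sh
# Added example: how a getopt-style parser reads clustered options.
# Assumed option string: -D takes a value (date); -P, -d, -p are switches.

# parse_update_opts ARGS...: print what the parser understood.
parse_update_opts() {
    OPTIND=1
    summary=""
    while getopts ":D:Pdp" opt "$@"; do
        case "$opt" in
            D)  summary="$summary date=$OPTARG" ;;
            P)  summary="$summary prune" ;;
            d)  summary="$summary build-dirs" ;;
            p)  summary="$summary stdout" ;;
            :)  summary="$summary ERROR:-$OPTARG-needs-a-value" ;;
            \?) summary="$summary ERROR:unknown-$OPTARG" ;;
        esac
    done
    echo "${summary# }"
}

# The three spellings from the post, side by side.
for args in -Dp -pD -Pd; do
    printf '%-4s => %s\n' "$args" "$(parse_update_opts "$args")"
done
```

Only -pD fails loudly; -Dp parses cleanly as a date of "p", and neither the pruning nor the directory switch is set.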


Drupal 5 and strange behavior of jQuery

June 28th, 2010 Ondrej

We have some jQuery code that we use on all our company sites; however, this code did not work on Drupal sites. The jQuery call to position() was returning “static” instead of the expected object with top and left properties. We thought we should use a newer jQuery (instead of 1.2.6), but this threw a “too much recursion” error in Firebug, which we tried to solve with the patch from bug http://drupal.org/node/335741 . However, neither the upgrade nor that patch really helped. The reason why position() did not work was hidden here: /sites/all/modules/jquery_update/compat.js (I was looking at the linked files and this one sounded suspicious).

And indeed, these helpers caused the problem:

// UPGRADE: The following css helpers should now be used as:
// .css("top") or .css("top","30px")
jQuery.each("top,left,position,float,overflow,color,background".split(","), function(i,n){
  jQuery.fn[ n ] = function(h) {
    return h == undefined ?
      ( this.length ? jQuery.css( this[0], n ) : null ) :
      this.css( n, h );
  };
});

We have replaced position with xposition and our jQuery works as expected even with version 1.2.6.


GTD: Toodledo iPhone application

October 27th, 2009 Ondrej

So I switched from Google Tasks to Toodledo to see what all this Get Things Done is about.

Some hints about GTD:

  • Context is just a funny name for tag, that allows GTD to become a business model.
  • Folder is just a funny name for tag, that allows GTD to become a business model.

Now some words about Toodledo web application:

[-] It does not look nice, it is slow to edit.
[-] I have not found any group operations (like renaming a tag, changing a folder).
[+] It can import from simple text file, line by line.

Some words about the Toodledo Firefox Extension

[+] It looks good and is quite fast.
[-] In order to edit a task you need two clicks.
[-] Does not allow Due by, Due on, Due after, Optionally due specification.
[-] The standalone popup form for adding tasks looks as if it were a completely different application.
[-] Due Date does not offer Today as default. You have to select date manually.

And finally the paid iPhone application (native one):

[-] You cannot apply context filter when you are filtering by something else.
[-] You cannot associate a phone call or anything with a contact from your contact list.

And hints about general features:

[-] A task with a set Due Date and Due Time will be shown as overdue only on Day+1.
[-] The default reminder 1 hour before a task is due is a strange limitation of the free version. The paid one allows 15 minutes to 14 days. But I want to be notified exactly at the given time (phone calls, for instance).
[-] Tags are not clickable when you want to add them, you have to type them, so the chance that you mistype is high.
[-] The notes stored with a task have their line breaks stripped.

But so far it is still better than primitive Google Tasks.


ViewVC modified rights of the subversion repository

October 25th, 2009 Ondrej

For various reasons I ended up with some sophisticated permission settings for my Subversion repository; the main idea is to grant access based on group. So I need the files to be created with the proper group and with write permission for the group.

For the command line and svn+ssh access I created the following files (based on some advice which I found 4 years ago and did not note the link to):

/usr/local/bin/svn

#!/bin/sh
umask 002
/usr/bin/svn.orig "$@"

/usr/local/bin/svnserver

#!/bin/sh
umask 002
/usr/bin/svnserve.orig "$@"

As a big surprise, you will find that the web interface modifies files in the Subversion repository: it removes the write permission for the group. I solved this by adding the following line to viewvc.cgi:

--- viewvc.cgi.orig     2009-10-25 09:55:34.738716284 +0100
+++ viewvc.cgi  2009-10-25 09:51:14.914726062 +0100
@@ -58,4 +58,5 @@

 server = sapi.CgiServer()
 cfg = viewvc.load_config(CONF_PATHNAME, server)
+os.umask(0002)
 viewvc.main(server, cfg)
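
Review bot: the added line `os.umask(0002)` uses the old-style octal literal, which only Python 2 parses; `0o002` is accepted from Python 2.6 onward and keeps the file valid if the interpreter changes. The hunk does not show an `import os`, so check that the module is already imported above line 58, otherwise this line raises a NameError. Because the call sits before `viewvc.main(server, cfg)`, the umask applies to everything the CGI process creates, so a short comment saying it is there to keep group write permission on repository files would help the change survive the next ViewVC upgrade.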

Plesk 9 – disable postfix local mail delivery for webhosting

October 25th, 2009 Ondrej

The scenario is: you provide only web hosting for a certain domain and you want emails to go wherever the MX record points. So you turn off mail services in the Plesk control panel, but keep getting mails back with "This address no longer accepts mail." when you send emails via your server.

You can check that there is no local delivery for this domain:

postmap -s /var/spool/postfix/plesk/virtual_domains

But the trick is that you have to set emails to this address to be rejected instead of bounced (which seems to be the default). My guess is that the bounce check comes before the local delivery check.


Migrating 1&1 server from one machine to another without interruption

October 23rd, 2009 Ondrej

Recently I have been migrating my Plesk-based machine leased from 1&1 to a newer server, and I have not found any tips on how to perform the migration properly. So here is my suggestion:

  1. Inform your users that they should not modify any data, and turn any possible application into read-only mode.
  2. Switch off the MTA (qmail or postfix) on the old machine; good SMTP servers will try to deliver repeatedly.
  3. Transfer your data using the Plesk migration tool.
  4. Redirect all common traffic to the new machine (see below).
  5. Remove the messages about read-only usage on the new machine.
  6. Change the DNS settings of your main domain to point to the new machine.
  7. Transfer the domain using the 1&1 Control Panel from one package to another. Do not worry about legal steps, the transfer is fully internal and takes just hours to complete.

Iptables rules to forward traffic from one machine to another

I’m pretty sure this list can be reduced, but it worked well for me and allowed monitoring of the traffic being forwarded per port number.

NEWIP="87.106.22.204"

iptables -I FORWARD 1 -p tcp -m tcp -d $NEWIP -j ACCEPT
iptables -I FORWARD 1 -p tcp -m tcp -s $NEWIP -j ACCEPT
iptables -I FORWARD 1 -p udp -m udp -d $NEWIP -j ACCEPT
iptables -I FORWARD 1 -p udp -m udp -s $NEWIP -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination $NEWIP:80
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 80 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination $NEWIP:443
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 443 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination $NEWIP:25
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 25 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination $NEWIP:465
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 465 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 993 -j DNAT --to-destination $NEWIP:993
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 993 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination $NEWIP:53
iptables -t nat -A POSTROUTING -p tcp -m tcp -d $NEWIP --dport 53 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination $NEWIP:53
iptables -t nat -A POSTROUTING -p udp -m udp -d $NEWIP --dport 53 -j MASQUERADE

Plesk 9 – installing Bugzilla and CPAN problems

October 21st, 2009 Ondrej

So we have Bugzilla installed from CVS in some directory and we run ./checksetup.pl. It shows that we need a bunch of modules, but they do not install; all you can see is a failure message like NOT OK.

To work with CPAN on Plesk 9 machines, you first have to install some basic packages:

yum install gcc make

But make needs to be explicitly set in CPAN (maybe for CentOS only):

perl -MCPAN -e shell
cpan> o conf make /usr/bin/make
cpan> o conf commit

This will get rid of the Writing Makefile for — NOT OK problem.

But Bugzilla needs DBD::mysql, and this needs extra care because of its tests. First of all we install the MySQL libraries:

yum install mysql-devel

And now the installation itself:

/usr/bin/perl install-module.pl DBD::mysql

but it will leave the downloaded package somewhere like

cd /root/.cpan/build/DBD-mysql-4.013

Go there and prepare the test database:

echo 'CREATE DATABASE test;' | mysql -u admin -p`cat /etc/psa/.psa.shadow`

and with this in place, build the package:

perl Makefile.PL  --testuser=admin --testpassword=`cat /etc/psa/.psa.shadow`
make
make test
make install

Now run ./checksetup.pl again and install the other missing modules.
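
The mysql command above puts the admin password on the command line, where it can show up in the process list while the command runs. An added example (not from the original post) that hands it to mysql through a private option file instead; the function name write_client_cnf is hypothetical, and it assumes the password contains no double quotes or backslashes.

```shell
#!/bin/sh
# Added example: give mysql the Plesk admin password via a 0600 option file.

# write_client_cnf SECRET_FILE: create the option file, print its path.
write_client_cnf() {
    secret_file=$1
    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
    cnf=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    {
        printf '[client]\n'
        printf 'user=admin\n'
        # Quoted so that characters such as # are not taken as a comment.
        printf 'password="%s"\n' "$(cat "$secret_file")"
    } > "$cnf"
    echo "$cnf"
}

# Usage on the Plesk host (--defaults-extra-file must be the first option):
#   cnf=$(write_client_cnf /etc/psa/.psa.shadow)
#   mysql --defaults-extra-file="$cnf" -e 'CREATE DATABASE test;'
#   rm -f "$cnf"
```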


Plesk 9 – procmail filtering with postfix through .qmail file

October 19th, 2009 Ondrej

I have just migrated to Plesk 9.2.2 and there is now postfix instead of qmail, so my procmail rules stopped working. Fortunately Plesk changed the MTA but left the way they filter email, so if you want to use procmail filtering on Plesk you can just copy your .procmailrc file to /var/qmail/mailnames/$DOMAIN/$MAILBOX and run the following:

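#!/bin/bash

# For every mailbox that has a .procmailrc, replace the deliverquota
# delivery command in its .qmail file with a call to procmail.
for PROCMAIL in `find /var/qmail/mailnames/ -maxdepth 3 -name .procmailrc`; do
    # rc file: owned by root, readable by everyone, writable by root only
    chown root: "$PROCMAIL"
    chmod 644 "$PROCMAIL"
    DIR=`dirname "$PROCMAIL"`
    # sed pattern (the dot is escaped) and its replacement; @ is the delimiter
    FROM="/usr/bin/deliverquota \./Maildir"
    TO="/usr/bin/procmail -m -o HOME=$DIR $DIR/.procmailrc"
    sed -i -e "s@$FROM@$TO@" "$DIR/.qmail"
done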

And here is just an example of a .procmailrc file:

SHELL=/bin/sh
DIR=${HOME}/Maildir

# Bayes 99% and spam including 20 points goes away
:0
* ^X-Spam-Status:.*BAYES_99
* ^X-Spam-Level: ...................
/dev/null

# Bayes 99% spam is sure spam
:0
* ^X-Spam-Status:.*BAYES_99
${DIR}/.SpamBayes/