Category Archives: internet

Astaro ASG as OpenVPN Access Server client

Just about four weeks ago I posted about the resurrection of the .ovpn to .apc converter script. In the meantime Alois told me in the comments that while this was nice it didn’t work for current versions of the OpenVPN Access Server and the .ovpn files it creates.

Well, since there’s been nothing much else to do I did some more work on the script and I can now happily say that it now also converts the new .ovpn format to an .apc the Astaro can understand. Unfortunately, there’s a little catch: the OpenVPN Access Server relies on ‘tls-auth’ for client connections and the Astaro neither knows of that concept not provides a method to import the needed key file. So I had to do some creative manipulation to make the Astaro do my bidding to include the necessary config statements. In addition, you will need to manually copy the key file to the Astaro to make everything work as expected. To make things as easy as possible, the script will tell you what to do.

If you’re interested, check out the latest version of ovpn-to-apc.sh on Gitorious. If it works for you, let me know. If it doesn’t, let me know, too.

Kleine Erfolgserlebnisse

Vorher

Check name    Uptime    Downtime    Outages   Response time
#######       58.54%    9h 57m 02s    189      9649ms

Nachher

Check name    Uptime    Downtime    Outages   Response time
#######       100.00%   0h 00m 00s     0        647ms

.ovpn to .apc Converter Revisited

The Astaro Security Gateway (ASG) is a great firewall and remote access solution. The only flaw of it being that Astaro, too, tries to build a walled garden around their suite of products. One major drawback here is that while the ASG has outstanding capabilities as a remote access server, there’s no easy way to use it as a client to connect to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all it’s connection information from a .apc file while OpenVPN at best provides a .ovpn file which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files together with the needed certificates and key files into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code, polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.

Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.

Nginx + Dokuwiki and nice URLs

After almost tearing my hair out while trying to get those two to fully work together, I found the solution in the end. While most of the things that can be read here and there are right and true, all solutions I found one the web have one problem: After activating nice URLs in Dokuwiki, you won’t be able to use ACLs anymore with Nginx as the web front end.
The solution is quite simple, there’s an additional global rewrite needed:

rewrite ^/?$ /doku.php last;

The reason being that if you rely on “try_files” doing the right thing, it will do what you want for normal pages. But it will trigger a 302 redirect for admin pages, thereby losing all the POST data that should have been sent. Using the rewrite will keep the POST data and thus make the ACLs editing work again, even with pretty URLs.

Slowing down

This has been a very hectic couple of weeks. Not only the beta testing for the (now not so) new Netgear ReadyNAS boxes with ARM architecture: the Duo v2 and the NV+ v2. But also building add-ons for the new interface. Currently available are:

Especially the new web interface was a major obstacle there for in some situations it behaves quite different than the old and trusty Frontview. But now that I’ve got the hang of it I’m quite confident that more stuff is going to follow soon. And of course updates to the ReadyNAS Sparc stuff that has been put on hold for doing the ARM thing ;) Since I’ve just upgraded this site to WordPress 3.3, I might do an add-on for that as well – we’ll see.

For now it’s relaxing time – at least until the end of the week.

Fixing PHP-FPM’s SCRIPT_NAME Bug The Brute Force Way

It’s not really news that PHP in it’s CGI or FPM flavor has slight to modest problems getting it’s environment right when using Apache as the front end web server, especially the $_SERVER[‘SCRIPT_NAME’] variable many scripts rely on to determine their true location on the hard drive. This erratic behavior is heavily documented in bug reports 51983 and 55208. As is common practice for the PHP-FPM team, their approach is to sit still and wait until this bug goes away on it’s own. This approach, proven to work for many politicians, may however not work for those folks, that need a solution to the problem at hand. A quite simple solution that unfortunately requires to recompile PHP is the following brute force patch for PHP 5.3.8:

--- php-5.3.8/sapi/fpm/fpm/fpm_main.c.org   2011-07-18 23:03:44.000000000 +0200
+++ php-5.3.8/sapi/fpm/fpm/fpm_main.c.  2011-11-24 18:29:37.000000000 +0100
@@ -1084,6 +1084,7 @@
 {
    char *env_script_filename = sapi_cgibin_getenv("SCRIPT_FILENAME", sizeof("SCRIPT_FILENAME") - 1 TSRMLS_CC);
    char *env_path_translated = sapi_cgibin_getenv("PATH_TRANSLATED", sizeof("PATH_TRANSLATED") - 1 TSRMLS_CC);
+   char *env_redirect_url = sapi_cgibin_getenv("REDIRECT_URL", sizeof("REDIRECT_URL") - 1 TSRMLS_CC);
    char *script_path_translated = env_script_filename;
    char *ini;
    int apache_was_here = 0;
@@ -1118,6 +1119,16 @@
 
        /* Hack for buggy IIS that sets incorrect PATH_INFO */
        char *env_server_software = sapi_cgibin_getenv("SERVER_SOFTWARE", sizeof("SERVER_SOFTWARE") - 1 TSRMLS_CC);
+                if (env_redirect_url &&
+                        strncmp(env_server_software, "Apache", sizeof("Apache")-1) == 0) {
+                        /*
+                         * If we have an env_redirect_url and the web server is Apache
+                         * it's very likely that env_redirect_url is the one we really
+                         * want
+                         */
+                        env_script_name = _sapi_cgibin_putenv("SCRIPT_NAME", env_redirect_url TSRMLS_CC);
+                }
+
        if (env_server_software &&
            env_script_name &&
            env_path_info &&
@@ -1159,7 +1170,7 @@
        if (CGIG(fix_pathinfo)) {
            struct stat st;
            char *real_path = NULL;
-           char *env_redirect_url = sapi_cgibin_getenv("REDIRECT_URL", sizeof("REDIRECT_URL") - 1 TSRMLS_CC);
+           // char *env_redirect_url = sapi_cgibin_getenv("REDIRECT_URL", sizeof("REDIRECT_URL") - 1 TSRMLS_CC);
            char *env_document_root = sapi_cgibin_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT") - 1 TSRMLS_CC);
            char *orig_path_translated = env_path_translated;
            char *orig_path_info = env_path_info;

Best Summing-up of Google’s new Search App for iPad

Yep its great and now they can move on to a decent Google+ app for iPad.
–Carlos Rodrigues

[ More ]

So nutzt man Facebook richtig

Sehr geehrter Herr Xxxxxx,

sind Sie der Michael Xxxxxx aus der Xxxxxxxxxxstr. 46, in XXXXX Xxxxxxxx-
Wenn ja, ich bin der Allianz-Fachmann von Ihrem Nachbar Gunter Xxxxxxx. Der hat Ihren autositz beschädigt.
Damit ich den Schaden begleichen kann, benötige ich Ihre Bankverbindung.

Mit freundlichen Grüßen
Mathias Xxxxxxx
Allianz Agentur Xxxxxx-Xxxxxxx

Wozu einen Brief schreiben, wenn man doch über Facebook wahllos (die falschen) Leute anschreiben kann?

The Day The Routers Died

Can’t believe I missed that.

I especially like the part about “those who stay silent”.

Make your ReadyNAS a Wake-on-LAN Hub

Today an interesting request came up in the ReadyNAS forums: Would it be possible to build an add-on that could send Wake-on-LAN (WoL) packets to any host on your local network? You bet it is ;) Took me a bit time to fiddle in the password protection but here you go:

Version for the x86 ReadyNAS line: ReadyWOL_0.1-readypro-0.1.3.bin
Version for the Sparc ReadyNAS line: ReadyWOL_0.1-readynas-0.1.3.bin

After installation you can wake any machine on your LAN by requesting a special URL from your ReadyNAS. And once you’ve properly configured your router, you can even wake up machines while you’re on the road.

Google Maps: Almost Off By One (street) Error

Almost Off By One

To be fair: Google is not alone there. All major navigation systems try to send visitors through the gardens of my neighbors because of this small glitch.

Neuer Rekord für “Skype for Mac (beta)”

Gerade eben hat die neue Skype for Mac (beta) einen neuen Rekord in der Kategorie “kürzeste Verweildauer auf meinem Mac” aufgestellt. Installieren, Starten, Gruseln, Runterschmeissen – das war alles in weniger als 60 Sekunden durch. Die neue “Schaltzentrale” ist für mich total unbrauchbar. Skype for Mac beta - Main Screen
Es interessiert mich nicht, wann ich zuletzt mit wem aus meiner Kontaktliste gechattet habe – was übrigens neben “ich schick’ mal schnell die Datei” meine Hauptanwendung von Skype ist -, aber ich muss alle meine wichtigen Kontakte im Schnellzugriff haben. Naja. Die alte 2.8.0.863 wird ja hoffentlich noch ‘ne Weile funktionieren.

P.S.: Ich bin da nicht allein

SABnzbd and Python on the ReadyNAS

Since many ReadyNAS users seemed to have problems getting SABnzbd to run on their ReadyNAS, I decided to give it a try. The result:

To make those work, Python must be installed on the ReadyNAS as well. As usual, there’s Python for ReadyNAS (Intel) and Python for ReadyNAS (Sparc). Setup instructions:

Continue reading

Speed up SSH Logins

Ever since some upgrade of my Ubuntu workstation it would took forever (10-15 seconds) to login to remote hosts using ssh. The solution is quite easy. Edit /etc/ssh/ssh_config and make sure you have set the following options:

    GSSAPIAuthentication no
    AddressFamily inet

Since I made these changes ssh logins again work in no time.

As If You Were In China

ChinaChannel FireFox AddonThe Firefox add-on China Channel offers internet user outside China to surf the web as if they were in China. Take an unforgetable virtual trip to China and experience the technical expertise of the Chinese Ministry of Information Industry (supported by western companies).
Or watch the video first.