Howto install red5 server and java on Ubuntu Server 14.04 LTS

Install Oracle Java 8:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

The Webupd8 PPA also provides a package that sets the Java environment variables and makes this Java the default:

sudo apt-get install oracle-java8-set-default

Install Red5:

sudo apt-get install libtomcat6-java

download tarball from:

https://github.com/Red5/red5-server/releases/download/v1.0.6-RELEASE/red5-server-1.0.6-RELEASE-server.tar.gz

Extract it somewhere, e.g. under /opt, with the tar xvzf command, which gives you:

/opt/red5-server-1.0.6-RELEASE/

create a file named red5 under /etc/init.d

sudo vi /etc/init.d/red5

add these lines:

#!/bin/sh

### BEGIN INIT INFO
# Provides:             red5
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Red5 server
### END INIT INFO

RED5_HOME=/opt/red5-server-1.0.6-RELEASE

start() {
  # red5.sh runs the server in the foreground, so detach it with nohup and background it
  cd "$RED5_HOME" && nohup ./red5.sh > /dev/null 2>&1 &
  echo 'Service started' >&2
}

stop() {
  # red5-shutdown.sh returns once it has told the server to shut down; run it in the
  # foreground so that "restart" does not start a new instance before the old one
  # has been asked to stop
  cd "$RED5_HOME" && ./red5-shutdown.sh > /dev/null 2>&1
  echo 'Service stopped' >&2
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac

exit 0

Save the file, exit, and then make it executable:

sudo chmod ugo+x /etc/init.d/red5

Then turn autostart on if you want it to start automatically at boot:

sudo sysv-rc-conf red5 on

Now you can start, stop and restart red5-server with the service command:

sudo service red5 start
sudo service red5 stop
sudo service red5 restart

Please note: if you are setting up a production environment you should also create a dedicated user and group to run this process so that it does not run with root privileges.
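As an added example, not part of the original post, here is a variant of the init script above that follows that advice: it starts Red5 as a dedicated unprivileged user via start-stop-daemon, keeps a pidfile so that stop, restart and status can tell whether the server is actually up, and waits for the clean shutdown to finish before falling back to signals. It assumes a system user and group named red5 owning the Red5 directory and the stock start-stop-daemon from dpkg.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:             red5
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Red5 server, run as an unprivileged user
### END INIT INFO
#
# Assumptions (not from the original post): a system user and group "red5" exist
# and own the Red5 tree, e.g. created with
#   adduser --system --group --home /opt/red5-server-1.0.6-RELEASE red5
# and start-stop-daemon from Ubuntu's dpkg package is available.
RED5_HOME=${RED5_HOME:-/opt/red5-server-1.0.6-RELEASE}
RED5_USER=${RED5_USER:-red5}
RED5_GROUP=${RED5_GROUP:-red5}
PIDFILE=${PIDFILE:-/var/run/red5.pid}
STOP_TIMEOUT=${STOP_TIMEOUT:-30}   # seconds to wait for a clean shutdown

# red5_running PIDFILE: succeed only if the pidfile names a live process.
# A missing, empty, non-numeric or stale pidfile (e.g. left behind by a crash
# or a reboot) counts as "not running", so "start" is never refused because of it.
red5_running() {
  [ -r "$1" ] || return 1
  pid=$(head -n 1 "$1" | tr -d '[:space:]')
  case "$pid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  kill -0 "$pid" 2>/dev/null
}

red5_start() {
  if red5_running "$PIDFILE"; then
    echo "red5 already running (pid $(cat "$PIDFILE"))" >&2
    return 0
  fi
  rm -f "$PIDFILE"
  # --chuid drops to red5:red5 before exec, so the JVM never runs as root;
  # --background/--make-pidfile detach it and record the pid for stop/status.
  # (Assumes red5.sh execs the JVM rather than running it as a child; check your copy.)
  start-stop-daemon --start --background --make-pidfile --pidfile "$PIDFILE" \
    --chuid "$RED5_USER:$RED5_GROUP" --chdir "$RED5_HOME" \
    --exec "$RED5_HOME/red5.sh"
}

red5_stop() {
  if ! red5_running "$PIDFILE"; then
    echo "red5 is not running" >&2
    rm -f "$PIDFILE"
    return 0
  fi
  # Ask Red5 to shut down cleanly, as the same unprivileged user...
  start-stop-daemon --start --chuid "$RED5_USER:$RED5_GROUP" --chdir "$RED5_HOME" \
    --exec "$RED5_HOME/red5-shutdown.sh" >/dev/null 2>&1
  # ...wait for the process to go away, then fall back to signals if it has not.
  waited=0
  while red5_running "$PIDFILE" && [ "$waited" -lt "$STOP_TIMEOUT" ]; do
    sleep 1
    waited=$((waited + 1))
  done
  if red5_running "$PIDFILE"; then
    echo "red5 did not stop within ${STOP_TIMEOUT}s, sending TERM" >&2
    start-stop-daemon --stop --pidfile "$PIDFILE" --retry TERM/10/KILL/5
  fi
  rm -f "$PIDFILE"
}

red5_status() {
  if red5_running "$PIDFILE"; then
    echo "red5 is running (pid $(cat "$PIDFILE"))"
  else
    echo "red5 is not running"
    return 3    # LSB status code for "not running"
  fi
}

# Dispatch only when an action is given, so the file can also be sourced to
# exercise the functions above.
if [ $# -gt 0 ]; then
  case "$1" in
    start)   red5_start ;;
    stop)    red5_stop ;;
    restart) red5_stop; red5_start ;;
    status)  red5_status ;;
    *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
  esac
fi
```

Install it as /etc/init.d/red5, make it executable and register it with sysv-rc-conf exactly as above; red5_status also gives you a quick way to see whether a pidfile is stale after an unclean reboot.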

Configuring ntp on Ubuntu Server 14.04 LTS

Check how the server's clock is currently set; “RTC time” is your hardware clock:

root@ubuntu01:/# timedatectl

      Local time: Wed 2015-10-28 14:51:18 CET
  Universal time: Wed 2015-10-28 13:51:18 UTC
        RTC time: Wed 2015-10-28 13:52:41
        Timezone: Europe/Stockholm (CET, +0100)
     NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-10-25 02:59:59 CEST
                  Sun 2015-10-25 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-27 01:59:59 CET
                  Sun 2016-03-27 03:00:00 CEST

The ntp daemon ntpd calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance.

install ntpd:

root@ubuntu01:/# sudo apt-get install ntp

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libopts25
Suggested packages:
  ntp-doc
The following NEW packages will be installed:
  libopts25 ntp
0 upgraded, 2 newly installed, 0 to remove and 95 not upgraded.
Need to get 474 kB of archives.
After this operation, 1,677 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://se.archive.ubuntu.com/ubuntu/ trusty/main libopts25 amd64 1:5.18-2ubuntu2 [55.3 kB]
Get:2 http://se.archive.ubuntu.com/ubuntu/ trusty-updates/main ntp amd64 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5 [419 kB]
Fetched 474 kB in 0s (831 kB/s)
Selecting previously unselected package libopts25:amd64.
(Reading database ... 58224 files and directories currently installed.)
Preparing to unpack .../libopts25_1%3a5.18-2ubuntu2_amd64.deb ...
Unpacking libopts25:amd64 (1:5.18-2ubuntu2) ...
Selecting previously unselected package ntp.
Preparing to unpack .../ntp_1%3a4.2.6.p5+dfsg-3ubuntu2.14.04.5_amd64.deb ...
Unpacking ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.5) ...
Processing triggers for ureadahead (0.100.0-16) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up libopts25:amd64 (1:5.18-2ubuntu2) ...
Setting up ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.5) ...
 * Starting NTP server ntpd  [ OK ]
Processing triggers for libc-bin (2.19-0ubuntu6.6) ...
Processing triggers for ureadahead (0.100.0-16) ...

Configure ntp.conf with your pool; mine is the Swedish pool found at http://www.pool.ntp.org/zone/se

root@ubuntu01:/# vi /etc/ntp.conf

change these:

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

to these:

server 0.se.pool.ntp.org
server 1.se.pool.ntp.org
server 2.se.pool.ntp.org
server 3.se.pool.ntp.org

Checking that ntp is started at boot time

root@ubuntu01:/# sysv-rc-conf --list

acpid
apache2      0:off      1:off   2:on    3:on    4:on    5:on    6:off
apparmor     S:on
apport
atd
console-setu
cron
dbus
ddclient     1:off      2:on    3:on    4:on    5:on
dns-clean    1:on       2:on    3:on    4:on    5:on
friendly-rec
grub-common  2:on       3:on    4:on    5:on
halt         0:on
iptables-per 0:off      1:off   2:on    3:on    4:on    5:on    6:off
irqbalance
killprocs    1:on
kmod
mysql
networking
ntp          1:off      2:on    3:on    4:on    5:on
ondemand     2:on       3:on    4:on    5:on
pppd-dns     1:on       2:on    3:on    4:on    5:on
procps
rc.local     2:on       3:on    4:on    5:on
reboot       6:on
resolvconf
rsync        0:off      1:off   2:on    3:on    4:on    5:on    6:off
rsyslog
screen-clean 0:off      1:off   2:on    3:on    4:on    5:on    6:off
sendsigs     0:on       6:on
single       1:on
ssh
sudo
udev
umountfs     0:on       6:on
umountroot   0:on       6:on
unattended-u 0:off      6:off
urandom      0:on       6:on    S:on

Looks okay, so let's reload the new config:

root@ubuntu01:/# service ntp reload

Verify that the daemon is running with the pstree -p command:

root@ubuntu01:/# pstree -p

        │             
        ├─ntpd(1716)
        ├─rsyslogd(688)─┬─{rsyslogd}(689)
        │               ├─{rsyslogd}(690)
        │               └─{rsyslogd}(691)
        ├─sshd(939)─┬─sshd(1970)───sshd(1971)
        │           └─sshd(32233)───sshd(32316)───bash(32317)───sudo(32449)───bash(32452)───pstree(1972)
        ├─systemd-logind(685)
        ├─systemd-udevd(289)
        ├─upstart-file-br(704)
        ├─upstart-socket-(707)
        └─upstart-udev-br(284)

Sweet, now write the system clock to the hardware clock:

root@ubuntu01:/# hwclock --systohc

and verify:

root@ubuntu01:/# timedatectl

      Local time: Wed 2015-10-28 15:10:15 CET
  Universal time: Wed 2015-10-28 14:10:15 UTC
        RTC time: Wed 2015-10-28 14:10:15
        Timezone: Europe/Stockholm (CET, +0100)
     NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-10-25 02:59:59 CEST
                  Sun 2015-10-25 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-27 01:59:59 CET
                  Sun 2016-03-27 03:00:00 CEST

All done!
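An added check, not from the original post: a small script that reads the peer list from ntpq -pn (the query tool installed with the ntp package) and reports whether ntpd has selected a sys.peer and how far the clock is off. timedatectl above still reports “NTP synchronized: no” after the reload; ntpq shows ntpd's own view of its peers, which is the state worth monitoring. The two peer lists embedded below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): decide from "ntpq -pn" (the query
# tool in the ntp package) whether ntpd has really synchronised, and whether the
# selected peer's offset is within a threshold.
# Tally code in column 1 of the peer list: "*" the peer the clock is synchronised
# to (sys.peer), "+" an acceptable candidate, "-" "x" "." rejected, " " not
# reached yet. The two samples below are constructed, with RFC 5737 addresses.
MAX_OFFSET_MS=${MAX_OFFSET_MS:-100}   # alert if the sys.peer offset exceeds this

# ntp_sync_state < ntpq-output: prints "synced", "candidates" or "unsynced"
ntp_sync_state() {
  awk '
    NR <= 2 { next }                     # header and ==== separator
    substr($0, 1, 1) == "*" { synced = 1 }
    substr($0, 1, 1) == "+" { cand = 1 }
    END {
      if (synced) print "synced"; else if (cand) print "candidates"; else print "unsynced"
    }'
}

# ntp_syspeer_offset < ntpq-output: prints |offset| in ms of the sys.peer line
# (columns: remote refid st t when poll reach delay offset jitter, so offset is $9)
ntp_syspeer_offset() {
  awk 'substr($0, 1, 1) == "*" { off = $9 + 0; if (off < 0) off = -off; print off; exit }'
}

# ntp_check < ntpq-output: 0 only if synced and |offset| <= MAX_OFFSET_MS
ntp_check() {
  out=$(cat)
  state=$(printf '%s\n' "$out" | ntp_sync_state)
  if [ "$state" != synced ]; then
    echo "ntp: $state, no sys.peer selected yet" >&2
    return 1
  fi
  offset=$(printf '%s\n' "$out" | ntp_syspeer_offset)
  # float comparison via awk, since sh arithmetic is integer only
  if awk -v o="$offset" -v m="$MAX_OFFSET_MS" 'BEGIN { exit !(o <= m) }'; then
    echo "ntp: synced, offset ${offset} ms"
    return 0
  fi
  echo "ntp: synced but offset ${offset} ms exceeds ${MAX_OFFSET_MS} ms" >&2
  return 1
}

# Constructed sample: ntpd has picked 192.0.2.10 as sys.peer, one candidate, one rejected
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      192.0.2.1        2 u   18   64  377   12.345   -1.583   0.421
+192.0.2.11      192.0.2.1        2 u   22   64  377   13.001    0.912   0.388
-192.0.2.12      198.51.100.7     3 u   30   64  377   40.220    8.100   1.200
 192.0.2.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample: ntpd just started, no peer reached yet
SAMPLE_STARTING='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# "sh ntpcheck.sh live" queries this host; with no argument it runs on the samples
if [ "${1:-}" = live ]; then
  ntpq -pn | ntp_check
else
  printf '%s\n' "$SAMPLE_SYNCED" | ntp_check
  printf '%s\n' "$SAMPLE_STARTING" | ntp_check || true
fi
```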

 

Howto set up Git over Https with Apache on Ubuntu Server 14.04

Welcome,

In this post we will look at setting up Git over https (git-http-backend) with Apache on a Ubuntu Server 14.04 LTS. We will require users to be authenticated with basic auth before accessing the central git-repositories, both when reading from and writing to any repository.

Let’s start by installing git on our Ubuntu system:

root@ubuntu01:~# apt-get upgrade
root@ubuntu01:~# apt-get install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  git-man liberror-perl
Suggested packages:
  git-daemon-run git-daemon-sysvinit git-doc git-el git-email git-gui gitk
  gitweb git-arch git-bzr git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
  git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 3 not upgraded.
Need to get 3,346 kB of archives.
After this operation, 21.6 MB of additional disk space will be used.

Setting up Git over HTTPS with Apache is essentially a matter of enabling git-http-backend, a CGI script that ships with Git, on the server.

We can find out the location of git-http-backend on our system by searching for it:

root@ubuntu01:/etc/apache2/mods-enabled# find / -name git-http-backend
/usr/lib/git-core/git-http-backend

Now, in order for the git-http-backend to work properly with Apache we need to enable these modules: mod_cgi, mod_alias, and mod_env. On my system I already have mod_alias and mod_env up and running so I only need to enable mod_cgi:

root@ubuntu01:/etc/apache2# a2enmod cgi
Enabling module cgi.

For security purposes it is generally good practice to execute CGI scripts as a different user than the web server user. We therefore create an unprivileged user and group called git, and we will also install and use the apache2 suexec packages.

First, you create a git group:

root@ubuntu01:/opt# groupadd git

You can easily restrict the git user to only doing Git activities with a limited shell tool called git-shell that comes with Git. If you set this as your git user’s login shell, then the git user can’t have normal shell access to your server. To use this, specify git-shell instead of bash or csh for your user’s login shell. To do so, you must first add git-shell to /etc/shells if it’s not already there:

root@ubuntu01:/opt# more /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

So git-shell is not enabled yet. Let's enable it; first we need to find out its path:

root@ubuntu01:/opt# find / -name git-shell
/usr/bin/git-shell
/usr/lib/git-core/git-shell

Okay, so let’s add the /usr/bin/git-shell to /etc/shells

root@ubuntu01:/opt# vi /etc/shells

root@ubuntu01:/opt# more /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen
/usr/bin/git-shell

Now create a home directory for the git user at /opt/git

root@ubuntu01:/opt# mkdir git

Now create a git user. We’ll make this user a member of the git group, with a home directory of /opt/git, and with a shell of /usr/bin/git-shell

root@ubuntu01:/opt# useradd -s /usr/bin/git-shell -g git -d /opt/git git

Make the git user and group the owner of the /opt/git folder:

root@ubuntu01:/opt# chown git:git git/

Now, I’ve decided to use a subdomain called git with my domain so that the URL will look similar to this: https://git.example.com. For this to work I need to add a subdomain record to my DNS configuration. I will use a CNAME record for this.

[screenshot: add_subdomain_git]

With the host-command I can now verify that the new record does resolve in dns:

root@ubuntu01:/opt/git# host -t CNAME git.creang.com
git.creang.com is an alias for creang.com.

Now, let’s set up a VirtualHost in Apache for this subdomain:

root@ubuntu01:/opt/git# vi /etc/apache2/sites-enabled/vhosts-default.conf
        <VirtualHost *:443>
                ServerName git.creang.com
                DocumentRoot /opt/git
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                <Directory /opt/git>
                        Options ExecCGI Indexes FollowSymLinks
                        AllowOverride All
                        Require all granted
                </Directory>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl-stuff/myCert.crt
                SSLCertificateKeyFile /etc/apache2/ssl-stuff/myKey.key
                SSLCertificateChainFile /etc/apache2/ssl-stuff/myCA.crt
                <Location />
                        AuthType Basic
                        AuthName "Private Git Access"
                        AuthUserFile /opt/git/.htpasswd
                        Require valid-user
                </Location>
                SuexecUserGroup git git
                ScriptAlias /git /var/www/sbin/git-http-backend-wrapper
        </VirtualHost>

Now install apache2-suexec:

root@ubuntu01:/etc/apache2# apt-get install apache2-suexec
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-suexec-pristine
The following NEW packages will be installed:
  apache2-suexec apache2-suexec-pristine

Enable suEXEC Support so that the git user and group can be used when running the CGI-Script:

root@ubuntu01:/etc/apache2# a2enmod suexec
Enabling module suexec.

To work with the suEXEC security model a wrapper script needs to be created that sets up the environment when suEXEC executes the script. The script simply sets the required environment variable and calls git-http-backend.

root@ubuntu01:/var/www# mkdir sbin
root@ubuntu01:/var/www# vi ./sbin/git-http-backend-wrapper

#!/bin/bash
# Run by suEXEC as git:git (SuexecUserGroup in the vhost). suEXEC only executes
# scripts owned by that user and located under its document root, /var/www on
# Ubuntu, which is why the wrapper lives in /var/www/sbin.
PATH_INFO=$SCRIPT_URL
GIT_PROJECT_ROOT=/opt/git
REMOTE_USER=$REDIRECT_REMOTE_USER
# Let the backend serve repositories that have no git-daemon-export-ok file
export GIT_HTTP_EXPORT_ALL=true
/usr/lib/git-core/git-http-backend

Change owner to git user and group on this folder and script and make it executable:

root@ubuntu01:/var/www# chown -R git:git sbin/

root@ubuntu01:/var/www# chmod 755 ./sbin/git-http-backend-wrapper

Now create the htpasswd file. This requires the apache2-utils package; install it if it is not installed already:

root@ubuntu01:/etc/apache2# apt-get install apache2-utils

Create the file, replacing jbilander with your own username:

root@ubuntu01:/etc/apache2# htpasswd -c /opt/git/.htpasswd jbilander
New password:
Re-type new password:
Adding password for user jbilander

Make the git user and group owner of this file:

root@ubuntu01:/etc/apache2# chown git:git /opt/git/.htpasswd

Restart Apache:

root@ubuntu01:/etc/apache2# service apache2 restart

Now create a repository in /opt/git

root@ubuntu01:/opt/git# git init --bare --shared=group projectA.git
Initialized empty shared Git repository in /opt/git/projectA.git/

Set the git user and group as the owner, recursively, of this repo:

root@ubuntu01:/opt/git# chown -R git.git projectA.git/

Explicitly enable http.receivepack on the repo so that pushes over HTTP are accepted:

root@ubuntu01:/opt/git# cd projectA.git/

root@ubuntu01:/opt/git/projectA.git# git config --file config http.receivepack true

The config file will now look like this:

root@ubuntu01:/opt/git/projectA.git# more config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = true
        sharedrepository = 1
[receive]
        denyNonFastforwards = true
[http]
        receivepack = true
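An added example, not from the original post: the repository creation steps above (bare init with --shared=group, chown git:git, http.receivepack true) wrapped in a small provisioning script that can also verify an existing repository, with the repository name validated so that a name taken from a ticket or a form cannot escape /opt/git. The paths and the git:git owner are the post's; the function names and the verify step are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): provision a bare repository under
# /opt/git exactly as the post does by hand (git init --bare --shared=group,
# chown git:git, http.receivepack=true), plus a verify step. The repository name
# is validated first, so a name copied from a ticket or a web form cannot escape
# GIT_ROOT or collide with dotfiles such as /opt/git/.htpasswd.
GIT_ROOT=${GIT_ROOT:-/opt/git}
GIT_OWNER=${GIT_OWNER:-git:git}

# repo_name_ok NAME: 0 if NAME is one path component of [A-Za-z0-9._-] ending in
# ".git", with something before the suffix, and not starting with "." (rules out
# "..", ".git" and dotfiles) or "-" (would be taken as an option by git).
repo_name_ok() {
  case "$1" in
    .*|-*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    ?*.git) return 0 ;;
  esac
  return 1
}

# repo_provision NAME: create $GIT_ROOT/NAME. Run as root (for chown), e.g.
#   sudo sh newrepo.sh new projectB.git
repo_provision() {
  name=$1
  if ! repo_name_ok "$name"; then
    echo "refusing repository name '$name'" >&2
    return 2
  fi
  path="$GIT_ROOT/$name"
  if [ -e "$path" ]; then
    echo "$path already exists" >&2
    return 3
  fi
  git init --bare --shared=group "$path" >/dev/null || return 1
  # allow authenticated pushes through git-http-backend (the post's config step)
  git --git-dir="$path" config http.receivepack true || return 1
  chown -R "$GIT_OWNER" "$path"
}

# repo_verify NAME: report whether the repo matches the state the post ends with
repo_verify() {
  path="$GIT_ROOT/$1"
  [ -d "$path" ] || { echo "$path: missing" >&2; return 1; }
  rc=0
  [ "$(git --git-dir="$path" config --bool http.receivepack 2>/dev/null)" = true ] \
    || { echo "$path: http.receivepack is not true, pushes over HTTPS will be refused" >&2; rc=1; }
  shared=$(git --git-dir="$path" config core.sharedrepository 2>/dev/null)
  case "$shared" in
    ''|0|false) echo "$path: core.sharedRepository not set, new objects may not be group-writable" >&2; rc=1 ;;
  esac
  owner=$(stat -c %U:%G "$path")
  [ "$owner" = "$GIT_OWNER" ] \
    || { echo "$path: owned by $owner, expected $GIT_OWNER" >&2; rc=1; }
  return $rc
}

if [ $# -gt 0 ]; then
  case "$1" in
    new)    repo_provision "$2" ;;
    verify) repo_verify "$2" ;;
    *) echo "Usage: $0 new NAME.git | verify NAME.git" >&2; exit 1 ;;
  esac
fi
```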

Now let's access and clone this repo from a client over HTTPS. I will do this from the command line just to show how; you may prefer a GUI client such as SmartGit:

C:\Projects>git.exe clone https://git.creang.com/git/projectA.git myProjectA.git
Cloning into 'myProjectA.git'...
Username for 'https://git.creang.com': jbilander
Password for 'https://jbilander@git.creang.com':
warning: You appear to have cloned an empty repository.
Checking connectivity... done.

I used another name for the repository folder here just for instructional purposes. You can leave that out if you want the same name on the client side as on the server side. Please note, if you are using a self-signed certificate you can silence the certificate warning with this client-side setting (it turns off certificate verification for all HTTPS remotes on that client):

git config --global http.sslVerify false

An even better option is to add your certificate to the client's trust store; I will not show how to do that here though.

Let’s try to add a new file and commit and push to the server repo:

Create a new file:

C:\Projects\myProjectA.git>notepad test.txt
C:\Projects\myProjectA.git>git.exe add test.txt
C:\Projects\myProjectA.git>git.exe commit -m "a first commit"

[master (root-commit) da37104] a first commit
 1 file changed, 1 insertion(+)
 create mode 100644 test.txt

Push to the remote repository on the server:

C:\Projects\myProjectA.git>git.exe push origin master

Username for 'https://git.creang.com': jbilander
Password for 'https://jbilander@git.creang.com':
Counting objects: 3, done.
Writing objects: 100% (3/3), 217 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To https://git.creang.com/git/projectA.git
 * [new branch]      master -> master

All done! and it works :) Now time to grab some coffee…

Howto protect your wordpress blog from comment and trackback spam with Akismet

Welcome,

Here we will learn how to protect our WordPress blog from comment and trackback spam by activating the popular Akismet plugin.

[screenshot: akismet]

After installing wordpress you automatically get a notice about the available Akismet-plugin under the Plugins-menu and the possibility to upgrade to the latest version of Akismet. Let’s do that.

You can update the Akismet plugin either by clicking “update now” or by doing it manually; we will do the latter.

[screenshot: akismet_update_info]

“Update now” will open this dialog:

[screenshot: update_now_dialog]

However, I will not do the update this way but rather prefer to do it manually…

Manually updating the akismet-plugin:

root@ubuntu01:/usr/src/download# wget https://downloads.wordpress.org/plugin/akismet.3.1.2.zip

Install unzip if you don’t have it installed already:

root@ubuntu01:/usr/src/download# apt-get install unzip

Unpack:

root@ubuntu01:/usr/src/download# unzip akismet.3.1.2.zip

Set the same owner and group that you have for the wordpress folder.

root@ubuntu01:/usr/src/download# chown -R nobody:www-data ./akismet

Move the old Akismet plugin away or delete it. I’m moving it to the download folder here and calling it akismet_old:

root@ubuntu01:/usr/src/download# mv /var/www/creang/wp-content/plugins/akismet/ ./akismet_old

Move the new, updated folder into place:

root@ubuntu01:/usr/src/download# mv akismet /var/www/creang/wp-content/plugins/

Now that the plugin is in place, activate it by clicking “Activate”:

[screenshot: akismet_activate1]

Follow the instructions:

[screenshot: akismet_activate2]

Get your API key…

[screenshot: akismet_activate3]

Signing up for Akismet with wordpress.com…

[screenshot: akismet_activate4]

[screenshot: akismet_activate5]

Choose your plan, I chose the basic plan here…

[screenshot: akismet_activate6]

Choose whether you want to donate an annual amount or not…

[screenshot: akismet_activate7]

Pulling the slider to $0 makes the payment info disappear…

[screenshot: akismet_activate8]

After clicking the continue button…

[screenshot: akismet_activate10]

Click to automatically save your API key…

[screenshot: akismet_activate11]

[screenshot: akismet_activate12]

All done!

Now, let’s see what happens when a comment is made:

[screenshot: akismet_update5]

“Your comment is awaiting moderation”

This comment can be taken care of by the admin/moderator under the comments section…

[screenshot: akismet_update6]

Setting up SNI with Apache 2.4

Welcome,

In this tutorial we will look at setting up SNI with Apache 2.4. With SNI you can use multiple SSL certificates in Apache with one IP-address.

Since Apache 2.2.12 and OpenSSL 0.9.8j you can use Server Name Indication (SNI), an extension of Transport Layer Security (TLS). With SNI a single SSL certificate can secure multiple Apache sites, and multiple SSL certificates can secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com), all from a single IP address. The benefit of SNI is obvious: you can secure more websites without purchasing more IP addresses or additional hardware.

SNI is supported by many common browsers:

Desktop Browsers
Internet Explorer 7 and later
Firefox 2 and later
Opera 8 with TLS 1.1 enabled
Google Chrome:
Supported on Windows XP on Chrome 6 and later
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).

Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers
Mobile Safari for iOS 4.0 and later
Android 3.0 (Honeycomb) and later
Windows Phone 7 and later

Now, looking at our Apache installation at location /etc/apache2/mods-available we can see that the ssl-module is in there ready to be enabled:

root@ubuntu01:/etc/apache2/mods-available# ls -al
...
-rw-r--r-- 1 root root  3404 Jan  7  2014 ssl.conf
-rw-r--r-- 1 root root    97 Jan  3  2014 ssl.load

Determining if the ssl-module is already enabled can be done with the following command…

root@ubuntu01:/etc/apache2/mods-available# apachectl -M

…or by listing the /etc/apache2/mods-enabled folder:

root@ubuntu01:/etc/apache2/mods-enabled# ls -al

We can see that it’s not enabled already so let’s enable it:

root@ubuntu01:/etc/apache2/mods-enabled# a2enmod ssl

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

To verify that the symlinks now have been created we can list the content of mods-enabled folder:

root@ubuntu01:/etc/apache2/mods-enabled# ls -al
...
lrwxrwxrwx 1 root root   26 Jul  6 11:53 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Jul  6 11:53 ssl.load -> ../mods-available/ssl.load

Now create a folder where we will put the certificates and keys. I chose to call it ssl-stuff:

root@ubuntu01:/etc/apache2# mkdir ssl-stuff

Copy your certificate www_example_com.crt, your unencrypted key www_example_com.key and your CA’s certificate file ca.crt into it.

Please note:

  • If the contained private key is encrypted, the pass phrase dialog is forced at startup time.
  • SSLCertificateChainFile became obsolete with Apache version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Since we are running Apache 2.4.7, this does not affect us and we still use the SSLCertificateChainFile directive.

Set the permissions so that only the owner can read and write the unencrypted key in ssl-stuff:

root@ubuntu01:/etc/apache2/ssl-stuff# chmod 600 www_example_com.key

Now edit your vhosts file:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-stuff/www_example_com.crt
    SSLCertificateKeyFile /etc/apache2/ssl-stuff/www_example_com.key
    SSLCertificateChainFile /etc/apache2/ssl-stuff/ca.crt
    JkMount /manager/* ajp13_worker
    JkMount /manager ajp13_worker
    JkMount /examples/* ajp13_worker
    JkMount /examples ajp13_worker
  </VirtualHost>
</IfModule>

Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will access the site without any warnings or problems. You can add as many websites or SSL Certificates as you need adding more VirtualHost-configurations similar to above.

root@ubuntu01:/etc/apache2/sites-available# service apache2 restart
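An added check, not from the original post: once several VirtualHost *:443 blocks share one IP address, the way to confirm that each SNI name gets the right certificate is to connect with openssl s_client -servername for each ServerName and compare the served certificate's names with the requested one (a missing or misspelled ServerName makes Apache fall back to the first *:443 vhost, whose certificate then appears under the wrong name). The script below does that, including the wildcard rule browsers apply; the certificate text it is tested on is a constructed sample, and the host, names and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that each SNI name is
# answered with a certificate that actually covers it. "openssl s_client
# -servername NAME" sends exactly that SNI name, so the certificate that comes
# back is the one the matching <VirtualHost *:443> serves. The certificate text
# below is constructed sample output of "openssl x509 -noout -subject -text".

# cert_dns_names < x509-text: print the subject CN and every SAN DNS entry, one per line
cert_dns_names() {
  awk '
    /^subject ?=/ {
      # handles both "subject= /C=SE/CN=host" (OpenSSL 1.0) and "subject=C = SE, CN = host"
      if (match($0, /CN ?= ?[^,\/]+/)) {
        cn = substr($0, RSTART, RLENGTH); sub(/^CN ?= ?/, "", cn); print cn
      }
    }
    /DNS:/ {
      n = split($0, parts, /,[ ]*/)
      for (i = 1; i <= n; i++) if (sub(/^[ ]*DNS:/, "", parts[i])) print parts[i]
    }' | LC_ALL=C sort -u
}

# cert_name_matches NAME PATTERN: 0 if PATTERN (exact or "*.domain") covers NAME,
# using the browser rule that a leading "*" covers exactly one label and that
# "*.com"-style wildcards are not accepted. Comparison is case-insensitive.
cert_name_matches() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$name" = "$pat" ] && return 0
  case "$pat" in
    '*.'*.*) ;;            # wildcard must be the whole first label and leave >= 2 labels
    *) return 1 ;;
  esac
  suffix=${pat#\*.}
  first=${name%%.*}
  rest=${name#*.}
  [ "$first" != "$name" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
}

# cert_covers NAME < x509-text: 0 if any name in the certificate covers NAME
cert_covers() {
  names=$(cert_dns_names)
  set -f                      # no pathname expansion of "*.example.com" entries
  for n in $names; do
    if cert_name_matches "$1" "$n"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# sni_check HOST SNI_NAME [PORT]: connect to HOST, send SNI_NAME, verify the served cert
sni_check() {
  host=$1; sni=$2; port=${3:-443}
  if openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
       | openssl x509 -noout -subject -text 2>/dev/null | cert_covers "$sni"; then
    echo "$sni: OK, the certificate served for this SNI name covers it"
  else
    echo "$sni: MISMATCH, served certificate does not cover this name (check ServerName and vhost order)" >&2
    return 1
  fi
}

# Constructed sample for the www.example.com vhost above
SAMPLE_CERT_TEXT='subject= /C=SE/O=Example AB/CN=www.example.com
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:*.git.example.com'

# Usage: sh snicheck.sh SERVER_IP www.example.com [site2.example.com ...]
if [ $# -ge 2 ]; then
  host=$1; shift
  for n in "$@"; do sni_check "$host" "$n"; done
fi
```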

Howto set up Tomcat 8 with Apache 2.4 and mod_jk on Ubuntu

Welcome,

In this walkthrough we will look at installing the binary distribution of Tomcat 8 on Ubuntu Server 14.04 LTS. Please note that we will not use the Tomcat Native package here. Apache 2.4 will be used as a front end, optionally handling static content and SSL termination, while dynamic content will be served by the Tomcat server through the Apache JServ Protocol (AJP 1.3) with the Apache module mod_jk.

[diagram: apache_tomcat_setup]

First we need to install a Java runtime for the Tomcat server to run in. I chose the Server JRE 8 for an obvious reason: the Server JRE is a runtime environment specifically targeted at deploying Java in server environments, and it is available for 64-bit Linux, Solaris and Windows. It includes tools for JVM monitoring and tools commonly required for server applications, but does not include browser integration (the Java plug-in).

The Server JRE can be downloaded from this location: http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html

At the time of my download, this was the latest version available:

 server-jre-8u45-linux-x64.tar.gz

Download it to /usr/src/download or any other location you prefer and unpack.

root@ubuntu01:/usr/src/download# tar xvzf server-jre-8u45-linux-x64.tar.gz

That will create the folder /usr/src/download/jdk1.8.0_45

Change the owner recursively on that folder; I’m using root as user and group here.

root@ubuntu01:/usr/src/download# chown -R root:root jdk1.8.0_45/

Move the folder to your desired location, I chose /opt here since that folder is typically for third-party add-on software.

root@ubuntu01:/usr/src/download# mv jdk1.8.0_45/ /opt

To make it obvious that this is the Server JRE I created a symlink pointing to that folder.

root@ubuntu01:/opt# ln -s jdk1.8.0_45/ server_jre

root@ubuntu01:/opt# ls -al
drwxr-xr-x  8 root   root     4096 Apr 10 19:22 jdk1.8.0_45
lrwxrwxrwx  1 root   root       12 Jul  1 11:18 server_jre -> jdk1.8.0_45/

Just to verify that this is the correct Java version:

root@ubuntu01:/opt/server_jre/bin# ./java -version
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)

That’s all for the Java installation, now let’s download and install Tomcat.

Tomcat installation:

Download Tomcat binary distribution:

root@ubuntu01:/usr/src/download# wget http://apache.mirrors.spacedump.net/tomcat/tomcat-8/v8.0.23/bin/apache-tomcat-8.0.23.tar.gz

Unpack:

root@ubuntu01:/usr/src/download# tar xvzf apache-tomcat-8.0.23.tar.gz

Move it to /opt:

root@ubuntu01:/usr/src/download# mv apache-tomcat-8.0.23 /opt/

Create a symlink in the /opt folder:

root@ubuntu01:/usr/src/download# cd /opt/
root@ubuntu01:/opt# ln -s apache-tomcat-8.0.23/ tomcat

For security purposes, Tomcat should be run as an unprivileged user. We will create a new user (tomcat) and group (tomcat) that will run the Tomcat-service.

root@ubuntu01:/opt# groupadd tomcat

Then create a new tomcat user. We’ll make this user a member of the tomcat group, with a home directory of /opt/tomcat, and with a shell of /bin/false

root@ubuntu01:/opt# useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Change the owner of the Tomcat folder tree to the new user and group, recursively:

root@ubuntu01:/opt# chown -R tomcat:tomcat apache-tomcat-8.0.23

Now it should look like this when listing the /opt folder:

root@ubuntu01:/opt# ls -al
drwxr-xr-x  9 tomcat tomcat  apache-tomcat-8.0.23
drwxr-xr-x  8 root   root    jdk1.8.0_45
lrwxrwxrwx  1 root   root    server_jre -> jdk1.8.0_45/
lrwxrwxrwx  1 root   root    tomcat -> apache-tomcat-8.0.23/

Now, comment out the port 8080 connector in server.xml (we will only enable AJP on port 8009):

root@ubuntu01:/opt# cd tomcat/conf/
root@ubuntu01:/opt/tomcat/conf# vi server.xml
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->

Make sure the ajp-connector is not disabled…

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
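An added check, not from the original post: with the 8080 connector disabled, mod_jk on the same machine is the only intended client of the AJP port, so 8009 should be bound to loopback only (the Connector element's address attribute, address="127.0.0.1", does that; the line above binds to all interfaces). The script below parses ss -ltn output and flags an AJP listener that is reachable from other hosts; the two listings it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): check that Tomcat's AJP connector
# can only be reached by Apache on the same host. With the 8080 connector
# commented out, mod_jk on this machine is the only intended client of port
# 8009, so it should be bound to the loopback address; that takes
# address="127.0.0.1" on the Connector element (a standard Connector attribute,
# not present in the post's server.xml line). The check parses "ss -ltn";
# the two samples below are constructed.
AJP_PORT=${AJP_PORT:-8009}

# ajp_listeners PORT < ss-output: print the local address:port of each listener on PORT
ajp_listeners() {
  awk -v port="$1" 'NR > 1 && $4 ~ (":" port "$") { print $4 }'
}

# ajp_exposed PORT < ss-output: exit 0 if some listener on PORT is bound to a
# non-loopback address (reachable from other hosts), 1 if all are loopback,
# 2 if nothing listens on PORT at all.
ajp_exposed() {
  awk -v port="$1" '
    NR > 1 && $4 ~ (":" port "$") {
      seen = 1
      addr = $4; sub(/:[0-9]+$/, "", addr)        # "*:8009" -> "*", "[::1]:8009" -> "[::1]"
      if (addr !~ /^127\./ && addr != "::1" && addr != "[::1]") exposed = 1
    }
    END { if (!seen) exit 2; exit exposed ? 0 : 1 }'
}

# ajp_check < ss-output: human-readable verdict, 0 only for loopback-only
ajp_check() {
  rc=0
  ajp_exposed "$AJP_PORT" || rc=$?
  case $rc in
    0) echo "AJP port $AJP_PORT is reachable from the network; set address=\"127.0.0.1\" on the Connector" >&2
       return 1 ;;
    1) echo "AJP port $AJP_PORT listens on loopback only"
       return 0 ;;
    *) echo "nothing is listening on port $AJP_PORT (is Tomcat running?)" >&2
       return 1 ;;
  esac
}

# Constructed sample: AJP bound to all interfaces (the post's Connector line)
SAMPLE_EXPOSED='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                    *:*
LISTEN     0      100    *:8009                  *:*
LISTEN     0      128    :::80                   :::*'

# Constructed sample: AJP bound to loopback only
SAMPLE_LOOPBACK='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                    *:*
LISTEN     0      100    127.0.0.1:8009          *:*
LISTEN     0      128    :::80                   :::*'

# "sh ajpcheck.sh live" inspects this host; with no argument it runs on the samples
if [ "${1:-}" = live ]; then
  ss -ltn | ajp_check
else
  printf '%s\n' "$SAMPLE_EXPOSED" | ajp_check || true
  printf '%s\n' "$SAMPLE_LOOPBACK" | ajp_check
fi
```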

Configure Tomcat Web Management Interface. Put this in your tomcat-users.xml in between the <tomcat-users> tags, choose your username and password.

root@ubuntu01:/opt/tomcat/conf# vi tomcat-users.xml
  <role rolename="manager-gui"/>
  <user username="admin" password="password" roles="manager-gui"/>

Because we want to be able to run Tomcat as a service, we will set up an Upstart script. Create and install a Tomcat Upstart script:

root@ubuntu01:/opt/tomcat/conf# vi /etc/init/tomcat.conf

Put this content in the new file:

description "Tomcat Server"

start on runlevel [2345]
stop on runlevel [!2345]
respawn
respawn limit 10 5

setuid tomcat
setgid tomcat

env JAVA_HOME=/opt/server_jre
env CATALINA_HOME=/opt/tomcat

# Modify these options as needed
env JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"
env CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

exec $CATALINA_HOME/bin/catalina.sh run

# cleanup temp directory after stop
post-stop script
  rm -rf $CATALINA_HOME/temp/*
end script

Tomcat can now be started/stopped by the service command. It will also startup automatically on boot.

root@ubuntu01:/opt/tomcat/conf# service tomcat start
tomcat start/running, process 5666

The log file is located at /var/log/upstart/tomcat.log

root@ubuntu01:/var/log/upstart# tail tomcat.log

Looking at the log file after startup…

[screenshot: tomcat_upstart_log]

…we can see the following message in the log output:

org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

Ignore this message. The library referred to is an OS-specific libtcnative.so (or DLL on Windows) loaded via JNI. It lets Tomcat use OS facilities not provided by the Java runtime, such as sendfile, epoll, OpenSSL, OS-level functionality (random number generation, system status, etc.) and native process handling (shared memory, NT pipes and Unix sockets). Tomcat runs fine without it; these features are what make Tomcat usable as a general-purpose web server. We will, however, only use Tomcat as a backend server behind the Apache web server, hence we ignore this message.

Installing and configuring mod_jk

root@ubuntu01:/var/log/upstart# apt-get install libapache2-mod-jk

Preparing to unpack .../libapache2-mod-jk_1%3a1.2.37-3_amd64.deb ...
Unpacking libapache2-mod-jk (1:1.2.37-3) ...
Setting up libapache2-mod-jk (1:1.2.37-3) ...
apache2_invoke: Enable module jk
 * Restarting web server apache2

Now with the following command we can see that the module jk_module has indeed been loaded.

root@ubuntu01:/var/log/upstart# apache2ctl -M

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 jk_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)

In the jk.conf file we can see where the workers.properties file is located:

root@ubuntu01:/var/log/upstart# cd /etc/apache2/mods-available/
root@ubuntu01:/etc/apache2/mods-available# more jk.conf

# Configuration Example for mod_jk
# used in combination with Apache 2.2.x

<IfModule jk_module>

    # We need a workers file exactly once
    # and in the global server
    JkWorkersFile /etc/libapache2-mod-jk/workers.properties

    # Our JK error log
    # You can (and should) use rotatelogs here
    JkLogFile /var/log/apache2/mod_jk.log

    # Our JK log level (trace,debug,info,warn,error)
    JkLogLevel info

    # Our JK shared memory file
    JkShmFile /var/log/apache2/jk-runtime-status

…we can see that the workers.properties is located under /etc/libapache2-mod-jk

Edit the workers.properties file, put in your path to your tomcat_home and java_home:

#
# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
workers.tomcat_home=/opt/tomcat

#
# workers.java_home should point to your Java installation. Normally
# you should have a bin and lib directories beneath it.
#
workers.java_home=/opt/server_jre

Make sure the other settings are correctly put in here, should look similar to this:

worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker

Finally, to configure the URLs that Apache should pass through to Tomcat, edit your VirtualHost directive:

root@ubuntu01:/etc/libapache2-mod-jk# cd /etc/apache2/sites-available/
root@ubuntu01:/etc/apache2/sites-available# vi vhosts-default.conf
<VirtualHost *:80>
        ServerName www.example.com
        DocumentRoot /var/www/example
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/example>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
        JkMount /manager/* ajp13_worker
        JkMount /manager ajp13_worker
        JkMount /examples/* ajp13_worker
        JkMount /examples ajp13_worker
</VirtualHost>

As you can see we are using the www.example.com domain here just for instructional purposes. Since I’m not the owner of that domain and cannot make any DNS configuration for it, such as adding an A-record, I will put an entry into my client computer’s hosts file just to get this example working. I set the document root to /var/www/example, so let’s create that folder first. That location is where any static content, if there is any, will be placed; what ends up there depends on how you do your JkMount mappings above. As we can see, anything under /manager or /examples is mapped to Tomcat, and everything else is looked up by Apache in the /var/www/example folder.
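The routing decision described above, as an added shell example that is not part of the original post: it reads the JkMount lines out of a vhost file, tells you which worker a given request path would land on, and flags whether the Tomcat manager is mounted at all. SAMPLE_VHOST is a constructed copy of the VirtualHost shown above; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the routing
# decision mod_jk makes from the JkMount lines in a vhost file, and list
# the mounts so a config can be audited for an exposed /manager.
# SAMPLE_VHOST is a constructed copy of the VirtualHost above.

SAMPLE_VHOST="$(cat <<'EOF'
<VirtualHost *:80>
        ServerName www.example.com
        DocumentRoot /var/www/example
        JkMount /manager/* ajp13_worker
        JkMount /manager ajp13_worker
        JkMount /examples/* ajp13_worker
        JkMount /examples ajp13_worker
</VirtualHost>
EOF
)"

# jk_mounts CONFIG_TEXT -> one "pattern worker" pair per JkMount line
jk_mounts() {
    printf '%s\n' "$1" | awk '$1 == "JkMount" { print $2, $3 }'
}

# jk_route CONFIG_TEXT REQUEST_PATH -> the worker that receives the
# request, or "apache" when no pattern matches and Apache serves the
# path itself from DocumentRoot.  JkMount patterns are shell-style
# wildcards, so an unquoted case pattern evaluates them; "/manager"
# alone matches only that exact path, which is why the vhost carries
# both "/manager" and "/manager/*".
jk_route() {
    config="$1"; path="$2"
    hit=$(jk_mounts "$config" | while read -r pattern worker; do
        case "$path" in
            $pattern) printf '%s\n' "$worker"; break ;;
        esac
    done)
    printf '%s\n' "${hit:-apache}"
}

# jk_manager_exposed CONFIG_TEXT -> exit 0 when any mount forwards the
# Tomcat manager application; the check to run before leaving the
# mapping enabled permanently.
jk_manager_exposed() {
    jk_mounts "$1" | awk '$1 == "/manager" || $1 ~ /^\/manager\// { found = 1 }
                          END { exit !found }'
}
```

Run it against a real file with `jk_route "$(cat /etc/apache2/sites-available/vhosts-default.conf)" /manager/html`; `jk_manager_exposed` is the one to script into a periodic check if you, like the post suggests, only want the manager mounted during deployments.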

root@ubuntu01:/var/www# mkdir example

On the client machine I now temporarily add a record mapping www.example.com to my server’s IP address. I’m using a Windows client here and editing the hosts file in Notepad as Administrator (right-click -> Run as Administrator). Windows looks in the hosts file first and only then resolves names with DNS, which is exactly the order of precedence we want for this example to work.

C:\Windows\System32\drivers\etc\hosts
85.225.140.7  www.example.com

After a reload of Apache…

root@ubuntu01:/etc/apache2/sites-available# service apache2 reload

We can now point the browser on the Windows client to check whether everything works:

[screenshot: tomcat_examples]

The Tomcat examples webapp is indeed working. Now trying /manager…

[screenshot: tomcat_manager_auth_required]

After logging in with your admin user and password, this is what welcomes you…

[screenshot: tomcat_manager]

That is all for now. Everything works as expected. Please consider whether you really want the /manager mappings enabled all the time. For security reasons I prefer to enable that mapping only when I have a deployment to do. Keep in mind that any password sent over HTTP is sent “in the clear” for any eavesdropper to pick up, so you had better use HTTPS in that case. I will later blog about setting up SSL using SNI with Apache. Edit! Now available here: http://www.creang.com/howtoforge/setting_up_sni_with_apache_2_4/

Howto set up WordPress on Ubuntu LAMP-server [Ubuntu Server 14.04 LTS]

Welcome,

In this blog-post we will look at setting up WordPress on our LAMP-server running on Ubuntu Server 14.04 LTS.

[screenshot: lamp]

After installing LAMP on Ubuntu Server 14.04 LTS we start by configuring MySQL. We want to use the UTF-8 character set everywhere possible. Let’s start by finding out what we get by default for collation and character sets in MySQL. Log in to MySQL as root from a terminal or ssh shell…

[screenshot: mysql_login]

Now type in the following SQL and hit return:

mysql> show variables where variable_name like 'ch%' or variable_name like 'col%';

This will give you a response similar to the table below:

+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
| collation_connection     | utf8_general_ci            |
| collation_database       | latin1_swedish_ci          |
| collation_server         | latin1_swedish_ci          |
+--------------------------+----------------------------+
11 rows in set (0.00 sec)

Here we see that some variables are still set to latin1, and that collation_connection is utf8_general_ci rather than utf8_unicode_ci. The argument for using utf8_unicode_ci instead of utf8_general_ci can be read here. Maybe you even want to go with utf8mb4 as default…

[mysqld]
init_connect='SET collation_connection = utf8mb4_unicode_ci; SET NAMES utf8mb4;'
character-set-server=utf8mb4
collation-server=utf8mb4_unicode_ci
skip-character-set-client-handshake

…However, I’m perfectly fine with using only the original utf8 (utf8mb3) as default, since I do not need more than the first 65,536 code points (which use 1 to 3 bytes per character). I’m not planning to blog in full Cantonese any time soon :) If you need full coverage of CJKV (Chinese, Japanese, Korean, Vietnamese) you should go with utf8mb4, which uses 1 to 4 bytes per character. You can read more about MySQL and utf8mb4 here.

Let’s do the configuration:

In /etc/mysql we have the config-file my.cnf

root@ubuntu01:~# cd /etc/mysql/
root@ubuntu01:/etc/mysql# ls -al
total 24
drwxr-xr-x  3 root root 4096 Jun 22 19:42 .
drwxr-xr-x 94 root root 4096 Jun 23 16:14 ..
drwxr-xr-x  2 root root 4096 Jun 22 19:42 conf.d
-rw-------  1 root root  333 Jun 18 15:04 debian.cnf
-rwxr-xr-x  1 root root 1220 Jan 21 22:31 debian-start
-rw-r--r--  1 root root 3704 Jun 20 15:19 my.cnf

Put the following entries in the config-file my.cnf under the [mysqld] section:

[mysqld]
init_connect='SET collation_connection = utf8_unicode_ci; SET NAMES utf8;'
character-set-server=utf8
collation-server=utf8_unicode_ci
skip-character-set-client-handshake

Restart MySQL-daemon:

root@ubuntu01:/etc/mysql# service mysql restart

Now, running the show variables statement again shows this:

+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
| collation_connection     | utf8_unicode_ci            |
| collation_database       | utf8_unicode_ci            |
| collation_server         | utf8_unicode_ci            |
+--------------------------+----------------------------+
11 rows in set (0.00 sec)
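A check for the before/after comparison above, as an added shell example that is not part of the original post: it parses the table that the show variables query prints and reports every character_set_* or collation_* variable that still differs from the expected utf8 / utf8_unicode_ci. BEFORE_TABLE is a constructed copy of the default output shown earlier; AFTER_TABLE is derived from it by substituting the values expected after the my.cnf change; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: report character-set and
# collation variables that do not match what my.cnf is supposed to set.
# BEFORE_TABLE is a constructed copy of the default output shown above;
# AFTER_TABLE is derived from it with the expected post-change values.

BEFORE_TABLE="$(cat <<'EOF'
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
| collation_connection     | utf8_general_ci            |
| collation_database       | latin1_swedish_ci          |
| collation_server         | latin1_swedish_ci          |
+--------------------------+----------------------------+
EOF
)"

AFTER_TABLE="$(printf '%s\n' "$BEFORE_TABLE" | sed \
    -e 's/latin1_swedish_ci/utf8_unicode_ci  /' \
    -e 's/utf8_general_ci/utf8_unicode_ci/' \
    -e 's/| latin1 /| utf8   /')"

# charset_mismatches TABLE_TEXT [CHARSET] [COLLATION]
# Prints "name value" for each variable that is not the expected one.
# character_set_filesystem (always binary) and character_sets_dir (a
# path) are skipped: the my.cnf settings do not touch them.
charset_mismatches() {
    printf '%s\n' "$1" | awk -F'|' -v cs="${2:-utf8}" -v coll="${3:-utf8_unicode_ci}" '
        NF < 3 { next }                                  # +----+ border lines
        {
            name = $2; value = $3
            gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", value)
        }
        name == "Variable_name" { next }                 # header row
        name == "character_set_filesystem" || name == "character_sets_dir" { next }
        name ~ /^character_set_/ && value != cs   { print name, value }
        name ~ /^collation_/     && value != coll { print name, value }
    '
}

# charset_ok TABLE_TEXT [CHARSET] [COLLATION] -> exit 0 when nothing is reported
charset_ok() {
    [ -z "$(charset_mismatches "$@")" ]
}
```

Feed it live output with `charset_ok "$(mysql -e "show variables where variable_name like 'ch%' or variable_name like 'col%'")"`; passing `utf8mb4 utf8mb4_unicode_ci` as the extra arguments turns it into the check for the utf8mb4 variant of the configuration.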

Looks okay now. We can test that the default values work as expected by creating a dummy database…

mysql> create database junk_db;
Query OK, 1 row affected (0.00 sec)

…and look with what parameters it was created:

mysql> show create database junk_db;

| junk_db  | CREATE DATABASE `junk_db` /*!40100 DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci */ |

1 row in set (0.00 sec)

Nice! Both character set and collation were the expected ones. Now create a dummy table in this db…

mysql> use junk_db;
Database changed

mysql> create table junk_table (name varchar(255));
Query OK, 0 rows affected (0.00 sec)

…and look how it was created:

mysql> show create table junk_table;

| junk_table | CREATE TABLE `junk_table` ( `name` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci    |

1 row in set (0.00 sec)

Same thing here. Looks just as it should. Please note that the default engine is InnoDB, which is the one I want by default. Now drop this database…

mysql> drop database junk_db;
Query OK, 0 rows affected (0.00 sec)

…and create the WordPress database. I prefix it with wp_ and then use the domain name, just for clarity:

mysql> create database wp_creang;
Query OK, 1 row affected (0.00 sec)

Show all databases in MySQL:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wp_creang          |
+--------------------+
4 rows in set (0.01 sec)

Verify that the database was created with utf8 and utf8_unicode_ci…

mysql> show create database wp_creang;

| wp_creang | CREATE DATABASE `wp_creang` /*!40100 DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci */ |

1 row in set (0.00 sec)

Create a user that we will later use from WordPress to connect to this database; again I’m giving it a descriptive name for clarity. password_here should of course be substituted with your chosen password.

mysql> create user wpuser_creang@localhost identified by 'password_here';
Query OK, 0 rows affected (0.00 sec)

Give the user full permission to access and manipulate this database:

mysql> grant all privileges on wp_creang.* to wpuser_creang@localhost;
Query OK, 0 rows affected (0.00 sec)

Now, just to verify everything looks okay, switch to the internal MySQL database:

mysql> use mysql
Database changed
mysql> select host,user,password from user;
...
| localhost | wpuser_creang    | *E6B......... |
+-----------+------------------+---------------+
6 rows in set (0.00 sec)
mysql> select host,db,user from db;
+-----------+-----------+---------------+
| host      | db        | user          |
+-----------+-----------+---------------+
| localhost | wp_creang | wpuser_creang |
+-----------+-----------+---------------+
1 row in set (0.00 sec)

Everything looks okay here, so let’s make the change take effect:

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Now having the db prepared let’s download and install WordPress:

WordPress installation

Make a download folder under /usr/src or in any other preferred location:

root@ubuntu01:/etc/mysql# cd /usr/src/
root@ubuntu01:/usr/src# mkdir download
root@ubuntu01:/usr/src# cd download/

Download the latest WordPress tarball:

root@ubuntu01:/usr/src/download# wget http://wordpress.org/latest.tar.gz

Unpack it. This will create a directory called wordpress in your download directory.

root@ubuntu01:/usr/src/download# tar xvzf latest.tar.gz

Install php5-gd and libssh2-php:

root@ubuntu01:/usr/src/download# apt-get update
root@ubuntu01:/usr/src/download# apt-get install php5-gd libssh2-php

Copy the sample config:

root@ubuntu01:/usr/src/download# cd wordpress/
root@ubuntu01:/usr/src/download/wordpress# cp wp-config-sample.php wp-config.php

And put this in your newly created wp-config.php; I use Vim to edit the file…

root@ubuntu01:/usr/src/download/wordpress# vi wp-config.php
/** The name of the database for WordPress */
define('DB_NAME', 'wp_creang');

/** MySQL database username */
define('DB_USER', 'wpuser_creang');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', 'utf8_unicode_ci');

define( 'WP_POST_REVISIONS', 5 );

The last entry makes sure only five revisions of each post are kept in the database. The default is 30, but I do not want that many, in order to keep the db small and tidy. Put in whatever value you want here.

Now that the configuration is done, create a folder that will serve as the home directory for this site under the Apache web server. I chose the domain name as folder name for clarity. Under Ubuntu Server the Apache directory is located at /var/www.

root@ubuntu01:/usr/src/download/wordpress# cd /var/www/
root@ubuntu01:/var/www# mkdir creang

Listing the www-folder now shows this:

root@ubuntu01:/var/www# ls -l
drwxr-xr-x 2 root root 4096 Jun 20 16:11 creang
drwxr-xr-x 2 root root 4096 Jun 18 15:04 html

Now copy or move the wordpress folder content into this folder. I’m using rsync to copy it over:

root@ubuntu01:/var/www/creang# cd /usr/src/download/
root@ubuntu01:/usr/src/download# rsync -avP wordpress/ /var/www/creang/

Create an uploads-folder under the wp-content folder.

root@ubuntu01:/usr/src/download# cd /var/www/creang/wp-content/
root@ubuntu01:/var/www/creang/wp-content# mkdir uploads

Change the owner of the files recursively to your user and group. I’m using nobody and www-data here. Note that the shell glob * does not match dotfiles such as .htaccess; those have to be handled separately.

root@ubuntu01:/var/www/creang/wp-content# cd ..
root@ubuntu01:/var/www/creang# chown -R nobody:www-data *

Apache config:

Let’s start by checking which version of Apache we have:

root@ubuntu01:/var/www/creang# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 10 2015 13:05:59

OK, so we have Apache 2.4. We will set this site up as one of several name-based websites on a single IP address. The Apache 2.4 examples for this can be found here.

Now, just to make sure Apache listens on port 80, check the contents of ports.conf:

root@ubuntu01:/var/www/creang/wp-content# cd /etc/apache2/
root@ubuntu01:/etc/apache2# more ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

We can also see whether Apache is running and which address it is bound to with this command:

root@ubuntu01:/etc/apache2# netstat -nap
Active Internet connections (servers and established)
Proto Local Address Foreign Address State   PID/Program name
tcp   0.0.0.0:80    0.0.0.0:*       LISTEN  8270/apache2

Okay, so everything looks as it should; Apache already listens on port 80. Now start by editing apache2.conf:

root@ubuntu01:/etc/apache2# vi apache2.conf

Set ServerName to something suitable, like localhost:

# Global configuration
#
ServerName localhost

Now comment out the Directory /var/www block; we don’t need that directory enabled any longer.

#<Directory /var/www>
#       Options Indexes FollowSymLinks
#       AllowOverride None
#       Require all granted
#</Directory>

Disable the default configuration file /etc/apache2/sites-enabled/000-default.conf:

root@ubuntu01:/etc/apache2/sites-enabled# a2dissite 000-default.conf
Site 000-default disabled.

The a2dissite command removes the symlink from the sites-enabled folder. We double-check that the job is done.

root@ubuntu01:/etc/apache2/sites-enabled# ls -al
drwxr-xr-x 2 root root 4096 Jun 20 17:11 .
drwxr-xr-x 8 root root 4096 Jun 20 16:51 ..

Indeed empty. Now copy the default config file as a skeleton for our new config file. I use the name vhosts-default.conf:

root@ubuntu01:/etc/apache2/sites-available# cp 000-default.conf vhosts-default.conf

Now, having both the .com and the .se domain with the same name, I want them all to point to the same site, redirecting to www.creang.com: whether you type creang.com, creang.se or www.creang.se in your browser, you end up at www.creang.com. This requires a little DNS configuration and some Apache config as well. In DNS I set up both www subdomains as CNAME records pointing to the naked domain name, like this:

creang.com
----------
@    A      85.225.140.7
www  CNAME  creang.com.
creang.se
----------
@    A      85.225.140.7
www  CNAME  creang.com.

Two A records are set up to point to the public IP address of the server. They are updated automatically via ddclient should my IP address change; read more about how to configure that here.

With these records in place we now configure our vhosts-default.conf like this:

<VirtualHost *:80>
        ServerName creang.com
        ServerAlias creang.se
        ServerAlias www.creang.se
        RedirectMatch 301 (.*) http://www.creang.com$1
</VirtualHost>
<VirtualHost *:80>
        ServerName www.creang.com
        DocumentRoot /var/www/creang
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/creang>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>

The first VirtualHost section takes care of the redirect. Since this is a permanent redirect I went with 301, which is good for SEO purposes. The second section points out the document root and sets some permissions, where AllowOverride All is important for enabling .htaccess files, which WordPress will use to enable mod_rewrite and clean URLs.

Create a .htaccess file under /var/www/creang:

root@ubuntu01:/etc/apache2# cd /var/www/creang/
root@ubuntu01:/var/www/creang# touch .htaccess
root@ubuntu01:/var/www/creang# chown nobody:www-data .htaccess
root@ubuntu01:/var/www/creang# chmod 664 .htaccess

Enable the rewrite module:

root@ubuntu01:/var/www/creang# a2enmod rewrite

Enable our site (adding the symlink to sites-enabled):

root@ubuntu01:/etc/apache2/sites-available# a2ensite vhosts-default.conf

A quick check shows the symlink was added:

root@ubuntu01:/etc/apache2/sites-enabled# ls -al
drwxr-xr-x 2 root root 4096 Jun 20 20:11 .
drwxr-xr-x 8 root root 4096 Jun 29 16:29 ..
lrwxrwxrwx 1 root root   38 Jun 20 18:07 vhosts-default.conf -> ../sites-available/vhosts-default.conf

Now we need to restart our Apache server for the new WordPress site to come alive. Be aware that if your machine has a public IP address, you should probably put a temporary firewall rule in place first, so that only you (your IP address) can reach the server while WordPress is being set up. It is not much fun if someone else gets to the install wizard first and hijacks your WordPress installation.

Something like the rule below allows only clients from a specific IP range. Don’t forget to temporarily remove the accept-any-client rule and verify that the new rule takes full effect before continuing. Delete this rule later when you go live.

iptables -I INPUT 4 -p tcp --dport 80 -m iprange --src-range 85.229.17.1-85.229.17.254 -j ACCEPT
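The "verify that the new rule takes full effect" step, as an added shell example that is not part of the original post: given a dump of the INPUT chain (the real output of `iptables -S INPUT`), it checks that a source-restricted ACCEPT for port 80 exists and that no unrestricted ACCEPT for port 80 is left, which is the mistake the paragraph above warns about. SAMPLE_RULES is a constructed dump resembling the chain right after the insert command, with the accept-any-client rule still present; LOCKED_RULES is the same dump with that rule removed; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: verify from "iptables -S INPUT"
# output that the temporary lockdown actually took effect.  SAMPLE_RULES
# is a constructed dump resembling the chain after the "iptables -I INPUT 4"
# command above, with the original accept-any-client rule still present.

SAMPLE_RULES="$(cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m iprange --src-range 85.229.17.1-85.229.17.254 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF
)"

# The same chain after the accept-any-client rule has been deleted
LOCKED_RULES="$(printf '%s\n' "$SAMPLE_RULES" \
    | grep -Fxv -- '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT')"

# accept_rules RULES PORT -> the ACCEPT rules for tcp PORT
accept_rules() {
    printf '%s\n' "$1" | grep -- "--dport $2 " | grep -- '-j ACCEPT' || true
}

# unrestricted_accepts RULES PORT -> ACCEPT rules for PORT that carry
# no source restriction (neither -s CIDR nor --src-range)
unrestricted_accepts() {
    accept_rules "$1" "$2" | grep -v -e ' -s ' -e '--src-range' || true
}

# lockdown_ok RULES PORT -> exit 0 only when a source-restricted ACCEPT
# for PORT exists and no unrestricted one remains anywhere in the chain
lockdown_ok() {
    restricted=$(accept_rules "$1" "$2" | grep -c -e ' -s ' -e '--src-range' || true)
    [ "$restricted" -gt 0 ] && [ -z "$(unrestricted_accepts "$1" "$2")" ]
}
```

On the server itself the call is `lockdown_ok "$(iptables -S INPUT)" 80 || echo "port 80 still open to everyone"`; run it again after deleting the temporary rule when you go live, this time expecting it to fail.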

Restart or reload the Apache service:

root@ubuntu01:/etc/apache2# service apache2 restart

Point your browser to your url. You should now see the welcome screen.

[screenshot: wp_initial_config]

Type in your info, click Install WordPress and you are done! :)

[screenshot: wp_confirm_install]

Well… almost done! We want to use clean URLs, so log in to your site with your newly created user…

[screenshot: wp_login]

After login, go to Settings -> Permalinks

[screenshot: wp_permalinks_settings]

And choose your preferred way of displaying URLs. Mine uses a custom structure with both category and post name, giving me URLs such as this one:

http://www.creang.com/howtoforge/howto_set_up_your_perfectly_silent_home_server/

[screenshot: wp_permalinks]

After “Save Changes” you will have something similar to this in your .htaccess file:

root@ubuntu01:/var/www/creang# more .htaccess

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
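What that rewrite block decides for a request, as an added shell example that is not part of the original post or of WordPress: the function mirrors the four rules (index.php passes through; an existing file or directory is served as-is; everything else goes to /index.php) over a document root, and a throwaway docroot is constructed so it runs offline. The stray backup.sql in it is constructed too, to show the point worth remembering: whatever physically exists under the docroot never reaches WordPress at all.

```sh
#!/bin/sh
# Added example, not from the original post: the decision the WordPress
# rewrite block makes, as a function over a document root.
#
#   RewriteRule ^index\.php$ - [L]       -> index.php itself passes through
#   RewriteCond %{REQUEST_FILENAME} !-f  -> an existing file is served as-is
#   RewriteCond %{REQUEST_FILENAME} !-d  -> an existing directory likewise
#   RewriteRule . /index.php [L]         -> everything else goes to WordPress

# wp_route DOCROOT REQUEST_PATH -> the path Apache ends up serving
wp_route() {
    docroot="$1"; path="$2"
    case "$path" in
        /index.php) printf '%s\n' "$path"; return 0 ;;
    esac
    if [ -f "$docroot$path" ] || [ -d "$docroot$path" ]; then
        printf '%s\n' "$path"       # both RewriteConds fail: static delivery
    else
        printf '/index.php\n'       # routed to WordPress' front controller
    fi
}

# make_sample_docroot -> prints the path of a constructed WordPress-like
# tree; backup.sql stands in for any file accidentally left under uploads
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    : > "$d/index.php"
    : > "$d/wp-content/uploads/photo.jpg"
    : > "$d/wp-content/uploads/backup.sql"
    printf '%s\n' "$d"
}
```

Two consequences follow from the `!-f` / `!-d` conditions: a leftover dump or config copy under the docroot is delivered directly by Apache, with no WordPress login involved, and a directory without an index file (uploads, for instance) is listed by Apache as long as the vhost keeps Options Indexes, so keep such files out of the tree and consider dropping Indexes from the Directory block once the site is up.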

Out of curiosity we can take a peek at the WordPress db and see how its tables were created. Since WordPress 4.2, utf8mb4 is used whenever possible; read more about it here: https://make.wordpress.org/core/2015/04/02/the-utf8mb4-upgrade/

mysql> use wp_creang;
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wp_creang   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.00 sec)
mysql> show create table wp_comments;

...ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci

Indeed utf8mb4 is used here.

That’s all for now. In the next blog post we will look at setting up the WordPress plugin Akismet to protect comments and contact forms from spam. Edit! Now available here.

Howto set up a Miraclebox 7 with Swedish cable provider comhem

Welcome,

The other day I decided to try out a Miraclebox 7 HD C/T2 Hybrid with the Swedish cable provider comhem. The reason was that I wanted to see whether it was possible to record broadcasts unencrypted and later play them back on any device, such as a computer. Here’s a walkthrough of what I did…

[photo: miraclebox7_pic1]

First of all, in order to do unencrypted recordings with comhem you need to use the built-in card reader of the Miraclebox.

[photo: miraclebox7_pic2] One built-in card reader at the top, two CA-module slots underneath, and a front USB port to the left.

You will not be able to record every HD channel unencrypted, even though you are legally paying for a subscription with several HD channels in the plan. Only SVT1 HD, SVT2 HD and all of the SD channels will be available for recording. This has to do with the pairing comhem uses for the other HD channels, meaning the card has to be paired with your set-top box or CA module (CI+). Comhem does not allow pairing with this box, but you can of course put your card in a supported CA module (CI+)…

[photo: comhem_ca_modul_med_ci_plus]

…and then put the paired module (with card) in one of the CA slots of the Miraclebox, but that will make the recordings encrypted and locked for playback on that particular box only. That was not the mission of this project. However, most people only have the basic plan with comhem, which comes with just two HD channels (SVT1 HD and SVT2 HD), both of which require decryption but not pairing, hence they can be recorded unencrypted with the Miraclebox built-in card reader provided you have a card and a subscription with comhem. In that case it makes perfect sense to use the built-in card reader, since you will be able to record every channel you subscribe to in unencrypted form. Please note that the following channels, as of June 2015, do not require a card, only a set-top box, in order to be tuned in:

  • 1, SVT1
  • 2, SVT2
  • 4, TV4
  • 6, TV6
  • 14, FOX
  • 15, TV4 Fakta
  • 42, Axess TV
  • 125, Kunskapskanalen
  • 153, SVTB/SVT24

Now that we have the background, let’s start by flashing the box with the latest and greatest firmware. The firmware can be downloaded from the Miraclebox site here: fw_download_site

Download and unzip the file m7-v2-11-87-ci-.zip and put the unzipped file FAC.MIRACLEBOX.7hdpvr.CIP.v2.11.87.ird on a USB stick. Put that USB stick into one of the USB slots of the Miraclebox (front or back, it doesn’t matter which).

[photo: miraclebox7_fwupdate2] USB stick with new firmware plugged into the back-side USB port.

The box will automatically pick up that the new firmware is available.

[photo: miraclebox7_fwupdate3] Start the firmware upgrade by pressing the red button.

[photo: miraclebox7_fwupdate4]

Just wait until it is done. When finished and rebooted, choose “cable” and start the channel search…

[photos: miraclebox7_channel_search_cable, miraclebox_channel_search1, miraclebox_channel_search2, miraclebox_channel_search3]

Now you should be all set for watching and recording your channels. Please note that you need to plug your comhem card into the card reader, otherwise you won’t be able to watch any encrypted channels in your subscription plan. This is what will meet you in that case, see below. The chip on the card should face downwards when inserted into the box.

[photo: miraclebox_encrypted_channel]

The Miraclebox 7 does not have an internal hard-drive slot, so you have to use either a USB drive/stick or some sort of network-attached storage. The box can read NTFS drives, which is good for plug-and-play operability when moving your recordings to a PC or the like for playback or editing.

Borrowing a friend’s card temporarily just to try out the quality of an HD recording shows this:

[screenshot: recordings_folder]

The recording creates a folder named Recordings with three files in it. The .ts file is the container with video and sound muxed together. Opening the .ts file in tsMuxeR shows that, besides the video, the recording picks up both the MPEG audio track and the AC3 5.1-channel track. And the resolution of the video is 720p at 50 fps, sweet :)

[screenshot: recording_details]

Recording a normal SD channel typically gives this result:

[screenshot: recording_details2]

My findings: it works very well to do unencrypted recordings with this box, but one thing to consider is that it has only one tuner, which makes it impossible to record one encrypted channel while watching another. You need a box with at least two tuners for that. Maybe the VU+ Duo2 or Miraclebox 9 HD C/T2 TWIN is a better option in that case.

Please note that sharing any of your recordings with others can constitute piracy and is not something I support; that is something you must avoid doing. You are allowed to keep copies of your recordings for your own personal use.

Miraclebox 7 features:

[image: miraclebox7_features]

Howto set up automatic dynamic DNS update using ddclient [Ubuntu]

Welcome

Does your ISP only offer you a dynamically allocated public IP address through DHCP? You are not alone! Dynamic DNS to the rescue! As we all may know, a DNS A record, e.g. example.com, resolves to a particular IP address, e.g. 1.2.3.4. You normally set this record manually by logging in to your DNS provider account. However, if your ISP does not offer you a static IP address it can be a hassle to run, say, a web server, should the IP address suddenly change and leave your DNS record pointing to a now obsolete address. Visitors lost in cyberspace. The way around this is to set up a daemon on your server that regularly checks for changes of the IP address, typically every 5 minutes, and updates your DNS account when needed. In this blog post we will look at setting up ddclient for this purpose, on the Ubuntu Linux distro. Let’s do it.

First install ddclient:

apt-get install ddclient

This will install and start a configuration wizard. Type in your data.

[screenshot: ddclient1]

I choose “other” here since my DNS provider is not listed.

[screenshots: ddclient2 through ddclient6, the following wizard pages]

My NIC was named em1, which can be seen by running the ifconfig command.

[screenshots: ddclient7 through ddclient11, the remaining wizard pages]

That was the last entry; now I get this at the prompt when finishing:

update-rc.d: warning:  stop runlevel arguments (1) do not match ddclient Default-Stop values (0 1 6)

This warning can be ignored. Checking with sysv-rc-conf we can see that the ddclient service is configured to be on for runlevels 2, 3, 4 and 5, as it should be.

root@ubuntu01:~# sysv-rc-conf --list ddclient
ddclient     1:off      2:on    3:on    4:on    5:on

Let’s check what /etc/default/ddclient now looks like:

root@ubuntu01:~# more /etc/default/ddclient

# Configuration for ddclient scripts
# generated from debconf on Tue Jun 23 11:47:25 CEST 2015
#
# /etc/default/ddclient

run_ipup="false"

run_daemon="true"

daemon_interval="300"

OK, so everything looks nice and dandy here: daemon mode is true and the update check runs every 300 seconds (5 minutes). Now take a peek at what we got in /etc/ddclient.conf:

root@ubuntu01:~# more /etc/ddclient.conf
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

protocol=dyndns2
use=if, if=em1
server=dns.loopia.se/XDynDNSServer/XDynDNS.php
login=creang.com
password='password_here'
creang.com,creang.se

OK, so no SSL is used here. For security reasons I want the daemon to use SSL when calling my DNS provider account, so I put that in the config file as well; also, my DNS provider only supports system=custom:

ssl=yes
custom=yes

Please note that the line use=if, if=em1 checks for a change of IP address on the NIC itself. This works when the public IP is assigned directly to your network interface, as it is in my case. If your server sits behind a router/firewall doing NAT forwarding, you will instead want ddclient to request a web page that reports your current public IP address, like this:

use=web, web=dns.loopia.se/checkip/checkip.php, web-skip='Current IP Address:'
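The difference between the two use= modes, as an added shell example that is not ddclient’s own code: one function pulls the address off an interface the way use=if does, the other finds the first IPv4 address after the web-skip marker in a fetched page the way use=web does, and a third makes the stale-record comparison. The ifconfig excerpts (Ubuntu 14.04 format) and the checkip page body are constructed; the public address is the one from the post, and the NAT variant shows why use=if reports a useless private address behind a router. ddclient treats web-skip as a pattern; a literal match is used here to keep the idea visible.

```sh
#!/bin/sh
# Added example, not ddclient's own code: how use=if and use=web arrive
# at an address, and why use=if is wrong behind NAT.  All samples below
# are constructed.

# Constructed "ifconfig" excerpt, Ubuntu 14.04 style, public IP on the NIC
IFCONFIG_PUBLIC="$(cat <<'EOF'
em1       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:85.225.140.7  Bcast:85.225.143.255  Mask:255.255.252.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
)"

# Same host behind a NAT router: the NIC only carries a private address
IFCONFIG_NAT="$(printf '%s\n' "$IFCONFIG_PUBLIC" \
    | sed 's/85\.225\.140\.7/192.168.1.10/; s/85\.225\.143\.255/192.168.1.255/; s/255\.255\.252\.0/255.255.255.0/')"

# Constructed body of a checkip-style page such as the one named above
CHECKIP_PAGE='<html><body>Current IP Address: 85.225.140.7</body></html>'

# ip_from_if IFCONFIG_TEXT IFACE -> IPv4 address on IFACE (use=if, if=IFACE)
ip_from_if() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { inside = ($1 == want); next }   # interface header line
        inside && /inet addr:/ {
            sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit
        }
    '
}

# ip_from_web PAGE_TEXT SKIP -> first IPv4 address after SKIP
# (use=web, web=URL, web-skip=SKIP); literal match instead of ddclient's pattern
ip_from_web() {
    printf '%s\n' "$1" | awk -v skip="$2" '
        {
            i = index($0, skip); if (i == 0) next
            rest = substr($0, i + length(skip))
            if (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                print substr(rest, RSTART, RLENGTH); exit
            }
        }
    '
}

# needs_update DNS_RECORD CURRENT -> exit 0 when the A record is stale;
# an empty CURRENT (lookup failed) never triggers an update
needs_update() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}
```

Behind NAT, `ip_from_if` hands back 192.168.1.10, so a daemon in use=if mode would try to publish a private address; that is the failure the web mode avoids, and the empty-result guard in needs_update is what keeps a broken checkip page from clobbering a good record.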

Now, all done!

Just restart the service with:

root@ubuntu01:~# service ddclient restart

We can now see that the daemon is running just fine with the pstree -p command:

[screenshot: ddclient_pstree]

ddclient runs as process 1348, every 300 seconds (five minutes):

root@ubuntu01:~# ps -ef|grep ddclient
root  1348  1  0 13:10 pts/0  00:00:00 ddclient - sleeping for 110 seconds

Should you want to re-run the configuration wizard, use this command:

dpkg-reconfigure ddclient

Double check that everything is working correctly with this command:

root@ubuntu01:~# ddclient -daemon=0 -debug -verbose -noquiet
...
DEBUG:    get_ip: using if, em1 reports 85.225.140.7
SUCCESS:  creang.com: skipped: IP address was already set to 85.225.140.7.
SUCCESS:  creang.se: skipped: IP address was already set to 85.225.140.7.

Howto set up your perfectly silent home server [Ubuntu Server 14.04 LTS]

Welcome.

This guide walks you through setting up a dead-silent Linux home server with Ubuntu Server 14.04.2 LTS that you can keep running twenty-four-seven, 365 days a year, in your living room without being annoyed by any fan or hard-drive noise. This server has no moving parts except for the AC/DC current running through the electronics. Let’s dig in!

First let’s get some appropriate hardware. After doing some research I went for the Shuttle DS57U barebone, which is a fanless slim PC. You can find a great review of it here: Shuttle DS57U Review

This barebone comes with everything except hard drive, memory modules and operating system. The barebone alone will set you back around $230 (1900 SEK), sales tax excluded, price as of June 2015.

Since the focus of this project is not to get away cheap but to have a stable, dead-silent server, I went on the prowl for a suitable SSD and then of course a pair of SO-DIMMs. Also, I will have a lot of writes to this machine, so I went for a more expensive datacenter SSD, the Samsung 845DC Pro series, that will stand the test of time. You may want to go for a cheaper alternative here; this Samsung drive, however, also has protection against data corruption or loss caused by unexpected power outages.

Procurement-list (prices as of June 2015 in Sweden, VAT excl.):

  • 1 x Shuttle DS57U – Celeron 3205U 1.5 GHz, $230 (1900 SEK)
  • 2 x Kingston Valueram/8GB, KVR16LS11/8, $110 (2x$55) (880 SEK)
  • 1 x Samsung 845DC Pro 400GB SSD Data Center, $315 (2560 SEK)

OK, so let’s install the hardware… this is pretty straightforward. Flip the case and unscrew the two screws holding each lid. Slide forward and open.

[photo: shuttle_open_case]

Now unscrew the drive guide and fix it to the SSD using the two black screws that come with the Shuttle case.

[photo: ssd_mounted_in_guide]

Plug the ssd into the hard-drive slot and fixate it by putting the screw back in place. Put the two SO-DIMMs in the memory slots, be gentle and don’t touch the memory modules more than necessary holding only on the edges, make sure they snap in-place correctly. The result will look like this.

[image: shuttle_ssd_and_memory_installed]

Now put the covers back on, connect all the wires and fire up the machine. Hit Del or Esc to enter BIOS setup.

[image: bios_setup_hit_del_or_esc]

OK, so because this machine is a server and we want it to always be ON, we change the setting “Power-On after Power-Fail” to [Power On]. Disable the EuP Function first to make this alternative available.


Now, save and exit. Having downloaded and burnt the Ubuntu ISO image beforehand, now is the time to plug an external USB DVD drive into the Shuttle and load it with the Ubuntu DVD media. You can of course use a USB stick prepared with Ubuntu instead, if you rather use that for installation. Reboot and start the installation.

[image: external_dvd_usb_drive]

When asked about partitioning, I chose to use all available space on the SSD for the Ubuntu installation, but you can of course choose to partition your drive in any way you prefer. When asked which software to install, I selected OpenSSH server and LAMP server, since I will later install and run WordPress on this box using LAMP (Linux, Apache, MySQL, PHP).

[image: software_installation]

Now point your SSH client to the IP address of your Shuttle server. If you use DHCP, you can find out what IP address the machine got after bootup by typing the command ifconfig from a terminal. I get up to five public IP addresses (DHCP-assigned) from my ISP, so I will use one dedicated to this machine. I will later blog about how to configure automatic dynamic DNS updates should the IP address change. Edit! Now available here: howto-set-up-automatic-dynamic-dns-update-using-ddclient

The DS57U comes with two built-in NICs, so you might want to use one for your home internal network (192.168.X.X), plugged into your broadband router, and one plugged into a (dumb) switch sitting first in line with the connection toward your ISP. Or maybe you prefer to team the NICs for redundancy; I will, however, start with using just one NIC with a public IP address. Let’s start to secure and configure this beast.

Log in with SSH and become root with “sudo -s”; the -s option gives you a root shell. Just type exit and hit return whenever you want to leave this shell.

jbilander@ubuntu01:~$ sudo -s
[sudo] password for jbilander:
root@ubuntu01:~#


Run these two commands as root to get the latest updates installed:

root@ubuntu01:~# apt-get update
root@ubuntu01:~# apt-get upgrade

Let’s start by disabling IPv6. I know some people say this is not conforming to best practice, but I don’t care :) I’m not going to run IPv6 on this machine, so I want to get rid of it. To disable IPv6, open /etc/sysctl.conf using any text editor (I use VIM) and insert the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Comment out anything related to IPv6 in /etc/hosts:

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

Make sshd listen on IPv4 only; in the file /etc/ssh/sshd_config, set:

AddressFamily inet

In /etc/dhcp/dhclient.conf, delete the entries below from the request statement…

dhcp6.name-servers, dhcp6.domain-search,
dhcp6.fqdn, dhcp6.sntp-servers;

…and put the semicolon after the last remaining entry (ntp-servers). It should now look like this:

request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, domain-search, host-name, netbios-name-servers, netbios-scope, interface-mtu, rfc3442-classless-static-routes, ntp-servers;
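Doing the dhclient.conf edit above with a script, as an added example that is not code from the original post: the function joins the multi-line request statement, drops every dhcp6.* option and re-terminates the statement with a semicolon. The sample file content is constructed here to mirror the stock 14.04 statement.

```shell
#!/bin/sh
# Added example, not code from the original post. strip_dhcp6_request FILE
# prints FILE with every dhcp6.* option removed from the (possibly
# multi-line) "request" statement and the statement re-terminated with ";".
strip_dhcp6_request() {
  awk '
    /^[ \t]*request[ \t]/ { inreq = 1; buf = "" }
    inreq {
      buf = buf " " $0                # collect lines up to the terminator
      if ($0 ~ /;/) {
        inreq = 0
        sub(/;.*$/, "", buf)          # drop the ";" (re-added below)
        sub(/^[ \t]*request[ \t]*/, "", buf)
        n = split(buf, opts, /[ \t]*,[ \t]*/)
        out = ""
        for (i = 1; i <= n; i++) {
          o = opts[i]
          gsub(/^[ \t]+|[ \t]+$/, "", o)
          if (o == "" || o ~ /^dhcp6\./) continue   # the edit itself
          out = (out == "") ? o : (out ", " o)
        }
        print "request " out ";"
      }
      next
    }
    { print }
  ' "$1"
}

# Constructed sample mirroring the stock Ubuntu 14.04 request statement.
sample_dhclient_conf() {
  printf '%s\n' \
    'option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;' \
    'request subnet-mask, broadcast-address, time-offset, routers,' \
    '        domain-name, domain-name-servers, domain-search, host-name,' \
    '        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,' \
    '        netbios-name-servers, netbios-scope, interface-mtu,' \
    '        rfc3442-classless-static-routes, ntp-servers;'
}

# demo_cleaned_request: run the rewrite on the constructed sample and print
# the result; the request line should match the one shown in the post.
demo_cleaned_request() {
  tmp=$(mktemp)
  sample_dhclient_conf > "$tmp"
  strip_dhcp6_request "$tmp"
  rm -f "$tmp"
}

demo_cleaned_request
```

Running it a second time on its own output is a no-op, so it is safe to re-run after a package upgrade restores the stock file.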

Now, after a reboot we should be all set, with no more use of tcp6 or udp6, right? Running the command netstat -nap, however, shows this:

udp        0 0.0.0.0:3704                           739/dhclient
udp        0 0.0.0.0:68                             739/dhclient
udp6       0 :::52382                               739/dhclient

Why the udp6 entry when we have deleted all the dhcp6 entries in dhclient.conf? It appears to be a bug (read here); I guess I’ll have to live with it for the time being.

Let’s set up a firewall using iptables:

iptables comes with Ubuntu by default but has no rules added out of the box, so no traffic is blocked by default. I’m going to configure the machine to listen on ports 22 and 80 only, allowing incoming SSH and HTTP traffic from any source and blocking all other incoming traffic. There is one accept rule we must make sure of for the server to function correctly: the loopback device. Services on the computer need to be able to communicate with each other by sending network packets through the loopback device. The conntrack rule is the other one to keep: it lets replies to connections the server itself opened (apt-get, DNS lookups) back in, even though no port is opened for them. Add these rules one by one from the command line for a basic configuration:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

You can double-check the entries with the command iptables -S.

Now, persist the change with these two commands (the package saves the rules currently loaded when it is installed):

apt-get update
apt-get install iptables-persistent

Should you need to delete a rule, you can do it with the -D option and the row number; in this case INPUT rule number four will be deleted: iptables -D INPUT 4

If you need to add a new rule at a certain row, e.g. row 5, maybe to open up for incoming HTTPS traffic (port 443), use this command (with the rules above, row 5 is where the catch-all DROP sits, so the new rule is inserted in front of it and the DROP moves down to row 6):

iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT

Line numbers and rules are shown by this command:

iptables -L --line-numbers

If you make any changes to iptables from now on, persist the change with this command before rebooting:

iptables-save > /etc/iptables/rules.v4
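As an added example (not the post’s own code), two shell helpers that cover the same five rules and the persistence step: one writes the rule set in the iptables-save format that ends up in /etc/iptables/rules.v4 for any list of TCP ports, the other lints a saved file so a rule that accidentally landed behind the catch-all DROP is caught before the reboot. It only reads and writes files, so it runs without iptables installed.

```shell
#!/bin/sh
# Added example, not code from the original post. gen_rules_v4 PORT...
# prints the same INPUT chain the post builds by hand, in the
# iptables-restore format that iptables-save writes to /etc/iptables/rules.v4.
gen_rules_v4() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# check_rules_v4 FILE: lint a saved rule set before rebooting. The loopback
# and conntrack accepts must be present and the catch-all DROP must be the
# last INPUT rule; a rule appended with "iptables -A" after the DROP can never
# match, which is why the post inserts new rules with "-I INPUT 5" instead.
check_rules_v4() {
  grep -q '^-A INPUT -i lo -j ACCEPT$' "$1" \
    || { echo "missing loopback accept" >&2; return 1; }
  grep -Eq '^-A INPUT -m conntrack --ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' "$1" \
    || { echo "missing conntrack accept" >&2; return 1; }
  last=$(grep '^-A INPUT' "$1" | tail -n 1)
  [ "$last" = '-A INPUT -j DROP' ] \
    || { echo "catch-all DROP is not the last INPUT rule" >&2; return 1; }
}

# open_ports_v4 FILE: the TCP ports the rule set accepts, space separated.
open_ports_v4() {
  sed -n 's/^-A INPUT -p tcp -m tcp --dport \([0-9][0-9]*\) -j ACCEPT$/\1/p' "$1" \
    | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demo: the post's 22/80 rule set, written to a temp file and linted.
tmp=$(mktemp)
gen_rules_v4 22 80 > "$tmp"
check_rules_v4 "$tmp" && echo "rules ok, open TCP ports: $(open_ports_v4 "$tmp")"
rm -f "$tmp"
```

Point check_rules_v4 at /etc/iptables/rules.v4 after each iptables-save to confirm the DROP is still last.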

Reboot the machine!

That’s all for now; in the next blog post we will look at how to configure the LAMP server and set up WordPress on this server. Edit! Now available here: howto_set_up_wordpress_on_ubuntu_lamp_server