This is taken straight from http://devsec.org/info/ssl-cert.html. I’m putting it on my blog as a reference for myself, so I can make a key pair quickly in the future.

Make a new SSL private key:

* Generate a new unencrypted RSA private key in PEM format:

openssl genrsa -out privkey.pem 1024

You can create an encrypted key by adding the -des3 option.

To make a self-signed certificate:

* Create a certificate signing request (CSR) using your RSA private key:

openssl req -new -key privkey.pem -out certreq.csr

(This is also the type of CSR you would create to send to a root CA for them to sign for you.)

* Self-sign your CSR with your own private key:

openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem

Load balancing is a term that describes a method of distributing incoming socket connections across different servers. It’s not distributed computing, where a job is broken up into a series of sub-jobs so that each server does a fraction of the overall work. Rather, incoming socket connections are spread out to different servers. Each incoming connection communicates with the node it was delegated to, and the entire interaction occurs there. No node is aware of the other nodes’ existence.

Why do you need load balancing?
Simple answer: Scalability and Redundancy.

Scalability

If your application becomes busy, resource limits, such as bandwidth, CPU, memory, disk space, disk I/O, and more, may be reached. To remedy such a problem, you have two options: scale up or scale out. Load balancing is a scale-out technique. Rather than increasing the resources of one server, you add cost-effective commodity servers, creating a “cluster” of servers that perform the same task. Scaling out is more cost effective because commodity-level hardware provides the most bang for the buck. High-end supercomputers come at a premium and can be avoided in many cases.

Redundancy

Servers crash; this is the rule, not the exception. Your architecture should be devised in a way that reduces or eliminates single points of failure (SPOF). Load balancing a cluster of servers that perform the same role leaves room for a server to be taken out manually for maintenance without taking down the system. You can also withstand a server crashing. This is called High Availability, or HA for short. Load balancing is a tactic that assists with High Availability, but it is not High Availability by itself. To achieve high availability, you need automated monitoring that checks the status of the applications in your cluster and automatically takes servers out of rotation in response to detected failures. These tools are often bundled into load balancing software and appliances, but sometimes need to be programmed independently.

How to perform load balancing?

There are 3 well-known ways:

  1. DNS based
  2. Hardware based
  3. Software based
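The distinction drawn above between load balancing and high availability is easiest to see in code: a rotation that spreads connections over a cluster, plus a health check that pulls failed nodes out of (and puts recovered nodes back into) that rotation. The following is an added example written for this page, not code from the original post or from any load balancer product; the node names and the probe are constructed for the demonstration.

```python
"""Round-robin software load balancing with out-of-rotation health checks.

Added example, not from the original post. Node names and the probe that
decides a node's health are constructed here for illustration.
"""
import itertools


class Pool:
    """Round-robin over the healthy nodes of a cluster.

    Each call to assign() hands one whole connection to one node; the node
    does all the work for that connection, exactly as the post describes.
    """

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.down = set()                      # nodes currently out of rotation
        self._rr = itertools.cycle(range(len(self.nodes)))

    def healthy(self):
        """Nodes that are in rotation right now."""
        return [n for n in self.nodes if n not in self.down]

    def assign(self):
        """Delegate the next incoming connection to the next healthy node.

        Raises if every node is down: a balancer cannot create capacity,
        it can only route around failures.
        """
        if not self.healthy():
            raise RuntimeError("no healthy backends left in the cluster")
        while True:
            node = self.nodes[next(self._rr)]
            if node not in self.down:
                return node

    def check(self, probe):
        """Run probe(node) -> bool against every node.

        Failed nodes are taken out of rotation and recovered ones put back.
        This is the automated monitoring that turns a balanced cluster into
        an HA cluster; returns the state changes made so they can be logged.
        """
        changes = {}
        for node in self.nodes:
            ok = probe(node)
            if not ok and node not in self.down:
                self.down.add(node)
                changes[node] = "out"
            elif ok and node in self.down:
                self.down.discard(node)
                changes[node] = "in"
        return changes


def simulate(nodes, failed, n_connections):
    """Distribute connections, fail some nodes, re-check, distribute again.

    `failed` is the constructed set of nodes the probe will report as dead.
    Returns (assignments before the failure, assignments after the check).
    """
    pool = Pool(nodes)
    before = [pool.assign() for _ in range(n_connections)]
    pool.check(lambda node: node not in failed)      # constructed probe
    after = [pool.assign() for _ in range(n_connections)]
    return before, after


if __name__ == "__main__":
    before, after = simulate(["web1", "web2", "web3"], {"web2"}, 6)
    print("before failure:", before)
    print("after web2 taken out of rotation:", after)
```

Without the `check()` step the pool would keep sending one connection in three to the dead node; with it, the two surviving nodes absorb the load until the probe sees web2 answer again.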


I always have to look this up when I need it, so I’m storing it on my blog so I can find it faster. This is way faster than “scp” for deep directories or directories with lots of files.

# push a local directory to the remote host:
tar cf - whatever | ssh remotehost "( cd /some/path ; tar xf - )"

# pull a remote directory to the local host:
ssh remotehost "( cd /somewhere ; tar cf - something )" | tar xf -

This is incredible, by the way. Any time MySQL needs to use a tmp table on disk, you can make it use a RAM disk instead.

WARNING: if the tmpfs partition you make isn’t big enough, MySQL will not be able to complete queries. Make sure you have enough RAM to do this.

mkdir /tmp/mysqltmp
chown mysql:mysql /tmp/mysqltmp
id mysql
# example: uid=502(mysql) gid=503(mysql) groups=503(mysql)

# to set up on server restart, put in fstab something like
# (replace gid, uid with the numbers from above)
tmpfs /tmp/mysqltmp tmpfs rw,gid=503,uid=502,size=2G,nr_inodes=10k,mode=0700 0 0

mount /tmp/mysqltmp

# you don't need this if the fstab entry is in place:
# mount -o size=2g,gid=520,uid=518,nr_inodes=10k,mode=0700 -t tmpfs tmpfs /tmp/mysqltmp

# edit my.cnf, adding:
tmpdir=/tmp/mysqltmp/

# then restart mysql


Intro to IPv6:

ipv6.l.google.com has IPv6 address 2001:4860:0:2001::68

2001:4860:0:2001::68 is short notation for:

2001:4860:0000:2001:0000:0000:0000:0068

IPv6 is 128 bit. There are 2^128 IPv6 IPs. That’s 340 undecillion.

I have a whole lot more detail on what IPv6 is, but I’m saving that for a later presentation; let’s jump to something fun. This is what I need your help with. What are the considerations you have to make when developing your applications for IPv6? Here’s one:

Imagine you want to store a list of IPv6 addresses in a MySQL table. Maybe this is a list of IPs allowed to connect to your application, or maybe it’s a list of IP-to-server assignments.

IPv6 is 128 bit. This is larger than will fit in any single MySQL numeric data type. (Note: Postgres has IP/netmask data types and functions to do calculations on them. It will also listen on the IPv6 network stack; MySQL won’t. But that’s another story. The challenge for now is storing IPv6 IPs in MySQL.)
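One answer to the challenge above is to stop treating the address as a number and store the raw 128 bits in a fixed-width `BINARY(16)` column, converting at the application boundary. The code below is an added example for this page, not part of the original post: it does the expansion shown above (short notation to the full eight-group form), packs and unpacks the 16 bytes for such a column, and, going a little beyond the post, also shows the two-`BIGINT UNSIGNED` layout and a prefix check an allow list would need. The `allowed_ips` table is an assumed schema and the addresses are constructed samples; only the Python standard library is used.

```python
"""Storing IPv6 addresses in MySQL: text <-> 16 bytes <-> two 64-bit halves.

Added example, not from the original post. The DDL is an assumed schema,
and every address below is a constructed sample (the first one is the
Google address quoted in the post).
"""
import ipaddress

# Assumed schema: BINARY(16) holds exactly 128 bits and compares bytewise,
# so prefix/range lookups work with plain BETWEEN on the column.
DDL = """
CREATE TABLE allowed_ips (
    ip   BINARY(16) NOT NULL PRIMARY KEY,
    note VARCHAR(64)
);
"""

TOTAL_IPV6_ADDRESSES = 2 ** 128   # the 340 undecillion from the post


def expand(addr: str) -> str:
    """Short notation -> full eight-group notation, e.g. '::68' -> '...:0068'."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Any textual form -> canonical short notation (RFC 5952 style)."""
    return ipaddress.IPv6Address(addr).compressed


def to_bin16(addr: str) -> bytes:
    """Text -> 16 network-order bytes, ready to bind to a BINARY(16) parameter.

    Raises ValueError on anything that is not a valid IPv6 address, so
    malformed input is rejected before it reaches the table.
    """
    return ipaddress.IPv6Address(addr).packed


def from_bin16(raw: bytes) -> str:
    """16 bytes read back from the BINARY(16) column -> short notation."""
    if len(raw) != 16:
        raise ValueError("expected exactly 16 bytes, got %d" % len(raw))
    return ipaddress.IPv6Address(raw).compressed


def split_u64(addr: str) -> tuple:
    """Alternative layout: (high 64 bits, low 64 bits) for two BIGINT UNSIGNED
    columns, when the schema needs integer arithmetic on the address."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & ((1 << 64) - 1)


def join_u64(hi: int, lo: int) -> str:
    """Inverse of split_u64: two 64-bit columns -> short notation."""
    return ipaddress.IPv6Address((hi << 64) | lo).compressed


def in_prefix(addr: str, prefix: str) -> bool:
    """Allow-list style membership test, e.g. in_prefix(x, '2001:4860::/32')."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(addr) in net


if __name__ == "__main__":
    sample = "2001:4860:0:2001::68"            # address quoted in the post
    print(expand(sample))                     # full eight-group form
    print(to_bin16(sample).hex())             # what lands in BINARY(16)
    print(split_u64(sample))                  # the two-BIGINT alternative
    print(TOTAL_IPV6_ADDRESSES)
```

With a driver such as MySQLdb or mysql-connector the `bytes` value from `to_bin16()` is bound directly as the parameter for the `ip` column, and `from_bin16()` is applied to the raw value on the way out.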


Taken from:

http://mysqlhow2.com/viewtopic.php?t=8

If you have a database that is returning slow results, you might want to optimize your queries and do indexing.

But how do you tell which of the queries need to be optimized?

Let’s look at the results of the query without returning all the results:
You will use the EXPLAIN clause.
The EXPLAIN clause will show the rows returned by your query. (The more rows, the slower the return.)


Install Qmail by copy/paste

Install qmail by copy/paste. I suggest doing it in small blocks at a time.

Code:

#!/bin/sh
SERVERNAME=`hostname`
cd /usr/local/src/
wget http://qmail.linocomm.net/netqmail-1.06.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
wget http://qmail.org/moni.csi.hu/pub/glibc-2.3.1/daemontools-0.76.errno.patch
wget http://qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.errno.patch

# install qmail:
umask 022
mkdir -p /package
cp daemontools-0.76.tar.gz /package
chmod 1755 /package
tar -xzf netqmail-1.06.tar.gz
tar -xzf ucspi-tcp-0.88.tar.gz
cd /package
tar -xzf daemontools-0.76.tar.gz
mkdir /var/qmail
cd /usr/local/src/netqmail-1.06

# the users and groups qmail runs as:
echo "
/usr/sbin/groupadd nofiles
/usr/sbin/useradd -g nofiles -d /var/qmail/alias alias
/usr/sbin/useradd -g nofiles -d /var/qmail qmaild
/usr/sbin/useradd -g nofiles -d /var/qmail qmaill
/usr/sbin/useradd -g nofiles -d /var/qmail qmailp
/usr/sbin/groupadd qmail
/usr/sbin/useradd -g qmail -d /var/qmail qmailq
/usr/sbin/useradd -g qmail -d /var/qmail qmailr
/usr/sbin/useradd -g qmail -d /var/qmail qmails" > IDS
/bin/sh IDS
make setup check
./config-fast $SERVERNAME

cd /usr/local/src/ucspi-tcp-0.88
patch -p1 < ../ucspi-tcp-0.88.errno.patch
make
make setup check

cd /package/admin/daemontools-0.76
patch -p1 < /usr/local/src/daemontools-0.76.errno.patch
package/install

echo "./Maildir/" > /var/qmail/control/defaultdelivery
echo 120 > /var/qmail/control/concurrencyincoming
echo 120 > /var/qmail/control/concurrencyremote
echo 120 > /var/qmail/control/concurrencylocal
chmod 644 /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyremote
chmod 644 /var/qmail/control/concurrencylocal

# the qmail startup script. The quoted 'EOF' keeps $PATH and the backticks
# literal, so they are evaluated when rc runs, not when this installer runs.
cat > /var/qmail/rc <<'EOF'
#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
EOF
chmod 755 /var/qmail/rc
mkdir /var/log/qmail

# the qmailctl script:
cat > /var/qmail/bin/qmailctl <<'EOF'
#!/bin/sh

# For Red Hat chkconfig
# chkconfig: - 80 30
# description: the qmail MTA

PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

case "$1" in
  start)
    echo "Starting qmail"
    if svok /service/qmail-send ; then
      svc -u /service/qmail-send
    else
      echo qmail-send supervise not running
    fi
    if svok /service/qmail-smtpd ; then
      svc -u /service/qmail-smtpd
    else
      echo qmail-smtpd supervise not running
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    echo "  qmail-smtpd"
    svc -d /service/qmail-smtpd
    echo "  qmail-send"
    svc -d /service/qmail-send
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svstat /service/qmail-send
    svstat /service/qmail-send/log
    svstat /service/qmail-smtpd
    svstat /service/qmail-smtpd/log
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    echo "Flushing timeout table and sending ALRM signal to qmail-send."
    /var/qmail/bin/qmail-tcpok
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    echo "Pausing qmail-send"
    svc -p /service/qmail-send
    echo "Pausing qmail-smtpd"
    svc -p /service/qmail-smtpd
    ;;
  cont)
    echo "Continuing qmail-send"
    svc -c /service/qmail-send
    echo "Continuing qmail-smtpd"
    svc -c /service/qmail-smtpd
    ;;
  restart)
    echo "Restarting qmail:"
    echo "* Stopping qmail-smtpd."
    svc -d /service/qmail-smtpd
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send
    echo "* Restarting qmail-smtpd."
    svc -u /service/qmail-smtpd
    ;;
  cdb)
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    chmod 644 /etc/tcp.smtp.cdb
    echo "Reloaded /etc/tcp.smtp."
    ;;
  help)
    cat <<HELP
   stop -- stops mail service (smtp connections refused, nothing goes out)
  start -- starts mail service (smtp connection accepted, mail can go out)
  pause -- temporarily stops mail service (connections accepted, nothing leaves)
   cont -- continues paused mail service
   stat -- displays status of mail service
    cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
 reload -- sends qmail-send HUP, rereading locals and virtualdomains
  queue -- shows status of queue
   alrm -- same as doqueue
  flush -- same as doqueue
    hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
    exit 1
    ;;
esac

exit 0
EOF
chmod 755 /var/qmail/bin/qmailctl

# hook qmailctl into the SysV runlevels:
ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail
ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail
ln -s /var/qmail/bin/qmailctl /usr/bin

# supervise directories and run scripts:
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log

echo '#!/bin/sh' > /var/qmail/supervise/qmail-send/run
echo "exec /var/qmail/rc" >> /var/qmail/supervise/qmail-send/run

echo '#!/bin/sh' > /var/qmail/supervise/qmail-send/log/run
echo "exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t n40 s5242880 /var/log/qmail" >> /var/qmail/supervise/qmail-send/log/run

cd /var/qmail/control
ln -s ../outgoingip outgoingip

cat > /var/qmail/supervise/qmail-smtpd/run <<'EOF'
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
        /var/qmail/bin/qmail-smtpd 2>&1
EOF

echo '#!/bin/sh' > /var/qmail/supervise/qmail-smtpd/log/run
echo "exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t n40 s5242880 /var/log/qmail/smtpd" >> /var/qmail/supervise/qmail-smtpd/log/run

mkdir -p /var/log/qmail/smtpd
chown qmaill /var/log/qmail /var/log/qmail/smtpd
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run

# hand the services to svscan, then stop them until the setup is finished:
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
sleep 10
qmailctl stop

# create system aliases:
echo postmaster > /var/qmail/alias/.qmail-root
echo postmaster > /var/qmail/alias/.qmail-postmaster
ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster

# only localhost may relay:
echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb

# replace sendmail with the qmail version:
/etc/rc.d/init.d/sendmail stop
rpm -e --nodeps sendmail
rm /usr/lib/sendmail
rm /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin

qmailctl start
cd /etc/pki/tls
cd private
openssl genrsa -des3 -out `hostname`.key 1024
# password: whatever you want

# TO MAKE IT HAVE NO PASSPHRASE (optional):
cp `hostname`.key `hostname`.key.orig
openssl rsa -in `hostname`.key.orig -out `hostname`.key

# MAKE THE CSR
cd ../csr
openssl req -new -key ../private/`hostname`.key -out `hostname`.csr
# answer the questions

# MAKE THE SELF-SIGNED CERT:
cd ../certs
openssl x509 -req -days 1800 -in ../csr/`hostname`.csr -signkey ../private/`hostname`.key -out `hostname`.crt