Generate a self-signed SSL certificate

To generate a self-signed certificate without a password you just need to issue three commands:

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

server.key => private key
server.csr => certificate signing request
server.crt => certificate

If you want a password-protected key file, just add the -des3 switch to the first command:

openssl genrsa -des3 -out server.key 1024

But remember that to use it you will be prompted for the password (not a very good idea on an Apache restart…).
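The same three steps as a script, added here as an example and not code from the original post: it answers the CSR prompts with -subj so it runs unattended, adds a subjectAltName (modern clients match the hostname against the SAN, not the CN), uses a 2048-bit key, and then runs the checks worth doing before deploying the result (key and certificate belong together, SAN present, certificate verifies and is not expired). It assumes openssl is on PATH; the directory and the name example.test are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the three-command recipe
# made non-interactive, plus the checks worth running before deploying
# the result. Assumes `openssl` is on PATH. The CN "example.test" used in
# the usage line and the output directory are placeholders.

# make_selfsigned DIR CN [DAYS]
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # 2048-bit key instead of 1024: 1024-bit RSA is below what current
    # clients accept. No -des3, so no passphrase prompt at service start.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # -subj answers the CSR prompts up front so this works in a script.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" || return 1
    # Modern clients match the hostname against subjectAltName, not CN,
    # so add a SAN extension when self-signing.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # The key is the secret; keep it readable by its owner only.
    chmod 600 "$dir/server.key"
}

# cert_matches_key DIR -> 0 when server.crt carries the public half of server.key
cert_matches_key() {
    k=$(openssl rsa -in "$1/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san DIR NAME -> 0 when NAME appears as a DNS SAN in server.crt
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# cert_valid DIR -> 0 when the self-signed cert verifies against itself and
# is not expired (-checkend 0 fails once notAfter has passed)
cert_valid() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null
}

# Usage: sh selfsigned.sh ./certs example.test 365
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-365}" &&
        cert_matches_key "$1" && cert_has_san "$1" "$2" && cert_valid "$1" &&
        openssl x509 -in "$1/server.crt" -noout -subject -dates
fi
```

Run it with a directory and a hostname; the last command prints the subject and the notBefore/notAfter dates so you can see what you are about to install. The key/certificate comparison hashes the public key extracted from each side, which catches the classic mistake of pairing a fresh key with a certificate signed for an older one.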

Qmail + Vpopmail – Rebuild maildirsize file

Let’s say some program or script that doesn’t support maildirquota was poking around in a user’s maildir and you need to recalculate that user’s maildirsize file (i.e. recalculate the quota). You just need to:

cd /home/vpopmail/domains/domain.com/user/Maildir
rm maildirsize
vuserinfo -Q user@domain.com

and, voilà, a new and accurate maildirsize file!

EDIT

I wrote a very simple script that rebuilds the quotas system-wide (yes, it’s PHP, not real-man C or some other fashionable language, but it works for me):

<?php
// Rebuild every user's maildirsize: delete it and let `vuserinfo -Q` recreate it.
$vpopmail_bin = '/home/vpopmail/bin/';

$domains = dir('/home/vpopmail/domains');
while (false !== ($domain = $domains->read())) {
  if ($domain != '.' && $domain != '..' && is_dir($domains->path.'/'.$domain)) {
    $users = dir($domains->path.'/'.$domain);
    while (false !== ($user = $users->read())) {
      if ($user != '.' && $user != '..' && is_dir($users->path.'/'.$user)) {
        if (file_exists($users->path.'/'.$user.'/Maildir/maildirsize')) {
          unlink($users->path.'/'.$user.'/Maildir/maildirsize');
          // escapeshellarg keeps directory names containing shell metacharacters
          // from being interpreted by the shell that exec() spawns.
          exec($vpopmail_bin.'vuserinfo -Q '.escapeshellarg($user.'@'.$domain));
        }
      }
    }
    $users->close();
  }
}
$domains->close();

DJB tinydns (djbdns)

FreeBSD comes with the venerable BIND (the Berkeley Internet Name Daemon) both for resolving hostnames and for publishing your own domain addresses (DNS server). I don’t like it one bit… it doesn’t follow the Unix ways and principles at all, it’s big and monolithic, it has a strange configuration file, a bad history of security holes, etc.

So, with a new box comes the need to replace BIND with djbdns. This is my howto for doing this on FreeBSD. Viewer discretion is advised, as the level of geekiness can cause brain damage…


PHP overriding the “SOAPAction” header

Oh no, SOAP again. I hate SOAP… but making shit work is everyone’s job. So, here I go again. This time I need (don’t ask why) to change the SOAPAction header. It turns out to be quite simple with the bundled SOAP extension of PHP: just extend SoapClient and override the __doRequest function. The code:

<?php

class CustomSoapClient extends SoapClient {
  // $action is the value SoapClient sends in the SOAPAction HTTP header;
  // replacing it here changes what goes on the wire for every call.
  public function __doRequest($request, $location, $action, $version, $one_way = 0) {
    $action = 'my_custom_soap_action'; // override SOAPAction here
    return parent::__doRequest($request, $location, $action,
                               $version, $one_way);
  }
}

$options = array('exceptions' => true,
                 'trace'      => 1,                // keep the last request/response for debugging
                 'cache_wsdl' => WSDL_CACHE_NONE
                 );

$client = new CustomSoapClient('my.wsdl', $options);

try {
  $input = new stdClass();
  $input->property  = "example";
  $input->property2 = "example2";

  $response = $client->helloWorld($input);

} catch (Exception $e) {
  echo "\n";
  echo 'Caught exception: ', $e->getMessage(), "\n";
  echo "\n";
  echo "REQUEST:\n" . $client->__getLastRequestHeaders() .
                      $client->__getLastRequest() . "\n";
  echo "\n";
  echo "RESPONSE:\n" . $client->__getLastResponseHeaders() .
                       $client->__getLastResponse() . "\n";
}

?>

SSH port forwarding

Isn’t SSH great? It’s secure and it can do lots of cool things, such as giving your local machine access to services that are only reachable from the remote machines you can connect to through SSH. This is called port forwarding.

Windows with Putty

So, you are on your local Windows box and have SSH access to a remote machine, let’s call it “Remote”, and from there you can access a service on another machine, let’s call it “Far”. The problem is that from your local Windows box you can’t access “Far” directly (most of the time because of the good people of the network team and their strong sense of security…, VPNs, etc.).

So:
Localbox -> Remote (ok)
Localbox -> Far (not ok)
Localbox -> Remote -> Far (ok)

and it would be nice to test the service (let’s say HTTP, as an example) running on Far with your nice Localbox browser, instead of the console-based Lynx browser that you have on Remote.

Enter the black magic of SSH port forwarding. With PuTTY (the SSH client for Windows) it’s pretty easy. Just open your connection normally, but before pressing the Open button, go to Connection -> SSH -> Tunnels:

The source port will be the port on your Localbox; I usually put the localhost ip:port combination there (127.0.0.1:80). You should check with “netstat -an” that this is free; if some service (IIS, Apache) is already running on this ip:port, stop it. The destination is the Far ip:port that you want to access (far_ip:80). Click “Add”, then open the connection normally and log in to the Remote console. On the Localbox check again with “netstat -an” and you should have an entry like this:

TCP    127.0.0.1:80           0.0.0.0:0              LISTENING

And there you go! You have an open tunnel from Localbox to Far. Now just open the browser on Localbox and point it to 127.0.0.1; your request is being sent to Far. If you need a hostname to access the service correctly, just put it in the hosts file:

127.0.0.1 hostname

Linux

Pretty easy… just use the ssh -L switch:
-L localport:foreign_ip:foreign_port

To make this clear, an example. On my production server I run a MySQL server instance, but it only listens on localhost (127.0.0.1), and I want to use a GUI to manage it. I have the GUI on my Linux box, so it would be impossible to connect the GUI to the MySQL server… not with ssh around…

ssh user@mysqlhost -L 3306:127.0.0.1:3306

After the SSH connection is made I can access the MySQL server as if it were running on my Linux localhost. We can even check with netstat:

netstat -an | grep 3306 | grep LISTEN

It should show something like:
tcp    0    0    127.0.0.1:3306    0.0.0.0:*    LISTEN
tcp6    0    0    ::1:3306    :::*    LISTEN

There, a no-brainer that is sometimes very useful.
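The Linux recipe above wrapped in a small script, added here as an example and not code from the original post. It automates the “is the local port already taken?” check that the PuTTY section does by hand with netstat -an, pins the listener to 127.0.0.1 explicitly (ssh -L does this by default, but -g or GatewayPorts would expose the forward to every host on your LAN, so it is worth stating), and passes -N so the session is forward-only with no remote shell. It assumes ssh is installed and that either ss or netstat is available for the check; the hosts in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps `ssh -L` with the
# local-port check the post does by hand with netstat, and binds the forward
# to 127.0.0.1 explicitly. Assumes ssh, and `ss` or `netstat` for the check;
# the hosts in the usage line are placeholders.

# port_free PORT -> 0 if nothing listens on PORT locally, 1 if something does,
# 2 if neither ss nor netstat is available to tell.
port_free() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        # "Local Address:Port" is column 4 of `ss -ltn`
        [ -z "$(ss -ltn 2>/dev/null | awk -v p="$port" '$4 ~ ("[.:]" p "$")')" ]
    elif command -v netstat >/dev/null 2>&1; then
        # tcp rows: Proto Recv-Q Send-Q Local Foreign State; Linux uses host:port,
        # BSD/macOS use host.port, hence the [.:] separator.
        [ -z "$(netstat -an 2>/dev/null | awk -v p="$port" \
            '$1 ~ /^tcp/ && $4 ~ ("[.:]" p "$") && $NF == "LISTEN"')" ]
    else
        return 2
    fi
}

# forward_cmd LOCAL_PORT REMOTE TARGET_HOST TARGET_PORT -> prints the ssh command.
# "127.0.0.1:" before the local port pins the listener to loopback; without it
# the default is still loopback, but -g or GatewayPorts=yes would open it to the
# LAN. -N: forward only, no remote shell.
forward_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$3" "$4" "$2"
}

# open_forward LOCAL_PORT REMOTE TARGET_HOST TARGET_PORT
# Refuses to start if the local port already has a listener (the forward would
# silently fail to bind and you would be talking to the wrong service).
open_forward() {
    rc=0; port_free "$1" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "127.0.0.1:$1 already has a listener; stop it or pick another local port" >&2
        return 1
    elif [ "$rc" -eq 2 ]; then
        echo "warning: no ss/netstat found, cannot confirm that port $1 is free" >&2
    fi
    echo "running: $(forward_cmd "$@")" >&2
    ssh -N -L "127.0.0.1:$1:$3:$4" "$2"
}

# Usage, the MySQL case from the post:
#   sh forward.sh 3306 user@mysqlhost 127.0.0.1 3306
if [ $# -eq 4 ]; then
    open_forward "$@"
fi
```

With the forward up, the same netstat -an | grep 3306 | grep LISTEN check from the post shows the 127.0.0.1:3306 listener, and port_free 3306 now returns 1, which is exactly the condition the script checks before starting a second copy.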