Wednesday, January 28, 2009

https redirect

My colleagues ran into minor issues when configuring mod_ssl. I helped out and wrote them some tips that I want to {b}log.

On a vanilla RHEL5 install with httpd already running all you need to do is:

    yum install mod_ssl
    /etc/init.d/httpd restart

yum creates an ssl.conf.rpmnew file so as to not touch an existing ssl.conf but it won't restart the service the way apt does.

If you wish to redirect all traffic to https add the following to your configuration file [0]:

    # note that Options FollowSymLinks had to be added above
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I found the above directives from a Google search. When I added just the above I got "permission denied". So I ran a tail -f error_log and saw something like the following:

    [Wed Jan 28 05:19:27 2009] [error] [client 123.456.7.89] Options
    FollowSymLinks or SymLinksIfOwnerMatch is off which implies that
    RewriteRule directive is forbidden: /usr/lib/mailman/cgi-bin/listinfo

I then looked up FollowSymLinks in Apache's manual. I then went back and changed Options ExecCGI to Options ExecCGI FollowSymLinks and read the documentation on what this does. Since this seemed OK (the only accounts on this server are good ones) I left it.

If I hadn't looked at the logs there would have been little hope of figuring it out. I also find it's good to take the time to set up three terminals (edit conf, restart apache, tail logs) and a browser with three tabs (page being tested, manual, Google) when doing this.
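
The fix described above in one place, as an added example rather than the configuration actually used on that server. The `<Directory>` path comes from the error_log line, the rest of the block layout is assumed, and `SymLinksIfOwnerMatch` (the other option the error message names) and the explicit `[R,L]` flags are additions.

```apache
# Added example. The directory path is taken from the error_log line above;
# the surrounding block is an assumed layout, not the stock mailman.conf.
<Directory "/usr/lib/mailman/cgi-bin/">
    AllowOverride None

    # mod_rewrite refuses to run per-directory rules unless FollowSymLinks
    # or SymLinksIfOwnerMatch is enabled for the directory.
    # Permissive form, as used in the post:
    #   Options ExecCGI FollowSymLinks
    # Narrower form: a symlink is followed only when the link and its
    # target have the same owner.
    Options ExecCGI SymLinksIfOwnerMatch

    RewriteEngine On
    # Only act on requests that arrived over plain HTTP.
    RewriteCond %{HTTPS} off
    # An absolute URL in the substitution already forces an external
    # redirect; R and L make that explicit and stop further rule processing.
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Directory>
```

The Options check applies only to rewrite rules in per-directory context, so the same three rewrite directives placed at server or VirtualHost level do not need either symlink option.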

Footnotes:
[0] On RedHat the configuration file should be /etc/httpd/conf/httpd.conf. If you originally did a "yum install mailman" then it installs httpd as a dependency. If you're now securing that httpd after installing mailman the RedHat way, then add the rewrite directives to /etc/httpd/conf.d/mailman.conf.

Tuesday, January 27, 2009

Anatomy of a Program in Memory

Found an Anatomy of a Program in Memory.

Exchange Mail not Reaching you?

If you hear about a message like the one below ask if the "queue is frozen".

I had a case of mail not reaching my server. The sending server was an Exchange server. I asked the admin to check his queue. He had several messages that didn't make it for two weeks and his users didn't get any warning (my servers send warnings after 12 hours and return the message after 2 days). He read me the message below. When I heard the destination server it made me think of my spam filter dropping connections, but I didn't have any logs of that. Turns out the other admin of the Exchange server had frozen the queue and he didn't know. Upon unfreezing it all of the mail went through. I think this queue freezing feature should at least warn the users of his server.

Your message did not reach some or all of the intended recipients.

Subject: RE: test message

Sent: 1/26/2009 2:54 PM

The following recipient(s) could not be reached:

me@my-domain.com on 1/27/2009 9:02 AM

This message was rejected due to the current administrative policy by the destination server. 
Please retry at a later time. If that fails, contact your system administrator.