Stuff I'm Up To

Technical Ramblings

Git – Version Control — October 13, 2017

Git – Version Control

We have a distinct lack of version control in the relatively small development team that manages one of our business applications. One of the main challenges isn’t really related to the developers, but to the vendor that connects remotely and “fixes” things without leaving any clue as to what has been changed.

So I came up with a sneaky plan to deploy Git onto the servers and manage the versions of configuration files used by the application. I can then capture any changes and roll back as necessary.

Continue reading

Advertisements
Tomcat log4j Errors — October 12, 2017

Tomcat log4j Errors

As I’ve been spending a lot of time with Tomcat these days I’ve tried to clear out the stderr log of error messages. One of the frustrating warnings I had to deal with was this:

log4j:WARN Continuable parsing error 208 and column 23
log4j:WARN The content of element type "log4j:configuration" must match "(renderer*,throwableRenderer?,appender*,plugin*,(category|logger)*,root?,(categoryFactory|loggerFactory)?)".

The log4j.xml file parsed correctly and was obviously working as we were seeing log output. But this error had me baffled for a while. I checked the syntax of the xml file, ensured it was sound structurally and couldn’t for the life of me spot the problem.

Turns out the order of the elements in the file is important and must match the order of the string listed above. We’d got some logger elements after the root element. A move of the root element below the logger elements and the error message went away.

 

Forcing Tomcat to HTTPS — September 28, 2017

Forcing Tomcat to HTTPS

As our environment needs change more and more of our internal services are being forced to change to HTTPS.

Tomcat supports the deployment of services using HTTPS, but many of our vendors have taken the easy route and just use HTTP on the standard port 8080. This is now going to become a bit of a hurdle as we now need to advise clients of the change to HTTPS and the port change involved.

Securing Tomcat with valid certificates is the start of the journey and adding a connector using HTTPS is the first step. Then we need to make calls to the non-secure HTTP site redirect over to the HTTPS version.

Continue reading

Windows, Apache 2.4 and OpenSSL — September 22, 2017

Windows, Apache 2.4 and OpenSSL

In order to make Apache 2.4.27 compliant it needs the later version of OpenSSL v1.1.0. To get this you need to install the VC15 version. The VC11 etc. do not include the later OpenSSL and fail because they are compiled with v1.0.2

  Banner           : Apache/2.4.27 (Win64) OpenSSL/1.0.2l
  Reported version : 1.0.2l
  Fixed version    : 1.1.0

This is detailed in the 16 June 2017 change log, but is repeated here as a reminder to install vcredist_x64 for VC++ 2017 which is linked on the downloads page on Apache Lounge.

References

https://www.apachelounge.com/download/

https://www.apachelounge.com/Changelog-2.4.html

Apache 2.4 TRACE – Nessus plugin 11213 — September 21, 2017

Apache 2.4 TRACE – Nessus plugin 11213

Googling for how to close the vulnerability for the TRACE method on Apache 2.4 results in lots of responses that just use a rewrite rule to respond with a permission denied message.  Even the Nessus plugin output lists the rewrite fix. Nessus doesn’t use this for it’s scans, it carries out a HTTP call for OPTIONS and relies on the server telling it what methods are available.

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Whilst the rewrite rule may be a valid mitigation on Apache servers, the actual vulnerability warning won’t be removed from Nessus’ results.

If you’re using Apache 2.4 then there is a config TraceEnable directive that you should use to simply turn off the TRACE method.

Continue reading

OwnCloud, php7.0-fpm and Memcache — September 19, 2017

OwnCloud, php7.0-fpm and Memcache

When checking out the setup for our OwnCloud system it came up with a few cautionary problems that needed to be resolved.

The problems related to environment variables and file locking.

php does not seem to be setup properly to query system environment variables. The test with getenv(“PATH”) only returns an empty response. Please check the installation documentation ↗ for php configuration notes and the php configuration of your server, especially when using php-fpm.

and

Transactional file locking is using the database as locking backend, for best performance it’s advised to configure a memcache for locking. See the documentation ↗ for more information.

Continue reading

Owncloud 10.0 Upgrade — July 24, 2017
Owncloud Upgrade and Maintenance Mode — May 22, 2017
HTTPS on the Synology NAS — April 25, 2017

HTTPS on the Synology NAS

I love this Synology NAS. It’s so versatile and immensely capable. I use it for streaming my TV, movies and music. It also acts as my Couchpotato, Sonarr and NZBGet system. I think I’ll definitely get another when the time comes.

But enough glorification.

Using the free certificate services from Let’s Encrypt you can obtain a FREE TLS/SSL certificate that you can use on any of your encryption services with the one caveat that it will expire every 3 months.

Continue reading

HTTPS and SNI — March 9, 2017
IIS HTTP to HTTPS — March 1, 2017

IIS HTTP to HTTPS

In the process of deploying an IIS web server we’d like to ensure that browsers that visit the http unencrypted page, get redirected to the https encrypted page.

By default IIS comes with a “HTTP Redirect” module but this doesn’t really do what we’re after. HTTP Redirect simply takes any request and forwards it to a specific URL. So it doesn’t care about the original host name header, URI or query string that was supplied by the browser, it just takes you to the exact URL that you specify.

To get the behaviour we’re expecting we need to install another module called “URL Rewrite”

Continue reading

Strong Ciphers — February 16, 2017