How to start matrixtunnel

Matrixtunnel is a small SSL wrapper: it listens on one port, terminates SSL and forwards the plain HTTP to another port (or, in client mode, the other way round). Small memory footprint.

Here’s how to start it:

user:~# matrixtunnel -A /etc/ssl/domain.com.cer -p /etc/ssl/domain.com.key -r 80 -d 444

Print help screen:

user:~# matrixtunnel -h
usage: [-c] [-v] [-d localip:port] [-r remoteip:port]

    -A      Certificate Authority file
    -p      private key and certificate chain PEM file name
    -c      client mode. remote is ssl, local plain
    -v      validate certificate
    -d      listen locally on this [host:]port
    -r      connect to remote machine on [host:]port
    -P      pidfile
    -f      foreground mode
    -D      syslog level (0...7)

If one wants to test, use -f (start on the console, not as a daemon).

Note: don't use -v, sometimes it fails. I don't know why.

Few extra commands (openssl, certificates)

This is an addendum to https://mihail.stoynov.com/blog/2009/03/12/CertificatesKeystoresJavaKeytoolUtilityAndOpenssl.aspx 

A .key file holds the private key in unencrypted PEM form and nothing else; in particular it does not hold the certificate (a .pem may hold both). Because the key is unencrypted, keep the file readable by its owner only (chmod 600 mycompany.key).

Converting pem -> key

openssl rsa -in mycompany.pem -out mycompany.key

Check out a certificate (pem only; a .key file has no certificate in it, so openssl x509 on it just fails with "unable to load certificate")

openssl x509 -in mycompany.pem -text -noout

Output the private key

openssl rsa -in mycompany.key
openssl rsa -in mycompany.pem

(if the pem holds the same key as the .key file, both commands output the same thing; to confirm that a key belongs to a certificate without printing the key, compare the hashed moduli: openssl rsa -in mycompany.key -noout -modulus | openssl md5 against openssl x509 -in mycompany.pem -noout -modulus | openssl md5).

Output the private key in readable format

openssl rsa -in mycompany.key -text
openssl rsa -in mycompany.key -text -noout (omit the PEM-encoded key, print only the decoded fields)
openssl rsa -in mycompany.pem -text
openssl rsa -in mycompany.pem -text -noout (same)
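Since the difference between a .key file and a .pem file is only which PEM blocks are inside, here is a small inspector that reads a file the way openssl does and reports whether a certificate and/or a private key are present and whether the key is encrypted. This is an added example, not code from the original post or from OpenSSL; it uses only the Python standard library, and the two sample PEM texts at the bottom are constructed (base64 of placeholder bytes, not real keys or certificates).

```python
"""Inspect what a PEM file actually contains.

Added example, not code from the original post or from OpenSSL. Uses only the
standard library; the sample PEM texts at the bottom are constructed for the
example (base64 of placeholder bytes, not real keys or certificates).
"""
import base64
import re

# A PEM block: BEGIN line, optional "Name: value" headers (RFC 1421 style,
# used by legacy encrypted keys), base64 body, END line with the same label.
_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return one dict per block: label, headers, and the decoded DER bytes."""
    blocks = []
    for m in _BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = {}
        while lines and ":" in lines[0]:          # base64 never contains ':'
            name, value = lines.pop(0).split(":", 1)
            headers[name.strip()] = value.strip()
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        blocks.append({"label": m.group("label"), "headers": headers, "der": der})
    return blocks


def summarize(text):
    """Say whether 'openssl x509' and 'openssl rsa' would find anything here."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    return {
        "labels": [b["label"] for b in blocks],
        "has_certificate": any(b["label"] == "CERTIFICATE" for b in blocks),
        "has_private_key": bool(keys),
        # Encrypted either as PKCS#8 "ENCRYPTED PRIVATE KEY" or via a DEK-Info header
        "key_encrypted": any(
            b["label"] == "ENCRYPTED PRIVATE KEY" or "DEK-Info" in b["headers"]
            for b in keys
        ),
    }


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed samples: the bodies are not real DER, just placeholder bytes.
KEY_ONLY = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    _b64(b"placeholder key bytes"),
    "-----END RSA PRIVATE KEY-----",
    "",
])

CERT_AND_ENCRYPTED_KEY = "\n".join([
    "-----BEGIN CERTIFICATE-----",
    _b64(b"placeholder certificate bytes"),
    "-----END CERTIFICATE-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF",
    "",
    _b64(b"placeholder encrypted key bytes"),
    "-----END RSA PRIVATE KEY-----",
    "",
])

if __name__ == "__main__":
    for name, text in (("key only", KEY_ONLY), ("cert + encrypted key", CERT_AND_ENCRYPTED_KEY)):
        print(name, summarize(text))
```

Point it at a real file with summarize(open(path).read()): a .key file reports has_certificate False, which is exactly why openssl x509 refuses it, while a combined .pem reports both.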

Update:

Launch small https server to test a certificate

# on one host, set up the server (using default port 4433)
openssl s_server -cert mycert.pem -www

(-cert expects the certificate and the private key in that one file; add -key mykey.pem if the key lives in a separate file.)

Check the speeds to that server

# on second host (or even the same one), run s_time
openssl s_time -connect myhost:4433 -www / -new

-new forces a full handshake on every connection instead of session resumption. The original command also passed -ssl3; SSLv3 is broken (POODLE) and current OpenSSL builds do not even compile it in, so leave the flag out and let s_time negotiate TLS.

How to have a Subversion Repository on a Windows Server (+ security), part 1

The article is written based on Windows Server, CollabNet Subversion 1.6.1, Apache 2.2. Windows XP or Vista would do as well.

Subversion comes with its own server, svnserve. Out of the box it has no authentication and no encryption. One can tunnel it over ssh (svn+ssh), but with a Windows server and Windows clients that is a bit awkward.

The other option is to setup an Apache server with mod_dav and mod_dav_svn. Fortunately the CollabNet Subversion binary comes with Apache pre-bundled with those modules. The binary even installs viewvc, which is rather nice.

Installation steps.

After installing the bundle, however, there are a lot of things to do. Most of them manually. I’ll try to describe most of them here.

Download Collabnet Subversion Server binary from CollabNet (no other place to download it from). Registration required.

So we decided to use Apache instead of svnserve, so while installing one doesn't have to make it a service. Only Apache should be installed as a service. Another pro for Apache is that every repository gets its own <Location> with its own authentication and access rules (svnserve can serve several repositories under one root directory with -r, but the per-path control is much coarser).

Now is the time to suggest that one make the Apache server run with limited credentials. By default the service would be running with the Local System account, which has far more privileges than the users in the Administrators group. The concrete steps would be to create one user with compmgmt.msc, remove it from the Users group (which removes all the default privileges) and give this user Read on the httpd directory (one will most probably find it in C:\Program files\Subversion\httpd), Modify on httpd\logs and Modify on all the repositories. Then put that account on the service's Log On tab in services.msc.

The configuration. When installing, Apache asks where the repositories basedir is. Using a basedir means that all the repositories are subdirectories of the basedir:

Subversion/httpd/conf/httpd.conf:

<Location /svn>
  DAV svn
  SVNParentPath "D:/SVN Repositories/"    <— put the quotes. installer does not do it
</Location>

Note: by default the installer does not put quotes around the dir, so if there are space characters, the server will not start. One should put the quotes himself/herself.

Now is the time to say that the Apache server is very verbose. Every error shows up in the Event Viewer in the Application log, and there are always pretty good descriptions of what is wrong. I definitely like this feature of Apache. Unfortunately one has to use Google to figure out how to fix it.

Another place to look for errors is httpd/logs/error.log. Pretty readable. I'm positively surprised.

I don't like the basedir approach; repositories with me are in different dirs. I do it like this:

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"                   <— put the quotes
</Location>

Authentication. Very shortly: http basic and http digest. Http basic only base64-encodes the user name and password, so on plain http anyone on the path can read them; it is acceptable only over SSL. Http basic looks like this:

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"
   AuthType Basic
   AuthName "MyCompany subversion repository"
   AuthUserFile "C:/Program Files/Subversion/httpd/conf/svn_auth_file"
   Require valid-user
</Location>

Now, how to make the user’s file (svn_auth_file). Use htpasswd (only for http basic):

C:\Program Files\Subversion\httpd\bin>htpasswd -cm ..\conf\svn_auth_file mihail

New password: ******

Re-type new password: ******

Adding password for user mihail

C:\Program Files\Subversion\httpd\bin>htpasswd -m ..\conf\svn_auth_file ivan

New password: *****

Re-type new password: *****

Updating password for user ivan

The first time -c is used to create the file (it overwrites an existing file, so never use it again for later users). Any subsequent user is added with -m only, which stands for MD5 (the salted $apr1$ hash seen below).

svn_auth_file:

mihail:$apr1$AzWq5tu5$k554PODb79n9TZwBxBDh..

ivan:$apr1$hlr9s6gK$oFLP1WtwvOLczyUSiP10v/

For http digest, first the module has to be uncommented in httpd.conf:

LoadModule auth_digest_module modules/mod_auth_digest.so    <—uncomment this line

the configuration for the location is the same as for basic, with AuthType Digest (in Apache 2.2 mod_auth_digest reads the users from AuthUserFile too):

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"
   AuthType Digest
   AuthName "MyCompany subversion repository"
   AuthUserFile "C:/Program Files/Subversion/httpd/conf/svn_auth_file"
   Require valid-user
</Location>

And users are made with htdigest:

C:\Program Files\Subversion\httpd\bin>htdigest.exe -c ../conf/svn_auth_file "MyCompany subversion repository" mihail

Adding user mihail in realm MyCompany subversion repository

New password: ******

Re-type new password: ******

C:\Program Files\Subversion\httpd\bin>htdigest.exe ../conf/svn_auth_file "MyCompany subversion repository" ivan

Adding user ivan in realm MyCompany subversion repository

New password: ******

Re-type new password: ******

The file svn_auth_file looks a bit different now:

mihail:MyCompany subversion repository:3d16aced3eac2fc74ce5663df86d145b

ivan:MyCompany subversion repository:3ff20546c01028d5008651445b62d2e0

Note: keep in mind that the realms in svn_auth_file and the <Location AuthName should match.

Note: do not confuse htpasswd and htdigest. They produce users for http basic and http digest respectively and are not interchangeable.
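To see why the realm must match and what the hash in svn_auth_file actually is, here is the digest exchange worked through on both sides. This is an added example, not code from the original post or from Apache's mod_auth_digest; it implements the RFC 2617 MD5 computation with qop=auth (what Apache 2.2 speaks) against lines in the htdigest file format shown above. The user names, passwords, nonce and cnonce are constructed for the example.

```python
"""HTTP Digest authentication, client and server side, over an htdigest file.

Added example, not code from the original post or from Apache. Implements the
RFC 2617 MD5 / qop=auth computation; names, passwords and nonces are constructed.
"""
import hashlib
import hmac

REALM = "MyCompany subversion repository"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1_of(user, realm, password):
    """HA1 = MD5(user:realm:password). This is all the server ever stores,
    which is why the realm in the file must equal the AuthName in httpd.conf."""
    return md5hex(f"{user}:{realm}:{password}")


def htdigest_line(user, realm, password):
    """Exactly the line htdigest writes: user:realm:HA1."""
    return f"{user}:{realm}:{ha1_of(user, realm, password)}"


def load_htdigest(text):
    """Parse htdigest lines into {(user, realm): HA1}."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            table[(user, realm)] = ha1
    return table


def response_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user, password, realm, method, uri, nonce, nc, cnonce):
    """What the client puts in Authorization: Digest ... response="..."."""
    return response_from_ha1(ha1_of(user, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(table, user, realm, method, uri, nonce, nc, cnonce, response):
    """Recompute the response from the stored HA1 and compare in constant time."""
    ha1 = table.get((user, realm))
    if ha1 is None:
        return False
    expected = response_from_ha1(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    # Server side: the file htdigest would have produced for two users (constructed).
    table = load_htdigest("\n".join([
        htdigest_line("mihail", REALM, "correct horse"),
        htdigest_line("ivan", REALM, "battery staple"),
    ]))
    # 1) Server challenge: WWW-Authenticate: Digest realm=REALM, nonce=..., qop="auth"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"          # constructed server nonce
    # 2) Client answers with a counter, its own cnonce and the response hash
    method, uri, nc, cnonce = "PROPFIND", "/svn/mycompany/trunk", "00000001", "0a4f113b"
    good = client_response("mihail", "correct horse", REALM, method, uri, nonce, nc, cnonce)
    bad = client_response("mihail", "wrong", REALM, method, uri, nonce, nc, cnonce)
    # 3) Replaying a valid response against another method/URI must fail (HA2 differs)
    replayed = server_verify(table, "mihail", REALM, "DELETE", uri, nonce, nc, cnonce, good)
    # 4) A stolen svn_auth_file line is enough: HA1 alone answers the challenge,
    #    so the file must be protected like a password database.
    from_stolen = response_from_ha1(table[("ivan", REALM)], method, uri, nonce, nc, cnonce)
    return {
        "good_password": server_verify(table, "mihail", REALM, method, uri, nonce, nc, cnonce, good),
        "bad_password": server_verify(table, "mihail", REALM, method, uri, nonce, nc, cnonce, bad),
        "replayed_to_other_method": replayed,
        "stolen_ha1_works": server_verify(table, "ivan", REALM, method, uri, nonce, nc, cnonce, from_stolen),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes visible: changing the realm changes HA1, so a mismatch between svn_auth_file and AuthName simply means every login fails; and the server never needs the password, only HA1, so whoever reads svn_auth_file can authenticate as any user in it without cracking anything.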

For now there is a pretty usable svn server that supports multiple repositories and digest auth. But the communication with the server is plain and unencrypted http: digest keeps the password itself off the wire, but the repository contents (and, with basic, the credentials) still travel in the clear.

The svnbook is available here (most up-to-date version 1.5): http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html. The chapter for servers is Chapter 6.

The next part is how to set up SSL on top of Apache.

Test blog post with Windows Live Writer

I’ve heard of Windows Live Writer but I’ve always thought that it only works for Blogger and Sharepoint. A comment to the blog (here) made me investigate whether dasBlog would support WLW. It does. This is the first blog post with WLW.

While installing WLW in my virtual Windows XP (I’ll write about that later if WLW works) I decided to update the blog. The update can now be installed with something called Web Platform Installer 2.0. It installs crap directly from the internet especially crap for IIS:

Web Platform Installer 2.0

(Wow, WLW can inline the image in the text. I’ve always missed that.)

So, let’s see how this blog post would look like.

Submit... (in this case “Publish”)

Update: this cannot be true. WLW has live preview that embeds the post in the blog, this is so f*cking cool. Look at it:

WLW live preview

Image thumbnails, resizing. Categories. Everything seems to work seamlessly. So let’s finally submit it and see what happens (I may start using this a lot).

Usability of the blog

Watching the blog stats one can't help but notice the decreasing amount of articles (I guess my single reader and I are the ones that should notice). Maybe it's because of a lack of time. Maybe it's because of too much work, study or travel (I'm currently in Turkey on vacation).

Lately one new reason is emerging in my head (yes, it takes them (the thoughts) some time to mature :). Maybe I'm not writing that much because of the usability of the blog. The usability from the readers' point of view is bad (here, for example), but it's hard to fix it and I'm too lazy to do it. But now I'd like to talk about usability from my perspective (as the author).

I'm running the blog (hosted on dasBlog) at my own server with a very cheap internet connection so it's a bit slow. dasBlog doesn't do any kind of image help (not to mention anything more complex) - I have to do my own thumbnails (I so very much hate that). dasBlog's rich text editor does not support my phone's browser or Safari.

So in the end, even if I think of a good story, it takes a lot of time to represent it in the blog. Especially if it's very visual, or even only a bit visual.

So I have to think of other ways to improve my experience. And I just thought of one. I'll write when I do it.

Good Night, and Good Luck.

I just watched the 2005 movie Good Night, and Good Luck. It basically depicts the communist witch-hunt that happened in the US after WWII. It's very moving and a bit sad (especially at the end with the fate of the main character).

The movie made me spend some time on Wikipedia reading about McCarthy, Murrow and Hollenbeck. Very interesting. Makes one think whether we have the same media now.

Directed by George Clooney. 6 Academy awards nominations. Highly recommended.