Showing posts from February, 2015

mod_remoteip backport for Apache HTTPD 2.2

Apache HTTPD 2.4 has a very useful new feature for large deployments: replacing the remote IP of a request with the value of a request header, e.g. one set by a load balancer or reverse proxy. Users of Apache HTTPD 2.2 as found on RHEL6 can now use the backport found on https://github.com/ImmobilienScout24/mod_remoteip-httpd22.

I pulled this backport together from various sources found on the Internet and "it seems to work". Working with C code (which I did not do for 14 years!) taught me again the value of test-driven development and modern programming languages. Unfortunately I still can't explain a change like this without a lot of thinking:

You can easily build an RPM from the code on GitHub. The commit history shows the steps I had to undertake to get there. Configuration is as simple as this:


LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.100.15.33

with the result that a reverse proxy on 10.100.15.33 can set the X-Forwarded-…

Simplified DEB Repository

2 years ago I wrote about creating a repository for DEB packages with the help of reprepro. Since then I have suffered from the complexity of the process and the cumbersome reprepro usage:

- Complicated to add support for a new Ubuntu version, which happens every 6 months
- Need to specifically handle new architectures
- I actually don't need most of the features that reprepro supports, e.g. managing multiple repos in one or package staging

This week I realized that there is a much simpler solution for my needs: apt-ftparchive. This tool creates a trivial repo with just enough information to make apt happy. For my purposes that is enough. All that I want from a DEB repo is actually:

- Work well with 50-500 packages
- Easy to add new Debian/Ubuntu/Raspbian versions or architectures
- Simple enough for me to understand
- GPG signatures

It turns out that the trivial repo format is enough for that, it makes it even simpler to add new distro versions because the repo does not contain any information about the di…

Ubuntu Guest Session Lockdown

The guest session is a very important feature of Ubuntu Linux. It makes it very simple to give other people temporary computer or Internet access without compromising the permanent users of the computer.

Unfortunately the separation is not perfect: the guest user can actually modify critical configuration settings on the computer and even access the files of the other users, if they don't take precautions.

The following scripts and files help to lock down the guest session so that no harm can be done.

How It Works

The guest session is actually a feature of the LightDM Display Manager that is used in Ubuntu and in Xubuntu. The guest session is enabled by default.

When a user chooses a guest session the following happens: LightDM uses the /usr/sbin/guest-account script to set up a temporary guest account. The home directory is created in memory (via tmpfs) and can occupy at most half the RAM of the computer.
Optionally, /etc/guest-session/prefs.sh is included as root to further custo…