All posts by rbowen

(Saint) Paris, Ohio

We went to Paris on our honeymoon, and determined that we’d go back to Paris every year for our anniversary. Of course, Paris, France is a little hard to get to, both in terms of budget and schedule, so we’re going to go to other Parises until we can afford it. Turns out there are somewhere around 37 Parises in the USA.

Last year we went to Paris, KY, and this year we had three Parises to choose from in Ohio. There’s Paris, New Paris, and Saint Paris. We couldn’t get a room at the B&B we wanted to stay at in New Paris, so we went to Saint Paris, staying at the Simon Kenton Inn in nearby Springfield.

Saint Paris isn’t a big town. As we drove through it, we were trying to determine whether we had in fact gone through downtown when we saw the “Leaving Saint Paris Township” sign. But, hey, we went to Paris. 🙂

Next year, Paris Tennessee.

SugarSync

For some reason, I was sure that S3 was an end-user file storage service. It’s not. It’s for web developers who need somewhere to store a large amount of data for back-ending their website. So, say, someone like Flickr might use S3 for the actual photo storage. (I don’t know if they do. Just an example.)

So, thanks to a suggestion from CGNaughton, I am now using SugarSync, which was remarkably easy to set up, and seems to work pretty well, although it took three days for the initial sync of my data.

I’m also planning to put the 24G of photos, which I have on an aging Linux box at home, up on SugarSync, which will likely take all weekend. Once that’s done, I will finally shut down Buglet, which I have operated out of my house for more than ten years now, and I will then have a total of *zero* servers in my home, for the first time in probably fifteen years.

Having my servers managed, and, in particular, backed up, by someone else, has an awful lot of appeal. It’s no longer fun to keep servers updated, patched, backed up, free of dust, and restarted every time there’s a power dip.

On a related note, if you’re in the Lexington area, and you need a half-dozen aging server machines, come and get them. We’re only too delighted to offload them. Most of them were great machines in their time, but I no longer have need of them. Monitors too.

mod_pony

mod_pony has been a pretty long-standing joke on #httpd on Freenode, and has also made a number of appearances in conference presentations of mine when I wanted to refer to an imaginary module for some reason.

I’m pleased to announce that there is now actually a mod_pony. It really doesn’t do anything useful. But it does build, and output a pony. And, really, what more could one possibly want?

Patches welcome.

(See mod_pony in action HERE.)

EDIT: mod_pony is now moved to Github. The “in action” link is not working – I’ll try to fix it when I get a moment.

Hypocrisy

What you see here is the cover of the new People magazine.

Other than the quote, which is sure to be a favorite of her daughter once she can read, this looks like a promotion for teen pregnancy. She’s beaming, obviously very pleased with herself. Girls everywhere are going to be saying, wow, where can I get me one of those?

And, according to MSN, she’s going to make more than a quarter mil on the photos. What’s not to love. Better run out and get preggers as fast as you can.

It would be lying to say I’m shocked by the startlingly bad judgement of this magazine. I lost my last shred of respect for the media years ago. But surely, somewhere along the chain of command, someone has a daughter? Even one of you? Show at least a scrap of common sense, would you?

The Perfect Bag

Satchel

I’ve been on a search for the perfect bag for quite some time.

I carry a lot of stuff, and I hate having my pants pockets loaded down. There’s the wallet and phone and pens and ipod, for starters. But there’s also the keys and knife and … Am I becoming Ken Coar?

I want something that’s small – I already carry a backpack most places – but big enough for the stuff listed above. And it needs to be neither effeminate and purse-like, nor have the uber-geek-ness of a fanny pack.

I finally found The Ultimate Bag. It’s awesome. It’s got everything. It really has only one drawback – the price tag.

Now, with a 100-year warranty, and such an aura of awesomeness, perhaps $115 is in fact pretty reasonable. But I don’t actually have it at this moment. What I do have is an awesome brother who lives in the place where they have amazing leather artisans on every street corner. I showed him the picture, and he arrived last week with The Perfect Bag.

At first, I thought it was a little small, because my Moleskine didn’t fit in it, but the more I use it, the more I love it. I think it might actually be the perfect size. It’s really well made. The stitches are small. The stress points are riveted. The inside has a nice lining. And the whole thing is that wonderful honey-brown color that will, I’m sure, darken with time and use. It doesn’t have any zippers or snaps to break or wear out, so I think it’s going to last a long time.

Whether they’ll fight over it when I’m dead, I’m not sure, but that’s a concession I’m willing to make.

Slowloris

No doubt you’ve heard of Slowloris, the HTTP DoS tool that will take down an Apache web server. I recommend reading the update at that site, which describes in some detail how it works.

Note that this condition is also covered in the Apache documentation, and, according to svn, that was put in:

r369825 | slive | 2006-01-17

So we’ve known about it for a *long* time.

What I can’t figure out is whether it’s really not that big a deal, or if I’m dismissing the importance because I’ve known about it for so long. I’ve known for a *long* time that you can take down an Apache server with nothing more than a telnet client. You telnet to port 80, issue a partial HTTP request (the request line and a header or two, but never the blank line that ends the headers), bg the process, and then do it again.

The way the attack works is that Apache waits for the rest of the request until it hits the timeout (configurable with the Timeout directive). While it waits, the child process (or thread, depending on the MPM) handling that connection can’t answer any other inbound request. Unfortunately, by default, Timeout is set to 300 seconds. And Apache only has a finite number of processes available to take connections (configurable with MaxClients). So do that MaxClients times within Timeout seconds and, voilà, the server is no longer able to respond to inbound requests.

That’s essentially what the slowloris tool does, in a more automated fashion, with one refinement: it keeps sending another header line on each open connection every few seconds, so the read timer is reset and the connections never reach Timeout at all.
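To make the mechanics concrete, here is an added example (my code, not rbowen’s and not anything from the Apache project): a toy server that mimics the two httpd settings that matter here, Timeout and MaxClients, a client that measures how long a server holds a half-sent request, and a demonstration that MaxClients half-sent requests starve a legitimate client until Timeout frees a worker. The toy server, the loopback port and the header lines are constructed for the example; measure_header_timeout itself can be pointed at a real server to check its effective Timeout.

```python
import socket
import threading
import time


class ToyHttpd:
    """Stand-in for a prefork httpd (constructed for this example): `max_clients`
    workers, each of which waits up to `timeout` seconds between reads of an
    incomplete request before giving up on the connection."""

    def __init__(self, timeout, max_clients):
        self.timeout = timeout
        self.slots = threading.Semaphore(max_clients)      # MaxClients
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                 # listening socket closed by close()
                return
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with self.slots:                    # block until a worker is free
            # Like httpd's Timeout, the limit applies to each read, not to the
            # request as a whole: any byte that arrives restarts the clock.
            conn.settimeout(self.timeout)
            buf = b""
            try:
                while b"\r\n\r\n" not in buf:
                    chunk = conn.recv(4096)
                    if not chunk:           # client went away
                        return
                    buf += chunk
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            except socket.timeout:          # gave up waiting for the rest of the request
                pass
            finally:
                conn.close()

    def close(self):
        self.sock.close()


def hold_partial_request(port):
    """Open a connection and send a request that is never finished (no blank line)."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\nX-a: b\r\n")
    return s


def measure_header_timeout(port, limit=10.0):
    """Seconds until the server gives up on a half-sent request, or None if it
    is still waiting after `limit` seconds. Works against a real httpd too."""
    s = hold_partial_request(port)
    s.settimeout(limit)
    start = time.monotonic()
    try:
        s.recv(1)                           # b"" (or a 408) once the server gives up
        return time.monotonic() - start
    except socket.timeout:
        return None
    finally:
        s.close()


def fetch(port, wait):
    """A legitimate client: complete request, gives up after `wait` seconds."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(wait)
    try:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return s.recv(4096)
    except socket.timeout:
        return None
    finally:
        s.close()


def demo(timeout=1.0, max_clients=2):
    """Returns (measured Timeout, reply during the attack, reply after it lapses)."""
    srv = ToyHttpd(timeout, max_clients)
    try:
        measured = measure_header_timeout(srv.port)
        # Occupy every worker with a half-sent request ...
        holders = [hold_partial_request(srv.port) for _ in range(max_clients)]
        # ... and a real client gets no answer until Timeout frees a worker.
        during = fetch(srv.port, wait=timeout / 2)
        after = fetch(srv.port, wait=timeout * 3)
        for h in holders:
            h.close()
        return measured, during, after
    finally:
        srv.close()


if __name__ == "__main__":
    measured, during, after = demo()
    print(f"server gives up after {measured:.1f}s; during attack: {during!r}; after: {after!r}")
```

The comment on settimeout is the part worth remembering: because the limit is per read, a client that sends one more header line before each expiry keeps its worker for as long as it likes, so a smaller Timeout only helps against clients that go completely silent.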

So, what to do about it?

Well, set Timeout lower, bearing in mind that Timeout is reset every time a packet arrives from the client, so a client that trickles a header line before each expiry never trips it. And use mod_evasive to limit the number of connections from one host. And use mod_security to deny requests that look like they were issued by this tool. However, that last one doesn’t really help, because it’s trivial to change the signature of the requests this tool sends.

On the other hand, this attack – or exploit, if you want to call it that – has been around for years, and hasn’t been a very popular attack vector. What this tool has done is not so much discovering an attack – we already knew about it – but let the larger number of script kiddies know about it. So presumably we’ll see it happen more often than we used to.

So, what to do about it longer term? Well, in Apache 3.0, or 2.4, with the event MPM and asynchronous I/O, it should be much less of an issue, though not quite a non-issue: the event MPM hands idle keep-alive connections off to the listener thread, but a connection that is still dribbling in its request headers still occupies a worker thread. Another of the *many* compelling reasons to upgrade to 2.4 just as soon as it releases – something else that I need to write more about in the coming days.

Additional resources:

Niq’s response
Apache security documentation
Slowloris website
mod_evasive

OS 3, CalDAV: update

In addition to Shep’s helpful comment, right after I posted my last entry I discovered that the settings at m.google.com/sync apply to the Exchange sync. Apparently the Exchange sync worked in OS 2.2, so there was no reason to upgrade at all, if I had just known that.

Of course, there are some nice additional features that I got, and it was only $10, but it’s rather irritating to me that I have to set up 10 different accounts to sync my 10 different Google calendars. That seems odd, to say the least.

Anyways, perhaps this is an enhancement that will come along shortly. Meanwhile, I’ll probably just keep using the Exchange connector.

OS 3.0 and CalDAV

I had one single motivation for upgrading my iPod Touch to OS 3.0 – CalDAV. According to very vague reports I had read before, it would “support CalDAV”, although the actual explanations of what that meant varied somewhat.

But iCal on the Mac started supporting CalDAV – actually allowing editing of CalDAV calendars – a while back, so I figured maybe the iPod/iPhone would too. And, hey, it’s only $10.

I found several conflicting instructions on how to configure CalDAV for Google Calendars. The best ones were here and here, suggesting that you set it up either as an Exchange account or a CalDAV account. While CalDAV seems more probable, the one that says to do it as Exchange is at Google. Weird.

Also, if you go to m.google.com/sync on your iPhone, you get a thing that lets you select which of your calendars you wish to connect to.

So far, sounds pretty good.

Yes, I said “which of your calendars.” I have a dozen calendars on my Google calendar account, because I share calendars with several people. It’s the only way to fly. But the iPhone seems to assume that I’ve only got one. As far as I can tell, it is syncing quite happily with one, but the other ones are being entirely ignored, despite what I configured on m.google.com.

Is this expected? I vaguely remember reading somewhere that I’d have to create a “new account” for each calendar, but that’s so completely ludicrous that I must have misunderstood, right? In that case, why would there be this tool at Google for saying what calendars I want to sync?

I *think* I have it set up right now, but now m.google.com says that my iPod hasn’t synced since yesterday at 15:46, so … apparently something is still not set up right.

So. Frustrating.

mod_rewrite misinformation

I wrote a book about mod_rewrite. Perhaps you have a copy. If so, thanks.

Additionally, I spend a lot of time on IRC (freenode.org, #httpd) answering mod_rewrite questions. And I speak at various conferences, frequently on the topic of mod_rewrite.

mod_rewrite isn’t, in fact, terribly difficult. However, it is made more difficult by two factors.

First, regular expressions are universally perceived as being difficult. Thus, even people who haven’t tried to learn about them already *know* that they are difficult, because someone else communicated this dread to them in a weird tribal-knowledge, rear-brain kind of way.

Second, and perhaps more damaging, is the ENORMOUS quantity of misinformation that exists online about mod_rewrite. If you search for a rewrite recipe to do X, you’ll find a hundred of them, and at least 75% of them will be Just Plain Wrong, while 20% of them will be either misleading, or confusing, or actually work, but do it in such a way that enormously obfuscates things to the point that nobody can understand what’s actually going on.

The other 5% will make the observation that the task in question doesn’t actually require mod_rewrite, but that there’s another, more efficient and simple, configuration directive that does exactly what is being requested. Such as Redirect, or SetEnvIf, or Alias, or UseCanonicalName.

I became interested in mod_rewrite primarily because of regular expressions. Having read Jeffrey’s marvelous book from cover to cover back in the first edition, and using regex extensively in Perl, I figured, how hard could it really be? The secret answer is, not very hard at all. But since people go pretty far out of their way to make it hard, I’ve been guaranteed a speaking spot at any conference I want to submit a paper to, because people say, Oh, mod_rewrite is HARD!! Lucky me.

So, once again, a huge thank you to Ralf for creating this beast.

I will now resume my eternal quest to find and gently correct all of the bad mod_rewrite examples out there on the web.