Using Google as a FREE origin pull CDN

There are a bucket load of posts on how to use Google App Engine (GAE) as a CDN, but many of them direct you to hosting static content on a Google server. For me that approach isn't practical: every time I did a WordPress update or plugin upgrade I would have to push an update to GAE… annoying!

Origin-pull is the future then: basically the server acting as a CDN pulls a copy of the original, caches it and serves that to clients. Updates on the main site are easy, just wait for the CDN to age out its cache or, if you are impatient, manually purge.

Over the weekend I stumbled upon SymPullCDN, a GAE app; it's a bit out of date so I've pushed a newer version to GitHub. I've made two changes: firstly updated to Python 2.7 (as per Google's recommendation) and secondly added a cron job to keep your GAE app snappy :)

Setting up your own copy is simple. Start by signing up for GAE and create a new "application"; mine's called mygaecdn.

Next get a copy of the Google App Engine SDK for Python, also known as GoogleAppEngineLauncher… install it :)

Once it's running, create a new application; give it the same name as the app you created on Google.

Take a note of the directory in which the application is being created; mine is Users/nick/Documents/GoogleAppEngine/mygaecdn

Next download this zip file which has the updated SymPullCDN files.

Delete everything from your Users/nick/Documents/GoogleAppEngine/mygaecdn directory and place the contents of SymPullCDN-master.zip in there.

Open app.yaml in a text editor and edit line 1 to replace *replace*me* with your application name, e.g.:

application: mygaecdn

Next open main.py in a text editor and edit line 21, replacing http://replace*me/ with your website, e.g.:

origin = "http://www.linickx.com/" 

Make sure you save both files and you are done!

Now, test locally in the GoogleAppEngineLauncher app before deploying to Google. Click the green "play" button and a GAE application will run on your local machine; the launcher shows which port it is listening on (mine was port 10080), so I can open a web browser to http://localhost:10080 – all things being equal you will see a copy of your website :)

If that works you're ready to deploy… hit the blue "deploy" button to push your app up to Google. When that's finished you should be able to visit mygaecdn.appspot.com… obviously yours isn't called mygaecdn!

Once the deploy is finished you have a GAE ready and willing to serve cached copies of your site.

What you do next will depend on your website. Me, I use WordPress and WP Super Cache, so I can simply enable the CDN feature in that.

You might have to install something, or change some URLs; whatever you do, just remember to only change links to static content such as CSS, JS or images – anything dynamic is likely to end in a world of pain.
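The origin-pull idea in miniature, as an added example (not SymPullCDN's code, nor anything from the original post): a cache that pulls from one configured origin, keeps objects for a TTL, supports the manual purge mentioned above, and refuses anything that is not a static object, which is the "only static content" rule. The `fetch` callable and the extension allowlist are assumptions.

```python
# Added example, not SymPullCDN's own code: a minimal origin-pull cache as the
# post describes, proxying only static paths, caching each object for a TTL and
# supporting a manual purge. `fetch` is an assumed callable returning
# (status, content_type, body) for a URL; `clock` is injectable for testing expiry.
import posixpath
import time
from urllib.parse import quote, unquote, urljoin, urlsplit

# Extensions treated as static; anything else is refused rather than proxied.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff"}

class OriginPullCache:
    def __init__(self, origin, fetch, ttl=3600, clock=time.time):
        self.origin = origin.rstrip("/") + "/"   # e.g. "http://www.linickx.com/"
        self.fetch = fetch
        self.ttl = ttl
        self.clock = clock
        self.store = {}  # normalised path -> (expires_at, status, content_type, body)

    def normalise(self, request_path):
        """Return a safe origin-relative path, or None if it must not be served."""
        parts = urlsplit(request_path)
        if parts.scheme or parts.netloc or parts.query:
            return None  # absolute URLs (open-proxy risk) and query strings are not static objects
        # Decode, then collapse any ../ so the request can never escape the origin root.
        path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
        if posixpath.splitext(path)[1].lower() not in STATIC_EXTENSIONS:
            return None
        return path

    def get(self, request_path):
        """Serve from cache while fresh, otherwise pull from the origin and cache a 200."""
        path = self.normalise(request_path)
        if path is None:
            return 403, "text/plain", b"only static content is proxied"
        hit = self.store.get(path)
        if hit and hit[0] > self.clock():
            return hit[1:]
        status, ctype, body = self.fetch(urljoin(self.origin, quote(path.lstrip("/"))))
        if status == 200:
            self.store[path] = (self.clock() + self.ttl, status, ctype, body)
        return status, ctype, body

    def purge(self, request_path=None):
        """Manual purge for the impatient: one object, or everything when no path is given."""
        if request_path is None:
            self.store.clear()
        else:
            self.store.pop(self.normalise(request_path), None)
```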

FOOTNOTE: The term CDN is used loosely in this blog post; GAE is more of a content off-load. IMHO a CDN should serve you geographically-local content, but all my tests on webpagetest showed all my content coming from Google-USA. Not that it is really a problem, as their servers are still rocket-quick :cool:

OS X: Sync’ing keychains in the iCloud

Keychains hold passwords, certificates and general secret stuff – only do this if you understand that Apple will have access to this…. well, assuming they can crack your keychain password (which they probably can).

Synchronising a keychain across Macs could be useful, for example having a dedicated keychain for WiFi credentials.

I stumbled across this link (dated Nov 2011) and found that this still works!

The ~/Library/Mobile Documents/ folder is pushed to all iCloud-enabled computers, so I have created a new folder and copied my WiFi keychain into it:

$ mkdir ~/Library/Mobile\ Documents/com~linickx~icloud
$ cp ~/Library/Keychains/wifi.keychain ~/Library/Mobile\ Documents/com~linickx~icloud/

If you only have one keychain, login.keychain, consider splitting out the really secret stuff and only sync'ing the stuff you want to share with Apple.

Now open “Keychain Access”, delete the original keychain and add/open the iCloud copy. On any other Mac, add/open the iCloud keychain. Once complete, any change to the keychain will be pushed to all Macs, simplifying password changes :)

I’m also using this to sync dotfiles!

You could use Dropbox for this; one reason to use Dropbox is that iCloud sync seems to be a bit hit and miss. However, Dropbox already have enough of my secrets; I'm not suggesting that iCloud is more secure, it's just better to have many baskets.

FOOTNOTE: If your mobile documents folder isn’t sync’ing, see this post by SteveX.

Cisco.com & Wget

Ever since Cisco updated their website (you know, like a year ago), I've struggled to find a way to wget software onto a box.

This week I found a bodge using Firefox. Sign into cisco.com and go through the normal process, accepting agreements and beginning the download.

Once the download starts, pause it… right-click and copy the download link:

Copy link from downloads

Then from your terminal/Linux box, you can paste the URL into wget:

wget -O ise-1.1.3.124.i386.iso "https://secure-us.esd.cisco.com/files/swc/sec/4_SDSP_59/bah/bah/ha?uid=linickxdotcom&key=go"

- Quick gotcha alert: the link you paste must be in speech marks/double quotes, otherwise the shell treats the & in the URL as a command separator and the full URL will not reach wget.

OS X: anonymous ftp directory on Mountain Lion

Pretty much every Google search I tried landed me on a Mountain Lion Server page; given I'm using normal Mountain Lion on a MacBook, the results were not much use!

I use FTP to transfer images to various appliances, firewalls, proxies etc., so for speed and simplicity I need anonymous FTP. The default home directory on 10.8 for anonymous FTP is /var/empty, which is a special directory I didn't want to tamper with; once I found the right stuff in the man page, changing the home of the anonymous FTP user wasn't actually that hard…

To get started, in case you need it, the command to start the FTP service is:

sudo launchctl load /System/Library/LaunchDaemons/ftp.plist

and to stop:

sudo launchctl unload /System/Library/LaunchDaemons/ftp.plist

The config file is /etc/ftpd.conf, mine looks like this:

# match umask from Mac OS X Server ftpd
umask all 022
chroot GUEST /Users/linickx/ftp
modify guest off
umask  guest 0707
upload guest on

As you can see, I have changed the home directory of my anonymous user to a folder called ftp inside my home directory.

Now, there's some special security stuff you can do to that folder; see man ftpd for full details, but this should do you as a minimum:

~ftp          Make the home directory owned by "root" and unwritable by anyone.

~ftp/pub      This directory and the subdirectories beneath it should be owned by the users and groups responsible for placing files in them, and be writable only by them (mode 755 or 775). They should not be owned or writable by ftp or its group.

~ftp/incoming This directory is where anonymous users place files they upload. The owners should be the user "ftp" and an appropriate group. Members of this group will be the only users with access to these files after they have been uploaded; these should be people who know how to deal with them appropriately. If you wish anonymous FTP users to be able to see the names of the files in this directory the permissions should be 770, otherwise they should be 370.

The following ftpd.conf(5) directives should be used:

modify guest off
umask guest 0707
upload guest on

This will result in anonymous users being able to upload files to this directory, but they will not be able to download them, delete them, or overwrite them, due to the umask and disabling of the commands mentioned above.
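A quick audit of those recommendations, as an added example that is not part of the original post: it checks the modes of ~ftp, ~ftp/pub and ~ftp/incoming under the chroot directory from ftpd.conf, and separately the ownership rules (root owns ~ftp, the anonymous account owns incoming but not pub). The anonymous account name "ftp" is an assumption and can be overridden.

```python
# Added example, not from the original post: audit an anonymous-FTP root against
# the ftpd(8) recommendations quoted above. ROOT is the chroot directory from
# ftpd.conf (/Users/linickx/ftp in the post); the ownership checks assume the
# anonymous account is called "ftp" (an assumption, override via ftp_user).
import os
import pwd
import stat
import sys

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def mode_bits(path):
    """Permission bits only (no file-type bits), e.g. 0o755."""
    return stat.S_IMODE(os.stat(path).st_mode)

def owner_name(path):
    return pwd.getpwuid(os.stat(path).st_uid).pw_name

def check_ftp_modes(root):
    """Permission checks; returns a list of findings, empty when compliant."""
    findings = []
    m = mode_bits(root)
    if m & WRITE_BITS:  # ~ftp: unwritable by anyone
        findings.append(f"{root}: mode {m:o} is writable; ~ftp must have no write bits")
    m = mode_bits(os.path.join(root, "pub"))
    if m not in (0o755, 0o775):  # ~ftp/pub: writable only by its owners
        findings.append(f"{root}/pub: mode {m:o}; expected 755 or 775")
    m = mode_bits(os.path.join(root, "incoming"))
    if m not in (0o770, 0o370):  # ~ftp/incoming: 770 listable, 370 blind drop
        findings.append(f"{root}/incoming: mode {m:o}; expected 770 or 370")
    return findings

def check_ftp_owners(root, ftp_user="ftp"):
    """Ownership checks; only meaningful on the real FTP host."""
    findings = []
    if owner_name(root) != "root":
        findings.append(f"{root}: should be owned by root")
    if owner_name(os.path.join(root, "pub")) == ftp_user:
        findings.append(f"{root}/pub: must not be owned by {ftp_user}")
    if owner_name(os.path.join(root, "incoming")) != ftp_user:
        findings.append(f"{root}/incoming: should be owned by {ftp_user}")
    return findings

def check_ftp_layout(root, ftp_user="ftp"):
    return check_ftp_modes(root) + check_ftp_owners(root, ftp_user)

if __name__ == "__main__":
    problems = check_ftp_layout(sys.argv[1] if len(sys.argv) > 1 else "/Users/linickx/ftp")
    print("\n".join(problems) or "layout OK")
```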

Happy FTP Everyone!

wireshark xquartz osx (mountain lion) – crash on start

If (like me) you have just installed Wireshark and XQuartz at the same time, you'll notice that after completing both installations Wireshark will crash and not start up properly.

The Wireshark forum shows that if you run Wireshark from the command line you get this error:

(process:1234): Gtk-WARNING **: Locale not supported by C library.
    Using the fallback 'C' locale.

(wireshark-bin:1234): Gtk-WARNING **: cannot open display:

… for which there are a couple of workarounds, such as setting your DISPLAY variable or opening Wireshark from within an XQuartz terminal window.

The actual fix was found here; notice the log out after installing… by simply logging out and back in again my Wireshark now loads without any nasty workarounds.

Hope that helps!

OS X: Mediatomb (launchd) .plist file for automatic start up.

Inspired by this, but better ;)

So now I have got MediaTomb working, I've started on my own StartupItem so that it loads at boot time. The reason it is better is that you can start and stop MediaTomb via launchctl.

I saved the plist below as /Library/LaunchDaemons/com.linickx.mediatomb.plist.

To start:

sudo launchctl load /Library/LaunchDaemons/com.linickx.mediatomb.plist

To stop:

sudo launchctl unload /Library/LaunchDaemons/com.linickx.mediatomb.plist

Happy Days!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>  
	<key>Label</key>
	<string>com.linickx.mediatomb</string>
	<key>ProgramArguments</key>
	<array> 
		<string>/usr/local/bin/mediatomb</string>
		<string>-e</string>
		<string>en0</string>
		<string>-P</string>
		<string>/Users/nick/.mediatomb/mediatomb.pid</string>
		<string>-p</string>
		<string>49152</string>
	</array>
	<key>UserName</key>
	<string>nick</string>
	<key>ServiceDescription</key>
	<string>Run MediaTomb at boot</string>
	<key>RunAtLoad</key>
	<true/>
	<key>Nice</key>
	<integer>20</integer>
	<key>KeepAlive</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/Users/nick/.mediatomb/error.log</string>
	<key>StandardOutPath</key>
	<string>/Users/nick/.mediatomb/output.log</string>
</dict>
</plist>

OS X: PS 3 Media Server service for start at boot (launchd)

Given the popularity of the Playstation 3 Media Server (PSM), I'm a bit confused as to why I struggled to find a good solution to this… PSM does not come with a Mac service for running it at boot time; there is a Windows service and some stuff for Linux if you google, but the best effort I could find for OS X was a bodge via SSH!

This is my best effort so far; it's not perfect but it's a start. Below the more link is a launchd .plist file which, if you place it in /Library/LaunchDaemons/, will start PSM at boot time, well kinda.

The catch is that a user needs to log in; any user will do. The process will run as the user defined in the .plist file, but since PSM requires some kind of windowing libraries it simply will not start until a user logs in!


OS X: Converting videos but keeping the timestamp

I got a new computer, w00t! My family like to use the point-and-click camera for ad hoc videos whilst we're out and about; the thing is it's very old and records in a rubbish AVI format which consumes massive amounts of disk space, b000!

After a bit of googling I wrote the script below; it'll search through your disk and find AVI files, check that the file extension is .AVI and then convert each one to .mp4. For bonus points it'll change the timestamp of the mp4 to match the AVI so that it'll import into iPhoto albums nicely.

#!/bin/bash
# Split find's output on newlines only, so paths containing spaces survive the loop
export IFS=$'\n'
for i in $(find ./ -type f -name '*.AVI')
	do
		# Belt and braces: only act on files whose extension really is .AVI
		if [ "${i: -4}" == ".AVI" ]
			then
			echo "Converting $i"
			# Keep the original if ffmpeg fails, rather than deleting it below
			if ! ffmpeg -i "$i" -s 480x320 -aspect 4:3 -b 768k -ab 64k -ar 22050 -r 30000/1001 "${i%.AVI}.mp4"
				then
				echo "ffmpeg failed on $i, keeping the original" >&2
				continue
			fi
			sleep 5
			# Modification time of the AVI as YYYYMMDDhhmm (%M is minutes; %m would repeat the month)
			TSTAMP=$(gls -l --time-style=+%Y%m%d%H%M "$i" | awk '{print $6}')
			# Give the mp4 the same modification time so iPhoto files it in the right album
			touch -mt "$TSTAMP" "${i%.AVI}.mp4"
			sleep 5
			rm -f "$i"
		fi
	done

Quick Note: gls is the GNU version of ls, not the built-in BSD/Mac version; you get it via Homebrew (brew install coreutils).

Cisco ISE, Android: 'network setup assistant' unable to detect server

The title should just about cover it: ^that^ is the error message I saw when trying to provision an Android tablet using Identity Services Engine.

The answer is hidden on page 36 of the provisioning guide; you see that HTTP request there…

The client software sends an HTTP request to its default gateway, which for me was the Cisco WLC (Wireless LAN Controller). What is supposed to happen is that the HTTP request is redirected to the ISE, BUT that will only happen if the ACL pushed down blocks it.

So block HTTP to the IP address of the WLC; assuming that you are sending the correct AV pair down, the WLC will redirect the Android to ISE and the rest of the provisioning process should work.

It took me ages to find that, hopefully this will help you!

Checkpoint, Gaia, TACACS – two lines of config

If you have a Check Point firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as opposed to an encrypted file of usernames & passwords which gets passed around the office):

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server 10.10.10.10 key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate by TACACS they become a super user; if you need different roles, read up on "role based administration", TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4; the default TACACS "default device administration" profile works with no changes.
  • This is TACACS authentication only; authorization is handled by the local RBA.