

Pre-processing with PHP

5 09 2010

For me, including snippets of PHP code within my web-pages has always been a given. To the extent that it sometimes comes as a surprise to me when someone asks me how to do it. Doesn’t everyone already know? :-D

What most people trip up on is expecting PHP to only operate on files with a .php suffix. Nothing wrong with this so far as it goes, but I prefer my web pages to have .html suffixes. The fact that I choose to embed chunks of PHP inside my pages needn’t be visible to the end-user. Or rather, viewer. So how do I do it?

Well, it couldn’t be easier, really.

But first, a small refresher on how PHP embeds itself into web pages anyway. I use Apache but all HTTP Server software will work in much the same way.

The file Apache uses as its configuration file is invariably called httpd.conf. Its location may sometimes be a little obscure, dependent on what OS it is residing on – on my Red Hat servers (well CentOS, anyway!) it is found in /etc/httpd/conf/. Caveat: some Ubuntu distros seem to want to call the file apache2.conf – but you shouldn’t have much trouble figuring that out, especially if you remember that GIYF (Google Is Your Friend) :=LUV

Anyway, a well-behaved PHP install will create or amend something like the following entries in said configuration file…

<IfModule dir_module>
    DirectoryIndex index.php index.cgi index.html index.htm
</IfModule>
.
AddHandler test/html .htm .html
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
.
LoadModule php5_module libexec/apache22/libphp5.so
.
.

In brief, PHP has told Apache to

  • Accept index.php as a valid directory index file. It is now the same as index.html in that respect.
  • Use the declared PHP MIME-type as the processing agent any time it processes a file with a .php suffix.
  • Load the PHP module that does all this good stuff.

OK, so at this stage, a file called, say, example.php will be correctly processed and served by Apache. But I want ALL my .html files pre-processed by PHP. Simples.

AddType application/x-httpd-php .php .htm .html
AddType application/x-httpd-php-source .phps

After saving these changes, checking no silly typos were accidentally entered into the config file…

root: apachectl -t
Syntax OK

…and then restarting Apache

root: apachectl graceful

Upon which, all things being equal, PHP will pre-process all .htm and .html files. Obviously, there is an overhead in doing this but you’d have to be running a seriously hard-run site before this became an issue. Do remember, after all, that PHP has been highly optimised to integrate into HTML and I’m willing to bet you’ll not notice a difference in page load times (the time taken to download images will far outweigh any time spent by PHP doing its stuff).

Finally, note that AddType and AddHandler ARE different! As a very rough rule of thumb, I try and use AddType exclusively. FWIW, the difference is that AddHandler directives tell Apache how to handle file types and AddType directives tell Apache how to handle the contents of files. Any clearer? No, thought not. As I said, try and use AddType directives exclusively and you’re not likely to go far wrong.




sshd versus the script-kiddies

11 04 2010

Up to now, I’ve been mildly amused at the attempts of script-kiddies to break into one of my servers. I’ve no idea why they are targeting that one specific server – it’s an important one to me but then, all my servers have that category. What with my regime of backups and replication, it’s a particularly easy one for me to rebuild.

Not that it will ever come to that. I do use strong passwords.

Nevertheless, I think it’s reached a stage where I have better things to do than watch my logs autorotate. Like the majority of my Systems Administration peers, I’ve decided to opt for the superior protection of RSA or DSA keys, rather than rely on passwords.

A few pre-requisites. I only access this server via ssh. All other services are turned off. So the script-kiddies were always on to a hiding to nothing anyway. I access the box mostly from a Windoze workstation – so I use PuTTY for command line access and WinSCP for file transfer.

The beauty of this is that I can use the extremely easy PuTTYgen to create my public key/private key pairs.

PuTTYgen allows me to create both the Public & the Private keys that I need for this hardening exercise. The Private key I hide away in a safe location on my workstation. I like to use Truecrypt volumes or similar schemes for this side of things. The Public key needs to be moved to my server. Sometimes this is the hardest bit to achieve! But in this case, I already have sshd running, albeit with password access, so I can use WinSCP to get the key across.

Under FreeBSD (and pretty much most other main-stream distros) the key is in ~/.ssh and is called authorized_keys. As I only have the one key all I need to do is rename the Public key accordingly and then [IMPORTANT]set its permissions to 644[/IMPORTANT]

Now, to enable key-based authentication, I need something like the following in the system /etc/ssh/sshd_config file.

Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 30
UsePAM no
AllowUsers user1 user2 user3 user4 user5
DenyUsers root {all other userids in /etc/passwd}
Port 12345

  1. Force use of SSH 2 – much more secure.
  2. Don’t allow passwordless root logins. In fact, I don’t allow root to login at all – see DenyUsers.
  3. Don’t allow passwords at all. For anybody. It’s all keyfiles for this server.
  4. I don’t use skey type authentication. You probably don’t either.
  5. Lines 5 & 6 – stop non-responding connections from clogging up the system.
  6. These will timeout and closedown any such attempts.
  7. PAM can bypass ssh login settings. Unless this line is set.
  8. The next two lines only allow those users specified to use ssh to login. Everyone else is banned. In particular, root.
  9. In fact, DenyUsers has precedence over AllowUsers. So be a bit careful about overlaps.
  10. Finally, some obscurity to back up my security – use a non-standard Port.
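
As an added example (not the author's code), this Python sketch audits an sshd_config against the settings listed above, including the AllowUsers/DenyUsers overlap mentioned in point 9. It assumes literal user names (no wildcard or user@host patterns) and ignores Match blocks; the function names and the sample text are constructed for illustration.

```python
# Keyword (lower-cased) -> value set in the post's sshd_config.
EXPECTED = {"protocol": "2", "passwordauthentication": "no",
            "challengeresponseauthentication": "no", "usepam": "no"}
LISTS = ("allowusers", "denyusers")  # keywords whose arguments accumulate

def parse(text):
    """Parse the global section of an sshd_config into (single, lists)."""
    single, lists = {}, {k: [] for k in LISTS}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":  # simplification: Match blocks are not evaluated
            break
        if key in lists:
            lists[key].extend(args)
        else:
            single.setdefault(key, " ".join(args))  # sshd keeps the first value
    return single, lists

def audit(text):
    """Return findings; an empty list means the post's policy is met."""
    single, lists = parse(text)
    findings = []
    for key, want in EXPECTED.items():
        got = single.get(key)
        if got is None:
            findings.append(f"{key}: not set, the built-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', the post sets '{want}'")
    # without-password still admits root with a key; 'no' or DenyUsers blocks it.
    root_ok = single.get("permitrootlogin", "").lower() == "no"
    if not root_ok and "root" not in lists["denyusers"]:
        findings.append("root: can still log in with a key")
    if not lists["allowusers"]:
        findings.append("allowusers: empty, no allow-list is enforced")
    # DenyUsers is checked before AllowUsers, so a name in both is denied.
    for user in sorted(set(lists["allowusers"]) & set(lists["denyusers"])):
        findings.append(f"{user}: in AllowUsers and DenyUsers, will be denied")
    return findings

# Constructed sample: the post's settings, with user3 denied by mistake.
SAMPLE = """\
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AllowUsers user1 user2 user3
DenyUsers root user3
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live server, `sshd -t` checks the file for syntax errors before the daemon is restarted.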

A few notes before re-starting the sshd daemon, which will activate all this.

It might be an idea to open up Telnet access just while this is being tested. A small mistake here can lock you out of your server until a friendly, local SysAdmin can get at the server and correct the errors for you. Très embarrassing! Telnet means you can fix your own mistakes. Just don’t forget to turn it off again when you’re happy with your ssh set-up.

As I have said, I use PuTTY for CLI access and WinSCP for file transfer. All I have to do is amend these to use the keyfiles and the ports I have specified and as far as my perception of things is, I just log in as before (umm, I suppose I do have to type in a rather longer passphrase rather than a password – but that’s the only change I see)

So, in order of security, more or less, I have

  • Obscurity – I use a non-standard Port. If a script-kiddie does discover it, I can change it quite easily.
  • If the Black Hat does discover the Port I am using, he then has to work out what userids are allowed to login
  • …at which point he has the problem of cracking a very powerful asymmetric key mechanism. If that’s you, the NSA want to hear from you!
  • I also have numerous rules set up in the TCP Wrappers’ hosts.allow file. So there is plenty of scope to trip up there and have the connection aborted
  • And finally, I use Packet Filter combined with sshguard-pf just in case.

If there is any overkill in here I don’t really care. It’s all pretty easy to set up and in the few days I have been running this configuration, my logs have reported that hacking attempts have dropped from several thousand attempts per day to a big, fat zero.




X11 rgb.txt Colours

18 10 2009

Despite all the clever-clever Colour Studios and Colour pickers out there, I always have trouble deciding what colours to use in any particular theme. It never used to be this bad – Web-safe colours were the norm (all 216 of ‘em!) and before that, UNIX X11 windowing systems relied on a simple flat file called "rgb.txt" – which is still distributed with modern Linux distros today.

So I figured that if I looked, I would find a .css file of these X11 colours, ready for me to pick’n’choose some well-known favourites such as cadetblue or indianred. I am used to cut’n’pasting rather than using fancy IDEs, so although I do use Dreamweaver, I certainly don’t use all of its cleverer functions – one day maybe.

But a search failed to find any such file. It’s not surprising on reflection, as it really is of limited use – a .css file that size would simply slow the whole page load process down to a crawl – something Internet Explorer users already seem to find tolerable but us Firefox, Chrome, Opera and yes, Safari users certainly don’t.

Anyway, to cut a not-very-long story to a really-short story, I grabbed hold of a copy of an rgb.txt file and, with a few swift typically-arcane commands in vi, my favourite UNIX editor, I ended up with a humungous .css file containing all the X11 colours as simple class entries for both color: and background-color: properties.

And here it is…

As is ever the case, I did have some trouble with IE8 – it simply didn’t want to display the .css content the way I wanted to display it. So although the production of the file was a matter of minutes at most, I probably took over two hours to produce the page describing it! That’s the way the Microsoft biscuit crumbles I guess.

Anyway, I want to return to font handling now – the world has changed since my last post on this…




Datejs Javascript library

1 11 2008

Whilst idly browsing the ‘web, I came across http://www.datejs.com/ – a JavaScript library which, despite being an alpha release, looked remarkably useful and already has a thriving support forum. It’s taken me no time at all to install it and write a small piece of code that calculates the date of the next Stir-up Sunday, as a test case.

And that piece of code is now installed and working in my Christmas Pudding recipe page – that should ensure it is always up to date. The source of that page shows how simple and intuitive to use this library is. Well, reasonably intuitive, anyway.

I expect I’ll be working with this library a lot more, altho’ PHP is still my first choice for non-interactive web page code, as I am more familiar with it.

Incidentally, I had to do a fair bit of investigation as to when Stir-up Sunday actually occurs – originally, it was the 25th Sunday after Trinity Sunday, which is a floating date based on Easter. But, in typically archaic language, the Church declared that it could be moved closer to Advent if necessary – its intention was to prepare the great unwashed for the season of Advent, which is a fixed date and begins four Sundays before Christmas.

Note that the 25th Sunday after Trinity Sunday fell on 9th November this year, due to Easter having occurred very early in the year. A long time before Advent, that’s for sure, and I suppose one of the reasons why the modern Church allowed the date to be tagged to Advent rather than Easter.

Anyway, most authorities have it that Stir-up Sunday occurs on the Sunday before Advent.

But there is certainly a lot of confusion about the calculation. For instance, some information sites are quoting the 30th November as Stir-up Sunday for 2008. But that is the first day of Advent. I seek further enlightenment, but until I receive it, I believe such sources are plain wrong.




Embedding Images in WordPress

11 08 2008

When I first created this blog, my un-optimized MySQL installation very quickly barfed and I had to re-compile and re-install it.

As it was brand-new, all that happened was that I lost my first few posts. I am now taking the time to re-write this particular one.

I really don’t get on with the WordPress Way of adding images to my posts. I’ve written a number of PHP functions that allow me to easily enter image data into my HTML with, for me, great ease. I therefore decided to create a similar function to allow me to insert images into my blog posts. And thus blotto was written. The clever-clever name is a sort of corruption of “blog-photo”.

This extremely simple function allowed me, thanks to the excellent Exec-PHP plug-in, to insert a pre-prepared thumbnail image of a photo and hook into Lightbox (another excellent plug-in) to display the full-size image. And to achieve this, all I needed to do was insert a single line of code in my post…

<?php blotto("Charlies_rear"); ?>

And hey presto! I get

It really didn’t take me very long to realise that I needed a number of variants of this function – and so I ended up with the following four routines.

  • blotto – (blog-photo) Insert a lightbox’d photo in a post
  • flickr – provide a link to a flickr set
  • blink – (blog-link) Provide a graphical link to a web-page, internal or external
  • baphic – (blog-graphic) Display a picture. That’s all

And so I re-wrote my blog_functions.php file to include these functions. And I also wrote a full set of documentation.




Font-embedding in web pages

25 07 2008

This is an update on my earlier page, describing my experiences with True Font Family.

Remon Lammers, the author, has now released version 1.4 of this product, and it is a significant improvement on version 1.0 – faster, cleaner and if possible, even easier to use. One of the major improvements to it as far as I am concerned, is that it is now as easy to use in Opera as in the other major browsers.

Remon is already working hard on WebfontZ, the successor to TFF. If he keeps up this rate of progress, then I forecast and hope that this will be a highly successful product (especially if he keeps the cost at the altogether too reasonable price he charges for TFF). WebfontZ has been advertised around the font-oriented web forums since February and I had wondered if it was going to just be vapourware. But no, Remon will, I’m sure, make it a truly professional and useful product in very short order.

A beautiful feature of this product is that it integrates quite seamlessly with font-aware browsers (currently, that’s just the Webkit-engined Safari as far as I am aware) – developers can use TFF/WebfontZ now and not have to worry about having to change their code if as and when their favourite browsers also become font-aware – Remon’s product will continue to work quite happily and most importantly, swiftly.

One well known alternative to this product is sIFR, a Flash-based product that I’m afraid I found quite difficult to install and use. And Flash is a bit heavy on resources. But still, YMMV – personally, I’m sticking with True Font Family/WebfontZ.




Apache Rewrite Directives

24 06 2008

I recently had to make use of Apache’s rewrite module in order to alter the behaviour of my site. In summary, I needed to a) remove the www. part of the URL if it was specified, b) insert a trailing slash if it was needed and c) stop hot-linkers abusing my bandwidth.

mod_rewrite is viewed as arcane and voodoo by many (umm, most?) administrators but in fact it is reasonably straightforward to use, especially the simple tasks I needed it for.

I’ve documented what I did and why here as I rather hope it will be useful to some of you out there.




Firefox 3 – K9 BLX

18 06 2008

I’ve downloaded and installed Firefox 3 and so far, I’m mightily impressed. It’s blindingly fast and renders all my own pages perfectly, as far as I can tell.

I’ll be even happier when all my beloved add-ons and themes are brought up to date but then, that’s down to the relevant developers – I can easily manage without for now.

The download was fast, the install was completely painless – for such a major component of anyone’s Web experience, that is not something to be sneezed at by any means.

I highly recommend this browser.

Download it now from here and make it your default browser today!




Rococo CSS Font-faces

14 06 2008

I have been playing with True Font Family quite a lot and have now set up a demo page for my pleasure and amusement.

I already use TFF for all the headers I use (the font is Tempus Sans ITC, for those who may be interested.) But I want to try and push the limits of this a bit. My demo works fine on Firefox and Safari, pretty much works on Internet Explorer (after a certain amount of faffing around) and fails miserably on Opera. Which is a slight surprise, as TFF generates the Tempus headers quite happily – it simply refuses to render the content. TFF’s author is a very helpful guy so I will contact him and no doubt receive an explanation and a fix in short order.

One reason I am doing this is that the web world is about to undergo a huge sea-change – Apple’s Safari browser uses Webkit as its rendering engine. And Webkit is already able to use downloadable fonts. So it is only a matter of time before Opera (Presto) and Firefox (Gecko) join in the fun. I don’t suppose Internet Explorer will be in any great hurry to adopt this feature anytime soon.

More on @font-face information can be found at Qodo and at css3-info – now get ready for a deluge of eye-wateringly bad web layouts, font copyright infringement accusations and general fun and mayhem!

My demo is here – altho’ I already feel the need for a more in-depth, technical demo once I’ve wrapped my head around everything that is going on where font handling is concerned.




MySQL Installation on FreeBSD

12 06 2008

I have already mentioned that I had an inordinate amount of trouble installing and configuring MySQL on my FreeBSD Virtual Server.

I have therefore taken the time to set up a short web-page listing my session details, which’ll act as an aide-memoire for me for the next time I have to re-install it! And you never know, someone out there might find it useful*

The page is here

*I searched all over the ‘net, including Usenet groups, for definitive help on this issue – whilst I found lots of tips and hints, I couldn’t find anything that specifically solved my problem. That’s the first time in a long, long time that I’ve experienced failure like that.






