RSS feed for InstantSpot site Blog of Dave

Create SSL sites in Apache on Windows with OpenSSL

Fri, 13 Nov 2009 03:47:33 GMT

To get a secure SSL site up and running on Apache under Windows, there are a few hoops to jump through that are not very intuitive. To that end, I am going to document my approach to setting up SSL using OpenSSL. This approach assumes that you already have Apache up and running on your machine, so if you have not done that, head over to the HTTPD download page and set that up before continuing.

Setting up OpenSSL
First we need to get OpenSSL setup on our system, which is not included with the Apache Windows binaries. In fact the OpenSSL project doesn't even provide the binaries themselves, but you can find them at Shining Light Productions. For this example, I will be choosing the Win32 OpenSSL v0.9.8k Light version. If you see a message like the one below, you will need to install the Microsoft Visual C++ 2008 Redistributable Package and then attempt the OpenSSL installation again.

Once you have it installed, you can do a quick test to make sure that it is set up properly:
Creating Certificates
Next, we will use the OpenSSL terminal interface to create our self-signed certificates. To explain a bit about what is going on below, I have a site already existing on my system that can be reached at http://scribble. What we are doing is creating a secure subdomain of https://secure.scribble. Typically when I create certificates, I name the files with the host/domain obvious so that they can be easily identified later. Obviously you will want to replace the domain name to match your setup, but type the following in the terminal in the OpenSSL/bin directory:

[codeblock 433]

That will generate what you see below.

You may notice that I left a lot of the prompts blank. Considering this is a dummy certificate in a development environment, that approach makes sense. You may choose to be more explicit based on your needs.

If we were to use this key as it is, we would be prompted for the password every time that Apache starts. Since that is less than ideal, we will now generate a non-protected key from the one we created in the previous step by typing the following:

[codeblock 434]

You can see that I was prompted for a pass phrase. This is the same password that you created when we generated the certificate above.

Now we need to need to build the certificate that we will actually import into Apache. You can do so by typing:

[codeblock 435]

This will result in the following output:

You can see that we now have a .cert, .csr, .key, and .pem file for our domain. We will use a combination of the .key and the .cert
Configuring Apache
Now we need to make sure that your Apache server is ready to serve SSL requests.

First, let's put the .key and .cert files that we created above into a directory under Apache. In your "conf" directory, create a subdirectory named "ssl" and move secure.scribble.key and secure.scribble.cert into that new directory.

Next we need to make sure that the mod_ssl module is enabled. Open up the httpd.conf file for your Apache webserver. Search for "mod_ssl" and you should find a line that looks like this:

Yours will likely be commented out with a '#' sign in front of the line. You will want to delete that '#' so that it looks like the highlighted line above.

Next you will need to make sure that you have uncommented the line that includes the httpd-ssl.conf file like you see below:

The last thing we need to do is configure our site. Open up the conf/extra/httpd-ssl.conf file in an editor. You will see that there is an amazingly huge and complex site definition in there already that starts with and ends about 150 lines later with . We need to disable this site. If you are feeling bold, you can simply delete it. However, I take the approach of commenting it out entirely so that I still have it as a reference, which is my recommendation as well. Starting with the line , put a '#' at the start of every line that doesn't already have one and continue until you comment out the line.

Now it is finally time for us to create the site definition for our https://secure.scribble site. We will use some of the concepts in the example, but eliminate most of them. Here is what mine looks like after paring down all the excess:
[codeblock 436]

In that code you can see where we are pointing to the .key and .cert files that we created above.

Now, restart your Apache server and you are now serving up securely!

Talking through some current issues with ColdFusion Event Gateways

Mon, 09 Nov 2009 16:28:07 GMT

Normally on my blog I attempt to throw out some tip, trick, or nugget of some sort. This time? Not so! I am currently trying to find a solution to a problem at hand and am brainstorming the best way to handle a few things. I am really just talking this out for my own benefit, but I would love to hear thoughts from others that have perhaps solved similar issues.

On a project that I am currently engaged in I am leveraging ColdFusion Event Gateways which work as a subscriber to a SonicMQ JMS server. My gateway instance listens for messages on the ESB (Enterprise Service Bus) on a particular destination name (topic/queue). When it receives a message, it parses the XML that it received, and plays traffic cop pushing data into various services that need it. I have this working flawlessly in my small development environment. However, I have a couple of complexities ahead of me that I am having difficulty coming up with a good solution.

Running in the cloud - Our production environment will have any number of CF instances, not clustered, but rather running as isolated applications with a load balancer directing the requests using sticky sessions. Our system will be bringing new instances on/off line as traffic traffic dictates. I have yet to solve the issue of how to set up my JMS Event Gateway in this environment. I definitely don't want 20 different listeners out there all doing the same work. I have considered the idea of having some sort of a support database where a listener can insert a row with a specific JMS message ID and when any other server picks up a message with that ID it will see that it is already being acted upon and it can safely ignore it. There are a couple of negatives that I can see right off the bat. First is that every single subscribed instance will have to pull in the same message and test to see whether or not it should be acted upon. It just seems like a little bit of redundancy that shouldn't be there. Secondly, there is a chance that two servers could pick up the same request within milliseconds of each other and both could end up doing the work. Duplicate processing could not only be wasteful, but could also create some data integrity issues.
Different environments have different settings (dynamic config) - Right now in our development phase, we have a single config file with setting specific to our development JMS server (credentials, domain, URL, Initial Context Factory, etc). However, soon I will need to have this process support a number of different environments: multiple dev environments, multiple integration environments, multiple QA environments, and eventually production. Ideally it would be wonderful if I could find some way to load a specific config into the event gateway at server init time, but as of today I have _NO_ idea how to solve this one. First, there is no real intrinsic indicator at the server level that lets it know what environment is currently running (yet anyway...) and secondly, ColdFusion event gateway architecture isn't conducive in any way to dynamically loading a specific config.

So now I am counting on you CFML community. Help me brain storm on this! Do you have any thoughts/ideas that might help me here?

A linux guy's experience with Windows 7

Mon, 19 Oct 2009 13:58:00 GMT

Anyone who knows me well knows that I am typically somewhat of an anti-Windows guy. I absolutely love linux, and get very frustrated by Windows in general. The only thing that I really dislike about linux is the lack of application support by a number of companies (ahem…. Adobe). Before going to the Adobe MAX conference, I decided I should swap out OSes on my personal laptop so that I could run all the stuff I would need for labs without constantly cursing about being stuck in a VM, limited functionality, etc. A friend had just bought a package of Windows 7 licenses and sold me one for 5 bucks, which I considered to be a pretty reasonable risk. I opted for installing Windows 7 on my laptop.

Given that background and my previous feelings about Windows, I have to say that it is a pretty dang nice operating system. It is by far the best offering to date by MS in my opinion. There are a few things that they still haven't managed to get right (native file copy still makes me want to stick forks in my eyes), but by and large they have done a great job with Windows 7. Other than having to track down a few drivers for my laptop, the installation was painless – if not fast. This is still an area that linux, and especially Ubuntu, wins hands down though. Apps run extremely stable, and with the addition of a new concept of "Libraries", directories that I need access to regularly are right at hand instead of having to tree down through big hierarchies. I am also not finding what I expected would be an immediate degradation of performance after installing all the servers and development tools that I use on a daily basis. Over all, so far so good.

A few things that I think are a *must* for the way that I use it.

I found a "sudo" program called Start++ that allows me to open applications from the terminal or start menu as Administrator by typing sudo notepad [or some other program]. It will prompt you for the UAC stuff and the program will open as administrator. I use this regularly for editing system files like hosts, apache configs, and use it to open a terminal to fire off j2ee servers.
Install Teracopy which is a replacement for the Windows copy program. While certainly not as fast/efficient as a linux terminal, it greatly increases file copy speed over the native windows GUI file copy. No more "preparing to copy" waits while your system bogs down.

Things that annoy me

I still wish I could have a real terminal and be able to use VI in sudo, but that is just something I will have to get over I guess.
I hate that I now have to be so careful with regard to viruses and spyware. I love the protection that linux offers in that area, and having to go out of my to stay protected seems a bit cumbersome.
I miss being able to easily try out software with the ease of the synaptic package manager. It seems foreign now to have to download an exe run an installer and have settings being obscurely written all over a "black box" registry.
I miss built-in networking tools. Even simply things like being able to run "whois" from the teminal.
My drive is getting fragmented far faster than with linux, and I find that I am running the defrag tool fairly often. Linux just manages this under the covers and I never have to worry about it.

All said, after using it for about the past 4 weeks, I can honestly say that I am surprised (and perhaps even a bit disappointed) that I like it as much as I do. I planned on just running it while I was at the Adobe MAX conference and going back to linux when I got home, but it looks like I will be keeping it for a while longer.

Strange behavior with ColdFusion ExpandPath() when using Symbolic Links

Wed, 23 Sep 2009 14:11:00 GMT

I was playing around with the Quicksilver framework last night, and for some reason it was unable to find and instantiate my CFCs properly. After digging into the framework a bit and determining where it was breaking, I discovered something strange about the way that ColdFusion interprets ExpandPath() when it exists in a directory that is defined as a symbolic link. I am not sure if the same behavior exists on Macs, but I would imagine it does. If someone could confirm that to be the case, I would be interested.

For starters, I usually have a 'www' directory in my user home directory. This way when I pass my user profile around from distro to distro, my development work is included in my home directory. For ease of configuration I typically have a symbolic link in my OS that points /www/ ---> /home/dshuck/www/. Then when I am creating a new web project called 'davescode', I would put it in /home/dshuck/www/davescode, but my Apache config would usually point to /www/davescode. For the past several years, this approach has worked will for me. That is until last night when experimenting with Quicksilver.

When Quicksilver loads, it creates a list of service CFCs in the the application in such a way that if I had Foo.cfc in a directory 'com' in the root of my davescode site, it would look like /home/dshuck/www/davescode/com/Foo.cfc. When I initted the application, I was getting an error that it couldn't find the CFC home/dshuckcom/Foo.cfc. Essentially what was happening is that it was getting the full path of the CFC and replacing the path to the root of the site with "". In a perfect world the value of the path after the string replace would have looked like com/Foo.cfc. Unfortunately that was not so. Here's why!

I put a test file called path.cfm in the root of my davescode site that considted of the following:

<cfoutput>#ExpandPath("./")#</cfoutput> <br/> <cfoutput>#ExpandPath("/")#</cfoutput>

The result was very surprising!

/home/dshuck/www/davescode/ /www/davescode/

For some reason when you do ExpandPath("/") it looks at the symbolic link path, but when you do ExpandPath("./"), it looks at the true file path. For the life of me, I can't think of why that would be. If anyone has an explanation, I would be all ears!

Usability - It's not just for websites!

Mon, 02 Jul 2007 12:55:26 GMT

As a web developer, usability is something that we consider on a daily basis. When it comes to functionality that has become a standard, we don't jack with it! For instance, we have long established that when you mouseover a link the cursor turns into a pointy finger. Can we alter that? Sure! But people would be confused and would likely miss some content in your application. See that navigation bar at the top of my page? I could easily move to align with the bottom of my site, but the result would lead to more confusion.

This leads me to a mini-rant about my new phone. A couple weeks ago I dropped my LG phone one too many times. It seemed to always think I had a headset plugged in, although I have never actually owned a phone headset. In addition, when I turned it on, it would randomly call my Mom and Dad. That one I still can't figure out!

So, being a generally cheap guy, I stopped by the Cingular store to pick up the the next-to-the-bottom-line model for about 60 bucks and was on my way without paying too much attention. After unwrapping it and charging for the first time, I discovered something that baffles me. Check out this keypad!

What genius thought it would be a good idea to design the keys like that? After about 35 years of a consistent and well-defined pattern of telephone keypads, Sony/Ericsson decided it would be a good idea to alter that by offsetting the middle column. This serves no functional purpose either. You can see they could have quite easily shifted the middle column of buttons up so that they would be aligned. I am sure my fingers will get used to it, but dialing without looking at my fingers presents a new challenge. I suppose that is one of the costs of being cheap. :)

Cyber attack us eh? How about a counter attack IRL!

Thu, 08 Feb 2007 20:25:59 GMT

This is pretty interesting, especially in light of this week's rampant DoS attacks. From the article:

If the United States found itself under a major cyberattack aimed at undermining the nation’s critical information infrastructure, the Department of Defense is prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source.

Apparently if the nation's networks come under a severe attack, there is a group called the National Cyber Response Coordination Group (NCRCG) that is responsible for coordinating a defense/retaliation strategy. Members of the NCRCG include experts from the US-CERT computer-readiness team, the Department of Justice and the Defense Department. They are actually playing out "war games" in order to prepare for an attack. Where it gets especially interesting to me is the fact that the strategy potentially could include a physical bombing attack. I am certainly glad to see them protecting my career as an internet developer! :)

Read the complete article...

ps. Make sure you keep those Windows Updates current We sure would miss you if your computer was commandeered and was preforming an attack from your house!

Cool video showing an iPhone in action - and a question to web developers

Wed, 31 Jan 2007 16:50:43 GMT

I have been kind of passively watching the iPhone news go by the past month knowing I am far too cheap to actually buy one until they are no longer cool and people have moved on to the next flash in the pan at which point I will be stuck with the old and busted iPhone.

This morning a coworker sent me this video demonstrating the features. There is some really sweet stuff in there! As I watched it I could hear a future conversation my kids will be having their kids.

"Son, when I was a little boy we had these big noisy metal boxes under our desks and *those* were our computers. Can you believe that?"

So to the web development community -- What do you think we need to be doing today in order to be prepared for the future in such a way that we remain viable as developers? I don't want to end up staring at the same fate as client-server Windows application developers, watching my corner of the development world get smaller and smaller!

Does it really change much for us? What what should we be learning now?

[youtube YgW7or1TuFk]

Grand Canyon... It's on!

Mon, 11 Jul 2005 05:00:00 GMT

My father and I decided that this was the year that we would hike the North Rim to the South Rim of the Grand Canyon. I know this seems crazy, but it is actually a paperwork challenge to be able to hike the Grand Canyon. There is an application process in which you have to fax your request in the 1st day of the month 6 months before the intended date of your trip with a detailed itinerary, including where you will be sleeping and when. We sent faxed our paperwork in and held our breath on the 1st of April, 6 months before we hoped to go in September. After no word for a month we finally contacted them, only to find out that we had been rejected. Discouraged, but not beaten, we laid out the calendar to see if there was another time that would work. We decided that November would be acceptable, albeit a little colder. It should be in the 60s in the bottom of the canyon though where we will spend the majority of our time. Once again, we laid out our itinerary and faxed in on July 1. My dad received a letter today dated July 6, 2005 telling him that they were sorry, but they were unable to accept out application. He spent a good hour walking around the house cussing and feeling terribly disappointed. A bit later my mom noticed there was another letter from the Grand Canyon dated July 7, 2005.

Dear Mr. Shuck, we have accepted your request to hike the Grand Canyon on the dates of November 1, 2 and 3, 2005. Enlcosed are your passes, which you will need to affix to your backpack and carry with you in the canyon. There is no need to stop by the back country headquarters before departing on the trail.

So in 3.5 months, I will be taking this in....