Running Mercurial with FastCGI in nginx

logo-droplets-200 Mercurial is a so called DRCS (Distributed Revision Control System). I have been using Subversion for a couple of years, both at work and for my own projects. Now I thought it was about time to try something different.

But first, why do I want to switch from SVN to Mercurial? Basically the most appealing argument for me was the fact, that with Mercurial I am able to work offline with my repository. Besides that, I always had issues with the way SVN was handling tags and branches. Especially merging changes from a branch back into the trunk was always a pain. I did not need to use that functionality often but when I did, I always ended up doing it twice, because I could not remember which way to do it right.

Continue reading »

Nginx rewrite rules for SilverStripe CMS

If you are using Nginx with a configuration that is directly serving php pages via FastCGI, you need to adapt the rewrite rules to Nginx. In the case of the CMS-system SilverStripe this is not really straight forward. The original rewrite definition in the .htaccess file looks like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_URI} !(\.gif)|(\.jpg)|(\.png)|(\.css)|(\.js)|(\.php)$

RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]

So every file which does not end in .gif, .jpg, .png, .css, .js and .php and where the file does not exist will be rewritten.

I chose a somehow stripped down version of these rules which looks in Nginx notation like this:

if (!-f $request_filename) {
    rewrite ^/(.*?)(\?|$)(.*)$ /sapphire/main.php?url=$1&$3 last;

If a requested file is not found, the rewriting engine will parse the request string for all elements before a ‘?’. This substring will be pasted as the url parameter to main.php. Everything after ‘?’ will be added as additional parameters. This rewrite rule seems to be working and I haven’t encountered any problems so far.

Continue reading »

Securing SSH server with fail2ban

When you are running your SSH server on the standard port 22, you likely see brute force login attempts multiple times a day. The SSH server does not limit unsuccessfull login attempts by itself. So there are multiple ways to deal with this problem.

One option is to move the SSH daemon to a non-standard port. But this means that you might get problems connecting yourself to the server if you are working from a restricted network. So another solution would be to use certificates for login. But then you need to make sure that you carry the certificates with you when you want to login to your server.

Now a good solution is to limit access to the SSH server. One way would be to use the so called port-knocking approach. Here the access to the SSH port is blocked until you use some kind of secret knock-sequence. Then the port will be unblocked for your IP for a certain time. This is very effective but has the downside that you always need to use this knock mechanism before connecting to your server.

Continue reading »

Setting up PureFTPD on a virtual server

PureFTPD LogoPureFTPD is a secure and easy to configure FTP server. It has all the features you usually need, like TLS encryption, virtual users, quotas and limits. The only downside is that PureFTPD is not easy to install on a virtual server because the default Debian package is compiled with some options that are not supported by the standard OpenVZ and Virtuozzo kernels. Therefore you need to recompile PureFTPD with some reasonable settings. In This post I will explain how to do that and do a basic service setup.

Continue reading »

Setting up the OSX terminal application

By default the terminal app in OSX is not configured the way you are used to on a Linux system. There is no color output for ls and things like page up and page down are not working via SSH. Fortunately this can be corrected with some small configuration tweaks.

The first thing is to open the prefenreces panel and set the “Pro” theme as the standard theme. I also like to activate text antialiasing. My font of choice is “Monaco 12pt.”.

To enable the page down, page up, home and end keys you need to go to the keyboard tab and set the following key actions:

Home = \033[1~

End = \033[4~

Page Up = \033[5~

Page Down = \033[6~

To activate colored output for ls with a decent color scheme that works well on a dark background, create a file .profile in your home directory with the following contents:

export CLICOLOR=1
export LSCOLORS=cxexcxdxbxfxfxbxbxcxcx
Continue reading »

Nginx as a reverse proxy for Apache

While Apache is a great server for delivering dynamic content and especially hosting PHP-based websites, it has a high memory footprint and a high overhead when forking new worker processes during high server load. In this article I will describe how you can use the nginx web server as a reverse proxy for your Apache to deliver static files instead of Apache. Nginx has a very small memory footprint and can deliver static files lightning fast.

The idea behind this setup is that nginx will listen on port 80 for incoming connections, identify whether the client requests a static file or a dynamic webpage. In case of a static file it will deliver the file itself. In case of a dynamic request it will forward that request to the Apache server.

Continue reading »

Running Django 0.96.2 in Leopard

The installer script for the Python based web development framework Django contains a bug on OSX 10.5 which leads to problems with the default applications “admin”, “comments” and “sitemaps”. The template and media files of these applications are copied to a wrong directory.

As a workaround for this bug, you can copy the files manually to the correct location:

sudo cp -r /System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/site-packages/django/contrib/* /Library/Python/2.5/site-packages/django/contrib/
Continue reading »

Hosting OpenVZ on Ubuntu 8.04

The long term support edition 8.04 of Ubuntu Linux will provide security updates until 2013. Therefore it is an ideal distribution for building the base of a secure hosting solution. In this article I will describe how you can setup the virtualization software OpenVZ on Ubuntu 8.04. OpenVZ allows you to run multiple virtual Linux servers on top of your Ubuntu system. It is extremely performant and OpenVZ is also the base of the well known Virtuozzo solution which is widely used in the web hosting market. Compared to Xen, OpenVZ is more limited in regards to different operating system you can run, but on the other hand it has a lower overhead and is therefore more performant. It is also possible to run OpenVZ inside of VirtualBox which is not possible with Xen.

Continue reading »

Speeding up PHP in 5 minutes

By default PHP scripts are compiled on each access. This will become a real performance killer once your website hits a certain load. There is a number of Opcode caches available which try to overcome this recompiling issue by storing precompiled versions of your scripts in a cache. This blog entry will explain how to integrate the Alternative PHP Cache (APC) into your PHP5 installation. This tutorial is based on a Debian installation, but it should also work with alternative distributions.

APC ist installed using the PHP Extension Community Library (PECL). Using PECL ist similar to using the PEAR Library. Before you can install APC via PECL, make sure that you have the following packages installed:

aptitude install php5-dev php5-gd

Downloading compiling and installation of APC using PECL ist a breeze. Just run from the command line:

pecl install APC

Now all you need to do is to add the following line to your php.ini file which you should find in /etc/php5/apache2/:

Once you restart Apache, caching will be enabled with default settings of APC. By default APC will use 30 MB memory to cache your PHP files. It is a good idea to tailor this setting to your server. This can be done with the following line in php.ini:

Continue reading »

Reloading kernel extensions

Sometimes it might be useful to reload a kernel extension in OSX without rebooting your Mac. This can be done in a terminal window with the following commands:

sudo kextunload /System/Library/Extensions/NameOfExtension.kext
sudo kextload /System/Library/Extensions/NameOfExtension.kext

Replace NameOfExtension.kext with the name of the extension you want to reload.

Continue reading »