Re: rsync and named-xfer

2001-07-26 Thread Jeff Waugh



> i hope this is useful to someone...there was no information at all on
> the topic when i searched for it on google yesterday.

Craig, that's very cool. I don't have an immediate use as yet, but thank you
for publishing your hack to the list for everyone!

- Jeff

-- 
"And the beanbag is a triumph of modern day eclectic colourism..." -
Catie Flick 


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Apache CGI Distress

2001-07-26 Thread Darren Clark

On Wed, Jul 25, 2001 at 08:32:41PM -0400, Gene Grimm wrote:
> After a major site update amounting to renaming the public_html folder,
> and tightening up security by removing global permissions, I am now
> getting errors trying to execute Perl scripts through Apache. All the
> HTML files are properly displayed with rights 640 and ownership assigned
> to user.www-data. The scripts have rights 750 with the same ownership.
> The browser shows a "permission denied" message for /cgi-bin/vcounter
> and /guestbook/guestbook.pl but the error log shows nothing for
> /cgi-bin/vcounter. The log shows "ExecCGI is off in this directory". I
> have rechecked httpd.conf several times and I have "Options ExecCGI" in
> the  groups for both the cgi-bin and guestbook paths. I have
> even restarted Apache several times. What might I be missing?

Make sure at the beginning of your httpd.conf that you do not have a default 
restrictive command in your httpd.conf. An example restrictive default is:


Options SymLinksIfOwnerMatch
AllowOverride AuthConfig


As you have mentioned, the directory running the CGI scripts needs to have the
correct permissions; 750 should be fine. Double check that in your httpd.conf file you
have the directive similar to:

 
 Options Indexes Includes FollowSymLinks MultiViews ExecCGI
 AllowOverride AuthConfig
 Order allow,deny
 Allow from all
 

Darren






Re: rsync and named-xfer

2001-07-26 Thread Craig Sanders

On Thu, Jul 26, 2001 at 05:51:03PM +1000, Craig Sanders wrote:
> has anyone used rsync to transfer zone files?
> 
> i'm thinking of writing a wrapper script which runs rsync to transfer
> some domains, and falls back to named-xfer for other domains.

ok, i've figured out how to do this and got it running between two of my
own name servers. 

there's two sides to the configuration, server side and client side.

i hope this is useful to someone...there was no information at all on
the topic when i searched for it on google yesterday.


SERVER SIDE CONFIGURATION
-------------------------

1. install rsync and add something like the following to /etc/inetd.conf
to run it as a daemon:

rsync   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/bin/rsync --daemon

2. edit /etc/rsyncd.conf like so:

---cut here---
syslog facility  = daemon

[zonefile]
comment = zonefiles for rsync transfer
path = /var/cache/bind/rsync
read only = yes
# see rsyncd.conf(5) for details on hosts allow specification
hosts allow = a.a.a.a b.b.b.b c.c.c.c...etc...

---cut here---

/var/cache/bind/rsync is the directory containing the rsyncable zone
file(s). this should be a dedicated subdirectory with only the zonefiles
you want to be fetchable via rsync in it.

your zone file configuration in named.conf should look something like this:

zone "example.com" {
        type master;
        file "rsync/example.com.db";
};

whenever you edit the file and run "ndc reload", a NOTIFY will be sent
to the secondaries. this will cause them to run named-xfer to transfer
the updated zone. if any of the secondaries have the client-side set up
as below, then the transfer will be done with rsync rather than slow
named-xfer.

for small zonefiles, this makes no difference (in fact, the rsync
protocol overhead may be a net loss), but for large zonefiles (e.g. a
16MB dnsrbl type zonefile) it makes an enormous difference - only a
hundred kilobytes or so transferred rather than the full 16MB.




CLIENT SIDE CONFIGURATION
-------------------------

1. install rsync

2. configure named as usual to secondary the zone.  e.g.

zone "example.com" {
        type slave;
        file "example.com.db";
        masters {
                x.x.x.x;   // doesn't matter
        };
};

you have to specify the masters { ... } section, but it will be ignored
by the rsync named-xfer. you tell it where to fetch the zonefile from in
the named-rsync.conf file.


3. create an /etc/bind/named-rsync.conf file like so:

---cut here---
# domain     hostname/ip  rsync_SRC  filename
example.com  x.x.x.x      zonefile   example.com.db
---cut here---

this will cause rsync to fetch x.x.x.x::zonefile/example.com.db

this version requires you to specify the hostname to fetch the zonefile
from...a future version may extract that information from the named-xfer
command line.


3. create the following script, /usr/local/sbin/named-xfer.pl

---cut here---
#! /usr/bin/perl

# named-xfer.pl
#
# transfer zone files using rsync.  falls back to
# standard named-xfer for zones not listed in
# /etc/bind/named-rsync.conf
#
# Copyright Craig Sanders <[EMAIL PROTECTED]> 2001
#
# This software is licensed under the terms of the GNU
# General Public License.


# configuration variables.  adjust to suit your system
$dir="/var/cache/bind" ;
$realxfer="/usr/sbin/named-xfer" ;
$rsync="/usr/bin/rsync" ;

# read in the config file
# format is:
# domain     hostname/ip  rsync_SRC  filename
$conffile="/etc/bind/named-rsync.conf";
open(CONF,"<$conffile") || warn "couldn't open $conffile: $!" ;
while(<CONF>) {
    chomp ;
    s/#.*//;                # strip comments
    next if (/^\s*$/) ;     # skip blank lines
    ($domain,$hostname,$src,$filename) = split ;
    $rsync{$domain} = "$hostname:$src:$filename" ;
}
close(CONF) ;

# extract useful info from command line args...
# (-z is the zone name, -f is the file the zone is written to)
for $i (0..$#ARGV) {
    if ($ARGV[$i] eq "-z") { $domain = $ARGV[++$i] } ;
    if ($ARGV[$i] eq "-f") { $zonefile = $ARGV[++$i] } ;
}

# do the transfer
if ($rsync{$domain}) {
    ($hostname,$src,$filename) = split /:/, $rsync{$domain} ;
    # list form of exec: no shell is involved in running rsync
    exec($rsync,"$hostname\:\:$src/$filename","$dir/$zonefile") ;
} else {
    exec($realxfer,@ARGV) ;
} ;
---cut here---


4. now edit /etc/bind/named.conf and tell bind to use the above script
instead of the standard named-xfer by adding the following line to the
options {...} ; section:

named-xfer "/usr/local/sbin/named-xfer.pl" ;

craig

-- 
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch






Re[2]: Virtual Hosting

2001-07-26 Thread Kevin J. Menard, Jr.

Hey Simon,


Thursday, July 26, 2001, 6:10:11 PM, you wrote:

>> > You can't do name based virtual hosting with ftp, as the protocol
>> > doesn't use domain names.
>> >
>> > You will need to do IP based virtual hosting and use IP aliasing.
>>
>> How hard would it be to implement a thing in say ProFTPd for example,
>> that took "[EMAIL PROTECTED]" as the actual username, rather than just
>> "user" ?
>>
>> Would that be possible?

SA> Not with the current c0de base. Possible to do with code changes though.

Works fine for me with 1.2.2r3, as I reported once before maybe a
month or two ago on a thread about OpenLDAP with Russ.


-- 
 Kevin






Re: Virtual Hosting

2001-07-26 Thread Simon Allard

> > You can't do name based virtual hosting with ftp, as the protocol
> > doesn't use domain names.
> >
> > You will need to do IP based virtual hosting and use IP aliasing.
>
> How hard would it be to implement a thing in say ProFTPd for example,
> that took "[EMAIL PROTECTED]" as the actual username, rather than just
> "user" ?
>
> Would that be possible?

Not with the current c0de base. Possible to do with code changes though.

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

"There is no spoon"






Re: Virtual Hosting

2001-07-26 Thread Jaume Teixi

hello,

as somebody already pointed out, name based virtual hosts are not under the ftp protocol
and for instance you have to chroot every user/domain on its own directory.

alternatively maybe this package could help you:
proftpd-ldap
Versatile, virtual-hosting FTP daemon (with LDAP support)

bests,
teixi.

On Thu, 26 Jul 2001 13:06:56 +1000
Robert Davidson <[EMAIL PROTECTED]> wrote:

> On Wed, Jul 25, 2001 at 07:44:22PM -0700, Jeremy C. Reed wrote:
> > 
> > Now if you are talking about real virtual hosting where you could have
> > multiple users with the same name, then you'd need to have separate
> > authentication (passwd) files for each virtual host -- and -- you'd need
> > to decide on a UID (and GID) to own that user's files (maybe one UID and
> > GID per virtual host, but then you'd have to stop different users from
> > accessing other users' files -- maybe with chroot or jail?).
> 
> That's what I was thinking about - a real virtual hosting setup.  Out of 
> interest, is there anything already made to do this kind of thing?  
> Like another FTP server for example?






portable recommendation

2001-07-26 Thread Allen Ahoffman

Hi:
Let me give my requirements and see if anyone has a recommended solution.

1.  I am a blind network admin, and am off site much of the time.
2.  I want a device ideally that would vibrate when a notification comes
in, and read me the text when a button is pushed.  And, allow online
logins to internet.

non-ideal:

smallest workstation I can use with something like ricochet, and make
voice output like emacspeak or speak work.

I want to be able to use it at my off site job to check and send fix
instructions to onsite personnel without causing any trouble.






Re: HTTPS transparent proxy with Squid

2001-07-26 Thread Alson van der Meulen

On Thu, Jul 26, 2001 at 08:52:53AM +0400, Ant wrote:
> AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
> AvdM> You might be able to start a second squid process, and redirect HTTPS
> AvdM> requests through it.
> Could you tell me how to redirect HTTPS through squid, and give an example of
> configuration. It is very interesting for me for the ICQ with HTTPS proxying option
> enabled.
Just look for HTTPS proxy options in ICQ...

a few points:
- Don't use transparent proxying if you don't really need it. Some
  services (last time I checked the hotmail attachment function didn't
  work thru a transparent proxy). This is because some pages check for
  proxy settings, and use some different way if a proxy is detected.
  They won't detect a transparent proxy though. There often are ways you
  can set proxy settings centralized, f.e. in Windows 9x and NT4, you
  can make some 'policy' to do it (contact me if you need an
  administrative template for it). Windows 2000 can set it in group
  policies. In *nix you can often set it using some export
  http_proxy=http://foo:8080 (or ftp_proxy) in /etc/profile, or setenv
  http_proxy http://foo:8080 in cshrc for csh. I guess there are
  similar ways to do it for netscape & friends. For other proxy
  settings, consult your application's manual.

- HTTPS won't be cached by any proxy, for security reasons, so proxying
  HTTPS won't speed up anything. If possible, just NAT (masquerade) it.

- The only valid reason to transproxy HTTPS is if your internet
  connection does not allow direct connections to port 443 (some
  restrictive firewall f.e.), and the clients are too decentralized to
  enforce real proxy settings.

I think you'll need specific HTTPS transproxy support in squid (or some
other transproxy) to be able to transproxy HTTPS. The HTTPS requests
should just be tunneled thru a proxy (using CONNECT, read my previous
mail for more info). AFAIK a transparent proxy usually uses GET
requests, for normal HTTP requests. Since HTTPS is encrypted, you can't
decode the GET request, and translate it in some proxy GET request. The
transparent proxy should establish a CONNECTion thru the proxy, and
redirect the traffic thru that tunnel.

If you find (or make) a transparent proxy with HTTPS support (thru
CONNECT), you'll have to set it up in ipchains just like http
(substitute all occurrences of port 80 with port 443). Then instruct the
transparent proxy to listen for requests to port 443 (http_accel_port
443).

I never really tested transproxying with HTTPS, always just masqueraded
it, so don't ask me for real example configurations for transproxy HTTPS
;)

Cheers,
Alson
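
The GET-versus-CONNECT distinction in the message above, as an added example that is not part of the original post or of squid: it decides what an intercepting proxy would send to a parent proxy from the first bytes a redirected client sent. The function names, the `orig_dst` parameter and the sample bytes are assumptions made for the illustration.

```python
# Added example, not from the original post. orig_dst is assumed to be the
# address the client was really connecting to, as recorded by the redirect rule.

# Constructed sample inputs: first bytes seen on an intercepted connection.
SAMPLE_HTTP = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("160301002f010000")  # record header + start of hello


def is_tls_client_hello(first: bytes) -> bool:
    # SSLv3/TLS record header: type 0x16 (handshake), major version 0x03.
    # An SSLv2-format hello is not recognised by this check.
    return len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03


def upstream_request(first: bytes, orig_dst: tuple) -> tuple:
    """Return (action, bytes to send to the parent proxy first)."""
    host, port = orig_dst
    if is_tls_client_hello(first):
        # Encrypted: there is no request line or Host header to read, so the
        # only option is a tunnel to the original IP and port. The client's
        # bytes are then relayed untouched once the parent answers 200.
        req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
        return "tunnel", req.encode("ascii")

    head, sep, rest = first.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ")
    except ValueError:
        return "reject", b""
    if not sep or not target.startswith(b"/"):
        return "reject", b""

    # Plain HTTP: the Host header names the site, so the origin-form target
    # can be rewritten to the absolute form a proxy expects.
    site = f"{host}:{port}".encode("ascii")  # fallback: client sent no Host
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and value.strip():
            site = value.strip()
    lines[0] = b" ".join([method, b"http://" + site + target, version])
    return "rewrite", b"\r\n".join(lines) + sep + rest
```

In the tunnel case the parent proxy only ever sees an IP address and port, so hostname-based access rules on the parent cannot be applied to intercepted HTTPS.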






rsync and named-xfer

2001-07-26 Thread Craig Sanders

has anyone used rsync to transfer zone files?

i'm thinking of writing a wrapper script which runs rsync to transfer
some domains, and falls back to named-xfer for other domains.

anyone done anything like this before?


the motivation here is that i'm a secondary for relays.osirusoft.com
which is a 16MB zone file and it often times out before transferring.

named-xfer isn't really suitable for transferring large files.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch






Re: Apache CGI Distress

2001-07-26 Thread Marcin Owsiany

On Wed, Jul 25, 2001 at 08:32:41PM -0400, Gene Grimm wrote:
> even restarted Apache several times. What might I be missing?

Maybe /var/log/apache/suexec(.log)?

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]>
http://student.uci.agh.edu.pl/~porridge/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

