Arthur Pemberton

Full-stack web applications developer


Welcome to my blog

As I discover new things in my field and solve troublesome problems, I will attempt to document my finds here.

Backend request headers with an Apache reverse proxy (frontend server)

On July 18, 2018, by Arthur Pemberton, 0 Comments

If you ever find yourself using Apache as a frontend server or reverse proxy (as opposed to Nginx, for example), you will want to pass the actual client IP and scheme information back to your application so that it can function properly. By default, mod_proxy sets the X-Forwarded-For header, but that header is a comma-separated list and is also used by other types of proxies. You may want to set X-Forwarded-Proto and X-Real-IP as well. The following entries in your VirtualHost (or similar) should do the job:

# RequestHeader comes from mod_headers; the %{VAR}s form reads SSL/CGI-style variables and needs mod_ssl loaded
RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
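On the application side, an added example (not code from this post) of how a backend can consume these two headers safely: a WSGI middleware that honours X-Real-IP and X-Forwarded-Proto only when the TCP peer is the proxy itself, because `RequestHeader set` overwrites whatever a client sent only for requests that actually pass through Apache. The TRUSTED_PROXIES networks are an assumed value.

```python
"""Hypothetical WSGI middleware for a backend sitting behind the Apache
reverse proxy described above.  Not the blog's or Apache's own code."""
from ipaddress import ip_address, ip_network

# Assumption (constructed): address ranges the reverse proxy connects from.
# A request from anywhere else is treated as a direct client, and its
# forwarded headers are ignored rather than trusted.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def is_trusted_proxy(remote_addr):
    """True when remote_addr is a valid IP inside one of TRUSTED_PROXIES."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(environ):
    """Return (client_ip, scheme) for a WSGI environ.

    REMOTE_ADDR is the TCP peer, which is the proxy when Apache is in front.
    X-Real-IP carries a single address (unlike X-Forwarded-For, which is a
    comma-separated list that earlier hops may have appended to).
    """
    peer = environ.get("REMOTE_ADDR", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if not is_trusted_proxy(peer):
        return peer, scheme  # direct connection: headers are client-chosen
    real_ip = environ.get("HTTP_X_REAL_IP", "").strip()
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    try:
        client = str(ip_address(real_ip))
    except ValueError:
        client = peer  # header missing or malformed: fall back to the peer
    if proto in ("http", "https"):
        scheme = proto
    return client, scheme


class ProxyHeadersMiddleware:
    """Rewrite REMOTE_ADDR and wsgi.url_scheme before the app sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        client, scheme = resolve_client(environ)
        environ["REMOTE_ADDR"] = client
        environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)
```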

Openfire certificate import

On September 27, 2016, by Arthur Pemberton, 0 Comments

Working with SSL certificates in Openfire is surprisingly troublesome, at least compared to popular web servers (Apache httpd, Nginx, IIS).

I recently needed to update an expiring certificate (having once before figured out how to successfully import a purchased SSL certificate).

This time I found a nice tutorial: https://alpha-labs.net/2014/12/openfire-and-ciphers/. Thanks to Christian for that.

I’ve made some slight modifications to his shell script, and I just wanted to share.

#!/bin/bash
# Import a purchased RSA certificate and its CA bundle into Openfire's
# truststore and keystore. Adjust the variables below for your install.
set -euo pipefail

JavaDir="/opt/openfire/resources/security"
PASS="changeit"
certdomain="im.example.com"
certname="im_example_com"
certdir="/etc/ssl"
ca="${certdir}/${certname}.ca-bundle"   # CA chain as supplied by the issuer
tmp="/root/tmp"

## echo "stop openfire"
##/etc/init.d/openfire stop

echo "> deleting truststore and keystore"
rm -f "${JavaDir}/truststore" "${JavaDir}/keystore"

echo "> merge domain certificate with CA certificate"
cat "${certdir}/${certname}.crt" "${ca}" > "${certdir}/${certname}.combined.crt"

echo "> create a new trust store"
# -noprompt so the script does not stop at keytool's "Trust this certificate?" question
keytool -import -trustcacerts -noprompt -storepass "${PASS}" -alias "PositiveSSL" -file "${ca}" -keystore "${JavaDir}/truststore"

echo "> create new p12 file"
openssl pkcs12 -export -in "${certdir}/${certname}.combined.crt" -inkey "${certdir}/${certname}.key" -out "${certdir}/${certname}.p12" -name "${certdomain}" -CAfile "${ca}" -passout pass:"${PASS}"

echo "> create new key store"
keytool -importkeystore -deststorepass "${PASS}" -srcstorepass "${PASS}" -destkeystore "${JavaDir}/keystore" -srckeystore "${certdir}/${certname}.p12" -srcstoretype PKCS12 -alias "${certdomain}"

echo "> change file perms"
# the keystore holds the private key; once owned by the daemon user a tighter mode (600) also works
chmod 644 "${JavaDir}/truststore" "${JavaDir}/keystore"

echo "> change ownership"
chown daemon:daemon "${JavaDir}/truststore" "${JavaDir}/keystore"

echo "> list directory"
ls -lha "${JavaDir}"/*store*

## echo "start openfire"
##/etc/init.d/openfire start

Notes

A few quick notes:

  • This _will_ delete your existing truststore and keystore, so back them up first
  • I disable stopping and starting of the Openfire service; feel free to uncomment those lines
  • This version expects the CA’s chain certificate to be named in the format `CERTIFICATE_NAME.ca-bundle`
  • This only creates an RSA certificate

Google Apps DNS Entries

On June 10, 2015, by Arthur Pemberton, 0 Comments

Every now and again I find myself having to rebuild DNS entries for a client who has Google Apps hosted email. Googling for the appropriate queries gets me there, but in a roundabout fashion, so I’ve decided to collect the relevant pages here.
