Dec 31, 2011

Secure remote access to home through OpenVPN (I)

I have set up secure remote access so that, while I am living in London, I can reach my home network safely. The access is a VPN (Virtual Private Network) built with OpenVPN.

Why a VPN rather than a typical remote access such as SSH, VNC, etc.? Because it gives me an encrypted tunnel between my laptop and the home network, and over that secure line I can later establish any other kind of connection. Furthermore, I will be able to connect from any kind of insecure network.

Why OpenVPN? Because it lets you quickly build SSL/TLS-protected tunnels, and this sort of VPN is handy and straightforward to configure. OpenVPN is open source software that implements VPNs over a public network such as the Internet. One of its main advantages is that it needs a single TCP or UDP port and runs in userspace, whereas IPsec or PPTP need support in the kernel's IP stack and more than one protocol or port (ESP plus IKE on UDP 500/4500; GRE plus TCP 1723), which firewalls and NAT often get in the way of.

Below you can see a detailed outline of my infrastructure. It is a point-to-point link between my laptop and a PC connected inside the local network. The PC acts as the server (it listens for incoming connection requests) and the laptop is the client (it initiates the connection). Once I am connected to the PC via OpenVPN, I can jump safely to any device located in the network. Both computers run Ubuntu 11.10.




One of the first things I had to face was the dynamic IP address used by my ADSL service. Every time I turn on the router, the ADSL provider assigns it a temporary public IP address. To overcome this, I signed up for a free dynamic DNS service, DNSdynamic. The registration process is pretty simple.

In this way I obtained a subdomain that points to my router. To keep it current, I installed ddclient on the PC, an address-updating utility that pushes the router's present public IP to the DNS service. Because the PC sits behind the router's NAT, ddclient learns the public address from a web page instead of from a local interface (the use=web line below). The file holds the account password in clear text, so it must stay readable by root only, and it is worth running ddclient once in the foreground (ddclient -daemon=0 -debug -verbose -noquiet) to confirm the update goes through before leaving it as a daemon. To show you my configuration, I will use a fictitious subdomain called test.dnsdynamic.com.

root@javi-pc:~# aptitude install ddclient

root@javi-pc:~# cat /etc/ddclient.conf
# Log messages to syslog
syslog=yes

# Support SSL updates
ssl=yes

# Obtain IP address from provider's IP by checking page
use=web, web=myip.dnsdynamic.com

# Update DNS information from server
server=www.dnsdynamic.org

# Login and password for server
login=test@gmail.com
password='xxxxxx'

# Update protocol used
protocol=dyndns2

# Subdomain
test.dnsdynamic.com

root@javi-pc:~# cat /etc/default/ddclient
...
# ddclient runs in daemon mode
run_daemon="true"

# Time interval between the updates of the dynamic DNS name (in seconds)
daemon_interval="3600"

root@javi-pc:~# /etc/init.d/ddclient start

The SSL/TLS connection is authenticated with digital certificates, so I needed a certificate for each end of the VPN tunnel, plus a CA (Certification Authority) to sign and validate both. OpenVPN lets peers authenticate each other with username/password, a pre-shared static key or digital certificates. I chose the last option because it is the most robust: a static key is the same secret on both ends and gives no forward secrecy, whereas with certificates each end has its own identity, which can be revoked (for example if the laptop is lost) without touching the other peer.

To manage the certificates, I am used to working with easy-rsa, a small set of shell scripts wrapping openssl for handling a PKI (Public Key Infrastructure). This tool is shipped inside the OpenVPN source tarball. Since the tarball is fetched over plain HTTP, it is worth checking it against the GPG signature published alongside it before unpacking.

javi@javi-pc:~/tmp$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz

javi@javi-pc:~/tmp$ tar xvzf openvpn-2.2.2.tar.gz

javi@javi-pc:~/tmp$ mv openvpn-2.2.2/easy-rsa/2.0/ . ; rm -rf openvpn-2.2.2*
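What the easy-rsa scripts will do in the next part, shown here as an added example with plain openssl commands (this is not code from the post and not easy-rsa itself): a CA, one server certificate and one client certificate, plus the check each tunnel end performs on the certificate its peer presents. The CA name, the file names and the one-year lifetime of the leaf certificates are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the post, and not easy-rsa itself): the PKI the post
# is about, built with plain openssl commands. The CA name, file names and the
# one-year leaf lifetime are assumptions for illustration; easy-rsa's
# build-ca / build-key-server / build-key scripts do the equivalent.
set -eu

# build_vpn_pki DIR: create a self-signed CA plus one server and one client
# certificate under DIR, each signed by that CA. The CA key never has to leave
# the machine that signs; only ca.crt is copied to both tunnel ends.
build_vpn_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-contained openssl config so the result does not depend on the
    # system openssl.cnf. The server/client sections carry the extensions
    # that OpenVPN's ns-cert-type / remote-cert-tls directives check.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
    # 1. The CA: self-signed, long-lived, marked as a CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/pki.cnf" -extensions ca_ext -subj "/CN=home-vpn-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. One key + CSR per tunnel end, signed by the CA with the matching
    #    extension section. Every peer needs a distinct Common Name.
    for end in server client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$dir/pki.cnf" -subj "/CN=$end" \
            -keyout "$dir/$end.key" -out "$dir/$end.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$end.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/pki.cnf" -extensions "$end" \
            -out "$dir/$end.crt" 2>/dev/null
    done
    # Private keys are secrets: readable by their owner only.
    chmod 600 "$dir"/*.key
}

# verify_against_ca CA CERT [PURPOSE]: exit 0 if CERT chains to CA and, when
# PURPOSE (sslserver or sslclient) is given, its extensions allow that role.
# This is the check each OpenVPN end applies to the certificate the peer sends.
verify_against_ca() {
    if [ "$#" -ge 3 ]; then
        openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}
```

Only ca.crt, plus its own key and certificate, goes to each end; ca.key stays on the signing machine. The server and client sections give the leaf certificates the keyUsage, extendedKeyUsage and nsCertType values that the client-side ns-cert-type server and remote-cert-tls server directives look for, so a stolen client certificate cannot be used to impersonate the server: verify_against_ca with purpose sslserver rejects client.crt even though it chains to the same CA.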


Dec 22, 2011

Apache performance tuning: dynamic modules (II)

Let's continue with the second part of the article titled Apache performance tuning: dynamic modules (I). Remember that the aim is to review the modules Apache loads, so as to decide which of them are really needed; in this way we can trim the memory used by each Apache process.

The key point is that a single process consumes little memory, but an installation that needs many processes adds up to a large total. So if we manage to cut the memory a process starts with, every child will run lighter, and the memory saved is available for the rest of the system.

mod_ext_filter

Forwards the response body to an external program before sending it out to the client.

# LoadModule ext_filter_module modules/mod_ext_filter.so

mod_include

Processes Server Side Includes (SSI) in files before delivering them to the client.

# LoadModule include_module modules/mod_include.so

mod_info

Provides a comprehensive overview of the web server configuration through its server-info handler. If you keep it, restrict that handler to trusted addresses, since it discloses the full configuration.

# LoadModule info_module modules/mod_info.so

mod_ldap

Improves the performance of websites by pooling LDAP connections and caching responses.

# LoadModule ldap_module modules/mod_ldap.so

mod_logio

Logs the number of bytes received and sent per request (the %I and %O log format fields).

# LoadModule logio_module modules/mod_logio.so

mod_proxy

Implements a proxy/gateway. If you keep it, leave ProxyRequests Off unless you really need a forward proxy; an open forward proxy gets abused quickly.

# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# LoadModule proxy_http_module modules/mod_proxy_http.so
# LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so

mod_speling

Tries to correct erroneous URLs that users could have typed by overlooking capitalization and allowing up to one misspelling.

# LoadModule speling_module modules/mod_speling.so

mod_status

Provides statistics about the activity and performance of the web server through its server-status handler. Like mod_info, if kept it should only be reachable from trusted addresses.

# LoadModule status_module modules/mod_status.so

mod_suexec

Allows CGI scripts to run as a specific user and group.

# LoadModule suexec_module modules/mod_suexec.so

mod_userdir

Allows per-user directories (~user) to be served by the web server.

# LoadModule userdir_module modules/mod_userdir.so

mod_usertrack

Tracks user activity across requests by setting a cookie (clickstream logging).

# LoadModule usertrack_module modules/mod_usertrack.so

After disabling these modules, the memory used by one Apache child process (running as the apache user) went from 2.02 to 1.46 MB, that is to say, we have saved around 0.6 MB per process. Bearing in mind that a large number of children can be running at any given time, the saved memory can be appreciable. Besides, a lighter process starts up faster and has less code to initialise.


Dec 14, 2011

Apache performance tuning: dynamic modules (I)

Apache is a cross-platform, modular and open source web server, widely used around the world for its quality, robustness and stability. But like most applications, it is installed with a default configuration which is not the most adequate. And I will go further: I have never seen an Apache installation that the administrator has properly tuned afterwards.

Over the next few articles, you are going to learn how to properly optimize Apache in order to get the best performance out of it. The tests are carried out on CentOS 6.2 (32 bits) with Apache 2.2.15. This first article, about dynamic modules, is split into two parts.

Apache has two main operating modes, known as multi-processing modules (MPMs):

  • Prefork: a single control process (httpd) forks child processes, each of which listens for incoming connections and serves them. Apache keeps several idle children ready to attend requests, so a client does not have to wait for a new child to be forked. Another advantage of this mode is that each child is an independent process, so a fault in one of them does not affect the others.

  • Worker: as in the previous case, a single control process creates several child processes, but each child runs a listener thread that hands the inbound connections to a pool of server threads managed by that same child. This mode is faster and more scalable, but in return it is less fault tolerant: the threads of a child share one address space, so a problem in any thread takes down the whole child and every connection it was serving.

You can install Apache either by compiling it from source or by getting the binary package from a repository. I for one prefer the second option, because in this way any kind of update (security fix or bugfix) can be applied without compiling it again.

A typical installation of Apache via yum comes with the following compiled-in modules. As you can see, prefork is the default operating mode; the worker MPM ships as a separate binary (httpd.worker) that you select in the /etc/sysconfig/httpd file.

[root@centos ~]# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

It is essential to know what each module does in order to decide whether it can be left out. Below is the list of modules that can be ruled out in most cases. Note that all the directives shown are in the Apache configuration file (httpd.conf) and that a module is disabled by commenting out its LoadModule line. In many cases the dependent modules are disabled along with the main one. After any change, run httpd -t (or apachectl configtest) before restarting, since a directive that belongs to a module no longer loaded makes the configuration fail to parse.

mod_actions

Allows the execution of CGI scripts based on the MIME content type and the request method.

# LoadModule actions_module modules/mod_actions.so

mod_auth_basic

Limits access to certain users by using HTTP Basic Authentication. I usually disable its dependencies. Note that mod_auth_basic does nothing on its own: AuthType Basic needs at least one authentication provider (typically mod_authn_file, which also supplies the AuthUserFile directive), so leave that provider loaded if any virtual host uses basic auth; otherwise the directive is unknown and httpd refuses to start.

LoadModule auth_basic_module modules/mod_auth_basic.so
# LoadModule authn_file_module modules/mod_authn_file.so
# LoadModule authn_alias_module modules/mod_authn_alias.so
# LoadModule authn_anon_module modules/mod_authn_anon.so
# LoadModule authn_dbm_module modules/mod_authn_dbm.so
# LoadModule authn_default_module modules/mod_authn_default.so
# LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# LoadModule authn_dbd_module modules/mod_authn_dbd.so

mod_auth_digest

Limits access to certain users by using MD5 Digest Authentication.

# LoadModule auth_digest_module modules/mod_auth_digest.so

mod_authz_*

Limits access to certain users or groups based on different sources (DBM or plaintext files, hostname or IP address, etc.). I usually remove all of them except mod_authz_host, which provides the Order, Allow and Deny directives. Keep mod_authz_user as well if any configuration uses Require valid-user or Require user, since in Apache 2.2 those are handled by it.

LoadModule authz_host_module modules/mod_authz_host.so
# LoadModule authz_user_module modules/mod_authz_user.so
# LoadModule authz_owner_module modules/mod_authz_owner.so
# LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# LoadModule authz_dbm_module modules/mod_authz_dbm.so
# LoadModule authz_default_module modules/mod_authz_default.so

mod_cache

Provides HTTP content caching, with mod_disk_cache as the storage backend.

# LoadModule cache_module modules/mod_cache.so
# LoadModule disk_cache_module modules/mod_disk_cache.so

mod_cgi

Allows the execution of CGI scripts.

# LoadModule cgi_module modules/mod_cgi.so

mod_dav

Implements the WebDAV (Web-based Distributed Authoring and Versioning) functionality.

# LoadModule dav_module modules/mod_dav.so
# LoadModule dav_fs_module modules/mod_dav_fs.so

mod_env

Controls the environment variables passed to CGI scripts and SSI pages (SetEnv, PassEnv and UnsetEnv directives).

# LoadModule env_module modules/mod_env.so
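The procedure both parts of this article describe (comment out the LoadModule line of each unwanted module in httpd.conf, check the configuration, compare per-process memory) as an added worked example; this is not code from the article. File paths are assumptions, the live file on CentOS being /etc/httpd/conf/httpd.conf, and the httpd -t / httpd -M calls need the Apache binary on the PATH.

```sh
#!/bin/sh
# Added example (not from the article): apply the "comment out LoadModule"
# step from both parts to a copy of httpd.conf and check the result before a
# restart. Paths are assumptions; on CentOS the live file is
# /etc/httpd/conf/httpd.conf.
set -eu

# disable_modules CONF MODULE...: MODULE is the name after "LoadModule", e.g.
# info_module. Only active lines are touched, and the original text is kept
# after the "#" so a module can be re-enabled by hand later. The trailing
# space in the pattern keeps proxy_module from matching proxy_http_module.
disable_modules() {
    conf="$1"; shift
    for mod in "$@"; do
        sed -i "s/^[[:space:]]*LoadModule[[:space:]]\{1,\}${mod}[[:space:]]/# &/" "$conf"
    done
}

# count_loaded CONF: number of LoadModule lines still active in CONF.
count_loaded() {
    grep -c '^[[:space:]]*LoadModule' "$1" || true
}

# check_config CONF: syntax check plus the list of loaded modules. A directive
# whose module was just disabled (e.g. AuthUserFile without mod_authn_file)
# shows up here as a syntax error instead of as a failed restart.
check_config() {
    httpd -t -f "$1" && httpd -M -f "$1"
}

# mean_rss_kb: read RSS values (KB, one per line, as printed by
# "ps -o rss= -C httpd") on stdin and print the truncated mean. RSS counts
# shared pages, so it overstates each child's private cost; it is still the
# before/after figure the article compares. Prints 0 on empty input.
mean_rss_kb() {
    awk '{ sum += $1; n++ } END { if (n) printf "%d\n", sum / n; else print 0 }'
}
```

Typical use is to copy the live file, run disable_modules on the copy with the module names from both parts, run check_config on it, and only then move it into place and restart. For the memory comparison, ps -o user=,rss= -C httpd | awk '$1=="apache"{print $2}' | mean_rss_kb gives the average child RSS before and after, leaving out the root-owned control process.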


Dec 5, 2011

I head off to London

Last year, when I was in London, I already knew that it would not be the last time, and indeed, I was not mistaken. Today I have handed in my resignation and given up my current job, to which I will be bound until the end of this month. My flight to the United Kingdom, the next stage of my life, will take off on the 9th of January.

This idea had been going around in my head for a long time. And the question was: why not? Why not work in another country, run away from the daily monotony, learn from other cultures, break with political correctness and, in short, squeeze the most out of life?

Here in Spain we have a big problem and its name is PSOE (a political party). Whenever they have governed, they have ended up messing up the country, and nowadays, unlike in 1996 (the previous time they ruined us), we no longer have the European cohesion funds and the crown jewels (the most important public companies) to sell in order to get ahead. I could write another book about the misdeeds of these political figures...

Spain has to face up to a hard situation over the next few years, and this is another of the reasons why I think that now is a good moment to go abroad. Unlike fifteen years ago, the Bank of Spain cannot devalue the currency at present, and we will have to resort to other financial instruments to get over this critical situation, such as reducing salaries, increasing taxes, improving productivity, optimizing public resources, etc., and in this way become more competitive and efficient.

Regarding the IT world, I have always said that Spain is not a good place for engineers, because it is a country of services. We do not have an IT industry and in most cases, you can only aspire to cover the needs or requirements of a client. And why do I say client and not company? Because over time, the business model has totally changed and at present, it is no longer possible (or at least very complicated) to belong to an end company.

Between the client and you, there will always be an intermediate company that we call "cárnica" or "charcutera" (butcher shop in English). Thereby, in general, this intermediary takes care of obtaining an end client for you, offering you like a piece of meat, and paying your salary. Practically without lifting a finger and taking advantage of your work, it will grab a part of the money that you make every month.

What happens with this system? You will never be or feel part of a company; today you can be working in a certain place and tomorrow in another one, and on top of all that, there is no way to develop a career inside an enterprise.

I recently read the article titled "Las ilusiones perdidas" ("The Lost Illusions" in English), which reflects perfectly the situation of thousands of Spaniards who have had to leave our country for multiple reasons, but mainly due to a lack of future. This is a great issue, because during the next years, we are going to lose the best-prepared generation of young people in history. This phenomenon is also known as brain drain.

As I mentioned before, my case is totally different. I do not need to look for a job far away from home; I have a permanent job here and I have given it up voluntarily. Furthermore, I am aware that I could have switched to another job at any moment. Simply, I am just in the mood for taking this step.

I am a person who likes to work out everything in detail, and in this manner, I have mapped out a complete roadmap for my first weeks in London. I still have to read up on some points before finishing my plan, but mostly, I am going to boost my English at the beginning, by enrolling in a language school, at least during the first three months. I know that I have a good level of English, but I also realize that it turns into lower-intermediate when you arrive there.

After that initial period of time, I will search for a job. I consider that it is better to build the house starting with the floor rather than the roof. For that reason and as I pointed out before, first of all I will be enhancing my English and in turn, I will have free time to get used to those new lands, aside from accomplishing other typical tasks such as opening a bank account, getting the NIN (National Insurance Number) and a GP (General Practitioner), registering at the embassy and so on.

Perhaps this is the most important decision that I have had to take in my life, and I hope not to slip up. I am aware that it will not be straightforward, but at any rate, I am really looking forward to it!