This method was tested on Debian 5.0 Lenny in SBS 2003 and Server 2003 environments.
Why use Squid?
- It is free in most ways (GPL); Microsoft ISA Server is not
- Apache cannot reverse-proxy Outlook's RPC over HTTPS traffic (yet?)
The Basics
Install Lenny from the net-install disc with internet access available. When it asks what type of installation you want, the base system is all you need. You can add the "Desktop Environment", but I have not tested adding any other task at install time, and a desktop is not recommended on a proxy because it adds overhead (if you let it start on boot).
Make sure that you set up the apt repositories to use the http and ftp resources before you try apt-get. (Uncomment the lines in “/etc/apt/sources.list”)
OWA and/or RPC should be tested and working before you try the proxy.
The certificate on the external interface of your proxy must be signed by a CA that Windows already trusts, or Outlook's RPC over HTTPS will not connect (and you should do this anyway). The certificate between the Exchange server and the proxy does not need to come from a recognized CA for the setup to work. I used an inexpensive certificate from GoDaddy (about $30) for the working example.
This method uses TWO certificates: Outlook RPC or browser -> SSL -> proxy -> SSL -> Exchange
Update apt, install OpenSSL
As root, update the local apt database.
#apt-get update
Now, install OpenSSL and essential ssl development libraries.
#aptitude install build-essential openssl libssl-dev
You shouldn’t have to do this, but you can also make sure g++ is installed (this is a compiler).
#apt-get install g++
Installing Squid
Go to http://squid-cache.org and download the 3.0 Stable version in tar.gz format.
Move the file to a directory whose path you will remember; in this document I download to /home/exampleuser/ because I have access to that directory without being root.
I will assume that you can download and move the file without instruction.
NOTE: While Squid is in the apt repository, the apt installer will not enable SSL support; this is why we are compiling from source. Please note this also means you will not be able to update Squid using the apt repositories.
Once the file is downloaded, open a console, log in as root, change to the directory where Squid was downloaded and unpack the tarball.
# cd /home/exampleuser/
# tar xvfz squid-3.0.STABLE16.tar.gz
NOTE: “squid-3.0.STABLE16” is the name of the current Squid 3 stable release, yours may be a different number, so make sure to use the file name of your file, don’t assume it is still 16.
Now let's compile: first change into the source directory ("cd"), then configure, compile and install Squid.
# cd /home/exampleuser/squid-3.0.STABLE16
# ./configure --enable-ssl --with-openssl=/usr/include/openssl/
# make
# make install
After the install, confirm that the build actually has SSL support (the configure options that squid -v prints must include --enable-ssl; if they don't, the https_port directive below will be rejected), then create the cache directories.
# /usr/local/squid/sbin/squid -z
Squid Configuration
Replace the text in squid.conf with the below template. (Use whatever editor you want, nano is just easiest for newbies).
# nano /usr/local/squid/etc/squid.conf
Squid.conf template. Hostnames, the Exchange IP address and the certificate paths are specific to your environment and must be filled in (visible_hostname, defaultsite and the OWA acl all take the external OWA hostname). Each directive is a single line in squid.conf, even where it wraps here:

visible_hostname owa.examplecompany.net
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 cert=/path/to/external/cert key=/path/to/external/cert.key defaultsite=external.owa.domain.name
cache_peer ip.address.of.exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/path/to/exchange/cert.crt sslkey=/path/to/exchange/certkey.pem name=owaServer
acl OWA dstdomain external.owa.domain.name
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all

Two things to keep in mind with this template: sslflags=DONT_VERIFY_PEER makes the proxy accept whatever certificate the Exchange side presents, so it is only acceptable when the proxy-to-Exchange link is a trusted LAN segment; and login=PASS forwards the client's credentials to Exchange, which is one more reason the proxy must listen on https_port only. Keep the "deny all" lines so that requests for any host other than the OWA name are refused.
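The template above has one environment-specific value per directive, and one weak setting (DONT_VERIFY_PEER). The following shell functions are an added example, not part of the original write-up or of Squid: they render the template from those values, either as written on this page ("lax") or with the Exchange-side certificate verified ("verify"), and lint the result. The hardened variant assumes the sslcafile= and ssldomain= cache_peer options documented for Squid 3.0; the hostnames, IP and paths are the page's placeholders or invented here.

```shell
#!/bin/sh
# Added example (not the original author's or Squid's code): render and lint
# the OWA reverse-proxy squid.conf from this page's template.
# Assumptions: cache_peer sslcafile=/ssldomain= exist (Squid 3.0 docs); the
# Exchange-side cert has been exported to CERT_DIR/exchange.crt.

# render_squid_conf MODE EXTERNAL_HOST EXCHANGE_IP EXCHANGE_CERT_CN CERT_DIR
#   MODE "lax"    = the page's template (DONT_VERIFY_PEER, trusts any cert)
#   MODE "verify" = trust only the exported Exchange cert and pin its CN
render_squid_conf() {
  mode="$1"; host="$2"; exch_ip="$3"; exch_cn="$4"; certs="$5"
  case "$mode" in
    lax)    peer_ssl="sslflags=DONT_VERIFY_PEER" ;;
    # A self-signed cert validates against itself when it is the only CA,
    # so the exported exchange.crt doubles as the trust anchor.
    verify) peer_ssl="sslcafile=$certs/exchange.crt ssldomain=$exch_cn" ;;
    *)      echo "mode must be lax or verify" >&2; return 2 ;;
  esac
  cat <<EOF
visible_hostname $host
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 cert=$certs/$host.crt key=$certs/$host.key defaultsite=$host
cache_peer $exch_ip parent 443 0 no-query originserver login=PASS ssl $peer_ssl sslcert=$certs/exchange.crt sslkey=$certs/nopassexchange.key name=owaServer
acl OWA dstdomain $host
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
EOF
}

# lint_squid_conf FILE: returns non-zero (and prints why) if the proxy would
# trust any Exchange-side certificate or if a catch-all deny is missing.
lint_squid_conf() {
  f="$1"; rc=0
  if grep -q 'DONT_VERIFY_PEER' "$f"; then
    echo "warn: proxy->Exchange TLS is unverified (DONT_VERIFY_PEER)"; rc=1
  fi
  for rule in 'http_access deny all' 'miss_access deny all'; do
    grep -qx "$rule" "$f" || { echo "warn: missing '$rule'"; rc=1; }
  done
  return $rc
}

# Optional demo: SQUID_DEMO=1 sh this_file  (writes nothing outside /tmp)
if [ "${SQUID_DEMO:-0}" = 1 ]; then
  render_squid_conf verify owa.examplecompany.net 192.0.2.10 exchange.local \
      /usr/local/squid/certs > /tmp/squid-owa.conf
  lint_squid_conf /tmp/squid-owa.conf && echo "ok: /tmp/squid-owa.conf"
fi
```

Write the rendered file over /usr/local/squid/etc/squid.conf only after the lint passes; with "verify", the CN you pass must be the one in the certificate exported from Exchange, otherwise the peer connection fails closed instead of silently trusting the wrong host.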
Certificate Notes
Getting the certificates organized and prepared is sometimes the most daunting part of the setup.
For the internet-facing certificate, you will need to get a certificate from a certificate authority. I used GoDaddy. If they ask what type of server it is for, choose "Apache". Make sure the "Simple Name" (the common name) is the same as the external web address used to reach the OWA server, in our case "owa.examplecompany.net".
After you order it from GoDaddy and initiate the process per their directions, you will get to a point where it asks you to paste your certificate request.
Generate the request on the proxy server. Two caveats: 1024-bit RSA keys are no longer accepted by public CAs, so use 2048; and -des3 encrypts the key with a passphrase, which Squid cannot type in at startup, so either omit -des3 or strip the passphrase afterwards with the same "openssl rsa" step shown for the Exchange key below.
# mkdir /usr/local/squid/certs/
# cd /usr/local/squid/certs/
# openssl genrsa -des3 -out owa.examplecompany.net.key 1024
# openssl req -new -key owa.examplecompany.net.key -out owa.examplecompany.net.csr
Copy the contents of owa.examplecompany.net.csr to the request form.
Once you get the certificate files from the CA, you will most likely receive a bundle (intermediate) certificate as well as your own public certificate.
You will need to append gd_bundle.crt to owa.examplecompany.net.crt. The order matters: your own certificate must stay first in the file, followed by the intermediates. First back up owa.examplecompany.net.crt, then append gd_bundle.crt to it.
# cp /usr/local/squid/certs/owa.examplecompany.net.crt /usr/local/squid/certs/owa.examplecompany.net.crt.backup
# cat /usr/local/squid/certs/gd_bundle.crt >> /usr/local/squid/certs/owa.examplecompany.net.crt
For the exchange server communication, you can use a self-signed certificate.
If you generate a self-signed certificate on your Exchange server, you can export it as a PFX (with its private key) and use openssl on the proxy to convert it into the usable format. First, move the PFX file to the proxy (this example assumes it is in "/usr/local/squid/certs/").
# cd /usr/local/squid/certs/
# openssl pkcs12 -in exchangecert.pfx -nocerts -out exchange.key
# openssl rsa -in exchange.key -out nopassexchange.key
# openssl pkcs12 -in exchangecert.pfx -nokeys -out exchange.crt
Now you have the key and the crt; move these to the path that you specify in the squid.conf file.
Final Notes:
You have to forward port 443 from your router to the proxy for this to work, and you have to make sure the proxy itself accepts traffic on 443. That part involves iptables, which I will not get into here.
I tested in the live environment before changing the forwarding on my router by pointing owa.examplecompany.net at the proxy's local address in my hosts file. This worked fine for OWA testing.
Also, give the proxy a static IP address or create a reservation for its MAC address on your DHCP server, so the port forward does not break.
References/Bibliography/Special Thanks:
The Squid Cache Project - http://www.squid-cache.org
The Debian Project - http://www.debian.org
Owen Campbell - http://www.tanti.org.uk/index.php/blogs/owencampbell/3-tech/3-proxy
Squid Cache Wiki - http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
Laurent Brichet - http://www.brichet.be/how-to-setup-a-reverse-proxy-server-over-ssl-squid-debian