Friday, October 30, 2009

HOWTO : Ubuntu 9.10 Desktop for Traditional Chinese users

Step 1 : Install Ubuntu

Select Traditional Chinese from the menu when you install and follows the instruction on screen. Choose Taiwan as time zone no matter you are living in Hong Kong or not. You may change to the correct time zone after the installation.

After that, you should update your Ubuntu.

sudo apt-get update
sudo apt-get upgrade


Step 2 : Install Traditional Chinese language support

Go to System >> Administration and select Language Support. Install the missing language pack. Make sure the panel displays "Chinese (Taiwan)" after the installation.

Step 3 : Install SCIM - Chinese Input Method (Optional)

Since the default Input Method - iBus is not mature and complete, I choose SCIM instead.

sudo apt-get install scim scim-modules-table scim-chewing scim-pinyin scim-chinese

After the install, you should logout and re-login or reboot instead.

After the re-login or reboot, go to System > Administration and select Language Support. Changes "iBus" to "SCIM" on the panel.

Step 4 : Bug fix the Flash on YouTube (Optional)

After played the Youtube with browser, you may find the Chinese characters not displayed well and correctly. You can fix it by the following steps.

sudo nano /etc/fonts/conf.d/49-sansserif.conf

Replaces the last fourth line where "sans-serif" to "sans".

Logout and re-login or reboot instead to make the change works.

That's all. See you.

Thursday, October 01, 2009

HOWTO : Highest secured Hiawatha Web Server (6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?

Hiawatha is a web server that developed by Hugo Leisink since 2002.  Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks of.  Apache requires some modules to do the security purpose, such as modsecurity and mod_rewrite.  Hiawatha is already built-in.  She can ban some bad traffic and bad activities on your web server.  Her footprint is also small, that is 130kb, surprise?!  She is the default web server for Austrumi and Puppy Linux. 

Although the user manual at her official site is not detail enough (at the time of this writing), it is quite easy to configure and runs on a production server.  There may be a bug at cgi-wrapper in Hiawatha 6.17.1 and it requires to modify the source code to solve the problem.

Hiawatha runs MySQL and PHP great in cgi mode.  It can run in Windows environment too (but not yet tried).  This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH.  If your web application requires email function, you should also install Mail Server also.

Make sure you have perform the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : some modules will not be required, such as php5-sqlite and php5-snmp.  If your web application requires them, make sure to install them.

Step 2 - Install Hiawatha

Download the current Hiawatha, 6.17.1 at this time of writing.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1


Install requires dependenices.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Fix bug on Hiawatha.
sudo nano cgi-wrapper.c

At line 103, just below rest = uncomment(line); add the following lines :

if (*rest == '\0') {
   continue;
}


At the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb


The deb package will be created at your home directory, such as /home/samiux.  You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Make change as is.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : some PHP application may requires safe_mode = Off.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change on php-fcgi.conf, make sure to restart it by following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following line at the GENERAL SETTINGS. Apache compatible log file format.
LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper


Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Make change to the Banlistmask in order to meet your network requirement.

Uncomment php5-cgi and CGIextension lines.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   WrapCGI = jail
}


Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi


Wrap = jail ; /var/www ; www-data:www-data

*Note : Some CMS will not well when PreventCMDi = yesDenyBot entries are optional.  If you do not want spiders and bots to crawl your site, you should enable it.  Those entries are examples only.  UseToolKit is also optional.

Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data.

If not, make it as is.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log are www-data.  If not, make them as is.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure Apparmor (to make Hiawatha more safety)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>


/usr/sbin/hiawatha {
#include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,


   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}


* suppose you are using postfix.

Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Improve the security of CGI-Wrapper

Now, your hiawatha is very secure but I would like to make it more secure.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias cannot be functioned with this configuration so far.

That's all.  See you!