Ubuntu Server Multihoming

Our new web server at work is an Ubuntu Server VM running Nginx for static content, Apache for dynamic, and Memcached for MySQL caching. In other words, it’s super fast!

The main challenge with setting this server up was the fact that it would be connected to three VLANs, each with its own subnet. It appears that the server would randomly decide to send reply packets out of the wrong interface. After a number of Google searches I finally found the solution here.

The post suggests that this hack may only work on CentOS. I tried it out anyway and it worked as expected. I did have to modify the script slightly to add an additional interface; I added an additional table named 90.


OS X Lion Wiki Server Gripes

The teachers and students at Kolbe love to use wikis, and due to poor performance with Snow Leopard’s built-in wiki server we migrated to Lion for one of the servers.

We first trialled migration from Snow Leopard to Lion at 10.7. At this time Lion Wiki Server didn’t support Active Directory groups; this feature was finally added in 10.7.3 (along with editing from an iPad). Migration of wikis isn’t perfect, with some content not being displayed properly, and some embedded content missing.

Here are some fixes for some issues I have come across so far.

  • Attachment links broken
    • The best way to fix this issue is to simply click edit on the page, and save again. For some reason this fixes the broken link.
  • Using the “Wikis can be created by only some users” option with Active Directory Accounts.
    • I came across this yesterday afternoon; adding AD groups to the list of allowed accounts seems to be unsupported. I then had the great idea of making a local group in Workgroup Manager, and adding our Staff Users AD group as a member. Once this group is created you can then add it to the list of allowed creators in the Server App.
  • Permissions broken
    • The quickest way to resolve this is to remove the group and add it again; it only seemed to affect a small number of wikis.

One thing I noticed that is missing (hopefully it gets added soon) is the ability to add global wiki administrators. Currently only local Admin accounts are able to do this.


Freezing Accounts in System Preferences

I’ve seen this a lot at our service desk: a student will bring in their laptop because they can’t open the Accounts prefpane.

After investigation I found there to be multiple guest accounts on the computer, one named Guest and the rest Guest1, Guest2 etc. These can be removed using dscl within Terminal with the following commands.

sudo dscl

cd /Local/Default/Users

ls

This will show all the accounts that are on the system. You will need to find how many guest accounts have been created and remove them with the command below…

rm Guest1

That command will need to be repeated for each additional guest account.

Once that is complete you can open System Preferences and the Accounts prefpane should load correctly.

In Lion you can open Directory Utility, located in /System/Library/CoreServices/, and use the directory editor within to remove the accounts if you aren’t comfortable with Terminal.
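
The same cleanup as a non-interactive script, as an added example that is not from the original post. It assumes the duplicates are named exactly Guest followed by digits, as described above; the APPLY and DSCL variables are hypothetical names introduced here (dry-run switch and a test override for the dscl binary).

```shell
#!/bin/sh
# Added example: remove duplicate guest accounts (Guest1, Guest2, ...)
# without the interactive dscl session. Run with sudo to delete.
# Dry run by default; set APPLY=1 to actually delete.

DSCL="${DSCL:-dscl}"   # hypothetical override so the logic can be tested off a Mac

# Keep only names of the form Guest<digits>. The stock "Guest" account and
# ordinary users whose names merely start with "guest" are left alone.
select_duplicate_guests() {
    grep -E '^Guest[0-9]+$' || true
}

# "." is the local node, so /Users here is /Local/Default/Users in the
# interactive session shown above.
remove_duplicate_guests() {
    $DSCL . -list /Users | select_duplicate_guests | while read -r name; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "deleting /Users/$name"
            $DSCL . -delete "/Users/$name"
        else
            echo "would delete /Users/$name"
        fi
    done
}

# Only act when dscl is present (i.e. on a Mac); elsewhere the functions
# are defined but nothing runs.
if command -v "$DSCL" >/dev/null 2>&1; then
    remove_duplicate_guests
fi
```

Review the dry-run output first, then rerun with APPLY=1 under sudo.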


pfSense Traffic Logging (updated!)

As promised in my previous post, I have now completed the PHP script for making the connection between the pfSense Captive Portal authentication log and the Squid authentication log.

trafficlog trafficlog 1.1 - Needs to be placed in /usr/local/www/ and renamed to trafficlog.php

captiveportal captiveportal 1.1 - Needs to be placed in /usr/local/www/ and renamed to captiveportal.php

download - Needs to be placed in /usr/local/www/captivetraffic/ (The captivetraffic folder will need to be created.)

index - To replace the original in /usr/local/captiveportal/

A cron job to create the completeportalauth.log file will need to be set up. The easiest way to do this is to install the Cron package and then add the following settings – Minute – 1, Hour – *, Mday – *, Month – *, Wday – *, Who – root, command - clog /var/log/portalauth.log >> /var/log/completeportalauth.log  No longer required.

Unfortunately due to security built into WordPress, I cannot upload PHP files, so once you’ve downloaded the txt files you will need to change the extension to .php.

Please note, I’m no programmer, and I only did this so that my colleagues need not ssh into pfSense to run the commands. Depending on how large your logs are, the page may take a while to load.

I chose to load the log in an iFrame due to PHP running out of memory; outputting to a file and making it available for download was the simplest way I could think of to get around this. The /usr/local/www/captivetraffic/ folder might begin to get quite full, but a nightly cron job that clears the log will fix this.


iOS devices on the CEO network

With the recent deployment of 190 iPads at the school I work at, we needed to create a network that would seamlessly support iOS devices. Being a Catholic school, all our internet traffic goes through the Catholic Education Network’s proxies, making it almost impossible to download and use iOS apps due to the lack of complete proxy support in the operating system.

While most apps probably would work through the proxy, most of them won’t work well. Our solution for this was to set up another VLAN and an open SSID; the best wanky name we could think of for the new network was “iConnect”.

When connecting to the “iConnect” network, and thanks to a neat feature in iOS, the user is prompted for their credentials. After they are successfully authenticated, the user can begin to access the Internet.

The iConnect network does not require the user to set up any proxies, thanks to pfSense. I configured pfSense with the Squid proxy and captive portal modules. Squid runs in transparent mode with the Catholic Education Network’s proxies specified in the upstream settings; the captive portal module uses RADIUS to authenticate against our existing AD infrastructure.

When building the network, the first issue we ran into was not being able to access HTTPS sites. This is because it is impossible to use a transparent proxy to route HTTPS traffic. We had to get port 443 open for the WAN IP address of our pfSense box; once it was open, HTTPS sites worked as expected.

I’m currently in the process of writing a PHP page that makes it simple to do a quick lookup of a user’s browsing history; once complete I’ll post it here.
See this post


Welcome

Decided I’d change my website from just a static page with links to my online presences to something a little more interesting. Here you will find my nerdy posts that I think others will find useful.
