Cache control with Apache

Caching, annoying but important. At a basic Apache level you can tell the client's browser to cache different file types for different durations, which saves bandwidth on static assets; the flip side is that anything generated for a logged-in user must be marked as not cacheable, or a shared cache may hand one person's page to the next:

To turn on mod_headers and mod_expires:

A good link.
http://www.askapache.com/hacking/speed-site-caching-cache-control.html
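As an added example (not from the original post or the askapache article), here is a shell script that writes such a policy as an Apache conf-available snippet and enables mod_headers and mod_expires. The file name caching.conf, the lifetimes and the list of file types are assumptions; adjust them to your site. The part that matters for security is the last FilesMatch: PHP output is marked no-store, so neither a browser nor a proxy keeps a response that was generated for a logged-in user.

```shell
#!/bin/sh
# Added example (not from the original post): install a per-type caching policy
# for Apache on Debian. Paths, file types and lifetimes are assumptions.
set -eu

# write_cache_conf DEST: write the Apache snippet to DEST (no root needed).
write_cache_conf() {
  dest="$1"
  cat > "$dest" <<'EOF'
# Static assets: let browsers and proxies keep them for a while.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/png "access plus 1 month"
  ExpiresByType image/jpeg "access plus 1 month"
  ExpiresByType image/gif "access plus 1 month"
  ExpiresByType image/svg+xml "access plus 1 month"
  ExpiresByType text/css "access plus 1 week"
  ExpiresByType application/javascript "access plus 1 week"
</IfModule>

<IfModule mod_headers.c>
  # mod_expires already emits max-age for the types above; mark them shareable.
  <FilesMatch "\.(css|js|png|jpe?g|gif|svg)$">
    Header append Cache-Control "public"
  </FilesMatch>
  # Dynamic pages may carry session-specific data: never let a shared cache
  # or a browser store them. text/html is deliberately absent from mod_expires
  # above so nothing adds a max-age here.
  <FilesMatch "\.php$">
    Header set Cache-Control "no-store"
  </FilesMatch>
</IfModule>
EOF
}

# apply_cache_conf: enable the modules, activate the snippet, syntax-check,
# and reload. Run as root on the server.
apply_cache_conf() {
  write_cache_conf /etc/apache2/conf-available/caching.conf
  a2enmod headers expires
  a2enconf caching
  apache2ctl configtest
  systemctl reload apache2
}

if [ "$#" -ge 1 ] && [ "$1" = "--apply" ]; then
  apply_cache_conf
fi
```

Run it with --apply on the server; without arguments it only defines the functions, so you can source it and write the snippet to a scratch path to inspect it first. After reloading, check a static file and a PHP page with curl -I and confirm the Cache-Control headers differ.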

Google links you might not have known existed…

So it seems that the most popular mobile handsets these days run either Android or iOS. They both offer amazing time-saving apps: they monitor our sleep, alert us to news events and remind us when our friends' birthdays are… they also track us. Not just a little, but a lot: unless you actively restrict features on your handset, they record almost everything you do with it. Do all your students know that a record of their activity, from what they search for on the internet to where they have physically been in the world, is stored in a data centre and easily accessible…

Have a peek at this post for the links:
http://derepreportwriting.wordpress.com/2014/03/28/so-all-your-students-are-happy-sending-all-their-information-to-who/

IE placeholder fallback

OK, so the other day a client insisted that they ‘had’ to have the placeholder function on all the browsers… however there was an issue with the existing client JS code which meant I could not do the inserting of the placeholder content into the value, so… instead I used carefully placed spans…

Here is a mock up of it:  http://jsfiddle.net/W2dWA/

(oh btw replace “fake-placeholder” in real use, this is just to demo on normal browsers that support placeholder)

Hump day!

Referring to Wednesday as “hump day” is a fairly modern tradition in English. The term represents the idea that a week can be visualized as a mound or hill that a person climbs, with Wednesday typically being the middle or peak of the week. There is some disagreement over which day of the week should be the “hump,” since it varies depending on when a person works and how a week begins. There are other sources for negative associations with Wednesdays, and few holidays are regularly celebrated on this day….

Read more here: http://derepreportwriting.wordpress.com/2014/03/27/hump-day/

Enjoy more of your free time: http://www.derep.net

About working too much and what you can do about it (well, if you’re a teacher that is)

In 2012 teachers worked a total of 325 million unpaid hours!

A big factor increasing these hours is report writing. Although there are some generic tools available to create reports these often produce non student specific reports which offer little insight to the people that matter… the parents and the students!

Read more: http://derepreportwriting.wordpress.com/2014/03/21/did-you-know/

PHP pdo_mysql example use and general class

OK, so mysql_query died a long time ago in favour of PDO (PHP Data Objects). The point of PDO for security is prepared statements with bound parameters: user input travels to the server separately from the SQL text, so it can never change the shape of the query. That is what closes the door on SQL injection, not PDO by itself; if you still build SQL by string concatenation through PDO you are no better off than before.

Although awesome, prepared statements can end up being quite verbose without an abstraction layer.

So.. here is one I wrote a while ago.

Starting the class

Inserting data and returning the auto increment id

A simple select and html print

SSO with google for website with new API on your server

The Google documentation for server-side authentication with Google SSO is far from clear: there are tons of docs out there all talking about different things. It will drive you mad, or you can learn from my pain.

Step 1 – Set up the Google app and the client-side bits via this link. It is all relatively straightforward.
https://developers.google.com/+/web/signin/add-button  When it says go to registered apps, it really means: on the left-hand side go to ‘APIs & auth’ > ‘Credentials’. Click ‘Create new client ID’. You won’t need a real Redirect URI if you are kicking things off with the JS popup login window, but make sure your JavaScript origin is exactly your website’s origin, scheme included, eg:
http://www.mysite.com
Once you’ve done that you should be able to click the login button, the popup will appear and you can “log in” to your site with your new app.

Step 2 – Your server setup:  https://developers.google.com/+/web/signin/server-side-flow
Here is where the author of the Google documentation clearly could not be bothered… anyway, here is the bit they miss out:
After going to the new GitHub repo https://github.com/google/google-api-php-client, downloading the full set of scripts and copying them somewhere sensible on your server, you will want a script like this. Whatever it ends up looking like, the server must exchange the one-time code itself and check that the resulting token was issued for your own client ID before it trusts the login; never accept a user ID posted straight from the browser:

Setting up Debian for web server

(NB This guide is subject to change and will evolve with every bit of spare time I have to improve it. Please also note, this is what I did and is not necessarily what you should do. If I have made any errors or something similar please let me know.)

Setting up a Debian 8 via SSH

Step1 – User Security, changing the root password

Hit enter and follow the prompts.

Step2 – Updates on a fresh install

1 – Still logged in as root run the following command:

2 – After the server has finished updating, you need to upgrade, run:

Step 3 – Configuring IPTables

Please review the debian wiki on this: https://wiki.debian.org/iptables

There is a basic iptables config there that will suffice for most: deny everything inbound by default and open only the ports you actually serve.
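Added example, not the config the post or the Debian wiki refers to: a shell script that generates a minimal iptables-restore ruleset for a host that serves only SSH and web traffic. The SSH port is a parameter (2222 is assumed below), so the same script keeps working after Step 7 moves SSH off port 22; it also adds a rate-limited LOG rule before the default DROP so that psad in Step 17 has something to read. Loading the result with iptables-apply, which reverts unless you confirm within a timeout, is the safe way to do this over an SSH session.

```shell
#!/bin/sh
# Added example (not from the original post): generate and load a minimal
# iptables ruleset for a Debian host that only serves SSH and web traffic.
set -eu

# build_rules SSH_PORT
# Print a ruleset in iptables-restore format. Nothing is changed on the box.
build_rules() {
  ssh_port="$1"
  cat <<EOF
*filter
# Default: drop everything inbound, allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to our own connections, and junk.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: ping and path-MTU discovery are useful and harmless.
-A INPUT -p icmp -j ACCEPT
# SSH on the chosen port. The 6th new connection from one address within
# 60 seconds is dropped, which blunts brute forcing before fail2ban kicks in.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
# Web.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Log (rate-limited) what is about to hit the DROP policy; psad reads these.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# apply_rules SSH_PORT
# Write the ruleset where iptables-persistent restores it from at boot, then
# load it with iptables-apply, which rolls back automatically unless you
# confirm within 60 seconds, so a mistake cannot lock you out of SSH.
apply_rules() {
  mkdir -p /etc/iptables
  build_rules "$1" > /etc/iptables/rules.v4
  iptables-apply -t 60 /etc/iptables/rules.v4
}

if [ "$#" -ge 1 ]; then
  apply_rules "$1"
fi
```

Run it as root with the SSH port as the only argument. Install iptables-persistent if you want /etc/iptables/rules.v4 reloaded at boot; otherwise the rules vanish on restart.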

Step 4 – installing ntp (network time protocol) & set server timezone
ntp should be installed by default, configure the timezones:

From http://wiki.debian.org/TimeZoneChanges

Restarting Daemons and Long-Running Programs

After the zoneinfo files are updated, you may need to restart daemons and other long-running programs to get them to use the new zone information. Examples of such programs include apache, bind, cron, fetchmail -d, inetd, mailman, sendmail, and sysklogd. A common symptom of this problem is seeing incorrect timestamps mixed in with the correct timestamps in your log files (e.g. /var/log/syslog). Even interactive programs like “mutt” may continue to use the old timezone information until they are restarted.

Or.. just restart the whole server:

 reboot

Step 5 – Adding a new username to the server

1 – Still logged in as ‘root’ we are going to use the command ‘adduser’ to add a user; the rest of this guide calls him ‘bob’. Enter the following command:

2 – You will then be prompted for a password, which you will have to type in twice; follow the rest of the prompts…

 
Step 6 – Adding ‘sudo’ rights to the new username

As we don’t want to allow root to log in via SSH, we need to give our new user root privileges through sudo, by adding them to the sudoers file:

1 – Still logged in as ‘root’, open the sudoers file (use visudo for this rather than a plain editor: it checks the syntax before saving, and a broken sudoers file locks everyone out of sudo):

2 – You should see a section that looks like:   root ALL=(ALL:ALL) ALL.
Under it add a new one for your new user, ‘bob’.

Save and exit (how to use nano)

To gain root privileges when logged in as bob, run the command below. It will ask for bob’s password, and the result is bob acting as root.

 

Step 7 – User Security, preventing root login and changing the SSH port

1 – Open the SSH config file:

2 – The default port for SSH connections is 22. Move it to an unused port between 1025 and 65535. Be clear about what this buys you: most of the automated bots only ever try port 22, so your logs get a lot quieter, but any real port scan will find the new port in seconds. What actually keeps people out are items 5 to 7 below (a short list of allowed users and no root login), fail2ban in Step 16 and, ideally, key-based authentication instead of passwords.

3 – Save and exit the SSH config file. Whatever port you changed SSH to, add it to your iptables rules (see the Debian wiki link in Step 3) before you restart, otherwise your next connection will be blocked. Once done, restart SSH:

4 – Open a new terminal whilst keeping the old one open and try to access your server on the new port. If you can get in, then you have successfully changed the default SSH port and allowed it through iptables, aka the firewall. Keep the original session open until the new one works.

5 – Now give your new user ‘bob’, or whatever you called it, access via SSH. Open the SSH config file again, add the line to the bottom, save and exit, then restart SSH:

6 – Fire up a new terminal and try to SSH in with the new port and the new user. Success? Great, move on…

NB: to give more than one person SSH access to the server, space-separate the names on the same line, eg:

7 – Last but not least, prevent root from logging in via SSH. Find the root login setting, change it to no, then restart SSH. Once done you should not be able to log in as root:
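Added example (not the post’s own steps, which use an editor): a shell script that applies the items of Step 7 to sshd_config idempotently, checks the file with sshd -t before restarting, and opens the new port in iptables first so you are not locked out. Port 2222 and the extra user names are assumptions; bob is the user from Step 5. Each option is set with one function, so once bob has an SSH key installed the same function can set PasswordAuthentication no.

```shell
#!/bin/sh
# Added example (not from the original post): set the sshd_config options from
# Step 7, validate the result, and only then restart sshd.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace every existing "KEY ..." line, commented or not, with "KEY VALUE".
# If there is none, add it before the first Match block (an option placed
# after "Match" would only apply inside that block), else at the end.
# Limitation: a KEY already inside a Match block is rewritten in place.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E -i "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    # "#Port 22" and "Port 22" both became "Port X": keep the first only.
    awk -v line="${key} ${value}" '$0 == line { if (seen++) next } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  elif grep -q '^Match' "$file"; then
    sed -i "0,/^Match/s/^Match/${key} ${value}\n&/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE PORT USER...
# Items 2, 5 and 7 of Step 7, plus a small MaxAuthTries to slow guessing.
harden_sshd_config() {
  file="$1"; port="$2"; shift 2
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" AllowUsers "$*"
  set_sshd_option "$file" MaxAuthTries 3
}

# apply_sshd PORT USER...: edit the live config, validate, open the firewall
# port, restart. Run as root while your existing SSH session stays open.
apply_sshd() {
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd_config /etc/ssh/sshd_config "$@"
  # sshd -t fails on a broken config; set -e then stops us before the restart.
  sshd -t
  iptables -I INPUT -p tcp --dport "$1" -j ACCEPT
  systemctl restart ssh
  echo "Keep this session open; test 'ssh -p $1 $2@<host>' from another terminal." >&2
}

if [ "$#" -ge 2 ]; then
  apply_sshd "$@"
fi
```

Usage: sh harden-ssh.sh 2222 bob (more user names may follow). The iptables -I line is a temporary rule so the test connection works; make the port permanent in whatever rules file you keep from Step 3, and give fail2ban the same port in Step 16.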

 

Step 8 – SSMTP, an email forwarding program

1 – install ssmtp:

2 – configure the following file:

a) comment out all the existing active settings
b) add the following lines, tweaked to your own details:

NB: port 25 may be blocked; you may require a different port, contact your email host. Also ensure your iptables rules allow the outbound connection to it.
NB: this file holds your mail account’s password in plain text, so make sure it is readable only by root (and the mail group ssmtp runs as). Also, some SMTP setups need php.ini pointed at a specific sendmail path on the server for php mail() to work: ssmtp does not. Leave it empty.

3 – Now test that ssmtp is working properly by sending a mail to your email address (eg, you@hotmail.com)

ssmtp somemail@yahoo.com

After pressing enter the cursor will jump down a line waiting for some more instructions, here you can enter more text for the email but for now, just press Ctrl + D to send the empty email.

You should now receive an email from your server as root.

Step9 – MySQL install

Using apt-get:

mysql_secure_installation sets a root password (if one is not already set), removes anonymous users, disables remote root login, removes the test database and the access rules related to it, and finally reloads the privilege tables.
REMARK: restart MySQL using systemctl restart mysql.service

Step10 – Apache2
Installing Apache2, this is what enables the server to send out html pages to people trying to access your site:

1 – Still logged in as root, run the following command:

2 – Enable mod_rewrite and mod_deflate (gzip compression). If you install webmin (below) you can do this via the webmin console, else use

3 – after it has finished, direct your browser to your domain name and you should see the Apache2 placeholder page (It works!). If you don’t have a domain sorted yet, just point your browser to the ip address of your server.

Step11 – PHP5 install
1 – To install the PHP program onto your server

After it has installed you will need to restart the program Apache2 on the server to make apache aware of the new PHP program it can use, to do this type:

Step12 – Adding MySQL support for PHP5 and a few others
To get MySQL support in PHP, we can install the php5-mysql package. It’s a good idea to install some other PHP5 modules as well, as you might need them for your applications. You can search for the available PHP5 modules like this:

This will display a list of the available PHP modules you can add. If this is the first time you have set up your own server then the chances are you won’t know what a lot of the modules are. You can check in the PHP manual.

1 – Without getting too bogged down in which modules to install, here is a pretty full list which should cover most of your needs. Enter the following command:

2 – Again restart Apache to make it aware of the updates you have just installed to PHP5

3 – An optional extra: something you use might require zlib. This takes quite a lot of space compared to the previous list, so only add it if you need it:

4 – Again restart Apache to make it aware of the updates you have just installed to PHP5

Step13 – Database management, phpMyAdmin
The last basic program to install is phpMyAdmin, the easy-to-use database management tool for managing your databases from a web browser instead of at the command line.

1 – Install a few prerequisites

2 – Run:

3 – You will see the following questions:
a) Web server to reconfigure automatically. Choose apache2
b) Configure database for phpmyadmin with dbconfig-common? Choose Yes
c) You will then be asked for the MySQL root password you chose previously.
d) You will also be asked to create another password. This is not a login for phpMyAdmin: it is the password of the ‘phpmyadmin’ database user that dbconfig-common creates for phpMyAdmin’s own control tables. Note it down, and make it different from the MySQL root password.

4 – After it has installed, restart Apache2

5 – To make phpMyAdmin work, the ‘apache2.conf’ file needs to include phpMyAdmin’s configuration. This is done by editing the apache2.conf file:

6 – Add the following line to the end

7 – Save, exit and restart Apache.

8 – You should now be able to log in to phpMyAdmin with root and the MySQL root password you have stored somewhere:
http://<yourdomainOrIP>/phpmyadmin/

9 – You will notice that the URL of the phpMyAdmin login is pretty predictable. Move it to some obscure alternative. This keeps the automated scanners out of your logs, but it is obscurity, not access control, so treat it as an extra on top of a strong MySQL password and, better, restricting who can reach the page at all:

10 – Change the following line:

To something like (where ‘secreturllogin’ is something secret of your choice like ‘osdvkjb765vlkj‘):

11 – Save and exit the file, restart Apache and you should be able to access phpMyAdmin on your new secret URL.

IMPORTANT

phpMyAdmin is not that safe in my opinion; it gets the most attacks when I view the HTTP logs. When you don’t need it, comment out the Include in the main Apache config file.

 

Step 14 – Optional: Install webmin, a GUI interface to the server
You may or may not be happy to know that Webmin got a whole load easier to configure.
1 – Add the following lines to /etc/apt/sources.list

2 – Add the apt key:

3 – Install the package using the following command

4 – As with phpMyAdmin, move Webmin off its default port 10000 to cut down the scanner noise (the author used 784; anything you will remember is fine). On its own that is not real protection, so also restrict the interface to trusted IP addresses in Webmin’s own IP access control, and allow only that port through your iptables rules. Change the port number on the first line of the config file and save it.

5 – Stop and restart Webmin to pick up the change:

You should now be able to access the Webmin interface with ‘:784’ (where 784 is the port number you picked)

Step 15 – php.ini configurations

If you need to make changes to php.ini, there are two files that can be changed (under /etc/php5/ on Debian 8):
1) apache2/php.ini
2) cli/php.ini (cli is the command line interface).

The cli/php.ini is only in effect when running a PHP script from the command line.
The apache2/php.ini is the one you want for PHP web pages.

Step 16 – Fail2Ban to prevent brute force attacks on ssh and others

fail2ban scans log files and bans IPs that show malicious signs, for example too many password failures, probing for exploits, etc.

If you have changed the SSH port number, let fail2ban know about it: set the ssh jail’s port to your new port. Put the override in jail.local rather than editing jail.conf directly, because jail.conf is replaced when the package is upgraded and your change would be lost.

Find details in this post.

Step 17 – Intrusion detection

psad analyzes iptables log messages to detect port scans and other suspicious traffic. It only sees what iptables logs, so your firewall rules need a LOG rule for dropped packets or psad has nothing to work with.

apt-get install psad

Find details in this post.

 

Step 18 – Lynis, find out how secure your system really is

Install Lynis using apt-get:

Perform system check and get your score…:

 

--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--checkall, -c                   Start the check
--check-update                   Check if Lynis is up-to-date
--cronjob                        Run Lynis as cronjob (includes -c -Q)
--help, -h                       Shows valid parameters
--manpage                        View man page
--nocolors                       Do not use any colors
--pentest                        Perform a penetration test scan (non-privileged)
--quick, -Q                      Don't wait for user input, except on errors
--quiet                          Only show warnings (includes --quick, but doesn't wait)
--reverse-colors                 Use a different color scheme for lighter backgrounds
--version, -V                    Check program version (and quit)

jQuery extension to insert a string of characters at the cursor/selection of a textarea/text input

A simple jQuery extension to easily place a string into a textarea or text input at the cursor’s position: