2011-04-22

rsync + FAT32 filesystem

Found a useful nugget in the rsync FAQ: if the destination of an rsync run is a FAT32 filesystem, you need to add the --modify-window=1 option, due to problems with the modified times on FAT32. A working example would be:
rsync \
--progress \
--delete \
--verbose \
--archive \
--modify-window=1 \
/path/to/source/dir/ \
/path/to/fat32/dir/
As always, remember to be careful about those trailing slashes!

2011-04-14

Self-signing a certificate... quickly

I've been using SSL/TLS certs for a long, long time - I've even had to re-issue my personal CA cert after it expired after 5 years. However, every time I've issued a self-signed cert for an internal site, openssl prompted me interactively for the Country, State, Locality, etc. etc. blah, blah, blah. The lack of automation was exceptionally annoying. I knew the defaults could be customized so that only the Common Name would have to be entered, but that wasn't enough. The openssl req manual page has a non-working example of a config file that shouldn't prompt (Sample configuration containing all field values) but it doesn't work. After spending considerable time trying to craft a custom, template openssl.cnf file today, I finally found a blog post that mentions the -subj argument that completes the certificate request without any prompting. The only prompting now done is for the rsa command if you're encrypting your keyfile. And of course, this can be automated with the -passin arg, if needed. Here is a full example:
# FQDN of SSL/TLS site
CN="fhqwhgads.example.com"

# preflight
C="US"
ST="New York"
L="New York"
O="Example.com Inc."
OU="Systems Team"
emailAddress="devnull@example.com"

# create a private key
openssl genrsa -out ${CN}.key 2048
# create a certificate request
openssl req \
-new \
-subj "/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN/emailAddress=$emailAddress" \
-key ${CN}.key \
-out ${CN}.csr
# create cert
openssl x509 -req -days 3650 -in ${CN}.csr -signkey ${CN}.key -out ${CN}.crt

#
# optional - encrypt key
#
# move key
mv ${CN}.key ${CN}.key.plain
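# encrypt key
# (the new passphrase is an output passphrase: add '-passout file:pathname'
# for no prompting; '-passout pass:password' also works but exposes the
# passphrase in the process list and shell history)
# see openssl(1) manpage
openssl rsa -des3 -in ${CN}.key.plain -out ${CN}.key.crypt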
# rename key
mv ${CN}.key.crypt ${CN}.key
# clean up
rm ${CN}.key.plain
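
A follow-up check for a certificate issued this way, as an added example that is not part of the original post: it repeats the three non-interactive steps and then confirms that the key and certificate belong together, that the subject CN is the expected FQDN, that the certificate is self-signed, and that it is not about to expire. The function names and the 30-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# 30-day expiry margin are assumptions.

_fail() { echo "FAIL: $*" >&2; return 1; }

# make_selfsigned DIR CN DAYS: genrsa -> req -subj -> x509 -signkey, no prompts.
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    (   umask 077    # keep the private key unreadable to other users
        openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null &&
        openssl req -new -subj "/O=Example.com Inc./CN=$cn" \
            -key "$dir/$cn.key" -out "$dir/$cn.csr" &&
        openssl x509 -req -days "$days" -in "$dir/$cn.csr" \
            -signkey "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null )
}

# check_selfsigned KEY CRT CN: returns 0 only if all four checks pass.
# KEY must be the unencrypted key (run this before the optional encrypt step).
check_selfsigned() {
    key=$1 crt=$2 want_cn=$3

    # 1. The certificate carries the public half of this private key.
    pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || pub=
    [ -n "$pub" ] &&
        [ "$pub" = "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ] ||
        _fail "key and certificate do not match" || return 1

    # 2. The subject CN is the FQDN the site will be served under.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    got_cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got_cn" = "$want_cn" ] ||
        _fail "CN is '$got_cn', expected '$want_cn'" || return 1

    # 3. Self-signed: issuer and subject are the same name.
    iss=$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253)
    [ "${iss#issuer=}" = "${subj#subject=}" ] ||
        _fail "issuer differs from subject" || return 1

    # 4. Still valid 30 days (2592000 seconds) from now.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        _fail "certificate expires within 30 days"
}

# Usage: d=$(mktemp -d); make_selfsigned "$d" fhqwhgads.example.com 3650 &&
#        check_selfsigned "$d/fhqwhgads.example.com.key" \
#                         "$d/fhqwhgads.example.com.crt" fhqwhgads.example.com
```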

2011-04-08

Disabling TRACE and TRACK methods

After reading a blog post about how to disable TRACE and TRACK for compliance, I've taken an extra step - limit HTTP requests to only "the big three":
RewriteEngine On
# the trailing $ anchors the match so only exactly GET, HEAD or POST pass
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]
It's possible you might want to add "OPTIONS" to that list or "DELETE|PUT" to be RESTful, but as with most implementations, YMMV.
