Uncategorized - 26 Jun 2009 12:16 am

There’s a decent performance boost to be had by coupling Apache with lighttpd, a lightweight (hence the name) web server with great features and a ridiculously small footprint.

In this example…. we’re configuring lighttpd as our front-facing (port 80) web server. It will use mod_proxy (the proxy module) to pass any dynamic requests back to Apache listening on port 8080, while lighttpd takes care of any and all static content itself. I won’t go into the details of *installing* lighttpd or Apache as this is beyond the scope of this article.

First of all…. ports.

In the Apache config (/etc/apache2/ports.conf if you’re using Debian, or /etc/httpd/conf/httpd.conf if you’re using RedHat or a derivative; these are just the default install locations) you want to find the following line:

	Listen 80

And change it to:

	Listen 8080

That’s it for the Apache config, with two caveats. First, Apache is now listening on 8080 on every interface, and because the proxy rule below points at the server’s own IP rather than 127.0.0.1, you can’t simply bind it to loopback; firewall port 8080 so that only the local host (i.e. lighttpd) can reach it, otherwise anyone can talk to Apache directly and walk straight past lighttpd. Second, Apache will now see every proxied request as coming from lighttpd’s address, so log the real client from the X-Forwarded-For header that lighttpd’s mod_proxy adds (%{X-Forwarded-For}i in your LogFormat). By default, lighttpd should already be listening on port 80 so we don’t need to change that.

In lighttpd.conf (wherever your distro of choice chooses to place this file), find the server.modules section, and uncomment (or add, if it’s not there already) the following line:

	"mod_proxy",

Now, scoot down to the bottom of the file, and we’ll set up the proxy:

	$HTTP["url"] !~ "(?i)\.(js|css|gif|jpg|png|ico|txt|swf|mp3|pdf|ps|wav|flv|zip|rar|gz|tar)$" {
		proxy.server = ( "" => (
			( "host" => "your-server-ip-here", "port" => 8080 )
		))
	}

Obviously substitute "your-server-ip-here" with the IP address of your web server. This is very important, because if you use any virtual hosts, they won’t like it if you just set host to 127.0.0.1 (or at least they didn’t in my config).

Which brings me to the next point…. virtual hosts. If you are serving several domains from the same box with several different virtual hosts, you will need a matching virtual host definition in lighttpd for each one, because lighttpd has to know which document root to serve each site’s static content from. Bear in mind that lighttpd then serves those files straight off disk: anything Apache was enforcing on them (a "Deny from all" in a .htaccess, HTTP auth) no longer applies to requests that match the static extension list, so either reproduce the restriction in lighttpd (mod_access and url.access-deny) or keep such files out of that list. This worked for me (for this site):

	$HTTP["host"] =~ "(^|\.)richardwalker\.com\.au$" {
		server.document-root = "/opt/web/richardwalker.com.au"
	}

That’s it….. that’s a virtual host definition in lighttpd. There are several more options but for the purposes of this demonstration (and of this site), that worked a treat.

All that’s needed now is to restart both servers, in the right order: stop Apache first so it lets go of port 80, then start lighttpd (which takes port 80) and finally Apache on 8080. If lighttpd comes up while Apache is still holding port 80 it will simply fail to bind.
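As an added example (my own code, not something from the original post), here is a small Python audit of the split the rules above produce. backend_for() applies the same extension regex to decide which server answers a given request, and bypassed_files() walks a document root looking for directories that Apache locks down with a "Deny from all" .htaccess and lists the files inside them that lighttpd would nonetheless hand out, because lighttpd never reads .htaccess. The document root, its files and the function names are constructed for the demonstration and are not anything from the site in the post.

```python
import os
import re
import tempfile

# The extension list from the lighttpd rule in the post: anything matching is
# served by lighttpd from its document root, everything else goes to Apache.
STATIC_RE = re.compile(
    r"(?i)\.(js|css|gif|jpg|png|ico|txt|swf|mp3|pdf|ps|wav|flv|zip|rar|gz|tar)$"
)

# Apache per-directory "deny everything" directives (2.2 and 2.4 spellings).
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def backend_for(request_uri):
    """Decide which server answers a request under the split configuration.

    lighttpd evaluates $HTTP["url"] against the request path, so the query
    string is dropped before the extension test (a '?file=x.css' on a PHP
    script does not turn it into a static file).
    """
    path = request_uri.split("?", 1)[0]
    return "lighttpd" if STATIC_RE.search(path) else "apache"


def denied_dirs(docroot):
    """Directories whose .htaccess denies all access (an Apache-only control)."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8") as fh:
                if DENY_RE.search(fh.read()):
                    found.append(dirpath)
    return found


def bypassed_files(docroot):
    """URL paths lighttpd would serve although Apache's .htaccess denies them.

    .htaccess rules inherit downwards, so every subdirectory of a denied
    directory is walked too. Returned sorted, without duplicates.
    """
    leaks = set()
    for denied in denied_dirs(docroot):
        for dirpath, _dirs, files in os.walk(denied):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                url = "/" + rel.replace(os.sep, "/")
                if backend_for(url) == "lighttpd":
                    leaks.add(url)
    return sorted(leaks)


def build_sample_docroot():
    """Constructed sample site: a public area plus a directory Apache locks down."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": "<?php echo 'hello'; ?>",
        "style.css": "body { color: #000; }",
        "private/.htaccess": "Order deny,allow\nDeny from all\n",
        "private/notes.txt": "internal notes",
        "private/report.pdf": "%PDF-1.4 (constructed placeholder)",
        "private/admin.php": "<?php /* dynamic, stays behind Apache */ ?>",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for uri in ("/index.php", "/style.css", "/private/notes.txt?x=1", "/private/admin.php"):
        print(f"{uri:28} -> {backend_for(uri)}")
    print("served by lighttpd despite Deny from all:", bypassed_files(root))
```

Run it against your real document root instead of the constructed one and anything it lists needs an equivalent url.access-deny rule in lighttpd, or a different home outside the web tree.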

You might wonder why this approach is beneficial….. Apache can be set up with persistent (keep-alive) connections, so a browser fetches the page and everything it references (the CSS, the images, etc.) over the one connection. This can be troublesome for sites with huge amounts of traffic: instead of just dropping off when the job is done, each connection, and the Apache child process holding it, hangs around for KeepAliveTimeout seconds, and large amounts of concurrent traffic quickly turn into a large number of idle but occupied children.

Alternatively, if you leave persistent connections off, you get a connection made to the web server for each item in the HTML that needs fetching…. the root HTML itself, a CSS file or two, a JS include, all the images……. and each one of those ties up a full Apache child process, with mod_php and whatever else is loaded, for the duration of the request. This can result in very large chunks of memory being eaten up all at once in bursts, which can slow things down considerably. Handing the static files to lighttpd, which serves them from a single small process, takes all of that load off Apache.

There are of course several schools of thought on this sort of thing, and everyone has an opinion about which is better…. for me, the approach outlined above works perfectly. My lighttpd access log has hits for all the static items, and my apache log has only the single hit, the initial GET request for the HTML itself. Which is exactly the way it should be.

Business - 22 Jun 2009 02:29 pm

Thankfully, these lessons haven’t been learned the hard way - not entirely anyway.

I’m not referring to my own web services - I don’t provide any of these. I’m referring to a particular web service I use to create and lodge invoices electronically.

Granted they are working hard to restore their services so I’ll refrain from outing them, but I’ll share a few things I’ve learned, not just with this latest incident but with web services in general.

1. Keep the customers informed. If you’re planning an outage period, or things aren’t going as expected, send a single email to your customer base explaining the planned/estimated outage times, or if applicable, an explanation of what went wrong and what you’re doing to fix it. While your customers might still be peeved, at least they’re in the loop.

2. Try and avoid using social networking tools to announce outages. Twitter is NOT a suitable means by which to communicate outages, as progressive and “nu-skool” as this approach may seem.

3. For the love of God, tread carefully when dealing with DNS changes. DNS, by nature and with regards to change, is a slow, unwieldy beast. If you make a mistake and spot it too late (i.e. overnight) the mistake may have already propagated, and fixing it will take just as long, because resolvers cache the bad record for its full TTL (unless you set your TTLs ridiculously low, ideally lowering them at least one TTL period ahead of a planned change and raising them again afterwards).

4. If you can’t release a product or revision to the product without a prominent risk of failure, just don’t. The old mantra “real programmers ship” is as vague as it is foolish….. I’d rather wait another week for an upgrade I might not even notice, than go 24 hours without a crucial service because something went “bang”. You can still make ambitious release dates, but just put some real time, effort, and most of all, serious and careful thought, into setting up your development and release infrastructure. If you do things right, announcing an outage for purposes of maintenance/upgrade will be a thing of the past… your customers won’t even notice.

5. Prepping a release at 6pm on a Friday evening is a no-no. Your developers are probably burnt out from a week of frantic preparation, and this sets the stage for errors. I’ve been told on numerous occasions that shipping a particular feature/product on a particular date is “important to the business”. What’s more important is your image, and having exhausted developers cram something out the door in time for the upper echelons to nod their heads in approval, and then having said product blow up in your face because of an error that got missed, makes you look stupid in the eyes of your customers. Again: it is always better to ship late than ship broken. As a customer, I’d rather see a polished, functional product than a broken, rushed one. A poorly executed release reflects badly on you and your product. Take the time to do it properly.

That’s it for today’s rant!

linux - 03 Mar 2009 06:00 pm

Dear Netlogistics,

(CC: Any hosting provider who provides VPS hosting plans)

Please, please, PLEASE include a full-featured set of iptables modules. “-m state” and “-m recent” at the very least. It’s the only way to set up a half-decent set of firewall rules.

Thanks,

Internet

linux - 23 Feb 2009 10:57 pm

After fighting a losing battle trying to get x.org 7.2 working on my machine, a nice chap over at the gentoo forums was able to help me solve the issue.

In a nutshell:

  1. Make sure “hal” and “dbus” USE flags are set in make.conf.
  2. Re-emerge xorg-server if they weren’t.
  3. Change the “driver” names for keyboard/mouse devices to “evdev” in xorg.conf.
  4. ???
  5. Profit.

A snippet from my xorg.conf input sections might help:

Section "InputDevice"
Identifier     "Mouse0"
Driver         "evdev"
Option         "Protocol"
Option         "Device" "/dev/input/event5"
Option         "Emulate3Buttons" "no"
Option         "ZAxisMapping" "4 5"
EndSection

Section "InputDevice"
Identifier     "Keyboard0"
Driver         "evdev"
Option         "Device" "/dev/input/event3"
EndSection

To get the evdev event addresses (/dev/input/event3 etc) just use “cat /proc/bus/input/devices | more” and look for your keyboard vendor… my Apple keyboard showed up twice, only one of the two events worked. A little bit of trial-and-error there and you should be up and running.

The full thread is available on the Gentoo forums.

Miscellaneous - 24 Jan 2009 08:40 pm

TOTALLY off-topic, and the last thing I’d usually write about, but I found this recently while trying to diagnose my parents’ Jack Russell terrier, Browser.

Snippet from The Glittering Eye follows:

It’s an oldie but a goodie. I don’t know the original source of this but it’s pretty well-known to dog lovers.

YELLOW URKA-GURKA

Dog runs around the house and hides under furniture while making a prolonged ‘uuuuurka-guuuuurka, uuurka-guurka’ noise. (This noise is the only thing guaranteed to wake up a true dog lover who is hung over from a post dog-show celebration at 3:30 a.m.) After mad scrambling to capture the dog and drag him outside, the episode ends with an inaudible ten yard slimy yellow froth from the living room rug to the back door.

BLAP DISEASE

Dog exercises hard and (a) eats large mouthfuls of snow (winter Blap Disease) or (b) drinks a bucket of water (Summer Blap Disease). Within two minutes of returning inside, the dog spews out large amounts of clear slimy liquid while making a distinctive ‘blap’ sound and a sharp percussive noise as it hits the linoleum.

GARKS

Dog suddenly clears his throat with loud and dramatic ‘gggaark, gggark’ noises generally followed by prolonged ‘iiiksss’ and then loud satisfied smacking noises. There is nothing on the rug. Don’t investigate, you don’t want to know.

RALFS

Apropos of nothing, the dog strolls into the dining room and waits till the innocent dinner guests are all watching him. Then, with a single deep gut-wrenching ‘raaaalff’, dislodges the entire week’s contents of his stomach on the dining room rug.

Variation: Then he eats it.

In all the above events the dog is entirely healthy and indeed deeply pleased with himself.

Miscellaneous - 04 Jan 2009 07:33 am

If you’re like me and are fortunate enough to have your own external SMTP server (which is just about anyone with dedicated or VPS web hosting) here’s a simple but really neat trick….. configure your SMTP service (exim, postfix, et al) to listen on port 587 as well as port 25….. port 587 is the IANA-registered mail submission port (RFC 4409), so it is the proper place for your own clients to hand mail in anyway. Since the submission port exists for authenticated clients, don’t just clone the port-25 listener onto it: make it require SMTP AUTH (with STARTTLS, so the credentials don’t cross the wire in the clear) and relay only for authenticated users, because a submission port that relays for anyone is an open relay. In Postfix this is the "submission" entry in master.cf. Most ISPs cruel enough to block port 25 probably won’t block port 587. And hey, if they do, use a different port…. 26, 8025, 8587, just make sure it’s not something used by another service.

The other side of the equation is your mail client….. alter your SMTP settings and change the port to the new one you specified in your MTA config. It’s possible (I’ve not tested it) that using SSL or TLS may yield positive results too…. I’m not sure if this particular nameless ISP (run by a monopolistic behemoth telco in Australia, hint hint) blocks secure SMTP or not, but I might give it a try and swing an update to this post with my results.

Miscellaneous & linux - 02 Dec 2008 02:28 pm

Recently, I’ve had an issue using mount.cifs from the command line in linux to mount shares, on Ubuntu Linux (as a client).

The problem was that mounting a Samba share using CIFS with only the Samba username/password would render the entire mount unwritable, except by root, because without a uid= option the mounted files show up as owned by root on the client side.

The dead simple solution to this is as follows.

Instead of doing just this:

mount.cifs //<server>/<share> <mountpoint> -o user=<username>,pass=<password>

Try this:

mount.cifs //<server>/<share> <mountpoint> -o uid=<localuser>,gid=<localgroup>,user=<username>,pass=<password>

So if your samba username is joe.bloggs, and your username and group on your local machine are just “joe”, you’d do this:

mount.cifs //<server>/<share> <mountpoint> -o uid=joe,gid=joe,user=joe.bloggs,pass=<password>

This simply tells CIFS that user ‘joe’ on the local machine should be the owner of the mounted share (uid= and gid= accept names or numeric IDs), and ‘joe’ is then subject to whatever permissions the Samba server has set. One thing to avoid, though: putting pass= on the command line leaves the password in your shell history and visible to anyone running ps while the mount is in progress. Either leave pass= off and let mount.cifs prompt for it, or point credentials= at a file (mode 0600) containing username= and password= lines.

Easy as!

Certification - 01 Dec 2008 09:28 pm

So I have an option to undergo a few new certifications.

I have a shortlist (of vendors, at least): Cisco, RedHat, Oracle, Novell. Not necessarily in that order.

I think one thing I’ve discovered is that being the jack-of-all-trades type is extremely handy because you’re so hireable for anybody who touches upon any area of technology you happen to be savvy in. One thing I’m learning through talking to people however is that specialists tend to earn a lot more, even if finding the work they’re after is a little trickier and they have to think on their feet a lot more to move (geographically, if necessary) where the money is.

However the other area in which certification is handy is when you have someone like me, jack-of-all-trades etc who has earned their skills through live-fire exercise, so to speak; usually dropped in the deep end with something or faced with a challenge that threatens to unseat their personal lives through commitment to getting the job done.

I’m talking about knowledge holes. Gaping voids, in some cases.

Being fire-baptised in IT is a great thing because it teaches you comprehension, complex reasoning, problem solving and any number of other valuable skills. All in all, if it were up to me, if you presented me with a) a die-hard hobbyist who’d been playing with computers since the age of 12, with no tertiary education and who’d hopped from one work experience placement to another, perhaps putting in a little grunt time at a university or ISP or their dad’s company, and who’d taught themselves the skills they deemed useful, or b) a straight-7’s computer science student….. in an ideal world, I’d hire both, but if I had to choose, it would be an extremely difficult choice, and most likely contingent upon Mr/Ms Straight 7’s past in the field, i.e. did he/she take to computers early on out of genuine passion, or did they simply fit into the groove after leaving school and do very well.

Experience trumps education. And while that may seem like a very obtuse and foolish view, remember that experience IS education. It’s just a different form of education….. it’s education learned through exposure and practical application rather than theory, study and more theory.

Example: I have absolutely no idea what 1st, or 2nd, or 3rd, or 4th “normal form” is if I were faced with such a question on an exam. But I’d put money on the fact that I can design and implement a database much better than Mr Straight 7’s, because I’ve had real exposure to such problems. And upon examination, it would be perfectly apparent that my design was well thought out, thoroughly normalised and generally in very good shape.

Now, I’m not suggesting a university education is worthless, or even simply unnecessary… but where IT managers and the like need to be careful is in simply moving someone’s resume to the top of the pile because they finished first in their class.

Experience is gold. Education makes a great foundation and an even better supplement after the fact, and if you can combine the two, you are dynamite and damn near unstoppable.

But I digress (on a monumental scale). The reason for my desire to attain more certification is to plug knowledge gaps…. I’m a good man in a storm, I let nothing stand between me and ultimate success when it comes to solving technology problems, but there is ground I haven’t covered. I can kick ass in my field and suddenly be left treading water and eventually drowning because there’s just one little area I’m completely unexposed to, and in which I’m completely uneducated.

This is where certification fits in: most people like me can absolutely cream the certification path/uni course of choice, because real world experience primes you to nail the comprehension, complex reasoning and problem solving tasks that you may face during the process, and leave you to simply soak up the knowledge and apply it creatively, pragmatically and most importantly, with an eye for real-world application.

Moral of the story: if you’ve been in the game a couple of years, and are a pro at getting the job done in a half dozen different disciplines, there could not possibly be a better time to pick a specialisation and get certified. By the time your certification is done, you’ve already got several years applicable experience under your belt and can start punching well above your weight straight away.

Business & Hardware - 17 Nov 2008 04:28 pm

If there’s one valuable lesson I’ve had to learn and re-learn over and over again, it’s that a business, fledgling or otherwise, simply must not skimp on some pretty crucial IT components…. so I’ve made a list of what sort of things the new or established business should look at prioritising, tech-wise (in no particular order):

Power protection. This is simply a MUST. There is no excuse for second-rate hardware, as a failure here has the potential to do a lot of damage, most importantly to things you DON’T skimp on, or even worse, your data.

A decent business-grade-or-better UPS is a must, and if you can’t verify it’s good for at least a thousand-amp surge, get a surge protector that is. I have one plugged into the wall near my feet that cost me $30, and has a $25,000 connected equipment warranty. From memory, it’s good for about 1,300 amps of current.

Whichever UPS you choose, it is essential that it has the capability to connect to your hardware via RS-232 or USB, so that your equipment can get the notifications it needs to start a clean shutdown. A 30-minute battery life is utterly useless during a 35-minute power failure, if all that happens when the batteries run dry is that the equipment goes down hard anyway!

If you can cover every piece of computing equipment in the office, so nobody goes down in sheets of flame when the power goes out, even better. Expensive, but in my opinion, downtime is even more so.

Decent networking gear. A little desktop 8-port switch running all your crucial bits isn’t really that much of an unsafe bet, but if it fails (and a fair percentage do, even if it’s never happened to you) you’re left with nothing tying your network together, and a bunch of workers twiddling their thumbs while you feverishly run off to Harris Tech to buy a new switch.

Get something reasonable. Doesn’t have to be a monstrous 48-port managed beast from Cisco with fiber connections etc, but get something rackmountable, 24 ports to allow for future expansion, and a decent brand…. I’m looking an unmanaged solution from Cisco square in the eyes here, but if it’s beyond your price range, go for something like Asus or D-Link.

On the topic of networking gear, a business-grade ADSL modem (assuming you have ADSL) is absolutely crucial. Again, see the point about failure: workers twiddling their thumbs while you hike to the nearest computer shop for a new modem. Consumer-grade modems often have problems dealing with a “larger” (5 or more people, certainly not large) internal network, as NAT tables etc tend to get overrun, and they will simply fall over and twitch/sputter/whimper if you happen to get (D)DoS’d. I’ve recently stumbled upon Draytek as a pretty good brand (although it got fried thanks to point #1 not being observed previously), but Cisco would be the definite preference…. again, if it’s out of your price range, Draytek is a sure bet.

Don’t even think about bringing in something you pulled off the shelf at your local computer store for $99.

Redundancy. $1,000 for your entire server infrastructure might look like awesome savings on paper, but you won’t be thinking that when a month’s worth of data goes down the tube because a hard drive dies. Think about how long it took X number of people to do all that work, and how much it cost to pay them…. weigh that up against paying a few thousand extra for a business-grade server with redundant storage, along with a backup option (tape preferably). It’s an easy choice, really…. pay $5,000 now for a business-grade server stacked inside a rack cabinet with a business-grade UPS, and a RAID solution. RAID5 is my personal favourite, as alongside the data protection, you get downtime protection too… if a drive dies, the lights stay on and you just replace the drive. It’ll crunch for a few hours rebuilding the array, but no-one else in the office going about their daily duties needs to be any the wiser…. and that’s exactly the way it should be. Hardware RAID5 is better….. don’t put your data’s fate in the hands of a generic software-based solution.

Guys who know their stuff. I’ve heard of too many places that get a “consultant” in for a few days to build them a server and then bugger off and leave it to its own devices. If your company or business model doesn’t warrant in-house IT talent, think seriously about hosting everything (email, web etc) offsite and then striking up a good relationship with an IT consultant who’ll work by the hour, and have a support contract in place…… you might not need him/her for 6 months, but when you do, he/she is an hour or so away and can get you back up and running ASAP. And you’ll have a nice fileserver running onsite with the peace of mind in knowing that it can get fixed same-day by your IT consultant of choice.

If you are the sort of business who needs IT talent, then make sure you match up your infrastructure with their skillsets….. it can be tricky, but find yourself a jack-of-all-trades who’s savvy with all aspects of your infrastructure, whether you’re a Linux-based or Windows-based shop. Make sure they’ve got the right equipment, and that they’re happy to kick in a few outside hours (weekends, nights etc) to keep things running or to fix things when needed. A 9-5 clock-puncher who disappears off the face of the earth between 5pm and 9am isn’t going to fix a 24/7 system when it goes down out of hours. Get some sort of monitoring set up so that they get that irritating SMS at 4 in the morning telling them that something is broken. If they’re good at what they do and take their job seriously, they’ll haul their butts out of bed and fix it.

Equipment for everyone. You don’t need to buy a $4,000 gaming rig for the guy who works at spreadsheets all day or writes content…. but make sure the equipment you do buy is good quality. Spend a little extra cash on good quality monitors, slightly-better-than-average componentry and comfy, ergonomic chairs, keyboards and mice. You’re not trying to run a sweatshop or boiler room, so treat your staff with respect and make sure they enjoy using the equipment that makes the business earn money! More importantly, you don’t want a graveyard of broken-down computers and computer parts filling up the server room.

So!

That was a (by no means exhaustive) list of some of the things you’ll be looking at purchasing/providing when setting up or expanding your business, and in my opinion, they are things that should not be skimped on. If you look at that list and think “well, chairs, servers, computers… what else IS there??” that’s kind of the point….. it’s all the equipment that makes your business function (and keeps your staff comfortable), and essentially is what brings money into the business…. ergo it’s entirely justifiable to spend a bit of extra cash making sure you get the goods. And not the junk.

Miscellaneous - 01 Nov 2008 11:22 am

Jonathan Xavier Walker was born 2:41pm, 30th October 2008, at a healthy 3.84kg (8lbs 8 ounces for those of you still wallowing in the labyrinthine and archaic grasp of the imperial system!).

It’s been a LONG 60 hours. Krissy went into labour around 2:00am on Thursday morning, and then it was just all systems go from there.

Those of you who are in the loop Facebook-wise, there’ll no doubt be a multitude of photos hitting the pages very very soon!

Nothing further for now….. everyone concerned is absolutely WRECKED and I’ve got an epic amount of work to catch up on….. once things settle down a bit, I’ll have more.
