# uname -a

WordPress : Migrate from The Events Calendar to Events Manager

Mathieu — Tue, 31 Mar 2026 18:09:00 +0200

A quick snippet to switch all my events created with The Events Calendar to Events Manager, which offers more functionnalities in its free version.

It is a single-file plugin that you can activate in WordPress. Use it at your own risks, and with a backup available before starting.

<?php
/**
 * Plugin Name: TEC → Events Manager Migration
 * Description: Auto migration of The Events Calendar to Events Manager.
 * Version: 1.0
 */

if (!defined('ABSPATH')) exit;

class TEC_To_EM_Migration {

    const DRY_RUN = false;
    const LOG_FILE = WP_CONTENT_DIR . '/tec-em-migration.log';

    public function __construct() {
        add_action('admin_menu', [$this, 'add_admin_page']);
    }

    public function add_admin_page() {
        add_menu_page(
            'Migration TEC → EM',
            'TEC → EM',
            'manage_options',
            'tec-em-migration',
            [$this, 'admin_page']
        );
    }

    public function admin_page() {
        if (isset($_POST['run_migration'])) {
            $this->log("=== START MIGRATION ===");
            $this->migrate_events();
            $this->log("=== END MIGRATION ===");
            echo "<div class='updated'><p>Migration finished. See log file.</p></div>";
        }

        echo '<h1>Migration TEC → Events Manager</h1>';
        echo '<form method="post">';
        echo '<p><strong>DRY RUN :</strong> ' . (self::DRY_RUN ? 'YES' : 'NO') . '</p>';
        echo '<input type="submit" name="run_migration" class="button button-primary" value="Start migration">';
        echo '</form>';
    }

    private function migrate_events() {
        $events = get_posts([
            'post_type'      => 'tribe_events',
            'post_status' => 'publish',
            'posts_per_page' => -1,
        ]);

        foreach ($events as $event) {
            $this->log("The Event Calendar: {$event->post_title}");

            // Dates
            $start = get_post_meta($event->ID, '_EventStartDate', true);
            $end   = get_post_meta($event->ID, '_EventEndDate', true);

            // Location
            $venue_id = get_post_meta($event->ID, '_EventVenueID', true);
            $location_id = $this->migrate_location($venue_id);

            // Create EM event
            $new_post_id = $this->create_em_event($event, $start, $end, $location_id);

            // Thumbnail
            $thumbnail_id = get_post_thumbnail_id($event->ID);
            set_post_thumbnail($new_post_id, $thumbnail_id);
        }
    }

    private function migrate_location($venue_id) {
        if (!$venue_id) return 0;

        $venue = get_post($venue_id);
        if (!$venue) return 0;

        $address = get_post_meta($venue_id, '_VenueAddress', true);
        $city    = get_post_meta($venue_id, '_VenueCity', true);
        $country = 'FR';

        $this->log(" → Location: {$venue->post_title}");

        if (self::DRY_RUN) return 0;

        global $wpdb;
        $existing_id = $wpdb->get_var(
            $wpdb->prepare(
                "SELECT location_id FROM {$wpdb->prefix}em_locations WHERE location_name = %s LIMIT 1", $venue->post_title
            )
        );
 
        if ($existing_id) {
            $this->log("   → Existing location, ID = {$existing_id}");
            return $existing_id;
        } else {

            $EM_Location = new EM_Location();

            $EM_Location->location_name    = $venue->post_title;
            $EM_Location->location_address = $address;
            $EM_Location->location_town    = $city;
            $EM_Location->location_country = $country;

            $lat = get_post_meta($venue_id, '_VenueLatitude', true);
            $lng = get_post_meta($venue_id, '_VenueLongitude', true);
            if ($lat && $lng) {
                $EM_Location->location_latitude  = $lat;
                $EM_Location->location_longitude = $lng;
            }

            $EM_Location->save();

            $this->log("   → New location created, ID = {$EM_Location->location_id}");

            return $EM_Location->location_id;
        }
    }

    private function extract_time($datetime) {
        if (!$datetime) return '00:00:00';

        // Normalize datetime
        $datetime = str_replace('T', ' ', $datetime);

        // Extract hours
        $parts = explode(' ', trim($datetime));
        if (count($parts) < 2) return '00:00:00';

        $time = $parts[1];

        // Add missing seconds
        if (preg_match('/^\d{2}:\d{2}$/', $time)) {
            $time .= ':00';
        }

        // Only keep HH:MM:SS
        if (preg_match('/^\d{2}:\d{2}:\d{2}/', $time, $m)) {
            return $m[0];
        }

        return '00:00:00';
    }

    private function create_em_event($event, $start, $end, $location_id) {
        $this->log(" → Creating EM: {$event->post_title}");

        $start_date = substr($start, 0, 10);
        $end_date   = substr($end, 0, 10);

        $start_time = $this->extract_time($start);
        $end_time   = $this->extract_time($end);

        if (self::DRY_RUN) return 0;

        // Create new EM event

        $EM_Event = new EM_Event();
        $EM_Event->event_type = 'single';
        $EM_Event->event_archetype = 'event';
        $EM_Event->event_name = $event->post_title;
        $EM_Event->post_content = $event->post_content;
        $EM_Event->event_date_created = $event->post_date;
        $EM_Event->event_start_date = $start_date;
        $EM_Event->event_start_time = $start_time;
        $EM_Event->event_end_date = $end_date;
        $EM_Event->event_end_time = $end_time;
        $EM_Event->start = strtotime($EM_Event->event_start_date.' '.$EM_Event->event_start_time);
        $EM_Event->end = strtotime($EM_Event->event_end_date.' '.$EM_Event->event_end_time);
        $EM_Event->event_rsvp = false;
        $EM_Event->event_rsvp_time = $start_time;
        $EM_Event->location_id = $location_id;
        $EM_Event->event_status = 1;
        $EM_Event->save();

        return $EM_Event->post_id;
    }

    private function log($msg) {
        file_put_contents(self::LOG_FILE, date('[Y-m-d H:i:s] ') . $msg . "\n", FILE_APPEND);
    }
}

new TEC_To_EM_Migration();

Drupal 8 / 9 / 10 : Programmatically render a view with contextual and exposed filters input

Mathieu — Sun, 10 Mar 2024 19:45:00 +0100

Exposed Input and Contextual Input are two different ways of providing input to Drupal Views.

Contextual filters work with an ordered list of parameters, while Exposed Input works with a form that has a couple name/value for every input parameter.

Contextual Filters

The right way to render a view result with contextual filters is to generate a render array:

$render_array = [
  '#type' => 'view',
  '#name' => 'YOUR_VIEW_NAME',
  '#display_id' => 'YOUR_VIEW_DISPLAY',
  '#arguments' => [CONTEXTUAL_FILTER_1, CONTEXTUAL_FILTER_2, ...],
];

You can then send the render array to a Twig variable, or render it programatically:

$result = \Drupal::service('renderer')->render($render_array);
return $result->__toString();

We are using the __toString() function to get the rendered HTML because the result returned by Drupal Render service is an object containing cache metadata.

Exposed Filters

The right way to render a view result with exposed filters is to generate a render array, and set the '#view#' parameter with a view object where you can initialize the filters:

$view = \Drupal\views\Views::getView('YOUR_VIEW_NAME');
$view->setExposedInput([
    'YOUR_FILTER_NAME' => 'YOUR_FILTER_VALUE',
]);
$render_array = [
  '#type' => 'view',
  '#name' => 'YOUR_VIEW_NAME',
  '#view' => $view,
  '#display_id' => 'YOUR_VIEW_DISPLAY',
  '#arguments' => [CONTEXTUAL_FILTER_1, CONTEXTUAL_FILTER_2, ...],
];

You can then send the render array to a Twig variable, or render it programatically:

$result = \Drupal::service('renderer')->render($render_array);
return $result->__toString();

We are using the __toString() function to get the rendered HTML because the result returned by Drupal Render service is an object containing cache metadata.

Leaked Metadata and Early Rendering

If you render a view while rendering a controller output that is suppose to provide its own cache metadata (CacheableJsonResponse for instance), and run on the error:

LogicException: The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early.

Just wrap the rendering in a render context:

$context = new Drupal\Core\Render\RenderContext\RenderContext();
$html = \Drupal::service('renderer')->executeInRenderContext($context, function () {
  $render_array = [
    '#type' => 'view',
    '#name' => 'YOUR_VIEW_NAME',
    '#display_id' => 'YOUR_VIEW_DISPLAY',
    '#arguments' => [CONTEXTUAL_FILTER_1, CONTEXTUAL_FILTER_2, ...],
  ];
  $result = \Drupal::service('renderer')->render($render_array);
  return $result->__toString();
});

Sources

Configurer Visual Studio Code pour utiliser xdebug avec PHP FPM et SSHFS

Mathieu — Fri, 28 May 2021 14:46:00 +0200

Bonjour,

Une note à moi-même et à mes stagiaires pour utiliser xdebug avec un point de montage SSHFS, et PHP FPM.

S'assurer que PHP est bien installé sur la machine du développeur, c'est nécessaire pour la coloration syntaxique et la vérification de syntaxe.
Installer PHP xdebug sur la machine distante
Configurer xdebug pour PHP FPM sur la machine distante. Attention, cela change selon la version de xdebug.
1. Modifier le fichier de configuration FPM pour xdebug, par exemple pour Debian c'est /etc/php/7.3/fpm/conf.d/20-xdebug.ini
2. Y placer les instructions suivantes :
  Pour xdebug v3 :
```
[xdebug]
zend_extension="xdebug.so"
xdebug.mode=debug
xdebug.start_with_request = yes
xdebug.client_host=127.0.0.1
xdebug.client_port="9003"
```
  Pour xdebug v2 :
```
[xdebug]
zend_extension="xdebug.so"
xdebug.remote_enable=1
xdebug.remote_autostart=1
xdebug.remote_host=127.0.0.1
xdebug.remote_port="9003"
```
3. Redémarrer PHP FPM.
Sur la machine du développeur, installer le module PHP xdebug pour Visual Studio : https://marketplace.visualstudio.com/items?itemName=felixfbecker.php-debug
Connecter en SSHFS le dossier distant (la machine qui exécute PHP) sur la machine (locale) du développeur : sshfs login@distant:dossier_distant dossier_local
Connecter un tunnel SSH pour forward le port xdebug vers la machine locale : ssh -R 9003:localhost:9003 login@distant
Ouvrir dans Visual Studio le dossier monté avec SSHFS
Ouvrir un fichier, puis le debugger dans les onglets à gauche

Cliquer sur "create a json launch file", et vérifier le port de xdebug pour pointer sur le bon port. Ajouter le pathMapping pour mettre en correspondance le chemin local (ouvert dans Visual Studio Code) et le chemin distant (monté en SSHFS) :

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Listen for Xdebug",
            "type": "php",
            "request": "launch",
            "port": 9003,
            "pathMappings": {
                "dossier_distant": "${workspaceFolder}/"
            }
        },
        {
            "name": "Launch currently open script",
            "type": "php",
            "request": "launch",
            "program": "${file}",
            "cwd": "${fileDirname}",
            "port": 9003,
            "pathMappings": {
                "chemin_distant": "${workspaceFolder}/"
            }
        }
    ]
}

Redémarrer Visual Studio par sécurité.
Lancer l'écoute via le debugger, ajouter les breakpoints dans Visual Studio, puis charger la page du site distant via le navigateur. Visual Studio devrait stopper l'exécution au niveau des breakpoints, pour permettre l'affichage de la pile, et le lancement des commandes.

Sources

Configure a 3CX extension with Big Blue Button conferencing bridge (Freeswitch)

Mathieu — Fri, 23 Oct 2020 16:43:00 +0200

Just a quick note for reference.

I managed to successfully configure the phone bridge with FreePBX as a SIP provider for Big Blue Button using this documentation : https://docs.bigbluebutton.org/2.2/customize.html#add-a-phone-number-to-the-conference-bridge . My trunk is connectd to the SIP server running FreePBX and Big Blue Button is registering as a phone extension to receive phone calls and route them to the conference room.

But using a similar architecture with 3CX instead of FreePBX as a provider was failing. Actually, you have to add the AuthID as "auth-username" attribute (see https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Gateway+Authentication+Params )

In Big Blue Button, the profile file would looks like :

<include>
  <gateway name="ANY-NAME-FOR-YOUR-PROVIDER">
    <param name="proxy" value="sip.example.net"/>
    <param name="username" value="EXTENSION NUMBER (for instance 100)"/>
    <param name="auth-username" value="THE AUTHID"/>
    <param name="password" value="PASSWORD"/>
    <param name="extension" value="CALLED-NUMBER"/>
    <param name="register" value="true"/>
    <param name="context" value="public"/>
  </gateway>
</include>

I hope it will help someone stuck with the official documentation.

Redémarrer une machine lorsqu'un programme l'étouffe inopinément (Debian 10)

Mathieu — Wed, 14 Oct 2020 12:40:00 +0200

Admettons que vous ayez une machine avec un programme bugué. Typiquement, un logiciel métier avec une fuite de mémoire, qui va pour une raison inconnue saturer la mémoire vive et provoquer son propre crash ou le crash des autres services sur la machine.

Vous pourriez lui mettre une limite de mémoire via /etc/security/limits.conf mais ça ne fera que planter le programme (segmentation fault) pour protéger les autres, et dans le cas d'un logiciel métier cela veut dire prendre ensuite d'autres actions, manuelles ou automatiques, via un système de monitoring approprié.

C'est vrai, le monitoring est la bonne solution quand on suit un logiciel aussi critique qu'un logiciel métier, mais dans le cas d'un logiciel qui doit "juste tourner", d'une équipe de maintenance réduite ou n'ayant pas la possibilité d'astreintes, une solution simple pour s'assurer que la machine tourne même en cas d'incident, c'est de redémarrer la machine lors d'un incident. Pour cela, on peut utiliser le programme watchdog.

Cela doit être fait avec motivations et circonspection, une analyse "post-mortem" doit suivre chaque reboot, dans le cas d'une tentative d'élévation de privilèges par Buffer Overflow, rien ne dit que l'attaque n'a pas réussie même si le système a redémarré.

Watchdog : Configuration

Watchdog s'installe via les paquets :

apt install watchdog

Il y a ensuite deux choses à configurer : les règles pour déclencher le reboot, et le mode de chargement du programme ("no actions" ou actif).

Dans mon cas, je voulais redémarrer si le serveur avait moins de 20% de RAM disponible, ce serveur tourne en permanence à 50% de consommation de RAM et n'est jamais sensé dépasser, ou alors c'est signe d'un problème, d'où le reboot à déclencher.

La configuration de watchdog se trouve dans /etc/watchdog.conf et fournit deux valeurs à régler : min-memory et allocatable-memory . Attention, ces valeurs sont à renseigner en taille de page RAM.

Pour identifier la taille des pages sur le système, utilisez la commande :

getconf PAGESIZE

Ensuite, un simple calcul permet d'identifier la valeur à mettre dans min-memory et allocatable-memory. Par exemple, pour un PAGESIZE de 4096 (4 kB), 2 GB (2048 MB) de RAM et 20% de ce total :

( 20 % * 2048 * 1000 ) / 4096

Une fois min-memory et allocatable-memory configurés, il convient de tester le trigger avant de le démarrer;

Les options de lancement se trouvent dans /etc/default/watchdog . Modifier watchdog_options pour y renseigner :

watchdog_options="-v --no-action"

Désactivez Watchdog du démarrage automatique, puis démarrez-le :

systemctl disable watchdog
service watchdog start

Vous en verrez la trace dans les logs via service watchdog status ou journalctl -f .

Watchdog : Activation

Si les essais sont concluants, retournez dans /etc/default/watchdog pour activer le module noyau. Cela évitera que Watchdog se fasse tuer par un processus quelconque (oom-killer par exemple) :

watchdog_module="softdog"

Si vous ne voulez laisser aucune chance pour éviter le reboot (par exemple si oom-killer a réussi à baisser la consommation de ram sous le seuil acceptable et que le reboot n'est plus nécessaire), rajoutez nowayout :

watchdog_module="softdog nowayout"

Attention, une fois chargé en nowayout, le module noyau restera actif même si watchdog est stoppé (légitimement ou non), le seul moyen de le retirer est de retirer softdog des modules noyau (via rmmod), ou de rebooter.

Activez ensuite watchdog :

systemctl enable watchdog
service watchdog start

watchdog doit être visible dans les modules noyau chargés :

lsmod | grep softdog

Sources

Maman, j'ai patché Debian

Mathieu — Thu, 19 Mar 2020 15:33:00 +0100

Un billet en forme de note à moi-même sur ce qu'il faut faire pour correctement :

Récupérer un package depuis upstream
Appliquer un ou plusieurs patches
Le signer et le re-déployer en production

Préparer l'environnement

Pour compiler et signer un paquet simplement il vous faut :

Un utilisateur (non root)
Une clé GPG
Les build-essentials et les devscripts (parce qu'on est feignasse)

Créez un utilisateur non-root et loguez-vous avec. N'utilisez pas "su" à partir de root, parce que sinon GPG ne pourra pas vous demander la phrase de passe (des histoires de droits sur les TTY).

Créez une clé GPG, et paramétrez-la :

gpg --full-generate-key

Récupérez l'identifiant de clé à la fin de la procédure, ou avec gpg --list-keys si vous l'avez loupé.

Modifiez ou créez le fichier ~/.devscripts et ajoutez :

DEBUILD_SET_ENVVAR_DEBSIGN_KEYID=xxxxxxxx

Avec le xxxxxx qui correspond à votre identifiant de clé.

Récupérer le paquet et les dépendances de compilation

Le plus simple c'est quand le paquet existe déjà et qu'il faut simplement patcher. S'il n'existe aucun paquet, il faut créer un nouveau paquet, éventuellement debianizer la configuration, et c'est une autre paire de manches (et c'est pas le sujet ici).

Pour récupérer le paquet upstream :

apt-get source nomdupaquet

Si le paquet est introuvable, ajoutez les dépôts src à votre sources.list :

deb-src http://deb.debian.org/debian/ buster main contrib
deb-src http://security.debian.org/debian-security buster/updates main contrib
deb-src http://deb.debian.org/debian/ buster-updates main contrib

Il faut ensuite récupérer les paquets nécessaires à la compilation. Coup de bol, si vous avez pu avoir le paquet source à l'étape précédente, c'est facile :

apt-get build-dep nomdupaquet

Patcher le paquet

Le format dpatch est obsolète, en principe votre package utilise quilt comme tout paquet récent. Il suffit de télécharger le patch depuis git et le placer dans le dossier debian/patches.

Ensuite, ajoutez le nom du fichier que vous avez ajouté au fichier debian/patches/series . Attention, l'ordre dans series est important.

Déclarer les changements

Ce n'est pas nécessaire la première fois, mais si vous re-compilez un paquet, il faut ajouter un commentaire dans le Changelog. Le plus simple : utilisez la commande dch -i et modifiez la ligne de changelog, en changeant bien la version du paquet pour qu'elle soit consécutive à la précédente.

Compiler le paquet

Rendez-vous dans le dossier du paquet, et lancez la commande debuild . C'est tout. Rentrez votre phrase de passe pour la clé à la fin de la procédure.

Déployer en production

Pour déployer un paquet, deux solutions :

Envoyer le paquet puis l'installer avec dpkg -i lefichier.deb ou un outil d'orchestration
Installer un DPA (Debian Private Repository) et l'ajouter au sources.list

L'installation du serveur DPA fera l'objet d'un autre billet (un jour).

Sources

Wordpress : la revanche du reverse proxy

Mathieu — Thu, 23 Jan 2020 23:30:00 +0100

Quand un reverse proxy est mal configuré,

Il n'a pas les bonnes variables d'environnement,

Wordpress se croit toujours en HTTP,

Et fait une boucle de redirection en HTTPS.

Heureusement, il y a une autre solution,

Ouvrez wp-config.php, et ajoutez (au bon endroit) :

/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

Source.

La délégation NS d'un sous-domaine, cet illustre inconnu

Mathieu — Tue, 05 Mar 2019 09:15:00 +0100

Un billet un peu technique aujourd'hui. Si vous travaillez dans le Web, vous n'êtes pas sans savoir que c'est le mécanisme des DNS qui fait en sorte que vos noms de domaine soient résolus en adresses vers votre hébergement.

Vous savez aussi peut-être ce qu'est une zone DNS. Une zone DNS est un bête fichier présent sur le serveur DNS, et qui contient l'ensemble des enregistrements du domaine¹.

Vous savez aussi certainement ce qu'est un sous-domaine, par exemple pour le domaine example.com, des sous-domaines seraient :

www.example.com
test.example.com
sousdomaine.example.com

Parfois, pour séparer les services, on souhaite aller encore plus loin et dédier un sous-domaine entier à une tâche, par exemple on souhaite faire en sorte que compta.example.com soit totalement indépendant, c'est à dire :

Qu'on puisse recevoir sur l'email facturation@compta.example.com ,
Qu'on puisse avoir des mini-sites dédiés sous ce sous-domaine, comme urssaf.compta.example.com ou creances.compta.example.com
Que le sous-domaine puisse servir tout autre usage tel que permis par les DNS (enregistrements SRV, etc)

Bien sûr, ces usages sont possibles à partir de la zone DNS du domaine parent, mais à mesure que le sous-domaine grandit en indépendance (et donc en nombre d'enregistrements), il peut être nécessaire de poser les bases d'une délégation plus avancée, pour éviter de maintenir une zone avec tous les enregistrements. On peut aussi vouloir déléguer à un prestataire la gestion de ce sous-domaine.

Pour ce qui est des mini-sites, il est relativement simple de déclarer un wildcard pour rediriger tous les enregistrements d'un sous-domaine vers un même serveur. Mais lorsqu'on veut plus de souplesse, ou que l'on veut aussi déléguer tous les enregistrements de ce sous-domaine, un wildcard est trop "brutal" et pas toujours supporté par toutes les spécifications, il faut alors déléguer la zone via une délégation NS.

En deux images

Requête DNS classique : le serveur répond au client avec un enregistrement A

Requête DNS déléguée : le serveur répond d'aller interroger un autre serveur,
le client transmet la requête à l'autre serveur et obtient l'enregistrement A.

En exemple

Prenons un exemple de la vie réelle. Sortez votre commande dig, et examinez le domaine pingveno.net :

dig +trace pingveno.net @8.8.8.8

pingveno.net.        172800    IN    NS    ns-197-a.gandi.net.
pingveno.net.        172800    IN    NS    ns-150-b.gandi.net.
pingveno.net.        172800    IN    NS    ns-153-c.gandi.net.
;; Received 733 bytes from 192.52.178.30#53(k.gtld-servers.net) in 46 ms

pingveno.net.        3600    IN    A    xx.xx.xx.xx
;; Received 57 bytes from 217.70.187.154#53(ns-153-c.gandi.net) in 45 ms

Dans l'exemple ci-dessus, j'ai retiré les appels du root server car ils ne sont pas pertinents pour notre exemple. On constate que la requête est transmise aux serveurs de Gandi, qui répondent directement avec l'enregistrement A du domaine.

Nouvel exemple, avec le sous-domaine uname.pingveno.net :

dig +trace pingveno.net @8.8.8.8

pingveno.net.        172800    IN    NS    ns-197-a.gandi.net.
pingveno.net.        172800    IN    NS    ns-150-b.gandi.net.
pingveno.net.        172800    IN    NS    ns-153-c.gandi.net.
;; Received 737 bytes from 2001:501:b1f9::30#53(m.gtld-servers.net) in 114 ms

pingveno.net.        3600    IN    A    xx.xx.xx.xx
www.pingveno.net.    10800    IN    CNAME    pingveno.net.
;; Received 75 bytes from 217.70.187.154#53(ns-153-c.gandi.net) in 44 ms

Cette fois le serveur répond avec un CNAME vers pingveno.net, c'est la méthode "pas chère" de déléguer le sous-domaine à un autre enregistrement. Ce n'est pas un wildcard, puisque l'enregistrement est seul, mais le résultat aurait été le même avec un wildcard.

Enfin, essayons avec ishimaru.pingveno.net :

dig +trace ishimaru.pingveno.net @8.8.8.8

pingveno.net.        172800    IN    NS    ns-197-a.gandi.net.
pingveno.net.        172800    IN    NS    ns-150-b.gandi.net.
pingveno.net.        172800    IN    NS    ns-153-c.gandi.net.
;; Received 742 bytes from 192.41.162.30#53(l.gtld-servers.net) in 45 ms

ishimaru.pingveno.net.    10800    IN    NS    a.ns.wellhosted.ch.
ishimaru.pingveno.net.    10800    IN    NS    b.ns.wellhosted.ch.
;; Received 98 bytes from 213.167.230.151#53(ns-150-b.gandi.net) in 44 ms

ishimaru.pingveno.net.    60    IN    A    xx.xx.xx.xx
ishimaru.pingveno.net.    3600    IN    NS    b.ns.wellhosted.ch.
ishimaru.pingveno.net.    3600    IN    NS    a.ns.wellhosted.ch.
;; Received 130 bytes from 2a03:2040:d:121::1#53(a.ns.wellhosted.ch) in 49 ms

Cette fois, le serveur a répondu en deux temps : il a indiqué un enregistrement NS sur le sous-domaine, puis le client (ici la commande dig) a continué la requête vers les serveurs indiqués dans l'enregistrement NS pour retourner finalement l'adresse IP.

C'est une délégation NS. Cela signifie que tout le sous-domaine (la zone complète) de ishimaru.pingveno.net n'est pas gérée par gandi.net, mais par a.ns.wellhosted.ch . De cette manière, le sous-domaine est totalement indépendant, et peut être utilisé pour tous les usages d'un domaine de niveau supérieur.

Conclusion

C'est tout, ce court article sert juste à démystifier l'enregistrement NS, qui est très peu souvent utilisé, d'une part par la méconnaissance de la plupart des "webdesigners" se contentant de pointer des sous-domaines en A ou en AAAA, et ensuite parce qu'il faut pouvoir déléguer à un serveur DNS, tous les prestataires ne sont pas équipés pour accueillir un domaine de cette façon.

Notes

¹ : L'ensemble, ou presque, le serveur DNS ne portant que la zone sur laquelle il a autorité, tout le travail du client DNS consiste justement à interroger les serveurs DNS en cascade, pour arriver à l'enregistrement qui fait autorité. Pas d'exposé là dessus aujourd'hui, mais vous pouvez lire la doc.

Utiliser l'Object Storage d'OVH (Openstack Swift) avec Updraft Plus

Mathieu — Tue, 26 Feb 2019 17:48:00 +0100

J'ai expérimenté cette semaine l'Object Storage d'OVH avec le module de sauvegarde de Wordpress UpdraftPlus, et le moins que l'on puisse dire c'est qu'on n'est pas aidé : pas de documentation de A à Z, les noms de configuration qui souffrent à la traduction, bref.

Voilà comment faire, simplement et du premier coup.

Créer un Projet dans le manager OVH

Aller sur le manager OVH, choisir "Cloud" en haut, accepter les contrats, et créer un projet :

Dans l'onglet "Stockage", cliquer sur "Créer un conteneur" :

Choisir la zone et le stockage, donner un nom au conteneur.

Attention, le stockage à froid à bas prix, bien que plus économique sur le prix du stockage, facture les données en entrée, contrairement au conteneur "privé".

Aller ensuite dans l'onglet "Gestion technique", puis "Openstack Users" et choisir "Ajouter un utilisateur" :

En face du nom d'utilisateur, ouvrez le menu secondaire, puis choisissez "Ouvrir Openstack Horizon" pour tester les identifiants :

Téléchargez ensuite le fichier de configuration OpenStack et ouvrez-le avec un éditeur de texte.

Vous êtes prêt à configurer UpdraftPlus. Ouvrez les paramètres d'UpdraftPlus et choisissez "OpenStack (Swift)" :

Dans "URI d’authentification", renseignez le contenu de OS_AUTH_URL : https://auth.cloud.ovh.net/v2.0/

Dans "Projet", renseignez le contenu de OS_TENANT_NAME

Dans "Région", renseignez la région que vous aviez choisi (SBG5, GRA, etc)

Dans "Identifiant", renseignez l'identifiant que vous avez créé dans le manager (attention aux espaces en faisant copier-coller)

Dans "Mot de passe", renseignez le mot de passe de l'identifiant que vous avez créé dans le manager (attention aux espaces en faisant copier-coller)

Dans "Contenant", renseignez le nom de votre containeur (dans l'exemple, mon_containeur).

Testez la connexion, si ça marche, la sauvegarde vers Openstack est configurée.

Je suis hype, j'ai un Tipeee

Mathieu — Fri, 03 Nov 2017 13:01:00 +0100

Voilà, c'est fait.

Presque deux ans après avoir retiré Flattr et ses bénéfices mirobolants, profitant d'un rhume qui verrouille mon cerveau en mode "lecture seule" depuis deux jours, j'ai fini par me laisser convaincre à créer un Tipeee.

Vous trouverez donc sous chaque article un petit rappel que oui c'est possible de donner un euro pour remercier le type qui vous a fait gagner 20 minutes, qui vous a fait sourire, ou que vous trouvez simplement sympathique.

À très bientôt sur le blog

Setup Letsencrypt certificates on Gitlab and Mattermost

Mathieu — Thu, 19 Oct 2017 13:01:00 +0200

The new versions of Gitlab are embedding the Mattermost server. Here is how to setup the certificates for these instances.

1. Install certbot

Read the docs here (choose Nginx on the appropriate system) : certbot.eff.org

2. Make a webroot

mkdir -p /var/www/letsencrypt/.well-known

3. Configure Gitlab and Mattermost to answer /.well-known to this webroot

Edit /etc/gitlab/gitlab.rb and add :

nginx['custom_gitlab_server_config']="location ^~ /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"

And reconfigure Gitlab :

gitlab-ctl reconfigure

4. Create the certificates

Run the certbot command :

certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d gitlab.your-domain.com
certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d mattermost.your-domain.com

5. Tell Gitlab to use the certificates

Edit /etc/gitlab/gitlab.rb again, and add :

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.your-domain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.your-domain.com/privkey.pem"

mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.your-domain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.your-domain.com/privkey.pem"

6. Done

Reconfigure Gitlab again :

gitlab-ctl reconfigure

Elasticsearch, Kibana : mapper [hits] cannot be changed from type [long] to [integer]

Mathieu — Tue, 10 Oct 2017 23:34:00 +0200

Every time I upgrade my ELK stack, it breaks. This time, it was the Kibana index with this obscurous errors :

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [hits] cannot be changed from type [long] to [integer][DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction]

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [version] cannot be changed from type [long] to [integer]

Here is how to fix it. You will have to re-create an index with the correct mapping, and then reindex it.

First, export your Kibana index mapping and settings :

curl localhost:9200/.kibana/_settings?pretty
curl localhost:9200/.kibana/_mapping?pretty

Then, Create and index template with your settings and mapping (don't forget to change the type of the offending fields) :

curl -XPUT "http://localhost:9200/_template/kibana" -H 'Content-Type: application/json' -d'
{
    "template":".kibana-5.6",
    "settings":{
        "number_of_shards":1
    },
    "mappings":{
        "dashboard":{
            "properties":{
                "description":{
                    "type":"string"
                },
                "hits":{
                    "type":"integer"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "optionsJSON":{
                    "type":"string"
                },
                "panelsJSON":{
                    "type":"string"
                },
                "timeFrom":{
                    "type":"string"
                },
                "timeRestore":{
                    "type":"boolean"
                },
                "timeTo":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "uiStateJSON":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                }
            }
        },
        "_default_":{
            "dynamic":"strict"
        },
        "url":{
            "dynamic":"strict",
            "properties":{
                "accessCount":{
                    "type":"long"
                },
                "accessDate":{
                    "type":"date",
                    "format":"strict_date_optional_time||epoch_millis"
                },
                "createDate":{
                    "type":"date",
                    "format":"strict_date_optional_time||epoch_millis"
                },
                "url":{
                    "type":"string",
                    "fields":{
                        "keyword":{
                            "type":"string",
                            "index":"not_analyzed",
                            "ignore_above":2048
                        }
                    },
                    "fielddata":false
                }
            }
        },
        "search":{
            "properties":{
                "columns":{
                    "type":"string"
                },
                "description":{
                    "type":"string"
                },
                "hits":{
                    "type":"integer"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "sort":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                }
            }
        },
        "index-pattern":{
            "properties":{
                "fieldFormatMap":{
                    "type":"string"
                },
                "fields":{
                    "type":"string"
                },
                "timeFieldName":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                }
            }
        },
        "server":{
            "dynamic":"strict",
            "properties":{
                "uuid":{
                    "type":"string",
                    "index":"not_analyzed"
                }
            }
        },
        "config":{
            "properties":{
                "buildNum":{
                    "type":"string",
                    "index":"not_analyzed"
                },
                "defaultIndex":{
                    "type":"string"
                },
                "discover:aggs:terms:size":{
                    "type":"long"
                }
            }
        },
        "visualization":{
            "properties":{
                "description":{
                    "type":"string"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "savedSearchId":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "uiStateJSON":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                },
                "visState":{
                    "type":"string"
                }
            }
        }
    }
}
'

Then, reindex (copy) the values of your old kibana index to the new one :

curl -XPOST "http://localhost:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source": {
    "index": ".kibana"
  },
  "dest": {
    "index": ".kibana-5.6"
  }
}'

And finally, change your kibana index in /etc/kibana/kibana.yml :

kibana.index: ".kibana-5.6"

Sources

The war on SPAM: an review of the real world tools

Mathieu — Tue, 12 Sep 2017 02:54:00 +0200

Anti-spam techniques review: a few hints and tools review from my own experience.

Spam mesage are very common these days, but filtering them out is not as easy as it seems. The filtering techniques have evolved at the same rate than the spammers' evasive techniques, and the risk of filtering out a legitimate message is greater than ever.

It is also quite difficult to find good and up-to-date counter-measures list that anyone can implement.

Here is a summary of the anti-spam strategies I used / am still using. I hope it will help you understanding today's threats, and build your own solutions.

Definitions

MTA : Mail Transport Agent : this is the software that will actually do mail delivery. It is listening on port 25 and answers to SMTP commands. Some common MTAs : Postfix, Exim. More about MTA.
MX : MX records are DNS entries that are identifying the server responsible for mail delivery for the domain. More about MX records.
RBL : Realtime Blackhole List : a list of blacklisted IPs, that should be considered as spam sources. It is called Realtime because they are constantly updated. More about RBL.
RFC : Request For Comments, these are proposal for norms, some of them become norms. More about RFC.
IPS : Intrusion Protection System : these are "smart firewalls" that are blocking malicious requests, often based on behavioral rules. More about IPS.

The goals

My personal goals on SPAM war are pretty short:

Minimum false positive: having a spam is better than missing an important mail, try keeping the "permanent bashing" as low as possible
Hit harder on reoffending: coming-back spammers should be slapped harder
Internet neutrality: try not to encourage big mail farm, and let fair little providers doing their business

Available techniques

Blacklist / Blackhole Lists

Blacklists, Blackhole Lists (or RBLs) are the most ancient and most common measures for reducing spam. They are still pretty accurate, but:

It depends A LOT on the quality of the list, trashy lists are very common and they would end up sucking resources for no result, or worse, blocking legitimate emails
They are only accurate when updated often. I mean, very often (the R in RBL).
You should not use it directly on the MTA, these lists are an aggressive artefact of the past, where spam did not come from mail farms.
Very few are implementing IPv6, I agree that IPv6 spam is quite anecdotal, but it will probably change pretty soon (believe me)

Greylist

Greylisting is issuing a temporary REJECT code to force the foreign server to keep the message and send it back later. It aims at increasing the "cost per mail" for spam farms, as they cannot "hit and run" as fast as before.

The main culprits are that some providers are not implementing it well (hello Facebook) and so it needs an educated whitelist to work properly.

Some spammers are also re-sending the same mail several times in case of failure, looking like a legitimate mail server, and making Greylisting inefficient.

It is also hurting the fastness of the mail transmission, as the retry may occur several tens minutes after, slowing the mail delivery with little control on delays.

Also, some legitimate mail farms (hello OVH) are distributing their retry on several servers, making Greylisting inapplicable without fully whitelisting them.

RFC compliance

Spammers are often running special softwares for their crafted emails, tightening RFC compliance may be a good way to kick them out.

It can be as simple as forcing an HELO on SMTP protocol, or more tricky like checking the mail headers or enforcing a valid reverse.

In the majority of cases, it is very efficient, but:

Some home-made servers, especially Synology or Windows servers may be blocked while they are sending legitimate email. These servers are often ran by people who doesn't know or care on how to correctly setup a mail server. These buggy setups are more common than you think, and they are often legitimate senders, who have no clue of what is wrong, and are not willing to fix it (did I mentioned banking companies?).
In the vast majority of cases, IPv6-ready servers have no reverse on their IPv6 addresses and/or the IPv6 reverse is wrong.

SPF and DKIM

SPF and DKIM are anti-spoofing techniques. They does not guarantee that a mail is legitimate, but if the controls are showing an anomaly, it is very likely to be spam (or worse : scam or social engineering tentative).

The SPF technique is based on IP or sending domain whitelist: the sending email domain publishes a list of servers allowed to send email, along with a hint on what is expected if it does not pass (soft or hard reject).
DKIM is much more complex as the sending mail server has to cryptographically sign every message with a domain-specific key, which is then published in a special domain record.

SPF has been proven efficient at its beginnings, but today many spammers are just using stolen email accounts or custom domains that does not publish any SPF records, making it less pertinent.

DKIM is, like SPF, an anti spoofing technique, and spammers may be likely to sign mails from their custom domain if it becomes a necessity. Like SPF, a signed mail is not necessarily a clean mail. By the way, signature problems are pretty comon, and trashing an offending DKIM may not be the right behavior: Yahoo broke a lot of mailing lists when they enforced their DMARC policy.

To conclude, DKIM is relevant if you need to certify outgoing mails or if you are enforcing policies inside your company (to block spoofed email targeting your organisation) but it is definitely not an efficient anti-spam measure. And the recipient's servers may decide to simply ignore your painfully-configured DKIM headers.

Bayesian filters

Bayesian filters are frequency-based spam detection mechanisms. The idea is to sort out ham and spam for a short period of time, to let it "learn" what spam is made of, for efficient content-based detection. It has the benefit of being organisation-specific, as what is ham and what is spam may vary from one company to another (a company selling drugs may not be willing to filter out every message containing the word "pill").

But the learning process has to be taken seriously, and many end-users are just deleting spam instead of marking it for feeding the learning. By the way, the learning process needs IMAP folders to sort mails, and it will not work properly if all users are using POP mailboxes.

Spammers techniques

Or "the today's weapons of this war" .

Here is a short review of the spammers techniques I know, and some counter measures.

Address guessing

Some spammers are taking random web domains from their crawling, and then try to send their mails to commonly used addresses patterns. It can be webmaster@ ; ceo@ or whatever. These are easy to spot in log files, and a well configured MTA can take counter measures to lock out these guesses. Free (French ISP) is actually implementing this: postmaster.free.fr/index_en.html

Unfortunately, some legitimate email are sometimes sent to non existent addresses (typo, user deleted, etc) and legitimate MTA sometimes get blocked if the ban trigger is too low.

Moreover, nowadays' spammers are distributing their guesses trough zombie machines to stay under triggers, making it hard to spot.

Botnets

A lot of spammers are using zombies machines to send a high amount of mail in a short amount of time. Commercial ISP are taking the problem seriously, and many are blocking or filtering port 25 on their dynamic ranges, making impossible to have a custom mail server at home, but also preventing infected machines from sending direct-to-SMTP queries.

Direct to SMTP connections, ignoring MXes

Some spammers are just scanning IP ranges and directly talking to MTA, even if these MTAs are internal and pointed by no MX records. You may think that an authoritarian firewall is the neat solution, but it may be worth collecting these feisty IPs and feed them to an IPS, to protect the network from their guesses on the real MTAs.

Fake bounces and backsquatting

Sometimes you get an Undelivered Message notice (DSN) for a mail you never sent. This is probably backsquatting.
Backsquatting is sending email to a buggy address with a valid "from" address. An incorrectly configured mailserver would reply straight away to the from address to notify the failed delivery, instead of rejecting the mail and letting the foreign server doing the dirty job.

These configuration errors are pretty common, sometimes in defaut configurations or example configurations, but they can be easily avoided (look for documentation about backsquatting for your MTA, and test if your y server is vulnerable).

Real life advices

I am sorry, I don't have the magic wand to stop all Spam. A good spam fighting solution is always a combination of techniques, SpamAssassin for instance uses scoring from RBL as well as a bayesian filter and SPF checks.

I think that constant monitoring is important. Not just automated monitoring, but also clever log reading and mind openness on what can be a better solution for each problem. You never know what can happen in a spammer mind, and what works today may not work tomorrow. The Internet of Things is already a game changer.

I also advise you to be careful. Some decisions on our implementations may really hurt the Internet. Locking whole countries out is not without consequences, and the rise of IPv6 Internet has to be take into consideration from now.

Things are often not that pretty in mail servers, the temptation is great for a default blocking policy (hello MailInBlack). But as sysadmins, it is our responsability to not abuse and not hurting the smallest actors in the market (mails not coming from big farms). That may be a big word, but in my opinion, the freedom of the Internet also count on our neutrality on mail processing.

Thanks for reading.

Mémo rsync pour mes collègues

Mathieu — Mon, 17 Jul 2017 15:01:00 +0200

Un rappel de l'usage pratique de rsync pour mes collègues qui oublient tout le temps les commandes à taper.

Format de base

rsync arguments source destination

Arguments courants

-r : récursif (copie les dossiers et leur contenu)
-a : récursif + conserve permissions et propriétaire (si root)
-u : ne pas changer les fichiers plus récents dans la destination
-v : verbeux (affiche les fichiers et dossiers affectés)
-z : compression du tunnel (pour une connexion fibrée vers des machines lowcost, on peut omettre le paramètre pour soulager le CPU)
--exclude : exclus certains chemins d'accès de la synchronisation. Attention, les chemins sont relatifs au chemin la source.
--dry-run : montre les opérations sans rien toucher
--delete : efface les dossiers supplémentaires de la destination

Format de "source" et "destination"

login@hôte:/chemin/dacces/

Attention avec l'utilisation du récursif (activé avec "-r" ou "-a"), le / à la fin du chemin de la source est important.

Exemples d'usages corrects

Usage	Source	Destination	Résultat	Remarques
Envoyer un fichier dans un dossier	/chemin/source/fichier	/chemin/destination/dossier/	/chemin/destination/dossier/fichier
Envoyer des fichiers dans un dossier	/chemin/source/*	/chemin/destination/dossier/	/chemin/destination/dossier/fichier1 /chemin/destination/dossier/fichier2 /chemin/destination/dossier/fichier3 ...
Envoyer un dossier dans un dossier	/chemin/source/dossier	/chemin/destination/	/chemin/destination/dossier	Ne pas confondre avec la ligne 5 !
Synchroniser deux fichiers	/chemin/source/fichier1	/chemin/destination/fichier2	/chemin/destination/fichier2
Synchroniser deux dossiers	/chemin/source/dossier1/	/chemin/destination/dossier2/	/chemin/destination/dossier2	Ne pas confondre avec la ligne 3 !

Exemples de mésusages

Mésusage

Source

Destination

Résultat

Remarques

Envoyer un dossier dans un dossier

/chemin/source/dossier/

/chemin/destination/

Va synchroniser les deux dossiers au lieu de placer dossier/ dans destination/

Si des fichiers ont le même nom, ils seront remplacés. Particulièrement dangereux aussi avec --delete

Exemples d'utilisations correctes

Usage	Commande	Résultat
Envoyer un fichier dans un dossier distant	rsync --dry-run -azv /source/fichier login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier
Envoyer des fichiers dans un dossier distant	rsync --dry-run -azv /source/* login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier1 /destination/dossier/fichier2 /destination/dossier/fichier3 ...
Envoyer des fichiers dans un dossier distant et efface les autres fichiers contenus dans le dossier de destination	rsync --dry-run --delete -azv /source/* login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier1 /destination/dossier/fichier2 /destination/dossier/fichier3 ...
Envoyer un dossier dans un dossier	rsync --dry-run -azv /source/dossier login@serveur:/destination/	Sur serveur : /destination/dossier
Synchroniser deux fichiers	rsync --dry-run -azv /source/fichier1 login@serveur:/source/fichier2	Sur serveur : /destination/fichier2
Synchroniser deux dossiers	rsync --dry-run -azv /source/dossier1/ login@serveur:/source/dossier2/	Sur serveur : /destination/dossier2
Synchroniser deux dossiers et efface les autres fichiers présents dans le dossier de destination	rsync --dry-run --delete -azv /source/dossier1/ login@serveur:/source/dossier2/	Sur serveur : /destination/dossier2

Configure Wordpress for Performance and Stability

Mathieu — Tue, 11 Jul 2017 10:05:00 +0200

Wordpress is a very common CMS nowadays, and works well out-of-the-box. But when it comes to Performance and Security, its default options are not hardening it enough.

This topic has been discussed a lot on Internet, but here are my tips, as a web developer and sysadmin.

Performance : the main culprits

On a public websites, the slowness can com from :

Network : your provider has as slow network, a huge traffic load, or the user simply has a bad connection
Database access : the provider's database may be under load, you query's sizes may be too important, or the access time between the script and the datbase is just "usually slow".
Disk access : the disk where is stored your files may be slow, or does not have proper in-ram caching
CPU : the CPU of the machine where you site is hosted may be slow, or you are on a low-cost VPS

There is no "miracle solution" for a badly designed website, but in the vast majority of cases, we could help a bit with simple solutions.

Security : the main threats

The main threat in a Wordpress installation is the updates execution. You should update your modules, themes, and core as soon as possible.

Custom and unmaintained modules and themes can also become a threat as they are not updated anymore, and can contain exploitable leaks.

There are several way to prevent your site from leaking too many informations on its "healthiness". It can give you some time to update your website before its exploitation by hackers.

Security : Disable XMLRPC

Unless you are absolutely sure that you are using it (in particular if you are using Jetpack), disable XMLRPC. XMLRPC is a sort of "remote control" for Wordpress and is widely used as an attack vector for Wordpress : bruteforce, denial of service, scans and other nasty things.

Save yourself from the unexpected, disable XMLRPC either with a module or web server rules.

Security : Enable Brute Force Protection

Brute force is a technique that aims at guessing the administrator password by testing common or stolen passwords. Even if they have little chance to succeeed, they are sucking CPU and network acess for your users.

Many modules are offering basic brute force protection, please check that your WAF (if you have one) does not provides one already.

Performance : Install a cache plugin

Caching is very important. It can save you hours of CPU and database access time, and is widely standardized. There are various techniques :

Static cache : the web page is stored "as the user sees it", and is served immediately without executing all the databases queries
In-RAM (object) cache : the PHP processor keeps in-memory objects, to load faster. Some assets like images or CSS files can also be cached in-memory by the web server.
Browser cache : expiry time can be set for static elements or pages, so that the browser does not query back the file when it is not needed.

All these techniqes are widely known and used in cache plugins. Please use (and configure) one of them.

Security : Install a WAF

A WAF (Web Application Firewall) is a sort of filter that will prevent your website from being attacked, scanned, or inflitrated by hackers. It is not an absolute protection, but it easily kicks out script kiddies that could scan your website, saving you resources for real users.

A WAF can be available from your hosting provider, in that case a simple button can enable it. Several modules are also available for Wordpress to do it.

Beware, these modules are often heavy as they filter every requests, use it combined with a properly configured cache system.

Performance : Watch database size and optimize

You probably does not need so many content revisions. The revisions are backups of your articles and pages, stored in the database. You can regularly delete older revisions.

Some modules can do it for you, for instance WP-Optimize. It is advised to do a backup before executing the purge.

It should not be a problem, but if your hosting provider does not optimize databases automatically, it can become one.

Performance : Use a CDN if possible

A CDN is a server designed to give you static content faster that the original site, by using well-located servers, and long retry-times.

You can have many benefits on using a CDN : caching, faster loading of assets, default compression and optimization, etc.

If you can afford and configure one, you can really see a performance improvement.

Performance : Tweak Apache settings

Some actions can be taken if you have access to Apache configuration :

Enable gzip compression : gzip compression can be enabled on top of Apache configuration, to compress assets and pages and improve the network overload.
Set high expiration duration : you can tell the user's browser to cache the content by setting Expiration headers in your htaccess.
Enable Google's mod_pagespeed : Google provides an auto-optimization module that can help if your theme is messy. Warning : you must have a good I/O rate in order to use this plugin, it makes many accesses to disks.

Cinq raisons qui prouvent que l'IA de Portal est la même que celle de WiiFit

Mathieu — Wed, 04 Jan 2017 08:30:00 +0100

On m'a fait jouer (de force) à Wii Fit il y a quelques jours, et cette fois c'est une certitude : l'IA qui ponctue l'avancée du joueur dans Portal est la même que celle du jeu Wii Fit. Voici pourquoi.

Nota Bene : cet article est le produit d'un Programme Expérimental d'Enrichissement du Blog par Recyclage d'Articles Restés en Brouillon (PEEBRARB).

1. La voix est la même

Source : http://thebaneofqueequeg.blogspot.fr/2012/04/top-10-game-bosses.html

Vous vous souvenez de cette voix métallique, féminine, qui tout en douceur vous assène vos quatre vérités avec une implacable assurance ?

C'est la voix de GladOS dans Portal, mais c'est aussi celle de la console WiiFit. La douce mélodie de la voix n'étant qu'un prétexte à vous pousser à faire ce qu'elle veut.

2. Elles font des commentaires désobligeants sur votre physique

Source : http://pressontogether.com/2012/07/10/training-tuesday-obese-no-more/

L'une comme l'autre a toujours son petit commentaire ou sa petite phrase pour vous rappeler qu'en fait, si vous jouez à ce jeu c'est que vous aimez vous faire insulter :

« Vous êtes déséquilibré ! » [WiiFit]
« Bientôt, vous serez si grosse que vous tomberez comme une pierre en sautant. Dans de l'acide. Comme une grosse patate dans une friteuse. » [GladOS]
« Ne bougez plus pendant la mesure. Voici les résultats : vous avez pris du poids ! » [WiiFit]
« Hmm. Cette Plaque ne doit pas être étalonnée pour quelqu'un de votre... adiposité. Je vais augmenter le poids maximum de quelques zéros. » [GladOS]

3. Elles vous font faire des "tests" et "exercices" qui vous semblent inutile

Oui, c'est comme ça qu'on fait !
Source : http://littlefatgirl.blogspot.fr/2011/01/my-morning-workout.html

Que ça soit la séance insoutenable d'abdos fessiers, les positions improbables de yoga ou les salles de test avec des tourelles et des lasers, les deux IA excellent dans l'art de vous confronter à des situations inconnues, voire dangereuses. Elles vous encouragent juste le nécessaire pour vous faire passer au test suivant, et les exercices recommencent avec de plus en plus de difficulté.

Pour ceux qui ont encore des doutes : est-ce que vous avez la possibilité de « terminer le jeu » en « battant le boss » avec WiiFit ? Non ? C'est bien la preuve que cette IA aussi est accro à l'initiative de test perpétuelle.

4. Elles essaient de vous tuer

« Bonjour. »
Source : https://www.youtube.com/watch?v=Tg67XggeraM

C'est peut-être pas évident pour la WiiFit, mais c'est justement le piège car cette IA est beaucoup plus subtile : vous avez survécue à trois heures d'abdos fessiers, deux heures de ski, et quatre heures de gymnastique rythmique ? Attendez, il y a encore plein d'autres exercices ! C'est bien la preuve que les deux IA partagent la même motivation.

« Le prochain test contient des tourelles. Vous vous en souvenez ? Les choses pâles et froides remplies de balles ? Ah non, ça c'est vous dans cinq secondes. Bonne chance. » [GladOS]

5. L'entraineuse WiiFit ressemble étrangement à Chell

Il y a vraiment une ressemblance, non ?

Source : https://www.flickr.com/photos/64097747@N05/5837262217

Source : http://www.ssbwiki.com/Wii_Fit_Trainer

Je n'explique pas cette singularité pour l'instant, mais les théories les plus sérieuses sont les bienvenues dans les commentaires ! Coincidences ? Je ne pense pas.

Sample public calendar for ownCloud using ICS parser

Mathieu — Sat, 30 Jul 2016 08:09:00 +0200

When ownCloud removed the ability to share a calendar publicly, I had no other choice than forcing my acquaintances to register to my ownCloud.

I didn't want that, so I implemented my own solution.

1. Abstract

My calendar works like this :

I write events in a particular calendar.

I share this calendar with a special ownCloud user, dedicated for this.

The script will login on the CalDAV API with the credential of the special user, and get the content of the shared calendar.

The script compile the events and compile a nice table, with the content of the calendar.

Please note that the events I write are special: I only use the title field to specify a "color" that will be displayed for the day. The colors are corresponding to my « level of availability » (to show my holidays dates, for instance)

2. Create the calendar and the user

In owncloud, create the second user. I called it public, for instance.

In ownCloud, create the shared calendar on your own account, and give public access to it. Do not tick write permissions.

Create a test event, and log out.

3. Download the library

I used this ICS parser to parse the CalDAV respponses. Download it on your web hosting to the direcory ics-parser/.

4. Install the script

Here is the script I use:

<?php
// Require ICS parser library
require_once('ics-parser/class.iCalReader.php');

// Use it to debug, the previously included parser disables the errors
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Simple caching system, feel free to change the delay
if (file_exists('calendar.cache.html')) {
    $last_update = filemtime('calendar.cache.html');
} else {
        $last_update = 0;
}
if ($last_update + 60*60 < time()) {

// Get events

$headers = array(
        'Content-Type: application/xml; charset=utf-8',
        'Depth: 1',
        'Prefer: return-minimal'
    );

// Setup the calendar URL and the credentials here
$calendar_url = 'https://example.com/remote.php/caldav/calendars/public/public_shared_by_YOU';
$calendar_user = 'public';
$calendar_password = 'public_password';

// Prepare request body
$doc  = new DOMDocument('1.0', 'utf-8');
$doc->formatOutput = true;

$query = $doc->createElement('c:calendar-query');
$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:c', 'urn:ietf:params:xml:ns:caldav');
$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:d', 'DAV:');

$prop = $doc->createElement('d:prop');
$prop->appendChild($doc->createElement('d:getetag'));
$prop->appendChild($doc->createElement('c:calendar-data'));
$query->appendChild($prop);

$prop = $doc->createElement('c:filter');
$filter = $doc->createElement('c:comp-filter');
$filter->setAttribute('name', 'VCALENDAR');
$prop->appendChild($filter);
$query->appendChild($prop);

$doc->appendChild($query);
$body = $doc->saveXML();

// Debugging purpose
//echo '<pre>' . htmlspecialchars($body) . '</pre>';

// Prepare cURL request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $calendar_url);
curl_setopt($ch, CURLOPT_USERPWD, $calendar_user . ':' . $calendar_password);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'REPORT');
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);

$response = curl_exec($ch);
if (curl_error($ch)) {
    //echo curl_error($ch);
    exit();
}
curl_close($ch);

// Debugging purpose
//echo '<pre>' . htmlspecialchars($response) . '</pre>';

// Get the useful part of the response
$xml = simplexml_load_string($response);
$data = $xml->xpath('//cal:calendar-data');

// Debugging purpose
//echo '<pre>' . htmlspecialchars($data[0]) . '</pre>';

// Parse events
$calendar_events = array();
foreach ($data as $vcalendars) {
    $ical = new ICal();
    $vcalendars = $vcalendars->__tostring();

    $lines = explode("\n", $vcalendars);
    $ical->initLines($lines);
    $events = $ical->events();

    foreach ($events as $event) {
        $start = $ical->iCalDateToUnixTimestamp($event['DTSTART']);
        $end = $ical->iCalDateToUnixTimestamp($event['DTEND']);
        $summary = $event['SUMMARY'];
        $calendar_events[] = array(
            'start' => $start,
            'end' => $end,
            'summary' => $summary,
        );
    }
}

// Function to sort the events by start date
function _sort_events($a, $b) {
    return ($a['start'] > $b['start']);
}

// Sort the events by start date
// By doing so, you can have overlapping events, the newest event will superseed the previous
usort($calendar_events, '_sort_events');

// Function to convert my "special titles" into hex colors
function color2hex($color) {
    $color = strtolower($color);

    switch($color) {
        case 'green':
        return '#00ff00';
        break;

        case 'orange':
        return '#ffaa00';
        break;

        case 'red':
        return '#ff0000':
        break;

        case 'black':
        return '#000000';
        break;

        case 'blue':
        return '#0000ff';
        break;
    }
}

// Bufferize output for caching system
ob_start();

// Get current date
$now = mktime(0,0,0);

// Initiate the color array
// Each day in our calendar table will have a color
// Each color is an hex color, corresponding tu the event title (see the switch-case block upper)
$day_color = array();

// Loop through ALL events (old events included)
foreach ($calendar_events as $event) {

    // Discard passed events
    if ($event['end'] < time()) {
        continue;
    }

    // Calculate the timestamp of the "start" date of the event
    $current_day = mktime(0,0,0, date('n', $event['start']), date('j', $event['start']), date('Y', $event['start']));
    $first_loop = true;
    // Loop to fill the color array from the event start date to the event end date
    for ($d = $current_day; ($first_loop || $d < $event['end']); $d+=(60*60*24)) {

        // Debugging purpose
        //var_dump(date('r', $current_day) . ' ' . date('r', $d) . ' ' . date('r', $event['start']) . ' ' . date('r', $event['end']));

        // Handle overlapping events: stack color at the beginning of the sub-array
        if (isset($day_color[$d]) && is_array($day_color[$d])) {
            array_unshift($day_color[$d], color2hex($event['summary']));
        } else {
            $day_color[$d][0] = color2hex($event['summary']);
        }

        $first_loop = false;
    }
}

// Debugging purpose
//var_dump($day_color);

// Output the final table
/ My week starts on Monday, but you can change it

$week_day = date('N', $now);

echo '<table class="forecast">';
echo '<tr><th></th><th>Mon</th><th>Tue</th><th>Wed</th><th>Thu</th><th>Fri</th><th>Sat</th><tH>Sun</th></tr>';

// Loop through the color array
for ($row = 0; $row < 10; $row++) {
    echo '<tr>';

    echo '<td class="week">' . (date('W', $now) + $row) . '</td>';
    for ($col = 0; $col < 7; $col++) {

        // Skip past days from the first week (leave it blank)
        if ($row == 0 && $col < $week_day-1) {
            echo '<td></td>';
            continue;
        }

        $current_day = $now + ($row)*(7*60*60*24) + ($col-($week_day-1))*(60*60*24);
        $current_day = mktime(0,0,0, date('n', $current_day), date('j', $current_day), date('Y', $current_day)); // Working around daylight saving time
        if (isset($day_color[$current_day]) && isset($day_color[$current_day][0])) {
            // We choose to get the first color of the array,
            //   but if you want to display overlapping events colors,
            //   you can use the other values of the array
            $color = $day_color[$current_day][0];
            echo '<td class="' . $color . '">';
        } else {
            echo '<td>';
        }
        // Debugging purpose
        //echo '<pre>' . $current_day . '</pre>';
        //echo date('r', $current_day);
        // Label the cell with the current day
        echo date('j', $current_day) . ' ' . date('M', $current_day) . ' ' . date('Y', $current_day);
        echo '</td>';
    }
    echo '</tr>';
}

echo '</table>';

$html = ob_get_clean();
ob_end_flush();

file_put_contents('calendar.cache.html', $html);

} else {
    $html = file_get_contents('calendar.cache.html');
}

echo $html;

Copy and paste it to an empty PHP file.

Please note that it has a small caching system (calendar.cache.html) to prevent fetching events every time someone loads the page. You can easily reduce the delay or deactivate this feature.

Refer to the comments to extend it.

Drupal 8 : create a custom Rule Action

Mathieu — Wed, 27 Jul 2016 10:56:00 +0200

Warning : the Rule plugin for Drupal 8 was not considered stable when I wrote this post.

1. Drupal 8: the new modules paradigm

Drupal 8 modules structure changed, and many modules are now using the new API.

No more plain old functions name like hook_something, no more obscurous PHP for menu entries. Instead, Object Oriented programming, YAML configuration files, magic comments, and Symfony routing.

Let's give it a try, let's make our first simplest module.

2. Base module configuration

If you already know how to do this, jumb to next section.

Create a directory for your module, for instance mymodule.

Create an info file in YAML format : mymodule/mymodule.info.yaml:

name: 'My Module'
type: module
core: 8.x
package: Custom

You don't need more! You don't need routing as you will plug into Rules.

3. File names and Namespaces

Create the RulesAction directory and its parents: mymodule/src/Plugin/RulesAction/

Create a PHP file for your class: MyAction.php. The class will be loaded with the autoload system.

Edit the file you just created, and specify the namespace at the beginning of the file:

/**
 * @file
 * Contains \Drupal\mymodule\Plugin\RulesAction\MyAction.
 */
namespace Drupal\mymodule\Plugin\RulesAction;
use Drupal\rules\Core\RulesActionBase;

The namespace must correspond to your module name and class name!

4. Rule Action specifications and parameters

Comments are very important as they are also specifications. You will define your Action id, description, and parameters. For instance, here is a copied sample from the predefined action DataSet:

/**
 * Provides a 'My action' action.
 *
 * @RulesAction(
 *   id = "rules_myaction",
 *   label = @Translation("Set a data value"),
 *   category = @Translation("Data"),
 *   context = {
 *     "data" = @ContextDefinition("any",
 *       label = @Translation("Data"),
 *       description = @Translation("Specifies the data to be modified using a data selector, e.g. 'node:author:name'."),
 *       allow_null = TRUE,
 *       assignment_restriction = "selector"
 *     ),
 *     "value" = @ContextDefinition("any",
 *       label = @Translation("Value"),
 *       description = @Translation("The new value to set for the specified data."),
 *       default_value = NULL,
 *       required = FALSE
 *     )
 *   }
 * )
 */

The Rule id is rules_myaction.

The category of the action in the dropdown menu is Data and it will be labeled Set a data value.

The current action will have two parameters : the data that will be changed, and the corresponding value.

5. Rule Action callback

Again, no more plain callback, the function doExecute will be called to execute your Action:

class MyAction extends RulesActionBase {

  /**
   * Executes the Plugin.
   *
   * @param mixed $data
   *   Original value of an element which is being updated.
   * @param mixed $value
   *   A new value which is being set to an element identified by data selector.
   */
  protected function doExecute($data, $value) {
    $typed_data = $this->getContext('data')->getContextData();
    $typed_data->setValue($value);
  }

  /**
   * {@inheritdoc}
   */
  public function autoSaveContext() {
    // Saving is done at the root of the typed data tree, for example on the
    // entity level.
    $typed_data = $this->getContext('data')->getContextData();
    $root = $typed_data->getRoot();
    $value = $root->getValue();
    // Only save things that are objects and have a save() method.
    if (is_object($value) && method_exists($value, 'save')) {
      return ['data'];
    }
    return [];
  }

}

The class name has to correspond to your file name.

In this sample, the parameter $value will be set to $data.

6. Troubleshooting

Uncaught PHP Exception Drupal\\Component\\Plugin\\Exception\\PluginException: "Plugin (rules_myaction) instance class "Drupal\\tbh_system\\Plugin\\RulesAction\\MyAction" does not exist."

Your namespace/classname/filename/directoryname is probably wrong.

Source

Drupal 8 Rules Action documentation

Debian 8 : Configure Nginx and Passenger to supercharge your PuppetMaster

Mathieu — Wed, 22 Jun 2016 21:16:00 +0200

The Puppet master comes by default with a basic WEBrick server. It allow a quick start for those that are not familiar with Puppet, but when the number of Puppet nodes grows, the performances of the default WEBrick server are going down quickly.

The Puppet documentation show how to configure Apache and Passenger to replace the default WEBrick server, but what if you have a lot of nodes ? What if you want to apply your configuration within minutes, instead of the default half-hour threshold before the agent asks the master if something changed ?

Or you may just want a fancy Nginx instead of your plain-old-reliable Apache.

Here is how.

Check your hostname

Your hostname is the base configuration for your node, you should check that it's correct, otherwise you will run into problems after Puppet installation.

# hostname -f

If everything is okay, check your hosts file

# cat /etc/hosts

If your hostname is inside your host file, carry on. Otherwise, set it.

Install Puppet and Puppetmaster

I suppose that you also need the puppet agent installed on the Puppetmaster server.

Install Puppet and Puppetmaster :

# apt-get install puppet puppetmaster

Stop the Puppetmaster :

# service puppetmaster stop

Prevent the puppetmaster from starting. Nginx will spawn on the right port instead of the WEBrick server, previously spawn by Puppetmaster service. Edit the file /etc/defaults/puppetmaster :

# Start puppetmaster on boot?
START=no

Configure the Puppet agent : edit the file /etc/puppet/puppet.conf to point your agent on the master (for instance puppetmaster.example.com).

Also, comment the two lines that are "needed for passenger", our configuration don't need them. Actually, if you keep it, it will not work.

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
server=puppetmaster.example.com

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
#ssl_client_header = SSL_CLIENT_S_DN
#ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
report = true

Enable your puppet agent :

# puppet agent --enable

Install Nginx and Passenger

We will install the bundle Nginx+Passenger shipped by Phusion repositories.

Add the key to your keyring :

# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7

The Phusion repository uses HTTPS, add HTTPS transport to APT :

# apt-get install apt-transport-https ca-certificates

Finally, install Nginx and Passenger :

# apt-get update
# apt-get install nginx-extras passenger

Configure Nginx and Puppetmaster application

Edit /etc/nginx/nginx.conf and uncomment the reference to passenger config :

    ##
    # Phusion Passenger config
    ##
    # Uncomment it if you installed passenger or passenger-enterprise
    ##

    include /etc/nginx/passenger.conf;

Create the file /etc/nginx/nginx/sites-available/puppet.conf with the following content :

server {
    listen                     8140 ssl;
    server_name                puppet puppetmaster puppetmaster.example.com;

    passenger_enabled          on;
    passenger_app_env          production;

    passenger_set_header       X-Client-Verify  $ssl_client_verify;
    passenger_set_header       X-Client-DN $ssl_client_s_dn;
    passenger_set_header       X-SSL-Subject    $ssl_client_s_dn;
    passenger_set_header       X-SSL-Issuer     $ssl_client_i_dn;

    access_log                 /var/log/nginx/puppet_access.log;
    error_log                  /var/log/nginx/puppet_error.log;

    root                       /etc/puppet/rack/public;

    ssl_certificate            /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
    ssl_certificate_key        /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
    ssl_crl                    /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
    ssl_ciphers                'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers  on;
    ssl_verify_client          optional;
    ssl_verify_depth           1;
    ssl_session_cache          shared:SSL:128m;
    ssl_session_timeout        5m;
}

Remove the default virtual host from Nginx as we don't need it :

# rm /etc/nginx/sites-enabled/default

And enable your newly created server :

# ln -s /etc/nginx/sites-available/puppet.conf /etc/nginx/sites-enabled/puppet.conf

Before restarting Nginx, we will configure the Ruby application for Puppetmaster.

Create the directory /etc/puppet/rack and its subdirectories /etc/puppet/rack/public and /etc/puppet/rack/tmp

# mkdir -p /etc/puppet/rack/public /etc/puppet/rack/tmp

Create the file /etc/puppet/rack/config.ru with the following content :

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')

$0 = "master"

# Set the PATH in environment variable
ENV['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"

# Rack applications typically don't start as root.  Set --confdir, --vardir,
# --logdir, --rundir to prevent reading configuration from
# ~/ based pathing.
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"
ARGV << "--logdir"  << "/var/log/puppet"
ARGV << "--rundir"  << "/var/run/puppet"
#ARGV << "--codedir"  << "/etc/puppet/code"

# always_cache_features is a performance improvement and safe for a master to
# apply. This is intended to allow agents to recognize new features that may be
# delivered during catalog compilation.
ARGV << "--always_cache_features"

# NOTE: it's unfortunate that we have to use the "CommandLine" class
#  here to launch the app, but it contains some initialization logic
#  (such as triggering the parsing of the config file) that is very
#  important.  We should do something less nasty here when we've
#  gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
#  the magic that allows the CommandLine class to know that it's
#  supposed to be running master.
#
# --cprice 2012-05-22

require 'puppet/util/command_line'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute

Chown the file for Puppet user :

# chown puppet:puppet /etc/puppet/rack/config.ru

And finally, restart Nginx :

# service nginx restart

Then, test you configuration by running the agent :

# puppet agent --test

Troubleshooting and errors

Error 500

Warning: Error 500 on SERVER: Internal Server Error

Read the logs at /var/log/nginx/error.log and /etc/nginx/puppet_error.log

Error 403

Warning: Error 403 on SERVER: Forbidden request: localhost(127.0.0.1) access to /node/puppetmaster.example.com [find] at :119

Check that your hostname resolves, and that your host file is clean. In particular, you should have the host name of your server on the same line than localhost :

127.0.0.1    localhost puppetmaster puppetmaster.example.com

Also check that your Puppet configuration is correct, in particular check that the two lines "required for Passenger" are commented.

Sources

Blattaria Momentum

Mathieu — Mon, 20 Jun 2016 09:53:00 +0200

Ou « ce que je n'ai pas dit à l'oraison funèbre, parce que c'est pas mon truc de parler devant des gens tristes pour les faire pleurer ».

Lundi dernier, nous avons perdu quelqu'un. À titre strictement personnel, je ne le connaissais pas si bien que ça.

C'est à l'occasion de mes apparitions aux rendez-vous et événements du BDE que j'ai eu l'occasion de le rencontrer. Et même si je n'ai passé en cumulé qu'une centaine d'heures avec lui, sa disparition m'a troublé à un point auquel je ne m'attendais pas.

J'ai été d'autant plus touché qu'il était né la même année que moi, presque le même mois. Je me sentais très proche et je me reconnaissais beaucoup dans sa manière de réagir et d'interpréter les événements et les problèmes. L'impression de perdre quelqu'un que l'on regrette d'avoir connu ajoute de la déception et du regret au chagrin.

Je ne le connaissais pas si bien que ça, mais c'était quelqu'un d'immédiatement attachant, souriant, et qui allait spontanément vers les autres. C'était quelqu'un de sérieux, d'engagé, de rigoureux et fidèle dans ses engagements. Lundi dernier, nous avons perdu un ami fidèle, un membre émérite de l'association, et une très grande personne.

Certains le connaissaient pour ses colères ou ses prises de position tranchées, sa passion un peu trop féroce pour convaincre du bien fondé de son point de vue, mais une fois l'orage passé il avait l'humilité, l'intelligence, et le courage de reconnaître lorsqu'il s'était trompé. Des qualités trop rares de nos jours.

Profondément rationnel, logique, mais aussi humain et attentif à la souffrance des autres, son geste est d'autant plus incompréhensible. Au point où l'accident stupide semble être la seule explication rationnelle que l'on peut admettre.

De son engagement associatif, humain, et scientifique, il restera dans nos mémoires comme un fils, un frère, un modèle, ou simplement un ami.

Adieu Jean. Et merci.