Nushus
Monday, March 29th, 2010
I’ve been working to open source a project I’ve been working on at work.
Pushed the code base up to FedoraHosted.org this morning. Documentation still in progress, ticket migration to FH.org trac site to come.
Just Another Day Depending On Grace
Don’t dump out excess thinset (the stuff that adheres tile to backer board) in your driveway and expect to use just a hose to clean it up.
I ended up scooping it up with my hands and putting it in a cardboard box to get it in the trashcan. Otherwise it probably would have solidified in a huge blob in my driveway, and existed for what would have seemed like eternity.
On the other hand… I think the tile job in the downstairs bathroom turned out pretty decent. This photo is pre-grout. If I remember to I’ll take another photo in a finished state.
The problem:
I was using mod_auth_kerb to authenticate and ProxyPass to pass off the request to another server. I’m trying to support Kerberos Authentication but split the infrastructure into a proxy/app tiering using ProxyPass because I needed the ProxyPassReverseCookieDomain directive. Problem is I need to pass the user that had been authenticated along with the ProxyPass (i.e. the value of REMOTE_USER) and found no configs to let me do that with mod_auth_kerb and ProxyPass.
What I tried:
I found a bunch of pages that referenced using a lookahead (LA-U:REMOTE_USER) to get the value of REMOTE_USER. Take that value and set an environment variable. Then use the env var to set a header, say, X-Forwarded-User. This didn’t seem quite right since this was being implemented at the rewrite stage (pre authentication, hence the lookahead’s subrequest) and spawned the overhead of another subrequest to get the initial value. I tried all kinds of permutations of some rewrite configs that looked something like this:
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
Source: http://n2.nabble.com/SSO-with-SSPI-and-SSL-LA-U-REMOTE-USER-always-null-td4086748.html et al.
In spite of the “not quite right” of the subrequest to env var to header I always got a value of (null) back from the lookahead. So this never even worked in combination with mod_auth_kerb (I’ve been told it does with basic auth or with mod_auth_kerb + RewriteRule [P]). Further it seemed inefficient to do all this subrequest to env to header stuff. I figured the most efficient thing to do (relative to processing the requests) would be to write a simple apache module that was in the module chain after auth but before proxy. Turns out that it didn’t take too long to do either.
The Solution:
I started with a tutorial at threebit.net where I just wanted to compile an apache module and insert it into the module chain. This worked like a champ (Thanks Kevin!) and I was logging to my error_log via stderr in no time at all. After reading through some apache code I figured out that r->user was the variable that mod_auth_kerb was populating the authenticated user to and that the ap_hook_handler method was inserting this module into the chain after proxypass. This location in the module chain was a problem because when I turn on proxypass the request was being proxied before the module was being executed. After a bit more docs and code reading I found ap_hook_fixups, which is in a stage between the auth and proxy modules. So that diff would look something like this:
< ap_hook_handler(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
> ap_hook_fixups(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
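Review bot: on the new ap_hook_fixups line the callback is still named mod_tut1_method_handler even though it no longer runs as a content handler; rename it to reflect the fixup phase and check what it returns, because fixups is a run-all hook and any result other than OK or DECLINED ends the request before it reaches the proxy.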
Finally, the method_handler’s code was changed from the stderr functionality to these two lines to use the r->user variable:
apr_table_set(r->headers_in, "X-Forwarded-User", r->user);
apr_table_unset(r->headers_in, "Authorization");
This sets the X-Forwarded-User header with the user the proxy has authenticated and strips out the Authorization header to be sure that you’re not passing any basic auth information (passwords in clear text!) from server to server.
I don’t have a complete set of code anywhere for you to download at this point, though, hopefully there’s enough here that all you’d have to do is swap a few pieces of code out, compile it (I had to update the automake stuff on the tutorial cuz it’s kinda old) and install it according to the tutorial’s directions.
Words of Warning:
1. Secure your app!
If you open your app up to accept X-Forwarded-User and trust that header as a source of an already authenticated user you must make sure that the only host that can pass that header to your app is your proxy! It would not be hard to install this custom module elsewhere (or use the lookahead stuff), slap basic auth on it and pass the header to your app completely ignoring your authoritative authentication infrastructure.
2. This will be applied to every request on your proxy.
There is nothing in this module that will only apply this to a specific vhost or anything. Every request that your proxy processes will get your custom header.
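Warning 1 can also be enforced inside the app itself, in addition to any network restriction. The middleware below is an added example, not code from the original post: it assumes the app is a Python WSGI application and that the proxy's address is 192.0.2.10 (a placeholder), and the names ForwardedUserGate, peer_is_proxy, whoami and call are hypothetical.

```python
import ipaddress

# Assumption: address of the proxy tier (192.0.2.10 is a documentation placeholder).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
USER_KEY = "HTTP_X_FORWARDED_USER"  # WSGI environ name of X-Forwarded-User


def peer_is_proxy(environ, trusted=TRUSTED_PROXIES):
    """True only if the TCP peer (REMOTE_ADDR) is a trusted proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


class ForwardedUserGate:
    """WSGI middleware: accept X-Forwarded-User only from the proxy tier."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        user = environ.pop(USER_KEY, None)  # the app never sees the raw header
        if user and peer_is_proxy(environ, self.trusted):
            environ["REMOTE_USER"] = user
        else:
            # Header missing, or sent by a host that is not the proxy.
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def whoami(environ, start_response):
    """Constructed demo app: echoes the identity it was handed."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]


def call(remote_addr, header_user=None):
    """Send one constructed request through the gate; return the body text."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr}
    if header_user is not None:
        environ[USER_KEY] = header_user
    body = ForwardedUserGate(whoami)(environ, lambda status, headers: None)
    return b"".join(body).decode()
```

This only holds if REMOTE_ADDR is the real socket peer, so keep a network-level restriction (firewall or bind address) in front of the app as well.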
Future?
A nice addition to this would be to let you configure the header name in your vhost config (ProxyUserHeader "X-Custom-Header-Name") or even to submit a patch to mod_proxy so it’s not a separate module but built into mod_proxy (ProxyPassUserHeader "X-Custom-Header-Name"). Seems intriguing to do a bit more with it.
Ran my first half-marathon this morning: Tobacco Road Marathon
My goal was to do it in less than 2 Hours.
Chip time: 1:45:35
Avg mile: 8:07
pretty happy with my results.
Next race this year: Riverwood Sprint Triathlon
A couple weeks ago my church had the pleasure of Bob Kauflin visiting and teaching us. My family had a stomach bug that week so I’ve been listening to the recording. On the way into work this morning I finished it up and was really blessed by Kauflin’s message. My 10,000 ft view looks like this:
No matter what happens, a Christian always has a hope in our saviour. A saviour that has shed his blood for our sins and will return one day to take us from this life to eternal life.
No matter how rotten of a day or how grim your circumstances seem. Rejoice. Give praise to your Lord. You are living his will and your purpose is to praise him.
I’m working on a feature for a project that I’m getting ready to open source. (more to come on it being open sourced when it happens) I’ve never taken the time to try and use pdb to debug a python program. I fell into a situation that seemed plausible to try it.
Found this post and was quite delighted to be able to dive right into debugging my app. Also worth noting: the post references this link, which, once you have the basics of using pdb, expands a little on what else you can do.
<3 pdb
At work we got talking about Dvorak a little while back. I’ve been picking through this tutorial as I get time and really enjoying it. Just google Dvorak to read up on what’s so different about it. The main point I like is that people claim it reduces stress on your wrists. I figure with how much I’m on a computer it’s worth a try. I haven’t found any scientific evidence that it actually helps. Maybe I’ll get to the point of using it full time one day and have my own claim.
You can reconfigure your keyboard to use this layout regardless of its labelling. I’ve got my fedora and mac configured so I can swap between qwerty and dvorak very easily. There’s plenty of info on google on how to set this up. Once it’s set up on a mac just select your layout from the keyboard notification icon near the date/time on your menu bar. On fedora I use L-shift+Caps-Lock and it switches in and out of dvorak. I assume you can do it on windows too, but I don’t have a windows machine to try it on.
Still on lesson 17 in the tutorial so I can’t really do anything with it other than the tutorial yet… but I’m sure I’ll post a blog post in dvorak when I get to that level
ABCD: A Basic Course in Dvorak :: http://gigliwood.com/abcd/
I started a project a while ago that was managing buildbots. It was a cli application that used sqlalchemy and func to manage buildbots across multiple machines. After some experience at work with build systems I realized that this setup was far too complex to expect someone to set up and use and it was fairly tied to a fedora/redhat infrastructure.
Well, I’ve started over. The new application is based on django and for now only installs bots on a single machine. I have plans to support a distributed configuration in the future. For now I just needed a decent interface to get some bots up and running fast.
I also have recorded a screencast to show a simple quick start. The screencast assumes you have some basic buildbot knowledge.
You can get more information, docs, the screencast and the code at https://fedorahosted.org/loki