Jenkins slaves, Java Web Start and proxies

So we (Apache Traffic Server) have our Jenkins CI system behind a proxy, naturally. This works very well. We have a few remote slaves that use the "local" Java Web Start launcher, and when they fetch the .jnlp file, the host and port it tells them to use for talking to Jenkins itself are wrong. It (of course) tries to talk to the proxy host, which doesn't work! This was fairly easy to fix: in the Node configuration for the slave, click the advanced option and add a host:port value for "Tunnel connection through".

Optimizing Drupal7 CSS and JS

Even though Drupal has (since long ago) supported merging all CSS and all JS into one file each, after I upgraded from v6 to v7 I still ended up with more than one of each. It turns out Drupal has a notion of groups, and it only merges the CSS / JS elements within each group. I did some web searches and came up with the following:

/**
 * Implements hook_js_alter() for the Pixture Reloaded theme.
 * Puts every JS file into one group so Drupal aggregates them into a
 * single file, and moves them all to the footer.
 */
function pixture_reloaded_js_alter(&$js) {
  // Leave the admin pages and the Google search page alone.
  if (arg(0) === 'admin' || strpos($_GET['q'], 'search/google') === 0) {
    return;
  }

  // Sort first, so the renumbered weights keep the original load order.
  uasort($js, 'drupal_sort_css_js');
  $weight = 0;

  foreach ($js as $name => $javascript) {
    $js[$name]['group'] = -100;
    $js[$name]['weight'] = ++$weight;
    $js[$name]['every_page'] = TRUE;
    $js[$name]['scope'] = 'footer';
  }
}


/**
 * Implements hook_css_alter() for the Pixture Reloaded theme.
 * Puts every stylesheet into one group (one aggregated file); print
 * stylesheets are moved to the end so they stay in their own aggregate.
 */
function pixture_reloaded_css_alter(&$css) {
  // Sort first, so the renumbered weights keep the original load order.
  uasort($css, 'drupal_sort_css_js');

  $print = array();
  $weight = 0;
  foreach ($css as $name => $style) {
    $css[$name]['group'] = 0;
    $css[$name]['weight'] = ++$weight;
    $css[$name]['every_page'] = TRUE;

    // Set print stylesheets aside; they are re-appended after the screen ones.
    if ($css[$name]['media'] == 'print') {
      $print[$name] = $css[$name];
      unset($css[$name]);
    }
  }

  // String keys (file paths) are preserved by array_merge().
  $css = array_merge($css, $print);
}

This goes into the theme's template.php file; in my case I use the Pixture Reloaded theme. I don't know much about Drupal nor PHP, so I don't know what this might break. But it accomplishes three things:

  1. Merge all CSS into one single CSS file.
  2. Merge all JS into one single JS file.
  3. Move the JS to the "footer" of the page (this is important for improved page rendering, but could potentially break some sites, I'd imagine).

Forward proxy over HTTPS

Most clients support what we call forward proxying: you explicitly tell the client which server (and port) to use as a proxy. This has traditionally been done over HTTP, with the CONNECT method added to support HTTPS requests. We are now starting to see some clients support forward proxying over HTTPS, and you might wonder why. Well, a few reasons include:

  • Even with CONNECT there can be some leakage of information: the CONNECT request includes the destination server and port, in clear text.
  • Authentication to the proxy.
  • Overall, we're transitioning away from HTTP.

I saw this tweet from Daniel Stenberg, looking for volunteers to implement support for this in curl. I don't know if he's got any takers yet :). Firefox and Chrome are both working on this feature, Chrome already having the basics available. Since I work on a proxy server (Apache Traffic Server), I took the opportunity to test it with the latest Chrome. Lo and behold, it simply worked right out of the box! I started Chrome with this (OSX) command:

% /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --proxy-server=https://localhost:443

United Wifi and MITM attacks on TLS

So, I was going to check my email on my private IMAPS (TLS, port 993) mail server, and I got a warning about the certificate from my mail client (Apple Mail). Curious, I checked the certificate and found this:

Server certificate
subject=/C=US/ST=Colorado/L=Arvada/O=Ogre/CN=*.ogre.com/emailAddress=leif@ogre.com
issuer=/C=  /ST=Some-State/O=Blue Coat SG900 Series/OU=4312240020/CN=172.16.0.50

Now, this doesn't make a whole lot of sense. I know my certificate was not issued by this issuer. Who is that? Well, Blue Coat SG900 is obviously a proxy of some sort, presumably a transparent (captive) proxy. But why would United care about my IMAP over TLS connection? What could they possibly want to see? My email? Anti-virus? And this is after I had paid the $8.99 (very reasonable) internet fee, so IMO it should not be captive any more.

Needless to say, I did not trust this certificate / MITM attack, and was therefore unable to check my email. Very lame.

Note: This is the TLS handshake with the MITM proxy server:

Server certificate
subject=/C=US/ST=Colorado/L=Arvada/O=Ogre/CN=*.ogre.com/emailAddress=leif@ogre.com
issuer=/C=  /ST=Some-State/O=Blue Coat SG900 Series/OU=4312240020/CN=172.16.0.50
---
No client certificate CA names sent
---
SSL handshake has read 1754 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: XYZ
    Session-ID-ctx:
    Master-Key: XYZ
    Key-Arg   : None
    Start Time: 1397924326
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
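What I would run before letting a mail client talk IMAPS on an unfamiliar network, as an added example that is not part of the original post: feed the text that openssl s_client prints (the same kind of output as shown above) through a small check that flags an unexpected issuer or a chain that does not verify. Note that in the captured handshake the subject is exactly what the real server presents; only the issuer line and the verify return code give the interception away, which is why the check keys on those two lines. EXPECTED_ISSUER, check_tls_output and check_imaps_host are names I made up; the "good" and "unverified" samples are constructed, while the MITM sample is the issuer and verify lines from the post's capture.

```shell
#!/bin/sh
# Added example, not from the original post. Decide whether a TLS server's
# certificate is the one we expect, based on `openssl s_client` output.

# Placeholder: replace with a distinctive part of the DN of the CA that
# really signed your server certificate.
EXPECTED_ISSUER="${EXPECTED_ISSUER:-O=Example CA}"

# check_tls_output EXPECTED_ISSUER: reads s_client output on stdin.
# Returns 0 when the issuer matches and the chain verified,
#         1 when the issuer is not the expected CA (possible interception),
#         2 when the issuer matches but OpenSSL could not verify the chain.
check_tls_output() {
    expected="$1"
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1)

    # An unexpected issuer is the strongest signal, so test it first.
    case "$issuer" in
        *"$expected"*) ;;
        *) echo "unexpected issuer: ${issuer:-none}" >&2; return 1 ;;
    esac
    # "0 (ok)" means the chain verified against the local trust store.
    case "$verify" in
        "0 (ok)") return 0 ;;
        *) echo "chain did not verify: ${verify:-no verify line}" >&2; return 2 ;;
    esac
}

# check_imaps_host HOST [PORT]: run the check against a live server.
check_imaps_host() {
    host="$1"; port="${2:-993}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | check_tls_output "$EXPECTED_ISSUER"
}

# Constructed sample: a connection that verified and has the expected issuer.
sample_good_output() {
    cat <<'EOF'
Server certificate
subject=/C=US/ST=Colorado/L=Arvada/O=Ogre/CN=*.ogre.com
issuer=/C=US/O=Example CA/CN=Example CA Root
---
    Verify return code: 0 (ok)
EOF
}

# The issuer and verify lines from the post's captured handshake.
sample_mitm_output() {
    cat <<'EOF'
Server certificate
subject=/C=US/ST=Colorado/L=Arvada/O=Ogre/CN=*.ogre.com/emailAddress=leif@ogre.com
issuer=/C=  /ST=Some-State/O=Blue Coat SG900 Series/OU=4312240020/CN=172.16.0.50
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: right issuer, but no local trust anchor for it.
sample_unverified_output() {
    cat <<'EOF'
issuer=/C=US/O=Example CA/CN=Example CA Root
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```

Run it as `check_imaps_host mail.example.com` (a placeholder host) with EXPECTED_ISSUER set in the environment; a non-zero exit is the cue to stay off that network for mail until you know what is in the path.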

firewalld and network interfaces

I have to say, firewalld and firewall-cmd really suck. But since it's the default on a bunch of installations I use, and I try to "drink the koolaid", I've had the misfortune of trying to set it up. Now, it mostly works, except when it doesn't, and then it really fails hard. Case in point: I wanted to reassign some network interfaces to a different zone, and naïvely thought that e.g. this would work:

$ sudo firewall-cmd --permanent --zone=public --remove-interface=eth2
$ sudo firewall-cmd --permanent --zone=internal --add-interface=eth2

Yeah, not so much ... What does work instead is adding a line like this to /etc/sysconfig/network-scripts/ifcfg-eth2:

ZONE=internal

WTF?
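A scripted version of the ifcfg approach, added here as an example and not part of the original post: set_ifcfg_zone rewrites (or appends) the ZONE= line in the interface's ifcfg file instead of editing it by hand, refuses zone names that would not survive as a KEY=VALUE setting, and writes back through the existing file so its owner and mode are kept. SYSCONFIG_DIR, set_ifcfg_zone and get_ifcfg_zone are my names; SYSCONFIG_DIR is overridable so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assign a firewalld zone to an
# interface by editing its ifcfg file, the way the post found to work.

SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig/network-scripts}"

# set_ifcfg_zone IFACE ZONE: replace an existing ZONE= line or append one.
# Returns 1 if the ifcfg file is missing (never creates a bare one) or if
# the zone name contains anything but letters, digits, '_' or '-'.
set_ifcfg_zone() {
    iface="$1"; zone="$2"
    cfg="$SYSCONFIG_DIR/ifcfg-$iface"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    case "$zone" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid zone name: '$zone'" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp.$$"
    # Drop any existing ZONE= line (grep -v exits 1 when nothing is left) ...
    grep -v '^ZONE=' "$cfg" > "$tmp" || true
    # ... append the new one, and write back through cat so that the
    # file's owner and permissions are preserved.
    printf 'ZONE=%s\n' "$zone" >> "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# get_ifcfg_zone IFACE: print the zone configured in the ifcfg file, if any.
get_ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$SYSCONFIG_DIR/ifcfg-$1" | tail -n 1
}
```

After `sudo set_ifcfg_zone eth2 internal`, bring the interface down and up again (ifdown/ifup, or reload the connection if NetworkManager manages it) so the new zone is applied, then confirm with `sudo firewall-cmd --get-zone-of-interface=eth2`.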

tmux and SSH agents

I use tmux a fair amount; together with iTerm2's support for control channels, it's amazing. However, when restoring sessions, if you rely on SSH agents, it can sometimes get wonky: the shell sessions under the tmux session lose their agent connectivity. So I wrote this little shell script, which I run as part of logging in and starting (or restoring) a tmux session:


#!/bin/sh

# A stable path for the agent socket: the real socket path changes with
# every login, the symlink does not, so shells inside tmux keep working.
MY_AGENT=~/.ssh/.ssh-agent

# Only relink when this login has a real agent socket that is not already
# the symlink itself; running the script from inside tmux would otherwise
# point the link at itself and break the agent for every shell.
if [ -S "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK" != "$MY_AGENT" ]; then
    rm -f "$MY_AGENT"
    ln -s "$SSH_AUTH_SOCK" "$MY_AGENT"
fi
export SSH_AUTH_SOCK="$MY_AGENT"

# Attach to the existing session (iTerm2 control mode), or start a new one.
if tmux has-session > /dev/null 2>&1; then
    exec tmux -CC attach
else
    exec tmux -CC
fi

It might not be perfect, and I'm sure it could be automated better in some ways. But with this, naming the script "mux", I simply run that command every time I want to connect to my tmux session. It figures out whether it should attach to an existing session or create a new one.

International characters on OSX

NOTE: this is collected from some sites I can no longer find, so I can not take credit for this.

 

Longtime Mac users know that you can type characters with diacritical marks (for example, â, é, ì, ü, and ñ) by first typing the diacritic (which usually requires the use of the Option key) and then typing the letter. For example, to get ä, you press Option-U (to get the umlaut, or diaeresis) and then press A.

If you can’t remember all those key combos, you could use Mac OS X’s Keyboard Viewer to figure out which ones do what. But it can be a hassle to summon and then hide the Keyboard Viewer whenever you want a special character. Or you could try PopChar X (4.0/5.0; macworld.com/4659), the utility that lets you choose special characters from a drop-down menu; however, it’s probably overkill for most users.

An easier way is built right into Snow Leopard (Mac OS X 10.6). Launch System Preferences, open the Language & Text pane, and then open the Input Sources tab. In the list of input methods on the left, scroll down and enable U.S. International – PC. To make it easier to switch to this input method, choose Show Input Menu In Menu Bar.

That done, when you want to insert a character with a diacritic, choose U.S. International – PC from the Input menu on the menu bar and then create the character by typing a standard punctuation character followed by the letter:

  • To get an acute accent (´), type ' (apostrophe) plus the letter; for example, 'e gives you é.
  • To get an accent grave (`), type ` (accent grave, or backtick) plus the letter; for example, `o gives you ò.
  • To get an umlaut, or diaeresis (¨), type " (quotation mark) plus the letter; for example, "u gives you ü.
  • To get a caret (ˆ), type ^ plus the letter; for example, ^a gives you â.
  • To get a tilde (˜), type ~ plus the letter; for example, ~n gives you ñ.


To type a stand-alone diacritic followed by a vowel without creating a character with a diacritic on top of it, follow the diacritic with a space; that will disable the automatic replacement.
