02/11/08

Permalink 05:50:26 pm, by frndrfoe Email , 650 words, 671 views   English (US)
Categories: Announcements [A], Howto

Apache 2 Virtual Hosts howto

There are several ways you can choose to organize your virtual host configuration files, and that is fine. I just recommend using some organization as opposed to making a monolithic httpd.conf file that you end up having to search every time you need to make a change.
I learned somewhere along the line to place non secure site configurations in /etc/httpd/conf and secure site configurations in /etc/httpd/conf.d. You do not have to follow this suggestion, but this is the structure I will use for this document.

My first suggestion is to use the Include feature of the Apache configuration. If you are setting up several virtual hosts, use "Include conf/vhosts.conf" in httpd.conf to separate your virtual hosts into their own file. This makes for more convenient editing in the future.
If you expect to be adding many virtual hosts, try separating them into multiple vhosts files, like vhosts.a.conf for a-m and vhosts.n.conf for sites starting with n through z. You can reference these files from httpd.conf with "Include conf/vhosts.*.conf".

To set up a name-based virtual host, the first step is DNS. Using your favorite DNS server or DNS administrator, make your domain name a CNAME for your host machine's IP address.
For our purpose let's use "Include conf/vhosts.conf" in httpd.conf. Once that line is in httpd.conf we do not need to edit that file any further.
Assuming that your server has the IP of 192.168.1.1, we can add the following information to vhosts.conf to add a virtual host called www.domain.com.

<VirtualHost *:80>
ServerName www.domain.com
ServerAlias domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /var/www/domain.com/htdocs
ErrorLog /var/log/httpd/domain-error_log
CustomLog /var/log/httpd/domain-access_log combined
CacheDisable /images/
ScriptAlias /cgi-bin/ /var/www/domain.com/cgi-bin/
<Directory "/var/www/domain.com/htdocs">
Options Indexes FollowSymLinks +Includes
AllowOverride All
</Directory>
</VirtualHost>

Now let’s pick it apart.

  • <VirtualHost *:80>
    The VirtualHost container starts the section and specifies the IP address and port on which to listen. In our example the "*" means any IP address on the machine and the ":80" is the standard httpd port.
  • ServerName www.domain.com
    ServerName is the domain name of the site.
  • ServerAlias domain.com
    This is an alternate name that the site can be called. This can be the non-www version as shown here, but it could be a completely different CNAME that is also pointed to this server.
  • ServerAdmin webmaster@domain.com
    This is the address that will appear in the default error pages such as 404 - Page not found.
  • DocumentRoot /var/www/domain.com/htdocs
    This is what tells Apache where the web page lives on the server, specifically where to find your index page.
  • ErrorLog /var/log/httpd/domain-error_log
    This tells Apache where it should log error messages. It is a good idea to have each domain write to its own log file.
  • CustomLog /var/log/httpd/domain-access_log combined
    This does the same as above for the access log.
  • CacheDisable /images/
    This is an example in case you frequently change files in the image directory. RHEL 5 comes with mod_cache pre-enabled.
  • ScriptAlias /cgi-bin/ /var/www/domain.com/cgi-bin/
    This gives you the ability to run CGI scripts from a particular directory.
  • <Directory "/var/www/domain.com/htdocs">
    You must tell Apache what privileges it has within the DocumentRoot (shown are rather liberal permissions). You should always have at least one Directory container that matches the path specified in DocumentRoot above.
  • The remaining tags are just for closing the above containers.
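
To make the "rather liberal permissions" concrete, here is an added example (not part of the original post) that scans a vhosts file for the settings worth a second look: Options Indexes, AllowOverride All, and a ScriptAlias whose URL and directory path disagree on the trailing slash. The function name audit_vhosts and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag liberal vhost settings.
# audit_vhosts FILE prints findings as "LINE: message".
audit_vhosts() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i); sub(/^\+/, "", opt)
                if (opt == "indexes")
                    print NR ": Options Indexes enables directory listings"
            }
        }
        tolower($1) == "allowoverride" && tolower($2) == "all" {
            print NR ": AllowOverride All honours every .htaccess directive"
        }
        tolower($1) == "scriptalias" {
            # mod_alias: URL and path must both end in "/" or both omit it
            url_slash = ($2 ~ /\/$/); path_slash = ($3 ~ /\/"?$/)
            if (url_slash != path_slash)
                print NR ": ScriptAlias trailing slash differs between URL and path"
        }
    ' "$1"
}

# Constructed sample input mirroring the liberal settings discussed above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
ServerName www.domain.com
DocumentRoot /var/www/domain.com/htdocs
ScriptAlias /cgi-bin/ /var/www/domain.com/cgi-bin
<Directory "/var/www/domain.com/htdocs">
Options Indexes FollowSymLinks +Includes
AllowOverride All
</Directory>
</VirtualHost>
EOF
audit_vhosts "$sample"
```

A file that uses "Options -Indexes", "AllowOverride None" and matching slashes on ScriptAlias produces no output.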

If you would like to have visitors who type in www.example-site.com be redirected to www.example.com you can add a redirecting virtual host like this:

<VirtualHost *:80>
ServerName www.example-site.com
Redirect / http://www.example.com/
</VirtualHost>

02/08/08

Permalink 07:14:32 pm, by frndrfoe Email , 251 words, 1268 views   English (US)
Categories: Announcements [A], Howto

Upgrade Firefox on Redhat RHEL5 or CentOS 5 from 1.5 to 2.x

Steps to upgrade firefox on RHEL5 or CentOS EL5
I was unable to find an RPM to upgrade Firefox on my RHEL5 machine to the newer more stable 2.x version. Not only is the 2.0 version more stable, but if it crashes it saves your session information so that you can get back to what you were doing faster. As of 2.x Firefox also includes a self checking upgrade package so it is as sensible as installing from RPM.
These are the steps I took to get Firefox upgraded on RHEL5.

First install the compat-libstdc package.

# yum install compat-libstdc++-33

Now I just browsed to mozilla.com and downloaded the latest Firefox version to my Desktop.

Next, close firefox and open up your terminal.
Move your Firefox download to /usr/local/

# cd /usr/local/
# mv /pathto/firefox-2.0.0.11.tar.gz .
(your version will likely vary)
# tar zxvf firefox-2.0.0.11.tar.gz
(output)

Now move the old plugins directory and firefox binary to a safe place.

# mv /usr/lib/mozilla/plugins /usr/lib/mozilla/plugins15
# mv /usr/bin/firefox /usr/bin/firefox15

Create links so that the new plugins directory and binary are included in the correct paths.

# ln -s /usr/local/firefox/plugins /usr/lib/mozilla/plugins
# ln -s /usr/local/firefox/firefox /usr/bin/firefox

Add the following line in the [main] section of /etc/yum.conf so that your updates will not overwrite an older version into place.

exclude=firefox

You should now be able to open Firefox and see the 2.x version.

Permalink 11:16:05 am, by frndrfoe Email , 903 words, 1386 views   English (US)
Categories: Announcements [A], Howto

Linux: Serve iSCSI from Redhat EL5 (RHEL5) or CentOS EL5

iSCSI is a great way to serve a disk (LUN) from one machine to another. This is normally reserved for RAID disk appliances that present themselves to the network over Ethernet, but you can do this with just a couple of Linux machines too.
Why would I ever want this?

  • Perhaps you have an old computer in the basement that serves little purpose but it runs fine. You could install an OS on a small drive and then add a raid controller card or just a big second drive and make it appear as extra storage in your work horse computer. The computer that mounts the drive would treat the space as if it was installed locally. This is more useful than NFS when running SELinux because it makes directory contexts fine tunable.
  • Run a small, even embedded system in your entertainment center and use iscsi to add huge disk space without cluttering your living area. This would work well for MythTV or Freevo.
  • The backend machine does not have to be aware of user and group permissions on the disk it is powering.

iSCSI is accessed with something called an initiator. An initiator is a named interface by which the two devices communicate. The machine hosting the actual hard drive needs to run the iscsi-target software to be able to present the disk to the network.

Setting up the iscsi-target (server)

# cd /usr/local/src
# wget easynews.dl.sourceforge.net/sourceforge/iscsitarget/iscsitarget-0.4.15.tar.gz
# tar zxvf iscsitarget-0.4.15.tar.gz
# cd iscsitarget-0.4.15
# make
# make install

Next, get the location of your new hard drive. See below that it is /dev/sdb.

# fdisk -l

Disk /dev/sda: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 783 6185025 8e Linux LVM

Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

You will want to change the following lines in /etc/ietd.conf

  • iSNSServer - set to this machine's IP address on the desired interface.
  • Target - This is the initiator name that you want to give your LUN
  • Lun - the actual hardware device being shared.

/etc/ietd.conf

# Example iscsi target configuration
#
# Everything until the first target definition belongs
# to the global configuration.
# Right now this is only the user configuration used
# during discovery sessions. “IncomingUser” specifies credentials the
# initiator has to provide - several of these are supported. If mutual
# CHAP shall be employed, “OutgoingUser” specifies the user/pass
# combination the target will provide - only one is supported.
# Leave them alone (keep them commented out) if you don’t want to use
# authentication for discovery sessions.

iSNSServer 172.16.247.130
#iSNSAccessControl No

#IncomingUser joe secret
#OutgoingUser jack 12charsecret

# Targets definitions start with “Target” and the target name.
# The target name must be a globally unique name, the iSCSI
# standard defines the “iSCSI Qualified Name” as follows:
#
# iqn.yyyy-mm.<reversed domain name>[:identifier]
#
# “yyyy-mm” is the date at which the domain is valid and the identifier
# is freely selectable. For further details please check the iSCSI spec.

Target iqn.2008-02.com.pitmanweb:storage.disk2.sys1
# Users, who can access this target. The same rules as for discovery
# users apply here.
# Leave them alone if you don’t want to use authentication.
#IncomingUser joe secret
#OutgoingUser jim 12charpasswd
# Logical Unit definition
# You must define one logical unit at least.
# Block devices, regular files, LVM, and RAID can be offered
# to the initiators as a block device.
Lun 0 Path=/dev/sdb,Type=fileio
# Alias name for this target
Alias Test
# various iSCSI parameters
# (not all are used right now, see also iSCSI spec for details)
#MaxConnections 1
#InitialR2T Yes
#ImmediateData No
#MaxRecvDataSegmentLength 8192
#MaxXmitDataSegmentLength 8192
#MaxBurstLength 262144
#FirstBurstLength 65536
#DefaultTime2Wait 2
#DefaultTime2Retain 20
#MaxOutstandingR2T 8
#DataPDUInOrder Yes
#DataSequenceInOrder Yes
#ErrorRecoveryLevel 0
#HeaderDigest CRC32C,None
#DataDigest CRC32C,None
# various target parameters
#Wthreads 8

Add “ALL ALL” to /etc/initiators.deny. This will block access to all addresses not configured in /etc/initiators.allow.
I added this line to /etc/initiators.allow to allow my client machine. It specifies the iscsi target and the associated client IP address that is allowed to connect.

iqn.2008-02.com.pitmanweb:storage.disk2.sys1 172.16.247.131

Start the iscsi-target service and enable in chkconfig.

# /etc/init.d/iscsi-target start
# chkconfig --levels 345 iscsi-target on

Setting up the client.
First we need to install the iscsi toolset.

# yum install iscsi-initiator-utils

Add your host machine's initiator name in /etc/iscsi/initiatorname.iscsi
/etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2008-02.com.pitmanweb:storage.disk2.sys1

Start the iscsi service.

# /etc/init.d/iscsi start

Now we run a discovery process to register the iscsi lun.

# iscsiadm -m discovery -t sendtargets -p 172.16.247.130

Restart iscsi now that we have a device located.

# /etc/init.d/iscsi restart

You should now be able to see the remote disk as if it were local.

# fdisk -l

Disk /dev/sda: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 783 6185025 8e Linux LVM

Disk /dev/sdb: 8587 MB, 8587160064 bytes
64 heads, 32 sectors/track, 8189 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes

Disk /dev/sdb doesn’t contain a valid partition table

Don’t forget to enable iscsi in chkconfig on the client.

# chkconfig --levels 345 iscsi on

Now create a partition using fdisk and create whatever file system you like. You can experiment with authentication if you care to, or fine tune the parameters in /etc/ietd.conf.
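
Because the configuration above leaves every IncomingUser line commented out, access to the LUN rests entirely on /etc/initiators.deny and /etc/initiators.allow. This added example (not part of the original post or of the iscsitarget project) checks the target machine's files for both conditions; the function name audit_ietd and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an IET target's access control.
# audit_ietd CONF DENY prints one finding per line, nothing when all checks pass.
audit_ietd() {
    awk '
        function report() {
            if (target != "" && !chap)
                print "target " target ": no IncomingUser, CHAP not required"
        }
        /^[ \t]*#/           { next }    # skip comment lines
        $1 == "Target"       { report(); target = $2; chap = 0; next }
        # IncomingUser before the first Target applies to discovery sessions
        $1 == "IncomingUser" { if (target == "") disc = 1; else chap = 1 }
        END {
            report()
            if (!disc) print "discovery: no global IncomingUser"
        }
    ' "$1"
    grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*$' "$2" 2>/dev/null ||
        echo "initiators.deny: no ALL ALL default-deny line"
}

# Constructed sample files: the active lines of the configuration shown above.
work=$(mktemp -d)
cat > "$work/ietd.conf" <<'EOF'
iSNSServer 172.16.247.130
#IncomingUser joe secret
Target iqn.2008-02.com.pitmanweb:storage.disk2.sys1
        #IncomingUser joe secret
        Lun 0 Path=/dev/sdb,Type=fileio
        Alias Test
EOF
echo "ALL ALL" > "$work/initiators.deny"
audit_ietd "$work/ietd.conf" "$work/initiators.deny"
```

On a real target, point it at /etc/ietd.conf and /etc/initiators.deny.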

01/30/08

Permalink 04:58:39 pm, by frndrfoe Email , 175 words, 161 views   English (US)
Categories: Announcements [A], Howto

Installing Mercurial on RHEL 5

We have a lot of software developers in house that for the most part have great freedom in how they would like to work. I have had several requests lately for new version control software packages.

Mercurial
Steps for installing Mercurial:

Make sure you have installed the python-devel package.
# yum install python-devel

Now continue

# cd /usr/local/src
# wget http://www.selenic.com/mercurial-stable-snapshot.tar.gz
# tar zxvf mercurial-stable-snapshot.tar.gz
# cd mercurial-5df7cb799baf/
# make all
# make install

This will install your Python modules in /usr/local/lib/python2.4/site-packages/ but unfortunately that is not already in your path. A simple symlink will fix that.

# ln -s /usr/local/lib/python2.4/site-packages/mercurial \
/usr/lib/python2.4/site-packages/
# ln -s /usr/local/lib/python2.4/site-packages/hgext \
/usr/lib/python2.4/site-packages/

Now test the install by running:
# hg help
You're probably good if you get a help listing instead of an error.

Try creating a repository:
# cd /tmp
# hg init

Check to make sure you now have a directory called
/tmp/.hg

Happy version controlling!

01/29/08

Permalink 03:53:33 pm, by frndrfoe Email , 460 words, 458 views   English (US)
Categories: Announcements [A], Howto

Apache 2.2.3 gotcha

We are running RHEL 5 on our new web server and I am learning some new “gotchas” about Apache 2.2.3. I will also note some configuration requirements of running SELinux.

  • There is a new caching feature built into apache called mod_cache and its associates mod_disk_cache, mod_file_cache and mod_mem_cache. We are hosting a few sites that require a lot of flexibility in space requirements as well as just needing quite a bit of space. For this reason we have the "webroot"s NFS mounted from our SAN.

    As of Apache HTTP server version 2.2 mod_cache and mod_file_cache are no longer marked experimental and are considered suitable for production use.

    This was brought to my attention by one of our web developers: when files were changed in the web directories we would see a lag before they would appear on the site. My first thought was that maybe this was a browser cache issue or maybe even Squid running on the web server without my knowledge (not really but I had to check). It turned out that neither of those was the case. All that had to be done was add this line in my virtual hosts containers "CacheDisable /" and all was well after restarting apache. This causes no content on this site to be cached. I could have also commented out the "LoadModule" sections if I wanted to lose it completely but it has not ticked me off that bad… yet.

    Apache mod_cache documentation

  • Displaying Spanish characters.
    We have some pages in Spanish on our site and I found out that Apache 2.2.3 adds a default character set of UTF-8 which makes these pages unable to display the accented letters. Just comment out the following line and restart apache.
    AddDefaultCharset UTF-8


  • LDAP Authentication.
    Use the following to password protect a web directory using LDAP.

    <Directory "/var/www/html/private">
    Options FollowSymLinks +Includes
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPURL ldap://ldap.example.org/dc=example,dc=org?uid
    require ldap-group cn=private,ou=Group,dc=example,dc=org
    AuthName "My Project"
    AuthType Basic
    </Directory>
  • Another issue is with running SELinux while mounting web content over NFS. This information applies to the default SELinux “targeted” policy that ships with RHEL 5.

    If you are serving static content or something like a wiki you can mount the directory like this:
    server.dom.tld:/web/www /var/www/website nfs bg,hard,intr,context=system_u:object_r:httpd_sys_content_t 0 0

    Or if you need to be able to run scripts, this works:

    server.dom.tld:/web/www /var/www/website nfs bg,hard,intr,context=system_u:object_r:httpd_sys_script_exec_t 0 0
