PHP4 for feisty - pbuilder for beginners

I helped Robbster out on #clug today, building php4 for feisty (it’s been dropped after edgy, in favour of php5). If you want to install it, don’t care about security holes, and want to use the debs I created, add this line to your apt sources list, and go wild:

deb ./

If on the other hand you want to know how to do it (so when the next PHP security hole appears tomorrow, you can build the latest version yourself), read on:

I’ve never used pbuilder before, so it was fun:

# aptitude install pbuilder

Edit /etc/pbuilderrc to point to your closest mirror, and uncomment the COMPONENTSline (so that you get universe included)

# pbuilder create

Now pbuilder is ready for work. Get the latest sources from debian (Download those 3 files at the end, dsc, orig.tar.gz and diff)

# pbuilder build *.dsc

Sit back and watch…

When it’s done, you probably want to create a trivial repository of your debs:

# cd /var/cache/pbuilder/result/; dpkg-scanpackages . /dev/null | gzip -c -9 > Packages.gz

Then add this to your sources.list

deb file:///var/cache/pbuilder/result/ ./

Wohoo. Remember to watch out for those security holes…

OpenVPN / WPAD Mania

I’ve just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world’s most interesting post, but it’s my method, and I want to document it.


The best solution I found was to have the server on it’s own subnet:

dev tun0
keepalive 10 120
push "dhcp-option DNS"
push "dhcp-option DOMAIN"
push "route"
ca /etc/ssl/vpn-cacert.pem
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/
key /etc/ssl/certs/

This sets up a Windows-friendly, routed OpenVPN. (TAP32, the windows tap driver, can’t handle arbitrary IP routed VPNs, each link has to have a private /30 network)

Then, the Windows client side:

dev tun
dev-node VPN-Connection
proto udp
remote 1194
resolv-retry infinite
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
ns-cert-type server
verb 3
keepalive 10 60
explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.


My network has Proxy Autodetection. While I wanted DNS queries to go through the VPN, I didn’t want web traffic to. (DNS through vpn, is ugly, but necessary for finding private servers).

My solution was: dnsmasq.conf:


Apache, default site config snippet:

<Location /wpad.dat>
        ForceType "application/x-ns-proxy-autoconfig"
        Order deny,allow
        Deny from all
        Allow from
        Allow from

And a fallback, in-case the wpad is already cached, this at the top of the wpad:

// VPN:
if (isInNet(myIpAddress(), "", "")) return "DIRECT";

Conversion with Openoffice

Finally, there is a decent way to use openoffice as a file-converter!

I keep an eye on a (currently dysfunctional) e-mail→fax system. The hard part is converting random incoming files to PDF. Especially nasty proprietary-format ones…

I first used WV, a venerable library, which was capable of getting text out of MS word files and into LaTeX. Great for linux sysadmins, but not so good for people who expect their formatting to survive the transition.

Then I moved on to AbiWord. AbiWord has supposedly taken on the WV torch, but it’s given it’s fair share of problems too:

  • It’s command-line PDF conversion has been broken for a while
  • It’s command-line PS conversion was broken for a while, but has since been fixed.
  • Excepting the latest development versions, it requires an X server. I got away with using Xvfb.

Now, I read about unoconv. This looks like exactly what I’ve been looking for! It’ll support all the document types supported by openoffice. Sure the fax server is going to be using a lot more RAM, but this could make it a hell of a lot nicer to work with!

Lighttpd mod_rewrite

I've migrated my teeny-weenie Xen web/mail server to Debian/etch. It hasn't even been rebooted (it would be a shame to spoil the uptime :-) ):

$ uprecords
     #               Uptime | System                                     Boot up
->   1   198 days, 06:16:44 | Linux      Thu Oct 12 10:12:51 2006
     2    99 days, 19:25:00 | Linux 2.6.12-xenU         Sun Oct  9 03:58:58 2005

It runs Lighttpd, a small and fast little webserver, popular in the Rails world. Lighttpd with PHP-fastcgi is probably faster than apache, and uses much less RAM.

With etch, I've finally been able to get mod_rewrite to work. So my Zapiro archive has nice URLs now :-)

Lighttpd has a very nice configuration style:

    # No WWW
    $HTTP["host"] =~ "^www\.((.+\.)?rivera\.za\.net)$" {
      url.redirect = ( ".*" => "http://%1$1" )
    # Add WWW:
    $HTTP["host"] =~ "^((foobar|someclient)\.co\.za)$" {
      url.redirect = ( ".*" => "http://www.%1$0" )
    # PHP Apps:
    $HTTP["host"] =~ "^(zapiro\.rivera\.za\.net)$" {
      url.redirect = ( "^/\?/(.*)" => "http://%1/$1" )
      url.rewrite-once = ( "^/(feed)$" => "/index.php?/$1",
                           "^/([0-9]+/[0-9]+/[0-9]+)$" => "/index.php?/$1" )

It's more logical than apache, but you have to watch out for rewrite->redirect->rewrite loops. So if you change to a clean URL syntax, you can't put in rewrites from index.php?/uglurl to /uglyurl because /uglyurl rewrites back to /index.php?/uglyurl, and you get a loop :-)

etch upgrades

I’ve done etch upgrades in the past (i.e. before etch came out), and they were sometimes quite hairy. Especially the transition from ssh to openssh-server and openssh-client. I had a few broken upgrades…

Since etch has come out, I’ve been upgraded a few machines, and it’s a piece of cake. In fact the CLUG webserver and backup-server have been upgraded.

My servers tend to use custom kernels without initrds, so upgrading is quite simple. The release notes seem to cover it pretty well. There are only a couple of gotchas I’ve had:

Upgrade vim with an aptitude install vim before you do any dist-upgrading. Personally, I like to use vimdiff for configuration file changes. This means I can keep the configuration file format and comments of the latest package, and my configuration changes from when the machine was originally set up. If vim is half installed, you can’t run vimdiff

When you are done, you might need to purge hotplug:

# aptitude purge hotplug

You can also remove non-US from your sources.list.

Syndicate content