HTTPS Web Sites: Just One Per IP?

by Andrew Barber 14. December 2009 07:06

I came across a post the other day where someone stated a misconception: that you can only host one HTTPS web site per IP address available on a server. I think most fairly experienced web server admins know that this is not actually the case, and also know why the misconception came to be. Most web server documentation I've seen tells one how to exceed that false limit, but of course it does not say so in exactly so many words!

Like pretty much everyone else who was ever a teenager, when someone says, "you can't do this", I want to know why. And I want to know why for the same reason I wanted to know why, as a teenager, I could not stay out past X time: so I can find a way around it. The long and short of the story is this: the actual limit for HTTPS sites is one per TCP socket, not one per IP address. So, for every combination of IP address and TCP port, an HTTPS site can be hosted. Note that Host Headers have nothing to do with this. However, for a number of public uses of HTTPS sites, varying the standard TCP port is not a good option, meaning that "one HTTPS site per IP" is still an effective standard.

Add/Remove Programs Cleaner Rescues (Kills!) Orphans

by Andrew Barber 13. November 2009 00:34

Sometimes a software uninstall might not complete fully on a Windows system, and you'll be left with an entry in Add/Remove Programs, even though the program files are no longer present. Attempting to remove the program from that list again sometimes will generate an error, and the entry will not be removed, leaving you with an annoying orphan. IntelliAdmin has a freeware program called Add/Remove Programs Cleaner, which removes entries from that list.

Important Note: This tool does not do anything toward actually uninstalling a program's files, shortcuts, or registry or profile data. It only removes the item in the Add/Remove Programs list, and it should only be used on a program which you know has been uninstalled, but which Windows won't remove from the list when you try via the normal means.

The Cleaner works on Windows NT, 2000, XP, 2003, 2008 and Vista, and may work on Windows 7; I believe it does not work on Windows 98 (seriously, you aren't still using that, are you?). It does not require an installation; it is simply a single executable file that you run.

SQL Server Won't Start Up Automatically

by Andrew Barber 11. November 2009 08:30

I've had a recurring issue with a client's web server and the locally installed instance of SQL Server (2005 Express in this case, but this issue applies to all versions of 2005 and 2008). The behavior was that the service would fail to start automatically once the system was rebooted, but once I connected via the RRAS VPN and then Terminal Services for remote management, the service would start up just fine. The Windows Event Log had the following SQL Server error messages, immediately back-to-back in order (SQL Server itself has the same messages in its own logs):

- Server failed to listen on x.x.x.x <ipv4> xxxxx. Error: 0x2741. To proceed, notify your system administrator.
- TDSSNIClient initialization failed with error 0x2741, status code 0xa.
- TDSSNIClient initialization failed with error 0x2741, status code 0x1.
- Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
- SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

The server was configured to listen on only certain IP addresses, on port xxxxx. 127.0.0.1 was the primary address for the local web sites to use, and x.x.x.x was the private IP address assigned to the RRAS server; this was for remote management of the SQL Server via the VPN connection. Hopefully your light bulb is going off over your head more quickly than it did mine!

Debian GNU/Linux 5 Release Keeps Debian on Top

by Andrew Barber 25. February 2009 13:01

On the 14th, it was announced that the next major version of Debian GNU/Linux - version 5, code-named Lenny - was officially released. Having had some time to consider this - particularly in relation to other distributions, like Ubuntu - I had some notes I wanted to share about the release. Well, more about Debian itself, really. I think I'm about to dive into something of a Holy War here, by daring to express some thoughts regarding my choice of Linux distros. Pray for me, will you?

I use Linux primarily (almost exclusively, actually) for network security functions; mostly for firewalls/routers, and to provide things such as DHCP, DNS and VPN functionality. This entry itself is being posted on a server protected by such a system, and typed on a computer also protected by such a system. Both systems are Debian based. In the past, I have made serious attempts to use Red Hat and Mandrake distributions, but once I gave Debian 3 a try, I was hooked, so to speak. I now primarily use Debian 4 (etch). The reasons I stick with Debian all come down to one simple issue: I want the servers I install to simply do their jobs.

Macs and Malware; Pirates and Trojans!

by Andrew Barber 27. January 2009 10:08

A recently discovered bit of malware for the Apple Mac OSX operating system presents an opportunity to make a few brief points. I'll try not to preach. Too much.

The short version: peer-to-peer file sharing networks have been discovered to be spreading a trojan horse posing as a free or cracked version of Apple's iWork 2009 suite of productivity software. Apple does have a free trial version available for download for those who would legitimately like to try it out on their Mac.

For Heaven's Sake; Practice Safe Hex

Do not download from anonymous P2P networks. Forget the moral and ethical arguments entirely. These networks are simply a playground for people who would like to spread malware. All one has to do is create a trojan horse, and give it a name that suggests it is a crack for some expensive software, and off it goes. The prevalence of broadband connections means people will even download a 300 Megabyte piece of malware, which might actually be embedded within what appears to be the 'real' item claimed. The nature of most P2P networks makes it somewhat difficult to figure out where something came from, so there's little recourse when you get infected.

MacBook Pro Battery Won't Charge?

by Andrew Barber 4. January 2009 11:24

For those who do not already know, I use an Apple MacBook Pro (MBP) as my primary computer. I use Boot Camp to dual boot into Microsoft Windows Vista or Apple Mac OSX 10.5 as needed. I may make a separate post about some of the issues, solutions and tools I have found in that process. However, this post is about a small issue that happens to my MBP on occasion, and which I assume must happen to others also.

At times, the battery simply will not charge. Both Vista and OSX show the charger/power supply connected and in-use, and show the battery at a level other than 100%, but both also show that the battery is not being charged. Angela (my wife and business partner) and I have numerous chargers, and we have verified that the problem lies not with them. Since both OSX and Vista exhibit the same behavior (and since the behavior is also the same when the computer is off but plugged in), it lies not with the operating system, either.

The solution, then, is to reset the System Management Controller (SMC). This is a bit of firmware on the main logic board of the MacBook which controls many functions of the computer, including battery charging. The reset is accomplished like so:

  • Turn the computer completely off
  • Remove both the power supply and battery
  • Press and hold the power button for five seconds
  • Reconnect battery and power supply
  • Turn it all back on, and enjoy

One important note I want to emphasize is that this process should only be followed when the computer has been shut down properly. If you cannot get the computer to shut down properly, you have other issues which are more pressing than the battery not charging. Although Apple makes this caution only in relation to the MacBook Air, I think it would be wise to consider it for any MacBook, or at least to take the system to an authorized service center.

Finally, I want to note that this does not appear to help with another issue experienced by many MacBook Pro users. Many early MBP systems came with faulty batteries, which would not hold much of a charge at all. Apple had an exchange program for these batteries, which ended long ago. There was also a software update to OSX which updated the firmware on some batteries to fix the fault. All modern, fully-patched OSX systems (10.4+) will already have this update, and the battery itself would have been automatically updated, as well. If the battery still does not last long from a 100% charge, the best bet would be to purchase a new one.

Secure Web Sites Vulnerable?

by Andrew Barber 30. December 2008 09:48

Before anyone reading this sees the breathless headlines soon to come on the evening news, I thought I would post some quick analysis. In Berlin, Germany today, at the 25th Chaos Communication Congress (25C3), run by the Chaos Computer Club (CCC), a presentation was made which was entitled, "MD5 considered harmful today; Creating a rogue CA Certificate". I have no idea how the non-computer-literate (or even semi-) media will report this, but likely they will speak about SSL/Secure web sites being able to be spoofed, and that 'phishing' attacks will be more likely, and users won't have any way of knowing if they are victims.

Background

First, a quick attempt at giving a very simple explanation of what is actually very complex:

A 'Certificate Authority' (CA) is a company/entity which issues certificates that are used to verify the identity of something. Typically you will see this evident in the 'Padlock' or colored status bar of your web browser when browsing a secure web site. The 'certificate' is an electronic document, of sorts, which contains various information used to verify that the site is who it claims to be, and which points your web browser (transparently to you) to a CA that does the actual verification. As you might expect, the identities of these CAs are very important. Every web browser comes with a pre-set list of known, trusted CAs. A user can add/remove CAs, which is a critical operation that, in practice, is rarely done.

Why Eels?

No one can really be certain. But those slimy underwater critters obviously have something going for them!

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent the views of employees, contractors or clients of Inkwell Creative Group, LLC in any way.

© Copyright 2008, 2009 Andrew Barber