Set up SSL for MySQL replication

MySQL replication is set up already. Now I need to add SSL so that the communication between server and client is secure.

1. Generate the CA certificate and the server key/cert on the master

CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem

Server Key/Cert
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

2. Enable SSL on the master
Add the following to my.cnf. [mysqld] uses the server key/cert signed in step 1; [client] uses a client key/cert signed by the same CA (step 3). Restart mysqld afterwards.

[mysqld]
ssl-ca=/var/lib/mysql/ssl/ca-cert.pem
ssl-cert=/var/lib/mysql/ssl/server-cert.pem
ssl-key=/var/lib/mysql/ssl/server-key.pem

[client]
ssl-ca=/var/lib/mysql/ssl/ca-cert.pem
ssl-cert=/var/lib/mysql/ssl/client-cert.pem
ssl-key=/var/lib/mysql/ssl/client-key.pem

3. Generate the client key/cert on the slave
(use a different serial from the server cert: a CA must not issue two certificates with the same serial number)

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

4. Enable SSL on the slave
Repeat step 2 on the slave server using the slave's keys/certs, then restart the DB with skip-slave-start.

5. Start the slave

mysql> change master to master_host='masterdb', master_user='repliuser', master_password='pass', master_log_file='db1-bin.xxxxx', master_log_pos=98, MASTER_SSL=1, MASTER_SSL_CA='ssl/ca-cert.pem';
mysql> start slave;

6. Set up the user permission to use SSL only
Use GRANT with the SSL requirement so that the replication user is allowed to connect over SSL only.
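The commands in steps 1 and 3 above, gathered into one script (this is an added example, not part of the original note): it builds the CA, a server cert and a client cert with distinct serials and distinct Common Names, checks that both leaf certs chain to the CA and that each key matches its cert, and prints the GRANT statement for step 6. The hostnames masterdb and slavedb and the user repliuser are the ones used in the note; the CA name and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not the original note's commands: issue a CA, a server cert and
# a client cert for MySQL replication, then verify them before copying them around.
set -eu

# make_mysql_certs DIR CA_CN SERVER_CN CLIENT_CN
# The CN of each leaf must differ from the CA's CN, and the two leaves get
# different serials (01 and 02): one CA must never issue two certs with one serial.
make_mysql_certs() {
    dir=$1; ca_cn=$2; srv_cn=$3; cli_cn=$4
    mkdir -p "$dir"
    # CA key and self-signed CA cert (-nodes: no passphrase on the key)
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 1000 -key "$dir/ca-key.pem" \
        -subj "/CN=$ca_cn" -out "$dir/ca-cert.pem" 2>/dev/null
    # Server: key + CSR, then sign the CSR with the CA, serial 01
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -subj "/CN=$srv_cn" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 1000 -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -set_serial 01 -out "$dir/server-cert.pem" 2>/dev/null
    # Client: same procedure, serial 02
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client-key.pem" \
        -subj "/CN=$cli_cn" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/client-req.pem" -days 1000 -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -set_serial 02 -out "$dir/client-cert.pem" 2>/dev/null
}

# verify_chain DIR NAME: prints "DIR/NAME-cert.pem: OK" when the leaf chains to the CA
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$2-cert.pem"
}

# cert_serial DIR NAME: prints e.g. "serial=01"
cert_serial() {
    openssl x509 -in "$1/$2-cert.pem" -noout -serial
}

# key_matches_cert DIR NAME: succeeds only if the RSA modulus in the key equals
# the one in the cert (catches a cert copied next to the wrong key)
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1/$2-cert.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$1/$2-key.pem" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# replication_grant_sql USER HOST: the GRANT for step 6. REQUIRE SSL only demands an
# encrypted connection; REQUIRE X509 would also demand the client certificate.
replication_grant_sql() {
    printf "GRANT REPLICATION SLAVE ON *.* TO '%s'@'%s' REQUIRE SSL;\n" "$1" "$2"
}

# Usage: sh mysql-ssl-certs.sh /var/lib/mysql/ssl
if [ "${1-}" ]; then
    make_mysql_certs "$1" "MySQL Replication CA" "masterdb" "slavedb"
    verify_chain "$1" server
    verify_chain "$1" client
    key_matches_cert "$1" server && key_matches_cert "$1" client && echo "keys match certs"
    replication_grant_sql repliuser slavedb
fi
```

Keep ca-key.pem on the master only: sign the slave's client-req.pem there and copy back just the signed client-cert.pem together with ca-cert.pem, so the CA's private key never travels. With MASTER_SSL_CA set, the slave checks that the master's certificate was issued by that CA; adding MASTER_SSL_VERIFY_SERVER_CERT=1 to the CHANGE MASTER statement (available since MySQL 5.1) also checks the certificate's Common Name against master_host.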

Check if SSL is on in mysqld

mysql> show variables like '%have_ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+

Check if the client is using SSL (a non-empty Value means the connection is encrypted):

mysql> SHOW STATUS LIKE 'Ssl_cipher';

manipulating strings

1. cut

Ex. # echo "192.168.1.10:8080" | cut -d: -f1
192.168.1.10

Ex. Use with uniq & sort (uniq only merges adjacent duplicates, so sort first, then count, then sort by count)

Ex. # netstat -nap | grep '192.168' | awk '{print $5}' | sort | uniq -c | sort -nr -k 1

2. sed

Match a string and replace it

echo "I love poem" | sed 's/poem/music/'
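The cut and sed examples above, combined into one pipeline that counts established connections per remote address (an added example, not from the original note). The netstat output is a constructed sample embedded in the script so it runs offline; in real use feed it the output of netstat -nt. It also shows why sed is used to strip the port: cut -d: -f1 returns an empty field for an IPv4-mapped address such as ::ffff:192.168.1.30:5010.

```shell
#!/bin/sh
# Added example, not the original note's commands: count connections per remote IP.
set -eu

# Constructed sample of `netstat -nt` output (not captured from a real host)
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:3306       192.168.1.20:41322      ESTABLISHED
tcp        0      0 192.168.1.10:3306       192.168.1.21:41800      ESTABLISHED
tcp        0      0 192.168.1.10:22         192.168.1.20:55010      ESTABLISHED
tcp        0      0 192.168.1.10:3306       192.168.1.20:41330      ESTABLISHED
tcp6       0      0 ::ffff:192.168.1.10:80  ::ffff:192.168.1.30:5010 ESTABLISHED'

# strip_port: drop the trailing ":port". The $-anchored sed pattern works for
# "::ffff:1.2.3.4:80" too, where `cut -d: -f1` would give an empty first field.
strip_port() {
    sed 's/:[0-9]*$//'
}

# top_remote_ips: netstat output on stdin -> "count ip" lines, busiest first.
# `sort` before `uniq -c` is required: uniq only collapses adjacent duplicates.
top_remote_ips() {
    grep 'ESTABLISHED' | awk '{print $5}' | strip_port \
        | sort | uniq -c | sort -nr -k 1 | awk '{print $1, $2}'
}

# Usage: netstat -nt | sh top-remote-ips.sh   (or run with no input for the sample)
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips
else
    top_remote_ips
fi
```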

ldconfig — change lib path

Sometimes it's preferable to install libraries into non-default locations such as /usr/local/,
but how do you let the system know where to find them?

ldconfig can be used to change the lib path.

Ex. To have the system find libraries under /usr/local/lib for myapp, list the directory in a file under /etc/ld.so.conf.d and rebuild the cache:

vi /etc/ld.so.conf.d/myapp.conf
/usr/local/lib
# ldconfig

To check the result:
# ldconfig -v

# ldconfig -l /path/to/lib/missing.lib.so
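Every directory listed under /etc/ld.so.conf.d is searched by every dynamically linked program on the host, so whoever can write to such a directory can plant a library that gets loaded everywhere. The script below (an added example, not from the original note) reads the directories out of the *.conf files the same way ldconfig would and reports those that are world-writable. The conf directory is passed as an argument so it can be tested against a temporary copy.

```shell
#!/bin/sh
# Added example, not the original note's commands: audit the directories that
# ld.so.conf.d hands to ldconfig.
set -eu

# ld_conf_dirs CONF_DIR: print each directory named in CONF_DIR/*.conf,
# skipping blank lines, "#" comments and "include" lines.
ld_conf_dirs() {
    cat "$1"/*.conf 2>/dev/null | sed 's/#.*//' \
        | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*include' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# world_writable_ld_dirs CONF_DIR: print the subset of those directories that
# exist and carry the other-write bit. `-prune` stops find descending into the
# directory, so only the directory itself is tested; -perm -002 is POSIX.
world_writable_ld_dirs() {
    ld_conf_dirs "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        find "$dir" -prune -perm -002 -print
    done
}

# Usage: sh check-ld-dirs.sh /etc/ld.so.conf.d
if [ "${1-}" ]; then
    echo "library directories configured in $1:"
    ld_conf_dirs "$1"
    echo "world-writable (fix with chmod o-w):"
    world_writable_ld_dirs "$1"
fi
```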

Great articles about shared libraries:
http://www.cyberciti.biz/faq/linux-setting-changing-library-path/
http://www.cyberciti.biz/tips/linux-shared-library-management.html

Linux Network command: tcpdump

Examples:

Show details of packets
# tcpdump -nnvvXS

Show a specific type of traffic
# tcpdump icmp (or tcp, udp)

Add source/destination IP/port filters and write to a file (options such as -w must come before the filter expression)
# tcpdump -nnvvXS -w /tmp/test.pcap src 1.2.3.4 and port 3306

Read the capture back from the file (-s 0 for full packets, -A to print the payload as ASCII)
# tcpdump -qns 0 -A -r /tmp/test.pcap

tcpick -C -yP -r /tmp/test.pcap

ngrep
ngrep -d any -W byline dst 1.2.3.4 > /tmp/test.pcap

SPF for Gmail

I had a problem where mail sent from one Gmail account to another got bounced back. The bounced mail showed that a softfail had happened.

"mydomain" does not designate xxx.xxx.xxx.xxx as permitted sender

and xxx.xxx.xxx.xxx belongs to one of Gmail's mail servers.

It seems that the Gmail server that sent the email was not recognized as a valid sender...

Then I found this page,

http://support.google.com/a/bin/answer.py?hl=en&answer=60764

I needed to add "include:_spf.google.com" to the SPF record!
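A small checker for an SPF record (an added example, not part of the original post): it splits the record into terms and reports whether the v=spf1 tag, the include:_spf.google.com mechanism and a closing all mechanism are present, and counts the terms that cost a DNS lookup, since RFC 7208 allows at most 10 of them. The record strings are constructed samples; in real use pass the output of dig +short TXT mydomain.

```shell
#!/bin/sh
# Added example, not the original post's commands: check an SPF TXT record.
set -eu

# spf_terms RECORD: one term per line, with the surrounding quotes from dig removed
spf_terms() {
    printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' | grep -v '^$'
}

# spf_check RECORD: prints PASS, or "MISSING:" followed by what is absent (exit 1)
spf_check() {
    missing=""
    spf_terms "$1" | head -n 1 | grep -qx 'v=spf1' || missing="$missing no-v=spf1"
    spf_terms "$1" | grep -qx 'include:_spf.google.com' || missing="$missing no-google-include"
    # the record should end with an "all" mechanism, e.g. ~all (softfail) or -all (fail)
    spf_terms "$1" | tail -n 1 | grep -qE '^[-~?+]?all$' || missing="$missing no-all"
    if [ -z "$missing" ]; then
        echo PASS
    else
        echo "MISSING:$missing"
        return 1
    fi
}

# spf_lookup_count RECORD: number of terms that trigger a DNS lookup
# (include, a, mx, ptr, exists, redirect); RFC 7208 limits a record to 10
spf_lookup_count() {
    spf_terms "$1" | grep -cE '^[-~?+]?(include:|a$|a:|mx$|mx:|ptr|exists:)|^redirect=' || true
}

# Usage: sh spf-check.sh "$(dig +short TXT mydomain)"
if [ "${1-}" ]; then
    spf_check "$1"
    echo "DNS lookups used: $(spf_lookup_count "$1") of 10"
fi
```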

Install Ubuntu on an EeePC

1. Create a USB image to install Ubuntu on the EeePC.
Problem:
Got the error "Unknown keyword in configuration file"

How to fix:
This page is very helpful:
http://alexsleat.co.uk/2010/11/27/how-to-fix-unknown-keyword-in-configuration-file-ubuntu-usb-boot/

2. Choose the partition
Delete the old /dev/sda7,
then "Add" on "Free Space" -> new /dev/sda7,
filesystem ext3,
mount point -> /.
Then install.

bg

To suspend the running command, press

Ctrl + Z

Then use the bg command to put it in the background.

Ex.
find / -name "syslog"

>Ctrl + z

[1]+ Stopped find / -name "syslog"

>jobs
[1]+ Stopped find / -name "syslog"

>bg %1
[1]+ find / -name "syslog" &

Set up Lighttpd for Video Streaming

Lighttpd is said to be much lighter than Apache. I tried to set it up for FLV and H.264 streaming. The configuration is relatively easy.

1. Download lighttpd-1.4.29.tar.gz

2. Download lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
(This is the patch for mod_h264_streaming)

3. Extract the lighttpd tarball
tar zxvf lighttpd-1.4.29.tar.gz

4. Patch in mod_h264_streaming
(the patch tarball extracts over a directory named lighttpd-1.4.18, hence the rename)
mv lighttpd-1.4.29 lighttpd-1.4.18
tar zxvf lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz

5. Configure /etc/lighttpd.conf
Basic setup:

server.port = 80
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = "/var/www"
server.tag = "lighttpd"
server.pid-file = "/var/run/lighttpd.pid"
server.errorlog = "/var/log/lighttpd/error.log"
include "conf.d/access_log.conf"
index-file.names += (
"index.html", "index.htm", "index.php"
)
include "conf.d/mime.conf"

6. module.conf
server.modules = (
"mod_access",
"mod_fastcgi",
"mod_h264_streaming",
"mod_flv_streaming",
"mod_rewrite",
"mod_auth",
)
h264-streaming.extensions = ( ".mp4" )
flv-streaming.extensions = ( ".flv" )

7. Set up the vhost
There are many samples out there for this part already, so I won't write any here.

8. FCGI
I had FCGI installed in advance. To have lighttpd use FCGI, edit

conf.d/fastcgi.conf

fastcgi.server = (
".php" =>
(( "host" => "127.0.0.1",
"port" => 81,
"bin-path" => "/usr/local/bin/php"
)),
)

9. Restart lighttpd
Then you can see the FCGI processes that lighttpd started.

10. Use JW Player
Download mediaplayer.zip,
unzip it and copy "jwplayer.js" and "player.swf" to a folder under the docroot of the site.
Check "JW Player Quick Start Guide.pdf" in the zip file for how to embed JW Player with JavaScript and stream.

Yum Repo

Set up /etc/yum.conf
"man yum.conf" is useful for learning all the options.

Yum repos are located under
/etc/yum.repos.d

$releasever is determined by distroverpkg in /etc/yum.conf;
distroverpkg=redhat-release is the default.
To find out which package provides the distroverpkg value:
yum whatprovides redhat-release

How to change $arch:
man setarch

Yum with multiple repos
http://blog.chrisramsay.co.uk/2009/08/14/yum-with-multiple-repos-yum-plugin-priorities-on-centos/