It’s very windy today. Besides, raining but spring rain, indeed. It’s warm.
I took pictures of Hakusekirei (M. a. lugens). They are very active in spite of rain and wind. Cute!!
 |
 |
 |
 |
Categories
Updating to PHP5.6.7.
Update information Edit(Apr.14)
They released PHP5.6.7 Windows version on Mar-19 23:50:34UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68976), CVE-2015-2305 (bug #69248) and CVE-2015-2331 (bug #69253). The previous version (PHP5.6.5) has a bug fix for CVE-2015-0231, so this bug fix is second time. I wonder if some unfixed issues still remain for this vulnerability. Anyway I updated my PHP from 5.6.6 to 5.6.7 on my Web server (Windows7HP+SP1(x86)).
By the way, the new version includes some fixes for OPcache. But I have no new report on the page Bug #67937. So, nothing might change about it, but I enabled OPcache on my server again (Mar-29@6:55JST). What results will I have? I feel nervous about it.
If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.
Edit(Apr.14):
The OPcache on my Windows server has worked well for more than two weeks. I don’t know why. But I am happy!!
Categories
桃の節句 (peach festival) passing.
The ume (梅) blossoms are still in full bloom in my garden (fig.1 white, fig.2 red), but I can see peach and apricot blossoms here and there in my town after 桃の節句 (peach festival) (fig.3 ひな飾り by Tirol-Choco, it’s a chocolate box (^o^). ).
 |
 |
 |
All told, I wanted to recite one of spring poems and chose 春風 (Spring wind) by 白居易(樂天). How do you feel?
亦 薺 櫻 一
道 花 杏 枝
春 楡 桃 先
風 莢 梨 發
爲 深 次 苑
我 村 第 中
來 裏 開 梅
- Rough translation of the poem
Spring wind makes one of the buds on a branch of Ume tree break in the imperial garden
Cherry, apricot, peach and pear following
It opens shepherd’s purse flowers and rustles shells of elm fruits in my village nearby mountains
It makes me happy because I also have the spring wind
If you read the poem, read top to bottom and right to left.
Categories
Smoke signals.
I got an e-mail from Delonix on March 1st. Its subject is ‘Smoke signals’, he-he. He wrote “every time I try to go to your blog it shows this message: Forbidden You don’t have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.“. This is 403 Forbidden default message.
I asked him to create a topic on o6asan’s BBS. And then I checked up my access-denied.conf file. I control the accesses by the conf file. Of course you can do it by .htaccess files and I think it is more common method. Anyway I found his current IP address and removed it. Now he can access my site.
Delonix and I sometimes exchange e-mails, so we know our email addresses each other. But for not close visitors I think I need to customize 403 Forbidden message. So I made a 403.html file. You see its text on the right image.
For 403 ErrorDocument I need to add the following lines, shown in bold, to the access-denied.conf file and to reboot my Apache httpd.
<Directory “G:/WEB”> <<— G:/WEB is my document root.
<RequireAll>
Require all granted
Require not ip xxx.xxx.xxx.xxx/xx
Require not ip yyy.yyy.yyy.yyy/yy
</RequireAll>
<Files “403.html”>
Require all granted
</Files>
</Directory>
That’s it!!
Categories
Updating to Apache 2.4.12.
Apache HTTP Server 2.4.12 was released. It includes four security patches for CVE-2014-3583, CVE-2014-3581, CVE-2014-8109 and CVE-2013-5704. In the httpd-ssl.conf the following lines were added. There was no release of 2.4.11.
-
# OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
# This feature is disabled by default and requires at least
# the two directives SSLUseStapling and SSLStaplingCache.
# Refer to the documentation on OCSP Stapling in the SSL/TLS
# How-To for more information.
#
# Enable stapling for all SSL-enabled servers:
#SSLUseStapling On# Define a relatively small cache for OCSP Stapling using
# the same mechanism that is used for the SSL session cache
# above. If stapling is used with more than a few certificates,
# the size may need to be increased. (AH01929 will be logged.)
#SSLStaplingCache “shmcb:c:/Apache24/logs/ssl_stapling(32768)”# Seconds before valid OCSP responses are expired from the cache
#SSLStaplingStandardCacheTimeout 3600# Seconds before invalid OCSP responses are expired from the cache
#SSLStaplingErrorCacheTimeout 600
The version was built with openssl-1.0.1l, so the issues told by OpenSSL Security Advisory [08 Jan 2015] were fixed.
I downloaded httpd-2.4.12-win32-VC11.zip from the ApacheLounge for my Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.’.
Update information Edit(Feb.5) Edit2(Feb.7)
Hey guys! I remove Google AdSense until Adobe Flash Player new version coming. Google AdSense is nothing wrong. But it sometimes includes bad sites. At this time, I mean until CVE-2015-0313 fixed, it might have a site which is infected hxxp://www.retilio.com/skillt.swf, Trend Micro calls it SWF_EXPLOIT.MJST. This bad swf spreads rapidly through popular sites, for example, Dailymotion, etc.
When Adobe Flash Player new version reaches to us, I’ll restore Google AdSense to my sites. m(_”_)m
Edit(Feb.5):
Hi, they released Adobe Flash Player new version. Now (16:00JST), I’ve confirmed I have the new version 16.0.0.305 on my IE, FireFox and Google Chrome. I strongly recommend everybody updates to the new version immediately.
I’ll restore Google AdSense to my sites within a few days.
Edit2(Feb.7):
Google AdSense has been restored.
Last time, I created a repository for my own. This time, I’ll write ‘How to use the repository’.
Log in a CentOS7 I want to use the repository on, for example the VPS, the VM for development environment, and so on.
- Install ‘yum-plugin-priorities’.
Because Base, Updates and Extras repositories have high priority, CentOS doesn’t use my repository package if the same rpm package exists in these three repositories when they are enabled and aren’t changed their priorities. Of course, you can handle this by manual each time, but I prefer using ‘yum-plugin-priorities’ for my frequently used repositories.
$sudo yum install yum-plugin-priorities
I think you have to set their priority for frequently used repositories. How do we know what repositories we enable? You can get the information by the next command.
$yum repolist
If you do ‘yum repolist all’, you can get the information about all repositories configured. - Create a myrepo.repo in the directory /etc/yum.repos.d.
$sudo vi /etc/yum.repos.d/myrepo.repo
Its text is the followings.
[myrepo]
name=o6asan’s original RPM packages
baseurl=http://www17130ue.sakura.ne.jp/~myrepo/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-o6asan
priority=1 - Add ‘
priority=2‘ to the last line of [base], [updates] and [extras] in /etc/yum.repos.d/CentOS-Base.repo. - $
wget http://www17130ue.sakura.ne.jp/~myrepo/x86_64/RPM-GPG-KEY-o6asan
$sudo mv RPM-GPG-KEY-o6asan /etc/pki/rpm-gpg/
Now, I’m ready to use my repository. When I use my repository at the first time, CentOS7 asks about importing RPM-GPG-KEY-o6asan and imports it if I give ‘yes’.
Note) How to delete GPG public key from a client PC.
The client PC doesn’t have the private key. So ‘gpg --delete-key <email@address>’ gives ‘Unknown system error’. The next command works.
$ sudo rpm -e [package]
For that, you need an exact package name. You can get it by the following.
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}n'
For example, you have the following about CentOS-7 Key.
gpg-pubkey-f4a80eb5-53a7ff4b –> gpg(CentOS-7 Key (CentOS 7 Official Signing Key)
So you can delete it by the next command.
$ sudo rpm -e gpg-pubkey-f4a80eb5-53a7ff4b
I want to configure my system with event + suEXEC + FPM on さくらの VPS.
For that I rebuilt php.rpms with ‘--enable-fpm’, but I got fed up with all the dependency things when I used ‘rpm -ivh’. So I decided to create a repository for my own, ha-ha.
- On the VPS
- $
sudo adduser --gid xxxx myrepo
‘myrepo’ is a user for the repository and ‘xxxx’ is the gid of the httpd user group.
$sudo passwd myrepo - $
sudo chmod 710 /home/myrepo - $
sudo su - myrepo - $
mkdir public_html - $
cd public_html - $
mkdir x86_64 - $
exit
I haven’t written it yet, but I already configure Apache httpd for suEXEC Support. So I have new User and Group on the httpd.conf. If you use the settings on this post for your repository, read my words about httpd configuration on the post as your words on your system.
I removed ‘Options Indexes’ from the httpd conf files, but want to show the indexes of the repository directory. For that I need to use ‘Options Indexes’ in the .htaccess file. So I did the following things.
- About httpd on the VPS
- Change the followings about the userdir.conf (/etc/httpd/conf.d/userdir.conf).
UserDir enabled normuser1—>>UserDir enabled normuser1 myrepo
↑ This is not for .htaccess but for the user ‘myrepo’.
AllowOverride FileInfo AuthConfig Limit Indexes
—>>AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes - $
sudo systemctl restart httpd.service - $
sudo su - myrepo - $
cd public_html/x86_64 - $
vi .htaccess
Its text is ‘Options Indexes’. - $
chmod 640 .htaccess - $
exit
- On the VM for development environment.
- Log on as the user ‘rpmbuilder’ and rebuild all the rpm files I want.
Note 1) On the post ‘First VPS #5’, I wrote how to rebuild php.rpm. That’s nothing wrong, but yum gives ‘Package PACKAGE_NAME.rpm is not signed’ when I used my repository. We need a signature for rpm files when we use them by yum though we can avoid it by the option ‘--nogpgcheck’ and I used the option for my filezilla.rpm installation. - Add my signature to the rpm files.
$rpm --addsign rpmbuild/RPMS/x86_64/*
Of course, I need GPG Keys before this step.- Log on the VM as a root privilege user.
$sudo gpg --gen-key
$sudo gpg --export -a 'o6asan' > RPM-GPG-KEY-o6asan
RPM-GPG-KEY-o6asan is my public key file. I upload this to /x86_64 in myrepo’s DocumentRoot on the VPS by Filezilla client.
$sudo gpg -o file.secret --export-secret-key o6asan
file.secret is my private key file. I move this to rpmbuilder’s home directory.
$sudo mv /home/vmowner/file.secret /home/rpmbuilder/file.secret - Log on the VM as the user ‘rpmbuilder’
$gpg --import file.secret
This command imports both secret and public keys.
$vi .rpmmacros
Add the next two lines.
%_signature gpg
%_gpg_name <Owner name>
Note 2) Actually, I wanted to create the keys as ‘rpmbuilder’ because I rebuild the rpm files as ‘rpmbuilder’. But I couldn’t. To create GPG Keys requires root privilege.
- Log on the VM as a root privilege user.
- Upload all the rpm files to /x86_64 in myrepo’s DocumentRoot on the VPS.
- On the VPS.
$sudo yum install createrepo
$sudo createrepo /path to/x86_64
Now, I have a repository for my own and the URL is http://www17130ue.sakura.ne.jp/~myrepo/x86_64/.
I’ll write ‘How to use the repository for my own’ for the next post.
Categories
Updating to PHP5.6.5.
They released PHP5.6.5 Windows version on Jan-22 03:24:41UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68710), CVE-2014-9427 (bug #68618) and CVE-2015-0232 (bug #68799).
I couldn’t find “Fixed bug #68799” on the PHP5.6.5 ChangeLog though it’s on 5.5.21’s. Did they forget to write it? Anyway, I updated my PHP from 5.6.4 to 5.6.5 on my Web server (Windows7HP+SP1(x86)).
If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.
Categories
First VPS #5 : To rebuild php.rpm.
My original plan for this post was to write an article about suEXEC Support. I want to configure my system with event + suEXEC + FPM on さくらの VPS. About event + suEXEC on Apache httpd it’s OK by CentOS7 default. But about FPM I found a big problem. The default php.rpm of CentOS 7 seems to have no ‘–enable-fpm‘ option at its build. This information you can have by the following command. For this you need to install the package ‘php-devel’. We cannot get the information by ‘php -i’ when we use CentOS rpms.
$ php-config --configure-options
So I have to rebuild the php.rpm with ‘–enable-fpm’. Is this really necessary? Well, OK (^^;).
I don’t build rpms on my VPS because I don’t want to install devel packages on the VPS, so I created a virtual PC for development environment in the NJ2100. For the virtual PC I used VMware(R) Player 6.0.4 build-2249910 and CentOS7 (Select ‘Development and Creative Workstation’ and check ‘Development Tools’). See the post “How to create a Virtual PC in Windows7 and run CentOS6.4 on it” for reference.
I almost had the same results except about Ethernet. The NJ2100 has SiS Ethernet Controller and CentOS7 on VMware(R) Player couldn’t find the device out. How can I fix this issue? I found a lot of pages about it on the Internet and I’ll recommend this page for you though it’s Japanese.
They tell me the same thing, i.e. use vmnetcfg.exe and vmnetcfglib.dll. They say that VMware Workstation Free Trial version like VMware-workstation-full-10.0.x-xxxxxxx.exe includes the two files. But there was a problem. We can download VMware Workstation 10 still now if we need a production version, but about Free Trial version we can download VMware Workstation 11 only from the vender site right now. Though I downloaded ‘VMware-workstation-full-11.0.0-2305329.exe’ and took a look in the file, I couldn’t find the two files.
I looked for VMware Workstation 10 on the Internet. FINALLY, I got it from filehorse.com and had the two files. Do you need them? I made a zip for you. Is this act gray or illegal? Anyway I had a VM for development environment.
Now I’ll write to rebuild the php.rpm. All procedures I did on the virtual machine and see the official page for reference.
- I make an unprivileged user(rpmbuilder) for building RPMs and and create the user mockbuild which is a no logon user. It seems to be used by the command ‘rpm’ and originated in IUS.
$sudo useradd rpmbuilder
$sudo passwd rpmbuilder
$sudo useradd -s /sbin/nologin mockbuild - Create directories for RPM building under rpmbuilder’s home.
$sudo su - rpmbuilder
$mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
$echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros - Download the source rpm from vault.centos.org.
$wget http://vault.centos.org/7.0.1406/updates/Source/SPackages/
php-5.4.16-23.el7_0.3.src.rpm - Install.
$rpm -ivh php-5.4.16-23.el7_0.3.src.rpm - Edit php.spec
$$ cd ~/rpmbuild/SPECS/
$vi php.spec
Add ‘–enable-fpm ‘ as the line 869. - $
rpmbuild -ba php.spec
It shows packages resolving Dependencies. Install all of them. After that try again.
$rpmbuild -ba php.spec
Now I had a php.rpm with ‘–enable-fpm’ option.
By the way, my VM has GUI, so I wanted to use FileZilla as FTP client software. But I couldn’t find its rpm on the official repositories. Then I made a filezilla.rpm. For this I needed the package wxGTK3-devel, so I installed epel repository.
- $
sudo yum install epel-release - $
wget ftp://fr2.rpmfind.net/linux/fedora/linux/development/rawhide/source/
SRPMS/f/filezilla-3.10.0-1.fc22.src.rpm
$rpm -ivh filezilla-3.10.0-1.fc22.src.rpm
$cd ~/rpmbuild/SPECS/
$rpmbuild -ba filezilla.spec
That’s it!