My scrapbook / technical journal

As stated in my last post, I received my CCNP Lab Kit in the post last week.

In my excitement, I decided to switch my IP Phones from the SCCP firmware (which was the software originally on the phones) to the SIP firmware so that I could connect to VoIPTalk.

Now that the excitement has died down a little, I wanted to switch back to SCCP as, from what I can tell, it provides more features than SIP.

As I’m not too familiar with Cisco IP Phones, I started Googling for instructions on how to switch back, but I couldn’t really find any instructions on how to do so.

In the end I tried the same way I had originally upgraded to the SIP firmware. I edited my gkdefault.txt which originally contained the following line:

upgradecode:3,0x601,0x0400,0x0100,0.0.0.0,69,0x060111a,CP7912080000SIP060111A.sbin

And replaced it with:

upgradecode:3,0x601,0x0400,0x0100,0.0.0.0,69,0x070409a,CP7912080003SCCP070409A.sbin

You can read what the values mean on the Cisco site, but all I had to change was two last values of the line:

0×060111a -> 0×070409a

CP7912080000SIP060111A.sbin -> CP7912080003SCCP070409A.sbin

The first value I had to change was the build ID/date, which is (from what I can tell) the last few characters in the file name after the “SIP” or “SCCP” bit.

The second value is pretty self explanatory, its just the file name of the firmware file you have.

Next, I used cfgfmt to convert the file into a .cfg file compatible with the phones, and put it on my TFTP server.

I then restarted the phones, and behold! They were downloading the SCCP firmware image.

I’m not sure if this is the “correct” way to switch back to the SCCP firmware, but it worked for me and I don’t see why it wouldn’t be correct, it seems pretty obvious. The only reason I am a little confused is the fact that while searching for instructions to switch back, I found a lot of people having difficulties switching back and even some companies offering a “recovery” service for people in this situation.

Hopefully my post will help other people who are in this situation.

Now I just need to figure out how to get the CTU ringtone onto the phone.

Over the last few days, I’ve been playing with Ruby on Rails again and came across Thin, a small, yet stable web server which will serve applications written in Ruby.

This is a small tutorial on how to get Nginx, Varnish, HAProxy working together with Thin (for dynamic pages) and Lighttpd (for static pages).

I decided to take this route as from reading in many places I found that separating static and dynamic content improves performance significantly.

Nginx

Nginx is a lightweight, high performance web server and reverse proxy. It can also be used as an email proxy, although this is not an area I have explored. I will be using Nginx as the front-end server for serving my rails applications.

I installed Nginx using the RHEL binary package available from EPEL.

Configuration of Nginx is very simple. I have kept it very simple, and made Nginx My current configuration file consists of the following:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay off;

    keepalive_timeout 5;

    # This section enables gzip compression.
    gzip on;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_types text/plain text/html text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Here you can define the addresses on which varnish will listen. You can place multiple servers here, and nginx will load balance between them.
    upstream cache_servers {
      server localhost:6081 max_fails=3 fail_timeout=30s;
    }

    # This is the default virtual host.
    server {
        listen 80 default;
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;
        charset utf-8;

        # This is optional. It serves up a 1x1 blank gif image from RAM.
        location = /1x1.gif {
          empty_gif;
        }

        # This is the actual part which will proxy all connections to varnish.
        location / {
          proxy_pass http://cache_servers/;
          proxy_redirect http://cache_servers/ http://$host:$server_port/;

          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

Varnish

Varnish is a high performance caching server. We can use Varnish to cache content which will not be changed often.

I installed Varnish using the RHEL binary package available from EPEL as well. Initially, I only needed to edit /etc/sysconfig/varnish, and configure the address on which varnish will listen on.

DAEMON_OPTS="-a localhost:6081 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -u varnish -g varnish \
             -s file,/var/lib/varnish/varnish_storage.bin,10G"

This will make varnish listen on port 6081 for normal HTTP traffic, and port 8082 for administration.

Next, you must edit /etc/varnish/default.vcl to actually cache data. My current configuration is as follows:

backend thin {
  .host = "127.0.0.1";
  .port = "8080";
}

backend lighttpd {
  .host = "127.0.0.1";
  .port = "8081";
}

sub vcl_recv {
    if (req.url ~ "^/static/") {
        set req.backend = lighttpd;
    } else {
        set req.backend = thin;
    }

    # Allow purging of cache using shift + reload
    if (req.http.Cache-Control ~ "no-cache") {
        purge_url(req.url);
    }

    # Unset any cookies and autorization data for static links and icons, and fetch from catch
    if (req.request == "GET" && req.url ~ "^/static/" || req.request == "GET" && req.url ~ "^/icons/") {
        unset req.http.cookie;
        unset req.http.Authorization;
        lookup;
    }

    # Look for images in the cache
    if (req.url ~ "\.(png|gif|jpg|ico|jpeg|swf|css|js)$") {
        unset req.http.cookie;
        lookup;
    }

    # Do not cache any POST'ed data
    if (req.request == "POST") {
        pass;
    }

    # Do not cache any non-standard requests
    if (req.request != "GET" && req.request != "HEAD" &&
        req.request != "PUT" && req.request != "POST" &&
        req.request != "TRACE" && req.request != "OPTIONS" &&
        req.request != "DELETE") {
        pass;
    }

    # Do not cache data which has an autorization header
    if (req.http.Authorization) {
        pass;
    }

    lookup;
}

sub vcl_fetch {
    # Remove cookies and cache static content for 12 hours
    if (req.request == "GET" && req.url ~ "^/static/" || req.request == "GET" && req.url ~ "^/icons/") {
        unset obj.http.Set-Cookie;
        set obj.ttl = 12h;
        deliver;
    }

    # Remove cookies and cache images for 12 hours
    if (req.url ~ "\.(png|gif|jpg|ico|jpeg|swf|css|js)$") {
        unset obj.http.set-cookie;
        set obj.ttl = 12h;
        deliver;
    }

    # Do not cache anything that does not return a value in the 200's
    if (obj.status >= 300) {
        pass;
    }

    # Do not cache content which varnish has marked uncachable
    if (!obj.cacheable) {
        pass;
    }

    # Do not cache content which has a cookie set
    if (obj.http.Set-Cookie) {
        pass;
    }

    # Do not cache content with cache control headers set
    if(obj.http.Pragma ~ "no-cache" || obj.http.Cache-Control ~ "no-cache" || obj.http.Cache-Control ~ "private") {
        pass;
    }

    if (obj.http.Cache-Control ~ "max-age") {
        unset obj.http.Set-Cookie;
        deliver;
    }

    pass;
}

HAProxy

HAProxy is a high performance TCP/HTTP load balancer. It can be used to load balance almost any type of TCP connection, although I have only used it with HTTP connections.

We will be using HAProxy to balance connections over multiple thin instances.

HAProxy is also available in EPEL. My HAProxy configuration is as follows:

global
  daemon
  log 127.0.0.1 local0
  maxconn 4096
  nbproc 1
  chroot /var/lib/haproxy
  user haproxy
  group haproxy

defaults
  mode http
  clitimeout 60000
  srvtimeout 30000
  timeout connect 4000

  option httpclose
  option abortonclose
  option httpchk
  option forwardfor

  balance roundrobin

  stats enable
  stats refresh 5s
  stats auth admin:123abc789xyz

listen thin 127.0.0.1:8080
  server thin 10.10.10.2:2010 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2011 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2012 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2013 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2014 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2015 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2016 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2017 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2018 weight 1 minconn 3 maxconn 6 check inter 20000
  server thin 10.10.10.2:2019 weight 1 minconn 3 maxconn 6 check inter 20000

Thin

My Thin server is actually run on a separate Gentoo box. I installed Thin using the package in Portage.

To configure Thin, I used the following command:

thin config -C /etc/thin/config-name.yml -c /srv/myapp --servers 10 -e production -p 2010

This configures thin to start 10 servers, listening on port 2010 to 2019. If you want an init script for Thin, so you can start it at boot, run

thin init

This is will create the init script, and you can set it to start up at boot using the normal method (rc-update add thin default or chkconfig thin on).

You should now be able to access your rails app through http://nginx.servers.ip.address

Next, we must configure the static webserver.

Lighttpd

I decided to go with Lighttpd as it is a fast, stable and lightweight webserver which will do the job perfectly with little configuration.

You could also use nginx as the static server instead of using lighttpd, but I decided to separate it.

I decided to use the package from EPEL for Lighttpd, and found that most of the default configuration was as I wanted it to be. The only thing I needed to change was the port and address the server was listening on:

server.port = 8081
server.bind = "127.0.0.1"

And thats pretty much it! Now you just have to dump any static content into /var/www/lighttpd/ (the default location that the Lighttpd package in EPEL is configured to use) and reference any static links using “/static/document_path_of_file”, for example if I put an image into /var/www/lighttpd/images/ called “bg.png”, I can access it using http://servers_hostname/static/images/bg.png.

I have not really done any performance tests onto how well this works, and there are probably many things which I could have done better. This is the first time I made any attempt HTTP performance tuning, and so I am always looking for feedback or tips on how to make this better, so please do contact me if you have any suggestions!

Shhh! I was bored! – It describes me pretty well though imo

Your result for The Official Myers-Briggs Personality Test…

ISTP

1% Extraversion, 20% Introversion, 14% Sensing, 12% Intuition, 23% Thinking, 1% Feeling, 8% Judging and 14% Perceiving!

For the last month or so, I’ve been using Bacula to backup the important data on my machine/servers and my dads computer. Although it works great with my PowerVault 100T DDS4 drive, I got fed up of having to constantly change tapes every they got filled up.

To solve this problem I decided to buy a Dell PowerVault 120T DLT-7000 Autoloader from eBay.

I receieved the PV a few days ago, but I was unable to test it as I did not have the neccicary terminator or cable required to connect it to my server.

After looking on eBay, I found both items from a single seller (the same seller I bought the autoloader infact!), and I received both items in the post today.

I hooked everything up very excitedly, and found that the DLT-7000 drive in the PV-120T was faulty! The LCD displays “Drive POST Error”. I’ve emailed the seller of the autoloader, and I really hope he will be able to repair or send me a new one of these devices.

Lately I’ve been playing with OpenSWAN and IPSec in general.

For the last few years I’ve been using OpenVPN as my home VPN server, but recently I bought a few Intel PRO/100 S Server Ethernet adaptors. From looking on the Intel site the only big difference I could see between these and regular Intel PRO/100 cards was that it has IPSec offloading, which I also remembered seeing IPSec support on my iPhone. So that got me looking into replacing OpenVPN with OpenSWAN on my home router.

In the past, I have come across IPSec quite often, but I never really looked into it. After a bit of reading, I decided to buy “Building And Integrating Virtual Private Networks With OpenSWAN“. I haven’t finished reading the book, but I can say that it is a very well written book for people looking to get started with IPSec. It has quite a nice introduction on the internet and why encryption is so important on the internet. It also explains how encryption was originally only used by the military and how governments around the world tried to stop encryption being used widely across the internet.

On Linux, there are two IPSec stacks, NETKEY and KLIPS. KLIPS is currently the more stable one, and from what I understand, the one which is easier to use. NETKEY on the other hand, is quite a new stack, but due to various reasons, KLIPS was not allowed to be included in the Linux kernel by default, where as NETKEY is.

Since my router machine is running RedHat Enterprise Linux 5, which only includes support for NETKEY, I have been using the NETKEY IPSec stack. So far, the only problem with the NETKEY stack is that creating firewall rules for encrypted packets is much more difficult than it would be using KLIPS, although I was not too disapointed by this since the KLIPS does not have IPv6 support, which, since I like IPv6 so much, is a must for me!

Although I had a bit of a problem with the OVH kernel, after a bit of tweaking and compiling and a lot of rebooting, I was able to create an encryted tunnel between my OVH RPS and my home router. If it had not been for all the trouble I had with the OVH kernel (it took quite a while to get the RPS to boot from the iSCSI disk using my custom kernel, rather than use netboot to fetch an OVH kernel), the tunnel would have been set up within a few minutes, which I found amazing as it takes a bit more time and effort to do with OpenVPN.

So far, I haven’t managed to figure out how to use the IPSec offloading feature of my ethernet cards, but I don’t think thats is really a problem considering my router machine is powerful enough to handle the few IPSec connections that I  have setup (Its a 2.4GHz Pentium 4 machine with 1GB ECC Reg RAM).

After a bit more reading, I decided it would be fun to try and get my iPhone connected to my IPSec Server, so over the next few days, hopefully thats what I will be doing!