SSH config file to the rescue

August 31, 2008

I’ve recently switched my hosting from a single self-managed dedicated server at 1and1 to a managed virtual private data center on “the cloud” with ENKI consulting. The benefits of the grid computing technology they are using are numerous, including improved security, automatic redundant failover, and great management and monitoring tools.

As part of the improved security, each component of the system (webserver, database) runs in its own virtual machine, and only has the bare minimum access to files and other services that it needs. When setting these up, I have to ssh to each component individually. Access is provided to the separate components by having a different ssh port on one externally available IP address.

Typing in “ssh -p 7543 dobes@543.32.54.32” with varying port numbers, usernames, and IP addresses can be a pain.  Today I found out that you can specify aliases in your ssh configuration that set up connection options, hostnames, and IP addresses.

Simply edit ~/.ssh/config and put sections like:

Host glassfish-live
    HostName 543.32.54.32
    Port 7543
    User dobes
    Compression yes
    IdentityFile ~/.ssh/id_rsa_live

Each time ssh finds “Host” it treats the settings that follow as specific to that host, and “HostName” tells it the “real” host to connect to.  These aliases are a great shortcut and I was so pleased to discover them I couldn’t wait to share them.
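
As an added example (not part of the original post), the Python sketch below resolves an alias the way the paragraph above describes, with the first value found for each keyword winning, and reports misspelled keywords or bad yes/no values before ssh rejects the file. The `Host *` block, the `deploy` user, the documentation address 192.0.2.10 and the short keyword allow-list are assumptions; negated patterns and `Match` blocks are not handled.

```python
import fnmatch

# Small allow-list (assumption: enough for a personal config; ssh_config has many more).
KNOWN = {"hostname", "port", "user", "compression", "identityfile"}
YES_NO = {"compression"}

def parse(text):
    """Split config text into [(host_patterns, settings)] plus a list of problems."""
    blocks, problems = [(["*"], {})], []  # lines before the first Host apply to every host
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        elif key not in KNOWN:
            problems.append(f"line {n}: unknown keyword {parts[0]!r}")
        elif key in YES_NO and value.lower() not in ("yes", "no"):
            problems.append(f"line {n}: {parts[0]} expects yes or no, got {value!r}")
        else:
            blocks[-1][1].setdefault(key, value)  # simplification: IdentityFile really accumulates
    return blocks, problems

def resolve(text, alias):
    """Effective settings for an alias: the first value seen for each keyword wins."""
    blocks, problems = parse(text)
    effective = {}
    for patterns, settings in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in settings.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", alias)  # no HostName: the alias itself is the host
    return effective, problems

# Constructed sample: address, Host * block and the two deliberate mistakes are made up.
SAMPLE = """\
Host glassfish-live
    HostName 192.0.2.10
    Port 7543
    User dobes
    IndentityFile ~/.ssh/id_rsa_live
    Compression on
Host *
    User deploy
    Compression yes
"""
```

Because the misspelled key line never takes effect, the resolved settings for `glassfish-live` contain no identity file, and `Compression` falls through to the value in `Host *`.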

Hope you make good use of this one …


GWT to lighttpd/apache to glassfish 502 proxy or 500 internal errors fix

August 22, 2008

I’ve been dealing with this for a while now, trying to figure out why, when using my online accounting software, users sporadically get a StatusCodeException when sending requests to the server. This week I finally figured out what was going on; glassfish was dropping the connection or sending bad responses occasionally because it doesn’t behave in the way that the mod_proxy modules of these webservers expect it to.

Originally I was running lighttpd and I was thinking this might be a bug in lighttpd, so I eventually switched to apache. Once I was running apache I got a much more verbose error – instead of just a plain 500 or 502 status code I got a message. I googled that error message plus glassfish and found the solution.

I thought I’d share it here so that future searchers who are using lighttpd or apache will have more places to find the answer.

To fix the issue, add:

SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1

to your apache httpd.conf. I don’t know what the equivalent fix for lighttpd is, if there is any.

From this fix, it appears that glassfish is misbehaving in some way in relation to being behind a proxy, but I don’t know what way that is and I’m just glad I fixed this mysterious problem!

If any of you readers have more information about this issue, please comment!


Getting an SSL private key into glassfish

July 2, 2008

After much frustration I finally figured out how to get my existing private key and certificate into glassfish’s keystore so that it worked. You see, I did something that the makers of java keytool never thought of – I didn’t use keytool to generate my private key! Unfortunately, keytool doesn’t allow you to import an existing private key; you can only import the certificates (e.g. the public keys). It took me a few hours to figure out this bit of idiocy, and kudos to this blog post for enlightening me:

Import private key and certificate into Java Key Store (JKS)

I followed his steps to convert the keys into DER format and generate a keystore file from that. Then I used keytool’s -importkeystore command to merge that new keystore into glassfish’s keystore, and used keytool to change the key’s password to match the keystore’s password. Fixed!