The clustery clustering of clusters

A few days ago I got a request about clustering.

It concerned a website that has recently been attracting a lot of public attention.

About a year before, I had given the site's configuration its final polish. It ran fine so far. Nginx and co.

But since that same sustained surge in interest, the flood of requests had become so heavy that at some point everything slowed down, because the disk (an SSD, mind you) could no longer keep up.

Hence the first step: MySQL table into RAM. Bang, everything ran fast again. But that is not a permanent/good solution, since RAM is volatile and after a reboot or power outage all the data would be gone.

And so the second server was ordered right away, to absorb load peaks.

Wonderful. Both set up identically.
Now on to the clustering.

The files: how do I sync the dynamic files most effectively?

Attempt 1: GlusterFS.

Copied into a GlusterFS volume for what felt like 4 hours. When it went live, performance dropped through the floor within 4 seconds, so badly that the PHP timeout was reached before the webserver was even done with the IOWAIT.
So GlusterFS can go straight in the bin as far as websites are concerned; even after mounting the whole thing via NFS, which was supposed to give a performance boost, it took less than a minute for the website to become unreachable.

Then tried Unison. Works wonderfully.

Now the question: what to do with the MySQL DB? First of all, switch to MariaDB, obviously. Then we thought about how to find a way out of the ramfs dilemma.
A large buffer of several GB of RAM plus trx commit set to 2 (innodb_flush_log_at_trx_commit) did the trick; the data is now persistent.
Fine, but how do I get the second server to use the MySQL on the first one? A socat socket.
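
The MariaDB side of that arrangement, as an added configuration example (this is not the author's actual configuration; the buffer size and the private address are assumptions). The point worth seeing is what innodb_flush_log_at_trx_commit = 2 does and does not promise:

```ini
# /etc/mysql/conf.d/cluster.cnf  (added example, values are assumptions)
[mysqld]
# Keep the hot data in RAM instead of on a ramfs: on a dedicated DB host
# roughly 70% of physical RAM is the usual starting point (8G assumed here).
innodb_buffer_pool_size = 8G

# 2 = write the redo log at every commit, but fsync it only once per second.
# This survives a mysqld crash, but an OS crash or power loss can still lose
# up to ~1 second of committed transactions. Use 1 if that is unacceptable.
innodb_flush_log_at_trx_commit = 2

# The second webserver reaches this instance through a socat-forwarded socket
# over the network, so listen on the private interface only (address assumed),
# never on 0.0.0.0, and grant the application user access from that host only.
bind-address = 10.0.0.1
```

On the second server the forwarding end is a listener of the form `socat UNIX-LISTEN:/var/run/mysqld/mysqld.sock,fork,user=mysql,group=mysql TCP:10.0.0.1:3306` (paths and address assumed). Everything that crosses that TCP link, credentials included, is plaintext unless the link is a private network or MariaDB's own TLS is enabled on both ends.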

Cool, now the servers are in sync.

Now on to the load balancing.

So far I had only used DNS load balancing (a.k.a. load balancing for the lazy). Haproxy was a familiar name too, but it had never been necessary, since back then I had 20 identical nodes for a CDN.

This website, however, has one strong server and one moderately strong one. There you want to work with different weights.

The obvious choice here would be the provider's load balancing offering, were it not for the footnote that you cannot use weighting across different points of presence. Great.

So plan B, haproxy, it had to be.
Rented a VPS, set up haproxy, and it runs great.
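
What that weighted setup looks like in haproxy terms, as an added configuration example (names, addresses and weights are assumptions, not the author's configuration):

```haproxy
# /etc/haproxy/haproxy.cfg on the balancer VPS (added example; names, IPs
# and weights are assumptions, not the author's configuration)
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option forwardfor      # backends see the real client IP in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80
    default_backend webnodes

backend webnodes
    balance roundrobin
    option httpchk GET /
    # weight is 1..256; web1 gets roughly two requests for every one to web2,
    # and a node that fails the health check is taken out of rotation.
    server web1 10.0.0.1:80 weight 200 check
    server web2 10.0.0.2:80 weight 100 check
```

Two consequences for the backends: every connection now arrives from the balancer's address, so per-IP limits and logs on the nodes must be keyed on X-Forwarded-For (nginx's set_real_ip_from / real_ip_header), and port 80 on the nodes should be firewalled to accept traffic from the balancer only, otherwise the weighting and any rate limiting can simply be bypassed by going to the node directly. TLS termination is not shown here.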

So let me tell you: GlusterFS is only for static data hoarders, and Unison/haproxy/MariaDB are great programs.

Gamescom 2014 – Coverage

Gamescom 2014 wasn't really worth it, nothing but mainstream crap like Battlefield, Call of Duty, World of Warcraft, League of Legends…

The retro arena was quite nice though; then we walked through the shopping mile, where there was a combo consisting of a glass mug, a Dota 2 keychain and a Brewery HUD for Dota 2. We found it quite funny and treated ourselves to the bundle twice over.


This year we didn't queue anywhere; at Evolve we briefly considered it, but drifted off when the line was completely full.
Stand in line for 4 hours, without folding chairs? Only for Diablo 3… which in the end turned out to be a huge flop anyway.

After 3 hours there we were already back home.

The Trouble with Headsets

For about 15 years I have been using headsets alongside my 5.1 speaker set.

Roughly estimated, I have used/exchanged/broken 20 headsets since then.

One of the first headsets I bought myself was the Wavemaster HPX-2000M (nicely equipped with a battery-powered bass amplifier/ear vibrator).

I was about to buy it for the third time, but by now it's just too dated for me.

Well, several headsets followed, until I stuck with the Creative Draco.

I used that headset for about 1 1/2 years; why I then replaced it with another headset I don't remember exactly, probably sat on it or something.

Well, today I bought the Creative Draco for the second time.

For… a good half year now I had been using the Roccat Kave 5.1.

That headset weighs what feels like 5 kg and has the most impractical head padding I know.
After about an hour of wearing it, the padding is so compressed that the plastic holding the headband pads nicely massages your scalp, most pleasant.
Wouldn't surprise me if I now had a scarred skull.
I figured I'm not masochistic enough to put up with that any longer.
But nothing against the ear pads, those were quite good.

Now for the Creative Draco:
On top a thick piece of foam for padding, the way it makes sense; the ear pads are comfortable too, and the ear cups sit snugly against the ear.
Unlike with the Roccat Kave, though, I don't feel like I'm starting to sweat under the headset.
But now the kicker. Believe it or not: it sounds A LOT better, both spatially (probably thanks to the good Creative Soundblaster Z sound card) and in output quality, compared to the 5 mini speakers in the Kave.

So remember:
2 40 mm neodymium magnets beat 5 standard magnets in a headphone.
A good 50 € cheaper and still better; it's just not always about the price.

Hiawatha: Hisser

After checking whom @hiawatha_ws is following on Twitter (I often get to know new things that way), I saw Hisser, which looks like it's made by Hugo Leisink as well.
Being the experimental person I am, I wanted to give it a try.

I tested it for several hours; I like the simplicity and the security of the chat solution equally.

Download is found here and the Installation is as easy as possible.

For Hiawatha users:
UrlToolkit {
ToolkitID = banshee
RequestURI isfile Return
Match ^/(css|files|images|js)($|/) Return
Match ^/(favicon.ico|robots.txt)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

and add
UseToolkit = banshee
to the VirtualHost running the Hisser server.
Point the WebsiteRoot to the public folder inside the Hisser server.

Change the settings inside hisser/settings/website.conf:
set DEBUG_MODE to no once everything works (or right now, because it will work); don't forget that.
Then set the following to your needs; the script will create it all and install the database for you, so don't create it yourself.
# Database settings
#
DB_HOSTNAME = localhost
DB_DATABASE = yourdb
DB_USERNAME = youruser
DB_PASSWORD = yourpw

I installed the database and logged into the profile,
well, at least I tried. It kept telling me wrong password, but I had seen admin:banshee given as the default combination.
Didn't work for some reason, so I went into phpMyAdmin, into the hisser db, and into the users table.
There I set username, full name and mail address and used the lost password function to gain control over the admin account.

After doing that, you can use the server.
Unfortunately, there is no comfortable way to use it YET.
There is a Hisser command line client (PHP), and from the look of the page, Android and iPhone apps are planned.
Want to use the PHP CLI version?
Use this chain of commands; make sure to edit it to the directory where you want it. Note that the tarball comes over plain HTTP, so nothing protects its integrity in transit; compare it against a checksum obtained from the project before running anything from it:
apt-get install php5-sqlite -y && wget http://hisser.eu/files/hisser-php-0.2.tar.gz && tar xvfz hisser-php-0.2.tar.gz && mv hisser /wherever-you-want-it/hisser && cd /wherever-you-want-it/hisser && ./initdb
The initdb script asks for the following:
- Hostname of Hisser server:
- Your full name:
- Your username at server:
- Your password:

If everything is correct, this appears:
Generating RSA key pair.
Generating device identifier.
Registering device identifier.

You can now use the ./hisser file for further options, which are
Usage: ./hisser
Commands: contacts: Show contact list.
delete : Delete message from database.
fetch: Fetch messages from inbox.
inbox: Show overview of messages in inbox.
index: Show index of messages in database.
invite : Invite other user.
myhash: show my hash for validation.
read : Read message.
send : Send message to other user.
uninvite : Remove user.
validate : Validate user in contact list.

I'm loving it, and I'm trying to get the status of being the first recognised German Hisser server at 5zs.de. Just need some way to allow public registration ;).

Can't wait for a smartphone app; that would surely skyrocket its popularity.

If it's true and it's well encrypted, so that no one knows what's in a message, where it comes from or where it goes, then in my eyes it's far preferable to apps like WhatsApp.




From my Hiawatha article series

Hiawatha: PolarSSL Advantage

Hiawatha uses PolarSSL as its SSL/TLS implementation, commonly known as https, which is enforced here by setting
RequireSSL = yes
inside the VirtualHost section.
The server also sends a Strict-Transport-Security (HSTS) header with a max-age of 31536000, as the response below shows.
Another really cool feature of Hiawatha is the
RandomHeader = 1000
option, which also goes into the VirtualHost section.
In the above case it adds an X-Random header of between 1 and 1000 bytes to the response.
TLS encrypts the content of a response but not its size, so an observer can often tell which file was requested from the response length alone; the random padding blurs that.

Hiawatha is the first webserver I know of that implements such an ingenious technique.

HTTPS headers with RandomHeader activated:
curl -I https://solsocog.de
HTTP/1.1 200 OK
Date: Sun, 29 Jun 2014 07:20:11 GMT
Server: Hiawatha v9.6
Connection: keep-alive
X-Random: iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked

As you see, it adds X-Random, and it is indeed random; here are some other X-Random headers:
X-Random: 77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777
X-Random: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
X-Random: 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
X-Random: PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
X-Random: 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
X-Random: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
X-Random: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

So every https transfer size differs, even for the same page. I like it a lot.
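
What the padding buys and where it stops, as an added example that is not Hiawatha code: it models an observer who sees only the size of an encrypted response and tries to tell which page was requested, first against fixed sizes and then against a RandomHeader-style padding of 1..1000 bytes. The page sizes are constructed sample values, and the second half shows the caveat a practitioner should keep in mind: uniform padding has a known mean, so averaging many observations of the same page recovers its true size again.

```python
"""Length fingerprinting of TLS responses, with and without random padding.

Added example, not Hiawatha code. Page sizes are constructed sample values.
"""
import random
import statistics

# Constructed sample: three resources and their (compressed) response sizes.
PAGES = {"/": 4210, "/login": 4390, "/admin": 9875}
MAX_PAD = 1000  # RandomHeader = 1000


def padded_length(page, rng, max_pad=MAX_PAD):
    """Size the observer sees for one response padded with 1..max_pad bytes."""
    return PAGES[page] + rng.randint(1, max_pad)


def candidates(observed, max_pad):
    """Pages whose possible sizes [size+1, size+max_pad] (or exactly size when
    max_pad == 0) contain the observed length: the observer's ambiguity set."""
    lo, hi = (1, max_pad) if max_pad else (0, 0)
    return {page for page, size in PAGES.items() if size + lo <= observed <= size + hi}


def estimate_size(lengths, max_pad):
    """The padding is uniform on 1..max_pad, so its mean is (max_pad + 1) / 2;
    subtracting it from the average observed length recovers the true size
    to within sampling error once enough responses have been seen."""
    return statistics.mean(lengths) - (max_pad + 1) / 2


def closest_page(size_estimate):
    """Page whose true size is nearest to the estimate."""
    return min(PAGES, key=lambda page: abs(PAGES[page] - size_estimate))


def demo(seed=1, samples=200):
    """Return (ambiguity set after one padded observation of /login,
    page identified after `samples` padded observations of /login)."""
    rng = random.Random(seed)
    single = candidates(padded_length("/login", rng), MAX_PAD)
    many = [padded_length("/login", rng) for _ in range(samples)]
    return single, closest_page(estimate_size(many, MAX_PAD))


if __name__ == "__main__":
    print("no padding, /login requested:", candidates(PAGES["/login"], 0))
    single, repeated = demo()
    print("one padded observation:", single)
    print("identified after 200 observations:", repeated)
```

Two things follow from the model. Padding only hides a page among those whose sizes lie within the padding window (/ and /login here; /admin stays unique), and it only hides a single request: the same page fetched repeatedly by the same client leaks its size through the average. Compression and caching change the numbers but not that reasoning.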

By default the webserver negotiates TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (with forward secrecy, of course)!
1024 bit is the default Diffie-Hellman parameter size; it can be raised up to 4096 by setting
DHsize = 4096
in the server's main configuration. 1024-bit finite-field DH is no longer considered adequate, so at least 2048 is the sensible choice. Note that this setting only affects DHE suites; ECDHE suites such as the default one above use elliptic curves and are unaffected by it.

Let's compare the ciphers of PolarSSL to the more commonly used SSL library,
OpenSSL 1.0.1h

Ciphers
AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89
Cryptographic hash functions
MD5, MD4, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94
Public-key cryptography
RSA, DSA, Diffie–Hellman key exchange, Elliptic curve, GOST R 34.10-2001

(Perfect forward secrecy is supported using elliptic curve Diffie–Hellman since version 1.0.)

PolarSSL 1.3.7

Ciphers
AES, Camellia, DES, RC4, RC5, Triple DES, XTEA, Blowfish
Cryptographic hash functions
MD5, MD2, MD4, SHA-1, SHA-2
Public-key cryptography
RSA, Diffie-Hellman key exchange, Elliptic curve cryptography (ECC), Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve DSA (ECDSA)

PolarSSL is neat in having a smaller footprint, especially in combination with Hiawatha, which adds some security to https as well. Bear in mind that a library implementing a primitive (RC4, MD5 and single DES appear in both lists) says nothing about what a server negotiates; what matters is the cipher suite list the server actually offers.

Set
MinSSLversion = TLS1.2
if you want to support only the latest TLS version (TLS 1.2 at the time of writing) for maximum security; older clients won't be able to visit your https site any more, though.


Hiawatha: Prevention

I tested several of Hiawatha's options.
The preventive ones were especially interesting.

I'll list some nice features and how they work here:
PreventXSS = yes # Blocks requests that look like cross-site scripting attempts.
PreventSQLi = yes # Blocks requests that look like SQL injection; see for yourself with the test link at the end of this post.
PreventCSRF = yes # Prevents CSRF.
ConnectionsPerIP = 60 # Up to 60 simultaneous connections per IP; going above gets you banned for the BanOnMaxPerIP period.
BanOnFlooding = 20/1:15 # More than 20 requests within 1 second results in a 15-second ban.
BanOnGarbage = 3600 # Requests that are obvious garbage, like the w00tw00t bot's, earn a 3600-second ban.
BanOnInvalidURL = 30 # 30-second ban for URLs that violate the RFC, e.g. a literal space instead of %20.
BanOnMaxPerIP = 30 # Ban time in seconds when ConnectionsPerIP is exceeded.
BanOnMaxReqSize = 3600 # Ban time in seconds when the MaxRequestSize limit is exceeded.
BanOnSQLi = 3600 # Ban time in seconds for SQL injection attempts.
BanOnWrongPassword = 1:120 # 1 wrong password and you get banned for 120 s.
KickOnBan = yes # Forcefully kicks the bad guy's open connections instead of showing any error.
RebanDuringBan = yes # If the bad guy keeps doing bad stuff while banned, the ban time is refreshed.
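
How the flooding rule and RebanDuringBan interact over time is easier to see on a timeline than in the one-line descriptions. The following is an added example, not Hiawatha code: it parses the "count/seconds:ban" rule syntax from the configuration above and replays constructed request events through a small guard. The sliding-window counting is an assumption about how the server counts, made here for illustration.

```python
"""Model of Hiawatha's BanOnFlooding rule with and without RebanDuringBan.

Added example, not Hiawatha code. Rule syntax is "count/seconds:ban_seconds";
the sliding-window counting is an assumption, the events are constructed.
"""
import re
from collections import defaultdict, deque

FLOOD_RULE = "20/1:15"  # BanOnFlooding: more than 20 requests in 1 s -> 15 s ban


def parse_flood_rule(rule):
    """'20/1:15' -> (max_requests, window_seconds, ban_seconds)."""
    m = re.fullmatch(r"(\d+)/(\d+):(\d+)", rule)
    if not m:
        raise ValueError(f"bad BanOnFlooding rule: {rule!r}")
    return tuple(int(x) for x in m.groups())


class FloodGuard:
    def __init__(self, rule=FLOOD_RULE, reban_during_ban=True):
        self.max_requests, self.window, self.ban_time = parse_flood_rule(rule)
        self.reban = reban_during_ban
        self.history = defaultdict(deque)  # ip -> timestamps inside the window
        self.banned_until = {}             # ip -> time the ban expires

    def request(self, ip, now):
        """Decide on one request: 'accept', 'ban' (a ban starts now) or
        'banned' (rejected by an existing ban, which RebanDuringBan extends)."""
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            if self.reban:
                self.banned_until[ip] = now + self.ban_time
            return "banned"
        recent = self.history[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()            # drop requests older than the window
        if len(recent) > self.max_requests:
            self.banned_until[ip] = now + self.ban_time
            recent.clear()
            return "ban"
        return "accept"


def replay(events, rule=FLOOD_RULE, reban_during_ban=True):
    """Run (time, ip) events in time order and return the decision for each."""
    guard = FloodGuard(rule, reban_during_ban)
    return [guard.request(ip, t) for t, ip in sorted(events)]


if __name__ == "__main__":
    # Constructed timeline: 21 hits in 0.8 s from one client, retries at 2 s
    # and 16.5 s, plus an unrelated client (documentation addresses).
    burst = [(i * 0.04, "203.0.113.7") for i in range(21)]
    later = [(2.0, "203.0.113.7"), (16.5, "203.0.113.7"), (2.0, "198.51.100.9")]
    for reban in (True, False):
        print("RebanDuringBan =", reban, replay(burst + later, reban_during_ban=reban)[20:])
```

The 21st request inside the window triggers the ban (the first 20 are accepted), the retry at 2 s is rejected either way, and the retry at 16.5 s is the difference: with RebanDuringBan the earlier retry pushed the expiry out to 17 s, so it is still rejected, whereas without it the 15 s ban has lapsed and the request goes through. A client that keeps hammering a server with RebanDuringBan therefore never gets back in until it stops.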

So as you see, there is quite a lot to tune in Hiawatha when it comes to fending off bad behaviour. The Prevent* options are pattern-based filters in the webserver; they are a safety net in front of the application, not a replacement for parameterised queries and output encoding inside it.
In fact, Hiawatha takes SQL injection so seriously that it even banned me for posting a SQL injection test link in a post, so I had to disguise it a bit.
Replace each x in the URL with a single quote (')
https://solsocog.de/wp-login.php?action=lostpasswordx or 1x=x1
(warning: you'll get banned from the webserver for one hour when clicking the link)


Hiawatha: phpMyAdmin sorting Error 403 fix

If you run phpMyAdmin under Hiawatha, you might encounter one annoying error.
When trying to sort MySQL table contents, it simply says Error 403 in a small pma error window.

The fix is as easy as usual:
just add
SecureURL = no
to your pma VirtualHost.

And there you go, it works like a charm!

The "SecureURL" parameter is not to be found in the man pages, which I found rather irritating, but oh well. It is the check that makes Hiawatha reject URLs containing directory-traversal sequences such as /../ with a 403, and it is on by default, so keep the override limited to the pma VirtualHost rather than turning it off globally.


Hiawatha: Introduction

Some years ago (19.04.2011) I tested several webservers and rated Hiawatha with just 1 out of 5 points.

When I wrote a résumé of my experiences in the IT domain, I stumbled upon my rating of Hiawatha.

I thought it would be a good idea to give it another try, and it was.
I dug into the configuration and possibilities of Hiawatha for several hours straight, and fell in love with it.

Since the webserver isn't that popular yet (for whatever reason), I'll write some articles about Hiawatha, its few quirks, its endless possibilities and other useful configurations around it.

If you need help with Hiawatha, just leave a comment here (with a genuine email, of course), or ask over at the official Hiawatha forum; Hugo Leisink is a very kind and committed developer.

ServerStatus

Good scripts need as much publicity as possible,
which is why I present to you the ServerStatus script by BotoX.

Description of ServerStatus:

ServerStatus is a full rewrite of mojeda's ServerStatus script, which in turn is a modified version of BlueVM's script.

Download here

I find it quite useful,
see
status.solsocog.de
where it has now been running continuously on my Raspberry Pi at home for 2 months.