Want to be a Linux admin? Start here.

This collection of links originally appeared on my consulting website.  If you are a developer new to using Linux or Unix systems these guides will probably come in handy at some point.  Enjoy.

Summer Recreation - Dragonboating in False Creek

Just a quick note about the fun activities around Vancouver in the summer time.  This is the ideal place to spend your time on a beach if you are wanting to waste the summer away.  I'll be working for much of this summer.  Crazy busy right now.  I still make time to dragonboat.  Teams are a good way to stay focused and motivated when the beach is always trying to lure you away from your busy life.  That's me in the back.

Customizing FCKeditor on Drupal

Editing modern CMS-based sites usually means a bit of HTML editing.  More often than not there is some kind of editor built-in with the application framework you are using to facilitate this.  On Drupal you choose whichever editor you think works best.  For me the choice was simple - FCKeditor.  Why FCK? It supports a lot of browsers and is built in a modular fashion.  So there are many different ways you can use it.

Before we get started there are a few decisions to make about how you want to integrate with Drupal.

Choosing Your Module

You can use the "Wysiwyg API" module if you are interested in using the editor for everyone using a specific input format (think "Filtered HTML", etc).  This new module allows you to download the current FCK codebase and set permissions against that and only that.  It is limited but growing in popularity due to the number of other editors that are supported by this module.  If you need more than one editor this is your best bet.

What I have found in practice though is that you will probably want the FCKeditor module rather than "Wysiwyg API" if you want to customize with a GUI and/or set permissions based on URL and/or another method.  For most new installs I use "Wysiwyg API" for its simplicity.

If your intent is to use custom buttons for page break and to manually set teaser length I would recommend the FCKeditor module - it has the Drupal custom plugins included.

Getting the Code

Once your module is installed you will want to download the source code for the editor.  This will effectively activate your module and allow you to set permissions so you can use it.

Make Editing Pleasurable

By default there are a few settings that are targeted to yesterday's editing preferences.  I like to change the following to better utilize my browser's built-in functions.

  1. Simplify the toolbar - by default FCK shows absolutely everything under the sun.  That means 4 or more bars worth of buttons.  Simplify that!  This can be done in the fckconfig.js file by modifying the tokens in the toolbar.  You can also add new toolbars.  When using Wysiwyg API you will need to activate new toolbars by editing fckeditor.js to specify the default.  With the FCKeditor module you can use the Drupal admin page to specify the default.
  2. Activate the Drupal Plugins - the FCKeditor module comes with the Drupal Plugins.  These two buttons will set your teaser length and/or page break points.  If working on a site which requires these features the buttons are worth it. (Alternatively, you could copy the plugin from the FCKeditor module's folder to your Wysiwyg API folder and then add the name in your fckconfig.js file if you aren't using the FCKeditor module).
  3. Switch to the Silver skin - the default of all FCK instances is to display a yucky brownish color to match an old Microsoft Office theme.  Not all of my users are on Windows so I switch to "Silver" when I can.
  4. Disable the right-click context menu - when you're editing text in a web browser you often need the real right-click menu rather than one supplied by JavaScript.  Why? Some browsers block the JavaScript code.  Also, Firefox lets you change languages with this menu - quite important for spell checking.  You can change this in fckconfig.js as well.
  5. Disable built-in spell checking - Most editors like this do a terrible job of spell checking anyway.  Modern browsers do a better job on their own.  Let the browser manage spelling like you know it should.  Again, fckconfig.js will get you there.
  6. Whitelist any odd HTML notation you use - one of my projects involved adding <span> tags into the editor space.  Not ideal code, I know, but it is worth noting that you can override the editor to allow certain tags through when it cleans up the code.  Yes, FCK cleans up broken HTML code.  It even has options in fckconfig.js for removing Word-style formatting.  What bliss.

Those changes will probably make you a hero with most offices.  FCK is widely supported so if you get it working it just works.  It has been around for a long time and seems to have pretty good momentum.

When you want to move on to bigger and better things I suggest creating your own plugins for FCK.  They can be complex, but they are well worth the struggle when you get them working.  I use a custom plugin to produce buttons which insert pre-defined text into the HTML.  More on that in a future posting.

Securing your site with SSL

I have now implemented SSL a couple of times and each time I attempt an install it feels like I am starting over from scratch with my SSL knowledge.  It can be complicated for a newbie but it is entirely possible for someone with a technical aptitude to achieve.  In this article I describe things to look out for when you are doing work with SSL.

This article assumes that you are working on a Debian Linux installation, but would probably work on Ubuntu and other modern Linux distributions as well.

Generate the Keys

In every article you read you are going to see that same heading.  Keys are the things that keep your privacy, and you must generate them on your own.   In this example my certificate signing authority wanted an AES-256 type of key (that's the type of encryption) so I ran the following command in Debian:

openssl genrsa -aes256 -out personal.key 1024

Update 2011-11-02: new recommended command from my provider:

openssl req -nodes -newkey rsa:2048 -keyout personal.key -out personal.csr

As you may have guessed, that creates a file called personal.key.  That's your key!  Keep it safe.  You're probably wanting to do more with it though, because if you go this route you will need to get the certificate signed as well.  If you aren't looking to get a signed key you could alternatively generate a self-signed certificate, but always keep in mind that modern browsers do not like these.  They throw all kinds of errors, security warnings and other messages about your security settings.  So if you want that, go check it out, otherwise let's get that key signed:

openssl req -new -key personal.key -out request.csr

If you're using the updated command above (the 2011-11-02 one), you can probably skip this step!

In this example you take that key you just created and you generate a signing request.  It wants information - so be honest!  This is your online reputation when someone clicks to view the certificate so make sure it is accurate.

The Waiting Game

After your SSL signing request is ready to go it is time to contact your signing authority.  I have gone to two different ones in the past - a Vancouver company called Omegasphere issues these and I have also signed up for one through GoDaddy.  You could buy one from Verisign too, but you will pay a lot more for the privilege.

Once your certificate signing authority gets your request they will do some kind of verification with you and/or your site.  Typically you can pay more for deeper inspection of records.  I'm not sure exactly how that benefits the site owner, but it could make users feel better (provided they understand SSL really well - I'm going to assume most users don't give a F*#$).

All they want is your request.csr file with accurate information.  Be available to respond to their inquiries and requests.  After waiting you should get two new files if your request is approved:

personal.crt
ca-bundle.crt

The file names will certainly differ but the concept is always the same.  You need to install three files when you get into your SSL setup (coming up next, read on!).  First, you need your personal.key.  That has your secret data.  Then you have your personal.crt.  That has your information and signature that says your key is legit.  Lastly, the Certificate Authority Bundle (ca-bundle.crt) is a file that says who vouched for you, and I believe it might also provide a way of authenticating them.  Rest assured, no matter what the case, that last file is about your service provider, not you, but you still need it.

Confirm the Goods

The biggest challenge when you are debugging these files that you just paid for is knowing if you got what you paid for before you spend countless hours trying to force the key into your system(s). I found the solution to this one here, but I'll warn you that the forum is all in French.  Here is a translation.

Run these two commands, they should provide the same answer:

openssl x509 -noout -modulus -in personal.crt | openssl md5
openssl rsa -noout -modulus -in personal.key | openssl md5

Do those look the same?  Good.  Ok, you got what you paid for.

Just in case though, let's do one more test.

openssl x509 -noout -text -in personal.crt
openssl rsa -noout -text -in personal.key

This one is more complicated.  Check that the exponent is the same.  Typically it is 65537 in most configurations.  So long as you have a match you are gold.
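
The same check, generalised as an added example (not code from the original post): it compares the public key carried by the private key, the signing request and the certificate, so it also works for non-RSA keys, and it flags keys under 2048 bits. The files it creates are constructed throwaways and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the article.

# Public key (PEM) carried by each artifact. An encrypted key, such as one
# made with "genrsa -aes256", prompts for its passphrase here.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# same_pubkey KEY FILE KIND (KIND is csr or cert)
# returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed
same_pubkey() {
    a=$(pub_of_key "$1") || return 2
    b=$("pub_of_$3" "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
}

# key_bits KEY: prints the key size OpenSSL reports (RSA modulus bits)
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# check_delivery KEY CSR CERT: one line per check, returns 0 only if all pass
check_delivery() {
    rc=0
    same_pubkey "$1" "$2" csr  && echo "csr:  matches key" || { echo "csr:  MISMATCH"; rc=1; }
    same_pubkey "$1" "$3" cert && echo "cert: matches key" || { echo "cert: MISMATCH"; rc=1; }
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] && echo "key:  $bits bit" || { echo "key:  ${bits:-?} bit, under 2048"; rc=1; }
    return $rc
}

# make_fixture DIR: constructed throwaway files. The self-signed certificate
# only stands in for the file a signing authority would send back.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/personal.key" \
        -out "$1/personal.crt" -subj "/CN=www.example.test" -days 1 2>/dev/null
    openssl req -new -key "$1/personal.key" -out "$1/request.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d) && make_fixture "$dir"
check_delivery "$dir/personal.key" "$dir/request.csr" "$dir/personal.crt"
check_delivery "$dir/other.key" "$dir/request.csr" "$dir/personal.crt" ||
    echo "other.key is not the key this certificate was issued for"
rm -rf "$dir"
```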

Installing Away

Using Apache2

Installation on Apache2 is "simple" in the sense that there are lots of howto documents out there for you to sink your teeth into.  Sometimes you will chip a tooth.  I took one recommendation and accidentally removed PHP5 while trying to set up SSL.  Be wary of what you copy and paste, it is a mixed bag out there.

Your server will not restart if you do not get this configuration right.  So do it when the sun is not shining.  Also, be sure you checked out the test steps above, they will save you some headaches here.

Enable mod-ssl

Apache2 needs a module to get SSL support configured.  Enable it with this command:

a2enmod ssl

Edit ports.conf

You need to enable Port #443 to get SSL in gear.  Update your ports.conf as such:

Listen 80
Listen 443

There, the "Listen 80" line was there so we added a second entry.

Virtual Hosts

This is where virtual hosts get weird.  You need to add the NameVirtualHost directive and define at least one new site.  You can only have one SSL certificate per IP address so start adding some to your account if you intend to run a few different certificates on your server.

NameVirtualHost 127.0.0.5:80
NameVirtualHost 127.0.0.5:443

Be sure to replace 127.0.0.5 with your server's IP address. 

Now define your new site.  Copy your existing virtual host entry and paste it into the same file, making sure to paste it after the end of the primary virtual host.

Now, change your IP address and port in the new entry:

From: <VirtualHost 127.0.0.5:80>
To: <VirtualHost 127.0.0.5:443>

Be sure to skip the from/to part that I typed in there, that was just for reference.  You can customize the other settings in here now or come back to it later.  You might want to set up a different log file for SSL errors, for example.

Now, somewhere in the definition of the ssl virtual host add the following lines. 

SSLEngine on
SSLCertificateFile /etc/apache2/personal.crt
SSLCertificateKeyFile /etc/apache2/personal.key
SSLCertificateChainFile /etc/apache2/ca-bundle.crt

Note that you must change the path to these files to match where you have stored them on your system.  As mentioned earlier, if this statement fails your server will not start any more.  You can comment out "SSLEngine on" by putting a # in front of it if you need to get your site back up in a hurry (obviously without SSL).
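
Since a bad path in these directives keeps Apache from starting, the files can be checked before a restart. This is an added example, not part of the original article; the function name check_ssl_files and the demo paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Demo paths are constructed.

# check_ssl_files CONF: for each SSLCertificate*File directive in CONF, confirm
# the file is readable and, for the key, that group/other have no access.
# Assumes directives are spelled with the capitalisation used in the article.
check_ssl_files() {
    rc=0
    while read -r directive path rest; do
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;   # other directives and commented-out lines
        esac
        path=${path#\"}; path=${path%\"}   # Apache accepts quoted paths
        if [ ! -r "$path" ]; then
            echo "MISSING $directive $path"; rc=1; continue
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            perms=$(ls -ld "$path" | cut -c5-10)   # group and other bits
            [ "$perms" = "------" ] || { echo "LOOSE $path ($perms)"; rc=1; }
        fi
    done < "$1"
    return $rc
}

# Constructed demo: key left world-readable, chain file never copied over.
d=$(mktemp -d)
: > "$d/personal.crt"; : > "$d/personal.key"; chmod 644 "$d/personal.key"
cat > "$d/ssl-vhost.conf" <<EOF
<VirtualHost 127.0.0.5:443>
    SSLEngine on
    SSLCertificateFile $d/personal.crt
    SSLCertificateKeyFile $d/personal.key
    SSLCertificateChainFile $d/ca-bundle.crt
</VirtualHost>
EOF
check_ssl_files "$d/ssl-vhost.conf" || echo "fix these before restarting Apache"
rm -rf "$d"
```

On Debian, running apache2ctl configtest afterwards checks the configuration syntax before you restart.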

If you added a password during the setup process you will now need to enter it each time you start Apache2.  It is possible to remove this "feature" if you automate updates and can't predict when your server restarts itself.

For other services

When it comes time to expand your SSL presence beyond Apache2 you can start plugging these three files into your other servers.  You need to keep in mind that the IP address and domain name should be the same as the Apache2 server. 

In my experience certain programs require you to change the format of the information to convert it to a PEM file.  This will also probably reduce the number of files you need to install the key, but your mileage may vary.  Ideally, you still want your CA-Bundle in there but sometimes it isn't necessary.

For Drupal

If you plan on using your SSL certificate with Drupal, set up Apache as noted above and then install the Secure Pages Drupal module in your site.  I had to add "user" as one of the paths to encrypt so that visitors know their data is safe.  Otherwise it handled the web side of things quite gracefully.