Posts Tagged ‘howto’

Use Shared Host’s MySQL on VPS

Sunday, April 15th, 2007

My 1&1 VPS II server comes with only 256MB of dedicated memory, which is pathetic. If I run a separate mysqld, it’s going to take 1xxMB away from this extremely limited memory pool. It makes more sense to use the MySQL databases on another shared hosting account instead. BlueHost and HostMonster both come with a firewall enabled by default for their MySQL servers. Whitelisting the VPS’s IP can be done via:

  1. Launching a remote Firefox session, which takes patience and the hassle of all those X Window configs.
  2. Setting up a VPN on the server and using the server’s IP to whitelist itself.

But either way, the connection between the VPS and the Shared Host’s MySQL database would be insecure. It’s natural to conclude that the best option is an SSH tunnel.

This assumes you have shell access to both the VPS and the Shared Host, and that both are running OpenSSH.

Setup Public Key Authentication

  1. Login to the VPS with the account you want to create the tunnel from
  2. cd ~/.ssh

    (create it if it does not exist)

  3. ssh-keygen -t dsa
  4. Securely transfer id_dsa.pub to the Shared Host’s home directory, something like this:
    scp id_dsa.pub sharedhost:/home/username/.ssh/server_id_dsa.pub
  5. Login to the Shared Host
  6. cd ~/.ssh
    cat server_id_dsa.pub >> authorized_keys
  7. Switch back to the VPS and try logging into the Shared Host using public key authentication:
    ssh username@sharedhost

    If everything is set up properly, no password is prompted.

If in doubt, [this] is a good place to consult about Public Key Authentication.

Setting up a host name

When the MySQL client connects to “localhost”, it uses the Unix socket instead of TCP, no matter how hard you try to tell it the service is actually not running on localhost but is a tunnel to a remote host. To overcome this, create an entry in /etc/hosts:

127.0.0.1 localhost mysqlhost

This points the host name ‘mysqlhost’ to 127.0.0.1, which is essentially also localhost, but only the literal name “localhost” gets the special socket treatment; a connection to ‘mysqlhost’ goes over TCP and therefore into the tunnel. MySQL is too dumb to work this out on its own.

Create the tunnel

  1. First, stop the local mysqld. As root:

    service mysqld stop
  2. Login to the VPS with the username previously configured for public key authentication to the Shared Host
  3. Create the tunnel:
    ssh -f username@sharedhost -N -L 3306:localhost:3306

    This starts an SSH session in the background (-f) that runs no remote command (-N) and forwards connections to port 3306 on the VPS’s localhost to port 3306 on localhost as seen from sharedhost, i.e. the shared host’s MySQL server.

  4. Change the PHP configuration files to reflect the database names, users and passwords on the Shared Host, and most importantly use mysqlhost instead of localhost as the database host.

Automate the process

What if the SSH tunnel dies? What if the VPS restarts? How do you make sure the connection stays alive? The answer is autossh.

  1. As root:

    yum install autossh
  2. Edit /etc/rc.d/rc.local and add this line at the bottom:
    su VPSusername -c 'autossh -M 5307 -f SHAREDHOSTusername@sharedhost -N -L 3306:localhost:3306' &

    This tells the server to execute the quoted command as VPSusername at startup and put the process into the background. autossh uses port 5307 to monitor the SSH tunnel to sharedhost and reconnects if it drops. Also make sure to disable the local MySQL daemon from starting automatically, or the tunnel cannot be created because port 3306 is already taken.
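As an added check (example code written for this post, not part of it): `ssh -L 3306:localhost:3306` binds the VPS-side listener to 127.0.0.1 by default, and that is what keeps the shared host’s MySQL reachable only from the VPS itself. The script below reads `ss -ltn` output and reports any listener for the forwarded port bound to a non-loopback address, and also verifies the /etc/hosts alias the post relies on. The sample `ss` output is constructed, the function names are mine, and `mysqlhost` is the alias from the post. One caveat on step 3 of the key setup: current OpenSSH releases reject DSA keys by default, so `ssh-keygen -t ed25519` is the equivalent today.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks for the tunnel
# setup described above. A listener on 0.0.0.0:3306 (e.g. from a bind-address
# typo or a GatewayPorts setting) would let anyone who can reach the VPS use
# the tunnel into the shared host's MySQL server.

# exposed_listeners PORT: reads `ss -ltn` (or `netstat -ltn`) output on stdin
# and prints each local address bound to PORT that is not loopback. Prints
# nothing when PORT is bound only to 127.0.0.1 / [::1].
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")                 # "Local Address:Port" column
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# hosts_alias_ok HOSTSFILE ALIAS: returns 0 when ALIAS appears on a 127.0.0.1
# line of HOSTSFILE, i.e. the /etc/hosts entry that makes the MySQL client use
# TCP (and therefore the tunnel) instead of the Unix socket it uses for
# "localhost". Comment lines are ignored.
hosts_alias_ok() {
    awk -v alias="$2" '
        /^[ \t]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == alias) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample of `ss -ltn` output (not captured from the post's server):
# 3306 is bound both on loopback and on all interfaces; 5307 is the autossh
# monitor port on loopback only.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:5307      0.0.0.0:*'

# Stand-alone run against the sample. On the VPS use: ss -ltn | exposed_listeners 3306
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners 3306   # prints 0.0.0.0
```

If `exposed_listeners 3306` prints anything on the VPS, the forward is wider than the post intends; the fix is the default `-L 3306:localhost:3306` form (no explicit bind address, no `GatewayPorts yes`). `hosts_alias_ok /etc/hosts mysqlhost` returning non-zero means PHP will silently try the local socket instead of the tunnel.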

OpenVPN on FC4 note

Sunday, April 15th, 2007

Server

  1. yum install openvpn
  2. cp -R /usr/share/openvpn/easy-rsa /etc/openvpn
  3. cd /etc/openvpn/easy-rsa
  4. vim vars:
    # easy-rsa parameter settings
    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.
    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    
    export D=`pwd`
    
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    
    export KEY_CONFIG=$D/openssl.cnf
    
    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    
    export KEY_DIR="/etc/openvpn/keys"
    
    # Issue rm -rf warning
    
    echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    
    export KEY_SIZE=1024
    
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    
    export KEY_COUNTRY=US
    export KEY_PROVINCE=CA
    export KEY_CITY=SANDIEGO
    export KEY_ORG="TAROTOAST.COM"
    export KEY_EMAIL="chang.peter@gmail.com"
  5. chmod 700 *
  6. mkdir /etc/openvpn/keys
  7. Make sure you are in a Bash shell (still in the /etc/openvpn/easy-rsa directory)
  8. . ./vars
    (source it with the leading dot; running it as ./vars would start a child shell and the exported KEY_* variables would never reach the scripts below)
  9. ./clean-all
  10. ./build-ca
    Enter ROOTCA for common name
  11. ./build-key-server server
    Enter ROOT for common name
  12. ./build-key [computername] <-- repeat for each computer you want to allow to connect
    Enter [computername] as the common name
    EX: ./build-key AMD64
    EX: ./build-key X40
  13. ./build-dh
  14. vim /etc/openvpn/server.conf:
    port 1194
    proto tcp
    dev tun
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    server 10.11.12.0 255.255.255.0
    client-config-dir ccd
    push "dhcp-option DNS SERVERIP"
    push "dhcp-option DNS SERVERDNS"
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status server-tcp.log
    verb 3
  15. Create log files: touch /etc/openvpn/server-tcp.log /etc/openvpn/ipp.txt
  16. vim /etc/init.d/openvpn:
    Uncomment line 114
    /sbin/modprobe tun >/dev/null 2>&1

    Insert after line 115

    iptables -t nat -A POSTROUTING -s 10.11.12.3 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.4 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.5 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.6 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.7 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.8 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.9 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.10 -j SNAT --to SERVERIP
  17. service openvpn start
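Added example, not from the post or the OpenVPN project: a pre-flight check to run before `service openvpn start`. It resolves the `ca`/`cert`/`key`/`dh` paths from a server.conf like the one above relative to the config’s directory (the init script runs from /etc/openvpn), confirms each file exists, and fails if the private key is readable by group or others. The sample config tree it builds is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an OpenVPN server
# config before starting the service. Relative paths such as "keys/server.key"
# are resolved against the config file's directory, mirroring how the init
# script starts OpenVPN from /etc/openvpn.

# conf_value CONF DIRECTIVE: print the argument of a single-argument directive.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_is_private PATH: 0 if group and other have no permission bits at all.
# Parses ls(1) so it works with both GNU and BSD userlands (assumption: the
# classic 10-character mode column such as "-rw-------").
key_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_openvpn_conf CONF: returns 0 when every referenced file exists and the
# key is private; prints each problem to stderr and returns 1 otherwise.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    status=0
    for directive in ca cert key dh; do
        rel=$(conf_value "$conf" "$directive")
        if [ -z "$rel" ]; then
            echo "missing '$directive' directive in $conf" >&2
            status=1
            continue
        fi
        case $rel in
            /*) path=$rel ;;
            *)  path=$dir/$rel ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive: file not found: $path" >&2
            status=1
        elif [ "$directive" = key ] && ! key_is_private "$path"; then
            echo "key: $path is readable by group/other (expected mode 600)" >&2
            status=1
        fi
    done
    return $status
}

# make_sample_tree: build a throwaway config tree mirroring the post's layout
# (constructed for demonstration; empty files stand in for real keys) and
# print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/keys"
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' \
        'ca keys/ca.crt' 'cert keys/server.crt' \
        'key keys/server.key' 'dh keys/dh1024.pem' > "$root/server.conf"
    for f in ca.crt server.crt server.key dh1024.pem; do
        : > "$root/keys/$f"
    done
    chmod 600 "$root/keys/server.key"
    echo "$root"
}

# Stand-alone demonstration on the constructed tree. On a real server call
# check_openvpn_conf /etc/openvpn/server.conf instead.
demo=$(make_sample_tree)
check_openvpn_conf "$demo/server.conf" && echo "sample server.conf: OK"
rm -rf "$demo"
```

Two things the check cannot see: easy-rsa writes server.key under the KEY_DIR from the vars file, so a mismatch between `export KEY_DIR` and the `key keys/...` line shows up here as a missing file, not as a key problem; and the SNAT rules in step 16 only act on forwarded packets, so `push "redirect-gateway"` also needs IP forwarding enabled on the server (net.ipv4.ip_forward=1), which the post’s steps do not set explicitly.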

Client (Windows Vista with UAC on)

  1. Download and install OpenVPN Gui 1.0.3 with OpenVPN 2.0.9 [Here]
  2. A scary warning will pop up telling you the driver will not work; install it anyway. OpenVPN’s developers have already fixed it.
  3. Make a shortcut on desktop to GUI executable “C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe”
  4. Use WinSCP to download these files onto the client computer:
    /etc/openvpn/keys/ca.crt
    /etc/openvpn/keys/AMD64.key
    /etc/openvpn/keys/AMD64.crt
  5. Put the above files along with this VPNServer.ovpn in C:\Program Files\OpenVPN\config
    VPNServer.ovpn
    client
    dev tun
    proto tcp
    remote SERVERIP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert AMD64.crt
    key AMD64.key
    ns-cert-type server
    push "dhcp-option DNS SERVERIP"
    push "dhcp-option DNS SERVERDNSIP"
    comp-lzo
    verb 3
    route-method exe
    route-delay 2
    
  6. Right click on the shortcut to openvpn-gui-1.0.3.exe, select Run As Administrator
  7. On the taskbar, right click the openvpn gui icon, select connect

DONE [aha

The above mostly follows [this thread] except some minor changes in client side config.

Bluehost Notes

Wednesday, April 4th, 2007

In the end I chose Bluehost. There are many reasons and they are hard to pin down, but in short, after reading a lot of posts on the BH forum I made the decision by following my heart. Whether it was because a moderator there said BH is the CEO’s baby, I don’t know; anyway, after digesting many posts, the strange logic inside me decided on BH.

Some notes about BH:

Installing SVN 1.4.3 (source)

    # this is how I installed subversion 1.4.3 on my bluehost account
    mkdir -p ~/src

    # get and make 'apr-0.9.13' (this isn't included in the subversion tarball)
    cd ~/src
    wget http://apache.ausgamers.com/apr/apr-0.9.13.tar.gz
    tar -xzf apr-0.9.13.tar.gz
    cd apr-0.9.13
    ./configure --prefix=$HOME
    make
    make install

    # get and make 'apr-util 0.9.13' (this isn't included in the subversion tarball either)
    cd ~/src
    wget http://apache.planetmirror.com.au/dist/apr/apr-util-0.9.13.tar.gz
    tar -xzf apr-util-0.9.13.tar.gz
    cd apr-util-0.9.13
    ./configure --prefix=$HOME --with-apr=$HOME
    make
    make install

    # get and make 'subversion-1.4.3'
    cd ~/src
    wget http://subversion.tigris.org/downloads/subversion-1.4.3.tar.gz
    tar -xzf subversion-1.4.3.tar.gz
    cd subversion-1.4.3
    ./configure --prefix=$HOME --without-berkeley-db --with-zlib --with-ssl
    # at this point there's a bit of complaining about berkeley db, let's ignore that...
    make
    make install

    # check it works!
    cd
    svn --version
    # yay!

SSH

The Helpdesk says to write to support@bluehost.com, but that is not actually it. Writing there only gets your mail bounced back saying you now have to open a ticket. The right way is to go into cPanel (BH’s cPanel seems nicer-looking than HM’s), look at the bottom right corner for an “SSH Access” option, and clicking it throws you to the right place. Fill in the details (domain name and cPanel password), and on the page after submitting you can attach a file. Take a photo of your driver’s license with a digital camera, attach it, and you’re done.

SSH is a chrooted environment, but most software can be installed the way shown above, as long as you remember to add --prefix=$HOME when you run configure. One really lame thing is that all outbound connections are limited to port 80. You can’t ssh home, you can’t sftp home; how can it be that bad \囧/

Domains

BH only accepts 5 addon domains; with the original master domain that makes 6 in total. Maybe I will start regretting this. Honestly, though, its folder layout is really weak; I didn’t know there was a weaker layout than 1&1’s. All addon domain folders hang under ~/public_html/, and there is no menu option to put them in something more logical like ~/domains/domain1/. According to the forum, if you phone in, tech support can change it manually, so I will probably wait until all addons are set up and then have the ones that need it changed in one go.

Support

Compared to their support system, 1&1’s is crap. When you phone in and nobody picks up right away, it tells you every minute how many people are ahead of you; the longest I waited was about 5 minutes. Compared to 1&1’s 30-something minutes plus another 10-something minutes on hold, they are angels.

Their tickets also get answered pretty quickly; every ticket you submit has a Due Time, a response within 12 hours. OK, so far I have only filed two, but both were answered within the deadline, and fairly quickly. At least so far I am quite satisfied.

Bandwidth

Comparing speeds from Taiwan’s academic network to 1&1 and to BH, BH is clearly much faster (160KB/s vs 38KB/s), while my tests from home to 1&1 and BH show 1&1 slightly faster. BH may limit each TCP connection, though, because after I set FlashGet to 6 connections the speed still maxed out at my cable bandwidth. The speed between 1&1 <--> BH is really happy-making: every TCP connection gets 1MB/s, and wget’ing four files at once, all of them get 1MB/s too.

More to come..

Logitech’s strategy to rip you off with Windows Vista

Tuesday, March 13th, 2007

So, I have this Logitech QuickCam® Messenger™ that I bought last summer; it’s a dual-pack combo so I can keep the other one at home. I recently upgraded my computer to Vista and guess what I found out:

This Camera will not work with Windows Vista. Please see our list of newer Vista compatible cameras.

This is the exact phrase I saw when I tried to download the driver from Logitech’s site. So my first thought was, ok, maybe it wasn’t working properly so they’d call it “will not work”. I decided to download its driver for XP and see if it would install. Following the instructions of the (32.2MB) installer, I needed to restart my computer for it to finish the installation. Sure, will do. After the restart, hmm, Windows still couldn’t find the drivers it wanted; ok, maybe Logitech is right, this is not working on Vista.

My laptop is running Windows XP so I didn’t really bother trying to get the webcam working on Vista. The (32.2MB) file just sat there doing nothing. I later installed WinRAR because I wanted to open some supposedly lame video a friend sent me. Guess what: now that I have WinRAR installed, I can right-click on the driver installer (qc848enu.exe) and choose to extract it to a folder. I don’t need a stupid little icon on my taskbar just to make sure I am aware that a webcam is installed anyway.

Now that I have WinRAR installed (I really didn’t want to install it, actually) and the files extracted, I can try installing the drivers manually. Windows Vista has more steps than XP to get to the browse-for-your-driver page. Once I am there, I point the wizard to look under the Drivers folder within the extracted files of the installer (qc848enu.exe). Guess what, Vista found all the drivers it needs and this webcam is working now.

Yeah, it should, right? You can pretty much use XP’s (32-bit) driver in Vista (x86) anyway. My FastTrak 376/378 driver is for 2000/XP/2003 and it’s working like it should under Vista. Now it makes me wonder why Logitech says it won’t work?

  • Geek Squad can show the message to an old grandpa or grandma and charge them parts and labor for getting a new webcam.
  • Some newbie who knows where to download drivers sees that message and decides to get a new webcam.
  • It’s technically way too difficult to write a proper installer for this particular webcam.

Maybe, but I think this makes the most sense:

  • Just say it won’t work and don’t even bother updating the installer, so people who can’t install it will have to buy a new webcam. Yeah, go get that $120 Logitech QuickCam Orbit MP; it not only tracks your moves, you also get a Vista driver installer (85MB)!!!

Well, I guess this is how you push forward to “encourage” upgrades, maybe?

Update (5/17): Thanks to Shawn for pointing out that there is now a Vista-ready driver for the camera in question.

All Rights Reserved Copyright © 2008 Design by StyleShout and Clazh