Webtatic.com

Just another technical blog

Get an “A” in YSlow with Webtatic Optimizer

Posted 9th August 2009 by Andy | 3 Comments

The performance of a website is an important issue. Even fast-responding dynamic pages can suffer from sub-optimal static content, such as the overhead of many HTTP requests and large JavaScript/CSS files. Tools like YSlow and Google Page Speed help identify these problem areas.

Webtatic Optimizer is a tool that can be used to improve these areas, and can help get an almost perfect score.

PHP public key cryptography using OpenSSL

Posted 5th July 2009 by Andy | 6 Comments

Recently I have been handling the security of some sensitive data. I had originally been encrypting/decrypting data with a symmetric-key system using mcrypt for PHP. This was due to the web frontend and the backend existing on the same server. However for security purposes I am now separating the frontend and backend onto different servers, so that there is no way the web accessible frontend, whether compromised or not, can get at the data it inserts into the database.

In order to do this, an asymmetric-key system is needed, such as public-key cryptography. Googling for examples of this in PHP, there don't seem to be any results other than the PHP OpenSSL extension documentation, and systems that try to reinvent the wheel with their own implementations.

Using the PHP OpenSSL extension it is fairly easy to set up a secure system for encrypting data with one key that can only be decrypted with another.
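The split described above, as an added example that is not the post's own code: the frontend server holds only the public key and can encrypt records before inserting them, while the backend holds the private key and is the only place they can be decrypted. It uses the PHP OpenSSL extension functions the post refers to; the key size, the OAEP padding choice and the sample record are assumptions of this example.

```php
<?php
// Added example (not the blog post's code): public-key encryption with the PHP
// OpenSSL extension. The frontend only ever sees the public key, so a
// compromised frontend can encrypt new data but cannot read what it stored.

// Key generation, done once on the backend. The private key PEM must never be
// copied to the web-accessible frontend server. (2048-bit RSA is an assumption.)
function generateKeyPair(): array {
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $privatePem);             // PEM-encoded private key
    $publicPem = openssl_pkey_get_details($key)['key'];  // PEM-encoded public key
    return [$publicPem, $privatePem];
}

// Frontend side: encrypt with the public key only. OAEP padding is chosen here
// instead of the PKCS#1 v1.5 default.
function encryptForBackend(string $plaintext, string $publicPem): string {
    $ok = openssl_public_encrypt($plaintext, $ciphertext, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($ciphertext); // safe to store in a text column
}

// Backend side: decrypt with the private key, using the same padding mode.
function decryptOnBackend(string $encoded, string $privatePem): string {
    $ciphertext = base64_decode($encoded, true);
    if ($ciphertext === false) {
        throw new RuntimeException('stored value is not valid base64');
    }
    $ok = openssl_private_decrypt($ciphertext, $plaintext, $privatePem, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Constructed sample record, round-tripped through both halves.
[$publicPem, $privatePem] = generateKeyPair();
$stored = encryptForBackend('sample record (constructed)', $publicPem);
var_dump(decryptOnBackend($stored, $privatePem) === 'sample record (constructed)');
```

RSA can only encrypt a message shorter than the key (about 214 bytes for a 2048-bit key with OAEP). For larger records the usual pattern is hybrid encryption: generate a random symmetric key per record, encrypt the record with it, and encrypt only that key with the public key; the extension's openssl_seal() and openssl_open() implement exactly this pairing.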

Posted in category: Security, Web Development

PHP 5.3 on CentOS 5

Posted 20th June 2009 by Andy | 168 Comments

My previous articles on installing PHP on CentOS dealt with installing PHP 5.2.6. I have found this to have some bugs that kill the process without error information. One bug I found, which was on an x86_64 server, was that converting an object to a string did this.

So, I have compiled the latest PHP version, 5.3.3 (this article originally covered 5.2.10, then 5.3.0), and put it in my own repository for easy installation. I have compiled it for CentOS 5 i386 and x86_64, and provided the source RPMS in the repo, if anyone wants to compile it for another OS or architecture.

Update 2009-07-03 – I updated the version to PHP 5.3, which was released a few days before. This includes many new features such as closures, namespaces, and packaged scripts in phar files, which I’ll blog about soon. Check out the PHP changelog for more details.
Update 2009-09-01 – Added a note about deprecated errors, and how to silence them. Also I have included a tip that might help those of you struggling to install.
Update 2010-03-03 – I’ve added both apc 3.1.3p1 beta (php-pecl-apc in yum) and eAccelerator 0.9.6 (php-eaccelerator in yum) RPMs to the repository; they are compiled for (and work on) php 5.3.x.


Posted in category: Server Admin, Software

mod_auth_mysql digest authentication patch

Posted 31st May 2009 by Andy | 2 Comments

Recently, I wrote a mod_perl module for using a database backend for basic and digest authentication in Apache, however I found it to be much slower than mod_auth_mysql. This would be due to using mod_perl and DBI. So I have written a patch for mod_auth_mysql which performs the same, which means it’s as fast.

The main reason why I chose to do this rather than use Webtatic::AuthDBI is because subversion checkouts were taking twice as long. A mod_perl authentication provider, even without performing authentication (just returning OK for any login details), seems to take as long as the whole of mod_auth_mysql without even establishing a mysql connection.

This patch seems to perform just as well as mod_auth_mysql.

Check it out here: /projects/mod_auth_mysql-auth/

Secure digest HTTP authentication using Webtatic::AuthDBI

Posted 24th May 2009 by Andy | No Comments

The HTTP protocol gives a standardised way to provide authentication. This is supported via two modes:
Basic – transmits the username and password in a reversible base-64 encoding
Digest – transmits a complex MD5 hash of the username, realm, password, a server-generated nonce, request method and request URI

Basic HTTP authentication suffers from a very easy man-in-the-middle attack, where the attacker can simply base-64 decode the header to get the user’s password. This is preventable by switching to HTTPS, where a man-in-the-middle cannot read the traffic.

Digest HTTP authentication however uses a complex series of MD5 operations on data provided by the server and client. This, depending on the server implementation, can prevent the man-in-the-middle from deciphering the password, and can prevent replay attacks.

Digest HTTP authentication is relatively new, but is supported fully in all the latest browsers. Internet Explorer 6 however does not support the standard correctly, but there is an Apache server workaround to allow it.

I have written a mod_perl module which will provide a database backend to this method, called Webtatic::AuthDBI. It is similar to that of mod_auth_mysql, which only supports Basic auth.

I have published a project page for this at /projects/webtaticauthdbi/. It is free to use, and uses the same licensing terms as Perl. Installation and use instructions are on that page.

In theory, digest authentication will be more secure than cookie sessions, as once the session id is captured by the attacker, the attacker could then use that session themselves. Digest authentication always sends a different authorization header every request, so if the server can prevent replay attacks, the attacker wouldn’t be able to use the header again.
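The server side of the digest scheme described above, as an added example that is not the code of Webtatic::AuthDBI or mod_auth_mysql: it computes the RFC 2617 response from the username, realm, nonce, request method and URI, stores only HA1 (the hash of username:realm:password) rather than the password, and rejects a replayed Authorization header by requiring the client's nonce count to increase for each nonce. PHP is used here only to keep the page in one language; the realm, user, URI and in-memory lookup tables are constructed for the example.

```php
<?php
// Added example (not Webtatic::AuthDBI's code): verifying an HTTP Digest
// Authorization header on the server, with a nonce-count replay check.

// Parse the comma-separated key=value pairs of an "Authorization: Digest ..."
// header. Values may be quoted (realm, nonce, uri, ...) or bare (qop, nc).
function parseDigestHeader(string $header): array {
    $fields = [];
    if (preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $fields[$match[1]] = $match[2] !== '' ? $match[2] : ($match[3] ?? '');
        }
    }
    return $fields;
}

// HA1 is what a digest-capable database backend stores instead of the password.
function computeHA1(string $user, string $realm, string $password): string {
    return md5("$user:$realm:$password");
}

// Expected response per RFC 2617 (with qop) or the older RFC 2069 form (no qop).
function expectedResponse(string $ha1, string $method, array $f): string {
    $ha2 = md5("$method:{$f['uri']}");
    if (isset($f['qop'])) {
        return md5("$ha1:{$f['nonce']}:{$f['nc']}:{$f['cnonce']}:{$f['qop']}:$ha2");
    }
    return md5("$ha1:{$f['nonce']}:$ha2");
}

// $ha1Lookup maps username -> stored HA1 (a constructed stand-in for the
// database). $seen holds the highest nonce count accepted per nonce; the same
// (nonce, nc) pair is never accepted twice, so a captured header cannot be reused.
function verifyDigest(string $method, string $header, array $ha1Lookup, array &$seen, string $realm): bool {
    $f = parseDigestHeader($header);
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $k) {
        if (!isset($f[$k])) return false;
    }
    if ($f['realm'] !== $realm || !isset($ha1Lookup[$f['username']])) return false;
    $expected = expectedResponse($ha1Lookup[$f['username']], $method, $f);
    if (!hash_equals($expected, $f['response'])) return false; // constant-time compare
    if (isset($f['qop'])) {
        if (!isset($f['nc'], $f['cnonce'])) return false;
        $nc = hexdec($f['nc']);
        $last = $seen[$f['nonce']] ?? 0;
        if ($nc <= $last) return false;   // replayed or out-of-order nonce count
        $seen[$f['nonce']] = $nc;
    }
    return true;
}

// Constructed demo: the client builds the header the way a browser would.
$realm = 'webtatic';
$users = ['andy' => computeHA1('andy', $realm, 'constructed-password')];
$nonce = bin2hex(random_bytes(16));   // server-generated, sent in WWW-Authenticate
$cnonce = bin2hex(random_bytes(8));   // client-generated
$f = ['username' => 'andy', 'realm' => $realm, 'nonce' => $nonce, 'uri' => '/projects/',
      'qop' => 'auth', 'nc' => '00000001', 'cnonce' => $cnonce];
$f['response'] = expectedResponse($users['andy'], 'GET', $f);
$header = 'Digest ' . implode(', ', array_map(fn($k, $v) => "$k=\"$v\"", array_keys($f), $f));

$seen = [];
$first = verifyDigest('GET', $header, $users, $seen, $realm);   // fresh nonce count: accepted
$replay = verifyDigest('GET', $header, $users, $seen, $realm);  // identical header again: rejected
var_dump($first, $replay);
```

A real server would also expire nonces after a short window and keep the per-nonce count somewhere shared between worker processes, otherwise the replay check only holds within one process. The protocol mandates MD5, so an eavesdropper still captures a hash that can be attacked offline with guessed passwords; the scheme protects the password from being read directly, not from a dictionary attack, which is why HTTPS remains worthwhile even with Digest.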

Posted in category: Server Admin, Software

Installing PHP 5.2.6 on CentOS 5 – extra extensions

Posted 19th May 2009 by Andy | 7 Comments

Update 20th June 2009 – I found a bug in PHP 5.2.9, so I have compiled 5.2.9 RPMs, including the ones that this article talks about; check out the article here.
Update 23rd May 2009 – It appears dbase, readline, json and filter were included either compiled into php or as a shared module in php-common, so I’ve removed them from the spec.

In using the installation of PHP 5.2.6 on CentOS, I noticed that there were a few modules missing from the repository that are included as part of CentOS’s extras repository. They are nowhere to be found in the testing repository.

I found an easy way to build the RPMs by downloading both the testing php source RPM (SRPM) and the extras php-extras-5.1.6 SRPM, rewriting the php-extras spec file so it incorporated the same patches, and building it as the php-5.2.6 version.

The php-extras include the dbase, readline, mcrypt, mhash, tidy and mssql extensions. In my spec file, I have removed dbase and readline, as they have moved to php-common. I have also included the extensions newly added in php 5.2: json and filter. In future versions of CentOS, these should hopefully be updated in the extras or the base repository.

Posted in category: Server Admin, Software, Web Development