Forum Replies Created

Viewing 15 posts - 1 through 15 (of 31 total)
    in reply to: URGENT – TCP Sequencing vulnerabilities #370425
    Camelot
    Participant

    Even though Mac OS X is not listed as a vulnerable OS (Mac OS is, but Mac OS X is not), you can still tune your system to deal with TCP sequencing problems as well as other performance and security enhancements by implementing rfc1948 support.

    http://www.faqs.org/rfcs/rfc1948.html

    To enable this on Mac OS X, just:

    [code]sysctl -w net.inet.tcp.strict_rfc1948=1[/code]

    or add the setting to /etc/sysctl.conf.
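The scheme the RFC describes, as an added illustration that is not part of the original post: a global ISN counter hands every connection opened at the same instant the same sequence number, while RFC 1948 adds a per-connection offset keyed by a secret. Addresses, ports, timestamps and the secret below are all constructed; SHA-256 stands in for the MD5 the RFC suggests as the hash primitive.

```python
"""RFC 1948 style initial sequence number (ISN) generation.

The pre-1948 scheme derived every connection's ISN from one global clock,
so an observer who read the ISN on their own connection knew roughly what
a different connection opened at the same time would receive.  RFC 1948
keeps the clock but adds a per-connection offset that depends on a secret:

    ISN = M + F(localhost, localport, remotehost, remoteport, secret)

Two connections opened at the same instant therefore receive ISNs that
differ by an amount nobody without the secret can compute, while a single
connection's ISN still advances with the clock as RFC 793 requires.
"""
import hashlib
import os
import struct
import time

SEQ_MODULUS = 1 << 32


def rfc793_clock(now_seconds):
    """M: the RFC 793 counter, incremented every 4 microseconds, mod 2^32."""
    return int(now_seconds * 250_000) % SEQ_MODULUS


def connection_offset(secret, local_host, local_port, remote_host, remote_port):
    """F: keyed hash of the connection 4-tuple, truncated to 32 bits.

    RFC 1948 suggests MD5; SHA-256 is used here purely as the hash
    primitive.  The secret must be unpredictable and is drawn once at boot.
    """
    h = hashlib.sha256()
    h.update(secret)
    h.update(f"{local_host}|{local_port}|{remote_host}|{remote_port}".encode())
    return struct.unpack(">I", h.digest()[:4])[0]


def legacy_isn(now_seconds):
    """Global-counter scheme: every connection opened at the same instant
    gets the same ISN, which is the weakness the RFC addresses."""
    return rfc793_clock(now_seconds)


def rfc1948_isn(secret, local_host, local_port, remote_host, remote_port, now_seconds=None):
    """ISN = M + F(...), mod 2^32."""
    if now_seconds is None:
        now_seconds = time.time()
    m = rfc793_clock(now_seconds)
    f = connection_offset(secret, local_host, local_port, remote_host, remote_port)
    return (m + f) % SEQ_MODULUS


def isn_difference(isn_a, isn_b):
    """(a - b) mod 2^32: how far connection a's ISN is from connection b's."""
    return (isn_a - isn_b) % SEQ_MODULUS


if __name__ == "__main__":
    secret = os.urandom(16)  # constructed here; a real stack draws this at boot
    t = 1_700_000_000.0      # constructed timestamp
    # Constructed endpoints: a mail server talking to two different clients.
    conn_a = ("192.0.2.10", 25, "198.51.100.7", 40001)
    conn_b = ("192.0.2.10", 25, "203.0.113.99", 51234)
    print("legacy, same instant:  ", isn_difference(legacy_isn(t), legacy_isn(t)))
    a = rfc1948_isn(secret, *conn_a, now_seconds=t)
    b = rfc1948_isn(secret, *conn_b, now_seconds=t)
    print("rfc1948, same instant: ", isn_difference(a, b))
    a_later = rfc1948_isn(secret, *conn_a, now_seconds=t + 1.0)
    print("rfc1948, 1 s later:    ", isn_difference(a_later, a))
```

The last line shows the clock component still advancing by 250,000 per second for a given 4-tuple, so the change is invisible to well-behaved peers; only the cross-connection relationship is destroyed.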

    in reply to: quickly enable/ disable web access #370424
    Camelot
    Participant

    What you don’t say is how you identify your machine from everyone else’s.

    Either way there are several approaches. The most obvious would be to use the firewall to block port 80 access from any machine other than yours.

    Another approach would be to use a proxy server, where the proxy server can have accounts with different privilege levels allowing you to set one set of rules for staff (e.g. any site, any time), and a different set of rules for students (limited set of sites, only certain hours, etc.)

    More information about your network is needed, though, in order to advise further.

    Camelot
    Participant

    What does the web server log have to say about it?

    /var/log/httpd/error_log

    in reply to: 10.3.9 Mail – Hot Copy Backup Via Rsync Advisable? #370244
    Camelot
    Participant

    The question isn’t really one of backing up, it’s one of restoration.

    If you backup any file that’s in use, the copy will be in, at best, an unknown state. This might mean it works fine. It might need some tweaking to get to work, or it may be completely unusable. There’s no way of predicting which way you’ll fall.

    Now, that said, you have to consider several other factors.

    One is the mail activity during the backup window – how many incoming mails are there and, more importantly, how many mailboxes are likely to be changing right as the backup [i]on that file[/i] is taking place?
    Chances are, it’s not that many.

    So for a start, if we assume that there’s an equal 1/3 chance of the ‘fine/needs help/dead’ options for any file, multiplied by the chance that the mailbox is open as the backup kicks in. That number is hard to predict, but let’s say it’s 0.1% which seems reasonable to me (each file should backup pretty quickly and there’s only a problem if it’s backing up [i]right as[/i] a new message comes in).

    That means that there’s a 0.066% of a message in the backup having [i]some[/i] kind of problem, and only a 0.033% chance of it being dead.

    Now, multiply that by the number of backups you actually need to restore from… remember, it doesn’t matter how many backup copies are dead if you never need to restore from them. The backups could all be dead for what difference it makes.
    So, how many of those backup files have you needed to restore? 1 in 1,000? 1 in 10,000?

    So now you’re talking of a 0.00033% chance that a backed up mailbox is unusable. Seems like pretty long odds to me.

    Now, in addition to that you need to factor in how much business is lost/impacted by these rogue emails that get lost compared to how much you’d lose if you lost an individual user’s mailbox.
    For example, if your users are using POP, AND they were sent mails after they left work, AND the mail server crashed AND that user’s mailbox was unrecoverable from backup, what’s the business impact for that user losing any mail from 5pm (or whenever they went home) until the server crashed?

    Of course, you may need to adjust those numbers – you may have a very significant amount of mail coming in during that 45 minute window, you may restore from backup more often than most, and every email may be critical, but the theory is sound – it’s a balance of risk analysis and cost analysis.

    in reply to: Restricting Web Access on A Network: Proxy Server? #370243
    Camelot
    Participant

    There are many ways of doing this, but if you’re looking for the type of solution used by many pay-for-use hotspots you might want to look at one of the commercial solutions – there are many issues around the setup and administration (not least of which is tracking which users are paid and which are not).

    If this is just for your internal use, though, the easiest solution is a proxy server. [url=http://www.squid-cache.org/]Squid[/url] is probably one of the better-known, and more full-featured ones.

    The issue with a proxy, though, is getting the clients to use it – most systems need configuring to use a proxy server. There are some semi-automated approaches such as PAC files and DHCP options that will push out a proxy server configuration, but their support is by no means universal.

    in reply to: Split DNS #370242
    Camelot
    Participant

    [QUOTE][u]Quote by: mtspecial[/u][p]How would you do the redirect?

    Getting our ISP to change anything takes an act of congress.[/p][/QUOTE]

    Maybe it’s time to find another ISP… 🙂
    Or, at least, take over your own DNS serving.

    Anyway, a redirect won’t help unless there is some other external path to the Windows server – you can’t redirect to ‘store.company.com’, for example, since that’s what the user already entered to get to the Mac server in the first place.

    The solutions are that you either:

    a) redirect to some other hostname that points to the Windows server – which may invoke the wrath of the ISP if you need them to change DNS, too.
    b) proxy the connection so that the traffic goes user -> Mac -> Windows -> Mac -> user

    Option b will be seamless to the user, but is not something that can be done via Server Admin – you’ll need to manually edit your site’s configuration files.
    In addition, I’m assuming you’re using SSL on your store and I’ve never tested proxying with SSL – I’d assume that you set it up on the SSL site, and install the store SSL certificate on the Mac, and proxy the connection via a non-SSL connection to the internal server, but it’s something I can only theorize on.

    in reply to: SSI and virtual sites #370006
    Camelot
    Participant

    Server Side Includes are enabled by uncommenting the includes_module lines in /etc/httpd/httpd.conf:

    [code]LoadModule includes_module /usr/libexec/httpd/mod_include.so
    AddModule mod_include.c[/code]

    However, as a module, includes are server-wide and cannot be controlled at a virtual host level.

    in reply to: Cookie information between service #370005
    Camelot
    Participant

    Cookies include a hostname component that they relate to.

    For security reasons a site in one domain cannot set a cookie in another domain, so if your Rumpus server is in a different domain from your web site, you are out of luck.

    However, if they’re in the same domain, you can set a domain-wide cookie in the web page. This should then be passed through to Rumpus (and, indeed, any other web server in your domain).

    Without knowing more about your network setup it’s impossible to advise more.
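The rule the post relies on, as an added example that is not part of the original post: a browser keeps a cookie only for a domain the setting host is itself inside, and a cookie with a Domain attribute is then sent to every host under that domain, while a cookie without one is host-only. The logic follows RFC 6265 sections 5.1.3, 5.3 and 5.4; the public-suffix check real browsers add is left out, and every hostname and cookie below is constructed.

```python
"""Which hosts a cookie is stored for and sent to (RFC 6265 rules)."""
import ipaddress


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def canonical(name):
    """Lower-case and drop leading/trailing dots (a leading dot in Domain= is ignored)."""
    return name.strip().lower().strip(".")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the domain or ends in '.' + domain,
    and an IP address never domain-matches anything but itself."""
    host, domain = canonical(request_host), canonical(cookie_domain)
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attributes


def store_cookie(setting_host, header):
    """Return the stored cookie as (name, value, domain, host_only), or None
    when the browser must ignore the Set-Cookie (RFC 6265 5.3 step 6)."""
    name, value, attrs = parse_set_cookie(header)
    domain_attr = attrs.get("domain", "")
    if not domain_attr:
        return (name, value, canonical(setting_host), True)   # host-only cookie
    if not domain_matches(setting_host, domain_attr):
        return None                                           # foreign domain: rejected
    return (name, value, canonical(domain_attr), False)       # domain-wide cookie


def is_sent_to(cookie, request_host):
    """RFC 6265 5.4 step 1: host-only cookies need an exact host match,
    domain cookies need a domain match."""
    _, _, domain, host_only = cookie
    host = canonical(request_host)
    return host == domain if host_only else domain_matches(host, domain)


if __name__ == "__main__":
    # Constructed hosts: the web site and a Rumpus server in the same domain.
    web, rumpus = "www.example.com", "rumpus.example.com"
    shared = store_cookie(web, "session=abc123; Domain=example.com; Path=/")
    private = store_cookie(web, "prefs=dark; Path=/")
    foreign = store_cookie(web, "session=abc123; Domain=files.example.net")
    print("domain-wide cookie reaches Rumpus:", is_sent_to(shared, rumpus))
    print("host-only cookie reaches Rumpus:  ", is_sent_to(private, rumpus))
    print("cookie for another domain stored: ", foreign is not None)
```

The same functions answer the post's negative case: a Set-Cookie with Domain=files.example.net sent by www.example.com returns None from store_cookie, which is the browser silently dropping it.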

    in reply to: Xserve or Dual G5 #357048
    Camelot
    Participant

    For simple file storage and administration, both machines are going to have plenty of horsepower, so the many other variables are going to be as/more important.

    Do you need/have racks for the XServe?
    If space is an issue, the rack-optimized nature of the XServe wins.

    How much storage do you need?
    The 4 internal bays on the XServe give you more storage than the two internal bays on the G5, but RAID options can affect this.

    Where is the server going to sit?
    If it’s close to users, the quiet nature of the G5 wins over the XServe. If in a separate server room this doesn’t matter.

    What about A/C?
    The XServes run hot. Make sure there’s adequate ventilation around the XServe.

    As you can see, there is no one right answer to your question.

    Camelot
    Participant

    [quote][localhost:~]% cat /etc/shells
    # List of acceptable shells for chpass(1).
    [b]# Ftpd will not allow users to connect who are not using
    # one of these shells.[/b]

    /bin/bash
    /bin/csh
    /bin/sh
    /bin/tcsh
    /bin/zsh
    [/quote]

    kinda says it all, no?

    in reply to: Server admin tools port numbers? #356900
    Camelot
    Participant

    Which server admin apps? Each one uses a different port.

    Server Settings, for example, uses 660:

    [code]#grep MacOS /etc/services
    mac-srvr-admin 660/udp # MacOS Server Admin
    mac-srvr-admin 660/tcp # MacOS Server Admin[/code]

    Other tools, including Server Status and Workgroup Manager, use 311 (asip-webadmin).

    BTW, in this scenario, tcpdump is your friend. You can tcpdump your interface and see what ports the various apps are trying to connect to.

    in reply to: mail.log dead #356845
    Camelot
    Participant

    Sheesh, Bob. Chill out.

    You’ve posted multiple negative comments about the lack of response on this board – within about 5 minutes of posting your question.

    Man, what do you expect? There are some very talented people here, but most people don’t spend their lives hitting reload so they can see the next question milliseconds after it comes in.

    Now, as to your specific problem, mail logs are handled by syslog.

    /etc/syslog.conf should have a line like:

    [b]mail.* /var/log/mail.log[/b]

    which tells syslog to log all mail messages in /var/log/mail.log.

    Now, according to [i]man syslog.conf[/i]:

    [quote] o A filename, beginning with a leading slash, which
    indicates that messages specified by the selector are
    to be written to the specified file. The file will be
    opened in append mode if it exists. If the file does
    not exist, logging will silently fail for this action.
    [/quote]

    So if the file does not exist, the logs are never updated.

    On that basis your solution is simple – create a log file that syslog can write to.

    The following command should take care of it for you:

    [b]sudo touch /var/log/mail.log[/b]
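A check for the failure mode described in this post, as an added example that is not part of the original post: parse syslog.conf, work out which actions a facility feeds, and list the file actions whose target is missing, since the man page quoted above says those are skipped silently. The configuration text is constructed to resemble the Mac OS X 10.3 layout and is not copied from any real machine; the `exists` callback is injectable so the check can be run against sample data.

```python
"""Find syslog.conf file actions whose target file does not exist."""
import os

SAMPLE_SYSLOG_CONF = """\
# Constructed sample resembling the Mac OS X 10.3 layout
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit\t/dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit\t/var/log/system.log
mail.*\t\t\t\t\t\t/var/log/mail.log
*.emerg\t\t\t\t\t\t*
"""


def parse_syslog_conf(text):
    """Return (selector, action) pairs; comments and blank lines are skipped.
    Selector and action are separated by whitespace (tabs, traditionally)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def selector_covers(selector, facility):
    """Decide whether a selector such as 'mail.*' or '*.notice;mail.none'
    includes messages from `facility`.  Specs are applied left to right, so
    a later 'facility.none' overrides an earlier '*.level'."""
    covered = False
    for spec in selector.split(";"):
        facilities, sep, level = spec.rpartition(".")
        if not sep:
            continue
        names = facilities.split(",")
        if facility in names or "*" in names:
            covered = level != "none"
    return covered


def actions_for_facility(entries, facility):
    """Every action (file, '*' for all users, '@host', ...) that facility feeds."""
    return [action for selector, action in entries if selector_covers(selector, facility)]


def missing_log_files(entries, exists=os.path.exists):
    """File actions (leading '/') whose target is absent.  syslogd will not
    create them, so anything selected for them is dropped without an error."""
    return [(s, a) for s, a in entries if a.startswith("/") and not exists(a)]


if __name__ == "__main__":
    entries = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    print("mail.* is delivered to:", actions_for_facility(entries, "mail"))
    for selector, path in missing_log_files(entries):
        print(f"{path} does not exist; '{selector}' messages are being dropped."
              f"  Fix: sudo touch {path}")
```

Run against the real /etc/syslog.conf (read the file instead of the sample and keep the default `exists`), the loop prints exactly the files a `sudo touch` needs to create.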

    in reply to: name based virtual domains #356811
    Camelot
    Participant

    [quote="mischa"]a – ip:port -> you hit the first site in the config-file, never any other site configured to the same port.
    b – name.with.dyn.dns:port – it goes to site named in config, name.with.dyn.dns
    [/quote]

    This is exactly what I’d expect.

    In option a) you’re hitting an IP address and port. There *is* no server name, so how can Apache know which virtual host you’re trying to hit? It can’t, therefore it serves the default site.

    In setup b) where you’re hitting the site by specifying the name, Apache can use that name to determine which virtual host you’re trying to hit and can therefore support multiple sites.

    To explain it a bit further, option a is like connecting to the server and saying “give me a page”. Option b is like connecting to the server and saying “give me a page for http://www.yourdomain.com”. There’s nothing in the first option that gives Apache any information about what site you’re trying to get.

    in reply to: Setting up Websites at multiple domains on one server #356810
    Camelot
    Participant

    [quote="MacTroll"]I’m not quite sure what you’ve run into with the GUI…[/quote]

    Maybe my needs are somewhat different from a ‘typical’ Mac OS X Server user, Troll.

    As a background, I run large (some, very large) web sites on a farm of servers sitting behind a load balancer. Each machine has a private class address, not real-world address (the load balancer takes care of all IP address issues).

    Currently my production servers are all Solaris/SPARCs but we’re evaluating Mac OS X Server.

    The first issue I run into is that I currently run port-based virtual hosts. There is zero support in the GUI for port-based virtual hosts, only name-based.

    If I want to use the GUI and use name-based virtual hosts, the GUI tool will *only* let you setup a virtual host for, say, http://www.domain.com if the reverse DNS for http://www.domain.com resolves to the IP address of this machine.
    That might be OK if I’m running on one machine that’s not NAT’d, but, guess what? Since I’m behind the load balancer, it doesn’t.

    So now I have to futz with hosts files on each machine (no, I can’t use split DNS or NetInfo because, as far as my network is concerned, http://www.domain.com *is* 192.168.1.1, 192.168.1.2 and 192.168.1.3 at the same time. The GUI can’t deal with that. bzzzzt.)

    The actual intent of name-based virtual hosts as far as Apache is concerned is to match the HOST: header in the HTTP request to one of the virtual hosts. There’s nothing in the Apache docs that say the hostname has to match the machine’s IP, so Apple are wrong in requiring that.

    It’s not a huge problem for me. Coming from Solaris I’m used to manually editing httpd.conf, so that’s OK. I’m sure the GUI is OK for low-end/simple configs. Mine isn’t, and it highlights flaws in the GUI app that IMHO shouldn’t be there for anyone.
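The selection behaviour described in the two posts above (the IP-versus-name cases in the reply to mischa, and the Host: header matching in the reply to MacTroll), as an added model that is not part of either post and not Apache's code: virtual hosts are bound to an address:port, the Host header is compared with ServerName and ServerAlias purely as strings with no DNS lookup, a request by bare IP matches nothing and falls through to the first vhost on that address:port, and a different port is simply a different address:port. The hosts, addresses and document roots are constructed.

```python
"""How name-based (and port-based) virtual hosting picks a site."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualHost:
    listen: str                 # "*:80" or "192.168.1.1:8080", as in <VirtualHost ...>
    server_name: str            # ServerName
    aliases: tuple = ()         # ServerAlias entries
    document_root: str = ""     # DocumentRoot


# Constructed configuration: two name-based sites on port 80 and a port-based
# site on 8080, all on "*" so the same httpd.conf works on every server
# behind a load balancer regardless of its private address.
VHOSTS = (
    VirtualHost("*:80", "www.example.com", ("example.com",), "/Library/WebServer/example.com"),
    VirtualHost("*:80", "www.example.org", (), "/Library/WebServer/example.org"),
    VirtualHost("*:8080", "intranet.example.com", (), "/Library/WebServer/intranet"),
)


def listen_matches(listen, local_ip, local_port):
    """Does a <VirtualHost addr:port> apply to a request on local_ip:local_port?"""
    addr, _, port = listen.rpartition(":")
    return addr in ("*", "_default_", local_ip) and int(port) == local_port


def parse_host_header(value, default_port):
    """Return (hostname, port) from a Host header; None stands for an
    HTTP/1.0 request that carries no Host header at all."""
    if value is None:
        return None, default_port
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), default_port


def select_vhost(vhosts, local_ip, local_port, host_header):
    """Pick the vhost for a request, or None if nothing listens there."""
    candidates = [v for v in vhosts if listen_matches(v.listen, local_ip, local_port)]
    if not candidates:
        return None
    name, _ = parse_host_header(host_header, local_port)
    for vhost in candidates:
        names = (vhost.server_name,) + tuple(vhost.aliases)
        if name is not None and name in (n.lower() for n in names):
            return vhost
    # No name matched (bare IP, unknown name, or no Host header): the first
    # vhost for this address:port is the default site.
    return candidates[0]


if __name__ == "__main__":
    cases = [
        ("192.168.1.1", 80, "www.example.org"),      # name-based: second site
        ("192.168.1.2", 80, "Example.COM:80"),       # alias, other balancer member
        ("192.168.1.1", 80, "192.168.1.1"),          # bare IP: default site
        ("192.168.1.1", 80, None),                   # HTTP/1.0: default site
        ("192.168.1.3", 8080, "192.168.1.3:8080"),   # port-based: no name needed
    ]
    for ip, port, host in cases:
        chosen = select_vhost(VHOSTS, ip, port, host)
        print(f"{ip}:{port} Host={host!r:28} -> {chosen.server_name}")
```

Nothing in select_vhost checks that the Host name resolves to the local address, which is the point of the MacTroll reply: the name only has to be a string Apache has been told about, so three balancer members with private addresses can all answer for the same names.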

    in reply to: Problem with Wildcard Domain #356794
    Camelot
    Participant

    IIRC you can’t set up wildcard domains using the GUI tool. You need to set it manually by editing your httpd.conf.

    http://localhost/manual/vhosts/index.html
