SIDEBAR
»
S
I
D
E
B
A
R
«
Setting up iChat Server
Feb 11th, 2012 by Ken Hagler

I’ve final­ly got the iChat por­tion of my Mac Mini Serv­er up and run­ning. It turned out that some fair­ly impor­tant parts of the process were poor­ly doc­u­ment­ed (or not at all), so I decid­ed to write down the process in the hope that some­one set­ting it up in the future will have bet­ter luck with their search results than I did.

Initial DNS Setup

The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my com­put­ers have local IPs (192.168.x.x) and share the same exter­nal IP address, which is sub­ject to change at any time. That’s obvi­ous­ly a prob­lem for any kind of serv­er, but for­tu­nate­ly it was solved long ago by dynam­ic DNS ser­vices. These work by giv­ing you a sub­do­main such as orangeroad.ddnsservice.org, which resolves to your cur­rent IP, and auto­mat­i­cal­ly updat­ing the DNS record when­ev­er your IP changes. I signed up for an account with FreeDNS, which is sup­port­ed by my router’s firmware, so it will auto­mat­i­cal­ly keep my sub­do­main on their ser­vice updat­ed.

Next I logged into the admin­is­tra­tive inter­face for the orange-road.com domain, which has been host­ed for many years by the excel­lent Mac-centric host­ing ser­vice MacHigh­way. I then cre­at­ed a CNAME record point­ing frontier.orange-road.com to the ful­ly qual­i­fied domain name from Free DNS. There were some oth­er DNS changes need­ed lat­er, but to avoid con­fu­sion I’ll cov­er them lat­er, where they fit into the process.

Final­ly, when I start­ed up Fron­tier for the first time I told it that its name was frontier.orange-road.com. The actu­al serv­er has no knowl­edge of the Free DNS FQDN. I assigned it a sta­t­ic IP address in my local sub­net, and then logged into the router to for­ward all the ports I’d need (there were quite a few) to that sta­t­ic local IP. With all this done, an out­side request for frontier.orange-road.com will (so long as it’s for one of the for­ward­ed ports) end up at the Mac Mini Serv­er.

Getting a Signed SSL Certificate

When I set the server’s name, it auto­mat­i­cal­ly cre­at­ed a self-signed SSL cer­tifi­cate. In order to avoid poten­tial prob­lems from poor­ly designed soft­ware putting up scary warn­ings or pos­si­bly refus­ing con­nec­tions via XMPP, I want­ed to get this signed by a cer­ti­fi­ca­tion author­i­ty. A few days before I’d read an arti­cle which men­tioned StartSSL, which issues free cer­tifi­cates.

On the serv­er side, the soft­ware makes it very easy to export a spe­cial file called a Cer­tifi­cate Sign­ing Request, and then import the signed cer­tifi­cate once it’s received from the CA. The process of actu­al­ly get­ting cer­tifi­cate signed proved tricky, but thanks to StartSSL’s very help­ful Eddy Nigg I was even­tu­al­ly able to man­age it. The trick is that when you first go to their web site it seems like you’re request­ing a signed cer­tifi­cate, but what you’re real­ly doing is cre­at­ing an entire­ly new cer­tifi­cate which iden­ti­fies you for log­ging in to their sys­tem. Once that’s done, it’s sim­ple to paste the con­tents of the CSR file export­ed by the Serv­er app into a form and then down­load the signed cer­tifi­cate. The trick is to know ahead of time that it’s a two-stage process.

Setting up SRV Records

At this point my iChat ser­vice was up and run­ning and I could use the XMPP address khagler@frontier.orange-road.com. How­ev­er, I want­ed to make it just khagler@orange-road.com, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I need­ed to cre­ate DNS SRV records to send XMPP traf­fic for orange-road.com along to frontier.orange-road.com (the actu­al orange-road.com machine is a web serv­er in Col­orado which would just ignore XMPP traf­fic).

The sys­tem my host­ing provider uses to admin­is­ter the orange-road.com domain, cPan­el, doesn’t have a way to cre­ate SRV records so I wasn’t able to do this all myself as I did with the CNAME record ear­li­er. I new that MacHigh­way wouldn’t be able to offer any sup­port for this, so I care­ful­ly checked and re-checked and then sub­mit­ted a sup­port request ask­ing them to man­u­al­ly enter the fol­low­ing lines into the record for the orange-road.com domain:

_xmpp-client._tcp.orange-road.com 14400 IN SRV	0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV	0 1 5269 frontier.orange-road.com

Once I got a reply from MacHigh­way sup­port that the change had been made, I checked with dig and con­firmed that every­thing was work­ing per­fect­ly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impos­si­ble for me to move to anoth­er dynam­ic DNS ser­vice should the need arise with­out bug­ging some­one at MacHigh­way to make anoth­er man­u­al change for me.

Fixing the Server’s Identity Crisis

At this point I dis­cov­ered that as far as the iChat ser­vice was con­cerned it was still frontier.orange-road.com, and it was cer­tain­ly not going to allow users of orange-road.com to con­nect! I need­ed to change the name that just the iChat ser­vice had for itself, with­out affect­ing any­thing else on the serv­er, and this turned out to be the biggest headache of the whole process, most­ly due to the gen­er­al lack of doc­u­men­ta­tion. After a great deal of search­ing and a few red her­rings, I final­ly came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "orange-road.com" (the iChat ser­vice is actu­al­ly a vari­a­tion of jabbered2).

Chat Room DNS Setup

The last thing I need­ed to do was cre­ate a DNS record for the multi-user chat part of the iChat ser­vice. This has its own sub­do­main, “rooms.” fol­lowed by what­ev­er the host name is–in this case, rooms.orange-road.com. To get it work­ing, I cre­at­ed anoth­er CNAME record which point­ed to that Free DNS FQDN. That com­plet­ed the set­up, and if I ever need to change dynam­ic DNS ser­vices, or if I get a sta­t­ic IP at home, I can make all the nec­es­sary changes with­out have to involve any­one else.

If you can’t beat them, extort them
Feb 7th, 2012 by Ken Hagler

The three patents Microsoft is ham­mer­ing the Nook with—and why they may be invalid.

Microsoft’s com­plaint against Barnes & Noble’s Android-based Nook devices has been nar­rowed down to just three patents, with the US Inter­na­tion­al Trade Com­mis­sion hav­ing to decide whether Nook devices infringe on sev­er­al patent­ed meth­ods of inter­act­ing with and down­load­ing elec­tron­ic doc­u­ments. Barnes & Noble is also ask­ing the ITC to declare the patents invalid because they cov­er obvi­ous and triv­ial func­tion­al­i­ty.

Microsoft’s ITC com­plaint, which was filed in March 2011 and tar­gets Fox­conn and Inven­tec in addi­tion to Barnes & Noble, cit­ed five patents. One 1994 patent relat­ed to “new vari­eties of child win­dow con­trols [that] are pro­vid­ed as sys­tem resources that appli­ca­tion pro­grams may exploit,” and a 1997 patent relat­ed to how browsers load and dis­play con­tent in portable com­put­ers with lim­it­ed dis­play areas have since been dropped from the case. 

[Ars Tech­ni­ca]

Here’s the sen­tence in the arti­cle that explains what this is real­ly all about: “The rul­ing will be an impor­tant one in Microsoft’s quest to extract mon­ey from every Android hard­ware ven­dor.” In oth­er words, hav­ing dis­mal­ly flopped in their every attempt to devel­op a mobile device, Microsoft has giv­en up on com­pe­ti­tion and turned to extort­ing mon­ey from com­pa­nies that actu­al­ly can devel­op use­ful devices.

New Server
Feb 2nd, 2012 by Ken Hagler

20120202-130242.jpg

Ear­li­er this week I added this Mac Mini Serv­er, which I named Fron­tier, to my home net­work. It’s a bit strange after so many years of work­ing with Macs, and help­ing to admin­is­ter Win­dows and Lin­ux servers, but this is actu­al­ly my first Mac serv­er!

I got it pri­mar­i­ly as a file serv­er for scanned pho­tos, but I’ve also enabled the iChat Serv­er, which is Apple’s front end for the pop­u­lar XMPP serv­er jab­berd. The idea is that once I’ve got some DNS stuff straight­ened out I’ll final­ly have the same address for instant mes­sages that I do for email.

Comment spam
Feb 2nd, 2012 by Ken Hagler

The Akismet plu­g­in, which I use to block com­ment spam here, has a dis­play of how much com­ment spam I’ve received. The amount has been going up ever since I turned com­ment­ing back on, with the total spam for Jan­u­ary being 2,279. That’s more than twice the amount of email spam I received in the same peri­od, despite have had the same email address (wide­ly dis­trib­uted across mul­ti­ple web­sites) for six­teen years. I don’t real­ly see why peo­ple would both­er gen­er­at­ing so much com­ment spam–I can’t even remem­ber the last time I saw a spam com­ment get through to somebody’s weblog.

Terrorists in the U.S.
Feb 1st, 2012 by Ken Hagler

I just hap­pened to glance over and saw this huge chain­saw rip­ping down the side of my door.”. “I just hap­pened to glance over and saw this huge chain­saw rip­ping down the side of my door.” 

[…]

If the pur­pose of these raids is to take dan­ger­ous peo­ple by sur­prise before they can shoot back at police, how exact­ly does tak­ing the door down with a chain­saw fit that strat­e­gy? [The Agi­ta­tor]

As sev­er­al peo­ple point­ed out in the com­ments on that post, there is real­ly noth­ing more ide­al­ly suit­ed to mak­ing an armed cit­i­zen emp­ty their gun through their front door than some mani­ac cut­ting through it with a chain­saw! As tac­tics to use against an armed drug deal­er, I can’t think of any­thing more incred­i­bly stu­pid.

On the oth­er hand, what this sort of thing is very good for is ter­ror­iz­ing a moth­er and her very young daugh­ter and mak­ing sure that they will nev­er make the mis­take of think­ing they live in any­thing oth­er than a hideous­ly oppres­sive police state. That, I think, is the real pur­pose of these raids–they’ve got noth­ing to do with polic­ing, and every­thing to do with state ter­ror­ism.

Sad­ly, it could have been even worse. They’re not called the Fed­er­al Baby Incin­er­a­tors for noth­ing.

»  Substance:WordPress   »  Style:Ahren Ahimsa
© Ken Hagler. All rights reserved.