Ken's Weblog

People should not fear their governments; governments should fear their people.

Month: February 2012

  • Setting up iChat Server

    I’ve finally got the iChat portion of my Mac Mini Server up and running. It turned out that some fairly important parts of the process were poorly documented (or not at all), so I decided to write down the process in the hope that someone setting it up in the future will have better luck with their search results than I did.

    Initial DNS Setup

    The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my computers have local IPs (192.168.x.x) and share the same external IP address, which is subject to change at any time. That’s obviously a problem for any kind of server, but fortunately it was solved long ago by dynamic DNS services. These work by giving you a subdomain such as orangeroad.ddnsservice.org, which resolves to your current IP, and automatically updating the DNS record whenever your IP changes. I signed up for an account with FreeDNS, which is supported by my router’s firmware, so it will automatically keep my subdomain on their service updated.

    Next I logged into the administrative interface for the orange-road.com domain, which has been hosted for many years by the excellent Mac-centric hosting service MacHighway. I then created a CNAME record pointing frontier.orange-road.com to the fully qualified domain name from Free DNS. There were some other DNS changes needed later, but to avoid confusion I’ll cover them later, where they fit into the process.

    Finally, when I started up Frontier for the first time I told it that its name was frontier.orange-road.com. The actual server has no knowledge of the Free DNS FQDN. I assigned it a static IP address in my local subnet, and then logged into the router to forward all the ports I’d need (there were quite a few) to that static local IP. With all this done, an outside request for frontier.orange-road.com will (so long as it’s for one of the forwarded ports) end up at the Mac Mini Server.

    Getting a Signed SSL Certificate

    When I set the server’s name, it automatically created a self-signed SSL certificate. In order to avoid potential problems from poorly designed software putting up scary warnings or possibly refusing connections via XMPP, I wanted to get this signed by a certification authority. A few days before I’d read an article which mentioned StartSSL, which issues free certificates.

    On the server side, the software makes it very easy to export a special file called a Certificate Signing Request, and then import the signed certificate once it’s received from the CA. The process of actually getting the certificate signed proved tricky, but thanks to StartSSL’s very helpful Eddy Nigg I was eventually able to manage it. The trick is that when you first go to their web site it seems like you’re requesting a signed certificate, but what you’re really doing is creating an entirely new certificate which identifies you for logging in to their system. Once that’s done, it’s simple to paste the contents of the CSR file exported by the Server app into a form and then download the signed certificate. The trick is to know ahead of time that it’s a two-stage process.

    Setting up SRV Records

    At this point my iChat service was up and running and I could use the XMPP address khagler@frontier.orange-road.com. However, I wanted to make it just khagler@orange-road.com, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I needed to create DNS SRV records to send XMPP traffic for orange-road.com along to frontier.orange-road.com (the actual orange-road.com machine is a web server in Colorado which would just ignore XMPP traffic).

    The system my hosting provider uses to administer the orange-road.com domain, cPanel, doesn’t have a way to create SRV records, so I wasn’t able to do this all myself as I did with the CNAME record earlier. I knew that MacHighway wouldn’t be able to offer any support for this, so I carefully checked and re-checked and then submitted a support request asking them to manually enter the following lines into the record for the orange-road.com domain:

    _xmpp-client._tcp.orange-road.com 14400 IN SRV 0 1 5222 frontier.orange-road.com
    _xmpp-server._tcp.orange-road.com 14400 IN SRV 0 1 5269 frontier.orange-road.com

    Once I got a reply from MacHighway support that the change had been made, I checked with dig and confirmed that everything was working perfectly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impossible for me to move to another dynamic DNS service should the need arise without bugging someone at MacHighway to make another manual change for me.
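    As an added example (not part of the original post), the following Python checks SRV records of the kind shown above before they are handed to a hosting provider: it parses zone-file style lines, flags an IP address used as a target (RFC 2782 requires a hostname), flags a target that lies outside a zone you administer (the dynamic-DNS lock-in the post avoids by pointing at frontier.orange-road.com instead), and reports which host a client would try first by priority. The sample zone below is constructed here and includes two deliberately flawed records alongside the two from the post.

```python
import re
from collections import namedtuple

# Constructed sample: the two records from the post plus two deliberately flawed ones
# (an IP-address target, and a target in a dynamic-DNS zone the operator does not control).
SAMPLE_ZONE = """\
_xmpp-client._tcp.orange-road.com 14400 IN SRV 0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV 0 1 5269 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV 10 1 5269 192.168.1.20
_xmpp-client._tcp.orange-road.com 14400 IN SRV 10 1 5222 orangeroad.ddnsservice.org
"""
XMPP_PORTS = {"_xmpp-client": 5222, "_xmpp-server": 5269}  # RFC 6120 default ports

# owner  ttl  IN  SRV  priority  weight  port  target
SRV_LINE = re.compile(
    r"^(?P<service>_[a-z0-9-]+)\._(?:tcp|udp)\.(?P<domain>\S+?)\.?\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

SrvRecord = namedtuple("SrvRecord", "service domain priority weight port target")

def parse_zone(text: str) -> list[SrvRecord]:
    """Parse zone-file style SRV lines, normalising names to lowercase without trailing dots."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(m["service"], m["domain"].lower(), int(m["prio"]),
                                 int(m["weight"]), int(m["port"]), m["target"].rstrip(".").lower()))
    return records

def check_record(rec: SrvRecord, owned_zones: list[str]) -> list[str]:
    """Return the problems found with one record; an empty list means it passed."""
    problems = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", rec.target):
        problems.append("target is an IP address; RFC 2782 requires a hostname")
    expected = XMPP_PORTS.get(rec.service)
    if expected is not None and rec.port != expected:
        problems.append(f"port {rec.port} differs from the usual {expected} for {rec.service}")
    if not any(rec.target == z or rec.target.endswith("." + z) for z in owned_zones):
        problems.append("target is outside a zone you administer; switching providers needs a zone edit")
    return problems

def preferred_targets(records: list[SrvRecord]) -> dict[str, str]:
    """Per service, the host:port a client tries first: the lowest priority value wins (RFC 2782)."""
    best: dict[str, SrvRecord] = {}
    for r in records:
        if r.service not in best or r.priority < best[r.service].priority:
            best[r.service] = r
    return {svc: f"{r.target}:{r.port}" for svc, r in best.items()}
```

Running check_record over every parsed record with owned_zones=["orange-road.com"] passes the two records from the post and reports the two constructed mistakes.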

    Fixing the Server’s Identity Crisis

    At this point I discovered that as far as the iChat service was concerned it was still frontier.orange-road.com, and it was certainly not going to allow users of orange-road.com to connect! I needed to change the name that the iChat service alone used for itself, without affecting anything else on the server, and this turned out to be the biggest headache of the whole process, mostly due to the general lack of documentation. After a great deal of searching and a few red herrings, I finally came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "orange-road.com" (the iChat service is actually a variation of jabberd2).

    Chat Room DNS Setup

    The last thing I needed to do was create a DNS record for the multi-user chat part of the iChat service. This has its own subdomain, “rooms.” followed by whatever the host name is–in this case, rooms.orange-road.com. To get it working, I created another CNAME record which pointed to that Free DNS FQDN. That completed the setup, and if I ever need to change dynamic DNS services, or if I get a static IP at home, I can make all the necessary changes without having to involve anyone else.

  • If you can’t beat them, extort them

    The three patents Microsoft is hammering the Nook with—and why they may be invalid.

    Microsoft's complaint against Barnes & Noble's Android-based Nook devices has been narrowed down to just three patents, with the US International Trade Commission having to decide whether Nook devices infringe on several patented methods of interacting with and downloading electronic documents. Barnes & Noble is also asking the ITC to declare the patents invalid because they cover obvious and trivial functionality.

    Microsoft’s ITC complaint, which was filed in March 2011 and targets Foxconn and Inventec in addition to Barnes & Noble, cited five patents. One 1994 patent related to “new varieties of child window controls [that] are provided as system resources that application programs may exploit,” and a 1997 patent related to how browsers load and display content in portable computers with limited display areas have since been dropped from the case.

    [Ars Technica]

    Here’s the sentence in the article that explains what this is really all about: “The ruling will be an important one in Microsoft’s quest to extract money from every Android hardware vendor.” In other words, having dismally flopped in their every attempt to develop a mobile device, Microsoft has given up on competition and turned to extorting money from companies that actually can develop useful devices.

  • New Server


    Earlier this week I added this Mac Mini Server, which I named Frontier, to my home network. It’s a bit strange after so many years of working with Macs, and helping to administer Windows and Linux servers, but this is actually my first Mac server!

    I got it primarily as a file server for scanned photos, but I’ve also enabled the iChat Server, which is Apple’s front end for the popular XMPP server jabberd. The idea is that once I’ve got some DNS stuff straightened out I’ll finally have the same address for instant messages that I do for email.

  • Comment spam

    The Akismet plugin, which I use to block comment spam here, has a display of how much comment spam I’ve received. The amount has been going up ever since I turned commenting back on, with the total spam for January being 2,279. That’s more than twice the amount of email spam I received in the same period, despite having had the same email address (widely distributed across multiple websites) for sixteen years. I don’t really see why people would bother generating so much comment spam–I can’t even remember the last time I saw a spam comment get through to somebody’s weblog.

  • Terrorists in the U.S.

    “I just happened to glance over and saw this huge chainsaw ripping down the side of my door.”

    […]

    If the purpose of these raids is to take dangerous people by surprise before they can shoot back at police, how exactly does taking the door down with a chainsaw fit that strategy? [The Agitator]

    As several people pointed out in the comments on that post, there is really nothing more ideally suited to making an armed citizen empty their gun through their front door than some maniac cutting through it with a chainsaw! As tactics to use against an armed drug dealer, I can’t think of anything more incredibly stupid.

    On the other hand, what this sort of thing is very good for is terrorizing a mother and her very young daughter and making sure that they will never make the mistake of thinking they live in anything other than a hideously oppressive police state. That, I think, is the real purpose of these raids–they’ve got nothing to do with policing, and everything to do with state terrorism.

    Sadly, it could have been even worse. They’re not called the Federal Baby Incinerators for nothing.