Cygon’s Blog

If your client happens to be Windows XP, you’re bound for some trouble. Of course, for something as important as WebDAV that you’re likely going to use for accessing your entire htdocs folder, a password sent as clear text will not cut it. So the authentication method of choice is digest authentication. Windows XP clients do support htdigest authentication, however, since Windows 2000, someone at Microsoft broke the code, causing Windows to think our WebDAV share actually uses another kind of authentication and to transmit the windows domain part with it.

There have been various recommendations, ranging from adding a # to the end of the WebDAV URL when configuring your windows client up to a special apache authentication module which will cut the windows domain part from the transmitted credentials before handing them over to the WebDAV module. This guide will explain how you can configure your Apache2 server so it works with all clients - unmodified.

The most important thing first: You need SSL. Using an https:// URL makes Windows XP use WebDAV and goes around the authentication problem in its entirety.

In your <VirtualHost /> section for the SSL IP (see [[Configuring multiple domains in Apache2]] why you should have this) we will define two aliases for the WebDAV share:

Alias /webdav/ /var/www/
Alias /webdav /var/www

This avoids another common problem of WebDAV clients, including, but not limited to, Windows XP.

Of course we now need to tell apache that this directory is supposed to be accessed via WebDAV and that the server should require authentication before letting a user fiddle around in our sensitive web roots:

<Location /webdav>
    DAV on

    Options Indexes FollowSymLinks

    <LimitExcept OPTIONS>
        AuthType Digest
        AuthName "webdav"
        AuthDigestFile /var/www/ssl-xy/conf/.htdigest

        Require valid-user
    </LimitExcept>

</Location>

That’s all, folks. No additional modules, no hazzle for the clients, no non-conforming server. Windows XP clients will now be able to access this WebDAV server as will any other WebDAV client.

This article originally appeared in my wiki, but since I’ve got different plans with that site now, I’ve just blogged it because I think it might be useful to some people

Obviously, in the spam business it is economical to to hire an office of typing slaves that surf around websites and try to send you spam where you don’t expect it. Your website contact form for example.

At least this seems to be the case with eBrandz, by their own description a “search engine optimization” company, that was contracted by another indian company whose name I’ll not disclose because it is, as I’m willing to believe, not aware of eBrandz’ questionable business practices.

• The first time, some danny.ebrandz@hotmail.com used my website’s contact form to tell me that he had placed a link to my website on his own site and that I should kindly link back to his site.
  

  Dear Webmaster, My name is [name] and I just wanted to let you know that we have already placed a link to your site on the following webpage: [url of hidden page on advertising client’s site]. Your site details are As Follows: [target site description from google open directory]. Kindly link back to our site with the following details: [description of advertising client’s site].

  The page containing the link to my website was there, but was in no way connected with the website structure of the client. Just a hidden area to make poor webmasters believe there was an actual outgoing link. I friendly replied to the sender’s hotmail account that I wasn’t interested. I got no reply.

• Some days later a bloke whose name I don’t know anymore because I deleted the mail repeated the exact same message, only the name was different. I visited the client’s website, looked up the marketing department’s email and repeated my friendly notice. I got no reply.

• Today, some zavier.ebrandz@hotmail.com pulled the same. Again. Oh, wait, now the message template had been changed:
  

  My name is [name] and I have just gone through your site, and visited many pages. It would be better if we link to each other as reciprocal link place an important role in a search engine ranking algorithm.

  I have already placed a link to your site on the following webpage: [url of hidden page on advertising client’s site]. Your link details are here: [target site description from google open directory]. I humbly request you to link back to us with the following details: [description of advertising client’s site].

I have to admit this is one step up from the usual buy 100 million email adresses and send undecipherable advertising mails to everyone practice. It’s almost like… hm… crime vs. organized crime. Do we have organized spammers now?

On Friday evening, I decided to upgrade this server’s kernel, which had been running for more than 6 months, to the current stable release, 2.6.17-gentoo-r7. Somewhere in this process I decided to build my boot partition from scratch: rm -r /boot/*, reinstall grub, put the kernel image and I’m on my way again.

Or so I thought. For the last 4 days I’ve been messing around with this server’s configuration and only now have I managed to boot the darn thing up again.

I’m sure I would have solved this problem in less than 30 minutes if I were able to see the console output during boot time. The reason I had to work blindly was that this server is not at my location and the provider doesn’t have KVM-over-IP, console forwarding or serial line monitoring.

Why can’t the linux kernel just write stdout into some file somewhere? Even if it would mean to temporarily reuse my swap partition as an ext2 partition to store the log or something. I can only see what happened when the whole ding has mounted the root file system and started the logging daemon, which is pretty much near the end of the boot process.

My latest server update surprised me by suggesting to replace my GCC 3.4.6 with the all-new GCC 4.1.1. Looks like the new GCC is assumed to be stable enough for production usage now.

I tried using -march opteron but some configure scripts began whining that “GCC is not able to create executables” (a quick hello world program worked for me), so I’ll stay with -march athlon-xp for now. It took several hours to recompile my whole system but thanks to gentoo’s portage, I didn’t need to monitor the server during this time at all. Everything went smooth and everything that runs on this server is now compiled by GCC 4.1.1.

With one notable exception: qmail. Instead of including the required header, qmail decided to locally declare the strerror() function in TLS.c. Except that header still got included and since the function signature seems to have changed, this is now an ambiguous reference. So, Ctrl+Ztted out after the ebuild had extracted qmail, commented out the strerror() declaration in TLS.c and resumed with fg.

When I checked by mails a bit later, my inbox had been nailed with countless spam emails. Oh great, simscan wasn’t getting called anymore. The last time this happened I spent a week uninstalling and reinstalling qmail and then attempting to switch to the courier mail server. There’s no way I want to go through that again, so I very carefully examined my system.

Simscan was installed and configured in /etc/tcprules.d/tcp.qmail-smtp. I rebuilt the .cdb file and restarted svscan but simscan still didn’t run. To make a long story short, I still don’t know what went wrong, but I decided to try netqmail. It compiled on GCC 4.1.1 without any problems and after uninstalling and reinstalling simscan, it immediately sprang to work, too. Phew.

Next, authentication failed whenever I wanted to send an email. Turned out that /usr/bin/checkpassword-pam (which I’m using for smtp-auth) had been rebuilt and its rights were wrong again. A quick chmod u+s /usr/bin/checkpassword-pam got everything running again.

I’d like to share a little training experience I’ve had during one of my recent runs. After reading some material about how to move more economical (eg. using less muscle power to generate more effect), I decided to try and improve my own technique. The obvious advantages are tempting enough:

• increase your maximum speed by letting less of your available muscle power go to waste
• run easier, faster or longer during long-distance exercises
• lower the stress on your joints and tendons

Normally, a human’s leg movements are controlled automatically by the motorical center of his brain. If you try to modify your own running technique using conscious effort, you will probably notice that your movements immediately lose efficiency. The effect will get worse the more you concentrate on moving consciously.

Obviously, nature is already quite good at saving power, so how could we possibly improve upon that?

First, instead of using conscious control, we need to tell our brain how we’d like to move and then just let it figure out the best way to do that. Let’s bring some fun into this: During your next jog, imagine being a spec ops guy. Run lower, use a longer stride and try to step as silent as possible. Do this on a longer distance.

For the first few kilometers, you’ll probably need to apply conscious effort to keep this running style up. Then, gradually, your autopilot should kick in and the movements should become more fluid and less stressfull. When you’re finally at the end of your training session, your legs will probably be exhausted.

Don’t worry, I’m not suggesting that to keep running like this. This way of moving will always be more stressfull than running naturally. But doing this once in a while will reward you with a better feel for your leg mechanics and train those muscles that often become a bottleneck at high speeds. You will step softer, have less airtime and longer ground contact providing for an extended propulsion period!