Archive for the 'linux' Category

mod_php and suphp at the same time

/etc/suphp.conf

[global]
logfile=/var/log/httpd/suphp_log
loglevel=warn
webserver_user=apache
docroot=/home
env_path=/bin:/usr/bin
umask=0077
min_uid=500
min_gid=500
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=false
;Send minor error messages to browser
errors_to_browser=true
[handlers]
;Handler for php-scripts
;x-httpd-php=php:/usr/bin/php
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi=execute:!self

/etc/httpd/conf.d/su.php

# This is the Apache server configuration file providing suPHP support.
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.
LoadModule suphp_module modules/mod_suphp.so
# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
#suPHP_Engine on
# Disable php when suphp is used, to avoid having both.
#<IfModule mod_php5.c>
#php_admin_flag engine off
#</IfModule>
#<IfModule mod_php4.c>
#php_admin_flag engine off
#</IfModule>
# To use suPHP to parse PHP-Files
#AddHandler x-httpd-php .php
#AddHandler x-httpd-php .php .php4 .php3 .phtml
# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resides in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don’t use this option, PHP will use its compiled in default path.
# suPHP_ConfigPath /etc
# If you compiled suphp with setid-mode "force" or "paranoid", you can
# specify the user- and groupname to run PHP-scripts with.
# Example: suPHP_UserGroup foouser bargroup
# suPHP_UserGroup apache apache
# This option tells mod_suphp to handle requests with the type <mime-type>.
# Please note this only works, if an action for the handler is specified
# in the suPHP configuration file.
#suPHP_AddHandler x-httpd-php
# This option tells mod_suphp to NOT handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>

Usage example

<VirtualHost 192.168.1.10:80>
SuexecUserGroup "#500" "#500"
ServerName example.com
ServerAlias www.example.com
DocumentRoot /home/example.com/public_html
suPHP_Engine on
AddHandler x-httpd-php .php
AddHandler x-httpd-php .php .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
suPHP_UserGroup example.com example.com
<Directory /home/example.com/public_html>
allow from all
</Directory>
DirectoryIndex index.htm index.html index.php
</VirtualHost>
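
A pre-flight audit for the settings above, as an added example (not part of suPHP or of the original post): it walks a DocumentRoot and lists the scripts and script directories that the allow_*_writeable=false and min_uid/min_gid values in suphp.conf would be expected to reject. The function names are hypothetical and the checks only approximate suPHP's own.

```python
import os
import stat

# Values copied from the suphp.conf above; function names are hypothetical.
MIN_UID, MIN_GID = 500, 500
EXTENSIONS = (".php", ".php3", ".php4", ".phtml")  # from the AddHandler line


def mode_findings(path, st):
    """Apply the allow_*_group/others_writeable=false rules to one stat result."""
    kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
    found = []
    if st.st_mode & stat.S_IWGRP:
        found.append((path, f"{kind} is group-writeable"))
    if st.st_mode & stat.S_IWOTH:
        found.append((path, f"{kind} is others-writeable"))
    return found


def audit_docroot(docroot):
    """Walk a DocumentRoot; return (path, reason) pairs suPHP would likely reject."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        scripts = [f for f in filenames if f.endswith(EXTENSIONS)]
        if not scripts:
            continue
        # The directory holding a script is subject to the directory options.
        findings += mode_findings(dirpath, os.lstat(dirpath))
        for name in scripts:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; audit the target instead
            findings += mode_findings(path, st)
            if st.st_uid < MIN_UID:
                findings.append((path, f"owner uid {st.st_uid} is below min_uid"))
            if st.st_gid < MIN_GID:
                findings.append((path, f"group gid {st.st_gid} is below min_gid"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_docroot("/home/example.com/public_html"):
        print(f"{path}: {reason}")
```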

suPHP: parent directory is not owned by the defined user or root

root at server1:/root/suPHP/suphp-0.6.3/src# diff -u ./Application.cpp ./Application.cpp-dist
— ./Application.cpp 2008-04-24 15:21:20.000000000 -0700
+++ ./Application.cpp-dist 2008-03-30 04:43:38.000000000 -0700
@@ -492,14 +492,12 @@
directory = directory.getParentDirectory();

UserInfo directoryOwner = directory.getUser();
-#ifndef OPT_USERGROUP_OWNER
if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
std::string error = “Directory ” + directory.getPath()
+ ” is not owned by ” + owner.getUsername();
logger.logWarning(error);
throw SoftException(error, __FILE__, __LINE__);
}
-#endif

if (!directory.isSymlink()
&& !config.getAllowDirectoryGroupWriteable()
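
Review bot: The #ifndef OPT_USERGROUP_OWNER / #endif pair around the "directoryOwner != owner && !directoryOwner.isSuperUser()" test drops the parent-directory ownership check entirely, including its logger.logWarning(error) call, whenever that macro is defined, so a script below a directory owned by another non-root user runs with no trace in the log. Keeping the warning and skipping only the throw SoftException(...) would preserve the audit trail, and since the hunk does not show where OPT_USERGROUP_OWNER is defined, that needs documenting next to the guard. Also note the file order on the diff -u line: the modified Application.cpp is the first argument, so the two "-" lines are the lines this change adds relative to Application.cpp-dist.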

Originally found at https://lists.marsching.com/pipermail/suphp/2008-April/001831.html

Install SSL certificate on postfix and dovecot

Make key file

# openssl genrsa -des3 -out example.com.key 1024
Generating RSA private key, 1024 bit long modulus
…………..++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for example.com.key:
Verifying - Enter pass phrase for example.com.key:

# openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []:
An optional company name []:

Get the CRT from a certificate authority (GeoTrust, VeriSign, etc.)

Remove pass phrase

#openssl rsa -in example.com.key -out example.com.pem

edit /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_key_file = /etc/pki/tls/certs/example.com.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt

edit /etc/dovecot.conf

ssl_disable = no

ssl_cert_file = /etc/pki/tls/certs/stargatesys.com.crt

ssl_key_file = /etc/pki/tls/certs/stargatesys.com.pem

restart postfix and dovecot
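
A post-install check for the steps above, as an added example (not from the original post): it pulls the key paths out of main.cf or dovecot.conf text and reports a key file that is accessible beyond its owner or is still pass-phrase protected. The function names are hypothetical, and only the two key parameter names shown above are recognised.

```python
import os
import re
import stat

# Parameter names as used in the main.cf and dovecot.conf snippets above.
KEY_PARAMS = ("smtpd_tls_key_file", "ssl_key_file")


def key_paths(conf_text):
    """Extract private-key paths from 'name = value' configuration lines."""
    paths = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m and m.group(1) in KEY_PARAMS:
            paths.append(m.group(2))
    return paths


def check_key(path):
    """Return a list of problems found with one private-key file."""
    problems = []
    st = os.stat(path)
    # Without a pass phrase, file permissions are the key's only protection.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible beyond owner (expected mode 0600)")
    with open(path, "r", errors="replace") as fh:
        pem = fh.read()
    if "PRIVATE KEY-----" not in pem:
        problems.append("no PEM private key found")
    elif "ENCRYPTED" in pem:
        # "Proc-Type: 4,ENCRYPTED" (traditional) or
        # "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8)
        problems.append("key is still pass-phrase protected")
    return problems


if __name__ == "__main__":
    with open("/etc/postfix/main.cf") as fh:
        for key in key_paths(fh.read()):
            print(key, check_key(key) or "ok")
```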

Reinstall yum package

As you might know, yum does not provide re-install functionality. To re-install a yum-installed application, the following method may be useful:

yum install yum-utils
yumdownloader package
rpm -Uvh --force downloadedpackages

adding a startup script on ubuntu

update-rc.d foo defaults

you also need the script to be executable
chmod +x foo

install webmin on ubuntu

$ sudo dpkg -i webmin_1.420_all.deb
$ sudo apt-get -f install

gdm error after while…..

ns2 ~ # /usr/bin/gdm

/usr/bin/gdm: error while loading shared libraries: libdirectfb-0.9.so.25: cannot open shared object file: No such file or directory

Revdep-rebuild should find out the problem for you, the most obvious reason why it might not is if a previous run of revdep-rebuild did not complete and the temporary files were still present.  Please try running “revdep-rebuild -i” to ensure that the temporary files are cleaned out.  If you do this before trying to re-emerge totem-pl-parser, you can test whether it spots it, and then again whether totem-pl-parser fixes the problem.

If after you’ve got the results the problem hasn’t been fixed, or revdep-rebuild wasn’t correctly finding the issue, then please feel free to reopen this bug…  5:)

Squid3 on CentOS4

[root@ns99 ~]# wget http://ftp.riken.jp/Linux/fedora/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
--02:00:53-- http://ftp.riken.jp/Linux/fedora/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
=> `squid-3.0.STABLE10-1.fc10.src.rpm'
Resolving ftp.riken.jp... 134.160.38.1
Connecting to ftp.riken.jp|134.160.38.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,006,085 (1.9M) [application/x-wais-source]
100%[=============================>] 2,006,085 1.40M/s
02:00:54 (1.40 MB/s) - `squid-3.0.STABLE10-1.fc10.src.rpm' saved [2006085/2006085]
[root@ns99 ~]# rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm
warning: squid-3.0.STABLE10-1.fc10.src.rpm: V3 DSA signature: NOKEY, key ID 4ebfc273
1:squid warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
[root@ns99 ~]# cd /usr/src/redhat/SPECS/
[root@ns99 SPECS]# rpmbuild -bb squid.spec
error: Failed build dependencies:
linuxdoc-tools is needed by squid-3.0.STABLE10-1.i386
[root@ns99 SPECS]# yum install linuxdoc-tools
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for linuxdoc-tools to pack into transaction set.
linuxdoc-tools-0.9.20-14. 100% |=========================| 27 kB 00:00
---> Package linuxdoc-tools.i386 0:0.9.20-14 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
linuxdoc-tools i386 0.9.20-14 base 396 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 396 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): linuxdoc-tools-0.9 100% |=========================| 396 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: linuxdoc-tools ######################### [1/1]
Installed: linuxdoc-tools.i386 0:0.9.20-14
Complete!
[root@ns99 SPECS]# rpmbuild -bb squid.spec
[root@ns99 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm

Install Postgrey on CentOS

Activate dag repository

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1

install package

root@ns99 ~ # yum install postgrey

edit startup script /etc/init.d/postgrey

#OPTIONS="--unix=$SOCKET"
OPTIONS="--whitelist-clients=/etc/postfix/postgrey_whitelist_clients --whitelist-recipients=/etc/postfix/postgrey_whitelist_recipients --inet=10023 -d --unix=$SOCKET"

start postgrey at system boot

 root@ns99 ~ # chkconfig postgrey on

add the policy filter to postfix in /etc/postfix/main.cf

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023

edit white-list as you need /etc/postfix/postgrey_whitelist_clients

Check delay from maillog

cat /var/log/maillog | postgreyreport 

Install SPF to CentOS Postfix

In computing, Sender Policy Framework (SPF) allows software to identify messages that are or are not authorized to use the domain name in the SMTP HELO and MAIL FROM (Return-Path) commands, based on information published in a sender policy of the domain owner. Forged return paths are common in e-mail spam and result in backscatter. SPF is defined in RFC 4408. (from Wikipedia)

Install required packages

root@ns99 ~ # yum install perl-Mail-SPF

Get the SPF module from http://www.openspf.org/Software (newest at this time is 2.007) and install it

root@ns99 ~ # wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
root@ns99 ~ # tar zxvf postfix-policyd-spf-perl-2.007.tar.gz
root@ns99 ~ # mv postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl

add following line to /etc/postfix/master.cf

policy  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/perl /usr/local/lib/policyd-spf-perl

add following line to /etc/postfix/main.cf

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    check_policy_service unix:private/policy
policy_time_limit = 3600

Add an SPF record to your DNS. The record can be generated with the wizard at
http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go%21

spf01   IN TXT "v=spf1 +ip4:xxx.xxx.xxx.xxx/24 ~all"
spf02   IN TXT "v=spf1 +ip4:yyy.yyy.yyy.yyy/24 ~all"
@       IN TXT "v=spf1 include:spf01.example.com include:spf02.example.com ~all"
