Ahsay Backup Behind Nginx (w/ SSL Proxy)

Posted by Joshua Schmidlkofer Fri, 22 Feb 2008 08:10:00 GMT

In order to get Ahsay working behind an SSL proxy which passes traffic on to port 80, you have to modify your conf/server.xml and set a few settings on ol’ Nginx.

Add the following attributes to the non-SSL connector declaration in your server.xml:

    scheme="https" secure="false" proxyPort="443" redirectPort="443"

Nginx config section:

    proxy_pass      http://127.0.0.1:9080;
    proxy_redirect  http://archive.myisteam.com      https://archive.myisteam.com;
    proxy_redirect  http://archive.myisteam.com:80   https://archive.myisteam.com;
    proxy_redirect  https://archive.myisteam.com:80  https://archive.myisteam.com;

.....

Apart from that, it’s perfectly normal.
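Putting the pieces above together, here is a complete Nginx server block for the setup described (an added example, not from the original post): SSL is terminated by Nginx, traffic is passed in cleartext to Tomcat on loopback, and the three proxy_redirect rules from above rewrite any Location header that would otherwise send a client back to http://. Certificate paths are assumptions; the hostname and backend port are the ones used on this page.

```nginx
# Plain HTTP: send everything to HTTPS so the backup client never
# talks cleartext to the proxy itself.
server {
    listen 80;
    server_name archive.myisteam.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name archive.myisteam.com;

    ssl_certificate     /etc/nginx/ssl/archive.myisteam.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/archive.myisteam.com.key;   # assumed path

    location / {
        # Tomcat listens in cleartext on loopback only. Its non-SSL
        # Connector carries scheme="https" secure="false" proxyPort="443"
        # redirectPort="443" (see server.xml above), so the absolute URLs
        # it generates already say https:// and port 443.
        proxy_pass      http://127.0.0.1:9080;

        # Pass the original host and scheme through, for anything behind
        # Tomcat that builds URLs from the request rather than from the
        # Connector attributes.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Belt and braces: rewrite any Location header Tomcat still emits
        # with http:// or an explicit :80, so a redirect can never downgrade
        # the client to a cleartext connection.
        proxy_redirect  http://archive.myisteam.com      https://archive.myisteam.com;
        proxy_redirect  http://archive.myisteam.com:80   https://archive.myisteam.com;
        proxy_redirect  https://archive.myisteam.com:80  https://archive.myisteam.com;
    }
}
```

To check the result, request a page that triggers a redirect (the login page usually does) with `curl -sI https://archive.myisteam.com/ | grep -i '^location'` and confirm the Location header starts with https:// and carries no :80.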

Special thanks to Cliff Wells, for tireless effort in the face of Java.

Thanks as well to the Apache documentation efforts: Tomcat Connector Docs.

Pointless Rants 2

Posted by Joshua Schmidlkofer Wed, 15 Nov 2006 04:44:00 GMT

I have been working on an article, which was accidentally published for about 8 hours, which is a bitter recount of my views on OpenLDAP.

IMNHSO OpenLDAP has been a tool fraught with complexity, needless overhead, and inhuman design problems. Replication is terrible to set up. The whole SSL thing is a debacle. The init scripts have failed (for at least 4 years) to take into account that the average human inits ldap as root, then starts it to run as ‘ldap’. They rely on Berkeley DB, which is the bane of such things as RPM. The error output is ridiculous and often requires starting it, by hand, with -d.

ACLs, ACIs, lack of unified management, etc. All of these things factor into a solution that (until recently) has had a horrible slew of segfaults if the client or server misbehaved.

However, the more that I rant, the more futile it seems. I am really bitching and complaining about other humans. Humans, who I might point out, Jesus Loves very much. So, who am I to tear apart their work?

In short, OpenLDAP devs, if I have a voice (and since quitting the list some time ago, I don’t), please give us a few clear, nice things:

  • Simple replication setup
  • Some sort of unified management for ACIs at least
  • An initscript that will chown the ldap directory, or a startup flag that causes this to happen before dropping privs.
  • Simple (read: HUMANE) SSL options (Hint: Verify Certs should WARN and not abort by default.)
  • Automagic db_recover for bdb backends

For the rest, well, I think that I will stew that article a little longer. I don’t want to hate on people.
Update: Marty Heyman from Connexitor mentioned me in his blog.