Posts Tagged ‘pain in the ass’

iSH, the best free SSH / Telnet client for iOS iPhone, iPad equivallent of MobaXterm and fully functional Alpine Linux emulator

Wednesday, February 8th, 2023


Since few months I've switched my old BLU r1 HD Phone (a great old low budget phone for its price) to a friend's iPhone 10 ( X ) who gifted it for me. Coming from Android world, everyone who has experience with it is a pain in the ass as some of the Apps, which are into Google's play store does not have the same equivalent into Apple's install Package manager tool AppStore. Some of the crucial tools which I was interested as a freshly new migrated user from Android to iPhone was to have a decent SSH / Telnet client and Terminal, with which I can easily connect to my Linux servers both home and work. 

As Android Phone user, to connect and manage my SSH sessions I used most often some of the most popular Connectbot / SSHDroid / JuiceSSH.
On Android I've usually installed all of these tools but most frequently used Connectbot, which quickly become my favourite SSH client for Android over time.

The reasons why I really loved Connectbot and used it on Android OS in short:

  • It is Completely free
  • Ad-free
  • Open-source (too bad not Free software but still step better)
  • Copy and paste text between Applications
  • Customizable interface (i.e. font size, keyboard layout, SSH auth agent, etc.)


I've seen some people used and preferred Termius but never myself really liked this client, as it was including some Advertisements or for don't remember why reason.
Switching to iOS mobile operating system, of course was quite a shock especially the moment I found out the standard loved SSH Remote Client programs are used are not available or have only a paid version. Thus it took me quite a while of a research and googling until I found some decent stuff.


Tried for a time with Termius as well but again, its Ads and lack of some functionality pissed me off, so I've moved on to Shelly.


Shelly is really not a bad tool but has limitation over the SSH sessions you can add and other limitations, which can only be unlocked with an "Upgrade", to its paid version, thus I decided after few weeks of attempts to make it my remote server management mobile tool for iPhone, I've dropped it off as well.

Then I found the Blink Shell App – Blink Shell is a professional, desktop grade terminal for iOS. As overall the tool is really great and is easy to use but again to have it used in its full power you need the paid version and until you pay for it every now and then you got interruption of your shell for some really annoying ads.
Thus even though I used it for a times this few tools with whom basicly you can do basic remote ssh / telnet session operations eventually,  started looking for a better SSH Client Free alternative for iPhone Users.

Then came a friend at home for a dinner my dear friend Milen (Static) and he show me iOS.
The moment I saw this tool I totally loved it, for its simplicity and its resemblance to a classical TTY Physical old Linux console I used back in the days and its ability to resemble easily any improved functionaltiy through simple screen (multiple session management) command tool or tmux.

Wait, what's iSH ? And why it is the Best SSH / Telnet client to manage your servers remotely on iOS Mobiles (iPhone and IPads) ? 

iSH is a project to get a Linux shell environment running locally on your iOS device, using a usermode x86 emulator.

In other wors iSH is Linux emulator with busybox and a package ports for many of the standard Linux tools you get by simple apt-get / yum or if I have to compare you get via the MobaXterm's advanced apt-cyg (Cygwin packages) tool capabilities.

Once iSH is installed it comes with pre-installed apk command line package management tool, with which you can install stuff like openssh-client / screen / tmux / mc (midnight commander) etc. apk, is an apt like command like tool which uses as a basis for installing its packages Alpine Linux repositories.
Alpine Linux is perhaps little known as it is not one of these main stream disributions, such as Fedora or Ubuntu, but for those more concerned about security  Alpine Linux is well known as it is a security-oriented, lightweight Linux distribution based on musl libc and busybox. What makes the Linux even more attractive and perhaps the reason why the iSH developers decided to use it as a basis for their iSH emulator is it being actively developed and its tightened security makes it a good compliment to the quite closed and security focused mobile platform iOS.

iSH is available straight from AppStore , so to use it install it and run it (it is really a great news that iOS does not require iphone to be jailbreak – ed, and it is an ordinary installable software straight from AppStore):
iSH, already comes with some of the standard programs you would expect in a Linux environment such as Vi, wget, zip / unzip, and tar.
However to fit it better for my use over ssh and improve its capabilities, as well as support and use multiple Virtual windows ssh, just like you do on a Linux xterm
run from ish shell: 

# apk add openssh-client
# apk add screen
# apk add vim
# apk add mc




I also like to have a Midnight Commander and VIM Text editor installed out of the box to be able to move around in Ncurses interface through my iPhone.


Note that, just like most GNU / Linux distributions, iOS shell will run a normal bash shell.
From there on to use iSH as my default SSH client and enable my just installed GNU screen some Windowing beauty for readability whence I use the screen with multiple ssh logins to different servers as well make the screen Virtual consoles to have ability for scroll back and scroll up of console text to work, I do set up the following .screenrc inside my /home/iPhoneuser

The .screenrc to setup on the iSH to easify your work with screen is as follows:

# An alternative hardstatus to display a bar at the bottom listing the
# windownames and highlighting the current windowname in blue. (This is only
# enabled if there is no hardstatus setting for your terminal)
hardstatus on
hardstatus alwayslastline
hardstatus string "%{.bW}%-w%{.rW}%n %t%{-}%+w %=%{..G} %H %{..Y} %m/%d %C%a "
# Enable scrolling fix the annoying screen scrolling problem
termcapinfo xterm* ti@:te@
# Scroll up
bindkey -d "^[[5S" eval copy "stuff 5\025"
bindkey -m "^[[5S" stuff 5\025

# Scroll down
bindkey -d "^[[5T" eval copy "stuff 5\004"
bindkey -m "^[[5T" stuff 5\004

# Scroll up more
bindkey -d "^[[25S" eval copy "stuff \025"
bindkey -m "^[[25S" stuff \025

# Scroll down more
bindkey -d "^[[25T" eval copy "stuff \004"
bindkey -m "^[[25T" stuff \004

You can download the same .screenrc file from here straight with wget from the console:

# wget

Run GNU screen manager


 # screen

You will end up with a screen session, to open a new session for Virtual Terminal use virtual keyboard from ISH and Press

CTRL + A + C

To open other Virtual Windows inside screen just press CTRL + A + C as many times as you need it, each session will appear ina small window on the down corner as you can see in screenshot


To move across the Screen unnamed 3 Virtual Windows 0 ash 1 ash and 2 ash use the Virtual keyboard

for next WIndow use key combination:

CTRL + A + N (where + is just to indicate you have to press them once after another and not actually press the + 🙂 )

For Previous Window use:

CTRL + A + P

Or use CTRL + A and type 

:number 3 (where number is the number of window)

The available iSH commands without adding any further packages which are part of the busybox install are as follows:

Available /bin/ directory commands:

arch  ash  base64  bbconfig  busybox  cat  chgrp  chmod  chown  conspy  cp  date  dd  df  dmesg  dnsdomainname  dumpkmap  echo  ed  egrep  false  fatattr  fdflush  fgrep  fsync  getopt  grep  gunzip  gzip  hostname  ionice  iostat  ipcalc  kbd_mode  kill  link  linux32  linux64  ln  login  ls  lzop  makemime  mkdir  mknod  mktemp  more  mount  mountpoint  mpstat  mv  netstat  nice  pidof  ping  ping6  pipe_progress  printenv  ps  pwd  reformime  rev  rm  rmdir  run-parts  sed  setpriv  setserial  sh  sleep  stty  su  sync  tar  touch  true  umount  uname  usleep  watch  zcat  

Available /usr/bin/ commands:    

awk  basename  beep  blkdiscard  bunzip2  bzcat  bzip2  cal  chvt  cksum  clear  cmp  comm  cpio  crontab  cryptpw  cut  dc  deallocvt  diff  dirname  dos2unix  du  dumpleases  eject  env  expand  expr  factor  fallocate  find  flock  fold  free  fuser  getconf  getent  groups  hd  head  hexdump  hostid  iconv  id  install  ipcrm  ipcs  killall  ldd  less  logger  lsof  lsusb  lzcat  lzma  lzopcat  md5sum  mesg  microcom  mkfifo  mkpasswd  nc  nl  nmeter  nohup  nproc  nsenter  nslookup  od  passwd  paste  patch  pgrep  pkill  pmap  printf  pscan  pstree  pwdx  readlink  realpath  renice  reset  resize  scanelf  seq  setkeycodes  setsid  sha1sum  sha256sum  sha3sum  sha512sum  showkey  shred  shuf  smemcap  sort  split  ssl_client  strings  sum  tac  tail  tee  test  time  timeout  top  tr  traceroute  traceroute6  truncate  tty  ttysize  udhcpc6  unexpand  uniq  unix2dos  unlink  unlzma  unlzop  unshare  unxz  unzip  uptime  uudecode  uuencode  vi  vlock  volname  wc  wget  which  whoami  whois  xargs  xxd  xzcat  yes  

If you're a maniac developer you can even use iSH, to do some programs development with vim with Python / Perl or PHP as these are available from the Alpine repositories and installable via a simple apk add packagename for security experts nmap and some security tools are also available but unfortunately not everything is still working as this project is in active development and iOS has some security limitations if OS is not ROOTED 🙂

Hence some of the packages you can install via apk manager will be failing actually.
There is a list of What works and what doesn't still on iSH on the project github wiki check it out here.

There is much more funny stuff you can do with it, and actually my quick research on how people use iSH on their phones lead me to some Videos talking about iOS and Ethical hacking etc, but I'll stop here as I dont have the time to dig deeper to it. 
If you know or have some good use of iSH or some other goody you are using as a hack please share in comments.

Enjoy ! 🙂

Make Apache webserver fix spelling mistyped URL errors and serve files case insensitive with mod_speling

Wednesday, July 16th, 2014

On most if not all modern GNU / Linux distributions, Apache webserver comes preinstalled with mod_speling.

What mod_speling does is it tries to find and serve files and directories for non-existing  (404 return code) urls with a similar name to passed URL. Other thing mod_speling does is it serves files case-insensitive, even though the UNIX / Linux filesystems are built to understand files case-sensitive.

mod_speling is a very useful module especially when files are being pushed (synchronized) to Apache visible from web document folder from operating systems like Windows whose filesystem doesn't store files case sensitive.

Let me give you a small example on M$ Windows a create file NewFile.html, NEWFILE.HTML, NeWfIlE.Html etc. are one and the same file newfile.html and not 3 different files like it is usually on UNIX / Linux filesystems.

If you happen to migrate old static Websites from Microsoft Internet Information Services (IIS) to UNIX / Linux based hosting. Often Html coders which create websites on Windows platform doesn't respect in website hyperlinks case-sensitive, because anyways Windows FS is case-insetive, thus moving the website to Linux host with Apache the website/s will end up with many 404 error pages, whose fixing for big static websites will be a real pain in the ass.

Also there might be need for mod_speling module enabled, for PHP / Python / Perl websites developed on MS Windows platform and tested on Windows host and then officially to be deployed on Linux.

Note that mod_speling name as a funny thing as actually the module is also converting mis-pelled / mis-typed Apache URLs:

If for example, someone tried to link to your website from a forum mistyping the URL address with mod_speling the mistyped URL could still be handled to open the real existing URL:

Lets say you have URL:

and the actual URL is:


mod_speling will make Apache scan in /files/ for any files with similar name to what-Ever-fle.php and will open any similar matched file name, preventing you from the normal 404 error and therefore often serving exactly what it has to. Of course such a behavior could be unwanted in same cases for CMSes, which depend on 404 error code for proper operating, so be very sure when configuring mod_speling that this is exactly what you need.

mod_speling can be also useful sometimes for Search Engine Optimization – SEO, as it will show less 404 pages to Crawler search engine bots.

1. Enable mod_speling module on Debian GNU / Linux and Ubuntu

Enabling mod_speling in Apache in Debian / Ubuntu etc. debian based Linuxes is done with either creating symlink from /etc/apache2/mods-available/speling.load to /etc/apache2/mods-enabled/speling.load :

ln -sf /etc/apache2/mods-available/speling.load /etc/apache2/mods-enabled/speling.load

Or by using a2enmodDebian apache module enabling script:

a2ensite sitename

To enable mod_speling mis-speling resolve feature config directive is:


CheckSpelling on

To disable case sensitivity – as I said earlier helpful for migrations from Microsoft Windows hosts to Linux, use directive:

CheckCaseOnly on

To enable both use:

<IfModule mod_speling.c>
    CheckCaseOnly on
    CheckSpelling on

Enabling mod_speling case-insensitivity and fixing mistypes in URL could be done from .htaccess, for any <Directory> (vhost) with enabled .htaccess with

AllowOverride All

To enable it for default set host in new Apache install place it in /etc/apache2/apache2.conf and /etc/apache2/sites-enabled/000-default

Then as usual to make the configuration changes take affect, restart Apache:

/etc/init.d/apache2 restart

2. Enablig mod_speling on CentOS, RHEL and Fedora Linux


Most of RPM based Linux distributions have already mod_speling by default in Apache, so there will be no need to explicitly enable the module within HTTPD.

To check whether mod_speling is already enabled in httpd issue:

/usr/sbin/httpd -M |grep -i mod_speling

If you don't get no output from command this means the module is not enabled. This is the case with CentOS Linux 6.5 for example …

To enable mod_speling on Apache level add in /etc/httpd/conf/httpd.conf

LoadModule speling_module modules/

and restart webserver

/etc/init.d/httpd restart

If you get instead

/usr/sbin/httpd -M |grep -i mod_speling
speling_module (shared)


Then it is already loaded in HTTPD to enable the module for default domain add to /etc/httpd/conf/httpd.conf – within (<Directory "/var/www/html">),

<IfModule mod_speling.c>
    CheckCaseOnly on
    CheckSpelling on

Or if you want to make it active for specific directories within /var/www/html/whatever-dir use either new <Directory ..> directive within Apache config, or enable .htaccess processing with AllowOverride All and place them in .htaccess . For complete mod_speling reference check on Apache's official website

How to Block Facebook access on Microsoft Windows XP / Vista / 7 and 8

Friday, July 26th, 2013

Disable facebook on Windows computers using windows hosts fileIn Office home network, there is a Windows XP computer which is spending all his official work time in facebook.
Hanging in facebook makes this social network freak work quite inefficient so something had to be done immediately … and guess who had to do it …

 Usually I do facebook filtering via iptables rules directly from Linux NAT router, but filtering facebook https (port 443 traffic) is real pain in the ass and moreover facebook has a bunch of hosts so filtering from Linux i-net router is not always best solution. In this specific case the Linux router deliving internet to the Win host was also having complete routing so filtering with iptables wasn't so easy.
To save myself from loosing few hours trying to discover why I can't manage to filter facebook from Linux router, checked online if it possible to filter facebook using standard Windows method.
It turns out on Windows computer it is possible filter facebook by simply mapping all Facebook main hosts to localhost ( using hosts map file. In my case Win computer was running Windows XP, however on All Windows XP / Vista / 7 and 8, default location of hosts file is in: 


Microsoft Windows c:\system32\drivers\etc\hosts file Windows explorer screenshot

Therefore I used  Windows Explorer, navigated to C:\WINDOWS\system32\drivers\etc\ copied hosts file to Desktop, edited with Notepad and placed at the end of it following lines:

# Block Facebook

how to block facebook Windows hosts file opened in Notepad

Then copied the new modified hosts files from Desktop back to C:\WINDOWS\system32\drivers\etc
Following same logic, its possible to disable access to any host on the Internet. There are even some software like SpyBot which does by default change Windows default hosts file with pre-mapped well known spammer / spyware / malware hosts to prevent viruses and spyware to download more of themselves.

 Finally to make Windows re-read new hosts file I had to restart the PC, and Voila! Facebook access was cut 🙂

How to convert Adobe PDF file format to Microsoft Word DOC on MS Windows 2000 / XP / Vista / 7

Tuesday, July 24th, 2012

How to convert PDF to DOC on Microsoft Windows XP, MS Windows 7, Win Vista convert PDF to MS DOC 2003, ABBYY Covert Page
I had to convert Adobe PDF file to Microsoft Word ( .doc) file on Microsoft Windows OS for a friend. There is plenty of software available to convert PDF to DOC on Windows, as well as few web-site services claiming to convert correcly PDF to DOC. Converting PDF to DOC is easy and can be done with Open Office, however the reverse process is a real pain in the ass. I tried a dozen of free web serviecs to convert an ancient Latin writting PDF to DOC but none of them couldn’t properly convert it. Failing with the web services as a tool to convert, I’ve turned to seeking a tool that will do the trick. After trying few PDF to DOC converters which failed to produce a properly structed edittable DOC from the PDF file, I’ve come across ABBYY PDF Transformer 2.0. Abbyy PDF Transformer finally did it …

I’ve tried hard to look for a free software good PDF to DOC converter alternative for Windows but it seems as of time of writing this post there is no GPLed free software that does properly convert PDFs to MS WORD DOC ….

Using Abbyy PDF Transformer 2.0 is a piece of cake all I had to do is select the PDF file (pressing Open PDF) and then click on Convert (in right bottom corner). Below is a shot of Abby PDF transformer in action.

How to convert PDF to DOC on Microsoft Windows XP, MS Windows 7, Win Vista convert PDF to MS DOC 2003, abby pdf converter in action

How to run your Own / Personal Domain Web WHOIS service in a minute with SpeedyWHOIS

Thursday, April 5th, 2012

Running your own personal WHOIS service speedy whois in browser screenshot

I've been planning to run my own domain WHOIS service, for quite sime time and I always postpone or forgot to do it.
If you wonder, why would I need a (personal) web whois service, well it is way easier to use and remember for future use reference if you run it on your own URL, than wasting time in search for a whois service in google and then using some other's service to get just a simple DOMAIN WHOIS info.

So back to my post topic, I postpopned and postponed to run my own web whois, just until  yesterday, whether I have remembered about my idea to have my own whois up and running and proceeded wtih it.

To achieve my goal I checked if there is free software or (open source) software that easily does this.
I know I can write one for me from scratch, but since it would have cost me some at least a week of programming and testing and I didn't wanted to go this way.

To check if someone had already made an easy to install web whois service, I looked through in the "ultimate source for free software"

Looking for the "whois web service" keywords, displayed few projects on top. But unfortunately many of the projects sources was not available anymore from and the project developers pages..
Thanksfully in a while, I found a project called SpeedyWhois, which PHP source was available for download.

With all prior said about project missing sources, Just in case if SpeedyWhois source  disappears in the future (like it probably) happened with, some of the other WHOIS web service projects, I've made SpeedyWhois  mirror for download here

Contrary to my idea that installing the web whois service might be a "pain in the ass", (like is the case  with so many free software php scripts and apps) – the installation went quite smoothly.
To install it I took the following 4 steps:
1. Download the source (zip archive) with wget 
# cd /var/www/whois-service;
/var/www/whois-service# wget -q
2. Unarchive it with unzip command 
/var/www/whois-service# unzip
3. Set the proper DNS records

My NS are using Godaddy, so I set my desired subdomain record from their domain name manager.

4. Edit Apache httpd.conf to create VirtualHost
This step is not mandatory, but I thought it is nice if I put the whois service under a subdomain, so add a VirtualHost to my httpd.conf
The Virtualhost Apache directives, I used are:
<VirtualHost *:80>
        DocumentRoot /var/www/whois-service
        &lt;Directory /var/www/whois-service
        AllowOverride All
        Order Allow,Deny
        Allow from All
Onwards to take effect of new Webserver configs, I did Apache restart
# /usr/local/etc/rc.d/apache2 restart
Further on You can test whois a domain using my new installed SpeedyWHOISWeb WHOIS service  on
Whenever I have some free time, maybe I will work on the code, to try to add support for logging of previous whois requests and posting links pointing to the previous whois done via the web WHOIS service on the main whois page.
One thing that I disliked about how SpeedyWHOIS is written is, if there is no WHOIS information returned for a domain request (e.g.) a:
# whois
returns an empty information, the script doesn't warn with a message there is no WHOIS data available for this domain or something.
This is not so important as this kind of behaviour of 'error' handling can easily be changed with minimum changes in the php code.
If you wonder, why do I need the web whois service, the answer is it is way easier to use.
I don't have more time to research a bit further on the alternative open source web whois services, so I would be glad to hear from anyone who tested other web whois service that is free comes under a FOSS license.
In the mean time, I'm sure people with a small internet websites like mine who are looking to run their OWN (personal) whois service SpeedyWHOIS does a great job.

Finally TeamViewer 7 release for GNU / Linux is available

Thursday, March 29th, 2012


TeamViewer 7 Debian GNU / Linux released, my desktop screenshot

After a long time of inavailability, finally TeamViewer 7 for GNU / Linux is out!

Here is the short TeamViewer 7 Linux release note :

In our TeamViewer download area you will now find TeamViewer 7 for Linux.
The final version includes a selection of new features for Linux, e. g. an integrated screenshot feature and the possibility of saving individual connection settings per computer.
You can now establish cross platform connections with other computers running version 7 and hold online meetings and presentations with up to 25 participants.

We wish you best continued success with TeamViewer!

Well, guys it was about time, even later than that… Until now I've so many times experienced troubles with Windows machines which I had to administrate remotely and they only had a TeamViewer 7 installed (a real, real pain in the ass).

The issue comes cause TeamViewer 6 is incompatible with 7 and just until very recently only TV 6 for Linux was available, so trying to access a 7 install directly from Linux was impossible.
Hence to access TeamViewer 7 Windows install, I had to use either a fresh Windows copy with TeamViewer 7 installed or a Virtual Machine like (Qemu, VirtualBox) with Windows version installed in it.
Often back then, when I had to fix remotely a Windows machine behind a firewall, I had to instruct the machine owners to replace the TeamViewer 7 with TeamViewer 6 in order to be able to easily access the remote host from my Debian Linux.

I still remember, it was quite a stuggle to find a link to a Windows .exe install file for TeamViewer 6.

Now thanksfully, TeamViewer guys are starting to make it easier for the user who would for some reason want to stick to older TV version.
I've noticed on TeamViewer's website there is already a new TeamViewer download page offering for download all the old teamviewer version – 1.x, 2.x, 3.x, 4.x, 5.x, 6.x

One example, where old teamviewer release is useful is if you want to run teamviewer on older hardware or old OS (MS Windows 98 or old Linux distro).

I've made a mirror of teamviewer 6 for Debian / Ubuntu amd 32 and 64 bit versions along with all the OS available TeamViewer version 6 and 7, for the sake of preserving it if one day link to old versions of Teamviewer disappear from their website.

Here are the TeamViewer mirrored files:

Below you see a screenshot of teamviewer 7 running on my Debian Squeeze 🙂

TeamViewer 7 Debian GNU / Linux released, my desktop screenshot

It is great teamviewer produced a Linux working application, however if you run it you realize just like the previous releases TeamViewer is not natively supposed (compiled) to run on GNU / Linux OS but uses wine (windows emulator) to launch through…
Instead of porting the application to be natively for the Linux distros once again with this new release, teamviewer developers just "hacked" it to run on top of windows emulation. Though this is working its performance, is probably a bit degraded and it depends on having install on the Linux host a bunch of useless packages which wine depends on.
Besides that even if it "works" on Linux , TeamViewer has still non-free software essense. I still use it because unfortunately, I don't know of a better remote access program capable to connect to servers behind NAT / machines located behind a tight firewalled routers.
If only (I knew of?) a TeamViewer free software / open source equivalent
I will be glad to hear if someone know a (free software / open source) TeamViewer like program able to access remote hosts with no a real (public inet) IP address?P.S.: By similar TV program I don't mean VNC, UltraVNC and this kind of other VNC derivative programs but mean close TeamViewer alternative.

Problems with Skype microphone on Thinkpad R61i with Debian Linux again and fix

Tuesday, January 10th, 2012

Once again, I experienced Skype microphone issues!!! Its getting really annoying, since almost randomly I get issues. Skype is a terrible program and depending on a proprietary thing like Skype is a real pain in the ass.
This time it was totally strange as there was no way to record any voice inside Skype Call while testing with (Echo / Sound Test Service)

After a lot of puzzling and getting a bit angry I found this time the issues are caused by some settings which somehow changed in GNOME Sound Preferences microphone to mute:

Sound Preferences GNOME Debian GNU / Linux screenshot

Sound Preferences input gnome Linux muted microphone screenshot

You see on above screeshot that somehow the stupid thing get mutted 😐
GNOME sound preferences unmute mic linux

After unmuting and restarting Skype, the microphone started working in Skype again …

Howto install GeoTrust RapidSSL certificate on Debian Lenny / Squeeze / Wheezy Linux

Thursday, March 25th, 2010

I faced the task of generating official Validated SSL Certificates by in mydaily duties as a System Administrator at . Though generating self-signedSSL certificate is comparatively easy task. It was a pain in the ass setting Apache version 2.2.9-10+lenny6to correctly serve pages through https:// protocol over openssl version 0.9.8g-15+lenny6.I’ll try to go through the whole process of Generating the certificate in order to help some other Debianusers out there to face less setbacks in such a simple task as installing a Trusted SSL Certificate issued(bought) by RapidSSL. Even though this article will mostly deal with SSL certificate issued by RapidSSL,it should be not a problem to apply this methodogy with Verisign or some of the other Geotrust issuedSecure Socket Layer certificates.

In generating the Validated certficate I used enom which is a domain name,ssl certificates, email and hosting company whole-saler.
Fron emon’s website after logging in and using the web interface, there are two major things required to fill inin order to issue your Trusted SSL certificate.

1. Fill in in a form a CSR file, this is usually generated on the Linux server using the openssl.
To issue the CSR file required by Enom use the following commands:

a. First we generate an DES3 RSA encrypted key which we will use next to generate the opeensl CSR file required by ENOM.
debian:~# /usr/bin/openssl genrsa -des3 -out 2048
Enter pass phrase for

You’ll be required to fill in a pass-phrase that will be later be required to fill in before Apache servers starts or restarts,so make sure you fill something you either remember or you keep the password stored in a file.
You have to change also the in accordance with your domain name.
Now as we already have a proper generated DES3 RSA key afterwards it’s necessery to generate the CSR file with the openssl command line frontend.
So here is how:

debian:~# /usr/bin/openssl req -new -key /home/hipo/ -out /home/hipo/

Again in the above example change all the paths and file names as you wish.
It’s necessery that the end user fill in a number of questions related to the Certificate Signing Request.
Herein I’ll list what kind of prompts will emerge after executing the above command:

Enter pass phrase for /home/hipo/
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that you’ll hav eto fill in the pass phrase previously entered during the generation of the file.
In case if you’d like to read more thoroughly on the subject of howto create a Certificate Signing Request or (CSR) as we called it on multiple times, you can read About Certificate Signing Request (CSR) Generation Instructions – Apache SSL more in depth here

2. Hopefully following the above instructions you’ll now have a file named www.domain.csrJust open the www.domain.scr and copy paste it’s content to the ENOM website CSR * webform.

3. Further on select your Webserver type on Enom’s website:In our case we have to select Apache + ApacheSSL

4. What follows next is filling in your company contact information This is also required for proper certificate generation, you have to think twice before you fill in this data, take a note this can’t be changed later on without issuing a brand SSL new certificate.

Apart from the 3 major above requirements to fill in Enom there are some few more radio buttons to use to make some selections according to your personal preferences, however I won’t take time to dig in that and I’ll leave this to you.
After all the above is fulfilled you’ll have to submit your certificate details and choose an email address to which you will receive in a minute a RapidSSL Certificate Request Confirmation

Following a link from the email, will show you some basic information about the certificate about to be generated. That’s your final chance to cancel the issued Trusted Certificated.
If you’re absolutely sure the information about to enter the certificate is correct then you’ll have to follow a link and approve the certificate.

You’ll be informed that you’ll receive your certificate either through Certifier website (e.g. Enom’s website) or via another email.
I thought it’s more probable I receive it via email but anyways I was wrong. More thank 4 hours has passed since the certificate was issued and is available via Enom’s interface but I haven’t received nothing on my mail.
Therefore my friendly advice is to check about your brand new shiny Trusted Certificate on Emom’s website. I had mine ready in about 10 minutes after the CSR was issued.

Assuming that you’ve succesfully obtained the SSL Trusted certificate from RapidSSL what follows is setting up the certificate.
Initially I tried using documentation from RapidSSL website called Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from
I tried to configure one of my Virtualhost as shown in their example inserting in my /etc/apache/sites-available/ file, few directives within the VirtualHost something like the shown below

SSLEngine on
# cointains the Trusted SSL certificate generated and obtained by you from RapidSSL
SSLCertificateFile /etc/apache2/ssl/
# contains the file used to generate the CSR file as described earlier in this post
SSLCertificateKeyFile /etc/apache2/ssl/

It is also possible insetad of using the SSLCertificateFile and SSLCertificateKeyFile directvies directives in Apache config to use:


Another alternative is to use

SSLCertificateFile /etc/ssl/certs/your-domain-name.crt
SSLCertificateKeyFile /etc/ssl/certs/your-domain-name.key
SSLCACertificateFile /etc/ssl/certs/gd_bundle.crt

The key file is the one generated earlier on the server and handed to the SSL regisrar, the files:

your-domain-name.crt and gd_bundle.crt files are provided by RapidSSL or from whatever SSL registrater the SSL was purchased.

After trying the above configuration and restarting apache with:

/etc/init.d/apache2 restart

Apache failed to start, it might be helpful to somebody out there the error I had in my apache error.log:
The error.log red the following:

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

After some 30 minutes or an hour of Googling on the error I came to the conclusion that the error is caused, becauseApache is supposed to work with .PEM files instead of the classical .CRT and .KEY files asnormally approached in most of the other Unix operating systems.

It took me a bit more of reading on the internet to find out that actually the .pem files so widely adopted in Debian simply contain both the file and the key simply pasted one after another, this I also observed from the default Apache self-signed certificate that I believe comes with debian /etc/apache2/ssl/apache.pem .
So I copied both the content of my and and store it in one file:

Also the following configuration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/

had to go in your

Last thing that’s left is to restart your Apache;

/etc/init.d/apache2 restart

Apache will prompt you for your certificate password entered by you during the generation. Type your password and with a bit of luck and hopefully with God’s help you’ll be having a Trusted Certificate on your webserver.

Last step is to check if the certificate is okay accessing your domain

Well this is the end of the article, hope you enjoy.If you do please leave your comments, any corrections are also welcomed 🙂

Configuring varnishd to log client IP addresses in Apache log

Wednesday, February 3rd, 2010

I realized today, that because my varnish serves incoming connections to my
apache port a really annoying problem appears.
I mean in my httpd-access.log everytime I get some visit from the Net, the
incoming IP address logged in the Apache log is originating from
e.g. (localhost). That’s a real pain in the ass, cause it prevents me from
adequately tracking visitors countries and their networks.
Therefore to fix that and configure varnish to always log my original visitors
IPs to the apache log I had to follow instructions described in.
How can I log the client IP address on the backend? in the Varnish Cache FAQ

Here I will include step by step explanation how I practically implemented
the solution as explained in the FAQ on my FreeBSD.

First I had edit:
The following is currently my default.vlc file content:
backend default {.host = "";.port = "8080";}sub vcl_recv {# Add a unique header containing the client addressremove req.http.X-Forwarded-For;set req.http.X-Forwarded-For = client.ip;# [...]}
Next I had to add:
to my /etc/rc.conf
And then modify my:
and include:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" varnishcombined
as well as:
CustomLog /var/log/httpd-access.log varnishcombined
to all my VirtualHosts.

Finally it’s required to restart both varnishd and apache
pcfreak# /usr/local/etc/rc.d/varnishd restartpcfreak# /usr/local/etc/rc.d/apache2 restart

That’s all folks!

Troubled Day

Thursday, April 5th, 2007

It was a day full of waiting. The Admin/tech support personel in sofia is a real pain in the ass. I waited half a day for a simple debian base install. The guy installed debian over already installed freebsd on a server we sent destined for colocation in evolink. The machine is great dual 3ghz Xeon with 3 x 70 gb SCSI discs. In 4:00 o’clock I received a mail with username and password of the server, but the system was unaccessible for 1 more hour. I got really nervous I received tons of calls from the boss, our project Manager, Vladi the PHP programmer. I logged to the server in 5:00 and configured apache with mysql upto 10:00 o’clock then did a little walk with nomen in the central park and drinked one beer per capita. I had to meet Static and Amri in 6:00 o’clock but I was busy configuring the new rack so I missed a great oportunity to have fun with old friends. ORDER has to come back to Bulgaria, today or even he maybe is already in Varna. I’m quite impatient to see him! In the afternoon I went to some spiritual downfalls but now Thanks to God I’m alive and well. The pozvanete site already points to the new rack so I hope the machine would be able to serve it’s goal perfect. This will be made clear in the morning. Soon I’m going to bed. Glory be to God for fulfilling me with his love and sustaining my life and keeping me from evil! END—–