Sunday, January 31, 2021

monitoring icecast stream with uptimerobot

Just a reminder to myself that the uptimerobot monitor for Icecast streams has to be a GET monitor, because Icecast sends a 400 Bad request error for HEAD requests. So, for example, we can set up a GET monitor for
https://streamingurl.tld/mountpoint/status.xsl

But then we would not really know if the streams are running - for that, we rely on our shell scripts to email us like
COULD NOT FIND PLAYLIST nameof.playlist AT Sun May 28 06:01:01 IST 2017
PLAYING EMERGENCY INSTRUMENTAL PLAYLIST!!

Friday, January 29, 2021

another domain name for the same page, implemented with Plesk

We wanted the same content as oldname.tld/url to be served from newname.tld/url for a domain which was being served from a shared server running Plesk. We could not do it by adding a domain alias; instead, we had to add newname.tld as a new domain in Plesk and point it to the same directory as oldname.tld for wwwroot.

creating a Linux filesystem on a VHD file

In order to create a timeshift backup before an upgrade, I created a virtual hard disk volume, following
https://www.tecmint.com/create-virtual-harddisk-volume-in-linux/

This took 20 minutes on a Lenovo PC for 30 GB. mkfs finished in just seconds.


Thursday, January 28, 2021

fiber link tests

Our fiber link, which used a 2-core media converter, had gone down. Checking various segments which were looped at different locations, each segment by itself was OK. But with all the loopings, though light was seen when testing with a "visual fault locator" or laser, one core was less bright. So, used a single-core media converter, and link became OK. 

Wednesday, January 27, 2021

Google Forms for creating a feedback form

Initially, I thought our non-profit edition of Google Workspace did not have Google Forms, and so created a form manually, following

https://dev.to/omerlahav/submit-a-form-to-a-google-spreadsheet-1bia

https://github.com/jamiewilson/form-to-google-sheets

and a template from jotform.com

Then PB pointed out that accessing Google Forms from Google Drive -> New -> Google Form works, and that the scripts.google link has a problem of not displaying if the user is logged on to more than one google account at the time of clicking that link.

So, PB recreated as a Google Form. 

google apps scripts limitation on multiple logins

One of the limitations of Google Apps Scripts - apps created with script.google.com fail when logged in to multiple accounts.
https://www.demandsage.com/blog/google-multi-account-authentication-bug-what-it-is-possible-workarounds/

For standalone scripts which have a url like https://script.google.com/macros/s/LONGID/exec?parameter the error shown is:
"Sorry, unable to open the file at present.
Please check the address and try again."



Monday, January 18, 2021

renewing a dot tk domain

Freenom is the domain registrar for .tk and currently, their process for renewing free domains is - 

  • we get a reminder email 2 weeks before expiry
  • free renewal is possible only 2 weeks before expiry
  • the current link to renewal is via the Services menu item - Services -> Renew domains and not via "My Domains" as mentioned in their email. 

Sunday, January 17, 2021

exploring creating issues on github using email

Checked out ifttt email -> github - that needs the email to be sent from a particular email id, which will then create an issue on github. Could possibly implement using gmail's auto-forwarding features.

Saturday, January 16, 2021

adding SSL (https) to http mp3 streams - Apache reverse-proxy and letsencrypt

Our audio streams were getting blocked by Chrome's insistence on https. Our initial workaround was to not use any javascript-based player, and instead just use a link to the stream URL with target = _blank to open it in a new window or tab. Now, working towards https support for our audio streams, we found two options.

1. Icecast 2.4.4 has support for SSL, but on most platforms we need to recompile it with the flag set, since the icecast package which is available at this repo doesn't support SSL:
./configure --with-curl --with-openssl

2. The other option is to use an SSL reverse-proxy - Apache or Nginx.

Since we had Apache running on our server already, I tried the reverse-proxy method. I had to use acme.sh and not certbot since our server needs an OS upgrade. After the acme.sh installation, have to log out and log in (or open another shell) for the .bashrc changes to take effect. On the server, the main steps were:

a2enmod proxy
a2enmod proxy_http
  # (without this, got Internal Server Error)
service apache2 restart

a2ensite stream.ourdomain.tld
service apache2 reload

The file created for stream.ourdomain.tld in /etc/apache2/sites-available/stream.ourdomain.tld.conf was copied from another virtual host and then I added the lines like

ProxyPass /nameofstream http://11.22.33.44:8567/
ProxyPassReverse /nameofstream http://11.22.33.44:8567/ 

ProxyPass /nameofanotherstream http://11.22.33.44:8577/ 
ProxyPassReverse /nameofanotherstream http://11.22.33.44:8577/ 
</VirtualHost>

The file created for the ssl version had to be hand-written since acme.sh doesn't automatically create the config files unlike certbot. stream.ourdomain.tld-ssl.conf had the additional lines

<IfModule mod_ssl.c>
<VirtualHost *:443>

  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/stream.ourdomain.tld.cer
  SSLCertificateKeyFile /etc/ssl/private/stream.ourdomain.tld.key

So, with acme.sh, first issued the certificate in Apache mode as root - 

acme.sh --issue --apache -d stream.ourdomain.tld

and then installed it using

acme.sh --install-cert -d stream.ourdomain.tld \
--cert-file      /etc/ssl/certs/stream.ourdomain.tld.cer  \
--key-file       /etc/ssl/private/stream.ourdomain.tld.key

a2ensite stream.ourdomain.tld-ssl
service apache2 reload

Worked.
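
A pre-reload check for the files that acme.sh --install-cert writes, as an added example that is not part of the original post: it confirms that the certificate and key belong together, that the certificate is not close to expiry, and that the key file is not accessible to group or others. The function names, the 14-day default and the throwaway self-signed pair used for the demo are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the files written
# by `acme.sh --install-cert`, to run before `service apache2 reload`.

# Succeeds only if the certificate's public key equals the private key's.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the key file grants nothing to group or others (e.g. mode 600).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Runs all checks, prints one line per failure, returns the failure count.
# $3 is the minimum remaining validity in days (assumed default: 14).
check_pair() {
    fails=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 does not match $1"; fails=$((fails + 1)); }
    cert_valid_for_days "$1" "${3:-14}" || { echo "FAIL: $1 expires within ${3:-14} days"; fails=$((fails + 1)); }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/others"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample input: a throwaway self-signed pair valid for $3 days.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=stream.ourdomain.tld" \
        -keyout "$1/$2.key" -out "$1/$2.cer" >/dev/null 2>&1 &&
        chmod 600 "$1/$2.key"
}

# Usage: sh check.sh CERT KEY [MIN_DAYS]; with no arguments, run the demo.
if [ "$#" -ge 2 ]; then
    check_pair "$@"
else
    d=$(mktemp -d) && make_demo_pair "$d" demo 30 &&
        check_pair "$d/demo.cer" "$d/demo.key" && echo "demo pair OK"
    rm -rf "$d"
fi
```

Run against the real files, it would be called with /etc/ssl/certs/stream.ourdomain.tld.cer and /etc/ssl/private/stream.ourdomain.tld.key as the two arguments.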

Everything seems to be fine - Apache was not having any issues I could detect with top and a tail -f of the Apache access log. Cloudflare proxying had been turned on, but I'm not sure if it had any impact since this was a stream and not a static file which could have been cached.

CPU utilization and RAM utilization didn't change more than 1-2% - 97% idle CPU, and all the Apache processes together were using only 14% RAM or less of our 8 GB server, which didn't increase substantially from what it was before the test. Some 300+ clients connected via our website with the new links to the various streams in the last 90 minutes or so of the test. 

Edit: See the later post, implemented with icecast-kh
https://hnsws.blogspot.com/2021/06/adding-ssl-https-to-http-mp3-streams.html

Monday, January 11, 2021

github phasing out password authentication for commits

While making some command-line commits to GitHub, I'd received an email from GitHub that password-based authentication is deprecated, and would be unavailable after Aug 2021. GitHub docs also mention that password authentication is deprecated. This stackoverflow post also discusses the change, and its advantages. So, basically we need to create the password token, give it suitable permissions and use that instead of the password on the command line.

Sunday, January 10, 2021

centre-click for restoring xfce minimized windows

Working with xfce on a GCP cloud server, minimized windows were not visible. My workaround as suggested by this forum post was to centre-click on the desktop (right+left click on my trackpad) and choose the relevant window from the list.

RDP failure and resolution

Last week, I could not remote desktop into one of our servers which was a VM on Azure - Remote Desktop was working only immediately after a restart, and later not at all. Remmina failed with

connected to ip.address.tld:3389
recv: Connection reset by peer
Error: protocol security negotiation or connection failure

and rdesktop failed with

ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.

I thought I got the explanation for CredSSP from this post and thought disabling NLA would solve the issue. But then, I could not connect at all. I'd done this by right-clicking on System, Properties, Remote, and disabling the check-box 'Allow connections only from computers with NLA...' 



Tried resetting the connection configuration from Azure portal, still no. (Choose the VM in Azure Portal, Support + Troubleshooting, Reset Password screen, choose 'Reset configuration only').

I tried logging on using a Windows 10 VM on another server, but got an "internal error". Perhaps this was due to the Windows trial license expiring on that machine. Today when I re-installed a trial version of Windows 10 and tried to connect, the Remote Desktop connection worked fine. Turned on NLA, it still worked. Tried with Remmina on my local machine, that also worked. 

So, why did it fail and why did it start working again? Was it due to a Windows update causing issues like in this forum thread? Perhaps a network glitch? Perhaps restarting the VM (which I did several times) or resetting the configuration solved the issue but I was unable to check due to turning off NLA? At that time, I did not see this post, but maybe in the future I might need these tips again. 


Thursday, January 07, 2021

port forwarding workaround

One of our external IP addresses had port-forwarding set up to allow incoming ssh. That external network failed and the alternate network took over for web browsing, but our ssh connections would fail. Workaround was to set up identical port-forwarding rules for this alternate network external IP address also. Then, if the primary network fails, we can ssh in using the alternate network. 

Tuesday, January 05, 2021

recommended font sizes for responsive websites

Troubleshooting an issue of iSpring's output html not appearing properly on a mobile app, found this page with some recommendations on font sizing for mobile devices. The issue itself might be due to javascript support issues or user-agent issues, I guess, since the page appears properly on mobile browsers.