Pramati IIS Webgate plugin

Most of the times the Application servers are hidden beyond the Webserver/Load Balancers/Reverse Proxy servers, such as Apache and IIS. One of my previous posts talk about Reverse Proxy here In case you are running an apache server, it provides a nice Mod_proxy module to reverse proxy to back end nodes which happen to be Application servers. However, when running IIS, then we are in a fix if you are running the back end nodes as J2EE Application servers . Pramati Server has a nice plugin that helps you to dispatch requests from IIS to Pramati Server. Documentation for the same can be refered here. 

I have seen some issues where the IIS plugin installation shows up red in the IIS configuration window. Restarts of the IIS service/admin service does not seem to fix the problem. Here are 2 quick things that you might need to check if you are seeing this problem.

1. The version of the IIS Webgate plugin and the version of IIS being used. Pramati Server ships various versions of IIS Webgate plugin with different versions of Pramati Server. The ones shipped with 4.1 are compatible only with IIS 4 or IIS5. May be you are trying to use a wrong combination!! For Webgate plugin that works with IIS 5 and above, I recommend that you pick up the latest version of Pramati Server and use its plugin. The latest version of Pramati Server can be downloaded from the site here. 

2. Sometimes, the issue could be with the log file location that you have specified for the Webgate log. The log location tag is present in the iisplugin.props file located in the ${Pramati_install}/add_ons/webgate/iis folder. Change the value to a valid location on the system

LogFileName E:\\fubar.log

These 2 checks should be able to get you running with IIS Webgate plugin in Pramati Server. Inc case you still have problems, you can talk to your designated support contact at Pramati or drop a message in one of their forums here.

Session Invalidation

Session is the user's key to the application. Once the user logs out of the application, it is very vital to invalidate the session.

I have come across a situation where the session was not invalidated even when I clicked on the Logout button.

This happened to me with the NetGear Wireless router that I use. I logged into the Router Management page and clicked on the logout button present. I was presented with the logged out screen. All was well till I wanted to visit the Management console again. When I accessed the pages, I was presented with the console without prompting for username/password.

Did I do something wrong? May be. Retry again. But it still shows the same. I use Firefox as the default browser. Then I tried with Internet Explorer. This is where the magic came up.



The logout button sends back to logged out confirmation page and this relies on the java script to close the browser. But that javascript fails in Firefox. There are 2 trivial things here:

1. To rely on the javascript to close the browser and not verifying the cross browser functionality.
2. Not invalidating the session once you click on the Logout button.

Now talking about why it is important to invalidate the session once the user clicks on the logout button:


1. Memory utilization: Most of the times, username is not the only data stored in the Session object. There could be some user specific cache that can be put into the sessions as well. The cache could account to good amount of memory. Imagine thousands of sessions created on the server which are waiting to be cleaned up and the memory they could could be hogging.

2. Security Vulnerability: Well, this is kind of tricky. Lets say the user has clicked on the logout button but the application has not invalidated the session. Now, there is some window between the user clicking on the logout and the session invalidated on the server side due to timeout. Now, lets take a session stealing case. This scenario leads to an extra time window which will help the other guy to use the stolen session and change the system. Invalidating the session once the user has logged out would reduce that security risk.

ORA-12519 & ORA-12505

java.sql.SQLException: Listener refused the connection with the following error:

ORA-12519, TNS:no appropriate service handler found The Connection descriptor used by the client was: localhost:1521:XE

Alright, another Oracle Exception. It says "Listener refused the connection". Is hostname correct? Yes, port? Yes, SID? Yes. Damn me. Must have forgot to start the TNSListener. But wait, if it is saying Listener refused the connection, doesn't it mean that the Listener is working and has refused the connection? Oh, yes. A quick check in the services shows that the Listener is already up and running. Why would Listener refuse the connection.? Wouldn't it refuse if the Oracle service is not running? Yes!! But the Oracle Server is running. Run a quick check and see what it says when the Oracle Service is not running.

Well, it says

java.sql.SQLException: Listener refused the connection with the following error:

ORA-12505, TNS:listener does not currently know of SID given in connect descriptor The Connection descriptor used by the client was: localhost:1521:XE

This clearly states that the SID is not recognized as the service is not running. So the earlier problem was not due to Oracle service not running. Back to square one. Okay, let me see if listener recognizes the Oracle services... What was the command? Oh, Yes. "LSNRCTL.EXE". Do a lsnrctl.exe services

Service "xe" has 1 instance(s).
Instance "xe", status READY, has 1 handler(s) for this service...
Handler(s): "DEDICATED" established:243 refused:0
state:ready LOCAL SERVER

The listener is able to identify that there is a service running. Hmmm. Now why does the listener refuse the connection? Let me do a quick restart on both the Oracle Service and Listener service. No use...

Hmmm. Does it have have anything to do with the username/pwd that I am using. Given the fact that the username/pwd has been created just now...It might be.

Now rerun with the root username/pwd. :-) It still fails. Thank God, I have not misconfigured the username/pwd. Wait, I see that there are some connections already established in the Application Server. Well, if its failing, it should fail for all the connections. Do a restart on the AppServer and check. Its the same thing again.

Okay, lets put up a simple java client which will try to create connections and see. Alright, it gets the connection. Let me try to check how many connections it can establish.

Connection :0
Connection :1
Connection :2
Connection :3
Connection :4
Connection :5
Connection :6
Connection :7
Connection :8
Connection :9
Connection :10
Connection :11
Connection :12
Connection :13
Connection :14
Connection :15
Connection :16
Connection :17
Connection :18
Connection :19
Exception in thread "main" java.sql.SQLException: Listener refused the connection with the following error: ORA-12519, TNS:no appropriate service handler found The Connection descriptor used by the client was: localhost:1521:XE

Aha!!!! Trying to establish more than 20 connections is causing the problem.

Alright, its out of my control now. Googling, finally I land up at:

http://forums.oracle.com/forums/thread.jspa?messageID=1145120

It says, the problem is with the number of process count defined in the init.ora file. Let me check. There is no process count defined. WTH, let me define the process count in init.ora file and restart Oracle

processes=200

It still stays the same. So adding the process count is not recognized. Let me try what was suggested.

ALTER SYSTEM SET PROCESSES=150 SCOPE=SPFILE

Now with this change and restarting the Oracle service, it is able to create upto 409 connections now. Great!

No blogging!

One more reason why I do not blog (being lazy is the first one) :-)

http://blogs.pcworld.com/staffblog/archives/006764.html

What makes me happy

What a satisfying day it was. Its been nice, I felt good all through the day. Strangely, I cannot attribute any of the activities that I did today for the Feel Good factor I am experiencing.

Which one out of these made me happy?

1. Getting up early in the day,about 5:30 AM which I rarely do.
2. Stepping into Gym, which I hardly ever visited.
3. Mom inaugurating Reliance Fresh store in our building
4. Zipping on the roads in maruti 800, which belongs to my friend. I should confess that I really loved doing this. A small car which happens to listen to you and to just creep into those li'l places and make others go crazy!!
5. Visiting old school friend of mine. I got sucked into Happy days movie which I watched couple of days back. This brought back few memories of my school days and raked the old telephone directory of mine to check if any of the numbers are still working. Given that I finished my schooling 11 years back, hit 30% success with the contact numbers which is not bad.
6. Visiting few stores to buy a bicycle(Believe me! Its True). I seemed to got sucked into this thing seeing Deepak and Surya (Both my colleagues and are avid runners). Unfortunately, I wasn't clear on the kind of one I am looking for so nothing fruitful happened there.
7. Visiting a good friend of mine who is ill and taking him to a hospital. Well, we forced him to go for an injection which he furiously resisted. But we prevailed over him( Those li'l sadistic pleasures).
8. Watching Racing Stripes movie. I just liked the concept that right friends help to do something really nice.

I think I will isolate all these activities and try to replicate them one in a day(one of them cannot, but I will know that it is the one if all others fail). Then I can narrow it down and I will know what made me happy.. Well, Support Guys are always Support Guys. You cannot change the way they think..Sigh

I have resolved to workout more. I have reasons for this. Well, if you are thinking that I am trying to get into shape, then you are wrong. Who said Round is not a shape?? The excuses I have in my mind right now are:

1. This will help me cut down the amount of nicotine I consume. Seriously, good work out always helps you to cut down the amount you smoke.
2. Help me to buy a Royal Enfield.

Hibernate, antlr and Class loading issues

Hibernate uses HQL(Hibernate Query Language) for generating Object-Oriented queries.  Hence for this purposes ships a specific version of antlr.jar along with the Hibernate. Most of the App servers use antlr to generate the Query Language for the CMP beans. In this case, it is quite possible that the two versions of antlr are different. The difference in versions kicks in some of the exception messages when you try to access the application. Most of the time, the exception is reported in the HQLToken class.

In some cases, ClassNotFound/NoClassDef exceptions are also reported as the global library file is trying to access the Applications WEB-INF/classes or WEB-INF/lib folders.

To resolve it, the easiest option is to remove the version shipped with App Server(Please note that most of the App Server support personnel refuse to assist if the folder structure/folders are altered in the server installation).  In case you are not using any components that use Container Managed Persistence, the above work around works fine.  The problems kick in when any of your component tries to use Container Managed Persistence. Also, to make sure that you get proper support from your App Server vendor, the above approach should not be followed.

So what should be done?

To fix the issues, the class load/search/scope functionalty of the App server needs to be modified. The classes in the WEB-INF/classes or WEB-INF/lib folders should be loaded/searched prior to the global ones.

Fortunately most of the Application servers provide a way to change to such classloading functionality. Following is the consolidated list for the App Servers:

Pramati Server:

Add the following tag after <module-name>  in the generated pramati-j2ee-server.xml file for the application under the <web-module> element:

<prefer-deployed-web-classes>true</prefer-deployed-web-classes>

OC4J:
http://download.oracle.com/docs/cd/B25221_04/web.1013/b14433/classload.htm#CIHFABFI

WebLogic:
http://edocs.bea.com/wls/docs81/programming/classloading.html#1082452

Websphere:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r0/topic/com.ibm.websphere.base.doc/info/aes/ae/crun_classload.html

JBoss:
http://wiki.jboss.org/wiki/Wiki.jsp?page=ClassLoadingConfiguration

Flock

Are you one of those people who spend good amount of time publishing lot of posts and transferring photographs to one of your sites such as Flickr? Then you should check out Flock. This is very nice little browser(Of course a free one!). This remembers your account details and would post it to your blog/site for you. More details are here

If you are trying to upload Pics of yours to share it with your friends, then you are wasting your time and bandwidth in uploading the pics. Just download Dekoh and start sharing the content from your desktop with fine grained control over what you share..

Want to know where your class is picked up from?

I safely assume that every one working on Java/J2EE platform must have come across class loading issues. Some (like Hrish) have the knack to crack them very efficiently. Some, like me, grope when trying to figure out the problem. Java says the first class it encounters in the classpath is picked up and the other versions of the same class later in the classpath are ignored. That sounds pretty simple. However, in some cases, jars contain manifest files pointing to various other jar files/locations. In such cases, it becomes very difficult to check where the class is being loaded from, unless you have good amount of patience to perform a search in TextPad and go through all the results for possible class loading issues. There have been few annoying situations because of the wrong class files picked up from the class path.

Here is the best way I use to figure out from which jar the class is being picked up. Start the java program with -verbose switch and it will print out the class being loaded and the jar/location from where it is being picked up. Sounds simple right? Yeah, but one caveat is, this would work only with Tiger(JDK5) version onwards. Good luck in your classloading issues, if any.

PS: Want to know the fancy names for various Java versions? Click here

JVM options for HP Java SDK

Its been long time that I actually worked with HP Java(even though for very short duration). Had one installation running on HP-Itanium machine which uses HP-Java. We wanted to turn on few JVM options for some analysis. Here is complete list of JVM options that are supported on HP Java. Its good to see HP-Java supporting few of the Sun non Standard JVM options as such.

Going Dutch

Any one who goes out to lunch with colleagues might have heard about this term. Today, I was having lunch with one of my good friend Bharani and suddenly this word popped up in our conversation. We both being avid fans of word origin stories, couldn't figure out how this was coined. Given by the name, could guess that it was something related to Dutch but could make no progress. You can check out the phrase on Wikipedia here. Well.. do not be disappointed that this has a negative meaning. As long as it does not hurt your pocket, it is good.

Adiós, amigo

It was last day for Anil at our office. I am really going to miss this guy. I think I complemented this guy very well. It's very important to have such a partner specially when working in Product support environment.

Anil, Thank you very much for all the things you did for me and for all the times we have worked together. I will always miss you.

All the best in your next endeavors.

PS: I will learn to play snookers and lets play someday when I visit your place.

JVM Crash

In my view JVM crash is the most dreaded problem that could ever happen to an App server on production machine. Unfortunately, one of our clients production machine has been crashing regularly with a certain version of JDK at high concurrency, We have looked at few crash reports and determined that the crash appears to be happening in one particular piece of code.

Our client being Premium partner with Sun was able to take it up with Sun Support Team. They needed some info from our team as well. So a conference call was setup.

This is how it went on

Sun: We have looked into the crash reports. But would like to know if there is any more info you could provide.
Me: Sure( I ended up saying the changes that we made).
Sun: Anything else?
Me: We might have lot of things to say. But what is that you are looking for?
Sun: I am just trying to get more info on the problem as there seems to be nothing in the logs. How did you determine that it was a problem with JDK?
Me: It crashed and produced a crash report which we shared with you, You being the developers for this JDK should be able to say more about the crash and why t happened
Sun: I do not see any specific info from the logs that you have sent
Me: But we see that there is this crash that always happens in a compiler thread.
Sun: Oh okay, that is good info. Let me forward this to my analysis team. But can you tell me where you got this info from?
Me: Did you happen to have a look at the crash logs? It says so in the logs.

After a day Sun team has come up with the outcome of the analysis. I thought it was impressive. The outcome was that there was a StackOverFlow during class-native compilation(Thanks to Rajiv for taking pains to explain me about this compilation).

There were few params that were suggested. One of them was to increase the compilerthreadstacksize. We have tried with few options 1024,2048 but to no avail. We had to go back to Sun team to report about our unsuccessful attempts. So there was one more angle that was brought into the picture. There might be some recursion in the code due to which the stackoverflow was happening. Well that sounded logical to me. But where was this happening? Since the current stacktrace in the jvm crash reported at jvm.dll, I am convinced to believe that it was happening somewhere in the native code of JVM. But the Sun team had to differ here. We wanted to know how we can check where this is happening.(All these were through email correspondenses).

Next day there was an email from the Sun team in which they have provided one way to check where the StackOverFlow was happening.

"We would like you to capture a thread dump before the crash so that we can analyze the issue. For accuracy, it would be really good if you can capture at least 3-4 thread dumps."

Whoa!!! How do I capture a thread dump before the JVM crash? I need some real Oracle to help me out in predicting the time of crash so that I can capture the thread dump before the crash!!

Well said SUN!!!!

HP ServiceGuard

Been busy last couple of weeks. Some really nice things happened during these weeks. We had an opportunity of integrating Pramati Server with HP Serviceguard. We had one of our customer who was looking for clustering solutions. We have offered Pramati Cluster, which offers fail over, and load balancing. The End User had HP machines for production enviroment. With these HP machines he happened to purchase the Serviceguard framework which manages the fail over mechanism and manages switching of IP address( virtual IP address). We had setups with OS level clustering such as Windows Clustering, Sun Clustering. However, these happened to manage the things at a machine level. Well it really depended on how you are trying to configure it. Generally these run with Active-Active or Active-Passive configurations. Active-Active means that both the machines are in active state and the data replication happens on both machines and the load is balanced between the two machines. This is achieved by using a Virtual IP address that forwards the traffic to back end machines. In Active-Passive configuration, only one machine is active at any time and all the traffic that hits virtual IP address is routed to the active machine.

However, the HP Serviceguard was managing the thing at package level. For this service any application registered with it is a package and it manages the package between the cluster nodes. That is to say App server can be running on one cluster machine and Database on the other. These two are independent and could be running anywhere on the cluster machines. With this background, I assume it is now safe to go into the details of what happened during this integration.

The End User has called up asking for few queries on how Pramati Server can be fit into the picture. Pramati Server has clustering solution which works independent of OS level clustering. We have proposed the same. However since there is no single point of entry for the traffic for cluster nodes, we were left with either using a loadbalancer or leveraging on the HP Serviceguard framework to manage the traffic routing. The Application vendor was in favor of leveraging on the existing HP Serviceguard framework. Hence, there were series of conference calls setup with HP implementation team, the Application vendor and us.

This is where the real fun has begun.

The following is the snapshot of the conversation that took place between the HP implementation guy at the clients place and me:

With all introductions done…

Me: How does this HP Serviceguard thing work? ( Though I have done some ground work on the HP Serviceguard thing, couldnot find any relevant docs on how the applications should interact with it).

HP: The HP Serviceguard has to register your application and a virtual IP address configured for your application.

Me: Okay, how do we register the application with HP Service?

HP: You will have to provide us with few scripts using which we would register your app into HP Service.

Me: (I was happy to hear this. Good just few scripts and its all done). Okay, what would these scripts be and what is the desired functionality of the scripts.

HP: I am not really sure, but all I know is that you will have to provide me few scripts.

Me: ( What the !!!!). Okay, if you can tell us what these scripts should be doing, we might quickly put up few scripts for the desired functionality.

HP: ( He repeats the same thing). I am not really sure, but all I know is that you will have to provide me few scripts.

Me: ( Now I am beginning to worry. This is not going to end soon). Okay, then who would know about what kind of scripts are required?

HP: The HP Serviceguard team would know.

Me: Are you from the HP team or a reseller of the product?

HP: I am from HP team, but from implementation team. So I do not know what kind of scripts. All I know that is few scripts are supposed to be provided by you.

Me: (Does any shell script do? Such as the one to display simple helloworld on the Console?) Okay, can you give me numbers of your HP Service team so that I can talk to them?

HP: You wouldn’t be able to talk to them directly without any case id.

Me: Okay, can we create a case for this and then talk to them.

HP: Sure, we should be able to do that. Shoot across an email on the info required and I will get back to you.

So I shot across an email to this guy and waited for a day. Nothing happened on it. So decided to call up and check what’s happening:

Me: Looks like we haven’t got a reply from your team. Since we have logged a case, can we call them up and check with them?

HP: Yes, but I do not have the numbers for the HP Serviceguard team.

Me: Okay, how do we get this?

HP: Can you call up HP Sales team and check with them?

Me: (Sigh….) Okay, I will call them up and check.

Now I call up HP sales team.

Me: Hi, this is ….. We have one customer who is interested in integrating our App server with one of your product. HP Serviceguard. We have few clarifications. Can you help us?

HPSales: I can provide you with HP Support number who should be able to help you

Me: Great.

I call up this number

Me: ( I ended up speaking few minutes about the current situation and what we are looking for).

HP Support: Sure Mr Naveen. Before we can start with any of your queries, can I have the serial number of the machines?

Me: Sure, we have few HP machines at our place. So will the number from any of them do?

Here comes the ace..

HP Support: No, the serial numbers should be of the machines on which HP Serviceguard framework was purchased.

Me: Okay I will get back with these numbers

Now I call up this HP guy at the clients place and ask him for the numbers. I asked him if he can give me the serial numbers. For some strange reasons he was reluctant to give me these numbers.

Finally with some intervention from Application Vendor and End User, we could get a sample script that was used to integrate MySql with HP Serviceguard. So we just mimicked these scripts and provided them to this HP implementation guy. After a day we got a call from our App Vendor saying all went well and Pramati Server has been registered with the scripts provided by us. One more happy customer.

But I really feel that HP Serviceguard is the one that provides clustering solution, they are supposed to have some documentation on what is required from applications such as App servers, database etc. It should have published its API if any and should be a part of the software that they sell. I wonder why it is not the case.

Blackle

Do you know that Google has a black version of its famous search engine to save power?

blackle

http://blackle.com/about/

I appreciate that. Thnx Google

Session Stealing-2

Contnuation of the previous posting..

My apologies for the abrupt ending of my previous post. Something important came up due to which I had to end it abruptly.

Session hijacking is generally crafted using the following methodologies:

1. Request-Response Sniffing
2. Cross site scripting

Well, the first one can be prevented when the whole session is handled through https. However, if part of the session is handled through http and is switched over to https, then the sniffer would be able to pick up the session id transferred in the http session. To avoid this Pramati Server uses a special cookie in addition to the sessionid cookie. This pair is validated when trying to access the https pages. As the second cookie is set via https, the sniffer would not be able to view it easily. When the sniffer/hijacker sends a https session without the secret cookie, the server would understand that this is not from the authenticated user and hence will deny the response.

Regarding second, you should check if the server is immune to XSS (cross site scripting) vulnerabilities.

Session stealing

You have heard about username/password, identity stealing. Did you ever hear about session stealing/hijacking? Session stealing is the act of taking control of the user session after having obtained/generated authenticated session id. Following is a bit intro on session and session id.

HTTP is stateless protocol. To maintain the state of the logged in users and identify them, the servers depend on the session ids. Session is a series of interactions between two end points( in this case server and client) that happens during the span of single connection. Session ID is a random alphanumeric string that a web server assigns a specific user for the duration of that visit. Once the user is logged into the web site/application a session is created for that user and the server hands out the session id to the browser when sending the first response. The browser would send this Session ID to the server on all the subsequent requests. As long as the user makes the requests from the same browser without closing and reopening it, the web site would not ask for the login information. This is coz,the server/application validates the session id received from the browser and would check if the user with that session id is logged in.

Now that we know what session and session id is let us move on to how it is transmitted between the server and the browser. One of the most used method is to set the session id as cookie on the browser JSESSIONID in case of J2EE and ASPSESSIONID for .NET servers. If you have any tool such as IEHttpHeaders for IE or LiveHttpHeaders for Firefox, you would be able to see something similar to this in the response from the server.

Status=OK - 200

Date=Wed, 27 Jun 2007 11:13:45 GMT

Content-Type=text/html

Set-Cookie=JSESSIONID=978704440835854248; Path=/

X-Cache=MISS from HYD-MDU-CACHE2

Via=1.0 HYD-MDU-CACHE2:515 (squid/2.6.STABLE12)

Connection=close

What you are seeing here is the Session ID Cookie and the value of the session ID. Anyone sniffing on the network packets between your server and you would be able to easily flick this info. Now once he has that session id, he would send the request to the server with the session id along with the request (You can use Tamperdata extenstion of Firefox to do this)

Now you would start thinking. This guy has some random number generated by the server and that is passed between my browser and server. So what? Just to remind you, this session id is not just another alphanumeric string, as far as the application is considered, this your passport to the application unfortunately a passport without photo on it. Any one who has this session id can get the server tricked into believe that it is YOU who is talking to the server. It is equivalent to some one flicking off your passport and presenting himself as you(Remember no photo on it). Now when application believes that some one else is you, then it would allow that person to do what you would be able to do! Let me put it in few steps

1. You open your bank site and go to the login page and login.

2. Once you are successfully logged in, the server would redirect you to your account details and setting a session id cookie in your browser.

3. When you make any request in any of the bank site, the intelligent browser would send the session id to server along with the new request.

4. The server would verify this id and see that you are already logged on. Hence no more login requests.

5. Now lets say there is a guy in the middle who has been sniffing the requests and responses between your machine and the server. He would be able to see the Session ID cookie that’s shared with you. Now he would pick up the same session id and send it over to the server. Since the id is shared between server and only you, the server would be under the impression that you are the one who is talking to server but it is actually not!

6. Now the guy in the middle would make a request for harmless page with your session id sent along to the server.

7. Server would verify the session id and see that you are already logged in and hence would present the harmless page to the guy in between.

8. From here, he would be able to navigate to your account page effortlessly and view details or do what fancies him at that time.

More about this in my next blog.

Look who's doing it!!

What if govt flouts pollution control rules? In the pic is one of the waste dumping yards used by GMCH( Greater Muncipal Corporation of Hyderabad). Every day hundreds of trucks dump the garbage collected from all over the city and it is burnt in the evening. Look at the rising smoke. If something goes wrong we have govt to complain to. Now where do we go??

Analog

How do Business Developers take decisions on what should they be targeting at? Well, I think they too need data. But, data like what? Lets say you have a web site then they would like to know what interests people the most in your site. How do they figure out this? They are not oracles that would look at the crystal ball and say “Look these are the most visited site on our site and hence developing these products/pages further would increase the traffic and your revenue”. Obviously they would like that kind of data from the person who manages the web site.

Whenever there is a hit to your website, the web server that you use silently logs the request and the response it has sent. But what use is it of? I thought you would never ask this question after reading the first paragraph above. Okay, since you have asked this anyway, let me answer that. This would help that poor guy who has to give the demographics of the site to the enthusiast business developers. But any decent web site would have hits to a volume of few thousands a day. How do we get demographics from thousands of requests? This is where web log analyzers come to our rescue. I have been looking at few web log analyzers recently. Being strong supporter of open source software, I have tried to search for few and I came across this tool named Analog. An open source product, you can download from here. What was impressive was that it took me less than 5 minutes to get the whole stats from my web logs. Just under 5 minutes!!

This is what I did:

Downloaded the package from here
Unzipped it to my disk
Got into unzipped directory located analog.cfg fle, opened it and pointed the web log file.
Saved the config file, and ran the analog executable.
That’s it. This created the Report.html file that contained the stats.

Sounds good. But if you have a web site, which has huge traffic, there would whole lot of web logs created in a single day. How do we deal with this? Simple.. Zip up all the logs, point Analog to the zipped up file and run it. Analog will take care of reading the requests from archive file and present the stats for you.

More documentation is available here

Server name in response headers

Was looking through some of the web server vulnerability problems again. Most of the servers do send the server name in the http response. In case you have any livehttpheaders or IEhttpheaders, the response from any of the Application servers can be checked and most of them would contain the server name and probably version as well.

Here is how you can turn it off in some app servers

In Pramati Server, changing value of display-server-name in-header tag to false in web-config.xml would do the trick.

To prevent a WebLogic Server instance from sending its name and version number, disable the Send Server Header attribute in the Administration Console. The attribute is located on the Server —>ServerName —>Configuration —>Protocols —>HTTP tab.

A new environment variable, SERVER_TOKEN_OFF, has been added to
WebSphere Application Server for z/OS v4.0.1 that suppresses Server header in the response

Apache webserver you can turn this off by setting ServerTokens option to prod. This does not eliminate the server name just removes the version of the Apache server.

Reverse Proxy

So what is it all about? Before we move into what is Reverse proxy, we have to look at what proxy is.. I will wait till you brush up with Proxy concepts here. Just kidding. Proxy is that machine which acts as an intermediatary between your pc and the Internet. Put in simple way, Proxy is used as one point of exit for all your network traffic. There are benefits of this. Any rules that you would like to force such as blocking few sites, needs to be done only at proxy location. This way it gives more control on controlling what needs to be controlled. Huh!.

There are few points that make the proxies dear to all..

1. Caching. Lets say this blog has become so popular that 200+ people are reading this 200 times every day from your network. This means lot of network traffic to one site. Now, its very obvious that this blog would change once in a day given, I quit my job and become full time writer. Without the proxy, every request to read my blog would be routed to Internet and thus increasing the network traffic. With proxy in between, it will cache the complete blog on the first hit and the Proxy itself would serve all subsequent requests. This reduces the internet traffic and the amount that your company pays to your ISP.

2. Better Control: Lets say your company would like to block this blog as it sees that people waste a lot of time reading this blog( I agree on time wasted in reading, but about being popular I doubt). Now with proxy in place, we just need to add a line in the configuration of the proxy server and restart it. Voila.. Your fav blog is no longer accessible in your network now.

Now moving to reverse proxy, the simplest way to define it would be to flip the proxy on its feet and its reverse proxy. :-)

Reverse proxy is a special case of a proxy, designed to carry traffic from a less trusted network into a more trusted network. The normal proxy proxies on behalf of a network, but the reverse proxy proxies on behalf of a web server.

So the question is why have this in first place?

1. Security: With reverse proxy in place, there is single point of entry to the web servers (from the reverse proxy). Hence you do not have to open up the web server to Internet, which would reduce the security risk.

2. Caching: The reverse proxy can cache the content from the web server hence reducing the load on the actual web server and serving the content from its cache.

3. Lets say you had to change over the web server to a different machine or to a different host name. Without reverse proxy in between, the names will have to be republished to the outside DNS world. With reverse proxy in place you don’t have to deal with these as the mappings will have to be known just to the reverse proxy and not to the Internet world.

Apart from above there is whole possibility of load balancing that comes into the picture which I would write in detail about in my next coming posts.

Everything comes with some cons as well. So what would be cons about reverse proxy?

1. The single point of entry. While this adds more security, would prove otherwise when the reverse proxy is compromised.

2. The reverse proxy name/IP is all the whole world knows as the façade to your web server. When this goes down without a backup in place, your whole web presence (do I have to mention about your sleep!!) is down the drain.