Author Archives: Jack

How to build a LEMP stack

Growing up it was always common to spin up a “LAMP” box to host a website.  The typical setup was:
Linux
Apache
MySQL
PHP

Over the past few years, this model has slightly changed due to new open source technologies bringing new ideas to solve performance and licensing issues at massive scale.  In this tutorial, we are going to look at setting up a LEMP box on Debian Stretch (9.1).
Linux
nginx [engine x]
MariaDB
PHP

Please note, MariaDB could easily be swapped out with MySQL in this tutorial, however many have opted to jump over to MariaDB as an open source alternative (actually designed by the original developers of MySQL) over fear Oracle may close source MySQL.

Installing Linux

This tutorial assumes you already have either a copy of Ubuntu 14+ or Debian 7+.  This probably works on earlier versions as well, but I haven’t tested them.  On a side note, I typically don’t install Linux builds with an interactive desktop environment, so grab yourself a copy of Putty and ssh in or open up Terminal if you have interactive access to the Desktop Environment.  Before continuing, go ahead and update apt-get repos and upgrade any packages currently installed:

apt-get update && apt-get upgrade

Installing nginx

Grab a copy of nginx

apt-get install nginx

Installing MariaDB

Grab a copy of MariaDB

apt-get install mariadb-server

Installing PHP

In this case, I want to roll with PHP7.  You can specify php5 or php7 depending on your application, but PHP7 has some great performance enhancements, so for new apps, I’d leverage it.  The biggest thing here is to make sure you use the FastCGI Process Manager package.  If you specify just php or php7, package manager will pull down apache2 as a dependency.  That is not what we want in our LEMP stack.

apt-get install php7.0-fpm

Once installed, fire up your favorite text editor (it’s ok if it’s vi :)) and edit the default site for nginx

vi /etc/nginx/sites-enabled/default

Search for the comment # Add index.php to the list if you are using PHP and add index.php to the line below it.  For example:

index index.html index.htm index.php index.nginx-debian.html;

Next, find the comment # pass PHP scripts to FastCGI server and change the block of code to the following to tell nginx to process .PHP files with FastCGI-PHP:

# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}

Save the file.  If using vi, you can do that by executing :wq

Next, reload the nginx service to pickup the new changes to our configuration:

service nginx reload

Test

At this point, we can create a php file to validate things are working well. Go ahead and create a new file /var/www/html/info.php and add the following line:

<?php
phpinfo();

If you see a page listing the PHP version and the corresponding environment configuration, congratulations, you have finished setting up your new LEMP stack! 🙂

Setting up WeeWX with a Raspberry PI

This is a quick setup guide on how to configure the open source software WeeWX for a Personal Weather Station (PWS).  I highly recommend you check out the WeeWX User Guide as this information is very well documented.  Here is a reflection of how I was able to get WeeWX installed on a Raspberry PI with a brand new weather station.

  1. Setup your Raspberry PI
    1. How to setup your Raspberry PI: http://jackstromberg.com/2018/03/setting-up-a-new-raspberry-pi-via-ssh/
      1. Note: Raspbian is a distribution based upon Debian.  In this case, we will follow the Debian instructions for setting up WeeWX.
        1. http://weewx.com/docs/debian.htm
  2. (Optional) Configure the Raspberry PI to be localized to your environment
    1. sudo raspi-config
      1. Here you can arrow down to Localization Options and configure the timezone to match that of your console/weather sensor.  Keeping time is critical, so if possible, try to keep the date/time between your weather station and the Raspberry PI as close as possible.
  3. Configure Apt-Get to look for the WeeWX packages
    wget -qO - http://weewx.com/keys.html | sudo apt-key add -
    sudo wget -qO - http://weewx.com/apt/weewx.list | sudo tee /etc/apt/sources.list.d/weewx.list
  4. Update your Raspberry-PI to use the latest packages
    sudo apt-get update
    sudo apt-get upgrade
  5. Before installation, ensure you have your console or device setup and connected to your Raspberry PI for WeeWX to pull the data
  6. Determine the interface the console is connected to (if using a directly attached data loggerm skip if using an IP based source)
    1. Execute the command dmesg and look for what interface the data logger is connected to
      1. In my example, you can see the data logger is connected to ttyUSB0
  7. Launch the installation wizard for weewx
    1. sudo apt-get install weewx
      1. Note: You will likely be prompted to install a few dependencies, type Y for yes to install them
  8. Installation
    1. Enter the location of your weather station: Santa’s Workshop, North Pole
    2. Enter in the latitude, longitude of your weather station
      1. Note: If you don’t have GPS, you can easily find this by using Bing Maps or Google Maps, navigating to your location, and right clicking.
        1. For Bing, it will just show you the lat/long values when you right click
        2. For Google, click on “What’s Here” and it will list these values
      2. Note: You can be more specific than 3 digits behind the decimal, so if you want to use a more specific set of coordinates like 40.689167, -74.044444, that is acceptable.
    3. Enter in your Altitude of where the weather station is
      1. You can use Google Earth to find the altitude or this tool here: https://www.freemaptools.com/elevation-finder.htm
    4. Set your preferred unit of measurement
      1. US (Imperial) or Metric
    5. Select your weather station type
      1. I.e. AcuRite, Vantage (if using Davis), etc.
    6. Select the interface the device is listening on
    7. For those using serial port, select the interface that the data logger is connected to.  You should have found this in step 4 above; if using ethernet, go ahead and type in the IP, Port, etc. of the data logger.
  9. At this point WeeWX is technically installed, however many individuals will want to present the WeeWX reports via webpage.  In this case, we’ll install nginx, which is a lightweight webserver
    1. sudo apt-get install nginx
      1. More details on this can be found here: http://www.weewx.com/docs/usersguide.htm#integrating_with_webserver
  10. Configure WeeWX to minimize disk IO
    1. Why do we need to do this?  Since Raspberry PI’s leverage SD cards, there is typically a finite number of reads/writes to the SD Card.  In this case, it is recommended to either leverage an external database/fileserver for WeeWX to write its reports.  Alternatively, we can also configure WeeWX to leverage ram to host the reports, which will prevent IO to the SD card (in this case, theoretically increasing the life of the drive)
      1. Three approaches are outlined here–in this guide I’ll reflect the GitHub page in saving reports to a temporary file system using tmpfs
        1. Add an entry to fstab
          1. echo "weewx_reports /var/weewx/reports tmpfs size=20M,noexec,nosuid,nodev 0 0" | sudo tee -a /etc/fstab
        2. Mount the new file system
          1. sudo mkdir -p /var/weewx/reports
          2. sudo mount -a
        3. Update weewx.config file to point to new directory
          1. sudo sed -i -e 's%HTML_ROOT =.*%HTML_ROOT = /var/weewx/reports%' /etc/weewx/weewx.conf
        4. Restart WeeWX service
          1. sudo service weewx restart
        5. Create symbolic link to point webserver to the reports
          1. sudo ln -s /var/weewx/reports /var/www/html/weewx
        6. Give the web server the ability to read from the directory
          1. sudo chmod -R 755 /var/www/html/weewx

At this point, go ahead and browse out to http://youripaddress/weewx/ to see your weather.

Notes:

WeeWX updates the webpage every 30 minutes (1800 seconds) out of the box.  You can force a report update by executing wee_reports weewx.conf or you can modify the /etc/weewx/weewx.conf file by changing the archive_interval variable (in seconds) under the [StdArchive] section.

You can modify the Weewx configuration by editing: /etc/weewx/weewx.conf

You can validate if WeeWX is running by executing: service weewx status

You can look at diagnostics logs by following the guide here: http://www.weewx.com/docs/usersguide.htm#monitoring

Best practices guide on using WeeMX + Raspberry PI: https://github.com/weewx/weewx/wiki/Raspberry%20Pi

How to upgrade your Windows Server Evaluation/Trial

Scenario: You downloaded the evaluation copy of Windows Server and you have 180 days to test out whatever you are working on.  Fast forward a few months and you only have a few days left and you are so happy with how it works, you go out and buy the whole license key.  When you go to apply the license key under System, you get a big ol’ error that says: “This edition cannot be upgraded.”

Solution:

You can use the DISM tool to figure out what versions of Windows Server you can upgrade to, and also use the tool to help change the product key of the version installed.

Easy enough, let’s go ahead and open up command prompt as an administrator (right click on windows flag/start icon, Command Prompt (Admin):

Execute the following command to find out what versions you can upgrade to:

Dism /Online /Get-TargetEditions

In this case, you can see I can upgrade to ServerStandard or ServerDatacenter

Next, let’s go ahead and actually upgrade the edition and inject my license key:

Dism /Online /Set-Edition:TheEditionListedYouWantToGoTo /AcceptEula /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Viola!  At this point, I simply need to reboot and my instance will be upgraded accordingly.

[Tutorial] Integrate Visual Studio Code with Visual Studio Team Services

Here’s a quick way to integrate Visual Studio Code with Visual Studio Team Services.

  1. Create a new Team Project
    1. Instructions on how to create a new Team Project are outlined here: https://docs.microsoft.com/en-us/vsts/accounts/create-account-msa-or-work-student
  2. Create a Personal Access Token
    1. Instructions on how to generate a personal access token are outlined here: https://docs.microsoft.com/en-us/vsts/accounts/use-personal-access-tokens-to-authenticate
  3. Download and install Git: https://git-scm.com/download/
  4. Download Visual Studio Code: https://code.visualstudio.com/Download
  5. Inside of Visual Studio Code, click on the Extensions button
  6. Search the marketplace for Visual Studio Team Services and select Install button
  7. Once the extension has been Installed, click on the Reload button.
  8. Inside of Visual Studio Code, press F1 on your keyboard and type Git: Clone

  9. Once prompted, type in the URL to your Team Project and click on the Open Repository button
  10. Once in the repository, type: Team: Sign In  Select Provide an Access token manually, enter the Personal Access Token from Visual Studio Online and press Enter on your keyboard
  11. From there, go ahead and make a change to any of the files in your Repository
  12. Click on the Source Control icon in Visual Studio Code
  13. Select Commit All
    1. Note: You will be prompted to type in a commit message, go ahead and type in what you changed

  14. Either select Push from the button in the top right, or click the Push button in the bottom left corner
  15. Validate you see the committed changes in Visual Studio Team Services

Setting up a new Raspberry Pi via SSH

This is my super subpar tutorial on how to quickly setup a new Raspberry Pi via SSH (no mouse/keyboard/monitor directly attached to the device).

  1. Download the latest copy of the operating system (I personally prefer Raspbian Stretch Lite for the most minimal setup): https://www.raspberrypi.org/downloads/raspbian/
  2. Extract the download so you have a copy of the ****-**-**-raspbian-stretch-lite.img file
  3. Download Etcher to burn the image to an SD Card: https://etcher.io/
  4. Download a copy of Putty if you don’t have a way to ssh: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  5. Open the SD card you just flashed and you should see the “boot” partition.  Create a file called ssh (no file extension or data needs to be written to the file)
    1. Note: ssh is disabled on all OS builds starting November 16 forward — see here: https://www.raspberrypi.org/documentation/remote-access/ssh/
  6. Default credentials:
    1. Username: pi
    2. Password: raspberry
  7. Quick commands
    1. Configure Raspberry PI specific settings: sudo raspi-config
    2. Proper Shutdown (-h) / Restart (-r): sudo shutdown -h now

Unlike most laptops/desktops, the Raspberry Pi doesn’t have a shutdown button, so always use the commands above to prevent SD Card corruption!

Windows 10 – Missing Windows Disc Image Burner for ISO files

In Windows, you typically are able to download a .ISO file, right click on it, and burn it via your CD/DVD drive using the Windows Disc Image Burner application. Unfortunately, for whatever reason my machine is missing this menu item.

A quick workaround that doesn’t involve any registry hacks is to simply right click on the file, select Open With, and select Choose another app.

Select More apps and scroll to the bottom and select Look for another app on this PC.

Navigate to C:\Windows\System32, select isoburn.exe, and click Open

At this point, you can go ahead and burn your iso 🙂

 

[Tutorial] Configuring an Azure Acitve Directory (AAD) Application to leverage multiple Reply URLs

Use Case:

I was recently asked if it is possible to configure multiple Sign-On URLs for a SalesForce application by a customer.  Per the customer, the Sign on URL and the Identifier URL are how Salesforce HR agents log in, in addition to the forms filled out via the web application. When multiple Reply URLs are configured, SSO is possible between both the agent and web application.  Without configuring multiple URLs, you will receive an error stating that the Reply URL is incorrect via the Agent or Web Application.

In this case, this tutorial will cover how to configure multiple Reply URLs for a single Azure AD Application; whether created from the Azure AD Marketplace or custom.

Here is a link to a customer on SalesForce’s forums asking a very similar question as well: https://developer.salesforce.com/forums/?id=9060G000000ICYYQA4

Configure Multiple Reply URLs in Azure AD

  1. Login to https://portal.azure.com and select Azure Active Directory
  2. Select App Registrations (even though an application may be an Enterprise application, please proceed with App registrations)
  3. Select your application from the list
  4. Select Reply URLs on the right side of the blade
  5. Add/Remove the URLs to the desired configuration and then click Save

Please note that if you do browse back to Enterprise Applications, today the portal will only reflect one-URL as of 7/24/2017.

List of schema versions for Windows Server Active Directory

Here’s the current list of Schema Versions for Active Directory on Windows Server.

OS Schema Version
Windows 2000 Server 13
Windows Server 2003 30
Windows Server 2003 R2 31
Windows Server 2008 44
Windows Server 2008 R2 47
Windows Server 2012 56
Windows Server 2012 R2 69
Windows Server 2016 87

 

You can validate the current schema version you have in your environment via PowerShell or Registry Editor.

Validate schema version via PowerShell:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

In this screenshot, I have ObjectVersion equal to 69, denoting the schema has been extended for AD on Windows Server 2012 R2.

Validate schema version via Registry Editor:

  1. Click Start and search for
  2. regedit
    regedit
  3. Open up regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters
  4. In this screenshot, I have Schema Version equal to 69, denoting the schema has been extended for AD on Windows Server 2012 R2.
    regedit - schema version

Configuring time for Azure IaaS Domain Joined Machines

Synopsis: When placing a Virtual Machine on the Azure Platform, by default it inherits time controls from the underlying hypervisor: Hyper-V.  The default behavior for these VMs is to synchronize the system clock with the host via the Hyper-V TimeSync service (VMIC) for Hyper-V hosts and guests running prior operating systems to Windows Server 2016.

Windows 2016 guests will find the most accurate clock, rather than defaulting to the host. It was for this reason that we advised to manually disable Hyper-V Time Provider setting for machines participating in a domain in Windows 2012R2 and below.  More information on Windows Server 2016 time can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/windows-time-service/windows-2016-accurate-time

To disable the Hyper-V Time Provider, we recommend creating a new Group Policy template and targeting your Azure VMs.

Validate that your machine is synchronized to the Hyper-V Time Provider

Open command prompt and execute the following command: w32tm /query /status

If you see VM IC Time Synchronization Provider, the Guest OS is synchronized to the VM Host

Create a new group policy to disable the Hyper-V Time Provider (VM IC Time Synchronization)

  1. Create a new Group Policy and target it to an OU that contains the machines synchronized to the Hyper-V Time Provider
  2. Edit the new Group Policy Object
  3. Navigate to Computer configuration -> Preferences -> Windows Settings -> Registry and Add a new item

  4. Navigate to the following Key HKLM:SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and select the Enabled Value
  5. Change the Value data to 00000000 and click OK

  6. Restart each of the Azure Virtual Machines or login to each machine and execute the following command to restart the Windows Time service: net stop w32time && net start w32time

  7. Validate that the Source is now pointing to your NTP server/domain by running the following command: w32tm /query /status

[Tutorial] Gathering trace/event logs in ADFS v2.0 and v3.0

Problem:

Gathering trace/event logs in ADFS is not a trivial task.  The following article will show you how to gather these logs to further help investigate relying party trust issues or issues with end users authenticating to the service.  This tutorial will be leveraging ADFS v3.0 on Server 2012 R2.  The same steps should apply for v2.0 on Server 2008 R2.  This process does change slighting in ADFS on Server 2016 as the logging engine was rewritten.  Depending on demand, a second article will be released for ADFS on Server 2016.

Caviets:

Before beginning, as a side note, debugging in ADFS v2-3 is honestly a total PITA (pain in the… butt).  The problem with ADFS logging is logs are stored on the machines serving the requests, not centrally.  In this case, you will likely have to enable tracing on each ADFS server, or configure your load balancer/host file to temporarly route requests to a specific machine so you know which server to hunt down for the logs.  Likewise, as you will find at the end of the tutorial, the logs gathered from ADFS are very verbose.  Take some time to familiarize yourself with the logs of a working request vs a failure to get used to what logs are actually meaningful.

Tutorial:

Enable list of events/audits to be logged

  1. Login to one of your ADFS servers that you believe will be authenticating the end users
  2. Open Server Manager

  3. In Server Manager, select Tools -> AD FS Management
  4. In AD FS Management, select AD FS in the top left and select Edit Federation Service Properties…
  5. Click on the Events tab and check all the items you wish to log and click OK

Enable tracing

  1. Open Server Manager
  2. Select Tools -> Event Viewer
  3. In Event Viewer, select View in the top menu, and select Show Analytic and Debug Logs
  4. Expand Applications and Services Logs, expand AD FS Tracing, and select Debug
    1. Note: In ADFS v2, the AD FS Tracing folder will be called AD FS 2.0 Tracing
  5. When you are ready to begin collecting logs, right click on Debug and select Enable Log
  6. Click OK when prompted to write over the existing event logs
    1. Note: Each time you enable/disable AD FS Tracing, Event Viewer will purge your last results.  I highly recommend you export your logs if you need them for comparison at a later time.
  7. At this point, recreate the issue, error, or login to the relying party you want to debug.
  8. Once you have recreated the error or logged in, go back to Event Viewer, right click on Debug and select Disable Log
  9. At this point, you should have some events captured to further analyse 🙂
  10. Optional Step: Right click on Debug and select Save All Events As…  This will export to a evtx file, in which this can be sent to another team for analysis or you can reference the logs at a later time.
    1. Note: If you are sending the events over to another team for analysis, zip the logs as it will greatly decrease the file size 🙂

Common error when enabling Debug logging

One error I typically see is the following:

AD FS Debug – The requested operation cannot be performed over an enabled direct channel.  The channel must first be disabled before performing the requested operation

This error is caused by a misconfiguration on the logging properties of the Debug log.  Please verify that you have not manually enabled the debug log nor have the maximum log file size set to Overwrite events as needed.

To fix, right click on Debug and select Properties

Typically, the screenshot below is an example of the incorrect settings used; make sure that Enable Logging is unchecked and is Do not overwrite events ( Clear logs manually ) is checked

Here is a picture of the correct settings for the AD FS Tracing Debug Logs; at which point, once the settings are applied, you should no longer receive this error when conducting your debug/trace logging.