Track mpm-itk problems with truss

Some background

I have some security needs on a shared hosting web server at work, and I've ended up installing apache-mpm-itk in place of my old vanilla Apache server. MPM-ITK is a piece of software (a set of patches, in fact) you apply to the Apache source code to change its natural behavior.
Out of the box, Apache spawns a handful of httpd children running as www:www, or whatever your config is using. Only the parent httpd runs as root.
Hence every single httpd must be able to read (and sometimes write) the files of every web site. Now imagine you exploit a vulnerability in a PHP CMS and successfully inject a PHP shell. Through this shell you are www on the server: you can do everything www can, and that is bad, because you can attack the other web sites on the server too, the ones with no known vulnerability.
With MPM-ITK, Apache spawns a handful of httpd processes running as root and, according to your config files, each httpd serving a particular virtual host or directory switches from root to a user:group of your choice before handling the request. So an httpd process currently serving files from web site "foo" cannot access files from web site "bar": an attacker exploiting a vulnerability in one particular web site won't be able to hack every other web site on the server. The trade-off is that the children run as root until that switch happens, so a flaw in Apache itself, or in a module, that is reachable before the per-request uid change would be a root compromise rather than a www one; keep Apache patched.

More background

That's a world you could dream of. In the real world, it's not so simple. In particular, you'll start having trouble as soon as you make use of fancy features, especially when you fail to provide a dedicated virtual host per user.
On the shared server we host about 35 vhosts for 250 web sites, and we can't afford to provide every user with a dedicated vhost. The result is a given virtual host with a default fallback user:group (say www:www), and each web site configured via Directory to use a different dedicated user.

When a client GETs a resource (web page, image, CSS...) it generally keeps the connection open to the httpd process (keep-alive). And it can happen that a resource linked from a web page sits in another directory, belonging to another user. The httpd process has already switched from root to user1 to serve the web page, and it can't switch to user2 to serve the linked image from user2's directory: once a process has dropped root it cannot take another identity. So Apache drops the connection, a fresh httpd process takes the client's next request, switches to user2, and serves the requested resource.
When it happens, you can read things like this in your Apache error log:

[warn] (itkmpm: pid=38130 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[warn] Couldn't set uid/gid/priority, closing connection.

That's perfectly "legal" behavior, nothing to be afraid of, unless you read hundreds of new warnings every minute.
If you host various web sites, belonging to various users, in the same vhost, you're likely to see many of these triggered by the /favicon.ico request.

Where it just breaks

Things get ugly the moment a user tries to use one of the available mod_auth* variants to add user authentication (think .htaccess). Remember, I host many web sites in a single vhost, each one in its own directory with its own user:group.

Suddenly every single visitor trying to access the protected directory or subdirectory is disconnected. Their HTTP client reports something like this:

the server unexpectedly dropped the connection…

and nothing else is available. Server side, the error is the same initgroups error as above, and it does not help at all. How would you solve this? truss is your friend.

Where I fix it

One thing I love about FreeBSD is the availability of many powerful tools out of the box. When I need to track down strange software behavior, I feel very comfortable on FreeBSD (it doesn't mean I'm skilled). truss is one of my favorites: it's simple, straightforward and powerful.
What you need to use truss is the PID of your target. With Apache + MPM-ITK, processes won't stay around very long, and you can't tell in advance which one you will connect to. So the first step is to buy yourself some precious seconds so that you can get the PID of your target before the httpd process dies. Remember, it dies as soon as the .htaccess file is parsed. Being in production, I could not just kill everything and play alone with the server, so I chose another way. I created a PHP script that would run for a few seconds before ending. Server side, I prepared a shell command that would install the .htaccess file I need to test, and start truss while grabbing the PID of my target. On FreeBSD, something like this should do the trick:

cd /path/to/user1/web/site
# match the user column exactly: /^user1/ would also catch user10, user11..., and truss -p wants a single PID
mv .htaccess_inactive .htaccess && truss -p $(ps auxw | awk '$1 == "user1" && /httpd/ {print $2}')

First HTTP GET request: the .htaccess file is not present, an httpd process switches from root to user1 and starts serving the PHP script. I launch my command server-side: it puts .htaccess in place, gets the PID of my httpd process, and starts truss.
The PHP script ends and returns its result; client-side I refresh immediately (second GET request), so that I stay on the same httpd process. My client is disconnected as soon as the httpd process has parsed the .htaccess file. At this point, truss should already have exited, and I have the complete trace of the event. The best is to read the trace backward from the point where the httpd process issues an error about changing UID or GID:

01: setgroups(0x3,0x80a8ff000,0x14,0x3,0x566bc0,0x32008) ERR#1 'Operation not permitted'
02: getgid()                                     = 80 (0x50)
03: getuid()                                     = 8872 (0x22a8)
04: getpid()                                     = 52942 (0xcece)
05: gettimeofday({1364591872.453335 },0x0)       = 0 (0x0)
06: write(2,"[Fri Mar 29 22:17:52 2013] [warn"...,142) = 142 (0x8e)
07: gettimeofday({1364591872.453583 },0x0)       = 0 (0x0)
08: write(2,"[Fri Mar 29 22:17:52 2013] [warn"...,85) = 85 (0x55)
09: gettimeofday({1364591872.453814 },0x0)       = 0 (0x0)
10: shutdown(51,SHUT_WR)                         = 0 (0x0)

Line 01 is the one I'm looking for: the httpd process is trying to change groups and fails. Lines 02 to 05 gather data for the log entry, line 06 writes the error to the log file, and 07 & 08 do the same for the second log line.

From that point in time, moving up shows that it tried to access an out-of-directory resource, and that resource is an HTML error page! Of course, it makes sense, and it's a hard slap on the head (RTFM!).

01: stat("/user/user1/public_html/bench.php",{ mode=-rw-r--r-- ,inode=4121,size=7427,blksize=7680 }) = 0 (0x0)
02: open("/user/user1/public_html/.htaccess",0x100000,00) = 53 (0x35)
03: fstat(53,{ mode=-rw-r--r-- ,inode=4225,size=128,blksize=4096 }) = 0 (0x0)
04: read(53,"AuthType Basic\nAuthName "Admin "...,4096) = 128 (0x80)
05: read(53,0x80a8efd88,4096)                    = 0 (0x0)
06: close(53)                                    = 0 (0x0)
07: open("/user/user1/public_html/bench.php/.htaccess",0x100000,00) ERR#20 'Not a directory'
08: getuid()                                     = 8872 (0x22a8)
09: getgid()                                     = 80 (0x50)
10: stat("/usr/local/www/apache22/error/HTTP_UNAUTHORIZED.html.var",{ mode=-rw-r--r-- ,inode=454787,size=13557,blksize=16384 }) = 0 (0x0)
11: lstat("/usr/local/www/apache22/error/HTTP_UNAUTHORIZED.html.var",{ mode=-rw-r--r-- ,inode=454787,size=13557,blksize=16384 }) = 0 (0x0)
12: getuid()                                     = 8872 (0x22a8)
13: setgid(0x50,0x805d43d94,0x64,0x800644767,0x101010101010101,0x8080808080808080) = 0 (0x0)

Line 13 shows the beginning of the setgid sequence, and lines 10/11 show the culprit. Up from here is the regular processing of the .htaccess file.
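Reading a trace backward by hand works once; when the same "closing connection" warning comes from several sites, it is worth scripting. The following is an added example, not a script from the original post: it takes a truss trace on stdin (the output of the truss -p command above, for instance), finds the first credential switch that fails with EPERM (setgroups/setgid/setuid/initgroups followed by ERR#1), and prints the paths httpd touched in the last few file syscalls before it. Given the directory the serving user owns, each path is tagged "in" or "OUT"; an OUT path right before the failure is the resource that forced the forbidden uid/gid change. The sample trace is constructed from the lines quoted above, with the wrapped lines joined as real truss output prints them.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the "read the trace
# backward" step. Given a truss(1) trace on stdin, find the first credential
# switch that fails with EPERM (setgroups/setgid/setuid/initgroups ... ERR#1)
# and print the paths passed to the WINDOW path-taking syscalls just before it.
# With an optional PREFIX (the directory the serving user owns) each path is
# tagged "in" or "OUT"; an OUT path right before the failure is the resource
# that forced a forbidden uid/gid change.
#
# Usage: truss -p PID 2>&1 | uid_switch_culprit [WINDOW] [PREFIX]
uid_switch_culprit() {
    window=${1:-10}
    inside=${2:-}
    awk -v window="$window" -v inside="$inside" '
        # keep a ring of the last <window> paths handed to file syscalls
        /^[0-9]*:? *(stat|lstat|open|openat|access|readlink)\(/ {
            p = $0
            sub(/^[^"]*"/, "", p); sub(/".*$/, "", p)   # keep only the quoted path
            ring[n % window] = p; n++
        }
        # first failed credential switch: dump the ring, oldest first
        /(setgroups|setgid|setuid|initgroups)\(.*ERR#1 / && !done {
            start = (n > window) ? n - window : 0
            for (i = start; i < n; i++) {
                p = ring[i % window]
                if (inside == "") { print p; continue }
                tag = (index(p, inside) == 1) ? "in" : "OUT"
                print tag, p
            }
            done = 1
        }
    '
}

# Constructed sample, condensed from the trace quoted in the post (the error
# normally sits on the same line as the failing call in real truss output).
sample_trace() {
    cat <<'EOF'
stat("/user/user1/public_html/bench.php",{ mode=-rw-r--r-- ,inode=4121,size=7427,blksize=7680 }) = 0 (0x0)
open("/user/user1/public_html/.htaccess",0x100000,00) = 53 (0x35)
read(53,"AuthType Basic\nAuthName "Admin "...,4096) = 128 (0x80)
close(53) = 0 (0x0)
open("/user/user1/public_html/bench.php/.htaccess",0x100000,00) ERR#20 'Not a directory'
stat("/usr/local/www/apache22/error/HTTP_UNAUTHORIZED.html.var",{ mode=-rw-r--r-- ,inode=454787,size=13557,blksize=16384 }) = 0 (0x0)
lstat("/usr/local/www/apache22/error/HTTP_UNAUTHORIZED.html.var",{ mode=-rw-r--r-- ,inode=454787,size=13557,blksize=16384 }) = 0 (0x0)
setgid(0x50,0x805d43d94,0x64,0x800644767,0x101010101010101,0x8080808080808080) = 0 (0x0)
setgroups(0x3,0x80a8ff000,0x14,0x3,0x566bc0,0x32008) ERR#1 'Operation not permitted'
write(2,"[Fri Mar 29 22:17:52 2013] [warn"...,142) = 142 (0x8e)
shutdown(51,SHUT_WR) = 0 (0x0)
EOF
}

# sample_trace | uid_switch_culprit 3 /user/user1/public_html
```

On the sample, the last two lines printed are the stat() and lstat() of HTTP_UNAUTHORIZED.html.var, both tagged OUT because they live under the server's error directory rather than under the user's public_html. Run it on a live trace with the user's real document root as PREFIX; any other out-of-tree path (an Alias, a shared include, an ErrorDocument) that shows up right before the failure is the next thing to fix.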

RTFM

When you use mod_auth* to present visitors with authentication, the server answers with an error status, and most of the time this error is sent to the client with a dedicated header and a dedicated HTML document (think "404"). When the error is about authentication (401), most clients hide the HTML part and present the user with an authentication popup.
But the HTML part is almost always a physical file somewhere in the server directory tree, outside the user's directory. It is this particular file the httpd process was trying to reach, issuing an initgroups() call to switch back to the vhost's fallback user (the initgroups(www, 80) in the log), and dying because it is not allowed to switch users a second time.
I found in my Apache config the definition of ErrorDocument:

ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
...

and replaced them all with a file-less equivalent, so Apache won't have any error file to read and will just send a plain text error body (it saves bandwidth too):

ErrorDocument 400 "400 HTTP_BAD_REQUEST"
ErrorDocument 401 "401 HTTP_UNAUTHORIZED"
ErrorDocument 403 "403 HTTP_FORBIDDEN"
...

I restarted Apache, and authentication from mod_auth* started to work as usual.
The same approach applies to almost any mpm-itk problem related to a connection loss with the "Couldn't set uid/gid/priority, closing connection" error in the log: you locate the resource that makes your server fail, and you find a way to serve it without a second identity switch, either by keeping it inside the user's directory tree or, as here, by not reading a file at all.

A few days with the Nexus 4

As mentioned earlier, I let my guard down, and bang, I find myself with a Google Nexus 4 smartphone. Of course, it is rarely by accident that you put a shell script in a crontab to check every 5 minutes whether a phone model is back in stock on the retailer's site... I can hardly plead accident.
I'll skip the technical specifications of the thing. What matters is that this phone is my first modern model. My previous tool was a Nokia 3100, almost 10 years old, obtained back then for 1 euro with an entry-level plan, and still working perfectly. Paying 300 times more for this Nexus, I already know it won't live as long. Holy Obsolescence, and all that. But let's move on.
The first experience with a smartphone is something unsettling. One thing you never think about, for instance, is the way the phone shrinks over a handful of days. Freshly received and unboxed, the device seemed huge to me, awkward, bulky compared to my faithful 3100, which sits very nicely in the palm of my hand. After a few days, it's not that big any more, and it sits a bit better in the hand. Above all, the more you use it, the more you find the screen too small.
Ergonomics-wise, I'm rather satisfied with the version of Android supplied. It's clean, rather well done, and even without a user manual I found my bearings fairly quickly. I have more trouble with the hardware, though. Without a tacky case to protect the controls, the phone is quite slippery, very smooth, and the all-touch design gives no cues under the fingers. I think I would have appreciated a thin non-slip strip along the edge. My phone tells me it has a slightly non-slip band on the sides, but I must admit that's not at all how I imagined it, so it doesn't count.
Being something of a photographer, I was immediately interested in color rendition. The result is very disappointing, especially next to my calibrated screen. Photos come out greenish. On the other hand, viewed without an external reference, the image remains pleasant. And here I have a real added value: I now carry my portfolio in my pocket. That's quite handy when I want to talk about what I do without having my website at hand. The camera, for its part, is of poor quality, but I haven't yet measured how poor, not having tested it outdoors in daylight. I also have to see whether it can be used together with my Ranger Quadra.
Overall, I'm satisfied, but not especially thrilled. My general opinion of smartphones hasn't really changed (they're expensive, not good for much, and largely undersized for what I would want to use one for). For me, with no data plan, the real gains are: the keyboard for texting, the photo galleries so I carry my portfolio in my pocket, and the GPS coupled with Google Maps data stored locally (because even lichen has a better sense of direction than I do).

Mac OS X Benchmark: native vs virtualized

An important thing about my work-in-progress virtualized workstation setup is that I created the Mac OS X VM using my very own hard drives, hooked up as raw devices (RDM: raw device mapping). So I can boot exactly the same OS directly from the hard drive, or from ESXi into a virtual machine. Quite convenient when the time comes to make comparisons. And now I can boot the VM with the ATI Radeon graphics card plugged in in passthrough mode, thanks to VMware DirectPath I/O and some tweaking.
While it's not enough to make a workstation (still missing a keyboard/mouse in passthrough), it allows some benchmarks. I ran XBench on the VM and on the same OS booted natively from the hard drive.

The VM is configured with only 4 CPUs. The Mac Pro sports a quad-core Xeon capable of hyperthreading, so when Mac OS X boots natively it sees 8 CPUs. It might explain the 50% difference on the Thread test, but that will require further testing.

The final result is not good at all. I understand very well that virtualization has a performance cost, but if I want a powerful virtualized workstation I need a setup that wastes as few resources as possible.
The Quartz Graphics and User Interface tests show that "desktop" graphics are well supported, but the OpenGL test results are horrendous. With a performance loss of 87%, it predicts much trouble with games. According to this very simple benchmark, the VMware passthrough mode for graphics cards seems to be very bad compared to what can be seen on Xen, for example.
To be honest, with my hard disks accessed directly via RDM, I thought I would see a 10-15% penalty. The 46% drop for sequential access surprises me. As for the GPU, the OpenGL results are so bad I'm wondering if the graphics card is properly passed through. Maybe some features are just dropped in the process. By the way, the virtualized Mac OS X won't load the screen color profile. Maybe it's related to the pseudo-VGA screen attached to the vSphere console. Unfortunately I can't get rid of this pseudo-VGA screen yet. Until I find a way to pass keyboard and mouse through to the VM, I need the vSphere console.

XBench 1.3 results: score (and raw rate where XBench reports one), native boot versus ESXi VM, change relative to native.

Test                           | Native (Mac Pro)          | Virtualized (ESXi VM)     | Change
-------------------------------+---------------------------+---------------------------+----------
Results                        | 259.39                    | 127.18                    | -50.97 %
System Info                    |                           |                           |
  Xbench Version               | 1.3                       | 1.3                       |
  System Version               | 10.6.8 (10K549)           | 10.6.8 (10K549)           |
  Physical RAM                 | 24576 MB                  | 12288 MB                  |
  Model                        | MacPro5,1                 | VMware7,1                 |
  Drive Type                   | WDC WD1001FALS            | WDC WD1001FALS (ATA)      |
CPU Test                       | 205.42                    | 200.27                    | -2.51 %
  GCD Loop                     | 314.75 (16.59 Mops/s)     | 305.66 (16.11 Mops/s)     | -2.89 %
  Floating Point Basic         | 182.81 (4.34 Gflop/s)     | 177.44 (4.22 Gflop/s)     | -2.94 %
  vecLib FFT                   | 121.5 (4.01 Gflop/s)      | 119.14 (3.93 Gflop/s)     | -1.94 %
  Floating Point Library       | 385.38 (67.11 Mops/s)     | 374.17 (65.15 Mops/s)     | -2.91 %
Thread Test                    | 954.74                    | 477.33                    | -50.00 %
  Computation, 4 thr.          | 989.65 (20.05 Mops/s)     | 517.69 (10.49 Mops/s)     | -47.69 %
  Lock Contention, 4 thr.      | 922.22 (39.67 Mlocks/s)   | 442.8 (19.05 Mlocks/s)    | -51.99 %
Memory Test                    | 452.72                    | 370.19                    | -18.23 %
  System                       | 493.4                     | 452.74                    | -8.24 %
    Allocate                   | 746.78 (2.74 Malloc/s)    | 877.63 (3.22 Malloc/s)    | +17.52 %
    Fill                       | 352.03 (17116.62 MB/s)    | 287.47 (13977.29 MB/s)    | -18.34 %
    Copy                       | 526.18 (10867.96 MB/s)    | 497.95 (10285.00 MB/s)    | -5.37 %
  Stream                       | 418.24                    | 313.1                     | -25.14 %
    Copy                       | 422.51 (8726.77 MB/s)     | 321.23 (6634.92 MB/s)     | -23.97 %
    Scale                      | 395.84 (8178.02 MB/s)     | 303.88 (6278.02 MB/s)     | -23.23 %
    Add                        | 438.89 (9349.24 MB/s)     | 328.71 (7002.18 MB/s)     | -25.10 %
    Triad                      | 417.99 (8941.89 MB/s)     | 300.37 (6425.59 MB/s)     | -28.14 %
Quartz Graphics Test           | 315.19                    | 300.47                    | -4.67 %
  Line [50% α]                 | 239.24 (15.93 Klines/s)   | 232.29 (15.47 Klines/s)   | -2.91 %
  Rectangle [50% α]            | 314.61 (93.93 Krects/s)   | 296.25 (88.45 Krects/s)   | -5.84 %
  Circle [50% α]               | 264.41 (21.55 Kcircles/s) | 251.89 (20.53 Kcircles/s) | -4.74 %
  Bezier [50% α]               | 279.29 (7.04 Kbeziers/s)  | 263.55 (6.65 Kbeziers/s)  | -5.64 %
  Text                         | 875.44 (54.76 Kchars/s)   | 836.28 (52.31 Kchars/s)   | -4.47 %
OpenGL Graphics Test           | 306.01                    | 39.01                     | -87.25 %
  Spinning Squares             | 306.01 (388.19 frames/s)  | 39.01 (49.49 frames/s)    | -87.25 %
User Interface Test            | 463.72                    | 405.19                    | -12.62 %
  Elements                     | 463.72 (2.13 Krefresh/s)  | 405.19 (1.86 Krefresh/s)  | -12.62 %
Disk Test                      | 97.42                     | 72.35                     | -25.73 %
  Sequential                   | 176.21                    | 94.27                     | -46.50 %
    Uncached Write [4K blk.]   | 180.38 (110.75 MB/s)      | 167.14 (102.62 MB/s)      | -7.34 %
    Uncached Write [256K blk.] | 177.43 (100.39 MB/s)      | 80.84 (45.74 MB/s)        | -54.44 %
    Uncached Read [4K blk.]    | 149.41 (43.73 MB/s)       | 51.88 (15.18 MB/s)        | -65.28 %
    Uncached Read [256K blk.]  | 207.16 (104.12 MB/s)      | 208.09 (104.59 MB/s)      | +0.45 %
  Random                       | 67.32                     | 58.7                      | -12.80 %
    Uncached Write [4K blk.]   | 21.3 (2.25 MB/s)          | 19.86 (2.10 MB/s)         | -6.76 %
    Uncached Write [256K blk.] | 507.04 (162.32 MB/s)      | 300.75 (96.28 MB/s)       | -40.69 %
    Uncached Read [4K blk.]    | 159.73 (1.13 MB/s)        | 96.75 (0.69 MB/s)         | -39.43 %
    Uncached Read [256K blk.]  | 235.97 (43.79 MB/s)       | 242.2 (44.94 MB/s)        | +2.64 %

Mac OS X on VMware ESXi: ATI Radeon passthrough

Lately I've been quite involved in a virtualization project: running Mac OS X and Windows as workstations on top of VMware's "bare-metal" hypervisor ESXi on my Mac Pro. It requires a good knowledge of virtualization and of VMware products like ESXi and vSphere, serious sysadmin skills, and lots of perseverance.

I've finally managed to boot a Mac OS X 10.6.8 virtual machine on top of ESXi, on my Mac Pro, with a proper amount of RAM (12 GB) and the graphics card in passthrough mode. That required a manual tweak of the vmx file.
The VM wouldn't boot when configured with both the graphics card in passthrough and more than 2 GB RAM. I had to add these two lines to the vmx file:

pciHole.start = "1200"
pciHole.end = "2200"

Then I was able to boot my Mac OS X VM with 12 GB RAM and the graphics card in passthrough. Great. I'm still lacking passthrough for the USB keyboard and mouse, meaning I need a remote computer with the vSphere Client to control my VM through the embedded console. But the VM uses the physical ATI Radeon and the physical screen, and in theory it could use the full GPU power.

It looks like things are working OK, but it'll take time and many more tests to make sure everything is really working. For example, I was not able to launch 3D FPS games like Left 4 Dead and Left 4 Dead 2 in the VM. The game would crash on launch.

Fix a stuck Steam client on Mac OS X

From time to time, the startup of my Steam client on Mac OS X (10.6.8) is incredibly slow. And sometimes it won't even launch successfully, getting stuck with a Beach Ball of Death.
A quick diagnostic comes from the powerful utility dtruss:

$ sudo dtruss -p <PID of steam process>
...
__semwait_signal(0x14D03, 0x4D03, 0x1)		 = -1 Err#60
__semwait_signal(0x17C03, 0x3F03, 0x1)		 = -1 Err#60
__semwait_signal(0xC03, 0x0, 0x1)		 = -1 Err#60
semop(0x2000F, 0xB5464C98, 0x1)		 = -1 Err#35
__semwait_signal(0xC03, 0x0, 0x1)		 = -1 Err#60
__semwait_signal(0x4D03, 0x14D03, 0x1)		 = -1 Err#60
...

If you read a LOT of errors on __semwait_signal and semop lines, you can fix your client quite easily. I must say it might have side effects, but I've never seen any.
First, kill the Steam client (right-click on its icon in the Dock, choose "Force Quit"), then list the semaphores:

$ ipcs -s
IPC status from <running system> as of Fri Nov 30 21:28:29 CET 2012
T     ID     KEY        MODE       OWNER    GROUP
Semaphores:
s 131072 0xe93c17d9 --ra-------   patpro   patpro
s 131073 0xc0ec4f17 --ra-ra-ra-   patpro   patpro
s 196610 0xb9e1e4e1 --ra-ra-ra-   patpro   patpro
s 131075 0x697a55e6 --ra-ra-ra-   patpro   patpro
s 131076 0x2e726ce1 --ra-ra-ra-   patpro   patpro
s 196613 0xa9ae61d6 --ra-ra-ra-   patpro   patpro
s 131078 0x1a661f70 --ra-------   patpro   patpro
s 196615 0x36dbd757 --ra-------   patpro   patpro
s 196616 0x44433b26 --ra-ra-ra-   patpro   patpro
s 196617 0x3cea9ea0 --ra-ra-ra-   patpro   patpro
s 196618 0xec712fa7 --ra-ra-ra-   patpro   patpro

If your steam client is not running and you read a full list of semaphores, you might want to remove them:

$ for SEM in $(ipcs -s | awk '/^s / {print $2}'); do ipcrm -s $SEM; done

Then your Steam client should launch faster (well, at a normal speed), and it shouldn't get stuck.
Use at your own risk.
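The one-liner above removes every semaphore set ipcs -s lists, whoever created it; on a machine that also runs something like a database server, that is the side effect to worry about. As an added example (not from the original post), here is a version that parses the same ipcs -s output, keeps only the sets owned by a given user, prints them for review by default, and only calls ipcrm when asked and when no Steam process is still running. The column layout (T ID KEY MODE OWNER GROUP) is the one shown in the listing above; the sample input is that listing, reused here as test data.

```shell
#!/bin/sh
# Added example, not from the original post: a more careful clean-up than
# "ipcrm every semaphore". Only semaphore sets owned by $owner are selected,
# nothing is removed unless "remove" is passed, and removal refuses to run
# while a Steam process is still alive (pgrep -x assumed available, as on
# Mac OS X 10.6).
#
# Usage: ipcs -s | stale_sems USER          -> print matching IDs
#        ipcs -s | stale_sems USER remove   -> ipcrm -s each of them
stale_sems() {
    owner=$1
    mode=${2:-list}
    if [ "$mode" = "remove" ] && pgrep -x Steam >/dev/null 2>&1; then
        echo "Steam is still running; Force Quit it first" >&2
        return 1
    fi
    # ipcs -s columns on Mac OS X: T ID KEY MODE OWNER GROUP
    # keep only semaphore sets ("s" in column T) owned by $owner
    awk -v owner="$owner" '$1 == "s" && $5 == owner { print $2 }' |
    while read -r id; do
        if [ "$mode" = "remove" ]; then
            ipcrm -s "$id"
        else
            echo "$id"
        fi
    done
}

# Sample input: the ipcs -s listing quoted in the post, used here as test data.
sample_ipcs() {
    cat <<'EOF'
IPC status from <running system> as of Fri Nov 30 21:28:29 CET 2012
T     ID     KEY        MODE       OWNER    GROUP
Semaphores:
s 131072 0xe93c17d9 --ra-------   patpro   patpro
s 131073 0xc0ec4f17 --ra-ra-ra-   patpro   patpro
s 196610 0xb9e1e4e1 --ra-ra-ra-   patpro   patpro
s 131075 0x697a55e6 --ra-ra-ra-   patpro   patpro
s 131076 0x2e726ce1 --ra-ra-ra-   patpro   patpro
s 196613 0xa9ae61d6 --ra-ra-ra-   patpro   patpro
s 131078 0x1a661f70 --ra-------   patpro   patpro
s 196615 0x36dbd757 --ra-------   patpro   patpro
s 196616 0x44433b26 --ra-ra-ra-   patpro   patpro
s 196617 0x3cea9ea0 --ra-ra-ra-   patpro   patpro
s 196618 0xec712fa7 --ra-ra-ra-   patpro   patpro
EOF
}

# sample_ipcs | stale_sems patpro          # review first
# ipcs -s | stale_sems "$USER" remove      # then actually clean up
```

Review the list before passing "remove": if an ID you did not expect shows up (anything Steam did not create), leave it alone rather than removing the whole set.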

Spamhaus’ ZEN blacklist efficiency

At work, I have been using Spamhaus' Zen blacklist for many years now. For a huge organization the amount of daily checks makes it impossible to rely on the free Spamhaus service. So we pay for a local copy of the blacklist, rsynced every 20 minutes. It allows faster checks too. When you use Spamhaus' blacklists as a paid service, the question is: how can you rate your return on investment? In an attempt to answer this question, I've gathered 2 years and 9 months worth of mail server log files (12 GB bzip2) and extracted some data.

I use greylisting, blacklisting, whitelisting, antispam/antivirus, and recipient-based filtering. So it makes things quite complicated when I need clear statistics about what is going on. The MX server accepts around 1.3 million messages a month for internal delivery, but many more come knocking at the door.
The main purpose of blacklisting is to limit the amount of email going through expensive filters. Greylist and blacklist are cheap filters: they are fast, and they cost very little CPU, memory, and network resources. In comparison, antispam and antivirus filters are expensive: they are slow, and have a huge CPU, memory and network usage. I do before-queue content filtering. It means the MX server scans for spam and viruses before the email is accepted, so the whole filtering process must take place during the SMTP session, and that's a pretty hard thing to do. To make sure that spam and virus filters are available for fast analysis, you must block as many bad emails as possible with cheap (and fast) filters.

So here is the deal: use of a paid RBL (Spamhaus' Zen, here) is only relevant if the expensive filters cannot cope with the traffic on their own. Below, the gnuplot output for MX log files between 20100101 and 20120928. It shows in red the number of hits in the zen RBL, in green the number of emails coming out of Amavisd-new as "clean", and in blue the number of spam blocked by Amavisd-new.

2 years and 9 months of data: daily spam count in blue (“Blocked Spam” in amavisd-new logs), daily clean count (“Passed”) in green, daily blacklist hits in red (blocked using zen.dnsbl-local in Postfix logs).

It shows, mainly, that hits in the blacklist have plummeted, while the levels of spam and clean emails out of Amavisd-new are fairly constant. So while the blacklist is blocking at least 5 times fewer incoming SMTP transactions, the amount of email reaching the antispam does not change. Spamhaus' zen blacklist efficiency is good (no increase in spam detected behind it), but it becomes less useful every day.
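The three series above come straight out of the MX logs: Postfix rejects carrying the RBL name, and Amavisd-new's "Passed CLEAN" and "Blocked SPAM" lines. The following is an added example, not the script behind the plot: it counts the three per day from syslog-style Postfix and amavisd-new lines on stdin, and adds the ratio that answers the return-on-investment question, how many SMTP transactions the cheap filter stopped for each message the expensive filters had to scan. The RBL name zen.dnsbl-local is the one named in the caption above; the sample log lines are constructed and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own tooling: per-day counts of the three
# series the post plots, from Postfix + amavisd-new syslog lines on stdin.
#   rbl   = SMTP transactions Postfix rejected because of the RBL
#   clean = messages amavisd-new passed as clean
#   spam  = messages amavisd-new blocked as spam
# rbl_per_scanned = rbl / (clean + spam): connections stopped by the cheap
# filter for each message the expensive filters had to scan.
#
# Usage: daily_counts [RBL_NAME] < maillog      (default: zen.dnsbl-local)
daily_counts() {
    rbl=${1:-zen.dnsbl-local}
    awk -v rbl="$rbl" '
        # syslog lines start with "Mon DD HH:MM:SS"; key everything on "Mon DD"
        { day = $1 " " $2 }
        # Postfix reject caused by this RBL (other reject reasons are not counted)
        /postfix\/smtpd.*NOQUEUE: reject:/ && index($0, "blocked using " rbl) {
            rbl_n[day]++; seen[day] = 1
        }
        /amavis.*Passed CLEAN/  { clean[day]++; seen[day] = 1 }
        /amavis.*Blocked SPAM/  { spam[day]++;  seen[day] = 1 }
        END {
            for (d in seen) {
                scanned = clean[d] + spam[d]
                ratio = (scanned > 0) ? rbl_n[d] / scanned : 0
                printf "%s rbl=%d clean=%d spam=%d rbl_per_scanned=%.2f\n",
                       d, rbl_n[d], clean[d], spam[d], ratio
            }
        }
    ' | sort   # lexical order; use sort -k1,1M -k2,2n for calendar order where supported
}

# Constructed sample log lines (not a real capture); placeholder addresses.
sample_maillog() {
    cat <<'EOF'
Mar 29 22:17:52 mx postfix/smtpd[38130]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.dnsbl-local; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<example.net>
Mar 29 22:17:53 mx postfix/smtpd[38131]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.dnsbl-local; from=<x@example.net> to=<b@example.org> proto=SMTP helo=<x>
Mar 29 22:17:54 mx postfix/smtpd[38132]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.12]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<y@example.com> to=<nobody@example.org> proto=ESMTP helo=<mail.example.com>
Mar 29 22:18:01 mx amavis[5678]: (05678-01) Passed CLEAN {RelayedInbound}, [192.0.2.20]:4321 <c@example.net> -> <b@example.org>, Hits: -1.2, size: 1234, 245 ms
Mar 29 22:18:05 mx amavis[5679]: (05679-01) Blocked SPAM {DiscardedInbound}, [192.0.2.21]:4322 <d@example.net> -> <b@example.org>, Hits: 17.9, size: 2345, 310 ms
Mar 30 08:00:01 mx amavis[5680]: (05680-01) Passed CLEAN {RelayedInbound}, [192.0.2.22]:4323 <e@example.net> -> <b@example.org>, Hits: 0.4, size: 999, 200 ms
EOF
}

# sample_maillog | daily_counts
# bzcat maillog.*.bz2 | daily_counts zen.dnsbl-local > rbl-vs-amavis.dat   # feed to gnuplot
```

The recipient-unknown reject on the sample's third line is deliberately not counted: only rejects that name the RBL go into the red curve, which is what makes the ratio meaningful. When rbl_per_scanned trends toward zero while clean and spam stay flat, the RBL is no longer what keeps the before-queue filters afloat.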

Below, the gnuplot output for the same time period showing the number of lines in the Postfix logs:

total number of lines in postfix logs, daily basis


It's good enough to stand for the evolution of the number of SMTP sessions, and it's very similar to the curve of blacklist hits. We can then conclude that an external factor is responsible for the drop in incoming unwanted SMTP transactions. The war on botnets really took off in 2010, so maybe we have an explanation here.

Let's go back to the main idea of this post: is the zen blacklist worth its yearly fee? Based on my experience, yes it is, or at least, it was. From 2008 to 2011, it was clearly an asset. Before-queue content filtering would have been absolutely unusable without it. By dramatically reducing the load on the antivirus and antispam, the zen RBL allowed me to handle about 1,300,000 clean email messages per month on a single MX server with b-qcf (on a 6-year-old Apple Xserve).
In 2012, the zen blacklist still blocks a good daily amount of spam before it reaches the real antispam. But it's clear that if the trend continues, I will not renew the Spamhaus subscription in September 2013. At this rate, the usefulness of this blacklist will not be worth its cost by the end of 2012. Now that big vendors like Microsoft have embraced the war on botnets, I'm pretty confident that I won't need the zen RBL any longer.

Nuxeo, round 2

I decided to give Nuxeo a second chance. In late 2011 and early 2012 I had run into a few difficulties that had really put me off: assorted bugs, a shaky MySQL implementation, problems proxying behind mod_ssl, etc.
Fresh from a recent apache+mod_ssl+tomcat setup that ended brilliantly with an application properly hidden behind an apache+ssl proxy, I got it into my head to reproduce the setup with Nuxeo. So I downloaded and installed the latest version of Nuxeo, purged the existing MySQL database, and started the configuration.
First point: mea maxima culpa. MySQL support seems far less bad than what I had observed almost a year ago. Indeed, while circling around my SSL configuration, I was led to poke my nose into Nuxeo's logs, and noticed that they contained indications of MySQL-related errors. After correcting them, I got behavior from the application that should be better. I stay in the conditional, because last year everything had seemed to work fine for a few weeks, before I started noticing malfunctions.
Second point: Ha. I finally found drag & drop again. I lost drag & drop. Maybe I was dreaming when I tested Nuxeo DM 5.4, but testing version 5.6 I can't find a way to drag and drop files from one folder to another to file them simply. It's very frustrating; Nuxeo's drag and drop was a major advantage over Alfresco.
Third point: I botched the SSL. The initial goal of my exercise, reconfiguring the apache+mod_ssl+tomcat chain, did not give satisfaction, so I'm running with the same workarounds as initially (redirecting http requests to https, in particular).
Fourth point: lovely WebDAV. I love WebDAV, it's a nice protocol, fits everywhere, supported out of the box by my system. I use it almost every day at work and at home. I even configured a program on the networked copier at the office to send the document scans I make directly to a WebDAV server. In short, I just discovered that Nuxeo lets me access my workspace directly over WebDAV. I can add documents and folders, file/move them, and even edit them in an office suite directly from my system's desktop.
⌘K, https://monserveur/nuxeo/site/dav/, login/password, and presto, it's mounted on the desktop. Life is good.
Come on, I'll try to use it several times a week, and see where that leads me. Verdict in a month.