nathany | it appears there have been some bogus vhost requests | 00:00 |
---|---|---|
nathany | that have probably sent 500s | 00:00 |
nathany | of course, rdfa.info and translate are both fucked as well according to nagios, so it's not all cc.engine | 00:00 |
nathany | it appears the vhost info is getting urlencoded | 00:01 |
nkinkade | I know ... and rdfa.info is where I'm looking now. | 00:02 |
nkinkade | I wasn't trying to single out cc.engine, but 3/5 of the problems are cc.engine related, so I thought it was a good place to look around. | 00:03 |
nkinkade | paulproteus: is LicenseChooser.js hosted off a8 in any way? | 00:05 |
paulproteus | I think it's on the api-dot domain, right? | 00:05 |
paulproteus | which is on a8 | 00:06 |
* paulproteus checks the samples | 00:06 | |
nkinkade | Someone wrote in saying that " We have a license chooser and display user control based on your java script project. I'm not a developer so I do not have access into the code and API calls that are failing. I can't get you the details until later." | 00:06 |
paulproteus | http://labs.creativecommons.org/demos/jswidget/tags/0.95/example_web_app/with-seed-without-jurisdiction.html works fine and <script src>s in LicenseChooser.js off api-dot | 00:06 |
paulproteus | That's likely the reason. | 00:06 |
nkinkade | paulproteus: What's the specific URL that might be failing? | 00:07 |
paulproteus | http://api.creativecommons.org/jswidget/tags/0.95/complete.js?locale=en_US&jurisdictions=disabled | 00:09 |
paulproteus | But it works | 00:09 |
paulproteus | going off irc for ca. 30m | 00:09 |
nathany | nkinkade: did they give the URL of their site so we could look @ that? | 00:10 |
nathany | (i wonder if it was just due to the downtime of a8?) | 00:10 |
nkinkade | nathany: I asked for a URL and the above was his reply. | 00:11 |
nkinkade | I suspect his reply came before the API was fully functional again. | 00:12 |
nathany | yeah... if the demo seems to be working, i guess write back and let him know we had some downtime around an upgrade | 00:12 |
nathany | ask if it's still having problem | 00:12 |
nkinkade | nathany: I also just found out that the CC Planet requires python2.4 because rdfadict isn't installed for 2.5 | 00:12 |
nkinkade | nathany: I asked. | 00:12 |
nathany | nkinkade: cool (re: asking) | 00:12 |
nathany | nkinkade: well we could install rdfadict for python2.5 | 00:13 |
nkinkade | nathany: What's the method for that again? | 00:13 |
paulproteus | I imagine so. | 00:13 |
nkinkade | easy_install? | 00:13 |
nathany | if that's installed for 2.5 | 00:15 |
*** lotia has joined #cc | 00:15 | |
nathany | what box is that again? | 00:16 |
nathany | nkinkade: a8? | 00:16 |
nkinkade | nathany: $ sudo easy_install rdfadict | 00:16 |
nathany | right | 00:16 |
nkinkade | That *seems* to have done it. Yeah, a8. | 00:16 |
nkinkade | I saw references to installing things in 2.5. | 00:17 |
nathany | you can do easy_install-2.5 (or -2.4) if you want a specific python version | 00:17 |
nathany | nkinkade: i have to run home... be back online soon (hopefully) | 00:17 |
nkinkade | nathany: Cool. | 00:18 |
nkinkade | I think things have settled. Just a matter of getting those last few sites working Nagios. | 00:18 |
nkinkade | Thanks for your help. | 00:18 |
*** nathany has quit IRC | 00:34 | |
*** jgay has joined #cc | 00:35 | |
*** lotia_ has joined #cc | 01:01 | |
*** lotia has quit IRC | 01:02 | |
*** nathany has joined #cc | 01:07 | |
*** tanjir has joined #cc | 01:08 | |
paulproteus | nathany, rehi | 01:14 |
paulproteus | Editing this screencast never was fun, but it'll be nice to have it be over. | 01:14 |
*** grue_ has joined #cc | 01:17 | |
*** grue has quit IRC | 01:18 | |
*** grue has joined #cc | 01:18 | |
*** grue has quit IRC | 01:19 | |
nathany | paulproteus: heh | 01:25 |
nathany | yeah, it'll be good to have it done | 01:26 |
paulproteus | This is the one where in the first take, the staging server didn't have fr_CA show up at all and totally ruined my demo. | 01:26 |
paulproteus | Boo frickin' hoo. | 01:26 |
nathany | heh | 01:26 |
paulproteus | Anyway, back to Audacity. | 01:26 |
nathany | ok, i'm off for 60-90 min | 01:26 |
nathany | ttyl | 01:26 |
*** nathany has quit IRC | 01:26 | |
paulproteus | ttyl | 01:26 |
*** Bovinity has quit IRC | 01:31 | |
*** Bovinity has joined #cc | 02:03 | |
*** mecredis has joined #cc | 02:12 | |
*** K`Tetch has quit IRC | 02:39 | |
*** K`Tetch has joined #cc | 02:47 | |
*** K`Tetch has quit IRC | 02:56 | |
*** mlinksva has quit IRC | 02:59 | |
*** K`Tetch has joined #cc | 03:02 | |
*** mecredis has quit IRC | 03:15 | |
*** jgay has quit IRC | 03:18 | |
*** nkinkade has quit IRC | 03:26 | |
*** mecredis has joined #cc | 03:28 | |
*** mecredis has quit IRC | 03:51 | |
*** nathany has joined #cc | 03:53 | |
*** johndoigiii_ has quit IRC | 05:04 | |
*** [mharrison] has joined #cc | 05:21 | |
*** tanjir has quit IRC | 05:32 | |
*** parkerhiggins has quit IRC | 05:58 | |
isforinsects | ?def isforinsects | 06:11 |
*** Bovinity has quit IRC | 07:02 | |
*** sama has joined #cc | 07:59 | |
*** nathany has quit IRC | 08:18 | |
*** UncleCJ2_ has quit IRC | 09:36 | |
*** UncleCJ2_ has joined #cc | 10:02 | |
*** sama has quit IRC | 10:03 | |
*** UncleCJ2__ has joined #cc | 10:03 | |
*** sama has joined #cc | 10:23 | |
*** UncleCJ2_ has quit IRC | 10:24 | |
*** UncleCJ2__ is now known as UncleCJ2 | 10:41 | |
*** K`Tetch has quit IRC | 12:00 | |
*** nathany has joined #cc | 12:54 | |
*** parkerhiggins has joined #cc | 13:08 | |
*** kreynen has joined #cc | 13:16 | |
*** UncleCJ2 has quit IRC | 13:32 | |
*** UncleCJ2_ has joined #cc | 13:49 | |
*** nathany has quit IRC | 13:53 | |
*** johndoigiii has joined #cc | 14:16 | |
*** johndoigiii_ has joined #cc | 14:21 | |
*** lotia_ has quit IRC | 14:30 | |
*** UncleCJ2_ has quit IRC | 14:32 | |
*** nkinkade has joined #cc | 14:37 | |
*** johndoigiii has quit IRC | 14:41 | |
*** keksschaf has joined #cc | 14:47 | |
*** mlinksva has joined #cc | 14:55 | |
*** mlinksva has quit IRC | 15:03 | |
*** nathany has joined #cc | 15:08 | |
*** jgay has joined #cc | 15:11 | |
*** kreynen has quit IRC | 15:11 | |
*** K`Tetch has joined #cc | 15:22 | |
*** lotia has joined #cc | 15:26 | |
*** UncleCJ2_ has joined #cc | 15:27 | |
nkinkade | paulproteus: Do you find it spurious that the Nagios check_http plugin automatically appends :80 to the end of the Host: HTTP header? | 15:33 |
nathany | nkinkade: he's on his way to ETech right now, not sure he'll see it until he gets there | 15:34 |
nathany | is that the cause of the nagios weirdness from yesterday? | 15:34 |
nkinkade | Debian has a custom patch, but it propagates this behavior: http://patch-tracking.debian.net/patch/series/view/nagios-plugins/1.4.12-5/41_check_http_fix_http_header.dpatch | 15:34 |
nathany | btw, the license engine on a5 is the new buildout | 15:34 |
nkinkade | nathany: It has something to do with that, but I'm not quite sure why it only affects rdfa.info and a couple others. | 15:34 |
nathany | it seems to be running ok but i need to add an init script | 15:34 |
nathany | hrm | 15:34 |
nathany | that is weird | 15:34 |
nkinkade | Any ideas? | 15:34 |
nathany | as to whether it's spurious or not? | 15:35 |
nathany | not sure, to be honest | 15:35 |
nathany | does it screw with Varnish to have :80 there? (since we do the hostname based dispatching) | 15:36 |
nkinkade | No, the problem happens when I go right to port 8080 as well. | 15:36 |
*** johndoigiii has joined #cc | 15:36 | |
nkinkade | So, it's something weird with Apache, HTTP, and the check_http plugin. | 15:36 |
nathany | hrm | 15:36 |
nathany | so what does it do that's unexpected when the port is appended? | 15:37 |
nkinkade | nathany: http://pastebin.com/d30c49a46 | 15:39 |
nathany | nkinkade: interesting | 15:39 |
nkinkade | I'm not sure why Apache redirects only for rdfa.info and not all the other vhosts. | 15:39 |
nathany | i mean, it does make a certain amount of sense for Apache to say "uh, the 80 isn't needed, thanks", but it's weird it's just for rdfa.info | 15:40 |
nkinkade | Oh, and removing that :80 from the request also fixes /license and /licenses | 15:40 |
nathany | you mean in the nagios test? | 15:40 |
nkinkade | Right. That's what confuses me. | 15:40 |
nkinkade | nathany: Yeah. | 15:40 |
nkinkade | I can manually run check_http ... it's a binary. | 15:40 |
nkinkade | And when I specify a "Host:" header on my own, without the :80, then they work ... but it also reverts to HTTP/1.0 for some reason. | 15:41 |
nkinkade | I admit I don't know much about the HTTP protocol. | 15:41 |
nathany | well that fits with the error we were seeing in z3.log yesterday that was complaining about the vhost formatting | 15:41 |
nathany | since it uses colons to separate things, the extra port probably got added in there confusing it | 15:42 |
nathany | does check_http have a flag to force it to 1.0? maybe it's a "feature" of 1.1? | 15:42 |
nathany | (i'm totally grasping @ straws) | 15:42 |
nkinkade | Seems that it's valid to append the port: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23 | 15:44 |
nathany | nkinkade: is 9080 open to the outside world on a7 or a5? | 15:45 |
nathany | i guess it is on a5, huh | 15:45 |
nathany | i wonder if we make the request to 9080 directly if we can see what we get | 15:45 |
nathany | (logging into the nagios box) | 15:45 |
*** johndoigiii_ has quit IRC | 15:45 | |
nathany | nkinkade: where does check_http live? | 15:45 |
nkinkade | /usr/lib/nagios/plugins/check_http | 15:46 |
nkinkade | nathany: And for reference, this command works: /usr/lib/nagios/plugins/check_http -k "Host: rdfa.info" -I 64.34.161.33 -s "RDFa" | 15:47 |
nkinkade | This one does not: /usr/lib/nagios/plugins/check_http -H rdfa.info -I 64.34.161.33 -s "RDFa" | 15:47 |
nathany | -s checks for a string? | 15:47 |
nkinkade | Yeah. | 15:47 |
*** TRD has joined #cc | 15:49 | |
nathany | nkinkade: so i think part of this might be varnish | 15:49 |
nathany | one sec, let me pastebin | 15:49 |
nathany | nkinkade: http://pastebin.com/m901cfff | 15:50 |
nkinkade | nathany: Good point. | 15:51 |
nathany | nkinkade: so i'm fairly certain varnish is to blame for the zope related stuff | 15:52 |
nathany | i think it's mangling the URL for virtual hosting in a way zope doesn't understand | 15:52 |
nathany | nkinkade: of course, i'm not sure what to do about it | 15:53 |
nkinkade | nathany: That makes sense. It may be passing the :80 in with the hostname. | 15:53 |
*** lotia has quit IRC | 15:53 | |
nathany | right | 15:54 |
nkinkade | One way around that would be to use a regex to match req.http.host | 15:54 |
nathany | to split out the port portion? | 15:55 |
nkinkade | Maybe. | 15:55 |
*** UncleCJ2_ has quit IRC | 15:55 | |
nathany | nkinkade: so it seems like we've figured out half the problem, but not the 301 part | 15:57 |
nathany | you said the 301 stuff happens whether you hit 80 or 8080, right? | 15:57 |
nkinkade | nathany: Right. Varnish doesn't seem to be causing the issue with Pootle either. | 15:58 |
nathany | weird | 15:58 |
nkinkade | Yeah, 80, 8080, it's the same. | 15:58 |
nathany | is the pootle issue the same as the rdfa.info one? | 15:58 |
nkinkade | But if Varnish is mangling URL to cc.engine when the request host contains :<port>, then that is a larger problem. | 15:59 |
nkinkade | I'll investigate. | 15:59 |
nathany | ok... i need to prep for a call | 16:00 |
*** UncleCJ2_ has joined #cc | 16:13 | |
*** UncleCJ2_ has quit IRC | 16:18 | |
*** Bovinity has joined #cc | 16:19 | |
*** mlinksva has joined #cc | 16:23 | |
paulproteus | Morning, nkinkade | 16:26 |
paulproteus | That idea from Nagios should be fine; http://whatever.com:80/ should be the same as http://whatever.com/ (I *think*, this is a part of HTTP I don't know super well). | 16:26 |
paulproteus | Oh HAH whatever.com:8080:8080 | 16:26 |
*** lotia has joined #cc | 16:33 | |
*** Bovinity has joined #cc | 16:33 | |
*** parkerhiggins has quit IRC | 16:35 | |
*** UncleCJ2_ has joined #cc | 16:37 | |
paulproteus | Morning Bovinity. | 16:37 |
paulproteus | You at ETech? | 16:37 |
paulproteus | Joi's up now. | 16:37 |
paulproteus | He's talking about The Stack, but I don't see any pancakes. | 16:38 |
paulproteus | "Where the friction is, is the lawyers." | 16:40 |
*** tvol has joined #CC | 16:41 | |
paulproteus | Yargh, the point of RDFa isn't that "license information is important enough to be part of HTML" but that "extensible metadata choices should be made by the producers of web content, not the standards designers." | 16:45 |
nathany | sigh. | 16:51 |
nathany | at least he didn't call it "a different kind of drm" (again) | 16:51 |
paulproteus | I'm writing a note and CC:ing cc-tab, fwiw. | 16:52 |
nathany | great | 16:52 |
nathany | (not sure who's on cc-tab these days, so not sure how useful that is, but whatev) | 16:53 |
paulproteus | (I figure it's you and Ben at least, and that's the important thing) | 16:53 |
nathany | paulproteus: i *think* I'm on it :) | 16:54 |
nathany | (but i'm honestly not 100% sure) | 16:54 |
paulproteus | Icey. | 16:54 |
paulproteus | Well, since you're the Chief Technical Dude, you perhaps ought to. | 16:54 |
nathany | lol | 16:55 |
nathany | i'm pretty sure i am... i guess i'll go double check since my brain isn't particularly suited to other tasks this morning | 16:55 |
nathany | paulproteus: i am; as are you and nkinkade :) | 16:56 |
paulproteus | Yay (-: | 16:57 |
nathany | (and various and sundry board members) | 16:57 |
paulproteus | eer, /me fears lambasting joi in front of boardies | 16:57 |
nkinkade | nathany: And on that same point, I assume you are also getting these cc-metadata moderator messages? | 16:57 |
paulproteus | mm, cc meat data | 16:58 |
nathany | yes. i was hoping they'd just go away :) | 16:58 |
nathany | i'll log in now | 16:58 |
* paulproteus just CC:s ML, BA, NY | 16:58 | |
paulproteus | CC BY OM FG | 16:59 |
nathany | paulproteus: and the deprecated variant: CC BY-Z-OM-FG | 17:00 |
paulproteus | CC Zero was originally called CC Zomfg. | 17:01 |
nathany | God i wish i'd thought of that when writing the code | 17:02 |
paulproteus | Actually Zomfg was the joke name. | 17:03 |
paulproteus | CC Zomfg was the original name. | 17:03 |
paulproteus | er | 17:03 |
paulproteus | CC Zomg was the original name. | 17:03 |
paulproteus | CC Zero was what we renamed it; conveniently it's the same length, so we could just binary-patch the .pyc files. | 17:03 |
paulproteus | (We lost the source and decompyle doesn't work against more recent versions of Python.) | 17:03 |
nathany | heh | 17:05 |
paulproteus | Look, I made Indonesian! http://translate.creativecommons.org/id/ | 17:11 |
paulproteus | And it starts off at 0% because I copied en, and en has no values now. | 17:11 |
paulproteus | Closer now to sanity. | 17:11 |
paulproteus | (-: | 17:11 |
paulproteus | BTW, SoC this year? | 17:14 |
paulproteus | I also love how people call us "the Creative Commons Foundation." | 17:15 |
*** K`Tetch has quit IRC | 17:16 | |
*** johndoigiii has quit IRC | 17:18 | |
*** sama has quit IRC | 17:24 | |
*** K`Tetch has joined #cc | 17:24 | |
nathany | paulproteus: yes, i need to do the application | 17:26 |
nathany | iirc it's due end of week | 17:26 |
paulproteus | Cool | 17:26 |
nkinkade | nathany: For rdfa.info it turns out it was WordPress doing the redirect. | 17:39 |
nathany | nkinkade: weird | 17:39 |
nkinkade | It wasn't happening on the other WP installs because I have installed a plugin to disable "canonical" redirects. | 17:39 |
nkinkade | That sucks. | 17:39 |
nathany | yeah | 17:39 |
nathany | i'd like to suggest just writing the test the way that works, if possible (specifying the host header); so long as we get back the result it shouldn't matter, right? | 17:40 |
nathany | and the fact that it's just that one vhost doesn't make me very inclined to sink tons of time into patching WP (Since I'm guessing there's "a reason" for it :) ) | 17:40 |
nkinkade | http://translate.creativecommons.org:80 | 17:41 |
nathany | ? | 17:41 |
nkinkade | nathany: There is no patching needed here. There is a WP plugin that disabled that spurious behavior. | 17:42 |
nathany | ah, awesome | 17:42 |
nkinkade | And I've installed it on rdfa.info. It has been installed on the other wikis for over a year, probably. | 17:42 |
nkinkade | Sorry, the other WP installs. | 17:42 |
nkinkade | But interesting behavior from that link above, no? | 17:42 |
nathany | nkinkade: you mean that it redirects? | 17:43 |
nkinkade | paulproteus: What do you make of that translate link above? | 17:43 |
nkinkade | It's faking Pootle out, I believe. | 17:43 |
nathany | nkinkade: you mean that it redirects to http://translate.creativecommons.org ? | 17:44 |
nkinkade | nathany: I don't think it's redirecting even. | 17:44 |
nkinkade | Try http://translate.creativecommons.org:8080 | 17:44 |
nathany | oh | 17:44 |
nathany | i see, Fx must have "fixed" the link for me when i clicked it | 17:44 |
nathany | weird that you get the directory index | 17:44 |
nathany | like, totally weird | 17:44 |
nkinkade | Very strange. | 17:45 |
nkinkade | I can only imagine that Pootle is thrown off by the :<port> | 17:45 |
nkinkade | So much so that it returns a directory listing instead of some HTML. | 17:45 |
nkinkade | Or useful HTML, that is. | 17:45 |
*** robmyers has joined #cc | 17:46 | |
nathany | nkinkade: but that's not pootle returning that index, it's apache | 17:46 |
nathany | nkinkade: do we do vhost switching in varnish for translate? | 17:47 |
nathany | i'm guessing it's the same as the zope problem -- it's passing in the port number, which confuses varnish's req.url matching | 17:47 |
nkinkade | nathany: Varnish does touch those. | 17:47 |
nkinkade | It must be bypassing Varnish and hitting some old Apache configurations. | 17:48 |
nathany | right | 17:48 |
*** lotia has quit IRC | 17:48 | |
*** johndoigiii has joined #cc | 17:49 | |
nkinkade | Changing the Varnish rule to (req.http.host ~ "^translate.creativecommons.org") fixed it. | 17:51 |
nathany | awesome | 17:51 |
nkinkade | Before it was == (and minus the ^) | 17:51 |
nkinkade | Okay, 2 down, cc.engine to go. | 17:51 |
nathany | nkinkade: let me know if you want an extra set of eyes/frontal lobes on that | 17:52 |
nkinkade | nathany: I may ping you when I come up with some. Just to verify what I do. | 17:53 |
nathany | sure | 17:53 |
nkinkade | nathany: In the Varnish config on a7 there is: ( req.url ~ "^/(license|characteristic)/" ) | 17:54 |
nkinkade | Should that be: ( req.url ~ "^/(license|characteristic)/?" ) | 17:54 |
nkinkade | (with or without trailing slash) | 17:54 |
nathany | no, i think it's fine the way it is | 17:54 |
nathany | we redirect /license to /license/ | 17:54 |
nathany | (which we really want to enforce since some things use relative URLs for better or for worse) | 17:55 |
nathany | and /characteristic is old and lame | 17:55 |
nathany | (but still used, of course) | 17:55 |
*** mlinksva has quit IRC | 17:56 | |
nkinkade | paulproteus: On a7 in my home directory there is a directory called easy-ssh-keys. Does that ring a bell with you? | 17:59 |
nkinkade | It looks like you may have put that there: http://code.creativecommons.org/svnroot/hooks/update-staging-i18n.sh | 18:00 |
nkinkade | But just checking, because it startled me. | 18:01 |
johndoigiii | nathany: hey, I have a quick question about CC Net https issue | 18:04 |
nathany | sure | 18:05 |
nathany | johndoigiii: shoot | 18:05 |
johndoigiii | in the issue listing, you say "When rendering the profile, if the request is made over HTTP, no OpenID header information will be included" | 18:05 |
johndoigiii | are we display HTTP requests then? | 18:05 |
johndoigiii | we to* | 18:05 |
johndoigiii | just without the openid info? | 18:05 |
johndoigiii | this confused me because currently all requests are forwarded to https anyway | 18:06 |
nathany | johndoigiii: to be honest i'm not sure; it's been a while since i thought about that | 18:06 |
nathany | right | 18:06 |
nathany | i can't remember if the thought was: | 18:06 |
nathany | a) serve both, or | 18:06 |
nathany | b) still redirect but try to detect if it started as https | 18:07 |
nathany | (or not) | 18:07 |
nathany | i *think* we were thinking (b)... i think that because | 18:08 |
nathany | for existing users we still want to do the redirection and support OpenID URLs that have http:// in them | 18:08 |
johndoigiii | hmm okay, well the way I approached this was to redirect all to https within django, but check for the case where a user might be trying to identify with openid, http://pastebin.com/m416880e6 | 18:08 |
nathany | and we certainly want to do that over https | 18:08 |
johndoigiii | sorry my english is god awful today | 18:09 |
nathany | johndoigiii: that's an interesting start | 18:09 |
nathany | (no problem, i'm running on < 4 hours sleep) | 18:09 |
johndoigiii | yikes | 18:09 |
nathany | johndoigiii: thinking... one sec | 18:10 |
johndoigiii | nathany: NP | 18:10 |
*** mlinksva has joined #cc | 18:11 | |
*** bse has joined #cc | 18:11 | |
nathany | johndoigiii: oh, so that only does the check if they're viewing their profile? | 18:11 |
nathany | ah, i see | 18:12 |
johndoigiii | yes | 18:12 |
paulproteus | http://www.bofhcam.org/co-larters/snooping-email/index.html | 18:12 |
paulproteus | nkinkade, Yes, it does | 18:12 |
paulproteus | I added easy-ssh-keys so that I could easily do 'svn update' as your UID but use the keys in that dir. | 18:12 |
paulproteus | i.e., in case your SSH key in your home is locked with a passphrase | 18:12 |
nkinkade | Which is it. | 18:12 |
nkinkade | Which it is, I mean. | 18:12 |
* paulproteus nods, I never checked. | 18:13 | |
nathany | johndoigiii: so i don't think that's quite right | 18:13 |
paulproteus | bse, http://www.bofhcam.org/co-larters/snooping-email/index.html | 18:13 |
paulproteus | (pardon the repeat) | 18:13 |
nathany | it looks like that wouldn't allow any http:// access to the profile page, but would to other pages | 18:13 |
nathany | right? | 18:13 |
nathany | er, no | 18:13 |
johndoigiii | no | 18:13 |
nathany | nevermind, it redirects other pages to https, but doesn't redirect profiles | 18:13 |
paulproteus | http://www.bofhcam.org/co-larters/why-you-cant/index.html is great too. | 18:13 |
johndoigiii | nathany: no http anywhere, but if they http to view_profile then it just notifies them of what's going on | 18:14 |
johndoigiii | we can change this to the view_profile with a more descriptive message, but I am just trying to map out this logic correctly | 18:14 |
nathany | johndoigiii: right; i assume the bare return on line 25 is spurious? presumably if they're a "legacy" user they get redirected anyway with some warning? | 18:14 |
johndoigiii | nathany: correct | 18:15 |
*** stevel has joined #cc | 18:15 | |
nathany | johndoigiii: and profile.redirect_https implies that they *can not* get openid requests originating on http, right? | 18:16 |
johndoigiii | nathany: yes, I see my flaw, 1 sec | 18:17 |
nathany | johndoigiii: i have a suggestion and you should feel free to tell me it's stupid | 18:17 |
johndoigiii | haha okay? | 18:18 |
nathany | instead of doing the check here and incurring the extra hit, what if we set up either apache or django (with middleware like this) to add a query string flag that says "this started as http" | 18:18 |
nathany | so http://cc.net/nathan would redirect to https://cc.net/nathan?s=0 (or something very short) | 18:19 |
nathany | well, i don't 100% love that either | 18:19 |
johndoigiii | yeah | 18:19 |
nathany | paulproteus: are you busy or can you lend a few cycles to thinking about this? | 18:19 |
paulproteus | nathany, Hi, sure, sup? | 18:19 |
johndoigiii | well my first approach was to append a param in the kwargs of all view requests that had a flag like "ssl" = True | 18:20 |
* paulproteus scrolls | 18:20 | |
nathany | paulproteus: see issue http://code.creativecommons.org/issues/issue94 | 18:20 |
nathany | for context | 18:20 |
nathany | i think the question before us is how we detect that a request originated as http and was redirected, right johndoigiii? | 18:20 |
paulproteus | You could set this in the cookie / session instead. | 18:20 |
nathany | maybe that's django middleware, as johndoigiii started | 18:20 |
paulproteus | And you could even clear the "started as insecure" flag when you display a message about it. | 18:21 |
johndoigiii | yes that is the question | 18:21 |
nathany | paulproteus: which you'd want to do | 18:21 |
* paulproteus nods | 18:21 | |
nathany | (clear it, since only the first request would be vulnerable) | 18:21 |
paulproteus | I would do it in the session. Is there a reason to do otherwise? | 18:21 |
nathany | probably not; we already use the session store | 18:22 |
nathany | so the sslmiddleware would: see a request that | 18:22 |
nathany | is non-SSL, set the "insecure" session flag and redirect it | 18:22 |
paulproteus | Yup, that's a good plan in a low-complexity-of-engineering sense. | 18:23 |
nathany | of course, this requires a db hit for every request and clearing the flag | 18:23 |
paulproteus | Sessions are in the DB? | 18:23 |
paulproteus | You could just use a cookie instead if you'd rather be DB-free. | 18:23 |
nathany | (in every view? or is there response middleware we could use to clear it on non-redirect responses, johndoigiii) | 18:23 |
nathany | paulproteus: i'm not 100% sure now that i think about it | 18:23 |
nathany | my head hurts :) | 18:23 |
paulproteus | (There are still a bunch of attacks: someone doing a MITM can just proxy HTTP to the HTTPS site, and the user would never notice. And then there's the lovely iframe session cookie stealing attack, though I'd have to read up about that. But those are mostly off-topic; we can improve this particular issue and consider those later.) | 18:24 |
nathany | paulproteus: right, but the idea is that you couldn't mitm it for new users because we wouldn't support open id requests that originated as http | 18:25 |
*** lotia has joined #cc | 18:25 | |
johndoigiii | nathany: what role would apache play then? | 18:25 |
paulproteus | (if an active attacker is proxying HTTP to HTTPS, then we see an HTTPS request) | 18:25 |
nathany | johndoigiii: it would pass every http and https request into django | 18:25 |
johndoigiii | should we still plan on django handling all? | 18:25 |
johndoigiii | ok | 18:25 |
paulproteus | (might still be decent to ignore these parentheses things) | 18:25 |
paulproteus | (nathany, Wait, maybe I agree with you, I need to think about it.) | 18:26 |
nkinkade | nathany: The issues with Nagios are fixed. Just FYI I had to wrap each redirect to the cc.engine backend in a conditional that checks to see if req.http.host has :<port> appended, and if so, then use a modified URL to the cc.engine. | 18:26 |
nathany | paulproteus: yes, but that means the user would have entered http://foo as their open id which we'd reject as an invalid identifier | 18:26 |
nkinkade | It's just as well that this happened because it revealed a bug in our setup. | 18:26 |
nathany | johndoigiii: so we'd have a request middleware which would see if it's http and if so, set the session flag and redirect | 18:26 |
johndoigiii | okay | 18:26 |
nathany | johndoigiii: and then we'd have a corresponding response middleware that clears the flag if it's not a redirection response | 18:27 |
nathany | paulproteus: does that combination sound sane? | 18:27 |
nathany | the only thing i don't like is that this means every user (not just logged in ones) get sessions, but i suppose we'll deal | 18:27 |
nathany | premature optimization being the root of all evil and all that | 18:27 |
nathany | nkinkade: glad to hear that :) | 18:27 |
paulproteus | Only non-SSL users get sessions. | 18:28 |
paulproteus | But yeah, I think it's a good setup. | 18:28 |
nkinkade | But, nathany, it seems to me that it'd be cleaner if that could be handled on the Zope side of things ... were that possible, and not hard to implement. | 18:29 |
nathany | johndoigiii: does this make sense to you? we can then do conditionals in different places based on the session rendering | 18:29 |
johndoigiii | nathany: yes this makes sense, so if the session flag is set have conditions in the template that will prevent the openid header information from displaying? | 18:30 |
nathany | right | 18:30 |
nathany | we'll also check the profile when we do the openid auth to make sure they're allowed to "claim" an http:// id | 18:30 |
johndoigiii | and if they're not? | 18:31 |
nathany | but we can cross that bridge when we come to it -- that code's a little messy so i can help | 18:31 |
johndoigiii | ok | 18:31 |
nathany | so if they're a new member and they're trying to auth as http:// we reject it and say "not allowed to use that id" | 18:31 |
johndoigiii | ok | 18:31 |
nathany | if they're "legacy" we let it through | 18:31 |
nathany | i think those are the two points of contact we need to worry about | 18:31 |
johndoigiii | alright, that sounds good | 18:32 |
johndoigiii | let me see what I can iron out before our call | 18:32 |
nathany | awesome | 18:33 |
mlinksva | paulproteus, Bovinity i am getting up now, will be back. i am too lazy to open my mouth | 18:43 |
paulproteus | <3, Mike | 18:49 |
nathany | do i want to know? | 18:59 |
nathany | paulproteus, mlinksva^^ ? | 18:59 |
bse | he was sitting with us | 18:59 |
nathany | ah | 18:59 |
nathany | i didn't know if there was something awful he might have opened his mouth about | 18:59 |
nathany | (it's conceivable ;) ) | 18:59 |
bse | the dullness of this right now is kinda awful | 19:00 |
*** bse is now known as bovinity_ | 19:00 | |
*** mlinksva has quit IRC | 19:08 | |
*** johndoigiii_ has joined #cc | 19:12 | |
*** johndoigiii has quit IRC | 19:19 | |
*** johndoigiii has joined #cc | 19:29 | |
*** UncleCJ2_ has quit IRC | 19:47 | |
*** johndoigiii_ has quit IRC | 19:47 | |
nathany | johndoigiii: you may be interested in this since you're on OS X http://gitx.frim.nl/ | 19:48 |
johndoigiii | nathany: thx, this looks pretty good | 19:49 |
nathany | sure | 19:49 |
*** Xarthok has joined #cc | 19:51 | |
*** Xarthok has left #cc | 19:51 | |
*** UncleCJ2_ has joined #cc | 20:05 | |
nkinkade | An info@ email had this elegant bit: "To wax mildly grandiose for a moment," | 20:11 |
nathany | nkinkade: fine, but just for a moment ;) | 20:12 |
nathany | paulproteus: can you go to http://socghop.appspot.com/ and sign up for an account, ping me with your "link id" | 20:12 |
nathany | (i thought the web app couldn't get worse; I was wrong) | 20:12 |
nkinkade | I wax grossly grandiose from time to time, but not often mildly. | 20:12 |
nathany | nkinkade: and often not for just a moment ;) | 20:13 |
nkinkade | That, too. | 20:14 |
nathany | :) | 20:14 |
nathany | paulproteus: did i lend you my headset long ago or did i lose it elsewhere? | 20:24 |
*** UncleCJ2_ has quit IRC | 20:24 | |
nathany | nkinkade: johndoigiii paulproteus do you guys want to try skype for our call or should we use the conf line? | 20:26 |
mattl | paulproteus: say no to skype :) | 20:27 |
nkinkade | Shall we try Ekiga again?! | 20:27 |
nkinkade | It was so close last time. | 20:27 |
nkinkade | mattl: I don't think you have to worry about that. I get the feeling that paulproteus wouldn't touch Skype with a 10 foot pole. | 20:27 |
nathany | nkinkade: i'm fine with that but johndoigiii is on a mac | 20:28 |
nkinkade | But I will say that Skype works well out-of-the-box, and that in itself has value. | 20:28 |
nathany | do you know of easy instructions? | 20:28 |
nathany | (for interop) | 20:28 |
nkinkade | nathany: xmeeting | 20:28 |
nkinkade | johndoigiii: I think xmeeting for the Mac is compatible with Ekiga ... in fact I've used it before with my father. | 20:29 |
nkinkade | Well, he used xmeeting and I Ekiga ... worked great. | 20:29 |
nkinkade | http://xmeeting.sourceforge.net/pages/index.php | 20:29 |
nathany | nkinkade: i'm fine trying that... i forget how we do conference | 20:29 |
nathany | oh, right | 20:30 |
nkinkade | nathany: The setup with the mic and speakers in the conference room was quite nice. | 20:30 |
johndoigiii | nathany: hey sorry, stepped away for a sec | 20:30 |
nathany | no problem | 20:30 |
nathany | you up for experimenting with ekiga/xmeeting? | 20:30 |
johndoigiii | yeah definitely | 20:31 |
nkinkade | One computer in the conference room connects the mic and speakers, and also connects to Ekiga or Skype. | 20:31 |
nathany | nkinkade: does he just get a sip account from ekiga.net? | 20:31 |
nkinkade | nathany: Yeah. | 20:31 |
nkinkade | johndoigiii: http://ekiga.net | 20:31 |
johndoigiii | i'm outside at a coffee shop due to my internet service ending at home | 20:31 |
johndoigiii | prepping for my move :) | 20:31 |
mattl | where are you moving? | 20:31 |
nathany | johndoigiii: cool | 20:32 |
johndoigiii | sausalito | 20:32 |
nathany | nkinkade: wanna dial into the room and see if the basics are working? | 20:32 |
nkinkade | Sausalito! | 20:32 |
nkinkade | I thought about moving there. | 20:32 |
johndoigiii | nkinkade: yup, I can't wait | 20:32 |
nathany | nkinkade: i can hear you | 20:33 |
nkinkade | I had people tell me that taking the ferry in each day was quite nice. | 20:33 |
nathany | not sure what's going on | 20:33 |
nathany | the mic doesn't show any pick up... | 20:33 |
nathany | one sec | 20:33 |
nkinkade | johndoigiii: Where you at with xmeeting and ekiga.net | 20:36 |
*** [mharrison] has quit IRC | 20:36 | |
johndoigiii | installing xmeeting | 20:36 |
nkinkade | Cool. | 20:36 |
*** TRD has quit IRC | 20:40 | |
johndoigiii | hmm, I don't know if the NAT for the public wifi I am on will work | 20:41 |
nathany | johndoigiii: i didn't do anything to route past our NAT here... i guess we can give it a shot | 20:41 |
nathany | johndoigiii: if it doesn't work we can fall back to the conference line | 20:42 |
nathany | i don't have the brain power for a long call today :) | 20:42 |
johndoigiii | yeah, well during setup of xmeeting it warned me of a possible incompatibility with the NAT and now I can't get it to connect | 20:42 |
nkinkade | johndoigiii: Is there any setup for STUN in xmeeting? | 20:42 |
nathany | ah | 20:42 |
nathany | ok | 20:42 |
johndoigiii | lol, well let me try to connect to another network real quick and try that | 20:42 |
johndoigiii | nkinkade: yes there is | 20:43 |
nkinkade | johndoigiii: I think there are other clients compatible with Ekiga ... | 20:43 |
nkinkade | http://wiki.ekiga.org/index.php/Which_programs_work_with_Ekiga_%3F | 20:44 |
johndoigiii | I can try gizmo | 20:44 |
johndoigiii | yeah | 20:44 |
paulproteus | nkinkade, nathany: We do tech chat at 2, right? | 20:45 |
nathany | paulproteus: 130 :) but at this rate it may be 2 | 20:45 |
paulproteus | I'm at this lovely conference still, and I don't have a way to charge my phone. (I could probably take Bovinity's though.) | 20:45 |
paulproteus | Okay, cool. | 20:45 |
nathany | paulproteus: we're on ekiga | 20:45 |
paulproteus | Oh, okay. | 20:46 |
nathany | (or trying to be) | 20:46 |
paulproteus | ...but I left your headset at home, oops. | 20:46 |
paulproteus | (which answers the above question) | 20:46 |
nathany | paulproteus: AH HA! so that's where it is ;) | 20:46 |
nathany | johndoigiii: if you don't mind trying gizmo that'd be cool just so we know what works | 20:46 |
nathany | otherwise we'll fall back to the conf line | 20:46 |
paulproteus | I am so infuriated by STUN. | 20:46 |
paulproteus | I haven't tested if ICE does better NAT traversal. | 20:46 |
johndoigiii | nathany: installing now | 20:47 |
nathany | INFURIATED! I say! | 20:47 |
paulproteus | Honestly, people, this is just a matter of making basic network attack software an IETF standard. | 20:47 |
johndoigiii | nathany: ....well downloading | 20:47 |
nathany | :) | 20:47 |
paulproteus | Skype does it and calls it Skype. | 20:47 |
nathany | i don't really know what that means | 20:47 |
paulproteus | Well, NAT piercing to some people is "omg an attack on the corporate firewall". | 20:48 |
paulproteus | But F that, we have to destroy NAT. | 20:48 |
paulproteus | Whatever it takes. | 20:48 |
paulproteus | Every day we lose, the Internet becomes less end-to-end. | 20:48 |
paulproteus | STUN does a bad job of it, and so Ekiga users suffer. | 20:48 |
paulproteus | Skype does a good job of it, and Skype users are happy and live the end-to-end dream. | 20:49 |
paulproteus | They're also hacked by Chinese, but that's neither here nor there. | 20:49 |
nathany | paulproteus: as is fcgi ;) | 20:50 |
johndoigiii | ....still downloading gizmo.... | 20:50 |
* paulproteus giggles about Chinese Fast CGI. | 20:50 | |
paulproteus | Skype is hacked by Chinese in a bad way, but mod_fcgid is hacked by Chinese in a good way. | 20:51 |
paulproteus | Who knew that was even possible!? | 20:51 |
nathany | who knew indeed | 20:51 |
paulproteus | Anyway, should I try Ekiga, or Gizmo, or what? | 20:51 |
nathany | i'll leave it up to you and johndoigiii | 20:52 |
nathany | i have zero preference | 20:52 |
paulproteus | I'll try Ekiga right now for no particular reason. | 20:52 |
paulproteus | Who knows if STUN will work? | 20:52 |
paulproteus | Frickin' A, I just need to get my laptop a global VPN'd IP. | 20:53 |
johndoigiii | I just tried STUN with XMeeting | 20:53 |
paulproteus | But that's decadence not everyone can afford. | 20:53 |
nathany | paulproteus: 1st World Problems | 20:53 |
paulproteus | I seem to have STUN'd into Ekiga fine. | 20:54 |
paulproteus | Unfortunately the room is loud. | 20:54 |
paulproteus | I'll see where I can go. | 20:54 |
*** ronfo has joined #cc | 20:54 | |
paulproteus | Yay, great success. | 20:55 |
paulproteus | I say I prefer Ekiga since it just worked and I'm not very interested in fiddling. | 20:56 |
*** ronfo has quit IRC | 20:58 | |
nkinkade | http://creativecommons.org/licenses/by/3.0/hk/ | 20:58 |
*** lotia has quit IRC | 20:59 | |
nathany | nkinkade: can you still hear me? | 21:00 |
nkinkade | nathany: Can you not hear me? | 21:00 |
nkinkade | I hear you. | 21:00 |
nathany | no, i can't | 21:00 |
nkinkade | Not sure what happened? | 21:00 |
nathany | i'll redial | 21:00 |
nkinkade | Let me poke around. | 21:00 |
nathany | nkinkade: can you hear me? | 21:01 |
nathany | ugh | 21:01 |
nkinkade | No. | 21:01 |
nathany | nkinkade: can you try dis/re-connecting | 21:01 |
nkinkade | Doing that now. | 21:01 |
nathany | johndoigiii: if you get things configured, join us, otherwise i'll call you directly shortly if that's ok with you | 21:02 |
johndoigiii | yeah that's fine, I'd like to figure this out for future ref so I'm gonna keep working on it | 21:02 |
nathany | absolutely | 21:02 |
bovinity_ | nathany: is the office empty? | 21:03 |
nathany | nearly | 21:03 |
nathany | bovinity: jane and allison are here | 21:04 |
bovinity_ | i'm heading back | 21:04 |
*** johndoigiii_ has joined #cc | 21:06 | |
*** johndoigiii has quit IRC | 21:09 | |
*** bovinity_ has quit IRC | 21:09 | |
paulproteus | nkinkade, closed? http://code.creativecommons.org/issues/issue213 | 21:09 |
paulproteus | Bovinity, wait | 21:09 |
paulproteus | for me | 21:09 |
paulproteus | d'oh | 21:09 |
paulproteus | hold on | 21:09 |
johndoigiii_ | I don't know if there is any way around a symmetric NAT | 21:21 |
*** UncleCJ2_ has joined #cc | 21:22 | |
johndoigiii_ | is the host still 5016060@ekiga.net? | 21:23 |
paulproteus | Turns out much "symmetric" NAT (like Linux netfilter) isn't entirely symmetric, I hear from NAT piercers. | 21:23 |
paulproteus | Yup | 21:23 |
nathany | johndoigiii_: yes | 21:23 |
nathany | johndoigiii_: did you manage to get it figured out? | 21:24 |
johndoigiii_ | no, I can't get it to resolve the NAT | 21:24 |
nathany | johndoigiii_: ok, we're wrapping up | 21:24 |
nathany | one sec | 21:24 |
johndoigiii_ | alrighty | 21:25 |
paulproteus | NAT, destroyer of the Internet. | 21:25 |
paulproteus | "It can be that easy when you break the Internet." | 21:26 |
paulproteus | Don't mind me, I'm just an old curmudgeon. | 21:26 |
*** UncleCJ2_ has quit IRC | 21:42 | |
*** nathany has quit IRC | 21:46 | |
*** lotia has joined #cc | 21:49 | |
*** User788 has joined #cc | 21:57 | |
*** User788 has quit IRC | 22:00 | |
*** johndoigiii_ has quit IRC | 22:02 | |
*** tvol has quit IRC | 22:10 | |
*** bse has joined #cc | 22:18 | |
ianweller | https://secure.wikimedia.org/wikipedia/commons/wiki/Template:Bjarki <-- nice license. :/ | 22:37 |
*** robmyers has quit IRC | 22:51 | |
*** lotia has quit IRC | 22:57 | |
*** UncleCJ2_ has joined #cc | 23:04 | |
*** kreynen_ has joined #cc | 23:16 | |
kreynen_ | seen Asheesh | 23:17 |
*** kreynen_ has quit IRC | 23:23 | |
paulproteus | kreynn... bye | 23:26 |
*** [mharrison] has joined #cc | 23:39 | |