Nginx and Server Side Includes

Server Side Includes are an interesting way to embed content dynamically into static files. It can be particularly useful to inject information about the visitor or to add headers, footers or any file containing data changing over time.

Please note, however, that Nginx does not implement the full SSI specification yet. More information about what is currently supported can be found in the ngx_http_ssi_module documentation.

To enable SSI, the following directive must be added in the http, server or location block :

ssi on;

Here is an example HTML snippet with SSI directives, showing how to echo variables and include content from other files :

<h2>Visitor information</h2>

<p>Visitor IP address : <!--#echo var="REMOTE_ADDR" --></p>
<p>Visitor User agent : <!--#echo var="HTTP_USER_AGENT" --></p>

<h2>Server information</h2>

<p>Server local time : <!--#echo var="DATE_LOCAL" --></p>
<p>Server time (GMT) : <!--#echo var="DATE_GMT" --></p>

<p>Server uptime (refreshed every minute) : <!--#include file="uptime.txt" --></p>

<h2>Fortune of the day</h2>

<pre>
<!--#include file="fortune.txt" -->
</pre>

In order to populate fortune.txt and uptime.txt, we can use Cron and refresh files content as required. For even more fun, we can also use cowsay together with fortune.

Let’s add the following entries to the Crontab :

* * * * * uptime > /path/to/htdocs/uptime.txt
0 0 * * * /usr/games/fortune | /usr/games/cowsay -f tux > /path/to/htdocs/fortune.txt

Finally, here is the resulting output when accessing the page using Lynx :

Visitor information

   Visitor IP address : 175.45.176.1

   Visitor User agent : Lynx/2.8.8rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1h

Server information

   Server local time : Sunday, 21-Sep-2014 18:55:49 CEST

   Server time (GMT) : Sunday, 21-Sep-2014 16:55:49 GMT

   Server uptime : 18:55:01 up 52 days, 7:50, 3 users, load average: 0.13, 0.19, 0.22

Fortune of the day

 ________________________________________
/ In most countries selling harmful      \
| things like drugs is punishable. Then  |
| howcome people can sell Microsoft      |
| software and go unpunished?            |
|                                        |
\ -- Hasse Skrifvars, hasku@rost.abo.fi, /
 ----------------------------------------
   \
    \
        .--.
       |o_o |
       |:_/ |
      //   \ \
     (|     | )
    /'\_   _/`\
    \___)=(___/

Compiling Nginx on Debian and Ubuntu

Most of the time, there is no need to compile Nginx manually as Debian and Ubuntu provide several packages being compiled with a different set of modules (for details, see : Nginx packages in Debian stable). However, when performing more specific testing tasks, I sometimes need an exact particular version and have to compile it manually.

So here are the required steps to build Nginx with SSL and SPDY modules enabled.

Installing development packages :

apt-get install build-essential libpcre3-dev libssl-dev zlib1g-dev

Compiling Nginx :

wget http://nginx.org/download/nginx-1.6.1.tar.gz
tar xvfz nginx-1.6.1.tar.gz
cd nginx-1.6.1
./configure --with-http_ssl_module --with-http_spdy_module
make && make install

Checking compile time options :

nginx -V
nginx version: nginx/1.6.1
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_spdy_module

Lastly, here is a guide on how to compile Nginx on FreeBSD.

NetBSD ASCII logos

Since I’ve been more and more interested about NetBSD lately, I decided to draw some ASCII logos to be used as MOTD and/or as /etc/issue. So here are the two variants I came up with, rendered with Amiga Topaz font.

Feel free to use them on your systems, and change the NetBSD port in the information boxes accordingly. I currently use mainly NetBSD/evbarm, so the logos reflect that.

The files can be downloaded here and here. Enjoy.

NetBSD ASCII Logo - One-line variant

NetBSD ASCII Logo - Box variant

Cross building NetBSD on Linux

Known for its portability, it might come at no surprise that NetBSD (and pkgsrc as well) is also easy to cross build on other platforms and even other hosts. Building NetBSD on Linux can be very conveniant, as it’s far easier to get access to high-performance Linux powered machines than to NetBSD ones. So let’s go through the process and build a NetBSD/amd64 release on a Debian host, using an unprivileged user account.

First, we will need to install some development packages on the host machine :

apt-get install build-essential zlib1g-dev flex

Then, we can download and extract source sets for the NetBSD version we want to build. At the time of writing, latest NetBSD release is 6.1.4 :

wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/gnusrc.tgz
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/sharesrc.tgz
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/src.tgz 
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/syssrc.tgz

for file in *.tgz
do
	tar xfz $file
done

We can now build the cross compiler :

cd usr/src
./build.sh -U -u -m amd64 tools

Compilation results :

===> Summary of results:
	 build.sh command:    ./build.sh -U -u -m amd64 tools
	 build.sh started:    Thu Aug 28 21:49:19 UTC 2014
	 NetBSD version:      6.1.4
	 MACHINE:             amd64
	 MACHINE_ARCH:        x86_64
	 Build platform:      Linux 3.2.0-4-amd64 x86_64
	 HOST_SH:             /bin/sh
	 No $TOOLDIR/bin/nbmake, needs building.
	 Bootstrapping nbmake
	 TOOLDIR path:        /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
	 DESTDIR path:        /home/admin/usr/src/obj/destdir.amd64
	 RELEASEDIR path:     /home/admin/usr/src/obj/releasedir
	 Created /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake
	 Updated makewrapper: /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake-amd64
	 Tools built to /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
	 build.sh ended:      Thu Aug 28 21:56:48 UTC 2014

Here is more information about configuration options used in those examples :

-U             Set MKUNPRIVED=yes; build without requiring root privileges,
               install from an UNPRIVED build with proper file permissions.
-u             Set MKUPDATE=yes; do not run "make cleandir" first.
               Without this, everything is rebuilt, including the tools.
-m mach        Set MACHINE to mach; not required if NetBSD native.

Once our toolchain is ready, we can now build NetBSD itself :

./build.sh -U -u -m amd64 release

Compilation results :

===> Summary of results:
         build.sh command:    ./build.sh -U -u -m amd64 release
         build.sh started:    Thu Aug 28 21:57:54 UTC 2014
         NetBSD version:      6.1.4
         MACHINE:             amd64
         MACHINE_ARCH:        x86_64
         Build platform:      Linux 3.2.0-4-amd64 x86_64
         HOST_SH:             /bin/sh
         TOOLDIR path:        /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
         DESTDIR path:        /home/admin/usr/src/obj/destdir.amd64
         RELEASEDIR path:     /home/admin/usr/src/obj/releasedir
         Updated makewrapper: /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake-amd64
         Successful make release
         build.sh ended:      Thu Aug 28 23:21:28 UTC 2014

From there, building an ISO image takes only a few seconds :

./build.sh -U -u -m amd64 iso-image

We can now try to boot the resulting ISO image :

NetBSD Primary Bootstrap
NetBSD Installer

Unsurprisingly, it works as expected! Welcome to NetBSD :-)

Installing CA certificates on NetBSD

Using SSL-aware programs which expect a CA certificate path on NetBSD (such as cURL, Git or Wget) without installing CA certificates will result in the following SSL certificate error messages.

Please note that this also happens when using pkgsrc on other systems, and the same installation instructions can be used.

cURL error message :

curl https://www.netbsd.org
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Git error message :

git clone https://github.com/jsonn/pkgsrc.git
Cloning into 'pkgsrc'...
fatal: unable to access 'https://github.com/jsonn/pkgsrc.git/': SSL certificate problem: unable to get local issuer certificate

Wget error message :

wget https://www.netbsd.org
--2014-08-25 16:48:11--  https://www.netbsd.org/
Resolving www.netbsd.org (www.netbsd.org)... 149.20.53.86, 2001:4f8:3:7:14::25
Connecting to www.netbsd.org (www.netbsd.org)|149.20.53.86|:443... connected.
ERROR: cannot verify www.netbsd.org's certificate, issued by ‘/C=US/O=GeoTrust, Inc./CN=RapidSSL CA’:
  Self-signed certificate encountered.
To connect to www.netbsd.org insecurely, use `--no-check-certificate'.

In order to fix this issue, we need to install CA certificates distributed by the Mozilla Project (mozilla-rootcerts package), using either pkgsrc or pkgin :

Using pkgsrc :

cd /usr/pkgsrc/security/mozilla-rootcerts
make install clean clean-depends

Using pkgin :

pkgin install mozilla-rootcerts

We can then extract and rehash all CA root certificates :

mozilla-rootcerts install

The combined certificate file will be created in /etc/ssl/certs, and we can now connect safely to secure endpoints.