Continue reading »]]> In my last post I described a VB Script for moving IMAP email from my inbox to an archive folder. As an interesting Apples to Oranges (or Apple to Microsoft?) comparison here is the Apple Script I use with Entourage to perform the same task. I will post two versions: one that performs the exact same task and a second version that is significantly longer that integrates with the popular Growl notification system for OS X. I would just like to highlight the overall simplicity and elegance of the Apple Script vs. the VB script. Yes I know their history is totally different and perhaps VB script is overloaded in usage these days but the point stands: the Apple Script is readable and intuitive while the VB script is neither.

Once again I apologize for the formatting but WordPress is butchering <code> posts lately and insert all sorts of uglies inside the code blocks and I don’t feel like fixing it at the moment.

tell application “Microsoft Entourage”
set acctName to “BA”
set folderName to “Archives”
set destFolder to null

set currMsgs to (current messages)
set currCount to (count of currMsgs)

if currCount is not 0 then
set folderList to folders of IMAP account acctName
repeat with x in folderList
if name of x is folderName then
set destFolder to x
move currMsgs to x
end if
end repeat
end if
end tell

And the second with Growl support:

tell application “GrowlHelperApp”
set the allNotificationsList to {“General”, “Move message”, “Error”}
set the enabledNotificationsList to {“General”, “Move message”, “Error”}

register as application “Entourage AppleScripts” all notifications allNotificationsList default notifications enabledNotificationsList icon of application “Microsoft Entourage”

if currCount is 0 then
notify with name “Error” title “Entourage Error” description “You attempted to move a message but no message was selected.” application name “Entourage AppleScripts”
delay 10
return
end if
if destFolder is null then
notify with name “Error” title “Entourage Error” description (“You attempted to move a message but the destination folder \”" & folderName & “\” is not valid.”) application name “Entourage AppleScripts”
delay 10
return
end if

– 1 Notification…
if currCount is 1 then
notify with name “General” title (acctName & ” Notification”) description (“1 message moved to \”" & name of destFolder & “\” folder of account \”" & acctName & “\”") application name “Entourage AppleScripts”
delay 10
end if

– Multi Notification…
if currCount > 1 then
notify with name “General” title (acctName & ” Notification”) description (“” & (count of currMsgs) & ” messages moved to \”" & name of destFolder & “\” folder of account \”" & acctName & “\”") application name “Entourage AppleScripts”
delay 10
end if
end tell

Continue reading »]]> The past few days people in Linux blogosphere have been bringing back up the noatime/nodiratime mount options. These options disable the updating of file and directory access times. On many standard systems when you read file a “last read,” or access time, timestamp is written to disk. Disabling the writing of access times can provide performance increases in some conditions. Probably in a lot of conditions. Disabling the writing of these access times can be accomplished with the noatime and nodiratime mount options on a typical FS on a Linux system. Well in OS X and hfs+ nodiratime doesn’t exist but noatime does.

These options are old news to some. I had used them in Linux in the past – heck I think it was even in the standard Gentoo install docs – but I had never them a second thought since I moved to OS X. If you know me personally you know I can’t leave something untweaked. And those recent discussions got me to thinking…

Be forewarned, I haven’t gone to great lengths to explain the concepts of the notes below so if you’ve never seen a terminal this isn’t going to be comprehendible.

I wanted to mount my filesystems with the noatime option in OS X to disable the updates to access times for files. Problem is that, at least in 10.5, OS X no longer honors /etc/fstab for system disks, only for automount disks.

After wrestling with it for awhile I gave upon trying to find a location where I could specify mount options for system disks. I decided to just remount the disk later with the correct options. I created a StartupItem entry to remount the disk. I created a directory:

# mkdir /Library/StartupItems/spencer_boot

Then I created the StartupItem plist. Pretty straight forward.

# cat /Library/StartupItems/\
spencer_boot/StartupParameters.plist

{
Description = “Spencer’s Boot Script”;
Provides = (“spencer_boot”);
OrderPreference = “None”;
Messages =
{
start = “Starting Spencer’s Boot Script”;
stop = “Stoping Spencer’s Boot Script”;
restart = “Restarting Spencer’s Boot Script”;
};
}

Now I needed the shell script that would be run on boot.

# cat /Library/StartupItems/spencer_boot/spencer_boot

#!/bin/sh

. /etc/rc.common

case “$1″ in
start)

ConsoleMessage “Starting Spencer Boot: remounting root fs noatime”
mount_hfs -o noatime /dev/disk0s2 /

;;
esac

exit 0

This solved the problem for the root fs but I also use Filevault. If you don’t use Filevault you can stop reading here. How would I go about this? Same problem as before, no where to add mount time options. Additionally the fs is mounted upon login, not boot. So our previous method of creating a StartupItem won’t work. We’re going to have to do it later after it has been mounted – again.

<redacted> I did have some other information here but after review I wasn’t happy with advocating the “hack” I’m using. But the gist of it is to run something like this: /sbin/mount -u -o noatime,nosuid,nodev /dev/disk1s2 /Users/spencer/ after the volume is mounted. This happens after you enter your password. So a good place would be login items if you can figure out how to run mount as root from a user’s startup scripts.</redacted>

After you login and the system has completely finished running your startup apps open a terminal and type “mount”. You should see “noatime” listed as a mount option for you system and Filevault disks.

spencer_boot shell script
StartupParameters.plist for the spencer_boot StartupItem
remount_filevault for noatime in Filevault volumes

Continue reading »]]> My favorite BASH shell completion of all time is hostname completion for all of my favorite commands:

SSH_COMPLETE=( $(cat ~/.ssh/known_hosts | \
cut -f 1 -d ‘ ‘ | \
sed -e s/,.*//g | \
uniq | \
egrep -v [0123456789]) )

complete -o default -W “${SSH_COMPLETE[*]}” ssh scp sftp rsync nmap traceroute ping nslookup dig host nmap nc

I find most of the hosts I ssh into I use for basic network diagnostics. So performing completion for traceroute, ping, etc based on the contents of known_hosts works great. Just add it to your .bashrc.

Update: 2008/11/04

I’ve modified it to support completion of SVN commands leveraging the hostnames expanded during the SSH completion above:

SVN_COMPLETE=( $(svn -h|grep -e '^ '|awk '{ print $1; }') $SSH_COMPLETE )
complete -o default -W "${SVN_COMPLETE[*]} ${SSH_COMPLETE[*]}" svn

Adding these may lengthen your shell exec tasks.

I test at work. I work from home. But I will not test from home. Fix it yourself. (trademark pending).

Continue reading »]]> I was trying to connect to RHN from Yum/up2date in Red Hat Enterprise Linux 5. I kept getting fatal invalid SSL cert errors. The strange part – out of all of the machines I tested it was only occuring on a single RHEL 5 laptop. The really strange part – it was happening on the host as well as inside a guest in a VM running in VMware Player.

If you get this:


[root@rhel5-vm ~]# yum search openoffice
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
yummain.main(sys.argv[1:])
File "/usr/share/yum-cli/yummain.py", line 85, in main
base.getOptionsConfig(args)
File "/usr/share/yum-cli/cli.py", line 199, in getOptionsConfig
errorlevel=opts.errorlevel)
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 134, in doConfigSetup
self.plugins.run('init')
File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 153, in run
func(conduitcls(self, self.base, conf, **kwargs))
File "/usr/lib/yum-plugins/rhnplugin.py", line 88, in init_hook
login_info = up2dateAuth.getLoginInfo()
File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 139, in getLoginInfo
login()
File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 98, in login
li = server.up2date.login(systemId)
File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.


Check the date/time on the machine. Mine was a VM syncing w/ a host clock with a bad CMOS battery. Caused it to think it was 2005 and the cert wasn’t valid yet. Also explains why it happened in both host and guest.

Continue reading »]]> Ran into a problem with Exchange. I created a server-side rule to place spam messages in a folder that didn’t exist. All spam was instead going to the root folder, the folder above my inbox. Well if you use Entourage to access Exchange you will not be able to access this folder. If you go into Outlook Web Access (OWA) you can navigate to the root user folder by clicking on “Folders”.

Unfortunately by this point I had like thousands and thousands of messages. There is no “Delete All” option in OWA. Craptacular. So moving on I mounted the server via WebDAV in finder (cmd+k). The URL to mount will look something like:
http://exchange.servername.com/exchange/username

If this folder is large navigating to it in Finder will be a horrific experience. Open Terminal.app and navigate to the mountpoint.

~/> cd /Volumes/username

Once again, if the folder is large rm *.EML will not work as the wildcard expansion done by bash will exceed the length of the command-line itself (32K by default IIRC). Try this:


/Volumes/username> SRC=./*.EML
/Volumes/username> for i in $SRC; do rm "$i"; done


This will cleanup most, if not all, of the mess. Some files will not be removed due to escape characters and escaped escaped characters etc. Open the folder in Finder and delete the rest. There are def. more elegant ways to handle this from a scripting standpoint but this was quick and worked.

Continue reading »]]> Just finished updating WordPress to 2.5 from 2.3.3. Ran into a few problems. Normally I diff the old version of WP to the new version and just apply the generated patch to my “custom” install. Somewhere along the line I must have deleted extraneous files like license.txt because the patch failed to apply because some files listed in the diff didn’t exist in the directory I was applying it to… this is the first time this method of non-destructively updating WordPress had failed me. I could have edited the patch by hand but it was 100K lines so I wasn’t particularly interested in this method.

So I finally ended up actually following the upgrade instructions, deleted wp-admin and wp-includes, and copied all the files from 2.5 into my existing install. The database update took about 1 second to complete. The upgrade was technically complete at this point but of course it wreaked havoc with my theme.

One thing about the WordPress theme architecture is that if a failure occurs in a custom theme it kinda falls back to the default theme, this is due to CSS I guess. Problems with a theme, like my Binary Blue bastardization, also show up in the strangest ways.

For example, my last.fm plugin’s cache directory got blown away. The plugin could no longer find the image cache and was throwing a (fatal?) error to Apache’s logs. The site was being styled by what looked like a combination of the default classic and my own customized Binary Blue theme. What I do to fix this is an utter hack, I move the default theme out of the way and symlink the directory of my theme to wp-content/themes/default. Then when things go wrong it is still pulling from my theme. Then I go back and fix the actual problem.

The upgrade is complete. It took me about 30 minutes to migrate total. But I am more concerned about “corner cases” this time since my traditional method of just merging in the diff between releases failed. I also haven’t stress tested all of the widgets and plugins. Overall I would suggest upgrading. The experience was worse than usual, but not terrible.

I just noticed when writing this post that the “Preview this Post” feature in WP 2.5 must pull from the auto-saved draft. When I click preview I don’t see the content that hasn’t been saved yet. Small potatoes, remind me to open a bug.

Update (4 hours later): I figured out why my theme was getting butchered into some combination of the default and my own – I had some absolute URLs in my header.php where I forgot to use the template path variables.

Continue reading »]]> It’s been three years since we upgraded the hardware that hosts our various sites. I contacted my provider (Crucial Paradigm) and got some competitive offers. Stefan, my friend in Berlin that I split the server with, and I agreed on the following specs:

• Athlon 64 x2 4000 (2 cores @ 2.1GHz, 512K L2 each)
• 4GB RAM, 160GB SATA, 100Mbps
• CentOS 5
• Apache, BIND, MySQL, Postifx, Spam Assassin, ClamAV, Cyrus IMAP
• SELinux enforcing

Once again this is going to be a dedicated, remote, hosted server. A few days later and they contacted me with the login information. I’m going to describe the move from a high-level. I’m not going to go through the individual config file modifications or how to dump a Cyrus database.

It only took me about a day to prep the new system for the move. Stefan was gone for a week so I could move pretty much all of my stuff but I would wait until he got back to move the shared mail services. It is rather difficult to incrementally move users from one system to another using Cyrus so I just did a test migration of the IMAP spools and databases but waited on actually updating the DNS MX records.

First I updated the glue records and name servers at my registrar. I made the new system master and the old system I just modified to run as a slave. I also had Josh fix his config since he is my DNS buddy (I highly recommend using the DNS buddy system). With DNS up and running I added entries for the new server.

Then I moved my website. I just dumped my databases and pulled them into the new system. A few Apache tweaks and everything was good to go. I was pulling my hair out at one point trying to figure out why the CentOS default page was appearing but I finally tracked it down to a welcome.conf configuration file. I removed that and found I could debug Apache config problems more easily.

I decided to tackle all of the SSL stuff at once. I setup Apache, Cyrus, and Postfix w/ certs and CAs. I tested each service to ensure I had the directory permissions correct and had the authentication mechanisms properly configured. It is at this point that I tested a Cyrus migration knowing that I would be repeating the process again later.

Then I moved on to configuring the rest of the Postfix chain using Amavis, Spam Assassin, and ClamAV. There was plenty of documentation on this process available online. Note that ClamAV (and maybe a few of the others) are only available in the rpmforge yum repos. These programs aren’t officially part of the CentOS/RHEL distributions but are commonly used by the user communities. As a result their configuration files don’t mesh precisely with the rest of the services, for example storing the virus database in /var/clamav by default instead of /var/lib/clamav. I fixed these discrepancies and would recommend you do the same. It did take me a while to track all of these down. freshclam (the ClamAV updater) was running from a Cron job. It was trying to write to “/var/clamav” which didn’t exist. As a result the virus signatures weren’t updating. I discovered this only through reviewing the logs.

As soon as Stefan got back he moved all of his services and data. Finally we cut the mail over to the new system by fixing the MX records and using the Postfix transport map feature on the old system to force it to relay to the new server. That completed the migration.

SELinux
Upon login I discovered SELinux was disabled despite my specific request that it be enabled. I decided to fix it by hand instead of letting Brickwall fix it automatically to show that going from disabled to permissive to enforcing isn’t bad and shouldn’t be scary. It should be done regardless of the presence of a management tool like Brickwall. I changed the flag in /etc/selinux/config to enforcing and ran # touch /.autorelabel.

I also added enforcing=0 to the ends of the kernel command lines in /boot/grub/menu.lst.

Tangent – I chose this route, modifying the grub file, for going into permissive mode during configuration and testing instead of setting the flag in /etc/selinux/config to permissive. Applications, such as those built into Red Hat and CentOS as well as third party applications like Brickwall, modify the settings in /etc/selinux/config. It is possible for me to inadvertently set the system to boot into enforcing before I am ready using these applications. Since this is a remote server and the configuration is in flux I want to make sure a quick remote reboot request gets me back in to my system. It is the exact same as using iptables remotely; you don’t load the firewall rules automatically on boot until you’re sure you can get back in through SSH. As soon as I’m confident that I typed in the SSH network settings properly the system boots into enforcing mode.

After setup is complete remember to remove the kernel command line flag – always going into permissive mode on reboot, much like not auto-loading firewall rules, is a patentable bad idea on a production system.

I disabled all unnecessary services (everything except SSH at this point) and rebooted. The system relabeled and came up in permissive mode. Everything was working fine and running in the proper SELinux domains according to # ps axZ. I ran # setenforce 1 to go into enforcing mode for the first time.

Nothing bad happened. The world didn’t end. The system didn’t stop responding. I’m also assuming the rampant rumor that SELinux kills Giraffes in enforcing mode is false because I watched the news and saw nothing Giraffe related. This SELinux stuff really isn’t as hard, or as mean as people make it sound. BTW Brickwall would have taken care of all of this editing of SELinux config files and relabeling stuff for me if I wasn’t such a control freak.

Well turning it on is one thing. Really using it is a whole ‘nother thing right? That is where Brickwall comes into play (disclaimer [1]). I mentioned it before but think “SELinux Management” and there are free versions for Fedora and demos for RHEL and CentOS. Because I’m cool I get to use the Enterprise Edition. Mere mortals may have to run Professional or Standard via “ssh -X”. There is no difference in configurability. Both use the same configuration GUI. The only policy difference is the policy for the remote daemon – not really needed if the remote enterprise management daemon isn’t installed. One has centralized/remote management, the other does not.

Brickwall Enterprise Edition has two components, the centralized manager application with configuration editor and the remote daemon. The centralized management application takes different plug-ins – I’m only going to be using Brickwall plug-in that supports general SELinux configuration. I installed the Enterprise Manager with the Brickwall Enterprise component on my desktop RHEL 5 system. This installation process generated the remote daemon RPMs for me. These packages include SSL keys tying the remote daemon to this specific Enterprise Manager install. The SSL keys are used to encrypt the network traffic between the manager and the client daemons.

I installed the remote daemon on the new system. It is just a little daemon that facilitates remote management of SELinux policy. I added one of the IPs of this system to a group in my Enterprise Manager. The system had to be “activated” which means Brickwall had to switch from the standard targeted policy to a Brickwall policy. There aren’t really any functional differences between the two policies – a default Brickwall policy is semantically equivalent to a targeted policy as shipped by Red Hat/CentOS. But the Brickwall policy contains the structure we need in-place to customize the policy later.

Continuing w/ Brickwall I started restricting network settings for the services I would be running (listed above). I restricted things like the spam, virus, mysql, and other mail filtering services to local host only. I restricted service ports to meet my requirements. I applied the configuration changes and rebooted and went into enforcing to verify services came up in the proper domain after a reboot.

All of the SELinux domain names show exactly what processes they target so run`ps axZ`. All of you key services should be running as “*:*:servicename_t”, such as “mysqld_t” or “httpd_t” or “postfix_smtp_t”.

The only thing that should be “unconfined_t” is user processes or custom services that aren’t targeted by SELinux. Note that there are some 200 odd applications or services covered by SELinux so there is a good chance your “custom service” is covered.

[1] Disclaimer: I work for the company that makes Brickwall. Since I’m only an amateur blogger (not commerically endorsed, still eligible for the Bloglympics) and since this doesn’t appear on tresys.com I’m not going to be writing a review or praise the software, I’m just going to run through using it to batten down the hatches on my system.

Continue reading »]]> I recently decided that the tried and trusted [1] personal information management tool I had been using, a G5 pen and a Levenger Circa, wasn’t doing much to manage the information on my computer. In actuality I had the paper notebook, Entourage, iPhoto, folder structures, del.icio.us, etc to manage all my information. For awhile I thought this system rocked. Then I thought it was missing something. Then I thought it sucked. Then I knew it sucked. Then I thought about how all this information was like disconnected graphs. Then I wanted to kill my discrete math professor. It was time to do something about this mess. Someone had to be connecting the disparate information centers in life. The exploration of personal information management started anew.

I hate Entourage [2] so that was out, kGTD was great but a little to “hacky”, so after looking over the options I settled on the combo of Omnifocus (aka the kGTD on crack) and Yojimbo. I can capture notes, passwords, serials, web page archives, bookmarks blah blah blah in Yojimbo. A few scripts helped any bookmarking I do get sent to del.icio.us, Pukka, and Yojimbo as both a bookmark and a web archive. Omnifocus handles organization of everything that doesn’t already reside on a computer mainly my GTD lists. I’ve been using this combination for personal information management for about a week and it is pretty solid. I have nothing but praise for both applications.

During these phases where I’m restructuring my personal information and tasks I won’t become attached for at least a month or so. This is something that really has to grow on you. Spending a few weeks with a tool that impacts so much in your day-to-day life is the least you can do… during this period you also have to continue exploring your options. You should be open to supporting multiple systems and even moving management systems during this period. Yes using multiple systems or switching systems sucks. Just be happy you have more than one fucking system to choose from and quit your bitchin. Seriously, stop.

OK so I bitched a little inside and bottled up the frustration to let out at a later, yet to be announced date. Now today I read about this new Chandler application. Completely open source, runs on Linux, OS X (including Leopard), and Windows. It also has a standalone Tomcat app that can be used for synchronization and provides a bad-ass AJAX [3] web interface.

Some may have heard of this project before. It is a rare breed in that seems to have followed some type of development process. Haven’t read the book…. yet.

Finally, it has a bit of integration with ordinary IMAP servers; it creates special folders that you can move content into from any other email application.

You can then operate on this content using the normal management techniques supported by Chandler (GTD). For example, I sent myself an email with the simple subject line “meeting on january 2nd at 10am with ken”. When it popped up in my Entourage inbox I simply moved it to the “Chandler Events” folder. Back in the Hall of Justice (Chandler) I forced a sync. This grabbed my email and immediately realized I wanted to create a meeting on January 2nd. It leaves the item in your Inbox for processing later, a GTD concept, but the appt is already there.

But apps and other scripts can do all this. The part that I’m really looking forward to, the collaborative information management possibilities. Chandler can run stand-alone, it can connect to your iMap servers, and it can connect to Chandler servers. The people at OSAF (the group behind Chandler) have kindly provided us with Chandler hub. Until I get some friends on I can’t really test out the features but two things come to mind: porn and chicken. First, the server is a Tomcat app that provides an ajaxy gooey sweet interface even if you’re not sharing information with other people. You sync from your desktop, then you can access the information remotely from anything with a browser. Mobile browser support is not provided but you might have some luck. I expect this will be remedied quickly.

But if you are someone who interacts with other people in any way, perhaps you can take advantage of Chandlers collaborative features. PIM has just gotten personal… erh um… collaborative [4].

I’ll post a follow-up shortly. I’m going to continue using Yojimbo/Omnifocus but will experiment with Chandler and possibly other collaborative tools for the next few weeks. Like I said, sometimes information management sucks but the benefits are amazing.

Inbox:

1. Fix P is for Collaboration Part 1
2. Write second article discussing for P is for Collaboration Chandler in more detail.
3. Add this to my Chandler inbox.

Continue reading »]]> I just finished moving the last of my content into WordPress pages. I got tired of my old theme and decided to give up on integrating WordPress into my existing site. I was spending a significant amount of time just merging in the changes from WordPress releases without clobbering all of my customizations. It had officially become a pain in my ass. School, and Projects are now available in the other Other… section at the top. I might them up to the top-level but for now they are there.

Aside from moving the content and fixing it to adhere to my theme and WordPress’ requirements I had to come up with some magic mod_rewrite rules to redirect the old pages to the new pages including query strings. I hadn’t used QUERY_STRING in redirects before so it was a learning experience and quickly reminded of the love/hate relationship I have with mod_rewrite. Here are the new components:

RewriteCond %{REQUEST_URI}              ^/wordpress.*$ [NC]
RewriteRule wordpress/(.*)            http://beyondabstraction.net/$1 [R=301,L]

# legacy url rewriting
RewriteCond %{REQUEST_URI}              ^/school.php$ [NC]
RewriteRule ^school.php$                http://%{SERVER_NAME}/stuff/school/ [R=301,L]
RewriteCond %{REQUEST_URI}              ^/school-stuff/?$ [NC]
RewriteCond %{QUERY_STRING}             class=([^&;]*)? [NC]
RewriteRule .*                  http://%{SERVER_NAME}/stuff/school/%1/? [R=301,L]

RewriteCond %{REQUEST_URI}              ^/sonyfs660/?$ [NC]
RewriteRule sonyfs660/?            http://beyondabstraction.net/stuff/vaio-fs660/ [R=301,L]

RewriteCond %{REQUEST_URI}              ^/projects.php.*$ [NC]
RewriteRule projects.php(.*)?            http://beyondabstraction.net/stuff/projects/$1 [R=301,L]

Since I’ve never posted these in their entirety before I’m attaching my top-level .htaccess and my 403 page [1] [2]. The 403 page uses flushes to display content to humans while staying in a loop to waste spammers time.

I had to add a .htaccess rule to disable output compression on the 403 directory. This is because I have Apache setup to use mod_deflate to compress the content. So mod_deflate is buffering output to compress before sending it to the client. Additionally, PHP is buffering output and the client side browsers are buffering. PHP is an easy fix via a flush() and ob_flush() call. Client side buffering is a little more tricky. Must browsers start displaying content as soon as it can be rendered. Safari, and perhaps other KHTML/Webkit based browsers, buffer until the first 1K is seen or the connection is closed. There is some magic in the 403 file to skirt around this problem.

Updated: Forgot to describe the rest of the .htaccess file. Those of you not interested in mod_rewrite should not read on as the boredom may kill you. Those of you that are interested:

1. Find a new hobby and don’t read this dribble
2. Perhaps even move and start a new life
3. At the very least should get a cup of coffee and a porno to avoid the same boredom related death as the non-interested

I’m going to pretend I didn’t post that clip from the .htaccess file above and just start over from the beginning. Please click any of the links below to see a demonstration of the rewrites.

# spammers and scanners
Order Allow,Deny
Deny from 69.13.156.208
Deny from 208.57.118.100
Deny from 216.229.143.241
Deny from 12.178.36.25
Deny from 81.95.146.227
Deny from 68.83.37.146
Deny from 80.58.205.34
Allow from all

The next section starts the rewrite engine, ensures that the site is only reachable via very certain host names [3]. It also provides a shorthand for my security blog that can easily be written on a matchbook

<IfModule mod_rewrite.c>
RewriteEngine On

# host rewrite rules
RewriteCond %{HTTP_HOST}   !^beyondabstraction\.net [NC]
RewriteCond %{HTTP_HOST}   !^security.beyondabstraction\.net [NC]
RewriteCond %{HTTP_HOST}   !^$ [NC]
RewriteRule ^/(.*)         http://beyondabstraction.net/$1 [R=301,L]

# security sub-blog
RewriteRule ^security/?$ /category/security?title=off [R=301,L]

The next chunk is the meat of what I call “legacy support”. These are efforts a maintainer takes to avoid dead links as their site changes. These were all required when I moved to a pure WordPress site. Come to think of it, that is how this whole tangent got started. Oh well, now that you’re screwed and I’m stuck finishing…

The wordpress/ rewrite shows exactly what I mean when I say WordPress was integrated into my site; the rewritten rule shows that WordPress is now the top-level of my site. For the sake of explanation, lets say WordPress used to be at the second level. I had other content at the second level such as my school work. This meant all of that content had to be moved from the second level of my old site, to the second level of my new site inside of WordPress. These rewrites are the equivalent of setting a forwarding address for snail mail or email. The hardest one is the rewrite of a query string, a GET request. The old school pages took the class number as a GET argument to determine which page to display. I used the QUERY_STRING variable and converted it into a sub-directory. /school.php?class=cs331 will now redirect to /stuff/school/cs331.

RewriteCond %{REQUEST_URI}              ^/wordpress.*$ [NC]
RewriteRule wordpress/(.*)            http://beyondabstraction.net/$1 [R=301,L]

# legacy url rewriting
RewriteCond %{REQUEST_URI}              ^/school.php$ [NC]
RewriteRule ^school.php$                http://%{SERVER_NAME}/stuff/school/ [R=301,L]
RewriteCond %{REQUEST_URI}              ^/school-stuff/?$ [NC]
RewriteCond %{QUERY_STRING}             class=([^&;]*)? [NC]
RewriteRule .*                  http://%{SERVER_NAME}/stuff/school/%1/? [R=301,L]

RewriteCond %{REQUEST_URI}              ^/sonyfs660/?$ [NC]
RewriteRule sonyfs660/?            http://beyondabstraction.net/stuff/vaio-fs660/ [R=301,L]

RewriteCond %{REQUEST_URI}              ^/projects.php.*$ [NC]
RewriteRule projects.php(.*)?            http://beyondabstraction.net/stuff/projects/$1 [R=301,L]

The final set of rules addresses bandwidth leechers, Ebay image leechers and spam referrers. The final four lines are used to pass requests for non-existent files and directories onto WordPress as path information. WordPress then uses this information to generate dynamic pages.

# bandwidth leechers
RewriteCond %{HTTP_REFERER} ^https?://.*.ebay.com/.*$
RewriteRule .*\.(gif|GIF|jpg|JPG|png|PNG).*$ - [G,L]

# spammers
RewriteCond %{HTTP_REFERER} poker [OR]
RewriteCond %{HTTP_REFERER} medicine [NC,OR]
RewriteCond %{HTTP_REFERER} pills [NC,OR]
RewriteCond %{HTTP_REFERER} diet [NC,OR]
RewriteCond %{HTTP_REFERER} viagra [NC,OR]
RewriteCond %{HTTP_REFERER} mortgage [NC,OR]
RewriteCond %{HTTP_REFERER} casino [NC,OR]
RewriteCond %{HTTP_REFERER} insurance [NC,OR]
RewriteCond %{HTTP_REFERER} loan [NC,OR]
RewriteCond %{HTTP_REFERER} xanax [NC,OR]
RewriteCond %{HTTP_REFERER} meridia [NC,OR]
RewriteCond %{HTTP_REFERER} incest [NC,OR]
RewriteCond %{HTTP_REFERER} lesbian [NC,OR]
RewriteCond %{HTTP_REFERER} viagra [NC,OR]
RewriteCond %{HTTP_REFERER} adult [NC,OR]
RewriteCond %{HTTP_REFERER} hentai [NC,OR]
RewriteCond %{HTTP_REFERER} tramadol [NC,OR]
RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
RewriteCond %{HTTP_REFERER} gambling [NC,OR]
RewriteCond %{HTTP_REFERER} texas- [NC,OR]
RewriteCond %{HTTP_REFERER} holdem [NC,OR]
RewriteCond %{HTTP_REFERER} pharmacy [NC,OR]
RewriteCond %{HTTP_REFERER} ultram [NC,OR]
RewriteCond %{HTTP_REFERER} levitra [NC,OR]
RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
RewriteCond %{HTTP_REFERER} cialis [NC,OR]
RewriteCond %{HTTP_REFERER} payday [NC,OR]
RewriteCond %{HTTP_REFERER} bargains [NC,OR]

# WARNING: any inserted lines need NC,OR... only the last line should be NC
RewriteCond %{HTTP_REFERER} tramadol [NC]
RewriteRule .* - [F,L]

# pass everything non-file/dir as a parameter to index
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>