Apache Forbid Direct Access

Our all-company meetings are “televised” via a gotowebinar/gotomeeting type setup and are recorded for future reference. The recordings are all in wmv format. The management team wants to allow end users to view these recordings, but they have strict policies in place as to how to secure said videos.

1) the video can only be accessed while on the internal network (either local or via VPN)
2) the video cannot be downloaded, copied, or shared with others

Number 1 is very easy; just host it on a system that’s not available externally. I ended up putting it on our intranet site. Check.
Number 2, however, was a little trickier since if I just put the .wmv up on the site it would be easily downloaded with a right-click save-as.

So I converted this to a flash file. FLVs are so much nicer since they can load up in the browsers of all the end users (not iPad owners...)
Unfortunately one could still look at the source code and see the flv, right click from there and download. I initially looked at obfuscation of the code and found some good examples, but that doesn’t work entirely well since the browser will still take and show you the file locations.

So then I looked at .htaccess and how it could help.

cd /your/web/directory/and/files
nano .htaccess

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(gif|jpg|flv)$ - [F]

apache2ctl restart

I changed the “localhost” portion to “intranet” in my case, but you can really utilize anything above.

Now you get a 403 Forbidden error if you attempt to download those types of files directly.
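
The decision this rule set makes can be checked offline. The Python sketch below is an added example, not part of the original post: it mirrors the two RewriteCond tests and the RewriteRule pattern and runs them over constructed requests (the paths, host names and Referer values are made up). It shows that the outcome depends only on the Referer header the client sends, so the rule works as hotlink protection and requirement 1 still rests on the network restriction.

```python
import re

# Patterns copied from the .htaccess above (Apache uses PCRE; these two
# behave the same under Python's re module).
REFERER_ALLOW = [
    r"^http://(www\.)?localhost",
    r"^http://(www\.)?localhost.*$",
]
PROTECTED = r"\.(gif|jpg|flv)$"


def decide(path, referer=""):
    """Return the status the rule set yields: 403 if forbidden, else 200.

    Assumes the requested file exists and no other rule applies.
    """
    if not re.search(PROTECTED, path):
        return 200  # RewriteRule pattern does not match: request untouched
    # Each RewriteCond is negated (!) and case-insensitive ([NC]); they are
    # ANDed, so a Referer matching any one pattern lets the request through.
    if any(re.search(p, referer, re.IGNORECASE) for p in REFERER_ALLOW):
        return 200
    return 403  # [F]


# Constructed sample requests: (path, Referer header, note)
SAMPLES = [
    ("/video/meeting.flv", "", "URL typed directly, no Referer"),
    ("/video/meeting.flv", "http://localhost/meetings.html", "embedded in own page"),
    ("/video/meeting.flv", "http://other.example/page.html", "linked from another site"),
    ("/video/meeting.flv", "https://localhost/meetings.html", "own page served over HTTPS"),
    ("/video/meeting.flv", "http://localhost.other.example/", "host only shares the prefix"),
    ("/video/meeting.wmv", "", "extension not in the rule"),
]


def audit(samples=SAMPLES):
    """Evaluate every sample and return (path, referer, status) tuples."""
    return [(path, ref, decide(path, ref)) for path, ref, _ in samples]


if __name__ == "__main__":
    for (path, ref, note), (_, _, status) in zip(SAMPLES, audit()):
        print(f"{status}  {path:<20} Referer={ref or '-':<36} {note}")
```

The last three rows are the ones to compare against your own setup: a page served over HTTPS is refused, a host name that only starts with the allowed name is accepted, and the original .wmv files are not covered by the extension list.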

Cisco Callmanager CUCM LDAP Logs

So we had a working LDAP lookup system for our callmanager 8.x system up until very recently. What changed? We moved colocations and decided to decommission a few of the older domain controllers. No big deal, just point anything that had LDAP lookups to new DCs. Right?

So we noticed the callmanager was not populating any new employees. Hard to assign phones etc to them if that’s the case.

Connect
SSH to your CUCM box (our cucmadmin account was necessary)
I used PuTTY.

List all logs, take note of dates
file list activelog cm/trace/dirsync/log4j/ det date
The newest file should be on the bottom, looking like “dirsync0007.log” or similar

Open the log and see the errors
file tail activelog cm/trace/dirsync/log4j/dirsync00007.log
This will view the bottom part of the log (newest) live, so run an LDAP resync from the web interface of the CUCM and see the results.
Unfortunately I had to wait the 10 minute timeout period to notice that it was looking at the old LDAP server despite the changes.

If I find out why it was still pointing to the old system I will update this post accordingly.