Tiny Deathstars of Foulness

OS X Server 5 dropped last week. It’s the first time I’ve seen an OS X Server version drop before an OS release. I’m guessing there was an impetus to get it out the door before OS X 10.11 ships, so that caching and software update servers can facilitate quicker adoption and tools like Profile Manager will work on 0-day. But, there are some funny issues that are popping up. One of these is OS X Server usurping some ports that would otherwise potentially be used by other tools. Notably for Casper administrators, this includes port 8443. So here are some issues I’ve seen with Apache in the latest OS X Server.

Ports are in use that shouldn’t be

This is of particular interest to people running Tomcat sites (e.g. Casper admins). If you have a 3rd party service that isn’t loading, you may find that a port is already in use. For example, let’s say that you’re trying to start a JSS on port 8443. Well, let’s say you run stroke and you see this (when the JSS is stopped):

/System/Library/CoreServices/Applications/Network\ 8443 8443

And let’s say you get this response (again, with the JSS stopped):

Open TCP Port:      8443      pcsync-https

Well, that means that the server has probably just totally ganked port 8443 for that funky new proxy thing. In /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf there are a few new funny things due to proxy services (that whole proxy folder is new btw). One of which is the fact that the server listens on some ports you might not mean for it to listen on, by default including 80, 443, 8008, 8800, 8443, and 8843. The server always had a default site listening on ports 80 and 443, but now Caldav response is using 8443 for a Virtual Host for the CalendarServer that redirects to /webcal on port 443. Arg. There are a few things you can do to correct this. One would be to comment out one of the lines for the listeners. For this, find the line that reads:

listen 8443

And replace it with:

#listen 8443

This would likely spawn some errors in your apache logs when the virtual hosts that also use 8443 try and load. So you’ll likely also want to comment out the virtual host section of the file. For this, look for <VirtualHost *:8443> to that virtual hosts </VirtualHost> and comment out the whole section. Another option, if you do actually want to use the server as a calendar server as well, might be to replace the asterisk in the definition with an IP address or hostname, which would bind that port to a specific IP address or hostname.

This would be true if you have something using 8008, 8800 (think Kerio), etc.

Also, consider that there’s a /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites*.conf entry. For 5.03 and 5.04, this isn’t an issue, but any time you see an include like that, you could be loading up multiple includes in the future. Which could introduce additional tasks. Also, keep in mind that you’ll want to keep a backup of this file handy. It’s in a place in your system where Apple can change things in the file without any concern around customizations you previously made in the file. Therefore, in a subsequent software update, you may need to restore that file.

You don’t get prompted that there’s a new version of OS X Server

When you install OS X Server 5, the next time you open the Server app, you should get prompted that the Server app has been replaced and then go through a little assistant. If you don’t, reboot, throw the in the trash, redownload and reopen the app. That should take care of that issue.

Certificates don’t get migrated

The /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf file will have a number of certificates. These include SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile. In /etc/certificates, you’ll have some certificates. For example, on my server, I have:

Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.cert.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.chain.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.concat.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.key.pem

One is built based on the promotion of OD, another is a fallback, and the one with the funny GUID in front of it is usually the one that you’d use when defining these fields. If OS X Server doesn’t see the correct pem files that it’s expecting it will just create new ones. The old ones are still there. So, if a service like Profile Manager is totally busted, you can backup the /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf and edit the path to the certificates in the file to correct them. Reboot and see if Profile Manager fires up. On one machine, I also had to trash the Server app again and install it again, but just pointing the paths to the correct location worked for the most part (also, note that I had to use the full path of a file rather than just the name of the file). Oh, don’t forget, this would need to be done for each virtual host with an offending certificate chain.


Apache binds ports to all IPs

A final issue I’ll point out is that servers that I’d customized the IP that Apache listens on needed to be reconfigured. This is done in the see /Library/Server/Web/Config/Apache2/httpd_server_app.conf configuration file. Here, look for a line for Listen. It will be commented out as so:


If you want to only have a given port listen on a given IP, use that section of that file to customize how the listener should operate. For example, if you have an IP on your machine of and you only want port 80 listening on that port, use the following



Overall, I would say that if you haven’t upgraded to Server 5 on a Yosemite system, that I’d hold off. There are some funny kinks that need to be worked out and I’d hate to be the one figuring some of this out if I wasn’t planning on a funky upgrade session (e.g. if I had a limited downtime window).

September 22nd, 2015

Posted In: JAMF, Java, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , ,

The Caching Server in OS X Server 5 (for El Capitan and Yosemite) now does content and Software Updates. Woohoo, the promised land. Now, when 10 of your users download that latest Nicholas Sparks book and movie, you only sacrifice your WAN pipe to download it once, and the other 9 people piggy-back off that. And when OS X El Capitan ships, you only need to download it over the WAN once, and the other local users will pull off that spiffy Caching Server sitting in your office. Pretty sweet, right?

So, how do you use this ultra-complicated service. Well, it looks and feels kinda’ like an iPad app. Which is to say that as far as server stuffs go, this thing is pretty darn easy to use. To get started, open the Server app and then click on the Caching service in the sidebar of the Server app.

Screen Shot 2015-09-10 at 10.49.00 PM

Here, click on the ON button. OMG, so hard. But wait, there’s more! Click on that Change Location button and you can select a larger volume for your updates that are cached. You’ll likely wanna’ do this because the entire series of OZ is kinda’ big (and yes, creepy, but really well written)…

Screen Shot 2015-09-10 at 10.50.21 PM

If you do change the location, you’ll see a window to change the volume you’re caching to. That’s pretty much it. Other than the waiting for the updates to move. By default, the Caching service allows for unlimited space. Use the spiffy slider to reduce the total amount of space that the service can occupy on the hard drive. This can be a good thing if it happens to be your boot volume and there are other more mission critical services hosted on that thing.

Screen Shot 2015-09-10 at 10.54.04 PM

Overall, this all seems pretty straight forward. So what else might you need to know. In case you get a corrupt asset, or in case your volume fills up, there’s a Reset button, to reset the cache.

Screen Shot 2015-09-10 at 10.53.04 PM

The service can be controlled from the command line as well. To start it, use the serveradmin command along with the start verb and the service name (oddly, that’s caching).

sudo /Applications/ start caching

To stop the service, use the stop verb along with the service name:

sudo /Applications/ stop caching

To see a list of settings, use the settings verb with the service name:

sudo /Applications/ settings caching

The settings are as follows, mostly available in the Server app:

caching:ReservedVolumeSpace = 25000000000
caching:CacheLimit = 350000000000
caching:ServerRoot = "/Library/Server"
caching:ServerGUID = "DEE63BBB-9F32-428B-B717-E3941F82E2DC"
caching:DataPath = "/Library/Server/Caching/Data"
caching:LocalSubnetsOnly = yes
caching:Port = 0

One setting you might choose to change is the reserved volume space, as this can keep you from getting the service started on smaller volumes. In the above example, the setting is 250 gigs. To change that to 100 gigs:

sudo /Applications/ settings caching:ReservedVolumeSpace = 10000000000

September 20th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

Every now and then you run into a problem with a caching server that causes you to need to clear out the cache. If running Squid, you can look in the /etc/squid/squid.conf configuration file and find a setting in that file called the cache_dir, which is a path. For example, we’ll use /var/squid/cache in this article.

squid_logoYou can clear the cache of a Squid proxy then, by deleting that directory:

rm -Rf /var/squid/cache

Then recreate the cache directory:

mkdir /var/squid/cache

Then run squid with a -z option:

squid -z

Then fire up squid again:


January 11th, 2014

Posted In: Mac OS X, Mac OS X Server, Network Infrastructure, Ubuntu, Unix

Tags: , , , ,

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. The best, in my experience, has been using a proxy.

In Apple Configurator 1.2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps.

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

The above has I am all about layered defense, though. Or if a proxy is not an option then having an alternative. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator, see the below profile.

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

October 19th, 2012

Posted In: iPhone

Tags: , , , , , , , , , , , , , , , , ,

Tor is a tool that can be used to proxy your online communications between multiple, randomly selected, global providers effectively anonymizing your Internet traffic. Tor is a free anonymizing service, but doesn’t also encrypt your traffic.

Privoxy is a non-caching proxy that also has a certain amount of filtering built into it. Many may use privoxy to do adware removal. But it can also be used to filter information for Tor. Installers are available at Once you have installed privoxy you can access the configuration page at Because privoxy is a command line tool, you can also access the help page for that using the following command (using privoxy as your working directory):
privoxy –help

By default privoxy will install the following files on your system:

  • /usr/sbin/privoxy
  • /etc/privoxy/config
  • /etc/privoxy/match-all.action
  • /etc/privoxy/default.action
  • /etc/privoxy/user.action
  • /etc/privoxy/default.filter
  • /etc/privoxy/user.filter
  • /etc/privoxy/trust
  • /etc/privoxy/templates/*
  • /var/log/privoxy/logfile

But you don’t have to install any of that.  Or use it manually – you can, but you don’t have to.  You can download the Vidalia Tor installer bundle, which will install privoxy, Vidalia, Tor and the Torbutton extension for Firefox. The installer package can be run choosing all of the defaults and then will need a reboot. Once complete, open Firefox (the first time it will install the extension, quit Firefox and then reopen it to activate it) and you’ll see Tor Disabled in the lower right hand corner of Firefox. You’ll then be able to click on it to switch over to using Tor from within Firefox. Click on it again and it will disable Tor again.

Overall, this is a nice and sleek design for obtaining anonymous web communications. Obviously, if you use it to log into your Twitter account, that’s not anonymous. But browsing and posting to sites does not link back to your IP address, which is one key aspect of Tor. You’re also still connecting over standard protocols. Again, Tor does nothing to encrypt data – it is a service dedicated to anonymity.

July 31st, 2009

Posted In: Mac OS X, Mac Security

Tags: , , , , , , ,

Final Cut Server allows you to archive the primary representation (or the original file) for assets that are cataloged.  When you do so, the proxy clips (low resolution versions) of your assets still live on the Final Cut Server.  However, the primary representation, once moved to your archive device can then be archived off to another form of media.

There are a variety of strategies to manage archived media. The one I will describe here is using the Amazon S3 storage service at a cost of approximately $.12 to $.15 per gigabyte. As a conduit to and from Amazon S3 we will use the Jungle Disk application, which uses the Amazon S3 API to provide a mount point to Mac OS X.  Before you get started, first create an Amazon account (or enable Amazon Web Services for your existing Amazon account).  Once you have enabled Web Services, click on the link that will be emailed to you that allows you to create an Access Identifier. Also keep in mind that file sizes cannot be larger than 5GB per file.

To get started, download Jungle Disk from Once downloaded, run the installer. At the welcome screen click on Next.  At the Jungle Disk Account Information screen enter the Access Identifier and the Secret Key for your user account.

Next, tell Jungle Disk to use the storage from Amazon as a Network Drive. Here, I gave this drive a name of FCSBackup.

Next, create a new bucket (or use one you have already created).

To create a new bucket, click on Next. At the Bucket Setup screen provide a name for your bucket of storage within S3.  I called my bucket fcsvrbackup.  Here you can use standard or high encryption. Speeds will be reduced with high encryption but the data will be more secure. Click Next when you are satisfied with your settings and then click on Finish to complete the installation.

Next, for speed we’re going to do a little quick tuning.  Open the Jungle Disk Configuration application and then click on Network Drive for the fcsvrbackup bucket.  Then increase the maximum cache size and check the box for Upload files in the background for faster performance.

Next, open /Volumes and verify that you see your fcsbackup (or whatever you decided to name the volume).  Alternately you can use the Bucket menu from within JungleDisk Monitor to click on Show Network Drive in Finder.  Once you have verified that your mount is there, test copying data to the folder to verify that you have full write access. Once you are finished, open the Final Cut Server System Preference pane. Then click on the plus icon (+) to bring up your Device Setup Assistant.

Here, click on the Local Device type and click on Continue.  

Next, open a Finder screen and open /Volumes/ (Command-Shift-G).

Now drag the FCSBackup over to the location field in the Device Setup Assistant and provide a name for your Final Cut Server to refer to your Device as (I used Amazon Backup here). Now click Continue.

Next, check the box for Enable as an Archive Device and click on the Continue button. At the next screen, click Finish.

Now go to your trusty Final Cut Server client application and control click (or right click if you’re so inclined) on an asset. Here, you will click on the Archive item in the dialog box.

Now, if you go to the FCSBackup volume you should see the file you decided to archive. These will be stored in a folder that corresponds to the device ID that Final Cut Server has for your “device”. Only the primary representation has been moved at this time, so your proxy media for these files is still in your proxy bundle. Now, click on the asset within the Final Cut Server client application and then perform a get info (Command I). You will now see the relative path to your device that the file is in. You can now unmount the FCSBackup drive and you will still be able to access the file. Once you have uploaded some files, tap into Amazon and check out how much they’ve charged you…

November 14th, 2008

Posted In: Final Cut Server

Tags: , , , , ,

Firefox users who wish to filter browsing (eliminate filtered words, etc) can use ProCon Latte, a Plug-in for Firefox.  ProCon is available at and can easily be deployed alongside Firefox.

January 16th, 2007

Posted In: Mac OS X, Mac OS X Server, Mac Security, Windows XP

Tags: , , , , ,