Do Not Analyze Me

I like using Google Analytics for tracking statistics. Those statistics read like porn to a guy who loves numbers. There is only one problem with them - they count every visitor. That also means that my administrative tasks are skewing the numbers. We cannot have that!

In order to disable logging of our own visits we need to check what exactly the Analytics code does:

<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-4401313-2']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script> 

The code is pretty simple and the only place where any action can possibly happen is line 7, where we see the ga.js script. Depending on whether our page is http or https, those URLs are http://www.google-analytics.com/ga.js and https://ssl.google-analytics.com/ga.js respectively. As soon as we disable those two servers our own visits will not be logged.

Since we cannot disable the servers as such, we need to do the next best thing and disable them in our part of the universe. There is a nice file called “hosts” situated in “C:\Windows\System32\drivers\etc” (or in “/etc” for *nix systems). In this file we can override any DNS resolution and assign any IP address to any host name.

The file format is quite simple and I will not explain it here. It is enough to say that we just need to append two lines (after adding write permissions, since by default this file is not writable by a normal user):

127.0.0.1	www.google-analytics.com
127.0.0.1	ssl.google-analytics.com

These lines simply point any request for the Analytics servers at our own computer. Since we do not have Google’s infrastructure it is pretty safe to assume that all requests will go nowhere. And that also means that a computer with this “fix” will not be recorded by Google Analytics.

P.S. Modifications to the “hosts” file are a great way to annoy somebody in the office who left their computer unlocked.
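
A small audit of the override described above, added here as an example and not part of the original post: it lists what a hosts file redirects and checks that a given name is pinned to loopback, which also surfaces entries you did not add yourself. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample hosts file (not taken from a real machine).
sample_hosts() {
    printf '%s\n' \
        '# constructed sample' \
        '127.0.0.1   localhost' \
        '127.0.0.1   www.google-analytics.com' \
        '127.0.0.1   ssl.google-analytics.com   # added by hand' \
        '10.0.0.5    intranet.example.test wiki.example.test'
}

# Print "name<TAB>address" for every entry except the stock localhost/ip6-* ones.
hosts_overrides() {   # usage: hosts_overrides FILE
    awk '
        { gsub(/\r/, ""); sub(/#.*/, "") }   # CRLF (Windows) and comments
        NF < 2 { next }                      # blank, or address with no name
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name ~ /^(localhost(\..*)?|ip6-.*|broadcasthost)$/) continue
                print name "\t" $1
            }
        }
    ' "$1"
}

# Succeeds when the first entry for NAME is a loopback address.
is_blackholed() {   # usage: is_blackholed FILE NAME
    hosts_overrides "$1" | awk -v n="$2" '
        $1 == tolower(n) && !seen { seen = 1; ok = ($2 ~ /^127\./ || $2 == "::1") }
        END { exit !(seen && ok) }
    '
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_hosts > "$tmp"
hosts_overrides "$tmp"
is_blackholed "$tmp" www.google-analytics.com && echo "analytics host is pinned to loopback"
rm -f "$tmp"
```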

Homelessness

My laptop died again so I am currently using my wife’s laptop. I got my account there but it is annoying how much effort must go into setting up the environment. As soon as I install something, I notice something else missing.

What I didn’t expect is the effect it has on my productivity. I just can’t be bothered to do anything new. And it is not that I miss my particular laptop, I just miss a place to call home.

What is most annoying is the fact that, as soon as I set up the whole environment, my old laptop will be repaired and, in the worst case scenario, I will need to repeat everything once more. Nitpicker’s work is never done…

Manning


As I bought yet another book a few days ago, I noticed that most of my IT book purchases are going to Manning. Whenever I need a book, they are the first site that I check. If there is a book there, I will check no further.

Probably the main reason for this is their stance toward DRM - there is none! Once I buy a PDF book I can read it on whichever device I want to. I can make a million copies. The only thing they add is your name in the footer of every page. Cynics would call this social DRM but I find it acceptable and quite unobtrusive when reading on a computer or on paper.

Most e-book readers are notoriously lousy when it comes to PDF and Manning fortunately recognized this as of late. Almost all new books come with mobi (Kindle) and ePub support alongside PDF (and you only pay once for all three). Some older books are getting e-book versions also, but Manning is taking their time.

The selection of books is quite nice, especially in the .NET compartment where you can find a gem such as C# in Depth by Jon Skeet, easily the best book on C#. Other authors and books are also way above minimum quality. I would definitely say that, at least for the books that I have read, quality ranges from good to excellent.

If you want a view of the newest technology, where the book is still being written, Manning has a solution for that also. It is called MEAP (Manning Early Access Program) and, in a nutshell, it gives you access to a book as it is being written. You buy the book in advance and every month or so you get the next few chapters to read, and that goes on until the book is completed. During that time you have access to the author and you can give him notice of an error, steer him in another direction, or just annoy the hell out of him. :) It rarely happens that a MEAP book is cancelled, and in that case Manning offers a full refund (or two free books for your emotional suffering).

A nice touch is that I have probably never paid full price for a book. It is really hard to find a time of year when there isn’t some coupon code to take 30% or more off a purchase (they adore giving 42% discounts). If you are patient enough there is also the Deal of the Day offering, where each day there is a book with a discount. I find it almost impossible to pay full price.

There are bad things also. The site looks like something from 10 years ago, their account center is almost impossible to find and, once you find it, you will curse at the annoying interface. Other than this, they are pretty close to being perfect.

P.S. For a company with colorful book covers, they have a really ugly logo.

P.P.S. No, I was not paid for promoting them.

Mercurial Over Both Http and Https

My last post about Mercurial left us with the Mercurial server listening to https-only requests. This is probably the best solution security-wise but there might be valid reasons for having it on http also (e.g. performance within a local network).

The solution lies in editing “/etc/apache2/sites-available/hg” to have two configurations - one for http and one for https:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/hg/cgi-bin
    <Directory "/srv/hg/cgi-bin/">
        SetHandler cgi-script
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hg.log
    <Location />
        AuthType Basic
        AuthName "Mercurial"
        AuthUserFile  /srv/hg/.htpasswd
        Require valid-user
    </Location>
    RewriteEngine on
    RewriteRule (.*) /srv/hg/cgi-bin/hgweb.cgi/$1
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/hg/cgi-bin
    <Directory "/srv/hg/cgi-bin/">
        SetHandler cgi-script
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hg.log
    <Location />
        AuthType Basic
        AuthName "Mercurial"
        AuthUserFile  /srv/hg/.htpasswd
        Require valid-user
    </Location>
    RewriteEngine on
    RewriteRule (.*) /srv/hg/cgi-bin/hgweb.cgi/$1
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /srv/hg/https.crt
    SSLCertificateKeyFile /srv/hg/https.key
</VirtualHost>

After a quick Apache restart your Mercurial will answer both http and https requests.
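
Both virtual hosts above use “AuthType Basic”, and over plain http the user name and password travel base64-encoded rather than encrypted. The following check, an added example that is not from the original post, lists the virtual hosts where Basic auth is served without “SSLEngine on”; the function names and the trimmed sample config are constructed.

```shell
#!/bin/sh
# Constructed sample: the two vhosts from the post, trimmed to the relevant lines.
sample_vhosts() {
    cat <<'EOF'
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
    <Location />
        AuthType Basic
        AuthUserFile  /srv/hg/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:443>
    <Location />
        AuthType Basic
        AuthUserFile  /srv/hg/.htpasswd
        Require valid-user
    </Location>
    SSLEngine on
</VirtualHost>
EOF
}

# Print the address of each <VirtualHost> that uses "AuthType Basic"
# but never turns "SSLEngine on".
plaintext_basic_auth_vhosts() {   # usage: plaintext_basic_auth_vhosts FILE
    awk '
        { sub(/^[ \t]+/, ""); line = tolower($0) }
        line ~ /^#/ { next }
        line ~ /^<virtualhost[ \t]/ {
            addr = $2; sub(/>$/, "", addr)
            in_vh = 1; basic = 0; ssl = 0; next
        }
        in_vh && line ~ /^authtype[ \t]+basic/ { basic = 1 }
        in_vh && line ~ /^sslengine[ \t]+on/   { ssl = 1 }
        line ~ /^<\/virtualhost>/ {
            if (in_vh && basic && !ssl) print addr
            in_vh = 0
        }
    ' "$1"
}

# Demo: reports "*:80" for the constructed sample.
sample_vhosts | plaintext_basic_auth_vhosts -
```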

Mercurial Over Https

My guide on making a Mercurial server left us with http as the protocol of choice. This might be ok in a local network but https would be a more comfortable choice. This post starts with an already running Mercurial server on Ubuntu.

Apache does come with an https module which has to be enabled:

sudo a2enmod ssl
 Enabling module ssl.
 See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
 Run '/etc/init.d/apache2 restart' to activate new configuration!

Before restarting Apache we need to create a few things (key, certificate signing request, certificate) and the easiest way is to create them ourselves (write whatever you want for the organization details):

openssl genrsa -out https.key 1024
 Generating RSA private key, 1024 bit long modulus
 ..........++++++
 ......++++++
 e is 65537 (0x10001)

openssl req -new -key https.key -out https.csr
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]: 
 State or Province Name (full name) [Some-State]: 
 Locality Name (eg, city) []: 
 Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
 Organizational Unit Name (eg, section) []: 
 Common Name (eg, YOUR name) []: 
 Email Address []: 

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []: 
 An optional company name []: 

openssl x509 -req -days 36500 -in https.csr -signkey https.key -out https.crt
 Signature ok
 subject=...
 Getting Private key

Once the keys are created we must enter the following lines in “/etc/apache2/sites-available/hg” (I left other stuff for clarity):

NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/hg/cgi-bin
    <Directory "/srv/hg/cgi-bin/">
        SetHandler cgi-script
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hg.log
    <Location />
        AuthType Basic
        AuthName "Mercurial"
        AuthUserFile  /srv/hg/.htpasswd
        Require valid-user
    </Location>
    RewriteEngine on
    RewriteRule (.*) /srv/hg/cgi-bin/hgweb.cgi/$1
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /srv/hg/https.crt
    SSLCertificateKeyFile /srv/hg/https.key
</VirtualHost>

With this we are ready for restart:

/etc/init.d/apache2 restart
 * Restarting web server apache2
     [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting [warn] NameVirtualHost *:80 has no VirtualHosts

After these changes Mercurial is listening ONLY on https. Since we made a self-signed certificate, the browser will complain about verification, but that is quite normal.
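
The key and self-signed certificate from the steps above can also be produced without the prompts and checked afterwards. This is an added example, not the original post’s commands: it uses a 2048-bit key, since 1024-bit RSA is no longer considered adequate, and a 365-day default validity; both values, the function names and hg.example.test are assumptions.

```shell
#!/bin/sh
# Create DIR/https.key (2048-bit RSA) and DIR/https.crt (self-signed) without prompts.
make_selfsigned() {   # usage: make_selfsigned DIR COMMON_NAME [DAYS]
    (
        umask 077   # files are created readable by their owner only
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$1/https.key" -out "$1/https.crt" \
            -days "${3:-365}" -subj "/CN=$2" 2>/dev/null
    )
}

# Print the modulus size of an RSA private key in bits.
key_bits() {   # usage: key_bits KEYFILE
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds when the certificate and the private key share the same modulus.
cert_matches_key() {   # usage: cert_matches_key CRTFILE KEYFILE
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Demo in a scratch directory; hg.example.test is a placeholder name.
dir=$(mktemp -d) &&
    make_selfsigned "$dir" hg.example.test &&
    echo "key size: $(key_bits "$dir/https.key") bits" &&
    cert_matches_key "$dir/https.crt" "$dir/https.key" &&
    echo "certificate matches key"
rm -rf "$dir"
```

Running key_bits against a key made with the genrsa command shown earlier prints 1024.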

P.S. To use both http and https, read some more.