How to enable Permalinks in WordPress on LAMP

In my last post about setting up WordPress on a LAMP, I omitted how to successfully enable permalinks, something you of course want to have on your blog.

Permalinks in WordPress are a way to give your posts pretty, human-readable URLs that are easy to link to directly.

For this to work in a LAMP environment, you need to have mod_rewrite enabled in Apache. The tricky part with WordPress is enabling mod_rewrite for the directory where your blog resides.

Most Linux distros default to rather sane settings, and typically have something like this in their Apache config:

    <Directory "/var/www/html">
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

That means (if /var/www/html is your DocumentRoot) that WordPress' way of using .htaccess to control the rewriting with mod_rewrite will not work as intended, because of the AllowOverride None directive.

The fix is easy. Just add something like this to your Apache config:

    <Directory "/var/www/html/wordpress">
        AllowOverride All
    </Directory>

And you’ll be all set! (Replace /var/www/html/wordpress above with the directory where you have WordPress installed, which is the same directory where WordPress created the .htaccess file when you enabled permalinks.)

Step-by-step guide to set up WordPress on an existing LAMP system

0. If you get permission denied on the shell commands, try prefixing them with “sudo ”.

1. Log in as root in MySQL:

    lamp$ mysql -u root -p

2. Create a database and MySQL user dedicated to WordPress:

    mysql> CREATE DATABASE blogdb CHARACTER SET utf8;
    Query OK, 1 row affected (0.00 sec)

    mysql> CREATE USER 'blogger'@'localhost' IDENTIFIED BY 'b1ogpw';
    Query OK, 0 rows affected (0.05 sec)

    mysql> GRANT ALL PRIVILEGES ON blogdb.* TO 'blogger'@'localhost';
    Query OK, 0 rows affected (0.63 sec)

3. Download and unpack WordPress into a directory served by Apache:

    lamp$ cd /var/www/html
    lamp$ wget http://wordpress.org/latest.tar.gz
    lamp$ tar zxf latest.tar.gz
    lamp$ rm latest.tar.gz
    lamp$ cd wordpress

4. Configure WordPress with the database details and secret keys (edit all occurrences of the word “here”). Use the online generator to get good values for the secret keys:

    lamp$ vi wp-config-sample.php
    lamp$ mv wp-config-sample.php wp-config.php

5. Run the WordPress installation script from a web browser. The URL will be like this:

http://your-lamp/wordpress/wp-admin/install.php

6. Add the name for your blog, a user name (admin), password, your email address, and click the “Install WordPress” button at the bottom.

7. Done! Now log in, delete the sample post and sample page, and start customising your WordPress site.

Good luck!

My Android Adventure begins

So, today I started downloading and configuring Eclipse, the Android SDK, Titanium, and even set up an account at Urban Airship, so let the coolness begin!

It should be very very interesting to see “what's new in development” these days. I haven’t used an IDE since Borland C back in… well, ages ago, anyway. I work faster in vi than in notepad, so it will surely be interesting to give Eclipse a go.

Watch out for more posts on my Android progress!

Thoughts on fake SSL certificates for web sites

As you know, a while ago, an intruder at one of Comodo's affiliates was able to issue SSL certificates for:

  • mail.google.com
  • login.live.com
  • login.yahoo.com (three different)
  • login.skype.com
  • addons.mozilla.org
  • www.google.com
  • “global trustee”

The reason for the identity theft was probably a dictatorship state planning to implement a man-in-the-middle attack, silently monitoring the HTTPS traffic to the above sites.

When you have control over all DNS traffic in and out of the country, it would be possible to spoof all the DNS replies, so that, for instance, the A record for login.yahoo.com points to your proxy, which has the bogus certificate installed to decrypt the traffic and simply resends the request to the real https://login.yahoo.com/ site.

My suggestion (at least for security-aware techies): An addition to the web browser that remembers the certificate fingerprint, issuer, and expiry date of your favorite HTTPS sites.

Each time you visit an HTTPS site, a simple local lookup will compare the site's certificate with the remembered value, and if it has changed, present the user with a notice and a choice to cancel or investigate. For instance, if mail.google.com changes from a Verisign certificate to a smaller CA (Comodo, StartCom, etc.) long before the expiry date, you may want to think twice before continuing.
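The local lookup suggested above, sketched as an added example (not code from this post or from any browser). The names CertRecord, CertMemory, make_record and demo are hypothetical, and the sample certificates and dates are constructed stand-ins rather than real DER data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class CertRecord:
    fingerprint: str      # SHA-256 over the DER-encoded certificate, hex
    issuer: str
    not_after: datetime   # expiry date

def make_record(der: bytes, issuer: str, not_after: datetime) -> CertRecord:
    return CertRecord(hashlib.sha256(der).hexdigest(), issuer, not_after)

class CertMemory:
    """Remembers the last accepted certificate per host (hypothetical helper)."""

    def __init__(self):
        self.remembered = {}

    def check(self, host, cert, now):
        """Return (verdict, reasons). Any fingerprint change yields 'changed'."""
        old = self.remembered.get(host)
        if old is None:
            self.remembered[host] = cert      # nothing to compare against yet
            return "first-seen", []
        if old.fingerprint == cert.fingerprint:
            return "match", []
        reasons = ["fingerprint changed"]
        if old.issuer != cert.issuer:
            reasons.append(f"issuer changed from {old.issuer} to {cert.issuer}")
        days_left = (old.not_after - now).days
        if days_left > 0:
            reasons.append(f"remembered certificate had {days_left} days until expiry")
        return "changed", reasons             # old record is kept until accept()

    def accept(self, host, cert):
        """Called only after the user investigated and chose to continue."""
        self.remembered[host] = cert

def demo():
    # Constructed sample data: the byte strings stand in for DER certificates.
    good = make_record(b"constructed-cert-1", "VeriSign", datetime(2012, 3, 1))
    other = make_record(b"constructed-cert-2", "Comodo", datetime(2014, 3, 1))
    mem = CertMemory()
    now = datetime(2011, 3, 20)
    return [mem.check("mail.google.com", good, now),
            mem.check("mail.google.com", good, now),
            mem.check("mail.google.com", other, now)]

if __name__ == "__main__":
    print(demo())
```

The changed certificate is not stored until accept() is called, so cancelling leaves the remembered value intact and the next visit triggers the same notice.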

See Comodo’s blog for more info.

Comments are always welcome.