Scenario

You are doing a Ubuntu LTS upgrade from 14.04. Having new 16.04 installed, everything seems fine, but after the upgrade to 18.04, Apache shows only blank pages for PHP sites. Even simple commands like phpinfo() do not work. The common log files do not show any information about it.

Cause

The general PHP upgrading process from 5 to 7 (and to 7.2) seems to not always work well.

For whatever reason, the Ubuntu upgrade process declares some Apache PHP library modules as obsolete and deletes them, or at least disables them. So you might finish the upgrade with Apache having not enabled any PHP library module at all.

Quick Fix

Re-enable the module:

a2enmod php7.2

Details

See /etc/apache2/mods-available directory to find the most recent available PHP module version.

If no PHP module is installed, run

apt install libapache2-mod-php7.2

See /etc/apache2/mods-enabled for potential dead links, then re-enable the module via above a2enmod command.

Additional Note

Ubuntu 18 upgrade also removes Let’s Encrypt’s certbot tool, you might have to reinstall it.

 [:]

In a previous post, I explained how to set up Mikrotik Routerboards as a VPN gateway.

This post is about how to remotely switch the VPN on and off via Smart Home visualization OpenHAB 2, so it affects your whole LAN. You can even switch to other VPN servers, conveniently via phone or browser interface.

Basic procedure: User starts a command via OpenHAB interface -> SSH commands are executed via shell -> RouterOS accepts the commands.

SSH preparation

First we need to establish a simple and secure connection between your server (e.g. Ubuntu, running OpenHAB) and your routerboard, which can be used in scripts without passwords.

On your OH server, execute:

su - openhab -s /bin/bash #the Linux user which is running the OpenHAB process
mkdir /ssh-mikrotik
cd /ssh-mikrotik
ssh-keygen -t rsa #as location, choose /ssh-mikrotik/id_rsa

Copy the file /ssh-mikrotik/id_rsa.pub to your Mikrotik device, e.g. via WinSCP and RouterOS WinBox (or FTP / terminal).

Then open WinBox -> System -> Users and create a user “openhab” with full permissions. If you want, restrict it to a certain IP address.

In “SSH keys” tab, import the file id_rsa.pub you copied before, and assign it to Mikrotik user “openhab”.

Test the SSH connection on your OH server:

ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "echo asdf" # assuming 10.1.0.11 is your RouterOS device

Scripts

You need some scripts on your OH server to get the VPN state and be able to control it.

#!/bin/bash

if [ "$1" = "ON" ]
then
        echo "enabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client enable myvpn" #assuming your VPN runs via PPTP and is called "myvpn"
fi

if [ "$1" = "OFF" ]
then
        echo "disabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client disable myvpn"
fi

<?php

$result = `ssh -l openhab -i /ssh-mikrotik/id_rsa  10.1.0.11 "/interface pptp-client print where name=myvpn"`;

#echo $result;

$lines = explode("\n", $result);

//offline?
if (count($lines) < 5)
{
        echo "error";
        exit;
}

$line = $lines[1];

$expl = explode(" ",$line);

#var_dump($expl);

if ($expl[3] == "R")
{
        echo "ON";
}
else
{
        echo "OFF";
}

?>

Make both scripts executable by the openhab user:

chmod a+x openhab /ssh-mikrotik/vpn-*

You can later extend these scripts e.g. to be able to switch to another VPN host. Use the commands like in WinBox terminal, e.g. “/interface pptp-client set myvpn connect-to=example.com”.

Execute the scripts in your OH server’s shell manually to see if they work (they must be able to run under user openhab).

OpenHAB2 configuration

The last step is to configure OH visualization.

We use the Exec binding for OH2, so make sure it is enabled in runtime.cfg (or in your preferred OH admin interface).

Thing exec:command:Vpn-Control [command="/ssh-mikrotik/vpn-control.sh %2$s", interval=0, autorun=true] 
Thing exec:command:Vpn-Status [command="/usr/bin/php /ssh-mikrotik/vpn-status.php", interval=3600, timeout=15]

String VPN "VPN" <network> (All) { channel="exec:command:Vpn-Control:input", channel="exec:command:Vpn-Status:output", autoupdate="true"}

Switch item=VPN

You should now be able to control your VPN interface via OpenHAB:

[:]

Decline disposable email domains

To add another obstacle for bots and to make the checkout process not more complex than needed, I added some additional code in Magento’s root directory.

It declines the customer’s email address if it comes from a disposable email (trash mail) provider. So for the checkout to complete, the customer is forced to enter a valid (non-trash) email address.

This list on Github seems to be pretty much complete and can be queried directly e.g. here.

<?php

//2017-06 DXSdata.com

if (isset($_POST['billing']))
{
       //https://github.com/ivolo/disposable-email-domains
        //look if listed as disposable email domain
        if (@$tmp['email'])
        {
                $result = @file_get_contents("https://open.kickbox.io/v1/disposable/".$tmp['email']);

                if ($result)
                {
                        $result = json_decode($result);
                        if ($result)
                        {
                                if ($result -> disposable)
                                {
                                        $_POST['billing']['email'] = '';
                                        mail("office@dxsdata.com", "disposable email detected: ".$tmp['email'], "", "From: office@mywebser.ver");
                                        exit;
                                }
                        }
                        else mail("office@dxsdata.com", "could not check disposable email domain","","From: office@mywebser.ver");
                }
                else mail("office@dxsdata.com", "could not check disposable email domain","","From: office@mywebser.ver");
        }


}

Then include it in your Magento’s index.php:

<?php
#only add the following line:

include('checks.inc.php');

#original:
/**
 * Magento
 *
...

Note: After every update, security patch etc., check your index.php file if the include command is still there. Re-add it, if necessary.

Restrict admin access to certain IP ranges

In addition, it definitely makes sense to make the virtual /admin subdirectory more secure. It does not really exist in Magento’s file structure, so you cannot use .htaccess files like it can be done for the /downloader directory. But you can extend the new checks.inc.php file you created before:

<php
#addition

function isAllowedAsAdmin()
{
    $whitelist = array(
        '10.1.*',
        '192.168.1.*',
        '77.1.2.34',
        '234.45.567.80'
    );

    if(in_array($_SERVER['REMOTE_ADDR'], $whitelist))
        return true;
    else{
        foreach($whitelist as $i){
            $wildcardPos = strpos($i, "*");

            if($wildcardPos !== false && substr($_SERVER['REMOTE_ADDR'], 0, $wildcardPos) . "*" == $i)
                return true;
        }
    }

    return false;
}

if (strpos($_SERVER['REQUEST_URI'], "/admin") !== false)
{
    if (!isAllowedAsAdmin())
    {
        echo $_SERVER['REMOTE_ADDR'] . " not allowed.";
        exit;
    }
}

 [:]

Signup

Create an account on www.github.com, should be self-explaining.

Also create a repository; I will call it “testrepo” in this tutorial.

We will use a Ubuntu VM as local machine in this case.

Prepare local directory

I suppose you already have a local project directory which contains all the files you want to upload.

If you use any personal user credentials in your project, please transfer the data to a separate file.

E.g. if you have a file like data.inc.php, also create a neutral file data.inc.php.sample.

Then create a file .gitignore with the contents you do not want to be uploaded:

.htaccess
data.inc.php

Upload local files

First preparation:

apt-get install git
cd [yourlocalpath]/testrepo
git init
git remote add testrepo https://github.com/[yourUsername]/testrepo

Add and upload all files:

git pull testrepo master
git add .
#or git add -A
git commit
#add a comment and close the editor
git push testrepo

Modifying a file is quite similar:

#modify a file
git add -A
git commit
git push testrepo

 [:]

Because the integrated smileys and icons seem a bit outdated, I created an IconSet generator which uses the much more beautiful emoticons from EmojiOne.

Project is also available on Github.

[iframe src=”https://www.dxsdata.com/other/EmojiOne2Spark” width=”100%” height=”950″]

 [:]

According to various forum threads, the cause is that sorting has changed with PHP7.

Workaround

Download this module, it provides a fix for this issue.

Extract it to the root folder of your Magento installation, e.g. /var/www/html.

You might have to delete cache files, afterwards everything should work again.

Reference[:]

Abhilfe schafft diese Extension (alternativ direkt vom Hersteller).

Installation

• Download des .gz-File
• Über den Magentoconnect Manager (Downloader) hochladen (“Direct package file upload”)
  • Bei Fehler “downloader – CONNECT ERROR: Unknown resource type”: GZ-File lokal entpacken und neu komprimieren, z.B. mit 7-Zip als Tar-File, dann erneut hochladen.
• Alternativ das Archiv in den Root-Ordner von Magento entpacken.
• Extension aktivieren: Admin -> System -> Konfiguration -> Product Attachment -> ja
• (optional) Übersetzungsdatei anpassen
  • app/design/frontend/default/default/locale/de_DE/translate.csv

UPDATE 2017-04:

In einigen Fällen scheint nach der Modul-Installation die Produktbeschreibung (Description) nicht mehr auf.

Workaround:

//Bugfix: Missing description; insert this code at line 20 (between $version php-echo)
?>
<h2><?php echo $this->__('Description') ?></h2>
<?php echo $_description;
//End Bugfix: Missing description

Bedienung im Magento-Adminbereich

Der einfachste Weg ist zuerst das Attachment anzulegen und es dann einem bestehenden Produkt zuzuordnen – siehe Screenshots.

Neues Attachment anlegen:

Resultat:

 [:]

Using a KNX server like eibd with PHP in combination, you might come to a point where you want to convert the DPT/EIS encoded telegram values to decimal format.

For some data types, it works by simply using PHP hexbin(), but it does not for 2-byte floating point values.

In many forum threads the following sample is used:

 $first_byte = decbin(hexdec(substr($value, 0, 2)));
 $second_byte = decbin(hexdec(substr($value, 2, 2)));

 while (strlen($first_byte) != 8) {
   $first_byte= "0".$first_byte;
 }

 while (strlen($second_byte) != 8) {
   $second_byte= "0".$second_byte;
 }

 $tmpdata = $first_byte.$second_byte;
 $eib_base_value=bindec(substr($tmpdata,5,15));
 $eib_exponent=bindec(substr($tmpdata,1,4));
 return (0.01*$eib_base_value)*pow(2,$eib_exponent);

 
BUT it converts negative values wrong! This can lead to e.g. wrong temperature values which might affect the heating control.

Use this snippet instead:

$intValue = hexdec($value);
$floatValue = ($intValue & 0x07ff);

if (($intValue & 0x08000) != 0)
{
  $floatValue = $floatValue | 0xfffffffffffff800;
  $floatValue = $floatValue *-1;
}

$floatValue = $floatValue << (($intValue & 0x07800) >> 11);
            
if (($intValue & 0x08000) != 0)
{
  $floatValue = $floatValue * -1;
}

return $floatValue / 100;

Reference[:]

So this is my approach:

Secure /downloader

Add to downloader/.htaccess:

Order deny,allow
Deny from all
Allow from 77.12.34.56
Allow from 10.1.0.0/16
Allow from 192.168.0.0/24
Allow from 91.12.34.56
#adjust to your needs

Secure /admin via .htaccess

Because the admin URL does not point to a real directory called “admin” (but points to /index.php), this is a bit more complicated.

Add to your Magento root .htaccess:

#Some IP Blacklisting (fake orderers etc.)
Deny from 91.123.45.
Deny from 80.12.34.56

# Restrict admin access
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC]
RewriteCond expr "! -R '10.1.0.0/16'"
RewriteCond expr "! -R '192.168.1.0/24'"
RewriteCond %{REMOTE_ADDR} !^77.12.34.56
RewriteCond %{REMOTE_ADDR} !^91.12.34.56
#add more if needed
RewriteRule ^(.*)$ / [F,L]

Note the different syntax (expr) when using wildcards/subnet ranges instead of full IPs.

Secure /admin via index.php

The code above works for many cases, but under some circumstances it might happen that the user can access the login form anyway. For me, it worked e.g. with example.com/index.php/admin/admin…, but not for example.com/admin (so an attacker would be able to test passwords).

So I recommend to use the following PHP script in addition.

<?php

//ds, 11.2016
//Addition to .htaccess to restrict /admin access.   
                  
function isAllowedAsAdmin()
{
    $whitelist = array(
        '10.1.*',
        '192.168.1.*',
        '77.12.34.56',
        '91.12.34.566'
    );
    
    if(in_array($_SERVER['REMOTE_ADDR'], $whitelist))
        return true;
    else{
        foreach($whitelist as $i){
            $wildcardPos = strpos($i, "*");

            if($wildcardPos !== false && substr($_SERVER['REMOTE_ADDR'], 0, $wildcardPos) . "*" == $i)
                return true;
        }
    }

    return false;
}

if (strpos($_SERVER['REQUEST_URI'], "/admin") !== false)
{
    if (!isAllowedAsAdmin())
    {
        echo $_SERVER['REMOTE_ADDR'] . " not allowed.";
        exit;
    }
}

                
?>

Save it as /ipcheck.inc.php, then edit index.php and add this line at the beginning:

<?php
include('ipcheck.inc.php');
?>

 [:]

Unfortunately, at the moment there is no way to get direct API access to the gateway, so the commands have to be sent out of your LAN, and the gateway forwards the Gardena server command to the mower, etc.

In addition, there is no official web interface yet, but thanks to this post, there are commands you can use to integrate it into your existing home automation system.

For convenience, I created a PHP class for it.

First register a Gardena account, e.g. via Gardena smart system mobile app, and add your gateway and your mower.

Afterwards, you can use the class:

[github-contents username=”DXSdata” repository=”Gardena” filepath=”gardena.class.inc.php” language=”php” ]

Example usage:

[github-contents username=”DXSdata” repository=”Gardena” filepath=”index.php” language=”php” ]

Update 2017-04-17

I updated the class with Gardena Smart Sensor support. The hardware is not cheap but reliable as I can say so far. If you have e.g. a Gardena Smart Sileno mower and a Smart Sensor, you can use this class to park the mower in its charging station as long as the ground is moist.

Update 2017-04-21

Moved project files to Github.

Now also includes Watering Control.

Latest commits:

[github-commits username=”DXSdata” repository=”” limit=”3″][:]