Work continues on the rain garden–a project whose purpose is ever-more apparent with the recent downpour. With the ugly gravel pit juxtaposed to the greening lawn, and the last frost date looming, I completed some preliminary additions.
I’m assuming that the garden’s flood/drought cycle will make it perfect for succulents, and as they were already bursting at the seams of their peat pots, I indulged their eagerness and buried the pots in the stone. Also, I relocated some volunteer tiger lilies, which were wedged against the house’s foundation, predicting that they were hardy candidates for repeated flood cycles. Now, again I wait.
Last week we visited St. Augustine. From the perspective of humanity, Florida really sucks. I hate the people. I hate the culture.
However, focusing on the the biome itself (which is my preference), I did find it interesting. The warmer climate reminded me of my own childhood, and also served as a respite from the lingering Ohio winter. So, phone in hand, I cataloged points of interest:
When we moved out of the rental and bought a house, I compiled a list. In anticipation of the chores to come, I knew I’d need a reminder as to why we left (and gave up free maintenance). One of the entries on this list pertained to the garden. A garden is a very personal project–it betrays much about its creator, being infinitely customizable. And it is because of this customization that no two people can agree on a garden’s layout.
But it’s a comparatively minor issue to have marital bickering over a layout. When the property is a rental, however, the owner, and by extension the management, gets final say. And often, they exercise this executive power by giving a hired landscaping company carte blanche, without ever consulting the tenants. My first experience with this involved the empty pot of dirt by the front door. Our unit shared the walkway to the model (the unit that’s way nicer than anything they rent out), so it was maintained better than the collapsing structures which comprised the rest of the compound. But for whatever reason, this pot sat unused. I let it remain this way for the entire first year.
On year two, however, it was impossible to overlook the eyesore, and I invoked eminent domain. Its location was on the south side of the building, upon concrete and brick–it was a hot and dry pot of dirt. I concluded that this would make an excellent herb garden. When early spring came the following year, I started seed in anticipation. After last frost, I topped the pot off with a good potting soil (the pot’s contents had long since compacted to a crusty and barren dust), and planted my seedlings.
The landscapers promptly came through, ripped out my herbs, and planted petunias. Enraged, I grabbed a bucket and retrieved from the pot the potting soil I had purchased, and re-used it in the back garden. The petunias, not only uprooted but now exposed to the unrelenting sun, and going without water because apparently management didn’t assign garden watering duties to anyone, withered and died, leaving a fallow vessel of dirt once again for the remainder of the year.
A couple years later, I had a similar non-verbal disagreement with the landscapers when I planted morning glories along the back fence. I constructed a zigzag trellis of fishing line so that the plants could make a pretty cover as they grew up the invisible wire. Then, as the plants were nearing the top, the landscapers reached over the fence and ripped out the plants, along with the fishing line. I stewed over this transgression for a long time thereafter.
For years I grew morning glories in a pot in the center of the patio–far away from the murderous hands of hired thugs. Then one year, I noticed that I started getting volunteers. I let them grow, and they turned out to be far more invasive than store-purchased seed. Ultimately I concluded that they had cross-pollinated with bindweed, as they bore similar characteristics. I dubbed these “Evil Morning Glories”, as their voracity rivaled kudzu.
Bitterly remembering the cruelty of prior years, when this batch of morning glories went to seed, I saved some. But this would turn out to be unnecessary, as once upon the earth, these plants would prove to be ruthless. The following year, they exploded upon the fence with unholy fervor. And despite their physical removal and chemical applications (once again at the hands of the landscapers), they could not be eradicated. This is my gift to the apartment complex–the ultimate landscaping nemesis, a reminder for all eternity!
But when you dance with the devil…okay that’s a little dramatic. I took seed with me, and against better judgement, planted it at the house. Come spring, the devil’s progeny will once again plague the land, yet evil always accompanies beauty.
In my prior job, I was a web developer for the company’s internal website. Specifically, this website’s purpose was to consolidate process and procedural information for the agents on the phone, presumably so that they could quickly research what to do for any given scenario, because remember: time is of the essence!
Now I’ve noticed something about big companies. An individual job will gradually acquire additional responsibilities until it reaches critical mass. Then, like a plant’s bulb, the job splits, creating a separate position, related to the parent position. That’s when the transition is mild. Sometimes it’s like a star going critical, then exploding into a supernova.
Then something interesting happens, where the plant analogy breaks down: these satellite positions as I’ll call them, remain vaguely defined for a time. Work is dispersed among them, and they gradually form solidly defined purposes. But then, a management change occurs. The new manager, eager to stand out as the new vanguard to change, decides to promote efficiency. Efficiency is the oft correlate to cost reduction (though I find that debatable), and therefore the new manager combines positions and their duties, eliminating needless processes and jobs along the way. The remnants of the supernova, having floated in their nebulous form, gradually coalescing from gravity into new celestial bodies, now collapses back into a new star–a facsimile of the original.
This new star remains as such until it again reaches critical mass, but by then the manager who created it has benefited from the transition sufficiently as to receive promotion. The manager’s replacement sees this star and, eager to stand out as the new vanguard to change, breaks it up into satellite positions. Attentive readers might be having a “Wait a minute…” moment right now.
Yes, it’s cyclic. I’ve experienced having my job redefined so many times that I now expect it as an inevitability. As a result of this dynamic, my job only consisted of developing the Collections website. Operations and Fraud had their own team of developers. Whether or not this was more efficient is an argument left to history, and only a transitory state as defined by those in charge.
Yet, to me it seemed counter-intuitive to have no communication between the teams. After all, we were doing the same thing, and using the same software. It was only expected that each of us had differing levels of knowledge which, if combined, could benefit everyone, right? Not waiting for any management sign-off, as is my way, I initiated dialogs with the other team members. We began sharing knowledge, with limited success, but eventually my own manager saw the value and started some more formal cross-team discussions.
And all I was after was the sharing of knowledge and information, and to physically sit near each other. My request for a desk near the Operations team was immediately denied. Then, as the discussions began to involve higher levels of management, they died. Some of the changes were minor, like upgrading to HTML5, or implementing RSS update feeds. But ultimately, sensing stagnation and seeing opportunity elsewhere, I took a promotion and transferred to Marketing.
Two months later, one of the publishers from the Operations team ran into me as I was taking a walk outside. She confirmed that all movement on the collective ideas had been paused indefinitely, much to her dismay. Shortly thereafter, I received a group email from higher management confirming this.
Ultimately, I’m just as guilty, for I too benefited from this system. In the process of pushing for change, I gained the experience and notoriety needed to achieve promotion, leaving my work, and any hope of meaningful lasting change, to atrophy, thus becoming part of the eternal cycle of zero sum innovation.
We are products of our time. If the right conditions do not present themselves, any idea, good or bad, will fail to achieve fruition. So it was with this story, but while we may not have seen our ideas implemented, technology forces change, and some version of them ultimately will be. I’m curious how similar to our own goals they will turn out.
So, I run a web server. I do not pay for hosting. Maybe one day when I’m rich and famous I’ll have the need to offload my computing and security needs to a third party, but for now it’s the joy of having full control over the hardware that both feeds and permits my curiosity of technology. Hey, the title of this post was not misleading. If you’re actually reading this, then you must share some of these interests.
With all web-accessible content comes the need for access control. Normally I handle this through the operating system’s administration panel, but a need arose in which this wasn’t as practical as I had hoped. Here’s why:
No one can ever remember their login credentials
The web GUI is processor-intensive, and therefore slow (especially on mobile devices), leading to user impatience
the web GUI doesn’t play nice with mobile OSes in general
Mounting network shares is a lot of trouble for a single file (also: see the first bullet)
Access control management is a pain, especially when it’s a new user who doesn’t necessarily need access to the server for anything else
The files were meant to be shared with anyone on the LAN, who presumably would already have been authenticated by me or else they wouldn’t be on my LAN in the first place
When a file needs to be downloaded, and the client doesn’t need to upload anything, few methods are easier and more universal than good ol’ HTTP
Based on these limitations and my needs, I determined the best solution was to create a file repository that was devoid of separate access control, restricted to the local LAN. Only people on my LAN could access the files, and any people on my LAN by default would have de facto permission to access them (and not those on the guest subnet).
Fortunately from experience, once I identified these needs, I knew of the solution, though it did take a little research. Any web server has individual configuration files which can be applied at the directory level:
IIS has “web.config”
NGINX has “nginx.conf”
Apache has “.htaccess”
Natrually I would never be caught dead using IIS, although I was forced to use it for a prior job. But my server, Linux-based of course, leverages NGINX with an Apache backend. I had a working familiarity of Apache, and I had already dabbled with .htaccess and .htpasswd files before, as well as modifying the Apache config files to allow their overrides, so this seemed like the best option.
Still with me? Okay good. I created a new directory “/public_LAN/” and with the server’s own text editor, created the directory’s own .htaccess file. And my god why do OSes have to be so difficult with non-standard file extensions? I know why: some idiot will mess with a critical config file or open malware, but why can’t I turn it off? I used to be able to edit any file type I wanted with older Apple OSes, but it seems that now it’s forbidden completely. So no, I couldn’t just open my HTML editor and save a text file as .htaccess because that’s an usupported extension. Whatever.
Into this file I placed:
Options +Indexes
ErrorDocument 403 “<h1>403 Forbidden</h1><p>This page is restricted to internal LAN access only:<br><a href=’http://192.168.0.106/public_LAN/’>192.168.0.106/public_LAN/</a></p>”
order deny,allow
allow from 192.168.0.
allow from 10.8.0.
deny from all
BAM! Okay, triumphant interjection aside, what does this mean? I will explain, else I risk bastardizing the value of this post:
Options+Indexes : This command enables directory browsing. Web servers always have this off by default for security reasons, but since I was going to use the directory for the very purpose of browsing files within, I needed to turn it on. This is how you do it.
ErrorDocument 403 “<h1>403 Forbidden</h1><p>This page is restricted to internal LAN access only:<br><a href=’http://192.168.0.106/public_LAN/’>192.168.0.106/public_LAN/</a></p>” : This is optional, but it adds a custom 403 error page (for this directory only). In short, mine says that if it’s triggered, the user isn’t inside the LAN and therefore can’t go there. Attentive readers will notice that I neither link to a TLS connection, nor use the domain name. More on this later.
order deny,allow : This sets the precedent that all access will be denied by default first, then checked for conditions under which access is allowed.
allow from 192.168.0. : This line is the condition under which access will be granted. It is the first 3 blocks of the main LAN IP address. This includes any client IP address that begins with these 3 blocks–which will be anything on my LAN (excluding the guest network).
allow from 10.8.0. : This is the second set of LAN IP addresses to allow. In my case, this is the subnet for anything connected to the LAN via VPN. I wanted this available to VPN clients too as the VPN is handling the authentication and encryption parts already for any remote access.
deny from all : Finally, any client that doesn’t meet the above conditions will be denied access.
Okay, now the two elephants in the room, and all the technical babble. First is the lack of encryption. Ultimately I determined that this wasn’t necessary, as any file access would be strictly over the LAN. If there are untrusted devices on my primary network, then I have bigger problems to deal with. Also, I can’t service HTTPS without a domain name being used for the connection, since no Certificate Authority will issue a valid TLS certificate to a private IP address, so I’d have to use a certificate that won’t pass a browser’s domain name validation–in itself not a problem, but then it warns the client of a potential security risk, which the client may not understand, thus inciting panic and undermining the entire point of this project–seamless ease of use. Also, as mentioned before, any remote access will be tunneled through a VPN, so any data that makes it to the outside web will be encrypted anyway. Second, domain name validation isn’t possible for the above reason, but also because I can’t access this directory via the domain name anyway (okay, I can, but only by local IP–VPN clients still perform a DNS lookup for the host IP, making the client appear to the server that it’s outside the LAN), or the server will see the request coming from the WAN IP, and not the LAN IP. Therefore, it will block the request. I could add the WAN IP to the whitelist, but it’s not static and if it ever changes I’ll have to update the .htaccess file again. Also the authentication side of domain name validation is moot while accessing via LAN IP, as it won’t be feasibly faked unless some rogue device is attempting ARP spoofing–again something which, if happening, means I have bigger problems to deal with. Whew, done.
Obviously this isn’t high-end security, but it’s reasonably effective. I wouldn’t use this method to conduct crime, but if I need to say, give a somewhat sensitive file to a guest and it’s too big to email, and I don’t want that file publicly accessible, then this is a pretty good solution. Keep your data safe!