Time Nick Message
20:55 jcamins Heh.
20:54 cait heh
20:54 drojf return of the button replacer :)
19:34 * wajasu slow kohaclone for me
19:01 tweetbot` [off] twitter: @ranginui: "ever wanted to help out with #kohails ? nominations for roles for the 3.14 (pi) release are open http://t.co/3vKA6TBe"
16:23 Oak bgkriegel++
16:22 Oak he cait :)
15:55 cait :)
15:55 cait hi Oak
15:54 cait bgkriegel++
15:54 jcamins It's fun.
15:52 * jcamins learns how to mess with the web browser's history.
15:36 * Oak waves
13:07 bgkriegel ok
13:07 amb it's a problem only for staff right now...
13:07 bgkriegel or is a problem only for the staff?
13:06 bgkriegel if they access from teh same place
13:06 amb ?
13:05 bgkriegel you could face the same problems
13:05 amb bgkriegel: or rather, i don't know right now, but they probably will
13:05 amb bgkriegel: yes
13:04 jcamins Yes, that makes sense.
13:04 amb Apache continues to listen on 80 as usual for OPAC and also for staff site
13:03 amb Right, I just need to open up another random port like 8888 in my EC2 firewall for the problematic site... have nginx listen on 8888 and proxy_pass onto Apache
13:03 bgkriegel amb: do your patrons need to log-in in OPAC?
12:59 jcamins You could even have everyone except your problematic site access the staff client directly.
12:59 amb I think that would work.
12:58 amb Right! 2 IPs works great... Apache listening on OPAC on one IP and nginx as a reverse proxy for Staff Site on the other
12:57 jcamins Oh. Or if you had two IPs.
12:57 amb hmmm
12:56 jcamins Well... you could if you were running Koha under nginx.
12:56 jcamins drojf: I don't think so.
12:55 amb but i need to see how i could accomplish that configuration
12:54 amb drojf: exactly my point :)
12:54 amb And for the rest, well... how can I pass that on to Apache directly? I can't right?
12:54 drojf pardon my ignorance but can't you have the opac side connections done to apache directly and the staff client cia nginx reverse proxy for only your two ip addresses?
12:53 amb I guess it makes sense to have the nginx as a reverse proxy in front of the staff site... and white-list the 2/3 valid IP addresses
12:52 * amb nods
12:52 jcamins Yeah, that sounds like IT screwing something up. Load balancers generally have the option for "sticky" sessions.
12:51 amb And the fix should have been for the client to not toggle their public IP every alternate request... but I can't really influence their network setup that much :(
12:51 cait :)
12:51 amb *i now understand
12:50 amb i know understand why the "Error: IP address has changed." logout was introduced as a security measure in the first place :)
12:49 jcamins amb: right. With SSL you still have higher risk, but at least you don't make it easier for MITM.
12:48 drojf jcamins_away: i think i misunderstood your sentence then but we mean the same
12:48 amb oh crap, right... so one way could be to force everything over ssl... so hopefully less chance of MITM
12:48 jcamins_away Which would be good. :)
12:47 jcamins_away You may simply not care.
12:47 jcamins_away drojf: no, the IP will _not_ be user-specific.
12:47 jcamins_away And there is a much larger number of potential interceptors since the OPAC traffic could come from anywhere and be quite high.
12:46 jcamins_away amb: if a malicious user intercepts the HTTP cookie, it's very easy to impersonate someone elese.
12:45 wahanui i heard so was a long road.
12:45 amb so?
12:45 drojf jcamins_away: and by »not« you mean »now«?
12:45 jcamins_away Right.
12:45 amb yes, koha/apache only sees incoming requests from 'localhost' all the time now
12:45 amb i don't quite understand
12:44 jcamins_away amb: public users are not going to have their sessions localized to IP either.
12:42 amb what's the catch, jcamins_away?
12:42 cait bgkriegel++ too :)
12:42 amb jcamins, yes it is
12:41 bgkriegel :)
12:41 cait amb++ :)
12:41 jcamins_away amb: there is a gotcha here to keep in mind... is your OPAC publicly accessible?
12:41 amb thx, cait
12:41 drojf bgkriegel++
12:41 drojf bgkriegel is on a signoff spree
12:41 amb yeah, you guys rock :)
12:40 cait good job :)
12:40 amb but an excellent idea that i'm sure will solve my problem
12:40 drojf cool
12:40 amb btw, i've setup nginx in front of apache2, and it's working great... i have yet to confim that it works for the client
12:40 amb ok :)
12:40 drojf no, it is not of course
12:39 cait don' worry
12:39 cait don't think this is about you
12:39 amb ??
12:36 * cait waves
12:31 drojf [off] i think he was also told before he broke it not to do it
12:30 jcamins_away [off] Well, yeah, but if he'd just followed instructions he wouldn't have needed to look in the manual... it's not like he wasn't told *exactly* what the problem was.
12:29 drojf [off] or opening the manual page by himself. instead of asking for the manual section
12:28 jcamins_away [off] A shame his research hasn't involved following any instructions given by anyone.
11:21 cait huh?
11:21 drojf cait has to watch the channel so nobody steals anything :)
11:18 * amb goes off to setup nginx
11:18 * drojf goes to the books
11:18 cait night rangi
11:18 amb sleep well, rangi... thanks
11:17 drojf night rangi
11:17 * rangi goes to sleep
11:16 rangi if you switched debug on
11:16 amb to be more specific, where will: warn "Checking Auth"; appear?
11:13 amb they're all [error] right now
11:13 amb *logs
11:13 amb in the koha lohs
11:13 rangi you want more detail in the access log?
11:13 rangi just edit the apache config
11:12 amb uh, how can i change the loglevel for these logs?
11:11 amb ok
11:11 rangi s
11:11 rangi then ye
11:11 rangi if you called your instance library
11:10 amb are all the koha logs at /var/log/koha/library ?
11:08 rangi cool
11:04 amb i'll put an nginx in front of apache
11:04 amb rangi: excellent suggestion, thank you!
11:03 rangi and make that proxy only accept connections from the 2 ip numbers
11:03 rangi what i would do, is put a reverse proxy out in front of your koha, do that yourself, so that all connections appear to koha as from that ip
11:03 rangi its unlikely to be pushed upstream is what i was hinting
11:01 amb my current attempt at changing Auth.pm didn't seem to have the least effect
11:01 amb cool... i have to get a working fix first :)
11:00 rangi but you are welcome to submit a patch for whitelisting ips .. as long as it comes with a huge warning - potential security hole
10:59 rangi if its erratic enough that the person cant get anything done, its gonna be throwing packets all over the floor
10:58 rangi not just with koha
10:58 rangi well asynchronous routing is gonna cause a whole pile of problems
10:58 amb right now the client can't get any work done
10:58 rangi i still think a vpn would be better
10:57 amb in my case, i just need to white-list two IP addresses
10:57 amb so that the client never encounters a perplexing "Your IP address has changed." message on some unfortunate days when the load is erratic
10:57 drojf do they have reserved ip ranges at the two ISPs? if you have to list all addresses of two ISPs that seems not very practical
10:56 amb true, but i think there's still a good use-case for white-listing trusted IP addresses
10:56 rangi yep so theres the problem then
10:55 amb rangi, it's currently being a bit too erratic, it usually isn't... the public IP is usually much "stickier" to one ISP
10:55 rangi if it only switches occassionally, they just have to relogin occassionally
10:55 rangi if it switches continuosly there is something wrong
10:54 amb because i think the client's network setup is perfectly valid
10:54 amb rangi: true, but there should be a way to whitelist certain "good" or trusted IP addresses
10:53 drojf i still think you should look into the vpn option
10:53 rangi because there is no way to tell its the same person, or if someone has stolen their cookie
10:53 rangi no
10:53 amb so this is definitely a use-case that I (and perhaps Koha too) should support
10:52 wahanui i heard interesting was sometimes good and sometimes bad
10:52 drojf interesting
10:52 drojf ah!
10:52 amb they have two ISPs and the public IP can unpredictably change from one to the other depending upon load
10:52 drojf amb: have you done a whois on the ips? those are two different provider's address ranges. it seems unlikely that a bad connection would switch between ISPs?!
10:52 amb just spoke to the network admin... he says this is deliberate
10:47 amb its weird... my apache logs show connections over two ip addresses from her computer: http://mibpaste.com/KC7HI9
10:47 amb well, my changes to Auth.pm don't seem to have helped... the client is still having the same problem
10:46 amb i see
10:29 drojf what some people do to maintain local changes is create their own packages. if you have not worked with git before it will take some time to learn how to do that though
10:21 amb yes, from the ubuntu packages
10:18 drojf are you running koha froma package installation?
10:17 amb cool
10:14 drojf if you consider doing a patch it would probably be best in this case to ask about it on the developer mailing list first to see what people think about it
10:13 * amb nods
10:12 drojf not sure if that is applicable here if it opens a security problem. i'm not sure of the implications of disableing the ip check
10:11 amb since i made the unsupported change in the first place
10:11 drojf in the long run, the easiest way to maintain changes is to generalize your change so others might be able to use it, make it optional (with a syspref) and submit a patch to bugzilla
10:11 cait you got it :)
10:11 amb i understand... it may break on upgrade, and then it's basically my responsibility to fix it
10:09 drojf if you do local changes
10:09 drojf you will have trouble with upgrades
10:09 drojf the problem is
10:09 drojf :)
10:09 * amb breathes a sigh of relief
10:09 amb oh ok :)
10:08 drojf sure
10:08 amb btw, i'm new to open source and licensing and GPLv3 etc... so if I'm running a modified version of /usr/share/koha/lib/C4/lib/Auth.pm... is that permitted?
10:07 amb great
10:07 drojf it shouldn't, zebra is just for indexing the records
10:02 amb *daemon
10:02 amb okay... zebrasrv is running as a separate demon... that has nothing to do with my changes, right?
10:01 cait s
10:01 cait maybe need to clear your cache/cookie
10:01 cait you can't really restart koha
10:01 cait I think it should take effect immediately
10:01 amb I mean, I've changed /usr/share/koha/lib/C4/lib/Auth.pm... will restarting Apache2 bring these changes into effect?
10:00 amb sorry for the n00b question, but does restarting Apache2 also restart Koha?
10:00 drojf good luck :)
09:59 amb cool, I'll give that a shot
09:59 drojf i think you can do that in openvpn configuration, on a per client basis
09:57 amb If they go through a VPN, will that guarantee a fixed public IP address?
09:56 amb hmmm
09:55 drojf don't know if that would work, just a thought
09:55 drojf maybe you could make them go through a vpn and assign fixed ip addresses to them
09:54 amb I need to be able to support flaky or rapidly-changing DHCP addresses at koha-side
09:54 amb I don't think there' much I can do to change that
09:53 amb drojf: i agree, i wish i could solve the problem at the client side, but they are an NGO with poor Internet connectivity
09:53 drojf amb: i think i would rather look into the connection problem first and see if that can be fixed
09:50 amb i guess this is where i could change the behavior
09:49 amb there are a couple of lines with " # IP address changed"
09:49 cait hm yeah maybe in the code you can, but not sure how or where
09:49 amb i'm looking at /usr/share/koha/lib/C4/lib/Auth.pm
09:48 cait amb: sorry no, it's a security thing
09:47 francharb hi
09:40 amb but can i disable the ip address check somehow?
09:39 amb i guess it's because she is on a flaky network connection
09:37 amb one of the people accessing the staff site is experiencing this error: "IP address has changed, please log in again"
09:37 amb i've just setup koha, and am playing around with it
09:36 amb greetings
09:04 drojf [off] but i suppose it is the same there times 10
09:04 rangi [off] ahhh
09:03 drojf [off] ah sorry, no i mean the people in wildau where we do the workshop :D i don't even want to think about the others ;)
09:02 rangi [off] yep it feels like non of them talk to each other
09:02 drojf [off] yeah i think the IT there is pretty strict. i asked the koha tech person there why he wouldn't ask them for a debian machine and instead continues to use centos/rh and it sounded not like is a big fan of talking to them
08:59 rangi [off] ahh annoying i hate when IT depts in some misguided guise of security make people unable to do their work
08:58 drojf [off] but it would probably not work with the network there, i could not even get on irc last time
08:56 rangi [off] thats a good idea actually, i think the problem is someone is messing about with stuff they dont understand
08:56 drojf [off] i coul dinvite him to take part in our installation workshop via skype ;)
08:56 rangi and fix the marcxml and marc
08:56 rangi they'd have to write a script to run through every biblioitem row
08:55 rangi i cant see that happening
08:55 rangi hmm given how long it took to do the first one
08:55 drojf a bunch of stuff as in "set up a new instance"
08:54 rangi it sounds like a total mess
08:54 rangi if they dont haee bibnumbers in the marc, you cant just add the tags back and expect it to fix itself, they are gonna have to do a bunch of stuff
08:54 rangi [off] doesnt sound like they need one, they need someone who isnt gonna randomly delete fields from frameworks
08:53 drojf [off] but i'm not a librarian
08:50 cait [off] didn't you always wnat to travel the world? :)
08:49 drojf [off] oh, there is a job opportunity in iraq :)
08:24 huginn �04Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9226 minor, P5 - low, ---, fridolyn.somers, Pushed to Stable , Wrong branch filter after suggestion creation�
08:24 jenkins_koha Fridolyn SOMERS: Bug 9226: Wrong branch filter after suggestion creation
08:24 jenkins_koha Project Koha_3.8.x build #274: SUCCESS in 37 min: http://jenkins.koha-community.org/job/Koha_3.8.x/274/
08:23 drojf hi cait
08:23 cait hi rangi and drojf :)
08:23 drojf +1°C, birds are going crazy on my balcony :D
08:22 drojf hey rangi
08:22 rangi hi drojf
08:21 drojf good morning #koha
07:46 jenkins_koha Starting build #274 for job Koha_3.8.x (previous build: SUCCESS)
07:46 huginn �04Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9226 minor, P5 - low, ---, fridolyn.somers, Pushed to Stable , Wrong branch filter after suggestion creation�
07:46 jenkins_koha Fridolyn SOMERS: Bug 9226: Wrong branch filter after suggestion creation
07:46 jenkins_koha Project Koha_3.10.x build #66: SUCCESS in 40 min: http://jenkins.koha-community.org/job/Koha_3.10.x/66/
07:18 rangi or mtj set it up and i updated it then we both forgot :)
07:11 rangi lol i had registered koha with openhatch 2 years ago and forgot about it
07:06 jenkins_koha Starting build #66 for job Koha_3.10.x (previous build: SUCCESS)
06:31 huginn �04Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9592 minor, P3, ---, robin, Pushed to Master , Package dependency updates for master�
06:31 huginn �04Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7608 normal, P5 - low, ---, jcamins, Pushed to Stable , Manual history is always 'enabled'�
06:31 huginn �04Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9454 major, P5 - low, ---, colin.campbell, Pushed to Stable , NewBasket does not use placeholders in sql�
06:31 jenkins_koha * Robin Sheat: Bug 9592 - update dependencies, allow blacklisting
06:31 jenkins_koha * Jared Camins-Esakov: Bug 7608: Manual history should not always be enabled
06:31 jenkins_koha * Colin Campbell: Bug 9454: Use placeholders when adding basket
06:31 jenkins_koha Project Koha_3.10.x build #65: SUCCESS in 40 min: http://jenkins.koha-community.org/job/Koha_3.10.x/65/
06:07 mtj this is seriously funny!
06:06 mtj hey chrissa -> http://www.stuff.co.nz/entertainment/music/8265850/MC-Slaves-Winery-Tour-video-diary
05:51 jenkins_koha Starting build #65 for job Koha_3.10.x (previous build: SUCCESS)
05:37 rangi ok then
05:37 rangi what version of koha appu1984 ?
05:36 appu1984 message displayed when checkout 'Local Use Recorded'. cant check out . how to clear this, please
05:13 rangi evening