
squidguard logging with pfSense running https

Posted on : 08-13-2014 | By : Andy | In : uncategorized


Took me way too long to figure this one out, so once again I’m posting it to save countless masses the trouble.

pfSense is beautiful, Squid is awesome, and SquidGuard is lightweight and easy to use. There’s even a recommended way of getting Squid to log the pages that SquidGuard blocks. Unfortunately, if you run your webConfigurator in HTTPS mode (SSL), it doesn’t work by default. Until now!

Here’s how it’s supposed to work:

From the Squid configuration

  1. There’s a nice option in your Squid config page to enable logging of squidguard blocked pages. Check the box. However, it tells you to edit sgerror.php and add the following code:
    $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");
    $str[] = '< iframe > src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

    Unfortunately, there’s a typo there. It should be:
    $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");
    $str[] = '<iframe src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1"></iframe>';
  2. You figured that out though, since you’re smart. In pfSense, go to “Diagnostics > Edit File” to load sgerror.php, found in /usr/local/www/sgerror.php
  3. Paste the ‘right’ code in the function for get_error_page(), right before the line that says: $str[] = ""; and then save it.
  4. Back in the Squid config, under ACLs, add “sgr=ACCESSDENIED” to the Blacklist box and save. (Don’t paste the quotes)
  5. Restart Squid

At this point, it’s working, as long as you’re not using SSL for your webConfigurator. The way it works is that when SquidGuard blocks a page, the error page makes your browser request the same URL a second time with an extra query parameter tacked on at the end, “sgr=ACCESSDENIED”. Since you’ve blacklisted URLs that include that text, Squid also blocks that second request, and that is the entry that gets recorded in Squid’s access log.
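The mechanism above leaves the evidence in Squid’s access.log as a TCP_DENIED line whose URL carries the marker, so the original blocked URL has to be recovered by stripping it back off. Here is an added example (not code from the post, pfSense or Squid) that does exactly that over a few constructed log lines in Squid’s native access.log layout; it skips requests that were denied for other reasons, such as a CONNECT the blacklist caught without the marker. One check worth doing while you’re in sgerror.php: the snippet writes `$cl['u']` straight into the iframe `src`, so if your copy of the file doesn’t already sanitise that value, pass it through htmlspecialchars() first.

```python
"""
Pull the SquidGuard-block records out of a Squid access.log.

Added example, not from the post or from pfSense/Squid. It assumes the
native Squid access.log layout (timestamp, elapsed, client, action/code,
size, method, URL, ...). The log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The marker that the Squid ACL blacklist matches on.
MARKER = ("sgr", "ACCESSDENIED")

# Constructed sample lines in Squid's native format (not real traffic).
SAMPLE_LOG = """\
1407945600.101     12 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/news - HIER_DIRECT/93.184.216.34 text/html
1407945601.205      0 192.168.1.50 TCP_DENIED/403 3690 GET http://example.com/games/?sgr=ACCESSDENIED - HIER_NONE/- text/html
1407945602.310      0 192.168.1.77 TCP_DENIED/403 3690 GET http://example.net/video?id=42&sgr=ACCESSDENIED - HIER_NONE/- text/html
1407945603.415      0 192.168.1.50 TCP_DENIED/403 3690 CONNECT example.org:443 - HIER_NONE/- -
"""

# Fields of the native format that we need; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def strip_marker(url):
    """Remove the sgr=ACCESSDENIED parameter, giving back the URL the user asked for."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if (k, v) != MARKER]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def squidguard_blocks(log_text):
    """Return (client, original_url) for every request SquidGuard's marker flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "TCP_DENIED":
            continue
        query = urlsplit(m["url"]).query
        if MARKER not in parse_qsl(query, keep_blank_values=True):
            continue  # denied for some other reason (e.g. the CONNECT line)
        hits.append((m["client"], strip_marker(m["url"])))
    return hits


if __name__ == "__main__":
    for client, url in squidguard_blocks(SAMPLE_LOG):
        print(client, "was blocked from", url)
```

Run it against your real log with `squidguard_blocks(open("/var/squid/logs/access.log").read())` (path assumed; use whatever your Squid package writes to). The CONNECT line is deliberately included: https requests never carry the marker, which is the same limitation the post discusses at the end.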

The problem

If you’re using SSL to secure your webConfigurator, pfSense sends the block page (sgerror.php) over an https connection. By default, any good browser will NOT load an http URL inside an iframe on an https page (mixed content is blocked for security reasons). Translation: the second request never actually gets made, so Squid doesn’t get a chance to block it, and it’s not logged.

The solution

You could disable SSL, but that’s dumb. Instead, you can make lighttpd skip sgerror.php when it redirects http requests to https, so only that one page is served over plain http.

  1. Go to “Diagnostics > Edit File” and load /etc/inc/system.inc
  2. Find the lines that modify your lighttpd config to redirect http to https, which should say:
    \$SERVER["socket"] == ":80" {
    \$HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
    }
    }
  3. Update them to NOT redirect paths beginning with sgerror.php. The pattern needs a negative lookahead (`(?!sgerror\.php)`) to do that; a pattern like `^/^(sgerror)(.*)` contains a second `^` that can never match after the `/`, so it would silently stop the http-to-https redirect for every page, including the webConfigurator login:
    \$SERVER["socket"] == ":80" {
    \$HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(?!sgerror\.php)(.*)" => "https://%1{$redirectport}/$1" )
    }
    }
  4. Save. Restart your webConfigurator (shell option 11).
  5. Finally, set your Squidguard error page to point at http, not https by using an “external” error page.
    • Under your ACL in squidguard, choose Redirect mode of “ext error page (enter url)”
    • For redirect info, enter the path to your pfSense error page, with http instead of https: http://192.168.1.1/sgerror.php?url=403%20Page%20Denied&a=%a&t=%t&u=%u (replace 192.168.1.1 with the internal IP of your pfSense machine)
  6. Save your settings, apply them (page 1 of Squidguard config), and then go back and save your Squid settings one more time for good measure.
  7. Profit!
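Before restarting the webConfigurator it is worth checking what the edited redirect rule actually does, because a pattern that matches nothing looks like success (sgerror.php loads over http) while quietly leaving every other page reachable over http too. The following is an added example, not code from the post or pfSense: it evaluates candidate patterns with Python’s `re` module, which agrees with lighttpd’s PCRE on the constructs involved (anchors, capture groups, negative lookahead), and reports which paths each pattern leaves on plain http. The host and port values are constructed stand-ins for lighttpd’s `%1` and `{$redirectport}`.

```python
"""
Audit lighttpd url.redirect patterns for the http -> https rule.

Added example, not from the post or from pfSense. Python's re module is
used as a stand-in for lighttpd's PCRE; for the constructs below the two
behave the same. Host/port values are constructed.
"""
import re

# Stock pfSense rule from system.inc: redirect every http path.
STOCK = r"^/(.*)"
# A tempting but broken variant: the second '^' can never match after '/'.
BROKEN = r"^/^(sgerror)(.*)"
# Negative lookahead: redirect everything except paths starting sgerror.php.
FIXED = r"^/(?!sgerror\.php)(.*)"

PATTERNS = {"stock": STOCK, "broken": BROKEN, "fixed": FIXED}


def redirect_target(pattern, path, host="192.168.1.1", port=""):
    """Emulate lighttpd's url.redirect for one request.

    Returns the https URL the client would be sent to, or None when the
    pattern does not match and the request is served over plain http.
    `host` stands in for %1 (the $HTTP["host"] capture) and the first
    capture of `pattern` stands in for $1, as in the system.inc rule.
    """
    m = re.match(pattern, path)
    if m is None:
        return None
    return "https://%s%s/%s" % (host, port, m.group(1))


def plain_http_paths(pattern, paths):
    """Paths that `pattern` leaves reachable over http (i.e. not redirected)."""
    return [p for p in paths if redirect_target(pattern, p) is None]


def audit(paths):
    """Map each pattern name to the paths it fails to redirect."""
    return {name: plain_http_paths(pat, paths) for name, pat in PATTERNS.items()}


# Constructed request paths: the login page, the error page and a look-alike.
PATHS = [
    "/",
    "/index.php",
    "/sgerror.php?url=403%20Page%20Denied",
    "/sgerror_lookalike.php",
]

if __name__ == "__main__":
    for name, left_on_http in audit(PATHS).items():
        print("%-7s leaves on http: %s" % (name, left_on_http or "nothing"))
```

The expected picture is that `stock` leaves nothing on http, `fixed` leaves only the sgerror.php request, and `broken` leaves everything, which is the case to watch for.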

One last note:

If you’re trying to get blocked https pages to show up in your Squid logs, you might as well stop. The proxy can’t inject a redirect into an https connection the way we’re doing for http, so you can’t actually show an error page without doing an MITM attack on SSL connections, which is an incredibly large security risk for all your local users. You can block https sites without decrypting them if you set pfSense up as an explicit proxy, but when they’re blocked it will just look to the user like the server is down, with no message about the page being blocked.

If I’m wrong about that, please correct me, since I would love to serve error pages for my blocked https sites, but don’t want to touch MITM. From everything I’ve seen, it’s impossible to do so.

Best of luck! If you want to say thanks, you could “buy me a beer,” but it’s much more likely I’d spend it at Starbucks, so…buy me some Chai!


iMag on a budget – Final Recommendations

Posted on : 03-24-2014 | By : Andy | In : uncategorized


(Note: this is the final post of a series on how to do iMag without a megachurch budget.)

We’ve been through a lot here, and while this particular setup fit our church, your needs will probably be different. Adjust as necessary!

Barebones:
If you had no cameras or equipment, a great start would be the ATEM Television Studio, a used Sony FX7 (does 1080i), and a PC with HDMI out running PowerPoint (using a chroma key for lower thirds). If your camera was within 12′ of your TVS device, an HDMI cable would suffice to connect it; otherwise a BMD Mini Converter will run your signal great over SDI. Total outlay? Maybe $2,000 – $2,500, and you’d have a really nice-looking sermon recording.

From there:
Cameras that support SDI natively are a good bet, and the HPX250s we went with are a steal. Redundancy of systems is nice with a really mission-critical application, but frankly in 5 months of usage, our Television Studio only crapped out on us once, and that was related to someone messing with the Android control app. I wouldn’t go redundant if our sermon recordings weren’t being shipped to other churches every week.

Live Streaming:
With MXLight, you can do a direct pass-through of the H.264 stream from your TVS, which takes very little PC resources. If you have an old PC lying around, you might be able to repurpose it for such a use at little to no cost.

Pretty keying:
A Mac with ProPresenter running the Alpha Keyer is really beautiful, but hardly necessary. You can do great things without that expense if you’re a little creative with Keynote or PowerPoint.

Screens:
If you have ambient light issues with your projection screens, check out Screen Innovations. Really.

Spend your dollars where it counts:
Let’s face it, we’re in the business of inviting people into eternal relationships with an infinite God. If you can get the job done well enough, and at the same time save some money on technology that could be better used in reaching the lost, why wouldn’t you do that?

God bless, and good luck. Questions left in the comments may or may not be answered with any sort of expediency, but it couldn’t hurt to try, right?

iMag on a budget – Redundancy

Posted on : 03-24-2014 | By : Andy | In : tech


(Note: this is the eighth post of a series on how to do iMag without a megachurch budget.)

The good news is that BMD devices are cheap. The bad news is…I’m still looking for the bad news, but I had a friend from another church tell me they refused to use them because of reliability issues. We haven’t experienced this (I thought we had a broken SDI jack once, but it turned out to be the cable).

However, because these BMD devices are so incredibly cheap, we can afford a failover system. If a “better” switcher is $5,000 and a BMD ATEM TVS is $1,000, I figure you just buy two of them, right? You’re still saving $3,000, and you have dual switchers to boot! (And, of course, even that “better” expensive hardware can fail.)

Well, not so fast I guess. If you want a live failover system, you need your cameras and your graphics feed to go into BOTH switchers, and you need BOTH switchers to feed into your projectors.

So I wired up Frankenstein. You can get Monoprice 3G SDI splitters for cheap, so I bought a bunch. Now, each source goes into a 1×2 splitter and gets routed into both of the ATEM devices.

Both of the ATEM outputs run into the A/B Switch, which controls which device is being sent to our projectors. If our main goes down, we hit the A/B switch and poof! We’re routing through the backup. Total cost: somewhere around $300 all said. That does mean a LOT of power and SDI cables floating around, so there’s that. If you want the ‘better’ way, it’s not as cheap.

$1,500 buys you a BMD Micro VideoHub. It’s a 16-in, 16-out SDI matrix, again for a fraction of the price of the competitors. It will do all the routing and switching you need in one rack-mountable unit. Add $500 for their physical controller for this router.

If you’re good at math, you’ll notice that the cost of cleanliness and convenience is about $1,700, which on our budget was just a little too much. Of course, if you could find a gently used VideoHub on eBay…you might close that gap a little bit. Your choice!

Either way, you’d still come out cheaper than a single, more expensive switcher. I dare my Television Studio to fail…we’re perfectly poised for failover!

NOTE: Aside from redundancy, there are other benefits to having two ATEM Television Studio devices. Given that both devices have access to all the same video sources, we can show one live feed/mix to our in-house audience while simultaneously producing a second, different feed to our live internet stream through the second unit. For example, a wide-angle staging shot is helpful for a remote audience, but distracting for our live audience. This also can help keep your video operators from getting bored.

NOTE: The two BMD Video Matrix items I mentioned can also be purchased integrated into one unit.

Next up: final recommendations

iMag on a budget – Projection

Posted on : 03-24-2014 | By : Andy | In : tech


Projectors are a project in and of themselves, and can easily cost you $10k-$100k or more depending on your needs. We already had OK projectors, but we made some updates to make them more, well, awesome.

Problem: ambient lighting. We have 5000 lumen projectors that are bright enough for our room, except for the awful amount of ambient light hitting our screens. It’s really bad, but we can’t turn down the lights because we preach from the Bible and we want people to actually bring theirs and read them with us. The net effect is washed-out video that looks like a cheap-o LCD from the early days. Ick.

Solution: Screen Innovations Slate screens. New to SI in 2014, you have to see them to believe them. The real solution is their Black Diamond line, but they’re so incredibly expensive that it will make your head spin. The Slate line is almost as good, but at a palatable price. We were able to get replacement screens for our setup for under $6,000, which is far short of the $10k+ per projector that we’d need to spend in order to get a similar performance boost out of projectors. It’s still a lot of money, but all it took was for me to get them to send me a sample. I taped it to our current screen, turned on our lights, played back a video through our projectors, and had our finance guy and our senior pastor look at the difference. Sold! We also found some new 1080p widescreen projectors to replace our old 4:3 ones that so far have been absolutely stellar: 5000 lumens for less than $2000 each. (I think we found a dealer to get them for us at $1500 apiece, or you can get them direct from Amazon here: Optoma EH-501)

Problem: getting video to our projectors. Our current solution involved a VGA over Cat5 video sender, which was dodgy at best. Trying to maintain the right EQ and Gain balance for the signal was hard enough, but the scaler that downsized our video to fit on our 1024×768 projectors also messed with our signal. Our projectors could accept a 1080i or 720p signal, but getting that signal to the projectors untarnished just wasn’t happening.

Solution: HD-SDI can reach about 300′. Our ATEM Television Studio has 2 SDI outputs, so we just strung the output over RG-59 cable up to our projectors. The projectors can’t handle SDI in, so we used an HDMI-to-DVI cable to plug our projectors into the HDMI out of a ghetto-cheap SDI-to-HDMI converter. Getting our signal to multiple projectors involved using Monoprice 3G SDI splitters, which I highly recommend. Monoprice makes a 1×4 SDI splitter as well, and a 1×8 SDI splitter.

Next up: redundancy.

iMag on a budget – Live Streaming

Posted on : 03-24-2014 | By : Andy | In : tech


(Note: this is the seventh post of a series on how to do iMag without a megachurch budget.)

Note: while we have done this in the past, we’re not currently doing this.

Note: we may never do this consistently.

Note: we will probably do this, at least on an occasional basis, so I did my homework.

Note: if you plan on doing this for your musical worship, make sure you update your CCLI license to cover that kind of usage.

As I mentioned earlier, the ATEM Television Studio supports a live H.264 feed over USB 2.0 to a connected Mac or PC. If you use Livestream’s service for live streaming, their producer software recognizes the TVS and makes it work like magic. You set the quality requirements to match your network’s upstream link speed, and it does the rest. We’ve streamed a few memorial services, and one children’s choir performance, using this method. I’ve also used it in-house for a quick-and-dirty overflow room, since you can just subscribe to your own Livestream event in another room with a computer connected to a TV or Projector and sound system! (It has about a 15-second delay round-trip).

If you want to use another streaming service, I’ve read a gazillion recommendations for MXLight (£55), which allows you to output a usable stream for just about any service out there. I’ve never tried it, but there are so many people out there recommending it on every corner of the globe that I’d be remiss not to mention it.

If you don’t like paying for your live streaming, you can use YouTube live for free, now that Google is opening live events to anyone with a verified account. (This is our planned course of action). I haven’t done much research into PC requirements for this however (Adobe FMLE or MXLight should do the trick), since our initial forays into this consumed massive CPU resources. (60% or more of an i7-960) I’d hate to think that a PC crash could take down our live stream, and frankly I’d rather have that PC free for other purposes such as running the control software and saving our backup recording.

The perfect solution is a Teradek VidiU ($699). It’s a little box that supports HDMI input and does hardware H.264 encoding that is perfectly compatible with YouTube live. Plug it in, set a few settings, and you’re up and running.

Next up: Projection

iMag on a budget – Graphics and Lower Thirds

Posted on : 03-24-2014 | By : Andy | In : tech


(Note: this is the sixth post of a series on how to do iMag without a megachurch budget.)

Video is nice and all, but adding on those ever-popular lower-thirds graphics adds a bit of panache that makes your video stand out as professional, and not home-hacked. It’s also incredibly helpful for visual learners, and for underlining important content that shouldn’t be missed. We use them for word definitions, key points, and the text of supplemental scripture passages.

Thankfully for us, the ATEM Television Studio includes support for 1 upstream and 2 downstream keys. Definition time: keying refers to taking a video feed and cutting out parts of it based on color, luminance (brightness), or a separate feed. An upstream key typically happens first (think the weather guy in front of a green screen), and a downstream key is added after all video compositing is finished (think lower-third or logo bug). They both work more or less the same.

We started with a chroma key, as it’s super simple. Using ProPresenter, we set the background of our presentation to a bright magenta. (We chose this over green simply because our content was more likely to contain greens rather than magentas). This output went directly into our TVS using one of the HDMI inputs.

When we activated the upstream key, we set the chroma key to cut out anything magenta, which let the video of our pastor show through. This was OK, mostly. However, because of some problems, we eventually shelled out the money to upgrade to the “proper” solution outlined below. Those problems?

  1. The most ‘fool-proof’ method of using this key was to leave the key turned on during the whole service. Unfortunately, that meant that if we played back any video or other graphics through our system that included colors close to that precise shade of magenta, those parts of our slides would become transparent and show our video through them. Not great.
  2. The alternative method was to only turn on the key during the preaching portion of the service. However, if the operator missed turning on that key, the moment we went to the slide intended to be keyed out, a bright-magenta screen would show up instead. Since we usually show a pre-sermon intro video, this window was rather small. We had some purple screens show up, and that wasn’t nice. Furthermore, for some reason I had a hard time training our volunteers to understand the key well enough to ensure they wouldn’t screw it up again in the future. *sigh*.
  3. ProPresenter fades all of their transitions, even the swipey ones. When a graphic faded out, the magenta behind it would essentially grow brighter and brighter as it disappeared. Unfortunately, a chroma key is only so effective, so there was always a brief flash of dark purple on our screen right before the magenta got bright enough to be recognized as the key color. Our best solution was to make the fades go really fast (or use cuts), but that was very jarring and not ideal.
  4. The solution to our purple flashes would be to use PowerPoint or Keynote to run your slides, which could animate a slide-in motion of your graphics without fading. But we like the features of ProPresenter, and we paid a lot of money for it, so we weren’t going back to the stone ages of PowerPoint.

THE UPGRADE:

So what did we end up doing? ProPresenter has an add-on product that costs more than the software itself. (Yes, it’s stupid. No, there’s nothing we could do about it but pony up the cash.) For $1,000 you can get an “Alpha Keyer Module” that allows you to set ProPresenter to create two simultaneous outputs: one “Fill” that contains the graphics you want to show, and one “Key” that tells the switcher what parts of the screen to show, and at what transparency level. What stinks is that it only works on a Mac. What stinks worse is that it also requires you to have an extra piece of BlackMagic hardware that retails for about $1,000. I found one used on eBay for $600.

The great news is that once it’s properly configured, ProPresenter does all the heavy lifting. You plug in your UltraStudio 3D or UltraStudio 4K with a thunderbolt cable, and connect the two outputs to two of your SDI ports on your TVS. We set one of our Downstream Keys to use those two feeds (Fill and Key), and we can leave it on all the time. No purple involved, no human switching involved. We can use nice long fades and it looks absolutely beautiful. Expensive, but super-worth it. (Note, however, that leaves us with only 2 SDI feeds for cameras. There are still 2 HDMI feeds you can use if you need them.)

Tip: For some reason, Renewed Vision recommends turning on Additive Blend in your settings for ProPresenter. Don’t do this. You can follow their instructions here, but leave the Additive Blend box unchecked. On your Downstream Key on your ATEM, make sure “Pre-multiplied Key” is checked.

Bonus tip: If you’re not using the Alpha Keyer, or if you’re having issues switching between HDMI sources, try a ConnectPRO HDMI EDID Ghost. When we were plugging our iMac directly into our switcher for graphics, there were some issues involved with the HDMI “handshake” that gets negotiated when you connect and disconnect displays, especially if we turned on the switcher after the Mac was already on. The EDID Ghost is a little box that accepts an HDMI in from your computer and sends HDMI out to your TVS. It copies the handshake of your TVS and fakes the computer into thinking it’s always connected. You can turn your TVS on or off, disconnect it, or even use an HDMI switch or splitter to send that signal to other devices as well, and your iMac will never know the difference.

Next up: Live Streaming