Saturday, November 30, 2019

linux - Reverse Proxy multiple internal FTP Servers

I have set up a reverse proxy for HTTP using Apache mod_proxy like this:

  • Client > http://abc.domain1.com > Reverse Proxy Server > 192.168.50.1 (Internal Server)

  • Client > http://def.domain2.com/ > Reverse Proxy Server > 192.168.50.2 (another internal Server)
Now I want to achieve the same for FTP:

  • Client > ftp://abc.domain1.com/ > Reverse Proxy Server > ftp://192.168.50.1 (internal FTP Server)

  • Client > ftp://def.domain2.com/ > Reverse Proxy Server > ftp://192.168.50.2 (another internal FTP Server)

Both internal FTP servers are running vsftpd. Please let me know the setup for Red Hat/CentOS.




Reason: I have only one public IP available.
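Two facts shape any answer to the question above. First, plain FTP has no widely supported equivalent of the HTTP Host header: the client opens the control connection, the server sends its 220 banner, the client sends USER, and the name the user typed never appears on the wire, so two names on one public IP can only be told apart by giving each backend its own port (or its own address). Second, Apache's mod_proxy_ftp is an HTTP-to-FTP gateway that serves ftp: URLs to HTTP clients; it is not an FTP reverse proxy. What an FTP reverse proxy has to do, beyond relaying the control connection, is rewrite the address the backend announces in its 227 (PASV) and 229 (EPSV) replies, because otherwise the client tries to open its data connection straight to 192.168.50.x. The rewrite is shown below as an added example written for this page, not code from the post or from any proxy product; the public address 203.0.113.10, the `allocate_port` callback and the sample reply lines are constructed.

```python
"""Passive-mode reply rewriting, the part of FTP an HTTP-style reverse proxy lacks.

Added example for this page, not code from the post or from any proxy project.
"""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"  -> port = p1*256 + p2
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"   -> only the port is carried
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not a well-formed PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(o) for o in fields[:4]), fields[4] * 256 + fields[5]


def format_pasv(ip, port):
    """Build a 227 reply announcing ip:port in FTP's comma-separated form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def rewrite_passive_reply(reply, backend_ip, public_ip, allocate_port):
    """Rewrite a backend's 227/229 reply so the client's data connection lands on the proxy.

    backend_ip   - the internal server this control connection is relayed to
    public_ip    - the proxy's single public address, to be advertised instead
    allocate_port(backend_ip, backend_port) -> proxy_port
                 - hypothetical callback: the proxy reserves a listening port and will
                   relay it to backend_ip:backend_port (this example does not do the relaying)
    Returns (reply_to_send, (backend_ip, backend_port) or None for non-passive replies).
    """
    m = EPSV_RE.match(reply.strip())
    if m:
        backend_port = int(m.group(1))
        if not 0 < backend_port < 65536:
            return reply, None
        # EPSV carries no address: the client connects to the control-connection peer,
        # which is already the proxy, so only the port has to be mapped.
        proxy_port = allocate_port(backend_ip, backend_port)
        return "229 Entering Extended Passive Mode (|||%d|)" % proxy_port, (backend_ip, backend_port)

    parsed = parse_pasv(reply)
    if parsed:
        # Trust the address in the reply: vsftpd may announce pasv_address rather than
        # the address the proxy connected to.
        pasv_ip, backend_port = parsed
        proxy_port = allocate_port(pasv_ip, backend_port)
        return format_pasv(public_ip, proxy_port), (pasv_ip, backend_port)

    return reply, None   # any other reply line passes through untouched


if __name__ == "__main__":
    ports = iter(range(40001, 40100))          # constructed pool of proxy data ports
    alloc = lambda ip, port: next(ports)
    for line in ("220 (vsFTPd 2.2.2)",                              # constructed banner
                 "227 Entering Passive Mode (192,168,50,1,195,80)",  # constructed vsftpd reply
                 "229 Entering Extended Passive Mode (|||50001|)"):  # constructed EPSV reply
        print(rewrite_passive_reply(line, "192.168.50.1", "203.0.113.10", alloc))
```

The allocated proxy port has to be opened to the client only for the lifetime of that one data connection and relayed to the backend address returned alongside the rewritten reply; a proxy that rewrites the reply but leaves a wide static port range open to everyone has merely moved the exposure.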

Friday, November 29, 2019

debian - After resizing an encrypted LVM device, the machine takes 4 hours to boot

I have a host running Debian Wheezy.

The virtualisation software is qemu/KVM, and it uses LVM volumes as disks for the guests.

The guests have all been installed with Debian Wheezy, full-disk encryption and LVM (/boot is outside the LUKS device; the LVM is divided into /, /home and swap).

Twice I had to resize a drive for a guest in order to grow the guest's /home volume.



What I did was:

  • Turn off the machine

  • From the host, grow the guest's LVM volume

  • Boot the guest from Debian CD 1 with rescue/enable=true as an extra boot parameter

  • From that live system, chroot into the guest system (passphrase needed)

  • From that chroot, cryptsetup resize

  • Still in the chroot, resize the filesystem

  • update-initramfs

Then I reboot the machine (after correctly unmounting and closing the volumes and the LUKS device), and it takes a few hours before it asks me for the passphrase.



If anybody has experienced this or knows about this problem, or sees something I am doing wrong, please let me know!

Here is the dmesg log from last time:



[    0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2

[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.2.0-4-amd64 root=/dev/mapper/srvices-root ro single console=tty0 console=ttyS0,115200
[ 0.000000] BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: 0000000000000000 - 000000000009dc00 (usable)
[ 0.000000] BIOS-e820: 000000000009dc00 - 00000000000a0000 (reserved)
[ 0.000000] BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
[ 0.000000] BIOS-e820: 0000000000100000 - 00000000dfffe000 (usable)
[ 0.000000] BIOS-e820: 00000000dfffe000 - 00000000e0000000 (reserved)
[ 0.000000] BIOS-e820: 00000000feffc000 - 00000000ff000000 (reserved)
[ 0.000000] BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
[ 0.000000] BIOS-e820: 0000000100000000 - 00000001a0000000 (usable)

[ 0.000000] NX (Execute Disable) protection: active
[ 0.000000] SMBIOS 2.4 present.
[ 0.000000] DMI: Bochs Bochs, BIOS Bochs 01/01/2007
[ 0.000000] e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
[ 0.000000] e820 remove range: 00000000000a0000 - 0000000000100000 (usable)
[ 0.000000] No AGP bridge found
[ 0.000000] last_pfn = 0x1a0000 max_arch_pfn = 0x400000000
[ 0.000000] MTRR default type: write-back
[ 0.000000] MTRR fixed ranges enabled:
[ 0.000000] 00000-9FFFF write-back

[ 0.000000] A0000-BFFFF uncachable
[ 0.000000] C0000-FFFFF write-protect
[ 0.000000] MTRR variable ranges enabled:
[ 0.000000] 0 base 00E0000000 mask FFE0000000 uncachable
[ 0.000000] 1 disabled
[ 0.000000] 2 disabled
[ 0.000000] 3 disabled
[ 0.000000] 4 disabled
[ 0.000000] 5 disabled
[ 0.000000] 6 disabled

[ 0.000000] 7 disabled
[ 0.000000] 8 disabled
[ 0.000000] 9 disabled
[ 0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
[ 0.000000] last_pfn = 0xdfffe max_arch_pfn = 0x400000000
[ 0.000000] found SMP MP-table at [ffff8800000fdad0] fdad0
[ 0.000000] initial memory mapped : 0 - 20000000
[ 0.000000] Base memory trampoline at [ffff880000098000] 98000 size 20480
[ 0.000000] init_memory_mapping: 0000000000000000-00000000dfffe000
[ 0.000000] 0000000000 - 00dfe00000 page 2M

[ 0.000000] 00dfe00000 - 00dfffe000 page 4k
[ 0.000000] kernel direct mapping tables up to dfffe000 @ 1fffa000-20000000
[ 0.000000] init_memory_mapping: 0000000100000000-00000001a0000000
[ 0.000000] 0100000000 - 01a0000000 page 2M
[ 0.000000] kernel direct mapping tables up to 1a0000000 @ dfffa000-dfffe000
[ 0.000000] RAMDISK: 369a4000 - 374ca000
[ 0.000000] ACPI: RSDP 00000000000fd920 00014 (v00 BOCHS )
[ 0.000000] ACPI: RSDT 00000000dfffe550 00038 (v01 BOCHS BXPCRSDT 00000001 BXPC 00000001)
[ 0.000000] ACPI: FACP 00000000dfffff80 00074 (v01 BOCHS BXPCFACP 00000001 BXPC 00000001)
[ 0.000000] ACPI: DSDT 00000000dfffe590 01121 (v01 BXPC BXDSDT 00000001 INTL 20100528)

[ 0.000000] ACPI: FACS 00000000dfffff40 00040
[ 0.000000] ACPI: SSDT 00000000dffffe40 000FF (v01 BOCHS BXPCSSDT 00000001 BXPC 00000001)
[ 0.000000] ACPI: APIC 00000000dffffd50 00080 (v01 BOCHS BXPCAPIC 00000001 BXPC 00000001)
[ 0.000000] ACPI: HPET 00000000dffffd10 00038 (v01 BOCHS BXPCHPET 00000001 BXPC 00000001)
[ 0.000000] ACPI: SSDT 00000000dffff6c0 00644 (v01 BXPC BXSSDTPC 00000001 INTL 20100528)
[ 0.000000] ACPI: Local APIC address 0xfee00000
[ 0.000000] No NUMA configuration found
[ 0.000000] Faking a node at 0000000000000000-00000001a0000000
[ 0.000000] Initmem setup node 0 0000000000000000-00000001a0000000
[ 0.000000] NODE_DATA [000000019fffb000 - 000000019fffffff]

[ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[ 0.000000] kvm-clock: cpu 0, msr 0:16a9701, boot clock
[ 0.000000] [ffffea0000000000-ffffea0005bfffff] PMD -> [ffff880199600000-ffff88019ebfffff] on node 0
[ 0.000000] Zone PFN ranges:
[ 0.000000] DMA 0x00000010 -> 0x00001000
[ 0.000000] DMA32 0x00001000 -> 0x00100000
[ 0.000000] Normal 0x00100000 -> 0x001a0000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] early_node_map[3] active PFN ranges
[ 0.000000] 0: 0x00000010 -> 0x0000009d

[ 0.000000] 0: 0x00000100 -> 0x000dfffe
[ 0.000000] 0: 0x00100000 -> 0x001a0000
[ 0.000000] On node 0 totalpages: 1572747
[ 0.000000] DMA zone: 56 pages used for memmap
[ 0.000000] DMA zone: 5 pages reserved
[ 0.000000] DMA zone: 3920 pages, LIFO batch:0
[ 0.000000] DMA32 zone: 14280 pages used for memmap
[ 0.000000] DMA32 zone: 899126 pages, LIFO batch:31
[ 0.000000] Normal zone: 8960 pages used for memmap
[ 0.000000] Normal zone: 646400 pages, LIFO batch:31

[ 0.000000] ACPI: PM-Timer IO Port: 0xb008
[ 0.000000] ACPI: Local APIC address 0xfee00000
[ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
[ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)
[ 0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[ 0.000000] ACPI: IOAPIC (id[0x02] address[0xfec00000] gsi_base[0])
[ 0.000000] IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-23
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)

[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.000000] ACPI: IRQ0 used by override.
[ 0.000000] ACPI: IRQ2 used by override.
[ 0.000000] ACPI: IRQ5 used by override.
[ 0.000000] ACPI: IRQ9 used by override.
[ 0.000000] ACPI: IRQ10 used by override.
[ 0.000000] ACPI: IRQ11 used by override.
[ 0.000000] Using ACPI (MADT) for SMP configuration information
[ 0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000

[ 0.000000] SMP: Allowing 2 CPUs, 0 hotplug CPUs
[ 0.000000] nr_irqs_gsi: 40
[ 0.000000] PM: Registered nosave memory: 000000000009d000 - 000000000009e000
[ 0.000000] PM: Registered nosave memory: 000000000009e000 - 00000000000a0000
[ 0.000000] PM: Registered nosave memory: 00000000000a0000 - 00000000000f0000
[ 0.000000] PM: Registered nosave memory: 00000000000f0000 - 0000000000100000
[ 0.000000] PM: Registered nosave memory: 00000000dfffe000 - 00000000e0000000
[ 0.000000] PM: Registered nosave memory: 00000000e0000000 - 00000000feffc000
[ 0.000000] PM: Registered nosave memory: 00000000feffc000 - 00000000ff000000
[ 0.000000] PM: Registered nosave memory: 00000000ff000000 - 00000000fffc0000

[ 0.000000] PM: Registered nosave memory: 00000000fffc0000 - 0000000100000000
[ 0.000000] Allocating PCI resources starting at e0000000 (gap: e0000000:1effc000)
[ 0.000000] Booting paravirtualized kernel on KVM
[ 0.000000] setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:2 nr_node_ids:1
[ 0.000000] PERCPU: Embedded 28 pages/cpu @ffff88019fc00000 s82944 r8192 d23552 u1048576
[ 0.000000] pcpu-alloc: s82944 r8192 d23552 u1048576 alloc=1*2097152
[ 0.000000] pcpu-alloc: [0] 0 1
[ 0.000000] kvm-clock: cpu 0, msr 1:9fc13701, primary cpu clock
[ 0.000000] KVM setup async PF for cpu 0
[ 0.000000] kvm-stealtime: cpu 0, msr 19fc0dfc0

[ 0.000000] Built 1 zonelists in Node order, mobility grouping on. Total pages: 1549446
[ 0.000000] Policy zone: Normal
[ 0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-3.2.0-4-amd64 root=/dev/mapper/srvices-root ro single console=tty0 console=ttyS0,115200
[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.000000] Checking aperture...
[ 0.000000] No AGP bridge found
[ 0.000000] Calgary: detecting Calgary via BIOS EBDA area
[ 0.000000] Calgary: Unable to locate Rio Grande table in EBDA - bailing!
[ 0.000000] Memory: 6116684k/6815744k available (3432k kernel code, 524756k absent, 174304k reserved, 3307k data, 580k init)
[ 0.000000] Hierarchical RCU implementation.

[ 0.000000] RCU dyntick-idle grace-period acceleration is enabled.
[ 0.000000] NR_IRQS:33024 nr_irqs:512 16
[ 0.000000] Console: colour VGA+ 80x25
[ 0.000000] console [tty0] enabled
[ 0.000000] console [ttyS0] enabled
[ 0.000000] hpet clockevent registered
[ 0.000000] Detected 3415.532 MHz processor.
[ 0.000000] Marking TSC unstable due to TSCs unsynchronized
[ 0.008000] Calibrating delay loop (skipped) preset value.. 6831.06 BogoMIPS (lpj=13662128)
[ 0.008000] pid_max: default: 32768 minimum: 301

[ 0.008000] Security Framework initialized
[ 0.008000] AppArmor: AppArmor disabled by boot time parameter
[ 0.008000] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
[ 0.012000] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)
[ 0.015249] Mount-cache hash table entries: 256
[ 0.016170] Initializing cgroup subsys cpuacct
[ 0.017500] Initializing cgroup subsys memory
[ 0.018775] Initializing cgroup subsys devices
[ 0.020011] Initializing cgroup subsys freezer
[ 0.021356] Initializing cgroup subsys net_cls

[ 0.022698] Initializing cgroup subsys blkio
[ 0.024016] Initializing cgroup subsys perf_event
[ 0.025383] mce: CPU supports 10 MCE banks
[ 0.029219] ACPI: Core revision 20110623
[ 0.033372] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[ 0.035377] CPU0: AMD QEMU Virtual CPU version 1.1.2 stepping 03
[ 0.040002] APIC calibration not consistent with PM-Timer: 116ms instead of 100ms
[ 0.040002] APIC delta adjusted to PM-Timer: 6249547 (7253497)
[ 0.040002] Performance Events: Broken PMU hardware detected, using software events only.
[ 0.040002] NMI watchdog disabled (cpu0): hardware events not enabled

[ 0.040121] Booting Node 0, Processors #1 Ok.
[ 0.041284] smpboot cpu 1: start_ip = 98000
[ 0.053431] NMI watchdog disabled (cpu1): hardware events not enabled
[ 0.053428] KVM setup async PF for cpu 1
[ 0.053428] kvm-stealtime: cpu 1, msr 19fd0dfc0
[ 0.053428] kvm-clock: cpu 1, msr 1:9fd13701, secondary cpu clock
[ 0.060005] Brought up 2 CPUs
[ 0.068011] Total of 2 processors activated (13662.12 BogoMIPS).
[ 0.069677] devtmpfs: initialized
[ 0.074798] print_constraints: dummy:

[ 0.076177] NET: Registered protocol family 16
[ 0.077716] ACPI: bus type pci registered
[ 0.079085] PCI: Using configuration type 1 for base access
[ 0.080210] mtrr: your CPUs had inconsistent variable MTRR settings
[ 0.081863] mtrr: your CPUs had inconsistent MTRRdefType settings
[ 0.084006] mtrr: probably your BIOS does not setup all CPUs.
[ 0.085652] mtrr: corrected configuration.
[ 0.088260] bio: create slab at 0
[ 0.089632] ACPI: Added _OSI(Module Device)
[ 0.092010] ACPI: Added _OSI(Processor Device)

[ 0.093576] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 0.096015] ACPI: Added _OSI(Processor Aggregator Device)
[ 0.098360] ACPI: EC: Look up EC in DSDT
[ 0.100581] ACPI: Interpreter enabled
[ 0.102354] ACPI: (supports S0 S3 S4 S5)
[ 0.104014] ACPI: Using IOAPIC for interrupt routing
[ 0.113888] ACPI: No dock devices found.
[ 0.115411] HEST: Table not found.
[ 0.116017] PCI: Ignoring host bridge windows from ACPI; if necessary, use "pci=use_crs" and report a bug
[ 0.118877] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])

[ 0.120055] pci_root PNP0A03:00: host bridge window [io 0x0000-0x0cf7] (ignored)
[ 0.120057] pci_root PNP0A03:00: host bridge window [io 0x0d00-0xffff] (ignored)
[ 0.120059] pci_root PNP0A03:00: host bridge window [mem 0x000a0000-0x000bffff] (ignored)
[ 0.120061] pci_root PNP0A03:00: host bridge window [mem 0xe0000000-0xfebfffff] (ignored)
[ 0.120094] pci 0000:00:00.0: [8086:1237] type 0 class 0x000600
[ 0.120330] pci 0000:00:01.0: [8086:7000] type 0 class 0x000601
[ 0.120657] pci 0000:00:01.1: [8086:7010] type 0 class 0x000101
[ 0.122297] pci 0000:00:01.1: reg 20: [io 0xc0a0-0xc0af]
[ 0.124442] pci 0000:00:01.2: [8086:7020] type 0 class 0x000c03
[ 0.126058] pci 0000:00:01.2: reg 20: [io 0xc040-0xc05f]

[ 0.126769] pci 0000:00:01.3: [8086:7113] type 0 class 0x000680
[ 0.127047] pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
[ 0.128016] pci 0000:00:01.3: quirk: [io 0xb100-0xb10f] claimed by PIIX4 SMB
[ 0.129795] pci 0000:00:02.0: [1013:00b8] type 0 class 0x000300
[ 0.132504] pci 0000:00:02.0: reg 10: [mem 0xfc000000-0xfdffffff pref]
[ 0.136052] pci 0000:00:02.0: reg 14: [mem 0xfebf0000-0xfebf0fff]
[ 0.141073] pci 0000:00:02.0: reg 30: [mem 0xfebd0000-0xfebdffff pref]
[ 0.141386] pci 0000:00:03.0: [1af4:1000] type 0 class 0x000200
[ 0.148589] pci 0000:00:03.0: reg 10: [io 0xc060-0xc07f]
[ 0.149632] pci 0000:00:03.0: reg 14: [mem 0xfebf1000-0xfebf1fff]

[ 0.156542] pci 0000:00:03.0: reg 30: [mem 0xfebe0000-0xfebeffff pref]
[ 0.156956] pci 0000:00:04.0: [1af4:1001] type 0 class 0x000100
[ 0.158142] pci 0000:00:04.0: reg 10: [io 0xc000-0xc03f]
[ 0.159248] pci 0000:00:04.0: reg 14: [mem 0xfebf2000-0xfebf2fff]
[ 0.164887] pci 0000:00:05.0: [1af4:1002] type 0 class 0x0000ff
[ 0.165458] pci 0000:00:05.0: reg 10: [io 0xc080-0xc09f]
[ 0.169256] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]
[ 0.169685] pci0000:00: Unable to request _OSC control (_OSC support mask: 0x1e)
[ 0.174231] ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)
[ 0.176076] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)

[ 0.180978] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
[ 0.184072] ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)
[ 0.185535] ACPI: PCI Interrupt Link [LNKS] (IRQs 9) *0
[ 0.187291] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,locks=none
[ 0.188014] vgaarb: loaded
[ 0.188596] vgaarb: bridge control possible 0000:00:02.0
[ 0.189569] PCI: Using ACPI for IRQ routing
[ 0.190306] PCI: pci_cache_line_size set to 64 bytes
[ 0.190443] reserve RAM buffer: 000000000009dc00 - 000000000009ffff
[ 0.190448] reserve RAM buffer: 00000000dfffe000 - 00000000dfffffff

[ 0.190645] HPET: 3 timers in total, 0 timers will be used for per-cpu timer
[ 0.192034] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
[ 0.193147] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
[ 0.212036] Switching to clocksource kvm-clock
[ 0.214927] pnp: PnP ACPI init
[ 0.215592] ACPI: bus type pnp registered
[ 0.216366] pnp 00:00: [bus 00-ff]
[ 0.216369] pnp 00:00: [io 0x0cf8-0x0cff]
[ 0.216371] pnp 00:00: [io 0x0000-0x0cf7 window]
[ 0.216372] pnp 00:00: [io 0x0d00-0xffff window]

[ 0.216374] pnp 00:00: [mem 0x000a0000-0x000bffff window]
[ 0.216376] pnp 00:00: [mem 0xe0000000-0xfebfffff window]
[ 0.216426] pnp 00:00: Plug and Play ACPI device, IDs PNP0a03 (active)
[ 0.216440] pnp 00:01: [io 0x0070-0x0071]
[ 0.216472] pnp 00:01: [irq 8]
[ 0.216473] pnp 00:01: [io 0x0072-0x0077]
[ 0.216492] pnp 00:01: Plug and Play ACPI device, IDs PNP0b00 (active)
[ 0.216526] pnp 00:02: [io 0x0060]
[ 0.216529] pnp 00:02: [io 0x0064]
[ 0.216545] pnp 00:02: [irq 1]

[ 0.216564] pnp 00:02: Plug and Play ACPI device, IDs PNP0303 (active)
[ 0.216594] pnp 00:03: [irq 12]
[ 0.216613] pnp 00:03: Plug and Play ACPI device, IDs PNP0f13 (active)
[ 0.216633] pnp 00:04: [io 0x03f2-0x03f5]
[ 0.216635] pnp 00:04: [io 0x03f7]
[ 0.216650] pnp 00:04: [irq 6]
[ 0.216652] pnp 00:04: [dma 2]
[ 0.216683] pnp 00:04: Plug and Play ACPI device, IDs PNP0700 (active)
[ 0.216750] pnp 00:05: [io 0x03f8-0x03ff]
[ 0.216766] pnp 00:05: [irq 4]

[ 0.216784] pnp 00:05: Plug and Play ACPI device, IDs PNP0501 (active)
[ 0.216878] pnp 00:06: [mem 0xfed00000-0xfed003ff]
[ 0.216906] pnp 00:06: Plug and Play ACPI device, IDs PNP0103 (active)
[ 0.217005] pnp: PnP ACPI: found 7 devices
[ 0.217730] ACPI: ACPI bus type pnp unregistered
[ 0.228506] PCI: max bus depth: 0 pci_try_num: 1
[ 0.228515] pci_bus 0000:00: resource 0 [io 0x0000-0xffff]
[ 0.228517] pci_bus 0000:00: resource 1 [mem 0x00000000-0xffffffffff]
[ 0.228705] NET: Registered protocol family 2
[ 0.231459] IP route cache hash table entries: 262144 (order: 9, 2097152 bytes)

[ 0.235819] TCP established hash table entries: 524288 (order: 11, 8388608 bytes)
[ 0.250779] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)
[ 0.253381] TCP: Hash tables configured (established 524288 bind 65536)
[ 0.255193] TCP reno registered
[ 0.256172] UDP hash table entries: 4096 (order: 5, 131072 bytes)
[ 0.257857] UDP-Lite hash table entries: 4096 (order: 5, 131072 bytes)
[ 0.259902] NET: Registered protocol family 1
[ 0.260861] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 0.262056] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[ 0.263174] pci 0000:00:01.0: Activating ISA DMA hang workarounds

[ 0.273610] ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 11
[ 0.275164] pci 0000:00:02.0: Boot video device
[ 0.275194] PCI: CLS 0 bytes, default 64
[ 0.275261] Unpacking initramfs...
[ 0.477514] Freeing initrd memory: 11416k freed
[ 0.482711] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 0.484075] Placing 64MB software IO TLB between ffff8800dbffa000 - ffff8800dfffa000
[ 0.485685] software IO TLB at phys 0xdbffa000 - 0xdfffa000
[ 0.487886] audit: initializing netlink socket (disabled)
[ 0.489023] type=2000 audit(1414446944.488:1): initialized

[ 0.507853] HugeTLB registered 2 MB page size, pre-allocated 0 pages
[ 0.512541] VFS: Disk quotas dquot_6.5.2
[ 0.513981] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 0.516081] msgmni has been set to 11968
[ 0.518658] alg: No test for stdrng (krng)
[ 0.522396] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[ 0.525107] io scheduler noop registered
[ 0.526139] io scheduler deadline registered
[ 0.527797] io scheduler cfq registered (default)
[ 0.529671] pci_hotplug: PCI Hot Plug PCI Core version: 0.5

[ 0.547796] pciehp: PCI Express Hot Plug Controller Driver version: 0.4
[ 0.549695] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
[ 0.551777] acpiphp: Slot [3] registered
[ 0.553206] acpiphp: Slot [4] registered
[ 0.554527] acpiphp: Slot [5] registered
[ 0.555406] acpiphp: Slot [6] registered
[ 0.556338] acpiphp: Slot [7] registered
[ 0.557273] acpiphp: Slot [8] registered
[ 0.558229] acpiphp: Slot [9] registered
[ 0.559134] acpiphp: Slot [10] registered

[ 0.560029] acpiphp: Slot [11] registered
[ 0.560925] acpiphp: Slot [12] registered
[ 0.561909] acpiphp: Slot [13] registered
[ 0.562938] acpiphp: Slot [14] registered
[ 0.564249] acpiphp: Slot [15] registered
[ 0.565569] acpiphp: Slot [16] registered
[ 0.566820] acpiphp: Slot [17] registered
[ 0.568191] acpiphp: Slot [18] registered
[ 0.569475] acpiphp: Slot [19] registered
[ 0.570820] acpiphp: Slot [20] registered

[ 0.572144] acpiphp: Slot [21] registered
[ 0.573376] acpiphp: Slot [22] registered
[ 0.574658] acpiphp: Slot [23] registered
[ 0.575989] acpiphp: Slot [24] registered
[ 0.577173] acpiphp: Slot [25] registered
[ 0.578425] acpiphp: Slot [26] registered
[ 0.579739] acpiphp: Slot [27] registered
[ 0.580980] acpiphp: Slot [28] registered
[ 0.582278] acpiphp: Slot [29] registered
[ 0.583573] acpiphp: Slot [30] registered

[ 0.584773] acpiphp: Slot [31] registered
[ 0.586223] ERST: Table is not found!
[ 0.587312] GHES: HEST is not enabled!
[ 0.588856] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.629003] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 0.658059] 00:05: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 0.660565] Linux agpgart interface v0.103
[ 0.673119] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
[ 0.677148] serio: i8042 KBD port at 0x60,0x64 irq 1
[ 0.678248] serio: i8042 AUX port at 0x60,0x64 irq 12

[ 0.679836] mousedev: PS/2 mouse device common for all mice
[ 0.681944] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
[ 0.684831] rtc_cmos 00:01: RTC can wake from S4
[ 0.686732] rtc_cmos 00:01: rtc core: registered rtc_cmos as rtc0
[ 0.688777] rtc0: alarms up to one day, 114 bytes nvram, hpet irqs
[ 0.690651] cpuidle: using governor ladder
[ 0.691951] cpuidle: using governor menu
[ 0.693583] TCP cubic registered
[ 0.694984] NET: Registered protocol family 10
[ 0.697245] Mobile IPv6

[ 0.698222] NET: Registered protocol family 17
[ 0.709844] Registering the dns_resolver key type
[ 0.714300] PM: Hibernation image not present or could not be loaded.
[ 0.714348] registered taskstats version 1
[ 0.720212] rtc_cmos 00:01: setting system clock to 2014-10-27 21:55:43 UTC (1414446943)
[ 0.724133] Initializing network drop monitor service
[ 0.726898] Freeing unused kernel memory: 580k freed
[ 0.727988] Write protecting the kernel read-only data: 6144k
[ 0.730894] Freeing unused kernel memory: 648k freed
[ 0.734594] Freeing unused kernel memory: 688k freed

[ 0.856102] udevd[51]: starting version 175
[ 0.882389] SCSI subsystem initialized
[ 0.887544] ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 10
[ 0.902570] usbcore: registered new interface driver usbfs
[ 0.902753] virtio-pci 0000:00:03.0: setting latency timer to 64
[ 0.903451] virtio-pci 0000:00:04.0: setting latency timer to 64
[ 0.904180] ACPI: PCI Interrupt Link [LNKA] enabled at IRQ 10
[ 0.904217] virtio-pci 0000:00:05.0: setting latency timer to 64
[ 0.908345] libata version 3.00 loaded.
[ 0.908908] ata_piix 0000:00:01.1: version 2.13

[ 0.909051] ata_piix 0000:00:01.1: setting latency timer to 64
[ 0.912461] usbcore: registered new interface driver hub
[ 0.916405] scsi0 : ata_piix
[ 0.920989] usbcore: registered new device driver usb
[ 0.923162] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.925064] scsi1 : ata_piix
[ 0.926215] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0a0 irq 14
[ 0.928003] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0a8 irq 15
[ 0.930726] uhci_hcd: USB Universal Host Controller Interface driver
[ 0.933881] uhci_hcd 0000:00:01.2: setting latency timer to 64

[ 0.933890] uhci_hcd 0000:00:01.2: UHCI Host Controller
[ 0.935462] uhci_hcd 0000:00:01.2: new USB bus registered, assigned bus number 1
[ 0.937756] uhci_hcd 0000:00:01.2: irq 11, io base 0x0000c040
[ 0.939465] usb usb1: New USB device found, idVendor=1d6b, idProduct=0001
[ 0.941008] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.942864] usb usb1: Product: UHCI Host Controller
[ 0.944217] usb usb1: Manufacturer: Linux 3.2.0-4-amd64 uhci_hcd
[ 0.945600] usb usb1: SerialNumber: 0000:00:01.2
[ 0.947218] hub 1-0:1.0: USB hub found
[ 0.948370] hub 1-0:1.0: 2 ports detected

[ 0.958914] virtio-pci 0000:00:03.0: irq 40 for MSI/MSI-X
[ 0.958937] virtio-pci 0000:00:03.0: irq 41 for MSI/MSI-X
[ 0.958954] virtio-pci 0000:00:03.0: irq 42 for MSI/MSI-X
[ 0.971100] virtio-pci 0000:00:04.0: irq 43 for MSI/MSI-X
[ 0.971120] virtio-pci 0000:00:04.0: irq 44 for MSI/MSI-X
[ 0.971579] FDC 0 is a S82078B
[ 0.973380] vda: vda1 vda2
[ 1.101935] ata2.01: NODEV after polling detection
[ 1.102793] ata2.00: ATAPI: QEMU DVD-ROM, 1.1.2, max UDMA/100
[ 1.109793] ata2.00: configured for MWDMA2

[ 1.115456] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 1.1. PQ: 0 ANSI: 5
[ 1.148087] sr0: scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
[ 1.149401] cdrom: Uniform CD-ROM driver Revision: 3.20
[ 1.151382] sr 1:0:0:0: Attached scsi CD-ROM sr0
[ 1.158778] sr 1:0:0:0: Attached scsi generic sg0 type 5
[ 1.260227] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[ 1.302176] device-mapper: uevent: version 1.0.3
[ 1.307903] device-mapper: ioctl: 4.22.0-ioctl (2011-10-19) initialised: dm-devel@redhat.com
[ 1.456752] usb 1-1: New USB device found, idVendor=0627, idProduct=0001
[ 1.456755] usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=5

[ 1.456757] usb 1-1: Product: QEMU USB Tablet
[ 1.456759] usb 1-1: Manufacturer: QEMU 1.1.2
[ 1.456760] usb 1-1: SerialNumber: 42
[ 1.485089] input: QEMU 1.1.2 QEMU USB Tablet as /devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0/input/input1
[ 1.485328] generic-usb 0003:0627:0001.0001: input,hidraw0: USB HID v0.01 Pointer [QEMU 1.1.2 QEMU USB Tablet] on usb-0000:00:01.2-1/input0
[ 1.485378] usbcore: registered new interface driver usbhid
[ 1.485384] usbhid: USB HID core driver
[ 6308.594031] PM: Starting manual resume from disk
[ 6308.607186] PM: Hibernation image partition 253:2 present
[ 6308.607188] PM: Looking for hibernation image.

[ 6308.607520] PM: Image not found (code -22)
[ 6308.607522] PM: Hibernation image not present or could not be loaded.
[ 6308.684653] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
[ 6310.590145] udevd[372]: starting version 175
[ 6310.869309] WARNING! power/level is deprecated; use power/control instead
[ 6310.917370] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input2
[ 6310.938347] ACPI: Power Button [PWRF]
[ 6311.083046] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0xb100, revision 0
[ 6311.105034] input: PC Speaker as /devices/platform/pcspkr/input/input3
[ 6311.523064] Error: Driver 'pcspkr' is already registered, aborting...

[ 6311.779350] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
[ 6312.487542] EXT4-fs (dm-1): re-mounted. Opts: (null)
[ 6312.775121] EXT4-fs (dm-1): re-mounted. Opts: errors=remount-ro
[ 6313.573035] loop: module loaded
[ 6314.543459] Adding 8519676k swap on /dev/mapper/srvices-swap_1. Priority:-1 extents:1 across:8519676k
[ 6326.584149] eth0: no IPv6 routers present
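The log above already says where the time goes: the kernel stamps every dmesg line with seconds since boot, and the timestamps jump from 1.485 s (the last driver message while the initramfs is running) to 6308.594 s ("PM: Starting manual resume from disk"), about 1 h 45 min of silence before the root filesystem is mounted, i.e. inside the initramfs, which is the phase in which udev settles, LVM is activated and cryptsetup prompts for the passphrase. The script below, an added example written for this page and not part of the post, finds such gaps mechanically and says which boot phase they fall in; its sample input is a trimmed copy of the dmesg lines posted above.

```python
"""Locate the silence in a slow boot from dmesg timestamps.

Added example for this page (not from the post). The kernel stamps every dmesg line
with seconds since boot, so a long wait shows up as one large jump between two
consecutive lines, and the messages around the jump say which boot phase it was in.
"""
import re

DMESG_LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")

# Lines copied from the dmesg output in the post above, trimmed to the ones that
# mark boot phases; the full log has many more lines between them.
SAMPLE_DMESG = """\
[    0.000000] Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2
[    0.275261] Unpacking initramfs...
[    0.856102] udevd[51]: starting version 175
[    1.302176] device-mapper: uevent: version 1.0.3
[    1.485384] usbhid: USB HID core driver
[ 6308.594031] PM: Starting manual resume from disk
[ 6308.684653] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
[ 6310.590145] udevd[372]: starting version 175
[ 6314.543459] Adding 8519676k swap on /dev/mapper/srvices-swap_1. Priority:-1 extents:1 across:8519676k
"""


def parse_dmesg(text):
    """Return [(seconds_since_boot, message), ...] for every timestamped line."""
    entries = []
    for line in text.splitlines():
        m = DMESG_LINE.match(line)
        if m:
            entries.append((float(m.group(1)), m.group(2)))
    return entries


def largest_gaps(entries, top=3, min_seconds=1.0):
    """Longest silences between consecutive lines, as (seconds, t_before, msg_before, msg_after)."""
    gaps = []
    for (t0, m0), (t1, m1) in zip(entries, entries[1:]):
        if t1 - t0 >= min_seconds:
            gaps.append((round(t1 - t0, 3), t0, m0, m1))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:top]


def gap_in_initramfs(entries, gap):
    """True if the silence began after the initramfs was unpacked and before the real
    root filesystem was mounted, i.e. while the initramfs (udev, cryptsetup prompt,
    LVM activation) was running."""
    start = next((t for t, m in entries if m.startswith("Unpacking initramfs")), None)
    end = next((t for t, m in entries if "mounted filesystem" in m), float("inf"))
    return start is not None and start <= gap[1] < end


def human(seconds):
    """Format seconds as h:mm:ss for the report."""
    s = int(round(seconds))
    return "%d:%02d:%02d" % (s // 3600, (s % 3600) // 60, s % 60)


if __name__ == "__main__":
    entries = parse_dmesg(SAMPLE_DMESG)
    for gap in largest_gaps(entries):
        secs, t0, before, after = gap
        where = "in initramfs" if gap_in_initramfs(entries, gap) else "after root mount"
        print("%s gap (%s) at %.3fs: %r -> %r" % (human(secs), where, t0, before[:40], after[:40]))
```

On a real machine feed it `dmesg` output (or /var/log/dmesg from the slow boot) instead of the sample; if the big gap sits in the initramfs, the next place to look is the initramfs itself (break=premount on the kernel command line drops into its shell before the cryptsetup and LVM steps run).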

Wednesday, November 27, 2019

OpenLDAP with ldaps support on Debian Lenny

Somehow I am unable to configure slapd to enable ldaps support on Debian Lenny. It looks like OpenLDAP is compiled with GnuTLS instead of OpenSSL, which could be part of the problem.



I've added the following options to slapd.conf:

TLSCipherSuite TLS_RSA_AES_256_CBC_SHA
TLSCertificateFile /etc/ssl/certs/myhost.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCertificateKeyFile /etc/ssl/private/myhost.pem
TLSVerifyClient never

and the following to ldap.conf:




URI ldap:/// ldaps:///
TLS_REQCERT never



The following error appears in the logs if I try to start slapd:



main: TLS init def ctx failed: -64


Could it be that the certificate, which has been generated by openssl, cannot be read by GnuTLS?



Has any of you configured OpenLDAP on Debian with ldaps support? If so, any hints on how to get it to work would be much appreciated.



Thanks.




EDIT: found a working TLSCipherSuite.
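Return code -64 from GnuTLS is GNUTLS_E_FILE_ERROR, "Error while reading file", so "TLS init def ctx failed: -64" means slapd could not read one of the TLS* files at all; it is not a complaint about the certificate's format (GnuTLS reads the PEM files openssl writes). On Debian slapd drops privileges to the openldap user, while /etc/ssl/private is root:ssl-cert mode 0710, so a key placed there is unreadable to that user unless it is a member of ssl-cert. Separately, with a GnuTLS build the TLSCipherSuite value is a GnuTLS priority string (NORMAL, SECURE256, ...) rather than an OpenSSL cipher name, which is consistent with the poster's later edit. The check below is an added example written for this page, not part of the post: it evaluates the mode bits of each configured file and of every directory on the way as a given uid/gids would see them, so it can be run by any user without switching to openldap, and it flags files that do not start with a PEM header. The user name, the trusted-root parameter and the paths are assumptions taken from the Debian layout and the post.

```python
"""Check that slapd's TLS files are readable by the unprivileged slapd user.

Added example for this page, not part of the post. Evaluates classic mode bits
only (uid 0 is treated as all-powerful; ACLs and mount options are ignored).
"""
import os

READ, SEARCH = 4, 1


def _perm_bits(st, uid, gids):
    """Pick the owner, group or other permission triplet that applies to this uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_access(path, uid, gids, need, trusted_root="/"):
    """True if a process with this uid and these gids has the `need` bits (READ and/or
    SEARCH) on `path` and SEARCH on every directory below `trusted_root` leading to it."""
    if uid == 0:
        return os.path.exists(path)
    path, trusted_root, gids = os.path.abspath(path), os.path.abspath(trusted_root), set(gids)
    d = os.path.dirname(path)
    while d != trusted_root and os.path.dirname(d) != d:
        try:
            st = os.stat(d)
        except OSError:
            return False
        if not _perm_bits(st, uid, gids) & SEARCH:
            return False
        d = os.path.dirname(d)
    try:
        st = os.stat(path)
    except OSError:
        return False
    return _perm_bits(st, uid, gids) & need == need


def looks_like_pem(path):
    """GnuTLS expects PEM here; a DER file fails to load just like an unreadable one."""
    try:
        with open(path, "rb") as f:
            return f.read(11) == b"-----BEGIN "
    except OSError:
        return False


def check_tls_files(directives, uid, gids, trusted_root="/"):
    """directives: {slapd.conf TLS directive: path}. Returns a list of problems (empty = OK)."""
    problems = []
    for name, path in directives.items():
        if os.path.isdir(path):                 # TLSCACertificatePath names a directory
            if not can_access(path, uid, gids, READ | SEARCH, trusted_root):
                problems.append("%s: %s not searchable by uid %d" % (name, path, uid))
            continue
        if not can_access(path, uid, gids, READ, trusted_root):
            problems.append("%s: %s not readable by uid %d (GnuTLS reports -64)" % (name, path, uid))
        elif not looks_like_pem(path):
            problems.append("%s: %s is not a PEM file" % (name, path))
    return problems


if __name__ == "__main__":
    import grp, pwd
    # Assumed Debian layout: slapd runs as 'openldap'; the paths are the ones from the post.
    try:
        pw = pwd.getpwnam("openldap")
    except KeyError:
        raise SystemExit("no 'openldap' user on this system")
    gids = [g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem] + [pw.pw_gid]
    report = check_tls_files({"TLSCertificateFile": "/etc/ssl/certs/myhost.pem",
                              "TLSCertificateKeyFile": "/etc/ssl/private/myhost.pem",
                              "TLSCACertificatePath": "/etc/ssl/certs/"}, pw.pw_uid, gids)
    print("\n".join(report) or "all TLS files readable by openldap")
```

If the key is the only failing item, granting the slapd user the ssl-cert group (or copying the key to a directory slapd owns, mode 0600) fixes the -64 without loosening /etc/ssl/private for everyone else.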

Tuesday, November 26, 2019

linux - Strange OpenVPN behavior - disconnects after one minute

I'm using OpenVPN to connect two private networks and now I have a problem that I'm not able to solve.
The servers are connected with a simple UDP configuration with a static key. I've already checked iptables for limits or anything similar and there's nothing; also, both servers are directly on public IPs, with no routers/NAT or anything else in between. Server A is listening and server B is the client.
When the VPN starts, the client connects and everything works perfectly, but ONLY for the first minute.
Then it stops working. The tunnel connection (ping from one endpoint to the other) from server A to server B still works (I can ping), but from the other side it does not. After another minute the watchdog realizes that the connection is down on server B and restarts the tunnel. Then it works for one minute and this repeats forever...



Both servers are Ubuntu 64bit:



Server A:





root@server:/etc/openvpn# uname -an
Linux server 2.6.38-13-virtual #52~lucid1-Ubuntu SMP Thu Nov 10 19:46:44 UTC 2011 x86_64 GNU/Linux
root@server:/etc/openvpn# openvpn --version
OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc.



Server B:




root@gw2:~# uname -an
Linux gw2 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@gw2:~# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.


$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route

Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL


Server A ovpn config:




daemon vpn-conn
writepid /var/run/openvpn-vpn.pid
dev tun3
proto udp
port 1859
comp-lzo
keepalive 10 30
persist-tun
persist-key
ifconfig 10.9.0.1 10.9.0.2
route 10.10.10.0 255.255.255.0
secret my-key.key
log-append vpn.log
verb 5


Server B:




daemon vpn
writepid /var/run/openvpn-vpn.pid
remote 4.3.2.1
dev tun0
proto udp
port 1859
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ifconfig 10.9.0.2 10.9.0.1
route 192.168.0.0 255.255.252.0
secret my-key.key
log-append vpn.log
mtu-test
verb 5


I did some experimenting, adding/removing "ping-timer-rem", "mtu-test" and "float" in the client and server configuration, but the problem still remains.



Server A keeps logging strange things (I think that this CAN be the source of the problem, but I don't know how to solve it; the time on both servers is the same):





Wed Sep 4 10:25:44 2013 us=125832 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #100 / time = (1378283056) Wed Sep 4 10:24:16 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings


Another strange thing on server A is that server B seems to be connecting from two sockets! I've checked server B and there is only ONE openvpn instance, no others. When I kill it, the connection probes from both sockets end.



Server A log details:




Wed Sep 4 09:56:12 2013 us=544282 Peer Connection Initiated with [AF_INET]1.2.3.4:1859

Wed Sep 4 09:57:06 2013 us=661505 Peer Connection Initiated with [AF_INET]1.2.3.4:1194


Server B detail:




Wed Sep 4 10:28:16 2013 us=98524 SIGUSR1[soft,ping-restart] received, process restarting
Wed Sep 4 10:28:16 2013 us=98562 Restart pause, 2 second(s)
Wed Sep 4 10:28:18 2013 us=98688 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Sep 4 10:28:18 2013 us=98871 Re-using pre-shared static key

Wed Sep 4 10:28:18 2013 us=98905 LZO compression initialized
Wed Sep 4 10:28:18 2013 us=98981 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Sep 4 10:28:18 2013 us=99043 Preserving previous TUN/TAP instance: tun0
Wed Sep 4 10:28:18 2013 us=99075 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Sep 4 10:28:18 2013 us=99144 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 10.9.0.1 10.9.0.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Wed Sep 4 10:28:18 2013 us=99167 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 10.9.0.2 10.9.0.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Wed Sep 4 10:28:18 2013 us=99215 Local Options hash (VER=V4): '184f07f3'
Wed Sep 4 10:28:18 2013 us=99255 Expected Remote Options hash (VER=V4): 'de9a476a'
Wed Sep 4 10:28:18 2013 us=99291 UDPv4 link local (bound): [undef]
Wed Sep 4 10:28:18 2013 us=99321 UDPv4 link remote: [AF_INET]4.3.2.1:1859

WrWrWRWed Sep 4 10:28:21 2013 us=987011 Peer Connection Initiated with [AF_INET]4.3.2.1:1859
wrWrWed Sep 4 10:28:22 2013 us=847036 Initialization Sequence Completed
WrWRwrWRwrWWed Sep 4 10:28:24 2013 us=931728 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
WRwrWRRwrWRwrWrWWrWRwrWRWwrWRRwrWRWwrWRRwrWRwrWRWwrWRwrWRwrWRWwrWRRwrWRwrWRWwrWRwrWRwrWRWwrWRRwrWRwrWRWwrWRwrWRwWrWRRwrWRwrWRwrWRWwrWRwrWRwrWRWwrWRRwrWRWwrWRwrWRwrWRwrWRWwrWRRwrWRwrWRwrWRWwrWRwrWRWwrWRRwrWRwrWRWwrWRwrWRwrWRwrWrWWrWRRwrWR
wrWWRwrWRwrWRwrWrWrWRWwrWRWrWrWWrWWrWWWWWWWWWWWWWWWrWrWWWrWrWWed Sep 4 10:30:19 2013 us=505037 Inactivity timeout (--ping-restart), restarting
Wed Sep 4 10:30:19 2013 us=505153 TCP/UDP: Closing socket


On server B there's NO "1194" string in the log, but when I tcpdump packets between the servers (1.2.3.4 = client, 4.3.2.1 = server):





root@gw2:/etc/openvpn# tcpdump -ni eth0 host 4.3.2.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:34:43.534596 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 100
10:34:43.535359 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 100
10:34:44.468608 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 100
10:34:44.481441 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 100
10:34:45.476109 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 100
10:34:45.476510 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 60

10:34:45.477085 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 100
HERE -->10:34:45.496917 IP 1.2.3.4.1194 > 4.3.2.1.1859: UDP, length 60
10:34:45.537356 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 540
10:34:46.540260 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 100
10:34:46.540955 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 100
10:34:47.526090 IP 4.3.2.1.1859 > 1.2.3.4.1859: UDP, length 100
10:34:47.526793 IP 1.2.3.4.1859 > 4.3.2.1.1859: UDP, length 100


It seems that the client sometimes wants to reconnect FROM udp 1194 (instead of the right 1859) and the other connection, which is already on 1859, is left open.

So server A is sending packets to the 1859 connection (and can ping), but the client changes routing to 1194, which is not initialized and not working (and trying to connect from the 1194 socket generates the "decryption error" on server A). As I said, there's no other configuration nor instance of openvpn on the client (Server B) than the one I dumped above.



Could somebody tell me what could be wrong in my configuration? I'm at my wit's end.



Thank you.



J+



PS: Sorry for my bad English.
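One check that makes the "two sockets" observation mechanical, as an added example that is not part of the original question: it scans OpenVPN log lines of the kind quoted above ("Peer Connection Initiated with [AF_INET]ip:port" and the "bad packet ID (may be a replay)" warning) and reports peers that initiated sessions from more than one source port, any port other than the configured one, and how many replay warnings were logged. The sample log is constructed from the excerpts above plus one extra replay line.

```python
"""Flag an OpenVPN static-key peer that shows up from more than one UDP endpoint.

Added example, not from the original question. Feed it the server-side OpenVPN
log (verb 3 or higher is enough for the "Peer Connection Initiated" lines).
"""
import re
from collections import defaultdict

# Constructed sample modelled on the server A log excerpts in the question.
SAMPLE_LOG = """\
Wed Sep 4 09:56:12 2013 us=544282 Peer Connection Initiated with [AF_INET]1.2.3.4:1859
Wed Sep 4 09:57:06 2013 us=661505 Peer Connection Initiated with [AF_INET]1.2.3.4:1194
Wed Sep 4 10:25:44 2013 us=125832 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #100 / time = (1378283056) Wed Sep 4 10:24:16 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Sep 4 10:25:45 2013 us=200001 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #101 / time = (1378283056) Wed Sep 4 10:24:16 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
"""

PEER_RE = re.compile(
    r"Peer Connection Initiated with \[AF_INET\](?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
)
REPLAY_RE = re.compile(
    r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) / time = \((?P<when>\d+)\)"
)


def analyse_openvpn_log(text, expected_port):
    """Summarise peer endpoints and replay warnings seen in an OpenVPN log.

    Returns a dict with:
      peers             -> {ip: sorted list of source ports seen}
      multi_port_peers  -> the subset of peers that used more than one port
      unexpected_ports  -> [(ip, port)] for every port other than expected_port
      replay_warnings   -> number of "bad packet ID" lines
      replay_packet_ids -> the packet IDs those warnings reported
    """
    endpoints = defaultdict(set)
    replay_ids = []
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            endpoints[m["ip"]].add(int(m["port"]))
            continue
        m = REPLAY_RE.search(line)
        if m:
            replay_ids.append(int(m["pid"]))
    peers = {ip: sorted(ports) for ip, ports in endpoints.items()}
    return {
        "peers": peers,
        "multi_port_peers": {ip: p for ip, p in peers.items() if len(p) > 1},
        "unexpected_ports": [
            (ip, port) for ip, p in peers.items() for port in p if port != expected_port
        ],
        "replay_warnings": len(replay_ids),
        "replay_packet_ids": replay_ids,
    }


if __name__ == "__main__":
    report = analyse_openvpn_log(SAMPLE_LOG, expected_port=1859)
    for ip, ports in report["multi_port_peers"].items():
        print(f"{ip} initiated sessions from ports {ports}")
    print(f"{report['replay_warnings']} replay warning(s) logged")
```

Run over a real log, a non-empty `multi_port_peers` entry for a static-key peer is the signature of the behaviour described in the question.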

linux - I've got dkim=neutral (bad version) header.i with gmail and dkim=fail (unknown key type) with yahoo



I have an external IP and an Ubuntu server with exim 4.71 and bind9. I'm trying to set a valid DKIM entry to send mail for Gmail.



Here are my configuration files:
bind9:



_domainkey.example.com.       IN      TXT     "o=-;"

mail._domainkey.example.com. IN TXT "v=DKIM1;k=rsa-sha256;p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMDO8xXc3fMjQnWs6ejxTsrMa4xvb0470b2wCIbx1/790huhBr1386mkvvzeTpDDwkFmOZWXnJLw+Qeh4p/rkNQ7AVCk2uZQ+Kwy+jxM17QdZaDxSY9U1HYUFXC8BKAUYwIDAQAB"


I've got these results from check-auth@verifier.port25.com



==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral

DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham


Any idea what the problem is?



from yahoo:



from=example.com; dkim=fail (unknown key type)



I've changed k=rsa-sha256 to just k=rsa and now



from=example.com; dkim=pass (ok)


This also helped with gmail :)



Solution:




v=DKIM1;k=rsa-sha256;p=... --> v=DKIM1;k=rsa;p=....



Question solved


Answer



Solution:
change dkim field in BIND9 zone:
from v=DKIM1;k=rsa-sha256;p=... to --> v=DKIM1;k=rsa;p=....
rsa-sha256 or rsa-sha1 doesn't work for me :(
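A record validator that reproduces the "unknown key type" verdict and also measures the key that p= publishes, as an added example that is not part of the question or answer. It checks the tags RFC 6376 defines for the record: v= (if present, "DKIM1" and first), k= (a key type, "rsa", or "ed25519" from RFC 8463; a hash name such as "rsa-sha256" is not one) and p= (the base64 public key, whose RSA modulus size is found by walking the DER SubjectPublicKeyInfo). The 1024-bit threshold is this example's choice; the record constant is the one from the question.

```python
"""Validate a DKIM key record (the TXT record at <selector>._domainkey.<domain>).

Added example, not part of the question or answer.
"""
import base64
import binascii
import re

KNOWN_KEY_TYPES = {"rsa", "ed25519"}   # the registered k= values
MIN_RSA_BITS = 1024                    # threshold chosen for this example

# The record from the question, exactly as published.
QUESTION_RECORD = "v=DKIM1;k=rsa-sha256;p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMDO8xXc3fMjQnWs6ejxTsrMa4xvb0470b2wCIbx1/790huhBr1386mkvvzeTpDDwkFmOZWXnJLw+Qeh4p/rkNQ7AVCk2uZQ+Kwy+jxM17QdZaDxSY9U1HYUFXC8BKAUYwIDAQAB"


def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict in record order; whitespace in values is dropped."""
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue  # a trailing ';' is permitted
        if "=" not in field:
            raise ValueError(f"malformed tag: {field.strip()!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo, which is what p= carries for k=rsa."""
    tag, body, _ = _der_tlv(spki, 0)        # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_tlv(body, 0)           # AlgorithmIdentifier, skipped
    tag, bits, _ = _der_tlv(body, pos)      # subjectPublicKey BIT STRING
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsakey, _ = _der_tlv(bits, 1)        # RSAPublicKey ::= SEQUENCE { n, e }
    tag, modulus, _ = _der_tlv(rsakey, 0)   # n INTEGER (a leading 0x00 adds no bits)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record):
    """Return {'ok', 'problems', 'key_type', 'key_bits'} for one DKIM TXT record."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)], "key_type": None, "key_bits": None}
    problems = []
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        problems.append("v= must be 'DKIM1' and must be the first tag")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    if key_type not in KNOWN_KEY_TYPES:
        problems.append(f"unknown key type {key_type!r} (k= names a key type, not a hash)")
    key_bits = None
    p = tags.get("p")
    if p is None:
        problems.append("p= is required")
    elif p == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            raw = base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
        else:
            if key_type == "rsa":
                try:
                    key_bits = rsa_modulus_bits(raw)
                except (ValueError, IndexError):
                    problems.append("p= does not decode to an RSA public key")
                else:
                    if key_bits < MIN_RSA_BITS:
                        problems.append(f"RSA key is only {key_bits} bits (< {MIN_RSA_BITS})")
            elif key_type == "ed25519":
                key_bits = len(raw) * 8
                if len(raw) != 32:
                    problems.append("ed25519 p= must be the raw 32-byte public key")
    return {"ok": not problems, "problems": problems, "key_type": key_type, "key_bits": key_bits}


if __name__ == "__main__":
    for rec in (QUESTION_RECORD, QUESTION_RECORD.replace("k=rsa-sha256", "k=rsa")):
        print(check_dkim_record(rec))
```

On the record from the question the k= problem is reported; with k=rsa the key parses, but it turns out to be a 768-bit RSA key, which the size check also flags.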


Monday, November 25, 2019

Unable to run php script with nginx



I installed nginx on my Lubuntu 13.04 32 bit using:




sudo apt-get install php5-fpm
sudo apt-get install mercurial libpcre3-dev libssl-dev
hg clone -r stable-1.4 http://hg.nginx.org/nginx nginx
cd nginx
auto/configure --with-http_ssl_module
make
sudo make install



After it I disabled apache:



sudo kill $(pidof apache2)
sudo update-rc.d -f apache2 remove


and I edited the nginx.conf, that now is:



worker_processes  1;


events
{
worker_connections 1024;
}


http
{
include mime.types;
default_type application/octet-stream;

sendfile on;
keepalive_timeout 65;

server
{
listen 80;
server_name localhost;
index index.html index.php;

location /

{
root html;
index index.html index.php;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$
{
root html;

fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}

error_page 500 502 503 504 /50x.html;
location = /50x.html
{
root html;

}
}
}


So I started nginx, I wrote a test.php script inside the html directory with only



    <?php echo 'OK!';



and I opened it inside the browser, but it doesn't work. The error is:




[error] 2886#0: *1 connect() failed (111: Connection refused) while
connecting to upstream, client: 127.0.0.1, server: localhost, request:
"GET /test.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host:
"localhost"





php5-fpm seems to be already started, since if I try sudo php5-fpm, I get this error:



ERROR: An another FPM instance seems to already listen on /var/run/php5-fpm.sock

Answer



Your PHP-FPM installation is set up to use sockets and not TCP.



Change this line:



fastcgi_pass 127.0.0.1:9000;




To: fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;



Alternatively you can modify your nginx.conf file's listen = to use a port instead of the socket.
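A check that reproduces the answer's diagnosis mechanically, as an added example that is not part of the question or answer: it normalises nginx's fastcgi_pass and php-fpm's listen= to one form and compares them, and fixed_nginx_conf() applies the answer's fix. The snippets are constructed: the location block from the question and a pool file listening on the socket named in the php-fpm error message.

```python
"""Check that nginx's fastcgi_pass and php-fpm's listen= name the same endpoint.

Added example, not part of the question or answer. Both files are read as
plain text, so it works without nginx or php-fpm installed.
"""
import re

NGINX_LOCATION = """\
location ~ \\.php$
{
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
"""

FPM_POOL = """\
[www]
user = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
"""


def normalise_endpoint(value):
    """Map either program's syntax to ('unix', path) or ('tcp', host, port)."""
    value = value.strip()
    if value.startswith("unix:"):            # nginx syntax for a socket
        return ("unix", value[len("unix:"):])
    if value.startswith("/"):                # php-fpm writes the bare path
        return ("unix", value)
    host, _, port = value.rpartition(":")
    if not host:                             # php-fpm allows "listen = 9000"
        host = "127.0.0.1"
    return ("tcp", host, int(port))


def parse_fastcgi_pass(nginx_conf):
    m = re.search(r"^\s*fastcgi_pass\s+([^;]+);", nginx_conf, re.M)
    return normalise_endpoint(m.group(1)) if m else None


def parse_fpm_listen(pool_conf):
    # "listen =" only; listen.owner / listen.mode do not match because of the dot
    m = re.search(r"^\s*listen\s*=\s*(.+?)\s*$", pool_conf, re.M)
    return normalise_endpoint(m.group(1)) if m else None


def describe(endpoint):
    if endpoint[0] == "unix":
        return f"unix socket {endpoint[1]}"
    return f"tcp {endpoint[1]}:{endpoint[2]}"


def check_upstream(nginx_conf, pool_conf):
    """Return a list of findings; an empty list means the two sides agree."""
    upstream = parse_fastcgi_pass(nginx_conf)
    listen = parse_fpm_listen(pool_conf)
    if upstream is None or listen is None:
        return ["could not find fastcgi_pass (nginx) or listen= (php-fpm pool)"]
    findings = []
    if upstream != listen:
        findings.append(f"nginx dials {describe(upstream)} but php-fpm listens on {describe(listen)}")
    # A second trap in the same block: the stock '/scripts' prefix is a placeholder, so once
    # php-fpm is reachable it would be asked to run /scripts/test.php, which does not exist.
    if re.search(r"SCRIPT_FILENAME\s+/scripts\$fastcgi_script_name", nginx_conf):
        findings.append("SCRIPT_FILENAME uses the stock /scripts prefix; use $document_root$fastcgi_script_name")
    return findings


def fixed_nginx_conf(nginx_conf, pool_conf):
    """Rewrite fastcgi_pass to match php-fpm's listen= (what the answer recommends)."""
    listen = parse_fpm_listen(pool_conf)
    target = f"unix:{listen[1]}" if listen[0] == "unix" else f"{listen[1]}:{listen[2]}"
    return re.sub(r"(fastcgi_pass\s+)[^;]+;", lambda m: f"{m.group(1)}{target};", nginx_conf)


if __name__ == "__main__":
    for finding in check_upstream(NGINX_LOCATION, FPM_POOL):
        print("-", finding)
    print(fixed_nginx_conf(NGINX_LOCATION, FPM_POOL))
```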


linux - Restarting Network through SSH

On server A, I want to issue the following commands to Server B through ssh.




service network stop
sleep 5
service network start


The problem is that because I issued a network 'stop', my current ssh connection is lost as well. Therefore I cannot execute the succeeding commands (sleep 5 and service network start). Note that I cannot use (service network restart).



Does anyone have a workaround / solution for this?

Saturday, November 23, 2019

centos - NFS files and directories created with wrong permissions from MacOS client

I have a simple NFS share setup on CentOS 7 to allow my Mac to manage files in the /var/www/html directory:



/var/www/html 192.168.1.107(all_squash,anonuid=1000,anongid=1001,rw,sync)



Files and directories are created with the correct UID and GID, but the wrong umask:




-rw-r--r-- 1 1000 1001 41 Jul  1 15:05 index.html
drwxr-xr-x 2 1000 1001 6 Jul 1 15:04 test_dir


I need the permissions to be 664 and 775 respectively.



I have set the umask for the user (GID 1000) to "umask 000" for testing in .bashrc



When I log in as that user and touch a file in that directory I get 666 permissions.




This is the mount command I'm using on the Mac:



sudo mount -t nfs -o resvport,rw,vers=4 www:/var/www/html /mnt/www


(www is the name of the CentOS server)



I have completely disabled SELinux on this server and verified that it is not enabled.

Thursday, November 21, 2019

Intermittent 5.7.1 email bounce to Exchange 2007



My knowledge of Exchange isn't particularly great, so excuse me if some of the terminology I use isn't quite right. I'm primarily a web developer who's now responsible for a small business's network.



We have a server running SBS 2008 and Exchange 2007. Generally, everything works well, emails are able to be sent to both internal and external domains without issue. We've only got ~20 users, Exchange is sitting on a single server.




I use SendGrid to send emails generated by our externally hosted website to users in the office. Primarily, order notifications are sent to orders@somedomain.com.
Without any pattern and less than once per week on average, an email to orders@somedomain.com will bounce back, and the logs on SendGrid detail the following error:



550 5.7.1 Unable to relay for orders@somedomain.com


Either side of that failed delivery attempt, I'm able to send and receive emails to/from orders@somedomain.com.



Having done some research, incorrect reverse DNS seems like it could be a cause of intermittent bounces like this. Having used nslookup, I have found that the reverse DNS doesn't map like it should, e.g.




Office IP: 135.325.351.123 (made up IP, for example only)
Domain: office.somedomain.com (made up, for example only)
Reverse DNS: somedomain.gotadsl.co.uk (half made up)



Could this be a cause? I'm sure that the IP address and the domain should map to each other.



Also, it has been suggested to me that as the Exchange server is on a network with an ADSL connection, that could be a potential cause as the connection "goes up and down all day long". I don't have an opinion on this, as I don't have enough knowledge of Exchange/ADSL to form a reliable opinion.



Can anyone offer any insight as to whether one or both are actually potential causes, or if there is another possible cause?


Answer



Both comments led to me finding the solution. Yes, the ADSL will cause me issues, and I did have a faulty MX record set up for a backup mail server, which has since had its IP changed. The answer for my scenario is to use a backup mail server to allow emails to still be delivered to the domains I manage even when my internal server cannot be reached (due to the ADSL connection). This backup mail server will be external, and will be a paid-for service (e.g. MxSave with an SLA).



email - DNSBL listed at zen.spamhaus.org - cant get outgoing mail working? Am I interpreting the response correctly?



I have a problem with a mail server and there is something I kind of don't understand!



I can connect, authenticate, specify the sender address - but when specifying the receiver I get an error 550 which looks like so:



RCPT TO:joehopf@gmail.com

550-DNSBL listed at zen.spamhaus.org
550 http://www.spamhaus.org/query/bl?ip=62.178.15.161


Now the strange thing is that 62.178.15.161 is my local client address. Not the server's IP address.



Also the error code 550 seems to be defined as so:



550 Requested action not taken: mailbox unavailable



To me that makes no sense at all. Why this error code with this spamhaus message? Why the local IP address and not the server's?



There is exim running and there is nothing turning up in the logs mail.err mail.info mail.log mail.warn in /var/log



I looked up both the server's and the client's IP address on blacklists. The client's IP address is listed on some (as expected), but the server is totally clean.



Here is the complete telnet log when I reproduced the error. Mail clients like Evolution and Thunderbird give me the same spamhaus error message.



joe@joe-desktop:~$ telnet mail.hunsynth.org 25

Trying 193.164.132.42...
Connected to mail.hunsynth.org.
Escape character is '^]'.
220 hunsynth.org ESMTP Exim 4.69 Sat, 01 Jan 2011 17:52:45 +0100
HELP
214-Commands supported:
214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
EHLO AUTH
250-hunsynth.org Hello chello062178015161.6.11.univie.teleweb.at [62.178.15.161]
250-SIZE 52428800

250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdEBodW5zeW50aC5vcmc=
334 UGFzc3dvcmQ6
*****
235 Authentication succeeded

MAIL FROM:test@hunsynth.org
250 OK
RCPT TO:joehopf@gmail.com
550-DNSBL listed at zen.spamhaus.org
550 http://www.spamhaus.org/query/bl?ip=62.178.15.161
quit
221 hunsynth.org closing connection
Connection closed by foreign host.
joe@joe-desktop:~$



Update:



I tried the same thing from my other server and could successfully send an email.



So it really looks like the server does check whether the IP which establishes the connection is on some blacklist.



This is theoretically a good thing - but - the authentication on the server should prevent that? Or shouldn't it?



Well I just think it would be absurd if I couldn't send email over my smtp server from my dynamic ISP connection because the dynamic IP is listed, although I have a clean server with login?



Answer



Okay, I think I kind of figured it out.



I had to add the rule:



accept
authenticated = *


to the top of /etc/exim4/vexim-acl-check-rcpt.conf



Tuesday, November 19, 2019

ip address - Connect by SSH to a certain device knowing public and private IP addresses?

I want to connect to a computer which is always on at home from anywhere.



Suppose my router has the static public IP of 1.2.3.4 and a netmask of 255.255.255.0.




As far as I'm concerned, every computer connected to it will have the same public IP address. But I want to connect to a specific device connected to it, suppose it has the private IP of 192.168.0.10 and the private IP of the access point is 192.168.0.0.



An SSH server is already installed and port 22 is open on the computer. The router is also configured to be able to receive connections from the outside world.



Should I just do



ssh -p 22 username@1.2.3.4



Doesn't this method send an ssh connection request to all computers connected to the router? What if two computers share a username? Can't I just connect to one specific device?



Sorry if this a stupid question, I'm starting to learn about computer networking.

apache 2.2 - index.php not automatically read by localhost



I just installed Apache, php and MySQL manually in windows 8. It works fine




but the problem is when I try to open the directory in the browser it auto opens index.html but not index.php



for ex: I have the following folder structure



htdocs->folder1->index.php



if I access "localhost/folder1/index.php" it loads fine, but if I access "localhost/folder1" then it will show all the files and folders in that folder.



Is there any way I can make localhost open index.php automatically and not show the files inside that folder?


Answer




Check that the DirectoryIndex directive is set correctly in your apache configuration file, e.g.



DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm


Monday, November 18, 2019

apache 2.2 - Can't start apache2 on Debian Squeeze

I installed apache with apt-get install apache2 then tried wget localhost and got:



--2012-09-21 23:12:29--  http://localhost/

Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... failed: Connection refused


Then I tried /etc/init.d/apache2 status and sure enough, apache2 wasn't running but it still wouldn't start the service if I do /etc/init.d/apache2 start.



Any help is appreciated!

Sunday, November 17, 2019

active directory - RDP presents Self-Signed certificate instead of Certificate Authority's one

A few days ago I witnessed a strange problem within my domain:




  • During RDP connection I see warnings about certificate being not trusted (and I see self-signed certificate, not issued by domain CA)


  • I can no longer connect by RDP to servers with enabled NLA (Network Layer Authentication).





This problem is omnipresent - I experience it on different workstations and on different servers, including Windows Server 2012R2|2008R2, Windows 7 and Windows 10.



About CA infrastructure: one offline Root CA and one Domain Level Issuing CA. pkiview.msc says everything is OK: both Root and Issuer have valid Certificates, CDP's, IAI's and DeltaCRL's (issuer only). I've updated Root CRLs and republished them in AD because I thought that might be the case but no luck.



Custom Certificate Template with Client|Server|RDP Auth still exists and I can confirm that servers in question have such certificates in Personal folder in MMC Certificates Applet (and can request new ones from there), although only self-signed certificate is present in RDP folder.



Using MMC Certificates applet I also see that both Root and Issuer certificates are trusted.



So.. I don't really know what to do and how to fix it, and why it's broken in the first place. Any help is appreciated.




PS. Also some time ago I modified Default Domain GPO enforcing private network IP ranges. Can it be the reason? Anyway, I turned those back to default and no luck either.



UPDATE
Some pics to clarify a bit:



1) Security Warning







2) ...because the server presents a Self-Signed Certificate






3) However we can see proper CA-certificate in Personal storage on server in question






4) In Remote Desktop certificate storage I can see just Self-Signed Cert. I copied proper one there as well, but no effect. And if I delete Self-Signed Cert from there I won't be able to connect to server over RDP at all.







5) Also you can see that my local CAs are trusted by server:






6) And that is the error I get when I try to RDP to NLA-enabled server. So client for some reason can't or won't willingly use CredSSP. It worked a week before so I think it's connected to cert problem.







7) Finally some screens from Issuing CA. It seems to be OK.







Saturday, November 16, 2019

External Azure Active Directory

In Azure, I have invited some external users via their corporate email addresses and they are now visible in our AAD, the source being listed as External Azure Active Directory. I do not know if they had to create a new password when they clicked the link in the email invitation.
My question is this: If we add one of these external users to security groups or apps in Azure and they later on leave their job (and have their email accounts closed), will their access to whatever we have granted them access to be terminated as well?
In other words: Are external accounts in AAD dependent on them being active in their own ADs, or are they merely copied to Azure AD upon invitation (our users' full names as they appear in their email accounts' name field are automatically shown in the same way in our Azure AD) and thus active until we actively remove them or restrict their access?

Thursday, November 14, 2019

iis 6 - ISA Server 2006 SSL Certificate Dilemma




I'm making some great headway in offering our services over https with help from a Go Daddy certificate, later to be upgraded to Thawte SSL123 certs. But, I've just run into one whopper of a problem.



Here's my setup: I run an ISA 2006 firewall. Our web services are distributed over 2 servers. One is Windows 2000 (www.domain.com) and the other is Windows 2003 (services.domain.com). So, I'll need to purchase 2 certs for both www and services, import them into IIS6 on their respective machines, then export them with the primary key (making sure to Include all certificates in the certification path if possible... that had me stumped for a while), and then to finally import them into ISA's local computer Personal store. The problem I've just run into is that I have separate firewall rules for services.domain.com and www.domain.com... because requests need to be forwarded to different web servers. Each of these firewall rules uses the same httplistener. I have just found out that you can only use 1 certificate per httplistener. To make matters worse you can only have a single httplistener per ip / port. Is this correct? I can only use a single certificate for a single ip address? This would seem to be a severe limitation. Am I wrong? If I'm not then I've got a whole lot more work ahead of me as I'll have to set up extra ip's, add them to the firewall's network interface, create new listeners using that ip, etc...



Can someone please confirm that I'm doing this correctly / incorrectly? Once I got my head wrapped around it all it seemed easy... then this.



Thanks in advance.



Edit: To explain what I believe I have to do now is: set up www.domain.com to use one ip address and set services.domain.com to use another ip address. Then create separate httplisteners (well... create one because one already exists) for each. One with the www cert installed, the other with the services cert installed. How does this sound?


Answer




I didn't think you had to specify an IP address for a weblistener, which would force it to use host headers and perform your mapping that way.



Otherwise, you might want to think about a wildcard certificate (*.domain.com)


Wednesday, November 13, 2019

cluster - Clustering on cloud/VPS providers

I'm wondering if anyone can give some clustering recommendations to me. I'm currently on Linode, which I'm impressed and happy with, but they (along with just about every other VPS provider I know of) don't allow broadcast/multicast addressing, only unicast.



The tools I've been trying to set up for failover (keepalived / wackamole+spread) only work over multicast, as far as I know. If I'm wrong, please let me know and point me to an example configuration.



I've now read that Heartbeat can use unicast, but that it does it over multicast protocol. Not sure if this will work or not, and I'd like opinions before I try to spend more time installing it.



My ultimate goal is to have N servers share N ip addresses, and if one server goes down, server A takes its IP, if another server goes down, server B takes its IP, etc. From what I've read wackamole is the best option for this, but I just can't get spread to work on Linode.




Has anyone successfully set up clustering/failover on a VPS/cloud provider (without multicast)? I'd really appreciate some pointers and advice.

centos - Ensure PPTP / OpenVPN clients cannot interact with each other?

How can one ensure that PPTP / OpenVPN will not allow clients connected to the tunnels to interact with each other?



I never enabled bridging and enabled the following in iptables



iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

systemd, logrotate and PID-files




I'm packaging some daemon for debian 8 and systemd.



The daemon can create a PID-file by itself, but it has no permission to write into /run because it runs as a non-root user. It used to create the PID-file via the old sysV init-script, but that doesn't work on systemd.



I can use a workaround in the service-file like this:



Environment="PIDDIR=/var/run/mydaemon"
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p $PIDDIR

ExecStartPre=/bin/chown -R mydaemon. $PIDDIR


But it doesn't look right.



I can use /tmp as $PIDDIR, but it also seems wrong.



Actually the only reason I need a PID-file is logrotate's postrotate sending SIGUSR1 to the daemon:



[ -s /run/mydaemon.pid ] && kill -USR1 `cat /run/mydaemon.pid`



It's also possible to search for the daemon's pid with pgrep, but it seems to be unreliable.



copytruncate in logrotate seems to be not the best option because of the risk of losing some part of the log.



So, what is the right way to manage PID-files via systemd?



And is there a way to send random signals to daemons via systemd?


Answer




Systemd has a dedicated mechanism to create temporary directories and files: systemd-tmpfiles and tmpfiles.d



In short have your package drop a file /usr/lib/tmpfiles.d/mydaemon.conf :



#Type Path          Mode UID      GID    Age Argument
d     /run/mydaemon 0755 mydaemon daemon -   -

Monday, November 11, 2019

Which one is better for my CentOS? Hardware RAID using Dell PERC 6 or Software RAID?

I would like to setup RAID 0 for my Dell 2900 server. Which one is better, using hardware RAID (using installed Dell PERC 6 controller) or software RAID? The RAID 0 is for database.

Sunday, November 10, 2019

apache 2.2 - Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)



I need a static IP address that handles SSL traffic from a known source (a partner). The reason the IP needs to be static is that the partner requires this in order to maintain the PCI compliance.



Our servers are behind an AWS Elastic Load Balancer (ELB), which cannot provide a static IP address; many threads about this here.



My thought is to create an instance in EC2 whose sole purpose in life is to be a reverse proxy server having its own IP address; accepting HTTPS requests and forwarding them to the load balancer.




Are there better solutions?


Answer



In the end, I implemented the requirement of our partner as follows:




  • launch an instance in AWS

  • allocate and attach an Elastic IP (EIP) to it

  • Installed Apache

  • (in our case, installed our SSL certificate)

  • Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB




Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a block that accepts requests only from their IP range.




# Catch non-SSL requests and redirect to SSL
# OUR-EIP stands for the Elastic IP address (the post does not give the real value)
<VirtualHost OUR-EIP:80>
ServerName our-static-ip-a-record.example.com
Redirect / https://our-elb-cname.example.com
</VirtualHost>

# Handle SSL requests on the static IP
<VirtualHost OUR-EIP:443>
ServerAdmin monitor@example.com
ServerName our-static-ip-a-record.example.com

# SSL Configuration
SSLEngine on
SSLProxyEngine on
SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
# Additional defaults, e.g. ciphers, defined in apache's ssl.conf

# Where the magic happens
ProxyPass / https://our-elb-cname.example.com/
ProxyPassReverse / https://our-elb-cname.example.com/

# Might want this on; sets X-Forwarded-For and other useful headers
ProxyVia off

# This came from an example I found online, handles broken connections from IE
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>





Hope this saves someone else some time in the future :-)


Saturday, November 9, 2019

OpenLDAP using ipv6 link-local address "Can't contact LDAP Server (-1)"



I'm trying to use IPv6 to connect to my LDAP server. Everything works if I use IPv4 but not with an IPv6 link-local address. I used the following command on my server using its own IPv6 address. Any clue what I'm doing wrong? I can use ping6 to ping the server from the client and the client from the server.



ldapsearch -D "user" -H "ldap://[fe80:20c:29ff:fefd:deea]" -W returns Can't contact LDAP Server (-1)




Thanks


Answer



Your IPv6 address is incomplete. You forgot the scope ID, which appears as a % followed by the relevant interface ID.
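A helper that checks such a URI and adds the missing scope ID, as an added example that is not part of the question or answer. A link-local address (fe80::/10) identifies a host only relative to one interface, so the kernel cannot route to it without "%<interface>" after the address; the function parses the bracketed host, reports what is wrong and, given the interface name, returns the corrected URI in the form the answer describes. The interface name eth0 and the full address in the sample are assumptions.

```python
"""Check an ldap:// URI that carries an IPv6 literal and supply a missing scope ID.

Added example, not part of the question or answer.
"""
import ipaddress
import re

URI_RE = re.compile(
    r"^(?P<scheme>ldaps?)://\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?(?P<rest>/.*)?$"
)


def check_ldap_ipv6_uri(uri, interface=None):
    """Return (problems, usable_uri); usable_uri is None when the URI cannot be repaired."""
    m = URI_RE.match(uri.strip())
    if not m:
        return (["not an ldap://[ipv6-literal] URI (check scheme, brackets and quotes)"], None)
    # The scope ID, if any, follows a '%' inside the brackets, as the answer says.
    addr_text, _, scope = m["host"].partition("%")
    try:
        addr = ipaddress.IPv6Address(addr_text)   # the question's 5-group literal fails here
    except ValueError:
        return ([f"{addr_text!r} is not a valid IPv6 address"], None)
    problems = []
    if addr.is_link_local and not scope:
        problems.append("link-local address without a scope ID (%interface)")
        if interface is None:
            return (problems, None)              # nothing to repair it with
        scope = interface                        # assumed interface name supplied by the caller
    elif scope and not addr.is_link_local:
        problems.append("scope ID is not needed for a non-link-local address; dropped")
        scope = ""
    host = addr.compressed + (f"%{scope}" if scope else "")
    port = f":{m['port']}" if m["port"] else ""
    return (problems, f"{m['scheme']}://[{host}]{port}{m['rest'] or ''}")


if __name__ == "__main__":
    for candidate in (
        "ldap://[fe80:20c:29ff:fefd:deea]",        # literal from the question
        "ldap://[fe80::20c:29ff:fefd:deea]",       # constructed: a valid link-local address
        "ldap://[fe80::20c:29ff:fefd:deea%eth0]",  # constructed: with scope ID
    ):
        print(candidate, "->", check_ldap_ipv6_uri(candidate, interface="eth0"))
```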


Friday, November 8, 2019

What does the email header "X-CAA-SPAM" refer to?

I've got an application that sends out notification emails to users of the application (this is not spam; the information in these emails is solicited and useful, and is also a feature turned off by default and must be enabled by the user). The app is still in beta, and one of our testers reports that the notification emails are going to his junk mail folder in Outlook 2003. This is the only reported case of this, but I asked him to send me the email headers from the message, and I noticed that there is a header there labeled "X-CAA-SPAM" with a value of 00000 .



I'm a programmer, so I'm fairly green in the world of successful automated emails - does anyone know if this header is the culprit? If not, any suggestions?

Thursday, November 7, 2019

nat - Apache presents wrong certificate when accessed via load balancer

I've got a server that has two SSL certificates set up, one for internal access where it is accessed along the lines of host.my-local.net and other for external access where it is accessed similar to 185.185.185.185 (this is not the actual IP address, but it is an IP address as there is no host name assigned to it). When accessed via the external address, the connection is going through a load balancer / firewall which I don't have any access to, all I know is that it translates incoming connections on a specific port into the internal address on the SSL port.



The problem is, when an external connection comes in, I get browser warning that the site is masquerading as host.my-local.net; it is presenting the certificate for host.my-local.net instead of 185.185.185.185. I have a virtual host set up for both names in my apache2 config file, so I assume that for some reason the server is having trouble distinguishing between an external connection and a LAN connection. I haven't had this problem with a simple NAT, so I don't know why it would make a difference if the load balancer is making the request look like it's coming from the LAN instead of internally.



I have verified that the browser I am using supports SNI (Google Chrome) and Apache 2.4 apparently supports it out of the box without requiring the NameVirtualHost directive. However, the documentation says:




In 2.3.11 and later, any time an IP address and port combination is used in 
multiple virtual hosts, name-based virtual hosting is automatically enabled
for that address.


However, it's not the same IP address used in the two different virtual hosts, one is the internal (LAN) IP address and one is the external (world visible) IP address, so does that apply here?



To clarify my configuration, I have two virtual hosts set up, like so:





# here i specify the certificate for 185.185.185.185, e.g.
SSLCertificateFile /etc/ssl/private/185.185.185.185.crt


# here i specify the certificate for host.my-local.net, e.g.
SSLCertificateFile /etc/ssl/private/host.my-local.net.crt
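A small model of Apache's virtual-host selection that explains why the LAN certificate appears, as an added example that is not from the question. Apache keeps the vhosts whose address matches the local IP:port the connection arrived on (an explicit address beats a "*" wildcard), then matches the client's SNI name against ServerName and ServerAlias; with no SNI, or no match, the first vhost defined for that address is the default. Browsers send no SNI when the URL host is an IP literal (RFC 6066 does not allow one there), and the load balancer delivers the connection to the LAN address, so Apache sees neither the public IP nor a name. The LAN address 10.0.0.5 and the certificate file names are constructed.

```python
"""Model which <VirtualHost>, and therefore which certificate, Apache serves a TLS client.

Added example, not from the question; the selection rules follow Apache's
name-based virtual host documentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    address: str          # address part of <VirtualHost addr:port>; "*" matches any
    port: int
    server_name: str
    cert: str
    aliases: tuple = ()


def select_vhost(vhosts, local_ip, local_port, sni=None):
    """Return the VHost whose certificate Apache presents, or None if nothing listens there."""
    candidates = [v for v in vhosts if v.port == local_port and v.address in ("*", local_ip)]
    explicit = [v for v in candidates if v.address != "*"]
    candidates = explicit or candidates          # explicit address wins over the wildcard
    if not candidates:
        return None
    if sni:
        wanted = sni.lower()
        for v in candidates:
            if wanted == v.server_name.lower() or wanted in (a.lower() for a in v.aliases):
                return v
    return candidates[0]                           # default vhost for this address


LAN_IP, PUBLIC_IP = "10.0.0.5", "185.185.185.185"   # LAN address is constructed
INTERNAL = VHost("*", 443, "host.my-local.net", "host.my-local.net.crt")
EXTERNAL_BY_IP = VHost(PUBLIC_IP, 443, PUBLIC_IP, "185.185.185.185.crt")
EXTERNAL_WILDCARD = VHost("*", 443, PUBLIC_IP, "185.185.185.185.crt")

# Layout 1: the external vhost is bound to the public IP, which never appears as the
# local address behind the load balancer, so the internal vhost is the only candidate.
LAYOUT_PUBLIC_IP_BOUND = [INTERNAL, EXTERNAL_BY_IP]
# Layout 2: both on *:443 with the internal one first; with no SNI the first one wins.
LAYOUT_WILDCARD_INTERNAL_FIRST = [INTERNAL, EXTERNAL_WILDCARD]
# Layout 3: the IP-address vhost first is the default for SNI-less clients, while LAN
# users who type the host name still reach the internal vhost through SNI.
LAYOUT_WILDCARD_EXTERNAL_FIRST = [EXTERNAL_WILDCARD, INTERNAL]


def cert_seen_by(layout, sni=None):
    """Certificate a client receives; every connection reaches Apache on the LAN address."""
    chosen = select_vhost(layout, LAN_IP, 443, sni)
    return chosen.cert if chosen else None


if __name__ == "__main__":
    for name, layout in (("public-IP-bound", LAYOUT_PUBLIC_IP_BOUND),
                         ("wildcard, internal first", LAYOUT_WILDCARD_INTERNAL_FIRST),
                         ("wildcard, external first", LAYOUT_WILDCARD_EXTERNAL_FIRST)):
        print(f"{name}: by IP -> {cert_seen_by(layout)}, "
              f"by name -> {cert_seen_by(layout, sni='host.my-local.net')}")
```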

How to properly use rsync Push with SSH on local macOS to remote Debian



I've been trying to get rsync working for a couple of hours now, but haven't had much luck 😣. I have a Digital Ocean droplet that I would like to send a file via rsync using SSH.



local rsync running on macOS 10.12.6 installed via homebrew
rsync version 3.1.2 protocol version 31




remote rsync running on Debian 8.x installed via apt
rsync version 3.1.1 protocol version 31



I am trying to send a single file from the local macOS box to the remote Debian box (Digital Ocean droplet)
The command I am issuing locally in Terminal on macOS
$ rsync -avvvv -e "ssh -p $SSH_PORT_# -v" dummy $USER@example.com:/home/$USER/www/



Some tidbits,
1) dummy is a single 10MB file on my local system.
2) I can successfully ssh into the remote Digital Ocean droplet with the below command: $ ssh nathan
2.1) I have a "config" file in /Users/$USER/.ssh/
2.2) The contents of the /Users/$USER/.ssh/config



Host nathan
HostName $REMOTE_IP_ADDRESS i.e. 1.2.3.4
User $REMOTE_USERNAME chris
port $SSH_PORT_# 4242
IdentityFile /Users/$USER/.ssh/id_rsa




3) I can also ssh into the remote Digital Ocean droplet with the below command
$ ssh -l $USER -p 4242 $REMOTE_USERNAME example.com



Some output from running the above rsync command,
opening connection using: ssh -p 4242 -v -l $USER example.com rsync --server -vvvvlogDtpre.iLsfxC . /home/$USER/www/ (12 args)
msg checking charset: UTF-8
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/$USER/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to example.com [1.2.3.4] port 4242.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u4
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to example.com:4242 as '$USER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:REMOVED_KEY
debug1: Host '[example.com]:4242' is known and matches the ECDSA host key.
debug1: Found key in /Users/$USER/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/$USER/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to example.com ([1.2.3.4]:4242).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending command: rsync --server -vvvvlogDtpre.iLsfxC --log-format=%i . /home/$USER/www/
(Client) Protocol versions: remote=31, negotiated=31



And this is as far as I can get using the above rsync command 😭. If you have any thoughts / suggestions I'd sure love ❤️ to hear them.



cheers 🍺
Chris


Answer



TLDR; The issue was related to my config.fish file.




How I ended up coming to a resolution.



I decided for a sanity check to create a new user on both machines and test rsync / scp with the newly created user account. Lo and behold, both ended up working.



Things I ended up trying, rebooting the remote box, starting up sshd in single user mode by passing the -vvvv flag, sifting through the log and seeing nothing related to a file being sent improperly.



The only other computer I have access to locally is a RasPi, so I tried scp / rsync locally to the RasPi, which ended up working, so I deduced it had something to do with a configuration file on the server.
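As an added diagnostic, not part of the answer: a shell startup file that writes to stdout in a non-interactive session, which is the usual way a config.fish breaks rsync, puts stray bytes in front of rsync's protocol stream and the transfer stalls. This Python helper runs a silent remote command and reports anything that leaks; the ssh host alias and port are assumptions taken from the question.

```python
"""Added example (not part of the answer): detect a remote login shell that
prints to stdout in a non-interactive session, which corrupts the rsync/scp
protocol stream. The ssh alias and port used in diagnose() are assumptions."""
import subprocess


def shell_is_clean(command, timeout=30):
    """Run `command` with stdout captured and report whether it stayed empty.
    Returns (clean, leaked_bytes). With a no-output command such as `true`,
    any bytes that come back were printed by the remote shell's startup
    files (config.fish, .bashrc, an MOTD echo), not by the command."""
    proc = subprocess.run(command, capture_output=True, timeout=timeout,
                          check=False)
    if proc.returncode != 0:
        raise RuntimeError("command failed: %s"
                           % proc.stderr.decode(errors="replace").strip())
    return proc.stdout == b"", proc.stdout


def diagnose(ssh_args, host):
    """Assumed invocation: ssh -p 4242 nathan true, using the Host alias
    from the question's ~/.ssh/config."""
    clean, leaked = shell_is_clean(["ssh", *ssh_args, host, "true"])
    if clean:
        return "remote shell is clean; rsync over ssh should work"
    return ("remote shell leaks %d byte(s) into stdout: %r"
            % (len(leaked), leaked[:80]))


if __name__ == "__main__":
    print(diagnose(["-p", "4242"], "nathan"))
```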


Wednesday, November 6, 2019

virtualization - Slow http response time from vm

I am currently hosting a test website under an 8 vCPU, 2 GB RAM virtual machine using nginx and php-fpm; the host machine is hosting other virtual machines doing the same thing, with a 10 Gbps network interface. During my stress test, after 50 users requesting concurrently, my test website's response time rises from 800-900 ms normally to around 2 seconds. After this test I tried to increase the virtual machine's RAM to 6 GB but there was no change in the response time at all. What could be causing this?

Monday, November 4, 2019

apache 2.2 - HTTPS is over 50 times slower than HTTP



I have a website that uses https to transmit a javascript file to the client. The website is getsimpleapps.com.



It turns out that this file is loading 52 times slower with https (20.08s - 29.08s) than with http (380ms).



The homepage of the site shares the same slowness as the javascript file.






I've recently switched over from dreamhost to linode, and hacked at getting SSL to work on the new server until it did. I didn't do any crazy configuring.



The linode is running Ubuntu 12.04 and the site is on top of a (LAMP) stack.



My question to the stack overflow community is: How do I go about fixing SSL & HTTPS on my server? I know that stack overflow is littered with questions regarding the slowness of HTTPS but no real solutions are given. An Ubuntu tutorial or configuration guide would be ideal.







file : /etc/apache2/sites-enabled/getsimpleapps.com




ServerAdmin admin@getsimpleapps.com
ServerName getsimpleapps.com
ServerAlias www.getsimpleapps.com
DocumentRoot /srv/sites/getsimpleapps.com/public/
ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined




SSLEngine On
#SSLCertificateFile /etc/apache2/ssl/www.getsimpleapps.com.crt
#SSLCertificateKeyFile /etc/apache2/ssl/www.getsimpleapps.com.key
#SSLCACertificateFile /etc/apache2/ssl/comodo.crt
SSLCertificateFile /etc/apache2/ssl/dreamhost/dh.crt
SSLCertificateKeyFile /etc/apache2/ssl/dreamhost/dh.key
SSLCACertificateFile /etc/apache2/ssl/dreamhost/dh.cer


ServerAdmin admin@getsimpleapps.com
ServerName getsimpleapps.com
ServerAlias www.getsimpleapps.com
DocumentRoot /srv/sites/getsimpleapps.com/public/
ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined







Curl from local workstation



thomas@workstation:~$ time curl -Iv https://getsimpleapps.com/
* About to connect() to getsimpleapps.com port 443 (#0)
* Trying 50.116.58.18... connected
* Connected to getsimpleapps.com (50.116.58.18) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):

* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com

* start date: 2012-02-23 00:00:00 GMT
* expire date: 2013-02-22 23:59:59 GMT
* subjectAltName: getsimpleapps.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: getsimpleapps.com
> Accept: */*
>

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:31:39 GMT
Date: Thu, 02 Aug 2012 20:31:39 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/

< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

<
* Connection #0 to host getsimpleapps.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


real 0m29.078s
user 0m0.018s
sys 0m0.005s


Curl from linode server (via ssh)



thomas@vannevar:~$ time curl -Iv https://getsimpleapps.com/happy-ending/api/script.js?shop=holstee.myshopify.com
* About to connect() to getsimpleapps.com port 443 (#0)
* Trying 50.116.58.18... connected

* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):

* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
* start date: 2012-02-23 00:00:00 GMT
* expire date: 2013-02-22 23:59:59 GMT
* subjectAltName: getsimpleapps.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA

* SSL certificate verify ok.
> HEAD /happy-ending/api/script.js?shop=holstee.myshopify.com HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: getsimpleapps.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:43:30 GMT
Date: Thu, 02 Aug 2012 20:43:30 GMT

< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
< Content-Type: text/javascript
Content-Type: text/javascript
* no chunk, no close, no size. Assume close to signal end


<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

real 0m25.991s
user 0m0.015s
sys 0m0.022s

Answer



Turns out my issue was my keys were from another server. I needed to get a new certificate and set it up with new keys.
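An added check, not the answer's code: before pointing SSLCertificateFile and SSLCertificateKeyFile at a pair of files, confirm the key really belongs to the certificate, using the same OpenSSL check Python performs when it loads a chain. The paths are placeholders and the self-signed sample material is generated with the openssl CLI, which is assumed to be installed.

```python
"""Added example (not the answer's code): confirm that a certificate and a
private key belong together. Paths are placeholders; the self-signed sample
material is generated with the openssl command-line tool, assumed present."""
import os
import ssl
import subprocess
import tempfile


def key_matches_cert(certfile, keyfile):
    """OpenSSL compares the key with the certificate's public key when the
    chain is loaded; Python reports a mismatch as SSLError with reason
    KEY_VALUES_MISMATCH. Any other error (unreadable PEM, wrong passphrase)
    is re-raised so it is not mistaken for a plain mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        if (getattr(exc, "reason", "") == "KEY_VALUES_MISMATCH"
                or "mismatch" in str(exc).lower()):
            return False
        raise
    return True


def make_self_signed(directory, cn):
    """Constructed test material: one fresh RSA key plus a certificate
    signed by it, written as <cn>.crt and <cn>.key in `directory`."""
    cert = os.path.join(directory, cn + ".crt")
    key = os.path.join(directory, cn + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=" + cn],
                   check=True, capture_output=True)
    return cert, key


def demo():
    """Returns (own_key_ok, foreign_key_ok). The second pair mixes one
    host's certificate with another host's key, the situation the answer
    describes; expected result is (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_a, key_a = make_self_signed(tmp, "site.example")
        _cert_b, key_b = make_self_signed(tmp, "old-host.example")
        return key_matches_cert(cert_a, key_a), key_matches_cert(cert_a, key_b)


if __name__ == "__main__":
    print(demo())
```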



domain name system - What is reverse DNS?




I've got a lot of *.in-addr.arpa domain requests in my OpenDNS account. I know this should be normal and it's about reverse DNS.



I've been reading here and there but still I can't really get how it works and why I get so many requests (a higher number than www.google.com). I'd just need someone that, like Einstein suggested, could explain to me what this reverse DNS is used for like he would explain it to his grandmother.


Answer



Reverse DNS is a mapping from an IP address to a DNS name. So it's like DNS, but backwards. If you are assigned IP addresses you have to set up reverse DNS to tell the world what the addresses are used for.



In practice, if you want to know what system is at 216.239.32.10 you design what is called a reverse lookup by reversing the IP address and adding in-addr.arpa to it. So it looks like this: 10.32.239.216.in-addr.arpa. A PTR record should then tell you what system it is. The dig tool automates this with the -x switch.



pehrs$ dig -x 216.239.32.10


; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 216.239.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49177
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;10.32.239.216.in-addr.arpa. IN PTR


;; ANSWER SECTION:
10.32.239.216.in-addr.arpa. 86400 IN PTR ns1.google.com.

;; AUTHORITY SECTION:
32.239.216.in-addr.arpa. 86400 IN NS ns1.google.com.
32.239.216.in-addr.arpa. 86400 IN NS ns2.google.com.
32.239.216.in-addr.arpa. 86400 IN NS ns4.google.com.
32.239.216.in-addr.arpa. 86400 IN NS ns3.google.com.

;; ADDITIONAL SECTION:

ns2.google.com. 205358 IN A 216.239.34.10
ns1.google.com. 205358 IN A 216.239.32.10
ns4.google.com. 205358 IN A 216.239.38.10
ns3.google.com. 205358 IN A 216.239.36.10

;; Query time: 63 msec
;; SERVER: x#53(x)
;; WHEN: Tue Jan 4 13:35:14 2011
;; MSG SIZE rcvd: 204



Notice the PTR record. It tells us that 216.239.32.10 is in fact ns1.google.com.
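As an added example, not part of the answer: building the reverse name by hand (for IPv6 too, which the answer does not cover) and the forward-confirmed reverse DNS check that makes a PTR answer worth trusting, since whoever controls the reverse zone for an address can publish any PTR they like. The resolver functions are injectable; the names and addresses in the test are constructed.

```python
"""Added example (not from the answer): build the in-addr.arpa / ip6.arpa
name a PTR query uses, and run the forward-confirmed reverse DNS (FCrDNS)
check that mail servers and log analysers rely on. Resolver functions can
be injected so the logic runs without network access."""
import ipaddress
import socket


def reverse_name(ip):
    """'216.239.32.10' -> '10.32.239.216.in-addr.arpa'.
    IPv6 is reversed one hex nibble at a time under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def _ptr_via_socket(ip):
    """Default PTR lookup: names the resolver returns for the address."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [name, *aliases]


def _addrs_via_socket(name):
    """Default forward lookup: every address the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def forward_confirmed(ip, lookup_ptr=_ptr_via_socket,
                      lookup_addr=_addrs_via_socket):
    """FCrDNS: at least one PTR name must resolve back to the original
    address. A PTR alone proves nothing about who owns a name; the
    forward step does. Returns (confirmed, ptr_names_seen)."""
    wanted = str(ipaddress.ip_address(ip))
    names = lookup_ptr(wanted)
    for name in names:
        forward = {str(ipaddress.ip_address(a)) for a in lookup_addr(name)}
        if wanted in forward:
            return True, names
    return False, names


if __name__ == "__main__":
    print(reverse_name("216.239.32.10"))
    print(forward_confirmed("216.239.32.10"))
```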


uptime - Update Docker container without downtime



Let's say I have a Docker container with a web server (like Apache 2). Now I want to update the OS under it. This SF answer says the best way is to rebuild the base image and my Apache image. But deploying the image means downtime because I have to delete the old container before I can create the new one, so there is only one container that is binding to port 80/443.



But how can I deploy this update with zero downtime? Should I use a load balancer and use inter-container communication? And how do I update the load balancer?


Answer



The ideal target scenario



Yes, you should use a load balancer and update one instance at a time. I'm not sure where inter-container communication comes in.




As an example, imagine you have a load balancer which serves your site A. Users only connect to it and only know it as "A". The load balancer knows that there are two or more backends (B, C, etc.), and whether they're VMs or containers doesn't matter.



Then, you want to upgrade the backends, which in this case are Apache instances.




  1. take B out of the eligible backends for the load balancer so it's no longer accepting any traffic.

  2. wait for the currently-live requests to be served and existing connections closed.

  3. update the container or underlying VM that serves B

  4. restart B, wait for it to load and start working

  5. test B to make sure it's serving new requests properly


  6. add B back to the load balancer backend pool to re-enable traffic



Then, do the same process for C, D, etc.



Note that there's an open request for in-place upgrades of Docker containers, from Nov 2013, but it doesn't appear to have much progress, so the above solution is what you should do in the meantime.



What to do for an existing live site



Presumably, you're asking this because you're already running a live site in this model and you would like to upgrade it without downtime. So, we need to get to the ideal target state above, but incrementally.




Let's assume that:




  • you have a DNS name pointing to your container

  • your container runs on some IP address

  • your users don't know the container's IP address and it's not hard-coded anywhere



If these assumptions are false, you should first fix it such that this is correct.




Then, follow these steps:




  1. create a load balancer at a new IP and point it at the existing container as its only backend

  2. change DNS to point to the load balancer rather than the container IP directly

  3. add an identical Apache backend with the same VM + container setup

  4. now you have a load balancer with two backends B and C, so follow the directions in the "ideal target scenario" section for upgrading them one at a time




How to update a load balancer



The easy (hosted) way



The easiest option is to not run your own balancer. For example, if you're using a cloud platform which provides load balancing as a service, consider using it and then maintenance and update of the load balancer is not an issue.



The manual way



If you are running your own load balancer, adding another layer of indirection (i.e., DNS) will help. Let's assume the following:





  • that we have a host name resolving to the IP of our load balancer A which we would like to update

  • our load balancer has a backend pool of P1, P2, etc.



We proceed as follows:




  • create a new load balancer B with the new software version

  • add all backend pool instances P1, P2, etc. to our new load balancer B as backends


  • add B's IP address to the DNS resolution along with A




    • now we're effectively using DNS as a load balancer

    • if the entries for A and B are unweighted, they're effectively 50-50

    • now watch to see how B performs, whether there are any errors, etc.

    • if anything is wrong with B, undo as follows:




      1. remove B from the DNS config


      2. wait for the B entry in the DNS to disappear (i.e., wait for TTL to expire)

      3. turn down B



  • assume you've done the "burn-in" test for B and everything is fine

  • update the priority and weight for B in DNS gradually

  • remove A from DNS entirely

  • wait for DNS TTL to expire; A should not be getting any requests anymore

  • turn down A




and you're done.



Details, diagrams, and tooling



See these write-ups and tools that can help you automate the process, but the general idea is the same:





The Moral




"All problems in computer science can be solved by another level of indirection, except of course for the problem of too many indirections." (David Wheeler)
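The rolling update from the "ideal target scenario" as an added example, not code from the answer: drain one backend, wait for in-flight requests, update it, and re-enable it only after a health check, stopping the rollout on the first failure so a bad image never takes the whole pool. The Backend and Pool classes are a simulated balancer interface, not a real API; plug in your own balancer's drain/enable calls.

```python
"""Added example (not from the answer): steps 1-6 of the rolling update,
written against a small simulated load-balancer interface. Backend and
Pool are assumptions standing in for a real balancer and real hosts."""
import time


class Backend:
    """Simulated Apache backend: tracks version, in-flight requests and
    whether it will pass its health check after being updated."""
    def __init__(self, name, version, healthy_after_update=True):
        self.name, self.version = name, version
        self.in_flight = 0
        self.healthy_after_update = healthy_after_update

    def healthy(self):
        return self.healthy_after_update

    def update(self, version):          # step 3 + 4: replace and restart
        self.version = version


class Pool:
    """Simulated balancer: `eligible` is the set receiving new traffic."""
    def __init__(self, backends):
        self.backends = list(backends)
        self.eligible = {b.name for b in backends}

    def drain(self, b):                 # step 1: stop sending new requests
        self.eligible.discard(b.name)

    def enable(self, b):                # step 6: put it back in rotation
        self.eligible.add(b.name)


def wait_idle(b, poll=0.01, timeout=1.0):
    """Step 2: wait (bounded) for in-flight requests to finish."""
    deadline = time.monotonic() + timeout
    while b.in_flight and time.monotonic() < deadline:
        time.sleep(poll)
    return b.in_flight == 0


def rolling_update(pool, version):
    """Update backends one at a time. A backend that fails its post-update
    health check (step 5) stays out of rotation and the rollout stops, so
    the pool never loses more than one backend to a bad build.
    Returns (updated_names, failed_names)."""
    updated, failed = [], []
    for b in pool.backends:
        if len(pool.eligible) < 2:      # never drain the last serving backend
            failed.append(b.name)
            break
        pool.drain(b)
        if not wait_idle(b):
            pool.enable(b)              # still busy: put it back, nothing changed
            failed.append(b.name)
            break
        b.update(version)
        if not b.healthy():
            failed.append(b.name)       # leave it drained and stop the rollout
            break
        pool.enable(b)
        updated.append(b.name)
    return updated, failed
```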


Sunday, November 3, 2019

Configuration for a two machine ESXi cluster using VSA to present local storage to VMs



I'm designing a little vSphere 5 cluster for one of our remote sites. We have some IBM x3650s that have 6x 300GB 10K RPM drives in them, along with dual quad core CPUs and 24GB RAM. Because we use HP P4500 G2s at our primary site, we have licenses available for HP P4000 VSAs. I thought that this would be the perfect opportunity to use them.



Below is a basic drawing of what I want to accomplish:



Drawing




I want to run a P4000 VSA on each server and run them in a Network RAID-10 (Lefthand speak for network mirroring, think of it as RAID 1 across nodes or as an active/active storage cluster). I will then present this storage to guests that will run on this mini-cluster. It will be managed by a vCenter Server on our main site.



All connections will be GbE with two dedicated to storage. Management and Data will share a pair of connections, since I don't expect there to be high load. These servers are just there to provide directory services, dhcp, printing, etc.



Does anyone see anything potentially wrong with this approach? Is this the best way to do this without adding additional dedicated storage heads? Are there any pitfalls in this design, besides the lack of dedicated Data/Mgmt interfaces?


Answer



This looks like a perfectly reasonable design to me. I assume you want to place your virtual machines on data stores on VSA-based HP LeftHand Storage. You have the hardware and networking part covered: using two NICs on vSwitches for your HP LeftHand VSA, the ESXi iSCSI VMkernels and possibly guests which access the HP LeftHand cluster is best practice; I suggest you create resource group reservations for the VSAs according to the user manual.



[Edit] Because I just saw this in the comments to the original question: it is best practice to present RAID-ed storage to the VSA, which is then virtualized and made available in the HP LeftHand Cluster. The RAID level depends on your requirements for capacity, performance and protection. RAID 10 is the way to go for you then. [/Edit]




One thing you need to be careful about is where you place your managers in this HP LeftHand setup. This is very important in a configuration with only two storage nodes! Right now I do not see a HP LeftHand Failover Manager (definitely the preferred option) in your design to maintain quorum in the storage cluster; or are you planning to use the Virtual Manager? Depending on the uplink to your main data center (latency <= 20ms, bandwidth ~100Mbit/s), you might be able to place it in there.



PS: You might also want to make use of Remote Copy to replicate your VMs and data into your main data center; you already have everything which is needed in place to make it work.


linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...