
GPG key adding script for Debian*

*Debian based systems

There might be an easier way, or maybe even an automatic way to do it. I couldn't be bothered to search long enough.

Recently I had to reinstall my system on a clean SSD drive. Some things were copied over, but as Debian had released its new stable (and testing, which is what I use) version, I could install it from scratch. My pain was adding multiple keys, so I semi-automated it with a script.

The steps to reproduce are (dirmngr is the component gpg uses to talk to keyservers):

apt install dirmngr gnupg

The script:

#!/bin/bash

for var in "$@"
do
    echo "Your key is: $var"
    gpg --recv-keys "$var"               # fetch the key from the default keyserver
    gpg --export "$var" | apt-key add -   # add it to apt's trusted keyring
done

$@ passes all parameters to the script; the loop takes each of them in turn as the "var" variable. Two things to keep in mind: gpg --recv-keys accepts whatever identifier you hand it, so pass full 40-character fingerprints rather than short key IDs (short IDs are trivially collidable), and a key added with apt-key add is trusted for every repository on the system (apt-key is deprecated since Debian 11 in favour of per-repository keyrings under /etc/apt/keyrings referenced with signed-by). To use the script you need to:

chmod +x script.sh

and you use it like

./script.sh key1 … keyN

voila’
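The version below is an added example and not the script from the post. It keeps the "one argument per key" idea but takes NAME/FINGERPRINT pairs, refuses anything shorter than a full 40-hex-digit fingerprint, fetches into a scratch GNUPGHOME, confirms that the fingerprint of what the keyserver actually returned matches the one requested, and only then exports it as a per-repository keyring for apt's signed-by option instead of apt-key add. The keyserver, the keyring directory and the names you give the keys are assumptions, not something the post specifies.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: fetch repository signing keys by full
# fingerprint, verify what came back, and store each as its own keyring for
# "deb [signed-by=/etc/apt/keyrings/NAME.gpg] ..." in the sources entry.
# Assumptions (not from the post): the keyserver, KEYRING_DIR and the NAMEs.
set -euo pipefail

KEYSERVER="${KEYSERVER:-hkps://keyserver.ubuntu.com}"
KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"

# normalize_fpr FPR: drop spaces and upper-case, so the spaced form gpg prints
# compares equal to the compact form people copy from web pages.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# is_full_fpr FPR: accept only a 40-hex-digit v4 fingerprint. 8- or 16-digit
# key IDs can be collided by an attacker and are refused.
is_full_fpr() {
  local f
  f="$(normalize_fpr "$1")"
  [ "${#f}" -eq 40 ] || return 1
  case "$f" in
    *[!0-9A-F]*) return 1 ;;
  esac
  return 0
}

# fetched_fpr GNUPGHOME FPR: primary fingerprint gpg reports for the key that
# actually landed in the scratch keyring ("fpr" record, field 10).
fetched_fpr() {
  { gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null || true; } \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# add_repo_key NAME FPR: fetch, compare fingerprints, export to
# KEYRING_DIR/NAME.gpg (binary, world-readable, as apt expects).
add_repo_key() {
  local name="$1" fpr tmp got rc=0
  fpr="$(normalize_fpr "$2")"
  if ! is_full_fpr "$fpr"; then
    echo "refusing '$2' for $name: not a full 40-hex-digit fingerprint" >&2
    return 1
  fi
  tmp="$(mktemp -d)"                      # scratch GNUPGHOME, never the user's keyring
  if gpg --homedir "$tmp" --batch --keyserver "$KEYSERVER" --recv-keys "$fpr" 2>/dev/null; then
    got="$(fetched_fpr "$tmp" "$fpr")"
    if [ "$got" = "$fpr" ]; then
      install -d -m 755 "$KEYRING_DIR"
      gpg --homedir "$tmp" --batch --export "$fpr" > "$KEYRING_DIR/$name.gpg"
      chmod 644 "$KEYRING_DIR/$name.gpg"
      echo "wrote $KEYRING_DIR/$name.gpg; use [signed-by=$KEYRING_DIR/$name.gpg] in the sources entry"
    else
      echo "fingerprint mismatch for $name: wanted $fpr, got ${got:-nothing}" >&2
      rc=1
    fi
  else
    echo "keyserver lookup failed for $fpr ($name)" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: ./addkey.sh NAME FINGERPRINT [NAME FINGERPRINT ...]
if [ "$#" -gt 0 ]; then
  [ $(( $# % 2 )) -eq 0 ] || { echo "usage: $0 NAME FPR [NAME FPR ...]" >&2; exit 2; }
  while [ "$#" -gt 0 ]; do
    add_repo_key "$1" "$2"
    shift 2
  done
fi
```

Run it as root with pairs such as `./addkey.sh myrepo "0123 4567 89AB CDEF ..."`; a short key ID or a keyserver returning a different key makes it stop before anything reaches /etc/apt/keyrings.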


Nginx throttling

Recently I noticed that someone was trying to brute-force the login to one of my services. At that time I had no captcha on the login and no limits on my API, so I had to find a quick way to limit the scale of it. The solution below is not a perfect one, as it does not fix the problem (unlike locking out after unsuccessful logins and adding a captcha); it only slows the brute-force process down.

The idea is fairly simple: a client may send at most 5 requests per minute to an endpoint. The directives come from nginx's ngx_http_limit_req_module.

limit_req_zone $binary_remote_addr zone=login_zone:10m rate=5r/m;

So we create a 10 megabyte zone called login_zone, keyed by client address ($binary_remote_addr; one megabyte holds about 16,000 such states), and allow each address 5 requests per minute. This directive belongs in the http block, not in server or location. It's a login endpoint, so how many times would you like to log in during 1 minute? Two caveats: if nginx sits behind a load balancer or CDN, $binary_remote_addr is the proxy's address and all users share one bucket, so configure the real_ip module (set_real_ip_from, real_ip_header) first; and because the limit is per address, an attacker with many addresses gets the budget once per address, which is why this slows an attack down rather than stopping it.

limit_req_status 429;

If you exceed 5 requests in 1 minute you get a 429 "Too Many Requests" status instead of nginx's default 503 (limit_req_status exists since nginx 1.3.15).

You insert your limit inside the location block it’s meant to work with:

    location /login {
        proxy_cache_use_stale off;
        proxy_cache_lock off;
        client_max_body_size 20m;
        # burst=5 nodelay: 1 + 5 requests pass immediately, the rest get 429
        # until the bucket drains (one request every 12 s at 5r/m)
        limit_req zone=login_zone burst=5 nodelay;

        proxy_pass http://api/login;
    }
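To see what "5r/m burst=5 nodelay" actually hands an attacker, here is an added example (not from the post) that replays nginx's limit_req leaky-bucket arithmetic for one client address in plain bash. It follows the logic of ngx_http_limit_req_module: the rate is kept as milli-requests per second (5r/m becomes 83), a client with no state yet is admitted with an empty bucket, each later request adds 1000 and drains rate × elapsed ms / 1000, and anything that would push the excess above burst × 1000 is rejected without touching the state. The request timestamps are constructed input.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: models nginx's limit_req decision
# for a single client so the budget behind "rate=5r/m burst=5 nodelay" is
# visible. Mirrors ngx_http_limit_req_module's integer arithmetic; the
# timestamps used below are constructed test input.
set -euo pipefail

# simulate_limit_req RATE_PER_MIN BURST T1 T2 ... (request times in ms, ascending)
# Prints one status per request: 200 = passed, 429 = rejected (limit_req_status).
simulate_limit_req() {
  local rate_per_min="$1" burst="$2"; shift 2
  local rate=$(( rate_per_min * 1000 / 60 ))  # nginx stores milli-requests/s: 5r/m -> 83
  local burst_mr=$(( burst * 1000 ))          # burst is kept in the same thousandths
  local excess=0 last=0 first=1 out="" now ms e
  for now in "$@"; do
    if [ "$first" -eq 1 ]; then
      # a client without a state entry is admitted with excess 0
      first=0; last="$now"; out="$out 200"; continue
    fi
    ms=$(( now - last ))
    # bucket drains at 'rate' per second since the last accepted request,
    # then this request adds one whole request (1000)
    e=$(( excess - rate * ms / 1000 + 1000 ))
    [ "$e" -lt 0 ] && e=0
    if [ "$e" -gt "$burst_mr" ]; then
      out="$out 429"                  # rejected: state is left untouched
    else
      excess="$e"; last="$now"        # nodelay: accepted immediately
      out="$out 200"
    fi
  done
  printf '%s\n' "${out# }"
}

# attempts_at_once RATE_PER_MIN BURST: how many simultaneous requests pass
# before the first 429, i.e. the instant per-address budget an attacker gets.
attempts_at_once() {
  local i zeros="" n=0 s
  for i in $(seq 1 $(( $2 + 2 ))); do zeros="$zeros 0"; done
  for s in $(simulate_limit_req "$1" "$2" $zeros); do
    [ "$s" = "200" ] || break
    n=$(( n + 1 ))
  done
  echo "$n"
}

if [ "$#" -ge 3 ]; then
  simulate_limit_req "$@"
else
  echo "8 requests in the same millisecond:   $(simulate_limit_req 5 5 0 0 0 0 0 0 0 0)"
  echo "then one at 12.0 s and one at 12.1 s: $(simulate_limit_req 5 5 0 0 0 0 0 0 12000 12100)"
  echo "instant budget per address: $(attempts_at_once 5 5) attempts"
fi
```

With burst=5 the first six attempts from one address go straight through and the seventh is a 429; because 5r/m is truncated to 83 milli-requests per second, the next attempt is accepted just after 12 seconds, not at exactly 12. Multiply that by the number of source addresses the attacker controls to see why the post calls this "slowing down" and not a fix.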

Thanks,
Wizard

Proxy for yum

Short post, short story. If your server is in a separate network without internet connectivity but there is a proxy server in that network, you can still download packages from the official repos.

In /etc/yum.conf, in the [main] section, add
proxy=https://IP:PORT

Use the scheme the proxy itself speaks; most forward proxies listen on plain http://, and HTTPS repositories are still tunnelled through them with CONNECT. If the proxy needs credentials, proxy_username= and proxy_password= go alongside. Check that it works with yum repolist.

and voila’

Serve error code via Haproxy.

Quest: serve an error code via HAProxy, for testing reasons etc.

1) Create a backend with no server lines. With nothing to forward to, HAProxy answers every request routed there with a 503, and errorfile replaces the built-in body with your own file:
backend error
mode http
log global
option httplog
errorfile 500 /etc/haproxy/errorpages/503.http
errorfile 502 /etc/haproxy/errorpages/503.http
errorfile 503 /etc/haproxy/errorpages/503.http
errorfile 504 /etc/haproxy/errorpages/503.http

2) Create the errorpage:

HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html>
<head>
<title>Title of your site</title>
</head>
<body style="font-family:Arial,Helvetica,sans-serif;">

503 Service Unavailable

</body>
</html>


3) Route the host to it with use_backend:
use_backend error if { hdr(Host) -i bob.com }

4) What's worth considering is adding a "testing" mode for some IPs. Add a new ACL:
acl office_ips src 192.168.1.0/25

5) Change the use_backend to

use_backend error if { hdr(Host) -i bob.com www.bob.com } office_ips

^THIS routes every request for bob.com or www.bob.com (the -i makes the match case-insensitive) that comes from an IP in office_ips to the backend "error" and shows the error page; two conditions on one use_backend line are ANDed, so everyone outside the office keeps seeing the real site. The Host header is supplied by the client, so treat this as a test switch, not as access control.

Redirect sites to the rootfolder without using a new vhost on Nginx.

Map. It's a construct that sets a variable based on the value of another one.
map $http_host $name {
hostnames;

*.bob.com bob;
default bob2;
}

So if your hostname ($http_host) matches *.bob.com then your variable $name is set to bob; otherwise it's set to bob2.
The "hostnames" line, per the nginx documentation, indicates that source values can be hostnames with a prefix or suffix mask; a leading dot, as in .bob.com, matches both bob.com and any subdomain of it.

Real-life example:

You can map the matching domain name to the rootfolder name.

map $http_host $rootpath {
hostnames;

.funnycats.com funny_cats;
.funnydogs.com funny_dogs;

default funny_animals;

}

In the "server" section you can then use the mapped value. The map only ever yields one of the three listed names, so a forged Host header cannot point root anywhere else; this is also why you should never interpolate $http_host (or $host) into root directly:

root /var/www/$rootpath/;

Then reload nginx and check that it works with curl:

curl 127.0.0.1 -H "Host: bork.funnycats.com"

Mind the gap! (haproxy)

HAProxy is awesome software. If you're not sure your config is correct, you can check it with:
haproxy -c -f /path/to/your/config.conf

-c is for check
-f is for file

BUT REMEMBER:

The check won't notice spaces in the wrong place. So...

hdr(Host) and hdr (Host) both pass the HAProxy config check. But the second one won't work (well, it didn't work for me). hdr(Host) is correct (no space between hdr and (Host)).
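Since haproxy -c lets the spaced form through, here is an added example (not from the post) of a small wrapper that lints a config for a fetch name followed by whitespace before its "(", reports the offending lines, and then runs the official check when the haproxy binary is present. It exercises the use_backend rules from the error-page post above as its sample input; the list of fetch names and the sample config are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: catch the "hdr (Host)" pitfall
# that "haproxy -c" accepts but that silently breaks the rule, then run the
# real syntax check. Fetch list and sample config are assumptions.
set -euo pipefail

# lint_fetch_spacing FILE: print "lineno:text" for each line where a fetch
# name is followed by whitespace before its argument list.
lint_fetch_spacing() {
  local fetches='hdr|hdr_beg|hdr_end|hdr_sub|hdr_reg|hdr_cnt|path|path_beg|path_end|path_sub|path_reg|url|url_beg|url_sub|src|dst|req\.hdr|req\.fhdr|req\.cook|res\.hdr'
  grep -nE "(^|[[:space:]{!,])($fetches)[[:space:]]+\(" "$1" || true
}

# count_spacing_issues FILE: number of offending lines (0 means clean).
count_spacing_issues() {
  lint_fetch_spacing "$1" | grep -c . || true
}

# check_config FILE: lint first, then "haproxy -c -f FILE" when the binary is
# installed. Non-zero if the lint found anything, so it can gate a deploy.
check_config() {
  local cfg="$1" n
  n="$(count_spacing_issues "$cfg")"
  if [ "$n" -gt 0 ]; then
    echo "$n rule(s) in $cfg have a space before '(' (haproxy -c will not complain):" >&2
    lint_fetch_spacing "$cfg" >&2
  fi
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "$cfg" || return 1
  else
    echo "haproxy not installed here; skipping 'haproxy -c -f $cfg'" >&2
  fi
  [ "$n" -eq 0 ]
}

# write_sample_cfg FILE: constructed demo input with one good rule (the one
# from the error-page post) and one that has the spacing mistake.
write_sample_cfg() {
  cat > "$1" <<'EOF'
frontend web
    bind *:80
    acl office_ips src 192.168.1.0/25
    use_backend error if { hdr(Host) -i bob.com www.bob.com } office_ips
    use_backend error if { hdr (Host) -i test.bob.com }
EOF
}

if [ "$#" -gt 0 ]; then
  check_config "$1"
else
  demo="$(mktemp)"
  write_sample_cfg "$demo"
  check_config "$demo" || echo "sample config failed the lint, as intended" >&2
  rm -f "$demo"
fi
```

Run it as `./hacheck.sh /etc/haproxy/haproxy.cfg` before a reload; the lint is a regex over known fetch names, so extend the list with whatever fetches your configs use.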

Mad load caused by acpi_pad

If your machine hits a crazy load and your processor is an Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz,
check with top what's wrong. In my case I had a load of 44 without any obvious reason (on a non-production server). The problem was acpi_pad.
Kernel: ~3.10, but Google says it also happens on newer Linux kernels (4.x).

Solution?
Dirty and nasty: rmmod acpi_pad, then blacklist the module so it isn't loaded again on boot:

echo "blacklist acpi_pad" >> /etc/modprobe.d/blacklist-acpi_pad.conf

A nicer, suggested solution that I still have to check: updating the BIOS of the server.

Oh, the issue is not brand-related. Some people have it on Supermicro boards, some on Dell boards. I had it on a Lenovo server.