Keepalived and libvirt MACVTAP network interfaces

Keepalived is a routing software written in C that can be used to setup load balancing and high availiability for Linux machines. NOTE 1: For the sake of simplicity, in this exampe we will consider a cluster of two CentOS Stream virtual machines with firewalld and iptables disabled. NOTE 2: virtualization host is Fedora 33 server with libvirt and qemu/kvm. CentOS Stream Install keepalived: $ dnf install keepalived Add nginx repo to the system: repo. …

Posted on

FreeBSD, Nginx and htpasswd file generation

On most Linux distros it is possible to generate the htpasswd file entries simply using the htpasswd command line util. On FreeBSD the easiest way to accomplish the same task is using OpenSSL itself: openssl passwd -apr1 Enter the password twice to get a nice hash, copy that in the htpasswd file with the usual user:password_hash syntax.

Posted on

FreeBSD, NGINX and TLSv1.3

After a six months hiatus here is a new blogpost. This saturday I finally found the time to upgrade the configuration of the server that hosts this very website. Software stack is pretty simple: FreeBSD (version 12.0-p6),nginx (version 1.15.10) and OpenSSL (version 1.1.1a-freebsd). Install the required software: $ pkg install nginx-devel py36-certbot Get a SSL certificate from letsencrypt: $ certbot-3.6 certonly --standalone -d domain.tld -d www.domain.tld Certfiles location is /usr/local/etc/letsencrypt/live/<domain. …

Posted on

Nginx and XMPP over TLS

XMPP over TLS (formerly XEP-0368) is a clever mechanism that allows users to connect to a XMPP server from networks that restrict outgoing traffic only to specific ports; this block is circumvent by routing XMPP traffic via port TCP 433. If the server hosts only a XMPP server setting up XMPP over TLS is pretty easy, just instruct the server to listen on port 443. If the server also runs a webserver which is listening on port 443 things are a bit more complicated; luckily Nginx provides a way to manage XMPP traffic and redirect it to the XMPP server. …

Posted on

Nginx, PHP-FPM, SELinux and sendmail

Since I am a real master at forgiving things I am writing this one down. PHP mail function relies on sendmail but SELinux by default block webservers from sending emails, the usual error that pop-out is: cat /var/log/maillog"> --- sendmail[16328]: NOQUEUE: SYSERR(nginx): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied Allow webservers to send email is as easy as editing the appropriate SELinux boolean: setsebool -P httpd_can_sendmail 1 Use sestatus to check SELinux booleans: …

Posted on

Nginx, PHP-FPM caching done right

The whole web is full of pseudo guides on how to properly - that is the key word here - configure Nginx to perform caching alongside with PHP-FPM, but every single one of them fails to mention some minor steps resulting in a borked half functioning implementation. For example, not a single one mention the necessity to edit /etc/php.ini and set session.use_cookies to 0. Too bad that without doing so caching with WordPress in combination with certain plugins or themes (for example MainWP or Enfold theme) is completely not working; the following headers get added to every HTTP response: …

Posted on

Get rid of SHA-1 – nginx, TLSv1.2, PFS and SHA-2

Everyone who knows me a little bit knows how much I dislike Google but this time we really should thank them for taking a real step toward a more secure web. They are finally moving away from SHA-1 to the much more secure SHA-2, more info can be found here: http://googleonlinesecurity.blogspot.it/2014/09/gradually-sunsetting-sha-1.html.:. Setup CentOS 6.5 x86_64 nginx/1.6.1 OpenSSL 1.0.1e-fips 11 Feb 2013 Nginx developers provide an up to date repository (http://wiki.nginx.org/Install)for CentOS: …

Posted on

nginx and TLS v1.2

Given that SSL and TLS, especially v1.0, suffer from serious security issues (e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) I thought it would be a good idea to use the latest and more secure version of it: v1.2. On CentOS 6.4 the openssl version included is quite old and doesn’t support TLS v1.1 and 1.2. So, first of all we have to install the latest version 1.0.1e, it can be done compiling from sources or by adding a third party repository; I chose the latter. …

Posted on