We are in the cloud

We are in the cloud, running on someone else’s computer.


Keepalived and libvirt MACVTAP network interfaces

Keepalived is routing software written in C that can be used to set up load balancing and high availability for Linux machines.

NOTE: the hypervisor is Debian 10 (Buster) with libvirt and qemu/kvm; the virtual machines are also Debian 10 (Buster).

Keepalived configuration

Install keepalived:

    $ apt install keepalived

Install nginx, it will be used to check that keepalived is actually working:

    $ apt install nginx
    $ systemctl enable --now nginx

Configure keepalived:

    $ vi /etc/keepalived/keepalived.conf

    global_defs {
        enable_script_security   # prevents tampering with the check script
        script_user root         # defines which user runs the check script
    }

    vrrp_script chk_nginx {
        script "/opt/scripts/nginx-check.sh"
        interval 2               # run script every 2 seconds
        weight 2                 # add 2 points if OK
    }

    vrrp_instance VI_1 {
        interface enp2s0         # interface to monitor
        virtual_router_id 51
        priority 101             # MASTER 101, BACKUP 100
        advert_int 1
        nopreempt                # with nopreempt the VIP does not go back to MASTER
                                 # when it comes back online; comment out to change that
        authentication {
            auth_type PASS
            auth_pass myPass     # maximum 8 chars
        }
        virtual_ipaddress {
            10.10.0.12/24        # VIP (Virtual IP Address)
        }
        track_script {
            chk_nginx
        }
    }

Also add a script to check if nginx is alive and well: …


FreeBSD, Nginx and htpasswd file generation

On most Linux distros it is possible to generate htpasswd file entries simply by using the htpasswd command line utility. On FreeBSD the easiest way to accomplish the same task is to use OpenSSL itself:

    $ openssl passwd -apr1

Enter the password twice to get a nice hash, then copy it into the htpasswd file using the usual user:password_hash syntax.


FreeBSD, NGINX and TLSv1.3

After a six-month hiatus here is a new blog post. This Saturday I finally found the time to upgrade the configuration of the server that hosts this very website. The software stack is pretty simple: FreeBSD (version 12.0-p6), nginx (version 1.15.10) and OpenSSL (version 1.1.1a-freebsd).

Install the required software:

    $ pkg install nginx-devel py36-certbot

Get an SSL certificate from Let's Encrypt:

    $ certbot-3.6 certonly --standalone -d domain.tld -d www.domain.tld

The certificate files are located in /usr/local/etc/letsencrypt/live/<domain.tld>; you might, or might not, want to move them to another directory. …


Nginx and XMPP over TLS

XMPP over TLS (formerly XEP-0368) is a clever mechanism that allows users to connect to an XMPP server from networks that restrict outgoing traffic to specific ports only; the restriction is circumvented by routing XMPP traffic via TCP port 443. If the server hosts only an XMPP server, setting up XMPP over TLS is pretty easy: just instruct the server to listen on port 443. If the server also runs a webserver that is listening on port 443 things are a bit more complicated; luckily Nginx provides a way to manage XMPP traffic and redirect it to the XMPP server. …


Nginx, PHP-FPM, SELinux and sendmail

Since I am a real master at forgetting things I am writing this one down. The PHP mail function relies on sendmail, but SELinux by default blocks webservers from sending emails; the usual error that pops up is:

    $ cat /var/log/maillog
    sendmail[16328]: NOQUEUE: SYSERR(nginx): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied

Allowing webservers to send email is as easy as setting the appropriate SELinux boolean:

    $ setsebool -P httpd_can_sendmail 1

Use sestatus to check SELinux booleans: …


Nginx, PHP-FPM caching done right

The whole web is full of pseudo guides on how to properly - that is the key word here - configure Nginx to perform caching alongside PHP-FPM, but every single one of them fails to mention some minor steps, resulting in a borked, half-functioning implementation. For example, not a single one mentions the necessity to edit /etc/php.ini and set session.use_cookies to 0. Too bad that without doing so caching with WordPress in combination with certain plugins or themes (for example MainWP or the Enfold theme) does not work at all; the following headers get added to every HTTP response: …


Get rid of SHA-1 – nginx, TLSv1.2, PFS and SHA-2

Everyone who knows me a little bit knows how much I dislike Google but this time we really should thank them for taking a real step toward a more secure web. They are finally moving away from SHA-1 to the much more secure SHA-2; more info can be found here: http://googleonlinesecurity.blogspot.it/2014/09/gradually-sunsetting-sha-1.html

Setup

    CentOS 6.5 x86_64
    nginx/1.6.1
    OpenSSL 1.0.1e-fips 11 Feb 2013

Nginx developers provide an up to date repository (http://wiki.nginx.org/Install) for CentOS: …
