Monthly Archives: March 2015

haproxy: rewrite request aka prefix url

Today I had a task which sounded like this "Change for balancer urls for this VIP - vip:8080 -> server* 16081/int"

Long story short:

frontend my_vip
     bind x.x.x.x:8080
     mode http
     maxconn 30000
     default_backend my_backend
backend my_backend
     mode http
     balance leastconn
     acl int_prefix path_beg /int
     reqrep ^([^\ :]*)\ /(.*) \1\ /int/\2 unless int_prefix
     server server1 y.y.y.y:16081 maxconn 32 check fall 3
     server server2 z.z.z.z:16081 maxconn 32 check fall 3

(openssl) verify that a private key matches a certificate

A while ago I had to renew the SSL certificate for a website I'm taking care of.

How do I verify that a private key matches a certificate?
[codesyntax lang="bash"]

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

[/codesyntax]

How do I verify that a CSR matches a certificate match?
[codesyntax lang="bash"]

openssl req -noout -modulus -in server.csr | openssl md5

[/codesyntax]

Enable LDAP authentication in Apache

Assuming you have a LDAP server somewhere and you don't want to authenticate users via htpasswd file anymore... I mean, having all your users in one place is a good thing - it's debatable, but in general is a good thing, right?

Now, the technical part...

My LDAP structure is like this:
- groups: cn=group,ou=groups,dc=example,dc=com
- users: uid=firstname.lastname,ou=users,dc=example,dc=com

Next... apache2...

[codesyntax lang="bash"]

a2enmod authnz_ldap

[/codesyntax]

Add this inside your virtualhost.

<Location />
        Order allow,deny
        Allow from all
        Deny from all
        AuthName "Boo..."
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on

        # Search user
        AuthLDAPURL ldap://IP-DOMAIN-CONTROLLER:389/ou=users,dc=example,dc=com?uid

        # Use this user to bind to LDAP
        AuthLDAPBindDN "uid=ldapauthuser,ou=users,dc=example,dc=com"
        AuthLDAPBindPassword "password"
        Require valid-user
        Satisfy any

        # More restrictions!
        # specific user
        #   Require ldap-user john.doe john1.doe john2.doe
        # specific user by DN
        #   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=net
        # member of group
        #   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=net
</Location>

Restart apache server

[codesyntax lang="bash"]

/etc/init.d/apache2 restart

[/codesyntax]

That's it!