Category Archives: Tips & Tricks - Page 2

haproxy: rewrite request aka prefix url

Today I had a task that read roughly like this: "Change for balancer urls for this VIP - vip:8080 -> server* 16081/int"

Long story short:

[codesyntax lang="bash"]

frontend my_vip
     bind x.x.x.x:8080
     mode http
     maxconn 30000
     default_backend my_backend
backend my_backend
     mode http
     balance leastconn
     acl int_prefix path_beg /int
     reqrep ^([^\ :]*)\ /(.*) \1\ /int/\2 unless int_prefix
     server server1 y.y.y.y:16081 maxconn 32 check fall 3
     server server2 z.z.z.z:16081 maxconn 32 check fall 3

[/codesyntax]
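The reqrep rule is easier to trust once its regex has been exercised against a few request lines. The shell function below is an added example, not part of the original post or of HAProxy itself: it applies the same regular expression with sed and the same "unless the path already begins with /int" condition to constructed request lines. Two things worth knowing: path_beg is a prefix match, so a path like /internal is also left alone, and reqrep was removed in HAProxy 2.1, where the equivalent is http-request set-path (for example `http-request set-path /int%[path] unless { path_beg /int }`).

```shell
#!/bin/sh
# Added example, not from the original post: emulate the effect of
#   reqrep ^([^\ :]*)\ /(.*) \1\ /int/\2 unless int_prefix
# on HTTP request lines with sed, so the rewrite can be checked offline before
# it goes into the balancer. Group 1 is the method (anything up to the first
# space or colon), group 2 is the rest of the line after the leading "/".

prefix_request() {
    # $1 is a raw request line such as "GET /foo HTTP/1.1"
    rest=${1#* }           # strip the method
    path=${rest%% *}       # the request path
    case "$path" in
        # "unless int_prefix" with "acl int_prefix path_beg /int": a path that
        # already starts with /int is passed through untouched. This is a prefix
        # match, so /internal is left alone as well.
        /int*) printf '%s\n' "$1" ;;
        *)     printf '%s\n' "$1" | sed -E 's#^([^ :]*) /(.*)#\1 /int/\2#' ;;
    esac
}

# Constructed request lines for a quick run
for line in 'GET /foo HTTP/1.1' 'GET /int/foo HTTP/1.1' 'POST / HTTP/1.1' 'GET /internal HTTP/1.1'; do
    prefix_request "$line"
done
```

The loop prints the rewritten request lines; only the first and third get the /int prefix.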

(openssl) verify that a private key matches a certificate

A while ago I had to renew the SSL certificate for a website I'm taking care of.

How do I verify that a private key matches a certificate?
[codesyntax lang="bash"]

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

[/codesyntax]

How do I verify that a CSR matches a certificate?
[codesyntax lang="bash"]

openssl req -noout -modulus -in server.csr | openssl md5

[/codesyntax]
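The modulus comparison above only works for RSA keys; an EC key has no modulus for openssl rsa to print. The shell functions below are an added example, not from the original post: they compare the SHA-256 of the DER-encoded public key extracted from the key, the certificate or the CSR, which works for any key type, and the demo function generates throw-away RSA and EC material in a temporary directory so the check can be run without touching real files.

```shell
#!/bin/sh
# Added example, not from the original post: key-type independent version of the
# "does this key belong to this certificate/CSR" check. Instead of the RSA-only
# modulus, hash the DER SubjectPublicKeyInfo that all three objects carry.

pubkey_fingerprint() {
    # $1: one of key|cert|csr, $2: PEM file. Prints the SHA-256 of the public key DER.
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        csr)  openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit status 0 when the private key and the certificate share a public key
key_matches_cert() {
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Same check between a private key and a CSR
key_matches_csr() {
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint csr "$2")" ]
}

# Self-contained demo on constructed throw-away material (nothing real is read)
demo_key_cert_check() {
    dir=$(mktemp -d) || return 1
    # RSA key with a self-signed certificate and a CSR made from the same key
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/a.key" -out "$dir/a.crt" \
        -subj /CN=example.test -days 1 >/dev/null 2>&1
    openssl req -new -key "$dir/a.key" -out "$dir/a.csr" -subj /CN=example.test >/dev/null 2>&1
    # Unrelated EC key: must be reported as a mismatch (the modulus trick could not even run here)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/b.key" >/dev/null 2>&1
    if key_matches_cert "$dir/a.key" "$dir/a.crt"; then r1=yes; else r1=no; fi
    if key_matches_csr  "$dir/a.key" "$dir/a.csr"; then r2=yes; else r2=no; fi
    if key_matches_cert "$dir/b.key" "$dir/a.crt"; then r3=yes; else r3=no; fi
    rm -rf "$dir"
    printf 'key/cert=%s key/csr=%s otherkey/cert=%s\n' "$r1" "$r2" "$r3"
}

demo_key_cert_check
```

For a real renewal, call key_matches_cert on the key and the certificate the CA returned before deploying; a non-zero exit status means the CSR was generated from a different key than the one on the server.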

How to disable dnsmasq on ubuntu based distribution

dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN.
From time to time dnsmasq decided to resolve some hosts over a VPN tunnel to their external IP address instead of the internal one. This was quite annoying... After digging a little I found that the root cause of all my VPN heartache was the dnsmasq daemon controlling my DNS and, related to it, NetworkManager. OK, so how can we disable dnsmasq?!

[codesyntax lang="bash"]

vim /etc/NetworkManager/NetworkManager.conf
:%s/dns=dnsmasq/#dns=dnsmasq/g
:wq

[/codesyntax]

Ta-da! No more problems! We're all set!

How to list loaded Linux module parameter values

Well, at some point you might need this. So, how do you do this?

[codesyntax lang="bash"]

# Each line of /proc/modules starts with the module name
while read -r module _; do
  echo "Module: $module"
  if [ -d "/sys/module/$module/parameters" ]; then
    for parameter in "/sys/module/$module/parameters"/*; do
      [ -e "$parameter" ] || continue   # empty parameters directory
      echo -n "Parameter: ${parameter##*/} --> "
      cat "$parameter"
    done
  fi
  echo
done < /proc/modules

[/codesyntax]

Wasn't that hard, right?!

VMware modules, Ubuntu 14.04 & kernel 3.13

After many years of using Debian, I decided to give Ubuntu 14.04 a shot... One of the many problems I encountered was the installation of VMware. Well, everything went fine except the kernel modules... OK, long story short, here's the patch:

[codesyntax lang="bash"]

vim ~/vmnet313.patch

[/codesyntax]

205a206
> #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
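Review bot: this is a "normal" (line-numbered) diff with no file header and no context lines, so patch has to be told the target file explicitly (as the `patch vmnet-only/filter.c < ~/vmnet313.patch` step further down does) and, for this `a` hunk, has nothing to verify: on a filter.c from another VMware build where the numbering differs, the `#if` line is inserted after whatever line 205 happens to be. A unified diff (`diff -u`) with a few context lines would let patch detect the offset or refuse cleanly instead.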
206a208,210
> #else
> VNetFilterHookFn(const struct nf_hook_ops *ops,        // IN:
> #endif
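Review bot: only the first parameter line of VNetFilterHookFn is duplicated under `#else`; the remaining parameter lines after the original line 206 are shared by both branches, which is correct only as long as the 3.13 change replaced nothing but the first argument (`unsigned int hooknum` becoming `const struct nf_hook_ops *ops`). A one-line comment above the `#if` saying which kernel API change this tracks would help whoever bumps the version check next.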
255c259,263
<    transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
---
>    #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
>       transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
>    #else
>       transmit = (ops->hooknum == VMW_NF_INET_POST_ROUTING);
>    #endif
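Review bot: the `#else` branch reads `ops->hooknum`, so this hunk depends on the signature hunk above and the two must always be applied together; any other use of the old `hooknum` parameter elsewhere in the function (not visible in this patch) would still fail to compile on 3.13, so the whole function body should be checked. Assigning the value once near the top of the function, for example `unsigned int hooknum = ops->hooknum;` under the same `#if`, would let the rest of the body stay unconditional instead of repeating the version check at each use.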

[codesyntax lang="bash"]

:wq

[/codesyntax]

[codesyntax lang="bash"]

# Change directory into the vmware module source directory
cd /usr/lib/vmware/modules/source
# untar the vmnet modules
tar -xvf vmnet.tar
# run the patch you saved earlier
patch vmnet-only/filter.c < ~/vmnet313.patch
# re-tar the modules
tar -uvf vmnet.tar vmnet-only
# delete the previous working directory
rm -r vmnet-only
# just run the GUI app
vmware

[/codesyntax]

There you go!

How to deal with "RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)" problem

If you see "[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)" in your Apache error.log, it means the certificate you are serving was created as a CA certificate (one intended to sign other certificates) but is being used as the server's SSL certificate. Whether that happens depends on how you create the SSL cert.

But how can we solve this problem?!

1. Generate private key and certificate signing request

[codesyntax lang="bash"]

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr

[/codesyntax]

Note: when the openssl req command asks for a “challenge password”, just press return, leaving the password empty.

2. Generate SSL certificate

[codesyntax lang="bash"]

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[/codesyntax]
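The warning is produced by the certificate's own extensions, so the simplest check is to read them back. The shell snippet below is an added example, not from the original post: is_ca_cert reports whether a certificate carries basicConstraints CA:TRUE, and the demo creates two throw-away certificates in a temporary directory, one with openssl req -x509 and a v3_ca-style extension section like the one the stock openssl.cnf ships (which is what produces a CA certificate), the other via the CSR + openssl x509 -req -signkey route from the two steps above, which adds no such extension.

```shell
#!/bin/sh
# Added example, not from the original post: read the BasicConstraints extension
# back out of a certificate, which is exactly what Apache complains about.

is_ca_cert() {
    # Exit status 0 when the certificate in $1 is marked CA:TRUE
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Basic Constraints/{n;p;}' \
        | grep -q 'CA:TRUE'
}

# Constructed demo: one certificate made with v3_ca extensions (CA:TRUE),
# one made the way the post describes (CSR + x509 -req -signkey, no extensions)
demo_basic_constraints() {
    dir=$(mktemp -d) || return 1
    # Minimal req config with the same v3_ca shape as the stock openssl.cnf
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj /CN=example.test -days 1 >/dev/null 2>&1

    # The post's procedure, steps 1 and 2 (passphrase detour left out)
    openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj /CN=example.test >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" >/dev/null 2>&1

    if is_ca_cert "$dir/ca.crt";     then a=CA; else a=leaf; fi
    if is_ca_cert "$dir/server.crt"; then b=CA; else b=leaf; fi
    rm -rf "$dir"
    printf 'req-x509=%s x509-req-signkey=%s\n' "$a" "$b"
}

demo_basic_constraints
```

Run is_ca_cert against the certificate Apache is actually loading: if it exits 0, regenerate the certificate as in step 2 rather than with a CA extension section.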

Set port knocking with knockd and iptables

This document describes a stealth method to externally open ports that, by default, are kept closed by the firewall.

Server side

1. Install knockd

[codesyntax lang="bash"]

apt-get install knockd

[/codesyntax]

2. Configure knockd

[codesyntax lang="bash"]

vim /etc/knockd.conf

[options]
        UseSyslog

[OpenClosePort]
        sequence    = 2123:udp,3543:tcp,6454:udp
        seq_timeout = 5
        Start_Command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
        tcpflags    = syn
        Cmd_timeout = 3600
        Stop_Command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT

:wq

[/codesyntax]

Notes:

  • sequence - the sequence required to open desired port
  • seq_timeout - time to wait for a sequence to complete
  • Start_Command - command to be executed when a client makes the correct port-knock
  • Stop_Command - command to be executed when Cmd_Timeout seconds have passed since Start_Command has been executed
  • Cmd_Timeout - time to wait between Start_Command and Stop_Command in seconds
  • PORT - port to be opened

3. Enable knockd

[codesyntax lang="bash"]

vim /etc/default/knockd

:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq

[/codesyntax]

4. Start knockd

[codesyntax lang="bash"]

/etc/init.d/knockd restart

[/codesyntax]

Client side

1. Knock the port

[codesyntax lang="bash"]

nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 2123 host
nmap -Pn --host_timeout 201 --max-retries 0 -p 3543 host
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 6454 host

[/codesyntax]

2. Check if the port is open

[codesyntax lang="bash"]

telnet host PORT

[/codesyntax]
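With UseSyslog set, every stage of a knock is logged, which makes knockd easy to monitor. The script below is an added example, not from the original post: it summarises those log lines per client address so that sources that keep hitting stage 1 without ever completing the sequence stand out from legitimate openings. The sample lines are constructed following the shape of knockd's messages (ip: section: Stage N, ip: section: OPEN SESAME, section: running command: ...); check the field positions against your own syslog format (for instance a knockd[pid]: tag) before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: per-client summary of knockd
# syslog output. A client that repeatedly reaches "Stage 1" but never "OPEN
# SESAME" is either misconfigured or probing the knock sequence.

# Constructed sample in the shape knockd logs with UseSyslog (not real traffic)
KNOCKD_SAMPLE_LOG='Mar  1 10:00:01 gw knockd: 198.51.100.7: OpenClosePort: Stage 1
Mar  1 10:00:01 gw knockd: 198.51.100.7: OpenClosePort: Stage 2
Mar  1 10:00:02 gw knockd: 198.51.100.7: OpenClosePort: Stage 3
Mar  1 10:00:02 gw knockd: 198.51.100.7: OpenClosePort: OPEN SESAME
Mar  1 10:00:02 gw knockd: OpenClosePort: running command: /sbin/iptables -I INPUT -s 198.51.100.7 -p tcp --dport 22 -j ACCEPT
Mar  1 10:05:11 gw knockd: 203.0.113.9: OpenClosePort: Stage 1
Mar  1 10:05:40 gw knockd: 203.0.113.9: OpenClosePort: Stage 1
Mar  1 10:06:02 gw knockd: 203.0.113.9: OpenClosePort: Stage 1
Mar  1 11:00:00 gw knockd: 198.51.100.7: OpenClosePort: Stage 1'

# Reads syslog lines on stdin, prints "<ip> opened=<n> incomplete=<n>" per client,
# where incomplete = sequences started (Stage 1) minus sequences completed.
knock_summary() {
    awk '
        # Only lines of the form "... knockd: <ipv4>: <section>: <message>"
        / knockd: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: / {
            ip = $6; sub(/:$/, "", ip)
            msg = $0; sub(/^.* knockd: [^ ]+ [^ ]+ /, "", msg)
            if (msg == "Stage 1")          started[ip]++
            else if (msg == "OPEN SESAME") opened[ip]++
        }
        END {
            for (ip in started)
                printf "%s opened=%d incomplete=%d\n", ip, opened[ip], started[ip] - opened[ip]
        }
    ' | sort
}

# Runs the summary over the constructed sample
knock_summary_demo() {
    printf '%s\n' "$KNOCKD_SAMPLE_LOG" | knock_summary
}

knock_summary_demo
```

On a live box, feed it the real log instead: grep knockd /var/log/syslog | knock_summary. A high incomplete count from one address over a short window is the pattern to alert on.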

How to enable syntax highlighting in less

I wanted to have syntax highlighting for a PHP file I was debugging. Source-highlight, given a source file, produces a document with syntax highlighting.

These are the output formats already supported:

  • HTML
  • XHTML
  • LATEX
  • MediaWiki (new)
  • ODF (new)
  • TEXINFO
  • ANSI color escape sequences (you can use this feature with less)
  • DocBook

These are the input languages (or input formats) already supported (in alphabetical order):

  • Ada
  • Asm
  • Applescript
  • Awk
  • Autoconf files
  • Bat
  • Bib
  • Bison
  • C/C++
  • C#
  • CakePhp templates
  • Clipper
  • Cobol
  • Configuration files (generic)
  • Caml
  • Changelog
  • Css
  • D
  • Diff
  • Emacs Lisp
  • Erlang
  • errors (compiler output)
  • Flex
  • Fortran
  • GLSL
  • Haskell
  • Haskell literate programming
  • Haxe
  • Html
  • ini files
  • IsLisp (new)
  • Java
  • Javalog
  • Javascript
  • KDE desktop files
  • Latex
  • Ldap files
  • Lilypond (new)
  • Lisp
  • Logtalk
  • Log files
  • lsm files (Linux Software Map)
  • Lua
  • Makefile
  • Manifest
  • M4
  • ML
  • Opa
  • Oz
  • Pascal
  • Perl
  • pkg-config files
  • PHP
  • Po
  • Postscript
  • Prolog
  • Properties files
  • Protobuf (Google's Protocol Buffers)
  • Python
  • R statistics programming language (new)
  • RPM Spec files
  • Ruby
  • Scala
  • Scheme
  • Shell
  • S-Lang
  • Sql
  • T/Foswiki TML markup
  • Tcl
  • Texinfo
  • UPC (unified parallel C)
  • Vala
  • VBscript
  • XML
  • XOrg conf files

Exactly what I needed!

[codesyntax lang="bash"]

apt-get install source-highlight
echo "" >> ~/.bashrc
echo "export LESSOPEN=\"| /usr/share/source-highlight/src-hilite-lesspipe.sh %s\"" >> ~/.bashrc
echo "export LESS=' -R '" >> ~/.bashrc

[/codesyntax]

Note: Be sure this line isn't present in your .bashrc because it will interfere with source-highlight:
[codesyntax lang="bash"]

 [ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"

[/codesyntax]

Segmented file transfer over ssh

Many people would say: why don't you use rsync? rsync is indeed a wonderful little tool with a lot of features, but it doesn't support segmented file transfer. There are a lot of applications out there that can handle segmented transfers over FTP or HTTP; one of them is prozilla. But, like rsync, prozilla doesn't support SFTP. So, how can we handle this? The answer has four letters: lftp. Quote from the lftp man page:

Gets  the specified file using several connections. This can speed up transfer, but loads the net and server heavily impacting other users. Use only if you really have to transfer the file ASAP

[codesyntax lang="bash"]

lftp sftp://user[:password]@host.ro[:port] -e "mirror -c --parallel=5 --use-pget-n=5 \"/path/to/folder/\""

[/codesyntax]

Very simple and effective, right?

(Very) Later edit:

[codesyntax lang="bash"]

echo 'set sftp:connect-program "ssh -a -x -i /full/path/to/the/ssh/private/key"' | tee ~/.lftprc
lftp -u user,xxx sftp://host.ro:6646 -e "mirror -c --parallel=10 --use-pget-n=10 \"/path/to/folder/\"; quit"

[/codesyntax]

Where:

  • user is your username on the system you connect to
  • xxx is just a junk password

Prozilla - Linux Download Accelerator

Prozilla Download Accelerator is a multi-threaded download accelerator for Linux that supports both HTTP and FTP. It opens multiple connections to the server and downloads the file in portions, which gives a much better speed rate than conventional single-connection download programs and increases download speeds by up to 200-300%.

Resuming connections is fully supported and customizable.

Because it is based on ncurses, Prozilla is also a lightweight download accelerator.

1. Get prozilla 2.0.4.

[codesyntax lang="bash"]

git clone https://github.com/totosugito/prozilla-2.0.4.git

[/codesyntax]

2. Install required packages

[codesyntax lang="bash"]

apt-get install autoconf build-essential libncurses5-dev

[/codesyntax]

3. Installing from source code

[codesyntax lang="bash"]

cd prozilla-2.0.4
./configure
make
make install

[/codesyntax]

4. Troubleshooting. If an error occurs:

[codesyntax lang="bash"]

make[4]: Leaving directory `/home/user/prozilla-2.0.4/libprozilla/src'
make[4]: Entering directory `/home/user/prozilla-2.0.4/libprozilla'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/home/user/prozilla-2.0.4/libprozilla'
make[3]: Leaving directory `/home/user/prozilla-2.0.4/libprozilla'
make[2]: Leaving directory `/home/user/prozilla-2.0.4/libprozilla'
Making all in src
make[2]: Entering directory `/home/user/prozilla-2.0.4/src'
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I.. -I../libprozilla/src -I../intl -I/usr/local/include -fno-inline -DLOCALEDIR=\"/usr/local/share/locale\" -Wall -ggdb -D_REENTRANT -MT main.o -MD -MP -MF ".deps/main.Tpo" \
-c -o main.o `test -f 'main.cpp' || echo './'`main.cpp; \
then mv -f ".deps/main.Tpo" ".deps/main.Po"; \
else rm -f ".deps/main.Tpo"; exit 1; \
fi
In file included from main.cpp:39:
download_win.h:55: error: extra qualification 'DL_Window::' on member 'print_status'
make[2]: *** [main.o] Error 1
make[2]: Leaving directory `/home/user/prozilla-2.0.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/user/prozilla-2.0.4'
make: *** [all] Error 2

[/codesyntax]

And the solutions...

The error comes from newer GNU C++ compilers rejecting the extra class qualification (DL_Window::) on a member declared inside its own class, something older versions accepted. To avoid it, edit the file src/download_win.h and replace:

void DL_Window::print_status(download_t * download, int quiet_mode);

with:

void print_status(download_t * download, int quiet_mode);

5. Do you want to make this a deb package?

[codesyntax lang="bash"]

apt-get install build-essential automake autoconf libtool pkg-config libcurl4-openssl-dev intltool libxml2-dev libgtk2.0-dev libnotify-dev libglib2.0-dev libevent-dev checkinstall
./configure && make && sudo checkinstall

[/codesyntax]