Thursday, 20 August 2020

CentOS 7/8 UEFI with ESP on RAID1

Kickstart configuration for a RAID1 setup on UEFI firmware:
clearpart --all --initlabel 
part raid.A0 --fstype=raid --ondisk=sda --size=512
part raid.A1 --fstype=raid --ondisk=sda --size=200
part raid.A2 --fstype=raid --ondisk=sda --size=1 --grow
part raid.B0 --fstype=raid --ondisk=sdb --size=512
part raid.B1 --fstype=raid --ondisk=sdb --size=200
part raid.B2 --fstype=raid --ondisk=sdb --size=1 --grow
raid /boot     --device=0 --fstype=ext4  --level=1 raid.A0 raid.B0
raid /boot/efi --device=1 --fstype=efi   --level=1 raid.A1 raid.B1
raid pv.1      --device=2 --fstype=lvmpv --level=1 raid.A2 raid.B2
volgroup storage pv.1
logvol /    --fstype=ext4 --name=root --vgname=storage --size=8192
logvol swap --name=swap   --vgname=storage --size=8192
logvol /srv --fstype=xfs  --name=srv --vgname=storage --size=1 --grow
All partitions are marked as RAID type (no esp or boot flags).
The MDRAID array for the ESP is created with the 1.0 metadata format (superblock at the end of the partition), so the firmware, which knows nothing about md, sees each member as an ordinary FAT filesystem.
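The 1.0 layout only helps if the array really was created that way, and it comes with a caveat: anything that writes to one member behind md's back (the firmware updating a boot entry, a capsule dropped into the ESP by a firmware-update tool) bypasses the mirror, so the array is worth checking right after installation and after such updates. Below is an added check script, not part of the original post, that parses `mdadm --detail` output and insists on metadata 1.0, raid1 and a clean state. The device name /dev/md1 (kickstart `--device=1` above) and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the md array
# carrying /boot/efi uses metadata 1.0 (superblock at the end of each member,
# start of the partition is plain FAT), is a 2-member raid1 and is clean.
# On a live system:  check_esp_array /dev/md1   (needs root and mdadm)

# check_detail_text TEXT -> 0 if TEXT (mdadm --detail output) passes, else 1
# with the reason on stderr.
check_detail_text() {
    detail=$1
    version=$(printf '%s\n' "$detail" | sed -n 's/^ *Version *: *//p')
    level=$(printf '%s\n' "$detail" | sed -n 's/^ *Raid Level *: *//p')
    state=$(printf '%s\n' "$detail" | sed -n 's/^ *State *: *//p')
    if [ "$version" != "1.0" ]; then
        echo "ESP array uses metadata '$version', needs 1.0 (superblock at end)" >&2
        return 1
    fi
    if [ "$level" != "raid1" ]; then
        echo "ESP array is '$level', needs raid1 (every member a full copy)" >&2
        return 1
    fi
    # "clean, degraded" and friends are rejected on purpose: a lone member
    # may have been written by the firmware and is no longer a mirror.
    case "$state" in
        clean|active) ;;
        *) echo "ESP array state is '$state'" >&2; return 1 ;;
    esac
    return 0
}

# Wrapper for a live system; device name is the caller's choice.
check_esp_array() {
    check_detail_text "$(mdadm --detail "$1")"
}

# Constructed sample outputs in the layout mdadm --detail prints, so the
# check can be exercised without a RAID system at hand.
SAMPLE_OK='/dev/md1:
           Version : 1.0
     Creation Time : Thu Aug 20 10:00:00 2020
        Raid Level : raid1
        Array Size : 204736 (199.94 MiB 209.65 MB)
      Raid Devices : 2
     Total Devices : 2
             State : clean'

SAMPLE_BAD='/dev/md1:
           Version : 1.2
        Raid Level : raid1
             State : clean'

# Demo run: the 1.0 array passes, the 1.2 array is rejected.
if check_detail_text "$SAMPLE_OK"; then echo "sample 1.0 array: ok"; fi
if check_detail_text "$SAMPLE_BAD" 2>/dev/null; then
    echo "unexpected: 1.2 array accepted"
else
    echo "sample 1.2 array: rejected as expected"
fi
```

Metadata 1.2 (the mdadm default) puts the superblock 4 KiB into the partition, which is exactly where the FAT boot sector would have to be, so a 1.2 ESP array assembles fine under Linux and is invisible to the firmware.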

Wednesday, 27 May 2020

Apache + PHP - deny policy

This is a sample config for Apache + PHP (mod_php) that by default blocks all .php files and allows PHP only in the specified locations:
php_admin_value engine off
<FilesMatch "\.php$">
  Deny from All
</FilesMatch>
<Location /index.php>
  Allow From All
  php_admin_value engine on
</Location>
<Location /sample/>
 Allow From All
 php_admin_value engine on
</Location>
This assumes there is a catch-all to index.php somewhere (.htaccess or vhost). Deny/Allow are the Apache 2.2 access-control directives; on Apache 2.4 they need mod_access_compat, or use Require all denied / Require all granted instead.

Thursday, 6 February 2020

IPSec policy via plain old setkey

In the old days I sometimes used IPsec with manual keying (pre-shared keys, no IKE at all). I needed a sample config for some PoC work, so here it is for "future" use. On one side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On the other side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Only the direction (-P in/out) of the spdadd policies changes between the two sides; the add lines (the SAs) are identical.
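Because the two files differ in nothing but the policy direction, the safest way to keep them consistent is to render both from one set of parameters. The script below is an added example, not the post's own: it generates the `setkey -f` file for either end, keys each direction separately, and refuses keys of the wrong length before setkey would fail on just one host. Keys are given in setkey's 0x-hex form (the post's quoted ASCII strings are equivalent but awkward to generate randomly); the cipher stays blowfish-cbc as in the post, overridable through the assumed `ENC_ALG` variable (setkey also accepts aes-cbc). Manual SAs never rekey and keep no anti-replay state, so rotating keys means re-running this on both hosts. The TEST-NET addresses stand in for IP1/IP2.

```shell
#!/bin/sh
# Added example, not the post's own script: render the manual-keying setkey
# configuration for either end of the tunnel from one parameter set.
# Side A is the host at IP1 in front of 100.100.0.0/16, side B the host at
# IP2 in front of 100.64.0.0/16 (the subnets used in the post).

ENC_ALG=${ENC_ALG:-blowfish-cbc}   # as in the post; setkey also knows aes-cbc

# gen_key_hex N -> fresh N-byte key as 0x-prefixed hex from the kernel RNG.
gen_key_hex() {
    printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# key_bytes KEY -> number of bytes in a well-formed 0x-hex key, 0 otherwise.
key_bytes() {
    hex=${1#0x}
    case "$1" in 0x*) ;; *) echo 0; return ;; esac
    case "$hex" in *[!0-9a-fA-F]*|"") echo 0; return ;; esac
    if [ $(( ${#hex} % 2 )) -eq 0 ]; then echo $(( ${#hex} / 2 )); else echo 0; fi
}

# gen_setkey_conf SIDE IP1 IP2 ENC12 AUTH12 ENC21 AUTH21
#   ENC12/AUTH12 key the IP1->IP2 SA (SPI 0x1000), ENC21/AUTH21 the reverse
#   SA (SPI 0x2000). Prints the complete setkey -f script for SIDE.
gen_setkey_conf() {
    side=$1; ip1=$2; ip2=$3; e12=$4; a12=$5; e21=$6; a21=$7
    case "$side" in
        A) dir12=out; dir21=in ;;
        B) dir12=in;  dir21=out ;;
        *) echo "side must be A or B" >&2; return 1 ;;
    esac
    # hmac-sha1 takes exactly a 160-bit key in setkey.
    for k in "$a12" "$a21"; do
        [ "$(key_bytes "$k")" -eq 20 ] || { echo "auth key must be 20 bytes: $k" >&2; return 1; }
    done
    # Policy floor for the cipher key (blowfish itself accepts 5..56 bytes,
    # aes-cbc exactly 16/24/32).
    for k in "$e12" "$e21"; do
        [ "$(key_bytes "$k")" -ge 16 ] || { echo "encryption key must be >= 16 bytes: $k" >&2; return 1; }
    done
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
add $ip1 $ip2 esp 0x1000 -m tunnel -E $ENC_ALG $e12 -A hmac-sha1 $a12;
add $ip2 $ip1 esp 0x2000 -m tunnel -E $ENC_ALG $e21 -A hmac-sha1 $a21;

spdadd 100.100.0.0/16 100.64.0.0/16  any -P $dir12 ipsec esp/tunnel/$ip1-$ip2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P $dir21 ipsec esp/tunnel/$ip2-$ip1/require;
EOF
}

# Demo: one key set, both files. 192.0.2.1 / 198.51.100.1 are placeholders.
E12=$(gen_key_hex 32); A12=$(gen_key_hex 20)
E21=$(gen_key_hex 32); A21=$(gen_key_hex 20)
echo "# ---- side A (IP1) ----"
gen_setkey_conf A 192.0.2.1 198.51.100.1 "$E12" "$A12" "$E21" "$A21"
echo "# ---- side B (IP2) ----"
gen_setkey_conf B 192.0.2.1 198.51.100.1 "$E12" "$A12" "$E21" "$A21"
```

Redirect each rendered file to the respective host's setkey script and load it with `setkey -f`; the generated keys appear in clear text in those files, so they need the same handling as any other static secret.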

Friday, 24 January 2020

What is my IP? DNS way...

What is my IP via custom DNS server:
dig @ip.socha.it tell-me-my-ip +short
Other use cases:
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short

dig @ip.socha.it ip TXT +short 
dig @ip.socha.it ip TXT +short +tcp

What is my IP? The nginx way...

Pure nginx solution ;)
curl -sf ip.socha.it
or
curl -sf ip.socha.it/eol

Nginx configuration:
server {
        listen 80;
        server_name ip.socha.it;
        default_type "text/plain";
        location /eol {
          return 200 "$remote_addr\n";
        }
        location / {
          return 200 $remote_addr;
        }
}

Sunday, 19 January 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on a docker-compose service definition: a private Docker registry.

Quick setup
curl -sf automatus.cf/private-registry | bash

Or step by step:

  • Install docker & docker-compose
  • Create required directories
    mkdir registry
    cd registry
    mkdir {auth,default}
    
  • Create docker-compose.yml file:
    version: '3'
    
    services:
      gateway:
        image: traefik:2.1
        restart: always
        command: 
          - "--providers.docker"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.http.address=:80"
          - "--entrypoints.https.address=:443"
          - "--certificatesResolvers.le.acme.httpchallenge=true"
          - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
          - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
         #- "--api.insecure=true"
         #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
        ports:
          - 80:80
          - 443:443
          # API
          #- 8080:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - acme:/acme
          - ./auth:/auth
    
      registry:
        restart: always
        image: registry:2
        environment:
          REGISTRY_HTTP_SECRET: change-me
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.http.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.http.entrypoints=http"
          - "traefik.http.routers.https.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.https.entrypoints=https"
          - "traefik.http.routers.https.tls=true"
          - "traefik.http.routers.https.tls.certresolver=le"
          - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
          - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
          - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
          - "traefik.http.routers.http.middlewares=redirect,server-header"
          - "traefik.http.routers.https.middlewares=server-header,auth"
        volumes:
          - registry:/var/lib/registry
    
      # Catch-all default vhost
      default:
        image: nginx:stable
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)" 
          - "traefik.http.routers.default.entrypoints=http"
          - "traefik.http.routers.default.priority=1"
          - "traefik.http.routers.default.middlewares=server-header"
        volumes:
          - ./default/default.conf:/etc/nginx/conf.d/default.conf
    
    volumes:
      acme:
      registry:
    
    # vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent : 
    
  • Create default/default.conf file:
    server { 
       listen 80 default_server; 
       return 204;
    }
    
  • Create a user and password for registry access (-B stores a bcrypt hash; Traefik's basicauth accepts bcrypt, MD5 and SHA1):
    htpasswd -cB auth/passwd username
    # or, without htpasswd installed locally (-n prints to stdout, -i reads the password from stdin)
    docker run --rm -i httpd:alpine htpasswd -niB username >auth/passwd
    
  • Start project
    docker-compose up -d
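What keeps this registry private is a handful of lines in the compose file: containers only get a router when they opt in, the https router carries the auth middleware, the http router only redirects, and the insecure API stays commented out. The script below is an added example, not part of the original post or of Traefik: a static audit that greps a docker-compose.yml for exactly those settings and for leftover `change-me` placeholders. Router and middleware names (`http`, `https`, `auth`, `redirect`) are the ones from the compose file above; the two sample documents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: static check of a
# docker-compose.yml for the settings that keep the registry private.
# It only greps the file and never talks to Traefik or Docker.

# audit_compose FILE -> 0 when every check passes, otherwise 1 with one
# "FAIL ..." line per finding on stdout.
audit_compose() {
    f=$1; rc=0
    # Without this, every container the gateway can see gets a router.
    grep -q -- '--providers\.docker\.exposedbydefault=false' "$f" \
        || { echo "FAIL gateway exposes every container by default"; rc=1; }
    # The insecure API serves the dashboard without authentication; only an
    # uncommented list item counts.
    grep -Eq '^[[:space:]]*-[[:space:]]*"--api\.insecure=true"' "$f" \
        && { echo "FAIL api.insecure=true is active"; rc=1; }
    # The https router is the only one serving the registry: TLS plus auth.
    grep -q 'routers\.https\.tls=true' "$f" \
        || { echo "FAIL https router has no tls=true"; rc=1; }
    grep -Eq 'routers\.https\.middlewares=([^"]*,)?auth(,|")' "$f" \
        || { echo "FAIL https router has no auth middleware"; rc=1; }
    # The http router must redirect, never serve the registry in clear text.
    grep -Eq 'routers\.http\.middlewares=([^"]*,)?redirect(,|")' "$f" \
        || { echo "FAIL http router does not redirect to https"; rc=1; }
    # Values the post marks for replacement (hostname, HTTP secret).
    grep -q 'change-me' "$f" \
        && { echo "FAIL placeholder 'change-me' still present"; rc=1; }
    # Informational: the socket mount makes the gateway root-equivalent on
    # the host, so that container deserves prompt image updates.
    grep -q '/var/run/docker\.sock' "$f" \
        && echo "NOTE gateway mounts docker.sock; keep that image current"
    return $rc
}

# audit_text YAML -> same check on an in-memory document.
audit_text() {
    t=$(mktemp); printf '%s\n' "$1" >"$t"
    audit_compose "$t" && rc=0 || rc=$?
    rm -f "$t"; return $rc
}

# Constructed sample: the post's labels after editing for deployment.
SAMPLE_OK='services:
  gateway:
    image: traefik:2.1
    command:
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
     #- "--api.insecure=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  registry:
    image: registry:2
    environment:
      REGISTRY_HTTP_SECRET: example-only-7f3a
    labels:
      - "traefik.http.routers.http.rule=Host(`registry.example.com`)"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.http.middlewares=redirect,server-header"
      - "traefik.http.routers.https.middlewares=server-header,auth"'

# Constructed sample: placeholders left in, API exposed, no auth, no redirect.
SAMPLE_BAD='services:
  gateway:
    image: traefik:2.1
    command:
      - "--providers.docker"
      - "--api.insecure=true"
  registry:
    image: registry:2
    environment:
      REGISTRY_HTTP_SECRET: change-me
    labels:
      - "traefik.http.routers.http.rule=Host(`hostname-change-me`)"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.http.middlewares=server-header"
      - "traefik.http.routers.https.middlewares=server-header"'

echo "== edited sample";            audit_text "$SAMPLE_OK" || true
echo "== sample with placeholders"; audit_text "$SAMPLE_BAD" || true
```

Against a real project directory, call `audit_compose docker-compose.yml` before `docker-compose up -d`; the checks are plain substring matches, so a compose file that spells the labels differently needs the patterns adjusted.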