czwartek, 20 sierpnia 2020

CentOS 7/8 UEFI with ESP on RAID1

Kickstart configuration for RAID1 setup on UEFI firmware.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
clearpart --all --initlabel
part raid.A0 --fstype=raid --ondisk=sda --size=512
part raid.A1 --fstype=raid --ondisk=sda --size=200
part raid.A2 --fstype=raid --ondisk=sda --size=1 --grow
part raid.B0 --fstype=raid --ondisk=sdb --size=512
part raid.B1 --fstype=raid --ondisk=sdb --size=200
part raid.B2 --fstype=raid --ondisk=sdb --size=1 --grow
raid /boot     --device=0 --fstype=ext4  --level=1 raid.A0 raid.B0
raid /boot/efi --device=1 --fstype=efi   --level=1 raid.A1 raid.B1
raid pv.1      --device=2 --fstype=lvmpv --level=1 raid.A2 raid.B2
volgroup storage pv.1
logvol /    --fstype=ext4 --name=root --vgname=storage --size=8192
logvol swap --name=swap   --vgname=storage --size=8192
logvol /srv --fstype=xfs  --name=srv --vgname=storage --size=1 --grow
All partitions are marked as RAID type (no esp or boot).
MDRAID for  ESP is created with 1.0 metadata format (metadata at the end of the partition).

Autor: o Brak komentarzy:

środa, 27 maja 2020

Apache + PHP - deny policy

This is sample config for apache + php (mod_php) which by default blocks all .php and allow only specified locations:
1
2
3
4
5
6
7
8
9
10
11
12
php_admin_value engine off
<FilesMatch "\.php$">
  Deny from All
</FilesMatch>
<Location /index.php>
  Allow From All
  php_admin_value engine on
</Location>
<Location /sample/>
 Allow From All
 php_admin_value engine on
</Location>
This assume there is catch all to index.ph somewhere (.htaccess or vhost).
Autor: o Brak komentarzy:

czwartek, 6 lutego 2020

IPSec policy via plain old setkey

In old days I sometimes used IPSec keying (PSK) via manual rules (no IKE at all). I needed sample config for some PoC stuff. So for "future" use: On one side: 
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On other side: 
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Change spdadd policy direction only.
Autor: o Brak komentarzy:

piątek, 24 stycznia 2020

What is my IP? DNS way...

What is my IP via custom DNS server:
1
dig @ip.socha.it tell-me-my-ip +short
Other use cases
1
2
3
4
5
6
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short
 
dig @ip.socha.it ip TXT +short
dig @ip.socha.it ip TXT +short +tcp
Autor: o Brak komentarzy:

What is my IP? The nginx way...

Pure nginx solution ;)
1
curl -sf ip.socha.it
or
1
curl -sf ip.socha.it/eol

Nginx configuration:
1
2
3
4
5
6
7
8
9
10
11
server {
        listen 80;
        server_name ip.socha.it;
        default_type "text/plain";
        location /eol {
          return 200 "$remote_addr\n";
        }
        location / {
          return 200 $remote_addr;
        }
}
Autor: o Brak komentarzy:

niedziela, 19 stycznia 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on docker-compose service definition: priavate docker registry.

Quick setup
1
curl -sf automatus.cf/private-registry | bash

Or step by step.

  • Install docker & docker-compose
  • Create required directories
    1
    2
    3
    mkdir registry
    cd registry
    mkdir {auth,default}
  • Create docker-compose.yml file:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    version: '3'
     
    services:
      gateway:
        image: traefik:2.1
        restart: always
        command:
          - "--providers.docker"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.http.address=:80"
          - "--entrypoints.https.address=:443"
          - "--certificatesResolvers.le.acme.httpchallenge=true"
          - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
          - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
         #- "--api.insecure=true"
         #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
        ports:
          - 80:80
          - 443:443
          # API
          #- 8080:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - acme:/acme
          - ./auth:/auth
     
      registry:
        restart: always
        image: registry:2
        environment:
          REGISTRY_HTTP_SECRET: change-me
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.http.rule=Host(`hostname-change-me`)"
          - "traefik.http.routers.http.entrypoints=http"
          - "traefik.http.routers.https.rule=Host(`hostname-change-me`)"
          - "traefik.http.routers.https.entrypoints=https"
          - "traefik.http.routers.https.tls=true"
          - "traefik.http.routers.https.tls.certresolver=le"
          - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
          - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
          - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
          - "traefik.http.routers.http.middlewares=redirect,server-header"
          - "traefik.http.routers.https.middlewares=server-header,auth"
        volumes:
          - registry:/var/lib/registry
     
      # Catch-all default vhost
      default:
        image: nginx:stable
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)"
          - "traefik.http.routers.default.entrypoints=http"
          - "traefik.http.routers.default.priority=1"
          - "traefik.http.routers.default.middlewares=server-header"
        volumes:
          - ./default/default.conf:/etc/nginx/conf.d/default.conf
     
    volumes:
      acme:
      registry:
     
    # vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
  • Create default/default.conf file:
    1
    2
    3
    4
    server {
       listen 80 default_server;
       return 204;
    }
  • Create user and passwrd for registry access:
    1
    2
    3
    htpasswd -c auth/passwd username >auth/passwd
    #or
    docker run --rm -it httpd:alpine htpasswd >auth/passwd
  • Start project
    1
    docker-compose up -d
    • Autor: o Brak komentarzy:
    Subskrybuj: Posty (Atom)