czwartek, 20 sierpnia 2020

CentOS 7/8 UEFI with ESP on RAID1

Kickstart configuration for RAID1 setup on UEFI firmware. 
clearpart --all --initlabel 
part raid.A0 --fstype=raid --ondisk=sda --size=512
part raid.A1 --fstype=raid --ondisk=sda --size=200
part raid.A2 --fstype=raid --ondisk=sda --size=1 --grow
part raid.B0 --fstype=raid --ondisk=sdb --size=512
part raid.B1 --fstype=raid --ondisk=sdb --size=200
part raid.B2 --fstype=raid --ondisk=sdb --size=1 --grow
raid /boot     --device=0 --fstype=ext4  --level=1 raid.A0 raid.B0
raid /boot/efi --device=1 --fstype=efi   --level=1 raid.A1 raid.B1
raid pv.1      --device=2 --fstype=lvmpv --level=1 raid.A2 raid.B2
volgroup storage pv.1
logvol /    --fstype=ext4 --name=root --vgname=storage --size=8192
logvol swap --name=swap   --vgname=storage --size=8192
logvol /srv --fstype=xfs  --name=srv --vgname=storage --size=1 --grow
All partitions are marked as RAID type (no esp or boot).
MDRAID for  ESP is created with 1.0 metadata format (metadata at the end of the partition).

Autor: o Brak komentarzy:

środa, 27 maja 2020

Apache + PHP - deny policy

This is sample config for apache + php (mod_php) which by default blocks all .php and allow only specified locations: 
php_admin_value engine off
<FilesMatch "\.php$">
  Deny from All
</FilesMatch>
<Location /index.php>
  Allow From All
  php_admin_value engine on
</Location>
<Location /sample/>
 Allow From All
 php_admin_value engine on
</Location>
This assume there is catch all to index.ph somewhere (.htaccess or vhost).
Autor: o Brak komentarzy:

czwartek, 6 lutego 2020

IPSec policy via plain old setkey

In old days I sometimes used IPSec keying (PSK) via manual rules (no IKE at all). I needed sample config for some PoC stuff. So for "future" use: On one side: 
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On other side: 
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Change spdadd policy direction only.
Autor: o Brak komentarzy:

piątek, 24 stycznia 2020

What is my IP? DNS way...

What is my IP via custom DNS server: 
dig @ip.socha.it tell-me-my-ip +short
Other use cases 
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short

dig @ip.socha.it ip TXT +short 
dig @ip.socha.it ip TXT +short +tcp
Autor: o Brak komentarzy:

What is my IP? The nginx way...

Pure nginx solution ;) 
curl -sf ip.socha.it
or 
curl -sf ip.socha.it/eol

Nginx configuration: 
server {
        listen 80;
        server_name ip.socha.it;
        default_type "text/plain";
        location /eol {
          return 200 "$remote_addr\n";
        }
        location / {
          return 200 $remote_addr;
        }
}
Autor: o Brak komentarzy:

niedziela, 19 stycznia 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on docker-compose service definition: priavate docker registry.

Quick setup
curl -sf automatus.cf/private-registry | bash

Or step by step.

  • Install docker & docker-compose
  • Create required directories 
    mkdir registry
cd registry
mkdir {auth,default}
  • Create docker-compose.yml file: 
    version: '3'

services:
  gateway:
    image: traefik:2.1
    restart: always
    command: 
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesResolvers.le.acme.httpchallenge=true"
      - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
      - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
     #- "--api.insecure=true"
     #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      - 80:80
      - 443:443
      # API
      #- 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - acme:/acme
      - ./auth:/auth

  registry:
    restart: always
    image: registry:2
    environment:
      REGISTRY_HTTP_SECRET: change-me
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.http.rule=Host(`hostname-change-me`)" 
      - "traefik.http.routers.http.entrypoints=http"
      - "traefik.http.routers.https.rule=Host(`hostname-change-me`)" 
      - "traefik.http.routers.https.entrypoints=https"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.https.tls.certresolver=le"
      - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
      - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
      - "traefik.http.routers.http.middlewares=redirect,server-header"
      - "traefik.http.routers.https.middlewares=server-header,auth"
    volumes:
      - registry:/var/lib/registry

  # Catch-all default vhost
  default:
    image: nginx:stable
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)" 
      - "traefik.http.routers.default.entrypoints=http"
      - "traefik.http.routers.default.priority=1"
      - "traefik.http.routers.default.middlewares=server-header"
    volumes:
      - ./default/default.conf:/etc/nginx/conf.d/default.conf

volumes:
  acme:
  registry:

# vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
  • Create default/default.conf file: 
    server { 
   listen 80 default_server; 
   return 204;
}
  • Create user and passwrd for registry access: 
    htpasswd -c auth/passwd username >auth/passwd
#or
docker run --rm -it httpd:alpine htpasswd >auth/passwd
  • Start project 
    docker-compose up -d
    • Autor: o Brak komentarzy:
    Subskrybuj: Posty (Atom)