Wednesday, 27 May 2020

Apache + PHP - deny policy

This is a sample config for Apache + PHP (mod_php) that blocks every .php file by default and enables PHP only in the listed locations:
php_admin_value engine off
<FilesMatch "\.php$">
  Deny from All
</FilesMatch>
<Location /index.php>
  Allow From All
  php_admin_value engine on
</Location>
<Location /sample/>
  Allow From All
  php_admin_value engine on
</Location>
This assumes there is a catch-all rewrite to index.php somewhere (.htaccess or vhost). Two things to keep in mind: php_admin_value engine off on its own would hand .php files to the default handler and serve their source as plain text, which is why the FilesMatch deny is there as well; and the Location sections win over FilesMatch because Apache merges Location sections last. Deny/Allow is Apache 2.2 syntax; on 2.4 it needs mod_access_compat, or replace the two directives with "Require all denied" and "Require all granted". Check the result with curl: a .php file outside the allowed locations (in an upload directory, say) must come back as 403, not as its source.

Thursday, 6 February 2020

IPSec policy via plain old setkey

In the old days I sometimes used IPSec keying (PSK) via manual rules (no IKE at all). I needed a sample config for some PoC stuff. So, for "future" use, on one side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On the other side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Only the spdadd policy direction changes between the two sides; the add lines (the SAs, with their SPIs and keys) are identical on both ends. The keys must be random bytes of the length the algorithm expects (32 bytes for the blowfish-cbc key as written, 20 for hmac-sha1), not a typed passphrase; setkey also accepts them as 0x-prefixed hex instead of a quoted string.
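Because the two scripts differ only in policy direction, it is easy to write one side by hand and mistype the other. The following is an added example (my code, not part of the original post) that generates both scripts from one description: random keys in setkey's 0x hex notation, a length check against the sizes setkey accepts, and a mirror check that the two outputs differ only in -P in/out. Gateway addresses, prefixes and SPIs are placeholders; it defaults to aes-cbc instead of blowfish-cbc (a 64-bit block cipher), but blowfish-cbc is still accepted when you want to reproduce the config above.

```python
#!/usr/bin/env python3
"""Emit matching setkey(8) scripts for both ends of a manually keyed ESP tunnel.
Added example, not part of the original post.  Addresses, prefixes and SPIs
are placeholders to be replaced."""
import secrets

# Key lengths in bytes that setkey accepts for each algorithm (setkey(8) table).
ALLOWED_KEY_BYTES = {
    "aes-cbc": {16, 24, 32},
    "blowfish-cbc": set(range(5, 57)),   # 64-bit block cipher; PoC only
    "hmac-sha1": {20},
    "hmac-sha256": {32},
}
DEFAULT_KEY_BYTES = {"aes-cbc": 32, "blowfish-cbc": 32, "hmac-sha1": 20, "hmac-sha256": 32}

SA_LINE = "add {src} {dst} esp 0x{spi:x} -m tunnel -E {enc} {ek} -A {auth} {ak};"
SPD_LINE = "spdadd {src_net} {dst_net} any -P {direction} ipsec esp/tunnel/{src}-{dst}/require;"


def random_key(alg):
    """Fresh random key in setkey's 0x... hex form, never a typed passphrase."""
    return "0x" + secrets.token_hex(DEFAULT_KEY_BYTES[alg])


def check_key(alg, key):
    """Accept a 0x-hex or a "quoted" string key and verify its length for alg."""
    if key.startswith("0x"):
        raw = bytes.fromhex(key[2:])
    elif len(key) >= 2 and key[0] == key[-1] == '"':
        raw = key[1:-1].encode("ascii")
    else:
        raise ValueError(f"{alg}: key must be 0x-hex or a quoted string")
    if len(raw) not in ALLOWED_KEY_BYTES[alg]:
        allowed = sorted(ALLOWED_KEY_BYTES[alg])
        raise ValueError(f"{alg}: {len(raw)}-byte key; allowed {allowed[0]}..{allowed[-1]}")
    return key


def setkey_scripts(a, b, spi_ab=0x1000, spi_ba=0x2000, enc="aes-cbc", auth="hmac-sha1", keys=None):
    """a, b: {"ip": gateway address, "net": prefix behind it}.
    keys: {"ab": (enc_key, auth_key), "ba": (enc_key, auth_key)}; random if omitted.
    Returns {"A": script for gateway a, "B": script for gateway b}."""
    if keys is None:
        keys = {d: (random_key(enc), random_key(auth)) for d in ("ab", "ba")}
    for ek, ak in keys.values():
        check_key(enc, ek)
        check_key(auth, ak)
    # The SAs are identical on both ends: one per direction, distinct SPI and keys.
    sas = [
        SA_LINE.format(src=a["ip"], dst=b["ip"], spi=spi_ab, enc=enc,
                       ek=keys["ab"][0], auth=auth, ak=keys["ab"][1]),
        SA_LINE.format(src=b["ip"], dst=a["ip"], spi=spi_ba, enc=enc,
                       ek=keys["ba"][0], auth=auth, ak=keys["ba"][1]),
    ]

    def script(local, remote):
        # Only the policy direction differs between the two ends.
        out = SPD_LINE.format(src_net=local["net"], dst_net=remote["net"], direction="out",
                              src=local["ip"], dst=remote["ip"])
        inn = SPD_LINE.format(src_net=remote["net"], dst_net=local["net"], direction="in",
                              src=remote["ip"], dst=local["ip"])
        return "\n".join(["#!/usr/sbin/setkey -f", "flush;", "spdflush;", *sas, "", out, inn, ""])

    return {"A": script(a, b), "B": script(b, a)}


def policies_mirror(script_a, script_b):
    """True when both scripts carry identical SAs and every policy flips only -P in/out."""
    def parts(text):
        lines = text.splitlines()
        return ({ln for ln in lines if ln.startswith("add ")},
                {ln for ln in lines if ln.startswith("spdadd ")})

    def flip(ln):
        return ln.replace("-P in ", "-P OUT ").replace("-P out ", "-P in ").replace("-P OUT ", "-P out ")

    sa_a, spd_a = parts(script_a)
    sa_b, spd_b = parts(script_b)
    return sa_a == sa_b and {flip(ln) for ln in spd_a} == spd_b


if __name__ == "__main__":
    # Placeholder gateways and prefixes (documentation addresses, not real hosts).
    side_a = {"ip": "198.51.100.1", "net": "100.100.0.0/16"}
    side_b = {"ip": "198.51.100.2", "net": "100.64.0.0/16"}
    scripts = setkey_scripts(side_a, side_b)
    assert policies_mirror(scripts["A"], scripts["B"])
    for name, text in scripts.items():
        print(f"### side {name}\n{text}")
```

Run it once, copy each script to its gateway and load it with setkey -f. Manual SAs never rekey, and setkey only does replay checking if you ask for it with -r, so rotate by regenerating and reloading both ends together, and use IKE for anything beyond a PoC.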

Friday, 24 January 2020

What is my IP? DNS way...

What is my IP, via a custom DNS server (query it directly with @, as below; through a recursive resolver you would get the resolver's address instead):
dig @ip.socha.it tell-me-my-ip +short
Other variants:
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short

dig @ip.socha.it ip TXT +short 
dig @ip.socha.it ip TXT +short +tcp
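The post only shows the client side. As an added example (my code, not the server behind ip.socha.it), here is a minimal authoritative responder that does the same thing: a query for ip or tell-me-my-ip (assumed names) gets an A, AAAA or TXT answer carrying the source address the query arrived from. The TTL is 0 because the answer is per-client, and the query has to reach this server directly, as the dig examples do with @: sent through a recursive resolver, the server sees the resolver's address and that is what it answers.

```python
#!/usr/bin/env python3
"""Tiny authoritative DNS responder that answers with the querier's own source
address.  Added example, not the server behind ip.socha.it; the answered names
and the TTL are assumptions."""
import socket
import struct

ANSWERED_NAMES = {"ip", "tell-me-my-ip"}   # assumed: the names the post queries
QTYPE_A, QTYPE_TXT, QTYPE_AAAA = 1, 16, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """'tell-me-my-ip' -> b'\\x0dtell-me-my-ip\\x00' (wire format, no compression)."""
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question query with RD set: what 'dig @server name' puts on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Return (txid, flags, qname, qtype, raw question section) of a 1-question packet."""
    txid, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                  # compression pointer: never valid in a query name
            raise ValueError("compressed qname")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype = struct.unpack_from("!HH", pkt, off)[0]
    off += 4
    return txid, flags, ".".join(labels).lower(), qtype, pkt[12:off]


def build_response(query, client_ip):
    """Answer with client_ip.  TTL 0: the answer depends on the source, so never cache it."""
    txid, qflags, qname, qtype, question = parse_question(query)
    rcode = RCODE_NOERROR if qname in ANSWERED_NAMES else RCODE_NXDOMAIN
    rdata = None
    if rcode == RCODE_NOERROR:
        if qtype == QTYPE_A and ":" not in client_ip:
            rdata = socket.inet_pton(socket.AF_INET, client_ip)
        elif qtype == QTYPE_AAAA and ":" in client_ip:
            rdata = socket.inet_pton(socket.AF_INET6, client_ip)
        elif qtype == QTYPE_TXT:
            txt = client_ip.encode("ascii")
            rdata = bytes([len(txt)]) + txt   # a single <character-string>
    ancount = 1 if rdata is not None else 0
    flags = 0x8400 | (qflags & 0x0100) | rcode   # QR + AA, echo RD, rcode
    resp = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question
    if rdata is not None:
        # Name is a pointer to the question name at offset 12; class IN; TTL 0.
        resp += struct.pack("!HHHIH", 0xC00C, qtype, 1, 0, len(rdata)) + rdata
    return resp


def decode_answer(resp):
    """Text of the first answer record (what 'dig +short' prints); None if there is none."""
    if struct.unpack_from("!H", resp, 6)[0] == 0:
        return None
    off = 12
    while resp[off] != 0:             # skip the question name (questions carry no pointers)
        off += 1 + resp[off]
    off += 1 + 4                      # root label, then qtype/qclass
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off + 2)   # +2 skips name pointer
    rdata = resp[off + 12:off + 12 + rdlen]
    if rtype == QTYPE_A:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == QTYPE_AAAA:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == QTYPE_TXT:
        return rdata[1:1 + rdata[0]].decode("ascii")
    return None


def serve(bind="0.0.0.0", port=53):
    """UDP only; 'dig +tcp' would need a TCP listener with the 2-byte length prefix."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data, peer[0]), peer)
        except (ValueError, IndexError, struct.error):
            pass                      # malformed query: drop it silently


if __name__ == "__main__":
    serve()
```

Run it as root on the host the name server record points at, then dig @that-host ip +short from anywhere returns the querying host's public address. Because the responder is authoritative only for these two names and returns NXDOMAIN for everything else, it cannot be used as an open resolver.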

What is my IP? The nginx way...

Pure nginx solution ;)
curl -sf ip.socha.it
or
curl -sf ip.socha.it/eol

Nginx configuration ($remote_addr is the TCP peer address; behind a CDN or reverse proxy it would be the proxy's, and switching to X-Forwarded-For is only safe with set_real_ip_from restricted to that proxy, since the header is otherwise client-controlled):
server {
        listen 80;
        server_name ip.socha.it;
        default_type "text/plain";
        location /eol {
          return 200 "$remote_addr\n";
        }
        location / {
          return 200 $remote_addr;
        }
}

Sunday, 19 January 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on a docker-compose service definition: a private Docker registry.

Quick setup (read the script before piping it into a shell):
curl -sf automatus.cf/private-registry | bash

Or step by step. Before starting, replace hostname-change-me with the registry's FQDN and set REGISTRY_HTTP_SECRET to a random value (the registry uses it to sign upload-session state handed to clients). Keep api.insecure commented out: the gateway container holds the Docker socket, which is root-equivalent on the host, and that flag exposes the Traefik API without authentication.

  • Install docker & docker-compose
  • Create required directories
    mkdir registry
    cd registry
    mkdir {auth,default}
    
  • Create docker-compose.yml file:
    version: '3'
    
    services:
      gateway:
        image: traefik:2.1
        restart: always
        command: 
          - "--providers.docker"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.http.address=:80"
          - "--entrypoints.https.address=:443"
          - "--certificatesResolvers.le.acme.httpchallenge=true"
          - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
          - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
         #- "--api.insecure=true"
         #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
        ports:
          - 80:80
          - 443:443
          # API
          #- 8080:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - acme:/acme
          - ./auth:/auth
    
      registry:
        restart: always
        image: registry:2
        environment:
          REGISTRY_HTTP_SECRET: change-me
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.http.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.http.entrypoints=http"
          - "traefik.http.routers.https.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.https.entrypoints=https"
          - "traefik.http.routers.https.tls=true"
          - "traefik.http.routers.https.tls.certresolver=le"
          - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
          - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
          - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
          - "traefik.http.routers.http.middlewares=redirect,server-header"
          - "traefik.http.routers.https.middlewares=server-header,auth"
        volumes:
          - registry:/var/lib/registry
    
      # Catch-all default vhost
      default:
        image: nginx:stable
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)" 
          - "traefik.http.routers.default.entrypoints=http"
          - "traefik.http.routers.default.priority=1"
          - "traefik.http.routers.default.middlewares=server-header"
        volumes:
          - ./default/default.conf:/etc/nginx/conf.d/default.conf
    
    volumes:
      acme:
      registry:
    
    # vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent : 
    
  • Create default/default.conf file:
    server { 
       listen 80 default_server; 
       return 204;
    }
    
  • Create a user and password for registry access (bcrypt, which Traefik's basicauth accepts):
    htpasswd -cB auth/passwd username
    #or, without a local htpasswd (-b puts the password on the command line and in shell history)
    docker run --rm httpd:alpine htpasswd -nbB username 'change-me' >auth/passwd
    
  • Start project
    docker-compose up -d