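version: "3.5"
services:
  # Traefik edge router: terminates TLS with Let's Encrypt wildcard
  # certificates obtained through the DigitalOcean DNS-01 challenge.
  gateway:
    image: traefik:2.4
    restart: always
    environment:
      # API token used by the DNS-01 challenge. A DigitalOcean token can
      # change every DNS record in the account, so it must not be written
      # into this file: substitute it from the shell or a .env file.
      # Compose aborts with the message below when it is unset.
      DO_AUTH_TOKEN: "${DO_AUTH_TOKEN:?DO_AUTH_TOKEN must be set in the environment}"
    command:
      - "--providers.docker"
      # Only containers that opt in with traefik.enable=true are routed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      # DNS-01 only: the wildcard names in the SANs below cannot be
      # validated with HTTP-01, so the HTTP challenge stays disabled.
      - "--certificatesresolvers.le.acme.httpchallenge=false"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=digitalocean"
      # The original line carried a stray trailing quote (`=0"`), which is
      # not a valid duration. 0 skips the pre-check delay; raise it if
      # DigitalOcean DNS propagation turns out to be slow.
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0"
      # acme.json holds the ACME account key and certificate private keys;
      # Traefik expects it to be mode 0600.
      - "--certificatesresolvers.le.acme.storage=/acme/acme.json"
      # Use the staging CA while testing to stay under production rate limits.
      #- "--certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      # Quoted on purpose: port mappings are strings, not YAML numbers.
      - "80:80"
      - "443:443"
    volumes:
      # The Docker provider needs the socket, but socket access is
      # root-equivalent on the host. `:ro` only affects the mount; it does
      # not limit what can be requested over the socket, so a socket proxy
      # restricted to read-only endpoints is the stronger option.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - acme:/acme
  # Catch-all backend: answers for every hostname on both entrypoints and
  # owns the wildcard certificate.
  default:
    image: nginx:stable
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      # Plain-HTTP router: matches any host and only redirects to HTTPS.
      - "traefik.http.routers.app-http.rule=HostRegexp(`{default:.*}`)"
      - "traefik.http.routers.app-http.entrypoints=http"
      - "traefik.http.routers.app-http.middlewares=redirect"
      - "traefik.http.routers.app-https.rule=HostRegexp(`{default:.*}`)"
      - "traefik.http.routers.app-https.entrypoints=https"
      - "traefik.http.routers.app-https.tls=true"
      - "traefik.http.routers.app-https.tls.certresolver=le"
      # Explicit domain list: with a regexp host rule Traefik cannot infer
      # the certificate names, and the wildcards require DNS-01.
      - "traefik.http.routers.app-https.tls.domains[0].main=test.example.com"
      - "traefik.http.routers.app-https.tls.domains[0].sans=*.test.example.com,other.example.pl,*.other.example.pl"
    volumes:
      # Serve a dedicated subdirectory (create ./html first), read-only.
      # The original mounted `./` -- the directory holding this compose
      # file -- so nginx served docker-compose.yml, including any token
      # written into it, at /docker-compose.yml to anyone who asked.
      - ./html:/usr/share/nginx/html:ro
volumes:
  acme: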
# vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
niedziela, 28 lutego 2021
Traefik wildcard TLS with Digital Ocean DNS provider
czwartek, 20 sierpnia 2020
CentOS 7/8 UEFI with ESP on RAID1
Kickstart configuration for RAID1 setup on UEFI firmware.
clearpart --all --initlabel
part raid.A0 --fstype=raid --ondisk=sda --size=512
part raid.A1 --fstype=raid --ondisk=sda --size=200
part raid.A2 --fstype=raid --ondisk=sda --size=1 --grow
part raid.B0 --fstype=raid --ondisk=sdb --size=512
part raid.B1 --fstype=raid --ondisk=sdb --size=200
part raid.B2 --fstype=raid --ondisk=sdb --size=1 --grow
raid /boot --device=0 --fstype=ext4 --level=1 raid.A0 raid.B0
raid /boot/efi --device=1 --fstype=efi --level=1 raid.A1 raid.B1
raid pv.1 --device=2 --fstype=lvmpv --level=1 raid.A2 raid.B2
volgroup storage pv.1
logvol / --fstype=ext4 --name=root --vgname=storage --size=8192
logvol swap --name=swap --vgname=storage --size=8192
logvol /srv --fstype=xfs --name=srv --vgname=storage --size=1 --grow
All partitions are created with the RAID partition type (no separate `esp` or `boot` partition types).
The MDRAID for the ESP is created with the 1.0 metadata format (metadata at the end of the partition), so the firmware, which knows nothing about MD, sees a plain FAT filesystem at the start of each member.
środa, 27 maja 2020
Apache + PHP - deny policy
This is a sample config for Apache + PHP (mod_php) which by default blocks all .php files and allows only the specified locations:
php_admin_value engine off
<FilesMatch "\.php$">
    Deny from All
</FilesMatch>
<Location /index.php>
    Allow From All
    php_admin_value engine on
</Location>
<Location /sample/>
    Allow From All
    php_admin_value engine on
</Location>
This assumes there is a catch-all to index.php somewhere (.htaccess or vhost). Note that `Deny`/`Allow` is Apache 2.2 syntax; on 2.4 it needs mod_access_compat, otherwise use `Require all denied` / `Require all granted`. The global `engine off` is the real guard: `\.php$` only matches names ending in .php, whereas mod_mime can hand a name like `x.php.bak` to PHP depending on how the handler is mapped.
czwartek, 6 lutego 2020
IPSec policy via plain old setkey
In the old days I sometimes used manually keyed IPsec (static pre-shared keys set with setkey, no IKE at all). I needed a sample config for some PoC stuff.
So, for "future" use (PoC only: Blowfish has a 64-bit block, manually keyed SAs never rotate, and a quoted setkey key is taken as literal ASCII, so "<32 chars>" of typed text carries far less than 256 bits of entropy — use hex keys from `openssl rand -hex N`, and IKE with AES for anything real):
On one side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
spdadd 100.100.0.0/16 100.64.0.0/16 any -P in ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16 100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On the other side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
spdadd 100.100.0.0/16 100.64.0.0/16 any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16 100.100.0.0/16 any -P in ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
The SAs and keys are identical on both sides; only the spdadd policy direction (in/out) changes.
piątek, 24 stycznia 2020
What is my IP? DNS way...
What is my IP via custom DNS server:
dig @ip.socha.it tell-me-my-ip +short
Other use cases:
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short
dig @ip.socha.it ip TXT +short
dig @ip.socha.it ip TXT +short +tcp
What is my IP? The nginx way...
Pure nginx solution ;)
Usage:
curl -sf ip.socha.it
or
curl -sf ip.socha.it/eol
Nginx configuration:
# Echo the client's source address as plain text. $remote_addr is the TCP
# peer, so behind a proxy or load balancer this reports the proxy instead.
server {
    listen *:80;
    server_name ip.socha.it;
    default_type "text/plain";

    # Prefix locations: the longest match wins regardless of order, so
    # /eol is still picked over / for /eol requests.
    location / {
        return 200 "$remote_addr";
    }
    # Newline-terminated variant for scripts.
    location /eol {
        return 200 "$remote_addr\n";
    }
}
niedziela, 19 stycznia 2020
Traefik v2 - private docker repository
It's time to migrate from Traefik v1 to Traefik v2.
Sample project based on a docker-compose service definition: a private Docker registry.
Quick setup
Or step by step.
Install docker & docker-compose
Create required directories
Create docker-compose.yml file:
Create default/default.conf file:
Create user and password for registry access:
Start project
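# Fetch the installer to a file, read it, then run it. Piping a remote
# script straight into bash executes whatever the server (or anyone on the
# path, since a bare hostname makes curl use plain HTTP) sends, before you
# can see it. Use https:// if the host offers it.
curl -sf -o private-registry.sh https://automatus.cf/private-registry
less private-registry.sh
bash private-registry.sh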
Or step by step.
# Project layout: registry/auth holds the htpasswd file, registry/default
# the catch-all nginx vhost.
mkdir registry
cd registry
mkdir auth default
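version: '3'
services:
  # Traefik v2 edge router. Certificates come from Let's Encrypt over the
  # HTTP-01 challenge, so port 80 of the registry hostname must be
  # reachable from the internet.
  gateway:
    # 2.1 is what this post was written against; track a current 2.x release.
    image: traefik:2.1
    restart: always
    command:
      - "--providers.docker"
      # Only containers labelled traefik.enable=true are exposed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesResolvers.le.acme.httpchallenge=true"
      - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
      # acme.json holds the ACME account key and certificate private keys;
      # Traefik expects it to be mode 0600.
      - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
      # The insecure API serves the dashboard and the complete routing
      # configuration on :8080 with no authentication. Leave it off on an
      # internet-facing host; if a dashboard is needed, expose it through a
      # router protected by the `auth` middleware below.
      #- "--api.insecure=true"
      # Staging CA for testing; production issuance is rate-limited.
      #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      # Quoted on purpose: port mappings are strings, not YAML numbers.
      - "80:80"
      - "443:443"
      # API (only together with --api.insecure, see above)
      #- "8080:8080"
    volumes:
      # Required by the Docker provider, but socket access is root-equivalent
      # on the host. `:ro` only affects the mount; it does not limit what can
      # be requested over the socket, so a socket proxy restricted to the
      # read-only endpoints is the stronger option.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - acme:/acme
      # Traefik only reads the htpasswd file.
      - ./auth:/auth:ro
  registry:
    restart: always
    image: registry:2
    environment:
      # Used by the registry to sign state it hands to clients; a fixed,
      # published value defeats that. Supply a random secret from the shell
      # or a .env file instead of committing one here.
      REGISTRY_HTTP_SECRET: "${REGISTRY_HTTP_SECRET:?REGISTRY_HTTP_SECRET must be set in the environment}"
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: it only redirects, so nothing is proxied to the
      # registry unencrypted.
      - "traefik.http.routers.http.rule=Host(`hostname-change-me`)"
      - "traefik.http.routers.http.entrypoints=http"
      - "traefik.http.routers.https.rule=Host(`hostname-change-me`)"
      - "traefik.http.routers.https.entrypoints=https"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.https.tls.certresolver=le"
      # Sets a fixed Server response header on every reply.
      - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      # Basic auth from the htpasswd file created in ./auth; prefer bcrypt
      # entries (htpasswd -B) over the default apr1/MD5 ones.
      - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
      - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
      - "traefik.http.routers.http.middlewares=redirect,server-header"
      # Authentication is enforced on the HTTPS router only, where the
      # credentials travel encrypted.
      - "traefik.http.routers.https.middlewares=server-header,auth"
    volumes:
      - registry:/var/lib/registry
  # Catch-all default vhost: any hostname other than the registry's gets an
  # empty 204 from nginx instead of Traefik's default 404.
  default:
    image: nginx:stable
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)"
      - "traefik.http.routers.default.entrypoints=http"
      # Lowest priority so the registry's exact Host() rule wins.
      - "traefik.http.routers.default.priority=1"
      - "traefik.http.routers.default.middlewares=server-header"
    volumes:
      - ./default/default.conf:/etc/nginx/conf.d/default.conf:ro
volumes:
  acme:
  registry: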
# vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
# Catch-all vhost: requests for hostnames nothing else claims get an empty
# 204 rather than a default page or directory listing.
server {
    listen *:80 default_server;
    return 204;
}
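# Create the htpasswd file for Traefik's basicauth middleware. `-c` writes
# the file itself, so the original `>auth/passwd` redirect was redundant (it
# truncated the file a moment before htpasswd rewrote it). `-B` selects
# bcrypt; without it htpasswd defaults to the MD5-based apr1 scheme.
htpasswd -cB auth/passwd username
chmod 600 auth/passwd
# or, without htpasswd installed (-n prints the entry to stdout instead of
# writing a file):
# docker run --rm -it httpd:alpine htpasswd -nB username >auth/passwd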
# Start everything in the background; Traefik discovers the other services
# through the Docker socket.
docker-compose up --detach