Lighttpd – block user agent

 

In lighttpd we can block or deny access to a specific user agent.

Syntax to block user agent:

$HTTP["useragent"] =~ "User agent name" {url.access-deny = ( "" )}

where “User agent name” is any user agent.

Example:

$HTTP["useragent"] =~ "Xenu Link Sleuth" {url.access-deny = ( "" )}

The above example blocks every request whose User-Agent header matches “Xenu Link Sleuth”. Note that =~ is a regular-expression match, so a substring match is enough; use ^ and $ anchors if you want an exact match.

keepalived mail notification

 

To get mail alerts from keepalived (on every state change from MASTER to BACKUP or BACKUP to MASTER), add the following block to the keepalived.conf file:

global_defs {
  notification_email {
    user@hostname.com
  }
  notification_email_from lb-alert@hostname.com
  smtp_server your.smtpserver.com
  smtp_connect_timeout 30
}

Next, add the following line to the vrrp_instance VI_1 block of keepalived.conf:

smtp_alert

After adding smtp_alert, the vrrp_instance VI_1 block looks like this:

vrrp_instance VI_1 {
  ...Your Code...
  ...Your Code...
  ...Your Code...
  smtp_alert
  ...Your Code...
  ...Your Code...
  ...Your Code...
}

After making the above two changes, restart keepalived.

$ service keepalived restart

HAProxy – Starting proxy webfarm: cannot bind socket

This morning, when I was trying to start haproxy on one of the servers, I got the following error:

[ALERT] 096/213653 (26549) : Starting proxy webfarm: cannot bind socket

I spent around 2 hours debugging this issue.

Here is the solution:

HAProxy tries to bind to the virtual IP, which is only present on the active node. Since the virtual IP is currently bound to the active node, this standby server cannot bind to it.

To resolve this, append net.ipv4.ip_nonlocal_bind=1 to the /etc/sysctl.conf file; this setting lets a process bind to an address that is not (yet) assigned to the local host.

Open /etc/sysctl.conf and append the following line:

net.ipv4.ip_nonlocal_bind=1

After adding the line, run the following command to apply it and confirm that the setting was updated:

$ sysctl -p

Output:

net.ipv4.ip_nonlocal_bind = 1

In the output of sysctl -p we can see net.ipv4.ip_nonlocal_bind = 1.

Now start HAProxy:

$ service haproxy restart

Output:
* Restarting haproxy haproxy

After starting, check the HAProxy status:

$ service haproxy status

Output:
haproxy is running.

To find where your virtual IP is

To find which host your virtual IP is currently bound to, run the following command on each host:

$ ip addr

Check the output for your virtual IP.
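The two checks above (the sysctl value and which host currently holds the VIP) combined into one pre-flight script that predicts whether HAProxy's bind will succeed on this node. This is an added example, not part of the original post; the VIP 192.168.2.100 and the two `ip -o -4 addr` samples are constructed, while `ip -o -4 addr` and `sysctl -n` are the real commands.

```shell
#!/bin/sh
# Pre-flight check: can haproxy bind its frontend address on this node?
# A bind to the VIP succeeds if the VIP is assigned locally (this node is
# MASTER) or if net.ipv4.ip_nonlocal_bind is 1 (this node is BACKUP).

# Constructed sample of `ip -o -4 addr` on a BACKUP node (VIP absent).
SAMPLE_IP_ADDR_BACKUP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.2.21/24 brd 192.168.2.255 scope global eth0'

# Same node after keepalived promoted it to MASTER (VIP 192.168.2.100 present).
SAMPLE_IP_ADDR_MASTER='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.2.21/24 brd 192.168.2.255 scope global eth0
2: eth0    inet 192.168.2.100/32 scope global eth0'

# vip_is_local ADDR_TEXT VIP -> 0 if VIP is one of the addresses in ADDR_TEXT.
# The trailing "/" keeps 192.168.2.1 from matching 192.168.2.100.
vip_is_local() {
  escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -Eq "[[:space:]]inet[[:space:]]+$escaped/"
}

# bind_will_succeed ADDR_TEXT VIP NONLOCAL_BIND -> 0 if haproxy can bind VIP.
# NONLOCAL_BIND is the value of net.ipv4.ip_nonlocal_bind (0 or 1).
bind_will_succeed() {
  if vip_is_local "$1" "$2"; then
    return 0
  fi
  [ "$3" = "1" ]
}

# check_live VIP -> runs the check against the current host (not used offline).
check_live() {
  vip="$1"
  nonlocal=$(sysctl -n net.ipv4.ip_nonlocal_bind 2>/dev/null || echo 0)
  addrs=$(ip -o -4 addr 2>/dev/null)
  if bind_will_succeed "$addrs" "$vip" "$nonlocal"; then
    echo "ok: haproxy can bind $vip (net.ipv4.ip_nonlocal_bind=$nonlocal)"
  else
    echo "cannot bind $vip: not assigned here and net.ipv4.ip_nonlocal_bind=$nonlocal" >&2
    return 1
  fi
}
```

Run `check_live 192.168.2.100` on the node that fails to start HAProxy; if it reports "cannot bind", the sysctl change above is the fix rather than anything in haproxy.cfg.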

Start HAProxy with init script

To start HAProxy with the init script, set the ENABLED option to 1 in the /etc/default/haproxy file.

Open the /etc/default/haproxy file:

$ vim /etc/default/haproxy

Append the following line:

ENABLED=1

After adding the line, restart HAProxy.

$ service haproxy restart 

Output:
* Restarting haproxy haproxy

Enable ssl/https with apache2 on Ubuntu

 

First install apache2 on your Ubuntu machine, then follow the procedure below to enable ssl/https.

Enable ssl:

$ sudo a2enmod ssl

Activate new virtual host:

$ sudo a2ensite default-ssl

Create a self-signed ssl certificate:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

The above command will prompt for details such as country name, state, email address, etc.

Set ssl certificates path in /etc/apache2/sites-available/default-ssl file:

$ vim /etc/apache2/sites-available/default-ssl

Find the lines starting with SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile and change them as follows:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Then save and exit the default-ssl file.

Now reload apache2:

$ sudo service apache2 reload

After reloading, try accessing your hostname/IP over https in your browser.
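A scriptable version of the certificate step above, with a check that the key and certificate actually belong together before apache2 is reloaded (a mismatched pair makes the SSL virtual host fail to start). This is an added example, not from the original post; it assumes OpenSSL is installed, the subject fields are placeholders, and the directory /etc/apache2/ssl is created explicitly because it does not exist on a fresh Ubuntu install.

```shell
#!/bin/sh
# Non-interactive self-signed certificate for the default-ssl vhost, plus
# sanity checks to run before `service apache2 reload`.

# make_selfsigned DIR CN -> writes DIR/apache.key (mode 0600) and DIR/apache.crt
make_selfsigned() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"   # /etc/apache2/ssl is not created by the apache2 package
  (
    umask 077       # the private key must not be readable by other users
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -subj "/C=XX/ST=State/L=City/O=Example/CN=$cn" \
      -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
  ) || return 1
  chmod 644 "$dir/apache.crt"   # the certificate itself is public
}

# pair_matches KEY CRT -> 0 if the public key embedded in CRT was derived from KEY
pair_matches() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT -> prints the subject CN (quick check that the right name went in)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# install_apache_cert -> generate into the paths used by default-ssl and verify,
# then let apache2 validate its own config. Run as root; not used offline.
install_apache_cert() {
  make_selfsigned /etc/apache2/ssl "$(hostname -f)" &&
  pair_matches /etc/apache2/ssl/apache.key /etc/apache2/ssl/apache.crt &&
  apache2ctl configtest
}
```

Browsers will still warn about a self-signed certificate; the pair check only guarantees that apache2 can load the files, not that clients will trust them.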

Apache2 disable http

 

If for security reasons you want to disable http on your apache2 webserver, comment out the following lines in the /etc/apache2/ports.conf file.

First, open the /etc/apache2/ports.conf file in any editor.

Then search for the following lines in ports.conf:

NameVirtualHost *:80
Listen 80

Comment out the lines above:

#NameVirtualHost *:80
#Listen 80

After commenting them out, restart apache2.

$ service apache2 restart

Now try to access your website over http; the browser should report that it is unable to connect.

How to view nginx status

 

To view the nginx status, a small configuration change is required in nginx.conf.

I used the following configuration to get the nginx status:

location = /nginx_status {
  stub_status on;
  allow 192.168.2.20;
  deny all;
}

Since it is not a good idea to give access to the nginx_status url, I am allowing only one IP and denying all others.

After changing the configuration, restart nginx and view the status at the url http://yourhostname/nginx_status

The output looks something like this:

Active connections: 1 
server accepts handled requests
 10 10 55 
Reading: 0 Writing: 1 Waiting: 0
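A small parser for the stub_status output above, as an added example that is not part of the original post. Besides turning the page into key=value pairs for a monitoring check, it computes accepts minus handled: nginx reports handled lower than accepts only when a resource limit such as worker_connections was hit, so a non-zero difference is worth alerting on. The sample text is constructed from the output shown above; the URL used by fetch_status is the one configured above.

```shell
#!/bin/sh
# Parse the nginx stub_status page and flag dropped connections.

# Constructed sample, copied from the stub_status output shown in the post.
SAMPLE_STATUS='Active connections: 1 
server accepts handled requests
 10 10 55 
Reading: 0 Writing: 1 Waiting: 0'

# parse_status TEXT -> prints one line of key=value pairs for the seven counters
parse_status() {
  printf '%s\n' "$1" | awk '
    /^Active connections:/ { active = $3 }
    /^server accepts/      { getline; accepts = $1; handled = $2; requests = $3 }
    /^Reading:/            { reading = $2; writing = $4; waiting = $6 }
    END {
      printf "active=%d accepts=%d handled=%d requests=%d reading=%d writing=%d waiting=%d\n",
             active, accepts, handled, requests, reading, writing, waiting
    }'
}

# dropped_connections TEXT -> prints accepts - handled (0 on a healthy server)
dropped_connections() {
  printf '%s\n' "$1" | awk '/^server accepts/ { getline; print $1 - $2 }'
}

# fetch_status URL -> live fetch from the allowed IP (not used by the offline test)
fetch_status() {
  curl -fsS "$1"
}

# check_live URL -> exit 1 if connections were dropped since nginx started
check_live() {
  status=$(fetch_status "$1") || return 1
  parse_status "$status"
  [ "$(dropped_connections "$status")" -eq 0 ]
}
```

Because the location above only answers to 192.168.2.20, check_live has to run from that host (or the allow line has to include the monitoring host); the parse functions themselves work on any saved copy of the page.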

Nginx password protect website

 

Whenever there was a requirement to protect a website or a particular folder of a website with a username and password, we used to do it with Apache2/Apache HTTP.

This time I thought I would try it with Nginx.

Here I am proxying all requests to an upstream, and I wanted to protect it with a username and password.

Again I used the apache2-utils package to protect the website.

Install apache2-utils:

$ apt-get install apache2-utils

Now create a user with some password:

$ htpasswd -c /etc/nginx/conf.d/.htpasswd/passwd username

where username is any username you wish; it will prompt for a password, so enter one.

After creating the username and password, add the following configuration to the http block of nginx.conf.

upstream appcluster {
  server 192.168.2.20:8080;
}

server {
  listen *;
  location / {
    proxy_pass http://appcluster;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

The upstream block proxies all requests arriving at your hostname to port 8080 on IP 192.168.2.20.

After adding the above configuration, restart nginx and try to access your hostname; it should ask for a username and password.

In the above configuration, the following 2 lines are responsible for protecting your website:

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
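Creating and verifying entries for the auth_basic_user_file without apache2-utils, using OpenSSL's apr1 (Apache MD5) scheme, which is the format htpasswd writes by default and which nginx accepts. This is an added example, not from the original post; it assumes OpenSSL is installed, and the users, passwords and salt below are constructed. The verify function is handy for checking a credential file offline before it is deployed.

```shell
#!/bin/sh
# htpasswd-compatible entries with OpenSSL only.

# htpasswd_entry USER PASSWORD [SALT] -> prints "USER:$apr1$SALT$hash"
# The password goes in on stdin so it never appears in the process list.
htpasswd_entry() {
  user="$1"; pass="$2"; salt="${3:-$(openssl rand -hex 4)}"   # apr1 salt: max 8 chars
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
  printf '%s:%s\n' "$user" "$hash"
}

# verify_password FILE USER PASSWORD -> 0 if FILE holds USER and the hash matches.
# Recomputes the hash with the salt stored in the file, as the server would.
verify_password() {
  stored=$(grep "^$2:" "$1" | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ -n "$salt" ] || return 1
  [ "$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# install_entry FILE USER PASSWORD -> append an entry and keep the file readable
# only by root and the nginx worker group (run as root; not used offline)
install_entry() {
  htpasswd_entry "$2" "$3" >> "$1"
  chown root:www-data "$1" && chmod 640 "$1"
}
```

The file path used above is the one from the configuration; nginx only needs to read it, so it should not be world-readable. Note that basic auth sends the credentials base64-encoded on every request, so this protection is only meaningful on an https listener.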

After adding all the configuration to nginx.conf, this is my http block:

http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

  include /etc/nginx/mime.types;

  default_type application/octet-stream;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;
  gzip_disable "msie6";

  upstream appcluster {
    server 192.168.2.20:8080;
  }

  server {
    listen *;
    location / {
      proxy_pass http://appcluster;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
      proxy_set_header X-Real-IP $remote_addr;
    }
  }
}

Apache httpd redirect all requests to https

 

To redirect all http requests to https, add the following rule to apache2.conf, httpd.conf or the .htaccess file.

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://www.example.com/secure

I added the above rule in the .htaccess file of the secure directory. This rule will redirect all requests coming to the /secure directory to https authentication.

After adding it, restart apache2/httpd and test.

Ubuntu – Apache2 enable expires headers

 

To enable expires headers (mod_expires) with apache2 on Ubuntu, use the following command:

$ a2enmod expires


Now restart apache2 with either of the following commands:

$ service apache2 restart

or

$ /etc/init.d/apache2 restart

There are 2 ways to add expires headers:

  • FilesMatch with ExpiresDefault directives
  • ExpiresByType

To enable expires headers with FilesMatch and ExpiresDefault directives, add the following lines to the /etc/apache2/sites-available/default file:

<VirtualHost *:80>
...
...
<IfModule mod_expires.c>
          <FilesMatch "\.(png|css|js|jpe?g|gif)$">
                      ExpiresActive On
                      ExpiresDefault "access plus 1 day"
          </FilesMatch>
</IfModule>
</VirtualHost>

The above configuration tells browsers to cache .png, .css, .js, .jpg, .jpeg and .gif files for one day.

To enable expires headers with ExpiresByType, add the following lines to the /etc/apache2/sites-available/default file:

<VirtualHost *:80>
...
...
          ExpiresActive on

          ExpiresByType image/jpg "access plus 60 days"
          ExpiresByType image/png "access plus 60 days"
          ExpiresByType image/gif "access plus 60 days"
          ExpiresByType image/jpeg "access plus 60 days"

          ExpiresByType text/css "access plus 1 days"

          ExpiresByType image/x-icon "access plus 1 month"

          ExpiresByType text/javascript "access plus 1 week"
          ExpiresByType application/x-javascript "access plus 1 week"
          ExpiresByType application/javascript "access plus 1 week"
</VirtualHost>

After changing anything in the /etc/apache2/sites-available/default file you need to restart apache2 for the changes to take effect.

You can use the following units in expires headers:

  • years
  • months
  • weeks
  • days
  • hours
  • minutes
  • seconds

-Sany

Linux – Run apache tomcat on port 80

 

By default apache tomcat runs on port 8080.

Instead of running tomcat on port 8080, we can also serve it on port 80.

Run the following command as the root user on the machine where you want tomcat to answer on port 80.

$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080

The above command uses port forwarding: all requests arriving on port 80 of eth0 are forwarded to port 8080.

The advantage of the port forwarding technique is security. Since port numbers 0 to 1023 are privileged ports, it is not advisable to give non-root users direct access to them; with forwarding, tomcat keeps listening on 8080 as an unprivileged user.

Now test tomcat on your machine with its IP address or localhost.

Example:

http://127.0.0.1

http://localhost

Either of the above URLs should return the response from the tomcat ROOT webapp.
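An idempotent version of the port-forward setup, added here as an example that is not part of the original post. It also covers a case the localhost test above does not: the PREROUTING chain only sees packets arriving on an interface, so a request to http://127.0.0.1 from the same machine never matches the eth0 rule, and an OUTPUT-chain rule on lo is needed for that test to work. The `iptables -t nat -S PREROUTING` samples are constructed; the interface and ports are the ones from the post. Neither rule survives a reboot unless it is saved (for example with iptables-persistent).

```shell
#!/bin/sh
# Forward port 80 to Tomcat's 8080 without adding rules twice.
IFACE=eth0; FROM_PORT=80; TO_PORT=8080

# The PREROUTING rule in the form `iptables -t nat -S PREROUTING` prints it
# (iptables expands "-p tcp --dport" to "-p tcp -m tcp --dport" on output).
PREROUTING_RULE="-A PREROUTING -i $IFACE -p tcp -m tcp --dport $FROM_PORT -j DNAT --to-destination :$TO_PORT"

# rule_present RULES_TEXT RULE -> 0 if RULE appears as a whole line in RULES_TEXT
rule_present() {
  printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# Constructed samples of `iptables -t nat -S PREROUTING` before and after.
SAMPLE_BEFORE='-P PREROUTING ACCEPT'
SAMPLE_AFTER='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080'

# setup_forward -> add both rules once; run as root (not used by the offline test)
setup_forward() {
  if rule_present "$(iptables -t nat -S PREROUTING)" "$PREROUTING_RULE"; then
    echo "PREROUTING rule already present"
  else
    iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$FROM_PORT" \
      -j DNAT --to-destination ":$TO_PORT"
  fi
  # Locally generated traffic (the http://127.0.0.1 test) traverses OUTPUT,
  # not PREROUTING; -C checks for the rule so it is only appended once.
  iptables -t nat -C OUTPUT -o lo -p tcp --dport "$FROM_PORT" -j REDIRECT --to-ports "$TO_PORT" 2>/dev/null ||
    iptables -t nat -A OUTPUT -o lo -p tcp --dport "$FROM_PORT" -j REDIRECT --to-ports "$TO_PORT"
}
```

With both rules in place, Tomcat itself still binds only 8080 and can keep running under its own unprivileged account; nothing on the host needs root to answer on port 80.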

-Sany