Lighttpd – block user agent

 

In lighttpd we can block or deny access to a specific user agent.

Syntax to block user agent:

$HTTP["useragent"] =~ "User agent name" {url.access-deny = ( "" )}

where “User agent name” is any user agent.

Example:

$HTTP["useragent"] =~ "Xenu Link Sleuth" {url.access-deny = ( "" )}

Above example will block all requests with user agent name “Xenu Link Sleuth”.

Advertisements

keepalived mail notification

 

To get mail alerts from keepalived(on every start change from MASTER to BACKUP or BACKUP to Master) we need to add following code in keepalived.conf file:

global_defs {
  notification_email {
    user@hostname.com
  }
  notification_email_from lb-alert@hostname.com
  smtp_server your.smtpserver..com
  smtp_connect_timeout 30
}

Next add following line in keepalived.conf’s vrrp_instance VI_1 block:

smtp_alert

After adding smtp_alert in vrrp_instance VI_1 block your code looks like below:

vrrp_instance VI_1 {
  ...Your Code...
  ...Your Code...
  ...Your Code...
  smtp_alert
  ...Your Code...
  ...Your Code...
  ...Your Code...
}

After making above two changes restart keepalived.

$ service keepalived restart

HAProxy – Starting proxy webfarm: cannot bind socket

Today morning when I am trying to start haproxy in one of server I got following error:

[ALERT] 096/213653 (26549) : Starting proxy webfarm: cannot bind socket

I have spent around 2 hours to debug this issue.

Here is the solution:

HAProxy will try to bind to Virtual IP which will only available in active node. Since our virtual IP is already bind to active node, this server unable to bind.

To resolve this issue we need to append net.ipv4.ip_nonlocal_bind=1 in /etc/sysctl.conf file.

Open /etc/sysctl.conf and append following line:

net.ipv4.ip_nonlocal_bind=1

After adding above line run following command to check if its updated or not:

$ sysctl -p

Output:

net.ipv4.ip_nonlocal_bind = 1

In output of sysctl -p we can see net.ipv4.ip_nonlocal_bind = 1.

Now start HAProxy:

$ service haproxy restart

Output:
* Restarting haproxy haproxy

After starting check HAProxy status:

$ service haproxy status

Output:
haproxy is running.

To find where is your virtual IP

To find to which host your virtual IP is bind use following command:

$ ip addr

In output check if you can find your virtual IP.

Start HAProxy with init script

To start HAProxy with init script set the ENABLED option to in /etc/default/haproxy file

Open /etc/default/haproxy file

$ vim /etc/default/haproxy

Append following line:

ENABLED=1

After adding above line restart HAProxy.

$ service haproxy restart 

Output:
* Restarting haproxy haproxy

Enable ssl/https with apache2 on Ubuntu

 

First install apache2 on you Ubuntu machine then follow the procedure mentioned below to enable ssl/https.

Enable ssl:

$ sudo a2enmod ssl

Activate new virtual host:

$ sudo a2ensite default-ssl

Create self signed ssl certificate:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Above command will ask some details like country name, state, email address etc…

Set ssl certificates path in /etc/apache2/sites-available/default-ssl file:

$ vim /etc/apache2/sites-available/default-ssl

Find lines starting with SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile change them as following:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

then save and exit from default-ssl file.

Now reload apache2:

$ sudo service apache2 reload

After reloading try accessing your hostname/IP with https on your browser.

Apache2 disable http

 

Due to security reason at any instance if you want to disable http on your apache2 webserver comment following lines in /etc/apache2/ports.conf file.

First open /etc/apache2/ports.conf file with any editor.

Then search for following line in ports.conf file.

NameVirtualHost *:80
Listen 80

Comment above mentioned lines:

#NameVirtualHost *:80
#Listen 80

After commenting restart apache2.

$ service apache2 restart

Now try to access your website with http, it should show message as unable to connect.

How to view nginx status

 

To view nginx status some configuration upgrade is required in nginx.conf

I used following configuration to get nginx status:

location = /nginx_status {
  stub_status on;
  allow 192.168.2.20;
  deny all;
}

Since its not a good idea to give access of nginx_status url, I am allowing only one IP and denying all.

After changing configuration restart nginx and view configuration from url http://yourhostname/ngins_status

Output of url looks something like below:

Active connections: 1 
server accepts handled requests
 10 10 55 
Reading: 0 Writing: 1 Waiting: 0

Nginx password protect website

 

Whenever there was requirement to protect a webiste or a particular folder in website with some username and password, we are used to do it with Apache2/Apache HTTP.

This time I thought to try with Nginx.

Here I am proxy passing all requests with upstream and I wanted to protect it some username and password.

Again I used apach2-utils module to protect website.

Install apache2-utils:

$ apt-get install apache2-utils

Now create a user with some password:

$ htpasswd -c /etc/nginx/conf.d/.htpasswd/passwd username

where username is some username as you wish, it will ask for password just enter some password.

After creating usename and password add following configuration nginx.conf’s http module.

upstream appcluster {

server 192.168.2.20:8080;
}

server {
listen *;
location / {
proxy_pass http://appcluster;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
proxy_set_header X-Real-IP $remote_addr;

}

Upstream module will proxy pass all request that are coming to your hostname to port 8080 of ip 192.168.2.20.

After adding above configuration restart nginx and try to access you hostname, it should ask username and password.

In above configuration following 2 lines are responsible for protecting your website:

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;

After adding all configurations in nginx.conf, following is my http module:

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;

default_type application/octet-stream;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

upstream appcluster {

server 192.168.2.20:8080;
}

server {
listen *;
location / {
proxy_pass http://appcluster;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
proxy_set_header X-Real-IP $remote_addr;

}
}
}

Apache httpd redirect all requests to https

 

To redirect all http request to https add following rule in apache2.conf or httpd.conf or .htaccess file.

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://www.example.com/secure

I am added above rule in .htaccess file which is secure directory. This rule will redirect all request coming to /secure directory to https authontication.

After adding restart apache2/httpd and test.

Ubuntu – Apache2 enable expires headers

 

To enable expires headers or mod_expires with apache2 in Ubuntu OS use following command

$ a2enmod expires

.

Now restart apache2 with any of following command:

$ service apache2 restart

or

$ /etc/init.d/apache2 restart

There are 2 ways to add expire headers

  • FileMatch with ExpiresDefault directives
  • ExpiresByType

To enable expires headers with FileMatch with ExpiresDefault directives add following lines in /etc/apache2/sites-available/default file:

<VirtualHost *:80>
...
...
<IfModule mod_expires.c>
          <FilesMatch "\.(png|css|js|jpe?g|gif)$">
                      ExpiresActive On
                      ExpiresDefault "access plus 1 day"
          </FilesMatch>
</IfModule>
</VirtualHost>

Above code will tell browsers to cache .png, .css, .js, .jpg, .jpeg, and gif for one day.

To enable expires headers with ExpiresByType add following lines in /etc/apache2/sites-available/default file:

<VirtualHost *:80>
...
...
          ExpiresActive on

          ExpiresByType image/jpg "access plus 60 days"
          ExpiresByType image/png "access plus 60 days"
          ExpiresByType image/gif "access plus 60 days"
          ExpiresByType image/jpeg "access plus 60 days"

          ExpiresByType text/css "access plus 1 days"

          ExpiresByType image/x-icon "access plus 1 month"

          ExpiresByType text/javascript "access plus 1 week"
          ExpiresByType application/x-javascript "access plus 1 week"
          ExpiresByType application/javascript "access plus 1 week"
</VirtualHost>

After any thing in /etc/apache2/sites-available/default file you need to restart apache2 to changes make effect.

You can use following units for in expires headers:

  • years
  • months
  • weeks
  • days
  • hours
  • minutes
  • seconds

-Sany

Linux – Run apache tomcat on port 80

 

By default apache tomcat runs on port 8080.

Instead of running tomcat on port 8080, we can also run it on port 80.

Run following command as root user in machine you want make tomcat to work on port 80.

$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080

Above command is using Port Forwarding technique, where all requests coming to port 80 on eth0 are forwarded to port 8080.

Advantage of port forwarding technique is security. Since port numbers 0 to 1023 are privileged ports its not suggested to give direct access to no root users.

Now test tomcat on your machine with ip address or localhost

Example:

http://127.0.0.1

http://locahlost

Either of the above command will get the response from  tomcat ROOT webapp.

-Sany