Categories
Network

Run letsencrypt as a normal user

Install certbot, then change ownership of its directories so it can be run from your normal (unprivileged) user account.

yum install yum-utils -y
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot -y

useradd certmaster
chown certmaster: /etc/letsencrypt/ -R
chown certmaster: /var/log/letsencrypt/ -R
chown certmaster: /var/lib/letsencrypt/ -R

You might want to allow the certmaster account to reload nginx or another service when a new certificate exists. To allow certmaster to test and reload the nginx configuration, create the sudoers file /etc/sudoers.d/certmaster with this content. Both rules name the complete command line, so certmaster can run only these two exact commands without a password.

certmaster ALL=NOPASSWD: /usr/bin/systemctl reload nginx.service
certmaster ALL=NOPASSWD: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf

Example of a cron entry (in /etc/cron.d format, hence the user field). chronic, from moreutils, only prints certbot's output if it fails, so cron mails you about errors only.

# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
# Renews all certificates at 02:15 every night (set the day-of-week field to 6 to run only on Saturday morning), checks the nginx config and reloads
15 2 * * * certmaster chronic /usr/bin/certbot --no-self-upgrade renew && sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf && sudo /usr/bin/systemctl reload nginx.service
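The renew, test and reload chain from that cron line as a small script the certmaster account can run, plus a check that the sudo commands it uses are listed verbatim in the sudoers file. This is an added example, not part of the original note; the three command variables default to the command lines above and can be overridden, which is how the script can be exercised on a machine without certbot or nginx.

```shell
#!/bin/sh
# Added example, not part of the original note: renew -> test nginx config -> reload,
# as a script for the unprivileged certmaster account, plus a check that the sudo
# command lines it uses are pinned verbatim in the sudoers file.
# The commands are variables so the logic can be exercised without certbot or nginx;
# the defaults are the command lines from the note.
CERTBOT="${CERTBOT:-/usr/bin/certbot --no-self-upgrade renew}"
NGINX_TEST="${NGINX_TEST:-sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf}"
NGINX_RELOAD="${NGINX_RELOAD:-sudo /usr/bin/systemctl reload nginx.service}"

# Runs the chain. The exit status tells you which stage failed:
#   0 renewed and reloaded      1 certbot failed (nginx untouched)
#   2 config test failed (nginx keeps serving the old config, nothing is reloaded)
# The variables are expanded unquoted on purpose so they split into command + arguments.
renew_and_reload() {
    $CERTBOT || return 1
    $NGINX_TEST || return 2
    $NGINX_RELOAD
}

# Checks that every "sudo ..." command line given is present, verbatim, as a NOPASSWD
# rule for certmaster in the sudoers file RULES, so the grant covers exactly these
# commands and nothing else (sudoers matches the full argument list).
# Usage: sudo_rules_cover RULES "sudo cmd 1" "sudo cmd 2" ...
sudo_rules_cover() {
    rules="$1"; shift
    for cmd in "$@"; do
        grep -Fxq "certmaster ALL=NOPASSWD: ${cmd#sudo }" "$rules" || return 1
    done
    return 0
}

# Stand-alone use on a real host: run the chain and report the stage that failed.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload; echo "renew_and_reload exit status $?"
fi
```

Because the nginx config test runs before the reload, a broken config never takes the service down: the old configuration keeps serving and the non-zero status lets cron (or chronic) report the problem.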
Categories
Network

Encrypt private key OpenVPN

You can password protect your key file so that an extra password is needed to connect with OpenVPN. This also works with certificates embedded in the .ovpn file.

OpenVPN asking for a password
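How the key file gets its password, as an added example that is not part of the original note: the encryption is done with openssl, and two small checks confirm that the encrypted copy is unreadable without the passphrase. The key, file names and passphrase in the demo are constructed throwaways.

```shell
#!/bin/sh
# Added example, not part of the original note: encrypts an OpenVPN client key at rest
# with openssl and checks that the encrypted copy cannot be loaded without the passphrase.
# The key, file names and passphrase used in the demo are constructed throwaways.

# Writes an AES-256 encrypted PEM copy of an unencrypted private key.
# Usage: encrypt_key IN.key OUT.key PASSPHRASE
# (pass: on the command line is visible in the process list; omit -passout on a
#  shared host and openssl prompts for the passphrase instead)
encrypt_key() {
    openssl pkey -in "$1" -out "$2" -aes-256-cbc -passout "pass:$3" && chmod 600 "$2"
}

# Returns 0 if the key loads with PASSPHRASE, non-zero otherwise.
# Usage: key_opens_with KEYFILE PASSPHRASE
key_opens_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Returns 0 if the PEM file is encrypted; OpenVPN then prompts for the passphrase when
# connecting (or reads it from the file named by its askpass option).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Demo: generate a throwaway key and encrypt it in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/client.key" 2>/dev/null
    encrypt_key "$d/client.key" "$d/client.enc.key" 'demo-passphrase'
    key_is_encrypted "$d/client.enc.key" && echo "encrypted key written to $d/client.enc.key"
fi
```

Keep the unencrypted original only long enough to verify the encrypted copy opens, then delete it: the point of the passphrase is that a copied .ovpn or .key file is useless on its own.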
Categories
Network

Round-Robin webservers with letsencrypt

Nginx on Edge servers

Configure your edge servers to redirect all HTTP challenges to your main web server, the one that runs certbot.
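One way to produce that edge configuration, as an added example that is not part of the original note: a shell function that prints an nginx server block redirecting only the ACME challenge path to the main web server (its host name is a parameter) and everything else to HTTPS on the edge itself.

```shell
#!/bin/sh
# Added example, not part of the original note: prints the nginx server block an edge
# server needs so that HTTP-01 challenges reach the main web server that runs certbot.
# MAIN_HOST is whatever the caller passes; the path /.well-known/acme-challenge/ is the
# one Let's Encrypt requests for HTTP-01 validation.
# Usage: acme_redirect_block MAIN_HOST > /etc/nginx/conf.d/acme-redirect.conf
acme_redirect_block() {
    main_host="$1"
    cat <<EOF
server {
    listen 80;
    server_name _;

    # Only the challenge path goes to the host that can answer it. 302 rather than 301
    # so that clients do not cache the redirect once the setup changes.
    location /.well-known/acme-challenge/ {
        return 302 http://${main_host}\$request_uri;
    }

    # Everything else is served over HTTPS on this edge.
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

if [ -n "${1:-}" ]; then
    acme_redirect_block "$1"
fi
```

The challenge redirect is the only plain-HTTP path the edge keeps answering, so the edge never needs a copy of the account key or any certificate material beyond what it serves over HTTPS.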

Categories
Network

Embedding certificates in .ovpn

You can simplify OpenVPN distribution by using one file for both the config and the certificates. A normal .ovpn file with separate .key and .crt files looks like this.

client
dev tun
dev-node "Dalesjo VPN"
proto tcp
remote my-server 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
comp-lzo yes

ca DALESJO-OpenVPN.crt
cert DALESJO-SADAL.crt
key DALESJO-SADAL.key
tls-auth DALESJO-Server.tls 1
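The conversion into a single file, as an added example that is not part of the original note: a shell function that reads a config like the one above and replaces each ca, cert, key and tls-auth line with OpenVPN's inline block syntax (<ca>...</ca> and so on; the direction argument of tls-auth moves to a key-direction line). Config and file names are whatever the caller passes; the demo data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original note: turns a client config that references
# separate ca/cert/key/tls-auth files into one .ovpn with those files inlined, using
# OpenVPN's <ca>...</ca>, <cert>, <key>, <tls-auth> blocks and the key-direction option
# (an inline tls-auth block cannot carry the direction argument itself).
# Usage: inline_ovpn CONFIG OUTPUT   (file names in CONFIG are resolved relative to it)
inline_ovpn() {
    cfg="$1"; out="$2"; dir=$(dirname "$cfg")
    : > "$out"; chmod 600 "$out"    # the result contains the private key
    set -f                          # no glob expansion while splitting config lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "${1:-}" in
            ca|cert|key)
                # "key client.key" becomes <key> ...file contents... </key>
                { printf '<%s>\n' "$1"; cat "$dir/$2"; printf '</%s>\n' "$1"; } >> "$out" ;;
            tls-auth)
                # "tls-auth file 1" becomes "key-direction 1" plus an inline block
                { [ -z "${3:-}" ] || printf 'key-direction %s\n' "$3"
                  printf '<tls-auth>\n'; cat "$dir/$2"; printf '</tls-auth>\n'; } >> "$out" ;;
            *)
                printf '%s\n' "$line" >> "$out" ;;
        esac
    done < "$cfg"
    set +f
}

if [ "$#" -eq 2 ]; then
    inline_ovpn "$1" "$2"
fi
```

The output file is created with mode 600 before anything is written to it, since it now carries the client's private key; combine this with the encrypted key from the previous note and the single file is still safe to hand over through a less trusted channel.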
Categories
Network

Varnish reload

A reload of the varnish server keeps your cache and only reloads the VCL. Check the VCL file for errors before trying a reload: varnishd -C compiles it (to C) without starting a daemon, so the chain below only reloads when the compile succeeds.

varnishd -C -f /etc/varnish/default.vcl && systemctl reload varnish.service && systemctl status varnish.service varnishncsa.service
Categories
Linux

Run commands over SSH

Run one or more commands on a remote server. The quotes around ENDSSH keep the local shell from expanding variables and command substitutions in the body; they are evaluated on the remote host instead.

ssh root@host <<'ENDSSH'
#commands to run on remote host
ENDSSH

Run a local script on a remote server (non-interactive, so it cannot open nano). The script does not need to start with #!/bin/bash.

ssh root@host < dalesjo-install-postfix.sh

Run a command interactively, e.g. start nano on the remote server (-t allocates a terminal on the remote side).

ssh -t root@cdn2.dalesjo.com 'nano /etc/postfix/main.cf'
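What the quotes around ENDSSH change, shown with an added example that is not part of the original note. The "remote" shell is a local sh process (the REMOTE variable, which you would set to ssh root@host for real use) so the script runs offline; the heredoc mechanics are the same.

```shell
#!/bin/sh
# Added example, not part of the original note: the difference between <<'ENDSSH' and
# <<ENDSSH. REMOTE is a local sh process standing in for "ssh root@host" so this runs
# offline; everything the heredoc does is identical over a real ssh connection.
REMOTE="${REMOTE:-sh}"      # for real use: REMOTE="ssh root@host"

# Quoted delimiter: the body is sent verbatim, so $MARK is expanded by the REMOTE
# shell. This is what you want for commands that refer to remote paths and variables.
run_remote_quoted() {
    $REMOTE <<'ENDSSH'
echo "mark=$MARK"
ENDSSH
}

# Unquoted delimiter: the LOCAL shell expands $MARK (and would run any $(...) or
# backticks locally) before anything is sent. Handy for passing local values in,
# but any remote-side $variable in the body silently becomes its local value.
run_remote_unquoted() {
    $REMOTE <<ENDSSH
echo "mark=$MARK"
ENDSSH
}

if [ "${1:-}" = "--demo" ]; then
    MARK=local
    REMOTE="env MARK=remote sh"
    echo "quoted:   $(run_remote_quoted)"     # mark=remote
    echo "unquoted: $(run_remote_unquoted)"   # mark=local
fi
```

The practical rule: use the quoted form unless you deliberately want local values substituted in, and in that case make sure nothing else in the body contains $ or backticks that were meant for the remote side.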
Categories
Linux

Uninstall compiled software

When uninstalling software you compiled yourself, run make -n install in the source tree to see what make install did (a dry run: the commands are printed, not executed). For nginx you only had to remove /sbin/nginx before installing nginx from yum.

# make -n install
make -f objs/Makefile install
make[1]: Entering directory `/root/install/cache/nginx-1.9.9'
test -d '/' || mkdir -p '/'
test -d '/' || mkdir -p '/'
test ! -f '/sbin' || mv '/sbin' '/sbin.old'
cp objs/nginx '/sbin'
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' || cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' || cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params '/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' || cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/uwsgi_params' || cp conf/uwsgi_params '/etc/nginx'
cp conf/uwsgi_params '/etc/nginx/uwsgi_params.default'
test -f '/etc/nginx/scgi_params' || cp conf/scgi_params '/etc/nginx'
cp conf/scgi_params '/etc/nginx/scgi_params.default'
test -f '/etc/nginx/nginx.conf' || cp conf/nginx.conf '/etc/nginx/nginx.conf'
cp conf/nginx.conf '/etc/nginx/nginx.conf.default'
test -d '/var/run/nginx' || mkdir -p '/var/run/nginx'
test -d '/var/log/nginx/access' || mkdir -p '/var/log/nginx/access'
test -d '//html' || cp -R html '/'
test -d '/var/log/nginx/errors' || mkdir -p '/var/log/nginx/errors'
make[1]: Leaving directory `/root/install/cache/nginx-1.9.9'
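Reading that dry run by hand is fine for nginx, but larger projects print hundreds of lines. The following is an added example, not part of the original note: a small parser that lists the destination of every cp and mkdir in make -n install output, plus a helper showing why cp objs/nginx '/sbin' ends up as /sbin/nginx. The sample output is constructed from a few lines of the dry run above.

```shell
#!/bin/sh
# Added example, not part of the original note: extracts the install targets from
# `make -n install` output so you know which paths to remove by hand.
# The sample below is constructed from a few lines of the dry run in the note.
sample_make_n_output() {
    cat <<'EOF'
make -f objs/Makefile install
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
cp objs/nginx '/sbin'
test -f '/etc/nginx/mime.types' || cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -d '//html' || cp -R html '/'
EOF
}

# Reads dry-run output on stdin and prints one action per line:
#   "cp SRC DST"  for every copy (including those guarded by "test ... ||")
#   "mkdir DST"   for every directory creation
# Fields are split on the single quotes the Makefile puts around destinations, so
# the destination is the second-to-last field and the command text the one before it.
install_actions() {
    awk -F"'" '
        /(^| )cp /  { n = split($(NF-2), w, " "); print "cp", w[n], $(NF-1) }
        /mkdir -p/  { print "mkdir", $(NF-1) }
    '
}

# A cp into an existing directory lands at DST/basename(SRC): that is how the
# "cp objs/nginx '/sbin'" line above produced /sbin/nginx. Checked against the
# filesystem of the machine this runs on, so run it on the host you installed to.
# Usage: resolve_cp_target SRC DST
resolve_cp_target() {
    if [ -d "$2" ]; then
        printf '%s/%s\n' "${2%/}" "$(basename "$1")"
    else
        printf '%s\n' "$2"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    sample_make_n_output | install_actions
fi
```

Feed the real output in with `make -n install | install_actions` and review the list before deleting anything: entries that copy into an existing directory (like /sbin or /etc/nginx) are the ones that silently shadow a distribution package's files.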

Source

Javier Rivera on askubuntu

Categories
Powershell

Keepalive in varnish

Varnish

By default in Varnish 5.2.1 keepalive is enabled with timeout_idle=5 seconds, which means that the TCP connection is closed if no traffic passes through it for 5 seconds.

If you are serving HLS with a chunk size of 8 seconds, you want to raise timeout_idle to 8 seconds so the client's connection survives the gap between segment requests. In a default installation you can change timeout_idle by adding the following to /etc/varnish/varnish.params.

DAEMON_OPTS="-p timeout_idle=8"
Categories
Linux Network

Add a second network card

To add a second IP address to a network interface, create a new ifcfg file, e.g. /etc/sysconfig/network-scripts/ifcfg-enp1s0f0:0 (the suffix after ifcfg- should match the DEVICE value inside the file).

TYPE="Ethernet"
BOOTPROTO="static"
DEVICE="enp1s0f0:1"
ONBOOT="no"
ZONE=public
IPADDR=80.67.x.x
PREFIX=31
GATEWAY=80.67.x.x

The default configuration for the parent interface may contain parameters such as UUID and NAME; those are not needed here. Change ONBOOT to yes after testing the configuration. To test, run

systemctl restart network.service
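A consistency check to run before that restart, as an added example that is not part of the original note: it reads the ifcfg file with a minimal KEY=VALUE parser and flags a file name suffix that disagrees with DEVICE, and a static configuration that lacks IPADDR or PREFIX. The sample files in the test are constructed with a documentation address.

```shell
#!/bin/sh
# Added example, not part of the original note: sanity checks an ifcfg-* file before
# restarting the network service. Values are read with a simple KEY=VALUE parser.

# Prints the value of KEY in FILE with surrounding double quotes removed (first match).
# Usage: ifcfg_get FILE KEY
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# Returns 0 when the file is consistent; otherwise prints each problem and returns 1.
# Usage: check_ifcfg /etc/sysconfig/network-scripts/ifcfg-DEVICE
check_ifcfg() {
    f="$1"; rc=0
    suffix="${f##*/ifcfg-}"
    dev=$(ifcfg_get "$f" DEVICE)
    # The network scripts pair files and interfaces by name; a mismatch between the
    # file suffix and DEVICE is the easiest way to configure the wrong interface.
    if [ "$suffix" != "$dev" ]; then
        echo "file suffix '$suffix' does not match DEVICE '$dev'"; rc=1
    fi
    # A static address needs both the address and the prefix length.
    case "$(ifcfg_get "$f" BOOTPROTO)" in
        static|none)
            for key in IPADDR PREFIX; do
                [ -n "$(ifcfg_get "$f" "$key")" ] || { echo "$key missing for static config"; rc=1; }
            done ;;
    esac
    return $rc
}

if [ -n "${1:-}" ]; then
    check_ifcfg "$1" && echo "ok: $1"
fi
```

Keep ONBOOT="no" until this check passes and a restart of network.service brings the alias up as expected; only then flip it to yes so a typo cannot survive a reboot.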
Categories
Linux

SSH Filtering

The goal is to allow root to log in with username/password from local IP addresses, but only with public key authentication from the internet.

First, change the following settings in /etc/ssh/sshd_config. This allows normal users to log in with username/password, while root must use public key authentication.

PasswordAuthentication yes
PermitRootLogin without-password

Second, add the following to the end of /etc/ssh/sshd_config. It must be at the end of the file because of how sshd reads the configuration: every directive after a Match line applies only to connections matching that block, until the next Match line.

Match address 192.168.0.0/16
 PermitRootLogin yes
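To see that scoping rule in action, here is an added example that is not part of the original note: a function that prints which Match block each sshd_config directive ends up in, and a check for whether a directive is still global. The two sample configs in the test are constructed from the lines above, once in the correct order and once with the Match section placed before the global PermitRootLogin.

```shell
#!/bin/sh
# Added example, not part of the original note: prints which Match block, if any, each
# sshd_config directive belongs to. It shows why the Match section must be last: every
# directive after a Match line is part of that block, not of the global config.

# Reads sshd_config on stdin; prints "SCOPE<TAB>DIRECTIVE" where SCOPE is "global" or
# the full Match line. Blank lines and comments are skipped.
sshd_scopes() {
    awk '
        BEGIN { scope = "" }
        /^[ \t]*(#|$)/ { next }
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match" { scope = $0; next }
        { print (scope == "" ? "global" : scope) "\t" $0 }
    '
}

# Returns 0 if DIRECTIVE (e.g. "PermitRootLogin without-password") is set in the
# global scope of the config on stdin, 1 if it only appears inside a Match block
# (or not at all).
is_global() {
    pat=$(printf 'global\t%s' "$1")
    sshd_scopes | grep -qxF "$pat"
}

if [ -n "${1:-}" ]; then
    sshd_scopes < "$1"
fi
```

For the authoritative answer use sshd itself: sshd -t checks the syntax, and sshd -T -C "user=root,host=example,addr=192.168.1.10" prints the effective settings for that particular connection, so you can confirm that PermitRootLogin is yes from the LAN and without-password from anywhere else before you restart the daemon.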