| Recover IP BEFORE loging in Spring Boot Posted: 11 Jul 2021 08:38 PM PDT I made an app using Spring Boot wich uses Spring Security to login. I can recover the IP after the login because I put the next code in my controller and share the objets in my model: @GetMapping("/") //http://localhost:8080/ tipo GET //Principio de Hollywood: "No me llames, yo te voy a llamar B)" public String inicio(Model model, @AuthenticationPrincipal User user) {//para recuperar el usuario que se inició sesión List<Persona> personas = (List<Persona>) ps.listarPersonas(); log.info("Ejecutando el controlador Spring MVC"); log.info("Usuario" + user); model.addAttribute("personas", personas);//en lugar de request.setAttribute double saldoTotal =0; for (Persona p : personas) { saldoTotal += p.getSaldo(); } model.addAttribute("saldoTotal", saldoTotal); model.addAttribute("totalClientes", personas.size());//comparte el numero total de clientes /* Recuperación de la ip interna y externa: */ String errorReport = "Sin Errores :)"; StringBuilder mainMessage = new StringBuilder(); try { URL conexion = new URL("http://checkip.amazonaws.com/"); URLConnection con = conexion.openConnection(); String str = null; BufferedReader reader = new BufferedReader(new InputStreamReader(con.getInputStream())); str = reader.readLine(); mainMessage.append("IP Real: " + str); // Local address mainMessage.append(" | Local Host Address: " + InetAddress.getLocalHost().getHostAddress()); mainMessage.append(" Local Host Name: " + InetAddress.getLocalHost().getHostName()); // Remote address mainMessage.append(" | Remote Host Address: " + InetAddress.getLoopbackAddress().getHostAddress()); mainMessage.append(" | Remote Host Address: " + InetAddress.getLoopbackAddress().getHostName()); } catch (UnknownHostException e) { // TODO Auto-generated catch block errorReport = e.getMessage(); model.addAttribute("error", errorReport); e.printStackTrace(); } catch (MalformedURLException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); } model.addAttribute("ip", mainMessage.toString()); return "index"; //el nombre de la pagina a donde redirige este controlador }
And the result is the next: Shared IP in my footer : But I need to have it in the login page too , the thing is when i try to acces the url "/" spring security brings me to "/login", so I am not be able to get the IP from begining: footer without IP This is my security config, if helps: @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private UserDetailsService userDetailsService; @Bean //con esto el objeto va a estar disponible dentro del contenedor de spring public BCryptPasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder(); } @Autowired public void configurerGlobal(AuthenticationManagerBuilder build) throws Exception{ //este objeto se agrega de manera automatica build.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Override protected void configure(HttpSecurity http) throws Exception{ //restricción de URLs (autorización) http.authorizeRequests() .antMatchers("/editar/**", "/agregar/**", "/eliminar")//con esto restringiremos todos los paths dentro de editar .hasRole("ADMIN") .antMatchers("/") .hasAnyRole("USER", "ADMIN") .and() .formLogin() .loginPage("/login") .and() .exceptionHandling().accessDeniedPage("/errores/403") //extra // .and() // .csrf().disable() ; } }
THX  |
| How to allow public access on Oracle cloud VM instance? Posted: 11 Jul 2021 08:10 PM PDT I am using Oracle Linux 8, and trying to allow public access my VM. I disabled firewall but still can't be accessed. I found this official tutorial but no menu called Security Applications, so I can not set it. it seems blocked by Network ACL like in AWS EC2, but dunno how to allow it in oracle cloud compute.  |
| Cannot proceed wizard of adding custom domain on Firebase Hosting Posted: 11 Jul 2021 07:28 PM PDT I am trying to add custom domain to my new app on Firebase Hosting. Following official documents, I pressed "add custom domain" button in my project's Hosting page and stared a wizard. In the wizard step 1, I entered my domain "example.com" and press "next" button without check a redirect checkbox. Then spinner stared to spin but after 1-2 seconds, spinner disappeared and the wizard were still on step 1. I deleted the app and deployed again but same problem was occurred. Also I tried in secret window of Chrome but the situation did not change. The domain is connected to old VPS server. Any error was not shown. How can I solve this? I tried to another domain as a test but the result is same. Deleting and recreating the project did not affect the problem. screenshot  |
| Virsh console not responding after rebooting guest machine Posted: 11 Jul 2021 04:41 PM PDT I have a server running Ubuntu 20.04 with KVM. Whenever I install a guest VM (CentOS 7 or Fedora 34), virsh console works fine in the beginning. However, when I reboot this VM, virsh console stops working. Does anybody know what's going wrong in this case?  |
| Hey guys i wanna know can i run php, python and java app on dedicated server [closed] Posted: 11 Jul 2021 04:40 PM PDT Actually i am working with a startup and they want to start working on mainly 3(java, python, php) lang. Because they runs maximum software markets. They provides services on web application already available in market.  |
| Asp.net core To elastic beanstalk error 404 after deployment Posted: 11 Jul 2021 04:19 PM PDT I have an asp.net core web api that run an 404 after it get's deployed to elastic beanstalk. Any version from 1.0 to 5.0 all show the same error 404. The api works just fine on localhost but once it get uploded to elasticbeanstalk. It dosn't show anything. Here is the full error. This aspnetcoretoelasticbeanstalk-dev.us-east-1.elasticbeanstalk.com page can't be foundNo webpage was found for the web address: http://aspnetcoretoelasticbeanstalk-dev.us-east-1.elasticbeanstalk.com/ HTTP ERROR 404 If somone can help me on this, i'll really appreciate. Thank you in advance !!  |
| Nginx write permisions conflict in cache folder with php user Posted: 11 Jul 2021 03:45 PM PDT Re: 2 different users needing write permission to cache folder. Nginx does not allow a 'group' here. On my Nginx server with wordpress sites I want to use fastCGI caching, so I use the WP nginx-helper plugin. I chose the purge method of: 'Delete local server cache files. Checks for matching cache file in RT_WP_NGINX_HELPER_CACHE_PATH.' .... We set the path as /home/site-owner-user/nginx-cache/cache But due to the virtualmin PHP setup, it created it's own PHP pool for the virtual server and therefore ran PHP under the site-owner-user. But NGINX uses the cache folder as user 'www-data', however this directory was not writable by other users. Therefore when wordpress tried to clear the cache, the folder could not be deleted and recreated. I could fix this by manually changing the folder permissions, but when wordpress recreated the cache folder it would now be owned by the user 'classicwp' and NGINX could no longer write cache files to that location. When we tried to do a shared 'group' for them, nginx just ignored that. NGINX doesn't allow us to specify the file permissions for the cache files it creates. They're stuck at a level that does not allow the group to write. We CAN make it work when we change the PHP user to www-data (same as nginx), but this raises security problems if 20 wordpress clients all run as that same nginx user, www-data. So, what is the solution? Thanks for any ideas.  |
| Ansible synchronize module permissions failing Posted: 11 Jul 2021 06:50 PM PDT 0 I wish to synchronize letsencrypt credentials from host S to Host D using an ansible task running on host H. My current task looks like this: - name: Synchronize local letsencrypt directory ansible.posix.synchronize: src: /etc/letsencrypt dest: /etc/letsencrypt archive: true checksum: true delete: true recursive: true become_user: myuserid rsync_path: "sudo rsync" become: true delegate_to: S
On host S: drwxr-xr-x. 9 root root 4096 Jul 10 01:15 /etc/letsencrypt
On host D: drwxr-xr-x. 2 root root 6 Apr 8 07:58 /etc/letsencrypt
The error message I am getting is: TASK [sync_certs - rsync from certificate master host to certificate slave host] ****************************************** fatal: [D]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: Permission denied, please try again.", "unreachable": true}
Since root login is prohibited on all hosts, the task runs as an ordinary user with sudo permissions to execute "bash". This is the situation on all hosts. Any help would be greatly appreciated. PS: The following bash script runs successfully. Unfortunately, it asks for a passsword for myuserid. sudo /usr/bin/rsync --rsync-path="sudo rsync" --acls --archive --checksum --delete --links --numeric-ids --recursive --stats --times --verbose /etc/letsencrypt myuseridl@testFedora.jlhimpel.net::letsencrypt
 |
| Running Enterprise Search as a service Posted: 11 Jul 2021 09:46 PM PDT Elastic's Enterprise Search Installation Guide goes as far as starting the process locally - which is obviously not very stable. When installed from a .deb or .rpm, a service is actually set up and ready to use but unfortunately, it doesn't seem to be working!? When I start the service, all I can see is: $ systemctl status enterprise-search ● enterprise-search.service - Elastic Enterprise Search Loaded: loaded (/lib/systemd/system/enterprise-search.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2021-07-10 15:26:17 UTC; 3s ago Docs: https://www.elastic.co/guide/en/enterprise-search/current/index.html Main PID: 9144 (java) Tasks: 19 (limit: 9536) Memory: 209.0M CGroup: /system.slice/enterprise-search.service └─9144 java -cp /usr/share/enterprise-search/lib/war/lib/jruby-stdlib-9.2.13.0.jar:/usr/share/enterprise-search/lib/war/lib/jruby-core-9.2.13.0-complete.jar -Djruby.cli.warning.level=NIL -Djava.a> Jul 10 15:26:17 ip-172-31 systemd[1]: Started Elastic Enterprise Search. Jul 10 15:26:17 ip-172-31 enterprise-search[9144]: Found java executable in PATH Jul 10 15:26:18 ip-172-31 enterprise-search[9144]: Java version detected: 11.0.11 (major version: 11) Jul 10 15:26:18 ip-172-31 enterprise-search[9144]: Enterprise Search is starting... Jul 10 15:26:18 ip-172-31 enterprise-search[9144]: Logs can be found in the location configured via the 'log_directory' setting (typically /var/log/enterprise-search)
But the logs don't have any new entries and nothing's listening on the defined port. Whereas starting the search just as a normal process as sudo /usr/share/enterprise-search/bin/enterprise-search
Works perfectly fine. nohup is also not helpful, the process stops very shortly after it starts, exactly as seen in this post
I have added a comment to that thread but as it was already marked as solved I don't expect to see an answer. The solution provided did not work for me. Any suggestions? UPDATE journalctl -u enterprise-search.service reveals that the service is currently failing due to permission issues to its own log.
e.g. Jul 11 16:57:53 ip-172-31 enterprise-search[284346]: Unexpected exception while running Enterprise Search: Jul 11 16:57:53 ip-172-31 enterprise-search[284346]: Error: Permission denied - /var/log/enterprise-search/stats.log at org/jruby/RubyIO.java:1237:in `sysopen'
Changing the owner to enterprise-search for the following: app-server.log connectors.log filebeat stats.log system.log worker.log
resolves the issue temporarily but it will resourface when the logs get rotated. The initialisation now fails with: enterprise-search[286929]: Unexpected exception while running Enterprise Search: enterprise-search[286929]: NoMethodError: undefined method `join' for nil:NilClass enterprise-search[286929]: run! at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:115 enterprise-search[286929]: <main> at bin/enterprise-search-internal:15 systemd[1]: enterprise-search.service: Main process exited, code=exited, status=1/FAILURE systemd[1]: enterprise-search.service: Failed with result 'exit-code'.
I'm guessing this will still be related to privileges but I'm a bit stuck as to what else I have to change. I also have no clue how to make sure that the logs stay with the enterprise-search user on rotation.  |
| How do I convert a multi-value SAML attribute to a single-value string in ADFS? Posted: 11 Jul 2021 09:43 PM PDT I previously asked a similar question about doing this in Azure AD. However, I've come to the conclusion that it is probably too limited to do this and I received no answers. However, in ADFS there is a lot more flexibility. I want to convert an active directory user's group membership to a single : delimited/enclosed string. So, if the AD user is a member of Group1 and Group2, then a claim will be issued with a string value of :Group1:Group2:. Or, preferably, it would use the SID of the group which is immutable. I don't think there is any built in way to do this based on my research, but maybe someone is more familiar with the claims rule language that can provide a method? Otherwise, it looks like I might be able to create a custom attribute store which can pretty much utilize any .NET code I want to process claims, as described here. Before I go down the road of creating my own custom attribute store, is anyone aware of a way to do what I am trying to do either using built-in ADFS functionality, or by utilizing a publicly provided custom attribute store similar to this one here? I am running ADFS 4.0.  |
| How can I protect SSH? Posted: 11 Jul 2021 05:17 PM PDT I check /var/log/secure and I have these logs: Jul 9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566 Jul 9 13:02:57 localhost sshd[30624]: Connection closed by invalid user admin 223.196.172.1 port 37566 [preauth] Jul 9 13:03:05 localhost sshd[30626]: Invalid user admin from 223.196.174.150 port 61445 Jul 9 13:03:05 localhost sshd[30626]: Connection closed by invalid user admin 223.196.174.150 port 61445 [preauth] Jul 9 13:03:16 localhost sshd[30628]: Invalid user admin from 223.196.169.37 port 62329 Jul 9 13:03:24 localhost sshd[30628]: Connection closed by invalid user admin 223.196.169.37 port 62329 [preauth] Jul 9 13:03:29 localhost sshd[30630]: Invalid user admin from 223.196.169.37 port 64099 Jul 9 13:03:30 localhost sshd[30630]: Connection closed by invalid user admin 223.196.169.37 port 64099 [preauth] Jul 9 13:03:45 localhost sshd[30632]: Invalid user admin from 223.196.174.150 port 22816 Jul 9 13:03:46 localhost sshd[30632]: Connection closed by invalid user admin 223.196.174.150 port 22816 [preauth] Jul 9 13:06:17 localhost sshd[30637]: Invalid user admin from 223.196.168.33 port 33176 Jul 9 13:06:17 localhost sshd[30637]: Connection closed by invalid user admin 223.196.168.33 port 33176 [preauth] Jul 9 13:07:09 localhost sshd[30639]: Invalid user admin from 223.196.173.152 port 61780 Jul 9 13:07:25 localhost sshd[30641]: Invalid user admin from 223.196.168.33 port 54200 Jul 9 13:07:26 localhost sshd[30641]: Connection closed by invalid user admin 223.196.168.33 port 54200 [preauth] ...
It seems someone tries to log in by SSH. I disable login by root user and enable public/private key login, but is this a DDoS attack? And does it use RAM/CPU? What should I do?  |
| Docker macvlan drops UDP (DNS) traffic, TCP works Posted: 11 Jul 2021 09:32 PM PDT I'm trying to use macvlan to create a container that is a first-class citizen on my lan. I'm using a static IP (although I understand that using some 'tricks' it's possible to use DHCP as well). I understand its possible to do it with the host network, but I'm planning to run 2 separate DNS containers, and I want each of them to have a different IP, so host isn't the solution I'm looking for. My Setup Details about my network and host setup: - Unifi UGS Router, internal IP:
192.168.1.254 - Network mask:
192.168.1.0/24 - Host OS: Ubuntu 20.04 LTS (Focal Fossa)
- Docker version 20.10.2, build 20.10.2-0ubuntu1~20.04.2
- docker-compose version 1.28.5, build c4eb3a1f
- Hosts IP is received over a bridge interface (named
br-lan) which is attached to my ethernet port. I'm using [adguard-home][2] as test container's image, below is the docker-compose config output: version: '3.7' networks: br-lan: driver: macvlan driver_opts: parent: br-lan ipam: config: - gateway: 192.168.1.254 subnet: 192.168.1.0/24 driver: default services: adguard: dns: # adguards default upstream DNS servers - 9.9.9.10 - 149.112.112.10 - 2620:fe::10 - 2620:fe::fe:10 image: adguard/adguardhome mac_address: '00:01:02:03:04:05:06:07' # Some randomized MAC address mem_limit: 500mb networks: br-lan: ipv4_address: 192.168.1.53 restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro - /srv/adguard/data/conf:/opt/adguardhome/conf:rw - /srv/adguard/data/work:/opt/adguardhome/work:rw
What Works This actually works for TCP, I can access the WebUI (ports 3000 and 80), and as long as DNS queries are done over TCP it works (tcp port 53). The container itself can access the web, and in turn the container can be accessed by the host as well as machines on the LAN. What Doesn't Work UDP DNS queries fail. How I'm testing? On a Windows 10 machine in the network I'm running the following PowerShell command: # Default (UDP) DNS Query - Fails ❯ Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.com # Test regular UDP DNS Query <# The Error output is Resolve-DnsName : stackoverflow.com : DNS name does not exist At line:1 char:1 + Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.c ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (stackoverflow.com:String) [Resolve-DnsName], Win32Exception + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName #> # TCP DNS Query - works ❯ Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.com -TcpOnly Name Type TTL Section IPAddress ---- ---- --- ------- --------- stackoverflow.com A 2507 Answer 151.101.65.69 stackoverflow.com A 2507 Answer 151.101.129.69 stackoverflow.com A 2507 Answer 151.101.193.69 stackoverflow.com A 2507 Answer 151.101.1.69
What's my question and why I'm posting here? I can't figure out why UDP fails while TCP works. My searches about UDP and macvlan haven't been fruitful, and I was hoping someone here would be able to guide me on how to troubleshoot this so I can identify the flaw in my design, or explain what I can do to fix this.  |
| How to forward http to https with Lightsail Load balancer Posted: 11 Jul 2021 09:32 PM PDT I currently have an app built on a lightsail server. I used Amazon certificate to create SSL https with a load balancer. Under inbound traffic I have to protocols Http Enabled Https Enabled.
When I go to https://app.myexample.com sure enough I get an SSL certificate all good. However I'd like to forward http to https. When you go to http://app.myexample.com you get no secure connection (obviously). How can I force http to go to https? I was going to do it with an .htaccess file but I read somewhere that it should be done through the Load Balancer. Unfortunately all documentation for this is only for Elastic Beanstalk. I'm using Lightsail. How can I accomplish this on lightsail?   |
| openvpn - Authenticate/Decrypt packet error: packet HMAC authentication failed Posted: 11 Jul 2021 05:04 PM PDT I have this client ovpn file like this client proto udp explicit-exit-notify remote PUBLIC_IP 1194 dev tun resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server verify-x509-name server_2CAzflUWmRFturMk name auth SHA256 auth-nocache cipher AES-128-GCM tls-client tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak verb 3 <ca> -----BEGIN CERTIFICATE----- CERT -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- CERT -----END CERTIFICATE----- </cert> <key> -----BEGIN ENCRYPTED PRIVATE KEY----- KEY -----END ENCRYPTED PRIVATE KEY----- </key> <tls-crypt> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- KEY -----END OpenVPN Static key V1----- </tls-crypt>
and this server.conf port 1194 proto udp dev tun user nobody group nogroup persist-key persist-tun keepalive 10 120 topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "dhcp-option DNS 1.0.0.1" push "dhcp-option DNS 1.1.1.1" push "redirect-gateway def1 bypass-dhcp" dh none ecdh-curve prime256v1 tls-crypt tls-crypt.key 0 crl-verify crl.pem ca ca.crt cert server_2CAzflUWmRFturMk.crt key server_2CAzflUWmRFturMk.key auth SHA256 cipher AES-128-GCM ncp-ciphers AES-128-GCM tls-server tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 client-config-dir /etc/openvpn/ccd status /var/log/openvpn/status.log log /var/log/openvpn.log verb 3
ufw firewall is disabled and have generated the openvpn client file through this script (but have tried many different). here's the iptables sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:openvpn ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp dpt:openvpn ACCEPT udp -- anywhere anywhere udp dpt:openvpn AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED AS0_ACCEPT all -- anywhere anywhere AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000 AS0_ACCEPT tcp -- anywhere *.website.org state NEW tcp dpt:915 AS0_ACCEPT tcp -- anywhere *.website.org state NEW tcp dpt:914 AS0_ACCEPT udp -- anywhere *.website.org state NEW udp dpt:917 AS0_ACCEPT udp -- anywhere *.website.org state NEW udp dpt:916 AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED AS0_WEBACCEPT tcp -- anywhere *.website.org state NEW tcp dpt:943 ufw-before-logging-input all -- anywhere anywhere ufw-before-input all -- anywhere anywhere ufw-after-input all -- anywhere anywhere ufw-after-logging-input all -- anywhere anywhere ufw-reject-input all -- anywhere anywhere ufw-track-input all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 10.8.0.0/24 anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 10.8.0.0/24 anywhere AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000 AS0_OUT_S2C all -- anywhere anywhere ufw-before-logging-forward all -- anywhere anywhere ufw-before-forward all -- anywhere anywhere ufw-after-forward all -- anywhere anywhere ufw-after-logging-forward all -- anywhere anywhere ufw-reject-forward all -- anywhere anywhere ufw-track-forward all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination AS0_OUT_LOCAL all -- anywhere anywhere ufw-before-logging-output all -- anywhere anywhere ufw-before-output all -- anywhere anywhere ufw-after-output all -- anywhere anywhere ufw-after-logging-output all -- anywhere anywhere ufw-reject-output all -- anywhere anywhere ufw-track-output all -- anywhere anywhere Chain AS0_ACCEPT (7 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain AS0_IN (4 references) target prot opt source destination ACCEPT all -- anywhere Mico2026WebAppIaaSLinux AS0_IN_POST all -- anywhere anywhere Chain AS0_IN_NAT (0 references) target prot opt source destination MARK all -- anywhere anywhere MARK or 0x8000000 ACCEPT all -- anywhere anywhere Chain AS0_IN_POST (1 references) target prot opt source destination ACCEPT all -- anywhere 10.1.0.0/24 AS0_OUT all -- anywhere anywhere DROP all -- anywhere anywhere Chain AS0_IN_PRE (2 references) target prot opt source destination AS0_IN all -- anywhere link-local/16 AS0_IN all -- anywhere 192.168.0.0/16 AS0_IN all -- anywhere 172.16.0.0/12 AS0_IN all -- anywhere 10.0.0.0/8 ACCEPT all -- anywhere anywhere Chain AS0_IN_ROUTE (0 references) target prot opt source destination MARK all -- anywhere anywhere MARK or 0x4000000 ACCEPT all -- anywhere anywhere Chain AS0_OUT (2 references) target prot opt source destination AS0_OUT_POST all -- anywhere anywhere Chain AS0_OUT_LOCAL (1 references) target prot opt source destination DROP icmp -- anywhere anywhere icmp redirect ACCEPT all -- anywhere anywhere Chain AS0_OUT_POST (1 references) target prot opt source destination DROP all -- anywhere anywhere Chain AS0_OUT_S2C (1 references) target prot opt source destination AS0_OUT all -- anywhere anywhere Chain AS0_WEBACCEPT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination Chain ufw-after-logging-forward (1 references) target prot opt source destination Chain ufw-after-logging-input (1 references) target prot opt source destination Chain ufw-after-logging-output (1 references) target prot opt source destination Chain ufw-after-output (1 references) target prot opt source destination Chain ufw-before-forward (1 references) target prot opt source destination Chain ufw-before-input (1 references) target prot opt source destination Chain ufw-before-logging-forward (1 references) target prot opt source destination Chain ufw-before-logging-input (1 references) target prot opt source destination Chain ufw-before-logging-output (1 references) target prot opt source destination Chain ufw-before-output (1 references) target prot opt source destination Chain ufw-reject-forward (1 references) target prot opt source destination Chain ufw-reject-input (1 references) target prot opt source destination Chain ufw-reject-output (1 references) target prot opt source destination Chain ufw-track-forward (1 references) target prot opt source destination Chain ufw-track-input (1 references) target prot opt source destination Chain ufw-track-output (1 references) target prot opt source destination
The client is hanging on "waiting for server response" and the server logs this: openvpn.log Thu Jun 25 11:50:29 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019 Thu Jun 25 11:50:29 2020 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08 Thu Jun 25 11:50:29 2020 ECDH curve prime256v1 added Thu Jun 25 11:50:29 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Thu Jun 25 11:50:29 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Thu Jun 25 11:50:29 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Thu Jun 25 11:50:29 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Thu Jun 25 11:50:29 2020 TUN/TAP device tun0 opened Thu Jun 25 11:50:29 2020 TUN/TAP TX queue length set to 100 Thu Jun 25 11:50:29 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Thu Jun 25 11:50:29 2020 /sbin/ip link set dev tun0 up mtu 1500 Thu Jun 25 11:50:29 2020 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255 Thu Jun 25 11:50:29 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET Thu Jun 25 11:50:29 2020 Socket Buffers: R=[212992->212992] S=[212992->212992] Thu Jun 25 11:50:29 2020 UDPv4 link local (bound): [AF_INET][undef]:1194 Thu Jun 25 11:50:29 2020 UDPv4 link remote: [AF_UNSPEC] Thu Jun 25 11:50:29 2020 GID set to nogroup Thu Jun 25 11:50:29 2020 UID set to nobody Thu Jun 25 11:50:29 2020 MULTI: multi_init called, r=256 v=256 Thu Jun 25 11:50:29 2020 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0 Thu Jun 25 11:50:29 2020 IFCONFIG POOL LIST Thu Jun 25 11:50:29 2020 Initialization Sequence Completed
and the other log (openvpnas.log) 2020-06-25 11:55:39+0000 [-] OVPN 2 OUT: 'Thu Jun 25 11:55:39 2020 Authenticate/Decrypt packet error: packet HMAC authentication failed' 2020-06-25 11:55:39+0000 [-] OVPN 2 OUT: 'Thu Jun 25 11:55:39 2020 TLS Error: incoming packet authentication failed from [AF_INET]IP:55955'
and that's the client log 2020-06-25 13:56:33.282083 SIGUSR1[soft,tls-error] received, process restarting 2020-06-25 13:56:33.282124 MANAGEMENT: >STATE:1593086193,RECONNECTING,tls-error,,,,, 2020-06-25 13:56:35.328014 MANAGEMENT: CMD 'hold release' 2020-06-25 13:56:35.328137 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2020-06-25 13:56:35.328327 TCP/UDP: Preserving recently used remote address: [AF_INET]1194 2020-06-25 13:56:35.328479 Socket Buffers: R=[786896->786896] S=[9216->9216] 2020-06-25 13:56:35.328505 UDP link local: (not bound) 2020-06-25 13:56:35.328531 UDP link remote: [AF_INET]SERVERIP:1194 2020-06-25 13:56:35.328575 MANAGEMENT: >STATE:1593086195,WAIT,,,,,, 2020-06-25 13:56:35.328919 MANAGEMENT: CMD 'hold release'
My vpn server used to works but I don't know what I did to break it. I tried also to reinstall openvpn, but don't know how to fix it and let clients connect  |
| ADO NET Destination has failed to acquire the connection with the following error message: "Login failed for user Posted: 11 Jul 2021 07:02 PM PDT Created a SSIS package, it is running fine when I run it on premise but when i try to execute it from sql server agent it gives me error for login failed for user, I am using SQL authentication to connect to the Azure database which are working fine on premise but erroring out on Job agent This the Error I am getting: Server Execute Package Utility Version 14.0.1000.169 for 64-bit Copyright (C) 2017 Microsoft. All rights reserved. Started: 10:59:46 AM Error: 2019-06-07 10:59:47.71 Code: 0xC0208452 Source: Data Flow Task ADO NET Destination [2] Description: ADO NET Destination has failed to acquire the connection {F51F409E-2990-4C40-8DFF-0B078AF481D4} with the following error message: "Login failed for user 'SVCASQLDW'.". End Error Error: 2019-06-07 10:59:47.71 Code: 0xC0047017 Source: Data Flow Task SSIS.Pipeline Description: ADO NET Destination failed validation and returned error code 0xC0208452. End Error Error: 2019-06-07 10:59:47.71 Code: 0xC004700C Source: Data Flow Task SSIS.Pipeline Description: One or more component failed validation. End Error Error: 2019-06-07 10:59:47.71 Code: 0xC0024107 Source: Data Flow Task Description: There were errors during task validation. End Error DTExec: The package execution returned DTSER_FAILURE (1). Started: 10:59:46 AM Finished: 10:59:47 AM Elapsed: 0.875 seconds. The package execution failed. The step failed.
 |
| Broadcast UPnP over WireGuard Posted: 11 Jul 2021 04:06 PM PDT I have few devices: VDS, custom NAS on linux, laptop PC. All of that successfully connected to one local subnetwork 10.1.1.0/24 Server configuration: [Interface] Address = 10.1.1.1/24 ListenPort = 5182 PrivateKey = *** [Peer] PublicKey = *** AllowedIPs = 10.1.1.2/32 [Peer] PublicKey = *** AllowedIPs = 10.1.1.12/32
Typical client: [Interface] Address = 10.1.1.2/32 PrivateKey = *** [Peer] PublicKey = *** AllowedIPs = 10.1.1.0/24,224.0.0.0/4 Endpoint = host.name:5182
A client interface (server is same) wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 10.1.1.2/24 scope global hub0 valid_lft forever preferred_lft forever
Server listen any address and port UNCONN 0 0 239.255.255.250:1900 0.0.0.0:* users:((minidlnad,pid=456,fd=5))
DLNA server can't be discovered, when I used OpenVPN this worked perfectly. So, I tried send a broadcast with socat and not receive it on other side, except my real local network.  |
| Postifx Dovecot lmtp, sieve not working Posted: 11 Jul 2021 05:04 PM PDT My mail server has a problem. I want to install sieve, but the rules do not work. As far as I found out, I think the handover at lmtp to dovecot does not work. e-mails can be received and sent, but the rules do not work. If I stop dovecot the mail is still stored in /var/vmail Where is the mistake? Debian 9.5 Postfix 3.1.8 Dovecot 2.2.27 Mail log when an email is received Aug 30 22:46:09 vps582284 postfix/smtpd[28317]: connect from mx09lb.world4you.com[81.19.149.119] Aug 30 22:46:09 vps582284 postfix/smtpd[28317]: 856843F6A9: client=mx09lb.world4you.com[81.19.149.119] Aug 30 22:46:09 vps582284 postfix/cleanup[28323]: 856843F6A9: message-id=<00bd01d440a2$76dcabc0$64960340$@source-domain.com> Aug 30 22:46:09 vps582284 postfix/qmgr[28309]: 856843F6A9: from=<daniel@source-domain.com>, size=1923, nrcpt=1 (queue active) Aug 30 22:46:09 vps582284 postfix/virtual[28324]: 856843F6A9: to=<test@dest-domain.com>, relay=virtual, delay=0.17, delays=0.15/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir) Aug 30 22:46:09 vps582284 postfix/qmgr[28309]: 856843F6A9: removed Aug 30 22:46:09 vps582284 postfix/smtpd[28317]: disconnect from mx09lb.world4you.com[81.19.149.119] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
doveconf -n # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:150: listen=..:port has been replaced by service { inet_listener { port } } doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:150: protocol { listen } has been replaced by service { inet_listener { address } } doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:150: listen=..:port has been replaced by service { inet_listener { port } } doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:150: protocol { listen } has been replaced by service { inet_listener { address } } # OS: Linux 4.9.0-7-amd64 x86_64 Debian 9.5 auth_mechanisms = plain login disable_plaintext_auth = no mail_debug = yes mail_location = mbox:~/mail:INBOX=/var/mail/%u managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Archive { auto = subscribe special_use = \Archive } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { mail_debug = yes sieve = /var/vmail/%d/%n/sieve sieve_dir = /var/vmail/%d/%n/sieve-scripts sieve_storage = /var/vmail/%d/%n/sieve-scripts } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imaps { port = 993 ssl = yes } } service lmtp { unix_listener lmtp { group = postfix mode = 0600 user = postfix } } ssl = required ssl_cert = </etc/letsencrypt/live/dest-domain.com/fullchain.pem ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA ssl_dh_parameters_length = 2048 ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { mail_plugins = " sieve" postmaster_address = daniel@source-domain.com }
postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no compatibility_level = 2 inet_interfaces = all inet_protocols = all local_transport = virtual mailbox_size_limit = 0 mydestination = $myhostname, localhost dest-domain.com myhostname = mail.dest-domain.com mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 readme_directory = no recipient_delimiter = + relayhost = smtp_tls_ciphers = high smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_unverified_recipient, permit smtpd_relay_restrictions = smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/letsencrypt/live/dest-domain.com/fullchain.pem smtpd_tls_ciphers = high smtpd_tls_dh1024_param_file = /etc/letsencrypt/live/dest-domain.com/dh.pem smtpd_tls_key_file = /etc/letsencrypt/live/dest-domain.com/privkey.pem smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf virtual_gid_maps = static:5000 virtual_mailbox_base = /var/vmail virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_uid_maps = static:5000 postconf: warning: /etc/postfix/main.cf: unused parameter: dovecot_destination_recipient_limit=1
thank you, daniel  |
| Windows Admin Center Doesn't Connect Posted: 11 Jul 2021 08:06 PM PDT I've installed version 1804.25 of Windows Admin Center (WAC) onto my Windows 10 Pro v1709 laptop. I accepted the WAC self-signed cert, provided by the installer, on first page load. I then used the WAC interface to add two EC2 servers. That is, I specified the public DNS of the two machines, and then chose "use another account for this connection" and provided the EC2 server's "Administrator" account and password for both machines. WAC indicated that both machines were successfully confirmed and added. I successfully reached this point because I set IP inbound rules on the EC2 security group for WinRM, and opened the WinRM port on the servers' firewall. However, when I click "Connect" for either of these servers, I get the message: Couldn't Connect: Verify the connection details and then try again.
I notice there is also the option to connect to my local laptop, where WAC is running. When I choose this option - it still won't connect and gives the same error. In short, WAC acts healthy, but can't connect to anything. Any ideas? I can successfully connect to both EC2 servers via RDP. further details: - Did you install with the default port setting? Yes
- Is the machine where Windows Admin Center is installed joined to a domain? Yes
- Is the machine that you are trying to manage joined to a domain? No
- Windows version of the machine that you are trying to manage: Windows 2016 and Windows 2016 Core
- What browser are you using? Edge
 |
| How to log out from network path Posted: 11 Jul 2021 09:22 PM PDT I have successfully logged onto a network path. But now I need to log onto that same path with different credentials. The problem is that when I navigate to that path, I no longer get a login dialog, even after rebooting! Is there any way to log out of that path so that next time I try to navigate there the login dialog will appear?  |
| Using defaultAuthenticationType with PowerShell Web Access Posted: 11 Jul 2021 09:06 PM PDT PowerShell web access lets you choose the authentication type. By default, it uses a value of Default, which ends up being Negotiate. I have set up CredSSP to allow logging into the PSWA server itself with CredSSP, so that network authentication works from within the session (avoids a double hop issue, without delegating credentials all over the network). Anyway, I want CredSSP to be the default option on the sign-in page. Looking into the configuration options for the PSWA web app in IIS, there are several values that can be set to override the defaults. One of them is called defaultAuthenticationType which is a string but is set to 0. This seems like the right setting, but I can't get it to work. If I inspect the sign in web page I can see that the select box has the following values: 0 Default 1 Basic 2 Negotiate 4 CredSSP 5 Digest 6 Kerberos
3 is missing.
JosefZ found that 3 is NegotiateWithImplicitCredential according to this page, but on Windows PowerShell 5.1.15063.966 for me that name/value is missing from the enum. If I set defaultAuthenticationType to a number, then the web page defaults to a new option: 7 Admin Specified
I have tried 3 and 4, but neither one works. The login happens using Kerberos, and CredSSP is not used. If I select CredSSP manually it works as expected. If I set defaultAuthentcationType to a string like CredSSP, no Admin Specified option appears and it just defaults to Default again, and still Kerberos authentication is used. Has anyone been able to successfully set this? Web results have been very lacking.  |
| SMTP network ACL on AWS Posted: 11 Jul 2021 06:00 PM PDT I have a very restricted ACL for my VPC. We have a public subnet and a private subnet, each subnet has its own individual ACL. What I don't understand is why the following ACL works for sending email over port 465 via Amazon SES. public: - inbound: src 0.0.0.0/0, port 465
- outbound: dest 0.0.0.0/0, port 465
private: - inbound: N/A
- outbound: dest 0.0.0.0/0, port 465
I get both outbound, but the inbound for public doesn't make any sense. Where in the SMTP RFC say the smtp server (SES, a relay) will connect with the client back on port 465? I would expect client pick a high port as shown in the following netstat: tcp 104 0 ip-10-0-1-75.ec:36836 ec2-54-243-225-221.:urd CLOSE_WAIT tcp 0 0 ip-10-0-1-75.ec:50903 ec2-54-243-161-229.:urd ESTABLISHED
urd is 465 from what I understand. So my instance in the private subnet routes the request to the NAT instance, and the NAT (in public subnet) sends the packets to the remote server. So why is 465 needed inbound anyway?  |
| OpenVPN client nslookup failure after disconnect Posted: 11 Jul 2021 07:02 PM PDT Currently I am trying to route my traffic through a gateway running Debian Linux which forwards all incoming traffic thorugh a VPN connection (Client -> Gateway with OpenVPN client -> VPN server -> Internet). This works fine exept it loses the connection from time to time and is unable to reconnect ifself due to nslookup timeouts. This happens every few days, mostly at night (as far as I know, some servers are terminating the session if no traffic was sent for a long time). When happening, I'll try to connect through SSH but after entering the username the server waits about 20 seconds before asking for the password which is also strange. Normally it askes for the password immediately. When looking into the syslog this one comes up: Jul 20 00:50:11 gateway ovpn-cyberghost[23893]: RESOLVE: Cannot resolve host address: 5-nl.cg-dialup.net: Temporary failure in name resolution
ifconfig and route shows, that the VPN interface is still up but seems to be hung up. root@gateway:~# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.129.57.169 128.0.0.0 UG 0 0 0 tun0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth2 10.129.57.169 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 93.190.138.125 192.168.0.1 255.255.255.255 UGH 0 0 0 eth2 128.0.0.0 10.129.57.169 128.0.0.0 UG 0 0 0 tun0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2 217.23.12.229 192.168.0.1 255.255.255.255 UGH 0 0 0 eth2
Heres my OpenVPN config: client remote 5-nl.cg-dialup.net 443 dev tun proto udp auth-user-pass /etc/openvpn/auth.txt route-nopull resolv-retry infinite redirect-gateway def1 persist-key persist-tun writepid /run/openvpn.pid nobind cipher AES-256-CBC auth MD5 ping 5 ping-restart 20 persist-local-ip ping-timer-rem explicit-exit-notify 2 script-security 2 remote-cert-tls server route-delay 5 tun-mtu 1500 fragment 1300 mssfix 1300 verb 1 comp-lzo
Heres my resolv.conf: root@gateway:~# cat /etc/resolv.conf nameserver 85.214.20.141 nameserver 213.73.91.35
Changing the nameservers, for example to 127.0.0.1 (bind9 correctly installed as a dns resolver), did not solve anything but I do not expect to find the problem here. I guess, the following is the reason: The server closed the session due inactivity of the client so the client tries to reconnect. In the process of reconnecting OpenVPN resolves the hostname of the VPN server but it uses the broken VPN interface which is set as the default gateway instead of the correct default gateway. No cleanup is made (remove tun0 interface and deleting the routes), which would perhaps solve the problem. Also I think there could be an issue having two default gateways but I am not sure. After terminating the OpenVPN process manually and starting it again everything works fine like nothing ever happend. I don't know how either tell OpenVPN to use the eth2 interface for that initial nslookup or to get OpenVPN to cleanup the routes. Did I forgot to add something in the config file (I didn't found any helpful commands in the manpage)?  |
| Wireless authentication with DD-WRT, Cisco and Microsoft Posted: 11 Jul 2021 10:03 PM PDT I'm looking for a way to authenticate my wireless users beyond them just knowing the wireless password. Ideally they would join the access point then get dumped to the login portal that they'd have to log in with their current user name and password, which would get checked against AD. Additionally, I'd be looking for two features: 1) That users could be "remembered" for 30 days (or some period of time) so they don't need to log in every time they want to use wireless 2) Somehow we could lock users out through some action in AD My access points are Buffalo routers running DD-WRT. I have mostly Windows 7 machines and servers running Server 2008 r2. In addition I have a Cisco router and ASA firewall. Can this be done with the equipment I have? I looked at a few "captive portals" for DD-WRT but they seem outdated. Any help is appreciated.  |
| Is it possible to add an os variant to the virt-manager list? Posted: 11 Jul 2021 09:51 PM PDT I just installed RHEL 7.1 on a server. I'm using it to study for the RHCSA/RHCE exams. One of the steps in the study guide is to install a VM through virt-manager using installation media on an FTP server. The OS variant list only goes up to RHEL 7.0. I attempted to install 7.1 but it threw an error every time: An unknown error has occurred
The dialog that contains the error also provides debug information and a backtrace leading up to the error. I have not been able to find any cause of the problem when sifting through this data. I downloaded the RHEL 7.0 installation media. When pointing the VM at that during the configuration the installation does not throw the error and runs normally. I find it strange that virt-manager on RHEL 7.1 can't install a RHEL 7.1 VM. But that's neither here nor there. Is it possible to add RHEL 7.1 to the list? If so will it be recognized or are there other things that virt-manager relies on to ensure the process functions correctly?  |
| Django, mod_wsgi, pyvenv-3.4 - configuration Posted: 11 Jul 2021 10:03 PM PDT I'm trying to deploy my first, simple django website. I have an VPS with Ubuntu 14.07 Server, Apache 2.4.7 with mod_wsgi.
So, i added this vhost: <VirtualHost *:80> ServerName api.XXX.net ServerAdmin webmaster@XXX.net DocumentRoot /var/www/XXX.net/api WSGIScriptAlias / /var/www/XXX.net/api/backgrounds-apps-server/XXX/index.wsgi WSGIDaemonProcess api.XXX.net processes=2 threads=15 python-path=/var/www/XXX.net/api:/var/www/XXX.net/api/lib/python3.4/site-packages WSGIProcessGroup api.XXX.net <Directory /var/www/XXX.net/api/backgrounds-apps-server> Order allow,deny Allow from all </Directory> Alias /static/ /var/www/XXX.net/api/backgrounds-apps-server/XXX/static/ <Location "/static/"> Options -Indexes </Location> LogLevel info ErrorLog ${APACHE_LOG_DIR}/api_XXX_error.log CustomLog ${APACHE_LOG_DIR}/api_XXX_access.log combined </VirtualHost>
and my index.wsgi: import os, sys, site # Add the site-packages of the chosen virtualenv to work with site.addsitedir('/var/www/XXX.net/api/lib/python3.4/site-packages') # Add the app's directory to the PYTHONPATH sys.path.append('/var/www/XXX.net/api/backgrounds-apps-server') sys.path.append('/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper') os.environ.setdefault("DJANGO_SETTINGS_MODULE", "movies_wallpaper.settings") #Activate your virtual environment from django.core.wsgi import get_wsgi_application application = get_wsgi_application()
But when I'm trying to load the page I'm getting 500 Error. In apache log we can see this: [Mon Oct 06 16:27:42.625220 2014] [:info] [pid 3050] mod_wsgi (pid=3050): Adding '/var/www/XXX.net/api' to path. [Mon Oct 06 16:27:42.625433 2014] [:info] [pid 3050] mod_wsgi (pid=3050): Adding '/var/www/XXX.net/api/lib/python3.4/site-packages' to path. [Mon Oct 06 16:27:42.626344 2014] [:info] [pid 3050] [remote 188.121.29.164:61055] mod_wsgi (pid=3050, process='api.XXX.net', application='api.XXX.net|'): Loading WSGI script '/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper/index.wsgi'. [Mon Oct 06 14:27:43.418048 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] mod_wsgi (pid=3050): Target WSGI script '/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper/index.wsgi' cannot be loaded as Python module. [Mon Oct 06 14:27:43.418082 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] mod_wsgi (pid=3050): Exception occurred processing WSGI script '/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper/index.wsgi'. [Mon Oct 06 14:27:43.418106 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] Traceback (most recent call last): [Mon Oct 06 14:27:43.418128 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper/index.wsgi", line 14, in <module> [Mon Oct 06 14:27:43.418189 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] application = get_wsgi_application() [Mon Oct 06 14:27:43.418201 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/django/core/wsgi.py", line 14, in get_wsgi_application [Mon Oct 06 14:27:43.418243 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] django.setup() [Mon Oct 06 14:27:43.418254 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/django/__init__.py", line 21, in setup [Mon Oct 06 14:27:43.418295 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] apps.populate(settings.INSTALLED_APPS) [Mon Oct 06 14:27:43.418307 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/django/apps/registry.py", line 108, in populate [Mon Oct 06 14:27:43.418444 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] app_config.import_models(all_models) [Mon Oct 06 14:27:43.418457 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/django/apps/config.py", line 197, in import_models [Mon Oct 06 14:27:43.418552 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] self.models_module = import_module(models_module_name) [Mon Oct 06 14:27:43.418564 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module [Mon Oct 06 14:27:43.418611 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] __import__(name) [Mon Oct 06 14:27:43.418621 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/backgrounds-apps-server/movies_wallpaper/movies/models.py", line 6, in <module> [Mon Oct 06 14:27:43.418682 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] from easy_thumbnails.fields import ThumbnailerImageField [Mon Oct 06 14:27:43.418694 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/easy_thumbnails/fields.py", line 2, in <module> [Mon Oct 06 14:27:43.418759 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] from easy_thumbnails import files [Mon Oct 06 14:27:43.418783 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/easy_thumbnails/files.py", line 14, in <module> [Mon Oct 06 14:27:43.419070 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] from easy_thumbnails import engine, exceptions, models, utils, signals, storage [Mon Oct 06 14:27:43.419086 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] File "/var/www/XXX.net/api/lib/python3.4/site-packages/easy_thumbnails/engine.py", line 10, in <module> [Mon Oct 06 14:27:43.419155 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] import Image [Mon Oct 06 14:27:43.419176 2014] [:error] [pid 3050] [remote 188.121.29.164:61055] ImportError: No module named Image
Pillow is installed in virtual environment (pyvenv-3.4) and under idle python3.4 works fine. Can someone tell me what is wrong with my configuration?  |
| Running php-fpm with httpd 2.4.4 in CentOS 6.4 Posted: 11 Jul 2021 06:00 PM PDT I upgraded to httpd 2.4.4 from the httpd 2.2 that shipped with CentOS/RHEL 6.4. I'm running into an error trying to serve Roundcube mail using php-fpm. We tried a number of solutions on #httpd at Freenode. I would greatly appreciate any insight. It worked well with httpd 2.2. These instructions were followed so far: https://wiki.apache.org/httpd/PHP-FPM The error I get is Forbidden: You don't have permission to access / on this server. The error log says: [Fri Sep 06 15:26:23.542241 2013] [autoindex:error] [pid 16868:tid 140266652563200] [client 129.105.171.78:50823] AH01276: Cannot serve directory /var/www/roundcubemail/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
VirtualHost in /etc/httpd/conf.d/ssl.conf <VirtualHost *:443> ServerName mail.mydomain.org DocumentRoot /var/www/roundcubemail SSLEngine on SSLCertificateFile /etc/pki/tls/certs/domain.crt SSLCertificateKeyFile /etc/pki/tls/private/domain.key ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/roundcubemail/$1 </VirtualHost>
/etc/httpd/conf.d/roundcubemail.conf <Directory "/var/www/roundcubemail/"> Options -Indexes SetOutputFilter DEFLATE AllowOverride All Require all granted </Directory>
/var/www/roundcubemail/.htaccess AddDefaultCharset UTF-8 AddType text/x-component .htc <IfModule mod_php5.c> php_flag display_errors Off php_flag log_errors On # php_value error_log logs/errors php_value upload_max_filesize 5M php_value post_max_size 6M php_value memory_limit 64M php_flag zlib.output_compression Off php_flag magic_quotes_gpc Off php_flag magic_quotes_runtime Off php_flag zend.ze1_compatibility_mode Off php_flag suhosin.session.encrypt Off #php_value session.cookie_path / php_flag session.auto_start Off php_value session.gc_maxlifetime 21600 php_value session.gc_divisor 500 php_value session.gc_probability 1 # http://bugs.php.net/bug.php?id=30766 php_value mbstring.func_overload 0 </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico # security rules RewriteRule \.git - [F] RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ - [F] RewriteRule ^/?(SQL|bin) - [F] </IfModule> <IfModule mod_deflate.c> SetOutputFilter DEFLATE </IfModule> <IfModule mod_headers.c> # replace 'append' with 'merge' for Apache version 2.2.9 and later #Header append Cache-Control public env=!NO_CACHE </IfModule> <IfModule mod_expires.c> ExpiresActive On ExpiresDefault "access plus 1 month" </IfModule> FileETag MTime Size <IfModule mod_autoindex.c> Options -Indexes </ifModule>
 |
| Unexpected behaviour when dynamically add node in HAproxy server Posted: 11 Jul 2021 08:06 PM PDT I wanted to use HAProxy for my web app for load balancing purpose. I am trying to add a new rabbitmq node dynamically in HAProxy server using command : haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid). I am doing tcp connection mode with leastconn balance algorithm in load balancing. What is expected is when there is 3 connection in one rabbitmq, I add a new rabbit server in HAProxy server. so the next connection would pass to 2nd rabbitmq server which is not happening in my case. It distributes the connection in haphazardly manner. Here is my config file: defaults log global mode http option httplog option dontlognull retries 3 option redispatch maxconn 2000 contimeout 5000 clitimeout 5000 srvtimeout 5000 listen rabbitmq 0.0.0.0:5672 mode tcp stats enable balance leastconn option tcplog server rabbit01 xx.xx.xx.xx:5672 check server rabbit02 xx.xx.xx.xx:5672 check listen tomcatq 0.0.0.0:80 mode http stats enable balance roundrobin stats refresh 10s stats refresh 10s stats uri /lb?stats stats auth admin:admin option httplog
What is the problem causing this behavior? Any suggestion will appreciated.  |
| Mysterious per-session CPU limiting? Posted: 11 Jul 2021 04:06 PM PDT TL;DR: CPU-hungry processes are sharing cores on a multi-core server while other cores sit idle, whereas I expect the Linux scheduler to distribute jobs evenly across cores. What could cause this behavior? My workgroup has a new 4-core server running SuSE that is experiencing some strange CPU-scheduling behavior that our admin (the guy who set up the box) didn't know about and can't seem to fix. I'm hoping you all can help me diagnose what might be causing this strange behavior. Here are the symptoms: 1) Every SSH session seems to be limited to using a single core. I have tested this a variety of ways, but the simplest was creating a simple infinite-looping C program and running multiple copies. They always share one core if started from a single SSH session, and I can't even control which core; it seems to be set at login time. Furthermore, even using multiple simultaneous SSH sessions, the only cores that I can ever utilize this way are cores 0 and 3; 1 and 2 never get touched, no matter how many sessions or processes I start. 2) If, from an SSH session like the ones mentioned above, I start my program with "nohup" to divorce it from the current session, it will use a different core than the rest of the programs started from that session. However, all nohup-started programs from the same SSH session will again share a core with each other. Interestingly, these nohup-started programs are always assigned to cores 1 and 2. The expected behavior, of course, is what I've always seen on other Linux systems (I'm mostly familiar with RHEL, Fedora, and Ubuntu): I should be able to utilize all 4 cores from a single session with or without using nohup; furthermore, jobs should occasionally jump cores to balance the load time evenly between them. Here's an example of 2 processes running on one core: http://i.imgur.com/K9rH3.png (Sorry, can't post images directly yet, even though I've got enough cred on other StackExchange sites). Note in the above that each "burn" process takes up 100% of one core if run in isolation, but here they are sharing a core for some reason while three cores sit idle. Also note that these two processes shared the "Cpu3" core in excess of 20 minutes without changing to another core to balance the load (this was after the image was taken; after 20 minutes I stopped watching). My first thought when encountering this problem was that "ulimit" was in effect, but it doesn't look like it to my (admittedly non-expert) eye: dmonner@bass:~> ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 128465 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) 13988192 open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 128465 virtual memory (kbytes, -v) 40007280 file locks (-x) unlimited
Additionally, /etc/security/limits.conf is empty (or at least has no lines that aren't comments), so I don't think it's PAM enforcing limits. I have sudo access on the machine, and even if I 'sudo su' and then run processes, I am core-limited in the same way. So: Does anyone have ideas as to what can cause this kind of behavior, and how to get rid of it?  |
| SNMP Custom Script Execution in Win 2008R2 Posted: 11 Jul 2021 09:06 PM PDT I'm trying to execute a custom Script that is readable from SNMP service. Let's try to explain my purpose. - I have a Win2008R2 server
- I have a PowerShell Script that "echo" something and return an Integer (error code ...)
- I'm trying to get my Script executed when a snmpwalk is launch toward my Server
Assuing I have my own OIDs, how can I do that ? Is this even possible ? Under Unix/Linux environement, I just have to add a line in snmpd.conf.  |
No comments:
Post a Comment