Recent Questions - Server Fault
- PEERING connectivity issues between VPCs?
- Ubuntu 20.04 false subnet per interface isc-dhcp-server
- mount error(13): Permission denied on GNU/Linux
- SQS is not working for multiple ECS (fargate) instances
- DNS lookup spam running up Route 53 bill
- multiple interfaces match the same shared network dhcpd
- nginx reverse proxy IP_adr/1881 to localhost:1881 proxy_pass
- VPN clients get disconnected on my machine very frequently (2 or 3 times per hour). Clients I'm using are FortiClient VPN and Cisco AnyConnect VPN
- Mail from Google Compute Engine not working, email delivery deferred
- Specifying a rule to block RDP access on Windows Server 2019 except for a range of addresses
- Windows ntp client not syncing with linux server
- Postfix overwrites the sender
- "gcloud app deploy" hangs on "Building and pushing image for service"
- Access denied for virtual users (ProFTPD)
- Why is Docker volume world-writable if set to /tmp?
- Is 250 Mbps on a cheap VPS enough for 500 CCU listening to a radio stream?
- How do you mount a k8s service account token as an environment variable?
- GCP External HTTPs Load Balancer - 404 - 503 - SSL Exception (Remote host terminated connection, read handshake, socket closed & upstream connect)
- How to set logic to create multiple machines on azure using terraform?
- SSL for devices in local network
- What's the point of Azure Service Endpoint?
- iptables v1.8.2 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT
- How to route all VM traffic through specific physical interface over a Linux bridge?
- Sonicwall Global VPN user either can't reach internet, or LAN depending on Access List
- linux + tput: No value for $TERM and no -T specified
- proxy_fcgi:error (70008) Partial results are valid but processing is incomplete. AH01075
- TFS BuildHttpClient UpdateDefinition C# example
- Regex nginx location with named location
- Can't request computer certificate
- Encryption on Solaris (using Keystore)
PEERING connectivity issues between VPCs?
Posted: 08 Mar 2022 06:29 AM PST
Could you help me with the network infrastructure below, referred to as "PEERING"? We have two VPCs in our GCP Cloud. The first: "vpc-shared-nonprod", project name "Shared", subnet name subnet-shared-nonprod "10.1.0.0/24". The second: "vpc-4i-shared-prod", project name "Shared", subnet name subnet-shared-prod "10.2.0.0/24". We are not able to create peering between the projects "vpc-shared-nonprod" ("Shared - 10.1.0.0/24") and "vpc-shared-prod" ("Shared - 10.2.0.0/24").
Ubuntu 20.04 false subnet per interface isc-dhcp-server
Posted: 08 Mar 2022 05:08 AM PST
This morning I configured my interfaces and tried to configure my DHCP server. In /etc/default/isc-dhcp-server I added this:
However, any subnet returned by the DHCP server is from 192.168.0.0/24, and I have no idea why, so I checked the DHCP manual:
"""Please note that the current implementation assumes clients only have a single network interface. A client with two network interfaces will see unpredictable behavior. This is considered a bug, and will be fixed in a later release. It may be helpful to enable the one-lease-per-client parameter so that roaming clients do not trigger this same behavior."""
Do you have any idea?
mount error(13): Permission denied on GNU/Linux
Posted: 08 Mar 2022 04:59 AM PST
I need help with mounting a Windows shared drive on Linux. I tried searching for the solution on Google and on this site, but was unable to find one. I verified that the user has access to the shared drive. NOTE: All the commands are being run as root.
sudo mount.cifs //domain.local/IT /mnt/share/ -o user=domain/username
Here is the error message I'm getting:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
SQS is not working for multiple ECS (Fargate) instances
Posted: 08 Mar 2022 04:58 AM PST
I am using an application load balancer; under this ALB, a target group is provided. In this target group, two Fargate ECS instances are running. These two instances use the same PHP Docker image. When I upload a CSV file, the tasks in the CSV file are moved to SQS. Here the tasks are not being passed to SQS and no error messages are shown. So I changed the ECS instance number to 1 (initially it was 2) and then SQS works fine. So how do I resolve this issue for multiple ECS containers?
DNS lookup spam running up Route 53 bill
Posted: 08 Mar 2022 04:33 AM PST
Throughout 2021 we saw around 15M DNS queries/month. In January 2022 we saw almost 300M and I didn't notice... then February almost 1 TRILLION... and I noticed because of the bill. Amazon isn't really helping yet; I told them this is obviously spam. This isn't application layer, there is nothing I can do, right...?
multiple interfaces match the same shared network dhcpd
Posted: 08 Mar 2022 04:03 AM PST
My netplan:
My dhcpd.conf:
I have no idea why I get "isc-dhcp-status: multiple interfaces match the same shared network dhcpd ens192 ens224". Thank you.
nginx reverse proxy IP_adr/1881 to localhost:1881 proxy_pass
Posted: 08 Mar 2022 03:59 AM PST
I have read this post and tried many things, but I have an issue with the rewrite regex. Here I have many Node.js processes as backends, each accessed on a different port. With an nginx reverse proxy on the same server I want to pass, for example:
I can get 1881 from:
This is what I tried:
Thank you for your help, have a good day.
VPN clients get disconnected on my machine very frequently (2 or 3 times per hour). Clients I'm using are FortiClient VPN and Cisco AnyConnect VPN
Posted: 08 Mar 2022 03:51 AM PST
VPN clients get disconnected on my machine very frequently (2 or 3 times per hour). The clients I'm using are FortiClient VPN and Cisco AnyConnect VPN. The log file from FortiClient is as below:
3/8/2022 2:04:27 PM info sslvpn date=2022-03-08 time=14:04:26 logver=1 id=96600 type=securityevent subtype=sslvpn eventtype=status level=info uid=556CBFD17961472AB2443601856E703C devid=FCT8000116156976 hostname=DESKTOP-XXXXXX pcdomain=N/A deviceip=xxx.xxx.xxx.xxx devicemac=01-05-9b-3c-7v-00 site=N/A fctver=7.0.2.0090 fgtserial=FCT8000116156976 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=xxxxxxxxxxx@AzureAD msg="SSLVPN tunnel status" vpnstate=connected vpntunnel=vpn.xxxxxxxx.co.uk
3/8/2022 2:17:26 PM error sslvpn FortiSslvpn: 8888: error: poll_send_ssl -SSL_get_error(): 5, try:1
3/8/2022 2:17:26 PM error sslvpn FortiSslvpn: 8888: error: poll_send_ssl - WSAGetLastError():2745, try:1
3/8/2022 2:17:26 PM error sslvpn FortiSslvpn: 8888: error: poll_send_ssl -data size: 50, try:1
3/8/2022 2:17:26 PM error sslvpn FortiSslvpn: 8888: [handle_driver_read_event]: error: poll_send
3/8/2022 2:18:55 PM info sslvpn FortiSslvpn: 12472: Ras: connection to fortissl terminated
In the Windows event logs the following messages appear:
Connectivity state in standby: Disconnected. Reason: Policy Setting
7026 - Dump after return from D3 after cmd
The system is entering connected standby. Reason: Idle timeout
I was not in an idle state for a long time when disconnecting. There are no internet connectivity issues for me. Please add your thoughts on this issue. Thanks in advance.
Mail from Google Compute Engine not working, email delivery deferred
Posted: 08 Mar 2022 03:46 AM PST
Mail from a cPanel installation on Google Compute Engine is not working; email delivery is deferred. Error:
220-appsunshine.cprapid.com ESMTP Exim 4.94.2 #2 Tue, 08 Mar 2022 21:27:17 +1000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Specifying a rule to block RDP access on Windows Server 2019 except for a range of addresses
Posted: 08 Mar 2022 03:45 AM PST
I want to block access by an IP range to RDP on my Windows 2019 VPS. Since I have a dynamic IP from my internet provider, I can't be certain what IP I will be using to access Remote Desktop myself (actually I use some other remote access software but want to keep Remote Desktop available just in case, so I can still access the server if the other software doesn't work). I'm guessing that at least the first number of the IP address, e.g. 123.xxx.xxx.xxx (the 123 part), would probably not change. I found an article here about how to configure a firewall rule for RDP. However, I'm uncertain how to specify a range. How would I specify the range of all numbers starting with 123.?
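As an added example (not from the question or from Server Fault), the scope of the built-in Remote Desktop firewall rules can be narrowed in PowerShell so that only one source range reaches TCP/UDP 3389; the 123.0.0.0/8 range is my assumption from "all numbers starting with 123", and the "Remote Desktop" display group is the name Windows Server uses for its built-in RDP rules.

```powershell
# Added example: restrict the built-in Windows Firewall Remote Desktop rules
# to a single source range instead of adding a separate block rule.
# Assumption: the asker's "starts with 123." means 123.0.0.0/8 (a CIDR that
# still covers about 16.7 million addresses). Run in an elevated session on
# the Windows Server 2019 host.

$AllowedRange = '123.0.0.0/8'   # assumed range; replace with the real one

# Windows Firewall drops inbound traffic that no allow rule matches, so
# narrowing the remote-address scope of the existing allow rules is enough:
# hosts outside the range simply no longer match any rule for port 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedRange

# Verify the change: list each rule with its current remote-address scope.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# Before closing the current session, confirm an RDP connection from an
# address inside $AllowedRange still works; if the range is wrong, the other
# remote-access tool or the VPS console is the way back in.
```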
Windows NTP client not syncing with Linux server
Posted: 08 Mar 2022 03:26 AM PST
I am trying to synchronize the time of three computers on a local network. Although having the smallest drift/error possible with the world/internet would be great, it is not my concern. My main concern is to have the best possible synchronization between the three computers. To achieve this, I have set up one of the two Ubuntu machines (192.168.1.50) to act as an NTP server. I have done this by editing the Ubuntu NTP server config file in
Then, I checked that the other Ubuntu computer (192.168.1.71) is synchronized with it. First I added
This seems to work properly, and a 0.001271 offset is acceptable for my purpose. Next is to do the same with Windows (192.168.1.201). First I check that the computers are indeed not synchronized:
Which makes sense, as the Windows client is so far synchronized to
I changed the time server with
Then, I checked again the time difference between the Ubuntu NTP server and this Windows machine:
Which shows that the Windows NTP client is clearly not synchronized with the Ubuntu NTP server. However, if I check the status:
It clearly says that the source is the right one (192.168.1.50) and that it was synchronized just before the query.
Postfix overwrites the sender
Posted: 08 Mar 2022 03:18 AM PST
So I'm having issues with my Postfix server. It is a relay and it works with Linux machines (SUSE Leap 15.2 and SLES 12 SP5) but not with my Solaris machines (Solaris 8 and Solaris 10). Here is the command I type on the Solaris 8 machine:
And here is the
And my problem is here: it changes the normal sender, which I need
I'm looking for hints, because I know it's not a problem in my Postfix configuration since it works with the other machines on Linux.
"gcloud app deploy" hangs on "Building and pushing image for service" Posted: 08 Mar 2022 03:00 AM PST I suddenly can't deploy using gcloud app deploy. It hangs on "Building and pushing image for service [default]". At that time, the Python process takes 99% CPU, and continues until the deploy times out. I've tried upgrading Python to no avail. It occurs regardless of Google Appengine Project. Have tried installing different versions of gcloud CLI to no avail. My teammates can deploy successfully using the same commands. Any ideas? |
Access denied for virtual users (ProFTPD)
Posted: 08 Mar 2022 02:48 AM PST
I can't connect to the FTP server as a virtual user, but I can connect as the ubuntu user. I tried setting permissions 777, 0755, 775 on the directory
Here's my config: https://pastebin.com/Y3KWu8up
My virtual user home directory is
Why is Docker volume world-writable if set to /tmp?
Posted: 08 Mar 2022 04:29 AM PST
For the context:
test 1: volume is
Is 250 Mbps on a cheap VPS enough for 500 CCU listening to a radio stream?
Posted: 08 Mar 2022 02:56 AM PST
I'd like to use a cheap VPS hosted by OVH, France (1 vCore, 2 GB RAM, 40 GB SSD NVMe, 250 Mbps unmetered) to host an Icecast server which will be used for an event this month. There will be up to 500 CCUs listening to the 128 kbps audio stream. Based on my reading of this article, it seems to me that 250 Mbps should be enough to handle the load, but I haven't got any experience in managing this kind of problem. My reasoning is that 128 kbps * 500 CCU + 10% overhead = approx. 70 Mb/s. I'm also wondering if the 250 Mbps unmetered supplied by OVH is guaranteed, or whether the load from other services hosted by other clients on the machine could have an impact on performance. (I asked OVH already but they weren't especially helpful.) Thank you for your insights! Samuel
How do you mount a k8s service account token as an environment variable?
Posted: 08 Mar 2022 05:04 AM PST
When you associate a service account to a pod, it gets mounted in the
GCP External HTTPS Load Balancer - 404 - 503 - SSL Exception (Remote host terminated connection, read handshake, socket closed & upstream connect)
Posted: 08 Mar 2022 05:07 AM PST
We're load testing a MIG (with 2 instances) hosted behind the HTTPS load balancer using JMeter.
Observation 1: We randomly receive
Based on GCP:
The above statement doesn't assist with troubleshooting, getting the issue resolved, or isolating its cause. We didn't find anything w.r.t. these error messages within the GCP docs or other articles.
Observation 2: We randomly receive random SSL exceptions at JMeter's end: Remote host terminated connection, read handshake, socket closed & upstream connect.
Steps taken:
So, we are looking at what we are missing or what else we can fine-tune/modify for testing purposes in order to get the above-mentioned issues resolved. Thank you. Gaurav_N17
How to set logic to create multiple machines on Azure using Terraform?
Posted: 08 Mar 2022 03:14 AM PST
Below is the template I have for an Azure VM. In Google Cloud, we have an option to set a count for creating multiple machines, as I heard. How do I create multiple machines using a single template, so that based on a variable value that many machines are created? Sample template for an Azure Windows Server VM. GitHub URL: link. I want to keep this repo permanently public, so I am not posting the direct files here.
SSL for devices in local network
Posted: 08 Mar 2022 06:17 AM PST
Initial question
We make devices which run a web server, and the user can control some functionality of the device by browsing directly to the IP of the device. This can be a fixed IP when a direct WiFi or Ethernet connection is used, but in most cases this is the IP that the device has received from a DHCP server in the network. More and more, HTTPS is required to access some of the more advanced functionality of a browser. For example, to access the cache (https://developer.mozilla.org/en-US/docs/Web/API/Cache), to allow the webcam to be used (https://blog.mozilla.org/webrtc/camera-microphone-require-https-in-firefox-68/), Service Workers (https://www.digicert.com/dc/blog/https-only-features-in-browsers/), ... The list keeps growing every day. I'm all for having secure systems, but I think there is one major issue. The way HTTPS (TLS) is set up, a certificate is only marked as valid if the domain name matches the one in the certificate and the certificate authority is accepted by the client's browser; the chain of trust, as it is called. This works beautifully on the web, where fixed hostnames are used. However, when users are not using the internet but their local network, the hostname is not known beforehand. Sometimes users can use local DNS or mDNS, but this is not always the case. Many times users just use the internal IPv4 address. This is where the trouble begins, because there are two options with using the devices we make:
Option number 2 is the reason that we do not force the devices to be accessed by HTTPS, because it simply alarms too many users and floods customer service. Five years ago this was not really an issue, because everything could be done without HTTPS. With more and more APIs now only working in a 'Secure Context', this is really becoming a problem for us. Therefore I think the need is becoming very big to come up with a system to use HTTPS without the hostname system, strictly in internal networks. I could imagine that the private IPv4 ranges could be excluded from the warnings, or something more clever. This brings me to my question: do you face the same problems, and how can this be solved?
Update 1
As pointed out in the first comment, the now proposed solution is to use a wildcard certificate and to configure a DNS entry for the device on a public domain. This however has the issue that the client still requires an active internet connection. This is certainly not always the case in these kinds of setups.
Update 2
I also found this article on Let's Encrypt which talks about the same subject without giving a solution: https://letsencrypt.org/docs/certificates-for-localhost/
Update 3: hypothetical solution idea
After reading the below answers and comments I was thinking of a possible secure solution for the problem. Would the below setup (if it were allowed) be secure?
I think this would solve the problem completely and have the following advantages:
Please comment if I overlook something.
Update 4
I want to thank everyone for all the help and thinking along. The conclusion for me is that the whole idea behind certificates and the trust chain behind them doesn't allow what I want. This is because there is simply no way for a CA to be sure that the internal IP address I'm pointing to is uniquely owned by the device that I want to reach. An internal IP, for example 192.168.0.10, is owned by thousands of devices, and thus it is not possible to grant a certificate which allows browsers to show no warning display. The only option is to do the certificate validation by manual intervention (installing the device certificate, pushing your own device's CA to the user, and the various more complex options as proposed in the answers). This is simply something I need to live with. Nevertheless I think I'm going to open a ticket with Firefox and Chrome, because I think that for internal IP addresses a simple grey non-secure warning, as with HTTP, is more than enough of a warning. The red warnings should only be shown when making use of HTTPS in the use case it was designed for.
Update 5
I have filed a bug report at Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1705543 I'm posting this link as a reference so anyone can follow the issue.
What's the point of Azure Service Endpoint?
Posted: 08 Mar 2022 06:20 AM PST
I guess I'm missing something, but I just don't get Service Endpoints. Let's say I have Azure SQL, and I want to secure it as much as possible. Now, I can use the Firewall IP rules to protect from unauthorized access from the public web. This, if I get it right, has nothing to do with Service Endpoints. So I can set an endpoint to connect, say, a VM in my subscription to the Azure SQL. But what's the difference if I do or don't have a service endpoint? From what I gathered, the service endpoint makes my resources access the SQL via the Azure backbone instead of via the public IP. So that means that service endpoints have nothing to do with outside access, which is still protected using the Firewall's IP rules. Is that correct? Does a service endpoint protect against Azure resources accessing using the public IP? I really feel I'm missing something... Thanks!
iptables v1.8.2 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT
Posted: 08 Mar 2022 06:02 AM PST
On Debian 10 I am trying to apply the following iptables rules:
but I get an error at the last one:
How to route all VM traffic through a specific physical interface over a Linux bridge?
Posted: 08 Mar 2022 03:03 AM PST
My objective is to have all KVM guest VMs send and receive traffic on
I have a host Linux machine (CentOS 7) with several NICs, 2 of which are in use in this scenario,
The em1 interface has an IP of
I have created a route on my Netgear firewall to direct
From the host VM, I can ping the "bridge gateway", the VM guest, and the firewall gateway to the internet:
And from the guest VM, I can ping
This is my config for
And
My routing table on the VM host:
The guest VM was started with
Guest VM
And the guest VM routing table:
As requested, my host bridge output:
Question/Problem: How do I / why can't I route into my guest VM, or rather, why can't my guest VM get out to the internet?
Sonicwall Global VPN user either can't reach internet, or LAN depending on Access List
Posted: 08 Mar 2022 05:04 AM PST
I have a SonicWall running firmware 6.5.4.4-44n and have a standard VPN (not SSL-VPN) set up, which I'm connecting to via the Global VPN Client for Windows. The WAN Group VPN is set up to be a "Split Tunnel" and I have both "Set Default Gateway as this Gateway" and "Apply VPN Control List" NOT checked (checking either doesn't seem to make a difference in the behavior). What I would like to accomplish is that users connected to the VPN can access the "X0 Subnet" (which is an Object defined as 10.0.0.0/255.255.255.0) through the VPN and the rest of the internet via their own external connection (NOT route internet traffic through the VPN). What I've found is my users can either:
Perhaps I'm missing what "VPN Access" means, but this seems like the opposite behavior to what I would expect. (Giving "X0 Subnet" access results in the user not being able to access the "X0 Subnet".) I've been trying different configurations and following various internet posts for the past 2 days without making any progress. Does anyone have an idea of what is going on here? With "LAN Networks" in the access list, here is my client route map. (My non-VPN client network is 10.0.2.0/24. The remote network I'm trying to access is 10.0.0.0/24, which is in the "LAN Subnets" list.) Thanks in advance
linux + tput: No value for $TERM and no -T specified
Posted: 08 Mar 2022 05:04 AM PST
I use the tput command in my bash script in order to color the text, as
When I run the script from PuTTY or a console everything is OK, but when I run some external Windows application engine that runs the script via SSH, we get the following error on tput:
Please advise what needs to be set (ENV or something else) in my bash script in order to use the tput command. What value needs to be set for $TERM (in my bash script)?
proxy_fcgi:error (70008) Partial results are valid but processing is incomplete. AH01075
Posted: 08 Mar 2022 03:30 AM PST
I have a server running with:
In the browser there is an Ajax script that every 5 seconds sends a query to a PHP file to update a timestamp in the DB. This script works well on other servers, but here, with not so many users, it logs the following error:
I have no idea what it is and how to fix it. I have searched the entire web and I didn't find much; any hint would be appreciated.
Edit 1: I switched the error mode to debug and the full log for the error is this:
TFS BuildHttpClient UpdateDefinition C# example
Posted: 08 Mar 2022 04:03 AM PST
I need to update a vNext Build Definition programmatically. The reason for the need to programmatically update the build definition is that we are running the RTM version of Team Foundation Server 2015, and as of that release certain parts of the vNext Build Definitions are not exposed in the web GUI, and there is (as yet) no other way to change them. (Assuming that you want to keep your database in a supported state, and refuse to modify the database directly.) Our corporate environment and all machines recently went through a domain change. The TFS server was moved to the new domain with no issues. However, the vNext Build definition has an internal reference to the old server name in the URL field, which still has the old domain name inside it. So far, I have the following code, which should update the URL of each build definition of a certain project.
The call to GetDefinitionsAsync clearly returns the proper build DefinitionReferences to me, but UpdateDefinitionAsync does not seem to have any effect. This code snippet compiles and runs without error. However, when I examine the build definition afterward, it has not been updated and remains as before. There are no exceptions seen by the debugger, and there are no Event Viewer or DebugView messages of relevance. Regarding the above code snippet, I am uncertain about whether I am supposed to obtain the BuildDefinition that I need to pass to UpdateDefinition by casting the DefinitionReference (subclass) to BuildDefinition or not, but I see nothing close in the BuildHttpClient class that will give me a BuildDefinition from a DefinitionReference. Any help would be appreciated. Thanks!
Regex nginx location with named location
Posted: 08 Mar 2022 04:03 AM PST
I have the following set up - a production version of some software:
and several development versions - there's also myradio-lordaro, among others:
Both of these work perfectly fine, but copying out the same /myradio-* config several times seems inefficient and I feel like I can do better. Is it possible to generalise the development configs into one that uses a regex to redirect nginx to the correct location? The @myradiodev is used successfully for all dev versions, so I don't believe that's the issue, but my own attempts to do it have just resulted in various 403 or 404 errors, with no clear idea where nginx is trying to access. [Other recommendations as to how to clean this up appreciated (it was originally converted from an Apache config)]
Can't request computer certificate
Posted: 08 Mar 2022 06:02 AM PST
I am using MMC with the Certificates snap-in. I am requesting certificates from a brand new installation of a CA. Requesting User certificates works perfectly. Requesting Computer certificates fails and says the RPC service is unavailable. What should I check?
Encryption on Solaris (using Keystore)
Posted: 08 Mar 2022 03:03 AM PST
I am trying to draft up a secure way to encrypt (on the fly, invoking it from an app) and decrypt sensitive information (credit cards) using AES-256. The target platform is:
The optimal solution would be to be able to save the keys inside a Key Store, and use encrypt/decrypt (paired with UUENCODE so that the resulting encrypted string can be saved inside a normal DB field). We have successfully tested the whole chain using just AES-128 (out of the box with a basic Solaris install) and we understand we need to upgrade the target environment with the correct Solaris package to get to AES-256 [SUNWcry package - the unbundled Solaris Data Encryption Kit]. What escapes me is how to make "encrypt" access a key from the keystore. Oracle documentation mentions "-K" as a command line parameter (note this is an uppercase K) to do this (see here, for example), but the "-K" switch seems not to be available on our test machine. Is this possible? Is this linked to the specific Solaris version? If not, can we obtain this by installing something else? (We haven't yet installed the crypto package to get to AES-256, so no idea if this will come "for free" with that.)