      Nginx GeoIP

      pubsub.slavino.sk / warlord0blog · Wednesday, 28 April, 2021 - 17:51

    With the plus version of Nginx you get access to the compiled version of the geoip2 plugin. This means you can use it out of the box: just add it into the config and away you go. For the rest of us mortals we have to build and compile it ourselves. This is no slight undertaking …

    Tags: #Docker, #Linux, #nginx

      Nginx Maintenance Mode

      pubsub.slavino.sk / warlord0blog · Friday, 5 February, 2021 - 18:10

    We use a simple method of putting an Nginx site into maintenance mode. Just set a geo default variable to `on` and have it generate an HTTP 503 status response. Then Nginx delivers our maintenance page until we set it back to `off` (nginx.conf). By using a geo I can add in our own IP …

    Tags: #Linux, #Web, #nginx, #bash

      step-ca and ACME

      pubsub.slavino.sk / warlord0blog · Friday, 15 January, 2021 - 12:18

    We have a couple of hundred certs with Let’s Encrypt and it is a great service. Right now though we need to issue certs to internal systems and thought it would be great to use the same ACME method to do so. Add to that, we’d like to issue some user certificates to use for …

    Tags: #nginx, #Web, #Linux, #certificates

      Nginx SSL Certificate Error

      pubsub.slavino.sk / warlord0blog · Wednesday, 14 October, 2020 - 20:00

    We’re using client-side certificates on an Nginx host to ensure the credentials of the connecting users and haven’t used the site for a while. I tried to log on with a known-good client certificate, and I know that nothing in the site config has changed, yet all I get in return is a 400 error …

    Tags: #certificates, #nginx, #Linux, #Web

      Keycloak and OpenLDAP

      Warlord · pubsub.slavino.sk / warlord0blog · Friday, 24 July, 2020 - 17:39

    After getting Keycloak up and running, it’s a breeze to connect it to LDAP and use the users from there, but there were a few things I missed about group membership, and there’s a fun quirk to fix about the user name. Synchronising Users: the first task after creating a new realm is to go to …

    Tags: #Linux, #authentication, #nginx, #security, #single-sign-on

      Nginx and LDAP Authentication

      Warlord · pubsub.slavino.sk / warlord0blog · Saturday, 11 July, 2020 - 16:26

    We want a little more control over some of our reverse proxies and wanted to place as little extra burden on the users as possible. To do this we chose to use the same passwords for authentication as we do everywhere else – hence LDAP. Thankfully Nginx have decided to include the module ngx_http_auth_request_module in …

    Tags: #Linux, #Web, #ldap, #nginx

      Nginx Configuration Synchronisation

      Warlord · pubsub.slavino.sk / warlord0blog · Monday, 25 May, 2020 - 21:31

    Back when I built the Nginx failovers using Nginx and Keepalived, I also required that, should the config change on the master, the config would automatically be copied to the backup. There are some important things you need to do for this to work correctly and not put your failover at risk of failing. …

    Tags: #Linux, #Web, #nginx, #rsync, #ssh

    Pure Nginx external HTTP upload

    As I learned yesterday, Movim requires an HTTP upload service on the XMPP server, which I had not enabled yet. After a quick look I found two Prosody modules that provide it. Because I don't trust Prosody's HTTP server (e.g. it has no SNI support yet), I focused on its external HTTP upload module, which requires an external service.

    Background

    The mod_http_upload_external page describes some external solutions:

    1. the PHP and Go solutions are not for me...
    2. the closest to my experience is the Python solution, but I want to avoid an external daemon, especially a Flask one, even though I already have everything needed for it installed and in use (uWSGI, Flask, Python3, ...), because I know its performance limits and memory requirements.
    3. what interested me is Nginx's Perl module. I consider this a good solution, because Debian's Nginx comes with Perl support via a dynamic module. I am not very familiar with Perl, and this implementation sounds like a very simple task...

    I decided to try to utilize Nginx's built-in DAV module and some external modules, namely HMAC Secure Link and (as I learned later) Set Misc.

    The DAV module itself provides support for PUT requests, nothing special. The "HMAC Secure Link" module is able to verify an HMAC signature, but it cannot handle Prosody's HMAC-SHA256 digest directly, because it expects a Base64URL-encoded HMAC; Prosody's hex string has to be re-encoded, which the "Set Misc" module allows in two steps: first decode the hex string into a binary value, then encode it as a Base64 string.

    Nginx location

    After some playing I got this location config. Some points about it:

    • there are two nested locations, not really needed, but Nginx searches all global regex locations on any request, which can reduce performance a little; this limits searching this location to the chosen prefix only
    • the nested location uses a regular expression capture group to eliminate the prefix from the URI, without needing a map directive
    • the nested location doesn't properly handle a missing token; while there is an if directive for it at the start of the location, it returns a 500 code
    • the nested location properly handles the 409 response on an existing file and the 403 response on a bad or missing token by some Nginx set directive magic
    location /xmpp {
        root                    /srv;
    
        location ~ /xmpp/(?<fpath>.+)$ {
            dav_methods             PUT;
            create_full_put_path    on;                     # create directory, if needed
            dav_access              user:rw group:rw all:r; # set permissions
            client_max_body_size    100m;                   # default prosody's body size is 100 MB
    
            # encode $arg_v into Base64URL digest
            set                             $digest $arg_v;
            set_if_empty                    $digest "00";
            set_decode_hex                  $digest;
            set_encode_base64               $digest;
    
            # verify $digest
            secure_link_hmac                $digest;
            secure_link_hmac_secret         "123456";
            secure_link_hmac_algorithm      sha256;
            secure_link_hmac_message        "$fpath $content_length";
    
            # handle missing token
            set                         $missing $request_method$arg_v;
            if ($missing = "PUT")            {return 403;}
    
            # do not overwrite existing file
            if (-e $request_filename)   {set $exists $request_method;}
            if ($exists = "PUT")        {return 409;}
    
            # handle bad HMAC token
            if ($request_method = "PUT") {set $verified $request_method$secure_link_hmac;}
            if ($verified = "PUT")      {return 403;}
        }
    }
    

    The missing token (and the related 500 response) can be solved by the set_if_empty directive, but I didn't play with it at first. (Solved.)

    Testing

    I prefer shell testing of HTTP services, because I can write scripts for it. Here is a simple script to generate the HMAC token and fire a PUT request with it. It is not very intelligent, everything is hardcoded in variables, but as an inspiration:

    #!/bin/bash
    # demo secret, matching secure_link_hmac_secret in the location above
    kluc="123456"
    # file to upload; only the name after /tmp/ goes into the signed message
    subor="/tmp/aaa.txt"
    
    # size in bytes, checked on the server against $content_length
    velk=$(stat --printf="%s" "$subor")
    
    # message signed by Prosody: "<path> <size>"
    text="${subor#/tmp/} $velk"
    
    # hex HMAC-SHA256, passed as the ?v= query argument
    hmac=$(echo -n "$text" | openssl dgst -sha256 -hmac "$kluc" | cut -d" " -f2 )
    echo "v=$hmac"
    
    wget -qO- --server-response --body-file="$subor" --method=PUT \
        "https://bonifac.skk/xmpp/aaa.txt?v=${hmac}"
    

    Conclusion

    I am sure that this solution can provide better performance than the linked Flask module, but I am not happy with it, because I see some problems:

    • while it is basically working, the "HMAC Secure Link" module expects a Base64URL-encoded token, but the "Set Misc" module can provide only plain Base64 encoding, thus some combinations of file name and size can be refused
    • it requires two external modules, which are not included in the standard Debian package, and thus recompilation of Nginx can be required
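    The mismatch in the first point can be checked from a shell in the same way as the test script. The following is an added example, not code from the original post: it computes the token the way Prosody does, re-encodes it the way set_decode_hex and set_encode_base64 do, and lists the file sizes for which the plain Base64 form differs from Base64URL. It assumes the demo secret 123456 from the config above, openssl on PATH, and that the HMAC secure link module compares a Base64URL string of the same length and padding as set_encode_base64 produces.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces both ends of the
# token path and finds the path/size pairs the post says "can be refused".
# Assumptions: demo secret "123456" from the post's config, openssl in PATH,
# and that the secure link module compares a Base64URL string with the same
# length and '=' padding as set_encode_base64 emits (only +/ vs -_ differ).
set -e
SECRET="123456"   # demo value taken from the post's nginx config

# Prosody side: message is "<path> <size>", token is the hex HMAC-SHA256 (?v=).
prosody_token() {  # $1=path  $2=content length
    printf '%s %s' "$1" "$2" | openssl dgst -sha256 -hmac "$SECRET" | sed 's/^.* //'
}

# Nginx side: set_decode_hex + set_encode_base64 turn the hex digest back into
# the raw MAC and then into standard Base64. Deriving the raw MAC directly with
# -binary yields the identical bytes, so this is what $digest ends up holding.
nginx_digest() {   # $1=path  $2=content length
    printf '%s %s' "$1" "$2" | openssl dgst -sha256 -hmac "$SECRET" -binary | openssl base64 -A
}

# What the secure link module compares against: the same MAC in the Base64URL alphabet.
expected_digest() { nginx_digest "$1" "$2" | tr '+/' '-_'; }

# True (exit 0) when the plain-Base64 digest differs from its Base64URL form,
# i.e. this path/size pair gets a 403 even though the client signed correctly.
would_be_refused() {
    [ "$(nginx_digest "$1" "$2")" != "$(expected_digest "$1" "$2")" ]
}

# Walk a range of content lengths for one path and print the ones nginx rejects.
list_refused_sizes() {  # $1=path  $2=first size  $3=last size
    n=$2
    while [ "$n" -le "$3" ]; do
        would_be_refused "$1" "$n" && printf '%s\n' "$n"
        n=$((n + 1))
    done
    return 0
}

# Usage: list_refused_sizes aaa.txt 1 200
```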

    I spent some hours with this (including repackaging Nginx, reading docs, coffee and lunch breaks, etc.), but it was wasted time. Next I will try the linked Perl Nginx module. If someone knows how to solve the Base64URL encoding problem, I will be happy if (s)he shares it.

      Home encryption and file access for external services on Debian

      Timothée Jaussoin · Monday, 13 November, 2017 - 10:18

    Little trick (and reminder for me). After using ecryptfs-migrate-home on my Debian machine to #encrypt my /home partition, I found out that #nginx was not able to access projects that were hosted in this partition.

    Thanks to this GitHub Gist by jhjguxin, it seems that the #migration changes the rights on the directory to 700, which prevents nginx from accessing files within it properly.

    To fix that you should at least allow read #access.

    # chmod 701 /home/user
    

    Et voilà :)