
Wasting time

Quit Twitter. Now if I could only do the same with Reddit and Hacker News... I might have a shot at doing something with my life. :)
Later edit, 7th May: well, that didn't last long, I reactivated my Twitter account. But HN and Reddit remain banned. So, partial victory.

Setting up Varnish in a CentOS server

Varnish is one of those small, shiny, remarkable jewels of the open source world.
It can make an enormous difference in how your web application responds and how fast your web site loads.
It's not only about its caching feature: I've seen people use it as a web application firewall (search GitHub), and out of the box it will only forward well-formed HTTP requests to your backend, acting as a filter against malicious activity or scans against your server.
It'll also take the brunt of a SYN flood attack, sparing Apache HTTPD or Nginx, which usually go belly up quite fast.


Performing an install of Varnish in CentOS 6 is quite trivial as they provide a yum repo:
yum -y install https://repo.varnish-cache.org/redhat/varnish-3.0.el6.rpm
yum install varnish
Out of the box it will listen on port 6081 and will not do much caching. If you want to modify how it works you need to edit two files:
/etc/sysconfig/varnish
/etc/varnish/default.vcl
The first file tells Varnish what kind of cache to use and how big it should be, and also which ports to listen on.
The second file configures the backend servers and the way in which caching is done. Configuring caching in Varnish is not for the faint of heart, so do a serious read-up of the documentation beforehand; there are also many examples online.

Both files come with working defaults; all you need to do is point your web traffic at Varnish, and here you have at least two choices:
1 - assuming Varnish sits on the same IP/machine as the backend, change the port of your web server to something other than 80 (like 8080) and set Varnish to use port 80
2 - do a redirect from iptables; this is my favourite as it doesn't need any reconfiguration of the web servers:
iptables -t nat -I PREROUTING -i lo -j ACCEPT 
iptables -t nat -I PREROUTING -s LOCAL_IP -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6081 

Before you do that, however, you need to tell Varnish which is the backend web server. This is done in /etc/varnish/default.vcl like this:
backend default {
  .host = "LOCAL_IP";
  .port = "80";
}

* LOCAL_IP is your server's IP
You can check that the configuration is correct with this command: varnishd -C -f /etc/varnish/default.vcl
Restart Varnish so it's up and running with your configuration: service varnish restart
You can use the commands varnishtop or varnishstat to see what is going on.
Once you do this, HTTP traffic will go through Varnish and then to your backend. One consequence is that your Apache log will show all requests coming from the local IP instead of your visitors' IPs; you can solve that by installing and configuring mod_rpaf.
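The mod_rpaf step hides a trust decision that is easy to get wrong: the backend must only believe X-Forwarded-For when the TCP peer really is Varnish, otherwise any visitor can forge the address that ends up in your logs and rate limits. Here is an added Python illustration of that rule (not from the post and not mod_rpaf's own code); the trusted proxy address 192.0.2.10 and the sample headers are constructed.

```python
"""Derive the visitor's IP behind Varnish without trusting a spoofable header.

Varnish appends the connecting address to X-Forwarded-For before passing the
request to the backend.  The backend honours that header only when the peer
is the proxy itself; a direct client could send any X-Forwarded-For it likes.
"""
import ipaddress
from typing import Optional

# Constructed: the address Varnish connects from (LOCAL_IP in the post) is the
# only trusted proxy.  mod_rpaf's RPAFproxy_ips plays the same role.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP that lies inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log or rate-limit as the real client.

    remote_addr: the TCP peer Apache sees (REMOTE_ADDR).
    xff:         the X-Forwarded-For header value, or None if absent.

    Walk the header from the right, discarding trusted proxy hops; the first
    hop that is not a trusted proxy is the client.  If the peer itself is not
    a trusted proxy the header is ignored entirely, because it may be forged.
    """
    if not _is_trusted(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # garbage in the header: fall back to the peer
    return remote_addr  # every hop was a trusted proxy
```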


Enjoy!

Bypassing BT HomeHub

So you have BT Infinity, the white Openreach modem is up and running and you have broadband via wired or wifi through the fancy BT HomeHub; but you are a geek or a freak and you want to run your own router.
You want to use your local Linux box, custom dd-wrt router or who knows, perhaps a Raspberry Pi. Fair enough. Here's how to do it:
1 - disconnect the BT HomeHub router from the white modem
2 - connect your Linux machine to the modem (LAN1 port usually)
3 - run pppoe-setup on the Linux machine and answer the questions accordingly. Interestingly, the user/password I used seem to be sort of gibberish, but do work: "Internet@btbroadband.com" and the password "broadband".
I chose not to let pppoe-setup set the DNS or firewall for me, ymmv. Start the connection with /sbin/ifup ppp0.

That's it, enjoy your broadband!

Links: https://community.bt.com/t5/BT-Infinity-Speed-Connection/Openreach-How-I-can-connect-my-PC-directly-into-Openreach-white/td-p/716632

"Fixing" Firefox

For quite some time now Firefox has had a shitty behaviour regarding the address bar, which may be OK for grandma, but it gets in the way of power users.
I was too lazy to do anything about it until now, but it's 2015, I am getting old and less tolerant, so here are my pet peeves:
A - it modifies URLs that do not look like traditional addresses, adding a www prefix and a .com suffix
B - it sends a single-word address to a Google search instead of opening it (kills internal addresses such as "http://wiki")
C - the protocol gets hidden, but when you copy/paste the URL from the address bar it gets included, e.g. I copy "www.nux.ro", but when I paste it in an editor it actually comes up as "http://www.nux.ro"


So here's how to fix it - open a new tab, go to "about:config" and:
- to fix A, search for "browser.fixup.alternate.enabled" and double click it so the value changes to "false"
- to fix B, search for "keyword.enabled" and double click it so the value changes to "false"
- to fix C, search for "browser.urlbar.trimURLs" and double click it so the value changes to "false"


That's it. Now you can enjoy a better browsing experience! ;-)

Changing an AD password from CentOS Linux

Changing the AD password from Linux is surprisingly straightforward.
Just run the passwd command as you would normally!
If that doesn't do it, then just issue this command, replacing of course the variables with your own values (the AD server and your AD username):
smbpasswd -r $AD_SERVER -U $AD_USERNAME

Voilà, enjoy!

Nested virt - Xenserver on KVM

At openvm.eu we need to test templates on Xenserver and KVM; however, the base OS for the build environment is CentOS 7 (with KVM).
In order to test the templates on Xenserver we had to run this hypervisor as a KVM guest (gotta love virtualisation!); however, by default Xenserver will complain that you can't run any HVM guests, only paravirtualised ones (PV). This sucks because PV is used less and less, with HVM being in the spotlight.

Luckily, with KVM we can forward the VMX CPU flag to a guest and thus make it available to Xenserver for its HVM mode.

There are a few things to be aware of though:
1 - in libvirt, do give the Xenserver VM a good CPU profile (I used Core2duo) and make sure the VMX flag is set to "require"
2 - the stock CentOS 7 kernel has a problem with nested virt at the moment, so do use a newer kernel[1] (I'm using kernel-ml from elrepo-kernel)
3 - make sure the kvm_intel module is loaded with the option nested=1. For this to happen I reloaded the module (or rebooted) with this in /etc/modprobe.d/kvm-intel.conf:
options kvm-intel nested=1

Now enjoy docker on centos, in xenserver on kvm on centos. :-)


[1] - https://bugzilla.kernel.org/show_bug.cgi?id=45931 - this will likely be fixed in future CentOS/RH kernel updates, I hope

Stella 6.6 released

As a result of CentOS 6.6 release we have bumped up the version as well, so enjoy all the goodies of CentOS + extra desktop stuff with the new Stella.

Download it from the usual locations and let us know if you run into any issues!


Nux!

The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: POODLE.
You can read more about it here and there; tl;dr: it exploits a weakness in SSLv3 to allow MITM attacks:
https://www.imperialviolet.org/2014/10/14/poodle.html (local copy)
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

To fix this in Apache HTTPD, edit your SSL configuration file (e.g. /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3
If you're running cPanel there's more you need to do:
- go to "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go to "Home » Service Configuration » Apache Configuration » Include Editor" and add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned that on older cPanel installations (CentOS 5), removing SSLv3 (":-SSLv3") from the cipher list might cause Apache not to start at all.


- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6; test before you change.
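Once the changes above are in place, it is worth confirming that the server really refuses SSLv3 rather than assuming the config took effect. Here is an added Python check (not from the original post) that sends a bare SSLv3 ClientHello and classifies the first record that comes back, the same thing "openssl s_client -ssl3" does where the local OpenSSL still has that option; the host name and the sample responses used in testing are constructed.

```python
"""Check whether an endpoint still negotiates SSLv3 after the POODLE fix.

Sends a minimal SSL 3.0 ClientHello over a raw socket and looks at the reply:
a ServerHello with version 3.0 means SSLv3 is still enabled; an Alert record,
a different version or a closed connection means the server refuses it.  No
TLS library is used, since most modern ones can no longer speak SSLv3 at all.
"""
import os
import socket
import struct

# A few CBC suites an SSLv3 server would typically accept (RSA key exchange).
SSLV3_SUITES = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def build_sslv3_client_hello() -> bytes:
    """Return a complete SSLv3 record (type 0x16) carrying a ClientHello."""
    body = b"\x03\x00"                                  # client_version = 3.0
    body += os.urandom(32)                              # gmt_unix_time + random
    body += b"\x00"                                     # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def sslv3_accepted(response: bytes) -> bool:
    """True only if the reply is a ServerHello that settled on version 3.0."""
    if len(response) < 11 or response[0] != 0x16:
        return False   # closed connection, short junk, or an Alert (0x15)
    # bytes 5 = handshake type (0x02 ServerHello), 9:11 = server_version
    return response[5] == 0x02 and response[9:11] == b"\x03\x00"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect to host:port and report whether SSLv3 gets negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return sslv3_accepted(sock.recv(4096))
        except socket.timeout:
            return False


if __name__ == "__main__":
    target = "www.example.com"  # assumed target: replace with your own server
    print(target, "SSLv3 STILL ENABLED" if probe(target) else "SSLv3 disabled")
```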

Install Skype on CentOS 7 (and other RH clones)

Hello there. CentOS 7 is a fresh and major release, but fear not, Skype works well on it.
As usual, just yum install skype if you have my nux-dextop repo installed, or just grab the latest RPM from here http://li.nux.ro/download/nux/dextop/el7/x86_64/ and install it.

Don't be shy and let me know if you encounter any issues - rpm at li.nux.ro!

512k routes ought to be enough for everyone

Today someone announced some more IPv4 classes on the Internet; nothing new here, but this meant the global routing table has exceeded 500k entries (501,525 as we speak).
This has caused a lot of very popular Cisco router models to go belly up because their default value for the IPv4 table size is 512k, which in this case was not enough to hold the global table.[1]
Here in the UK I noticed a lot of companies had problems, from smaller ones like Coreix to bigger ones like BT; the impact was pretty large. I imagine this problem was felt globally.

This default value can be changed easily[2], but it requires a reboot of the router, which in the network engineering world is a big thing as it is one of the most critical pieces of infrastructure; everyone should plan their maintenance windows accordingly.

[1] - Theoretically the table should hold up to 512k entries, but the memory is not exclusively used for it, some of it goes to IPv6, some to maintaining various sessions, MPLS etc, so it crapped out at around 500k.
[2] - http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html