I want to redirect the incoming traffic to my server, in which iptables is working, to another server in LAN. However, I only want this to work if the incoming traffic is coming from a specific external IP address. Otherwise, the traffic should be dropped.

Let me put an example to clarify it:

• External client IP: 88.88.88.88
• Server IP (in same LAN): 172.26.0.99
• Destination IP (in same LAN): 172.26.0.11

Redirection example

1. Client (88.88.88.88) connects to SERVER IP (172.26.0.99)
2. Traffic is tunnelled to Destination IP (172.26.0.11).

Drop example

1. Stranger client (66.66.66.66) tries to connect to SERVER IP (172.26.0.99)
2. Traffic is DROPPED

I have two sites in the same IP with the follow configuration:

• site1.com
  • Multiples subdomains (ie.: foo.site1.com, bar.site1.com)
  • Everything listening on port 80, NOTHING in 443

• site2WithSSL.com
  • Listening on ports 80 and 443 (SSL)

I can access to https://site2WithSSL.com and to http://site1.com without problems. The issue comes when someone want to access to https://site1.com, nginx answers with the site2WithSSL.com I want to avoid this. I mean, whenever somebody access to https://site1.com no content has to be returned or just a redirect to https://

The configuration is:

server {
     listen      80;
     server_name    *.site1.com;

     // ...
}

server {
     server_name www.site2WithSSL.com;
     return 301 $scheme://site2WithSSL.com$request_uri;
}

server {
     listen 80;
     listen 443 ssl;
     server_name site2WithSSL.com;
     ssl_certificate site2WithSSL.crt;
     ssl_certificate_key site2WithSSL.key;

     // ...
 }

SOLVED: using a different ip for each site

I have Nginx with WebDAV module working and everything is right, except the files or the folders that contains any square brackets ] or [. That files/folder are never showed in the list.

I never had this problem with Apache, so I guess that Apache is doing some rewrite automatically. But now, I need to use nginx.

I just realize that it doesn't work either with the char ª. Clearly, it's an issue related to escape certain chars.

Using a web browser it works, but never with a WebDAV client (Cyberduck, Transmit, OSX Finder...)

This is my config file:

server {
    server_name my.server.com;

    root /home/web/dav;

    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods PROPFIND OPTIONS;

    auth_basic  "Description";
    auth_basic_user_file /etc/nginx/passwd.dav;


    location / {
    autoindex on;

        client_body_temp_path /var/www/php5fpm/tmp/client-tmp 1 2;
        create_full_put_path on;
        client_max_body_size 50m;
        dav_access user:rw group:r  all:r;
    }
}

Debug info:

• Web Browser: http://drop.difun.de/Chrome.png
• WebDAV Client: http://drop.difun.de/Transmit.png
• Transcript: http://drop.difun.de/transcript.txt
• tcpdump for web browser and webdav client: http://drop.difun.de/tcpdump.txt
• Source code, from Chrome: http://paste.laravel.com/tXN

Our company is using TokuDB on production and we are having a lot of problems trying to mitigate lag on our slave. Is very strange, because we're talking about very few rows... but with a few data it gets lagged.

Slave is a read-only DB.

For more information, we are using:

CPU: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz (4 cores)

RAM: 16Gb

HDD: 2Tb ST2000DM001 (EXT4 filesystem)

Here you can see some I/O performance outputs. I paste it outside of this post, because I think that of this way it will easier for reading.

iostat -x 1 output, when we have a lag situation http://paste.laravel.com/bjv

fio, for disk I/O: http://paste.laravel.com/bjG

We did a few disk tweaks, extracted from Steven Corona's book http://www.scalingphpbook.com:

• Changed I/O scheduler to noop.
• Turned off file system access times, noatime and nodiratime in /etc/fstab
• Increased the number of open files, in /etc/security/limits.conf:

* soft  nofile  999999
* hard  nofile  999999

Some tweaks we have made in config:

MASTER

# * Query Cache Configuration
query_cache_limit               = 0
query_cache_size                = 0
query_cache_type                = 0
innodb_file_per_table           = 1

innodb_file_format              = barracuda
innodb_flush_method             = O_DIRECT
innodb_flush_log_at_trx_commit  = 1
innodb_log_file_size            = 128M

innodb_buffer_pool_size         = 13500M
innodb_read_io_threads          = 16
innodb_write_io_threads         = 16
innodb_io_capacity              = 180
innodb_thread_concurrency       = 4

SLAVE

# * Query Cache Configuration
query_cache_limit               = 0
query_cache_size                = 0
query_cache_type                = 0
innodb_file_per_table           = 1

innodb_file_format              = barracuda
innodb_flush_method             = O_DIRECT
innodb_flush_log_at_trx_commit  = 2
sync_binlog                     = 1

innodb_log_file_size            = 128M
innodb_buffer_pool_size         = 13500M
innodb_read_io_threads          = 16
innodb_write_io_threads         = 16

innodb_io_capacity              = 180
innodb_thread_concurrency       = 4

i want to create a VLAN for 3 guest VMs. I already have it and every VM can ping each other, but the problem is that any guest CAN NOT have access to Internet

Network configuration in Host machine

# /etc/network/interfaces
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 188.165.x.x            <------ Internet's public ip
    netmask 255.255.255.0
    network 188.165.255.0
    broadcast 188.165.255.255
    gateway 188.165.y.y            <------- Internet's public gateway
    bridge_ports eth0
    bridge_fd 0
    bridge_stp on

auto eth0.3
iface eth0.3 inet manual
        mtu 1500
        vlan_raw_device eth0

auto vlan3
iface vlan3 inet static
        bridge_ports eth0.3
        bridge_maxwait 0
        bridge_stp off
        address 172.69.0.1
        netmask 255.255.255.0
        network 172.69.0.0
        broadcast 172.69.0.255

Route list in Host machine route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.69.0.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan3
188.165.255.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         188.165.y.y 0.0.0.0         UG    0      0        0 br0

brctl showHost machine

bridge name bridge id       STP enabled interfaces
br0     8000.e840f20acc28   yes     eth0
                            tap10.0
                            vif10.0
                            vif7.0
vlan3   8000.e840f20acc28   no      eth0.3
                                    log01

Ping guest -> host working

PING 172.69.0.1 (172.69.0.1) 56(84) bytes of data.
64 bytes from 172.69.0.1: icmp_req=1 ttl=64 time=0.155 ms
64 bytes from 172.69.0.1: icmp_req=2 ttl=64 time=0.100 ms

Traceroute to, for example, Google's DNS ip

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  172.69.0.1 (172.69.0.1)  0.198 ms  0.237 ms  0.209 ms
 2  * * *

As you can see, it dies in host ip (gateway).

I don't know what I am doing wrong

I have a nginx with geoip, but it is not working rightly. The issue is the next:

Nginx are getting geodata from $_SERVER['REMOTE_ADDR'] instead of $_SERVER['HTTP_X_HAPROXY_IP'], which have the real client ip. So, the reported geodata belongs to my server ip instead of client ip.

Does anybody where could be the error to fix it?

Nginx version and compiled modules:

nginx -V
nginx version: nginx/1.2.3
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-    path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-file-aio --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-auth-pam --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-dav-ext-module --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-cache-purge

nginx site conf (frontend machine)

server {
    root /var/www/storage;

    server_name ~^.*(\.)?mydomain.com$;

    if ($host ~ ^(.*)\.mydomain\.com$) {
            set $new_host $1.mydomain.com;
    }
    if ($host !~ ^(.*)\.mydomain\.com$) {
            set $new_host www.mydomain.com;
    }

    add_header Staging true;
    real_ip_header X-HAProxy-IP;
    set_real_ip_from 10.5.0.10/32;

    location /files {
            expires 30d;
            if ($uri !~ ^/files/([a-fA-F0-9]+)_(220|45)\.jpg$) {
                    return 403;
            }
            rewrite  ^/files/([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9]+)_(220|45)\.jpg$ /files/$1/$2/$3/$4/$1$2$3$4$5_$6.jpg break;
            try_files $uri @to_backend;
    }

    location /assets {
            if ($uri ~ ^/assets/r([a-zA-Z0-9]+[^/])(/(css|js|fonts)/.*)) {
                    rewrite ^/assets/r([a-zA-Z0-9]+[^/])/(css|js|fonts)/(.*)$ /assets/$2/$3 break;
            }
            try_files $uri @to_backend;
    }

    location / {
            proxy_set_header Host $new_host;
            proxy_set_header X-HAProxy-IP $remote_addr;
            proxy_pass http://10.5.0.10:8080;
    }

    location @to_backend {
            proxy_set_header Host $new_host;
            proxy_pass http://10.5.0.10:8080;
    }
}

nginx.conf (backend machine)

http{
...
    ##
    # GeoIP Config
    ##
    geoip_country  /etc/nginx/geoip/GeoIP.dat; # the country IP database
    geoip_city     /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
...
}

fastcgi_params (backend machine)

### SET GEOIP Variables ###
fastcgi_param  GEOIP_COUNTRY_CODE               $geoip_country_code;
fastcgi_param  GEOIP_COUNTRY_CODE3              $geoip_country_code3;
fastcgi_param  GEOIP_COUNTRY_NAME               $geoip_country_name;
fastcgi_param  GEOIP_CITY_COUNTRY_CODE          $geoip_city_country_code;
fastcgi_param  GEOIP_CITY_COUNTRY_CODE3         $geoip_city_country_code3;
fastcgi_param  GEOIP_CITY_COUNTRY_NAME          $geoip_city_country_name;
fastcgi_param  GEOIP_REGION                     $geoip_region;
fastcgi_param  GEOIP_CITY                       $geoip_city;
fastcgi_param  GEOIP_POSTAL_CODE                $geoip_postal_code;
fastcgi_param  GEOIP_CITY_CONTINENT_CODE        $geoip_city_continent_code;
fastcgi_param  GEOIP_LATITUDE                   $geoip_latitude;
fastcgi_param  GEOIP_LONGITUDE                  $geoip_longitude;

haproxy.conf (frontend machine)

defaults
    log global
    option forwardfor
    option httpclose
    mode http
    retries 3
    option redispatch
    maxconn 4096
    contimeout 100000
    clitimeout 100000
    srvtimeout 100000

listen cluster_webs *:8080
    mode http
    option tcpka
    option httpchk
    option httpclose
    option forwardfor
    balance roundrobin
    server backend-stage 10.5.0.11:80 weight 1

$_SERVER dump: http://paste.laravel.com/7dy

Where 10.5.0.10 is frontend private ip and 10.5.0.11 backend private ip

I am using Xen Virtualization for my VM's and everything is going right with bridge mode. I can assign a public Internet ip to each VM.

I want to have a VLAN for my VM's and I am thinking about changing to vif-route mode. So, the point is: can I have a VLAN and assign different public ips to my VM's at the same time?

Thanks you

I have a problem with the Windows Server 2008 guest (hvm). I can't get a network interface running for him.

I also have a Debian guest and it's working ok, but I can't do it with the Win2k8 guest. When I started the VM, the machine freezes and I can't connect by ssh to the host.

/etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 188.165.B.C
        netmask 255.255.255.0
        network 188.165.B.0
        broadcast 188.165.255.255
        gateway 188.165.B.254

brctl show

bridge name bridge id       STP enabled interfaces
eth0        8000.e840f20acc28   no      peth0

/etc/xen/xend-config.sxp

...
(vif-script vif-bridge)
(network-script 'network-bridge') 
...

/etc/xen/win2k8.cfg

#  Networking
#
vif         = [ 'ip=5.39.F.G,mac=yy:yy:yy:yy:yy:yy,type=ioemu,bridge=eth0' ]

/etc/xen/debian.cfg

#  Networking
#
vif         = [ 'ip=178.33.D.E,mac=xx:xx:xx:xx:xx:xx' ]

As you can see, in the Debian guest I only have to specify an IP address and a MAC. But if I put that in the Win2k8 guest, the machine does not start.

I am using Xen 4.0

I have been waiting the DNS propagation for almost 24 hours. I'am no impatient, but I want to know if I configured my zone good or I have any error in it.

I think that is good, because if I use my server dns like my DNS secondary I can resolve and lookup host well.

;
; BIND data file for mydomain.net
;
$TTL    86400
@   IN  SOA mydomain.net. mydomain.net. (
        20120629    ; Serial
           10800    ; Refresh 3 hours
            3600    ; Retry 1 hour
          604800    ; Expire 1 week
         86400 )    ; Negative Cache TTL
;
@       IN  NS  ns1
@       IN  NS  ns2

    IN  MX  10 mail

ns1     IN  A   5.39.X.Y
ns2     IN  A   5.39.X.Z

There is not any errors in /var/syslog about bind daemon. Is everything correct? Do I only need to wait up to 48 hours for the right DNS propagation?

My nslookup from a remote machine with the nameserver of the bind host:

$ nslookup mydomain.net
Server:     bind-host-ip
Address:    bind-host-ip#53

Name:   mydomain.net
Address: domain-ip

I have a KVM virtualization in Debian with 2 guests (Debian and Windows 2008). I want to have a 'mount point' shared that can be accessed by the 3 system (host and 2 guests) at the same time. So the only thing that I found was a NFS/SMB network storage. I picked NFS

Due to my Ethernet network (10/100), the speed average that I get between accessing/transfering files between the 3 system is always 8~10MB/s.

The point is if is there any chance of get a boost system for sharing files between 3 system (at the same time) without wasting the speed of my SATA disks. I mean, without the Ethernet limitation of 10 MB/s

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address aaa.bbb.ccc.xxx (public ip1)
    netmask 255.255.255.0
    network aaa.bbb.ccc.0
    broadcast aaa.bbb.ccc.255
    gateway aaa.bbb.ccc.254 (ISP gateway)
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

eth0 is my physical interface, br0 the bridge and vnet+ the VM's interfaces

# brctl show
bridge name bridge id       STP enabled     interfaces
br0     8000.e840f20acc28   no                 eth0
                                               vnet0
                                               vnet1

vnet0 and vnet1 have two publics different ips. But they also use the same gateway (ISP gateway) of the host

I have this scenario and everything it's working OK, but I want to configure my Shorewall and I can't do it.

My interfaces are:

br0 (bridge of eth0)
tun0 (OpenVPN)
vnet* (each one of bridged interfaces with public IP's)


Public Main IP: 188.165.X.Y
OpenVPN IP's: 172.28.0.x
Bridge: public ip's

So, I have the next configuration for shorewall:

/etc/shorewall/zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
inet    ipv4
road    ipv4

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST       OPTIONS
inet    br0         detect          routeback
road    tun+        detect          routeback

/etc/shorewall/policy

#SOURCE DEST    POLICY      LOG LIMIT:      CONNLIMIT:
#               LEVEL   BURST       MASK
$FW  all     ACCEPT
inet    $FW  DROP       info
road    all     DROP
inet    road    DROP

/etc/shorewall/tunnels

#TYPE           ZONE        GATEWAY     GATEWAY
#                                       ZONE
openvpnserver:1194          inet      0.0.0.0/0

The problem is that even with shorewall running I am able to ping or connect to the virtual machines behind the bridge

I just created a storage pool directory based in my Host KVM

# virsh pool-list --all

Name                 State      Autostart 
-----------------------------------------
guest_images_dir     active     yes

And the info:

# virsh pool-info guest_images_dir

Name:           guest_images_dir
UUID:           720c6735-9ca0-e7c2-18cf-396c729a512e
State:          running
Persistent:     yes
Autostart:      yes
Capacity:       920.54 GB
Allocation:     23.02 GB
Available:      897.51 GB

Here is the XML

# cat /etc/libvirt/storage/autostart/guest_images_dir.xml 

<pool type='dir'>
  <name>guest_images_dir</name>
  <uuid>720c6735-9ca0-e7c2-18cf-396c729a512e</uuid>
  <capacity>0</capacity>
  <allocation>0</allocation>
  <available>0</available>
  <source>
  </source>
  <target>
    <path>/home/virtuals/shared_dir_kvm</path>
    <permissions>
          <mode>0700</mode>
          <owner>-1</owner>
          <group>-1</group>
        </permissions>
  </target>
</pool>

But I can't see it on my guest Windows 2008. What else do I do?

Thanks

I fixed it in PORTS TRIGGER menu of my router. Thanks you anyway

I have a weird problem related with (i think) my cable-router and my configured vhosts in Apache2.

The point is I can't access from outside of my LAN to any of my configured vhosts if I set the http port of Apache to 80 and i add a NAT rule for it. Otherwise, if I set my Apache port to 81 (or any else) with its respective NAT rule on my router it works.

My router is an ARRIS TG952S and I am using Apache/2.2.22 (Debian)

ports.conf

NameVirtualHost *:80
Listen 80

vhost1.mydomain.net.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName vhost1.mydomain.net
    ServerAlias vhost1.mydomain.net www.vhost1.mydomain.net

vhost2.mydomain.net.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName vhost2.mydomain.net
    ServerAlias vhost2.mydomain.net www.vhost2.mydomain.net

DNS records (using FreeDNS) are:

mydomain.net        --> pointing to another server
vhost1.mydomain.net --> pointing to my server
vhost2.mydomain.net --> pointing to my server

iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-apache-noscript  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-apache (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

Thanks you