blindsnowmobile's questions

I need to setup DKIM to validate an email provider we are using. In the provider's documentation, they require us to add two records, a selector record and a policy record, like this:

selector._domainkey.mydomain.com TXT "k=rsa; p=mykeyhere"
_domainkey.mydomain.com  TXT "t=y; o=~"

I'm concerned about adding this new policy, because we have quite a few DKIM selectors setup in our DNS zone already, with no existing policy record (we use multiple third party providers that need to send email on our behalf). I want to make sure I don't break existing functionality by creating this record. From what I've read, you can only have a single policy per zone, so it is "shared", so to speak.

I've researched this a bit, and the policy the vendor is requiring, t=y; o=~, should be pretty harmless. It seems to say some emails may be signed, and to treat verified/unverified emails in the same way (reference).

Still, this would impact our production application, and I'm hoping to get some confidence that this is safe to add. Am I correct in my assumption that I can add this record without causing a bunch of our outbound email to be marked as spam? Or am I missing something?

Can someone explain what the "X-Forwarded-Proto2" header is in this HAProxy frontend stanza?:

frontend main *:443
  ...
  reqirep ^(X-Forwarded-Proto:)(.*) X-Forwarded-Proto2:\2
  ...

I understand that HAProxy is injecting a HTTP header. But why is there a 2 at the end of the new string? I'm referring to the number "2" at the end of the header, not the regex backreference.

I'm using HAproxy to load balance requests between Apache servers. I'm trying to disable HTTPS for a special use case (serving of kickstart files), and I'm using port 8000 to do this. I have an HAProxy configuration that looks roughly like this (some configuration has been omitted):

frontend provision_frontend_b
        bind 10.1.1.1:8000
        mode http
        default_backend provision_backendb


backend provision_backendb
        mode http
        server server1 127.0.0.1:8000 weight 1
        server server2 10.1.1.2:8000 weight 1

I want HAProxy to redirect requests made to the external IP on port 8000, to the loopback address on port 8000, where I have Apache listening. Apache is configured to serve static files over HTTP.

Strangely, when I hit the server from my browser using the frontend's DNS name: http://myhost.mydomain:8000, I get redirected to HTTPS and an SSL certificate error. When I try with the IP, http://10.1.1.1:8000, it works (and does not redirect to HTTPS).

Is there any reason why HAProxy would do this? It doesn't seem to be Apache, as I've configured HAProxy to redirect to other HTTP-only Apache servers, and still receive this error.

The only thing I see in the HAProxy config is another frontend configured to redirect to SSL:

frontend http_frontend
        bind :80
        mode http
        redirect scheme https if !{ ssl_fc }

However, it is listening on a different port. I attempted to comment the redirect out, and it did not resolve the issue.

I use PXE + kickstart in conjunction with Foreman, to install new hosts over the network. I've run into a problem while trying to install Red Hat 5. It looks like the older vmlinuz in RH5 does not support the same kernel parameters as the vmlinuz in RH6.

The problem I'm having is retrieving the kickstart file. The kickstart file is provided over HTTPS from Foreman. This works fine for RH6, so long as I specify a nameserver to use during installation (with nameserver=) as well as "noverifyssl", so the installer doesn't attempt to verify the self-signed certificate of my Foreman host.

These parameters don't seem to exist for RH5. As a results, RH5 is unable to resolve the hostname and pull its kickstart file.

I'm able to install RHEL 6 on a host with a PXE configuration file that looks like this:

default linux
label linux
kernel boot/RHEL_6_x86_64-x86_64-vmlinuz
append initrd=boot/RHEL_6_x86_64-x86_64-initrd.img ks=https://myforemanserver.domain/unattended/provision?token=2134134 nameserver=192.168.1.1 ksdevice=bootif network kssendmac noverifyssl
IPAPPEND 2

The same does not work for RHEL5, while using the vmlinuz and initrd for that release. According to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/s1-kickstart2-startinginstall.html, I should be able to specify DNS servers as "dns=". Unfortunately, that did not work for me either.

I could potentially disable SSL on the Foreman server, and just use an IP address over port 80. I'd prefer not to do that. Is there another way to do this?

Is it possible to have a DHCP server serve subnets for multiple network segments, but not its own local subnet?

I have a DHCP server on a subnet 10.x.x.x. It serves approximately 125 subnets on various 10.x networks. I'm attempting to migrate this DHCP server to a new server, which resides on a different subnet. I'm doing this with IP helper. The new DHCP server sits on a subnet 10.y.y.y, and I have test servers, which will act as DHCP clients, sitting on the 10.x.x.x that I want to use to test the new DHCP server.

However, so far, I've been unable to configure the server on 10.x.x.x to ignore hosts on its own subnet. If I remove the subnet stanza, I get an error that DHCP is not configured to listen on any interface. If I leave it, both servers attempt to answer the DHCPDISCOVER, and the old one seems to win (presumably because it's "closer").

I want the DHCP server on 10.x.x.x to listen on the local network interface (so it can continue to issue addresses to other networks), but not serve DHCP to the hosts on that network (so only the DHCP server over IP helper offers IP's).

Is there a way to do this?

Is it safe to run Foreman under the "thread" concurrency model in passenger, by setting PassengerConcurrencyModel=thread?

It seems like this should be an easy answer to find, but for some reason I'm having trouble. I've checked the Foreman site and user mailing list, but I'm not seeing anything that talks about concurrency.

Thanks.

EDIT: I'm running Passenger in Apache.

I'm administering hundreds of machines with Java interfaces that I sometimes need to get into. Unfortunately, the default Java settings in Windows block all of these applications from running, presumably because they use self-signed certificates. This means every time I want to get into a Java based management console on a machine, I have to manually add that URL to my Java exceptions list (in Windows).

According to the Oracle documentation, wildcards are not supported, but domains are: http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/exception_site_list.html

I'd like to add "https://example.com" into my Exceptions list and just have it allow everything under my domain. According to the documentation above, it sounds like this should work:

Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com and http://www.example.com.

However, it isn't working for me. I've added my top level domain for both http and https access, and it does not work. It only seems to work if the FQDN fully matches, which means I have to add every URL manually. Am I doing something wrong here? There has to be a better way to do this, aside from disabling Java security. I'm running Java 8 on Windows 7.

Thanks.

I'm trying to configure some Red Hat/CentOS servers to use an ipa-server on CentOS 6 for SSH authentication with public keys. I'm storing the public keys on the IPA server, which works great on Centos6 using "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" in /etc/ssh/sshd_config. However, on RH 5.10, neither the "AuthorizedKeysCommand" directive or the "/usr/bin/sss_ssh_authorizedkeys" command exist to pull the public key from the directory. Is there a different way to make this work? Googling this mostly returns instructions for setting it up on 6.

Is it possible to disable GPG checks on a per channel basis in Spacewalk?

For patching of my servers, I've converted from using local yum repositories on the clients under /etc/yum.repos.d, to registering the client with a spacewalk server.

However, we have an internal yum repository, and I don't have the GPG keys which were used to sign the packages. This isn't an problem when using local yum repos, as I can just disable gpg on the repository using gpgcheck=0. However, it doesn't appear that I can do something similar with spacewalk. Even though I don't have a key associated with the channel, installing from the command line gives GPG errors (ie: yum install -y somepackage).

From the CLI, I can get around this using the --nogpgcheck option to yum. However, we're using puppet in our environment to install some of these packages, and there doesn't appear to be a simple way to pass in optional parameters to yum through puppet.

I've seen some suggestions indicating I could set gpgcheck=0 in /etc/yum/pluginconf.d/rhnplugin.conf, but that will disable checks on all channels, and I'd rather just disable it for the internal packages, for which I don't have the keys.

I'm trying to configure WCCP + Squid with the following documentation: http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

I have a cisco switch, a test client, and a squid proxy server. I think the switch is configured correctly, as I'm seeing GRE traffic coming across when I follow it with tcpdump. However, the traffic doesn't seem to make it to the squid server. My tunnel configuration on squid is as follows:

# cat /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
TYPE=GRE
BOOTPROTO=none
MY_INNER_IPADDR=172.16.1.1
PEER_OUTER_IPADDR=10.1.1.1
PEER_INNER_IPADDR=172.16.1.2
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
USERCTL=no

I think the server is failing to unencapsulate the GRE packet, and I have some confusion as to how this ifcfg file should be configured. Here, I have 10.1.1.1 as the address of the switch. The two 172.x addresses are not configured explicitly anywhere else, and I'm not sure if they need to be. When I bring up tun0, I can ping 172.16.1.1, but not .2. Since this config all exists on my squid server, I'm wondering if I need to bring up an interface with .2 on it?

Another strange thing I've noticed is that Red Hat (6) will not let me name the device gre0. I'm not sure if this could have something to do with my issue?

EDIT:

Sorry for the delay, I've been banging my head on the wall for the past few days. It's a Cisco 6509. The proxy server appears to register with the switch, but is in a state of "NOT Usable". Redirection and Packet Return are shown as "L2". I've set this to both GRE and L2 in my Squid configuration, but it doesn't seem to make a difference on the switch. I've also tried both "hash" and "mask" for assignment.

Here's the relevant switch configuration:

Standard IP access list WCCP-SQUID
10 permit 10.1.1.150 (1301 matches)

Extended IP access list WCCP-REDIRECT
10 permit tcp 10.1.1.0 0.0.0.31 10.2.1.0 0.0.255.255 eq www
20 permit tcp 10.1.1.0 0.0.0.31 10.2.1.0 0.0.255.255 eq 443

ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SQUID

And here's some output I'm seeing from the debug log:

BUR-PII-CORA#show ip wccp web-cache detail
WCCP Cache-Engine information:
    Web Cache ID:          10.1.1.150
    Protocol Version:      2.0
    State:                 NOT Usable
    Redirection:           L2
    Packet Return:         L2
    Packets Redirected:    0
    Connect Time:          00:00:20
    Assignment:            MASK


BUR-PII-CORA#show ip wccp
Global WCCP information:
Router information:
    Router Identifier:                   10.1.1.1
    Protocol Version:                    2.0

Service Identifier: web-cache
    Number of Cache Engines:             0
    Number of routers:                   0
    Total Packets Redirected:            0
    Redirect access-list:                WCCP-REDIRECT
    Total Packets Denied Redirect:       0
    Total Packets Unassigned:            0
    Group access-list:                   WCCP-SQUID
    Total Messages Denied to Group:      0
    Total Authentication failures:       0

From the debug log:

May  2 12:26:10.502 PDT: WCCP-EVNT:S00: Here_I_Am packet from 10.1.1.150 w/bad rcv_id 00000000
May  2 12:26:20.502 PDT: WCCP-EVNT:S00: Here_I_Am packet from 10.1.1.150 w/bad rcv_id 00000000
May  2 12:26:20.502 PDT: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.150 w/ rcv_id 00000017
May  2 12:26:25.502 PDT: WCCP-PKT:S00: Sending Removal_Query packet to 10.1.1.150w/ rcv_id 00000018
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: S00
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: deallocate rtr_view (24     bytes)
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: allocate hash rtr_view (1560 bytes)
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: rtr_view_size set to 24     bytes
May  2 12:26:30.502 PDT: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000007

I'm trying to configure Start TLS on 389 Directory server, but I'm having all sorts of issues.

I've been following this doc: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/managing-certs.html

which specifies that I should create a certificate for both the directory server and admin server. I've imported the CA cert on both servers. I've tried to use the same server certificate for both. It will not allow me to do so. However, the admin and directory servers reside on the same host. If I generate a new certificate it will need to use the same hostname. I'm not sure if that's valid...

Has anyone out there set this up before? Any direction would be helpful. I have multmaster replication set up. From an external client, I'm attempting to do an ldapsearch -ZZ -x -h "myhost" -b "dc=example,dc=com" -D "cn=Directory Manager" -W "", and I'm getting a protocol error.

I'm looking to deploy 389 Directory in my environment to replace an existing iPlanet installation. I would be using it primarily to store user account data for authentication purposes. I have two physically separate data centers that I would like to share the same directory tree. My initial thinking is to setup 389 DS as follows:

• A Master/Consumer in DataCenter A
• A Master/Consumer in DataCenter B
• Replication agreement between both masters, to mirror the directory tree in both environments.

Does this sound like a reasonable approach? Is there a better way to do it? (ie: four masters?) Is there documentation for best practices when setting up 389 DS in situations such as this?