D.Bugger's questions

As the title says: our CentOS system should in principle be accessible by everyone, but we have to block a range with a lot of unwanted activities (say 45.0.0.0/8), and then we want to allow a sub-range (say 45.91.0.0/16) because that range belongs to a client.

I could give you the settings I already tried in firewalld, but the mistakes I made are likely to distract you too much... I'll list therefore the two zones I created:

firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client domino http https smtp ssh websockets
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="135.181.173.14" reject


firewall-cmd --zone=drop --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 45.0.0.0/8
  services: domino http https smtp websockets
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="45.91.0.0/16" accept

How can this be accomplished in firewalld?

I checked the (Help) databases but couldn't find out if I can create Custom Application Events, and if I can, how they can be used. For instance, I'd like an Agent to write a specific text in the log.nsf database and DDM should pick it up and process it according to what's specified in the Handler. Or if there is an XPages error, I can output something to the log database and DDM should find out about it and process it.

How can this be accomplished? Is there a description somewhere available? TIA

I'm trying to configure nginx as a reverse proxy server for a web application on a back-end Domino server. We have 99.9% working, but that last 0.1% is really bugging me.

I'll explain. In some cases, the application returns a partial refresh with a special response header called X-XspLocation. If it exists, it contains a url to be redirected to by the client. It's a header generated and used by the XPages environment, my code itself doesn't set or read it. Its value is then:

http://localhost:81/database.nsf/page.xsp/ThankYou

and I want it to be just this: /ThankYou

I tried in a million ways, but it seems impossible to alter its value. As soon as I use proxy_hide_header X-XspLocation; no new headers can be added using add_header! If I leave the hide out, I get double values in the header, so I know my replacement value is correct. Here's my latest attempt that failed:

map $sent_http_x_xsplocation $xsplocation_new {
    "~http://localhost:81/database.nsf/page.xsp/(.*)" "/$1";
}
server {
    ...
    location / {
      proxy_pass   http://localhost:81/database.nsf/page.xsp/;
      # redirect X-XspLocation
      proxy_hide_header X-XspLocation;
      add_header X-XspLocation $xsplocation_new;
      #add_header X-XspLocation2 $xsplocation_new;
    }
}

I even tried with njs to change the header, it probably failed because I don't know how to use js_set or js_content to call a function that doesn't return anything.

Why is it so darned difficult to modify a response header??

The real question is of course: how can I make this work?? Thanks for your assistance!!

More info

In order to prove that the map works, I tested with the following:

    location / {
      proxy_pass   http://localhost:81/database.nsf/page.xsp/;
      # redirect X-XspLocation
      # proxy_hide_header X-XspLocation;
      # add_header X-XspLocation $xsplocation_new;
      add_header X-XspLocation2 $xsplocation_new;
    }

The result is now that the original header plus the new header X-XspLocation2 are present, and the 2nd one is exactly what I need in X-XspLocation.

By the way, nginx version: nginx/1.18.0 on Ubuntu 16.04.6 LTS (My client's provider's system, not mine...)

The full censored config file

map $sent_http_x_xsplocation $xsplocation_new {
    "~http://localhost:81/database.nsf/page.xsp/(.*)" "/$1";
}

server {
    listen       4443 ssl;
    server_name  www.myclient.nl;

    ssl_certificate       /etc/nginx/ssl/www.myclient.nl.pem;
    ssl_certificate_key   /etc/nginx/ssl/www.myclient.nl.pem;

    # do not allow google to index this website
    # TODO: remove when going to production
    add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    # replace redirects in response header fields Location and Refresh
    proxy_redirect http://localhost:81/database.nsf/page.xsp/ https://www.myclient.nl:4443/;
    proxy_redirect http://localhost:81/ https://www.myclient.nl:4443/;

    # tell domino not to encode the response so we can use sub_filter
    proxy_set_header Accept-Encoding "";

    # substitute response content
    sub_filter 'localhost:81'       'www.myclient.nl:4443';
    sub_filter 'www.myclient.nl' 'www.myclient.nl:4443'; #TODO: remove when going production
    sub_filter '/database.nsf/page.xsp/'  '/';
    sub_filter '/database.nsf/'           '/other/';
    sub_filter_once off;

    # Domino
    location = /favicon.ico {
      access_log off; log_not_found off;
      proxy_pass http://localhost:81/database.nsf/Images/favicon.ico/%24file/favicon.ico;
    }

    # root / homepage
    location = / { proxy_pass   http://localhost:81/database.nsf/page.xsp/HomePage; }

    #login
    location /names.nsf { proxy_pass http://localhost:81/names.nsf; }

    # XPages
    location /xsp/ { proxy_pass  http://localhost:81/xsp/; }
    location /domjava/ { proxy_pass  http://localhost:81/domjava/; }

    # training
    location ~* ^/.*-training/(.*) {
      proxy_pass http://localhost:81/database.nsf/page.xsp/training/$1;
    }
    location ~* ^/(.*)-training$ {
      proxy_pass http://localhost:81/database.nsf/page.xsp/$1;
    }

    # IMAGES
    # image resources - any case insensitive match with 'images'
    location ~* '/images/(.*)$' {
      proxy_pass   'http://localhost:81/database.nsf/Images/$1';
    }
    # images referenced from css in file.xsp have this url, redirect to backend correctly
    location ~* '/file.xsp/images/(.*)$' {
      proxy_pass   'http://localhost:81/database.nsf/Images/$1';
    }

    # file resources
    location /file.xsp/ { proxy_pass  http://localhost:81/database.nsf/file.xsp/; }

    # other resources
    location /other/ { proxy_pass   http://localhost:81/database.nsf/; }

    # all other urls
    location / {
      proxy_pass   http://localhost:81/database.nsf/page.xsp/;
      # redirect X-XspLocation
      #add_header X-XspLocation $xsplocation_new always;
      proxy_hide_header X-XspLocation;
      add_header X-XspLocation $xsplocation_new;
    }
}

I have an OpenVPN server installed on 192.168.0.3 as 10.10.10.1. I can connect from the Internet to my OpenVPN server, the connection is created. Now I have a server on the LAN with IP-address 192.168.0.11 and I'd like to expose it to the VPN als 10.10.10.11. How can I do that? I don't know beforehand what ports will be used by a client.

What I tried is this:

iptables -t nat -D PREROUTING -d 10.10.10.11 -j DNAT --to-destination 192.168.0.11

But if I try, on said OpenVPN server itself,

telnet 10.10.10.11 80 

it doesn't work, whereas

telnet 192.168.0.11 80

connects.

I also activated IP-forwarding on the server, using

echo 1 > /proc/sys/net/ipv4/ip_forward

Any hints?? thanks!!

Our Owncloud server's disk crashed, beyond repair. All the data is stored on mounted disks (RAID-1), and these seem intact. I have to confess that we don't have a backup of the configuration, as far as I can tell.

Is there a way to safely re-create an Owncloud server using existing data disks on Linux?

Update: screenshot