Thomas's questions

I have a OpenVPN Server on a MultiWAN Router (Ubuntu Based). The Problem is, that incoming packages not leaving the same WAN interface where they entered. I tested already with iptables MARK rules in combination with ip rules, but could not fix the problem. I know, I can define on the openvpn configuration with local 79.1.2.3 the outgoing ip, but I want it more flexible if possible. The OpenVPN Port Protocol is UDP if it matters.

$ ip r s|grep default
default via 83.1.2.3 dev vlan254 metric 1 
default via 79.1.2.3 dev ppp0 metric 2 
default via 192.168.0.251 dev vlan10 metric 3 onlink 

$ ip rule s
0:      from all lookup local 
100:    from all fwmark 0x1 lookup uplink1 
101:    from 83.1.2.3 lookup uplink1 
102:    from all to 83.1.2.3 lookup uplink1 
200:    from all fwmark 0x2 lookup uplink2 
201:    from 79.1.2.3 lookup uplink2 
300:    from all fwmark 0x3 lookup uplink3 
301:    from 192.168.0.254 lookup uplink3 
302:    from all to 192.168.0.254 lookup uplink3 
32766:  from all lookup main 
32767:  from all lookup default 

# iptables -L -vn -t mangle
Chain PREROUTING (policy ACCEPT 4785K packets, 5178M bytes)
 pkts bytes target     prot opt in     out     source               destination         
4785K 5178M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
3985K 5035M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
  351 46210 MARK       all  --  vlan254 *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 3865  242K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2
  351 46210 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 CONNMARK save
 3865  242K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 CONNMARK save

Chain INPUT (policy ACCEPT 1658K packets, 1114M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3127K packets, 4063M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1534K packets, 1241M bytes)
 pkts bytes target     prot opt in     out     source               destination         
1534K 1241M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
 657K  103M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:55394 MARK set 0x2
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 CONNMARK save
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 CONNMARK save

Chain POSTROUTING (policy ACCEPT 4639K packets, 5303M bytes)
 pkts bytes target     prot opt in     out     source               destination         
4639K 5303M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
3743K 4164M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
   90  7560 MARK       all  --  *      vlan254  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
57161 3664K MARK       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            MARK set 0x2
 896K 1140M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

So, the incomming packets comes from uplink2, but leaves uplink1 (the default gw).

Any Idea how I can solve my problem?

I am looking for a way, to automatically logon a User from computer startup script, without rebooting the machine. I know, I can write in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon... Keys or use Sysinternals autologon.exe, but this all don't work without a reboot.

OS: Windows >= 7

A while ago, I have seen a small until, who could do it. But I forgot about it and can't find it again. Or maybe there is any other solution?

I think, it is only possible with a GINA plugin?

I want that Apache disable keep-alive for http 1.1 when a specific host header is set. But I cant figure out how it is be done, because there are really less examples on the Net to SetEnvIfExpr. What I have is this:

SetEnvIfExpr "%{SERVER_NAME}==home.myhome.net" nokeepalive 1

But Apache won't accept it with this:

syntax error, unexpected T_OP_CONCAT, expecting '('

Any Idea?

Regards, Thomas

I can't get mod_rewrite work with the following Rules.

RewriteCond "%{SERVER_NAME}" "home.myhome.net"
RewriteCond "%{SERVER_PORT}" "^4388$"
RewriteRule (.*) https://home.myhome.net:4389%{REQUEST_URI} [QSA,R=301,L]

This Rule is set on my http virtual host section. Problem is, that redirect only works the first time. The second time when I enter a differnt URL on http port 4388 I get redirected to https://home.myhome.net:4388/...

for example:

• first I enter http://home.myhome.net:4388/pageA I get redirected to https://home.myhome.net:4389/pageA
• next time I enter http://home.myhome.net:4388/pageB and get redirected to https://home.myhome.net:4388/pageB

Any Idea how to fix that?

My OS details:

root@host:~# dpkg -l|grep apache
ii  apache2                                     2.4.18-2ubuntu3.5                            amd64        Apache HTTP Server
ii  apache2-bin                                 2.4.18-2ubuntu3.5                            amd64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                                2.4.18-2ubuntu3.5                            all          Apache HTTP Server (common files)
ii  apache2-utils                               2.4.18-2ubuntu3.5                            amd64        Apache HTTP Server (utility programs for web servers)
ii  python-certbot-apache                       0.17.0-1+ubuntu16.04.1+certbot+1             all          Apache plugin for Certbot
root@host:~# lsb_release -d
Description:    Ubuntu 16.04.3 LTS

That's my Virtual Host Config, it is something different because I made some more tests, but same behavior. I also dropped for testing all other rewrite rules, with same result (and how I told in comments, for every test I flush my browser cache).

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond "%{SERVER_NAME}" "home.myhome.net"
        RewriteCond "%{SERVER_PORT}" "^4388$"
        RewriteRule ^ https://%{SERVER_NAME}:4389%{REQUEST_URI} [noescape,qsappend,redirect=301,last]
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Oh, and I forgot to say, that this server is behind a NAT Gateway, which does a port forwarding from external port 4388 to internal host port 80 and also external port 4389 to internal port 443. Thats why I need to check for the port and hostname to match only external traffic.

EDIT: Okay, I have found something, but also don't have a solution: I compared the first and following browser request/response with the browser developer tools->network tab:

The first request give me the "301 Moved Permanently", but the following request gives me a "307 Internal Redirect".

So this seems a Server problem. Question is only, if it is a Bug in mod_rewrite or is it my fault, because the Rule is not okay.

EDIT: I tested now also with the current apache version 2.4.27-5.1+ubuntu16.04.1+deb.sury.org+1 from Ondřej Surý's Apache PPA

Regards, Thomas

I have set up SSL for mysql replication. The problem is, that it makes problems on the other local apps which use mysql.

Like postfix:

Jul 25 23:00:22 srv1 postfix/proxymap[3141]: warning: connect to mysql server 127.0.0.1: SSL connection error: unable to verify peer checksum
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf: table lookup problem
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains lookup failure

or amavis:

Jul 25 23:08:12 srv1 amavis[5625]: (05625-01) (!)connect_to_sql: unable to connect to DSN 'DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306': SSL connection error: unable to verify peer checksum

and also pureftp

Jul 25 23:02:42 srv1 pure-ftpd: (?@2a02:810c:XXXXXXXX) [ERROR] The SQL server seems to be down [SSL connection error: unable to verify peer checksum]

Because I dont need local encryption, i want to disable it, but I dont know how. I have only set a cnf entry for the clients with:

[client]
#ssl-ca=/etc/letsencrypt/live/mydomain/chain.pem
#ssl-mode=DISABLED
ssl=0

But without luck. For postfix I found in the docs this note:

Postfix 3.1 and earlier don't read [client] option group settings unless a non-empty option_file or option_group value are specified. To enable this, specify, for example "option_group = client".

So I added to all /etc/postfix/mysql-*.cf files the option_group syntax. But after the restart it is the same problem..

When I disable ssl on the server, the problems are gone. But I want to have ssl for security of the replication.

Any Ideas?

We have upgraded some of our routers to Ubuntu 16.04 and are now getting some performance problems with DNS. It seems that packets are sometimes truncated, but I have no clue what else I can do:

This are the messages from logfile:

Jun  8 10:33:01 proxy named[2827]: success resolving 'b1sync.zemanta.com/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:33:05 proxy named[2827]: success resolving 'b1sync.zemanta.com/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:33:05 proxy named[2827]: success resolving 'px.owneriq.net/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:33:25 proxy named[2827]: success resolving 'deliveryengine.synchroscript.adswizz.com/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:33:42 proxy named[2827]: success resolving 'acl.stayfriends.de/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:34:36 proxy named[2827]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:34:38 proxy named[2827]: success resolving 'boden-de.resultspage.com/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:34:50 proxy named[2827]: success resolving 'cdn.optimizely.com/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:34:56 proxy named[2827]: success resolving 'cdn.syndication.twimg.com/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:35:21 proxy named[2827]: success resolving 'plus.google.com/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:35:25 proxy named[2827]: success resolving 'd.agkn.com/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:35:47 proxy named[2827]: success resolving 'googleads.g.doubleclick.net/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:37:09 proxy named[2827]: success resolving 'e6858.dsce9.akamaiedge.net/A' (in '.'?) after disabling EDNS
Jun  8 10:40:43 proxy named[2827]: success resolving 'r1---sn-4g5e6nl7.gvt1.com/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jun  8 10:42:12 proxy named[2827]: success resolving 'tedbaker.tdefender.net/A' (in '.'?) after disabling EDNS
Jun  8 10:42:14 proxy named[2827]: success resolving 'tile-service.weather.microsoft.com/A' (in '.'?) after disabling EDNS
Jun  8 10:42:34 proxy named[2827]: success resolving 'e5886.x.akamaiedge.net/A' (in '.'?) after disabling EDNS
Jun  8 10:42:41 proxy named[2827]: success resolving 'i.salecycle.com/AAAA' (in '.'?) after disabling EDNS
Jun  8 10:42:48 proxy named[2827]: success resolving 's.mopub.com/A' (in '.'?) after disabling EDNS
Jun  8 10:42:53 proxy named[2827]: success resolving 'postback.pointwise.co/A' (in '.'?) after disabling EDNS
Jun  8 10:43:22 proxy named[2827]: success resolving 'detectportal.firefox.com/AAAA' (in '.'?) after disabling EDNS
Jun  8 10:43:31 proxy named[2827]: success resolving 'www.evi.com/A' (in '.'?) after disabling EDNS
Jun  8 10:43:34 proxy named[2827]: success resolving 'tg.symcd.com/AAAA' (in '.'?) after disabling EDNS
Jun  8 10:43:41 proxy named[2827]: success resolving 'googleads4.g.doubleclick.net/A' (in '.'?) after disabling EDNS
Jun  8 10:43:41 proxy named[2827]: success resolving 'googleads4.g.doubleclick.net/AAAA' (in '.'?) after disabling EDNS
Jun  8 10:43:42 proxy named[2827]: success resolving './NS' (in '.'?) after disabling EDNS
Jun  8 10:43:55 proxy named[2827]: success resolving 'ping.avast.com/A' (in '.'?) after disabling EDNS
Jun  8 10:43:59 proxy named[2827]: success resolving 'm2932843.iavs9x.avg.u.avcdn.net/AAAA' (in '.'?) after disabling EDNS
Jun  8 10:44:22 proxy named[2827]: success resolving 'www.stylight.de/A' (in '.'?) after disabling EDNS
Jun  8 10:45:16 proxy named[2827]: success resolving './NS' (in '.'?) after disabling EDNS
Jun  8 10:45:21 proxy named[2827]: success resolving 'www.ist-track.com/A' (in '.'?) after disabling EDNS
Jun  8 10:46:30 proxy named[2827]: success resolving './NS' (in '.'?) after disabling EDNS
Jun  8 10:46:39 proxy named[2827]: success resolving 'ocsp-ds.ws.symantec.com.edgekey.net/A' (in '.'?) after disabling EDNS
Jun  8 10:47:33 proxy named[2827]: success resolving 'download.cdn.mozilla.net/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets

I have been looking around the net for a solution. For example, this nice page: Why does BIND log messages about disabling EDNS or reducing the advertised packet size?

1. I have set the packet size to 512, but then I get also the "disabling EDNS" problem.
2. I have found that it is possible to disable EDNS in general, but this is for sure not the solution.
3. I tested with different nameservers.
4. I also tested with a different dns service (dnsmasq)

With the reply size test, I have found also that the destination DNS servers support a size of 4096. But sometimes the size gets reduced.

rst.x1008.rs.dns-oarc.net.
rst.x1968.x1008.rs.dns-oarc.net.
rst.x2454.x1968.x1008.rs.dns-oarc.net.
"74.125.73.76 DNS reply size limit is at least 2454"
"74.125.73.76 sent EDNS buffer size 4096"
"Tested at 2017-06-08 09:07:07 UTC"
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"74.125.47.151 DNS reply size limit is at least 4090"
"74.125.47.151 sent EDNS buffer size 4096"
"Tested at 2017-06-08 09:06:18 UTC"
rst.x1008.rs.dns-oarc.net.
rst.x1253.x1008.rs.dns-oarc.net.
rst.x1447.x1253.x1008.rs.dns-oarc.net.
"2a00:1450:400c:c02::103 DNS reply size limit is at least 1447"
"2a00:1450:400c:c02::103 sent EDNS buffer size 4096"
"Tested at 2017-06-08 09:06:22 UTC"
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"74.125.47.139 DNS reply size limit is at least 4090"
"74.125.47.139 sent EDNS buffer size 4096"
"Tested at 2017-06-08 09:07:13 UTC"
rst.x1008.rs.dns-oarc.net.
rst.x1253.x1008.rs.dns-oarc.net.
rst.x1447.x1253.x1008.rs.dns-oarc.net.
"2a00:1450:400c:c02::103 DNS reply size limit is at least 1447"
"2a00:1450:400c:c02::103 sent EDNS buffer size 4096"
"Tested at 2017-06-08 09:06:22 UTC"

The problem now is that I can't find the root problem. The two machines which have the problem have different NICs (one Intel and the other one Broadcom) — so I don't think it is a driver problem.

One machine has a DSL connection and the other one has 2 gateways (cable and ethernet in a failover config). So all of them have no router in front (only the second, with the ethernet, but it is only the failover link, and it happens also on both links).

I have also made a pcap dump, and found some "TCP Retransmisson" and "TCP Spurious Retransmission" — but don't know whether they are the problem. And with tcpdump I can see a lot of "bad udp cksum" — but not on Wireshark.

I try to make a admin website, which control access to the internet. When I allow access on this site to a client ip, the site write this ip in a acl file and reload squid. This works fine - access is allowed. And when I remove the ip and reload squid, the client get blocked. But when I have acceded google (https!) before, then the access to google is still possible. After some minutes inactivitiy access is also blocked. So somebody can build a tunnel and keep the internet open for them.

Is it possible to force disconnect of open CONNECT sessions?

a little example:

acl allowed_dst dstdomain "/etc/squid/allowed_dst"
acl allowed_clients src "/etc/squid/allowed_clients"

http_access allow allowed_dst
http_access allow allowed_clients
http_access deny all

I try to build a ldap query to MS Active Directory. I found that there is a LDAP_MATCHING_RULE_IN_CHAIN type to do so. Which results in the follow syntax:

(&(sAMAccountName=Benna)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))

Problem is:

The query* enumerate online the first nested group.

In my example the Group1 has the follow member groups:

• Domain Administrators
• Domain Members
• Domain Computers

And Benna is in Group Domain Members, but the query dont give me a result*.

When I change the filter to

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=Root,DC=domain,DC=local))

I can see, that the query enumerates only members of the Group "Domain Administrators"*.

So thats the reason that it not matches my query above.

Any reason why this happens?

*Tested with adsiedit.msc

EDIT:

ok - it seams that this is the reason

https://support.microsoft.com/en-us/kb/275523

but is it possible to build a query to the nested group also for the primaryGroupID attribute? Or is there any way to have a single ldap query, where you can use to find if a user is member of a group (which can also have nested groups)?

Thanks, Thomas