Abc Xyz's questions

I am writing iptables rulles and have problem with preventing flood SYN. Found that synproxy should be the right solution. But when testing, I found that it don't mark packets as INVALID, so iptables rule wont drop it.

$iptables -t raw    -A PREROUTING -p tcp -m tcp -m multiport --dports 25,80,443,587 --syn -j  CT --notrack  
$iptables -t filter -A INPUT      -p tcp -m tcp -m multiport --dports 25,80,443,587 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
$iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IPTABLES=INVALID "                                                                
$iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables -A INPUT -j LOG --log-prefix "IPTABLES=PASS "

As I understand it correctly, synproxy target should set invalid state to all packets that does not created 3 way hanshake, but when i use hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.0.50 packets are logged as PASS not INVALID.

I also addded to sysctl more strict conntracking, this is necessary to have ACK packets (from 3WHS) marked as INVALID state.

/etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_timestamps = 1

I was using this blog post to understand whats happen. But there is nothing more i can change.

Could someone point me what I'm doing wrong?

iptables -nvL
Chain PREROUTING (policy ACCEPT 69965 packets, 9252K bytes)
 pkts bytes target     prot opt in     out     source               destination
38184 6109K CT         tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 NOTRACK

Chain INPUT (policy DROP 98 packets, 4346 bytes)
 pkts bytes target     prot opt in     out     source               destination
34063 5450K SYNPROXY   tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 25,80,150,443,587 ctstate INVALID,UNTRACKED SYNPROXY sack-perm t imestamp wscale 7 mss 1460
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "IPTABLES=INVALID1 "
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

Lately i was working on uploading big files to website, this upload eat whole bandwidth and crippled my network. So i implemented chunking one 1MB chunk per second and its working but now I'm thinking could I use traffic control to achieve the same with better result.

My question: Is traffic control that smart and can distinguish between www browsing and www bulk upload/download big files.

tc qdisc add dev imq0 root handle 1:0 htb default 666
tc class add dev imq0 parent 1:0 classid 1:1   htb rate 90000kbit ceil 90000kbit

tc class add dev imq0 parent 1:1 classid 1:888 htb rate 10000kbit ceil 40000kbit prio 0    # browse www traffic
tc class add dev imq0 parent 1:1 classid 1:666 htb rate 10000kbit ceil 40000kbit prio 1    # bulk www traffic

tc filter add dev imq0 protocol ip parent 1:1 prio 2 u32 match ip tos 0x08 0xff  flowid 1:666 # bulk www traffic
tc filter add dev imq0 protocol ip parent 1:0 prio 2 u32 match ip sport   80 0xffff flowid 1:888  # http
tc filter add dev imq0 protocol ip parent 1:0 prio 2 u32 match ip sport  443 0xffff flowid 1:888  # https

Would something like this work? (Cant check it now.)

Cant wrap my mind on this problem. I want to put external ip to internal machines ("LAN").

            200.0.0.1               /-->[eth0 s2] 200.0.0.2
[internet]<---->[eth0 s1 eth1]<--[sw]-->[eth0 s3] 200.0.0.3
                                    \-->[eth0 s4] 200.0.0.4

I want to be able to ping s2,s3,s4 from internet and internet from s2,s3,s4. I don't want to set many ip 200.0.0.2,200.0.0.3,200.0.0.4 on [eth0 s1] then SNAT/DNAT it to internal ip.

Is it possible to do that?

Do i need to set something like promiscuous mode on [eth0 s1]?

I have two test servers master and slave:

Master is updating slave but very slowly. How to speed this up.

Master (192.168.0.122) /etc/named.conf

zone "domain.com." {
    type master;
    file "caching-example/domain.com.db";
    //allow-update { key rndc-key;};
    notify yes;
    also-notify    { 192.168.0.66; };
    allow-transfer { 192.168.0.66; };
};

Slave (192.168.0.66) /etc/named.conf

zone "domain.com" {
    type slave;
    file "caching-example/domain.com.db";
    //allow-update { key rndc-key; };
    //allow-transfer { none; };
    allow-notify { 192.168.0.122; };
    masters      { 192.168.0.122; };
}

Master /var/named/caching-example/domain.com.db zone

$TTL    3600
$ORIGIN domain.com.
@       IN      SOA     darkstar.example.net.    root.example.net. (
                 2012033101         ; Serial
                       3600         ; Refresh
                       1800         ; Retry
                     604800         ; Expire
                      43200 )       ; Negative Cache TTL

    IN      NS      darkstar.example.net.

@       IN      A       162.144.18.114
www     IN      A       162.144.18.114

Now when i cahnge by hand master /var/named/caching-example/domain.com.db zone

$TTL    3600
$ORIGIN domain.com.
@       IN      SOA     darkstar.example.net.    root.example.net. (
                 2012033102         ; Serial
                       3600         ; Refresh
                       1800         ; Retry
                     604800         ; Expire
                      43200 )       ; Negative Cache TTL

    IN      NS      darkstar.example.net.

@       IN      A       8.8.8.8
www     IN      A       8.8.8.8

Nothing happens Master have domain.com at 8.8.8.8 and slave have domain.com at 162.144.18.114.

dig @192.168.0.122 domain.com

domain.com.     3600    IN  A   8.8.8.8

dig @192.168.0.66 domain.com

domain.com.     3600    IN  A   162.144.18.114

On slave was trying to use rndc but without success rndc refresh domain.com

zone refresh queued

Master is updating a slave but very slowly, is there any way to speed this up? I found that Negative Cache TTL is reposnsible for update time, but bind requires config reload. Is it possible to do update automatically?

Is it possible to force zone update from/on slave?

** EDIT **

Feb 16 01:00:21 darkstar named[1460]: client @0x7fec000bfea0 192.168.0.122#49018: received notify for zone 'domain.com'
Feb 16 01:00:21 darkstar named[1460]: zone domain.com/IN: notify from 192.168.0.122#49018: serial 2012033102
Feb 16 01:00:21 darkstar named[1460]: zone domain.com/IN: Transfer started.
Feb 16 01:00:21 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: connected using 192.168.0.66#51117
Feb 16 01:00:21 darkstar named[1460]: zone domain.com/IN: transferred serial 2012033102
Feb 16 01:00:21 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: Transfer status: success
Feb 16 01:00:21 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: Transfer completed: 1 messages, 5 records, 176 bytes, 0.003 secs (58666 bytes/sec)

[Case1] When copying file from server (being on client) to client, packets are marked incorrect with 3 (root).

[Case2] When copying file from server (being on server) to client, packets are marked correct with 1003 (test1).

Server ip 192.168.0.16, test1 is server user.

Client ip 192.168.0.10, client is client user.

[Case1]

[email protected]:~$ scp -P 22 [email protected]:/home/test1/archlinux-bootstrap-2016.03.01-x86_64.tar.gz /tmp/

ps check, while copying:

[email protected]:~$ ps aux | grep scp
root      1653  0.1  0.0  32668  4408 ?        Ss   19:31   0:00  \_ sshd: test1 [priv]
test1      1655  3.0  0.0  36104  6912 ?        S    19:31   0:00      \_ sshd: test1@notty
test1      1656  1.3  0.0  27516  2648 ?        Ss   19:31   0:00          \_ scp -f /home/test1/archlinux-bootstrap-2016.03.01-x86_64.tar.gz

bmon [class 1:3 is a root user] [class 1:1003 is a test1 user]

  imq0 (outgoing)              │   1.17MiB    818      │   1.12MiB    781
    qdisc 1: (htb)             │      0         0      │   1.12MiB    781
      cls :3 (fw)              │      0         0      │      0         0
      cls :3eb (fw)            │      0         0      │      0         0
      class 1:1 (htb)          │      0         0      │   1.12MiB    781   99%
        class 1:2 (htb)        │      0         0      │    430B        1    0%
        class 1:3 (htb)        │      0         0      │   1.12MiB    780   208%
        class 1:1003 (htb)     │      0         0      │      0         0    0%
        class 1:5 (htb)        │      0         0      │      0         0    0%
        class 1:6 (htb)        │      0         0      │      0         0    0%

[Case2]

[email protected]:~$ scp -P 22 archlinux-bootstrap-2016.03.01-x86_64.tar.gz [email protected]:~/

ps check, while copying:

[email protected]:~$ ps aux | grep scp
root      1637  0.0  0.0  32668  4400 ?        Ss   19:29   0:00  \_ sshd: test1 [priv]
test1      1639  0.0  0.0  32668  3240 ?        S    19:30   0:00      \_ sshd: test1@pts/3
test1      1640  0.0  0.0  20540  3296 pts/3    Ss   19:30   0:00          \_ -bash
test1      1650  0.0  0.0  27516  2640 pts/3    S+   19:30   0:00              \_ scp -P 22 archlinux-bootstrap-2016.03.01-x86_64.tar.gz [email protected]:~/
test1      1651  0.0  0.0  30636  6748 pts/3    S+   19:30   0:00                  \_ /usr/bin/ssh -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes -p 22 -l

bmon [class 1:3 is a root user] [class 1:1003 is a test1 user]

  imq0                         │ 142.83KiB    103      │  98.50KiB     68
    qdisc 1: (htb)             │      0         0      │  98.50KiB     68
      cls :3eb (fw)            │      0         0      │      0         0
      cls :3 (fw)              │      0         0      │      0         0
      class 1:1 (htb)          │      0         0      │  98.50KiB     68    1%
        class 1:2 (htb)        │      0         0      │    533B        2    0%
        class 1:3 (htb)        │      0         0      │      0         0    0%
        class 1:1003 (htb)     │      0         0      │  97.97KiB     66   100%
        class 1:5 (htb)        │      0         0      │      0         0    0%

Iptables rules:

# IN
  iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
  iptables -t mangle -A PREROUTING -j CONNMARK  --restore-mark
# OUT
  iptables -t mangle -N IMQ-OUT
  iptables -t mangle -A POSTROUTING -o eth0 -j IMQ-OUT
  iptables -t mangle -A IMQ-OUT -o eth0 -m owner --uid-owner root -j MARK --set-mark 3
  iptables -t mangle -A IMQ-OUT -o eth0 -m owner --uid-owner root -j RETURN
  iptables -t mangle -A IMQ-OUT -o eth0 -m owner --uid-owner test1 -j MARK --set-mark 1003
  iptables -t mangle -A IMQ-OUT -o eth0 -m owner --uid-owner test1 -j RETURN
  iptables -t mangle -A POSTROUTING -j CONNMARK  --save-mark
  iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0

Could someone explain me why in [Case1] server thinks that outgoing connection is root connection even if ps shows user test1?

Right now I'm trying to use cgroup to shape traffic, by user.

Same situation with cgroup.

echo '1003' > /cgroup/cpu_mem_blkio/users/test1/net_cls.classid
iptables -t mangle -A IMQ-OUT -o eth0 -m cgroup --cgroup 1003 -j MARK --set-mark 1003

My goal is to limit bandwidth per system user with tc, IMQ interfaces and iptables. Right now i have problem with bulk downloads (i.e. scp) that is creating lag on interactive programs such as ssh server.

This is my config:

# UPLOAD # OUTBOUND #
tc qdisc add dev imq0 root handle 1:0 htb default 11
  tc class add dev imq0 parent 1:0 classid 1:1  htb rate 700kbit ceil 700kbit
  tc class add dev imq0 parent 1:1 classid 1:10 htb rate 450kbit ceil 700kbit prio 0
  tc class add dev imq0 parent 1:1 classid 1:11 htb rate 250kbit ceil 250kbit prio 1
  tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
  tc filter add dev imq0 parent 1:0 prio 1 protocol ip handle 11 fw flowid 1:11

# DOWNLOAD # INBOUND #
tc qdisc add dev imq1 root handle 2:0 htb default 11
  tc class add dev imq1 parent 2:0 classid 2:2  htb rate 7000kbit ceil 7000kbit
  tc class add dev imq1 parent 2:1 classid 2:10 htb rate 4500kbit ceil 7000kbit prio 0
  tc class add dev imq1 parent 2:1 classid 2:11 htb rate 2500kbit ceil 2500kbit prio 1
  tc filter add dev imq1 parent 2:0 prio 0 protocol ip handle 10 fw flowid 2:10
  tc filter add dev imq1 parent 2:0 prio 1 protocol ip handle 11 fw flowid 2:11

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -j CONNMARK  --restore-mark

iptables -t mangle -N IMQ-OUT
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ-OUT
  iptables -t mangle -A IMQ-OUT -p tcp -m length --length :64 -j MARK --set-mark 10
  iptables -t mangle -A IMQ-OUT -p tcp -m length --length :64 -j RETURN
  iptables -t mangle -A IMQ-OUT -m owner --uid-owner root -j MARK --set-mark 10
  iptables -t mangle -A IMQ-OUT -m owner --uid-owner root -j RETURN
  iptables -t mangle -A IMQ-OUT -m owner --uid-owner test1 -j MARK --set-mark 11
  iptables -t mangle -A IMQ-OUT -m owner --uid-owner test1 -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK  --save-mark
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0

Class and filter after executing config:

tc class show dev imq0
class htb 1:11 parent 1:1 prio 1 rate 250000bit ceil 700000bit burst 1599b cburst 1599b 
class htb 1:10 parent 1:1 prio 0 rate 450000bit ceil 700000bit burst 1600b cburst 1599b 
class htb 1:1 root rate 700Kbit ceil 700Kbit burst 1600b cburst 1600b

tc filter show dev imq0
filter parent 1: protocol ip pref 1 fw 
filter parent 1: protocol ip pref 1 fw handle 0xb classid 1:11 
filter parent 1: protocol ip pref 49152 fw 
filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10

Was trying to add qdisc with sfq like this

#  tc qdisc add dev imq0 parent 1:10 handle 10:0 sfq perturb 10
#  tc qdisc add dev imq0 parent 1:11 handle 11:0 sfq perturb 10
#  tc qdisc add dev imq1 parent 2:10 handle 10:0 sfq perturb 10
#  tc qdisc add dev imq1 parent 2:11 handle 11:0 sfq perturb 10

but what it does is freezing my computer (reboot needed).

I'm new to this topic, any help appreciated.

Previously (about 5months ago) everything was working well, right now, instead of @app index.html is served.

Same problem on nginx version: 1.6.2 and 1.8

This is my /etc/nginx.conf

http {
    include       mime.types;
    default_type  application/octet-stream;
    server {
        listen       80;
        server_name  localhost;
        root   /opt/app/server/html;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /var/www/html;
        }
    }
    include /etc/nginx/conf.d/*.conf;
}

This is my /etc/nginx/conf.d/user_example.conf

server {
    listen 80;
    server_name user.example.com;
    root /home/user/webapps/;

    location / {
        try_files $uri $uri/ @app; (removed index.html;)
    }

    location @app {
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_pass http://127.0.0.1:9000;
    }
}

Could someone explain me why @app is skipped?

Hm this could be another question, but ... If i remove /home/user/webapps/index.html and go to user.example.com I get 403 Forbidden. And i want to 'execute' proxy_pass from @app, what i need to change?

Changed config - but still would like to know how to use that named location.

server {
    listen 80;
    server_name user.example.com;
    root /home/user/webapps/;

    location / {
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_pass http://127.0.0.1:9000;
    }
}

Problem was not the named location @app but $uri/ wrong permissions over directory /home/user/webapps. Problem solved.

cgrulesengd can't move pid to task file while running as deamon, if I restart cgrulesengd all pids are moved correctly to task file, but new pid's not.

So, if i log in as hello user, and then run from root cgrulesengd -n -d, user hello and all his processes are moved to /cgrup/mem/hello/tasks file. But when i log out and login, user hello isn't affected anymore by cgrulesengd.

This is my test file.

#!/bin/bash
USER='hello'
cgdelete memory:${USER}/

cgclear
/etc/rc.d/rc.cgred stop

umount /cgroup/mem
rm -fr /cgroup/mem/

mkdir /cgroup/mem
mount -t cgroup -o memory mem /cgroup/mem

mkdir /cgroup/mem/${USER}

chown root:root   /cgroup/mem/${USER}/*
chown ${USER}:root /cgroup/mem/${USER}/tasks

echo 100M > /cgroup/mem/${USER}/memory.limit_in_bytes
echo 100M > /cgroup/mem/${USER}/memory.memsw.limit_in_bytes

[ ! -f '/etc/cgrules.conf_orig' ] && cp -pa /etc/cgrules.conf /etc/cgrules.conf_orig
echo "${USER} memory ${USER}/" > /etc/cgrules.conf
#echo "*       *       system/" >> /etc/cgrules.conf

/etc/rc.d/rc.cgred start
#cgrulesengd -n -d

ls -all /cgroup/mem/${USER}/tasks
cat /cgroup/mem/${USER}/tasks

echo -n "memory.limit_in_bytes  "
cat /cgroup/mem/${USER}/memory.limit_in_bytes
echo -n "memory.max_usage_in_byte  "
cat /cgroup/mem/${USER}/memory.max_usage_in_bytes

echo -n "memory.memsw.limit_in_bytes  "
cat /cgroup/mem/${USER}/memory.memsw.limit_in_bytes
echo -n "memory.memsw.max_usage_in_bytes  "
cat /cgroup/mem/${USER}/memory.memsw.max_usage_in_bytes

Output:

./test_cgred.sh 
Stopping CGroup Rules Engine Daemon...                     [  OK  ]
umount: /cgroup/mem: not mounted
Starting CGroup Rules Engine Daemon:                       [  OK  ]
-rw-r--r-- 1 hello root 0 Sep 26 00:46 /cgroup/mem/hello/tasks
memory.limit_in_bytes  104857600
memory.max_usage_in_byte  0
memory.memsw.limit_in_bytes  104857600
memory.memsw.max_usage_in_bytes  0

I just found that when memory.max_usage_in_byte and memory.memsw.max_usage_in_bytes is != 0 all new pids are moved correctly.

My question are:

1. Why i get 0 in memory.max_usage_in_byte and memory.memsw.max_usage_in_bytes?
2. Why new pid isn't automatically attached to task file?

Version: libcgroup-0.41-x86_64-1

Temporary solution: added echo $$ >> /cgroup/mem/$USER/tasks to /etc/profile.

Is it possible to limit memory usage per user not per group?

This is my config ...

/etc/cgconfig.conf

mount {
    cpu     = /cgroup/cpu_and_mem;
    cpuacct = /cgroup/cpu_and_mem;
    memory  = /cgroup/cpu_and_mem;
}
group small {
        cpu {
                cpu.shares="100";
        }
        cpuacct {
                cpuacct.usage="0";
        }
        memory {
                memory.limit_in_bytes="200M";
                memory.memsw.limit_in_bytes="200M";
        }
}

/etc/cgrules.conf

@guests      cpu,cpuacct,memory      small
user1        cpu,cpuacct,memory      small
user2        cpu,cpuacct,memory      small

Right now i see only one option to create group small1 and link user1 to that group, then user2 to small2 and so on, like this:

/etc/cgconfig.conf

group small1 {
        cpu {
                cpu.shares="100";
...
group small2 {
        cpu {
                cpu.shares="100";
...

/etc/cgrules.conf

user1        cpu,cpuacct,memory      small1
user2        cpu,cpuacct,memory      small2

Does anybody know better way of doing this?

I'm trying to use postfix + policyd2 to limit amount of outgoing emails. But when implementing policyd2 policies i get Access denied - no mater what i do i get denied.

• Postfix version 2.11.4
• PolicyD2 (cluebringer) version 2.0.14-1

Error box from email client:

An error occurred while sending mail. The mail server responded: 4.7.1 <[email protected]>: Recipient address rejected: Access denied. Please check the message recipient [email protected] and try again.

When i turn off policyd2 in postfix /etc/postfix/main.cf everything works:

smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
smtpd_recipient_restrictions=check_policy_service inet:127.0.0.1:10031, 

If i turn it back on, this is what i get /var/log/maillog:

postfix/smtpd[3228]: >>> START Helo command RESTRICTIONS <<<
postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname                   
postfix/smtpd[3228]: reject_invalid_hostaddr: [192.168.0.10]
postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname status=0
postfix/smtpd[3228]: >>> END Helo command RESTRICTIONS <<<
postfix/smtpd[3228]: >>> START Recipient address RESTRICTIONS <<<
postfix/smtpd[3228]: generic_checks: name=check_policy_service
postfix/smtpd[3228]: trying... [127.0.0.1]
postfix/smtpd[3228]: auto_clnt_open: connected to 127.0.0.1:10031
postfix/smtpd[3228]: send attr request = smtpd_access_policy
postfix/smtpd[3228]: send attr protocol_state = RCPT
postfix/smtpd[3228]: send attr protocol_name = ESMTP
postfix/smtpd[3228]: send attr client_address = 88.88.88.88
postfix/smtpd[3228]: send attr client_name = example.pl
postfix/smtpd[3228]: send attr reverse_client_name = example.pl
postfix/smtpd[3228]: send attr helo_name = [192.168.0.10]
postfix/smtpd[3228]: send attr sender = [email protected]
postfix/smtpd[3228]: send attr recipient = [email protected]
postfix/smtpd[3228]: send attr recipient_count = 0
postfix/smtpd[3228]: send attr queue_id = 
postfix/smtpd[3228]: send attr instance = c9c.5584b989.ab0c0.0
postfix/smtpd[3228]: send attr size = 368
postfix/smtpd[3228]: send attr etrn_domain = 
postfix/smtpd[3228]: send attr stress = 
postfix/smtpd[3228]: send attr sasl_method = PLAIN
postfix/smtpd[3228]: send attr sasl_username = [email protected]
postfix/smtpd[3228]: send attr sasl_sender = 
postfix/smtpd[3228]: send attr ccert_subject = 
postfix/smtpd[3228]: send attr ccert_issuer = 
postfix/smtpd[3228]: send attr ccert_fingerprint = 
postfix/smtpd[3228]: send attr ccert_pubkey_fingerprint = 
postfix/smtpd[3228]: send attr encryption_protocol = TLSv1
postfix/smtpd[3228]: send attr encryption_cipher = ECDHE-RSA-AES256-SHA
postfix/smtpd[3228]: send attr encryption_keysize = 256
postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: action
postfix/smtpd[3228]: input attribute name: action
postfix/smtpd[3228]: input attribute value: DEFER
postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: (list terminator)
postfix/smtpd[3228]: input attribute name: (end)
postfix/smtpd[3228]: check_table_result: inet:127.0.0.1:10031 DEFER policy query
postfix/smtpd[3228]: NOQUEUE: reject: RCPT from example.pl[88.88.88.88]: 450 4.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.10]>
postfix/smtpd[3228]: generic_checks: name=check_policy_service status=2
postfix/smtpd[3228]: >>> END Recipient address RESTRICTIONS <<<
postfix/smtpd[3228]: > example.pl[88.88.88.88]: 450 4.7.1 <[email protected]>: Recipient address rejected: Access denied
postfix/smtpd[3228]: watchdog_pat: 0x83b23a8

Policy example.

Create policy:

INSERT INTO policies VALUES (1, 'In Out', 10, 'In Out Policy', 0);
INSERT INTO policy_members VALUES (1, 1, 'any', 'any', '' ,0);

Add quotas - actions:

INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Sender:user@domain', 'Sender:user@domain', 60, 'DEFER', 'Deferring: To many messages from sender in last 60s.');
INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT', 'Quota limit reached.');

Add quota limits:

INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (1,'MessageCount', 12);
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (2,'MessageCount', 20);

Can't use web gui (no PHP) - so I'm not sure if it is correct. Was searching and trying different policy examples but the error remains exactly the same.

Why i can't use variable $user in proxy_pass - like in example below?

server {
    listen 80;
    server_name ~^(?P<user>[a-z|A-Z|0-9|_|-]+)\.example\.net$;
    root /home/$user/webapps/;

    location /app/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unix:/home/$user/webapps/app/run/gunicorn.sock:/;
    }
}

Is this possible to achieve or should i give up?

And this one would be perfect, but it is also not working.

server {
    listen 80;
    server_name ~^(?P<user>[a-z|A-Z|0-9|_|-]+)\.example\.net$;
    root /home/$user/webapps/;

    location ~ ^\/(?P<app>[\w-_]+)(\/.*)?$ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unix:/home/$user/webapps/$app/run/gunicorn.sock:/;
    }
}

I read this and that and here but none of them cover proxy_pass through unix socket.

I want to inject "project name" to every link on a web page.

Example: link and site http://localhost/osqa/ is working, but when I'm on the osqa page, all links are directing to localhost directly http://localhost/account/signin/ - are broken ...

so i want to rewrite/redirect all links to point to project name location, like http://localhost/osqa/account/signin/

Is it possible, if yes then how to do it? Right now I'm learning about rewrite and try_files.

This is my project tree structure, project names are (osqa, forum, other_project, another_project):

/home/user/webapps/
├── osqa
│   ├── osqa
│   ├── media
│   └── static
├── forum
│   ├── forum
│   ├── media
│   └── static
├── other_project
│   ├── other_project
│   ├── media
│   └── static
└── another_project
    ├── another_project
    ├── media
    └── static

This is my nginx config:

server {
    listen 8080;
    server_name localhost;
    root /home/user/webapps/;

location ~ ^\/(?P<app>[\w-_]+)(/.*)?$ {
    alias /home/user/webapps/$app/;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unix:/home/user/webapps/$app/run/gunicorn.sock:/;
    }
}

I was changing root path and rewriting uri but without success, yet.

Creating regex captures for multiple locations.

Tree structure:

/home/user/webapps/
├── index.html           <= content: root.
├── osqa
│   ├── index.html       <= content: osqa test A.
│   ├── osqa             <= django project
│   │   ├── index.html   <= content: osqa test B.
│   │   └── osqa
│   │       ├── settings.py
│   │       └── wsgi.py
│   ├── run
│   └── static
└── forum
    ├── index.html       <= content: forum test A.
    ├── forum            <= django project
    │   ├── index.html   <= content: forum test B.
    │   └── forum
    │       ├── settings.py
    │       └── wsgi.py
    ├── run
    └── static

This nginx config is working:

server {
    listen 8080;
    server_name localhost;
    root /home/user/webapps/;
    location /osqa/ {
        alias /home/user/webapps/osqa/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass h ttp://unix:/home/user/webapps/osqa/run/gunicorn.sock:/;
    }
    location /forum/ {
        alias /home/user/webapps/forum/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass h ttp://unix:/home/user/webapps/forum/run/gunicorn.sock:/;
    }

trying to join those locations into one PCRE regex

    location ~ webapps\/(?P<app>[\w-_]+) {
        alias /home/user/webapps/$app/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass h ttp://unix:/home/user/webapps/$app/run/gunicorn.sock:/;
    }

what i get:

localhost:8080/osqa/osqa/
returns: osqa test B
localhost:8080/osqa/
returns: 403 Forbidden
localhost:8080
returns: osqa test A

what i expected:

localhost:8080/osqa/osqa/
returns: osqa test B
localhost:8080/osqa/
returns: django site
localhost:8080
returns: root

I read about user dir, location, SF post and still can't figure out how to do it.

What should i add or change, where should i look ? (I'm almost out of ideas)