dzhi's questions

I'm trying to achieve rootless PHP-FPM pod running in Kubernetes.

I tried simply running process in Kubernetes pod via init script that does php-fpm -FO as www-data user but it complaints about not having permissions to access /dev/stderr (log output location). Adding www-data user to the tty group also didn't help.

I tried specifying another location like /proc/self/fd/2 and even /dev/pts/1 as log location but to no avail.

Funny thing is, when I run docker run -itd app:latest su -l www-data -s /bin/sh -c php-fpm -FO &, basically the same startup command via Docker directly, it starts and works just fine.

I don't have any securityContext configured in Kubernetes that could affect process from starting normally.

Any suggestions/ideas to try?

I'd like to be able to mount my backup server on-demand by using my keys on my client terminal only as I don't leave my SSH keys on servers I manage. Does SSHFS support ssh-gent forwarding and how?

Didn't find answers to that in the documentation.

Thanks in advance!

I have Ubuntu server with Docker to serve MySQL and SSH/SFTP and I need all ports except 3306 and 22 to be firewalled, pretty standard and trivial requirement, right?

Now, I managed to find a sort of solution but it doesn't work fully for me as after applying it, either:

1. I can't access any of the mentioned services (by default)
2. I can't access the internet from within containers (if I put iptables: false in Docker's daemon.json config file)

I tried a number of other search results but they're mostly so complex that I don't understand what they're doing or they're heavily scripted making me, an iptables layman, an impossible task to take something from it.

Proposed solution looks rather simple and easy to comprehend but entire Docker networking complexity makes it much harder to debug.

Can someone please share their working iptables rules for Docker hosts or at least guide me in right direction?

I use docker-compose to launch services and this is my yaml:

version: '3.7'

services:
  mysql:
    container_name: 'mysql'
    image: mysql:8.0.13
    command: --default-authentication-plugin=mysql_native_password
    user: 1000:1000
    ports:
      - "3306:3306"
    volumes:
      - ./data:/var/lib/mysql
      - ./config/custom.cnf:/etc/mysql/conf.d/custom.cnf
    networks:
      - database
    restart: always

networks:
  database:
    driver: bridge

Edit: What I found is that allowing Docker to manage iptables rules is recommended and less demanding, at least in a long term and its okay to let Docker open required ports even though I didn't do that in a way I prefer, its still valid. What I want at this point is to find out is it possible to use iptables to block the ports opened by Docker and how (via mangle prerouting perhaps?). Any suggestions? Thanks a ton!

Requirement: I want to use NFS share as persistent volume and update deployment by performing rolling updates (GKE).

Problem: Persistent disk, volume and NFS share exist and are bound/mounted but when the app code is modified, pushed and built as an image, performing rolling update doesn't update the code.

• Any ideas why?
• Is this recommended update strategy or you'd suggest doing it otherwise?

(note that using persistent volume is hard requirement.)

Thanks in advance!

Just set up an ElasticSearch container to use with company's Laravel app. Creating docker-compose.yml and running it is flawless and straight-forward but the issue occurs when I want to firewall this thing so that it's only accessible from one, specific IP of the mentioned Laravel app.

While researching I noticed that plenty of people are having these issues where traffic to port forwarded by Docker gets completely exposed to the public and that they're unable to firewall it properly.

I found several solutions in last 6 hours of which none were working. I assume this has something to do with the way Docker processes/forwards the inbound traffic and my iptables knowledge isn't so vast so that I could understand what's happening on my own.

This is my docker-compose.yml (for what it's worth):

version: '3.4'

services:

  elasticsearch:
    image: khezen/elasticsearch:6.1.1
    container_name: elasticsearch

    environment:
      NETWORK_HOST: 0.0.0.0
      HOSTS: 127.0.0.1
      CLUSTER_NAME: fd-es
      NODE_NAME: node-1
      HEAP_SIZE: 31g
      HTTP_SSL: "true"
      ELASTIC_PWD: "somepasswd"
      HTTP_CORS_ENABLE: "true"
      HTTP_CORS_ALLOW_ORIGIN: /https?:\/\/localhost(:[0-9]+)?/

    ulimits:
      memlock:
       soft: -1
       hard: -1

    volumes:
      - ./config/elasticsearch.yml:/elasticsearch/config/elasticsearch.yml
      - ./data:/elasticsearch/data
      - ./logs:/elasticsearch/logs

    ports:
      - 9200:9200

    networks:
      - es-network

    restart: always

networks:
  es-network:
    driver: bridge

These are my currently used iptables rules which are to some degree what I want but all traffic to port 9200 from any client is still let through instead of being accessible only from my app:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [779:162776]
:DOCKER - [0:0]
-A DOCKER -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -o docker0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -p tcp --dport 9200 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44344 -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j DROP

I tried disabling Docker's iptables support and disabling bridge networking and tweaked iptables rules couple of dozen of times but to no avail.

I'd appreciate any suggestion and help to make this happen because I'm out of ideas and search results for this problem.

Thanks in advance!

I'm trying to filter out multiple directories from URL with Nginx but to no avail. All instructions I saw on web are only relevant when only one directory is to be removed but nobody shows instructions for multiple.

This is the URL:

https://www.domain.com/pages/l/something.html

What I want is:

https://www.domain.com/something.html

Note the removed /pages/l/ segment.

Also, I need URL rewritten and 301 (permanent) redirected so no SEO is harmed.

How do I achieve this?

I'm setting up a webserver for WordPress.

WordPress requires it's stuff to be owned by www user or it has problems installing plugins and themes (asks for server FTP credentials, it's stupid, I know).

This wouldn't be a problem, but I want to give one ssh user an empty WWW directory so they could download/unpack/setup WordPress themselves (hands off method).

After they download and unpack WordPress archive, all files are owned by that particular user and they have issues managing plugins/themes installation or updates for already mentioned reasons.

What would be the most convenient and safe way of achieving the both goals, letting user to feel like at home and have fully working WordPress install?

Seems setfacl could be the decent solution, to make all new stuff under one directory inherit permissions I set.

Could anyone offer hint or suggestion on how to achieve what I'm trying to or even guide me in other direction?

I'm using Nginx with PHP-FPM.

Thanks!

I have a domain.co and just bought domain.com and want to use SSL on it.

Having in mind this H5BP apache config for HTTP to HTTPS redirect:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

Once in place, will it automatically start redirecting all HTTP pages from domain.co to HTTPS pages on domain.com or I have to modify rule to something like this or similar?

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://domain.com/$1 [R=301,L]
</IfModule>

I run Apache 2.4 and PHP-FPM via ProxyPassmatch in httpd.conf, not vhost (for what it's worth):

ProxyPassMatch ^/(.*\.php)$ unix:/var/run/php-fpm.sock|fcgi://127.0.0.1/home/user/www

I wanted to create a subdomain to run a CMS on but quickly I figured out that PHP files aren't being processed on that subdomain probably due to my lack of understanding how to set it up.

I'm not sure whether I need to create a vhost with separate ProxyPassMatch directive or default one above will work.

httpd.conf:

ServerRoot "/usr/local"
Listen 192.168.1.2:80

LoadModule authn_file_module libexec/apache24/mod_authn_file.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
LoadModule filter_module libexec/apache24/mod_filter.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule env_module libexec/apache24/mod_env.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
LoadModule actions_module libexec/apache24/mod_actions.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>

User www
Group www

</IfModule>

ServerAdmin [email protected]
ServerName 192.168.1.2:80

<Directory />

    AllowOverride none
    Require all denied

</Directory>

DocumentRoot "/home/user/www"

<Directory "/home/user/www">

    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted

</Directory>

<IfModule dir_module>

    DirectoryIndex index.html index.php

</IfModule>

<Files ".ht*">

    Require all denied

</Files>

ErrorLog "/var/log/apache/error.log"

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "/var/log/apache/access.log" combined

</IfModule>

<IfModule alias_module>

    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<Directory "/usr/local/www/apache24/cgi-bin">

    AllowOverride None
    Options None
    Require all denied

</Directory>

<IfModule mime_module>

    TypesConfig etc/apache24/mime.types
    AddType application/x-compress .Z

</IfModule>

EnableMMAP On

Include etc/apache24/extra/httpd-mpm.conf
Include etc/apache24/extra/httpd-default.conf
Include etc/apache24/extra/h5bp.conf
Include etc/apache24/Includes/*.conf

ProxyPassMatch ^/(.*\.php)$ unix:/var/run/php-fpm.sock|fcgi://127.0.0.1/home/user/www

subdomain vhost:

<VirtualHost *:80>

    DocumentRoot "/home/user/www/xxx"
    ServerName xxx.domain.com
    DirectoryIndex index.php 

<Directory "/home/user/www/xxx">

    AllowOverride FileInfo
    Require all granted

</Directory>

</VirtualHost>

default php-fpm pool:

[global]
pid = run/php-fpm.pid
error_log = log/php/error.log

[www]
user = user
group = user

listen = /var/run/php-fpm.sock
listen.owner = user
listen.group = user
listen.mode = 0660

listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

access.log = /var/log/php/access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

chdir = /home/user/www

catch_workers_output = yes

security.limit_extensions = .php
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

In Cloudflare I set up a CNAME record pointing to xxx.domain.com:

All I get in browser is:

"File not found"

and in logs:

[proxy_fcgi:error] [pid 44810] [client xxx.xx.x.xxx] AH01071: Got error 'Primary script unknown\n'

I would appreciate a hint/push in right direction.

Thanks

Just set up a dedicated database jail running databases/mariadb55-server and for some reason it won't start on demand nor on boot.

Any suggestions?

# service mysql-server start
Starting mysql.
/usr/sbin/daemon: Permission denied
/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysql

Not sure what permissions this error is referring to.

My environment:

# env
USER=root
LOGNAME=root
HOME=/root
SHELL=/bin/csh
BLOCKSIZE=K
MAIL=/var/mail/root
MM_CHARSET=UTF-8
LANG=en_US.UTF-8
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
TERM=screen-256color
HOSTTYPE=FreeBSD
VENDOR=amd
OSTYPE=FreeBSD
MACHTYPE=x86_64
SHLVL=1
PWD=/var/db
GROUP=wheel
HOST=db

Another question is, why mariadb55-server doesn't respect the /usr/local/etc/my.cnf rather uses /var/db/mysql/something ?

Just set up a FreeBSD jail to run httpd in it and all works good except these two, rewrite/proxy modules.

These are error logs excerpts:

mod_rewrite error:

[rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite: could not init rewrite_mapr_lock_acquire in child

mod_proxy error:

[proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init proxy_mutex in child

Not sure permissions of what are being denied as html in document root is being served just fine when these modules are disabled.

I tried googling but found nothing but rubbish.

Seems I just can't nail the right rc.conf configuration for IPv6 on my FreeBSD 10 VPS. I'd like to go completely IPv6 and tutorials/instructions i followed aren't really working for me somehow.

It's just a basic, minimalistic web server VPS with one NIC.

/etc/rc.conf

ifconfig_vtnet0_ipv6="inet6 2a00:f48:1024:feed:b00b:feed:b3c9:c7c9 prefixlen 64"
ipv6_defaultrouter="2a00:f48:1024:feed::1"
rtsold_enable="YES"
ip6addrctl_policy="ipv6_prefer"

/etc/resolv.conf

nameserver 2001:4860:4860:8888
nameserver 2001:4860:4860:8844

Is that the right defaultrouter field value? It would help if somebody suggested changes or shown their configs.

I run 10.0-RELEASE on my server and I'm wondering something.

If I do buildworld with official source from svn, will i be able to use freebsd-update to upgrade in the future or I have to settle with one of those two methods (binary or src) of upgrading?

Thanks

I just set up VPS to run Apache with php5-fpm which is set to run every user pool as user:user.

Reason for this is simply to allow users to actually own their own files created by various CMS scripts instead of them being owned by www-data. Such content couldn't be altered/deleted by those users.

php5-fpm seems to solve this issue for me.

What are security implications of such setup if any?

I set up a Debian 6 VPS to host couple of small sites and it works beautifully for default one.

Next i created new user and copy/paste default vhost file and enabled it with a2ensite and only adjusted paths accordingly for that new user but for some reason PHP files aren't parsed and only their source is displayed.

So, recap: identical vhost settings, PHP module enabled, short tags on (but not used)

To make it clear: I search and found bunch of "solutions" here and on the web elsewhere but none of those seemed to work for me.

Just noticed this string in logs :

PHP Fatal error:  Unknown: Failed opening required '/home/tester/public_html/index.php' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0

[Thu Mar 21 20:28:55 2013] [error] [client xxx.xxx.xxx.xxx] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/tester/public_html/index.php) is not within the allowed path(s): (/home/user/public_html:/tmp) in Unknown on line 0

And this is my default vhost file content:

<VirtualHost *:80>

        ServerAdmin [email protected]
        ServerName domain.com
        ServerAlias www.domain.com
        DocumentRoot /home/user/public_html/
        ErrorLog /home/user/logs/error.log
        CustomLog /home/user/logs/access.log combined

        <Directory "/home/user/public_html">
        AllowOverride All
                php_admin_flag engine on
                php_admin_value open_basedir "/home/user/public_html:/tmp"
        </Directory>

</VirtualHost>

Could PHP's open_basedir be the culprit of this issue?

I'd like Apache index pages to show my company banner w/ link to homepage on top.

Instead of:

Index of /pub/something

to show

[Company Banner]
Index of /pub/something

I added these lines to .htaccess:

HeaderName HEADER.html 
ReadmeName README.html 

and edited HEADER.html to include banner with link but that banner is only shown to /pub and not /pub/dir pages.

THis is what i currently have in .htaccess:

Options +Indexes
HeaderName HEADER.html
ReadmeName README.html

hese's the my htaccess template, i wonder if anything could be added to increase website performance..

# Defaults
AddDefaultCharset UTF-8
DefaultLanguage en-US
ServerSignature Off
FileETag None
Header unset ETag
Options -MultiViews
#Options All -Indexes


# Force the latest IE version or ChromeFrame
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
BrowserMatch MSIE ie
Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie
</IfModule>
</IfModule>


# Proxy X-UA Setup
<IfModule mod_headers.c>
Header append Vary User-Agent
</IfModule>


#Rewrites
Options +FollowSymlinks
RewriteEngine On
RewriteBase /


# Redirect to non-WWW
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# Redirect to WWW
RewriteCond %{HTTP_HOST} ^domain.com
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]

# Redirect index to root
RewriteRule ^(.*)index\.(php|html)$ /$1 [R=301,L]


# Caching
ExpiresActive On
ExpiresDefault A0
Header set Cache-Control "public"

# 1 Year Long Cache
<FilesMatch "\.(flv|fla|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|png|jpg|jpeg|gif|swf|js|css|ttf|eot|woff|svg|svgz)$">
ExpiresDefault A31622400
</FilesMatch>

# Proxy Caching
<FilesMatch "\.(css|js|png)$">
ExpiresDefault A31622400
Header set Cache-Control "private"
</FilesMatch>


# Protect against DOS attacks by limiting file upload size
LimitRequestBody 10240000


# Proper SVG serving
AddType image/svg+xml svg svgz 
AddEncoding gzip svgz


# GZip Compression
<IfModule mod_deflate.c>
<FilesMatch "\.(php|html|css|js|xml|txt|ttf|otf|eot|svg)$" >
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>


# Error page
ErrorDocument 404 /404.html


# Deny access to sensitive files
<FilesMatch "\.(htaccess|ini|log|psd)$">
Order Allow,Deny
Deny from all
</FilesMatch>

How to enable either Gzip or Deflate compression via .htaccess and which one is best these days? Code examples needed.