weeheavy's questions

I got the following setup:

Internet => nginx[public:80 +443, SSL termination)
=> Varnish[localhost:81] => Apache[localhost:82]

Now some sites should only be reachable via HTTPS and a valid SSL certificate. For these few exceptions I'd like to activate HSTS, either on nginx (preferred, or on Apache).

The problem:

• On nginx, I'd need some logic à la if Host = foo.tld then set Strict-Transport-Security xxx, but according to http://wiki.nginx.org/IfIsEvil one should not use if in a location
• On Apache, I'd need something like if X-Forwarded-Proto 443 set Strict-Transport-Security xxx, but I don't seem to be able to construct this with SetEnvIf (Apache 2.2)

Is my logic flawed? Another idea for an approach?

This is the configuration currently active:

nginx

server {
        server_tokens off;

        listen xx.xx.xxx.xxx:80;
        server_name localhost;

        location / {
                proxy_pass http://127.0.0.1:81;
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port 80;
                proxy_set_header Host $host;
                add_header X-XSS-Protection "1; mode=block";
        }
}

server {
        server_tokens off;

        listen xx.xx.xxx.xxx:443 ssl;
        server_name localhost;

        ssl on;
        ssl_certificate /etc/ssl/foo.crt;
        ssl_certificate_key /etc/ssl/private/foo.key;

        ssl_session_timeout 10m;

        # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        location / {
                proxy_pass http://127.0.0.1:81;
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port 443;
                proxy_set_header Host $host;
                add_header X-XSS-Protection "1; mode=block";
        }
}

Varnish

No special configuration.

Apache

<VirtualHost *:82>
[...] nothing special
</VirtualHost>

So my lighttpd was running fine for more than a year. Two days ago I decided to install Wordpress 3.0.1 (PHP was already in use by other tools).

So after some hours of very few hits (i might get 10 unique visitors per day at max), the system almost hangs with a load of 25-35, lighttpd eating all CPU and RAM (see top at the end of the post).

I read of similar problems, but none seemed to be exactly what occurs here. The "solutions" on the web were like installing a Wordpress Caching Plugin, which i did (W3 Total Cache). As the problem didn't occur during the night, I thought that was the problem. But right now the machine is totally overloaded, even OOM Killer is kicking in.

A lighttpd restart helps, but that's not a real solution.

System specs:

• Intel Celeron2Duo 2.2GHz
• 4GB RAM
• Debian Lenny 5.0.6
• Kernel: 2.6.26-2-amd64
• lighttpd 1.4.19
• MySQL 5.0.51a
• PHP 5.2.6-1+lenny

Changing the hardware is no option, as it's a home server made for low power consumption. Ideas? Thanks in advance.

top - 10:34:04 up 19:03,  1 user,  load average: 25.98, 22.97, 12.51
Tasks: 155 total,  15 running, 140 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.5%us, 95.6%sy,  0.0%ni,  0.0%id,  3.6%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   4062488k total,  4039436k used,    23052k free,      264k buffers
Swap:   979956k total,   979956k used,        0k free,     3012k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                     
 3648 debian-t  20   0  136m 6972  116 R    7  0.2  30:48.27 transmission-da                              
 2569 root      20   0  196m  900  108 S    5  0.0   4:51.94 rsyslogd                                     
  316 munin     20   0 30592  548  136 D    4  0.0   0:04.68 sendmail                                     
 3377 root      20   0 66292 6864  208 D    4  0.2   2:01.44 python                                       
 3188 www-data  20   0 4074m 3.1g  124 R    4 81.2  12:20.23 lighttpd

Edit: I installed a temporary restart script as suggested by LatinSuD. So probably tomorrow I can tell details about the interval of that issue.

Goal: join a Solaris 10 machine to an existing Active Directory.

Steps I did:

1. Installed software (Samba 3.4.2 from http://www.sunfreeware.com)
2. Received a Kerberos ticket with kinit [email protected]
3. Join domain: net ads join -U admin-user
4. Start Samba and winbind

All steps are ok, checked this with klist, net getdomainsid , wbinfo -g and wbinfo -u.

Now the problem: getent passwd EXAMPLE+username returns nothing at all (on another Solaris 10 machine this works). Everytime I request somehing from AD, this shows up in log.winbind:

[2010/09/07 10:51:41,  0] winbindd/winbindd.c:750(request_len_recv)
  request_len_recv: Invalid request size received: 2088 (expected 2096)

According to google, I should ensure the version of libnss_winbind.so running does match the version of winbind that is running.

But how do I do that?

I configured Nagios to receive passive service checks via SNMP traps from SUN remote management boards (ILOM/ALOM in their slang).

This works great for ILOM-based SUN servers, but i couldn't find out if ALOM systems support sending SNMP traps. I know ALOM systems with CMT can.

Did anyone already do this or has experience with it?

I'd like to authenticate FTP clients either via username+password or a client certificate. Only FTPS is allowed.

User/password works, but while testing with curl (I don't have another option) and a client certificate, I need to pass a user. Isn't it technically possible to authenticate only by providing a certificate?

vsftpd.conf

passwd_chroot_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=usrlocal/ssl/certs/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES

Tested with curl -v -k -E client-crt.pem --ftp-ssl-reqd ftp://server:21/testfile the output is:

* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> USER anonymous
< 530 Anonymous sessions may not use encryption.
* Access denied: 530
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (67) Access denied: 530

This is theoretically ok, as i forbid anonymous access. If I specify a user with -u username:pass it works, but it would without a certificate too.

The client certificate seems to be ok, it looks like this:

client-crt.pem

-----BEGIN RSA PRIVATE KEY-----
content
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----

What am I missing? Thanks in advance. (The OS is Solaris 10 SPARC).

Say I'd like to restrict access to a virtual host to multiple IP ranges. How to do that? The Perl regex syntax style doesn't work, and i don't want loose restrictions like *10.**

The code below works for a single range:

$HTTP["host"] == "adm.example.org" {
    $HTTP["remoteip"] != "10.0.0.0/28" {
            url.access-deny = ( "" )
        }
}

Thanks in advance.