Lekensteyn's questions

I would like to make a certain user have a specific source IP address. For this purpose, I added a secondary IP address to the network interface and tried to enforce the source IP using ip6tables and policy routing. Summary:

• All IPv6-traffic gets routed via a IPv4 OpenVPN interface (tap0), the gateway is 2001:db8::1.
• If the user is someuser, the source address must be 2001:db8::3
• Otherwise, the source address is 2001:db8::2.

The default routes and addresses are set up as follows:

ip -6 addr add 2001:db8::2/112 dev tap0
ip -6 route add default via 2001:db8::1 src 2001:db8::2 dev tap0

For the someuser router, I mark all outgoing packets and attempt to route those packets with a different source address by using a separate routing table. These are set up with:

ip6tables -t mangle -A OUTPUT -m owner --uid-owner someuser -j MARK --set-mark 123
ip -6 rule add fwmark 123 table 1002
ip -6 addr add 2001:db8::3/112 dev tap0
ip -6 route add default via 2001:db8::1 src 2001:db8::3 dev tap0 table 1002

For some reason, all traffic still have the 2001:db8::2 source address. I can see that the ip6tables rule is hit, but the source IP is still wrong. Verified with NFLOG target + Wireshark and with curl ip.appspot.com.

Any ideas what I did wrong?

The M³WAAG DKIM Key Rotation Best Practices document (pdf) recommends a "sufficiently" random DKIM selector name so that it cannot be guessed by browsing the DNS. A literal quotation:

4.3 Key Selector Naming Scheme

Define a naming scheme for the DKIM key selectors that is both meaningful for forensic analysis and is sufficiently random so the keys cannot be easily guessed by browsing the DNS.

NOTE: The selector naming scheme should also be designed to mitigate the risk that attackers can easily predict the names of future selectors and retrieve the associated keys. See Section 5 for a description of the process for publishing keys for future use

This may be relevant for short 512-bit RSA keys, but it does not seem to make sense to me for longer, say 2048-bit, RSA keys. The DNS holds public keys which are not secret and can be discovered by reading just a single signed mail. Security by obscurity with very little security?

Why would a random DKIM selector name be better, when would it make sense to follow their recommendation?

In order to not pass garbage to the back-end, I have a strict regex for a location directive. It looks like this:

location ^~ "/(some|stuff|more|bar|etc(-testing)?)/[a-zA-Z0-9]+/...(more|restrict).ext {
    # other directives
}

I would like to fold the line at 80 chars, is there a way to split up the configuration? The following results in a syntax error, but is something I am looking for:

location ^~ "/(some|stuff|more|bar|etc(-testing)?)/[a-zA-Z0-9]+/"\
            "...(more|restrict).ext" {
# results in a literal newline (%0A) being accepted
location ^~ "/(some|stuff|more|bar|etc(-testing)?)/[a-zA-Z0-9]+/
...(more|restrict).ext" {

I could not find hints in the documentation (http://wiki.nginx.org/ConfigNotation nor http://wiki.nginx.org/HttpCoreModule#location mention anything about folding lines)

I have several PHP sites which I want to separate in terms of permissions. Therefore I created a new user and set up a PHP pool for those users. Consider the below configuration:

• PHP-FPM is running as user php
• nginx is running as user nginx
• The webroot is /srv/http, accessible by both php and nginx.
• The file /srv/http/index.php is readable by php, but not readable by nginx.
• The file fastcgi_stuff contains basic fastcgi params for setting headers, setting the backend, etc. Assume that the webroot for static files and PHP files are the same.

The below nginx.conf contains the essentials of this configuration, it is placed in a server directive:

server_name example.com;
root /srv/http;

index index.php;
location ~ \.php$ {
    include fastcgi_stuff;
}

If I request http://example.com/ with the above configuration, the page is loaded as expected. For http://example.com/does.not.exist, I get a 404 as expected.

To prevent passing inexistent files to PHP-FPM, I tried adding one of the below lines:

    try_files $uri =404;
    if ( !-e $request_filename ){ return 404; }

Both do not work as advertised, it tries to open the files instead of checking for existence by doing stat() call. I confirmed this by checking the source code and running strace on a worker process.

This is one basic case I was having trouble with, another case is where I hide the extension and therefore put a try_files $uri.php =404 in the location block. Any suggestions?

In my network, I've some Ubuntu machines which need to download files from nl.archive.ubuntu.com. Since it's quite a waste of time to download everything multiple times, I've setup a squid proxy for caching the data.

Another use for this proxy was rewriting requests for archive.ubuntu.com or *.archive.ubuntu.com to nl.archive.ubuntu.com because this mirror is faster than the US mirrors.

This has worked quite well, but after a recent install of my caching machine, the configuration was lost. I remember having a separate perl program for handling this rewrite.

How do I setup such a squid proxy which rewrites the host *.example.com to www.example.com and cache the result of the latter?

I've setup svnserve with SASL authentication and encryption for encrypting the traffic. Anonymous access should be allowed. My configuration file conf/svnserve.conf (with comments stripped) looks like this:

[general]
anon-access = read
auth-access = write
realm = realm-of-repo

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

The related sasl configuration file:

pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /path/to/sasldb
mech_list: DIGEST-MD5

When supplying an username and password, everything works as expected: I can checkout and make changes. However, anonymous access (no username or password) fails with the next error message:

svn: SASL(-1): generic failure: All-whitespace username.

How do I enable anonymous SVN read access using svnserve and SASL ? I'm not looking for a solution with Apache.

I've managed to setup OpenVPN for full IPv4 connectivity using tap0. Now I want to do the same for IPv6.

Addresses and network setup (note that my real prefix is replaced by 2001:db8):

2001:db8::100:0:0/96    my assigned IPv6 range
2001:db8::100:abc:0/112 OpenVPN IPv6 range
2001:db8::100:abc:1     tap0 (on server) (set as gateway on client)
2001:db8::100:abc:2     tap0 (on client)
2001:db8::1:2:3:4       gateway for server

 Home laptop   (tap0: 2001:db8::100:abc:2/112 gateway 2001:db8::100:abc:1/112)
  |      | |      (running Kubuntu 10.10; OpenVPN 2.1.0-3ubuntu1)
  | wifi | |
   router  |
      |   OpenVPN
  INTERNET |
eth0  |   /tap0
     VPS        (eth0:2001:db8::1:2:3:4/64    gateway 2001:db8::1)
               (tap0: 2001:db8::100:abc:1/112)
                  (running Debian 6; OpenVPN 2.1.3-2)

The server has both native IPv4 and IPv6 connectivity, the client has only IPv4.

I can ping6 to and from my server over OpenVPN, but not to other machines (for example, ipv6.google.com).

net.ipv6.conf.all.forwarding is set to 1, I've tried disabling net.ipv6.conf.all.accept_ra as well, without luck.

Using tcpdump on both the server and client, I can see that packets are actually transferred over tap0 to eth0. The router (2001:db8::1) send a neighbor solicitation for the client (2001:db8::100:abc:2) to eth0 after it receives the ICMP6 echo-request. The server does not respond to that solicitation, which causes the ICMP6 echo-request not be routed to the destination.

How can I make this IPv6 connection work?

NTPd listens on UDP port 123 (all IP addresses), by default. Is this necessary for just updating the server time?

If it's necessary to listen on an address, what single address should be used? The possible addresses it can listen on are:

• 127.0.0.1
• server IP
• ::1 (IPv6)
• server IP (IPv6)

Why does it even have to listen on localhost (127.0.0.1 and ::1)? Nobody can reach the server on that address.

To bind NTPd to a single address, the -I option can be used. For my Debian box, I had to edit /etc/default/ntp, and replace -g by:

-g -I 1.2.3.4 -I 127.0.0.1

This causes NTPd to listen on the public address 1.2.3.4 (replace it by your own) and 127.0.0.1.

I'm running PHP (5.3.3) as an Apache module on a Apache (2.2.17) server.

PHP 5.3.5 is already compiled, can I just run make install to install the new PHP libraries or should the server be stopped before doing that? I'd like to avoid the latter (stopping the server) as there are many requests for static content (not PHP) as well.

Before commenting, I'm pretty sure that the upgrade will not break any PHP scripts.

I'm running a VPS with a webserver (Apache+PHP), a database (MySQL) and smtp server (Exim). OS: Debian Lenny. RAM: 512MB. Using (quota](http://packages.debian.org/lenny/quota).

At the moment, I've /tmp mounted as tmpfs. This is not ideal, as I've only 512MB RAM and thus, /tmp is only 256MB. I've decided to create a 1GB ext3 partition file (or whatever it's called) on /var/tmpdisk. (the decision on using ext3 was made after reading Askubuntu.com: Good filesystem for /tmp?)

For keeping /tmp clean while running, I've found tmpreaper: serverfault.com: Cleanup of /tmp

What would be recommended for quickly wiping /var/tmpdisk, while retaining the quota settings?

Currently, I'm thinking of doing the following on startup (/etc/rc.local?):

1. Check for the existence of /var/tmpdisk. if it does not exist, run dd if=/dev/zero of=/var/tmpdisk bs=1K count=1000000
2. Create the ext3 filesystem in /var/tmpdisk. This was the fastest way for me on clearing the "disk". Command: mkfs.ext3 -F /var/tmpdisk
3. Mount it on /tmp: mount -t ext3 -o loop,rw,nodev,noexec,nosuid,quota /var/tmpdisk /tmp

In this draft, I have not added a way for keeping the quota settings. Any ideas?

Yesterday I did something stupid which I today realised. I ran:

/root# chmod o-rwx * .*

This supposed to remove read, write and execute permissions for the world on all files in the current directory (/root). As soon as I did this, screen behaved weird, I couldn't run commands as a non-root user, and ssh refused to work unless I logged in with root.

This was caused by the fact that bash expanded .* to .. too! Now, how do I chmod all files in a directory with chmod, without using find, a loop or another language like perl?