boris quiroz's questions

The error reporting of one of my services reported problems to connect to my MySQL server. This problems were not consistent, it just happened a few times to different servers.

I started debugging using strace and noticed that MySQL is reading both /etc/hosts.allow and /etc/hosts.deny every time it tries to open a new connection:

read(127, "# /etc/hosts.allow: list of hosts that are allowed to access the system.\n#                   See the manual pages hosts_access(5) and hosts_options(5).\n#\n# Example:    ALL: LOCAL @some_netgroup\n#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu\n#\n# If you're going to protect the portmapper use the name \"portmap\" for the\n# daemon name. Remember that you can only use the keyword \"ALL\" and IP\n# addresses (NOT host or domain names) for the portmapper, as well as for\n# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)\n# for further information.\n#\n\n", 4096) = 580
read(127, "", 4096)                     = 0
close(127)                              = 0
munmap(0x7f94533f9000, 4096)            = 0
open("/etc/hosts.deny", O_RDONLY)       = 127
fstat(127, {st_mode=S_IFREG|0644, st_size=880, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f94533f9000
read(127, "# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.\n#                  See the manual pages hosts_access(5) and hosts_options(5).\n#\n# Example:    ALL: some.host.name, .some.domain\n#             ALL EXCEPT in.fingerd: other.host.name, .other.domain\n#\n# If you're going to protect the portmapper use the name \"portmap\" for the\n# daemon name. Remember that you can only use the keyword \"ALL\" and IP\n# addresses (NOT host or domain names) for the portmapper, as well as for\n# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)\n# for further information.\n#\n# The PARANOID wildcard matches any host whose name does not match its\n# address.\n#\n# You may wish to enable this to ensure any programs that don't\n# validate looked up hostnames still leave understandable logs. In past\n# versions of Debian this has been the default.\n# ALL: PARANOID\n\n", 4096) = 880
read(127, "", 4096)                     = 0
close(127)                              = 0
[...]
getpeername(127, {sa_family=AF_INET, sin_port=htons(33362), sin_addr=inet_addr("10.2.3.19")}, [16]) = 0
getsockname(127, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("10.2.2.9")}, [16]) = 0

I guess this is the expected behaviour, but I want to know if is there any way I can bypass the read of those files? I think just adding the ip address to the /etc/hosts.allow will do it (as the IP will be matched from that file and the deny wont be read)...

I was wondering if is there any way to track different HTTP codes that HAProxy send to clients.

For example, have a log with just a list of different status codes:

200
200
302
404
499
500

Having that, I can graph it with rrdtool or something else.

I've the following problem with Nginx and GeoIP and will be nice if you can give me some pointers about the solution.

Note: I know this can be solved on DNS side, but that won't be possible by now so I'm looking for other solution.

The problem
My www.domain.com has 1.1.1.1 IP address located in Amazon running Nginx with a redirect like this:

location / {
proxy_pass http://2.2.2.2
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

On 2.2.2.2 there's another nginx using geoIP. The problem is that all my clients seems to come from 1.1.1.1, as 2nd nginx is geolocating by $remote_addr.

Is there any way to catch real client IP ($remote_addr on 1.1.1.1) and pass it as a different variable to 2.2.2.2 and use it on geolocalization?

Any tip, comment or RTFM is welcome. I'll keep looking for a solution to try to answer this question.

Thanks.

Just moved from Amazon to Joyent (doesn't matter why) and setting up my Chef Server I found following problem:

As you may know, Chef sets the IP address according to the route table. So in my case, the IP informed from the client to the server is my public IP.

I've a recipe to dynamically write the /etc/hosts file, using the IP and FQDN informed from the client. The problem, is that I need to use the private IP so all traffic reach a local machine will be, in fact, local.

I tried using node['network']['ipaddress_eth1'] on hosts.erb template file, but is not working.

What cloud I be missing? Is there any other way to write my hosts file using my private IP?

Thanks

Update

There's actually a way to find what I'm looking for, using shef:

chef > asdf = node['network']['interfaces']['eth1']['addresses'].keys.select { |a| a[/\A\d+\.\d+\.\d+\.\d+\Z/] }.first

This will return the IP address on my eth1.

I've, more or less, following configuration on AWS:

Elastic load balancer with 3 machines o 3 different availability zones. My security group allows 0.0.0.0/0:80 as it's my rails application (nginx, unicorn).

I was wondering if there's any way to deny access to my app to an specific public ip address? I've been reading AWS documentation, but as SG's are "deny all" there's no way to deny just one specific IP address.

Any ideas? iptables on the 3 machines behind load balancer?

Thanks!