CSchulz's questions

I am trying to configure my apache that it is delivering all certificates files to get always a positive validation.
To be clear there is no issue with any browsers, I am talking about openssl s_client and curl.

Running for example openssl s_client gives the following output:

CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/CN=xxx
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
...
subject=/C=DE/CN=xxx
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4602 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: C45A306052F9815DF5ED7CDC7B6AD21FE4E54AC47A7B51BF3BF433748DECB318
    Session-ID-ctx:
    Master-Key: 8396742DE006FC8CEAEDE280B2CD839D0575D1FAD51498C855825BED82D484CC28F8F1D9F549512F08182FCD3BFF3FCD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 67 85 0d a9 99 68 b2 cc-d6 fb a6 8f ee ba 67 4f   g....h........gO
    0010 - 09 c1 e9 a3 1d 3e a0 49-96 54 7f df cf 0d fb ef   .....>.I.T......
    0020 - 57 3c c3 b4 8b e2 d9 b2-c1 92 db c7 c1 0c 3f 4b   W<............?K
    0030 - 1c 3b 14 f4 bf 8d 94 09-7f 00 f7 20 9a 2b 6f f0   .;......... .+o.
    0040 - 34 48 d2 68 a5 e5 a0 58-3c 84 8b aa 3b 9a 27 27   4H.h...X<...;.''
    0050 - 16 4b cd 3d cb 74 40 b8-08 96 a4 95 52 86 f4 aa   [email protected]...
    0060 - d9 38 fb 9f 3f fc a8 ab-b9 c9 72 20 cd 3c 75 06   .8..?.....r .<u.
    0070 - 2e b6 81 df bb e1 a6 b7-f4 bb 52 e1 8c ba 20 42   ..........R... B
    0080 - e5 db 5c 48 cd 30 d6 f2-23 24 c6 be 6c 23 09 fa   ..\H.0..#$..l#..
    0090 - 9a cf 44 78 13 e7 f6 3e-7d c1 4e e3 1f 81 08 46   ..Dx...>}.N....F
    00a0 - 49 3c 0e 80 00 d4 f5 f1-ad 95 99 9d 6f 33 e9 62   I<..........o3.b
    00b0 - b2 82 14 a2 5d 82 95 49-88 8c 54 e2 d4 64 a6 1d   ....]..I..T..d..
    00c0 - e0 0f 75 88 57 ec 9a 81-41 0c 7b 71 81 8a 93 34   ..u.W...A.{q...4

    Start Time: 1411561048
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

My apache configuration looks like:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/....cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/....key.pem
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

I also tried to use the ca-bundle.pem as SSLCertificateChainFile and/or SSLCACertificateFile.
Second results in 19 (self signed certificate in certificate chain).

How can I configure apache to deliver the "right" CA file to get around installing the CA cert on the client?

What is wrong?

Thanks for any hints.

I need to resync my RAID and noticed that it isn't a big consumer.
I have booted my system with the Rescue CD and started the resync.

Looking at top it seems that the processes doesn't take much resources.

Can I force the mdadm to use ALL resources for the resync?

cat /sys/block/md0/md/sync_speed_m*
200000 (system)
50000 (system)

I have noticed that more and more people using the DNS based SPF records and I want to enhance my spam filter.
I am using SPF and greylisting after each other and my idea would be to use only greylisting if SPF fails or similar.

I have searched the internet for a soluation, but it seems that most people only wish a new feature for example for sqlgrey doing it, which is being declined by the author, because it isn't the main task of a greylisting tool.

Has anyone such filter chain running and can help me out?
Thanks in advance.

I have found How can I chroot ssh connections? and a lot of different blog articles and similar (http://undeadly.org/cgi?action=article&sid=20080220110039, https://unix.stackexchange.com/q/14398/57364, etc). I am using the internal sftp subsystem like described in the articles.

Subsystem     sftp   internal-sftp

Match Group www-data
  ChrootDirectory %h
  AllowTcpForwarding no

I can connect and authenticate with the server, but the SSH session is instantly closed.

Here is a part of the auth.log:

Feb 18 23:36:21 w sshd[358]: Accepted publickey for network from xxx port 50280 ssh2
Feb 18 23:36:21 w sshd[358]: debug1: monitor_read_log: child log fd closed
Feb 18 23:36:21 w sshd[358]: debug1: monitor_child_preauth: network has been authenticated by privileged process
Feb 18 23:36:21 w sshd[358]: debug1: PAM: establishing credentials
Feb 18 23:36:21 w sshd[358]: pam_unix(sshd:session): session opened for user network by (uid=0)
Feb 18 23:36:21 w sshd[358]: User child is on pid 363
Feb 18 23:36:21 w sshd[363]: debug1: SELinux support disabled
Feb 18 23:36:21 w sshd[363]: debug1: PAM: establishing credentials
Feb 18 23:36:21 w sshd[358]: debug1: session_new: session 0
Feb 18 23:36:21 w sshd[358]: debug1: SELinux support disabled
Feb 18 23:36:21 w sshd[358]: debug1: session_by_tty: session 0 tty /dev/pts/1
Feb 18 23:36:21 w sshd[358]: debug1: session_pty_cleanup: session 0 release /dev/pts/1
Feb 18 23:36:21 w sshd[358]: debug1: PAM: cleanup
Feb 18 23:36:21 w sshd[358]: debug1: PAM: closing session
Feb 18 23:36:21 w sshd[358]: pam_unix(sshd:session): session closed for user network
Feb 18 23:36:21 w sshd[358]: debug1: PAM: deleting credentials

What is wrong?

EDIT:
I got following message on the client side:

/bin/bash: No such file or directory

I don't understand why it is a problem.
I thought with the "new" version of OpenSSH the copy part is past?

I am trying to use the rewrite engine of nginx to redirect requests.
On the same machine I have a Jetty running on port 8080, which is delivering some content.

I want to check if the content is available on Jetty otherwise I want to redirect it.
For that I have to locations added, one is used for the redirect on the Jetty and the other should check it.

location /nexus/ {
    rewrite ^/nexus/(.*)$ http://A:8080/nexus/$1 permanent;
}

location ~* "^/releases/([a-z]*)/(.*)$" {
    try_files /nexus/content/repositories nexus/content/repositories /nexus/content/;
    # rewrite ^/releases/test/(.*)$ http://A:8080/nexus/content/repositories/Test/$2 break;
}

My idea was to use try_files, but the first parameters should be files or directories.
Is there any other method to test if an URL is accessible?

At the moment I am using Nginx for checking the reachable of the URL, perhaps I can better use Jetty, which is in front of Nexus.
Nginx was just a choice and if there are better possibilities, I am willing to switch. :)

Here some details about the environment:

I want to create a local copy of a remote repo. This shall be done, because we are running some tools which are using the repo very often and we want to prevent wasting bandwidth.
There are no writing processes on the local copy. It should be updated before the tools are being started.

My first idea was to use svnsync, but we can't use it. I read some tutorials about it and it needs a configuration on master side. On the one side it is not possible to do that on the other side there is no possibility to allow incoming transmissions. The master triggers the sync of the slave if I am right
svnadmin hotcopy works only on file base.

It is not possible to switch to git, because I am using statsvn for some statistics.

The remote repo is reachable over HTTPS. Is there any possibility to create a copy of it?

Thanks for any hints.

I am trying to use two different isp connections to load balance the request. I have tried it with ip route:

ip route replace default scope global nexthop dev ppp0 weight 1 nexthop dev ppp1 weight 1

But it doesn't work well. Nearly all requests timed out.

I am using squid 2.7. Is there any other possibility to use that?

I have an apache2 server with active mod-wsgi, but I can't get the environment variable PYTHON_EGG_CACHE.
Here the important lines out of my virtualhost.conf:

    DAV svn
    SVNParentPath /var/svn
    SVNListParentPath Off

    WSGIProcessGroup sites
    WSGIApplicationGroup %{GLOBAL}
    SetEnv PYTHON_EGG_CACHE /var/trac/eggs

    AuthType Basic
    AuthName "Restricted SVN"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /var/trac/cgi-bin/acctmgr_auth.wsgi
    Require valid-user

And here the acctmgr_auth.wsgi:

import os, sys
os.environ['PYTHON_EGG_CACHE'] = PYTHON_EGG_CACHE

from trac.env import open_environment, Environment

acct_mgr = None

def check_password(environ, user, password):
    global acct_mgr

    # Try loading the env from the global cache, addit it if needed
    environ['PYTHON_EGG_CACHE']
    env = open_environment(environ['trac.env_path'], use_cache=True)

    if acct_mgr is None:
        from acct_mgr.api import AccountManager
        acct_mgr = AccountManager

    if acct_mgr(env).check_password(user, password):
        return True
    else:
        return False

def groups_for_user(environ, user):
    return ['']

The single environ['PYTHON_EGG_CACHE'] is just a test, but I get a

KeyError: 'PYTHON_EGG_CACHE'

.

I also tried following, but I get the same error as above:

        RewriteCond ${lowercase:%{REQUEST_URI}} ^/svn/([^/]+)
        RewriteRule . - [E=trac.svn_path:/var/trac/envs/%1]

What is wrong?

Thanks for any advices.

EDIT: After some resarch I think I found the problem. The mod_dav is configured for the location /svn and it processes the request immediately, so the rewritecond and rewriterule will be ignored.
Is there any possibility to set environment variables with mod_dav?