Home / user-78565

Shadur's questions

Martin Hope
Shadur-don't-feed-the-AI
Asked: 2025-01-22 19:07:16 +0800 CST
  • 5

I'm setting up haproxy to act as intermediary between the internet and a number of services running in an otherwise-isolated k8s cluster.

I've already successfully tested the connection to backend via plain http, but now I'm trying to handle the SSL component on there as well and for some reason no matter what I try I'm getting the following in the logs:

Jan 22 11:10:22 jake haproxy[170526]: 95.214.55.185:34832 [22/Jan/2025:11:10:21.968] xanadu-ingress-front/3: SSL handshake failure (error:0A000076:SSL routines::no suitable signature algorithm)

Trying to troubleshoot via openssl s_client gives me the following (IP addresses and DNS names changed to protect the guilty):

shadur@luminosity:~$ openssl s_client --connect teapot.example.com:443 
Connecting to 1.2.3.4 CONNECTED(00000003)
40E7B2BBBA7F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:../ssl/record/rec_layer_s3.c:907:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

haproxy config file below:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private


        # generated 2025-01-22, Mozilla Guideline v5.7, HAProxy 3.1.2, OpenSSL 3.4.0, intermediate config
        # https://ssl-config.mozilla.org/#server=haproxy&version=3.1.2&config=intermediate&openssl=3.4.0&guideline=5.7
        # intermediate configuration
        ssl-default-bind-curves X25519:prime256v1:secp384r1
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets

        ssl-default-server-curves X25519:prime256v1:secp384r1
        ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
        ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl-dh-param-file /etc/ssl/private/dhparam


defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

crt-store company
  crt-base /etc/ssl/certs/
  key-base /etc/ssl/private/
  load crt "company.com-full.pem" key "company.nl.key" alias "company"
  load crt "company.net-full.pem" key "company.net.key" alias "company.net"

frontend xanadu-ingress-front
  bind 1.2.3.4:80
  bind 1:2:3:4:5:6:7:8:80 transparent
  bind 1.2.3.4:443 ssl crt-list /etc/ssl/crt-lists/company.list alpn h2,http/1.1
  http-request redirect scheme https unless { ssl_fc }
  default_backend xanadu-ingress-back
  option httplog

backend xanadu-ingress-back
  mode http
  server xanadu 172.16.41.80:80 check

I'm fairly sure I'm missing something very simple and obvious but I can't figure out what. Any help would be appreciated.

ssl
Martin Hope
Shadur
Asked: 2018-05-29 23:56:26 +0800 CST
  • 1

I'm mostly a command-line user of PostgreSQL myself, but for others I've recently had cause to set up a PHPPGAdmin frontend.

However, I've run into a problem - while on the command line users have no problem logging in and connecting to the database they're supposed to have access to, in the PHPPGAdmin frontend they're not able to see the databases they don't own (but have read access to).

I have tried the following:

GRANT CONNECT ON DATABASE example TO otheruser;
GRANT USAGE ON SCHEMA public TO otheruser;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO otheruser;

As said before, when using software or direct command line connection this is sufficient to let them connect and SELECT from the database; the problem seems to be with PHPPGAdmin.

Any suggestions as to what I may be overlooking are welcome.

postgresql
Martin Hope
Shadur
Asked: 2018-04-20 00:07:59 +0800 CST
  • 1

I recently set up a new webhosting server at work on a Debian Stretch system using Apache 2.4 and PHP7 via proxy_fcgi and php-fpm.

It worked fine in the testing stages, but the first customer is using a Moodle website which makes extensive use of so-called 'slash arguments' (IE, requests to, say, index.php/these/are/parameters/ ).

Following the instructions on moodle's website I tried setting AcceptPathInfo to On, and even tried disabling security_limit_extensions in PHP, but so far nothing seems to be working.

Relevant configs are pasted below. I'm pretty positive I missed something simple somewhere, but I've run out of ideas where to look.

(Note: Regular php works fine; slash arguments do not. When setting cgi.fix_pathinfo to 0 asking for https://www.domain.nl/lib/javascript.php/foo/bar results in "No input file specified"; setting it to 1 results in "No valid Javascript files found" which at least suggests that the script is called but the arguments aren't passed correctly into the proxy...)

Apache:

<VirtualHost *:443>
    ServerName www.domain.nl
    ServerAlias domain.nl new.domain.nl

    DocumentRoot /home/webclients/www.domain.nl/public_html/
    Alias /cgi-bin/ /home/webclients/www.domain.nl/cgi-bin/
    CustomLog /var/log/apache2/www.domain.nl/access.log combined
    ErrorLog /home/webclients/www.domain.nl/logs/error.log
    TransferLog /home/webclients/www.domain.nl/logs/access.log

    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/domain.sock|fcgi://localhost/home/webclients/www.domain.nl/public_html
    SSLOptions +StdEnvVars

    <IfModule mod_suexec.c>
        SuExecUserGroup domain webclients
    </IfModule>

    <Directory /home/webclients/www.domain.nl/public_html/>
        AllowOverride All
        AcceptPathInfo On
        Require all granted
    </Directory>

    SSLEngine on
    #       LogLevel info
    SSLCertificateFile /etc/ssl/certs/www.domain.nl.pem
    SSLCertificateKeyFile /etc/ssl/private/www.domain.nl.key
    SSLCACertificateFile /etc/ssl/intermediate/intermediate-rapidssl-rsacag1.pem
    # Enable HSTS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"



</VirtualHost>
# vim:syntax=apache

php-fpm pool file:

[domain]

prefix=/

include=/etc/php/7.0/fpm/pool.d/defaults

php_admin_value[error_log] = /home/webclients/www.domain.nl/logs/php-error.log
php_admin_value[cgi.fix_pathinfo] = 0
security.limit_extensions =
apache-2.4
Martin Hope
Shadur
Asked: 2018-04-14 02:53:28 +0800 CST
  • 1

At work we've recently deployed several S3 storage servers. However, not all of our customers have the ability to work with S3 storage due to old hardware/software.

We tried to work around the problem by creating a samba "proxy" that mounts the S3 storage devices, then shares that mount to the windows network.

Both samba and s3fs seem to be configured correctly; I can mount the S3 storage points, and I can turn directories into samba shares. However, when I try to make a samba share out of the s3fs mount point, windows reports a "permission denied".

samba.log isn't terribly more informative, merely saying chdir (/s3mounts/dvoijen) failed, reason: Permission denied

I've tried setting the umask in fstab to 000, but it's had no effect.

Relevant fstab line:

dvoijen     /s3mounts/dvoijen                   fuse.s3fs  _netdev,noauto,url=https://s3-eu01.{redacted}/,passwd_file=/etc/passwd-s3fs-dvoijen,umask=000 0 0

Relevant smb.conf block:

[dvoijen]
    comment = S3 bucket dvoijen
    path = /s3mounts/dvoijen/
    valid users = "@SYSTEMECCLOUD\Domain Admins"
    admin users = "@SYSTEMECCLOUD\Domain Admins"
    force group = "Domain Admins"
    browseable = yes
    writable = yes
    read only = no
    inherit acls = yes         
    inherit permissions = yes
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

(Yes, I know, possible security issues, we'll worry about those once we have it working and before it's deployed into production)

I'm pretty sure I'm missing something painfully obvious, but I can't figure out what.

UPDATE: In an effort to eliminate possible errors, we moved the samba share to /s3mounts/, which works fine, except that opening the share doesn't show the mount point when it's mounted (it's visible when the S3 bucket isn't mounted to it). I'm now more and more convinced I'm missing a permission issue somewhere, but what?

New config:

[s3mounts]
    comment = S3 buckets
    path = /s3mounts/
    valid users = "@SYSTEMECCLOUD\Domain Admins"
    admin users = "@SYSTEMECCLOUD\Domain Admins"
    force group = "Domain Admins"
    browseable = yes
    writable = yes
    read only = no
    inherit acls = yes         
    inherit permissions = yes
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

EDIT 2 The problem's been resolved; I'll post the fix as soon as I'm sure why what I did worked.

debian
Martin Hope
Shadur
Asked: 2017-10-13 05:50:16 +0800 CST
  • 1

( Yes, I've seen syslog-ng does not recognize "python" keyword . However, 1) the mentioned solution doesn't help me because I checked and mod-python is loaded, and 2) it applies to file destination rather than the parser)

After having some trouble getting syslog-ng to output to a program someone pointed out that syslog-ng has the ability to incorporate Python code in a parser and directed me at https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/python-parser.html .

However, even the example script failed to work with the error message:

Error parsing parser expression, parser plugin python not found in /etc/syslog-ng/conf.d/50-python.conf at line 2, column 2:
included from /etc/syslog-ng/syslog-ng.conf line 162, column 1

    python(class("brocadeParser"));
    ^^^^^^

I googled for the error message, and I checked the above SE question. However, after running syslog-ng -V I found that the python module was in fact loaded:

syslog-ng 3.8.1
Installer-Version: 3.8.1
Revision: 3.8.1-10
Module-Directory: /usr/lib/syslog-ng/3.8
Module-Path: /usr/lib/syslog-ng/3.8
Available-Modules: linux-kmsg-format,riemann,grok-parser,basicfuncs,cryptofuncs,redis,system-source,afuser,geoip-plugin,mod-python,graphite,afstomp,pseudofile,date,afsocket,kvformat,confgen,afprog,syslogformat,add-contextual-data,sdjournal,json-plugin,afsmtp,affile,afamqp,dbparser,disk-buffer,afsql,csvparser,cef,afmongodb
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: off

Does anyone have any suggestions at what might be wrong?

syslog-ng
Martin Hope
Shadur
Asked: 2017-04-06 02:10:18 +0800 CST
  • 3

I'm trying to track down the source cause of a breakin on a serverhosting customer's website.

auditd is a great help in showing me what directory to look in when yet another bit of malware (the site is something of a mess, but not mine to clear up even if I wanted to) activates and screws up the site, but the audit logs are tricky to read because it also logs the ssh activity from a monitoring script that connects every two minutes to check various statuses, as well as another monitoring system that's triggered by cron.

I've made several attempts in auditctl to tell it to stop reporting these:

root@zelia:/var/log/audit# auditctl -l 
-a never,user -F auid=116
-a never,task -F auid=116
-a never,exit -S all -F auid=116
-a never,exit -S all -F uid=116

(UID 116, user 'meminfo' is the one I want to suppress)

However, every few minutes I still get the following:

type=USER_ACCT msg=audit(1491386883.189:462708): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/usr/sbin/sshd" hostname=prtg.systemec.nl addr=89.20.80.149 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1491386883.189:462709): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="meminfo" exe="/usr/sbin/sshd" hostname=monitor.company.internal addr=89.20.80.149 terminal=ssh res=success'
type=LOGIN msg=audit(1491386883.189:462710): pid=1502 uid=0 old-auid=4294967295 auid=116 old-ses=4294967295 ses=368164 res=1
type=USER_ACCT msg=audit(1491386883.197:462711): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1491386883.197:462712): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1491386883.213:462713): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1491386883.365:462714): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

As a result, audit logs keep filling up and I'm missing important backlog.

On the other hand, while I don't think the breakin is happening via SSH, a log of who logs onto the server when may be useful to have handy.

Obviously, the rules I attempted to add to keep meminfo suppressed don't work correctly. What am I doing wrong?

ADDENDUM For some reason, adding auditctl -a never,task afterwards causes the never,task rule to be loaded first and everything gets suppressed, including what I really did want to see.

ADDENDUM #2 As explained in this question, the messages I'm trying to suppress are generated by default by the PAM subsystems and not by additional rules in audit.rules, so that's an additional problem...

linux
Martin Hope
Shadur
Asked: 2017-03-29 09:24:11 +0800 CST
  • 43

I'm running a private game server on a headless linux box. Because I'm not an idiot, said server is running as its own unprivileged user with the bare minimum access rights it needs to download updates and modify the world database.

I also created a systemd unit file to properly start, stop and restart the server when needed (for said updates, for example).

However, in order to actually call systemctl or service <game> start/stop/restart I still need to log in as either root or a sudo capable user.

Is there a way to tell systemd that for the <game> service, unprivileged user gamesrv is permitted to run the start/stop/restart commands?

linux
Martin Hope
Shadur
Asked: 2012-08-09 01:03:35 +0800 CST
  • 7

I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) are relatively straightforward, I've run into a logistical problem.

From the documentation I've been reading, 1024 bits is a good size for a Zone-Signing Key, and proper procedure would be one ZSK for each zone with about a one-month rollover

However, it takes up to 10 minutes on a reasonably fast computer with decent entropy to generate an 1024-bit key... And the ISP I work for hosts over three thousand zones. Unless I somehow automate the process from start to finish, this isn't going to be workable -- and even if I do, by the time the process finishes it'd be almost time to start with the NEXT rollover.

In short, this isn't feasible. Right now I'm restricting DNSSEC to customers who explicitly ask for it, but that's stopgap at best.

My questions:

  • Am I going way overboard with the key length?
  • How can I speed up the key generation process?
  • Should I create individual Key-signing keys for each zone as well as ZSKs?

EDIT: Added the exact commands I'm using to generate the keys:

caleburn: ~/Projects/Systemec/DNS-magic/DNSSEC/keys/ >time dnssec-keygen -r/dev/random -a RSASHA256 -f KSK -b 1280 -n ZONE example.com 
Generating key pair.............................+++++ ...+++++ 
Kexample.com.+008+10282

real    9m46.094s
user    0m0.092s
sys 0m0.140s

caleburn: ~/Projects/Systemec/DNS-magic/DNSSEC/keys/ >time dnssec-keygen -r/dev/random -a RSASHA256  -b 1280 -n ZONE example.com 
Generating key pair.........................+++++ .........+++++ 
Kexample.com.+008+22173

real    12m47.739s
user    0m0.124s
sys 0m0.076s
domain-name-system