Milan Babuškov's questions

I'm trying to parse some output from SSL client to check if a bunch of servers have valid certificates. I'm looking at the output of this command:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -subject -dates

I notice that wildcard certificates issued from Let's Encrypt only list "CN = example.com" in "subject" field, while wildcard certificates issued from some other CA use "CN = *.example.com"

Is this normal? Will there be some certificates that are listed as "CN = example.com" in the "subject" field which are not wildcard and would break in the browser if I try to open "subdomain.example.com"?

Or is there maybe some better way to validate if certificate is for correct domain on the command line?

Thanks.

I'm using HAProxy 1.4.22. I have the following haproxy.conf file:

global
    maxconn 100000
    daemon

defaults
    mode http
    retries 1
    contimeout 8000
    clitimeout 120000
    srvtimeout 120000
    stats enable
    stats uri     /haproxy-stats
    stats auth admin:****************
    option httpchk

frontend http-in
    bind 16.9.13.39:80
    maxconn 100000
    acl is_l1 hdr_end(host) -i l1.mydomain.com
    acl is_l2 hdr_end(host) -i l2.mydomain.com
    acl is_l3 hdr_end(host) -i l3.mydomain.com
    acl is_l0 hdr_end(host) -i mydomain.com
    use_backend lora1 if is_l1
    use_backend lora2 if is_l2
    use_backend lora3 if is_l3
    use_backend lora0 if is_l0
    default_backend lora0

backend lora0
    balance roundrobin
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s0 127.0.0.1:5000 check inter 60000

backend lora1
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s1 127.0.0.1:5001 check inter 60000

backend lora2
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s2 127.0.0.1:5002 check inter 60000

backend lora3
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s3 127.0.0.1:5003 check inter 60000

It all works fine. Except, for some 0.2% of the clients. Sometimes when the request comes for l1, l2 or l3. For example:

http://l3.mydomain.com/something

and HAProxy does not match the domain name for some reason and uses default backend instead.

I have set up logging in my application and it reports that hostname on the receiving end is in fact "l3.mydomain.com". Here are the headers that my application receives:

host: 'l3.mydomain.com',
'user-agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
referer: 'http://mydomain.com/menu/2034414/e2e1abb5500ed51391d6351b1cf03695',
'accept-encoding': 'gzip,deflate,sdch',
'accept-language': 'en-US,en;q=0.8',
'accept-charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
'x-proxy-id': '1407537728',
'x-forwarded-for': '10.201.4.168',
via: '1.1 10.201.255.254 (Mikrotik HttpProxy)'

Questions:

Am I using hdr_end() properly, and is there some special case when matching might fail?

Is there some way log the actual HTTP readers received by HAProxy, but only when nothing is matched and default_backend rule is used?

I have a VPS with standard LAMP stack and a busy website. Operating system is CentOS 5.5. Virtualization is done with VMWare. My server gets real slow about every 6 hours. Logging into it I see that 1.6GB of RAM is consumed. However, summing up the memory usage of active processes adds up only to about 700MB. Can anyone make any sense of this?

"free" shows this:

             total       used       free     shared    buffers     cached
Mem:       2059456    2049280      10176          0      14780     380968
-/+ buffers/cache:    1653532     405924
Swap:      2096472         96    2096376

While this is output of "ps":

[root@vmi29 /]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10348   688 ?        Rs   Jun05   0:01 init [3]
root         2  0.0  0.0      0     0 ?        S<   Jun05   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   Jun05   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S<   Jun05   0:00 [migration/1]
root         5  0.0  0.0      0     0 ?        SN   Jun05   0:00 [ksoftirqd/1]
root         6  0.0  0.0      0     0 ?        S<   Jun05   0:00 [migration/2]
root         7  0.0  0.0      0     0 ?        SN   Jun05   0:00 [ksoftirqd/2]
root         8  0.0  0.0      0     0 ?        S<   Jun05   0:00 [migration/3]
root         9  0.0  0.0      0     0 ?        SN   Jun05   0:00 [ksoftirqd/3]
root        10  0.0  0.0      0     0 ?        S<   Jun05   0:06 [events/0]
root        11  0.0  0.0      0     0 ?        S<   Jun05   0:00 [events/1]
root        12  0.0  0.0      0     0 ?        S<   Jun05   0:00 [events/2]
root        13  0.0  0.0      0     0 ?        S<   Jun05   0:00 [events/3]
root        14  0.0  0.0      0     0 ?        S<   Jun05   0:00 [khelper]
root        31  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kthread]
root        38  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kblockd/0]
root        39  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kblockd/1]
root        40  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kblockd/2]
root        41  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kblockd/3]
root        42  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kacpid]
root       204  0.0  0.0      0     0 ?        S<   Jun05   0:00 [cqueue/0]
root       205  0.0  0.0      0     0 ?        S<   Jun05   0:00 [cqueue/1]
root       206  0.0  0.0      0     0 ?        S<   Jun05   0:00 [cqueue/2]
root       207  0.0  0.0      0     0 ?        S<   Jun05   0:00 [cqueue/3]
root       210  0.0  0.0      0     0 ?        S<   Jun05   0:00 [khubd]
root       212  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kseriod]
root       302  0.0  0.0      0     0 ?        S    Jun05   0:00 [khungtaskd]
root       303  0.0  0.0      0     0 ?        S    Jun05   0:00 [pdflush]
root       304  0.0  0.0      0     0 ?        S    Jun05   0:01 [pdflush]
root       305  0.0  0.0      0     0 ?        S<   Jun05   0:05 [kswapd0]
root       306  0.0  0.0      0     0 ?        S<   Jun05   0:00 [aio/0]
root       307  0.0  0.0      0     0 ?        S<   Jun05   0:00 [aio/1]
root       308  0.0  0.0      0     0 ?        S<   Jun05   0:00 [aio/2]
root       309  0.0  0.0      0     0 ?        S<   Jun05   0:00 [aio/3]
root       515  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kpsmoused]
root       582  0.0  0.0      0     0 ?        S<   Jun05   0:00 [mpt_poll_0]
root       583  0.0  0.0      0     0 ?        S<   Jun05   0:00 [mpt/0]
root       584  0.0  0.0      0     0 ?        S<   Jun05   0:00 [scsi_eh_0]
root       590  0.0  0.0      0     0 ?        S<   Jun05   0:00 [ata/0]
root       591  0.0  0.0      0     0 ?        S<   Jun05   0:00 [ata/1]
root       592  0.0  0.0      0     0 ?        S<   Jun05   0:00 [ata/2]
root       593  0.0  0.0      0     0 ?        S<   Jun05   0:00 [ata/3]
root       594  0.0  0.0      0     0 ?        S<   Jun05   0:00 [ata_aux]
root       610  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kstriped]
root       631  0.0  0.0      0     0 ?        S<   Jun05   0:05 [kjournald]
root       656  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kauditd]
root       689  0.0  0.0  13364   928 ?        S<s  Jun05   0:00 /sbin/udevd -d
root      2123  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kmpathd/0]
root      2124  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kmpathd/1]
root      2126  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kmpathd/2]
root      2127  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kmpathd/3]
root      2128  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kmpath_handlerd]
root      2203  0.0  0.0      0     0 ?        S<   Jun05   0:00 [kjournald]
root      2613  0.0  0.0   5908   648 ?        Ss   Jun05   0:00 syslogd -m 0
root      2617  0.0  0.0   3804   424 ?        Ss   Jun05   0:00 klogd -x
root      2707  0.0  0.0  10760   372 ?        Ss   Jun05   0:02 irqbalance
apache    2910  0.5  0.6 213964 12912 ?        S    00:22   0:07 /usr/sbin/httpd
dbus      3011  0.0  0.0  21256   904 ?        Ss   Jun05   0:00 dbus-daemon --system
root      3025  0.0  0.0   3800   576 ?        Ss   Jun05   0:00 /usr/sbin/acpid
68        3038  0.0  0.2  31152  4336 ?        Ss   Jun05   0:01 hald
root      3039  0.0  0.0  21692  1176 ?        S    Jun05   0:00 hald-runner
68        3046  0.0  0.0  12324   856 ?        S    Jun05   0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.s
68        3052  0.0  0.0  12324   856 ?        S    Jun05   0:00 hald-addon-keyboard: listening on /dev/input/event0
root      3105  0.0  0.0  62624  1212 ?        Ss   Jun05   0:00 /usr/sbin/sshd
root      3264  0.0  0.0  74820  1156 ?        Ss   Jun05   0:00 crond
root      3292  0.0  0.0  18416   472 ?        S    Jun05   0:00 /usr/sbin/smartd -q never
root      3300  0.0  0.0   3792   480 tty2     Ss+  Jun05   0:00 /sbin/mingetty tty2
root      3301  0.0  0.0   3792   480 tty3     Ss+  Jun05   0:00 /sbin/mingetty tty3
root      3302  0.0  0.0   3792   484 tty4     Ss+  Jun05   0:00 /sbin/mingetty tty4
root      3304  0.0  0.0   3792   480 tty5     Ss+  Jun05   0:00 /sbin/mingetty tty5
root      3306  0.0  0.0   3792   480 tty6     Ss+  Jun05   0:00 /sbin/mingetty tty6
apache    5158  0.4  0.5 211896 11848 ?        S    00:28   0:04 /usr/sbin/httpd
apache    5519  0.4  0.5 211896 11992 ?        S    00:29   0:03 /usr/sbin/httpd
root      5649  0.0  0.0  63848  1184 pts/0    S    Jun05   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --soc
mysql     5696  2.1  1.9 411060 40392 pts/0    Rl   Jun05   2:01 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql
apache    5943  0.4  0.5 211896 12000 ?        S    00:30   0:03 /usr/sbin/httpd
apache    5976  0.6  0.5 211896 11792 ?        S    00:30   0:04 /usr/sbin/httpd
apache    6073  0.4  0.5 211896 11208 ?        S    00:31   0:03 /usr/sbin/httpd
apache    6122  0.4  0.5 211896 11848 ?        S    00:31   0:03 /usr/sbin/httpd
apache    6128  0.3  0.5 211896 11940 ?        S    00:31   0:02 /usr/sbin/httpd
apache    6159  0.5  0.5 211896 11872 ?        S    00:31   0:04 /usr/sbin/httpd
apache    6636  0.4  0.6 213960 13444 ?        S    00:32   0:02 /usr/sbin/httpd
apache    6787  0.3  0.5 211884 11308 ?        S    00:33   0:02 /usr/sbin/httpd
apache    6796  0.4  0.5 211884 12024 ?        S    00:33   0:02 /usr/sbin/httpd
apache    6801  0.3  0.5 211896 11920 ?        S    00:33   0:01 /usr/sbin/httpd
apache    6804  0.4  0.5 211884 11848 ?        S    00:33   0:02 /usr/sbin/httpd
apache    6825  0.4  0.5 211896 11972 ?        S    00:33   0:02 /usr/sbin/httpd
apache    6866  0.3  0.5 210860 11044 ?        S    00:33   0:01 /usr/sbin/httpd
apache    6870  0.2  0.5 211896 11108 ?        S    00:33   0:01 /usr/sbin/httpd
apache    6872  0.3  0.5 211896 11900 ?        S    00:33   0:01 /usr/sbin/httpd
apache    6993  0.3  0.5 211896 11836 ?        S    00:33   0:02 /usr/sbin/httpd
apache    6994  0.3  0.5 211896 11792 ?        S    00:33   0:01 /usr/sbin/httpd
apache    7136  0.2  0.5 211896 11432 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7143  0.2  0.5 210860 11052 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7145  0.2  0.5 211896 11136 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7266  0.2  0.6 213952 12748 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7299  0.2  0.5 211884 11276 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7311  0.2  0.5 211884 11300 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7313  0.3  0.5 211884 11876 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7345  0.2  0.5 210872 11100 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7349  0.2  0.5 210860 11008 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7350  0.2  0.5 211896 11832 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7351  0.1  0.5 211884 11072 ?        S    00:34   0:00 /usr/sbin/httpd
apache    7352  0.2  0.5 210872 11096 ?        S    00:34   0:01 /usr/sbin/httpd
apache    7449  0.1  0.5 210860 11020 ?        S    00:35   0:00 /usr/sbin/httpd
root      7490  0.3  0.0      0     0 ?        S    Jun05   3:11 [vmmemctl]
root      7597  0.0  0.0  72656  1260 ?        Ss   Jun05   0:06 /usr/lib/vmware-tools/sbin64/vmware-guestd --background /va
apache    7720  0.1  0.5 210860 10748 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7726  0.1  0.4 209836  9304 ?        R    00:36   0:00 /usr/sbin/httpd
apache    7727  0.1  0.5 210860 10916 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7731  0.1  0.5 210860 10780 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7732  0.3  0.5 210860 10916 ?        S    00:36   0:01 /usr/sbin/httpd
apache    7733  0.1  0.5 210872 11000 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7735  0.1  0.5 211884 11048 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7761  0.1  0.5 210860 10552 ?        S    00:36   0:00 /usr/sbin/httpd
apache    7776  0.1  0.4 209836  8648 ?        R    00:37   0:00 /usr/sbin/httpd
apache    7790  0.2  0.3 208812  7724 ?        R    00:40   0:00 /usr/sbin/httpd
apache    7800  0.2  0.3 208812  8088 ?        R    00:40   0:00 /usr/sbin/httpd
root      7801  0.0  0.0   3792   484 tty1     Ss+  00:41   0:00 /sbin/mingetty tty1
apache    7820  0.2  0.3 208812  7552 ?        R    00:41   0:00 /usr/sbin/httpd
apache    7834  0.2  0.3 207788  6756 ?        R    00:42   0:00 /usr/sbin/httpd
apache    7864  0.2  0.2 207788  6148 ?        R    00:42   0:00 /usr/sbin/httpd
apache    7872  0.3  0.2 207788  5856 ?        R    00:43   0:00 /usr/sbin/httpd
apache    7874  2.5  0.3 207788  6336 ?        R    00:43   0:00 /usr/sbin/httpd
root      7875  0.3  0.0  63844  1056 ?        S    00:43   0:00 sh -c lsb_release -sd 2>/dev/null
root      7879  1.6  0.0  65604   964 pts/0    R+   00:43   0:00 ps aux
root     16316  0.0  0.1  90128  3272 ?        Ss   Jun05   0:00 sshd: milanb [priv]
milanb   16358  0.0  0.0  90128  1752 ?        S    Jun05   0:00 sshd: milanb@pts/0
milanb   16360  0.0  0.0  66076  1480 pts/0    Ss   Jun05   0:00 -bash
root     16875  0.0  0.0 101068  1324 pts/0    S    Jun05   0:00 su -
root     16877  0.0  0.0  66184  1692 pts/0    S    Jun05   0:00 -bash
root     24373  0.0  0.3 206764  7348 ?        Rs   Jun05   0:01 /usr/sbin/httpd

UPDATE:

Here, it happens again (about a hour later this time).

[root@vmi29 ~]# cat /proc/meminfo
MemTotal:      2059456 kB
MemFree:         17340 kB
Buffers:         17788 kB
Cached:         407804 kB
SwapCached:          0 kB
Active:         517704 kB
Inactive:       122188 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:      2059456 kB
LowFree:         17340 kB
SwapTotal:     2096472 kB
SwapFree:      2096376 kB
Dirty:             160 kB
Writeback:           0 kB
AnonPages:      214436 kB
Mapped:          13296 kB
Slab:            27392 kB
PageTables:      18780 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   3126200 kB
Committed_AS:   514788 kB
VmallocTotal: 34359738367 kB
VmallocUsed:    264012 kB
VmallocChunk: 34359473911 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     2048 kB

iostat output:

[root@vmi29 ~]# iostat
Linux 2.6.18-194.3.1.el5 (vmi29)        06/06/2010

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           6.33    0.00    1.07    1.83    0.00   90.78

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda              12.02        44.47       123.40    2526367    7011298
sda1              0.00         0.04         0.10       2036       5466
sda2              0.00         0.03         0.00       1681        200
sda3             12.01        44.39       123.30    2522226    7005632

Free:

[root@vmi29 ~]# free -m
             total       used       free     shared    buffers     cached
Mem:          2011       2002          8          0         15        386
-/+ buffers/cache:       1600        410
Swap:         2047          0       2047

Command that Nathan Powell suggested:

[root@vmi29 ~]# ps aux | awk '{SUM += $3} END { print SUM }'
20.2

Update2:

[root@vmi29 ~]# ps aux | awk '{SUM += $4} END { print SUM }'
12.5

Free:

[root@vmi29 ~]# free
             total       used       free     shared    buffers     cached
Mem:       2059456    2038316      21140          0       7360     492800
-/+ buffers/cache:    1538156     521300
Swap:      2096472        100    2096372

I have Apache 2.2.4 server with a lot of messages like this in the access_log:

::1 - - [15/May/2010:19:55:01 +0200] "OPTIONS * HTTP/1.0" 400 543
::1 - - [15/May/2010:20:22:17 +0200] "OPTIONS * HTTP/1.0" 400 543
::1 - - [15/May/2010:20:24:58 +0200] "OPTIONS * HTTP/1.0" 400 543
::1 - - [15/May/2010:20:25:55 +0200] "OPTIONS * HTTP/1.0" 400 543
::1 - - [15/May/2010:20:27:14 +0200] "OPTIONS * HTTP/1.0" 400 543

These are the "internal dummy connections" as explained on this page:

http://wiki.apache.org/httpd/InternalDummyConnection

The page also hits my main problem: "In 2.2.6 and earlier, in certain configurations, these requests may hit a heavy-weight dynamic web page and cause unnecessary load on the server. You can avoid this by using mod_rewrite to respond with a redirect when accessed with that specific User-Agent or IP address."

Well, obviously I cannot use UserAgent because I minimized the server signature, but I could use IP address. However, I don't have a clue what should the RewriteCond and RewriteRule look for IPv6 address ::1.

The website where this runs is using CodeIgniter, so there is already the following .htaccess in place, I just need to add to it:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/system.*
RewriteRule ^(.*)$ /index.php?/$1 [G]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?/$1 [L]

Any idea how to write this .htaccess rule?

Solved: Adding another rule makes OPTIONS fall through current rules and be handled the same way as Apache is doing by default.

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/system.*
RewriteRule ^(.*)$ /index.php?/$1 [G]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REMOTE_HOST} !^::1$
RewriteRule ^(.*)$ /index.php?/$1 [L]

I never access the website via localhost on IPv6, so this works great.

I host my websites on a server that has some problems with MySQL. Looking at PHPMyAdmin statistics tab, I see these stats:

PHPMyAdmin stats http://www.slagalica.tv/henet.mysql.png

It shows that 99.68% connections have beed aborted. I googled a little bit about it, but I can't figure out what it really means. What is the reason for this and how can it be fixed?

We're currently using Nagios to monitor about 20 Linux machines (services and functional links). I just find out about Munin and I wonder if this is a Nagios replacement, or it can be used together with Nagios? I don't want to spend hours setting it up, just to discover that I already have all that functionality with Nagios.

I'd especially appreciate if someone who used both programs can give some insight about your experience. Which is better for which task and what do you recommend to use?

Note: we also used Cacti for some time. The main problem we have with Nagios is that setup takes too long and isn't very straightforward.

I have a server that has 4GB of RAM. On it, I have installation of 32bit Slackware Linux 12.1. Of course, it is not using all of 4GB of RAM. I'd soon like to increase the RAM to 8GB, and am looking for a way for the system to use it. The system is used as a database server and is under high load during the day.

AFAICT, I have two options: stay with 32bit and rebuild the kernel and lose some performance. Or go with 64bit and reinstall everything. Looking at 64bit versions of Slackware, I could run -current or Slamd64.

Now, on to the questions:

1. Should I stay with 32bit or go with 64bit?

2. If I go 64bit, should I use -current or Slamd64?

P.S. I hope to get answers from someone actually using any of these configurations in production, not just copy/paste something I could find myself via Google.