Installing nginx on Windows subsystem for Linux

Install nginix

sudo apt-get install nginx

Add the below line (in bold) to /etc/nginx/nginx.conf

user www-data;
master_process off;
worker_processes 4;

Comment out this line in /etc/nginx/sites-available/default

# listen [::]:80 default_server ipv6only=on;

$ sudo service nginx start

Test it out from the command line:

curl http://127.0.0.1

Should see HTML output for Welcome to nginx!

Posted in Uncategorized | Leave a comment

Setting up Juniper junos command aliases

At command prompt, create the file:

root@lab-SRX% vi /var/db/scripts/op/sit.slax

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
         {

                var $cmd =  'show interfaces terse';
                var $out = jcs:invoke($cmd);
                copy-of ($out);
        }
}

Edit configuration to activate the script:

set system scripts op file sit.slax

Run the alias at CLI:

root@lab-SRX> op sit
<< output of show interfaces terse >>

See more Juniper automation at:
http://forums.juniper.net/jnet/attachments/jnet/Day1Books/6/7/This%20Week%20Applying%20Junos%20Automation_update.pdf

Posted in Networking | Leave a comment

Thanks to NOAA and xpath, I know when it’s the best time to walk my dog

Luna loves to go to the beach, especially when it’s during low tide.

 

Now, I could go visit local websites daily for the low tides in my area, but…

notimeforthat

Lucky for Luna, her daddy knows how to sling some computer coding, so… a script was developed to process daily tide predictions via data directly from NOAA and display only those that are in morning or early evening when it’s a good time to go for a walk on the beach.

Now, I get a daily email in my inbox with the low tide predictions for mornings/evenings of the next three days.

selfhandslap

If interested, the python code is over at my github, and it uses lxml / xpath to process and filter the NOAA XML data.

https://github.com/jaredevans/check_lowtides

Posted in Programming | Leave a comment

Let’s Encrypt! Checking your HTTPS certificate expiration date

Let’s Encrypt offers free HTTPS certificate for your website.  The catch is that they are valid for only 90 days so the certificate has to be renewed four times a year.

The instructions here have made it painless to automatically renew the certificates via a cronjob.

However, if you want to manually check the certificates, here’s a nice shell script to give you a quick overview and shows how many days are left.

cert="/etc/letsencrypt/live/site.com/cert.pem"
echo " "
echo "############"
if openssl x509 -checkend 86400 -noout -in $cert
then
  echo "The certificate $cert is good for at least another day!"
  today=`date +%D`
  expiredate=`openssl x509 -enddate -noout -in $cert  | awk -F'=' '{print $2}'`
  expdate="date +%D --date='$expiredate'"
  ed=`eval $expdate`
  daysleft=`echo $(($(($(date -u -d "$ed" "+%s") - $(date -u -d "$today" "+%s"))) / 86400))`
  echo "        Today's date: $today , expiring on: $ed , $daysleft days left to go."
else
  echo "The certificate $cert has expired or will do so within 24 hours!"
  echo "(or is invalid/not found)"
fi
echo "############"
echo " "

The output looks like this:

############
The certificate /etc/letsencrypt/live/site.com/cert.pem is good for at least another day!
        Today's date: 03/08/16 , expiring on: 04/22/16 , 45 days left to go.
############

Posted in Linux | Leave a comment

Windows – Registering Putty for SSHS:// custom URI Scheme

One of things that I do to simplify my job is to maintain a local webpage listing servers that I can SSH into.  With Windows, I can register the sshs:// URI scheme to putty.exe Windows executable.  Any links starting with sshs:// will be opened up automatically using Putty.

All the servers require public/private key to successfully complete the connection, so I create a custom session inside the Putty Configuration app, which sets the private key to use.  For example, you can see the the one for ‘zappy’ session.

putty

Create a Windows registry file: register_ssh_session_putty.reg
Copy and paste below registry entries.
Double-click on the reg file to insert into Windows Registry.
——————————————

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\sshs]
@="URL:SSHS Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\sshs\shell]

[HKEY_CLASSES_ROOT\sshs\shell\open]

[HKEY_CLASSES_ROOT\sshs\shell\open\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"$uri = [System.Uri]'%1';&\"${env:ProgramFiles(x86)}\\PuTTY\\putty.exe\" -load $uri.UserInfo \""

In the local webpage that you maintain, use sshs:// links
To start the putty session named zappy
sshs://zappy@putty

Posted in Linux, Programming | Leave a comment

Quickly get a Flask/Python app running quickly alongside phpMyAdmin

Quick guide to setting up a Flask/Python web app at default root URL alongside phpMyAdmin running off \phpmyadmin

sudo apt-get install nginx
sudo apt-get install mysql-server

Be sure to install mysql server before installing phpmyadmin.
sudo apt-get install phpmyadmin

sudo apt-get install python-pip python-dev php5-fpm

sudo pip install virtualenv

mkdir -p /var/www/fk

Add your account to group www-data so can edit/create files inside /var/www
adduser jared www-data

This script will initialize permissions  inside /var/www so there’s no issue editing/creating files.

mkdir -p ~/bin

edit ~/bin/fixweb.sh

#!/bin/sh

sudo chown -R www-data:www-data /var/www
sudo chgrp -R www-data /var/www
sudo chmod -R g+rw /var/www
find /var/www -type d -print0 | sudo xargs -0 chmod g+s

Make script executable and run it to set correct permissions for web directories

chmod u+x ~/bin/fixweb.sh
sudo ~/bin/fixweb.sh

with your account – login to www-data group
newgrp – www-data

edit /etc/php5/fpm/php.ini

    cgi.fix_pathinfo=0

Confirm inside  /etc/php5/fpm/pool.d/www.conf :

listen = /var/run/php5-fpm.sock

service php5-fpm restart

cd /var/www/fk
virtualenv venv

.   venv/bin/activate

Now inside the virtual environment
pip install uwsgi
pip install Flask
deactivate

edit /var/www/fk/fk.py

 
from flask import Flask
app = Flask(__name__)
app.debug = True

@app.route('/')
def index():
    return 'Flask Index Page'

@app.route('/hello')
def hello():
    return 'Hello World from Flask'

if __name__ == "__main__":
    app.run()

edit /var/www/fk/wsgi.py

from fk import app

if __name__ == "__main__":
   app.run()

edit /var/www/fk/wsgi-fk.ini

[uwsgi]
module = wsgi:application

master = true
processes = 5

socket = socket_fk.sock
chmod-socket = 664
vacuum = true

die-on-term = true

edit /etc/init/fk.conf

description "uWSGI instance to serve Flask webapp"

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

script
   cd /var/www/fk
   . venv/bin/activate
   # uwsgi --ini flasktest.ini
   uwsgi -s socket_fk.sock --catch-exceptions --module fk --callable app
   # uwsgi --catch-exceptions --ini flasktest.ini
end script

NGINX default config
edit /etc/nginx/sites-available/default

server {
   listen 80 default_server;

   root /usr/share/nginx/html;
   index index.html index.htm;

   # Make site accessible from http://localhost/
   server_name localhost;

   location / { try_files $uri @fk; }
      location @fk {
      include uwsgi_params;
      uwsgi_pass unix:/var/www/fk/socket_fk.sock;
   }

   location /phpmyadmin {
      root /usr/share/;
      index index.php index.html index.htm;
      location ~ ^/phpmyadmin/(.+\.php)$ {
         try_files $uri =404;
         root /usr/share/;
         fastcgi_pass unix:/var/run/php5-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
      }
      location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
         root /usr/share/;
      }
   }
   location /phpMyAdmin {
      rewrite ^/* /phpmyadmin last;
   }
}

sudo stop fk ; sleep 1 ; sudo start fk

systemd script for Ubuntu 15.04
/etc/systemd/system/fk.service

[Unit]
Description=uWSGI instance to serve fk
After=network.target

[Service]
User=www-data
Group=www-data
WorkingDirectory=/var/www/fk
Environment="PATH=/var/www/fk/venv/bin"
#ExecStart=/var/www/fk/venv/bin/uwsgi --ini fk.ini
ExecStart=/var/www/fk/venv/bin/uwsgi -s /var/www/fk/socket_fk.sock --catch-exceptions --module fk --callable app

[Install]
WantedBy=multi-user.target

sudo systemctl start fk
sudo systemctl enable fk

sudo systemctl stop nginx
sudo systemctl start nginx

 

Posted in Programming | Leave a comment

Ultimate NGINX reverse proxy to WordPress / PHP / Python / Django / Golang / Flask

For years, I’ve relied on Apache web server on my personal machine to continually hone my web programming chops and it doesn’t hurt to readily have a working server configuration for quick reference.

While Apache has performed brilliantly, it was time to switch and get more comfortable with NGINX. It is frequently chosen to reverse proxy and route HTTP traffic towards remote processes which actually ingest the web requests and process them.

In the real world, with reverse proxying, NGINX can manage many thousands of requests by offloading the dirty work to other servers to handle.  In my small development setup with all the required processes running on the same machine, NGINX merely hands off the work onto these local services and it all stays on the same machine.

I like to have several resources at my disposal to muck around with.  These include:

  1. WordPress blog site which is hosted at the default location ‘/’
  2. phpMyAdmin which greatly simplifies MySQL database administration stuff.
  3. Playground for my PHP programming stuff
  4. Playground for my Python progamming stuff
  5. A Django web framework site that I can beat up on
  6. Playground for my Go programming stuff.
  7. Playground for Flask web framework

My desired configuration is pictured below:

nginx

The below lists all the steps to get a fully working NGINX reverse proxy to all these resources, located at their respective branch off the default web domain.

Most tutorials out there will tell you how to set up each of these resources but assumes that you want it to be seen at the default ‘/’ location which doesn’t work well when you want multiple stuff running at the same time.  It makes more sense to split them off into their own branch off the default web location.

This was done on a vanilla Ubuntu system.  I used the localhost server since this was limited to my machine for development reasons.  Adjust as needed for a publicly accessible server with a fully qualified domain name.


Reverse proxy to phpmyadmin and default WordPress site

The goal here:

http://site.com/ → to wordpress
http://site.com/phpmyadmin → to phpmyadmin

sudo apt-get install nginx
sudo service nginx start

sudo apt-get install phpmyadmin     (ignore when asked for apache2 or lighttpd)

phpmyadmin installed in /usr/share/phpmyadmin

sudo apt-get install php5-fpm
sudo vi /etc/php5/fpm/php.ini and edit:

cgi.fix_pathinfo=0

sudo vi /etc/php5/fpm/pool.d/www.conf and edit:

listen = /var/run/php5-fpm.sock

sudo service php5-fpm restart
sudo vi /etc/nginx/sites-available/default
(This is not the final configuration but will get phpmyadmin working)

note that: /phpMyAdmin will be redirected to /phpmyadmin

server {
   listen 80;
   root /usr/share/nginx/html;
   index index.php index.html index.htm;

   server_name localhost;

   location / {
      try_files $uri $uri/ /index.html;
   }

   error_page 404 /404.html;

   error_page 500 502 503 504 /50x.html;
   location = /50x.html {
      root /usr/share/nginx/html;
   }

# pass the PHP scripts to FastCGI server listening on the php-fpm socket
   location ~ \.php$ {
      try_files $uri =404;
      fastcgi_pass unix:/var/run/php5-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
   }

   location /phpmyadmin {
      root /usr/share/;
      index index.php index.html index.htm;
      location ~ ^/phpmyadmin/(.+\.php)$ {
         try_files $uri =404;
         root /usr/share/;
         fastcgi_pass unix:/var/run/php5-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
      }
      location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
           root /usr/share/;
       }
   }
   location /phpMyAdmin {
      rewrite ^/* /phpmyadmin last;
   }
}

service nginx reload


Reverse proxy to Default WordPress site

WordPress was already installed in /var/www/www.jaredlog.com so the steps for installation of WordPress won’t be covered here.  Plenty of online tutorials out there to help you with this.

edit /etc/nginx/sites-available/default

root /var/www/www.jaredlog.com;
index index.php index.html index.htm;
server_name localhost;

location / {
   try_files $uri $uri/ /index.html;
}

error_page 404 /404.html;

error_page 500 502 503 504 /50x.html;
location = /50x.html {
   root /usr/share/nginx/html;
}

# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
   try_files $uri =404;
   fastcgi_pass unix:/var/run/php5-fpm.sock;
   fastcgi_index index.php;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   include fastcgi_params;
}

Reverse proxy to uWSGI python with unix socket

The goal here:

http://site.com/pythontest → to Python playground

With python stuff, we will make use of virtual environments to simplify the versioning of python and included packages.

sudo apt-get install python-dev python-pip

sudo pip install virtualenv

cd /var/www/pythontest
virtualenv pytontestenv

Activate the virtual environment
source pythontestenv/bin/activate

(deactivate later on after installation of packages).

pip install uwsgi
uwsgi –version

Setup a simple uWSGI app with unix socket for less overhead
(the Django w/Guincorn setup is mentioned later on)

edit /var/www/pythontest/wsgi.py

def application(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/html')])
    return ["<h1 style='color:blue'>Hello There, this is WSGI!</h1>"]

Test it
uwsgi –socket 0.0.0.0:8080 –protocol=http -w wsgi

Open web browser and visit http://localhost:8080

Can deactivate virtual environment now
deactivate

edit /var/www/pythontest/pythontest.ini

[uwsgi]
module = wsgi:application

master = true
processes = 5

socket = pythontest.sock
chmod-socket = 664
vacuum = true

die-on-term = true

edit /etc/init/pythontest.conf

description "uWSGI instance to serve pythontest"

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

script
   cd /var/www/pythontest
   . pythontestenv/bin/activate
   uwsgi -ini pythontest.ini
end script

sudo stop pythontest ; sleep 2 ; sudo start pythontest

See it running:
ps wwwauxg | grep uwsgi

add to /etc/nginx/sites-available/default

location /pythontest {
   include uwsgi_params;
   uwsgi_pass unix:/var/www/pythontest/pythontest.sock;
}

sudo service nginx configtest
sudo stop pythontest ; sleep 2 ; sudo start pythontest
sudo service nginx restart


Django installation with Gunicorn, MySQL and unix socket

The goal here:

http://site.com/djangotest → to Django playground

Create MySQL database djangotest

sudo apt-get install libmysqlclient-dev

cd /var/www/djangotest
source djangotestenv/bin/activate
pip install MySQL-python
pip install django
pip install gunicorn
deactivate

django-admin.py startproject djangotest .

edit /var/www/pythontest/djangotest/djangotest/settings.py

DATABASES = {
   'default': {
      'ENGINE': 'django.db.backends.mysql',
      'OPTIONS': {
          'read_default_file': '/var/www/pythontest/djangotest/my.cnf',
      },
   }
}

add to end of settings.py

STATIC_ROOT = os.path.join(BASE_DIR, "static/")

Create /var/www/pythontest/djangotest/my.cnf

[client]
database = djangotest
host = localhost
user = dbuser
password = yayouwish
default-character-set = utf8

./manage.py makemigrations
./manage.py migrate
./manage.py createsuperuser
./manage.py collectstatic

edit urls.py:

urlpatterns = [
   url(r’^djangotest/admin/’, include(admin.site.urls)),
   url(r’^djangotest/’, include(admin.site.urls)),
]

./manage.py runserver 0.0.0.0:8000

Open web browser to localhost:8000 to confirm.

localhost:8000/admin (log into django)

Gunicorn testing

source djangotestenv/bin/activate
gunicorn –bind 0.0.0.0:8000 djangotest.wsgi:application

confirm via web browser on port 8000
deactivate

/etc/init/djangotest.conf

description "Gunicorn instance to serve djangotest"

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

script
   cd /var/www/djangotest
   . djangotestenv/bin/activate
   /var/www/djangotest/djangotestenv/bin/gunicorn –workers 3 –bind unix:/var/www/djangotest/djangotest.sock djangotest.wsgi:application
end script

sudo stop djangotest ; sleep 2 ; sudo start djangotest

nginx configuration for django:

location /static/ {
   root /var/www/djangotest;
}

location /djangotest {
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_pass http://unix:/var/www/djangotest/djangotest.sock;
}

Reverse proxy to Go

The goal here:

http://site.com/gotest → to Golang playground

GVM makes it easier to develop with different versions of Go and packages your projects need.   Visit:  https://github.com/moovweb/gvm  for more information

sudo apt-get install curl git mercurial make binutils bison gcc

bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer)

gvm listall

gvm install go1.4.2
gvm use go1.4.2 –default
gvm list

source ~/.gvm/scripts/gvm

cd ~
mkdir -p go/{bin,pkg,src}

Put in .bashrc or .bash_profile

export GOPATH=$HOME/go
export GOBIN=$GOPATH/bin
export PATH=$PATH:$GOPATH/bin

cd ~/go/src
mkdir hello
cd hello

vi hello.go

package main

import (
   "fmt"
   "net/http"
)

func main() {
   http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
      fmt.Fprintf(w, "Hello there, Gopher")
   })

   http.ListenAndServe(":"3000″, nil)
}

go run hello.go

Open web browser to localhost:3000 and confirm you see the output.

sudo vi /etc/nginx/sites-enabled/default and add:

location /gotest {
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $remote_addr;
   proxy_set_header Host $host;
   proxy_pass http://127.0.0.1:3000;
}

Open web browser to localhost/gotest and you should see the same output

go install hello.go     (installs hello binary in your ~/go/bin directory)

cp ~/go/bin/hello   /var/www/gotest

edit /etc/init/gotest.conf

description "instance to serve gotest"

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

script
   exec /var/www/gotest/hello
end script

stop gotest ; sleep 2 ; start gotest


Reverse proxy to Flask with unix socket

The goal here:

http://site.com/flasktest → to Flask playground

mkdir /var/www/flasktest
cd /var/www/flasktest/
virtualenv flasktestenv

. flasktestenv/bin/activate
pip install Flask
pip install uwsgi
deactivate

vi flasktest.py

from flask import Flask
app = Flask(__name__)
app.debug = True

@app.route('/flasktest')
def index():
   return 'Flask Index Page'

@app.route('/flasktest/hello')
def hello():
   return 'Hello World from Flask'

edit /var/www/flasktest/wsgi.py

from flasktest import app

if __name__ == "__main__":
   app.run()

. flasktestenv/bin/activate
uwsgi –socket 0.0.0.0:8000 –protocol=http -w wsgi

verify working by checking via web browser at http://localhost:8000/flasktest
deactivate

/var/www/flasktest/flasktest.ini

[uwsgi]
module = wsgi

master = true
processes = 5

socket = flasktest.sock
chmod-socket = 660
vacuum = true

die-on-term = true

/etc/init/flasktest.conf

description "uWSGI instance to serve flasktest"

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

script
   cd /var/www/flasktest
   . flasktestenv/bin/activate
#   uwsgi --ini flasktest.ini
    uwsgi -s flasktest.sock --catch-exceptions --module flasktest --callable app
#   uwsgi --catch-exceptions --ini flasktest.ini
end script

/etc/nginx/sites-available/default

   location /flasktest {
        include uwsgi_params;
        uwsgi_pass unix:/var/www/flasktest/flasktest.sock;
   }

stop flasktest ; sleep 2 ; start flasktest

service nginx restart

open web browser to http://localhost/flasktest


Finally, here’s the final NGINX configuration in all its glory:

default.nginx.config

If you have better ideas for the NGINX configuration than what is seen here, feel free to comment below!


 

Posted in Linux, Programming | 1 Comment

Mobaxterm – setting up Git with CA certificate bundle

On my Windows machine, I use Mobaxterm, which is a great environment based on Cygwin and gives me an UNIX-like alternative to Windows command window.

Git can be set up but needs some configuration first before it’ll work flawlessly.

http://mobaxterm.mobatek.net/plugins.html  and get plugins for curl, openssl, git

Will likely see this error, when cloning a Git repo, and Git cannot find the CA certificate bundle required for secure access to Git.

git clone https://github.com/jaredevans/progtest

Cloning into 'progtest'...
 fatal: unable to access 'https://github.com/jaredevans/progtest/': 
SSL certificate problem, verify that the CA cert is OK. 
Details:
 error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed

To fix this, download & install the CA certificate bundle, then tell Git where to find it!

In Mobaxterm shell:

 mkdir -p /etc/pki/tls/certs
 curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/ca-bundle.crt
 git config --system http.sslcainfo /etc/pki/tls/ca-bundle.crt
 git config -l

git clone https://github.com/jaredevans/progtest

Cloning into 'progtest'...
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (3/3), done.
Checking connectivity... done.

Note: commands with colorized output like:

git log

will output messed up escape characters (can’t correctly show the colors).  To fix this:

git config --global core.pager more
Posted in Linux, Programming, Web/Tech | Leave a comment

GNS3: Offloading DHCP service to another router acting as DHCP server

Most tutorial examples (for reasons of simplicity) will include DHCP server configuration on the same router that’s connected to the multiple VLANs so that IP addresses can be provided to devices on the network.

For a more clean (and realistic) setup, the DHCP crud can be taken out of the core router and moved to a different router acting solely as a DHCP server for your network as seen below in the topology:

dhcp-offloading

This simple topology has the standard R1 “Router-on-a-Stick” set up with two VLANs, one for PC1 and different one for PC3.  There are many tutorials out there for the “ROAS” configuration so that step will not be covered here.  RDHCP is a separate router acting as a DHCP server and will take care of all DHCP requests.

Realistic networks almost always run a separate DHCP server to provide IP addresses to devices on the network.  Since a router can be set to act as a DHCP server, it’s ideal for a lab demonstrating the proof-of-concept of offloading DHCP service to another device / server.

In the topology, R1 (10.10.10.1) and RDHCP (10.10.10.10) are directly connected with each other.

When a DHCP request is broadcast by a device, it will bubble up to R1’s sub-interface for the VLAN and at which point, a DHCP relay agent can take over and forward the request to the offloaded DHCP server.

On R1,

include the line for DHCP relay agent on each of the sub-interfaces for the VLANs:

interface FastEthernet1/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 10.10.10.10
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.10.10.10
!

When DHCP packets are forwarded to RDHCP, the DHCP server will know which pool to use by checking the IP addresses of the sub-interface that sent the traffic.

If 192.168.10.1, then RDHCP knows to use the pool for VLAN 10, 192.168.20.1 for VLAN 20 pool.

RDHCP:

ip dhcp   excluded-address   192.168.10.1   192.168.10.20
ip dhcp  excluded-address  192.168.20.1   192.168.20.20

ip dhcp pool TEN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool TWENTY
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!

RDHCP also needs to know where to send back its DHCP responses so that the packets can make it all the way back to the devices.  Set up two static routes, one for each VLAN to send back the traffic to R1. R1 can then route the packets onto the right VLAN:

RDHCP:

ip route   192.168.10.0   255.255.255.0   10.10.10.1
ip route   192.168.20.0   255.255.255.0   10.10.10.1

routes1

Test a VPCS PC and have it make a DHCP request. Note that it gets the first available IP address after the excluded range of the pool:

pc1

Verify the DHCP bindings on RDHCP to see a list of leased IP addresses that have been given out:

binding

Posted in Networking | Leave a comment

lightweight HTTP sink using socat

Quick n’ dirty way to run a HTTP sink (on a server that isn’t supposed to have a HTTP server running) to catch bots scanning all machines across your network.

socat -T 1 -d -d tcp-l:80,bind=192.168.200.115,reuseaddr,fork,su=nobody,crlf system:”echo -e \”\\\”HTTP/1.0 200 OK\\\nDocumentType: text/html\\\n\\\n<html>date: \$\(date\)<br>server:\$SOCAT_SOCKADDR:\$SOCAT_SOCKPORT<br>client: \$SOCAT_PEERADDR:\$SOCAT_PEERPORT\\\n<pre>\\\”\”; cat; echo -e \”\\\”\\\n</pre></html>\\\”\”” 2>&1 | grep connection
2015/03/30 21:11:23 socat[12223] N accepting connection from AF=2 192.168.200.100:65477 on AF=2 192.168.200.115:80

Leave it up and running to quickly identify and process bot IP addresses that should be blocked.  Modify port as needed for other services the bots are trying to find.

Posted in Networking | Leave a comment

Watching in real-time IPv4 network interface changes

Note: I ignore local loopback and virtual networks.  Your setup may be different.

watch -n 1 'ip addr | grep inet | grep -v inet6 | grep -v "127.0.0.1" | grep -v  192\.168\.76 | grep -v 172\.16\.  | awk '\''{print $2}'\'''

To include in your bash shell start up:

alias watchip='watch -n 1 '"'"'ip addr | grep inet | grep -v inet6 | grep -v 127.0.0.1 | grep -v 192\\.168\\.76 | grep -v 172\\.16\\.  | awk '"'"'\'"'"''"'"'{print $2}'"'"'\'"'"''"'"'  '"'"' '

Gotta love all those escaping quotes?!?!

Posted in Linux, Networking | Leave a comment

Boogie Board Sync and how to merge multiple PDFs into one PDF

My wife surprised me with a cool gadget called Boogie Board Sync, which allows me to write down notes in a natural way and digitally save them to PDFs.

bbs

It pretty much works as advertised. You write down a single page worth of notes, then press ‘Save’ button to save it. You have a choice to transfer a copy of the notes as a PNG image or PDF document (my preference).  Since Boogie Board records your writing as vectors, the final output is crystal clear when you print or view them on your computer or mobile device.

How sharp?  Here’s a close up of my terrible handwriting as a vector-based PDF at 400% zoom:

closeup1

 

I only have two gripes about the Boogie Board Sync:

  1. Each saved page is transferred individually as one page PDF.  There’s no way to group together a few pages of notes into a single PDF.
  2. I prefer to write on the board in landscape orientation, rather than portrait. The resulting PDFs come out sideways when you open them in a PDF viewer program.

bbs-list

 

 

unrotated

There’s no choice but going the extra mile to get Boogie Board Sync to work the way I want it to by collecting multiple pages of notes into a single PDF and all pages are rotated 90 degrees clockwise so that I can view them without constantly turning my head to the left.

There are multiple websites that will merge/rotate your PDFs into a single PDF but I’m leery about these sites. Who knows what they will do with your PDFs once you upload them to get their “free” service?  NO THANKS!  I prefer to do it locally on my computer.

There are, indeed, a number of paid software one could buy to run some PDF magic. However, being a computer geek, I preferred to go the open-source (free) approach, if there was one.

Sejda is a console-based command-line utility that can take care of PDF magic for you.

While the installation says Sejda requires (*quelle horreur*) Java 1.5 or older, it works fine with Java 1.7.

Once you have a working installation of Sejda, it’s a snap to group together PDFs into a single PDF and then rotate them 90 degrees:

Rotate each PDF file 90 degrees clockwise:
mkdir ./rotated
sejda-console rotate –pageRotation all:90 -o ./rotated –files *.PDF

Merge multiple PDFs into a single PDF:
cd ./rotated
sejda-console merge -o ./merged.pdf –files *.pdf

Here’s the final merged PDF that’s correctly rotated for ease of viewing:

merged

Posted in Web/Tech | 4 Comments

Removing default “Samsung Mobile” bookmark folder from Samsung Android devices

One of the annoyances about Samsung Android devices such as the Galaxy Tab 3 and Galaxy S3 or S4 is that when you open Chrome app, there is a bookmark folder called “Samsung Mobile” which opens by default.

This folder can be made to disappear if you disable the process that your phone provider is running to force this bookmark folder inside Chrome.

– Open the Android “Settings” app
– Scroll down to “Applications Manager”
– Scroll right to the list of “All” apps
– Scroll down and find the app you want to disable. In this case,  “com.android.providers.partnerbookmarks”
– Select it, then tap disable.

When you restart Chrome, the “Samsung Mobile” folder should be gone and Chrome will default to the Mobile Bookmarks folder.

Posted in Android | 2 Comments

Useful: how to move a running process into a screen terminal

broken-rope

One of the useful things about using screen (a terminal multiplexer) console is that you are able to detach from the screen terminal while keeping your running session alive.  At a later time (such as when you arrive home from work), you can reattach and resume the same running session and view any output while you were gone.

Sometimes I’m in this situation: I need to leave but I just started a long running process that I don’t want to restart but I didn’t initially start it from within a screen terminal.  I want to avoid killing off the process and bring it over into a screen terminal so that it can continue to run uninterrupted.  Enter reptyr which will allow you to attach a process to another terminal console.

[The following steps were done on Ubuntu 12.04]

Install reptyr

sudo apt-get install reptyr
sudo vi /etc/sysctl.d/10-ptrace.conf

change this line:

kernel.yama.ptrace_scope = 0

Reboot for this sysctl value to take effect.

Now your system is ready to let you reattach running processes to a different teriminal.

Start a long running program, we’ll use ‘top’ for this example:

# top

Suspend the ‘top’ process

CTRL-Z
[1]+  Stopped                 top

List jobs

# jobs -l 
[1]+  2961 Stopped (signal)        top

Resume job 1 in the background

# bg %1 

Detach the process from terminal

# disown %1 
bash: warning: deleting stopped job 1 with process group 2961

Start screen then reattach the process:

# screen

Find the process of the ‘top’ process and reattach it to screen terminal

# pgrep top 
2961

# reptyr 2961

You are now running the ‘top’ process inside the screen terminal.  You may proceed to detach from screen and go home and reattach to it at a later time.

Posted in Linux | 1 Comment

Better Late than Never: following up on Google HTTPS using DHE cipher suites

[Above image is the famous Caesar Cipher]

One of the things that irked me about how Google handled the security of their HTTPS traffic was the lack of DHE ciphers.  I banged out a post “Google and Amazon do not offer ciphers using Diffie-Hellman Ephemeral mode.“, way back in Oct 2010.

Tonight, out of the blue, I decided to see if anything had changed since then.  While it is more than a year ago today but a year after my original blog post, Google finally took the initiative to encrypt their HTTPS traffic using DHE ciphers, as seen here at their Google Online Security Blog.

Google servers will still offer a range of possible ciphers for HTTPS traffic, the ECDHE-RSA-RC4-SHA cipher is now the preferred one, which is supported by all modern browsers. Less secure ciphers are still offered to many visitors who are running ancient browsers supporting only the older ciphers.

This is a great step forward for the security of Google HTTPS traffic: each session of your interactions with Google will be encrypted with a different key that exists only for a short time in memory and never written to persistent storage.  If an attacker captures your HTTPS trafic and even a hijacked copy of Google server’s private key, the attacker is still missing one more piece, the ephemeral key that has long since disappeared.

Several decades down the road, if the attacker starts up a powerful (quantum?) computer for decryption attempts, a successful decryption would be limited to one HTTPS session. The attack would have to re-run for each one of the sessions.  This will make it very difficult for the attacker to reconstruct what transpired between you and Google during this time.

While it’s better late than never, thank you Google for boosting the security of your traffic, which only gets more sensitive each year as more people become dependent on your services.

Posted in Networking | Leave a comment