Wednesday, February 14, 2018

Working Reverse Proxy in IIS

Too many references I see about IIS talk about using URL Rewrite to proxy requests to other applications. It's never worked right for me. However, I've found in the past day or so, references that break that impasse.

Procedure

  1. Install URL Rewrite & Application Request Routing (ARR) into your IIS installation.
  2. Create an empty directory where IIS can access it. This is where web.config will live.
  3. Create a virtual directory in IIS for your application. Give it the name and path of the subdirectory you want to expose (ex: /webservice), and point it at the empty directory you created earlier.
  4. Replace the contents of web.config of the directory "hosting" the virtual directory, with a modified version of the example here.

References

web.config

Change DOMAINSERVERNAME to your "external" URL. Change 3000 to whatever local port your other application uses.



<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:3000/{R:1}" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:3000/(.*)" />
          <action type="Rewrite" value="http{R:1}://DOMAINSERVERNAME/{R:2}" />
        </rule>
        <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
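One thing to check before trusting this config: the outbound rule only rewrites the href/action/src of the tags named in filterByTags (A, Form, Img), so a script or stylesheet reference in the backend's HTML keeps pointing at localhost:3000 and fails in the client's browser. The following Python simulation of ReverseProxyOutboundRule1 is an added example, not part of the post or of IIS; it runs the rule's own regex over a constructed HTML body and reports what still leaks. DOMAINSERVERNAME is the post's placeholder for the external host.

```python
import re

# Tag -> attribute pairs that filterByTags="A, Form, Img" in the web.config above covers.
FILTERED_TAGS = {"a": "href", "form": "action", "img": "src"}
# The outbound rule's match pattern; {R:1} is the optional "s", {R:2} the path.
BACKEND_URL = re.compile(r"^http(s)?://localhost:3000/(.*)", re.IGNORECASE)

def rewrite_outbound(html, external_host):
    """Apply ReverseProxyOutboundRule1 the way URL Rewrite does: only the
    listed attribute of the listed tags is inspected and rewritten."""
    def fix_tag(m):
        tag, attrs = m.group(1), m.group(2)
        attr = FILTERED_TAGS[tag.lower()]

        def fix_attr(am):
            new_url = BACKEND_URL.sub(
                lambda u: f"http{u.group(1) or ''}://{external_host}/{u.group(2)}",
                am.group(2))
            return f"{am.group(1)}{new_url}{am.group(3)}"

        attrs = re.sub(rf'(\s{attr}=")([^"]*)(")', fix_attr, attrs, flags=re.IGNORECASE)
        return f"<{tag}{attrs}>"

    return re.sub(r"<(a|form|img)(\s[^>]*)>", fix_tag, html, flags=re.IGNORECASE)

def find_backend_leaks(html):
    """Attribute values that still point at the backend after the outbound rule ran."""
    return re.findall(r'(?:href|src|action)="(https?://localhost:3000/[^"]*)"',
                      html, flags=re.IGNORECASE)

# Constructed sample response body, the kind the ResponseIsHtml1 preCondition passes.
SAMPLE_HTML = (
    '<html><body>'
    '<a href="http://localhost:3000/login">Login</a>'
    '<form action="https://localhost:3000/api/submit" method="post"></form>'
    '<img src="http://localhost:3000/logo.png">'
    '<script src="http://localhost:3000/app.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    fixed = rewrite_outbound(SAMPLE_HTML, "DOMAINSERVERNAME")
    print(fixed)
    print("still pointing at the backend:", find_backend_leaks(fixed))
```

If your application emits such references, either add Script and Link to filterByTags or have the backend generate relative URLs.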


Thursday, November 16, 2017

Making sure a network share mounts after booting in Linux

I ran into a situation where my CIFS / Samba share wasn't mounting automatically on boot. It appears to be a race condition: one that's resolvable by forcing another attempt later in the boot process. Create /etc/systemd/system/mountall.service, and use systemctl enable mountall to activate it.

[Unit]
Description=Ensure all drives are mapped
# network-online.target (rather than plain network.target) waits for the network to actually be up
Wants=network-online.target
After=network-online.target

[Service]
# oneshot: mount -a runs to completion and exits
Type=oneshot
ExecStartPre=/bin/sleep 5
ExecStart=/bin/mount -a

[Install]
WantedBy=multi-user.target

References





Wednesday, October 11, 2017

Attempts to fix 802.11ac WiFi networking issues

My boss and I have been dealing with WiFi issues in various home & work situations. I've been trying to assemble a good strategy to deal with them, and there appear to be some promising leads.

  • In 802.11ac environments you have 5 GHz available as well as 2.4 GHz. However, it turns out that "Dynamic Frequency Selection" (DFS) is eager to avoid interfering with radar installations. Per a chart of 802.11 5 GHz channels, that's channels 100-149 to avoid in a major urban area; so I am currently not using that range and have DFS turned off. Use a good WiFi analyzer app to pick the least-used channel outside that range.
  • If you're supporting older iPhones, they may not like 40 MHz 2.4 GHz setups; I found multiple posts online about that. Keep your 2.4 GHz at 20 MHz, and in N-only mode if you've managed to ditch all your old B & G devices.
  • In a residential setting, turn the power down, and if you know your neighbors, ask them to as well. 50-75% should be fine, especially in an apartment complex.
  • I set my Fragmentation Threshold to 1500 and RTS Threshold to 1501 for now. I need to study these more, but standard Ethernet framing isn't more than 1500 anyway, and I've read that in congested areas "less is more".
  • I also read that if your devices aren't going to be switching SSIDs a lot, to try raising the DTIM above the default of 1 (2 or 3 seem to be valid), and/or raising your Beacon Interval past 100 (I currently have mine at 3000). This is supposed to keep your wireless devices from waking up too often and draining power. However, setting these too high is said to negatively impact realtime chat and video apps.
Added: good, but dense, eBook on this stuff

Added #2: some more suggested tweaking on the Frag/RTS settings. I'm trying 1312 for my settings now, since I do have IPv6 on my connection (1280 bytes + 34 byte MAC header).

Friday, September 1, 2017

Quick conversion of iptables to FirewallD

I had a need to work with a CentOS 7 VM that was still using sysconfig/iptables rules, but some other stuff I needed working on it wasn't connecting right. From poking around online plus past experience, here's a snippet for anyone looking at a similar problem. This particular configuration (I scrubbed out other details) opens TCP 22, 443, and 8443, and forwards 8443 to 443 (I probably didn't need that extra 443 opening).


yum install firewalld
systemctl enable firewalld && systemctl start firewalld
firewall-cmd --zone=public --add-port={22,443,8443}/tcp --permanent
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
systemctl stop iptables && systemctl stop ip6tables
systemctl disable iptables && systemctl disable ip6tables
firewall-cmd --reload

Friday, August 11, 2017

Using tinc VPN for linking up a Linux data cluster with static IPv6 addresses

10 years ago, I wrote up this tutorial on how to use tinc to create a basic IPv6 network between multiple sites. I followed up on that work with a more robust network: that is documented on my own website, and frankly could use some updating. At least one person made a cleaned up variant.

Over the past four years since leaving the employer where I built that network, the acceptance and use of tinc and/or IPv6 has been rather mixed. However, I think I've found a use case for that past research: data clusters. In fact, another person (and another person as well) seems to have had a similar thought for his own needs. It also helps that most applications have full IPv6 support now, something that was barely in place 10 years ago.

Installation

CentOS/RHEL 7.x: yum install tinc; you'll need to edit the iptables & ip6tables files in /etc/sysconfig, or use a firewalld command, to allow TCP and UDP on port 655.

Debian/Ubuntu: grab the latest tinc-1.0.x deb from somewhere like Ubuntu Packages. It's also possible that apt install tinc will get you a new-enough version. You'll also need to run ufw allow 655/tcp && ufw allow 655/udp if you're using Uncomplicated Firewall.

Configuration


We're going to call this "privatelan", and assume you're using sudo / root to do this work. For editing, make sure you have nano, vi, etc. installed.
  1. mkdir -p -m=0700 /etc/tinc/privatelan/hosts
  2. In the past you needed to edit /etc/tinc/nets.boot, but if you're using systemd, go ahead and delete it. Otherwise, edit it to contain privatelan on a line of its own.
  3. If ls /etc/init.d/tinc* finds a file and you're using systemd, you'll need the systemd unit files. Download both .service files and copy them to /etc/systemd/system.
  4. You'll need to pick out / assign a ULA for this. You can use a ULA generator to pick a /64.
  5. Create and edit /etc/tinc/privatelan/tinc.conf, /etc/tinc/privatelan/tinc-up, and /etc/tinc/privatelan/tinc-down (see the config files below).
  6. chmod u+x /etc/tinc/privatelan/tinc-*
  7. tincd -n privatelan -K will generate a private key and create a host file in /etc/tinc/privatelan/hosts. Optionally, you can edit that new host file to add Compression=# (1-11, with 1-9 being gzip levels and 10-11 LZO).
  8. The master node needs a copy of the host file from every member system; those get copied to /etc/tinc/privatelan/hosts.
  9. All client nodes need a copy of the master node's host file. That file needs an Address=(DNS name or IP) line near the top so clients can find the master.
  10. When a node is ready, systemctl enable tinc@privatelan && systemctl restart tinc@privatelan; check your distro's docs if not using systemd.
  11. Add your new IPv6 addresses to your local DNS, or populate them as a batch in /etc/hosts.
  12. When in doubt, read the docs! Thanks!
  13. Added: on CentOS / RHEL systems, you may need to make sure SELinux isn't blocking anything, by running audit2allow -a.

Config files


tinc.conf

Name=node
Device=/dev/net/tun
Interface=privatelan
Mode=switch
#Comment next line if master
ConnectTo=master

tinc-up

#!/bin/sh
ip link set privatelan mtu 1280 qlen 4096 up
ip -6 address add 2001:db8:beef:1::1/64 dev privatelan

tinc-down

#!/bin/sh
ip -6 address del 2001:db8:beef:1::1/64 dev privatelan
ip link set privatelan down

hosts/node

Address=192.0.2.200
Compression=10

===SSHkey===
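The per-node part of the procedure above (steps 1, 4, 5 and 6), automated as an added example that is neither the post's nor tinc's own code: it derives the node's address from the /64 ULA chosen in step 4, refuses prefixes that aren't ULAs (the 2001:db8:: used in the sample tinc-up is the RFC 3849 documentation prefix, fine for a writeup but not what step 4 asks for), and writes tinc.conf, tinc-up and tinc-down with the scripts marked u+x. The node name "node", master name "master" and prefix fd12:3456:789a:1::/64 are assumptions; base_dir=None writes under a temp dir instead of /etc/tinc.

```python
import ipaddress
import os
import stat
import tempfile

NET = "privatelan"  # network name used throughout the post

def is_ula64(prefix):
    """True only for a /64 inside fc00::/7 (ULA), which is what step 4 asks you to pick."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError:
        return False
    return net.prefixlen == 64 and net.subnet_of(ipaddress.IPv6Network("fc00::/7"))

def node_address(prefix, index):
    """Host <index> inside the chosen /64, as the CIDR string tinc-up/tinc-down use."""
    if not is_ula64(prefix):
        raise ValueError(f"{prefix} is not a /64 ULA")
    return str(ipaddress.IPv6Interface(f"{ipaddress.IPv6Network(prefix)[index]}/64"))

def render_files(name, master, address):
    """tinc.conf, tinc-up and tinc-down contents (step 5) for one node."""
    conf = [f"Name={name}", "Device=/dev/net/tun", f"Interface={NET}", "Mode=switch"]
    if name != master:
        conf.append(f"ConnectTo={master}")  # the master node has no ConnectTo line
    return {
        "tinc.conf": "\n".join(conf) + "\n",
        "tinc-up": f"#!/bin/sh\nip link set {NET} mtu 1280 qlen 4096 up\n"
                   f"ip -6 address add {address} dev {NET}\n",
        "tinc-down": f"#!/bin/sh\nip -6 address del {address} dev {NET}\n"
                     f"ip link set {NET} down\n",
    }

def write_node(base_dir, name, master, prefix, index):
    """Create <base_dir>/privatelan/hosts (step 1), write the files, chmod u+x the scripts (step 6)."""
    base_dir = base_dir or tempfile.mkdtemp()  # assumption: temp dir stands in for /etc/tinc
    net_dir = os.path.join(base_dir, NET)
    os.makedirs(os.path.join(net_dir, "hosts"), mode=0o700, exist_ok=True)
    result = {}  # file name -> is it executable
    for rel, body in render_files(name, master, node_address(prefix, index)).items():
        path = os.path.join(net_dir, rel)
        with open(path, "w") as fh:
            fh.write(body)
        if rel.startswith("tinc-"):
            os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        result[rel] = os.access(path, os.X_OK)
    return result
```

Step 7 (tincd -K) still has to run on each node afterwards, since the host file's key pair must be generated on the node itself.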

Tuesday, August 1, 2017

Accessing & upgrading a Debian Bitnami VM

So I stumbled across Bitnami recently. It's nice to be able to download ready-to-go VMs for different pieces of software. One I tried was a VMWare OVA that used Debian 8 as its base. But the current release of Debian is 9.1, and there wasn't an immediate issue involved in upgrading (MySQL -> MariaDB compatibility is an issue for some apps).

I. I needed SSH access. After loading the VM, I was able to enable SSH by following the Bitnami instructions for doing so. They add an extra /etc/ssh/sshd_not_to_be_run file to keep SSHD disabled, even after enabling the service.

II. I modified instructions from this source and another tool to make something work for me. Logged in over SSH as the bitnami user; for the last step, keep existing files if asked...

  1. sudo su -
  2. cp /etc/apt/sources.list /etc/apt/sources.list_backup
  3. apt install nano deborphan
  4. wget https://launchpad.net/~utappia/+archive/ubuntu/stable/+files/ucaresystem-core_3.0-1+xenial2_all.deb
  5. dpkg -i ucaresystem-core_3.0-1+xenial2_all.deb
  6. sed -i 's/jessie/stretch/g' /etc/apt/sources.list
  7. apt update && ucaresystem-core

III. Bitnami used the Extlinux bootloader for the VM I had; so I had to manually edit it to accept the newer kernel. nano /extlinux.conf ; change the kernel to /vmlinuz and change the initrd= to use /initrd.img as the target. For the end of the "append" line, add scsi_mod.use_blk_mq=y dm_mod.use_blk_mq=y or elevator=noop per what VMWare and others have suggested of late.

IV. Of course you should reboot the VM.

You should be able to modify this process to upgrade other Debian & Ubuntu VMs; just be wary of how things work on different versions (especially if you're trying to hop from something non-system-friendly).

Errata

Since you'd be using kernel 4.9 or better, give this a whirl in your /etc/sysctl.conf. One caveat: net.ipv4.tcp_tw_recycle was removed in kernel 4.12, and on kernels that still have it, it breaks connections from clients behind NAT, so that line is best left out.

net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.core.somaxconn=1024
net.core.netdev_max_backlog=2048
fs.file-max=1000000
net.core.bpf_jit_enable=1


Updated Aug 2, 2017 to include extlinux.conf changes + use of TCP_BBR.

Friday, March 17, 2017

Weird missing drives error on a not-that-old laptop

I was working on an ASUS "Republic of Gamers" laptop for a coworker the other night. An otherwise decent piece of hardware was being operated off a 5400 RPM "quiet" hard drive, so I migrated the data over to a spare 500GB SSD using Parted Magic, and moved the old drive to the second bay. Pretty straightforward so far.

I probably spent the next hour trying to figure out why neither hard drive was coming up as a boot option. Disabling Secure Boot, re-enabling it, toggling the CSM, trying to do Startup Repair with the Windows 10 USB drive the system could detect, a BIOS/UEFI update... It turns out the BIOS/UEFI was detecting partitions, not physical drives, and I had partitioned the drives as GPT, not MSDOS format. Using Parted Magic again (gdisk and fdisk, specifically), I converted the partition tables back to MSDOS format, and then attempted to fix the Windows startup. I used instructions similar to these for getting things going again: bootsect.exe /nt60 all was the magic command in the Windows 10 recovery command prompt.

Newer systems and laptops should be just fine with GPT, but it was interesting to me that the boot order of a UEFI system was not detecting GPT-enabled drives.