Category Archives: Uncategorized

Hello,

If by any chance you are interested in following what else I have been up to, you can see it at blog.perfectlylogical.com. I am now doing computer security, so my new blog is more focused on those types of posts: configuration mistakes, tools/scripts, or ways I do things. That being said, this blog will remain up, just as inactive as it has been, and I may move the Pound blog post over to my other blog.

Cheers

HTTPS reverse proxy to multiple unique hosts

This is a guide on how to set up the pound proxy to act as a reverse proxy for multiple HTTPS websites using a wildcard SSL certificate.

I am configuring this on an Ubuntu machine. I originally had the reverse proxying set up with nginx, but that was without using SSL. When I tried to implement the nginx SSL reverse proxy I was only getting access to the first server configured, because of a design flaw in HTTPS. HTTP reverse proxies work by forwarding based on the “Host:” field in the header, but because this is encrypted the proxy cannot make the proper forwarding decision. I then tried to set up squid to do this, but I couldn’t get it to build with SSL support. After a quick Google search I found a proxy called pound.

When pound is configured to use HTTPS it expects the certificate in PEM format, which means it wants the wildcard certificate and the certificate’s private key in one file, together with the intermediate certificates if they are needed. An issue with GoDaddy certificates is that browsers sometimes do not trust them on their own; to avoid this error the intermediate certificate chain must be included in the PEM file.

Pound is able to handle multiple SSL sites pointing to it because it terminates the whole SSL transaction on its end and then forwards to the respective web server based on the Host header value. This also means that the connections from the proxy to the web servers are over plain HTTP and are not encrypted. You can use other measures to secure traffic between internal hosts and ease the paranoia.

The diagram below shows the test environment setup.

||—–(192.168.1.5)Proxy.mydomain.com(1.2.3.4) —– INTERNET
||
||————-Test1.mydomain.com(192.168.1.11)
||
||————-Test2.mydomain.com(192.168.1.12)
||
||————-Test3.mydomain.com(192.168.1.13)

All your external DNS records for Test1, Test2 and Test3 will point to 1.2.3.4. Then you can either have your internal DNS configured, or use the /etc/hosts file, to resolve the full domain names to the right IPs so that each site is forwarded to the right web server. Below is a copy of the config file that was used in /etc/pound/pound.cfg.

apt-get install pound
# The Debian/Ubuntu init script refuses to start pound until /etc/default/pound
# (singular "default") contains startup=1; the file is sourced as shell, so a bare "1" would not work.
echo "startup=1" > /etc/default/pound
# edit /etc/pound/pound.cfg to match the sample below
service pound start


/etc/pound/pound.cfg sample
## Minimal sample pound.cfg
######################################################################
## global options:
User        "www-data"
Group        "www-data"
#RootJail    "/chroot/pound"
## Logging: (goes to syslog by default)
##    0    no logging
##    1    normal
##    2    extended
##    3    Apache-style (common log format)
LogLevel    1
## check backend every X secs:
Alive        30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine    ""

######################################################################
## listen, redirect and ... to:
# Here is a more complex example: assume your static images (GIF/JPEG) are to be served from  a  single  back-end  192.168.0.10.  In
#       addition,  192.168.0.11  is  to  do  the  hosting for www.myserver.com with URL-based sessions, and 192.168.0.20 (a 1GHz PIII) and
#       192.168.0.21 (800Mhz Duron) are for all other requests (cookie-based sessions).  The logging will be done by the back-end servers.
#       The configuration file may look like this:
# Main listening ports
ListenHTTPS
  Address 1.2.3.4
  Port    443
  Cert    "/etc/ssl/certs/mydomain.com.pem"


  Service
    HeadRequire "Host:.*test1.mydomain.com.*"
    BackEnd
      Address 192.168.1.11
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test2.mydomain.com.*"
    BackEnd
      Address 192.168.1.12
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test3.mydomain.com.*"
    BackEnd
      Address 192.168.1.13
      Port    80
    End
  End
End
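How these Service rules pick a back end, modelled in Python as an added example (this is not pound’s own code): the PAGE_RULES list is copied from the config above, while STRICT_RULES and the sample request headers are constructed here. Pound tries Services in file order and forwards to the first one whose HeadRequire pattern matches a header line; because the page’s patterns are unanchored and leave the dots unescaped, any Host value that merely contains the name also matches, which the anchored variant avoids.

```python
import re

# Service rules as they appear in the pound.cfg above, in file order. Pound
# matches HeadRequire patterns against the request's header lines and sends
# the request to the first Service whose pattern matches.
PAGE_RULES = [
    (r"Host:.*test1.mydomain.com.*", "192.168.1.11"),
    (r"Host:.*test2.mydomain.com.*", "192.168.1.12"),
    (r"Host:.*test3.mydomain.com.*", "192.168.1.13"),
]

# Tightened variant (added here, not from the page): anchor the line, escape
# the dots and allow only an optional :port, so lookalike names fall through.
STRICT_RULES = [
    (r"^Host:\s*test1\.mydomain\.com(:\d+)?\s*$", "192.168.1.11"),
    (r"^Host:\s*test2\.mydomain\.com(:\d+)?\s*$", "192.168.1.12"),
    (r"^Host:\s*test3\.mydomain\.com(:\d+)?\s*$", "192.168.1.13"),
]


def select_backend(rules, header_lines):
    """Return the backend for the first rule matching any header line, or
    None when no Service matches (pound answers such a request with an error
    page instead of forwarding it). Matching is done case-insensitively,
    which is how pound compiles HeadRequire patterns (assumption; see pound(8))."""
    for pattern, backend in rules:
        regex = re.compile(pattern, re.IGNORECASE)
        if any(regex.search(line) for line in header_lines):
            return backend
    return None


def route(rules, host_value):
    """Route a constructed request that carries the given Host header value."""
    header_lines = [
        f"Host: {host_value}",  # the only header these rules look at
        "User-Agent: constructed-client/1.0",
        "Connection: close",
    ]
    return select_backend(rules, header_lines)


if __name__ == "__main__":
    for host in ("test1.mydomain.com", "TEST2.mydomain.com:443",
                 "test1.mydomain.com.example.net", "test1xmydomain.com"):
        print(f"{host:34} page rules -> {route(PAGE_RULES, host)!s:14}"
              f"strict -> {route(STRICT_RULES, host)}")
```

The exact regex flavour and case handling depend on the pound version installed, so confirm them in the pound(8) man page before relying on the anchored form.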

For my 0.3 I was to figure out the best build factor on Koji for the PandaBoards, but I ran into unforeseen technical issues with hongkong, the ARM Koji server. Even if the site were fully restored and functional by Wednesday, I am not sure I would have had a moment where I could take down all but one of the PandaBoard builders to do my testing.

So I am going to include some info that was shared with me by our professor Chris Tyler. He said that in his preliminary testing with the httpd package, with the build factor set to 4 (allowing for two consecutive jobs) and then running 4, there was an overall increase in jobs done compared to building 3 jobs in sequence. He also told me that the httpd package was not really a good test for measuring purposes, but for quick testing it was sufficient.

For my 0.3 I will be doing testing on the Koji farm to determine the optimum build factor for the PandaBoards. Currently it is 2, which is the default for Koji; this only allows one task to be built at a time on a board, which was fine for the GuruPlug and the BeagleBoard, but not for the PandaBoard, which has more than twice the potential of the other boards on the build farm.

The idea from Chris Tyler is to take down all but one machine on the build farm, queue a bunch of jobs, edit the build factor, watch the time taken for the builds and determine what the best build factor is. The package I plan to test this out on is the firefox RPM for ARM. I am planning to do this testing sometime over the next couple of days.

When the PandaBoard boots it reserves 33554432 bytes (32MB) of RAM for VRAM. As there is no need for video, this RAM can be better used by the builder, so I went about removing the video drivers from the kernel.

I have successfully compiled a kernel that has no video drivers in it, for the purpose of build machines. Thus I was able to reach over 900MB of RAM in the operating system, along with my previously built MLO and u-boot.bin files. I disabled the drivers from the kernel by running the command

make ARCH=arm CROSS_COMPILE=/path/to/cross/compiler menuconfig

In the menu I went to System Type and under ARM System Type I selected TI OMAP. Under that option I went to TI OMAP2/3/4 Specific Features, disabled TI OMAP2 and TI OMAP3, and then disabled OMAP 4430 SDP board from the list of the two remaining boards (Figure 1). I then went back to the main menu and into the Device Drivers subsection. I went down to Multimedia Support and deselected it. Then I went into the Graphics Support submenu and disabled all options except Backlight & LCD device support (Figure 2).

Figure 1: TI OMAP2/3/4 Specific Features

Figure 2: Graphics Support configuration

I then exited menuconfig and saved the config as the default. I then compiled the uImage for the kernel from the .config that menuconfig created, with the make command below.

make ARCH=arm CROSS_COMPILE=/path/to/cross/compiler uImage

A copy of the full boot files can be downloaded from here.
The .config that got generated can be downloaded from here.

The output from the free -m command, which shows 907MB available to Fedora, is below.

[root@cdot-panda-5-1 kernel]# free -m
Unknown HZ value! (94) Assume 100.
             total       used       free     shared    buffers     cached
Mem:           907         15        892          0          0          3
-/+ buffers/cache:         11        895
Swap:            0          0          0

To avoid errors on boot about not finding modules, I copied /lib/modules/2.6.35-g6d019da-dirty to /lib/modules/2.6.35.3.

To test the stability of my uImage with the 900MB of RAM I did a native compile of the kernel on the PandaBoard. I got through the compile without the board crashing; that process took about 74 minutes. I am not sure if that is normal for native compiles, but I am happy that my board did not seem to have stability issues.

With the IT field having such a large range of departments and options to go into, schools do not really go into much detail with their curriculum and instead give a broader knowledge base for people to start with. This is good for starting out in the field, building your experience and determining what aspect you would like to go into in further detail.

This is where certifications come into play. They provide a means to further your knowledge in a specific area and a way to prove to employers that you have attained a certain level of knowledge. There are many certification providers for many aspects of the field. There are certifications for project management, repairing and troubleshooting PCs, building and troubleshooting networks, security, programming, operating system use and configuration, and virtualization software.

There are some starting certifications that will be good to have when you start out, depending on where you want to go. For the system administrator, the Microsoft Certified System Administrator (MCSA) or the Microsoft Certified System Engineer (MCSE) gives you the starting point for managing Windows servers. CompTIA A+ is a good place to start for people who want to get into the repair and troubleshooting of computers. CompTIA Network+ covers the basics of building networks and troubleshooting them from the standpoint of not needing to configure the devices yourself; Network+ does more of the theory behind the network and server configurations. The Cisco Certified Network Associate (CCNA) builds the knowledge base for the holder to build networks and to configure and troubleshoot routers and switches.

Apple has announced that OS 4 for the iPhone will have multitasking. This is a breakthrough for the iPhone, where many users complain that they want to run multiple applications. Apple has released the APIs to developers that allow for this functionality, so you can expect apps that use it soon. To get a list of the programs running, the user simply has to press the home button twice. The trade-off with the use of multitasking is that you can expect your battery life to be less than it is now. The other downside is that only users with the iPhone 3GS and up will benefit, as this will not be supported by the iPhone 3G and older.

Another new feature of the iPhone OS is that it will support the ability to encrypt all e-mail and attachments, unlocking them with a user-entered PIN code. This means that if the phone is stolen, sensitive e-mails will not be at risk of exposure. It will also support Exchange 2010 and allow users to sync multiple Exchange accounts to a single device. It also adds a platform that will let advertisers and software developers embed a range of multimedia ads directly into an iPhone 4 application.

The iPhone is still missing Flash and Java support and will not likely support them in future releases.

BlackBerry recently released a scaled-down version of their BlackBerry Enterprise Server (BES). This product is free and has most of the functionality of its full counterpart. It supports up to 30 devices at a time, 200 e-mails a day and about 100 users in total. This release is geared towards small businesses that need the BES infrastructure for day-to-day business and convenience but cannot afford the licensing, or cannot justify spending that much on it. If the company starts out with BES Express and outgrows this version, it is fully upgradable to the full version, allowing for full scalability.

Up-and-coming system administrators can also benefit from this free software, because they can take the time to play with it in a test environment and get comfortable with the features and ways of getting things done, without an employer having to train them. This makes them better versed and more capable at the start of a job.

BES Express can be downloaded from the BlackBerry website; registration is required for the download.

Figure: The Welcome screen for BES Express 5.0

Figure: Role Management

There are some useful tools that I have come across through my experiences. Some of them are useful for techies and others for regular users. None of the following programs require licensing or purchasing.

  • Sysinternals Suite - This is a collection of troubleshooting tools that help with problems like determining which programs are running on startup (Autoruns), seeing what connections your computer is making (TCPView), and task manager on steroids (Process Explorer and Process Monitor). Sysinternals Suite download
  • Unlocker - Have you ever tried to delete a file or stop a program and got the error that the “file is in use and the action cannot be performed”? This neat little program helps you determine which program is stopping you from deleting a file or stopping a process. It not only shows you what is locking the file or process, it also lets you kill the process that is stopping you. You can try Unlocker from here.
  • Nmap - This utility scans networks for network exploration, inventory or security auditing purposes. You can try Nmap from here.
  • Linux Utilities - This is for the Linux buff who uses Windows but wants the comfort and functionality of Linux command-line programs. Download from here.
  • curl - Used to test various settings for websites. You can connect to a website fully from the command line and see the HTTP headers and other connection information that is useful when testing connection and website issues. Link on how to use curl
  • PuTTY - This is used to connect to remote devices such as SSH servers, computers, FTP servers, routers and switches. This program is typically used to administer remote devices with minimal administrative effort.
  • Sun VirtualBox - This is a program that allows you to test, configure and host virtual machines for your personal use. It is a nice program to have, as it lets you test programs without risking the safety of your own machine. Video on how to install VirtualBox.

Hey all,

New to this whole blogging thing, so it took me some time to come up with what to talk about. After some thought I guess I will talk about anything computer related, seeing as that is what I want to get into in the long run.

Not quite sure what to post about at this point in time, but to give a general idea of what is going to be posted, here are the kinds of things:

  • Interesting Products
  • Security related news
  • Useful little programs
  • Operating systems thoughts
  • Certification Updates
  • Upcoming projects and undertakings