Reverse Proxy with HTTP Auth in the Backend 
Friday, 5 May 2017, 15:27 - General, Knowledge, Apache Stuff, Linux Stuff, Nginx
Posted by Administrator
To access a web server through a reverse proxy when that web server is itself protected with HTTP Basic authentication (and the backend requires different login credentials than those needed to log in at the reverse proxy), the HTTP authentication for the backend server must be supplied in the proxy section.

To do this, first encode the username and password as a Base64 string:
echo -n "User:Pass" | base64
(Even if no username is used, the colon must still be present in the string to be encoded!)

Then add the following to the configuration of the frontend server used as the reverse proxy, e.g. in a Location section. The first line is the Apache form (RequestHeader, from mod_headers), the second the nginx form:

RequestHeader set Authorization "Basic VXNlcjpQYXNz"

proxy_set_header Authorization "Basic VXNlcjpQYXNz";

Technical background:

If the backend uses the same login credentials as the frontend (reverse proxy), the client's web browser should pass them on transparently in the subsequent HTTP auth request, and the directive above is not needed.

If, however, you try to log in with different HTTP auth passwords (first the one for the reverse proxy, then the one the backend web server requires), the login at the proxy immediately becomes invalid -> access would never work this way!
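
The Base64 string in these directives is only an encoding of the backend login, so anyone who can read the proxy configuration can recover it. The following audit is an added example, not part of the original post; the function names, the sample configuration and the host backend.example.test are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Base64 is an encoding, not
# encryption: anyone who can read the proxy config can recover the backend
# login. This lists where such credentials are embedded, printing only the
# username so the password never reaches the terminal or a log.

# Read a config on stdin; print "<line>:<user>" for each hard-coded Basic
# Authorization header (Apache RequestHeader or nginx proxy_set_header).
embedded_basic_users() {
    grep -nE '(RequestHeader[[:space:]]+set|proxy_set_header)[[:space:]]+Authorization[[:space:]]+"Basic [A-Za-z0-9+/=]+"' |
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        token=${hit#*\"Basic }
        token=${token%%\"*}
        creds=$(printf '%s' "$token" | base64 -d)
        printf '%s:%s\n' "$lineno" "${creds%%:*}"
    done
}

# Constructed sample: one Apache and one nginx block using the value from the post.
sample_conf() {
    cat <<'EOF'
<Location "/app/">
    ProxyPass "http://backend.example.test/"
    RequestHeader set Authorization "Basic VXNlcjpQYXNz"
</Location>
location /app/ {
    proxy_pass http://backend.example.test/;
    proxy_set_header Authorization "Basic VXNlcjpQYXNz";
}
EOF
}

sample_conf | embedded_basic_users
```

Run it over the real configuration files (for example `embedded_basic_users < your.conf`) and make sure every file it reports is readable only by the web server's administrators.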
Test SMTP Auth 
Thursday, 24 September 2015, 19:07 - Mail stuff
Posted by Administrator
Sometimes you need to test whether SMTP auth (for sending e-mails) is working properly, and you don't want to (or can't) test with an ordinary e-mail client.

You can test using a telnet session. But first, you must encode the username and password using this command snippet:
echo -en "testlogin" | openssl enc -base64
echo -en "testpass" | openssl enc -base64

telnet <your_server_address> 25 (or 587)

Now you do the same as an e-mail client (lines starting with a number are the server's replies):
HELO mybox.mydomain.tld
250 host.domain.tld
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdGxvZ2lu
334 UGFzc3dvcmQ6
dGVzdHBhc3M=
235 2.7.0 Authentication successful
QUIT
221 2.0.0 Bye

If a line containing "Authentication successful" appears, the login was able to authenticate against the mail server for sending e-mail.

REMARK: There are some other sites with examples in Perl that don't work with full e-mail address usernames (user@domain.tld) because they do not escape the "@" sign, which designates a Perl array.
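
The Base64 strings in the telnet session can be produced and checked offline. This is an added example, not part of the original post; the function names are assumptions, and it uses the coreutils base64 tool where the post uses openssl enc -base64.

```sh
#!/bin/sh
# Added example, not from the original post: the Base64 pieces of an
# SMTP AUTH LOGIN exchange, using the post's test credentials.

# Encode without a trailing newline; a plain `echo` would append "\n"
# and the server would see a different (wrong) username or password.
b64()   { printf '%s' "$1" | base64 | tr -d '\n'; }
unb64() { printf '%s' "$1" | base64 -d; }

# Decode the prompt carried in a "334 <base64>" server reply.
decode_challenge() { unb64 "${1#334 }"; }

# Print the three lines the client sends for AUTH LOGIN.
auth_login_lines() {
    printf 'AUTH LOGIN\n%s\n%s\n' "$(b64 "$1")" "$(b64 "$2")"
}

# Succeed only if a token does not decode to text ending in a newline
# (command substitution strips trailing newlines, so the byte counts differ).
token_is_clean() {
    raw=$(unb64 "$1" | wc -c)
    trimmed=$(printf '%s' "$(unb64 "$1")" | wc -c)
    [ "$raw" -eq "$trimmed" ]
}

# Classify the server's final reply to the password (RFC 4954 codes).
auth_result() {
    case "$1" in
        235*) echo success ;;
        535*) echo rejected ;;
        *)    echo unexpected ;;
    esac
}

decode_challenge '334 VXNlcm5hbWU6'; echo
decode_challenge '334 UGFzc3dvcmQ6'; echo
auth_login_lines testlogin testpass
```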
Turning SSLv3 off on Apache Server to mitigate "POODLE" attack (CVE-2014-3566) 
Thursday, 16 October 2014, 10:22 - Apache Stuff, OpenSSL
Posted by Administrator
Add the following to your SSL configuration section:

# Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
SSLProtocol All -SSLv2 -SSLv3

Note: insert this into all VirtualHost sections where SSL is enabled!

Check your config:
apachectl configtest

Then restart the Apache server:
sudo service apache2 restart

To check if SSLv3 is turned off:
openssl s_client -connect server.domain.tld:443 -ssl3

Then you should see a message like this:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
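
To find VirtualHost sections that enable SSL but were missed when adding the directive, the configuration can be scanned before restarting. This is an added example, not part of the original post; the function names, addresses and sample configuration are constructed, and the way SSLProtocol tokens are evaluated is stated as an assumption in the comments.

```sh
#!/bin/sh
# Added example, not from the original post: list <VirtualHost> sections
# that enable SSL but whose SSLProtocol setting still allows SSLv3.
# Assumptions: tokens are applied left to right (bare name replaces the
# set, +name adds, -name removes); a section without SSLProtocol counts as
# allowing SSLv3; included files and server-wide settings are not followed.

# Read an Apache config on stdin; print the opening line of each offender.
vhosts_allowing_sslv3() {
    awk '
        { d = tolower($1) }
        d ~ /^<virtualhost/ { first = $0; invh = 1; ssl = 0; v3 = 1; next }
        invh && d == "sslengine" && tolower($2) == "on" { ssl = 1 }
        invh && d == "sslprotocol" {
            for (k = 2; k <= NF; k++) {
                p = tolower($k); sign = substr(p, 1, 1)
                if (sign == "+" || sign == "-") p = substr(p, 2); else sign = ""
                hit = (p == "all" || p == "sslv3")
                if (sign == "") v3 = hit
                else if (hit)   v3 = (sign == "+")
            }
        }
        d ~ /^<\/virtualhost/ { if (invh && ssl && v3) print first; invh = 0 }'
}

# Constructed sample configuration (documentation addresses and names).
sample_apache_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    # Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.13:80>
    ServerName www.example.test
</VirtualHost>
EOF
}

sample_apache_conf | vhosts_allowing_sslv3
```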

To disable SSLv3 within other services:
see this post
Check certificate on a server 
Wednesday, 4 June 2014, 18:26 - Knowledge, OpenSSL
Posted by Administrator
Issue the following command:
openssl s_client -CApath /etc/ssl/certs/ -connect <host.domain.tld>:993

To test a mail server that supports both unencrypted and encrypted (TLS) connections via the STARTTLS method:
openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect <host.domain.tld>:25

Near the end of the command output, before any greeting message from the server, it should state:
    Verify return code: 0 (ok)

A bit further up, you can check the completeness of the certificate chain:
Certificate chain
0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

The last i(ssuer) is the root cert that most clients will trust.
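
Both checks, the verify return code and the issuer-to-subject linkage of the chain, can be run over saved s_client output. This is an added example, not part of the original post; the function names and the sample output with its certificate names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: check the "Certificate chain"
# block and the verify result in saved `openssl s_client` output.

# Print one line per break: the issuer (i:) of certificate k must equal
# the subject (s:) of certificate k+1. No output means the chain links up.
chain_gaps() {
    awk '
        /^Certificate chain/      { inchain = 1; next }
        /^---/                    { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1])
                    print "gap: issuer of " k " is not subject of " (k + 1)
        }'
}

# Print the numeric code from the first "Verify return code:" line.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed s_client excerpts with made-up names.
sample_ok() {
    cat <<'EOF'
Certificate chain
 0 s:/C=CH/CN=mail.example.test
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
EOF
}
sample_broken() {
    cat <<'EOF'
Certificate chain
 0 s:/C=CH/CN=mail.example.test
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Unrelated Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_broken | chain_gaps
```

A server that sends only its own certificate produces no gap line, so always read the verify code as well.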
Postfix Mail Queue Cleaner 
Monday, 14 April 2014, 12:17 - Tools & more, Knowledge, Postfix Stuff
Posted by Administrator
This small shell script removes all messages originating from a certain sender address from the Postfix mail queue.

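#! /bin/bash
# Remove all queued messages sent from the address given as first argument.
emailaddr="$1"
if [ "$emailaddr" == "" ]; then
  echo "please give e-mail address"
  exit 1
fi
# Queue IDs are the first field of the mailq lines that name the sender.
for id in `mailq | egrep "[0-9A-F]{10} " | grep -F -- "$emailaddr" | cut -d " " -f 1`
do
  echo "$id"
  postsuper -d "$id"
done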
