Sysadmin Blog

Reverse Proxy mit HTTP Auth im Backend

Damit man über einen Reverse-Proxy auf einen Web-Server zugreifen kann, welcher seinerseits wieder mit HTTP Basic Authentifizierung geschützt ist (und im Backend andere Login-Informationen als für die Anmeldung am Reverse Proxy erforderlich sind), muss die HTTP-Authentifizierung für den Backend-Server im Proxy-Abschnitt mitgegeben werden.

Dazu muss zuerst Benutzername und Passwort in eine Base64-Zeichenkette encodiert werden:

echo -n "User:Pass" | base64
VXNlcjpQYXNz

(auch wenn kein Benutzername benutzt wird, muss das Doppelpunkt im zu encodierenden String enthalten sein!)

Danach in der Konfiguration des als Reverse-Proxy verwendeten Frontend-Servers folgendes z.B. in einen Location-Abschnitt hinzufügen.

Apache:

RequestHeader set Authorization "Basic VXNlcjpQYXNz"

Nginx:

proxy_set_header Authorization "Basic VXNlcjpQYXNz";

Technischer Hintergrund:

Sofern dieselben Anmelde-Informationen im Backend verwendet werden wie im Frontend (Reverse-Proxy), sollte dieses bei der nachfolgenden HTTP-Auth Anfrage transparent vom Client Web-Browser weitergereicht werden, und obiger Parameter ist nicht notwendig.

Wird hingegen versucht, sich mit unterschiedlichen HTTP-Auth Passwörter anzumelden (zuerst dasjenige für den Reverse-Proxy, dann dasjenige, welches der Backend-Webserver verlangt), ist darauf sofort die Anmeldung am Proxy nicht mehr gültig -> Ein Zugriff würde so also nie funktionieren!

Check certificate on a server

Issue the following command:

openssl s_client -CApath /etc/ssl/certs/ -connect :993

For testing on a mail server supporting both non-encrypted and encrypted (TLS) connections using STARTTLS method:

openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect :25

There should be stated quite at end of command output:

    Verify return code: 0 (ok)

before an eventual greeting message of the server.

A bit above, you can check the certificate chain completeness:

Certificate chain
 0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

The last i(ssuer) is the root cert that most client will trust.

Postfix Mail Queue Cleaner

This small shell script removes all messages originating from a certain sender address out of the postfix mail queue.


#! /bin/bash
if [ "$1" == "" ]; then
  echo "please give e-mail address"
  exit 1
else
  emailaddr=$1
fi
for id in `mailq | egrep "[0-9A-F]{10} " | grep "$emailaddr" | cut -d " " -f 1`
do
  echo $id
  postsuper -d $id
done

Asus ASMB4 iKVM Remote Console

A real PITA is to use the Console redirection of the integrated / optional iKVM of ASUS servers.

Access to the web-GUI (directly or even forwarded like 127.0.0.1:8080 tunneled through ssh to the iKVM's real ip behind a jump host) is quite straight-forward and easy to use.

But the console redirection slightly doesn't work even directly (server has the IP address you type in your web-browser) and with properly installed Java Web Start, at least with version 2.13 of the iKVM firmware.

So this workaround may help:
1. Log in to the Web-GUI

2. Start the Java console under Remote Control

3. Download the .jnlp file instead of opening Java Web Start directly
4. Edit the file as following:


127.0.0.1:8080
to
127.0.0.1

(for example if you have forwaded or mapped the real port 80 to
8080, this has to be only the IP address WITHOUT the port)


0
to
7578

(this has to be the port where the (local) Java Client will connect to the remote server's console and not '0', may also be another port when you do a port mapping or forwarding)

5. Now open the jviewer.jnlp file with Java Web Start.

The console should now show up...

(for all ports involved see the related link to the ASUS support site)

In some situations, there even the download of the JAVA files stucks with 0%. Perhaps then you experience some troubles with SSL because some INTEL ikvm will try to use HTTPS (even if you connect to the iKVM GUI with only HTTP). So use again a manually edited .jnlp file:

1. Download the jnlp file instead of opening directly

2. Change the line with the keyword codebase by replacing the "https://" with just "http://"

3. Open the jviewer.jnlp file with Java Web Start

rsync to WebDAV drive

For having an intuitive GUI synchronisation client, you may use grsync using a gvfs path on Linux or a Drive Letter on Windows where the WebDAV Storage is preliminary mounted. Or go for the commercial sync tool GoodSync which has WebDAV protocol built-in.

But now, when you try to synchronise with the WebDAV storage (e.g. to OwnSpace Web Storge or to Dropbox), you probably get many "file not found" errors and you end up with no files on the WebDAV storage.

To get that to work, you must use the rsync option "--inplace". Search for rsync options or an option meaning "directly write to files instead of temporary files".

Using Windows for direct access (WebDAV) to storage.ownspace.ch

You can actually map network drives to webdav locations. To do so use this:

1. Open Windows Explorer
2. Rightclick on 'Computer'
3. Go to 'map network drive'
4. Choose station/drive letter
5. Enter this path:

\\storage.ownspace.ch@SSL\files\shares\my-files

6. Press OK and your set.

Playing WMA Pro content using 32bit mplayer on 64bit Linux

Problem

You cannot play new WMA media (aka wma9) content on your 64bit Linux system because of missing audio format support, e.g you get an error message similar like that:

Cannot find codec for audio format 0x162.

Solution

Get win32codecs

Unpack the files to /usr/lib/codecs ,e.g. with

    tar xvjf essential-20071007.tar.bz2
    mkdir -p /usr/lib/codecs
    mv essential-20071007/* /usr/lib/codecs/
    ln -s /usr/lib/codecs /usr/lib/win32

add the path to the library search path so the libraries can be found:

    echo "/usr/lib/win32/" > /etc/ld.so.conf.d/win32codecs.conf
    ldconfig

Obtain the mplayer 32bit package (built for Ubuntu 9.10 Karmic Koala). Only the 32bit version can make use of the win32codecs!

Install the deb package:

    dpkg -i mplayer32_1.0svn_amd64.deb

Run the 32bit mplayer with /usr/bin/mplayer32

MPlayer should now play the stream or file, enjoy!!

Open Office Dictionaries

To add a new spelling dictionary, hyphenation dictionary or thesaurus files for another language, at least for OpenOffice 2.x:

Close all OpenOffice applications
Obtain the file for your language from OpenOffice Dictionaries Wiki
Unpack the zip-file to the dictionaries directory, e.g.:

    cd /usr/lib/openoffice/share/dict/ooo
    unzip /path/where/downloaded/de_CH-20071211.zip

Run install-dict:

    /usr/lib/openoffice/install-dict

Now you should see the new language module with Tools / Options / Language Settings / Writing Aids under "Available language modules"

Paths may vary, on my gentoo machine, the OpenOffice files are under /usr/lib/openoffice/

Primary Domain Controller not found

Errormessage "Could not Find Primary DC" appears in Server Manager or when you would join a domain or set up a trust relationship between two domains.

This behavior can occur if the 1b (domain master browser) and 1c (domain controller) NetBIOS names for the PDC are not registered in the Windows Internet Naming Service (WINS). This can occur when the WINS servers in the two domains do not replicate to each other or there aren't any WINS server available at a remote place (on the other side of a firewall or router)

Resolution:

Make these entries in LMHOSTS:

  10.0.0.1   PDCName   #PRE #DOM:DomainName
  10.0.0.1   "Domain         \0x1b"   #PRE

- Replace 10.0.0.1 in the example with the IP address of the PDC in the remote domain.
- Replace the PDCName with the NetBIOS name of the domain PDC.
- Replace DomainName with the Windows NT 4.0 domain name of the target domain.

So far, this is a common thing, but the next line is also required:

A NetBIOS type, also called NetBIOS suffix, must be indicated for the appropriate domain. Specially important is, that this suffix must be at the end of the domain name, with is 15 characters plus 1, total 16 characters in lenght. When you specify the NetBIOS suffix (\0x1b) after the Domain name (must be the sixteenth character), the spacing between the quotation marks is critical. There must be a total of 20 characters within the quotation marks (the domain name plus the appropriate number of spaces to pad up to 15 characters plus the backslash (\) plus the NetBIOS hex representation of the service type).

How To run Windows Explorer as an administrator?

* FAQ: RUN WINDOWS EXPLORER AS AN ADMINISTRATOR
( contributed by John Savill, http://www.windows2000faq.com )

Q. How do I run Windows Explorer as an administrator when I'm logged on as a different user?

A. The impersonation service, Runas, is a nice Windows 2000 feature. But Runas can't run Windows Explorer impersonated because in Win2K, new Windows Explorer windows are spawned as threads of the main explorer.exe invocation. You can circumvent this behavior in the following way:

1. Select Start, Run, and type

runas /user:administrator "\"c:\program files\internet
explorer\iexplore\" c:\\"

2. Click OK.
3. When the system prompts you, enter your Administrator password.

This command executes Windows Explorer in the desired context; adding a local path makes Windows Explorer emulate the default (i.e., no Windows Explorer bars or buttons).