
Nginx ProxMox Proxy using Letsencrypt SSL cert

Why use a nginx proxmox proxy using letsencrypt ssl?

1st: why not?
2nd: Load balancing! Nginx is built to handle many concurrent connections from a multitude of clients. This makes it ideal for being the point of contact for said clients. The server can pass requests to any number of backend servers to handle the bulk of the work, which spreads the load across your infrastructure. This design also gives you the flexibility to add backend servers or take them down for maintenance as needed.
3rd: Security! Many times Nginx can be secured to not allow access to certain parts of the underlying application, so life doesn't throw you a curveball at 3AM on December 24th 2006 (don't ask :( ).
4th: Port firewall constraints! Sometimes you need to access an application on port 34563 but the firewall doesn't allow access on random ports. You can allow incoming connections on port 80 via nginx but proxy them to the app on 34563.
5th: seriously… why not…..

Now you know why we may want nginx as a frontend proxy for our underlying app, so let's get to setting it up for our use case, which is to protect Proxmox from bad actors and to provide reliable access to our Proxmox for ourselves. We are going to set up nginx to forward all traffic from port 80 to port 443, where Let's Encrypt will provide us with SSL-encrypted access!

Install nginx-light instead of the full package, so you have a smaller set of utilities but also a lighter install. You can also install nginx or nginx-full if you wish.

apt-get install nginx-light

Remove the default nginx config:

rm /etc/nginx/sites-enabled/default

Add a new nginx config, copying the code below:

nano /etc/nginx/sites-enabled/default

Add the following in there:

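# Note: this upstream is defined but never referenced; the proxy_pass
# below connects straight to https://localhost:8006.
upstream proxmox {
    server "proxmoxdomain.com";
}

server {
    listen 80 default_server;

    # Let's Encrypt webroot challenge files
    location ^~ /.well-known/ {
        root "/var/www/html";
        allow all;
    }

    # Send everything else to HTTPS. This lives in a location block
    # because a server-level rewrite runs before location matching and
    # would redirect the challenge requests as well.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;    # "ssl on;" is deprecated; enable TLS on the listen line
    server_name _;
    ssl_certificate /etc/letsencrypt/live/proxmoxdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmoxdomain.com/privkey.pem;
    include ssl-params.conf;    # TLS settings file; must exist under /etc/nginx
    proxy_redirect off;

    location ^~ /.well-known/ {
        root "/var/www/html";
        allow all;
    }

    location / {
        proxy_http_version 1.1;
        # Upgrade headers so WebSocket connections pass through the proxy
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header  Host  $host;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        client_max_body_size 0;    # no upload size limit
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}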

Install git:

apt-get -y install git

Grab a copy of the letsencrypt client:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Get the certs:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d proxmoxdomain.com

Specify your email when asked; this is only to retrieve lost certs.
Agree to the TOS.

You will get 4 files from this:

  • cert.pem: Your domain’s certificate
  • chain.pem: The Let’s Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate’s private key

These files are located in

  • /etc/letsencrypt/live/proxmoxdomain.com

Now that your certs are in place, restart nginx and you are live!

service nginx restart

or

systemctl restart nginx
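
The proxy only protects Proxmox if port 8006 cannot be reached directly, so after the restart it is worth checking which addresses still listen on it. The following is an added example, not part of the original post: it filters ss -ltn output for non-loopback listeners on a port. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-loopback listeners on a TCP port.
# Reads `ss -ltn` output on stdin; prints each exposed Local Address:Port.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                           # Local Address:Port column
            if (!match(addr, /:[0-9]+$/)) next  # locate the trailing :port
            host = substr(addr, 1, RSTART - 1)
            if (substr(addr, RSTART + 1) != port) next
            # 127.0.0.0/8 and ::1 are only reachable from this machine
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            print addr
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# port 8006 on every interface, nginx on 80/443, loopback-only listeners.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8006        0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     127.0.0.1:85        0.0.0.0:*
LISTEN  0       128     [::1]:8006          [::]:*
EOF
}

# On a real host: ss -ltn | exposed_listeners 8006
sample_ss_output | exposed_listeners 8006
```

Any line printed means the Proxmox port can be reached without going through nginx; restrict it with a firewall rule or pveproxy's own access settings.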

Linux distribution info & kernel info

Do you have multiple VMs and real machines you use for random testing and small tasks? Need to know what machine you are on? What kernel you are using? What the current Linux distribution info is? What OS version you last installed on here? And more such questions? Well, we have some of the answers for you. Well, maybe not answers, but more like small tools so you can get the answers!

Distribution info

lsb_release -a
On my Ubuntu system it gives the following result:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Codename: xenial

On a Debian system it gives the following result:

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.4 (jessie)
Release: 8.4
Codename: jessie

If lsb_release -a doesn't cut it for you then you can try
cat /etc/issue

As a result we see the following examples:

# cat /etc/issue
Debian GNU/Linux 8 \n \l

$ cat /etc/issue
Ubuntu Xenial Xerus (development branch) \n \l

In some cases where you suspect you are on CentOS or Red Hat, maybe because you noticed the package versions are old enough to be used by Columbus while sailing the open seas, then you can use either

cat /etc/centos-release

or

cat /etc/redhat-release

which will give you a result such as:

CentOS release 6.2 (Final)

Kernel Info

Now, as far as finding the kernel info goes, you can get all the info you need via uname.

$ uname -a
Linux testhost 4.4.0-9-generic #24-Ubuntu SMP Mon Feb 29 19:33:19 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ uname -r
4.4.0-9-generic

As you can see, uname -r gives you just the kernel version and uname -a gives you multiple pieces of info, like the date the kernel was compiled and the arch (i.e. x86_64).


Debian package management speed ups

Debian is a Linux distro that’s used by millions of machines all over the planet.

No one likes to sit around waiting for slow mirrors while updating multiple packages, but it's usually a fact of life. In Debian it means typing apt-get update and sitting around for a while, then doing the actual install or upgrade and getting some coffee. What if you could speed the process along somewhat? Well, just like we showed you how to speed up apt downloads for Ubuntu, you can speed up apt for Debian! This way you can focus more on clashing some clans or something… whatever you do in your free time, that is.

Httpredir

In comes httpredir: “It uses the geographic and network location of the user and the mirrors, the architecture of the requested files, IP address family, the availability and freshness of the mirrors, and a few other things” to find the closest and fastest mirror of data for you. This gives you the quickest way to get your files without resorting to new tools or alternate package managers. This is already there for Jessie (Debian 8) so no need to edit that, but for everyone else on older releases this will bring wonderful speedups.

Setting up httpredir is simple:

Edit your /etc/apt/sources.list

deb http://ftp.us.debian.org/debian sid main
deb-src http://ftp.us.debian.org/debian sid main

Replace with

deb http://httpredir.debian.org/debian sid main
deb-src http://httpredir.debian.org/debian sid main

Aptitude installed package list

Today I got a new VPS… well, great, but now I need to install a bunch of new packages and libraries and helper apps. How do I remember it all? Did I have Python 2.6 or 2.7? Not to mention, which Boost libs did I install? Well, here's a couple of ways to deal with this issue of what's on my installed package list.

Using dpkg and apt-get

dpkg --get-selections > selections.txt

Scp / email / copy to USB or copy it bit by bit, whatever floats your boat. Move to new machine.

dpkg --set-selections < selections.txt
apt-get update
apt-get dselect-upgrade

Voilà, it should be OK. But there's a lot of clutter, like libraries and dependencies that were needed on the old machine and might not be needed again. So how to find a cleaned-up list? Or at least one that shows the automatically installed packages? There's always aptitude; it's simpler in syntax and better, imho.

Using Aptitude

aptitude search '~i'

which gives you a result of all your packages like:

i   udev                                                                                               - /dev/ and hotplug management daemon
i A unattended-upgrades                                                                                - automatic installation of security upgrades
i   upstart                                                                                            - event-based init daemon
i A usbutils                                                                                           - Linux USB utilities
i   util-linux                                                                                         - Miscellaneous system utilities
i   vim                                                                                                - Vi IMproved - enhanced vi editor
i   vim-common                                                                                         - Vi IMproved - Common files
i   vim-runtime                                                                                        - Vi IMproved - Runtime files
i   wget                                                                                               - retrieves files from the web

This of course scrolls all the packages past your view very quickly and can be… hard on those of us that can't read 10000 words per minute. You can always output the results to a text file. Note that in my example I'm using the date command to insert the current date and time into the file name; you can run this with a cron job to have a snapshot of your packages at a given time.

aptitude search '~i' > installed_packages_$(date +%F_%R).txt

Or if you just want a temp text file you can output to less or vim the same way.

aptitude search '~i' | less
aptitude search '~i' | vim -

And if you want you can even grep / search / parse it on the fly like so:

aptitude search '~i' | grep -i "X11"

i A libxpm4                         - X11 pixmap library
i A libxrandr2                      - X11 RandR extension library
i A libxss1                         - X11 Screen Saver extension library
i A libxt6                          - X11 toolkit intrinsics library
i A libxtst6                        - X11 Testing -- Record extension library
i A libxv1                          - X11 Video extension library
i A libxxf86dga1                    - X11 Direct Graphics Access extension libra
i A libxxf86vm1                     - X11 XFree86 video mode extension library
i A tk                              - Toolkit for Tcl and X11 (default version)
i A tk8.6                           - Tk toolkit for Tcl and X11 v8.6 - windowin
i A x11-common                      - X Window System (X.Org) infrastructure
i A x11-utils                       - X11 utilities
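
The dated snapshots and the question of a cleaned-up list without the automatically installed packages can both be handled by parsing the saved aptitude output. This is an added example, not part of the original post: it extracts package names from two snapshots, lists only the manually installed ones, and reports what appeared or disappeared between them. The function names and sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: saved output of `aptitude search '~i'` in the
# default layout: three flag characters, a space, then the package name.

# Print installed package names; mode "manual" skips those flagged A.
pkg_names() {
    awk -v mode="$2" '
        substr($0, 1, 1) == "i" {
            if (mode == "manual" && substr($0, 3, 1) == "A") next
            split(substr($0, 5), f, " ")
            print f[1]
        }' "$1" | LC_ALL=C sort -u
}

# Compare two snapshots: "+" only in the newer, "-" only in the older.
snapshot_diff() {
    old=$(mktemp); new=$(mktemp)
    pkg_names "$1" > "$old"
    pkg_names "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f "$old" "$new"
}

# Constructed sample snapshots (not taken from a real machine).
make_samples() {
    cat > "$1/old.txt" <<'EOF'
i   udev                - /dev/ and hotplug management daemon
i A usbutils            - Linux USB utilities
i   vim                 - Vi IMproved - enhanced vi editor
i   wget                - retrieves files from the web
EOF
    cat > "$1/new.txt" <<'EOF'
i   tcpdump             - command-line network traffic analyzer
i   udev                - /dev/ and hotplug management daemon
i A usbutils            - Linux USB utilities
i   vim                 - Vi IMproved - enhanced vi editor
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
snapshot_diff "$demo/old.txt" "$demo/new.txt"    # changes between snapshots
pkg_names "$demo/new.txt" manual                 # manually installed only
rm -rf "$demo"
```

A package that shows up with "+" between two cron snapshots and that nobody remembers installing is worth a closer look.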

questions? comments? don’t hesitate to ask!