Latest Server related questions

Score: 2
gMSA and Read Only Domain Controllers

Windows Server 2019 Environment

I have 2 writable DCs and 1 RODC out in a DMZ that will all need to use a gMSA for some software we are deploying. This is my first time ever making use of gMSAs / MSAs, and while everything went well for creation and deployment on my writable DCs, the RODC threw an error:

'''Install-ADServiceAccount : Cannot install service account. Error Message: '{Access Denied} A ...

Score: 5
Duc Vo avatar
Does adding another TXT record affect SPF authentication?

I am using multiple mail services for my domain sliver.proteuslake.asia, such as Mailjet, Google, and Atlassian. I have already added three TXT records for my domain:

  • "v=spf1 include:spf.mailjet.com ?all"

  • "atlassian-sending-domain-verification=fb8692b2-027c-4abc-8ce7-311fd467211e"

  • "google-site-verification=DQ0PYy6fwkssvVgmuTx0-eU-kMGZoaCKvXX2wWTZD-I"

These records are used for different purpose ...

Score: 0
Letsencrypt + HAProxy SSL Offloading

I am using HAProxy for SSL offloading and letsencrypt certificates. Previously, I was using the tls-sni-01-port flag - which is no longer supported.

Does anyone have a recipe that has been working in this configuration?

Score: 0
Cepxuo avatar
Find directories not containing subdirectories with today file date

Can you please help me with a bash string for finding and listing only parent directories NOT containing subdirectories with today file date, so I can delete them recursively?

My env is CentOS and the dir structure is like this:

path='/data/mesos/slaves/somedir/frameworks/somedir/executors/'

This path includes 3 subdirs: -appname -runs -onemoresubdir (here I need to search for files with a new date)

Thanks in a ...

Score: 0
Isla Yoder avatar
Creating a non-public DNS alias for a database in Google Cloud Platform (GCP)

I am currently working on setting up a database in Google Cloud Platform (GCP), and I would like to create a non-public DNS alias for it. The purpose of this alias is to provide a more user-friendly name for accessing the database internally within my GCP project, without exposing the actual database endpoint or IP address.

I have explored various options within GCP, but I haven't found a straigh ...

Score: 0
revy avatar
Elastic IP not working for Network Load Balancer

I have created a Network Load Balancer on AWS with two public subnets. For one of the subnets, I have allocated a static elastic IP. When trying to reach the NLB using the static IP I get ERR_EMPTY_RESPONSE, but it works correctly when using the DNS name of the NLB (e.g. xxx-yyy.elb.us-east-1.amazonaws.com).

If I run the command host xxx-yyy.elb.us-east-1.amazonaws.com I get a different IP from the st ...

Score: 0
user17714968 avatar
Nginx - Black list cookies

Is there a way to black list cookies purely through Nginx?

I tried this: https://stackoverflow.com/questions/67548886/remove-specific-cookie-in-nginx-reverse-proxy

But it doesn't seem to cover cases where there are multiples of the same cookie, and it is not great performance-wise.

Isn't there a built in way to do this?

Score: 2
alsuvo avatar
Why is my Google Cloud Function timing out when making a HTTP request to my AWS Fargate instance?

I am working on a Google cloud function for a beforeSignIn trigger which needs to fetch some data from a microservice hosted on an AWS Fargate instance. The request times out, but only in the Google cloud function environment with this one particular domain. The code runs fine locally.

A simplified version of the code looks like this:

import { Auth } from 'gcip-cloud-functions';
import fetch from 'node-fe ...

Score: 1
TinkerTank avatar
ZFS on Hetzner Rescue fails with `checking whether inode_owner_or_capable() takes user_ns... configure: error:`

Normally, when booting into the Hetzner rescue system, using the 'zfs' command will automatically install zfs tooling inside the rescue system. This is currently not working;

checking whether inode_owner_or_capable() takes user_ns... configure: error: 
        *** None of the expected "capability" interfaces were detected.
        *** This may be because your kernel version is newer than what is
   ...

Score: 0
ze234we23 avatar
Best practice for storing personal information on AWS that we shouldn't be able to see

We store customer information that we shouldn't have access to, and don't want to inconvenience users by making them lose information if they forget their passwords. Is there a good way to solve this problem, so that the devs who have access to our AWS can't read customer data, and so the customers can reset their passwords without losing access to their data?

Score: 1
Marcus avatar
LVM not showing LV although it's in use

I have a machine with a RAID-1 (sda) hosting Debian 10 and a RAID-5 being used for storage (sdb), both using independent PGs. Recently the RAID-5 was corrupted, so I recreated it and set up the LVM again:

pvcreate /dev/sdb1
vgcreate "server-h01-space" /dev/sdb1
lvcreate -n "storage" -L 20.5T server-h01-space

During setup pvcreate and vgcreate reported an existing XFS signature and offered to wip ...

Score: 0
lindaz avatar
How to secure proxmox web ui?

How can I best secure Proxmox Web UI?

What I have done:

  • Added SSL
  • Added two-factor authentication

What I have planned:

  • Change default port 8006 to a random port, such as 3462
  • Add tunneling by SSH, and change the SSH port to a random port, such as 3462 (is tunneling required when I have two-factor authentication?)

What else can I do?

Score: 1
tachy avatar
Setup SSO : openldap, kerberos, nfs(truenas) :

Currently I am able to set up an SSO NFS setup with an openldap LDAP server and a Truenas NFS server (with LDAP access configured). The ubuntu clients are able to use pam-mount to mount the nfs home shares. The purpose is to have each LDAP user authenticate using pam-ldap and nss-ldap and then mount the appropriate nfs home shares. The setup is working.

There are four possible approaches as I see.

Approac ...

Score: 1
barrymac avatar
Why does my pfsense gateway break SSL for some internal hosts?

I have a proxmox cluster with pfsense acting as a firewall and gateway for the cluster nodes and VMs. VMs have no problem, but the cluster nodes can't browse any websites using SSL, which of course breaks package updates and things like that.

When I connect directly to the outbound gateway that pfsense uses then all works fine.

I'm not sure where to start with troubleshooting this issue.

for example ru ...

Score: 1
Jesse avatar
My Win 11 Pro VPN client for IKEv2 is perpetually broken

I am tearing my hair out over this sudden refusal of Windows 11 Pro on my PC to use the appropriately configured crypto in IKEv2 negotiation. It worked fine for a long time, until it didn't. This issue persists over new installs. Meaning I have deleted partitions and reinstalled more than once. In the past this fixed the issue for a while, but no longer. This leads me to believe it may be related to upd ...

Score: 1
How to provide /etc/aliases / .forward functionality in the current anti-spam environment?

The actual problem I'm having:

My email server (exim, but it hardly matters for this), which I've been running for years, forwards email via /etc/aliases (i.e. [email protected] points to ~5 people) and individual user's .forward files (i.e. my .forward has "[email protected]"). This has been problematic off and on for years, with various services refusing to accept mail for various periods, but r ...

Score: 1
Charles Chou avatar
Restore 4-Drive RAID5 array after accidentally reinitializing last 2-Drive as RAID0

I have an Asustor NAS running a 4-drive RAID 5. After a system update it rebooted into the initialize page in the web console. I thought it was part of the upgrade process, so I started the initialize process. A few minutes later I felt something was wrong and unplugged the power. The NAS booted into a clean OS, all settings are GONE and I am unable to mount the RAID.

After checking mdadm and fdisk in terminal, I found ...

Score: 0
Navid Ahrary avatar
iptable rule to match system service

I have this rule:

sudo iptables -t mangle -A OUTPUT -m owner --uid-owner myuser -j MARK --set-mark 1

But instead of matching with a user, I would like to match with a system service. Could you help me?

Score: 0
Tobi Wright avatar
IPv6 to IPv4 converting - tunnel between two ubuntu servers

I live in a country that recently launched a heavy censorship protocol on the Internet. Most of the IPv4s are restricted or completely banned.

I have two servers, one in my country and another one in Germany that has access to free internet.

I need to figure something like this

using this command to make the tunnel :

ssh -v -N -f -L [local_ipv6_address]:[local_port]:[remote_ipv6_address]:[remote_port] [user] ...

Score: 0
Travis avatar
Remove Virtualmin Access via IP

I'm trying to harden server security by following suggestions given by securityscorecard.com. I can access Webmin / Virtualmin via the IP directly with:

https://[my-ip]:10000

It does so with a self-signed SSL cert and the securityscorecard service does not like it.

I have a domain cert and can also, preferably, access Virtualmin like:

https://[my-domain]:10000

How can I disable access via https:/ ...

Score: 1
Chris9834 avatar
How to boot debian from both drives from a MD-RAID1 with LVM

I use a Debian box with an MD-RAID1 with two drives and an LVM. My problem is that, obviously, I'm only able to boot from the first drive, but not the second.

root@myhost:/home/myuser# fdisk -l
Disk /dev/sda: 447,1 GiB, 480103981056 bytes, 937703088 sectors
Units: sectors of 1 * 512 = 512 bytes                     
Sector size (logical/physical): 512 bytes / 4096 bytes                     
I/O size ( ...

Score: 0
Jerome Wolff avatar
Why is it not possible to establish a connection between these servers?

I have the problem that my two servers (master, worker) can not connect to each other. However, connections outside e.g. "google.com" are possible. I have already tried to allow all ICMP connections, which are otherwise forbidden in the prerouting. However, this has not helped at all.

When pinging from my master to the worker I get the following output:

3 packets transmitted, 0 received, 100% packet los ...

Score: 0
Cancel `md --grow` operation

I added drives to an md RAID5 array, and quickly realized that I forgot to create a partition as is best practice (something I’ve also learned from bitter experience). How can I cancel this operation and re-add them?

Right now I froze the rebuild. As a safe workaround I can let the rebuild finish, fail one and replace it, etc. But this would take a week. Would failing both now also work?

Note: The ...

Score: 0
Sinlog avatar
SSH connection to gitlab server not working

I have recently installed a gitlab server on a Fedora Server VM hosted locally on my computer. To install the gitlab server I used this command: sudo yum install -y gitlab-ce.

I had no errors during the installation, but when I try to connect to the gitlab instance with the command ssh [email protected] I get this message:

Last login: Sat Apr 22 16:33:11 2023 from 10.0.2.2.

instead of:

Welcome to ...

Score: 0
Maurice avatar
How can I configure gitlab and nginx as a reverse proxy with SSL authenticating to Azure AD?

I've been pushing on this for days, I'm really hoping some kind soul can help.

Nginx is sitting on an Ubuntu machine in Azure. On that same machine, Docker engine is running a Gitlab container (which uses nginx for serving it up.)

I've gotten as far as getting everything working the way I want, except just over plain http. Yesterday I added SSL, which was not successful, and now I'm having trouble e ...

Score: 0
vvv444 avatar
How do I copy image in OpenStack under a second name

Say I have an image named org-image-name, I want to create a new image that will be identical but have a different name (say new-image-name). How can I do it using CLI? Or maybe there is an aliases feature?

Score: 0
vvv444 avatar
How do I rename image in OpenStack using command line?

I have an image named old-image-name in OpenStack. I want to rename it (say to new-image-name).

I know I can do it using "Edit Image" in the web interface. But how can I do it from command line/script?

Score: 0
Apollo avatar
Sudoers NOPASSWD not working for specified commands

I have the following entries in the sudoers file:

christian ALL=(root)NOPASSWD: /usr/sbin/shutdown
christian ALL=(root)NOPASSWD: /usr/bin/systemctl start mc

When running sudo shutdown -h now or sudo systemctl start mc, I still have to enter the password, even though I've set the NOPASSWD option for these commands. I am not sure why, because as far as I've read, this should be the correct syntax for it ...

Score: 0
Arty avatar
Map subdomain to local IP through public IP

I want to map subdomains to local IPs on my machine to achieve an IP for each of my virtual machines.

I know I can setup a DNS on my own machine but that will only resolve the domain on my own machine.

subdomain.domain.com -> Public IP -> Internal IP 1
subdomain2.domain.com -> Public IP -> Internal IP 2
subdomain2.domain.com -> Public IP -> Internal IP 3

Is there anything that might ...

Score: 0
popcorn avatar
Auto renew LetsEncrypt cert with nginx under Docker

I'm having trouble setting up an auto renew for LetsEncrypt certificates.

I run nginx under a Docker container that serves a Django application.

Here is my docker-compose file:

version: '3.8'

services:
  app:
    image: registry.myimage.app
    restart: always
    build:
      context: .
      dockerfile: ./app/Dockerfile
    ports:
      - "8000:8000"
    command: /start
    expose:
      - 8000
    env_fi ...
