Latest Server related questions

Score: 0
iluvatar
Firefox and other browsers not opening, possibly related to NFS

I have a setup with an NFS server sharing the /home directory with some clients. Randomly, those clients are not able to open any browser (firefox, chrome, vscode [which is browser based]). I have not been able to find the full cause. Normally a full restart of both server and clients fixes things, the browsers open, but then the problem appears again. The problem is present only in the clients. Firefox, f ...

Score: 0
kzpm
Use squid to forward http(s) requests based on domainname

I have installed 5 LXC containers in Proxmox. Each container has an Apache2 webserver up and running inside, pointing to a registered domain.

So:
container1 points to example1.com and has a local ip address of 192.168.2.225
container2 points to example2.com and has a local ip address of 192.168.2.230
container3 points to example3.com and has a local ip address of 192.168.2.235
and so on.

I would like ...

Score: 0
user3430818
Redirect web server port behind VPN

Just recently started using a VPN that allows open ports above 2048. I host my own web server on port 80.

I need help configuring my web server to run on a port above 2048 but get redirected to port 80 so people don't have to write the URL like myserver.com:2049

Would virtual hosts do this? What would be the best step-by-step configuration for this?

Thank you in advance.

Score: 0
Kentuk
time nohup ./script --> the time hasn't been logged

I need to measure the time that Firefox takes to build itself from the source code. Here's what I do normally:

nohup ./mach build > my_log.log &

I then prepended time to it:

time nohup ./mach build > my_log.log &

However, this hasn't made it generate any report about the time spent, at the end of the my_log file.

Why not? How to fix it?

Score: 0
lonix
Traefik as reverse proxy with certbot / lego

When setting up a server I use a reverse proxy and acme tool for dns01 support (I use either nginx + certbot or nginx + lego). I want to start using traefik instead.

I don't understand how traefik interacts with certbot (or lego, etc.), and I can't find relevant examples. I found many examples for getting certs using traefik itself.

Is certbot/lego not needed at all in a traefik setup? Can it do eve ...

Score: 0
Pavel Anni
I don't see SSH disconnect events with `journalctl -u sshd`

I want to monitor SSH sessions, including login and logout events. When I run journalctl without any flags, I see both login events like:

Accepted publickey for root from 192.168.1.24 port 56464

and logout events like:

Disconnected from user root 192.168.1.24 port 56464

But when I want to reduce the output and filter only the sshd events I run journalctl -u sshd. In this case I see only the Acc ...

Score: 0
K.I.
dockerd does not start debian

Linux OS: debian11. Everything worked, but I think today after sudo apt upgrade I installed a new version of docker. Then the docker daemon does not start:

$ sudo systemctl start docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.

I checked the logs:

Here are the start today

$ sudo journalctl -xu do ...
Score: 0
Kickstart %ksappend Filepath

I'm trying to modularize my kickstart file; in particular, I'd like the %pre section to live in a separate file brought in using the %ksappend statement. However, this consistently fails with the installer saying '/run/install/ks.cfg is missing'; I'll note that my actual kickstart file is called ks_system.cfg, so I assume the ks.cfg being asked for is the one that results from initial parsing of the kic ...

Score: 1
Robert Murariu
Let local DNS & name server be reached from the internet

I present the context: I have public fixed ip that it's set to my pfsense on the wan; I have internet on my lan; in my lan I have a local DNS server (ubuntu 22.04 with bind9 with ip 10.14.14.10) where I set the zone with an actual domain that I purchased (mm-it.ro); on the register (from where I purchased the domain). I set the domain mm-it.ro to point to my public IP (86.125.220.243); in pfsense, in ge ...

Score: 0
Anh Phan
Number of receiving queues is double the number of cores of my server?

I'm using Mellanox ConnectX-5 100 GB NIC, Linux kernel 5.15 and my server has 32 cores (SMT disabled). But in the /sys/net//queues, the number of rx queues is 64, which is double the number of cores of my server? How to fix it

Score: 0
Greendrake
Logging custom request headers with AWS CloudFront

What is the best way to log custom HTTP headers like X-Foo: bar received by CloudFront?

I haven't tried Real-time logs, but Standard access logs seem to log only the pre-defined set of fields/headers. My custom ones do not show up in there.

Currently I am thinking of leveraging CloudFront Functions for some custom logging. Is there any better (more easy/efficient) approach?

Score: 0
Snappawapa
Mongodb data files corrupted when copied in

I’m sure there is a straightforward solution, I’m running a Mongodb service thusly:

[Unit]
Description=Mongo server for Open Quartermaster. Version ${version}, using MongoDB tagged to "4".
Documentation=https://github.com/Epic-Breakfast-Productions/OpenQuarterMaster/tree/main/software/Infrastructure
After=docker.service
Wants=network-online.target docker.socket
Requires=docker.socket

[Service] ...
Score: 0
Neal Fultz
Caching sessions with pam_timestamp on ubuntu

I am trying to use PAM and the pam_timestamp module to reduce the number of passwords I need to enter.

Test program via https://learning.oreilly.com/library/view/linux-security-cookbook/0596003919/ch04s01.html#linuxsckbk-CHP-4-SECT-1.2:

#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
#define MY_CON ...
Score: 0
Danya02
Using Traefik, how to expose inner HTTPS errors (like expired certs)?

I'm using Traefik as a reverse proxy to my homelab. I'd like to use HTTPS inside the lab using a custom CA. To do this, I've set up a ServersTransport that trusts my lab CA.

This worked well until a few days ago when a critical service's certificate expired. At that time, Traefik returned a page saying "Internal Server Error" and nothing else, and I had to log in to the proxy server to discover that it ...

Score: 1
user3629081
How can I shorten 'item' value in Ansible console output?

I'm struggling with the title for this question, so feel free to edit it to make it more meaningful.

Let's say you have a task in Ansible and you register the output. For example:

- name: Set up working directory
  shell: mktemp -d
  register: workdir

And I want to use the registered output to do another task. For example:

- name: Create a file
  with_items: "{{ workdir.stdout }}"
  shell: touch {{ ...
Score: 0
W48B1T
Why can't I activate DNSSEC for Domains with a gg ccTLD, despite the fact that there are many domains, which have a valid signature?

This is my first question and hope that I'm in the right community. I bought a gg Domain a while ago and wanted, later needed, DNSSEC. After the purchase I encountered the problem, that I can not activate DNSSEC on basically any registrar / their name servers. They state, that it is not supported.

Yesterday I looked again and found, that there are many gg domains, which actually have a valid DNSS ...

Score: 0
Andrei Andriushin
Sign windows-based SSH public key

Has anybody successfully configured OpenSSH on Windows with CA signed host certificates? OpenSSH doesn't use this signed certificate in my case.

I tried:

  1. Sign generated by OpenSSH public certificate using Hashicorp Vault.
  2. Issue certificate key pair with the same ssh engine in Vault.

In both ways OpenSSH on Windows writes error: sshd: error: Public key for PROGRAMDATA/ssh/ssh_host_ed25519_key does n ...

Score: 0
Gary Aitken
Are IPv6 forward and reverse maps required if they match the ipv4 addresses when using bind9?

Using bind 9.18, my named.conf has something like this:

zone "my-domain.com" {
  type master;
  file "/usr/local/etc/namedb/master/my-domain.com.zone";
};

zone "32/29.114.115.116.IN-ADDR.ARPA" {
  type master;
  file "/usr/local/etc/namedb/master/my-domain.com.rev";
};

In the zone file, both ipv4 and ipv6 addresses may be present, and may represent the same host:

my-domain.com. IN A 116.115.114. ...
Score: 0
Halcoaching
Specific olcAccess does not work for an OU in LDAP

On my OpenLDAP server, I would like the accounts in my "ou=partners" OU to have "read" permissions to all objects in "ou=abos". Here is the tree of my DIT :

[ditTree][1]

My olcAccess is allowed on the server but does not grant the permission as I would like :

 olcAccess: {4}to dn.subtree="ou=abos,dc=MULTIPASS`,dc=LDAP" by dn.children="ou=partners,ou=accounts,dc=MULTIPASS,dc=LDAP" read

What is the  ...

Score: 0
Brad Mace
Using a variable in the namespace of a generated resource

I've created a policy that generates Services for every Deployment in a namespace. The one thing I can't figure out is that it's a Policy rather than a ClusterPolicy and I want to make the namespace attribute dynamic. (Because the policy is part of a Kustomize overlay that's used to define qa and prod environments.) It doesn't seem to be interpreting the variables in this field prior to validating the  ...

Score: 1
luislhl
Is it safe to ssh-keygen a "ecdsa-sk" or "ed25519-sk" in a potentially compromised environment?

I'm wondering whether it would be a good practice to make sure the keys are generated in a safe environment, like a live Linux distribution, instead of just generating them in a day-to-day environment that could be potentially compromised already.

I know the private key will probably be generated only inside the FIDO hardware, but is it enough even in a compromised environment, or are there other ...

Score: 0
Tsetsi
Postfix: Can't send mails from another network

I recently set a postfix (+dovecot) mail server (on a VPS) and when I am in my own home network, which I put in mynetworks, I can both send and receive mails.

However when I am outside home I can only receive emails, which is not a behaviour I expect, as I probably need to send emails then. Here you have my settings, if you can help me out:

# See /usr/share/postfix/main.cf.dist for a commented, more c ...
Score: 0
Steve G.
Failed verifying certificate revocation for Enterprise certificate from non-domain computer

We have a typical offline root and issuing intermediate CA Enterprise environment.

My problem is very similar to the one found here: Certificate revocation check fails for non-domain guest in spite of accessible CRL However, I have already tried the solution posted there and it has not fixed my problem. I have tested to make sure both the full and delta CRLs are accessible from non-domain computers. We r ...

Score: 0
liuliang
ipsec package after decrypted can not be received by tproxy

My centos6 machine ipaddress is 192.168.56.10 (eth0). I have installed strongswan and a tproxy like v2ray with iptables:

iptables:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SECGW_IN - [0:0]
-A PREROUTING -j SECGW_IN
-A SECGW_IN -d 127.0.0.1/32 -j RETURN
-A SECGW_IN -d 224.0.0.0/4 -j RETURN
-A SECGW_IN -d 255.255.255.255/3 ...
Score: 0
Bursuc Sergiu
PHP-FPM unable to find or access status shared memory

I am running a busy magento 2 load balanced web server with 3 back-end PHP-FPM servers and a shared EFS network filesystem on AWS cloud. There are lots of concurrent users and everything works fine except the fact that randomly, from time to time I see the following errors in the error log:

May 4 15:27:01 app-node php_fpm_error [04-May-2023 15:27:01] WARNING: [pool pool.name] child 135046 said into ...
Score: 0
John Doe
Why does DMARC fail for forwarded emails from this particular domain when it passes for all other domains?

I run a virtual mail server that forwards emails to my domain to a Gmail address, and I use PostSRSd to rewrite the addresses. For example, if someone sends an email to [email protected], my mail server will rewrite the address (to something like [email protected]) and forward it to my email at [email protected].

This rewriting is essential, because otherwise the forwarded emails  ...

Score: 0
Marvin
How can I configure pg_hba.conf in kubernetes deployment when the ip address of client pods is not known?

Suppose I have two backends be1, be2 deployed in pods that use a postgres server in a pod, and I want to use pg_hba.conf to constrain access for better security, like:

hostssl db1  db1user    be1-headless.default.svc.cluster.local  md5
hostssl db2  db2user    be2-headless.default.svc.cluster.local  md5

I created headless services as well as clusterIP services for the backends, since a headless serv ...

Score: 0
Aleksandarf
Redirect traffic in "sniff/tap?" mode to specific ip address(es), that is: rewrite destination headers to target other machine(s)

I have incoming traffic on eth1 (vlan id 201) which is emitted by another machine which is doing

sudo tcpreplay -x 0.01 --loop=0 --intf1=eth12 Wireshark_bidirectional_data.pcap

I would like to rewrite the destination to target other devices e.g. 198.19.5.1... connected on eth1.

I've enabled

net.ipv4.ip_forward=1

and been trying to forward the data by doing:

table ip nat {
        chain postrouti ...
Score: 0
shabxs
Inertiajs php artisan start-ssr not running for two apps on the same server

I have two applications that I have deployed to Digital Ocean using Laravel Forge. Both are built using the Laravel, Vue, Inertia, Tailwindcss stack (inertia 1.0). When I try to start the daemon for starting SSR for both servers... the port seems to conflict and does not run the daemon as expected. If there is only one site.. everything works perfectly.

What is the issues.. and what is the right way of  ...

Score: 0
user2338823
Can we use fdisk to partition a disk bigger than 2 TB without recompiling the kernel?

Here is my problem.

Our operating system is Debian 11. The main hard disk is doing fine. I have a 6TB external volume. If I choose to use parted to format this disk it will entail recompiling the Debian 11 kernel with CONFIG_EFI_PARTITION enabled as mentioned here

We are not allowed to recompile the kernel.

My query is: May I use fdisk to partition the 6TB disk into 3 2TB partitions? Will that stil ...
