Tikejhya: Ashish Nepal


Month: September 2015 (Page 1 of 2)

Nginx Multiple satisfy Any [auth_request]

We had a use case where access had to be allowed either by IP address or by username and password.

That part already worked as described at http://www.ashishnepal.com/nginx-restricting-access/ (satisfy any, combining auth_basic with allow/deny).

However, some clients also had to be admitted on the strength of their User-Agent header, which neither the IP rules nor username/password authentication can express.

This could have been achieved in several ways:
1) an nginx named location (@forwarder) that returns 403
2) a map on $http_user_agent together with geo
3) a separate backend behind HAProxy or Varnish, or any gateway that rewrites X-Real-IP or X-Forwarded-For and adjusts the rules accordingly

The most elegant way, though, is nginx's auth_request module. With satisfy any, a request is admitted as soon as one of the three checks passes: the client address matches an allow rule, basic authentication succeeds, or the auth_request subrequest returns a 2xx status (a 401 or 403 from the subrequest counts as a failed check). Two practical points: mark the /authentication location internal so it can only be reached through the subrequest, and remember that User-Agent is chosen by the client, so the matched string acts as a shared secret sent in the clear with every request.

location / {
    satisfy any;                       # admit the request if any one of the checks below passes

    # check 1: client address
    allow 192.168.x.x/24;
    deny all;

    # check 2: username and password
    auth_basic "Require Auth";
    auth_basic_user_file conf.d/htpasswd;

    # check 3: subrequest to /authentication; a 2xx response admits the request
    auth_request /authentication;
}

location = /authentication {
    # the subrequest carries the original client headers, so $http_user_agent is the
    # caller's User-Agent; "~" is a case-sensitive match (use "~*" for case-insensitive)
    if ($http_user_agent ~ canHazUA) {
        return 200;
    }
    return 403;
}

nginx Restricting Access

Restricting access using allow/deny together with satisfy any.

Access can be allowed or denied based on the IP address of a client or by using HTTP basic authentication.

To allow or deny access from a certain set of addresses, or all addresses, use the allow and deny directives:

location / {
    # rules are checked in order and the first match wins, so the single-address deny
    # must come before the allow for its /24, otherwise it is never reached
    deny 192.168.1.2;
    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny all;
}

Restricting access with allow/deny can be combined with the auth_basic module (http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html), so that a client is admitted either by IP-based restriction or by username and password. This is a standard feature in Apache, and most of us want the same scenario in nginx:

location / {
    auth_basic "closed site";
    auth_basic_user_file conf/htpasswd;
}

Combining the two looks like this (with the default satisfy all a client would have to pass both checks; satisfy any admits it when either one passes):

location / {
    satisfy any;

    # address rules, first match wins
    deny 192.168.1.2;
    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny all;

    # everyone else must present valid credentials
    auth_basic "closed site";
    auth_basic_user_file conf/htpasswd;
}

nginx basic_auth

The ngx_http_auth_basic_module module allows limiting access to resources by validating the user name and password using the “HTTP Basic Authentication” protocol.

location / {
    auth_basic "closed site";
    # a relative path is resolved against the nginx prefix directory
    auth_basic_user_file conf/htpasswd;
}

cronjob offset

How to set up cron jobs with an offset between them:

# runs every five minutes, at minutes 1, 6, 11, ..., 56
1-59/5 * * * * echo "hello i am offsetting 1"
# runs every five minutes starting at minute 2 (2, 7, 12, ...), one minute after the job above
2-59/5 * * * * echo "hello i am offsetting 2"
# runs every five minutes starting at minute 3 (3, 8, 13, ...), two minutes after the first job
3-59/5 * * * * echo "hello i am offsetting 3"

The same staggering can be had with a plain */5 schedule by prefixing the commands with sleep 60, sleep 120 and sleep 180, at the cost of a process that sits idle for the delay.
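To check what an offset field actually does before installing it, the following added example (not part of the original post, and not cron's own code) expands a crontab minute field into the minutes at which it fires. It assumes the usual Vixie/cronie syntax for that field: "*", "N", "a-b", "a-b/step", "*/step" and comma-separated lists of those.

```shell
#!/bin/sh
# Added example: expand a cron "minute" field into the list of minutes it matches.
# Assumes standard crontab syntax for the field (no names, no "L"/"W" extensions).
cron_minutes() {
  printf '%s' "$1" | awk -F, '{
    out = ""
    for (i = 1; i <= NF; i++) {
      f = $i; step = 1
      if (index(f, "/") > 0) {               # "a-b/step" or "*/step"
        step = substr(f, index(f, "/") + 1) + 0
        f = substr(f, 1, index(f, "/") - 1)
      }
      if (f == "*") { lo = 0; hi = 59 }     # whole range
      else if (index(f, "-") > 0) {         # explicit range a-b
        split(f, r, "-"); lo = r[1] + 0; hi = r[2] + 0
      }
      else { lo = f + 0; hi = f + 0 }       # single minute
      for (m = lo; m <= hi; m += step)
        out = out (out == "" ? "" : " ") m
    }
    print out
  }'
}

# Usage: compare the three schedules from the post side by side.
cron_minutes '1-59/5'
cron_minutes '2-59/5'
cron_minutes '3-59/5'
```

The output makes the offset visible: the second schedule fires one minute after the first at every step, and the third two minutes after it, which is exactly what the three crontab lines above do.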

Nginx cache cleanup

The cache key of the entry, as nginx records it in the cache file header:

KEY: httpGETashishnepal.com/nginx/

nginx names the cache file after the MD5 of that key, so the path can be computed instead of searching the cache directory:

echo -n "httpGETashishnepal.com/nginx/" | md5sum | awk '{print "/etc/nginx/cache/"substr($1,length($1),1)"/"substr($1,length($1)-2,2)"/"$1}'

This only works when proxy_cache_path is configured with levels=1:2 (first directory = last hex character of the hash, second directory = the two characters before it) and the cache root is /etc/nginx/cache; adjust the substr calls for other levels.

Once you have the path, deleting the file with rm evicts the entry; nginx stores it again on the next cacheable request.
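The one-liner above is hard-wired to levels=1:2 and to one cache root. The following added example (my code, not from the original post or from nginx) generalises it to any "levels" value by taking the level directories from the end of the MD5 digest the way nginx does, and only deletes a file after confirming that its header really carries the expected "KEY:" line, so a wrong guess at the levels or the cache root cannot remove a different entry. It assumes md5sum and awk are available and that the key is passed exactly as nginx builds it from proxy_cache_key (the key in the post, "httpGETashishnepal.com/nginx/", is used here only as an example value).

```shell
#!/bin/sh
# Added example: map an nginx cache key to its on-disk file for any proxy_cache_path
# "levels" setting, and evict it only after checking the file's KEY header.
# Assumptions: md5sum and awk on PATH; cache root and levels supplied by the caller.

# Print the cache file path for key $1 under cache root $2 with levels $3 (default 1:2).
# nginx hashes the key with MD5 and takes the level directories from the END of the hex
# digest: for 1:2 the last character, then the two characters before it.
nginx_cache_path() {
  key=$1; cache_root=$2; levels=${3:-1:2}
  # printf rather than "echo -n": echo -n is not portable and must not add a newline
  printf '%s' "$key" | md5sum | awk -v root="$cache_root" -v levels="$levels" '{
    hash = $1                      # md5sum prints "<hash>  -"
    n = split(levels, width, ":")  # "1:2" -> width[1]=1, width[2]=2
    pos = length(hash)
    path = root
    for (i = 1; i <= n; i++) {
      path = path "/" substr(hash, pos - width[i] + 1, width[i])
      pos -= width[i]
    }
    print path "/" hash
  }'
}

# Evict one entry. The cache file begins with a binary header followed by a line
# "KEY: <key>"; refuse to delete unless that line matches, so a wrong root/levels
# guess (which yields a plausible-looking path) cannot remove some other file.
nginx_cache_purge() {
  key=$1; cache_root=$2; levels=${3:-1:2}
  file=$(nginx_cache_path "$key" "$cache_root" "$levels")
  if [ ! -f "$file" ]; then
    echo "no cache file for key: $key" >&2
    return 1
  fi
  # -a: treat the binary file as text; -F -x: exact whole-line match of the header line
  if grep -Faqx "KEY: $key" "$file"; then
    rm -f "$file"
    return 0
  fi
  echo "refusing to delete $file: KEY header does not match '$key'" >&2
  return 2
}

# Usage: the path the post's one-liner computes, for the post's key and layout.
nginx_cache_path 'httpGETashishnepal.com/nginx/' /etc/nginx/cache 1:2
```

For levels=1:2 the function reproduces the post's awk expression; for levels=2 or 2:2:2 it walks the digest from the end the same way, which is how nginx lays the directories out.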

Starting nginx: nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size

The full warning reads:

Starting nginx: nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size

Background (from the nginx documentation on hash tables):
During the start and each re-configuration nginx selects the minimum possible sizes of hash tables such that the bucket size that stores keys with identical hash values does not exceed the configured parameter (hash bucket size). The size of a table is expressed in buckets. The adjustment is continued until the table size exceeds the hash max size parameter. Most hashes have the corresponding directives that allow changing these parameters, for example, for the server names hash they are server_names_hash_max_size and server_names_hash_bucket_size.

Solution: generally you raise the sizes the warning names (proxy_headers_hash_max_size and proxy_headers_hash_bucket_size), but if proxy_set_header directives are duplicated the hash fills up quickly, so check for duplicates before simply enlarging it.

Causes:
1) too many domains to map into the hash
2) server_names_hash sizes set too low
3) too many proxy_set_header values

Check for duplicate proxy_set_header directives.
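To make that check mechanical, here is an added example (my code, not from the original post) that flags proxy_set_header directives naming the same header twice within one nginx context. A header set again in a nested location is deliberately not reported, because proxy_set_header directives at a lower level replace the inherited set rather than adding to it. It assumes the usual nginx layout (one directive per line, an opening brace at the end of a line, a closing brace on its own line), compares header names case-insensitively as HTTP defines them, and does not follow include directives; pass those files explicitly.

```shell
#!/bin/sh
# Added example: report proxy_set_header names repeated inside the same nginx context.
# Assumptions: one directive per line; "{" ends its line and "}" starts one;
# files (including any included ones) are passed as arguments.
duplicate_proxy_headers() {
  awk '
    /^[[:space:]]*#/ { next }                        # skip comment lines
    # each "{" opens a context; give it a unique id so names are tracked per context
    index($0, "{") > 0 { depth++; ctx[depth] = ++nctx }
    $1 == "proxy_set_header" {
      name = tolower($2)                             # HTTP header names are case-insensitive
      if ((ctx[depth], name) in seen)
        print FILENAME ":" NR ": duplicate proxy_set_header " $2
      seen[ctx[depth], name] = 1
    }
    index($0, "}") > 0 { depth-- }                   # leave the context
  ' "$@"
}

# Usage (paths are placeholders):
#   duplicate_proxy_headers /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
```

Each reported line is a directive that adds a second entry for an already-set header to the same context's hash; removing the repeat is the fix the post recommends before resorting to larger hash sizes.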

awk: print lines whose second column matches a value

awk '$2==5' file    # numeric comparison; use $2=="5" to compare as a string

Check SSL details at the command line

# Check SSL certificate details

# Remote certificate: s_client prints the server's certificate chain
# (the session stays open for input; Ctrl-D or </dev/null ends it)
openssl s_client -connect ashishnepal.com:pop3s

# Local certificate: validity dates, subject and issuer
c="/path/to/cert"
openssl x509 -noout -dates -subject -issuer -in "$c"
openssl x509 -noout -dates -subject -issuer -in filename.crt

# Remote certificate summarised the same way; </dev/null closes stdin so the command
# returns instead of waiting, and -servername sends SNI so a name-based virtual host
# presents its own certificate rather than the default one
openssl s_client -host google.com -port 443 -servername google.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer
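Printing the dates is the first step; what a practitioner usually wants is a yes/no answer on expiry that can run from cron. The following added example (my code, not from the original post) wraps the commands above as functions and adds that check using openssl's -checkend option. It assumes the openssl CLI is on PATH; the hostname, port and certificate paths are supplied by the caller, and the self-signed certificate is generated only as constructed test data.

```shell
#!/bin/sh
# Added example: certificate inspection and expiry checks built on openssl(1).
# Assumptions: openssl on PATH; mktemp available for the throwaway demo certificate.

# Validity window, subject and issuer of a local PEM certificate.
cert_summary() {
  openssl x509 -noout -dates -subject -issuer -in "$1"
}

# The same for the certificate a remote TLS endpoint presents. -servername sends SNI so
# a name-based virtual host returns its own certificate; </dev/null stops s_client from
# waiting on stdin once the handshake is done.
remote_cert_summary() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -dates -subject -issuer
}

# Return 0 when the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 if the certificate is still valid at the end of the
# window and 1 if it is not, so the sense is inverted here to read naturally in "if".
cert_expires_within() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# Throwaway self-signed certificate valid for two days (constructed test data only);
# prints the path of the certificate file.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=demo.invalid' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Usage: warn 30 days ahead (path is a placeholder).
#   if cert_expires_within /path/to/cert.pem 30; then echo "renew soon"; fi
```

The demo certificate lives two days, so asking whether it expires within three days answers yes and within one day answers no; the same two calls against a production certificate with a 30-day window give a cron-friendly exit status without any date parsing.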

print lines between start and end using awk and sed

AWK print pattern

[root@spark ~]# cat testfile
shit lot
of crap
in here
lets see

awk: print lines whose first field starts with a pattern:
[root@spark ~]# awk '$1 ~ /^shit/' testfile
shit lot

sed: print the lines between two patterns (inclusive):
[root@spark ~]# sed -n '/shit/,/crap/p' testfile
shit lot
of crap

print lines between start and end using sed

sed: print blocks that start with a line beginning "201" and end with a line ending "2015"
sed -n '/^201/{:start /2015$/!{N;b start};//p}'

How it works:
sed -n '/^STARTPATTERN/{:start /ENDPATTERN$/!{N;b start};//p}'

With -n, sed prints nothing unless told to. When a line matches STARTPATTERN, the block in braces runs: the label "start" is defined, and as long as the pattern space does not end with ENDPATTERN, N appends the next input line and "b start" jumps back to test again. Once ENDPATTERN is found, "//p" prints the accumulated lines ("//" reuses the last regular expression that was tried, i.e. ENDPATTERN). If the input ends before ENDPATTERN appears, N has nothing to read and the unfinished block is dropped rather than printed. The one-line form relies on GNU sed, which lets whitespace, ";" or "}" end a label name; POSIX sed expects each label and branch command on its own line.

The -n option suppresses automatic printing, so nothing is output unless a command explicitly asks for it. The p flag of the substitute command is one way to turn printing back on. To make this concrete, the command

sed 's/PATTERN/&/p' file

acts like cat if PATTERN is not in the file, since nothing is changed. If PATTERN is in the file, each line containing it is printed twice. Add the -n option and the example behaves like grep:

sed -n 's/PATTERN/&/p' file

Nothing is printed except the lines that contain PATTERN.

The long form of the -n option is either

sed --quiet 's/PATTERN/&/p' file
or

sed --silent 's/PATTERN/&/p' file
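The difference between a plain range address and the looping form above only shows up on input where the end pattern is missing. The following added example (my code, not from the original post) puts the two behaviours side by side on a constructed file: the sed range keeps printing to end of file when the end pattern never arrives, while a buffered version (written here in awk rather than the post's sed loop, so it runs the same way on any sed/awk) prints only blocks that actually closed. It also shows the exclusive variant that drops the boundary lines. It assumes sed, awk and mktemp are available.

```shell
#!/bin/sh
# Added example: three ways to print the lines between a start and an end pattern.
# Assumptions: sed, awk and mktemp on PATH; patterns are passed as regular expressions.

# Inclusive range, equivalent to the post's  sed -n '/start/,/end/p'.
# If the end pattern never appears, the range runs to the end of the file.
print_between() {
  sed -n "/$1/,/$2/p" "$3"
}

# The same range but without the boundary lines themselves.
print_between_exclusive() {
  awk -v s="$1" -v e="$2" '
    $0 ~ e  { inblock = 0 }      # end line: stop before printing it
    inblock { print }
    $0 ~ s  { inblock = 1 }      # start line: begin after it
  ' "$3"
}

# Buffer each block from start to end and print it only once the end line is seen;
# an unterminated block at end of file is discarded, matching the post's sed loop.
print_complete_blocks() {
  awk -v s="$1" -v e="$2" '
    !inblock && $0 ~ s { inblock = 1; buf = "" }
    inblock            { buf = buf $0 "\n" }
    inblock && $0 ~ e  { printf "%s", buf; inblock = 0 }
  ' "$3"
}

# Constructed sample: one complete block and one that is never closed; prints its path.
make_sample() {
  f=$(mktemp)
  printf '%s\n' \
    '201 first block opens' \
    'middle line' \
    'closes in 2015' \
    'unrelated line' \
    '201 second block opens' \
    'never closed' > "$f"
  printf '%s\n' "$f"
}

# Usage, with the post's start and end patterns:
sample=$(make_sample)
echo '--- range address (runs to EOF on the unclosed block):'
print_between '^201' '2015$' "$sample"
echo '--- complete blocks only:'
print_complete_blocks '^201' '2015$' "$sample"
```

On the sample the range address prints five lines, including the unclosed second block, whereas the buffered version prints only the three lines of the first block; pick the one whose failure mode you want when input is truncated.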
