Category Archives: IT

NGINX: display reverse proxy headers

If you are having trouble with a web application sitting behind a reverse proxy, it helps to have the backend web server display the headers it actually receives.

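<?php
// Debug page: print every request header the backend received from the proxy.
echo "<h1>Headers received from the reverse proxy</h1>";
$headers = getallheaders();
foreach ($headers as $key => $val) {
  // Header values are client-controlled: escape them before writing HTML.
  echo htmlspecialchars($key) . ': ' . htmlspecialchars($val) . '<br>';
}
?>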

| Command | Parameter 1 | Parameter 2 | Output |
|---|---|---|---|
| proxy_set_header | X-Real-IP | $remote_addr; | IP address of client |
| proxy_set_header | X-Forwarded-For | $proxy_add_x_forwarded_for; | IP address of client |
| proxy_set_header | X-Forwarded-Host | $server_name; | called vhost |
| proxy_set_header | X-Forwarded-Proto | $scheme; | https or http |

Header commands and outputs

If you want to test what your page and headers look like from outside, call it from a site like https://testlocal.ly .

NGINX: HTTP basic authentication

The ngx_http_auth_basic_module module allows limiting access to resources by validating the user name and password using the “HTTP Basic Authentication” protocol.
Access can also be limited by address. Simultaneous limitation of access by address and by password is controlled by the satisfy directive.
Add the following to the vhost config file to limit access:

location / {
    auth_basic           "Restricted access";
    auth_basic_user_file /etc/nginx/passwords/passwords;
}

The auth_basic directive enables validation of user name and password using the “HTTP Basic Authentication” protocol. The specified parameter is used as a realm. The special value off cancels the effect of the auth_basic directive inherited from the previous configuration level.
The auth_basic_user_file directive specifies a file that keeps user names and passwords, in the following format:

# comment
name1:password1
name2:password2:comment
name3:password3

The following password types are supported:

  • encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
  • hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools.

Create the password file and the first user (-c creates the file and overwrites an existing one):

htpasswd -c /etc/nginx/passwords/passwords paul

To add an additional user:

htpasswd /etc/nginx/passwords/passwords pierre
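
A check of the password file format described above, as an added example (not from the nginx documentation or the original post): it classifies each entry's hash and flags traditional 13-character crypt() hashes, which only use the first 8 password characters, fields that are not a recognised hash, and a world-readable file. The function names and the sample entries are assumptions made up for illustration.

```sh
#!/bin/sh
# Added example: audit an nginx auth_basic_user_file (name:hash[:comment]).

# Print the hash scheme of one password field.
classify_hash() {
  case "$1" in
    '$apr1$'*) echo apr1 ;;              # Apache MD5 variant
    '$'*'$'*)  echo crypt-modular ;;     # crypt() with a $id$ prefix
    *) if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
         echo des-crypt                  # traditional crypt(): only 8 chars used
       else
         echo unknown                    # not a recognised hash, maybe plaintext
       fi ;;
  esac
}

# Print one verdict line per entry: "OK|FLAG <name> <scheme>".
audit_htpasswd() {
  while IFS=: read -r name hash _rest || [ -n "$name" ]; do
    case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
    if [ -z "$hash" ]; then echo "FLAG $name malformed"; continue; fi
    scheme=$(classify_hash "$hash")
    case "$scheme" in
      des-crypt|unknown) echo "FLAG $name $scheme" ;;
      *)                 echo "OK $name $scheme" ;;
    esac
  done < "$1"
}

# Succeeds if the file is readable by "other" (any local user can read the hashes).
world_readable() { [ -n "$(find "$1" -perm -004)" ]; }

# Constructed sample file; the hash strings are made up, not real digests.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# comment
paul:$apr1$abcdefgh$0123456789abcdefghijkl
pierre:ab0123456789.:old account
marie:hunter2
broken
EOF
chmod 644 "$demo"
audit_htpasswd "$demo"
world_readable "$demo" && echo "FLAG file is world-readable"
rm -f "$demo"
```
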

To allow access per address:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

The satisfy directive allows access if all (all) or at least one (any) of the ngx_http_access_module, ngx_http_auth_basic_module, ngx_http_auth_request_module, or ngx_http_auth_jwt_module modules allow access:

location / {
    satisfy any;
    allow 192.168.1.0/24;
    allow 10.0.X.0/24;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}

Source: https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
Source: https://nginx.org/en/docs/http/ngx_http_access_module.html

NGINX: enable configuration

After creating a website or a reverse proxy vhost through the configuration file, the vhost has to be enabled:

ln -s /etc/nginx/sites-available/my.domain.com /etc/nginx/sites-enabled/my.domain.com

You can test the configuration file using the following command:

nginx -t

Do not forget to restart NGINX for the changes to be applied:

systemctl restart nginx

ATTENTION:
Always activate the vhost before generating the Let's Encrypt SSL certificates. Otherwise the default configuration file is used, which might result in two different vhosts using the same domain name. NGINX will then skip one of the two configurations on startup.
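
To catch the duplicate-vhost situation before requesting certificates, the following added example (not part of the original post) lists every server_name that appears in more than one file of a directory such as /etc/nginx/sites-enabled. The function name and the sample files are constructed; it is a heuristic that only reads single-line server_name directives and ignores listen addresses.

```sh
#!/bin/sh
# Added example: find domain names claimed by more than one vhost file.

# Print "<name>: <file> <file> ..." for each server_name found in 2+ files of DIR.
duplicate_server_names() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v file="$(basename "$f")" '
      $1 == "server_name" {
        for (i = 2; i <= NF; i++) {
          name = $i
          ended = sub(/;.*/, "", name)      # strip ";" and anything after it
          if (name != "" && name != "_") print name, file
          if (ended) break                  # ignore trailing comments
        }
      }' "$f" | sort -u                     # one entry per name per file
  done | awk '
    { files[$1] = files[$1] " " $2; count[$1]++ }
    END { for (n in count) if (count[n] > 1) print n ":" files[n] }' | sort
}

# Constructed sample: "default" was later edited to serve my.domain.com too.
dir=$(mktemp -d)
printf 'server {\n  listen 80;\n  server_name my.domain.com www.my.domain.com;\n}\n' \
  > "$dir/my.domain.com"
printf 'server {\n  listen 80 default_server;\n  server_name _;\n}\n' > "$dir/default"
printf 'server {\n  listen 443 ssl;\n  server_name my.domain.com; # added later\n}\n' \
  >> "$dir/default"
duplicate_server_names "$dir"
rm -rf "$dir"
```
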

Ubuntu: enable root access from SSH

Connecting to a server via SSH as root user is disabled by default. To enable this, edit the sshd configuration file:

nano /etc/ssh/sshd_config

Find the following line:

#PermitRootLogin prohibit-password

Change it to this (yes also permits root login with a password):

PermitRootLogin yes

Now restart the ssh service:

systemctl restart sshd

Time zone adjustment

To check whether the server is in the same time zone as your workstation:

date

To modify the time zone:

sudo timedatectl set-timezone Europe/Luxembourg

Alternatively, change the time zone interactively:

dpkg-reconfigure tzdata

Find differences between folders

diff -rq /.../folder1 /.../folder2

The r flag ensures that each directory is examined recursively.
The q flag activates the brief mode: only the names of differing files are reported. Without this flag, diff prints the actual line-by-line differences for any files that exist in both locations but are not identical.

To check differences between remote shares:

diff -rq /Volumes/Movies-1 /Volumes/Movies-2

This also works with rsync:

rsync -avun $SOURCE $TARGET

To detect corrupt files as well, compare checksums too:

rsync -avnc $SOURCE $TARGET

SAMBA (install and configure)

Install and configure Samba

sudo apt-get install samba -y

Once the software is installed, you’re ready to configure your first share. Samba shares are configured in /etc/samba/smb.conf, so open that file with the command:

sudo nano /etc/samba/smb.conf

Scroll to the bottom and add the following for each share:

[ShareName]
path = /var/www/www.website.com
valid users = paul
browsable = yes
writable = yes
read only = no

  • [ShareName] is the visible name of the share when connecting to the server
  • valid users: the list of users that are allowed to access this share. The user needs to be added to Samba and a password needs to be generated.
  • path: the absolute path on the disk
  • browsable: make the share visible or invisible on the network
  • writable: make the share writable (or not)
  • read only: make the share read-only (or not)

Save (CTRL-O) and close (CTRL-X) the configuration file.
Restart the Samba daemon:

sudo systemctl restart smbd

Add a user to Samba

After limiting access to a list of users (see above), you have to add the user to Samba and create a password for him/her.

sudo smbpasswd -a paul

You will be prompted to enter the password and confirm it for user paul. After creating the user, you have to enable him/her.

Enable a user

sudo smbpasswd -e paul

Disable a user

sudo smbpasswd -d paul

Delete a user

sudo smbpasswd -x paul