somertechs.com

Hello,

This time I'm going to share a very important tip about HAProxy and nginx.

When you run a LB (load balancer) in front of any web server software (nginx, Apache, etc.), the backend server sees every connection as coming from the LB's IP address, so the server software (in my example that's nginx) will log the LB's IP in its logs, and so will any application that does logging.

What's the problem with that?

It's very simple: we need to log the client's IP address in the logs when they visit our site. In my case the geoip module was not functioning after I had installed the LB in front of two backend servers. (One server hosted both the LB and a backend server, and the other one was the second backend server; I used iptables port forwarding to have the LB on the same IP on the first server.)

So let's correct this problem.

First things first

Configure HAProxy to send the X-Forwarded-For header to the backend servers and to close keep-alive connections.

Open haproxy.cfg and add the following at the global and listen section:

option httpclose

option forwardfor

Now HAProxy will send the X-Forwarded-For header to the backend.

So HAProxy is doing its job, but how do we get the X-Forwarded-For header read by our backend server software? In my case that's nginx, so I'll talk about that here.

You need a special module for nginx, and you have to compile nginx again to have it added.

That's the nginx HTTP real IP module:

http://wiki.nginx.org/NginxHttpRealIpModule

Use the --with-http_realip_module option when you configure nginx.

When you finish installing the module, go to the corresponding vhost configuration file (for example domain.conf) where you need to log the real client IP addresses passed on by the LB, and add:

set_real_ip_from load balancer ip address;

real_ip_header X-Forwarded-For;

The above tells nginx to accept the X-Forwarded-For header only from HAProxy at that specific IP, so it'll log and read the correct client IP addresses on the vhost.

Don't forget to restart nginx and HAProxy after you make the changes.
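
The trust decision that set_real_ip_from and real_ip_header set up, modelled in Python as an added example (not code from nginx or from this post): the header is honoured only when the connection comes from a listed address, and the right-most entry, the one the LB appended, is taken. The function name and addresses are constructed; the recursive flag models nginx's real_ip_recursive directive, which goes beyond the two directives shown above, and the header is assumed to arrive as one comma-separated list.

```python
import ipaddress

def resolve_client_ip(remote_addr, xff, trusted, recursive=False):
    """Illustrative model (not nginx source) of which address gets logged.

    remote_addr: peer address of the connection the backend accepted
    xff:         X-Forwarded-For value as one comma-separated list, or None
    trusted:     addresses/networks listed in set_real_ip_from
    recursive:   models "real_ip_recursive on" (chains of trusted proxies)
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(remote_addr)
    # A header from a peer that is not the LB is ignored entirely.
    if not xff or not is_trusted(current):
        return str(current)
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    # Walk right to left: the last entry is the one the LB itself appended.
    for entry in reversed(entries):
        try:
            candidate = ipaddress.ip_address(entry)
        except ValueError:
            break  # unparsable entry: keep the address we already have
        current = candidate
        if not recursive or not is_trusted(current):
            break
    return str(current)

# Constructed sample values (documentation address ranges).
LB = "192.0.2.10"
CLIENT = "198.51.100.7"

if __name__ == "__main__":
    cases = [
        ("via LB", LB, CLIENT, [LB]),
        ("client-supplied entry in front", LB, "10.9.9.9, " + CLIENT, [LB]),
        ("direct hit, bypassing LB", CLIENT, "10.9.9.9", [LB]),
        ("over-broad trust 0.0.0.0/0", CLIENT, "10.9.9.9", ["0.0.0.0/0"]),
    ]
    for label, peer, header, trust in cases:
        print(f"{label:32} -> {resolve_client_ip(peer, header, trust)}")
```

With set_real_ip_from limited to the LB's address, a header sent straight to the backend is ignored (third case); the fourth case shows what an over-broad range accepts.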

For Apache, look for mod_extract or mod_rpaf.

Hope it helps you.

Thanks

Vps and dedicated

It's very hard to transfer files between two servers when you have a slow connection, so there are some scripts that can automate transfers between servers without downloading to your PC first.
Here is the first one (a simple PHP script):
http://somertechs.com/ftptoftp.zip
Another one is startftp (a more detailed PHP script):
http://www.startftp.com/startftp_personal_edition.zip

Server management - Vps and dedicated

If you have changed the default shell port (22) on a cPanel-powered server, restarting sshd from WHM will fail.
You have to SSH to the server and issue the following command to restart sshd:
/sbin/service sshd restart
To temporarily reset your shell port back to 22, open the following address in your browser's address field:
SERVER_MAIN_IP:2087/scripts2/doautofixer?autofix=safesshrestart
Now you should be able to access the shell, and you need to restart sshd at the prompt using the command mentioned above.

Server management - Vps and dedicated

Many people want to install ffmpeg on their servers but don't know how to do it, so the programmer at sherin.in created a script that automates the install of ffmpeg along with other components such as mplayer, mencoder, flvtool ...
The complete list of tools is:
*MPlayer
*Codecs
*Flvtool
*Lame
*Libogg
*Libvorbis
*Vorbis-tools
*Libtheora
*FFMPEG
*AMR 3gp Encoder and decoder (amrnb,amrwb-)
*ffmpeg-php
*Ruby
*wmf Lib
*faad2
*facc
*a52dec-0.7.4
* xvid/div decoder
*x264  
You can get the script from
http://www.sherin.in/ffmpeg/index.php?option=com_content&task=view&id=25&Itemid=39
There are two versions of the script, one for the shared hosts and other one for vps/dedicated hosts (root account is not required).
Instructions
http://www.sherin.in/ffmpeg/index.php?option=com_content&task=view&id=14&Itemid=1
Ffmpeginstall is the FOSS India 2008 Award Winner Project

Server management - Vps and dedicated

Before starting, you have to add the Dag Wieers repo from here:
http://dag.wieers.com/rpm/FAQ.php#B
If you are on a VPS, you'll need your VPS provider to enable tun/tap devices for you. If you are on a dedicated server, you can issue the following commands over SSH to create the device:
mknod /dev/net/tun c 10 200
modprobe tun
Go to SSH and run:
yum install openssl openssl-devel

2. Right, now you want to install OpenVPN, here are the commands,


yum install openvpn -y
#Now check that it works
service openvpn start
service openvpn stop
3. A few things to setup before you can make certificates, issue these commands,

find / -name "easy-rsa"
#you should get an output like this…
/usr/share/doc/openvpn-2.0.7/easy-rsa
#Now, make a copy of the easy-rsa directory, to /etc/openvpn/ (make sure you
#have put the right version number in i.e. mine was -2.0.7, change if needed)
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
chmod 777 *
mkdir /etc/openvpn/keys
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You can use any editor you like, I used vi.
Change the line

export KEY_DIR=$D/keys

to

export KEY_DIR=/etc/openvpn/keys

Also at the bottom of this file you will see something similar to this,

export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SOMEWHERE
export KEY_ORG="My Org"
export KEY_EMAIL=me@mydomain.com

Change this to your own values.
5. Now it's time to make the certificates, enter these commands

. ./vars
./clean-all
./build-ca  # just hit enter to the defaults apart from Common Name, this must be unique
# call it something like mydomain-ca

./build-key-server server
./build-key client1   # remember that common name must be unique e.g. use mydomain-client1
# and YES you want to sign the keys

./build-key client2  # do this step for as many clients as you need.

./build-dh
6. We are almost done now. We need to create a few config files; you can download my template from here,

cd /etc/openvpn
wget www.designpc.co.uk/downloads/server.conf   # make sure you change a few things in the server.conf file, like DNS
# servers

touch server-tcp.log   # this makes the log file

touch ipp.txt   # this makes the IP reservation list

7. You need to make a few changes to OpenVPN itself. Go to..


cd /etc/init.d/
#edit the openvpn file
#Uncomment this line (line 119)

echo 1 > /proc/sys/net/ipv4/ip_forward

Add these lines below it, changing 123.123.123.123 to your public IP address,


 iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.6 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.8 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.9 -j SNAT --to 123.123.123.123
 iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to 123.123.123.123
Now install iptables if you don’t have it already,


yum install iptables
#test it
service iptables start
service iptables stop
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN, use the gui version, downloadable from here;
http://www.designpc.co.uk/downloads/openvpn-2.0.9-gui-1.0.3-install.exe
You need to copy a few files from the server to your client machine, here is the list, located in /etc/openvpn/keys/
## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.
ca.crt
client1.csr
client1.key
client1.crt
Put these files in this directory C:\Program Files\OpenVPN\config\
Now you need to make a client config, here is an example..

client
dev tun
proto tcp
#Change my.publicdomain.com to your public domain or IP address
remote my.publicdomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
#DNS Options here, CHANGE THESE !!
push "dhcp-option DNS 123.123.123.123"
push "dhcp-option DNS 123.123.123.124"
comp-lzo
verb 3
Make sure you edit any of the lines with comments above them.
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\
Make sure the file extension is .ovpn not .txt
To connect, right click on OpenVPN in the taskbar >> Connect
To test, ping 192.168.2.1
If you get a response, you're in business
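
A permission check for the files left behind by steps 3 to 5, as an added example that is not part of the original post: it lists world-writable files under the easy-rsa directory (which root sources and executes, and which step 3 sets to 777) and private keys readable by anyone but their owner. The paths are the ones used above; the function name is hypothetical.

```python
import os
import stat

def audit_openvpn_perms(easy_rsa_dir="/etc/openvpn/easy-rsa",
                        keys_dir="/etc/openvpn/keys"):
    """Return a sorted list of (path, problem) tuples; empty means clean."""
    findings = []
    # Scripts here are sourced or run by root (". ./vars", "./build-ca"),
    # so a file any local user can modify is a way to run code as root.
    for root, _dirs, files in os.walk(easy_rsa_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    # Private keys (*.key) should be accessible by their owner only.
    for root, _dirs, files in os.walk(keys_dir):
        for name in files:
            if not name.endswith(".key"):
                continue
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, "key accessible by group/other"))
    return sorted(findings)

if __name__ == "__main__":
    for path, problem in audit_openvpn_perms():
        print(f"{problem}: {path}")
```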
...........................................................................................
Credits
Stanton Finley, for all the YUM configs
OpenVPN.net
Originally posted by stuartornum of webhostingtalk. http://www.webhostingtalk.com/member.php?u=58423