Monday, May 16, 2011

How to configure cPanel + SSL + suPHP + SharedIP

Getting cPanel and suPHP and SSL with a shared IP to work takes some manual configuration.

If you receive the following error when browsing to an SSL+sharedIP+suPHP site, then these directions are for you:


Internal Server Error 

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@training.nts.wustl.edu and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Server at training.nts.wustl.edu Port 443


The following errors will show up in the log file:

root@prism [/usr/local/apache/logs]# cat /usr/local/apache/logs/suphp_log | grep Mismatch
[Fri May 13 14:11:29 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
[Fri May 13 14:11:35 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
[Mon May 16 08:27:48 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"



Original Files:
=============================

root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/main
--- 
addon_domains: {}

main_domain: prism.nts.wustl.edu
parked_domains: []

sub_domains: 
  - training.nts.wustl.edu





root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/training.nts.wustl.edu_SSL
--- 
documentroot: /home/training/public_html
group: nobody
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: 128.252.69.1
owner: root
phpopenbasedirprotect: 1
port: 443
serveradmin: webmaster@training.nts.wustl.edu
serveralias: www.training.nts.wustl.edu
servername: training.nts.wustl.edu
ssl: 1
sslcacertificatefile: /etc/ssl/certs/training.nts.wustl.edu.cabundle
sslcertificatefile: /etc/ssl/certs/training.nts.wustl.edu.crt
sslcertificatekeyfile: /etc/ssl/private/training.nts.wustl.edu.key
usecanonicalname: 'Off'
user: nobody
userdirprotect: -1



The above files generated the following snippet from /usr/local/apache/conf/httpd.conf:




    ServerName training.nts.wustl.edu
    ServerAlias www.training.nts.wustl.edu
    DocumentRoot /home/training/public_html
    ServerAdmin webmaster@training.nts.wustl.edu
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu combined
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User nobody # Needed for Cpanel::ApacheConf
    
        suPHP_UserGroup nobody nobody
    
    ScriptAlias /cgi-bin/ /home/training/public_html/cgi-bin/
    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/training.nts.wustl.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/training.nts.wustl.edu.key
        SSLCACertificateFile /etc/ssl/certs/training.nts.wustl.edu.cabundle
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
        SSLOptions +StdEnvVars
    

    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/ssl/2/nobody/training.nts.wustl.edu/*.conf"










Following These Directions:
====================================

* Manually adjust the files in /var/cpanel/userdata:
  * move the SSL host file from the "nobody" user folder to the actual/original user (training),
  * edit the file to change the user and group names,
  * edit the "main" file to remove that domain from the nobody user.

* Remove the cache files for any files you've moved or changed.

* Run /scripts/updateuserdomains and then /scripts/rebuildhttpdconf.

* This should result in the suPHP_UserGroup being "training" instead of nobody in httpd.conf. At this point you can restart Apache to make sure everything still works as expected.
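As an added example (not part of the original post), a small Python check that parses suphp_log "Mismatch" warnings like the ones above together with the scalar fields of a cPanel userdata file, and reports when the VirtualHost's suPHP user does not own the files under its documentroot. The log text, the userdata excerpt and the uid-to-name table are constructed inline from the values shown on this page.

```python
import re
from collections import Counter

# Constructed sample input: suphp_log warnings in the exact shape shown in the post.
SUPHP_LOG = """\
[Fri May 13 14:11:29 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
[Mon May 16 08:27:48 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
"""

# Constructed excerpt of the broken userdata file (the "nobody" version of the SSL host file).
USERDATA_BEFORE = """\
---
documentroot: /home/training/public_html
group: nobody
servername: training.nts.wustl.edu
ssl: 1
user: nobody
"""

# Constructed uid -> name table; on a real host use pwd.getpwuid(uid).pw_name instead.
PASSWD = {0: "root", 99: "nobody", 1006: "training"}

MISMATCH_RE = re.compile(
    r'Mismatch between target UID \((\d+)\) and UID \((\d+)\) of file "([^"]+)"')


def parse_mismatches(log_text):
    """Return (target_uid, file_uid, path) for every suPHP mismatch warning."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in map(MISMATCH_RE.search, log_text.splitlines()) if m]


def parse_userdata(text):
    """Minimal parser for the top-level 'key: value' lines of a cPanel userdata file."""
    data = {}
    for line in text.splitlines():
        if line.startswith("---") or not line.strip() or line.startswith(" "):
            continue  # skip the YAML header, blank lines and nested list items
        key, _, value = line.partition(":")
        data[key.strip()] = value.strip().strip("'")
    return data


def check_vhost(userdata, mismatches, passwd=PASSWD):
    """Report when the VirtualHost's suPHP user is not the owner of its documentroot files.

    Returns None if no warning implicates this vhost, otherwise a dict with the fix.
    """
    docroot = userdata["documentroot"].rstrip("/") + "/"
    owners = Counter(passwd.get(file_uid, str(file_uid))
                     for target_uid, file_uid, path in mismatches
                     if path.startswith(docroot)
                     and passwd.get(target_uid, str(target_uid)) == userdata["user"])
    if not owners:
        return None
    owner, hits = owners.most_common(1)[0]
    return {"servername": userdata["servername"], "runs_as": userdata["user"],
            "files_owned_by": owner, "warnings": hits,
            "fix": {"user": owner, "group": owner}}
```

On a live server the same functions can be fed the real suphp_log and userdata file contents; nothing here modifies them.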


Detailed Commands run:
===================================
root@prism [/var/cpanel/userdata/nobody]# mv training.nts.wustl.edu_SSL ../training/

root@prism [/var/cpanel/userdata/nobody]# rm training.nts.wustl.edu_SSL.cache 
rm: remove regular file `training.nts.wustl.edu_SSL.cache'? y

root@prism [/var/cpanel/userdata/nobody]# vi main

root@prism [/var/cpanel/userdata/nobody]# rm main.cache 
rm: remove regular file `main.cache'? y

root@prism [/var/cpanel/userdata/nobody]# cd ../training/

root@prism [/var/cpanel/userdata/training]# vi training.nts.wustl.edu_SSL

root@prism [/var/cpanel/userdata/training]# /scripts/updateuserdomains

root@prism [/var/cpanel/userdata/training]# /scripts/rebuildhttpdconf
Built /usr/local/apache/conf/httpd.conf OK

root@prism [/var/cpanel/userdata/training]# /etc/init.d/httpd restart



Updated Files:
===============================

root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/main 
--- 
addon_domains: {}

main_domain: prism.nts.wustl.edu
parked_domains: []

sub_domains: []



root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/training/training.nts.wustl.edu_SSL 
--- 
documentroot: /home/training/public_html
group: training
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: 128.252.69.1
owner: root
phpopenbasedirprotect: 1
port: 443
serveradmin: webmaster@training.nts.wustl.edu
serveralias: www.training.nts.wustl.edu
servername: training.nts.wustl.edu
ssl: 1
sslcacertificatefile: /etc/ssl/certs/training.nts.wustl.edu.cabundle
sslcertificatefile: /etc/ssl/certs/training.nts.wustl.edu.crt
sslcertificatekeyfile: /etc/ssl/private/training.nts.wustl.edu.key
usecanonicalname: 'Off'
user: training
userdirprotect: -1




The above files generated the following snippet from /usr/local/apache/conf/httpd.conf:


    ServerName training.nts.wustl.edu
    ServerAlias www.training.nts.wustl.edu
    DocumentRoot /home/training/public_html
    ServerAdmin webmaster@training.nts.wustl.edu
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu combined
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User training # Needed for Cpanel::ApacheConf
    
        suPHP_UserGroup training training
    
    
        php4_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        php5_admin_value open_basedir "/home/training:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/local/lib/php:/tmp"
        
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        
    
    
        SuexecUserGroup training training
    
    ScriptAlias /cgi-bin/ /home/training/public_html/cgi-bin/
    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/training.nts.wustl.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/training.nts.wustl.edu.key
        SSLCACertificateFile /etc/ssl/certs/training.nts.wustl.edu.cabundle
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
        SSLOptions +StdEnvVars
    

    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/ssl/2/training/training.nts.wustl.edu/*.conf"






Sunday, May 15, 2011

Using puppet to manage users, groups, and ssh keys.

UPDATE 2014/07/18.  This document has been updated, go here:

        http://blog.zweck.net/2014/07/puppet-module-to-manage-users-groups.html

Everything has been moved to a Github Repository.




Create the following file /etc/puppet/modules/useradd/manifests/init.pp:

## init.pp (useradd)


define add_user ( $name, $uid, $password, $shell, $groups, $sshkeytype, $sshkey) {

 # Solaris keeps home directories under /export/home; everything else uses /home.
 $homedir = $kernel ? {
  'SunOS' => '/export/home',
  default => '/home'
 }

 # The resource title is the login name; the uid doubles as the private group's gid.
 $username = $title
 user { $username:
  comment    => "$name",
  home       => "$homedir/$username",
  shell      => "$shell",
  uid        => $uid,
  gid        => $uid,
  managehome => true,
  password   => "$password",
  groups     => $groups
 }

 # Private group with the same numeric id as the user.
 group { $username:
  gid => $uid
 }

 # Install the user's public key into ~/.ssh/authorized_keys.
 ssh_authorized_key { $username:
  user   => "$username",
  ensure => present,
  type   => "$sshkeytype",
  key    => "$sshkey",
  name   => "$username"
 }
}

Create and/or edit your /etc/puppet/manifests/sites.pp file:

node "default" {

 # This is the account I use to build machines, so I can use puppet
 # to create the real user accounts afterwards. 
 user { installer:
  ensure => "absent"
 }


 add_user { jemurray:
  name    => "Jason E. Murray",
  uid      => "777",
  password => '$1$abcedfghijklkmnopqrstuvwxyz',
  shell => "/bin/bash",
  groups => ['sudo', 'jemurray'],
  sshkeytype => "ssh-dss",
  sshkey => "AAAAB3NzaC1kc3MAAACBAJzMVL4afDQBJ3rcM9LlHqxg0rmkWDwoWehS4nIpBLJL9qGoyR1YBzPvpD1VufsUqgUXH9dYdfaiVum4IaTgyu2Tb0ezR4Nx2Jkcnp+8jFh/Cys3zgMvzJaIw/Au45E9h4vBdwvouj1Sg0YaY5mGuKZ2w121uPLawjc3DJsNSc+jAAAAFQCb7+Vtir8w+o/CIDiSPXr6MVj16QAAAIBFHMnBixvQaxekLK70eR9TgYUAXsh0MHT8VT+XMUWlOC8u8yVEOTDzrU1ZL2vNWo4NZL6ex9ffx0JRS5hSCU/o8aVcoC4viCC7SGmntNb0nQo+iKUyTQbGcmMoPG9lO498prML66GbOYWzTedc4XT683kyWV4k0iVixyvLsfLnAAAAIB4PmZfjdTtYwC7cE/upvfC/HWpKHHAn66YW6PRTCwZPqCd2AvHAMX/l7nbk1u+BL0YtymawzNT97FcYuvM1UWrJ+fT8isTyHsoUkf76irVxcTBH0SReChHbYeWa2bATEvaj0u2597H4O7qYHJ6IZpTTAeWP0EeKDABfonAr+ZJw=="
 }
}


You can call add_user as many times as you want.

Tuesday, February 22, 2011

Basic IPv6 point-to-point interface setup on a Cisco router.

We have been slowly rolling out IPv6 throughout this past year. Here is a basic configuration to get IPv6 P2P links between 2 routers. This was mocked up in GNS3 for OSX.


Router1:

ipv6 unicast-routing
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
 ipv6 address FE80::9 link-local
 ipv6 address 2604:3E00:1:1::1/64
 ipv6 enable

Router2:

ipv6 unicast-routing
interface GigabitEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 negotiation auto
 ipv6 address FE80::11 link-local
 ipv6 address 2604:3E00:1:1::2/64
 ipv6 enable


Ping test from Router1 to Router2:

ping ipv6 2604:3E00:1:1::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2604:3E00:1:1::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms


We statically set our link-local addresses so an easily understandable next hop can be determined when we view the routing table. What we do is set up all link-local addresses exactly the same on each router. For example, all LL addresses on router1 are FE80::9, all LL addresses on router2 are FE80::11, etc. In the example below you can see how this makes it easier for a human to get the next hop.


Router1> show ipv6 route
IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE2 ::/0 [110/1], tag 2552
     via FE80::11, GigabitEthernet1/0
OE2 2000:2000:666::/64 [110/1]
     via FE80::11, GigabitEthernet1/0
OE2 2000:2000:1000::/64 [110/1]
     via FE80::11, GigabitEthernet1/0
OE2 2000:2000:2000::/64 [110/1]
     via FE80::11, GigabitEthernet1/0
OE2 2000:2000:3000::/64 [110/1]


To see the IPs associated with the interface, run:

Router1> show ipv6 interface gi 1/0
GigabitEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::9 
  No Virtual link-local address(es):
  Global unicast address(es):
    2604:3E00:1:1::1, subnet is 2604:3E00:1:1::/64 

Wednesday, February 16, 2011

RedHat 5.x patches not applying

For some unknown number of days, weeks, months... there has been a problem installing patches on one of my RedHat 5.x servers. Basically, when you run 'yum update' it says there are no updates to be installed:


root@server1 [/etc/yum.repos.d]# yum update
Loaded plugins: rhnplugin, security
Excluding Packages in global exclude list
Finished
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update


But the RH website said there were over 300 patches that needed to be applied.


The fix was to clear the metadata:


root@server1 [/etc]# yum clean metadata
Loaded plugins: rhnplugin, security
14 metadata files removed
1 sqlite files removed
0 metadata files removed




Now everything works:


root@server1 [/etc]# yum update
Loaded plugins: rhnplugin, security
rhel-x86_64-server-5 | 1.4 kB 00:00
rhel-x86_64-server-5/primary | 3.7 MB 00:00
rhel-x86_64-server-5 10994/10994
Excluding Packages in global exclude list
Finished
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package NetworkManager.x86_64 1:0.7.0-10.el5_5.2 set to be updated
---> Package NetworkManager-glib.x86_64 1:0.7.0-10.el5_5.2 set to be updated
---> Package OpenIPMI.x86_64 0:2.0.16-11.el5 set to be updated
---> Package OpenIPMI-libs.x86_64 0:2.0.16-11.el5 set to be updated
---> Package OpenIPMI-tools.x86_64 0:2.0.16-11.el5 set to be updated
---> Package acl.x86_64 0:2.2.39-6.el5 set to be updated
...


RedHat is just like Solaris... A major pain in my ass.

Friday, February 11, 2011

OpenBSD, athn, wireless sniffer

Set athn0 into monitor mode:


     sudo ifconfig athn0 -bssid -chan media autoselect mediaopts monitor nwid "" -nwkey -wpa -wpapsk


Run tcpdump to capture the 802.11 frames:


     sudo tcpdump -i athn0 -y ieee802_11_radio

Friday, January 28, 2011

Rancid failing to write term with ssh client ServerAliveInterval

We found that rancid was no longer able to perform a 'write terminal' after we set up the /etc/ssh/ssh_config option: ServerAliveInterval 5

Every single time you would do:

ssh router.example.com
term length 0
write term

The router would send a TCP FIN at the exact same spot, halfway through the config:

...
13:53:39.199206 IP rancid.example.com.54509 > router.example.com.ssh: Flags [.], ack 18941, win 41440, length 0
13:53:39.199327 IP router.example.com.ssh > rancid.example.com.54509: Flags [P.], seq 18941:18973, ack 2697, win 2920, length 32
13:53:39.199337 IP rancid.example.com.54509 > router.example.com.ssh: Flags [.], ack 18973, win 41440, length 0
13:53:39.199605 IP router.example.com.ssh > rancid.example.com.54509: Flags [P.], seq 18973:19005, ack 2697, win 2920, length 32
13:53:39.199615 IP rancid.example.com.54509 > router.example.com.ssh: Flags [.], ack 19005, win 41440, length 0
13:53:39.199675 IP router.example.com.ssh > rancid.example.com.54509: Flags [FP.], seq 19005, ack 2697, win 2920, length 0
13:53:39.199858 IP rancid.example.com.54509 > router.example.com.ssh: Flags [F.], seq 2697, ack 19006, win 41440, length 0
13:53:39.201624 IP router.example.com.ssh > rancid.example.com.54509: Flags [.], ack 2698, win 2920, length 0


After checking every single network switch, interface, cable, IP, firewall, etc., the problem was:


ServerAliveInterval


Once this was either removed or changed to a value greater than 5, for example 300, it worked just fine.


Friday, January 14, 2011

Anycast DNS setup using Linux and Cisco routers.

Cisco Router Configuration:

ip sla 101
dns anycast.example.com name-server 10.10.10.1
frequency 30
ip sla schedule 101 life forever start-time now
!
track 101 ip sla 101
!
ip route 10.0.0.1 255.255.255.255 10.10.10.1 track 101




Here is the IP route on the router:

router# show ip route 10.0.0.1
Routing entry for 10.0.0.1/32
Known via "static", distance 1, metric 0
Redistributing via eigrp 1234
Advertised by eigrp 1234 route-map STATIC-TO-EIGRP
bgp 1234
Routing Descriptor Blocks:
* 10.10.10.1
Route metric is 0, traffic share count is 1




Then you can see that this same address is also available from multiple locations:


router# show ip eigrp topology 10.0.0.1/32
EIGRP-IPv4 Topology Entry for AS(1234)/ID(10.9.9.1) for 10.0.0.1/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2562560
Descriptor Blocks:
10.10.10.1, from Rstatic, Send flag is 0x0
...
10.8.8.1 (Vlan20), from 10.6.6.1, Send flag is 0x0
...
10.7.7.1 (Vlan30), from 10.4.4.1, Send flag is 0x0



On the Unix server I have the following network interfaces setup:

eth0 Link encap:Ethernet HWaddr 00:15:17:A6:25:97
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0

lo:1 Link encap:Local Loopback
inet addr:10.0.0.1 Mask:255.255.255.255



To summarize the whole setup:

1) The router does a DNS query to the DNS server that is directly connected to it every 30 seconds.
2) If the DNS query succeeds, the static route stays in the table.
3) If the test fails, the route is withdrawn.

Handling of a client query:

1) If a DNS query is sent to 10.0.0.1, the router will process this by sending the query to the IP address the static route points to.
2) The DNS server accepts the query on the management interface, then passes it to the lo:1 interface for processing.


Depending on where you are, you are automatically routed to the closest server:

jemurray@pluto:~$ traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
1 l3-core-vl7.nts.example.com (10.50.1.46) 0.309 ms 0.338 ms 0.381 ms
2 anycast.ip.example.com (10.0.0.1) 0.202 ms 0.195 ms 0.180 ms


jemurray@paddington:~$ sudo traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 52 byte packets
1 nts-desk120-brook.nts.example.com (10.50.120.125) 0 ms 0 ms 0 ms
2 anycast.ip.example.com (10.0.0.1) 0 ms 0 ms 0 ms



The best things about this setup are:

1) If a server fails you automatically fail over to the next closest server. This way the client does not have to deal with DNS timeouts.
2) Depending on your location you are automatically routed to the closest server. This will help with DNS response time.
3) It is not that hard to set up.
4) Nothing special is needed on either the router or the server.

Setup HE IPv6 Tunnel in Ubuntu Linux

Script to build the tunnel:

jemurray@glock:/etc$ more /etc/init.d/he6tunnel.sh

#!/bin/bash

## Setup the Tunnel Dynamic IP
## Note: --no-check-certificate disables TLS verification of tunnelbroker.net, so this
## request (which carries the account credentials) is not protected against a spoofed
## endpoint; drop the flag once the CA bundle on the box validates the site.
/usr/bin/wget --no-check-certificate https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO\&pass=MY-MD5-PASSWORD-GOES-HERE\&user_id=MY-CUSTOMER-ID-GOES-HERE\&tunnel_id=41636

## Setup the Linux proto41 tunnel
/sbin/ifconfig sit0 up
/sbin/ifconfig sit0 inet6 tunnel ::209.51.181.2
/sbin/ifconfig sit1 up
/sbin/ifconfig sit1 inet6 add 2001:470:1f10:2cc::2/64
/sbin/route -A inet6 add ::/0 dev sit1

## Route the static block
/sbin/route -A inet6 add 2001:470:1f11:2cc::/64 dev eth0

## Setup first IP on eth0 interface
/sbin/ifconfig eth0 inet6 add 2001:470:1f11:2cc::1/64


Set up radvd to hand out IPv6 addresses to clients:

jemurray@glock:/etc$ cat /etc/radvd.conf
interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # prefix 2001:4978:268::/64 {
    prefix 2001:470:1f11:2cc::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
        AdvPreferredLifetime 20;
        AdvValidLifetime 30;
    };
    RDNSS 2001:470:1f11:2cc::1 {
        AdvRDNSSLifetime 20;
    };
};



Client:

jemurray@kimber:~ $ ifconfig en1
en1: flags=8863 mtu 1500
ether 00:1c:b3:ba:e3:f9
inet6 fe80::21c:b3ff:feba:e3f9%en1 prefixlen 64 scopeid 0x6
inet6 2001:470:1f11:2cc:21c:b3ff:feba:e3f9 prefixlen 64 autoconf
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
media: autoselect
status: active



jemurray@kimber:~ $ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:1f11:2cc:21c:b3ff:feba:e3f9 --> 2001:4860:b007::63
16 bytes from 2001:4860:b007::63, icmp_seq=0 hlim=56 time=135.405 ms
16 bytes from 2001:4860:b007::63, icmp_seq=1 hlim=56 time=33.788 ms
16 bytes from 2001:4860:b007::63, icmp_seq=2 hlim=56 time=33.910 ms
^C
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 33.788/67.701/135.405/47.874 ms


