modify a RequestURI with nginx

Posted on 21. January 2013 by Marcus Pauli

Sometimes it is necessary to modify the RequestURI, to strip some GET-pairs. Here is a way how this could be done using nginx. Though we all know that if is evil, it’s sometimes quite handy.

# the »Evil Facebook-Like-Hack.«
location / {
  # initialize variables with empty values
  set $01 "";set $02 "";set $03 "";set $04 "";
  set $05 "";set $06 "";set $07 "";set $08 "";

  # if GET key exists, copy its value
  if ($arg_productName) { set $01 productName=$arg_productName;}
  if ($arg_linkId) { set $02 linkId=$arg_linkId;}
  if ($arg_target) { set $03 target=$arg_target;}
  if ($arg_id) { set $04 id=$arg_id;}
  if ($arg_linkValue) { set $05 linkValue=$arg_linkValue;}
  if ($arg_groupId) { set $06 groupId=$arg_groupId;}
  if ($arg_articleId) { set $07 articleId=$arg_articleId;}
  if ($arg_version) { set $08 version=$arg_version;}

  # if a GET-key has fb_ in its name then do the funky URL-magic.
  if ($args ~* fb_ ) {
    # clear the GET-array so that the URI has no GET-pairs
    set $args "";
    # rewrite the given URL and add the GET-pairs we create above
    rewrite ^ $scheme://$host$uri?$01$02$03$04$05$06$07$08 break;
  }
}

The only drawback is that the URL we receive contains at least a ? for a case when none of the given keys exists – but that’s a minor thing I’d say.

Posted in Linux, Webserver | Tagged , | Leave a comment

find out if your Nginx is really serving the right hosts

Posted on 30. June 2012 by Marcus Pauli

Quite I while ago, I posted an article on how to find out whether Apache is still serving the hosts it is configured for. This time, I will show the bash code for doing the same but with nginx.

for entry in $(grep -h server_name _config/nginx/* | sed -e 's/server_name//g' -e 's/;//g' -e 's/#.*$//g' -e 's/_//g' );do echo -n $(nslookup "$entry" | grep -A1 Name | grep Address | awk '{print $2}');echo " $entry";done
Posted in howto, Linux, Webserver | Tagged , , , , , , , , , , | Leave a comment

Gentoo ebuild: Nginx With Support For Upstream Fair Proxy Load Balancer And HTTP-Auth against LDAP

Posted on 23. April 2012 by Marcus Pauli

In a previous article we already presented a modified nginx ebuild containing support for gnosek’s Upstream Fair Proxy Load Balancer. Now, we wanted to have HTTP-Auth against a LDAP server. So we crawled the almighty internet and stumbled over nginx-auth-ldap. Therefore, we updated our last ebuild and extended it with this plugin.

As documentation there is only a small config example. However, anyone who already is  familiar with HTTP-Auth against LDAP with Apache and/or Lighttpd will find this extension pretty straight-forward.

Here you can have a look at the ebuild and there is the SVN checkout path.

The new USE flag is called auth_ldap, gnosek’s plugin can be used with upstream_fair. Add them to your NGINX_MODULES_HTTP in /etc/make.conf

Have a lot of fun!

Posted in howto, Linux, Software, Webserver | Tagged , , , , , , , , | Leave a comment

Gentoo ebuild: Nginx With Support For Upstream Fair Proxy Load Balancer

Posted on 10. January 2012 by Marcus Pauli

Nginx is a powerful web server and therefore our choice. Unfortunately, the Gentoo ebuild is missing one essential extension: a load balancer that is querying the servers not via round robin but by their current load. Therefore, we had to extend the default ebuild to support gnosek’s upstream_fair module.

How to use this ebuild:

  1. download the ebuild (currently, we only have one for nginx 1.1.12)
  2. place it anywhere portage has access to (i.e. rough: /usr/portage/www-servers/nginx/)
  3. run ebuild nginx-1.1.12-r2.ebuild digest
  4. add upstream_fair to NGINX_MODULES_HTTP in /etc/make.conf
  5. add your keywords to /etc/portage/package.keywords
  6. emerge nginx
  7. done.
Posted in howto, Linux, Software, Webserver | Tagged , , , , , , , , | 1 Comment

dovecot: remove maildirs

Posted on 17. November 2011 by Marcus Pauli

We are running dovecot as MDA. Dovecot gets its user details from OpenLDAP and adds new users automatically.  But removing a user in LDAP does not mean it gets removed in Dovecot as well. To have this a little bit more comfortable, I created this little script here:

#!/bin/bash

MAILDIR="/mails"
LDAP_HOST="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock"
LDAP_BIND_USER="cn=Manager,dc=example,dc=com"
LDAP_BIND_PASS="password"
LDAP_BASE_DN="ou=People,dc=example,dc=com"

  for DOMAINDIR in $MAILDIR/*;do
    if [ -d $DOMAINDIR ];then
      DOMAIN=$(echo $DOMAINDIR | sed 's/// /g' | awk '{print $4}')
      for USERDIR in $DOMAINDIR/*;do
        if [ -d $USERDIR ];then
          USER=$(echo $USERDIR | sed 's/// /g' | awk '{print $5}')
          MAIL="$USER@$DOMAIN"
          EXISTS=$(ldapsearch -H $LDAP_HOST -D $LDAP_BIND_USER 
                     -w $LDAP_BIND_PASS -x -b $LDAP_BASE_DN 
                     mail=$MAIL mail | grep -c dn:)
          if [ "$EXISTS" == "0" ];then
            echo "$MAIL is obsolete."
            echo -n "Removing userdir..."
            rm -rf $USERDIR
            echo " done."
          fi
        fi
      done
    fi
done

What the script does is to crawl every subdirectory of MAILDIR. This is where we receive the domain names through a sed/awk-combination. For every domain name we crawl its userbase. A similar sed/awk-combination is being used to receive the user names. Then we create an eMail address out of the two retrieved bits of information.  Now we are ready to check this mail address against the LDAP. If we receive a negative answer (address is not found and therefore no “dn”), we can be sure the eMail account has been removed. Finally, we remove the mail directory of the non-existing user.

The script itself should be handed over to the cron, I’d say.

Here is the download for the lazy.

Posted in howto, Linux, Mailserver | Tagged , , , , , , , , , , , , | Leave a comment

Locate all Apple serial numbers in a subnet

Posted on 11. November 2011 by Marcus Pauli

The command ioreg -l | grep IOPlatformSerialNumber will show you your Mac’s serial number. With this, you can find out when your Mac has been created if you enter this number to https://selfsolve.apple.com/agreementWarrantyDynamic.do

For a whole network of Macs, this can become very boring. However, there is a nice way to solve this task more conveniently. The following script is your little helper.

It needs two arguments: an IP range (i.e. 192.168.0) and an user that is allowed to log into every Mac. Of course it would be great if every Mac would have your public key already in its authorized_keys file.

You will need nmap installed for we need it to check whether port 22 is opened.

What the script does is to check every IP from IP-range.1 to IP-range.254 if port 22 is opened. If so, we try to log in and to run the ioreg command. The output is grep’d and awk’d so that we receive nothing but the serial number. If we have the serial, we add this together with the host’s IP to a file.

#!/bin/bash
if [ "$#" == "2" ] ; then
  _IP_RANGE=$1
  _SSH_USER=$2
else
  echo "usage $0 IP-range ssh-user";
  echo "IP-range should be of format xxx.yyy.zzz (no trailing .)"
  echo "ssh-user must exist on every accessible host"
  exit 1;
fi

_I=0

while [ $_I -lt 254 ]; do
  ((_I++))
  currentip="$_IP_RANGE.$_I"
  if [ $(nmap $currentip -p22 | grep -c open ) -eq 1 ]; then
    ssh-keyscan $currentip 2>/dev/null 1>> ~/.ssh/known_hosts
    currentserial=$(ssh $_SSH_USER@$currentip ioreg -l | grep 
                     IOPlatformSerialNumber | awk '{print $4}')
    if [ $currentserial ];then
      echo "$currentip $currentserial" >> $_IP_RANGE.txt
    fi
  fi
done
Posted in howto, Software | Tagged , , , , , , , , , , , , | Leave a comment

SVN: search all repositories for file

Posted on 29. September 2011 by Marcus Pauli

Say you have shell access to the SVN server of you desire which contains like a million repos. Say you are looking for a file but don’t know where it is, you can do the following:

myfile="FILE.NAME"; for dir in /var/svn/*; do echo -n "$dir"; 
svn list -R file:///$dir | grep -i $myfile;echo "... done"; done

At first, you tell which string to look for. »svn list -R file:///$dir« gives us a listing of al files in the current repository, the file is being found via case-insensitive search by grepping the output. And first but not least, we are performing this for every directory (==repository) of »/var/svn«. The echos around are just to make it fancy. :)

(via stackoverflow)

Posted in howto, Linux, Verschiedenes | Tagged | Leave a comment

sslh: let https,ssh and openvpn share a single port

Posted on 2. September 2011 by Marcus Pauli

Introduction

Maybe you know the situation: You successfully logged in to a corporate network and somehow you can’t reach your server. You check all possibilities and realize that some of the ports you desperately need to manage your daily life have been blocked. And mostly this happens when you have to have shell access.

The first thing you think of is to set up OpenVPN. Unfortunately, the default port 1194 is blocked for UDP and TCP. So having a normal OpenVPN is not an option.

Port 80 and 443 are accessible, but you already have services running there.

Wouldn’t it be absolutely great to be able to share one of these ports, to have two or three services listening on a single port? Indeed.

This is possible: sslh is an easy-to-configure and small tool which is doing exactly what we want. (Fantastic, isn’t it?)

Configuration

sshl has been packaged for Debian, gentoo and FreeBSD. I will show you the gentoo-way.

1. install your favourite webserver and configure it to listen on localhost:443
2. install OpenVPN an let it run in TCP mode on localhost:1194
3. set up OpenSSH to listen to localhost:22
4. install sslh:

emerge sslh

edit /etc/conf.d/sslh to look like this (replace the x-es with your IP)

OPTIONS="--listen xxx.xxx.xxx.xxx:443 --ssl localhost:443 
 --ssh localhost:22 --openvpn localhost:1194"

restart your services (if necessary), start sslh and add it to your default runlevel:

/etc/init.d/sslh start
rc-update add sslh default

That’s all. Really. :)

 


Posted in howto, Linux, Software | Tagged , , , , , , | Leave a comment

If Your Squirrel Won't Keep The House Clean

Posted on 25. July 2011 by Marcus Pauli

There are not many usable open source webmailer. We are running two: Squirrelmail and Roundcube. Besides that this can be really annoying when it comes to server-side filtering, this offers lots of benefits to our users. Some like it simple and rough – these tend to Squirrelmail -, others like it more stylish – these usually choose Roundcube and its fancy AJAX interface.

However, the Squirrelmail – or at least our version which is 1.4.18 – doesn’t clean its data directory by itself. In this directory you can find user preferences and uploaded attachments. Obviously, we don’t want to remove any user’s settings but the already sent attachments.

Luckily, an attachment file gets a new name: a hash. Whereas user settings contain two very important characters: . and _

This makes it very easy for us to set up a cron job which removes an uploaded file that is older than 7 days (just to be sure)

And this is how we do it:

crontab -e

add this line

@daily find /YOUR/PATH/TO/SQUIRRELMAIL'S/DATA/DIRECTORY -type f 
-not ( -iname '*.*' -o -iname '*_*' ) -mtime +7 -exec rm -f {} ;

save, exit and you’re done. :)

This will set up a daily cron job (usually running at 3.00 am) that scans a given directory recursively for files (-type f) which don’t contain a dot or an underscore (-not ( -iname ‘*.*’ -o -iname ‘*_*’ )) and have been last modified at least 7 days ago (-mtime +7) and finally deletes them (-exec rm -f {} ;)

Posted in howto, Linux, Mailserver | Tagged , , , , , , | Leave a comment

Howto split a SQL database dump into table-wise files

Posted on 12. July 2011 by Marcus Pauli

sql files containing a single database

Splitting a sql file containing a whole database into per-table files is quite easy:

  1. Grep the .sql for any occurence of DROP TABLE.
  2. Generate the file name from the table name that is included in the DROP TABLE statement.
  3. Echo the output to a file.

Here is a little script that expects a .sql file as input:

#!/bin/bash

file=$1 # the input file
directory="$file-splitted" # the output directory
output="$directory/header" # the first file containing the header
GREP="DROP TABLE" # what we are looking for

mkdir $directory # create the output directory

while read line
do
   # if the current line contains the wanted statement
   if [ $(echo "$line" | grep -c "$GREP") == "1" ]
   then
      # extract the file name
      myfile=$(echo $line | awk '{print $5}' | sed -e 's/`//g' -e 's/;//g')
      # set the new file name
      output="$directory/$myfile"
   fi
       echo "$line" >> $output # write to file
done < $file

Here you can download the script if you don’t want to copy & paste.

[UPDATE] sql files containing multiple databases

Stephan Schier [thanks a lot] extended the script in a way that it’s working with complete MySQL snapshots:

#!/bin/bash

file=$1 # the input file
directory="$file-splitted" # the output directory
output="$directory/__header" # the first file containing the header
GREPTABLE="DROP TABLE" # the string we are looking for to find a new table
GREPDB="Current Database: " # the string we are looking for to find a new database

mkdir $directory # create the output directory
while read line
do
  # if the current line contains the wanted DB
  if [ $(echo "$line" | grep -c "$GREPDB") == "1" ]
    then
    # extract database name
    mydb=$(echo $line | awk '{print $4}' | sed -e 's/`//g')
    # create db directory
    mkdir $directory/$mydb
    # set the new header file name
    output="$directory/$mydb/__header"
  elif [ $(echo "$line" | grep -c "$GREPTABLE") == "1" ]
  then
    # extract the file name
    myfile=$(echo $line | awk '{print $5}' | sed -e 's/`//g' -e 's/;//g')
    # set the new file name
    if [ -z "$mydb" ]
    then
      output="$directory/$myfile"
    else
      output="$directory/$mydb/$myfile"
    fi
  fi
  echo "$line" >> $output # write to file
done < $file

Here you can download the updated script if you don’t want to copy & paste.

 

 

Posted in howto, Linux | Tagged , , , , , , , , , , | 2 Comments