How to Fix NGINX error “Failed to read PID from file”
trichevio

It seems to be a race between systemd and nginx. As if systemd was expecting the PID file to be populated before nginx had the time to create it.

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx

 
Link: http://alfredoroca.github.io/nginx/2016/09/04/How-to-solve-failure-read-of-nginx-pid-file

Originally published at trichev.com/blog. You can comment here or there.


PostgreSQL upgrade on Red Hat 7
trichevio

Installation
Following instructions from here https://www.postgresql.org/download/linux/redhat/:
Select version: 9.6 (I needed 9.6 because of my specific product requirements)
Select platform: RHEL7
Install the repository RPM: yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm

yum install postgresql96 postgresql96-server postgresql96-libs postgresql96-contrib
/usr/pgsql-9.6/bin/postgresql96-setup initdb

My previous PostgreSQL was 9.2 and it was installed from the RHEL repo, so all directories and configs are standard.

Upgrade
This is important! You can’t use pg_upgrade in this particular upgrade, because they *censored* changed “unix_socket_directory parameter” to “unix_socket_directories”. Check this out – https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343. Luckily there’s a workaround:

mv /usr/bin/pg_ctl{,-orig}
echo '#!/bin/bash' > /usr/bin/pg_ctl
echo '"$0"-orig "${@/unix_socket_directory/unix_socket_directories}"' >>  /usr/bin/pg_ctl
chmod +x /usr/bin/pg_ctl

Let’s stop the old PostgreSQL 9.2 service and disable it
systemctl stop postgresql
systemctl disable postgresql

Finally actual upgrade:

su - postgres
#with --check first
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/ --check
#if everything is ok, then
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/

Undo the “hack”:
mv -f /usr/bin/pg_ctl{-orig,}

systemctl enable postgresql-9.6
systemctl start postgresql-9.6
systemctl status postgresql-9.6

Let’s run this analyze_new_cluster.sh:

su - postgres
/var/lib/pgsql/analyze_new_cluster.sh

and also check DB version

psql -d 
SHOW server_version;
\q

 
Links:
https://www.postgresql.org/download/linux/redhat/
https://dba.stackexchange.com/questions/50135/pg-upgrade-unrecognized-configuration-parameter-unix-socket-directory
https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343
https://support.code42.com/Administrator/6/Planning_and_installing/PostgreSQL_upgrade_on_Red_Hat
http://www.uptimemadeeasy.com/databases/upgrade-postgresql/



Flood (web interface for rtorrent) on CentOS 7
trichevio

Install rTorrent
yum install rtorrent screen
adduser rtorrent

Configure rTorrent

vi /home/rtorrent/.rtorrent.rc
    # Where rTorrent saves the downloaded files
    directory = /srv/torrent/downloads

    # Where rTorrent saves the session
    session = /srv/torrent/.session

    # Which ports rTorrent can use (Make sure to open them in your router)
    port_range = 50000-50000
    port_random = no

    # Check the hash after the end of the download
    check_hash = yes

    # Enable DHT (for torrents without trackers)
    dht = auto
    dht_port = 6881
    peer_exchange = yes

    # Authorize UDP trackers
    use_udp_trackers = yes

    # Enable encryption when possible
    encryption = allow_incoming,try_outgoing,enable_retry

    # SCGI port, used to communicate with Flood
    scgi_port = 127.0.0.1:5000

mkdir /srv/torrent
mkdir /srv/torrent/downloads
mkdir /srv/torrent/.session
chmod 775 -R /srv/torrent
chown rtorrent:rtorrent -R /srv/torrent
chown rtorrent:rtorrent /home/rtorrent/.rtorrent.rc

vi /etc/systemd/system/rtorrent.service
    [Unit]
    Description=rTorrent
    After=network.target

    [Service]
    User=rtorrent
    Type=forking
    KillMode=none
    ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent
    ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent
    WorkingDirectory=%h

    [Install]
    WantedBy=default.target

systemctl enable rtorrent.service
systemctl start rtorrent

Install Flood
yum install gcc-c++ make curl git -y
curl -sL https://rpm.nodesource.com/setup_8.x | bash -
yum install -y nodejs

cd /srv/torrent
git clone https://github.com/jfurrow/flood.git
cd flood
cp config.template.js config.js

To access flood remotely
vi config.js
floodServerHost: '0.0.0.0'

npm install

If no error, continue with:

npm install -g node-gyp
npm run build

Start Flood
adduser flood
chown -R flood:flood /srv/torrent/flood/

vi /etc/systemd/system/flood.service
    [Service]
    WorkingDirectory=/srv/torrent/flood
    ExecStart=/usr/bin/npm start
    Restart=always
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=notell
    User=flood
    Group=flood
    Environment=NODE_ENV=production

    [Install]
    WantedBy=multi-user.target

systemctl enable flood
systemctl start flood

Flood should be available via http://IP:3000. You need to create a new user and you’re all set.

Links:
https://github.com/jfurrow/flood
https://freedif.org/flood-modern-web-ui-for-rtorrent
https://github.com/nodesource/distributions
https://wiki.archlinux.org/index.php/RTorrent
https://en.wikipedia.org/wiki/BitTorrent_protocol_encryption



Samba 3 as a Domain Member (CentOS 6+PBIS)
trichevio

Requirements

Supported Samba versions:
– Samba version 3.0.25 or later versions in the 3.0 series
– Samba 3.2.X
– Samba 3.4.X
– Samba 3.5.X

Winbind must be installed and running when you are using Samba version 3.0.25 or later versions in the 3.0 series.
If you are using Samba version 3.2.X or 3.5.X, Winbind is not required.

Samba package must support ADS security.
PowerBroker Identity Services relies on ADS security in a Samba and PowerBroker Identity Services configuration.
For more information, see: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Installation and configuration

https://github.com/BeyondTrust/pbis-open/releases

wget https://github.com/BeyondTrust/pbis-open/releases/download/8.6.0/pbis-open-8.6.0.427.linux.x86_64.rpm.sh
./pbis-open-8.6.0.427.linux.x86_64.rpm.sh install

/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes sub.domain.com domainjoinusername
/opt/pbis/bin/update-dns

/opt/pbis/bin/get-status

yum install samba-3.6.23

mv /etc/samba/smb.conf /etc/samba/smb.conf_bk

vi /etc/samba/smb.conf
[global]
        workgroup = SUB
        realm = SUB.DOMAIN.COM
        server string = %h server
        security = ADS
        map to guest = Bad User
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
;        syslog = 0
        log file = /var/log/samba/log.%m
;        max log size = 1000
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        dns proxy = No
;        wins server = 10.10.10.10
;        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
;        idmap config * : range = 10000-33554431
;        idmap config * : range = 3000-7999
;        idmap config * : backend = tdb
;        printing = bsd
;        print command = lpr -r -P'%p' %s
;        lpq command = lpq -P'%p'
;        lprm command = lprm -P'%p' %j
        machine password timeout = 0
;        log level = 5
;        debug pid = true

[share]
        path = /smb/share
        valid users = @adgroup
        force user = aduser
        force group = domain^users
        read only = No
        acl check permissions = No
        create mask = 0640
        directory mask = 0750
        browseable = No

/opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.23-46el6_9
Samba version supported

/opt/pbis/bin/samba-interop-install --install --loglevel verbose

service smb restart;service nmb restart;

Troubleshooting

Issue: The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)

Fix:
net getdomainsid
net setlocalsid S-1-2-34-5678901234-5678901234-5678901234-567

------------------------------------------------------------
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SUB
Joined 'SMBTEST01V' to dns domain 'sub.domain.com'
------------------------------------------------------------

Debug:
smbclient //10.10.10.11/share/ -U SUB/aduser
smbclient -L 10.10.10.11 -U SUB/aduser
/opt/pbis/bin/enum-users
pbis status
/opt/pbis/bin/domainjoin-cli query
/opt/pbis/bin/lwsm list
/opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
/opt/pbis/bin/lwsm set-log-level -p lsass - debug

“Troubleshooting PBIS-Samba Integration” from here https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf

Links:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://github.com/BeyondTrust/pbis-open/releases



Display SFP+ transceiver details on the Juniper switch (EX4600)
trichevio

To check the PIC media type and status for a particular FPC, use the show chassis fpc pic-status fpc-slot command.

To display PIC hardware information, including the media type description, use the show chassis hardware command.
show chassis fpc <pic-status <fpc-slot >>
show chassis hardware

show chassis fpc pic-status

Slot 0   Online       EX4600-40F
  PIC 0  Online       24x10G-4x40G
  PIC 1  Online       EX4600-EM-8F


show chassis pic fpc-slot 0 pic-slot 0

FPC slot 0, PIC slot 0 information:
  Type             24x10G-4x40G
  State            Online
  PIC version      3.22
  Uptime           111 days, 1 hours, 11 minutes, 11 seconds

PIC port information:
                         Fiber                    Xcvr vendor       Wave-    Xcvr
  Port Cable type        type  Xcvr vendor        part number       length   Firmware
  2    10GBASE LR        SM    FINISAR CORP.      FTLX1471D3BCL-J1  1310 nm  0.0
  6    GIGE 1000LX10     SM    FINISAR CORP.      FTLF1318P3BTL-J1  1310 nm  0.0
  24   40GBASE SR4       MM    AVAGO              AFBR-79EQDZ-JU1   n/a      0.0


Some additional optic info…
show interfaces diagnostics optics xe-0/0/1

Physical interface: xe-0/0/1
    Laser bias current                        :  42.276 mA
    Laser output power                        :  0.6990 mW / -1.56 dBm
    Module temperature                        :  38 degrees C / 100 degrees F
    Module voltage                            :  3.3150 V
    Receiver signal average optical power     :  0.0001 mW / -40.00 dBm
    Laser bias current high alarm             :  Off
    Laser bias current low alarm              :  Off
    Laser bias current high warning           :  Off
    Laser bias current low warning            :  Off
    Laser output power high alarm             :  Off
    Laser output power low alarm              :  Off
    Laser output power high warning           :  Off
    Laser output power low warning            :  Off
    Module temperature high alarm             :  Off
    Module temperature low alarm              :  Off
    Module temperature high warning           :  Off
    Module temperature low warning            :  Off
    Module voltage high alarm                 :  Off
    Module voltage low alarm                  :  Off
    Module voltage high warning               :  Off
    Module voltage low warning                :  Off
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  On
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  On
    Laser bias current high alarm threshold   :  85.000 mA
    Laser bias current low alarm threshold    :  15.000 mA
    Laser bias current high warning threshold :  80.000 mA
    Laser bias current low warning threshold  :  20.000 mA
    Laser output power high alarm threshold   :  1.5840 mW / 2.00 dBm
    Laser output power low alarm threshold    :  0.1580 mW / -8.01 dBm
    Laser output power high warning threshold :  1.2580 mW / 1.00 dBm
    Laser output power low warning threshold  :  0.1990 mW / -7.01 dBm
    Module temperature high alarm threshold   :  78 degrees C / 172 degrees F
    Module temperature low alarm threshold    :  -13 degrees C / 9 degrees F
    Module temperature high warning threshold :  73 degrees C / 163 degrees F
    Module temperature low warning threshold  :  -8 degrees C / 18 degrees F
    Module voltage high alarm threshold       :  3.700 V
    Module voltage low alarm threshold        :  2.900 V
    Module voltage high warning threshold     :  3.600 V
    Module voltage low warning threshold      :  3.000 V
    Laser rx power high alarm threshold       :  1.7783 mW / 2.50 dBm
    Laser rx power low alarm threshold        :  0.0100 mW / -20.00 dBm
    Laser rx power high warning threshold     :  1.5849 mW / 2.00 dBm
    Laser rx power low warning threshold      :  0.0158 mW / -18.01 dBm
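As an added example (not from the original post), here is a small Python parser for the "show interfaces diagnostics optics" output above; it extracts the measured values, lists the alarm flags the transceiver reports, and recomputes them from the module's own thresholds so that a reported alarm can be cross-checked against the numbers. SAMPLE is a constructed, trimmed copy of the output shown above with the same values.

```python
import re

# Constructed sample: a trimmed copy of the "show interfaces diagnostics optics"
# output shown above, with the same values, so the block runs offline.
SAMPLE = """Physical interface: xe-0/0/1
    Laser bias current                        :  42.276 mA
    Laser output power                        :  0.6990 mW / -1.56 dBm
    Module temperature                        :  38 degrees C / 100 degrees F
    Module voltage                            :  3.3150 V
    Receiver signal average optical power     :  0.0001 mW / -40.00 dBm
    Laser output power high alarm             :  Off
    Laser output power low alarm              :  Off
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  On
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  On
    Laser bias current high alarm threshold   :  85.000 mA
    Laser bias current low alarm threshold    :  15.000 mA
    Laser output power high alarm threshold   :  1.5840 mW / 2.00 dBm
    Laser output power low alarm threshold    :  0.1580 mW / -8.01 dBm
    Module temperature high alarm threshold   :  78 degrees C / 172 degrees F
    Module temperature low alarm threshold    :  -13 degrees C / 9 degrees F
    Module voltage high alarm threshold       :  3.700 V
    Module voltage low alarm threshold        :  2.900 V
    Laser rx power high alarm threshold       :  1.7783 mW / 2.50 dBm
    Laser rx power low alarm threshold        :  0.0100 mW / -20.00 dBm
    Laser rx power high warning threshold     :  1.5849 mW / 2.00 dBm
    Laser rx power low warning threshold      :  0.0158 mW / -18.01 dBm
"""

# Measured field -> the name prefix Junos uses for that field's thresholds.
THRESHOLD_PREFIX = {
    "Laser bias current": "Laser bias current",
    "Laser output power": "Laser output power",
    "Module temperature": "Module temperature",
    "Module voltage": "Module voltage",
    "Receiver signal average optical power": "Laser rx power",
}
NUMBER = re.compile(r"-?\d+(?:\.\d+)?")

def parse_optics(text):
    """Return {interface: {field: raw value}} from the CLI output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Physical interface:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            result[current][key.strip()] = value.strip()
    return result

def first_number(value):
    """Leading figure of a value such as '0.6990 mW / -1.56 dBm' (-> 0.699).
    Junos prints a measured value and its thresholds in the same unit, so
    the first figure is enough for a comparison."""
    match = NUMBER.search(value)
    return float(match.group()) if match else None

def reported_alarms(fields):
    """Alarm/warning flags the transceiver itself reports as On."""
    return sorted(name for name, value in fields.items()
                  if value == "On" and name.endswith((" alarm", " warning")))

def computed_alarms(fields):
    """Alarm/warning states recomputed from the measured values and the
    module's own thresholds, independent of the flags it reports."""
    hits = []
    for measured, prefix in THRESHOLD_PREFIX.items():
        if measured not in fields:
            continue
        value = first_number(fields[measured])
        for level in ("alarm", "warning"):
            low = fields.get(f"{prefix} low {level} threshold")
            high = fields.get(f"{prefix} high {level} threshold")
            if low is not None and value < first_number(low):
                hits.append(f"{prefix} low {level}")
            if high is not None and value > first_number(high):
                hits.append(f"{prefix} high {level}")
    return sorted(hits)

def audit(text):
    """Per interface: reported flags, recomputed flags, whether they agree."""
    report = {}
    for iface, fields in parse_optics(text).items():
        reported, computed = reported_alarms(fields), computed_alarms(fields)
        report[iface] = {"reported": reported, "computed": computed,
                         "consistent": reported == computed}
    return report

if __name__ == "__main__":
    for iface, info in audit(SAMPLE).items():
        print(iface, info)
```

For the sample above the receive power of -40 dBm sits below both the -20 dBm alarm and the -18 dBm warning threshold, so the recomputed flags match the two "On" flags the module reports; a mismatch would point at a stale DOM reading or a module that does not honour its own thresholds.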



Nginx with SSL as reverse proxy on CentOS 7
trichevio

FirewallD

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Nginx

yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

setsebool -P httpd_can_network_relay 1
setsebool -P httpd_can_network_connect 1

getsebool -a | grep -i http

HTTPS

mkdir -p /etc/ssl/nginx/drive.domain.com /etc/ssl/nginx/wiki.domain.com

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/drive.domain.com/dh4096.pem 4096

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/wiki.domain.com/dh4096.pem 4096


chown -R nginx:nginx /etc/ssl/nginx/
chmod 600 /etc/ssl/nginx/drive.domain.com/drive.domain.com.key
chmod 600 /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key
restorecon -Rv /etc/ssl/nginx/

Nginx configuration

vi /etc/nginx/nginx.conf
server {
    listen 80;
    return 301 https://$host$request_uri;
}

vi /etc/nginx/conf.d/wiki.domain.com.conf
server {

    listen 443 ssl;
    server_name wiki.domain.com www.wiki.domain.com;

    ssl_certificate /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/wiki.domain.com/dh4096.pem;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/wiki.domain.com.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.24:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://192.168.0.24:8080 https://wiki.domain.com;
    }
}

vi /etc/nginx/conf.d/drive.domain.com.conf
server {

    listen 443 ssl;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/drive.domain.com/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;


    access_log            /var/log/nginx/drive.domain.com.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.23:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://192.168.0.23:8080 https://drive.domain.com;
      }
}
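Added example, not part of the original post: a minimal nginx config linter in Python that parses server blocks and flags the TLS weaknesses a reviewer would look for in configs like the ones above (port 443 listened on without the ssl parameter or a legacy "ssl on", deprecated TLS versions, a missing Strict-Transport-Security header). The two server blocks in SAMPLE are constructed, shortened versions of the wiki and drive configs; the backend addresses are placeholders.

```python
import re

# Constructed sample: two shortened server blocks modelled on the wiki and
# drive configs above; the backend addresses are placeholders.
SAMPLE = r'''
server {
    listen 443;
    server_name wiki.domain.com www.wiki.domain.com;
    ssl_certificate     /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:!ADH:!NULL:!MD5:!3DES:!RC4";
    location / {
        proxy_set_header Host $host;
        proxy_pass http://192.0.2.24:8080;  # placeholder backend
    }
}
server {
    listen 443;
    server_name drive.domain.com www.drive.domain.com;
    ssl_certificate     /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    location / { proxy_pass http://192.0.2.23:8080; }
}
'''

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tokenize(text):
    """Split nginx config text into tokens. Comments are dropped first (this
    simple stripper assumes no '#' inside quoted values) and quoted strings,
    which may contain ';', are kept as one token."""
    return TOKEN.findall(re.sub(r"#[^\n]*", "", text))

def parse(tokens, pos=0):
    """Recursive-descent parse into a list of (args, body) entries; body is
    None for a simple directive and a nested entry list for a block."""
    entries, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":
            entries.append((args, None))
            args, pos = [], pos + 1
        elif tok == "{":
            body, pos = parse(tokens, pos + 1)
            entries.append((args, body))
            args = []
        elif tok == "}":
            return entries, pos + 1
        else:
            args.append(tok.strip("\"'"))
            pos += 1
    return entries, pos

def audit_server(body):
    """Findings for one server block, in check order."""
    d = {}
    for args, nested in body:
        if nested is None and args:
            d.setdefault(args[0], []).append(args[1:])
    name = d.get("server_name", [["?"]])[0][0]
    listens = d.get("listen", [])
    ssl_on = ["on"] in d.get("ssl", [])          # legacy 'ssl on;' form
    tls = ssl_on or any("ssl" in a for a in listens)
    plain_443 = [a for a in listens if a and a[0].endswith("443") and "ssl" not in a]
    findings = []
    if plain_443 and not ssl_on:
        findings.append("listen 443 without 'ssl' parameter: port 443 would be served in clear text")
    if tls and ("ssl_certificate" not in d or "ssl_certificate_key" not in d):
        findings.append("TLS enabled but certificate or key directive missing")
    for protos in d.get("ssl_protocols", []):
        weak = sorted(DEPRECATED & set(protos))
        if weak:
            findings.append("deprecated protocols enabled: " + " ".join(weak))
    headers = {a[0] for a in d.get("add_header", []) if a}
    if (tls or "ssl_certificate" in d) and "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header")
    return name, findings

def audit(text):
    """{first server_name: findings} for every server block in the text."""
    top, _ = parse(tokenize(text))
    return dict(audit_server(body) for args, body in top
                if body is not None and args[:1] == ["server"])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or ["ok"])
```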

Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/



Mediawiki on CentOS 7
trichevio

FirewallD

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

#yum install policycoreutils-python
yum install epel-release

Nginx

yum install nginx

systemctl enable nginx
systemctl start nginx

vi /etc/nginx/conf.d/wiki.domain.com.conf

server {
    listen 80;
    server_name wiki.domain.com www.wiki.domain.com;

    # For Lets Encrypt, this needs to be served via HTTP
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html; # Specify here where the challenge file is placed
    }

    # enforce https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name wiki.domain.com www.wiki.domain.com;

    ssl_certificate /etc/ssl/nginx/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com.key;

    # Example SSL/TLS configuration. Please read into the manual of
    # nginx before applying these.
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    root /usr/share/nginx/html/;

    #client_max_body_size 5m;
    client_max_body_size 100m;
    client_body_timeout 60;

    location / {
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?title=$1&$args;
    }

    location ^~ /maintenance/ {
        return 403;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice

    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        try_files $uri /index.php;
        expires max;
        log_not_found off;
    }

    location = /_.gif {
        expires max;
        empty_gif;
    }

    location ^~ /cache/ {
        deny all;
    }

    location /dumps {
        root /usr/share/nginx/html/local;
        autoindex on;
    }
}

systemctl restart nginx

PHP

yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install php-fpm php-cli php-gd php-xml php-intl texlive php-xcache php-pgsql php-mbstring php-json php-openssl pcre

php --version

vi /etc/php.ini
cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl enable php-fpm
systemctl start php-fpm

vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

HTTPS

mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096

PostgreSQL

yum install postgresql postgresql-server postgresql-contrib
postgresql-setup initdb
systemctl enable postgresql
systemctl start postgresql

vi /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
port = 5432

cat <<EOT > /var/lib/pgsql/data/pg_hba.conf
local all postgres trust
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
EOT

passwd postgres

su - postgres
psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'newpassword';"

createuser -S -D -R -P -E wikiuser #(then enter the password)
createdb -O wikiuser wikidb
exit

systemctl restart postgresql

semanage boolean -m --on httpd_can_network_connect_db

MediaWiki

wget https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.1.tar.gz
tar zxvf mediawiki-1.29.1.tar.gz
mv mediawiki-1.29.1/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/*
chmod -R 0755 /usr/share/nginx/html/*
chmod 600 /usr/share/nginx/html/LocalSettings.php

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html'
restorecon -Rv '/usr/share/nginx/html'

systemctl restart php-fpm nginx; systemctl status php-fpm nginx

https://wiki.domain.com:20002/mw-config/index.php?page=Name
Name of wiki: wiki
Project namespace: Project
User rights profile: Private wiki
Settings for object caching: PHP object caching (APC, APCu, XCache or WinCache)

PostgreSQL DB backup

pg_dump wikidb > wikidbdump2017_09_27.sql
pg_dumpall --globals > postgres_globals2017_09_27.sql

Issues

MediaWiki 1.29 internal error MediaWiki 1.29 requires at least PHP version 5.5.9, you are using PHP 5.4.16. Supported PHP versions Please consider upgrading your copy of PHP. PHP versions less than 5.5.0 are no longer supported by the PHP Group and will not receive security or bugfix updates. If for some reason you are unable to upgrade your PHP version, you will need to download an older version of MediaWiki from our website. See our compatibility page for details of which versions are compatible with prior versions of PHP. https://www.mediawiki.org/wiki/Compatibility#PHP

Links:
https://www.digitalocean.com/community/tutorials/how-to-install-mediawiki-on-centos-7
https://www.nginx.com/resources/wiki/start/topics/recipes/mediawiki/
https://www.rosehosting.com/blog/install-mediawiki-on-a-centos-7-vps/
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki



Juniper Junos OS EX 4300 Series Ethernet Switch Port Security
trichevio

Interface configuration
set switch-options interface ge-2/0/17.0 interface-mac-limit 1
set switch-options interface ge-2/0/17.0 interface-mac-limit packet-action drop-and-log
set switch-options interface ge-2/0/17.0 persistent-learning

Clear specific interface MAC database
run clear ethernet-switching table interface ge-2/0/17.0
delete switch-options interface ge-2/0/17.0

Troubleshooting and verification
show interfaces ge-2/0/17 detail
show ethernet-switching interface ge-2/0/17
show ethernet-switching interface ge-2/0/17.0 brief

show configuration switch-options interface ge-2/0/17.0

interface-mac-limit {
    3;
    packet-action drop-and-log;
}
persistent-learning;

show ethernet-switching table interface ge-2/0/17.0

MAC database for interface ge-2/0/17.0

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC)

Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching table | match "01:12:23:34:45:56"

vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0

show ethernet-switching table | match "ge-2/0/17.0"
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching interface ge-2/0/17.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control )

Logical             Vlan          TAG     MAC         STP               Logical              Tagging
interface           members               limit       state             interface flags
ge-2/0/17.0                               3                                AD,LH              untagged
                    vlan.110      110     65535       Forwarding                              untagged

show log messages | match ge-2/0/17

Link:
https://forums.juniper.net/t5/Ethernet-Switching/EX4300-Port-Security-MAC-Limiting-Allowed-MAC-amp-ELS/td-p/308978
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html
http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/verification/port-security-qfx-series-mac-limiting.html
http://forums.juniper.net/t5/Junos/Mac-Filtering-on-EX4200-JUNOS/td-p/48473
https://networkengineering.stackexchange.com/questions/19181/how-can-i-view-a-list-of-which-macs-an-interface-is-restricted-to-on-a-juniper-s



Owncloud 10.0 on CentOS 7
trichevio

FirewallD

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

MySQL(MariaDB)

yum install mariadb-server mariadb

systemctl enable mariadb
systemctl start mariadb

mysql_secure_installation

mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* to 'ownclouduser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit

PHP

yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm

#yum-config-manager --enable remi-php71
#yum --enablerepo=remi-php71 install php-fpm php-cli php-gd php-mcrypt php-mysql php-pear php-xml php-mbstring php-pdo php-json

vi /etc/yum.repos.d/remi-php71.repo
[remi-php71]
enabled=1

yum install php-fpm php-cli php-gd php-mcrypt php-mysqlnd php-pear php-xml php-mbstring php-pdo php-json php-pecl-zip php-intl

php --version

vi /etc/php.ini
cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl enable php-fpm
systemctl start php-fpm

HTTPS

mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096

Nginx

yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

vi /etc/nginx/conf.d/drive.domain.com.conf
upstream php-handler {
    #server 127.0.0.1:9000;
    # Depending on your used PHP version
    #server unix:/var/run/php5-fpm.sock;
    #server unix:/var/run/php7-fpm.sock;
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name drive.domain.com www.drive.domain.com;

    # For Lets Encrypt, this needs to be served via HTTP
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html; # Specify here where the challenge file is placed
    }

    # enforce https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate /etc/ssl/nginx/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com.key;

    # Example SSL/TLS configuration. Please read into the manual of
    # nginx before applying these.
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/html;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 16400M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    # Enabling gzip would also make your server vulnerable to BREACH
    # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        return 404;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off; #Available since NGINX 1.7.11
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "max-age=15778463";
        # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into this topic first.
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
        add_header Cache-Control "public, max-age=7200";
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

systemctl restart nginx

vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>
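
A quick way to check that the 404 rules in the config above actually cover the paths you care about (added example, not from the ownCloud docs or this post). It re-implements the two deny regexes and the exact-match locations in POSIX shell, so it runs anywhere; the function names are mine and the sample paths are constructed. The (?:...) groups are written as plain groups for grep -E, which matches the same strings. Note that with the host-meta rewrites left commented out, /.well-known/host-meta is caught by the dot rule and gets a 404, while the carddav/caldav exact-match locations still win over it:

```shell
#!/bin/sh
# Added example (not from the ownCloud docs or this post): emulate the 404
# rules of the nginx config above for a request path.
# "404"  = caught by one of the two deny rules
# "pass" = not caught; nginx goes on to the PHP/asset/catch-all locations
# Assumption: the (?:...) groups from the config are written as plain (...)
# groups, which POSIX ERE (grep -E) understands and which match the same strings.

oc_path_verdict() {
    path=$1
    # "location = ..." exact matches take precedence over regex locations,
    # which is why carddav/caldav stay reachable despite the leading dot.
    case $path in
        /robots.txt|/.well-known/carddav|/.well-known/caldav)
            echo pass; return 0 ;;
    esac
    # location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/
    if printf '%s\n' "$path" | grep -Eq '^/(build|tests|config|lib|3rdparty|templates|data)/'; then
        echo 404; return 0
    fi
    # location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)
    if printf '%s\n' "$path" | grep -Eq '^/(\.|autotest|occ|issue|indie|db_|console)'; then
        echo 404; return 0
    fi
    echo pass
}

# Constructed request paths (my sample, not from the page): the kind of
# URLs a vulnerability scanner or a curious user would poke at.
SAMPLE_PATHS='/index.php
/remote.php/dav
/core/css/styles.css
/config/config.php
/data/owncloud.db
/.htaccess
/.git/config
/occ
/console.php
/.well-known/carddav
/.well-known/host-meta'

report_all() {
    printf '%s\n' "$SAMPLE_PATHS" | while read -r p; do
        printf '%-26s %s\n' "$p" "$(oc_path_verdict "$p")"
    done
}

report_all
```

Run it after `systemctl restart nginx` and compare with the live server: every path the script marks 404 should also come back as 404 from a `curl -sI https://yourhost/<path>` request, otherwise the deny blocks are not in effect (typically because a later location or a different server block is matching first).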

ownCloud download and install

wget https://download.owncloud.org/community/owncloud-10.0.3.tar.bz2
tar jxvf owncloud-10.0.3.tar.bz2
mv owncloud/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/data'
restorecon '/usr/share/nginx/html/data'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/config'
restorecon '/usr/share/nginx/html/config'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/apps'
restorecon '/usr/share/nginx/html/apps'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/assets'
restorecon '/usr/share/nginx/html/assets'

chown -R nginx:nginx /var/lib/php/session

Caching

APCu

yum install php-devel
yum groupinstall "Development Tools"
pecl install apcu

cat <<EOF > /etc/php.d/20-apcu.ini
; APCu php extension
extension=apcu.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.local' => '\OC\Memcache\APCu',

Redis

yum install centos-release-scl-rh
yum install rh-redis32-redis

pecl install redis

chown -R redis:redis /var/run/redis/
semanage fcontext -a -t redis_var_run_t '/var/run/redis(/.*)?'
restorecon -Rv /run/redis/

vi /etc/opt/rh/rh-redis32/redis.conf
unixsocket /var/run/redis/redis.sock
unixsocketperm 700

systemctl start rh-redis32-redis
systemctl enable rh-redis32-redis

yum install net-tools
ps ax | grep redis
netstat -tlnp | grep redis
cat <<EOF > /etc/php.d/20-redis.ini
; Redis php extension
extension=redis.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => '/var/run/redis/redis.sock',
     'port' => 0,
],

usermod -a -G redis nginx
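
Whether nginx/php-fpm can actually use that socket depends on the socket's owner, group and unixsocketperm together with the group membership added by usermod: a mode of 700 grants nothing to the group, so the usermod step only takes effect once the mode includes group bits (770 is what the redis-group approach needs). This added example (my code, not from ownCloud or Redis) works the answer out from those values; the function names are mine, the group lists are constructed, and the live variant assumes GNU coreutils stat and Linux id:

```shell
#!/bin/sh
# Added example (my code, not from ownCloud or Redis): decide whether an
# account can open the Redis unix socket from the socket's owner, group and
# mode (unixsocket/unixsocketperm in redis.conf) and the account's groups.
# A client needs read AND write on the socket, i.e. the rw bits (6) of the
# triplet that applies to it. Pure POSIX permission arithmetic, no Redis needed.
# Usage: socket_access OWNER GROUP MODE USER "GROUP1 GROUP2 ..."  -> allowed|denied

socket_access() {
    owner=$1 group=$2 mode=$3 user=$4 user_groups=$5
    # accept 0770 as well as 770
    case $mode in ????) mode=${mode#?} ;; esac
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)          # owner triplet
    else
        digit=$(printf '%s' "$mode" | cut -c3)          # "other" triplet unless a group matches
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                digit=$(printf '%s' "$mode" | cut -c2)  # group triplet
                break
            fi
        done
    fi
    if [ $(( digit & 6 )) -eq 6 ]; then echo allowed; else echo denied; fi
}

# Live variant for a real socket (assumes GNU coreutils stat and Linux id).
socket_access_live() {
    sock=$1 user=$2
    info=$(stat -c '%U %G %a' "$sock") || return 2
    set -- $info
    socket_access "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}

# Values from the page: socket owned by redis:redis, unixsocketperm 700,
# nginx added to the redis group. The group lists are constructed.
socket_access redis redis 700 nginx "nginx redis"   # denied: 700 has no group bits
socket_access redis redis 770 nginx "nginx redis"   # allowed
socket_access redis redis 770 apache "apache"       # denied: not in the redis group
socket_access redis redis 700 redis "redis"         # allowed: owner
```

On the real box, `socket_access_live /var/run/redis/redis.sock nginx` after the restart tells you whether the php-fpm account (nginx here, per the chown and usermod steps) will get through; if it prints denied, ownCloud will not be able to reach its locking cache and the fix is the socket mode or the group membership, not SELinux.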

Additional SELinux configuration

setsebool -P daemons_enable_cluster_mode 1

semodule -l | grep my-redisserver
ausearch -c 'redis-server' --raw | audit2allow -M my-redisserver
semodule -i my-redisserver.pp
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -i my-nginx.pp

setsebool -P httpd_can_sendmail=1

systemctl restart php-fpm nginx; systemctl status php-fpm nginx

crontab -u nginx -e
*/15  *  *  *  * /usr/bin/php -f /usr/share/nginx/html/cron.php

yum install samba-client nfs-utils

Links:
https://www.howtoforge.com/tutorial/owncloud-centos-install/
https://tecadmin.net/install-owncloud-on-centos/
https://doc.owncloud.org/server/10.0/admin_manual
https://www.simplehelix.com/blog/uncategorized/installing-and-configuring-nginx-php-fpm-mariadb-on-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-centos-7
https://stackoverflow.com/questions/6628275/how-to-get-my-session-to-write-to-apache
https://github.com/owncloud/core/issues/25927#issuecomment-262703655
https://doc.owncloud.org/server/9.1/admin_manual/installation/selinux_configuration.html#troubleshooting
https://doc.owncloud.org/server/10.0/admin_manual/configuration/server/caching_configuration.html#redis-label
https://help.nextcloud.com/t/install-nextcloud-into-root-directory-of-my-domain/2513?page=2
https://github.com/nrk/predis/issues/277
https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_configuration.html#example-configurations



CentOS 6 as smarthost (sendmail)
trichevio

yum install mailx sendmail sendmail-cf -y

vi /etc/mail/sendmail.mc

dnl leading "dnl" removed from the two template lines, otherwise m4 treats them as comments
define(`SMART_HOST', `smtp.domain.com')dnl
MASQUERADE_AS(`domain.com')dnl

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

chkconfig sendmail on
service sendmail restart
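
The same edit done with sed, so it can be scripted and re-run safely (added example, not part of the original post). It assumes the stock CentOS sendmail.mc, where both lines ship commented out with a leading dnl, m4's comment token; the function names are mine and the two-line demo file is constructed, not a real sendmail.mc:

```shell
#!/bin/sh
# Added example (not from the original post): enable the smarthost
# directives in sendmail.mc with sed instead of editing by hand, then
# verify that they are active. Assumes the stock CentOS template lines,
# which are commented out with a leading "dnl"; the edit strips that
# prefix and fills in the relay host and the masquerade domain.
# Running it twice is harmless: once uncommented, the patterns no longer match.

enable_smarthost() {
    mc=$1 relay=$2 domain=$3
    sed \
        -e "s/^dnl define(\`SMART_HOST', \`[^']*')dnl/define(\`SMART_HOST', \`$relay')dnl/" \
        -e "s/^dnl MASQUERADE_AS(\`[^']*')dnl/MASQUERADE_AS(\`$domain')dnl/" \
        "$mc" > "$mc.new" && mv "$mc.new" "$mc"
}

# Returns 0 only if both directives are present and not commented out.
smarthost_configured() {
    grep -q "^define(\`SMART_HOST'" "$1" && grep -q '^MASQUERADE_AS(' "$1"
}

# Demo on a constructed copy of the two template lines (not a real sendmail.mc).
demo_mc=$(mktemp)
printf '%s\n' \
    "dnl define(\`SMART_HOST', \`smtp.your.provider')dnl" \
    "dnl MASQUERADE_AS(\`mydomain.com')dnl" > "$demo_mc"
enable_smarthost "$demo_mc" smtp.domain.com domain.com
cat "$demo_mc"
smarthost_configured "$demo_mc" && echo "smarthost active"
rm -f "$demo_mc"
```

Once it reports the directives active on /etc/mail/sendmail.mc, regenerate sendmail.cf with the m4 step above and restart sendmail; mail relayed through the smarthost will then carry the masqueraded domain in its envelope.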
