HA Proxy Configuration - configuration

I would like to configure a reverse HAProxy for my server. I was checking the version of my HAProxy and I realised that it does not display the OpenSSL build info like other people's does. The missing portion is displayed below. I had OpenSSL installed, so which other steps did I miss out here?
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with OpenSSL version : OpenSSL 1.0.2p 14 Aug 2018
Running on OpenSSL version : OpenSSL 1.0.2p 14 Aug 2018
My display:
haproxy -vv
HA-Proxy version 1.8.13 2018/07/30
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS =
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with network namespace support.
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built without PCRE or PCRE2 support (using libc's regex instead)
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe

Apparently you are missing compile options:
USE_OPENSSL=1 SSL_INC=/path/to/ssl/include SSL_LIB=/path/to/ssl/lib
I compile with
make TARGET=linux2628 USE_OPENSSL=1 SSL_INC=/path/to/include SSL_LIB=/path/to/lib
and my Build options look like this
Build options :
TARGET = linxu2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS = USE_POLL=default USE_OPENSSL=1
If you see USE_OPENSSL=1, you should also see the missing lines about the OpenSSL version.

Related

Why are the binaries generated by using Meson / Ninja much larger than those compiled by plain valac?

Same source file.
Direct compile using valac.
⭕ valac --pkg gtk+-3.0 -X -lm --pkg libcanberra src/Application.vala
⭕ ls Application
-rwxrwxr-x 1 eexpss 48K 05-13 19:59 Application
here is part of my meson.build.
project('com.github.eexpress.cairo-timer', 'vala', 'c')
# i18n = import('i18n')
executable(
  meson.project_name(),
  'src/Application.vala',
  dependencies: [
    dependency('gtk+-3.0'),
    # dependency('cairo'),
    dependency('libcanberra')
  ],
  # link_args : '-X',
  # link_args : '-lm',
  link_args : ['-X', '-lm',],
  install: true
)
and use ninja to compile it.
⭕ cd build; ninja
⭕ ls com.github.eexpress.cairo-timer
-rwxrwxr-x 1 eexpss 98K 05-13 17:02 com.github.eexpress.cairo-timer
So the binary file is much larger than the one above. Why?
Because you didn't enable debugging for valac, but meson enables it by default. Add -g to valac and the output size should be close to equal.
To see how ninja and valac run the tools to build, enable the verbose option by giving -v to both commands.
The minor size differences are, I assume, from the file names in them. Compare the outputs, for example from readelf --debug-dump=line hello, to see the diff.

cf-cli keeps asking me to login even if I've done so

I'm trying to copy an image from Dockerhub to Bluemix registry by following the doc at https://new-console.eu-gb.bluemix.net/docs/containers/container_images_copying.html
I installed cf-cli and the IBM-Containers plugins on my Mac (OSX 10.11.6):
$ cf --version
cf version 6.21.0+dff2cf8-2016-07-27
$ cf plugins
Listing Installed Plugins...
OK
Plugin Name Version Command Name Command Help
IBM-Containers 0.8.897 ic IBM Containers plug-in
I've logged into my account:
$ cf login -a api.eu-gb.bluemix.net
API endpoint: api.eu-gb.bluemix.net
Email> andy@onthewings.net
Password>
Authenticating...
OK
Targeted org Haxe Foundation
Targeted space dev
API endpoint: https://api.eu-gb.bluemix.net (API version: 2.54.0)
User: andy@onthewings.net
Org: Haxe Foundation
Space: dev
$ cf ic login -a api.eu-gb.bluemix.net
$ cf ic info
Date/Time : 2016-08-22 08:43:39.352117576 +0800 HKT
Debug Mode : false
Host/URL : https://containers-api.eu-gb.bluemix.net
Registry Host : registry.eu-gb.bluemix.net
Bluemix API Host/URL : https://api.eu-gb.bluemix.net
Bluemix Org : Haxe Foundation(4a6547eb-37ae-4f41-9e7e-dcba87c99147)
Bluemix Space : dev(45d9dba9-068b-4918-82ff-1c2210a03dbc)
CLI Version : 0.8.897
However, when I try to copy an image, or to list the existing images, there is an error:
$ cf ic cpi gitlab/gitlab-ce:8.10.7-ce.0 registry.eu-gb.bluemix.net/gitlab-ce:8.10.7-ce.0
FAILED
The IBM Containers CLI must be initialized. Run "cf ic init" to initialize it.
$ cf ic images
FAILED
The IBM Containers CLI must be initialized. Run "cf ic init" to initialize it.
Any idea?
Oh, it turns out I have to create a container registry namespace first. It can be done by trying to create a container in the web console. Select an existing image, say ibmliberty, and it will ask you to create a namespace for the current organisation.
After the namespace is created, run cf ic init, then the other commands will succeed as expected.

ECC Certificates not working in Chrome?

I'm attempting to configure HAProxy to serve an RSA or ECC certificate depending on the client's browser. I am initially trying to get ECC certificates configured, and I noticed that the latest version of Chrome does not support them. Wondering if anyone else is having this problem? I am using OS X 10.11.4 with the following versions:
Chrome (50.0.2661.94) (64-bit) [doesn't work]
Firefox (46.0) (64-bit) [works]
Safari (9.1 11601.5.17.1) (64-bit) [works]
cURL (7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5) [works]
The cURL command I call is curl --ciphers ecdhe_ecdsa_aes_128_sha --ssl --head --tlsv1.2 https://<url> and it returns 200 OK.
And I am using Ubuntu Xenial 16.04 LTS on the server side with the following versions:
[root@haproxy-server]: /etc/haproxy # haproxy -vv
HA-Proxy version 1.6.4 2016/03/13
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Here's the screenshot of the exact problem: http://imgur.com/wlmQbIi
Here's the screenshot of the same website with Safari: http://imgur.com/FEwmmj9
And finally, my haproxy.cfg file:
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
chroot /var/lib/haproxy
daemon
stats socket /run/haproxy/admin.sock level admin
maxconn 15000
spread-checks 5
tune.ssl.default-dh-param 2048
tune.ssl.maxrecord 1400
tune.idletimer 1000
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
log global
mode http
retries 3
balance roundrobin
hash-type map-based
option httplog
option dontlognull
option forwardfor
option http-server-close
option redispatch
option abortonclose
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 30s
timeout http-keep-alive 10s
timeout check 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-frontend
bind *:80 accept-proxy
reqadd X-Forwarded-Proto:\ http
use_backend %[req.hdr(host),lower,map_sub(/etc/haproxy/backend.map,test-backend)]
frontend https-frontend
bind *:443 accept-proxy ssl crt /etc/ssl/pem/ecc alpn http/1.1
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc\ %[ssl_fc_sni]\ %[ssl_fc_npn]
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubdomains;\ preload
rspadd X-Frame-Options:\ DENY
reqadd X-Forwarded-Proto:\ https
use_backend %[req.hdr(host),lower,map_sub(/etc/haproxy/backend.map,test-backend)]
backend test-backend
balance leastconn
redirect scheme https code 301 if !{ ssl_fc }
server test-server 10.10.10.40:80 check
I know this post is not in the right section of StackExchange (sorry!) but I wanted to post a potential solution. I think the problem is the elliptic curve support in Chrome vs. Firefox vs. Safari. From the SSLLabs website:
Safari 9 / OS X 10.11: secp256r1, secp384r1, secp521r1
Firefox 44 / OS X: secp256r1, secp384r1, secp521r1
Chrome 48 / OS X: secp256r1, secp384r1
The problem is the private key for the ECC certificate I was testing was generated with secp521r1 (http://imgur.com/dbrJQuW), which the latest version of Chrome on OS X 10.11 doesn't support.
See this issue: https://security.stackexchange.com/questions/100991/why-is-secp521r1-no-longer-supported-in-chrome-others
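A quick way to catch this before a browser does, added here as an example (not code from the original post): the PEM "EC PARAMETERS" block that openssl ecparam -genkey writes is just a DER OBJECT IDENTIFIER naming the curve, so decoding that OID and comparing it with the curve table above is enough to flag a secp521r1 key. The sample block is constructed; the browser table is the one quoted in the answer.

```python
"""Report the named curve of an EC key and which browsers in the table reject it.

Usage: python3 eccurve.py server.key
"""
import base64
import re
import sys

CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "secp256r1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

# Curve support per browser, as listed in the answer (SSL Labs data).
BROWSER_CURVES = {
    "Chrome 48 / OS X": {"secp256r1", "secp384r1"},
    "Firefox 44 / OS X": {"secp256r1", "secp384r1", "secp521r1"},
    "Safari 9 / OS X 10.11": {"secp256r1", "secp384r1", "secp521r1"},
}


def decode_oid(der):
    """Decode a single DER-encoded OBJECT IDENTIFIER into dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a single DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]   # first byte packs the first two arcs
    value = 0
    for b in body[1:]:                     # base-128 digits, high bit = more to come
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def curve_from_pem(pem_text):
    """Return the named curve from the EC PARAMETERS block of a PEM file."""
    m = re.search(r"-----BEGIN EC PARAMETERS-----(.*?)-----END EC PARAMETERS-----",
                  pem_text, re.DOTALL)
    if not m:
        raise ValueError("no EC PARAMETERS block in input")
    oid = decode_oid(base64.b64decode("".join(m.group(1).split())))
    return CURVE_OIDS.get(oid, "unknown OID " + oid)


def browsers_rejecting(curve):
    """Browsers from the table that cannot negotiate this curve."""
    return sorted(b for b, ok in BROWSER_CURVES.items() if curve not in ok)


# Constructed sample: the parameters block of a secp521r1 key, as in the question.
SAMPLE_SECP521R1 = "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIw==\n-----END EC PARAMETERS-----\n"

if __name__ == "__main__":
    curve = curve_from_pem(open(sys.argv[1]).read())
    print(curve, "rejected by:", browsers_rejecting(curve) or "none")
```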
It seems that only the following two cipher suites are supported by your web server:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
I suppose that missing some cipher suites (at least TLS_RSA_WITH_AES_128_CBC_SHA) is the reason for your problem.
The cipher suite TLS_RSA_WITH_AES_128_CBC_SHA must be supported in TLS 1.2 (see section 9, Mandatory Cipher Suites, of RFC 5246). In the same way, I would recommend you to look forward and to include the protocols
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
and the suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
are strongly recommended too. See the TLS 1.3 specification. You use the Nginx web server, which should support TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, which are very good because of the combination of security and performance. I'd recommend you to include all the cipher suites.
I'd additionally recommend you to use, or at least to examine carefully, the recommended Nginx settings for modern or intermediate web browsers from the Mozilla SSL Configuration Generator. You can read more about the suites here.

Using Openssl S_server to test chrome HTTPS

I wrote an HTTPS server with OpenSSL. When using Chrome to connect to the server, it gets ERR_CONNECTION_REFUSED. But when using Firefox to connect to the server, it works fine.
I followed the site http://blog.jorisvisscher.com/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
The result is the same.
How can I solve it?
Thanks for reading this Q!
Your Chrome probably refused the connection because it was insecure (here Firefox Developer Edition also refused). By default, openssl uses weak DH parameters and unsupported protocols (like SSLv3); you should add additional options to secure your server.
First, generate stronger DH params:
openssl dhparam -out dhparam.pem 2048
Use at least 2048; the bigger, the better (I usually use 4096). Then run your server with this command instead:
openssl s_server -key key.pem -cert cert.pem -accept 44330 \
-no_ssl3 -dhparam dhparam.pem -www
Be aware that SSLv2 is also in the process of being deprecated (PCI compliance will fail for SSLv2 by the middle of this year), and there are also several ciphers that are insecure.
If you'd like a really strong dhparam, consider installing a service for generating more entropy, like haveged (before generating dhparams):
apt-get install haveged

LiveReload Chrome Extension unable to connect to Guard server on Ubuntu 13.04 64bit

I have installed the necessary gems as follows:
~/Desktop/html5$ gem list
bundle (0.0.1)
bundler (1.3.5)
coderay (1.0.9)
em-websocket (0.5.0)
eventmachine (1.0.3)
ffi (1.8.1)
formatador (0.2.4)
guard (1.8.0)
guard-livereload (1.4.0)
guard-sass (1.2.0)
This is what my Guardfile looks like:
~/Desktop/html5$ more Guardfile
# A sample Guardfile
# More info at https://github.com/guard/guard#readme
guard 'livereload' do
watch(%r{.+\.(css|js|html)$})
end
This is what I get when I run: bundle exec guard
~/Desktop/html5$ bundle exec guard
12:05:56 - INFO - Guard uses NotifySend to send notifications.
12:05:56 - INFO - Guard uses TerminalTitle to send notifications.
12:05:56 - INFO - LiveReload is waiting for a browser to connect.
12:05:56 - INFO - Guard is now watching at '/home/praveen/Desktop/html5'
[1] guard(main)>
To make sure the Guard server is running, this is what I get when telnetting:
:~/Desktop/html5$ telnet 127.0.0.1 35729
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
When I make changes to the index.html in the monitored directory, this is what I get at the guard prompt:
13:36:20 - INFO - Browser connected.
13:36:25 - INFO - Reloading browser: index.html
13:36:34 - INFO - Reloading browser: index.html
[1] guard(main)>
I have installed the Chrome LiveReload plugin and given it file reading permission, but when I click it, it doesn't change and thus does not reload the code change to any HTML or CSS in /home/praveen/Desktop/html5. Please let me know what can be done.
Praveen
After struggling for 2 days, this is the method that I figured out works without hassle on Ubuntu 13.04; it has thus made my workflow seamless:
Install LiveReload through Python and cd to the directory that needs to be watched for changes:
curl -O https://raw.github.com/pypa/pip/master/contrib/get-pip.py | python
pip install livereload
sudo apt-get install python-pip
pip install livereload
cd FolderToBeMonitored/
Create a file called Guardfile with the following contents to monitor for all changes to HTML and CSS files:
Desktop/html5$ more Guardfile
#!/usr/bin/env python
from livereload.task import Task
Task.add('*.css')
Task.add('*.html')
Task.add('css/*.css')
praveen@praveen-XPS-L412Z:~/Desktop/html5$
Once the above is done, start LiveReload with the command below:
livereload -b
Please note that LiveReload uses 35729 as the default port, but if it needs to be changed to 1717, use
livereload -p 1717 -b
The default HTML file will launch automatically in the default browser, no need to install any buggy Chrome extensions. To launch a particular file, use the appropriate URL of the format below:
http://127.0.0.1:35729/test.html
I prefer this way to the Ruby gem installation followed by the Chrome extension that needs to connect to the port; I spent 2 days on this issue and it never worked until figuring out the above methodology, which works without any Chrome plugins.
I managed to make it work using this as the Guardfile.
I have Ubuntu 13.04 Raring Ringtail.
# This will concatenate the javascript files specified in :files to public/js/all.js
guard :concat, type: "js", files: %w(), input_dir: "public/js", output: "public/js/all"
guard :concat, type: "css", files: %w(), input_dir: "public/css", output: "public/css/all"
guard 'livereload' do
watch(%r{/.+\.(css|html|js)$})
end
guard 'sass', :input => 'sass', :output => 'css'
The output is this in the terminal:
dany@dany:/var/www/tucan$ guard
21:07:04 - INFO - Guard is using NotifySend to send notifications.
21:07:04 - INFO - Guard is using TerminalTitle to send notifications.
21:07:04 - INFO - LiveReload is waiting for a browser to connect.
21:07:04 - INFO - Guard is now watching at '/var/www/tucan'
[1] guard(main)> 21:07:23 - INFO - Browser connected.
21:07:23 - INFO - Browser connected.
Hope this helps someone