The version of find doesn't support the -newermt predicate

If your version of find doesn't support the -newermt predicate, you can use the -newer predicate. That predicate takes a file as its reference: instead of an absolute modification date, it compares against the modification date of that file. You can create "marker files" for this purpose, for example:

touch /tmp/mark.start -d "2016-11-22 10:00"
touch /tmp/mark.end -d "2016-11-23 23:00"

And then rewrite using the -newer predicate:

find /some/path -newer /tmp/mark.start ! -newer /tmp/mark.end

Finally, your tar won't work if the argument list is too long and xargs splits it across multiple executions, because each execution will recreate the tar file. Use the -T flag of tar instead of xargs:

find /some/path -print0 | tar acf out.tar.gz --null -T -

Another example. Find files newer than "start" and older than "end":

touch /tmp/mark.start -d "2016-02-16 00:00"
touch a -d "2016-02-15 00:01"
touch b -d "2016-02-16 00:01"
touch c -d "2016-02-17 00:00"
touch d -d "2016-02-18 00:00"
touch e -d "2016-02-19 00:01"
touch /tmp/mark.end -d "2016-02-19 00:00"

Command: find . -type f -newer /tmp/mark.start ! -newer /tmp/mark.end

Output:

-bash-3.2$ find . -type f -newer /tmp/mark.start ! -newer /tmp/mark.end
./d
./b
./c
-bash-3.2$
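The marker-file selection and the single-invocation tar from above, as an added example that is not part of the original post: the time window is passed as two timestamps, the marker files live in a throw-away directory so they never show up in the results, and the archive step reads the file list from stdin so it is written exactly once. It assumes GNU find, touch -d and tar; the sample directory mirrors the post's files a..e and is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: the marker-file technique from the text,
# wrapped in functions so the time window is passed as two GNU-style timestamps, plus a
# single-invocation tar using --null -T - so the archive is never recreated mid-run.
# Assumes GNU find, touch -d and tar (as on most Linux systems).
set -eu

# find_between DIR START END: list regular files under DIR whose mtime is after START
# and not after END, using temporary marker files instead of -newermt.
find_between() {
    dir=$1; start=$2; end=$3
    marks=$(mktemp -d)
    touch -d "$start" "$marks/mark.start"
    touch -d "$end" "$marks/mark.end"
    find "$dir" -type f -newer "$marks/mark.start" ! -newer "$marks/mark.end" | sort
    rm -rf "$marks"
}

# archive_between DIR START END OUT: same selection, archived into OUT (absolute path).
# find -print0 with tar --null keeps names with spaces or newlines intact, and -T -
# makes one tar read the whole list from stdin, however long it is.
archive_between() {
    dir=$1; start=$2; end=$3; out=$4
    marks=$(mktemp -d)
    touch -d "$start" "$marks/mark.start"
    touch -d "$end" "$marks/mark.end"
    ( cd "$dir" && find . -type f -newer "$marks/mark.start" ! -newer "$marks/mark.end" -print0 \
        | tar --null -T - -cf "$out" )
    rm -rf "$marks"
}

# make_sample_dir: constructed input mirroring the post's example (files a..e with
# mtimes from 2016-02-15 to 2016-02-19); prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    touch -d "2016-02-15 00:01" "$d/a"
    touch -d "2016-02-16 00:01" "$d/b"
    touch -d "2016-02-17 00:00" "$d/c"
    touch -d "2016-02-18 00:00" "$d/d"
    touch -d "2016-02-19 00:01" "$d/e"
    printf '%s\n' "$d"
}

# Usage: ./script.sh demo  -> lists b, c, d and the members of the resulting archive.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_dir)
    find_between "$sample" "2016-02-16 00:00" "2016-02-19 00:00"
    archive_between "$sample" "2016-02-16 00:00" "2016-02-19 00:00" "$sample.tar"
    tar -tf "$sample.tar"
fi
```

Note that ! -newer mark.end keeps a file whose mtime equals the end marker exactly, so the window is half-open only at the start; pick the end timestamp one second early if that matters.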

How to Use SSL Certificates with HAProxy

Overview

If your application makes use of SSL certificates, then some decisions need to be made about how to use them with a load balancer.

A simple setup of one server usually sees a client’s SSL connection being decrypted by the server receiving the request. Because a load balancer sits between a client and one or more servers, where the SSL connection is decrypted becomes a concern.

There are two main strategies.

SSL Termination is the practice of terminating/decrypting an SSL connection at the load balancer and sending unencrypted connections to the backend servers.

This means the load balancer is responsible for decrypting the SSL connection, a slow and CPU-intensive process relative to accepting non-SSL requests.

This is the opposite of SSL Pass-Through, which sends SSL connections directly to the proxied servers.

With SSL Pass-Through, the SSL connection is terminated at each proxied server, distributing the CPU load across those servers. However, you lose the ability to add or edit HTTP headers, as the connection is simply routed through the load balancer to the proxied servers.

This means your application servers lose the ability to receive the X-Forwarded-* headers, which may include the client's IP address, port and the scheme used.

Which strategy you choose is up to you and your application's needs. SSL Termination is the most typical I've seen, but pass-through is likely more secure.

There is a combination of the two strategies, where SSL connections are terminated at the load balancer, adjusted as needed, and then proxied to the backend servers as a new SSL connection. This may provide the best of both: security and the ability to pass on the client's information. The trade-off is more CPU power used all-around and a little more complexity in configuration.

HAProxy with SSL Termination

We’ll cover the most typical use case first – SSL Termination. As stated, we need to have the load balancer handle the SSL connection. This means having the SSL Certificate live on the load balancer server.

We saw how to create a self-signed certificate in a previous edition of SFH. We’ll re-use that information for setting up a self-signed SSL certificate for HAProxy to use.

Keep in mind that for a production SSL Certificate (not a self-signed one), you won’t need to generate or sign a certificate yourself – you’ll just need to create a Certificate Signing Request (csr) and pass that to whomever you purchase a certificate from.

First, we'll create a self-signed certificate for *.567ss.com, which is handy for demonstration purposes and lets us keep using the same certificate while our server IP addresses change during local testing. For example, if our local server exists at 192.168.33.10 but our virtual machine's IP later changes to 192.168.33.11, we don't need to re-create the self-signed certificate.

I use the 567ss.com service as it allows us to use a hostname rather than directly accessing the servers via an IP address, all without having to edit my computer's hosts file.

As this process is outlined in a past edition on SSL certificates, I'll simply show the steps to generate a self-signed certificate here:

$ sudo mkdir /etc/ssl/567ss.com
$ sudo openssl genrsa -out /etc/ssl/567ss.com/567ss.com.key 1024
$ sudo openssl req -new -key /etc/ssl/567ss.com/567ss.com.key \
    -out /etc/ssl/567ss.com/567ss.com.csr
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Connecticut
> Locality Name (eg, city) []:New Haven
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:SFH
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:*.567ss.com
> Email Address []:
>
> Please enter the following 'extra' attributes to be sent with your certificate request
> A challenge password []:
> An optional company name []:
$ sudo openssl x509 -req -days 365 -in /etc/ssl/567ss.com/567ss.com.csr \
    -signkey /etc/ssl/567ss.com/567ss.com.key \
    -out /etc/ssl/567ss.com/567ss.com.crt

This leaves us with a 567ss.com.csr, 567ss.com.key and 567ss.com.crt file.

Next, after the certificates are created, we need to create a pem file. A pem file is essentially just the certificate, the key and optionally certificate authorities concatenated into one file. In our example, we’ll simply concatenate the certificate and key files together (in that order) to create a 567ss.com.pem file. This is HAProxy’s preferred way to read an SSL certificate.

$ sudo cat /etc/ssl/567ss.com/567ss.com.crt /etc/ssl/567ss.com/567ss.com.key \
    | sudo tee /etc/ssl/567ss.com/567ss.com.pem

When purchasing a real certificate, you won't necessarily get a concatenated "bundle" file; you may have to concatenate the pieces yourself. Many providers do supply a bundle, though it might not be named .pem but instead bundle, cert or key, or some similar name for the same concept. This Stack Overflow answer explains that nicely.
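Building the bundle by hand, as an added example that is not the article's own steps: it generates a self-signed certificate and key in one openssl call, refuses to write the PEM if the key does not belong to the certificate (a swapped or stale key file is the usual reason HAProxy fails to load a bundle), and creates the bundle with owner-only permissions because it contains the private key. It requires the openssl CLI; the hostname example.test and the 2048-bit key size are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: build the crt-then-key PEM bundle the
# article describes, but verify first that the key really belongs to the certificate,
# and keep the bundle private because it contains the key. Requires the openssl CLI.
# The hostname and file names are constructed placeholders.
set -eu

# make_selfsigned DIR NAME: writes DIR/NAME.key and DIR/NAME.crt in one step
# (2048-bit RSA and a wildcard CN for NAME; chosen for this example).
make_selfsigned() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=*.$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# build_pem CRT KEY OUT: concatenates certificate then key into OUT.
# Returns 1 and writes nothing when the public key in CRT is not the public
# half of KEY.
build_pem() {
    crt=$1; key=$2; out=$3
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "build_pem: $key does not match $crt" >&2
        return 1
    fi
    # Certificate first, then the key: the order the article uses.
    # Subshell so the restrictive umask applies only to the bundle.
    ( umask 077 && cat "$crt" "$key" > "$out" )
}

# pem_subject PEM: the subject HAProxy will present for this bundle.
pem_subject() {
    openssl x509 -in "$1" -noout -subject
}

# pem_mode PEM: octal permission bits of the bundle (GNU stat).
pem_mode() {
    stat -c %a "$1"
}
```

After copying the bundle into place, haproxy -c -f /etc/haproxy/haproxy.cfg checks that HAProxy can actually load it before you reload the service.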

In any case, once we have a pem file for HAProxy to use, we can adjust our configuration a bit to handle SSL connections.

We'll set up our application to accept both http and https connections. In the last edition on HAProxy, we had this frontend:

frontend localnodes
    bind *:80
    mode http
    default_backend nodes

To terminate an SSL connection in HAProxy, we can now add a binding to the standard SSL port 443, and let HAProxy know where the SSL certificates are:

frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/ssl/567ss.com/567ss.com.pem
    mode http
    default_backend nodes

In the above example, we’re using the backend “nodes”. The backend, luckily, doesn’t really need to be configured in any particular way. In the previous edition on HAProxy, we had the backend like so:

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 172.17.0.3:9000 check
    server web02 172.17.0.3:9001 check
    server web03 172.17.0.3:9002 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

Because the SSL connection is terminated at the Load Balancer, we’re still sending regular HTTP requests to the backend servers. We don’t need to change this configuration, as it works the same!

SSL Only

If you’d like the site to be SSL-only, you can add a redirect directive to the frontend configuration:

frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/ssl/567ss.com/567ss.com.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend nodes

Above, we added the redirect directive, which will redirect from “http” to “https” if the connection was not made with an SSL connection. More information on ssl_fc is available here.

HAProxy with SSL Pass-Through

With SSL Pass-Through, we’ll have our backend servers handle the SSL connection, rather than the load balancer.

The job of the load balancer then is simply to proxy a request off to its configured backend servers. Because the connection remains encrypted, HAProxy can’t do anything with it other than redirect a request to another server.

In this setup, we need to use TCP mode over HTTP mode in both the frontend and backend configurations. HAProxy will treat the connection as just a stream of information to proxy to a server, rather than use its functions available for HTTP requests.

First, we’ll tweak the frontend configuration:

frontend localhost
    bind *:80
    bind *:443
    option tcplog
    mode tcp
    default_backend nodes

This still binds to both port 80 and port 443, giving the opportunity to use both regular and SSL connections.

As mentioned, to pass a secure connection off to a backend server without encrypting it, we need to use TCP mode (mode tcp) instead. This also means we need to set the logging to tcp instead of the default http (option tcplog). Read more on log formats here to see the difference between tcplog and httplog.

Next, we need to tweak our backend configuration. Notably, we once again need to change this to TCP mode, and we remove some directives to reflect the loss of ability to edit/add HTTP headers:

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 172.17.0.3:443 check
    server web02 172.17.0.4:443 check

As you can see, this is set to mode tcp; both the frontend and backend configurations need to be set to this mode.

We also remove option forwardfor and the http-request options: these can't be used in TCP mode, and we couldn't inject headers into an encrypted request anyway.

For health checks, we can use option ssl-hello-chk, which checks the connection as well as the server's ability to handle SSL (SSLv3 specifically) connections.

In this example, I have two fictitious backend servers that accept SSL connections. If you've read the edition on SSL certificates, you can see how to integrate them with Apache or Nginx in order to create a web server backend that handles SSL traffic. With SSL Pass-Through, no SSL certificates need to be created or used within HAProxy. The backend servers handle SSL connections just as they would if there were only one server in the stack without a load balancer.

Resources

http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

How to upgrade HAProxy to 1.6.10 on CentOS 7

To upgrade HAProxy to version 1.6.10 (required for compatibility with Snapt), follow these steps:

wget http://www.haproxy.org/download/1.6/src/haproxy-1.6.10.tar.gz
tar xvf haproxy-1.6.10.tar.gz
cd haproxy-1.6.10
make TARGET=linux26 USE_ZLIB=yes USE_OPENSSL=yes USE_PCRE=yes
cp /usr/sbin/haproxy /usr/sbin/haproxy_bak
cp ./haproxy /usr/sbin/haproxy

# haproxy -v
HA-Proxy version 1.6.10 2016/11/20
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

It's ok!

How to Encrypt Messages & Files Using OpenSSL on Linux

OpenSSL is a versatile cryptography toolkit. Many of us have used OpenSSL to create RSA private keys or CSRs (Certificate Signing Requests). However, did you realize that you can also use OpenSSL to encrypt files or messages? This article shows how to encrypt messages and files using OpenSSL.

Encrypt and Decrypt Messages

The following command encodes the message "Welcome to 567ss.com" using Base64 encoding:

# echo "Welcome to 567ss.com" | openssl enc -base64
V2VsY29tZSB0byA1Njdzcy5jb20K

Note:
  enc: encoding with ciphers
  -base64: Base64 encoding

To decode the message we reverse the order and use the -d option:

# echo "V2VsY29tZSB0byA1Njdzcy5jb20K" | openssl enc -base64 -d
Welcome to 567ss.com

Encrypt and Decrypt Files

To encrypt a file, use the following command:

# openssl enc -aes-256-cbc -in /etc/fstab -out fstab.dat
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

Note:
  enc: encoding with ciphers
  -aes-256-cbc: the encryption cipher
  -out: the name of the output file

To decrypt the file, use the following command:

# openssl enc -aes-256-cbc -d -in fstab.dat > fstab.txt
enter aes-256-cbc decryption password:
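The two halves of the article combined, as an added example that is not from the original: Base64 is a reversible encoding with no key, so the first command hides nothing; confidentiality comes only from the cipher step, which these helpers run with a random salt and PBKDF2 key derivation (the -pbkdf2 option needs OpenSSL 1.1.1 or later; without it openssl derives the key from a single hash of the password and newer releases print a deprecation warning). The passphrase is read from a file so it never appears on the command line or in shell history; the passphrase file contents and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: password-based encryption with
# openssl enc, wrapped so the same helpers work for a message on stdin and for a
# file. Base64 (the article's first command) is a reversible encoding with no key,
# so it hides nothing; confidentiality comes only from the cipher step below.
# -pbkdf2 needs OpenSSL 1.1.1 or later; the passphrase file and sample text are
# constructed for this example.
set -eu

# Shared cipher options: AES-256-CBC, a random salt, and PBKDF2 key derivation
# (without -pbkdf2 openssl derives the key from a single hash of the password).
CIPHER_OPTS="-aes-256-cbc -salt -pbkdf2"

# encrypt_msg PASSFILE: stdin -> base64-armoured ciphertext (the -a flag), so the
# result can be pasted into a mail or ticket.
encrypt_msg() {
    openssl enc $CIPHER_OPTS -a -pass "file:$1"
}

# decrypt_msg PASSFILE: base64-armoured ciphertext on stdin -> plaintext.
decrypt_msg() {
    openssl enc $CIPHER_OPTS -d -a -pass "file:$1"
}

# encrypt_file IN OUT PASSFILE / decrypt_file IN OUT PASSFILE: binary file variants.
encrypt_file() {
    openssl enc $CIPHER_OPTS -in "$1" -out "$2" -pass "file:$3"
}
decrypt_file() {
    openssl enc $CIPHER_OPTS -d -in "$1" -out "$2" -pass "file:$3"
}

# make_passfile PATH: writes a passphrase file readable only by the owner
# (constructed passphrase; openssl reads the first line of the file).
make_passfile() {
    ( umask 077 && printf '%s\n' "correct horse battery staple" > "$1" )
}

# Usage:
#   make_passfile ~/.msgpass
#   echo "Welcome to 567ss.com" | encrypt_msg ~/.msgpass > msg.enc
#   decrypt_msg ~/.msgpass < msg.enc
```

Because the salt is random, encrypting the same text twice yields different ciphertexts, and a wrong passphrase either fails the padding check or yields garbage; AES-CBC here gives confidentiality only, not integrity, so an attacker who can modify fstab.dat is not detected by the decrypt step.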

How to Upgrade PHP version 5.4 to 5.6 on CentOS/RHEL 6/7

For CentOS/RHEL 7:

# rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

For CentOS/RHEL 6:

# rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm

For CentOS/RHEL 5:

# rpm -Uvh http://mirror.webtatic.com/yum/el5/latest.rpm

After installing the Webtatic yum repository, you have to remove the old version of the php-common package. This also removes the packages that depend on it.

# yum remove php-common
# yum install -y php56w php56w-opcache php56w-xml php56w-mcrypt php56w-gd php56w-devel php56w-mysql php56w-intl php56w-mbstring php56w-fpm php56w-common php56w-soap

Error installing mysql2: Failed to build gem native extension

When you run bundle install or gem install mysql2, it fails with the following error:

Error installing mysql2: ERROR: Failed to build gem native extension.

How do you fix this and successfully install mysql2?

On Ubuntu/Debian and other distributions using apt:

sudo apt-get install libmysql-ruby libmysqlclient-dev

Package libmysql-ruby has been phased out and replaced by ruby-mysql. This is where I found the solution.

If the above command doesn't work because libmysql-ruby cannot be found, the following should be sufficient:

sudo apt-get install libmysqlclient-dev

On Red Hat/CentOS and other distributions using yum:

sudo yum install mysql-devel

On Mac OS X with Homebrew:

brew install mysql

How to know if a Perl module is already installed

We can use a command like this:

perl -MModule::Name -e 'print "Module installed.\n";'

For example, to check whether the module Net::LDAP::Control::PersistentSearch is installed, run:

perl -MNet::LDAP::Control::PersistentSearch -e 'print "Module installed.\n";'

If the module is installed, the console prints:

Module installed.

If the module is not installed, the console prints something like this:

Can't locate Net/LDAP/Control/PersistentSearch.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .).
BEGIN failed--compilation aborted.

How to change the default SSH port on CentOS 7

The Secure Shell (SSH) protocol uses port 22 by default. Keeping this value does not make your system insecure, nor does changing the port provide a significant difference in security. However, changing the default SSH listening port will stop many automated attacks and make it a bit harder to guess which port SSH is reachable on: an attacker would first have to run an nmap-style scan against your host to discover the port the SSH service listens on. So changing the default SSH port has little meaning on private networks, but it is a simple hardening technique that may be useful on publicly accessible hosts.

vi /etc/ssh/sshd_config

Edit the line which states 'Port 22'. But before doing so, you'll want to read the note below. Choose an appropriate port, making sure it is not currently used on the system. I would suggest using a mnemonic port, such as 22222, and using the same port on all your publicly accessible hosts, so you don't have to look up which host uses which port for SSH.

# What ports, IPs and protocols we listen for
Port 22222

On CentOS 7 or Red Hat 7 you can then restart the service with:

systemctl restart sshd

Verify SSH is listening on the new port, either with telnet or by connecting to it. Note how the port number now needs to be specified explicitly.

telnet 567ss.com 22222
ssh user@567ss.com -p 22222
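The editing step done by script instead of by hand, as an added example that is not part of the original post: the port value is validated, exactly one active Port line is left in the file, and the follow-up steps a CentOS 7 host needs before the restart are collected in one function. Those follow-ups go beyond the post: with SELinux enforcing, sshd cannot bind a port that is not labelled ssh_port_t (semanage comes from the policycoreutils-python package), and firewalld drops connections to the new port until it is opened. The sample sshd_config lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: change the Port directive in an sshd
# configuration file with a script instead of an editor, validating the value first,
# plus the CentOS 7 follow-up steps (SELinux label, firewalld rule, config test,
# restart) that the post's editing step leaves out. The sample config is constructed.
set -eu

# get_sshd_port FILE: print the first active Port value, or 22 when none is set
# (sshd's default).
get_sshd_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# set_sshd_port FILE PORT: rewrite FILE so exactly one active Port line remains.
# The first Port line (commented "#Port 22" or not) becomes "Port PORT"; any other
# active Port line is commented out so the old port stops being served.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port $port out of range" >&2; return 1
    fi
    awk -v p="$port" '
        /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1; next }
            if ($0 ~ /^[[:space:]]*Port/) { print "#" $0; next }
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# apply_sshd_port PORT: the privileged steps for CentOS 7 / RHEL 7. Not exercised
# by the checks below; with SELinux enforcing, sshd cannot bind a port that is not
# labelled ssh_port_t, and firewalld blocks the port until it is opened.
apply_sshd_port() {
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port"
    semanage port -a -t ssh_port_t -p tcp "$port" || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    sshd -t                         # syntax-check the config before restarting
    systemctl restart sshd
}
```

Keep the existing SSH session open while you restart and confirm the new port from a second session; if the restart or the firewall rule went wrong, the open session is what lets you revert.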

How to find the current X Window color depth

Your Problem

You want to know which color depth your X server is currently running at, i.e. whether you have 256, 65536 or roughly 16 million different colors available (2^8, 2^16 or 2^24).

The difference between 2^8 and 2^16 colors is big, but between 2^16 and 2^24 it is almost invisible. It does matter if you work with images, however!

The Solution

Simply use the tool xquery with the option -c; it will show your color depth:

> xquery -c
0 16

This screen has only 2^16 colors, i.e. 65536. If your display is working at 2^24 colors, which one should expect these days, the output shows this:

> xquery -c
0 24