Posted on 14-08-2009
Filed Under (Apache, Linux Networking, Redhat & Fedora, UNIX/Linux) by Ravi Bhure

IT infrastructure is becoming more critical and costly day by day, so we need a simple IP-based load-balancing solution that also handles SSL traffic. HAProxy is an easy and secure way to manage your server load balancing.
This example shows how to set it up in a few easy steps.

The Configuration:
* Load Balancer: 10.0.0.77  // our haproxy server; it listens on as many ports as we bind, as required
* Web Server 1: 10.0.1.209  // web application server 1, served in tcp mode
* Web Server 2: 10.0.1.210  // web application server 2, served in tcp mode
* Web Server 3: 10.0.1.227  // web application server 3, served in http mode
* Admin Panel: 10.0.0.77 port 8088  // statistics panel, served in http mode

Get and Install haproxy
We'll be using the 1.3.19 source tarball to install haproxy. You can get it from http://haproxy.1wt.eu/

wget http://haproxy.1wt.eu/download/1.3/src/haproxy-1.3.19.tar.gz

tar xvzf haproxy-1.3.19.tar.gz

cd haproxy-1.3.19

make TARGET=linux26 ARCH=x86_64

make install

Now add the haproxy user, or whichever user the daemon should run as (the user and group lines in the global section of the config below must name an existing account):

[root@ravi.com ~]# useradd haproxy

cp /path/to/haproxy-1.3.19/examples/haproxy.init /etc/init.d/haproxy

chmod +x /etc/init.d/haproxy

Create the /etc/haproxy directory and place your haproxy.cfg config file in it:

mkdir /etc/haproxy

Configure /etc/haproxy/haproxy.cfg

#[root@app71 haproxy]# more haproxy.cfg
global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 25000    # count about 1 GB per 25000 connections
#debug
#quiet
user ravi    # must be an existing account, e.g. the haproxy user created above
group ravi

defaults
log         global
mode        tcp
option      dontlognull
retries 3
option         redispatch
maxconn     20000
contimeout      5000
clitimeout      50000
srvtimeout      50000

#Configuration for www.ravi.com
listen VIP:www.ravi.com:10.0.0.77:80
bind            10.0.0.77:80    # or any other IP:port combination we listen to.
bind            10.0.0.77:443    # or any other IP:port combination we listen to.
mode            tcp
option          ssl-hello-chk
option          forwardfor    # set the client's IP in X-Forwarded-For (HTTP only; ignored in tcp mode).
balance         roundrobin
# set the maxconn parameter below to match Apache's MaxClients minus
# one or two connections so that you can still directly connect to it.
# enable the health check ("check") so that a server that is down is marked as such on the stats page.
# Set server weights; normally they should be 1 for all.
server          app139:10.0.1.209:80 10.0.1.209 weight 1 maxconn 5000 check
server          app140:10.0.1.210:80 10.0.1.210 weight 1 maxconn 5000 check

listen VIP:www.ravi.com:10.0.0.77:8080
bind            10.0.0.77:8080    # or any other IP:port combination we listen to.
mode            http
option          forwardfor    # set the client's IP in X-Forwarded-For.
balance         roundrobin
# set the maxconn parameter below to match Apache's MaxClients minus
# one or two connections so that you can still directly connect to it.
# enable the health check ("check") so that a server that is down is marked as such on the stats page.
# Set server weights; normally they should be 1 for all.
server          app127:10.0.1.227:8080 10.0.1.227 weight 1 maxconn 5000 check

# Enable the stats page on a dedicated port (8088). Monitoring request errors
# on the frontend will tell us how many potential attacks were blocked.
listen  ha_stats 10.0.0.77:8088
mode            http
stats enable
stats auth user:password    # replace with a real username and password; they travel in clear text over this plain-HTTP port, so restrict who can reach 8088.

Edit /etc/sysctl.conf, add the following at the end of the file, then run sysctl -p to load the settings:

net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65023
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 400000
net.core.somaxconn = 10000

Start haproxy using /etc/init.d/haproxy start, or directly with: /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid

Configuring logging

Edit /etc/sysconfig/syslog so that syslogd accepts the UDP messages haproxy sends to 127.0.0.1:

SYSLOGD_OPTIONS="-m 0 -r"

Note that -r makes syslogd accept messages from any host on UDP port 514, not only from localhost, so block that port from the outside with your firewall.

Edit /etc/syslog.conf and add the following (the /var/log/haproxy directory must exist; syslogd will not create it):

local0.* /var/log/haproxy/haproxy.log
local1.* /var/log/haproxy/haproxy-1.log

Restart Syslog

service syslog restart

Now check with

ps auxwww | grep haproxy
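The stats-page comment above suggests watching request errors on the frontend as an attack indicator. The script below, an added example that is not part of Ravi's post, summarises per-server request counts, 5xx responses and requests HAProxy itself refused, from lines in HAProxy's HTTP log format (what "option httplog" produces; the config above does not set it, so it logs the shorter TCP format unless you add that option). The log lines are constructed for this demo and use the port-8080 listen section's names.

```shell
#!/bin/sh
# Added example (not from the original post): summarise per-server traffic
# from HAProxy HTTP-format log lines (what "option httplog" produces), as
# syslog writes them to /var/log/haproxy/haproxy.log with the setup above.
# Every log line here is constructed for this demo; the frontend and server
# names follow the port-8080 listen section of the config above.
set -e

SAMPLE_LOG='Aug 14 10:00:01 app71 haproxy[2134]: 203.0.113.10:51234 [14/Aug/2009:10:00:01.123] VIP:www.ravi.com:10.0.0.77:8080 VIP:www.ravi.com:10.0.0.77:8080/app127:10.0.1.227:8080 5/0/2/30/37 200 1540 - - ---- 3/3/1/1/0 0/0 "GET /index.html HTTP/1.1"
Aug 14 10:00:02 app71 haproxy[2134]: 203.0.113.11:40112 [14/Aug/2009:10:00:02.010] VIP:www.ravi.com:10.0.0.77:8080 VIP:www.ravi.com:10.0.0.77:8080/app127:10.0.1.227:8080 4/0/1/25/30 200 980 - - ---- 2/2/1/1/0 0/0 "GET /images/logo.png HTTP/1.1"
Aug 14 10:00:03 app71 haproxy[2134]: 203.0.113.12:55001 [14/Aug/2009:10:00:03.400] VIP:www.ravi.com:10.0.0.77:8080 VIP:www.ravi.com:10.0.0.77:8080/app127:10.0.1.227:8080 3/0/1/-1/5001 503 212 - - SH-- 1/1/0/0/0 0/0 "POST /login HTTP/1.1"
Aug 14 10:00:04 app71 haproxy[2134]: 203.0.113.13:60222 [14/Aug/2009:10:00:04.900] VIP:www.ravi.com:10.0.0.77:8080 VIP:www.ravi.com:10.0.0.77:8080/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"'

# summarize_haproxy_log: read log lines on stdin and print one line per
# backend server:  <server> requests=N 5xx=N blocked=N
# Field positions (after the 5 syslog fields): $9 is backend/server, $11 the
# HTTP status, $15 the 4-letter termination state. A state beginning with
# "PR" means HAProxy itself refused the request (invalid or denied), which
# is the "request errors" figure the stats-page comment suggests watching.
# Captured headers ({...}) would follow $17 and do not shift these fields.
summarize_haproxy_log() {
  awk '
    {
      split($9, bs, "/"); srv = bs[2]
      total[srv]++
      if ($11 + 0 >= 500) err5xx[srv]++
      if (substr($15, 1, 2) == "PR") blocked[srv]++
    }
    END {
      for (s in total)
        printf "%s requests=%d 5xx=%d blocked=%d\n", s, total[s], err5xx[s] + 0, blocked[s] + 0
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_haproxy_log
```

On a real box run it as summarize_haproxy_log < /var/log/haproxy/haproxy.log; a server whose 5xx count climbs is the one to look at, and a rising blocked count on <NOSRV> is traffic HAProxy rejected before it reached any server.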

Thanks

Ravi

Posted on 16-04-2009
Filed Under (Apache, Subversion(svn)) by Arun Bagul

Introduction

Recently we started development work on openLSM. As per our plan we will complete the openLSM web server customization within two months from now…

So I installed Subversion and the latest version of WebSVN to serve my purpose. WebSVN 2.2 is one of the best tools to view or browse your Subversion repository on the web, using WebSVN with Apache or any other web server. You can download WebSVN from http://websvn.tigris.org/

Requirements – web server (Apache) + PHP + a Subversion repository

1] How to configure –


Download WebSVN as mentioned above and place the extracted source under the Apache htdocs directory of your choice.
Go to its include directory, where you will see a file named config.php.dist (or similar); rename it to
"config.php" and modify the few parameters listed below….

//////////////////  arun ////////////////////

$config->setSVNCommandPath('/usr/bin');
$config->setDiffPath('/usr/bin');
$config->setEnscriptPath('/usr/bin');
$config->setSedPath('/bin');
$config->setTarPath('/bin');
$config->setGZipPath('/bin');

$config->addRepository('openlsm_webserver', '/home/subversion/openlsm_webserver_apr2009');

* Above, "openlsm_webserver" is my repository name and "/home/subversion/openlsm_webserver_apr2009" is the physical path of
the svn repository.

2] How to enable  authentication ~

In older versions of WebSVN (1.6, I guess) per-repository authentication was not possible (as I remember). In WebSVN 2.2 you can configure WebSVN to use the Subversion authentication (access) file to control access, via WebSVN plus Apache-based authentication:

$config->useAuthenticationFile('/path/to/accessfile'); // Global access file
$config->useAuthenticationFile('/path/to/accessfile', 'myrep'); // Access file per repository

* That's it; this is all you need to use this wonderful tool to browse your svn repositories….

Thank you,
Arun Bagul

Posted on 18-06-2008
Filed Under (Apache) by Arun Bagul

Posted on 19-12-2007
Filed Under (Apache) by Arun Bagul

I was facing the same problem for a few days after creating a certificate for a secure HTTPS site: whenever I browsed the site over https it showed me an error like “Website Certified by Unknown Authority – unable to verify the identity of indiangnu.org site”.

I was thinking that this might be a browser incompatibility issue and that my browser did not support HTTPS. But I was wrong, and finally I found that there was a simple misconfiguration on the server side.

* Virtual Hosting of My Site –

<VirtualHost 192.168.1.200:443>
ServerAdmin webmaster@indiangnu.org
ServerName www.indiangnu.org
DocumentRoot /home/indgnu/public_html

User indgnu
Group indgnu
ScriptAlias /cgi-bin/ /home/indgnu/public_html/cgi-bin/

SSLEnable
SSLCertificateFile /usr/share/ssl/certs/indiangnu.org.crt
SSLCertificateKeyFile /usr/share/ssl/private/indiangnu.org.key
SSLCACertificateFile /usr/share/ssl/certs/intermediate.crt

SSLLogFile /var/log/apache/domlogs/indiangnu.org-ssl_data_log

</VirtualHost>

If you are using a certificate issued by a CA then you need to add this line, pointing at the intermediate.crt certificate of your CA, so that the server sends the full chain:

SSLCACertificateFile /usr/share/ssl/certs/intermediate.crt

If you are using a self-signed certificate then you will not face this problem (there is no chain to complete; the browser simply has to trust the certificate itself).

* The options may depend on the version of Apache.
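To see the problem reproduced offline, here is an added example (not part of Arun's post) that builds a throwaway root, intermediate and server certificate with openssl and verifies the server certificate the way a browser does, trusting only the root. Without the intermediate the verification fails, which is exactly the "Unknown Authority" error; with it, the same certificate verifies. All names are constructed, and the script assumes an openssl binary (1.1.1 or later) in PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "Unknown Authority"
# failure with a throwaway root -> intermediate -> server chain, then show that
# supplying the intermediate certificate (what SSLCACertificateFile does for
# Apache) makes verification succeed. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_chain: create a root CA, an intermediate CA and a server certificate.
make_chain() {
  # Extensions that mark a certificate as a CA (needed for root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

  # Root CA, self-signed: this is what the browser's trust store contains.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Test Root' \
      -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
      -out root.crt >/dev/null 2>&1

  # Intermediate CA, signed by the root: the CA's "intermediate.crt".
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Test Intermediate' \
      -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out int.crt >/dev/null 2>&1

  # Server certificate, signed by the intermediate (as a public CA would do).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
      -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 2 -out server.crt >/dev/null 2>&1
}

# verify_server ROOT_CA [INTERMEDIATE]: build the certificate path the way a
# client does, trusting only ROOT_CA; the intermediate, if given, is offered
# as an untrusted helper exactly as the web server would send it. Prints
# "ok" or "fail".
verify_server() {
  if [ -n "$2" ]; then
    set -- -CAfile "$1" -untrusted "$2"
  else
    set -- -CAfile "$1"
  fi
  if openssl verify "$@" server.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
echo "server.crt without the intermediate: $(verify_server root.crt)"
echo "server.crt with the intermediate:    $(verify_server root.crt int.crt)"
```

The first line prints "fail" and the second "ok". The same check against a live server is what a browser performs: if the server only sends its own certificate, the client cannot walk from it up to a trusted root, so the CA's intermediate must be configured on the server side.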

* Screenshot of the error (image not reproduced here)

Thank you,

Arun Bagul

Posted on 01-12-2007
Filed Under (Apache) by Arun Bagul

Apache is the most widely used web server. For the secure HTTP protocol we need to check whether the mod_ssl (Secure Socket Layer) module of Apache is installed/loaded or not. mod_ssl may be loaded as a static or a dynamic module: static means SSL support is compiled into the apache binary, while with dynamic loading the .so (shared object) file is loaded by apache at run time.

  • How to check whether mod_ssl is loaded?

[root@indiangnu.org ~]# /usr/local/apache/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_so.c
mod_setenvif.c
mod_ssl.c
mod_frontpage.c
suexec: enabled; valid wrapper /usr/local/apache/bin/suexec
[root@indiangnu.org ~]# httpd -l

  • Apache configuration file

#set port 80 for HTTP and 443 for HTTPS

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

# Settings for virtual hosting

NameVirtualHost 192.168.1.100:80
NameVirtualHost 192.168.1.100:443

#virtual hosting for HTTP

<VirtualHost 192.168.1.100:80>
ServerName nishit.indiangnu.org
ServerAlias www.nishit.indiangnu.org
DocumentRoot /home/nishit/public_html
#BytesLog /usr/local/apache/domlogs/nishit.indiangnu.org-bytes_log
CustomLog /usr/local/apache/domlogs/nishit.indiangnu.org combined
ScriptAlias /cgi-bin/ /home/nishit/public_html/cgi-bin/
</VirtualHost>

# virtual hosting for HTTPS
<VirtualHost 192.168.1.100:443>
SSLEngine On
SSLCertificateFile /usr/local/apache/conf/ssl.crt/indiangnu.org.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/indiangnu.org.key
ServerName nishit.indiangnu.org
ServerAlias www.nishit.indiangnu.org
ServerAdmin webmaster@nishit.indiangnu.org
DocumentRoot /home/nishit/public_html
</VirtualHost>

#done

# Now restart apache server and check on which port apache is listening

[root@indiangnu.org ~]# netstat -nlp | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14037/httpd
[root@indiangnu.org ~]# netstat -nlp | grep :443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14037/httpd
[root@indiangnu.org~]#

#Then restart apache and browse the sites

  • How to generate SSL Certificate

1) Generate the RSA private key:

[root@indiangnu.org~]# openssl genrsa -out /etc/ssl/certs/indiangnu.org.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
........................................................++++++
e is 65537 (0x10001)

2) Check the key by reading it back with openssl rsa (this rewrites the same PEM key to a second file):

[root@indiangnu.org~]# openssl rsa -in /etc/ssl/certs/indiangnu.org.key -out /etc/ssl/certs/indiangnu.org.pem
writing RSA key
[root@indiangnu.org~]# ls
indiangnu.org.key
[root@indiangnu.org~]# cat indiangnu.org.key
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----

3) Generate the certificate request (CSR) from the key. Note that the output file is a request to be sent to the CA, not yet a certificate:

[root@indiangnu.org~]# openssl req -new -key /etc/ssl/certs/indiangnu.org.key -out /etc/ssl/certs/indiangnu.org.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:MH
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:IndianGNU.org
Organizational Unit Name (eg, section) []:System
Common Name (eg, your name or your server's hostname) []:nishit.indiangnu.org
Email Address []:to@nishit.indiangnu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@indiangnu.org~]#
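Step 3 writes a certificate request, whatever the output file is called, and Apache will refuse to start if SSLCertificateFile and SSLCertificateKeyFile do not belong together. The script below is an added example, not part of Arun's post: it repeats steps 1 and 3 on constructed file names, shows that adding -x509 to the same openssl req command yields a self-signed certificate instead of a request, and checks the key/certificate pairing by comparing the RSA modulus of each. It assumes an openssl binary in PATH.

```shell
#!/bin/sh
# Added example (not from the original post): tell a CSR from a certificate,
# and confirm that a key and certificate belong together before pointing
# Apache at them. File names below are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step 1 above: the private key.
openssl genrsa -out site.key 2048 >/dev/null 2>&1
# Step 3 above writes a certificate *request* (CSR), not a certificate:
openssl req -new -key site.key -subj '/CN=www.example.test' -out site.csr >/dev/null 2>&1
# With -x509 the same command emits a self-signed certificate instead:
openssl req -new -x509 -key site.key -subj '/CN=www.example.test' -days 2 -out site.crt >/dev/null 2>&1
# An unrelated key, standing in for a wrong SSLCertificateKeyFile:
openssl genrsa -out other.key 2048 >/dev/null 2>&1

# pem_type FILE: print the PEM label of the first block in FILE
# (e.g. "CERTIFICATE REQUEST" or "CERTIFICATE").
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# key_matches_cert KEY CERT: succeed only if both carry the same RSA modulus,
# i.e. the certificate was issued for this key.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

echo "site.csr contains a: $(pem_type site.csr)"
echo "site.crt contains a: $(pem_type site.crt)"
if key_matches_cert site.key site.crt; then
  echo "site.key matches site.crt"
fi
if key_matches_cert other.key site.crt; then
  echo "other.key matches site.crt"
else
  echo "other.key does NOT match site.crt (Apache would fail to start with this pair)"
fi
```

Run the same two checks on the real files from /etc/ssl/certs before restarting Apache; the modulus comparison also catches the case where a CA-issued certificate was installed next to a key that has since been regenerated.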

4) If you want to force an SSL connection and redirect all traffic on port 80 to port 443 (HTTPS), use this instead:

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

Thank you,

Arun

Posted on 27-12-2006
Filed Under (Apache, Subversion(svn)) by Arun Bagul

Introduction –

There are three different methods of accessing subversion repository…

1] Local filesystem or Network filesystem accessed by client directly
2] Apache HTTP using WebDAV module
3] svnserve tunneled over an SSH (svn + ssh)

First of all I am creating the base directory for svn as "/var/repos_base":

root@arun:~# mkdir /var/repos_base
root@arun:~# ls -ld  /var/repos_base
drwxr-xr-x 2 root root 4096 2006-12-26 16:32 /var/repos_base
root@arun:~#

How to get help?

root@arun:~# svnadmin  help
root@arun:~# svn help
root@arun:~# svnlook  help
root@arun:~# svnsync  help
root@arun:~# svnversion  --help
root@arun:~# svnserve  --help

1] How to create an svn repository?

The "svnadmin" command is used to perform administrative tasks in Subversion, such as creating, dumping, hotcopying, recovering and verifying a repository.

root@arun:~# svnadmin  create  /var/repos_base/myrepository

Here “/var/repos_base/myrepository” is the physical location of repository….

root@arun:~# ls -l /var/repos_base/myrepository/
total 28
drwxr-xr-x 2 root root 4096 2006-12-26 16:34 conf
drwxr-xr-x 2 root root 4096 2006-12-26 16:34 dav
drwxr-sr-x 5 root root 4096 2006-12-26 16:34 db
-r--r--r-- 1 root root    2 2006-12-26 16:34 format
drwxr-xr-x 2 root root 4096 2006-12-26 16:34 hooks
drwxr-xr-x 2 root root 4096 2006-12-26 16:34 locks
-rw-r--r-- 1 root root  229 2006-12-26 16:34 README.txt
root@arun:~#

2] How to create the trunk, branches etc. directories in the svn repository?

method (1) ~ Local filesystem

root@arun:~# svn  mkdir   file:///var/repos_base/myrepository/trunk/

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c

Committed revision 1.
root@arun:~# svn  mkdir   file:///var/repos_base/myrepository/branches

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c

Committed revision 2.
root@arun:~#

root@arun:~# svn  list   file:///var/repos_base/myrepository/
branches/
trunk/
root@arun:~#

method (2) ~ Apache HTTP using WebDAV module

arunsb@arun:~$ svn  mkdir    http://192.168.0.1/myrepository/trunk/

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c
Authentication realm: <http://192.168.0.1:80> || Welcome to Subversion Repository ||
Password for 'arunsb':

Committed revision 1.
arunsb@arun:~$ svn   mkdir    http://192.168.0.1/myrepository/branches/

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c

Committed revision 2.
arunsb@arun:~$ svn  list  http://192.168.0.1/myrepository/
branches/
trunk/
arunsb@arun:~$

method (3) ~ svnserve tunneled over an SSH (svn + ssh)

arunsb@arun:~$ svn mkdir  svn://192.168.0.1/myrepository/branches/

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c
Authentication realm: <svn://192.168.0.1:3690> " || Welcome to Subversion Repository ||"
Password for 'arunsb':

Committed revision 1.
arunsb@arun:~$ svn mkdir  svn://192.168.0.1/myrepository/trunk/

Log message unchanged or not specified
a)bort, c)ontinue, e)dit
c

Committed revision 2.
arunsb@arun:~$ svn list  svn://192.168.0.1/myrepository/
branches/
trunk/
arunsb@arun:~$

3] How to import unversioned data into svn?

root@arun:~# ls -l  /root/source_code/
total 12
-rwxr-xr-x 1 root root    3 2006-12-26 20:01 arun.html
-rw-r--r-- 1 root root 2119 2006-12-26 20:03 License
-rwxr-xr-x 1 root root   64 2006-12-26 20:01 my.pl
root@arun:~#

* I wanted to import this data….

method (1)

root@arun:~# svn import   /root/source_code/ file:///var/repos_base/myrepository/trunk/    -m "welcome to first import"
Adding         /root/source_code/my.pl
Adding         /root/source_code/License
Adding         /root/source_code/arun.html

Committed revision 3.
root@arun:~#

List the imported data from svn repository –

arunsb@arun:~$ svn list file:///var/repos_base/myrepository/trunk/
License
arun.html
my.pl
arunsb@arun:~$

method (2)

arunsb@arun:~$ svn import   /root/source_code/   http://192.168.0.1/myrepository/trunk/  -m "welcome to first import"
Authentication realm: <http://192.168.0.1:80> || Welcome to Subversion Repository ||
Password for 'arunsb':
Adding         /root/source_code/my.pl
Adding         /root/source_code/License
Adding         /root/source_code/arun.html

Committed revision 3.
arunsb@arun:~$

method (3)

arunsb@arun:~$ svn import   /root/source_code/   svn://192.168.0.1/myrepository/trunk/  -m "welcome to first import"
Authentication realm: <svn://192.168.0.1:3690> " || Welcome to Subversion Repository ||"
Password for 'arunsb':
Adding         /root/source_code/my.pl
Adding         /root/source_code/License
Adding         /root/source_code/arun.html

Committed revision 3.
arunsb@arun:~$

4] How to check out the svn repository?

method (1)

arunsb@arun:~$ svn checkout file:///var/repos_base/myrepository/trunk/  /home/arunsb/mysource_code/
A    /home/arunsb/mysource_code/my.pl
A    /home/arunsb/mysource_code/License
A    /home/arunsb/mysource_code/arun.html
Checked out revision 3.
arunsb@arun:~$

method (2)

arunsb@arun:~$ svn checkout   http://192.168.0.1/myrepository/trunk/   /home/arunsb/mysource_code/
Authentication realm: <http://192.168.0.1:80> || Welcome to Subversion Repository ||
Password for 'arunsb':
Checked out revision 2.
arunsb@arun:~$

method (3)

arunsb@arun:~$ svn co svn://192.168.0.1/myrepository/trunk/   /home/arunsb/mysource_code/
Authentication realm: <svn://192.168.0.1:3690> " || Welcome to Subversion Repository ||"
Password for 'arunsb':
Checked out revision 2.
arunsb@arun:~$

* Now check checked out data…

arunsb@arun:~$ ls -l /home/arunsb/mysource_code/
total 12
-rwxr-xr-x 1 arunsb oinstall    3 2006-12-26 20:42 arun.html
-rw-r--r-- 1 arunsb oinstall 2119 2006-12-26 20:42 License
-rwxr-xr-x 1 arunsb oinstall   64 2006-12-26 20:42 my.pl
arunsb@arun:~$

** Now go to “/home/arunsb/mysource_code/”

arunsb@arun:~/mysource_code$ cd  /home/arunsb/mysource_code/
arunsb@arun:~/mysource_code$ ls
arun.html  License  my.pl
arunsb@arun:~/mysource_code$

* How to get information about svn repository –

arunsb@arun:~/mysource_code$ svn info
Path: .
URL: file:///var/repos_base/myrepository/trunk
Repository Root: file:///var/repos_base/myrepository
Repository UUID: 361de285-9226-493b-aed7-a95619a457c0
Revision: 3
Node Kind: directory
Schedule: normal
Last Changed Author: root
Last Changed Rev: 3
Last Changed Date: 2006-12-26 20:38:14 +0530 (Fri, 26 Dec 2006)
arunsb@arun:~/mysource_code$

4] How to commit data?

Now create a new file "new_file.php", edit it, and create a new directory…

arunsb@arun:~/mysource_code$ touch  new_file.php
arunsb@arun:~/mysource_code$ ls
arun.html  License  my.pl  new_file.php
arunsb@arun:~/mysource_code$ vi new_file.php
arunsb@arun:~/mysource_code$ mkdir  new_dir
arunsb@arun:~/mysource_code$ ls
arun.html  License  my.pl  new_dir  new_file.php
arunsb@arun:~/mysource_code$

* Now check the status… '?' means the file or directory is NOT in the svn repository

arunsb@arun:~/mysource_code$ svn  status
?      new_dir
?      new_file.php
arunsb@arun:~/mysource_code$

* Now add  newly created files and directories…

arunsb@arun:~/mysource_code$ svn add  new_dir
A         new_dir
arunsb@arun:~/mysource_code$ svn add  new_file.php
A         new_file.php
arunsb@arun:~/mysource_code$

* Another method to add directory is…

arunsb@arun:~/mysource_code$ svn mkdir new_dir2
A         new_dir2
arunsb@arun:~/mysource_code$

* Now check the status… 'A' means the item is scheduled for addition (not yet committed)

arunsb@arun:~/mysource_code$ svn  status
A      new_dir
A      new_dir2
A      new_file.php
arunsb@arun:~/mysource_code$

* Commit the modifications to the svn repository…

arunsb@arun:~/mysource_code$ svn commit  -m "committing  data"
Adding         new_dir
Adding         new_dir2
Adding         new_file.php
Transmitting file data .
Committed revision 4.
arunsb@arun:~/mysource_code$

5] How to check svn status (working copy) –

arunsb@arun:~/mysource_code$ svn status
arunsb@arun:~/mysource_code$

arunsb@arun:~/mysource_code$ svn  status
A      new_dir
A      new_dir2
A      new_file.php
arunsb@arun:~/mysource_code$

6] How to update svn working copy –

arunsb@arun:~/mysource_code$ svn update
At revision 4.
arunsb@arun:~/mysource_code$

* update working copy to specific revision….

arunsb@arun:~/mysource_code$ svn update -r20

7] How to check  svn log (working copy) –

arunsb@arun:~/mysource_code$ svn log
------------------------------------------------------------------------
r1 | arunsb | 2008-12-26 21:53:04 +0530 (Fri, 26 Dec 2006) | 1 line
------------------------------------------------------------------------
arunsb@arun:~/mysource_code$

Thank you,
Arun Bagul
