Nginx, SSL & php5-fpm on Debian Wheezy

October 11th, 2014

I decided to take a break from my love affair with Apache and set up a recent development project on Nginx. I’ve seen nothing but good things in terms of speed and performance from Nginx. I decided to set up a LEMP server (Linux, Nginx, MySQL, PHP), minus the MySQL as it’s already installed on my VM host server, and plus SSL. Here’s the full setup tutorial on Debian Wheezy:

Step #1 – Installing the packages

apt-get install nginx-extras mysql-client
apt-get install php5-fpm php5-gd php5-mysql php-apc php-pear php5-cli php5-common php5-curl php5-mcrypt php5-cgi php5-memcached

MySQL can be installed into the mix with a simple:

apt-get install mysql-server

Read the rest of this entry »

Debian Wheezy Xen + Guest Howto

October 8th, 2014

Xen is usually my go to virtualization technology for Linux. Here’s a HOWTO on setting up Xen on Debian Wheezy and the first guest virtual machine.

First step is getting the required packages:

apt-get install xen-linux-system xen-tools xen-utils-4.1 xen-utils-common xenstore-utils xenwatch

Now, we’ll need to specify the Xen kernel as the default boot kernel on the host, and then reboot:
Read the rest of this entry »

MySQL Master-Master Replication, Heartbeat, DRBD, Apache, PHP, Varnish MegaHOWTO

October 8th, 2014

I created this HOWTO while building a new development environment today. The intention is to take a single Apache2/Varnish/MySQL environment and scale it to two servers, with one effectively a “hot-standby” – increase redundancy and continuity whilst maintaining current performance. This HOWTO is based on Linux Debian-76-wheezy-64-minimal 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

Our current server has IP 192.168.201.1/24 and our new server has IP 192.168.201.7.

Section #1: Set up MySQL Master/Master Replication


First, we’ll set up MySQL master to master replication. In this configuration, data can be written and read from either host. Bear in mind that issues may exist with autoincrement fields when written to at the same time. There are other caveats with replication so ensure to research them along with how to deal with corruption and repair before considering this setup for a live application. Also be sure to be using the same version of MySQL on both servers – this may not always be necessary, however unless you are very familiar with any changes between versions, not doing so could spell disaster.

Read the rest of this entry »

Linux Challenge Blackbox #1

October 5th, 2014

I put together a small blackbox challenge this afternoon. Download it now:

Challenge starts here

The challenge covers some Linux file manipulation, C/ASM, GDB and filesystem. Please post questions or feedback in the comments. No spoilers! If you’ve got the master password, contact me privately through the form and if you’re correct I’ll post your details here.

Update 6th Oct 14:00 GMT

I’ve received a lot of questions and clarifications. Here are some hints for the first part.. πŸ™‚

  1. Β The download file is hidden on this page. It’s not hard to find!
  2. Linux “file” command is helpful
  3. Make sure you have GDB installed and know how to use it

And for the second part…

  1. I <3 AES 256!

The final key is a 16 byte string padded out to 32 bytes.

The challenge has now been solved, and an excellent and very detailed solution posted by Reader Remi Pommarel (repk at triplefau dot lt). Here is Remi’s solution:

Spoiler Inside: Challenge Solution SelectShow

Please feel free to submit your own solutions!

Linux iproute2 multiple default gateways

October 5th, 2014

This article describes a Linux server set up with 2 interfaces (eth0) and (eth1). Each interface has a separate ISP, network details and default gateway. eth0 has two sets of network details on the same interface and so a virtual interface (eth0:0) must be created to handle the second IP.

By default, Linux only allows for one default gateway. Let’s see what happens if we try to use multiple uplinks with 1 default gateway. Assume eth0 is assigned 192.168.1.2/24 and eth1 is assigned 172.16.1.5/16. Let’s say our default gateway is 192.168.1.1 (which of course is found through eth0) but there’s also a 172.16.0.1 gateway on eth1 which we can’t enter as Linux only allows for the one.

Our routing table now looks like this:

root@www1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1

If a packet comes in to us, routed through the 172.16.0.1 gateway from say 8.8.8.8, our machine will receive it. When it tries to reply to 8.8.8.8 however, it runs down the routing table and sees that it’s not local to eth0 or eth1 and therefore will get routed out through the default gateway (192.168.1.1) – the problem is, this is the wrong gateway and so the target machine will ignore our response due to it being out of sequence and from the wrong IP.

Using iproute2, Linux can track multiple routing tables and therefore multiple default gateways. If the packet comes in through one interface and to one IP, it will go out via a specific default gateway. The script to achieve this is as follows:

Read the rest of this entry »

Debian Linux Wheezy OpenVPN & Squid3 HOWTO with Transparent Proxying

October 4th, 2014

Before my last extended period travelling and using public networks, I decided to set up a new low spec virtual machine on one of my hosted servers. I trust my datacenter and their uplinks more than I trust the free WiFi and public networks I travel through, and so while all my internet traffic is being routed over an encrypted tunnel to my dedicated server, I’m a lot happier.

I threw Squid3 into the mix, as it caches common assets and the sites I visit. This speeds up my web access and page load time.

OpenVPN can be configured more simply with a ‘static key’ configuration, however I’ve chosen to go down the PKI route for future growth. On my new VPN server I run:

apt-get install openvpn

Once OpenVPN is installed, I’ll need to set up my PKI system, certificate authority (CA), server certificate (vpn) and my first client certificate (npn)

Read the rest of this entry »