Traefik & Grafana: auto-login based on source IP

If you want requests reaching Grafana from a given source IP to be logged in automatically (or forced onto a specific account), you can do it in Traefik with a separate router and a middleware. This requires basic authentication to be enabled in Grafana (it is by default). Suppose you start with a default Traefik configuration exposing Grafana to anyone at https://grafana.example.org:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.grafana.rule=Host(`grafana.example.org`)"
  - "traefik.http.routers.grafana.service=grafana"
  - "traefik.http.routers.grafana.tls=true"
  - "traefik.http.routers.grafana.tls.certresolver=myresolver"
  - "traefik.http.routers.grafana.entrypoints=websecure"
  - "traefik.http.services.grafana.loadbalancer.server.port=3000"
```

To force requests coming from the IP 1.1.1.1 to be authenticated as the foobar user, add the following labels after enabling traefik and before the router grafana: ...
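The technique above, as an added shell example that is not part of the post: it computes the `Authorization: Basic` value and prints a second, higher-priority router that only matches the trusted client IP and injects that header through a `headers` middleware, so Grafana sees every request from that address as the chosen user. The router and middleware names (`grafana-autologin`), the priority value and the sample credentials are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the post's own labels: generate the extra Traefik router
# and middleware that force a Grafana basic-auth identity for one source IP.
# Router/middleware names, the priority value and the argument values are
# assumptions chosen for this example.

# Print the value of an "Authorization: Basic ..." header for user:password.
basic_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode the header value back to user:password (sanity check before deploying).
basic_auth_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit compose labels for a second router that only matches the trusted IP and
# injects the Authorization header before Traefik forwards to Grafana.
# Args: host trusted_ip grafana_user grafana_password
grafana_autologin_labels() {
  host=$1 ip=$2 user=$3 pass=$4
  cred=$(basic_auth_value "$user" "$pass")
  # Unquoted heredoc: backticks must be escaped so the shell does not run them.
  cat <<EOF
      - "traefik.http.routers.grafana-autologin.rule=Host(\`$host\`) && ClientIP(\`$ip\`)"
      # explicit priority so this router wins over the catch-all Host() router
      - "traefik.http.routers.grafana-autologin.priority=100"
      - "traefik.http.routers.grafana-autologin.entrypoints=websecure"
      - "traefik.http.routers.grafana-autologin.tls=true"
      - "traefik.http.routers.grafana-autologin.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana-autologin.service=grafana"
      - "traefik.http.routers.grafana-autologin.middlewares=grafana-autologin"
      # customrequestheaders replaces any Authorization header the client sent
      - "traefik.http.middlewares.grafana-autologin.headers.customrequestheaders.Authorization=Basic $cred"
EOF
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  grafana_autologin_labels grafana.example.org 1.1.1.1 foobar 'changeme'
fi
```

Three things to check before relying on it: `ClientIP` is evaluated against the address Traefik sees on the TCP connection, so behind another proxy or load balancer it only works once the entrypoint is configured to trust that upstream's forwarded headers or PROXY protocol; Traefik already ranks rules by length, so the longer `Host && ClientIP` rule wins by default and the explicit priority is only there to make the intent visible; and the credential ends up in plain text in the container labels, readable by anyone with access to the Docker socket or the Traefik dashboard, so use a dedicated low-privilege Grafana account rather than an admin.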

October 19, 2022 · 1 min

CentOS 8 End of Life: upgrade to CentOS Stream

CentOS Linux 8 reached end of life on December 31, 2021; the official mirrors no longer serve packages for it. Here is how to upgrade to the last CentOS 8 release and then switch to CentOS Stream. As always, before any system change, make sure you have a recent, tested backup.

Upgrade to the latest CentOS 8

```sh
# comment out the (dead) mirrorlist lines and enable the baseurl, pointed at the vault
sed -i -e 's/^mirrorlist=/#mirrorlist=/' \
       -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|' \
       /etc/yum.repos.d/*.repo
yum update
reboot
cat /etc/centos-release
# CentOS Linux release 8.5.2111
```

Make sure everything is working as expected. ...
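The repo rewrite above, as an added example that is not part of the post: it applies the same edit with anchored patterns (so the `mirrorlist` inside the URL is untouched and running it twice changes nothing), keeps a backup of every repo file, and verifies the result before touching packages. The directory argument lets you try it on a copy of /etc/yum.repos.d first; the Stream conversion at the end follows the centos.org instructions and only runs when explicitly requested.

```sh
#!/bin/sh
# Added example, not from the post: repoint CentOS Linux 8 repo files to
# vault.centos.org idempotently, keep a backup of each file, and verify.

# Rewrite every *.repo file in $1: comment out mirrorlist= lines (anchored, so
# the "mirrorlist" inside the URL is left alone and the edit is idempotent) and
# enable the commented baseurl, pointing it at the vault over https.
point_repos_to_vault() {
  dir=$1
  for f in "$dir"/*.repo; do
    [ -f "$f" ] || continue
    cp -p "$f" "$f.bak"   # backup of the file as found on this run
    sed -i \
      -e 's/^mirrorlist=/#mirrorlist=/' \
      -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|' \
      "$f"
  done
}

# Return 0 when no enabled mirrorlist lines remain and at least one baseurl
# points at the vault over https; 1 otherwise.
repos_use_vault() {
  dir=$1
  if grep -q '^mirrorlist=' "$dir"/*.repo 2>/dev/null; then
    return 1
  fi
  grep -q '^baseurl=https://vault.centos.org' "$dir"/*.repo 2>/dev/null
}

# Full procedure; only runs when explicitly requested because it changes the
# system. Reboot and sanity-check between the update and the Stream swap.
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
  point_repos_to_vault /etc/yum.repos.d
  repos_use_vault /etc/yum.repos.d || { echo "repo rewrite failed" >&2; exit 1; }
  yum -y update
  cat /etc/centos-release          # expect: CentOS Linux release 8.5.2111
  # conversion to CentOS Stream 8 (steps published by centos.org)
  dnf -y swap centos-linux-repos centos-stream-repos
  dnf -y distro-sync
fi
```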

February 15, 2022 · 1 min

Elasticsearch in Docker: threat intelligence with filebeat

Goals:

- collect observables from supported feeds
- collect observables from unsupported feeds with elastic-tip

Setup elasticsearch and kibana for filebeat

We could use the superuser elastic to set up filebeat, but we are going to use a dedicated user with only the minimum permissions. Open Kibana and go to Stack Management > Security > Roles. Click Create role and enter the following settings:

- Role name: filebeat_threatintel_setup
- Cluster privileges: monitor, manage_ilm, manage_ml
- Index privileges:
  - Indices: filebeat-*
  - Privileges: manage, write, read

Click Create role. ...
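The same least-privilege role, as an added example that is not part of the post: it creates the role through the Elasticsearch security API instead of the Kibana UI, and pairs it with a second, narrower role for the running filebeat (the setup role is needed once, to load templates and ILM policies; the process that ships events afterwards should only be able to append documents). The URL, the netrc path, the user names and the writer role's privilege list are assumptions for this example (the writer privileges follow Elastic's published guidance for publishing events).

```sh
#!/bin/sh
# Added example, not from the post: manage the filebeat roles and users through
# the _security API. Admin credentials come from a 0600 netrc file so the
# password never shows up in `ps`; the new user's password comes from NEW_PW.

ES_URL=${ES_URL:-https://elasticsearch.foobar.com}
ES_CA=${ES_CA:-/etc/ssl/certs/elastic_ca.crt}      # CA that signed es_chain.crt
ES_NETRC=${ES_NETRC:-$HOME/.es-netrc}               # "machine <host> login elastic password ..."

# Print the JSON body for a role: "setup" (run once, by whoever installs
# filebeat) or "writer" (used by filebeat itself, can only add documents).
filebeat_role_body() {
  case $1 in
    setup)
      cat <<'EOF'
{
  "cluster": ["monitor", "manage_ilm", "manage_ml"],
  "indices": [
    { "names": ["filebeat-*"], "privileges": ["manage", "write", "read"] }
  ]
}
EOF
      ;;
    writer)
      cat <<'EOF'
{
  "cluster": ["monitor", "read_ilm", "read_pipeline"],
  "indices": [
    { "names": ["filebeat-*"], "privileges": ["create_doc", "view_index_metadata"] }
  ]
}
EOF
      ;;
    *) echo "unknown role kind: $1" >&2; return 2 ;;
  esac
}

# Create or overwrite a role, then a user bound to it.
# Args: kind(setup|writer) role_name user_name ; env: NEW_PW (no JSON metacharacters)
create_filebeat_principal() {
  kind=$1 role=$2 user=$3
  filebeat_role_body "$kind" | curl -fsS --cacert "$ES_CA" --netrc-file "$ES_NETRC" \
    -H 'Content-Type: application/json' -X PUT "$ES_URL/_security/role/$role" -d @-
  printf '{"password":"%s","roles":["%s"]}' "$NEW_PW" "$role" \
    | curl -fsS --cacert "$ES_CA" --netrc-file "$ES_NETRC" \
        -H 'Content-Type: application/json' -X POST "$ES_URL/_security/user/$user" -d @-
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  create_filebeat_principal setup  filebeat_threatintel_setup  filebeat_setup
  create_filebeat_principal writer filebeat_threatintel_writer filebeat_writer
fi
```

Run `filebeat setup` once with the setup user, then configure the writer user in filebeat.yml for day-to-day shipping; if the setup user's credentials leak later, the damage is bounded to filebeat-* indices rather than the whole cluster.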

January 23, 2022 · 3 min

Elasticsearch in Docker: quick notes

Goals:

- single node elasticsearch
- single node kibana
- password for all accounts
- https between all components
- behind traefik
- future post: collect network logs (routers)
- future post: collect application logs (web servers, dns servers, docker)
- future post: collect application metrics
- future post: correlate with threat intelligence

Create compose file

```yaml
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3
    container_name: elastic_es
    restart: always
    env_file:
      - ./.env
    environment:
      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
      node.name: "es"
      discovery.type: "single-node"
      bootstrap.memory_lock: "true"
      # minimal security
      xpack.security.enabled: "true"
      # no encryption on internode communication (a single node never talks
      # to another node, so nothing crosses the wire unencrypted here)
      xpack.security.transport.ssl.enabled: "false"
      # https traffic
      xpack.security.http.ssl.enabled: "true"
      xpack.security.http.ssl.key: "${CERTS_DIR}/es.key"
      xpack.security.http.ssl.certificate: "${CERTS_DIR}/es_chain.crt"
      xpack.security.http.ssl.certificate_authorities: "${CERTS_DIR}/ca.crt"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - reverseproxy
      - default
    volumes:
      - data:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.elastic.rule=Host(`elasticsearch.foobar.com`)"
      - "traefik.http.routers.elastic.service=elastic"
      - "traefik.http.routers.elastic.tls=true"
      - "traefik.http.routers.elastic.tls.certresolver=le"
      - "traefik.http.routers.elastic.entrypoints=websecure"
      - "traefik.http.services.elastic.loadbalancer.server.port=9200"
      - "traefik.http.services.elastic.loadbalancer.server.scheme=https"
      - "traefik.http.services.elastic.loadbalancer.serversTransport=elastic"
      - "traefik.http.serversTransports.elastic.serverName=es"
      # Traefik does not verify the backend certificate with this setting; to
      # verify it, mount ca.crt into the Traefik container and set
      # traefik.http.serversTransports.elastic.rootCAs=<path to ca.crt> instead
      - "traefik.http.serversTransports.elastic.insecureSkipVerify=true"
    # limits under deploy are honoured by Compose v2 (or v1 with --compatibility)
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    # memswap_limit is a service-level key, not part of deploy.resources
    memswap_limit: 4000M
  kibana:
    image: docker.elastic.co/kibana/kibana:7.16.3
    container_name: elastic_kibana
    restart: always
    depends_on:
      - es
    env_file:
      - ./.env
      - ./.env.kibana
    environment:
      # list syntax: values are taken verbatim, so no surrounding quotes here
      # (elasticsearch.url was replaced by elasticsearch.hosts in 7.0;
      # ELASTICSEARCH_HOSTS is the one Kibana 7.16 reads)
      - ELASTICSEARCH_URL=https://es:9200
      - ELASTICSEARCH_HOSTS=["https://es:9200"]
      # minimal security: credentials are defined in the environment files
      # kibana has to trust the elasticsearch certificate
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=${CERTS_DIR}/ca.crt
      # https traffic between other components and kibana
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_KEY=${CERTS_DIR}/kibana.key
      - SERVER_SSL_CERTIFICATE=${CERTS_DIR}/kibana_chain.crt
      - SERVER_PUBLICBASEURL=https://kibana.foobar.com
    networks:
      - reverseproxy
      - default
    volumes:
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kibana.rule=Host(`kibana.foobar.com`)"
      - "traefik.http.routers.kibana.service=kibana"
      - "traefik.http.routers.kibana.tls=true"
      - "traefik.http.routers.kibana.tls.certresolver=le"
      - "traefik.http.routers.kibana.entrypoints=websecure"
      - "traefik.http.services.kibana.loadbalancer.server.port=5601"
      - "traefik.http.services.kibana.loadbalancer.server.scheme=https"
      - "traefik.http.services.kibana.loadbalancer.serversTransport=kibana"
      - "traefik.http.serversTransports.kibana.serverName=kibana"
      # same caveat as for elasticsearch: prefer rootCAs over insecureSkipVerify
      - "traefik.http.serversTransports.kibana.insecureSkipVerify=true"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    memswap_limit: 4000M
volumes:
  data:
  certs:
    name: elastic_certs
    external: true
networks:
  reverseproxy:
    external: true
```

Create a file named .env with the following content: ...

January 23, 2022 · 3 min

Traefik reverse-proxy with ModSecurity

Traefik itself does not include WAF capabilities. If you want to add them, you can replace Traefik with Apache httpd or nginx coupled with ModSecurity, but then you lose Traefik's autoconfiguration. Fortunately, Alexis Couvreur has developed a ModSecurity plugin for Traefik that forwards each request received by Traefik to another web server (running ModSecurity) before actually forwarding it to the application server. If the ModSecurity web server answers with a status code of 400 or above, Traefik rejects the request; otherwise it forwards it to the application server. ...
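A smoke test for that request flow, as an added example that is not part of the post or of the plugin: once the plugin is attached to a router, a benign request should still be served while an obviously malicious one should come back blocked, which proves the ModSecurity sidecar is in the path and in blocking (not detection-only) mode. The target URL and the probe payload (a generic `<script>` tag that the OWASP Core Rule Set flags as XSS) are assumptions; use a payload matching a rule you know your ruleset enables.

```sh
#!/bin/sh
# Added example, not from the post or the plugin: check that the ModSecurity
# sidecar actually sits in front of an application routed through Traefik.

# Mirror the plugin's decision from the sidecar's status code:
# prints "block" for 400 and above, "pass" otherwise.
waf_verdict() {
  if [ "$1" -ge 400 ]; then echo block; else echo pass; fi
}

# Fetch only the HTTP status code of a URL; curl prints 000 when it cannot connect.
http_status() {
  curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Returns 0 when a benign request is served and a malicious one is rejected,
# 1 when the WAF is missing or only logging, 2 when the host is unreachable.
waf_smoke_test() {
  base=$1
  benign=$(http_status "$base/")
  [ "$benign" = 000 ] && { echo "unreachable: $base" >&2; return 2; }
  nasty=$(http_status "$base/?q=%3Cscript%3Ealert(1)%3C/script%3E")
  echo "benign=$benign ($(waf_verdict "$benign")) nasty=$nasty ($(waf_verdict "$nasty"))"
  [ "$(waf_verdict "$benign")" = pass ] && [ "$(waf_verdict "$nasty")" = block ]
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  waf_smoke_test "${1:-https://app.example.org}"
fi
```

If the malicious probe is served, check the sidecar's `SecRuleEngine` setting (DetectionOnly logs but never returns an error status, so the plugin lets everything through) before suspecting the plugin wiring.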

January 22, 2022 · 4 min

Backup gitea container

Gitea is great when you want fast, light and yet user-friendly Git repository hosting. Alternatives would be Gogs, GitLab or even GitHub. The Gitea documentation tells you to use docker exec to perform a backup. However, this prevents you from mounting an additional volume to dump the backup into. Instead, I prefer a similar command using docker run. Assuming the following:

- the container network is called gitea_default (you only need this if you use an external database such as MySQL)
- the container is called gitea
- the backup directory is in the current directory and named backups

```sh
docker run --rm -it \
  --network gitea_default \
  --volumes-from gitea \
  --volume "$(pwd)/backups:/backups" \
  --user git --workdir /backups \
  --entrypoint '/app/gitea/gitea' \
  gitea/gitea:1.15.10 dump -c /data/gitea/conf/app.ini
```
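The same command as a cron-friendly wrapper, added here as an example that is not part of the post or of the Gitea project. It pins the dump image to whatever image the running container uses (the `gitea` binary doing the dump must match the version that wrote the data), drops `-t` because there is no TTY under cron, and prunes old archives. The backup directory must be writable by the container's `git` user (uid 1000 by default), and since the archive contains app.ini with database credentials and secret keys, the example locks the newest archive down after the run. The `DOCKER` variable exists so the composed command can be inspected without a daemon; paths and names are assumptions.

```sh
#!/bin/sh
# Added example, not from the post or the Gitea project: wrapper around
# `docker run ... gitea dump` with image pinning, retention and locked-down
# permissions on the resulting archive.

DOCKER=${DOCKER:-docker}   # set DOCKER=echo to print the command instead of running it

# Args: container_name network backup_dir
# GITEA_IMAGE overrides the image; by default it is read from the running container.
gitea_backup() {
  container=$1 network=$2 dest=$3
  image=${GITEA_IMAGE:-$($DOCKER inspect --format '{{.Config.Image}}' "$container")}
  mkdir -p "$dest"   # must be writable by uid 1000 (the container's git user)
  $DOCKER run --rm -i \
    --network "$network" \
    --volumes-from "$container" \
    --volume "$dest:/backups" \
    --user git --workdir /backups \
    --entrypoint /app/gitea/gitea \
    "$image" dump -c /data/gitea/conf/app.ini
}

# Print the path of the newest non-empty gitea-dump-*.zip in $1, or fail.
latest_backup() {
  newest=$(ls -1t "$1"/gitea-dump-*.zip 2>/dev/null | head -n 1)
  [ -n "$newest" ] && [ -s "$newest" ] && printf '%s\n' "$newest"
}

# Keep the newest $2 gitea-dump-*.zip files in $1, delete the rest.
prune_backups() {
  dir=$1 keep=$2
  ls -1t "$dir"/gitea-dump-*.zip 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f -- "$old"
  done
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  gitea_backup gitea gitea_default "$PWD/backups"
  archive=$(latest_backup "$PWD/backups") || { echo "dump missing or empty" >&2; exit 1; }
  chmod 600 "$archive"             # app.ini inside holds DB credentials and secret keys
  prune_backups "$PWD/backups" 7
fi
```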

January 15, 2022 · 1 min

A Raspberry Pi, a UPS and a couple of ESXi servers walk into a bar

If you have multiple servers connected to a UPS, you probably need to shut them down when the power goes out, before the UPS runs out of juice. Unless your UPS can be connected to the network, you can usually connect only a single device to it, using good old serial or brand new USB. That single host now knows about the UPS status, but what about all the other systems? That's when Network UPS Tools, aka NUT, comes into play. ...

December 16, 2021 · 2 min

Running a PKI using Smallstep certificates with Docker

Recently, I had to set up a new PKI. I was going to go with good old OpenSSL, but it's 2021; there must be a more user-friendly and, more importantly, automated approach. There are many open-source options: EJBCA, cfssl, HashiCorp Vault, Smallstep Certificates. I chose Smallstep Certificates because it has all the features I need and they are not behind a paywall:

- lightweight: a small Go binary that you can run with a file-based database (similar to SQLite)
- user-friendly CLI, compared to openssl commands
- ACME protocol: useful for the Traefik reverse proxy
- OIDC authentication support
- the guys are super friendly and available on their Discord channel

Be sure to check their website; they have other features you might want, especially their Certificate Manager. They also have a SaaS offering if you do not want to get your hands dirty. ...

September 12, 2021 · 11 min

Deprecation of apt-key in Debian-based distributions

I recently installed Ubuntu 21.04 and, when I wanted to install the Atom editor, I was given the following warning about apt-key being deprecated:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

After a bit of Googling around, I stumbled on this post on askubuntu.com explaining why apt-key is being deprecated. Then the folks at docker.com give a nice, easy command to convert an old ASCII-armored (base64) PGP key into a binary keyring. ...
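The apt-key replacement as an added example, not taken from the post, docker.com or the askubuntu answer: the security point behind the deprecation is that a key in trusted.gpg.d is trusted for every repository on the system, whereas a keyring referenced with `signed-by=` can only vouch for the one repository it is bound to. The example dearmors the key when needed (docker.com's `gpg --dearmor` step), stores it as its own keyring file, and generates the matching sources line. The keyring directory (/etc/apt/keyrings), the sources directory and the Docker repository used in the run block are assumptions.

```sh
#!/bin/sh
# Added example, not from the post: install a repository signing key as its own
# keyring and scope it to that repository with signed-by.

KEYRING_DIR=${KEYRING_DIR:-/etc/apt/keyrings}
SOURCES_DIR=${SOURCES_DIR:-/etc/apt/sources.list.d}

# 0 if the file is an ASCII-armored PGP key (needs gpg --dearmor), 1 if binary.
is_armored() {
  grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"
}

# Args: name key_file -> writes $KEYRING_DIR/<name>.gpg (world-readable: apt
# runs the download as _apt) and prints the path.
install_repo_key() {
  name=$1 src=$2
  dest="$KEYRING_DIR/$name.gpg"
  mkdir -p "$KEYRING_DIR"
  if is_armored "$src"; then
    gpg --dearmor --yes --output "$dest" "$src"
  else
    cp "$src" "$dest"
  fi
  chmod 644 "$dest"
  printf '%s\n' "$dest"
}

# Args: name url suite component [arch] -> one deb line bound to that keyring.
sources_line() {
  name=$1 url=$2 suite=$3 component=$4 arch=${5:-amd64}
  printf 'deb [arch=%s signed-by=%s/%s.gpg] %s %s %s\n' \
    "$arch" "$KEYRING_DIR" "$name" "$url" "$suite" "$component"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  # key fetched beforehand: curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /tmp/docker.asc
  install_repo_key docker /tmp/docker.asc
  codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
  sources_line docker https://download.docker.com/linux/ubuntu "$codename" stable \
    > "$SOURCES_DIR/docker.list"
  apt-get update
fi
```

Verify the fingerprint of the downloaded key against the vendor's documentation before installing it; binding the key to one repository limits the blast radius of a compromised vendor key, but it does nothing against a key you fetched from the wrong place.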

August 7, 2021 · 1 min

Gitlab-runner and docker behind a proxy

After reading many articles and trying many things, this is how I solved it.

For the docker daemon itself to use a proxy, configure environment variables in the systemd drop-in /etc/systemd/system/docker.service.d/http-proxy.conf:

```ini
[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"
```

For the gitlab-runner daemon itself to use a proxy, configure the same environment variables in the systemd drop-in /etc/systemd/system/gitlab-runner.service.d/http-proxy.conf:

```ini
[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"
```

Reload systemd and restart the docker daemon (restart gitlab-runner the same way once its drop-in is in place):

```sh
systemctl daemon-reload
systemctl restart docker
```

For the git commands run by gitlab-runner to use a proxy, use the gitlab-runner config file. In /etc/gitlab-runner/config.toml, under [[runners]], add the following line: ...
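The drop-ins above put the proxy password in files that are created world-readable under /etc/systemd/system, and `systemctl show docker -p Environment` prints inline `Environment=` values to any local user. The following is an added example, not part of the post: it writes the proxy settings for a unit with the credentials in a root-only `EnvironmentFile` (whose contents systemd reads only when the service starts and does not expose through `systemctl show`), leaving the drop-in itself free of secrets. It also includes a simplified NO_PROXY matcher to reason about which hosts bypass the proxy. The paths (/etc/default/<unit>-proxy.env), the unit names and the matcher semantics are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the post: proxy configuration for a systemd service
# without a world-readable proxy password, plus a NO_PROXY matcher.

# Args: unit(docker|gitlab-runner) proxy_url no_proxy [systemd_dir] [env_dir]
# Prints the path of the environment file it created.
write_proxy_config() {
  unit=$1 proxy=$2 noproxy=$3
  sysdir=${4:-/etc/systemd/system}/$unit.service.d
  envfile=${5:-/etc/default}/$unit-proxy.env
  mkdir -p "$sysdir" "$(dirname "$envfile")"
  # credentials live here, readable by root only (systemd reads it as root)
  oldmask=$(umask); umask 077
  cat > "$envfile" <<EOF
HTTP_PROXY=$proxy
HTTPS_PROXY=$proxy
NO_PROXY=$noproxy
EOF
  umask "$oldmask"
  # the drop-in itself contains no secret; the leading "-" makes a missing file non-fatal
  cat > "$sysdir/http-proxy.conf" <<EOF
[Service]
EnvironmentFile=-$envfile
EOF
  printf '%s\n' "$envfile"
}

# Simplified NO_PROXY matcher: exact host, "*", or a ".suffix" / "*.suffix"
# entry. Real resolvers (Go's in docker, curl's in git) differ in corner cases,
# so confirm with `docker info` (HTTP Proxy / No Proxy lines) after restarting.
# Returns 0 when $1 bypasses the proxy according to list $2, 1 otherwise.
proxy_bypass() {
  host=$1 list=$2
  oldifs=$IFS; IFS=,; set -f      # split on commas, no pathname expansion of "*.x"
  result=1
  for entry in $list; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    case $entry in
      '') ;;
      '*') result=0 ;;
      '*.'*|'.'*) case $host in *"${entry#\*}") result=0 ;; esac ;;
      *) [ "$host" = "$entry" ] && result=0 ;;
    esac
  done
  IFS=$oldifs; set +f
  return $result
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  for u in docker gitlab-runner; do
    write_proxy_config "$u" 'http://user:pass@proxy.domain.com:3128/' 'localhost,docker,*.domain.com'
  done
  systemctl daemon-reload
  systemctl restart docker gitlab-runner
fi
```

Note that with this matcher `*.domain.com` does not cover the bare `domain.com`; if the proxy host itself lives in that domain and must be reached directly, list it explicitly and verify with the actual tool rather than trusting the model.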

August 3, 2021 · 1 min