
OSI Model Cheat Sheet

OSI Model

If anyone needs a good OSI Model cheat sheet, as I did, here is one:

OSI Model

WordPress with Let’s Encrypt SSL Certificate on a Load Balancer

SSL-Offloading

Hi again,

As many of you know, a lot of “Production” applications need to be configured for High Availability. With that in mind, a best-practice architecture for your application is to add a Load Balancer as a front end that distributes your traffic between your application nodes, as you can see in the next image:

Load Balancer HA

SSL Offloading

In this case, my “Production” application is my blog, and I will install an SSL Certificate on the Cloud Load Balancer (CLB) to offload the encryption/decryption to the CLB instead of doing it on the webserver. That way your webservers keep using port 80 (HTTP), as always, while you serve your content through port 443 (HTTPS).

SSL-Offloading

Here is what I used to configure my WordPress with an SSL Certificate:

  • SSL Certificate issued using Let’s Encrypt
  • A Client of Let’s Encrypt called acme
  • A Cloud Load Balancer
  • A WordPress installation

Step 1: Install acme.sh client

There are a lot of ACME clients supported by Let’s Encrypt; the most popular is Certbot. However, I prefer to use acme.sh.

Let’s install it:

Step 2: Issue SSL Certificate

Once acme.sh is installed, we proceed to issue our first SSL Certificate:

The options used are:
--issue: Issue a new certificate
-d (--domain): Specifies a domain, used to issue, renew or revoke, etc.
-w (--webroot): Specifies the web root folder for web root mode. This is the DocumentRoot where your site is hosted; Let’s Encrypt needs it to verify that you control the domain.

Cloud Load Balancer

Step 3: Install SSL Certificate on Cloud Load Balancer

So, at this moment we have our SSL Certificate, Private Key, and Intermediate CA Certificate ready to install on our Cloud Load Balancer (CLB).

So we go to https://mycloud.rackspace.com -> Rackspace Cloud -> Networking -> Cloud Load Balancers:

Then, under Optional Features, Enable/Configure “Secure Traffic SSL”:

Cloud Load Balancer

Finally, we add our SSL Certificate, Private Key, and Intermediate CA Certificate to the CLB and save the configuration:

Cloud Load Balancer
Updating URLs

Step 4: Configure WordPress

We are almost done. At this point we have already configured SSL on the CLB to provide WordPress over HTTPS; however, WordPress itself is still configured for HTTP, so we need to reconfigure WordPress for SSL.

Database queries

First of all, we should update the links from http to https; we are going to do it directly on the database with the following queries:

Warning: Change all instances of example.com to your own. If you have the www as part of your WordPress Address (URL) in the WordPress Settings, add the www.
Also, if you have a custom table prefix in the WordPress database, something other than the default wp_, then you must change all the instances of wp_ to your own table prefix.

  1. Update any embedded attachments/images that use http. This one updates the src attributes that use double quotes:

    This one takes care of any src attributes that use single quotes:
  2. Update any hard-coded URLs for links. This one updates the URL for href attributes that use double quotes:

    This one updates the URL for href attributes that use single quotes:
  3. Update any “pinged” links:
  4. This step is just a confirmation step to make sure that there are no remaining http URLs for your site in the wp_posts table, except the GUID URLs.
    You must replace WP_DB_NAME, near the beginning of the query, with the name of your database.
    This will confirm that nowhere in the wp_posts table is there a remaining http URL, outside of the GUID column. This ignores URLs in the GUID column.
    This query only searches; it does not replace anything, nor make any changes, so it is safe to run: a quick way to check the wp_posts table while ignoring the guid column.
    This SQL query should return an empty set, meaning it found no http URLs for your site. (This is all just one query; it is one very, very long line.)
    Warning: Remember to replace WP_DB_NAME, near the beginning of the query, with the name of your database.
  5. Now, we move to the wp_comments table. This changes any comment author URLs that point to the http version of your site, in case you have ever replied to a comment while your URL was pointing to http.
  6. This updates the content of the comments on your site. If there are any links in the comments that are linking to an http URL on your site, they will be updated to https.
  7. Now we move to the wp_postmeta table. This takes care of any custom post meta that points to the http version of your site.
  8. Now we move to the wp_options table. Update the “WordPress Address (URL)” and “Site Address (URL)”.
    For the WordPress Address URL, you may have to modify example.com. If you have WordPress installed in some other directory, then modify this according to your own WordPress URL. For example, some people have WordPress installed in a subdirectory named “blog”, and so their WordPress Address would be https://example.com/blog.

    This one will update the Site Address URL (this is the home page of your site):
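As an added example (not code from the original post), here is a small POSIX shell helper that emits the http-to-https statements described in steps 1 to 8 for a given domain and table prefix, plus a read-only confirmation query in the spirit of step 4 (simplified: it does not need WP_DB_NAME and checks post_content, post_excerpt and pinged while ignoring the guid column). The function names, the transaction wrapper, the optional WordPress sub-path argument and the sample domain example.com are my own assumptions.

```shell
# Added example: emit the http -> https rewrite SQL for a WordPress database.
# Usage: wp_https_sql example.com wp_ [/blog] | mysql -u root -p WP_DB_NAME
# Assumptions (not from the post): default table layout, MySQL's default
# quoting (double-quoted strings allowed), and a site URL of exactly
# "http://<domain>" (pass www.example.com if your site uses www).
wp_https_sql() {
    domain="$1"
    prefix="${2:-wp_}"
    wp_path="${3:-}"          # e.g. /blog when WordPress lives in a subdirectory
    http="http://$domain"
    https="https://$domain"
    # The heredoc is unquoted on purpose so $prefix, $http and $https expand.
    cat <<EOF
START TRANSACTION;
-- 1. embedded attachments/images: src attributes with double and single quotes
UPDATE ${prefix}posts SET post_content = REPLACE(post_content, 'src="${http}', 'src="${https}');
UPDATE ${prefix}posts SET post_content = REPLACE(post_content, "src='${http}", "src='${https}");
-- 2. hard-coded links: href attributes with double and single quotes
UPDATE ${prefix}posts SET post_content = REPLACE(post_content, 'href="${http}', 'href="${https}');
UPDATE ${prefix}posts SET post_content = REPLACE(post_content, "href='${http}", "href='${https}");
-- 3. pinged links
UPDATE ${prefix}posts SET pinged = REPLACE(pinged, '${http}', '${https}');
-- 5. and 6. comment author URLs and comment bodies
UPDATE ${prefix}comments SET comment_author_url = REPLACE(comment_author_url, '${http}', '${https}');
UPDATE ${prefix}comments SET comment_content = REPLACE(comment_content, '${http}', '${https}');
-- 7. custom post meta
UPDATE ${prefix}postmeta SET meta_value = REPLACE(meta_value, '${http}', '${https}');
-- 8. WordPress Address (URL) and Site Address (URL)
UPDATE ${prefix}options SET option_value = '${https}${wp_path}' WHERE option_name = 'siteurl';
UPDATE ${prefix}options SET option_value = '${https}' WHERE option_name = 'home';
COMMIT;
EOF
}

# Read-only confirmation query (step 4, simplified): should return an empty set.
wp_https_check_sql() {
    domain="$1"
    prefix="${2:-wp_}"
    printf "SELECT ID FROM %sposts WHERE post_content LIKE '%%http://%s%%' OR post_excerpt LIKE '%%http://%s%%' OR pinged LIKE '%%http://%s%%';\n" \
        "$prefix" "$domain" "$domain" "$domain"
}
```

Take a mysqldump before piping the output into mysql; the transaction only protects against a partial run. One caveat a plain REPLACE cannot handle: wp_postmeta and wp_options may hold PHP-serialized values, where each string carries its byte length (s:N:"..."), and https is one byte longer than http, so blind replacement corrupts those entries. For serialized data use a serialization-aware tool such as wp-cli's search-replace, or check the affected rows first.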

WordPress Control Panel

Besides running the queries directly on the database, we can update or verify the blog URLs by going to Settings > General and updating the WordPress Address (URL) and Site Address (URL) fields.

WordPress Config File

Finally, we should add the following line to our wp-config.php file:


Now you have configured WordPress with a Let’s Encrypt SSL Certificate on a Load Balancer.

Build a Dynamic DNS Client with Rackspace API

Rackspace-Cloud-DNS

This time I wanted to create a homemade server with my Raspberry Pi 2 and publish it using my own sub-domain. The main problem is that the ISP provides me a dynamic IP, so we should ensure that if my IP address changes, the sub-domain record points to the new IP.

The instructions assume that you:
– Have a domain
– Have already changed your NS records to point to dns1.stabletransit.com and dns2.stabletransit.com.

1.- You should download the latest version of rsdns from GitHub.

2.- Go to your Rackspace portal (https://mycloud.rackspace.com/) and grab your Username & API key (it’s under “Your Account” -> “Account Settings” -> “API Key”).

3.- Create a configuration file for rsdns (~/.rsdns_config) with your settings.

4.- You need your domain created on Rackspace (it’s under “Networking” -> “Cloud DNS” -> “Create Domain”). If you don’t have your domain created yet, you can create it using rsdns:

5.- Once you have a domain set up you need to create an A record. To create the A record you are going to need an IP address; you can use http://icanhazip.com to get your current public IP. Again, you can create the record from the Rackspace panel (it’s under “Networking” -> “Cloud DNS” -> YOUR_DOMAIN -> “Add Record”) or you can use rsdns:

In the above the TTL is set to 1hr (3600 secs), so that DNS caches do not keep the record too long. That’s all the pre-work done; now let’s get your dynamic host set up!

6.- The script to update your A record is rsdns-dc.sh, and you run it like this:

The script uses icanhazip to get your current IP, then updates the A record with it.

I never switch off my router, so I have created a cron job to run that script every 2 hours; together with the 1hr TTL this should keep the record roughly in sync with my IP without making unnecessary requests.

7.- I use CentOS, so I can simply drop the following file, called rsdns-dc, into /etc/cron.d/ with this content:

Now we are done! Private Dynamic DNS on your own zone using the Rackspace API.
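As an added example (not part of rsdns or of the original post), the following POSIX shell guard wraps the cron job from steps 6 and 7 so the Rackspace DNS API is only called when the public IP has really changed, and so that a non-IP response from the lookup (an ISP captive-portal page, an error body) can never be written into the A record. It keeps the last published IP in a small state file. The function names, the state file path and the DDNS_UPDATE_CMD variable (which you set to the rsdns-dc.sh invocation from step 6) are my assumptions.

```shell
# Added example: only call the Rackspace API when the public IP changed.
# Assumption (not from the post): DDNS_UPDATE_CMD holds the rsdns-dc.sh
# command from step 6, e.g. DDNS_UPDATE_CMD="/opt/rsdns/rsdns-dc.sh <args>".

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0-255).
ddns_valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 when DNS must be updated, 1 when the IP is unchanged,
# 2 when the value is not a usable IPv4 address.
ddns_needs_update() {
    new_ip="$1"
    state_file="$2"
    ddns_valid_ipv4 "$new_ip" || return 2
    if [ -f "$state_file" ] && [ "$(cat "$state_file")" = "$new_ip" ]; then
        return 1
    fi
    return 0
}

# Remember the last IP that was successfully published.
ddns_record_ip() {
    printf '%s\n' "$1" > "$2"
}

# Entry point for the cron job: ddns_sync [state_file]
ddns_sync() {
    state_file="${1:-$HOME/.rsdns_last_ip}"
    ip=$(curl -s https://icanhazip.com | tr -d '[:space:]')
    ddns_needs_update "$ip" "$state_file" && rc=0 || rc=$?
    case $rc in
        0) ${DDNS_UPDATE_CMD:?set to the rsdns-dc.sh command from step 6} \
               && ddns_record_ip "$ip" "$state_file" ;;
        1) : ;;   # unchanged: no API call, no record rewrite
        2) echo "ddns: refusing to publish '$ip'" >&2; return 2 ;;
    esac
}
```

In the cron.d file from step 7 you would call ddns_sync instead of rsdns-dc.sh directly; the state file is only rewritten after the update command succeeds, so a failed API call is retried on the next run.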

Spamassassin Error: cannot create user preferences file //.spamassassin/user_prefs: Permission denied on VestaCP – CentOS

Spamassassin

When you configure spamassassin on VestaCP (CentOS) you might sometimes have problems with the autolearn feature and also with the bayes plugin of spamassassin.
The error looks like:

Basically the error is the permissions on //.spamassassin/user_prefs

To fix it follow the next steps:

– Create the user spamd, to avoid running spamassassin as the user nobody:

– Edit the file /etc/exim/exim.conf.

Change the line:

to

– Restart exim and spamassassin

After that, verify that the files bayes_seen, bayes_toks and user_prefs exist in the spamd home (in this case /var/lib/spamassassin).

Done!
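The final verification above, scripted as an added example (not from the original post) so it can run from a deploy script: it checks that the .spamassassin directory and the three files exist in the spamd home and belong to the spamd user. The leading // in the error path is what you get when the home directory is /, which is the home of the nobody user on CentOS and not writable by it; that is why creating a real spamd user with its own home fixes the error. The function name and the numeric-uid argument are my assumptions; it relies on GNU stat (CentOS).

```shell
# Added example: verify the spamd home after the fix.
# Usage: spamd_home_check [home] [owner_uid]
#   defaults: /var/lib/spamassassin and the uid of the spamd user (as in the post).
spamd_home_check() {
    home="${1:-/var/lib/spamassassin}"
    want_uid="${2:-$(id -u spamd 2>/dev/null)}"
    rc=0
    [ -n "$want_uid" ] || { echo "spamd user does not exist"; return 2; }
    for f in .spamassassin .spamassassin/user_prefs \
             .spamassassin/bayes_seen .spamassassin/bayes_toks; do
        path="$home/$f"
        if [ ! -e "$path" ]; then
            echo "missing: $path"; rc=1; continue
        fi
        owner=$(stat -c '%u' "$path")          # GNU stat: numeric owner
        if [ "$owner" -ne "$want_uid" ]; then
            echo "wrong owner on $path: uid $owner (want $want_uid)"; rc=1
        fi
    done
    return $rc
}
```

A non-zero exit lists every missing or wrongly owned entry, so the output tells you whether spamd never wrote its files (it is still running as nobody) or wrote them under the wrong account.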

SFTP Jailed

SFTP Jailed

To configure your server to use a jailed user on SFTP you should do the following:

1. Edit the sshd_config file
We need to comment out the following line:

And add the uncommented line; your modification should look like this:

Also, at the end of the file we should add the following lines:

After saving all the changes, we must restart the sshd daemon:

2. Add sftponly group

3. Add the jailed user and add it to the sftponly group

4. IMPORTANT – Create the directory and set the correct permissions

*** If you have any connection problem please double check the permissions on the folders and check the logs on /var/log/secure ***

5. Mount the DocumentRoot path on the jailed user’s home directory

6. Make the mount point permanent by editing the fstab file:

Add the mount point at the end of the file:

Save and exit

7. Test connection:
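As an added example (not from the original post), a pre-flight check for the permission requirement behind step 4 and the troubleshooting note: sshd refuses to enter a chroot unless the ChrootDirectory and every parent directory are owned by root and writable by nobody else. The helper walks the path upwards and reports every offending component, which is what to read alongside /var/log/secure when a connection fails, and a second helper prints the fstab bind-mount line for step 6. The function names, the optional owner-uid and top arguments (used so the walk can be tested on a scratch tree) and the paths are my assumptions; it relies on GNU stat (CentOS).

```shell
# Added example: check the chroot ownership/permission rules for an SFTP jail.
# Usage: sftp_chroot_check /home/jailed [owner_uid] [top]
#   owner_uid defaults to 0 (root); top (default /) is where the upward walk stops.
# Exit status: 0 all good, 1 at least one bad component, 2 path does not exist.
sftp_chroot_check() {
    dir="$1"
    want_uid="${2:-0}"
    top="${3:-/}"
    rc=0
    p="$dir"
    while :; do
        uid=$(stat -c '%u' "$p" 2>/dev/null) || { echo "missing: $p"; return 2; }
        mode=$(stat -c '%a' "$p")
        if [ "$uid" -ne "$want_uid" ]; then
            echo "bad owner on $p: uid $uid (want $want_uid)"; rc=1
        fi
        # 022 masks the group and other write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable: $p (mode $mode)"; rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# fstab line for step 6: bind-mount the DocumentRoot inside the jail.
# The jailed home itself stays root-owned and read-only to the user; the
# bind mount is the only writable place the user sees.
sftp_fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}
```

Run sftp_chroot_check /home/jailed as root before testing the connection in step 7; an empty report with exit status 0 means the jail itself is not the reason for a failed login.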