Thursday, 31 December 2015

How to create an SSL certificate with Let's Encrypt

Let's Encrypt for Nginx
Ports 80 and 443 of your web server must be reachable from the public internet, because Let's Encrypt proves you control the domain by connecting to them. The --standalone authenticator used below binds those ports itself, so stop nginx while the certificate is issued (or use the webroot authenticator and keep nginx running). The certificate is valid for 90 days; re-run the command before it expires and reload nginx afterwards.
user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt
user@webserver:~$ cd letsencrypt
user@webserver:~/letsencrypt$ ./letsencrypt-auto --help
user@webserver:~/letsencrypt$ ./letsencrypt-auto certonly --standalone --agree-tos --text --email your@mailaddress -d yourdomain.com
Open the Nginx config file and point the TLS directives at the files under /etc/letsencrypt/live/<yourdomain>/ (the paths below use the example name helloworld.letsencrypt.org; substitute your own):
server {
    listen 443 ssl;

    ssl_certificate         /etc/letsencrypt/live/helloworld.letsencrypt.org/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/helloworld.letsencrypt.org/privkey.pem;
    # chain.pem holds only the issuer certificates, which is what stapling verification needs
    ssl_trusted_certificate /etc/letsencrypt/live/helloworld.letsencrypt.org/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # the file must exist before nginx reloads; create it with openssl dhparam (2048 bits or more)
    ssl_dhparam /etc/nginx/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated; add TLSv1.3 when the nginx/OpenSSL build supports it
    ssl_protocols TLSv1.2;
    # 2015-era compatibility list: it still contains 3DES and non-forward-secret AES suites, so trim it for a new deployment
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15768000";
    ssl_stapling on;
    ssl_stapling_verify on;
    # stapling also needs a 'resolver' directive so nginx can look up the OCSP responder hostname
}
For more information:
https://github.com/letsencrypt/letsencrypt 
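A pre-reload check for the server block above, added here as an example (it is not part of the original post or of the Let's Encrypt client): it reads an nginx config file and warns about the TLS settings a reviewer would flag, namely deprecated protocol versions, the obsolete ssl on; directive, a missing HSTS header, OCSP stapling without a resolver, and server cipher preference left off. It assumes the config is a single file without include directives and that GNU sed and grep are available.

```shell
#!/bin/sh
# Lint the TLS settings of an nginx config file before reloading nginx.
# Added example, not from the original post. Assumes a single file (no
# 'include' directives) and GNU sed/grep.
set -eu

# Print one WARN line per finding; the return code is the number of findings.
lint_nginx_tls() {
    conf=$1
    n=0
    # Drop comments so a commented-out directive does not count as present.
    body=$(sed 's/#.*$//' "$conf")

    if printf '%s\n' "$body" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1[ ;]|TLSv1\.1)'; then
        echo "WARN: ssl_protocols still allows SSLv3/TLSv1/TLSv1.1; keep only TLSv1.2 (and TLSv1.3 where supported)"
        n=$((n+1))
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "WARN: 'ssl on;' is deprecated and turns every listener in the block into a TLS listener; use 'listen 443 ssl;'"
        n=$((n+1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "WARN: no Strict-Transport-Security header; browsers will still follow plain http:// links to this host"
        n=$((n+1))
    fi
    if printf '%s\n' "$body" | grep -Eq 'ssl_stapling[[:space:]]+on' \
       && ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*resolver[[:space:]]'; then
        echo "WARN: ssl_stapling on without a 'resolver' directive; nginx needs one to look up the OCSP responder"
        n=$((n+1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'ssl_prefer_server_ciphers[[:space:]]+on'; then
        echo "WARN: ssl_prefer_server_ciphers is off; the client's preference order decides the cipher"
        n=$((n+1))
    fi
    return $n
}

# Usage: sh lint_nginx_tls.sh /etc/nginx/sites-enabled/example.conf
[ $# -eq 0 ] || lint_nginx_tls "$1"
```

Run it before nginx -t; because the exit status equals the number of findings, it can gate a deployment step, and the same function can be looped over every file in sites-enabled.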

Tuesday, 15 December 2015

Install Node.js with Standard Binary Packages

You can determine the CPU architecture of your server with these commands:
$ getconf LONG_BIT
64
$ uname -p
x86_64

You can download the file from a browser or from the console. The latter is shown below; use https so the download cannot be altered in transit, and note that the specific Node.js version may be different for you:
$ wget https://nodejs.org/dist/v0.12.7/node-v0.12.7-linux-x64.tar.gz
Download SHASUMS256.txt from the same directory and compare the checksum before extracting anything; a tarball whose checksum does not match must not be installed.
From a console window, go to the directory to which the Node.js binary was downloaded, and then execute the following command to install the Node.js binary package in /usr/local/ (use -C /usr to install in /usr instead):
$ sudo tar -C /usr/local --strip-components 1 -xzf node-v0.12.7-linux-x64.tar.gz

You should now have both node and npm installed in /usr/local/bin. You can check this by typing:
$ ls -l /usr/local/bin/node
$ ls -l /usr/local/bin/npm
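The checksum step spelled out as a script, added here as an example rather than taken from the original post or from the Node.js project: verify_sha256 looks up the tarball's entry in SHASUMS256.txt (the file Node.js publishes next to every release) and compares it with the local sha256sum, and install_node only extracts when that check passes. It assumes GNU coreutils (sha256sum), wget, and the nodejs.org dist layout https://nodejs.org/dist/<version>/; the version and architecture are whatever you pass in.

```shell
#!/bin/sh
# Verify a downloaded Node.js tarball against SHASUMS256.txt before extracting it.
# Added example, not from the original post. Assumes GNU coreutils (sha256sum)
# and that SHASUMS256.txt was fetched from the same dist directory as the tarball.
set -eu

# Return 0 if SUMS lists TARBALL with a matching SHA-256.
# Return 2 if there is no entry for the file, 1 if the digest differs.
# The entry is matched on the exact file name, so a digest for another
# artefact in the same list cannot satisfy the check.
verify_sha256() {
    tarball=$1; sums=$2
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $tarball in $sums" >&2; return 2; }
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $tarball" >&2; return 1; }
}

# Download, verify, then install; the tarball is extracted only if the digest matches.
install_node() {
    version=$1; arch=${2:-linux-x64}; prefix=${3:-/usr/local}
    tarball="node-$version-$arch.tar.gz"
    base="https://nodejs.org/dist/$version"
    wget -q "$base/$tarball" "$base/SHASUMS256.txt"
    verify_sha256 "$tarball" SHASUMS256.txt
    sudo tar -C "$prefix" --strip-components 1 -xzf "$tarball"
}

# Usage: sh install_node.sh install v0.12.7 linux-x64
case "${1:-}" in
    install) install_node "$2" "${3:-linux-x64}" ;;
esac
```

SHASUMS256.txt is fetched over the same channel as the tarball, so this defends against a corrupted or swapped download, not against a compromised distribution point; for that, also verify SHASUMS256.txt.asc with gpg against the Node.js release keys before trusting the list.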

Thursday, 3 December 2015

DTrace installation on Debian 7

When I installed dtrace via systemtap, I got an error like this: "could not load module build-3.2.0-4-amd64/driver/dtracedrv.ko: No such file or directory"

How I solved the problem:
$ sudo apt-get install linux-headers-$(uname -r)

DTrace installation:

$ git clone https://github.com/dtrace4linux/linux.git dtrace
$ sudo apt-get install linux-headers-$(uname -r)   # the kernel module is built against the running kernel's headers
$ cd dtrace
$ tools/get-deps.pl                                # installs the build dependencies
$ sudo make all
$ sudo make install
$ sudo make load                                   # inserts the dtracedrv kernel module
$ sudo dtrace -l                                   # lists the available probes; if this prints a list, the module is loaded
make load inserts an experimental out-of-tree kernel module that runs with full kernel privileges and taints the kernel; a bug in it can panic the host, so treat this as lab tooling and keep the dtrace binary root-only.

Tuesday, 21 April 2015

Haproxy Transparent Mode on Centos 7

HAProxy cannot do transparent binding or proxying on its own: it relies on the Linux kernel (the IP_TRANSPARENT socket option, policy routing) and on the operating system being configured to hand it packets that are not addressed to one of its own IPs. The stock CentOS 7 kernel and haproxy package have this support, so no rebuild is needed; haproxy -vv should print a line "Built with transparent proxy support" listing IP_TRANSPARENT.
Step-by-step configuration:
1. sysctl settings
2. iptables rules
3. ip route rules
4. HAProxy configuration

Step 1 is sysctl settings:
 – net.ipv4.ip_forward
 – net.ipv4.ip_nonlocal_bind
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Writing to /proc only lasts until the next reboot; put the same two keys in a file under /etc/sysctl.d/ so they survive one.

Step 2 is iptables rules. The three -F lines flush every existing rule in the mangle, filter and nat tables, which on a host with a firewall removes those rules as well; on a production box add only the DIVERT rules and leave the other tables alone:
# iptables -F -t mangle
# iptables -F
# iptables -F -t nat
# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
The -m socket match sends packets that belong to an existing local socket (HAProxy's transparent listener or one of its connections) to the DIVERT chain, where they are marked with 1; everything else follows the normal path.

Step 3 is ip route rules. They tell the operating system to deliver packets marked by iptables to the loopback interface, where HAProxy can catch them even though the destination address is not local:
# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

Step 4 is the HAProxy configuration.
Finally, you can configure HAProxy.
  * Transparent binding can be configured like this (mode tcp on both sides; "source 0.0.0.0 usesrc clientip" makes HAProxy connect to the backends with the client's own IP as the source address):
frontend App_in
        bind ipofhaproxy:10421 transparent
        mode tcp

backend App_out
        mode tcp
        log global
        source 0.0.0.0 usesrc clientip
        balance roundrobin
        server backend1 ipofbackend01:10421 check
        server backend2 ipofbackend02:10421 check

Because the backends now see the real client IP as the source, their replies are addressed to that IP, not to HAProxy. The backends must therefore route their return traffic through the HAProxy host (typically by using it as their default gateway); otherwise the TCP handshake never completes.

Note: the ip rules and iptables rules are not persistent, so they are gone after a reboot. A small bash script run at boot restores them:
#!/bin/bash
# Restores the transparent-proxy plumbing after a reboot. Only the mangle table
# is flushed (as in step 2); flushing filter/nat here would wipe the host firewall.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
iptables -t mangle -F
iptables -t mangle -N DIVERT 2>/dev/null   # -N fails if the chain already exists
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
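The same plumbing as the boot script above, written so that it can be re-run safely; this is an added example, not the post's own script. Every rule is added only if iptables -C does not already find it, the DIVERT chain is created only when missing, nothing outside the mangle table is flushed (nothing is flushed at all), and the two sysctl keys are written to a drop-in file so they survive reboots. It assumes iptables and iproute2 on CentOS 7, a /etc/sysctl.d directory, and that fwmark 1 and routing table 100 (the post's values) are unused by anything else; the drop-in file name is a hypothetical choice.

```shell
#!/bin/sh
# Idempotent HAProxy transparent-proxy setup for CentOS 7.
# Added example, not the original post's script. Assumes iptables, iproute2,
# /etc/sysctl.d, and that fwmark 1 / table 100 are free (hypothetical values
# carried over from the post). Keep FWMARK below 10 so its decimal form equals
# the hex form 'ip rule show' prints.
set -eu

FWMARK=1
TABLE=100
SYSCTL_DROPIN=${SYSCTL_DROPIN:-/etc/sysctl.d/90-haproxy-transparent.conf}   # hypothetical name

# Append a rule only when an identical one is not already present (-C checks for it).
ipt_ensure() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

# Create a chain only if it does not exist (-N fails on an existing chain).
ipt_ensure_chain() {
    iptables -t "$1" -L "$2" -n >/dev/null 2>&1 || iptables -t "$1" -N "$2"
}

setup_sysctl() {
    # A drop-in file survives reboots; echo > /proc does not.
    cat > "$SYSCTL_DROPIN" <<EOF
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
EOF
    sysctl -p "$SYSCTL_DROPIN"
}

setup_iptables() {
    ipt_ensure_chain mangle DIVERT
    ipt_ensure mangle PREROUTING -p tcp -m socket -j DIVERT
    ipt_ensure mangle DIVERT -j MARK --set-mark "$FWMARK"
    ipt_ensure mangle DIVERT -j ACCEPT
}

setup_routing() {
    # 'ip rule show' prints the mark in hex, e.g. "from all fwmark 0x1 lookup 100".
    ip rule show | grep -q "fwmark 0x$FWMARK lookup $TABLE" \
        || ip rule add fwmark "$FWMARK" lookup "$TABLE"
    # Depending on the iproute2 version the local route is shown as "default" or "0.0.0.0/0".
    ip route show table "$TABLE" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' \
        || ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

setup_transparent() {
    setup_sysctl
    setup_iptables
    setup_routing
}

# Usage: sh haproxy-transparent.sh apply   (as root; without an argument only the functions are defined)
case "${1:-}" in
    apply) setup_transparent ;;
esac
```

Run it with apply as root, for example from a systemd unit ordered before haproxy.service. Because the functions reach iptables, ip and sysctl only through their normal command names, the whole sequence can be dry-run by shadowing those commands with shell functions that echo their arguments, which is how the assertions below exercise it.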

Wednesday, 25 February 2015

Exporting SSL certificates from Windows to Linux

Step 1:
Export the certificate from IIS together with its private key; the format must be .pfx (PKCS#12). Choose a strong export password, since the .pfx carries the private key.

Step 2:
# cd /etc/nginx/
# mkdir ssl
# cd ssl
# mv /path/to/pfx/sslbackup.pfx .
# chmod 400 sslbackup.pfx

Step 3:
3.1:
Export the public certificate.
# openssl pkcs12 -in ./sslbackup.pfx -clcerts -nokeys -out public.crt
If the .pfx also contains the intermediate CA certificates, export them with -cacerts -nokeys and append them to public.crt, because nginx expects the chain in the same file as the certificate.
3.2:
Export the key. -nodes writes it unencrypted, so the file must stay readable by root only (see the chmod below), and the .pfx itself should be removed from the server once the PEM files work.
# openssl pkcs12 -in ./sslbackup.pfx -nocerts -nodes -out private.rsa
3.3:
Test the certificate and key together by starting a throwaway TLS server on port 443 and connecting to it with a browser or openssl s_client (stop it afterwards):
# openssl s_server -www -accept 443 -cert ./public.crt -key ./private.rsa
Check the permissions again: # chmod 400 /etc/nginx/ssl/*

Step 4:
# nano /etc/nginx/sites-available/example.org.conf
upstream exampleapp {
        server web-app-node1;
        server web-app-node2;
}

server {
        listen 80;
        listen 443 ssl;
        server_name example.org;

        # "listen 443 ssl" is enough; the old "ssl on;" directive would also turn
        # the port-80 listener into a TLS listener and break plain HTTP
        ssl_certificate /etc/nginx/ssl/public.crt;
        ssl_certificate_key /etc/nginx/ssl/private.rsa;

        location / {
        proxy_pass http://exampleapp;
        proxy_set_header Host $host;
        # $https is "on" only for TLS requests, so a plain port-80 request
        # is not reported to the backend as having arrived over TLS
        proxy_set_header X-Ssl $https;
        }
}
# service nginx configtest

# service nginx reload
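Three checks worth running between step 3 and step 4, added here as an example (not from the original post): that the certificate's public key really belongs to the exported private key (a wrong file inside the .pfx is the usual reason nginx refuses to start), that the key file is readable only by its owner, and that the certificate has not already expired. It assumes OpenSSL and GNU stat; the file names are the ones used in steps 2 and 3.

```shell
#!/bin/sh
# Sanity checks for a certificate/key pair exported from IIS, before nginx uses them.
# Added example, not from the original post. Assumes OpenSSL and GNU stat.
set -eu

# Return 0 if the certificate's public key equals the public key derived from
# the private key; both are printed as SubjectPublicKeyInfo PEM, so they can be
# compared textually.
cert_matches_key() {
    crt=$1; key=$2
    c=$(openssl x509 -in "$crt" -noout -pubkey)
    k=$(openssl pkey -in "$key" -pubout)
    [ "$c" = "$k" ]
}

# Return 0 if the key file is readable only by its owner (mode 0400 or 0600).
key_perms_ok() {
    mode=$(stat -c %a "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "key $1 has mode $mode; expected 400 or 600" >&2; return 1 ;;
    esac
}

# Return 0 if the certificate has not expired yet (-checkend 0 asks "expires within 0 seconds?").
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage: sh check_cert.sh /etc/nginx/ssl/public.crt /etc/nginx/ssl/private.rsa
if [ $# -eq 2 ]; then
    cert_matches_key "$1" "$2" && key_perms_ok "$2" && cert_is_current "$1" && echo "OK: $1 / $2"
fi
```

A non-zero exit from any of the three is a reason not to reload nginx; the mismatch case is the one step 3.3 can miss, because s_server will happily start with a certificate and an unrelated key and only fail once a client connects.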

Exporting SSL certificates from Linux to Windows

Step 1: Create the pem file
# openssl rsa -in server.key -out nopassword.key
# cat nopassword.key > server.pem
# cat server.crt >> server.pem
# cat intermediate.crt >> server.pem
nopassword.key and server.pem both contain the private key in the clear; keep them mode 400 and delete them once the .p12 has been created.

The pem file must look like this, with no blank lines or other text between the blocks:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: certChainCA.crt)
-----END CERTIFICATE-----

Step 2: p12 file
# openssl pkcs12 -export -in server.pem -out server.p12
openssl prompts for an export password; Windows asks for the same password on import. The .p12 contains the private key, so choose a strong password and do not leave the file on a shared drive after the import.


Step 3: Import the p12 file in IIS
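A structural check for the bundle described in step 1, added here as an example (not from the original post): it enforces the layout the post describes, one private-key block first, then the certificate, then the intermediates, with no blank lines or stray text, and it also catches a key that is still passphrase-protected, which openssl pkcs12 -export would otherwise prompt for. It is pure shell and awk, so it needs no OpenSSL, and it only inspects the PEM armour; the base64 bodies are never decoded.

```shell
#!/bin/sh
# Check that a concatenated PEM bundle has the layout 'openssl pkcs12 -export'
# expects. Added example, not from the original post. Pure shell + awk.
set -eu

# Expected layout: one private-key block, then the server certificate, then
# zero or more intermediate certificates, with nothing in between.
# Prints one ERROR line per problem; returns 0 only when the bundle is clean.
check_pem_bundle() {
    awk '
        NF == 0 { err++; print "ERROR: blank line at line " NR; next }
        /^-----BEGIN / {
            if (cur != "") { err++; print "ERROR: BEGIN inside an open " cur " block at line " NR }
            cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
            blocks[++nb] = cur; next
        }
        /^-----END / {
            e = $0; sub(/^-----END /, "", e); sub(/-----$/, "", e)
            if (e != cur) { err++; print "ERROR: END " e " does not match open block " cur " at line " NR }
            cur = ""; next
        }
        # Traditional-format keys that are still encrypted carry this header.
        /^Proc-Type: 4,ENCRYPTED/ { err++; print "ERROR: key is still passphrase-protected (strip it with openssl rsa first)"; next }
        cur == "" { err++; print "ERROR: text outside any PEM block at line " NR }
        END {
            if (cur != "") { err++; print "ERROR: unterminated " cur " block" }
            if (nb < 2) { err++; print "ERROR: need a key and at least one certificate, found " nb+0 " block(s)" }
            if (blocks[1] !~ /PRIVATE KEY$/) { err++; print "ERROR: first block must be the private key, got \"" blocks[1] "\"" }
            if (blocks[1] == "ENCRYPTED PRIVATE KEY") { err++; print "ERROR: key is still passphrase-protected (strip it with openssl pkey first)" }
            for (i = 2; i <= nb; i++)
                if (blocks[i] != "CERTIFICATE") { err++; print "ERROR: block " i " is " blocks[i] ", expected CERTIFICATE" }
            if (err > 0) exit 1
            exit 0
        }' "$1"
}

# Usage: sh check_pem_bundle.sh server.pem
[ $# -eq 0 ] || check_pem_bundle "$1"
```

The check is deliberately stricter than OpenSSL itself, which tolerates text such as the "Bag Attributes" lines that pkcs12 writes; the post's layout has nothing but the three kinds of block, and a bundle that passes here is one you can export without surprises.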