Stuff I'm Up To

Technical Ramblings

Nginx, Not Just a Web Server — October 26, 2016

Nginx, Not Just a Web Server

Nginx is capable of more than serving web pages. It can load balance, cache and act as a reverse proxy.

We recently had need to access two web services on the same server through a single interface. This is where the reverse proxy came in.

  • Service A runs on port 9010
  • Service B runs on port 9020
  • Access to both services needs to be via a single front end using traditional http over port 80

Not ideal, but it’s not my system design, just a challenge we need to face. The way we tackled it was using an Nginx reverse proxy and split the calls to specific URL paths on each web service to the relevant underlying back end service.

Continue reading

Set up Government Email Services Securely — October 25, 2016
VMWare View 5.3 & vSphere 5.5 —

VMWare View 5.3 & vSphere 5.5

As part of our patching process we applied security patches to one of the vSphere ESXi servers. All seemed to go well until we tried to compose systems onto it. We ended up with VDI clients being added to the server, but they’d never start up.

Clearly this was something to do with the patches that were applied.

Checking the log bundle we produced it was certainly an SSL related issue. Those damned certificates again! Well not quite.

Reading through the vmware-vdicomposer.log I picked up on a few of these messages:

Machine Name: VDICOMPOSER, Timestamp: 24/10/2016 15:01:52, App Domain Name: SviWebService.exe, Thread Identity: , Windows Identity: NT AUTHORITY\SYSTEM, OS Version: Microsoft Windows NT 6.1.7601 Service Pack 1, reason: ServiceUnreachable access host: vdiesx01.domain.local access port: 902 disk datastore path: [vdiesx01_fio] VDITestNew_1/VDITestNew_11-internal.vmdk expected certificate thumbprint:

Very strange, a blank thumbprint. Checking the VDI database table dbo.VPX_HOSTS we compared the expected thumbprint to the actual thumbprint on the vSphere server and all looked good. But something couldn’t be right.

Continue reading

VMWare Horizon Client for Linux — October 21, 2016

VMWare Horizon Client for Linux

That was an interesting challenge. A colleague was trying to install the VMWare Horizon Client into Linux without any real Linux experience. I know that installing things into Linux isn’t as cut and dried as running a setup program in Windows, but VMWare really don’t help themselves by making this easy for Linux noobs.

The actual install runs a .bundle file script which does carry out the install fairly seamlessly, but when it finishes it turns out that it looks for some older dependencies than are available on the flavour of Linux being used.

How’s a Linux noob supposed to understand that?

Continue reading

OpenVPN & iptables —

OpenVPN & iptables

Some time ago I setup an OpenVPN server so we could securely logon to IT systems from outside the network. This worked really well until I rebooted it the other day. Then I discovered I could still successfully connect to the OpenVPN server, but I couldn’t route any traffic to internal hosts.

Turns out I’d forgotten to make my iptables firewall rules persistent.

Continue reading

vCenter Server Appliance Patching — October 20, 2016

vCenter Server Appliance Patching

The online manual suggests that all you need do is mount (attach) the ISO onto the VCSA and then from the command line stage and install the patches:

# software-packages stage --iso
# software-packages install --staged

After mounting the ISO to VCSA the hurdle I encountered from the command line was that software-packages “command not found”.

So I gave up on the command line and went back to the web GUI (very unlike me).

Continue reading

VMWare Updates —

VMWare Updates

As we’re running the VSCA appliance we can’t use the GUI Update Manager plug-in as that only works with Windows, despite VMWare being very Linux based. So, for us, keeping the hosts up to date is a manual process from the command line.

Download the latest VMWare updates from the support site.

Then stick them onto a volume that all the hosts have access to. For big infrequent storage we use a Synology NAS and an NFS share that is mounted on all servers.

Make sure SSH is enabled on the host you want to update, under Manage, Settings, Security Profile in VCSA.

Migrate all of your running hosts off to another and put it into maintenance mode. The non-running will get migrated by maintenance mode.

~ # esxcli software vib update -d /vmfs/volumes/SYNOLOGY/vSphere/5.5/Updates/

Continue reading

RDP Server Certificate — October 18, 2016

RDP Server Certificate

With Windows Server 2012 it seems they’ve decided to do away with the GUI for managing the RDP admin connection unless you install the full RDS product.

So when you get a new certificate for the server you need to update the RDP service somehow. By far the easiest way is to use the tsconfig.msc (Remote Desktop Session Host Configuration) GUI from an old 2008 server and connect to the new 2012 system to change the certificate.

But sometimes there’s no choice other than command line. For this you’ll need to get the thumbprint of the certificate you want to use from the Local Computer certificate store (using mmc).

Continue reading

Exim4, DKIM & Smarthost — October 13, 2016
Comodo SSL Certs & Android — October 10, 2016

Comodo SSL Certs & Android

After buying a cheap SSL certificate I found I’d missed something important during the install.

Usually it’s just a case of copy the certificate and key files to /etc/ssl/certs and /etc/ssl/private, respectively and then pointing the Nginx config at them to get it working.

Well all was well in the GUI world of Linux and Windows browsers. But My Android said the certificate wasn’t trusted. Looks like there’s some CA intermediates that need sorting.

Continue reading

Cheap SSL Certificates —
Exim4 & DKIM — October 8, 2016

Exim4 & DKIM

Where possible I try to get mail systems setup so that they can be verified as true senders by the recipient by using SPF and DKIM. Seems a shame that few mail systems actually seem to do this as it would trim a lot of spam from the net.

Having moved to another server I needed to move the mail sender with it. This particular system only needs to send email out as there is another system that receives mail for this domain. So All I need do is install an SMTP service and make sure it signs it’s messages with the same private key as I previously used, so it matches the public key that is published in DNS.

Previously the system used Postfix and OpenDKIM, but as this needs to be a barebones simple system I figured I’d stick with Debian’s default mailer Exim4. Turns out this was a good choice as it has DKIM built in.

Continue reading