Stuff I'm Up To

Technical Ramblings

Damn that Proxy! — December 12, 2018

Damn that Proxy!

In Windows when you run into an application that doesn’t use proxy settings and doesn’t look at the environmental variable,  IE or netsh settings, then you’re kind of stuck when you must send web traffic through a proxy.

That was until we discovered proxycap.

Proxy cap is a very flexible solution that can add specific rules for various requirements. It will then intercept matching traffic and direct it to the proxy without the application even realising there is a proxy.

The example we based this on is the application Bluestacks, not being able to proxy. When we Goggled a solution we came up with posts about using proxycap. We could then add in rules only for the programs bluestacks.exe and hd-player.exe using https to be intercepted and Bluestacks would then work – even though it knew nothing about proxies.

Proxycap seems very clever in that it seems to just modify the Windows firewall to make the magic happen. It’s very flexible in that you could even set different apps to use different proxies. It also supports authentication.

It’s a commercial product, but sometimes you just have to pay the price.

Advertisements
VMWare Horizon Load Balancing — November 21, 2018

VMWare Horizon Load Balancing

We’re in the process of installing a new Horizon 7 infrastructure  and as part of the process the vendor added load balancers all over the place. I asked with question of why not use an Open Source solution for that?

My go to web server, proxy, load balancer is Nginx and as we already have a HA pair setup I thought we’d try to use that – even if it meant putting in a new one dedicated to the task in the longer term.


As the plan is to use a load balancer in front of the connection servers and the only tunnelling that will take place will be for external systems, our requirement will be to LB the https traffic (TCP 443) for the authentication. The PCoIP/Blast traffic will be directed straight to the ESX Host/client.

The previous document on load balancing with Nginx means I only need to add in the config needed for horizon. By using the same syncing of config it immediately becomes available on the secondary load balancer.

I created a new config file /etc/nginx/sites-available/horizon and then as standard, symbolic link it to sites-enabled to make it live.

upstream connectionservers {
ip_hash;
server 192.168.0.236:443;
server 192.168.0.237:443;
}
server {
listen 443 ssl;
server_name horizon.domain.tld;
location ~ / {
proxy_pass https://connectionservers;
}
}

This adds our two connection servers into an upstream group called connectionservers which I then point the  proxy_pass  directive to.

The ip_hash directive ensures we have session stickiness based on the clients IP address. When a client connects they’ll stay directed to the connection server they were given until and unless the connection server becomes unavailable.

nginx.conf

Within the nginx.conf ensure you have the reverse proxy options set in the http {} section:

enable reverse proxy
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
client_header_buffer_size 64k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 16k;
proxy_buffers 32 16k;
proxy_busy_buffers_size 64k;

The SSL configuration on the HA pair is standard throughout all of our servers that it “proxies” for. We have a wildcard certificate and the HA proxies only services under *.domain.tld – our horizon.domain.tld fits this pattern so no changes necessary.

All the standard Nginx SSL related security settings for certificate, stapling, ciphers, HSTS are located in our /etc/nginx/snippets/ssl.conf file and is included in the nginx.conf using:

include snippets/ssl.conf

snippets/ssl.conf

ssl_certificate /etc/ssl/certs/wildcard.pem;
ssl_certificate_key /etc/ssl/private/wildcard_key.cer;
ssl_dhparam /etc/ssl/private/dhparam.pem;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

add_header X-Content-Type-Options nosniff;
add_header Accept "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT";
add_header Access-Control-Expose-Headers "Authorization";
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

proxy_cookie_path / "/; HTTPOnly; Secure";

Note: Depending on your requirements for other system you may need to include content security policy settings to satisfy CORS (Cross Origin Resource Sharing). In fact you MUST do this to allow Chrome and Firefox to work with Blast over HTML.

In our PCoIP client we add the new server as horizon.domain.tld and we get through the authentication and on to the selection of the available pools. So clearly the load balancing is doing the job. You can check the /var/log/nginx/access.log to confirm.

If you miss out the ip_hash directive for session stickiness you’ll find you can’t get past the authentication stage.

Proxy Fun and Games — October 11, 2018

Proxy Fun and Games

I seem to spend most of may day trying to sort out issues regarding getting different applications through the corporate proxy server. I’m really hoping one day we can setup a transparent proxy if for no other reason than to make our development lives easier.

At present we need use a browser proxy script (http://wpad/wpad.dat) to determine which of the corporate proxy servers to use. We have an internet proxy and a Gov’t gateway proxy. Depending where the user is trying to go determines which proxy they must use.

The script works just fine for 99% of our user base.

However, when it comes to the other 1% there’s need to tell not just the browser what proxy to use, but in the development world we need to inform the various development tools how to use a proxy too. This is where the pain is.

We need to setup a proxy in several places eg. for the operating system, for the browser, for Git, for NPM/Yarn, for Composer, for Java…

Operating System

Windows

Open a CMD/PowerShell window with Administrative permissions

C:> netsh winhttp set proxy http://username:password@192.168.0.117:8080 "<local>"

You may not need the username and password here as the OS will send your Windows credentials.

The <local> means bypass the proxy for any local address. You may add into that for other specific servers eg. "<local>,server.domain.tld"

Also set the Environment variables for the proxy

Windows Key + R

control sysdm.cpl,,3

Click the environment settings and add in the following settings to your user variables.

http_proxy=http://username:password@192.168.0.117:8080
https_proxy=http://username:password@192.168.0.117:8080
all_proxy=http://username:password@192.168.0.117:8080
no_proxy=localhost,domain.local,192.168.56.2

Linux

$ sudo vi /etc/envronment

http_proxy=http://username:password@192.168.0.117:8080
https_proxy=http://username:password@192.168.0.117:8080
all_proxy=http://username:password@192.168.0.117:8080
no_proxy=localhost,domain.local,192.168.56.2

Git proxy settings

$ git config --global http.proxy http://username:password@192.168.0.117:8080

You’ll probably need to ensure this is set for the sudo environment too if you ever have the need to install global requirements with npm.

$ sudo git config --global http.proxy http://username:password@192.168.0.117:8080

NPM proxy settings

$ npm config set proxy http://username:password@192.168.0.117:8080

Again you’ll probably need to ensure it’s replicated into sudo.

$ sudo npm config set proxy http://username:password@192.168.0.117:8080

This actually writes to a file in your home folder called .npmrc which you can edit if you need to put in some backslashes to escape and special characters in your password. eg. c:\Users\myuser\.npmrc or ~/.npmrc and the sudo version will write it into the root users home folder.

Yarn proxy settings

As Yarn is essentially npm on steroids it works the same way but writes to ~/.yarnrc

$ yarn config set proxy http://username:password@192.168.0.117:8080
$ sudo yarn config set proxy http://username:password@192.168.0.117:8080

Composer proxy settings

Thankfully this is capable of using the Operating System proxy environment variables. So if you set them as above for Windows and/or Linux you should be good to go.

Java proxy settings

This has it’s own rules just like all the others. But you may also run into Java applications having their own proxy settings too. Such as gradle which has it’s own properties file to setup the proxy. They all seem to be a similar pattern though, edit a properties file and add in:

http.proxyHost=192.168.0.117
http.proxyPort=8080
http.nonProxyHosts=localhost|127.*|[::1]|*.domain.local

Typically this is done in the JRE’s lib/new.properties file so it applies to Java globally. eg. My net.properties file is located under c:\Program Files\Java\jdk1.80_151\lib and has plenty of helpful commented examples on how to set things.

Under Debian my net.properties is located under /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib

They can also be passed to the Java command line as -D parameters eg.

$ java -Dhttp.proxyHost=192.168.0.117 -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|domain.local"

 

JIRA, Confluence and Nginx — September 15, 2018

JIRA, Confluence and Nginx

With Atlassian Jira Software and Confluence installed onto the same server I thought I’d investigate setting things up so we don’t have to use the default TCP port type of access over HTTP. instead let’s setup a reverse proxy using HTTPS over TCP 443 that forwards to the TCP 8080 and 8090 ports.

The aim is to get Jira accessible as https://jira.domain.local and Confluence as https://jira.domain.local/confluence.

Continue reading

Sudo and Proxy / Environment Settings — August 15, 2018

Sudo and Proxy / Environment Settings

When you run a program using sudo what tends to happen is the sudo/root account fails to do anything useful on the internet. It times out trying to connect to systems to download updates that are required by elevated permissions.

We discovered using sudo composer self-update failed to update the core instance of composer, not because of permissions, but because it could not get to the internet to download it.

Set the environment variables that get persisted within your /etc/sudoers file by running:

$ sudo visudo

Seach for the line

Defaults    env_reset

and change it to

Defaults    env_keep += "ftp_proxy http_proxy https_proxy no_proxy"

Now your proxy will be set within your sudo environment too.

References

Source: https://stackoverflow.com/questions/8633461/how-to-keep-environment-variables-when-using-sudo

Nginx and Keepalived — May 15, 2018

Nginx and Keepalived

I have a need to deploy a High Availability Load Balanced reverse proxy solution. We have a back end web service that requires resilience. To achieve this I’ve been looking at Nginx and Keepalived. The Nginx Plus product appears to contain high availability support – but we’re in the realms of zero budget and open source/community supported products.

The front end reverse proxy I’ll use is Nginx, but it could be anything. The clever part is going to be using keepalived to pass a single IP address between two servers.

Continue reading

NPM Behind a Proxy — April 13, 2018

NPM Behind a Proxy

Whilst trying to deploy a Node.js script to one of our windows servers I realised that NPM wasn’t downloading the necessary components because it wasn’t even trying to use the corporate proxy server.

It’s a Windows server so I checked the proxy settings

c:> netsh winhttp show proxy

Current WinHTTP proxy settings:

    Proxy Server(s) : http://192.168.0.117:8080
    Bypass List : <local>

That seemed to be telling the OS to use the corporate proxy. But the NPM progress bar just remained frozen and no modules were downloaded.

NPM has it’s own proxy settings in your user profile .npmrc file. You can edit the file and add them in yourself:

proxy=http://192.168.0.117:8080/
https-proxy=http://192.168.0.117:8080

or at the command prompt:

c:> npm config set proxy http://<username>:<password>@<proxy-server-url>:<port>
c:> npm config set https-proxy http://<username>:<password>@<proxy-server-url>:<port>
Android Trusted CA Certificate — September 20, 2017

Android Trusted CA Certificate

We have been tested by some of our Android Lollipop tablets. Adding a trusted CA certificate used to be as easy as visiting the proxy portal and clicking the install certificate button.

Now these devices come up with an error complaining that there is “no certificate in file”.

Reading a lot of Android nightmare posts about converting the PEM certificate to pfx/p12 using openssl and then rooting the device and delivering the certificate into the folder for the cacerts using the command line it turned out to be far simpler.

Continue reading

Squid Kerberos Nightmare — July 25, 2017

Squid Kerberos Nightmare

What a terrible sequence of events we suffered today. Took quite a bit of head scratching, log reading and plenty of Google fu to resolve.

We use Squid with an LDAP and authenticated lookup to establish if a user is a member of an AD group to allow them through the proxy. For some very strange reason the authentication and lookup began failing today.

Continue reading

Squid3 changes for Debian Jessie — July 21, 2017
Windows Proxy Fun & Games — January 20, 2017
Nginx, Not Just a Web Server — October 26, 2016

Nginx, Not Just a Web Server

Nginx is capable of more than serving web pages. It can load balance, cache and act as a reverse proxy.

We recently had need to access two web services on the same server through a single interface. This is where the reverse proxy came in.

  • Service A runs on port 9010
  • Service B runs on port 9020
  • Access to both services needs to be via a single front end using traditional http over port 80

Not ideal, but it’s not my system design, just a challenge we need to face. The way we tackled it was using an Nginx reverse proxy and split the calls to specific URL paths on each web service to the relevant underlying back end service.

Continue reading