Derek Neely

...notes for thyself, but useful for all...

VI - .vimrc config


Nov 21, 2016 by derek

I know you can get pretty robust with the .vimrc config, but I don't need much. The fact that I get some of this is plenty for me. So here is the current .vimrc I use.

# vi ~/.vimrc

syntax on
set autoindent
set ts=4
set number


syntax on: turns on syntax highlighting (works for quite a few file types and configs)

autoindent: indentation for the next line will be the same as the current line

ts=X: sets the tab width (tabstop) to X columns

number: adds line numbers to the editor

Linux, Mac

SFTP Server Setup with Chroot


Nov 04, 2016 by derek

I've had to set up a few SFTP servers lately with "jailed" (chroot'ed) users. All in all this is pretty straightforward, but there is one thing I always forget I do at the end to make it 'cleaner' for users when they log in.

Create the root sftp directory for our users to be jailed to.

# mkdir /sftp

Set up the group the sftp users will be in.

# groupadd sftpgroup

Create an sftp user, set their primary group to 'sftpgroup', and set their password.

# useradd -g sftpgroup -d /sftp/sftpuser -m -s /sbin/nologin sftpuser
# passwd sftpuser

Set up the sftp subsystem of the ssh daemon: comment out 'sftp-server' and add internal-sftp.

# vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

At the bottom of the sshd_config add the following for the group's chroot directory.

Match Group sftpgroup
        ChrootDirectory /sftp
        ForceCommand internal-sftp

Now you can restart the ssh daemon to enable the new configuration.

# service sshd restart

Now the one little extra bit I like to do is to not only have them chroot'ed, but also to make the user's home/root directory writable by them while keeping them out of the real chroot root and out of other users' directories.

So we lock the user out of being able to read the root directory and then 'fake' the user's home directory path back to itself.

# chmod 711 /sftp
# cd /sftp
# ln -s . sftp

What this does is trick the system about where their home directory is. The Match block we put into sshd_config tells the system that when the user logs in their / is /sftp/, so the system then tries to put the user in their home directory /sftp/sftpuser, which inside the jail is really /sftp/sftp/sftpuser. Without a soft link back to itself that path does not exist. The link makes it resolve, and the user can write to their own directory (which useradd -m created with them as owner).
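As an added example (not the post's own commands), here is a small POSIX shell script that performs the directory part of the procedure above for whatever root directory you pass it, so it can be tried in a scratch directory without root, and then checks what sshd will insist on: the ChrootDirectory must be owned by root and not writable by group or others (the chmod 711 above satisfies this), the self-link must exist, and the user's home must be reachable through it. The user and group names, the ownership handling when not running as root, and the function names are assumptions of the example; creating the account and restarting sshd stay manual as in the post.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds the chroot layout
# described in the post under any directory (so it can be exercised without
# root) and verifies the properties sshd's ChrootDirectory requires.
set -eu

SFTP_USER="${SFTP_USER:-sftpuser}"   # assumed name, same as in the post

# Create the chroot root, the user's home under it, and the self-referencing
# symlink ("ln -s . sftp") that makes /<root>/<user> resolve inside the jail.
setup_sftp_root() {
    root="$1"
    mkdir -p "$root/$SFTP_USER"
    chmod 711 "$root"                 # rwx for root, x only for everyone else
    chmod 700 "$root/$SFTP_USER"      # the user's own, writable directory
    [ -e "$root/sftp" ] || ln -s . "$root/sftp"
    # Ownership can only be set by root, and only if the account exists;
    # in a scratch run as a normal user this step is skipped.
    if [ "$(id -u)" -eq 0 ] && id "$SFTP_USER" >/dev/null 2>&1; then
        chown 0:0 "$root"
        chown "$SFTP_USER:$SFTP_USER" "$root/$SFTP_USER"
    fi
}

# Verify the layout. sshd refuses a ChrootDirectory that is group- or
# world-writable, so the mode must be exactly drwx--x--x as in the post.
check_sftp_root() {
    root="$1"
    mode=$(ls -ld "$root" | cut -c1-10)
    [ "$mode" = "drwx--x--x" ] || { echo "bad mode on $root: $mode" >&2; return 1; }
    [ -L "$root/sftp" ] || { echo "missing self link $root/sftp" >&2; return 1; }
    # This is the path the jailed user's home resolves to once / means $root.
    [ -d "$root/sftp/$SFTP_USER" ] || { echo "home not reachable via link" >&2; return 1; }
    return 0
}

# Emit the sshd_config lines from the post for the given group and root, so
# they can be appended by hand and checked with `sshd -t` before a restart.
sshd_match_block() {
    group="$1"
    root="$2"
    printf 'Subsystem sftp internal-sftp\n\nMatch Group %s\n        ChrootDirectory %s\n        ForceCommand internal-sftp\n' "$group" "$root"
}

# Usage: ./sftp_chroot.sh /sftp   (as root on the real server; any directory
# for a dry run). With no argument the functions are only defined.
if [ "${1:-}" != "" ]; then
    setup_sftp_root "$1"
    if check_sftp_root "$1"; then
        echo "layout OK under $1"
    else
        exit 1
    fi
    sshd_match_block sftpgroup "$1"
fi
```

Run it against a scratch directory first; the mode check is the one that bites in practice, because a chroot root that is writable by the user (or by their group) makes sshd refuse the login entirely rather than degrade quietly.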

Linux, SSH

Proxy Load Balancing WordPress (multi-domain WP)


Oct 03, 2016 by derek

So, you have a WordPress site and you want to get it up and behind a load balancer. In this case we'll be setting up a Layer 7 load balancer (proxy load balancer) using Nginx. The Nginx configuration is easy enough to set up. It would look something like this:

upstream wordpress {
    server wordpress1;
    server wordpress2;
}

server {
    listen 80;
    listen [::]:80;

    server_name .example.com;

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://wordpress/;
    }
}

So, the problem here is that you have your site all configured and working with www.example.com. Now you'll need to hop over to your backend WP servers (Apache or Nginx) and have them also listen and respond to 'wordpress' as a server alias or additional domain.

Apache:

ServerAlias wordpress

Nginx:

server_name .example.com wordpress

This sets the backend servers up to listen and respond to these requests. However, you still have a problem. WordPress has the domain name configured in its settings, and should a request land on the virtual host under a different name, it'll redirect back out to the site's configured URL. So, in this case, with everything configured and ready to go, you'll find yourself in an infinite redirect loop and your browser will report 'Too Many Redirects'.

So, 2 things to check/configure here.

1) Double check your .htaccess file to make sure you're not forcing any additional redirects based on domain name or http vs. https. This was a small hiccup I ran into when forcing SSL for a particular WP site. Don't worry, you can still force SSL, but now you'll be doing it at the load balancer level: instead of passing traffic in the location block of the above config example, do a 301 redirect to a server block set up on port 443 and configured with your certificates, and move the location block into that server block.

2) You'll now need to override the way WordPress handles the domain names. You'll need it to be a little more flexible in what it'll answer to. In this case we need it to also work for the 'wordpress' domain configured as our upstream cluster that we're now passing traffic back to. The easiest way to do this is to pretty much blow the domain setting wide open by adding the following below $table_prefix in wp-config.php:

define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);

Alrighty, so you've got your Nginx load balancer config set up, Apache/Nginx backend server aliases added, .htaccess redirects removed, and WordPress ready for any domain, so you should be good to go.
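As an added example (not the author's config), here is what the load balancer looks like once step 1 is applied: the port 80 server only issues the 301, and the location block from the first config lives in a port 443 server. One thing worth doing at the same time: because WP_HOME and WP_SITEURL are now built from whatever Host header arrives, the load balancer becomes the place that decides which hostnames reach WordPress at all, so the wildcard `.example.com` is replaced by the explicit names you serve and a `default_server` block closes every other Host. The certificate paths and the example.com names are placeholders.

```nginx
# Added example, not the original post's config. Certificate paths are
# placeholders; the upstream block is the same as in the post.
upstream wordpress {
    server wordpress1;
    server wordpress2;
}

# Catch-all for any Host we do not serve: 444 makes nginx close the
# connection without a response, so unknown names never reach WordPress,
# whose WP_HOME/WP_SITEURL now trust the Host header. A certificate is still
# needed here because the TLS handshake happens before the Host is known.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder path
    return 444;
}

# Plain HTTP: its only job is the redirect that used to live in .htaccess.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: the location block from the post moves in here unchanged.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder path

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://wordpress/;
    }
}
```

Check it with `nginx -t` before reloading. The redirect uses `$host`, which is safe here only because the explicit `server_name` list plus the `default_server` block guarantee it is one of the names you own.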

Clustering, Nginx, Proxy

© 2016 Derek Neely