Derek Neely

...notes for thyself, but useful for all...

SFTP Server Setup with Chroot

Nov 04, 2016 by derek


I've had to set up a few SFTP servers as of late with "jailed" or chroot'ed users. All in all this is pretty straightforward, but there is one thing I always forget I do at the end to make it 'cleaner' for users when they log in.



Create the root sftp directory for our users to be jailed to.

# mkdir /sftp

Set up the group the sftp users will be in.

# groupadd sftpgroup

Create an sftp user, set their primary group to 'sftpgroup', and set their password.

# useradd -g sftpgroup -d /sftp/sftpuser -m -s /sbin/nologin sftpuser
# passwd sftpuser

Set up the sftp subsystem of the ssh daemon. Comment out 'sftp-server' and add internal-sftp.

# vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

At the bottom of the sshd_config add the following for the group's chroot directory.

Match Group sftpgroup
        ChrootDirectory /sftp
        ForceCommand internal-sftp

Now you can restart the ssh daemon to enable the new configs.

# service sshd restart

Now the one little extra bit I like to do is to not only have them chroot'ed but also make the user's home/root directory writable by them, while keeping them out of the real root and from jumping into other directories.

So we lock the user out of being able to read the root directory and then 'fake' the user's home directory path back to itself. 

# chmod 711 /sftp
# cd /sftp
# ln -s . sftp

What this does is make the home directory path resolve inside the chroot. The configuration we put into sshd_config tells the system that, once the user logs in, their / is /sftp/. The system then tries to put the user in their home directory, /sftp/sftpuser, relative to that new root. Without a soft link from /sftp/sftp back to /sftp itself, that path does not exist inside the jail. The link makes it resolve, and the user lands in a directory they can write to.
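sshd is strict about the directory named in ChrootDirectory, and the symlink trick only works if the home path from /etc/passwd resolves under the new root. The shell functions below are an added example, not part of the original post, that check both before sshd is restarted; the function names are illustrative and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for the chroot
# layout described above. Assumes GNU stat (Linux).

# sshd only accepts a ChrootDirectory whose path components are all owned by
# root and not writable by group or others. check_dir tests one directory;
# the expected owner uid is a parameter (0 in real use) so it can be tried
# on scratch directories without root.
check_dir() {
    local owner=$1 dir=$2 uid mode
    uid=$(stat -c '%u' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    if [ "$uid" != "$owner" ]; then
        echo "$dir: owned by uid $uid, expected $owner"; return 1
    fi
    # 022 = group-write and other-write bits (mode is octal, hence the leading 0)
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others"; return 1
    fi
}

# Walk from the chroot directory up to / and check every component.
check_chroot_path() {
    local owner=$1 path=$2
    case $path in /*) ;; *) echo "$path: need an absolute path"; return 2 ;; esac
    while :; do
        check_dir "$owner" "$path" || return 1
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# After the chroot, the home directory from /etc/passwd ($2) is looked up
# under the new root ($1); the "ln -s . sftp" self-link is what makes it exist.
home_resolves_in_chroot() {
    [ -d "$1$2" ]
}

# Real use, as root, before restarting sshd ("sshd -t" validates sshd_config):
#   check_chroot_path 0 /sftp && home_resolves_in_chroot /sftp /sftp/sftpuser && sshd -t
```

If the path check fails in real use, sshd will refuse the session rather than fall back to an unjailed login, so the symptom is a user who cannot connect.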


Linux, SSH

Proxy Load Balancing WordPress (multi-domain WP)

Oct 03, 2016 by derek


So, you have a WordPress site and you want to get it up and behind a load balancer. In this case we'll be setting up a Layer 7 load balancer (proxy load balancer) using Nginx. The configuration for Nginx is easy enough to set up. It would look something like this:


upstream wordpress {
    server wordpress1;
    server wordpress2;
}

server {
    listen 80;
    listen [::]:80;

    location / {
        # Pass the original Host header and client details to the backends
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://wordpress/;
    }
}


So, the problem here is that you have your site all configured and working with Now, you'll need to hop on over to your backend WP servers (Apache or Nginx) and have them also now listen and respond to wordpress as a server alias or additional domain.


Apache:

ServerAlias wordpress

Nginx:

server_name wordpress;

This sets the backend servers up to listen and respond to these requests. However, you still have a problem. WordPress has the domain name configured in its settings, and should a request land on the virtual host with a different name, it'll redirect back out to the site's configured URL. So, in this case, with everything configured and ready to go, you'll find yourself in an infinite redirect scenario and your browser will be reporting 'Too Many Redirects'.


So, 2 things to check/configure here.

1) Double check your .htaccess file to make sure you're not forcing any additional redirects based on domain name or http vs. https. This was a small hiccup I ran into when forcing SSL for a particular WP site. Don't worry, you can still force SSL, but now you'll be doing it at the load balancer level. Instead of passing traffic in the location block of the above config example, do a 301 redirect to a server set up on port 443 and configured with your certificates, and move the location block into this server config.


2) You'll now need to override the way WordPress handles the domain names. You'll need it to be a little more flexible in what it'll answer to. In this case we need it to also work for the 'wordpress' domain configured as our upstream cluster that we're now passing traffic back to. The easiest way to do this is to pretty much blow the domain setting/configuration wide open by adding the following below $table_prefix:

define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);


Alrighty, so you've got your Nginx load balancer config set up, Apache/Nginx backend server aliases added, .htaccess redirects removed, and WordPress ready for any domain, and therefore should be good to go.
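The two defines build the site URL from the Host header that the proxy forwards from the client, so WordPress will generate links for whatever hostname a request carries. The shell function below is an added example, not part of the original post: it flags wp-config.php files that derive WP_HOME or WP_SITEURL from $_SERVER so they can be reviewed or pinned to known hostnames. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find wp-config.php files whose
# WP_HOME / WP_SITEURL are built from request data instead of a fixed URL.

# Prints "LINE:CONSTANT" for every active define() of WP_HOME or WP_SITEURL
# that references $_SERVER. Returns 1 if anything was flagged, 0 otherwise.
audit_wp_config() {
    local file=$1 hits
    hits=$(grep -nE "define\([[:space:]]*['\"](WP_HOME|WP_SITEURL)['\"].*\\\$_SERVER" "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*(//|#)' \
        | sed -E 's/^([0-9]+):.*(WP_HOME|WP_SITEURL).*/\1:\2/')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: the two defines from the post plus a commented-out copy,
# which must not be reported.
demo() {
    local tmp rc=0
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
$table_prefix = 'wp_';
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);
// define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST']);
EOF
    audit_wp_config "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo || true
```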

Clustering, Nginx, Proxy

Mac OSX Ultrawide Monitor Setup with SwitchResX

Sep 26, 2016 by derek

When I first got these nice looking LG Ultrawide displays here at work I spent a considerable amount of time getting the resolutions right. All in all I wound up having to use SwitchResX to get them to work properly. That was a while ago and I forgot the torment I went through to get it right. 

Well, with the latest update to Sierra, I got a pleasant reminder. So, here you are, the SwitchResX settings I finally got to work with these puppies.


© 2016 Derek Neely