In my centos7 server, I have set up Telegraf and InfluxDB. InfluxDB successfully receives data from Telegraf and stores them in the database. But when I reconfigure both services to use https, I see the following error in Telegraf's logs
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [outputs.influxdb] When writing to [https://127.0.0.1:8086]: Post "https://127.0.0.1:8086/write?db=GRAFANA": dial tcp 127.0.0.1:8086: connect: connection refused
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [agent] Error writing to outputs.influxdb: could not write any address
InfluxDB doesn't show any errors in it's logs.
Below is my telegraf.conf file:
[agent]
hostname = "local"
flush_interval = "15s"
interval = "15s"
# Input Plugins
[[inputs.cpu]]
percpu = true
totalcpu = true
collect_cpu_time = false
report_active = false
[[inputs.disk]]
ignore_fs = ["tmpfs", "devtmpfs", "devfs"]
[[inputs.io]]
[[inputs.mem]]
[[inputs.net]]
[[inputs.system]]
[[inputs.swap]]
[[inputs.netstat]]
[[inputs.processes]]
[[inputs.kernel]]
# Output Plugin InfluxDB
[[outputs.influxdb]]
database = "GRAFANA"
urls = [ "https://127.0.0.1:8086" ]
insecure_skip_verify = true
username = "telegrafuser"
password = "metricsmetricsmetricsmetrics"
And this is the uncommented [http] section of the influxdb.conf
# Determines whether HTTP endpoint is enabled.
enabled = false
# Determines whether the Flux query endpoint is enabled.
flux-enabled = true
# The bind address used by the HTTP service.
bind-address = ":8086"
# Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = false
# Determines whether HTTPS is enabled.
https-enabled = true
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/server-cert.pem"
# Use a separate private key location.
https-private-key = "/etc/ssl/server-key.pem"
Related
I have installed gitlab-ce 13.2.0 on my server and the container-registry was immediately available.
from a other sever (or my local machine) I can login, but when pushing a image to the container-registry I get a 404-error: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE html>\n<html>\n<head>...
in my gitlab.rb I have:
external_url 'https://git.xxxxxxxx.com'
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/xxxxxxxx.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/xxxxxxxx.com.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
registry_external_url 'https://git.xxxxxxxx.com'
what is confusing, is that the registry_external_url is the same as the external_url. There are those lines in the gitlab.rb:
### Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "git.xxxxxxxx.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
But when I uncomment this, I cannot login.
what can be the problem here?
This is actually because you are using https port without proxying the registry in nginx.
Fix these lines according to the following in gitlab.rb:
registry_nginx['enable'] = true
registry_nginx['listen_https'] = true
registry_nginx['redirect_http_to_https'] = true
registry_external_url 'https://registry.YOUR_DOMAIN.gtld'
You don't need to touch nginx['ssl_*] parameters when you are using letsencrypt since the chef would take care.
How is your image named? Your image name must match exactly not only the registry URL, but project too.
You can't just build "myimage:latest" and push it. It must be like git.xxxxxxxx.com/mygroup/myproject:latest. You can obtain correct name from $CI_REGISTRY_IMAGE predefined variable.
I have splunk and try to enable splunk SSO instead of nornal authentiation. I have configuraitons as follows:
In /opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.1.208
serverName = Splunk_Core_02
pass4SymmKey = $7$RRvdYDdIlj4P2geQdtHluTRb7OfvZhTFTZGJ7z5JiZAkJ6Q1at6j0Q==
sessionTimeout = 30s
[sslConfig]
sslPassword = $7$m6pB5a0PWFg64VlNZGgunhGElO3qLiAc6NrhfLO+tpX2jR7WC7qm1Q==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[license]
active_group = Enterprise
[diskUsage]
minFreeSpace = 1024
[lmpool:test_splunk]
quota = MAX
slaves = *
stack_id = enterprise
In /opt/splunk/etc/system/local/web.conf
[settings]
#SSO
SSOMode = permissive
trustedIP = 192.168.1.208,192.168.2.15,127.0.0.1
remoteUser = REMOTE-USER
#tools.proxy.on = False
root_endpoint = /splunk
#SSL
enableSplunkWebSSL = 0
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065
splunkdConnectionTimeout = 30
enableSplunkWebClientNetloc = False
# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
...
I see http://192.168.1.208:8000/debug/sso page, I see SSO is not enabled. What's wrong with my configurations?
There are several documentations says in server.conf, the trustedIP is 127.0.0.1. But none of them mention that only 127.0.0.1 is eligible to enable/activate SSO. So do not configure other IP address, instead of 127.0.0.1.
And in server.conf(/opt/splunk/etc/system/local/), you could only configure one trustedIP, and it is 127.0.0.1.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkSSO
Have you restarted splunk after making these changes?
In /opt/splunk/etc/system/local/web.conf,
remoteUser = REMOTE-USER is more likley to be REMOTE_USER
You have to use SAML.. I am using SAML for SSO purpose.. You need to contact IT guy and he will provide you IDP file upload it and share with your Splunk Connection file. You can download it from same window. Go to Users -> Authentication Method > SAML. Once everything is placed Then you have to create groups on AD and same thing you need to do on Splunk under SAML configuration.. Let me know if you need more details..
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/HowSAMLSSOworks
I'm starting using traefik for blue/green deployment. I would like to use the REST API, so I have to put my configuration in the [web] section:
[web]
address = ":8080"
readOnly = false
[backends]
[backends.back]
[backends.back.loadbalancer.stickiness]
cookieName = "backend"
[backends.back.servers.S000]
url = "http://HOST_IP_ADDRESS:30000"
weight = 1
[backends.back.servers.S001]
url = "http://HOST_IP_ADDRESS:30001"
weight = 1
[frontends]
[frontends.front]
backend = "back"
passHostHeader = true
But it's not initialized with those values. However if I use PUT to http://localhost:8091/api/providers/web I can see the web provider OK. And if I use this same configuration for [file] it works right (but I'm unable to update it via API)
Is there any web to initialize [web] backends/frontends?
web section is deprecated.
try this:
# Enable API and dashboard
[api]
# Name of the related entry point
entryPoint = "traefik"
# Enabled Dashboard
dashboard = true
We have an internet facing MX server whereby all users authenticate their outgoing connection to submit emails via port 587. This MX server routes incoming mail for our domain to an internal postfix smtp server which then delivers mail to local imap servers.
The internal postfix smtp server users LDAP alias_maps = ldap:/etc/postfix/ldap-aliases.cf, to lookup which imap server a users mailbox resides on.
There is a postfix option...
reject_sender_login_mismatch
that can be mapped...
smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf
However - I get the following error
Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
No users authenticate to the internal postfix smtp server - all it does is route emails from the MX server. I believe the reason I see the warning "no SASL support" is because postfix doesn't handle the authentication as it's taken care of by the MX server.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
unknown_local_recipient_reject_code = 550
However, with a different config "smtpd_sender_restrictions = reject_unverified_sender"
If the "envelope From field" contains an invalid forged address the following is logged - which is great to stop unknown email address being forged - but doesn't help if it's forged with a known email address.
NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 : Sender address rejected: unverified address: unknown user: "hejem"; from= to= proto=ESMTP helo=
-bash-4.1$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.xxx.0/21, xxx.xxx.xxx.0/22, xxx.0.0.0/xxx, xxx.xxx.0.0/12, xxx.xxx.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_restrictions = reject_unverified_sender"
What I want to achieve is my local internal postfix to check the "envelope From field" to ensure it's not been spoofed by knowing the sending user's username and looking up it's assigned "From" aliases in LDAP if it doesn't match i.e. they're spoofing then reject the mail.
Any advice how to implement this check in postfix?
Thanks
Firstly, it is not considered a good practice to activate reject_unverified_sender in postfix services. If you want to prevent mails being sent from non-existing addresses in your domain, you should prefer reject_unlisted_sender.
You can not be sure of spoofing of existing mail addresses without activating authentication (SASL) mechanism on postfix service. Thus, to prevent spoofing of existing addresses:
Make sure that smtpd_sender_login_maps is properly configured.
Activate SASL authentication on postfix
Configure reject_authenticated_sender_login_mismatch or reject_sender_login_mismatch depending on your preference.
Further Reading (from postfix SASL documentation)
Envelope sender address authorization
By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.
This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:
/etc/postfix/main.cf:
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_recipient_restrictions =
...
reject_sender_login_mismatch
permit_sasl_authenticated
Problem Description
- We are having problems with a JAX-WS Webservice that wants to connect to
a server using HTTPS in combination with a proxy server.
The setups is as follows:
- WebSphere 6.0.1.47 running on AIX Version: 5300-10-07-1119
- A JAX-WS Webservice application
What happens is as follows:
JAX-WS application in WAS tries to connect to
'https://target.example.domain/url' while using a proxy server
- When the transport chain is started, the following error appears (i have
included the corresponding ffdc's as attachments to this mail) :
java.io.IOException: Async IO operation failed, reason: RC: 76 A socket
must be already connected.;
When we:
1) Use a HTTP destination and DO NOT use a Proxy Server then the
application works
2) Use a HTTPS destination and DO NOT use a Proxy Server then the
application works
3) Use a HTTP destination and USE a Proxy Server then the
application works
4) Use a HTTPS destination and USE a Proxy Server then the application
displays the error described above.
ffdc logs
" ------Start of DE processing------ = [1/14/15 13:04:39:913 CET] , key = java.io.IOException com.ibm.ws.websvcs.transport.http.HTTPConnection.connect 213
Exception = java.io.IOException
Source = com.ibm.ws.websvcs.transport.http.HTTPConnection.connect
probeid = 213
Stack Dump = java.io.IOException: Async IO operation failed, reason: RC: 76 A socket must be already connected.
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:679)
at com.ibm.io.async.ResultHandler$CompletionProcessingRunnable.run(ResultHandler.ja va:910)
at java.lang.Thread.run(Thread.java:813)
Dump of callerThis =
Object type = com.ibm.ws.websvcs.transport.http.HTTPConnection
com.ibm.ws.websvcs.transport.http.HTTPConnection#db30db3
Exception = java.io.IOException
Source = com.ibm.ws.websvcs.transport.http.HTTPConnection.connect
probeid = 213
Dump of callerThis =
Object type = com.ibm.ws.websvcs.transport.http.HTTPConnection
_tc =
defaultMessageFile = com.ibm.ejs.resources.seriousMessages
EXTENSION_NAME_DPID = DiagnosticProvider
ivDumpEnabled = false
ivResourceBundleName = com.ibm.ws.websvcs.resources.websvcsMessages
ivLogger = null
ivDiagnosticProviderID = null
anyTracingEnabled = true
ivLevel = 1
ivName = com.ibm.ws.websvcs.transport.http.HTTPConnection
ivDebugEnabled = true
ivEventEnabled = true
ivEntryEnabled = true
ivDetailEnabled = true
ivConfigEnabled = true
ivInfoEnabled = true
ivServiceEnabled = true
ivWarningEnabled = true
ivErrorEnabled = true
ivFatalEnabled = true
chainname = HttpsOutboundChain:xx-proxy- xxxxx.xxx.xxxx.com:8080:1665256594:10.21.197.161:9443
............."
We have tried setting the properties (https.proxyHost, https.proxyPort) at System level and also in the SOAP header, nothing works.
We are using BindingProv
Any help is much appreciated