HAProxy Geolocation map of ip addresses not matching any entries - load-balancing

I have the following line in my haproxy config:
http-request set-header x-geoip-country %[src,map(/etc/hap1.8/geo/country_iso_code.map)]
to set the country of origin, but it only works if the key is the exact IP and not the CIDR-notation IPs that HAProxy expects. The list is from MaxMind and it's formatted like:
1.0.0.0/24 AU
1.0.1.0/24 CN
1.0.16.0/20 JP
...
For example, an IP of 1.0.0.45 would match 1.0.0.45 in the file but not 1.0.0.0/24. While that seems logical, it was in an example on HAProxy, so I'm asking if it's possible to match against 10.0.0.0/24?

By default, map will match by string, not by ip. From the docs:
map_<match_type>(<map_file>[,<default_value>])
... If the <match_type> is not set, it defaults to "str" ...
To match by ip use map_ip:
http-request set-header x-geoip-country %[src,map_ip(/etc/hap1.8/geo/country_iso_code.map)]
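To see why the string-keyed map never hits and what map_ip does differently, here is an added Python model (not HAProxy code, not from the original answer) that reads a MaxMind-style map excerpt and looks a source address up both ways. The map lines are constructed; the 1.0.20.0/24 line is added only to show that the most specific network wins, which is how HAProxy's IP tree lookup behaves.

```python
import ipaddress

# Constructed excerpt of a MaxMind-style map: one "<network> <value>" per line.
# 1.0.20.0/24 is added here to demonstrate longest-prefix selection.
MAP_TEXT = """\
1.0.0.0/24 AU
1.0.1.0/24 CN
1.0.16.0/20 JP
1.0.20.0/24 ZZ
"""


def parse_map(text):
    """Return [(key, value)] for non-empty, non-comment map lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def lookup_str(entries, src, default=None):
    """map() with the default 'str' match type: the key must equal the sample
    text exactly, so '1.0.0.45' never equals the key '1.0.0.0/24'."""
    for key, value in entries:
        if key == src:
            return value
    return default


def lookup_ip(entries, src, default=None):
    """map_ip(): keys are parsed as addresses or networks and the most specific
    (longest prefix) network containing the sample wins."""
    addr = ipaddress.ip_address(src)
    best_net, best_value = None, default
    for key, value in entries:
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # key is not a valid address or network: skip it
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_value = net, value
    return best_value


ENTRIES = parse_map(MAP_TEXT)

if __name__ == "__main__":
    for src in ("1.0.0.45", "1.0.17.3", "1.0.20.7", "8.8.8.8"):
        print(src, "str:", lookup_str(ENTRIES, src, "??"),
              "ip:", lookup_ip(ENTRIES, src, "??"))
```

The second argument of map_ip (the default value) corresponds to the `default` parameter here: with map_ip a source that falls in no listed network yields the default instead of an empty header.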

Related

Editing IP source range in GCP

I understand that 0.0.0.0/0 means that I'm allowed to connect to this instance (server) whatever my IP is.
I'm trying to modify my GCP instance firewall rule to allow only my IP to access this instance. I'm accessing it via SSH, as it's an Ubuntu server. So I have to specify in the rule some address in the form of 0.0.0.0/0, but my public IP is not in this format.
I don't understand the following:
What does /0 mean?
How do I generate an IP that matches this format?
Should I be using my public IP or another kind of IP?
Have a look at this Wiki Article on CIDR notation.
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
In GCP (and possibly elsewhere), the CIDR range of 0.0.0.0/0 is used to denote any address at all.
If you want to restrict traffic to your Compute Engine instance at the IP level, then:
Determine your own IP address ... for example 1.2.3.4
Change the firewall rule to allow only traffic from 1.2.3.4/32
Given that an IP address (IPv4) is 32 bits, when we suffix a CIDR range with /32 we are saying the whole IP address must match.
1) Get the external IP from where you are going to SSH by typing "what is my ip" in any browser, and copy that IP.
2) Create a firewall rule and use that external IP, e.g. 35.34.36.37/32, for port 22 (SSH) with the "apply to all instances" option set.
3) If you are using PuTTY for SSH then make sure to export the SSH key to the instance.
After following all the above steps it should work.
The best recommendation I would give is to open a case on the issue tracker, where your project will be inspected closely by the GCP team, if you don't have any support package; otherwise open a case directly from your project.
The reason behind this recommendation is that someone needs to inspect your project to solve your problem.
I tried to provide my IPv4/32 and it still wasn't working. But I found a solution for this problem.
solution
First go to IAP
Copy this IP 35.235.240.0/20 under Preparing your project for IAP TCP forwarding
This range contains all IP addresses that IAP uses for TCP forwarding
Paste the copied IP inside the IP source of your firewall rule.
Go to What_Is_My_IP and copy your IPv4
Add your copied IP to the IP source range inside your firewall rule
save, and start your ssh connection to the VM
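An added example (my own Python, not from any of the answers above) that makes the prefix-length point concrete: /0 covers every address, /32 covers exactly one, and a rule with several source ranges admits a packet if any range contains it. The rule below is constructed from the IAP range quoted in the last answer plus the placeholder address 1.2.3.4 used earlier; it does not claim anything about how GCP parses rule input beyond what the answers say.

```python
import ipaddress


def as_source_range(text):
    """Turn a bare address into the /32 (or /128 for IPv6) CIDR form a firewall
    rule expects; input already in CIDR form is returned normalised."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    addr = ipaddress.ip_address(text)
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def address_count(net):
    """Number of addresses a prefix covers: 2 ** (address bits - prefix length).
    /0 on IPv4 is 2**32 (everything), /32 is 2**0 (one host)."""
    return 2 ** (net.max_prefixlen - net.prefixlen)


def source_allowed(source_ranges, src):
    """A rule listing several source ranges admits a source if any range contains it."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in source_ranges)


# Constructed rule: the IAP TCP-forwarding range from the answer above plus the
# admin's own public address (1.2.3.4 is the placeholder from the earlier answer).
SSH_RULE = [as_source_range("35.235.240.0/20"), as_source_range("1.2.3.4")]
# The wide-open rule the question started with.
ANY_RULE = [as_source_range("0.0.0.0/0")]

if __name__ == "__main__":
    for net in (as_source_range("0.0.0.0/0"), as_source_range("1.2.3.4"),
                as_source_range("35.235.240.0/20")):
        print(f"{net} covers {address_count(net)} addresses")
    for src in ("1.2.3.4", "1.2.3.5", "35.235.241.9", "35.235.100.1"):
        print(src, "allowed by SSH_RULE:", source_allowed(SSH_RULE, src),
              "allowed by ANY_RULE:", source_allowed(ANY_RULE, src))
```

If your connection comes from an ISP that changes your public address, the /32 entry stops matching the moment the address changes, which is the usual reason a rule that "used to work" suddenly blocks you.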

Can someone explain the host argument in BPF

I've been struggling with this for a while now, and I can't find any answers online. Looking up the documentation doesn't really help. I don't understand what the argument host in a BPF code is supposed to represent or how to use it properly. Does it work the same way as net? (not saying I know what net does, I just assumed they might be similar) Please help.
host can be used to match a destination or source IP address in packets, whereas net can be used to match all IPs in a subnet and takes a CIDR. For example:
# matches all packets with 192.168.1.1 as source or destination IP address:
host 192.168.1.1
# matches all packets with destination IP address 192.168.1.1
dst host 192.168.1.1
# matches all packets with a source IP address within 192.168.1.0-255
src net 192.168.1.0/24
Note that host 192.168.1.1 is equivalent to net 192.168.1.1/32.
Source: This is all documented at https://www.tcpdump.org/manpages/pcap-filter.7.html.
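An added Python model of the three filters in the answer (my own code, not from the answer or from libpcap), run over constructed packets so the difference between host, dst host and src net is visible. It supports only the host/net primitives with an optional src/dst qualifier; the real pcap-filter grammar is far larger.

```python
import ipaddress
from collections import namedtuple

# Constructed packets: only the addresses matter for these primitives.
Packet = namedtuple("Packet", "src dst")


def parse_filter(expr):
    """Parse '[src|dst] host ADDR' or '[src|dst] net CIDR' into (direction, network).
    'host ADDR' is treated as 'net ADDR/32' (or /128 for IPv6), as the answer notes."""
    words = expr.split()
    direction = "either"
    if words[0] in ("src", "dst"):
        direction = words.pop(0)
    if len(words) != 2 or words[0] not in ("host", "net"):
        raise ValueError(f"unsupported filter: {expr!r}")
    kind, target = words
    if kind == "host":
        addr = ipaddress.ip_address(target)
        net = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    else:
        net = ipaddress.ip_network(target, strict=False)
    return direction, net


def matches(expr, pkt):
    """True if the packet satisfies the filter expression."""
    direction, net = parse_filter(expr)
    src_in = ipaddress.ip_address(pkt.src) in net
    dst_in = ipaddress.ip_address(pkt.dst) in net
    if direction == "src":
        return src_in
    if direction == "dst":
        return dst_in
    return src_in or dst_in  # plain 'host'/'net': either side qualifies


CAPTURE = [
    Packet("192.168.1.1", "10.0.0.5"),    # from the host of interest
    Packet("10.0.0.5", "192.168.1.1"),    # to the host of interest
    Packet("192.168.1.200", "10.0.0.5"),  # same /24, different host
    Packet("10.0.0.5", "10.0.0.9"),       # unrelated
]


def count_matching(expr, packets=CAPTURE):
    return sum(1 for p in packets if matches(expr, p))


if __name__ == "__main__":
    for expr in ("host 192.168.1.1", "dst host 192.168.1.1",
                 "src net 192.168.1.0/24", "net 192.168.1.1/32"):
        print(f"{expr:24} -> {count_matching(expr)} packet(s)")
```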

move domain from one server to another?

I have a website on shared hosting and I'm trying to move it to an unmanaged VPS.
The thing is that I have set up my server and tried this tutorial to make my domain name point at my server, but I had no luck,
because whenever I try to do this: ping www.mydomain.com
I still get the old host IP instead of my new one.
I have waited more than 48 hours.
Do I have to delete some files on my old host? Or is there something I'm missing?
thanks
There should be no need to delete anything at your old host.
You are getting the old host IP address in the ping result, which tells you that your domain is still resolving to the old host instead of your own VPS.
Check the outputs of the following to confirm that the DNS records are correct:
[1] Check DNS records of your domain from online DNS verification tool like intodns.com.
[2] Verify whether the new DNS records are propagated across the globe or not. You can check it from here - whatsmydns.net.
[3] Check the ping result without "www" i.e. ping yourdomain.com
Create a file at location /etc/bind/
Name it db.your_domain
Add the following in this file:
$TTL 86400
; SOA record first: "@" stands for the zone origin (your_domain.), and
; admin.your_domain. is the contact mailbox admin@your_domain written zone-style
@ IN SOA ns.your_domain. admin.your_domain. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;SPF records
your_domain. IN TXT "v=spf1 a -all"
your_domain. IN NS ns.your_domain.
; MX records
your_domain. IN MX 5 mail.your_domain.
;A records
your_domain. IN A ipv4 address
your_domain. IN AAAA ipv6 address
ns IN A ipv4 address
ns IN AAAA ipv6 address
mail IN A ipv4 address
mail IN AAAA ipv6 address
;CNAME
www IN CNAME your_domain.

HAProxy 1.5.12 hdr(<name>)/hdr_?

I am trying to figure out which of the hdrs to use in this situation. According to the documentation http://www.haproxy.org/download/1.5/doc/configuration.txt the following is stated:
hdr(<name>) The HTTP header <name> will be looked up in each HTTP
request. Just as with the equivalent ACL 'hdr()' function,
the header name in parenthesis is not case sensitive. If the
header is absent or if it does not contain any value, the
roundrobin algorithm is applied instead.
An optional 'use_domain_only' parameter is available, for
reducing the hash algorithm to the main domain part with some
specific headers such as 'Host'. For instance, in the Host
value "haproxy.1wt.eu", only "1wt" will be considered.
This algorithm is static by default, which means that
changing a server's weight on the fly will have no effect,
but this can be changed using "hash-type".
1) Where is the list of different <name>s?
2) Which one do I use when trying to use haproxy as a reverse proxy in this case (subdomains), would I use hdr() or would I use hdr_dom() for example:
acl host_deusexmachina hdr(<name>) -i deus.ex.machina.mydomain.com
acl host_fela hdr(<name>) -i fela.mydomain.com
acl host_mydomain hdr(<name>) -i mydomain.com
The different names are the headers available in the HTTP protocol.
You should probably use Host.
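Because the question also asks hdr() versus hdr_dom(), here is an added Python model (my own code, not HAProxy's and not from the answer) of the two match types applied to the Host header, with the three ACLs from the question evaluated in order as a chain of use_backend rules would be. The exact-match rule is certain; the delimiter set used for the "dom" match is my assumption about HAProxy's matcher and should be checked against your version's documentation before you rely on anything other than the dot.

```python
def hdr_match(value, pattern):
    """hdr(<name>) -i <pattern>: the whole header value must equal the pattern,
    case-insensitively because of -i."""
    return value.lower() == pattern.lower()


# Assumed delimiter set for the "dom" match type (assumption, see lead-in).
DOM_DELIMITERS = ".:/?"


def hdr_dom_match(value, pattern):
    """hdr_dom(<name>) -i <pattern>: the pattern must occur in the value as a
    whole domain component (or run of components) bounded by delimiters or
    by the start/end of the value."""
    v, p = value.lower(), pattern.lower().strip(".")
    start = 0
    while True:
        i = v.find(p, start)
        if i < 0:
            return False
        end = i + len(p)
        before_ok = i == 0 or v[i - 1] in DOM_DELIMITERS
        after_ok = end == len(v) or v[end] in DOM_DELIMITERS
        if before_ok and after_ok:
            return True
        start = i + 1


# Constructed routing tables: (backend, matcher, pattern), first match wins.
# ROUTES uses exact matches in the order the question lists the ACLs.
ROUTES = [
    ("bk_deusexmachina", hdr_match, "deus.ex.machina.mydomain.com"),
    ("bk_fela", hdr_match, "fela.mydomain.com"),
    ("bk_mydomain", hdr_match, "mydomain.com"),
]
# ROUTES_DOM puts a domain match for the apex first, which swallows subdomains.
ROUTES_DOM = [
    ("bk_mydomain", hdr_dom_match, "mydomain.com"),
    ("bk_fela", hdr_match, "fela.mydomain.com"),
]


def pick_backend(routes, host_header, default="bk_default"):
    """Return the backend of the first ACL that the Host header satisfies."""
    for backend, matcher, pattern in routes:
        if matcher(host_header, pattern):
            return backend
    return default


if __name__ == "__main__":
    for host in ("Fela.mydomain.com", "mydomain.com", "other.mydomain.com"):
        print(f"{host:22} exact-> {pick_backend(ROUTES, host):18}"
              f"dom-first-> {pick_backend(ROUTES_DOM, host)}")
```

The practical point: with hdr(host) -i mydomain.com only the bare apex matches, so a request for an unlisted subdomain falls through to the default backend; with hdr_dom the apex ACL also matches every subdomain, so its position in the rule order decides whether the more specific ACLs ever get a chance.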

ssh-config by host subnet

So I have a whole bunch of machines on my 10.10.10.x subnet, all of them are essentially configured in the same way. I differentiate these from machines on my 10.10.11.x subnet which serves a different purpose.
I'd like to be able to type 'ssh 10.x' to connect to machines on the 10. network and 'ssh 11.x' to connect to machines on the 11 network.
I know I can set up individual machines to allow access by the full IP, or the shorthand version, like this in my ~/.ssh/config:
Host 10.10.10.11 10.11
HostName 10.10.10.11
User root
This can get pretty repetitive for lots of hosts on my network, so my question is, is there a way to specify this as a pattern, for the entire subnet, something like:
Host 10.10.10.x
User root
Host 10.x
HostName 10.10.10.x
User root
Thanks
This line will provide the desired functionality:
Host 192.168.1.*
IdentityFile KeyFile
If you attempt to connect to a server whose IP is in this subnet, you will be able to establish an SSH connection.
From the ssh_config(5) Manpage:
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the “.co.uk” set of domains, the following pattern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’). For example, to allow a key to be used from anywhere within an organisation except from the “dialup” pool, the following entry (in authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
So you can just use Host 10.*
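To show what the patterns from the manpage actually select, here is an added Python reimplementation of ssh_config pattern matching (my own code, not OpenSSH's) applied to a constructed config. It goes one step beyond the answer: the HostName option accepts the %h token (the name typed on the command line, per ssh_config(5)), so a Host line with ? wildcards can expand "ssh 10.11" to 10.10.10.11 without listing every machine. The config contents and host names are constructed for the example.

```python
import re


def _pattern_to_regex(pattern):
    """ssh_config patterns: '*' matches zero or more characters, '?' exactly one;
    there are no character classes, so everything else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def host_matches(pattern_list, host):
    """Evaluate a whitespace- or comma-separated pattern list against a host.
    A matching negated pattern ('!x') vetoes the whole entry, regardless of
    whether any other pattern on the line matches."""
    positive = False
    for pat in re.split(r"[,\s]+", pattern_list.strip()):
        if not pat:
            continue
        negated = pat.startswith("!")
        if _pattern_to_regex(pat.lstrip("!")).fullmatch(host):
            if negated:
                return False
            positive = True
    return positive


# Constructed ~/.ssh/config as (Host patterns, options). "10.? 10.??" matches
# the short names 10.1 .. 10.99 but not a full address such as 10.10.10.11,
# so the HostName expansion cannot double up.
CONFIG = [
    ("10.10.10.*", {"User": "root"}),
    ("10.? 10.??", {"HostName": "10.10.%h", "User": "root"}),
    ("11.? 11.??", {"HostName": "10.10.%h"}),
    ("*", {"User": "alice"}),
]


def resolve(config, host):
    """Collect options the way ssh does: the first obtained value for each
    option wins, Host patterns are matched against the name as typed, and
    %h in HostName is replaced by that typed name."""
    opts = {}
    for patterns, options in config:
        if host_matches(patterns, host):
            for key, value in options.items():
                opts.setdefault(key, value)
    opts.setdefault("HostName", host)
    opts["HostName"] = opts["HostName"].replace("%h", host)
    return opts


if __name__ == "__main__":
    for name in ("10.11", "11.25", "10.10.10.11", "build.example.com"):
        print(f"ssh {name:18} -> {resolve(CONFIG, name)}")
    print(host_matches("!*.dialup.example.com,*.example.com", "pc1.dialup.example.com"))
```

The ordering matters: the generic "*" entry sits last so that its User value only applies where no earlier entry already set one, which is the same first-value-wins rule ssh itself uses.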