How does HAProxy figure out SSL_FC_SNI for map_dom - ssl

I have a haproxy config using maps.
HAProxy config file has the below line:
%[ssl_fc_sni,lower,map_dom(/etc/haproxy/domain2backend.map)]
And in the domain2backend.map, i have the below entries:
dp.stg.corp.mydom.com dp_10293
/dp dp_10293
dp.admin.stg.corp.mydom.com dp_10345
Now when i access https://dp.admin.stg.corp.mydom.com/index.html it is directing me to backend dp_10293 . However using a simple full string match of map(/etc/haproxy/domain2backend.map) solves the problem and it directs me to proper backend dp_10345. The certs which i have is wildcard cert *.mydom.com
So how is map_dom comparing the domains and how is it directing request meant for dp.admin.stg.corp.mydom.com to backend of dp.stg.corp.mydom.com

Since i am using map_dom, it splits up the domain based on dots(.) and does a token matching and which ever is the first match, it returns that backend.
Here dp.admin.stg.corp.mydom.com matches any of
dp.admin.stg.corp.mydom.com
/dp
/admin
/stg
/corp
/mydom
/com
/dp.admin
/dp.admin.stg
/dp.admin.stg.corp
/dp.admin.stg.corp.mydom
/admin.stg.corp.mydom.com
/stg.corp.mydom.com
/corp.mydom.com
/mydom.com
And in my case, since i had a entry for /dp, it was routing to backend dp_10345.
Changing map_dom to map will fix it as map does a strict string comparison.

Related

Weird SSL common name mismatch

Today I came across a weird case of cn mismatch. I have two domains:
kpmg.talentsource.rs and
www.kpmg.talentsource.rs
both have prod.q.ssl.global.fastly.net as their CNAME
they have the same A records and certificates.
Nevertheless:
https://kpmg.talentsource.rs (OK)
https://www.kpmg.talentsource.rs (CN mismatch)
https://www.ssllabs.com/ssltest/analyze.html?d=kpmg.talentsource.rs&s=151.101.65.62
https://www.ssllabs.com/ssltest/analyze.html?d=www.kpmg.talentsource.rs&s=151.101.65.62
Note: none of the two has the kpmg.talentsource.rs in neither the the CN nor the SAN
Any ideas why this is happening?
The certificate has a Subject Alternative Name of *.talentsource.rs (among many others unrelated one).
Per X.509/TLS rules, a * matches only one level/label, it does not cross the dot so to say. So *.talentsource.rs matches an hostname of kpmg.talentsource.rs but NOT www.kpmg.talentsource.rs, hence the browser error.
You need either to add www.kpmg.talentsource.rs or *.kpmg.talentsource.rs as a SAN (note that it has talentsource.rs already in the list too) in this certificate or stop using www.kpmg.talentsource.rs at all (a redirection will not solve the problem as you still need the TLS handshake to complete first before getting the HTTP Location: header, so you still need appropriate certificate).

google load balancing path matching pattern priority

I want to have request for HOST/code4/* to go to backb and rest all to backa .
i only defined one rule while setting up the host and path as HOST=* , PATH=/code4, /code4/* , BACKEND=backb
But when i look in to console it shows hosts as shown in image with a extra rule of /* due to which my request i think my request to /code4 goes to backa.
What am i doing wrong ?
Why google is adding a /* route? Even if its adding then unmatch route make no sense, right ?

How can I block clients that consistently hit the same unpredictable URLs

My apache server goes down when a random client starts al lot of GET for same url. The problem is it happens with unpredictable url paths. With fail2ban i can ban a predetermined url but not prevent it for unknown url paths. Is there a way to resolve this?
Depending on your Web Server, you should be able to scan your web server logs for GET requests and ban people who make too many of them within a specific time period. You just need to be careful to avoid banning legitimate users, so the frequency of allowable GET requests is something to fine tune carefully.
Create a new Jail Filter: sudo nano /etc/fail2ban/filter.d/GETFlood.conf
Define the regex you need for identifying GET requests based on the logs for your Web server. With a standard Apache access.log, it would be: failregex = ^<HOST>.*\s"GET\s.*$
Add an entry to your /etc/fail2ban/jail.local:
[getflood]
enabled = true
action = iptables-allports[name=getflood]
filter = getflood
logpath = /var/log/apache2/*access.log
maxretry = 30
findtime = 90
bantime = 604800
Here, we let any individual IP Address make up to 30 GET requests every 90 seconds. Again, without more details about your server, you'll need to play around with these timings to avoid banning legitimate users.

2 DKIM on same domain

We are using an external service for our newsletter, which has required the followin DKIM setup in our domain gipote.dk:
_domainkey.gipote.dk. 43200 IN TXT "o=~"
default._domainkey.gipote.dk. 43200 IN TXT "k=rsa\; p=MIGf...ibnrkoqQIDAQAB"
(I truncated the public key for purpose of readability...)
However we are also sending out e-mail from our own server, which I would also like to sign.
Is it possible to have more than one public-key TXT record in our domain gipote.dk? If so, how should it be set up?
EDIT: I do not have access to the private key, that is used by the newsletter service. So I will not be able to just install that on my own server.
/ Carsten
I found out, that the answer is YES :-)
"default" can easily be replaced with another selector name.
Yes you can change the default to another selector.
BUT if you do the domain it is on will no longer verify the domain.
You need to Add a second key NOT CHANGE whats existing
using Google mail you end up with
default._domainkey "v=DKIM1; k=rsa; p=MIIBIj....."
google._domainkey "v=DKIM1; k=rsa; p=MIGfMA......"

How can I load balance FastAGI?

I am writing multiple AGIs using Perl that will be called from the Asterisk dialplan. I expect to receive numerous similtaneous calls so I need a way to load balance them. I have been advised to use FastAGI instead of AGI. The problem is that my AGIs will be distributed over many servers not just one, and I need that my entry point Asterisk dispatches the calls among those servers (where the agis reside) based on their availability. So, I thought of providing the FastAGI application with multiple IP addresses instead of one. Is it possible?
Any TCP reverse proxy would do the trick. HAProxy being one and nginx with the TCP module being another one.
A while back, I've crafted my own FastAGI proxy using node.js (nodast) to address this very specific problem and a bit more, including the ability to run FastAGI protocol over SSL and route requests based on AGI request location and parameters (such as $dnis, $channel, $language, ...)
Moreover, as the proxy configuration is basically javascript, you could actually load balance in really interesting ways.
A sample config would look as follow:
var config = {
listen : 9090,
upstreams : {
test : 'localhost:4573',
foobar : 'foobar.com:4573'
},
routes : {
'agi://(.*):([0-9]*)/(.*)' : function() {
if (this.$callerid === 'unknown') {
return ('agi://foobar/script/' + this.$3);
} else {
return ('agi://foobar/script/' + this.$3 + '?callerid' + this.$callerid);
}
},
'.*' : function() {
return ('agi://test/');
},
'agi://192.168.129.170:9090/' : 'agi://test/'
}
};
exports.config = config;
I have a large IVR implementation using FastAGI (24 E1's all doing FastAGI calls, peaks at about 80% so that's nearly 600 Asterisk channels calling FastAGI). I didn't find an easy way to do load balancing, but in my case there are different FastAGI calls: one at the beginning of the call to validate the user in a database, then a different one to check the user's balance or their most recent transactions, and another one to perform a transacion.
So what I did was send all the validation and simple queries to one application on one server and all the transaction calls to a different application on a different server.
A crude way to do load balancing if you have a lot of incoming calls on zaptel/dahdi channels would be to use different groups for the channels. For example suppose you have 2 FastAGI servers, and 4 E1's receiving calls. You can set up 2 E1's in group g1 and the other 2 E1's in group g2. Then you declare global variables like this:
[globals]
serverg1=ip_of_server1
serverg2=ip_of_server2
Then on your dialplan you call FastAGI like this:
AGI(agi://${server${CHANNEL(callgroup)}}/some_action)
On channels belonging to group g1, that will resolve to serverg1 which will resolve to ip_of_server1; on channels belonging to group g2, CHANNEL(callgroup) will resolve to g2 so you get ${serverg2} which resolves to ip_of_server2.
It's not the best solution because usually calls start coming in on one span and then another, etc so one server will get more work, but it's something.
To get real load balancing I guess we would have to write a FastAGI load balancing gateway, not a bad idea at all...
Mehhh... use the same constructs that would apply to load balancing something like web page requests.
One way is to round robin in DNS. So if you have vru1.example.com 10.0.1.100 and vru2.example.com 10.0.1.101 you put two entries in DNS like...
fastagi.example.com 10.0.1.100
fastagi.example.com 10.0.1.101
... then from the dial plan agi(agi://fastagi.example.com/youagi) should in theory alternate between 10.0.1.100 and 10.0.1.101. And you can add as many hosts as you need.
The other way to go is with something a bit too complicated to explain here but proxy tools like HAProxy should be able to route between multiple servers with the added benefit of being able to "take one out" of the mix for maintenance or do more advanced balancing like distribute equally based on current load.