Wed, 03 Dec 2014

Installing a StartSSL certificate with haproxy

haproxy supports native SSL/TLS termination since version 1.5. It expects the certificate, its chain and the private key together in one combined PEM file.

StartSSL is a popular provider of free SSL certificates (which I happen to use), but only provides separate ssl.crt and ssl.key files.

To install these with haproxy they need to be combined into a single PEM file. It is also helpful to include the intermediate certificates, which can be downloaded from the StartSSL website as well. Otherwise clients that do not already have the intermediate will fail to build the certificate chain and reject the certificate as untrusted.

To combine them into one, cat works just fine. The order matters: the server certificate first, then the intermediate(s), then the root (optional, since clients already trust it), and the private key last:

cat ssl.crt sub.class2.server.ca.pem ca.pem ssl.key > ssl.pem

Install it in haproxy by adding the crt option to the bind lines of the frontend block (one for IPv4, one for IPv6), e.g.

bind :443 ssl crt /etc/haproxy/ssl.pem
bind :::443 ssl crt /etc/haproxy/ssl.pem

Keep ssl.pem owned by root with mode 0600: it now contains the private key, and haproxy loads it while still running as root during startup, before dropping privileges. Check the result with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading.

This is what I'm running on l4x.org.
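As an added example (not from the original post; the output path and the helper names are assumptions), here is a small shell script that assembles the bundle in the right order and refuses to write it when the key does not match the certificate or when the intermediate does not chain to the root. It needs the openssl command line tool. It also checks an existing bundle structurally, which catches the most common mistake, the files concatenated in the wrong order:

```shell
#!/bin/sh
# Added example, not from the original post: build the combined PEM that haproxy
# expects and sanity-check it before pointing a bind line at it. The file names
# are the ones from the post (ssl.crt, sub.class2.server.ca.pem, ca.pem, ssl.key);
# the output path is an assumption. Requires the openssl command line tool.
#
# Order inside the bundle matters: leaf certificate first, then the
# intermediate(s) nearest the leaf, then the root (optional: clients already
# trust it), then the private key.

# build_haproxy_pem LEAF INTERMEDIATE ROOT KEY OUT
build_haproxy_pem() {
    leaf=$1 inter=$2 root=$3 key=$4 out=$5

    # 1. The key must belong to the leaf: compare the public keys they carry.
    if [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "build_haproxy_pem: $key does not match $leaf" >&2
        return 1
    fi

    # 2. The chain must verify up to the root we are about to ship; otherwise
    #    the intermediate file is the wrong one and clients will reject us.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
        echo "build_haproxy_pem: $leaf does not chain to $root via $inter" >&2
        return 1
    fi

    # 3. Write the bundle without it ever being group/world readable: it contains
    #    the private key (umask in a subshell so the caller's umask is untouched).
    (umask 077 && cat "$leaf" "$inter" "$root" "$key" > "$out") || return 1
    chmod 0600 "$out"
}

# check_haproxy_pem PEM: structural check of an existing bundle. Prints the
# number of certificates; fails if the first block is not a certificate
# (haproxy would present the wrong thing as the server certificate) or if the
# bundle does not contain exactly one private key.
check_haproxy_pem() {
    pem=$1
    first=$(grep '^-----BEGIN' "$pem" | head -n 1)
    if [ "$first" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "check_haproxy_pem: first block in $pem is '$first', not a certificate" >&2
        return 1
    fi
    keys=$(grep -c '^-----BEGIN.*PRIVATE KEY-----' "$pem" || true)
    if [ "$keys" -ne 1 ]; then
        echo "check_haproxy_pem: $pem contains $keys private keys, expected 1" >&2
        return 1
    fi
    grep -c '^-----BEGIN CERTIFICATE-----' "$pem"
}

# Usage, with the file names from the post:
#   build_haproxy_pem ssl.crt sub.class2.server.ca.pem ca.pem ssl.key /etc/haproxy/ssl.pem
#   check_haproxy_pem /etc/haproxy/ssl.pem
```

check_haproxy_pem prints the number of certificates it found (3 for the bundle above, 2 if the root is left out); a bare key file or a bundle with the key first fails the check, which is exactly what an unreadable "the certificate is not trusted" browser error usually comes down to.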

posted at 01:00 | path: /unix | permanent link to this entry

Sun, 17 Nov 2013

ssh: Group readable id_rsa identity file

Let's say you want to use a system-wide ssh identity file to access (or push) shared server state from different users on the same system.

The naive way is to chmod 0640 /system/wide/id_rsa so that group members can read it. But ssh complains loudly about that, and there is no option to silence the error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/git-readonly/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/git-readonly/id_rsa

The usual answer to this is that you do not do that: use different keys per user, host-based authentication, or an ssh-agent. Note that OpenSSH only applies this permission check to key files owned by the user running ssh (the check in authfile.c compares the file owner with getuid() before it looks at the mode bits), so a root-owned, group-readable key passes it; the error above is what you get when the shared key file belongs to the user invoking ssh.

But let's say you really want to. A viable workaround is to make a copy of the file with the right permissions.

My ssh wrapper for this is:

#!/bin/sh
# Copy the shared key to a private per-user file, because ssh refuses keys readable by group/others.
umask 077
RSA=$HOME/.ssh/git-readonly-id_rsa
mkdir -p "$HOME/.ssh"
cat /etc/git-readonly/id_rsa > "$RSA"
chmod 0600 "$RSA"
exec ssh -o UserKnownHostsFile=/etc/git-readonly/known_hosts -o StrictHostKeyChecking=yes -i "$RSA" "$@"

Use at your own risk!
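As an added example, not the post's own wrapper: the same approach, but the private copy lives in a temporary file that is deleted as soon as ssh exits, so no permanent second copy of the key accumulates in every user's ~/.ssh. It also includes a small function that mirrors the check ssh itself applies (sshkey_perm_ok in OpenSSH's authfile.c), so a wrapper can tell in advance whether a key would be refused. The paths, the function names and the PRIVATE_KEY variable are assumptions.

```shell
#!/bin/sh
# Added example, not the post's wrapper: the same copy-the-key idea, but with a
# temporary copy that is removed when the command exits, so no second copy of
# the key stays behind in every user's ~/.ssh. Paths, function names and the
# PRIVATE_KEY variable are assumptions.

# key_perm_ok FILE: replicates the test ssh applies before loading an identity
# (sshkey_perm_ok in OpenSSH's authfile.c). It is only enforced when the file
# is owned by the calling user; then any group or other permission bit fails it.
key_perm_ok() {
    owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")   # GNU stat, then BSD stat
    [ "$owner" = "$(id -u)" ] || return 0                       # not ours: ssh does not check
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400: nothing for group/other
        *)   return 1 ;;   # e.g. 640: "UNPROTECTED PRIVATE KEY FILE"
    esac
}

# with_private_key_copy SRC CMD [ARGS...]: copies SRC into a fresh mode-0600
# temporary file, runs CMD with the copy's path in $PRIVATE_KEY, then deletes
# the copy whatever CMD returned (the trap covers a caller running under set -e).
with_private_key_copy() {
    src=$1; shift
    tmp=$(mktemp) || return 1                 # mktemp creates the file with mode 0600
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    cat "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    PRIVATE_KEY=$tmp "$@"
    rc=$?
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
    return "$rc"
}

# git_readonly_ssh [ssh args...]: drop-in for the post's wrapper (usable as GIT_SSH).
# The inner sh -c reads $PRIVATE_KEY, which with_private_key_copy exports for it.
git_readonly_ssh() {
    with_private_key_copy /etc/git-readonly/id_rsa \
        sh -c 'exec ssh -o UserKnownHostsFile=/etc/git-readonly/known_hosts -o StrictHostKeyChecking=yes -i "$PRIVATE_KEY" "$@"' ssh "$@"
}
```

The exit status of ssh is passed through unchanged, so git sees a failed push as a failure; and because every user in the group can still read the source key, it should only ever be a read-only deploy key, as the path in the post suggests.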

posted at 16:00 | path: /unix | permanent link to this entry

Sun, 06 Oct 2013

Debian on Mac Mini (late 2011 model)

I just had a random hard drive corruption on my headless Mac Mini running Debian Wheezy. Restarting it dropped to a prompt, so I had to get out the monitor and keyboard to press 'Y' a few times. This made me do two things I had postponed for a while for fear of bricking the system:
  1. Get rid of rEFIt and use grub in native EFI mode instead.

    This guide was very helpful. The only difference is that I used the existing FAT32 partition on the drive. This also allowed me to delete the existing MacOS partition, very helpful on a 120G SSD. The freed 50G of disk space I subsequently used to...

  2. Make the root partition read-only

    I formatted the now empty 50G as ext4 with mkfs.ext4 (the partition should start at a multiple of 64M for proper alignment) and mounted it as /var. With /home already on a different disk I could follow the ReadonlyRoot article on the Debian wiki to mount my root filesystem read-only. Hopefully this will keep a future corruption from preventing the system from booting.

posted at 18:00 | path: /unix | permanent link to this entry

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.