Re: [CentOS] haproxy + Apache + virtual hosts -> wrong host is displayed

2016-06-24 Thread Alexander Farber
Ok, I had to add ServerAlias for each server, didn't think of it because
before I had a mod_rewrite rule to remove the "www." prefix...

On Fri, Jun 24, 2016 at 9:58 PM, Alexander Farber <
alexander.far...@gmail.com> wrote:

>
> On CentOS 7.2.1511 I have installed:
> haproxy-1.5.14-3.el7.x86_64
> httpd-2.4.6-40.el7.centos.1.x86_64
>
> The /etc/haproxy/haproxy.cfg binds HAProxy to
> ports 80 and 443 and accepts HTTPS to slova.de:
>
> defaults
> mode http
> option http-server-close
> option forwardfor   except 127.0.0.0/8
> option  redispatch
> 
> frontend public
> bind 144.76.184.151:80
> bind 144.76.184.151:443 ssl crt /etc/pki/tls/certs/slova.de.pem
> reqidel ^X-Forwarded-Proto:
> reqidel ^X-Forwarded-For:
> reqadd X-Forwarded-Proto:\ https if { ssl_fc }
> option forwardfor
> default_backend apache
>
> backend apache
> server domain 127.0.0.1:8080
>
> The /etc/httpd/conf/httpd.conf binds Apache
> to port 8080 and serves several Wordpress sites:
>
> Listen 127.0.0.1:8080
> ServerName 144.76.184.151
>
> 
> DocumentRoot /var/www/html/afarber.de
> ServerName afarber.de
> ErrorLog logs/afarber.de/error_log
> CustomLog logs/afarber.de/access_log common
> 
>
> 
> DocumentRoot /var/www/html/ruhrgebietsingle.de
> ServerName ruhrgebietsingle.de
> ErrorLog logs/ruhrgebietsingle.de/error_log
> CustomLog logs/ruhrgebietsingle.de/access_log common
> 
>
> 
> DocumentRoot /var/www/html/bukvy.de
> ServerName bukvy.de
> ErrorLog logs/bukvy.de/error_log
> CustomLog logs/bukvy.de/access_log common
> 
>
> 
> DocumentRoot /var/www/html/slova.de
> ServerName slova.de
> ErrorLog logs/slova.de/error_log
> CustomLog logs/slova.de/access_log common
> 
>
> When I open http://slova.de or https://slova.de 
> they work fine. But when I try to open same URLs
> with "www." prepended, the browser displays
> http://afarber.de  (the 1st site out of 4)
>
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
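
Why the "www." name ended up on another site, as an added example that is not part of the original posts: a small Python model of Apache's name-based virtual host selection, where a Host header matching no ServerName or ServerAlias is answered by the first vhost listed. The `<VirtualHost 127.0.0.1:8080>` address (taken from the Listen line) and all helper names are assumptions; the sample configuration is constructed from the four sites in the post.

```python
import fnmatch
import re

# Constructed input modelled on the post: the four sites in their posted order.
# The <VirtualHost 127.0.0.1:8080> address is an assumption (from the Listen line).
SITES = ["afarber.de", "ruhrgebietsingle.de", "bukvy.de", "slova.de"]
VHOST = ("<VirtualHost 127.0.0.1:8080>\n  DocumentRoot /var/www/html/{0}\n"
         "  ServerName {0}\n{1}</VirtualHost>\n")

def sample_conf(slova_extra=""):
    """Build the sample httpd.conf; slova_extra is inserted into the slova.de vhost."""
    return "".join(VHOST.format(s, slova_extra if s == "slova.de" else "") for s in SITES)

def parse_vhosts(conf):
    """Return [(server_name, [alias_patterns])] in configuration order."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name, aliases = None, []
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            if parts[0].lower() == "servername":
                name = parts[1].lower()
            elif parts[0].lower() == "serveralias":
                aliases.extend(p.lower() for p in parts[1:])
        vhosts.append((name, aliases))
    return vhosts

def select_vhost(vhosts, host_header):
    """Return (server_name, matched): the first vhost whose ServerName or ServerAlias
    matches the Host header, otherwise the first vhost listed (matched=False)."""
    host = host_header.lower().split(":")[0]  # drop an optional :port
    for name, aliases in vhosts:
        if host == name or any(fnmatch.fnmatchcase(host, a) for a in aliases):
            return name, True
    return vhosts[0][0], False

def fallthrough(vhosts, hosts):
    """Hostnames that no vhost claims, so the first vhost would answer them."""
    return [h for h in hosts if not select_vhost(vhosts, h)[1]]

if __name__ == "__main__":
    names = ["slova.de", "www.slova.de"]
    for label, extra in (("before", ""), ("after", "  ServerAlias www.slova.de\n")):
        vh = parse_vhosts(sample_conf(extra))
        print(label, select_vhost(vh, "www.slova.de"), fallthrough(vh, names))
```

Running `fallthrough` over every hostname that DNS points at the proxy shows which names would silently be served by the first vhost instead of their own site.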


[CentOS] haproxy + Apache + virtual hosts -> wrong host is displayed

2016-06-24 Thread Alexander Farber
Hello,

I hope my question is not off-topic here.

On CentOS 7.2.1511 I have installed:
haproxy-1.5.14-3.el7.x86_64
httpd-2.4.6-40.el7.centos.1.x86_64

The /etc/haproxy/haproxy.cfg binds HAProxy to
ports 80 and 443 and accepts HTTPS to slova.de:

defaults
mode http
option http-server-close
option forwardfor   except 127.0.0.0/8
option  redispatch

frontend public
bind 144.76.184.151:80
bind 144.76.184.151:443 ssl crt /etc/pki/tls/certs/slova.de.pem
reqidel ^X-Forwarded-Proto:
reqidel ^X-Forwarded-For:
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
option forwardfor
default_backend apache

backend apache
server domain 127.0.0.1:8080

The /etc/httpd/conf/httpd.conf binds Apache
to port 8080 and serves several Wordpress sites:

Listen 127.0.0.1:8080
ServerName 144.76.184.151


DocumentRoot /var/www/html/afarber.de
ServerName afarber.de
ErrorLog logs/afarber.de/error_log
CustomLog logs/afarber.de/access_log common



DocumentRoot /var/www/html/ruhrgebietsingle.de
ServerName ruhrgebietsingle.de
ErrorLog logs/ruhrgebietsingle.de/error_log
CustomLog logs/ruhrgebietsingle.de/access_log common



DocumentRoot /var/www/html/bukvy.de
ServerName bukvy.de
ErrorLog logs/bukvy.de/error_log
CustomLog logs/bukvy.de/access_log common



DocumentRoot /var/www/html/slova.de
ServerName slova.de
ErrorLog logs/slova.de/error_log
CustomLog logs/slova.de/access_log common


When I open http://slova.de or https://www.slova.de
they work fine. But when I try to open same URLs
with "www." prepended, the browser displays
http://ruhrgebietsingle.de (the 2nd site out of 4)

Why does it happen? I just can not figure it out.

What tool would help here to debug?

Thank you
Alex


Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-24 Thread John R Pierce

On 6/24/2016 9:20 AM, James B. Byrne wrote:

> We received a notice from our pci-dss auditors respecting this:
>
> CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
> IP Identification field at 0 for all non-fragmented packets, which
> could allow remote attackers to determine that a target system is
> running Linux.

2.4 kernels are kinda old. kinda really really old. are you still
running CentOS 4 on PCI audited systems ?!??



--
john r pierce, recycling bits in santa cruz



[CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-24 Thread James B. Byrne
We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
IP Identification field at 0 for all non-fragmented packets, which
could allow remote attackers to determine that a target system is
running Linux.

The NVD entry for which contains this note:

 CHANGE> [Cox changed vote from REVIEWING to NOOP]
 Cox> So I asked some kernel guys about this - it's not considered
   an issue.  There are several other ways to identify Linux on
   the wire and people who care about this kind of thing rewrite
   their packets in various ways via firewall technology to trick
   the identifier programs.


So, what packet mangling may be done in iptables to solve this without
breaking udp transmission? I take it that we are talking about
something in the prerouting chain but what kind of mangling is safe?
Is there an example somewhere?

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS-virt] PCI Passthrough not working

2016-06-24 Thread Francis Greaves
Here is my post issued again from the beginning in some sort of logical order I 
hope, with additional information as suggested by George Dunlap. 

I am having trouble getting PCI Passthrough to work from Dom0 to DomU.
I am using Xen 4.6 with CentOS kernel 3.18.34-20.el7.x86_64 on a Dell Poweredge
T430.
When I plug in a device to the USB port, nothing happens. I am watching
/var/log/messages in the DomU. Nothing.

Here is my lspci on the Dom0 filtered to show USB and PCI devices 

00:1a.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced 
Host Controller #2 (rev 05) 
00:1d.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced 
Host Controller #1 (rev 05) 

00:02.0 PCI bridge: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCI Express 
Root Port 2 (rev 02) 
00:03.0 PCI bridge: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCI Express 
Root Port 3 (rev 02) 
00:1c.0 PCI bridge: Intel Corporation C610/X99 series chipset PCI Express Root 
Port #1 (rev d5) 
00:1c.1 PCI bridge: Intel Corporation C610/X99 series chipset PCI Express Root 
Port #2 (rev d5) 
00:1c.2 PCI bridge: Intel Corporation C610/X99 series chipset PCI Express Root 
Port #3 (rev d5) 
00:1c.4 PCI bridge: Intel Corporation C610/X99 series chipset PCI Express Root 
Port #5 (rev d5) 
01:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit 
Ethernet PCIe 
01:00.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit 
Ethernet PCIe 
04:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit 
Ethernet PCIe 
04:00.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit 
Ethernet PCIe 
05:00.0 PCI bridge: Renesas Technology Corp. Device 001d 
06:00.0 PCI bridge: Renesas Technology Corp. Device 001d 
07:00.0 PCI bridge: Renesas Technology Corp. Device 001a 
0a:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5719 Gigabit 
Ethernet PCIe (rev 01) 
0a:00.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5719 Gigabit 
Ethernet PCIe (rev 01) 
0a:00.2 Ethernet controller: Broadcom Corporation NetXtreme BCM5719 Gigabit 
Ethernet PCIe (rev 01) 
0a:00.3 Ethernet controller: Broadcom Corporation NetXtreme BCM5719 Gigabit 
Ethernet PCIe (rev 01) 
7f:10.0 System peripheral: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCIe 
Ring Interface (rev 02) 
7f:10.1 Performance counters: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 
PCIe Ring Interface (rev 02) 
80:02.0 PCI bridge: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCI Express 
Root Port 2 (rev 02) 
80:02.2 PCI bridge: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCI Express 
Root Port 2 (rev 02) 
ff:10.0 System peripheral: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 PCIe 
Ring Interface (rev 02) 
ff:10.1 Performance counters: Intel Corporation Xeon E7 v3/Xeon E5 v3/Core i7 
PCIe Ring Interface (rev 02) 

Here is my lspci on the DomU 

00:00.0 USB controller: Intel Corporation Wellsburg USB Enhanced Host 
Controller #2 (rev 05) 


Prior to starting the DomU I issue command: 

xl pci-assignable-add 00:1a.0 
xl pci-assignable-list 
:00:1a.0 

So this is OK 

Now for the config file for the DomU 

# Guest name == 
name = "metsat.fsoft.nnet" 

# Kernel command line options 
extra = "root=/dev/xvda1 swiotlb=force" 

# Initial memory allocation (MB) 
memory = 2048 

# Number of VCPUS 
vcpus = 2 

# two ethernet devices, one for the network, one for the Eumetcast receiver 
vif = ['mac=00:16:3E:00:00:35, bridge=xenbr5', 'mac=00:16:3E:00:00:36, bridge=xenbr6']

# Disk Devices 
disk = ['phy:/dev/xen_vg/metsat_disk,xvda,w', 
'phy:/dev/xen_vg/metsat_swap,xvdb,w', 'phy:/dev/xen_vg/metsat_receive,xvdc,w'] 

# for Eumetcast Dongle 
pci=['00:1a.0,rdm_policy=relaxed,permissive=1'] 

on_poweroff = 'destroy' 
on_reboot = 'restart' 
on_crash = 'restart' 

# Run section == 
bootloader = "/usr/lib/xen/bin/pygrub" 
== 

I have pcifront showing as a module in the DomU and the usb shows in dmesg 
as: 
[ 3.167543] usbcore: registered new interface driver usbfs 
[ 3.167563] usbcore: registered new interface driver hub 
[ 3.167585] usbcore: registered new device driver usb 
[ 3.196056] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 
[ 3.196060] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 
[ 3.196064] usb usb1: Product: EHCI Host Controller 
[ 3.196068] usb usb1: Manufacturer: Linux 3.2.0-4-686-pae ehci_hcd 
[ 3.196071] usb usb1: SerialNumber: :00:00.0 
[ 3.508036] usb 1-1: new high-speed USB device number 2 using ehci_hcd 
[ 19.064072] usb 1-1: device not accepting address 2, error -110 
[ 19.176070] usb 1-1: new high-speed USB device number 3 using ehci_hcd 
[ 34.732067] usb 1-1: device not accepting address 3, error -110 
[ 34.844082] usb 1-1: new high-speed USB device number 

Re: [CentOS-virt] PCI Passthrough not working

2016-06-24 Thread George Dunlap
On Wed, Jun 22, 2016 at 10:56 AM, Francis Greaves wrote:
> Further to my messages back in May I have at last got round to trying to
> get my DomU to recognise USB devices.
>
> I am using Xen 4.6 with CentOS kernel 3.18.34-20.el7.x86_64.
> I have to manually make the port available before creating the DomU by
> issuing the command:
> xl pci-assignable-add 00:1a.0
> otherwise nothing shows in:
> xl pci-assignable-list
>
> I have added this to my .cfg file as per the May Emails:
> pci=['00:1a.0,rdm_policy=relaxed']

The two-stage process for assigning pci devices (first
pci-assignable-add, then pci-add) is a "seatbelt" to make sure that an
accidental mis-type doesn't cause you to grab (say) your hard disk
controller instead of your USB controller.

You can add "seize=1" to your pci string to have xl automatically do
both steps for you.  Obviously, use this with care. :-)

More on your next post...

 -George
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt