nginx reverse proxy for ADFS 3.0 server

2016-03-22 / Linux, Microsoft / 2 Comments

Problem:
After setting up an nginx reverse proxy in front of ADFS 3.0 (in place of the Microsoft Web Application Proxy), requests came back with "connection reset by peer". Browsing to the site via its IP, or via any hostname other than the original one, returned this error.

Nginx was not passing the client's Host header through in the proxied request. It connected to the backend using only the IP of the upstream server, so ADFS would not accept the connection.

Solution:

1. Run the command below on the ADFS server to get the certhash and appid of the existing binding:
netsh http show sslcert

2. Run this command so that http.sys listens on all IPs with that certificate:
netsh http add sslcert ipport=0.0.0.0:443 certhash=5117dffde15446cf1cfd8bd855cfef25202c6c17 appid='{5d89a20c-beab-4389-9447-324788eb944a}'

Keep in mind that if other things are running on this server, a binding on all IPs could conflict with them. If the server is set up correctly, though, nothing else should be on it.

The nginx config looked like this:

upstream adfs_backend {
    server 1x2.xx8.xx.xx:443;
    keepalive 100;
}

server {
    listen 443 ssl;    # "ssl on;" is the pre-1.15 form of the same thing and has since been removed from nginx
    server_name xxsecurity.customer.com;
    ssl_certificate     /etc/ssl/private/adfs.cer;
    ssl_certificate_key /etc/ssl/private/adfs.key;

    location / {
        proxy_pass https://adfs_backend;
        # pass the name the client asked for; without this nginx sends the upstream name instead
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
    }
}
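As an added example (not code from the post), here is a small Python check that scans an nginx config for proxy_pass locations that never set the Host header, which is the omission behind the error above. The two configs embedded in it are constructed stand-ins for the one above, with a placeholder backend address and hostname:

```python
import re

# Constructed sample configs (not the post's own file): the first omits the
# Host header, the state the post describes; the second carries the fix.
BROKEN_CONF = """
upstream adfs_backend {
    server 192.0.2.10:443;   # placeholder backend address
    keepalive 100;
}
server {
    listen 443 ssl;
    server_name adfs.example.test;   # placeholder hostname
    location / {
        proxy_pass https://adfs_backend;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
    }
}
"""

FIXED_CONF = BROKEN_CONF.replace(
    "proxy_set_header X-Real-IP $remote_addr;",
    "proxy_set_header Host $host;\n        proxy_set_header X-Real-IP $remote_addr;",
)


def _strip_comments(text):
    # nginx comments run from '#' to the end of the line
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _check_location(header, directives):
    """Findings for one location block: a proxy_pass whose Host header is
    absent, or explicitly left at nginx's default of $proxy_host."""
    if not any(d.startswith("proxy_pass ") for d in directives):
        return []
    host_values = [
        parts[2]
        for parts in (d.split() for d in directives)
        if len(parts) >= 3 and parts[0] == "proxy_set_header" and parts[1].lower() == "host"
    ]
    if not host_values:
        return [(header, "no 'proxy_set_header Host': nginx sends $proxy_host, the "
                         "proxy_pass target, instead of the name the client used")]
    if host_values[-1] == "$proxy_host":
        return [(header, "Host set to $proxy_host: the backend never sees the client's hostname")]
    return []


def audit_proxy_hosts(conf):
    """Walk an nginx config and return (location header, problem) pairs.
    The tokenizer splits only on the structural characters { } ; and a stack
    tracks nesting, so each location is judged on its own directives."""
    tokens = re.findall(r"[{};]|[^{};]+", _strip_comments(conf))
    stack, pending, findings = [], "", []
    for tok in tokens:
        if tok == "{":
            stack.append((pending.strip(), []))   # header of the block being opened
            pending = ""
        elif tok == ";":
            if stack:
                stack[-1][1].append(pending.strip())
            pending = ""
        elif tok == "}":
            if stack:
                header, directives = stack.pop()
                if header.startswith("location"):
                    findings.extend(_check_location(header, directives))
            pending = ""
        else:
            pending += tok
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_proxy_hosts(conf) or "ok")
```

Run it as a pre-deploy check on the real config; `$host` is the right value here because it falls back to the server_name when a request arrives without a Host header, whereas `$http_host` passes through whatever the client sent, empty or not.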

Windows NFS server and issues with php rename() and chown

2014-11-14 / Linux, SAN, Server, Server 2008 R2 / 0 Comments

Problem: A Windows NFS server has various mount points exported. On a UNIX system, PHP code moves/renames files using rename().

While chown is normally restricted to root, on Linux you can still chown a file to yourself.

PHP's rename() also does a chown(), which changes the owner to the calling user; not sure why, but it does. This caused problems when connected to our NFS server hosted on Windows, and we were unable to reproduce it on local Linux storage or on a Linux NFS server. The problem was down to the nature of the Windows NFS server.

"Users accessing NFS shares from a Windows Server 2008 R2 based NFS server may get the error "Permission Denied" while trying to run the 'chown' command from UNIX NFS clients. This can happen even though the user is the owner of the files. The UNIX "root" user does not exhibit these issues."

Solution: Apply the recommended registry setting for Windows Server 2008 R2; although we were running Server 2012, it is still relevant:
http://support.microsoft.com/kb/2708985


Extend encrypted LVM By adding new physical disk

2014-01-23 / Linux, SAN, VMWare / 0 Comments

1. Verify the volume group and the logical volume name:

pvdisplay
lvdisplay

2. Add the new hard disk device to the volume group (in this example /dev/sdd):

pvcreate /dev/sdd
vgextend existing_volume_group /dev/sdd

3. After extending the volume group, extend the underlying logical volume (here by 500GB):

sudo lvextend -L+500G /dev/existing_volume_group/logicalvolume_data

4. Resize the crypt (the dm-crypt mapping that sits on top of the logical volume):

sudo cryptsetup resize /dev/mapper/

5. Resize the filesystem inside it:

sudo resize2fs /dev/mapper/


Ubuntu 12 LIO iSCSI Target with SCSI-3

2012-08-14 / Linux, SAN, Server / 0 Comments

Problem:
Needed a quick way to add shared storage to a failover cluster in a lab environment. The LIO iSCSI target supports SCSI-3 persistent reservations over iSCSI, so I decided to go with this solution.

Solution:

1. Install Ubuntu
install ubuntu
apt-get update
apt-get upgrade
apt-get install lio-utils

2. Configure LIO

Attach additional storage to your Ubuntu server. The configuration below can be run from the command line first to test it; once everything works, make it persistent by putting the same commands in the files listed.

a. Set up the block devices to be exported:

nano /etc/target/tcm_start.sh

tcm_node --block iblock_0/iscsiarray1 /dev/sdb
tcm_node --block iblock_0/iscsiarray2 /dev/sdc
tcm_node --block iblock_0/iscsiarray3 /dev/sdd
tcm_node --block iblock_0/iscsiarray4 /dev/sde

b. Set up your iSCSI targets. Authentication is disabled here (lab setup); access to each target is limited to the two cluster-node initiator IQNs listed in its ACLs:

nano /etc/target/lio_start.sh

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun1 1 1 iscsi01 iblock_0/iscsiarray1
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun1 1 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun1 1
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:uranus.galaxy.local 1 1
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:neptune.galaxy.local 1 1
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun1 1

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun2 2 2 iscsi02 iblock_0/iscsiarray2
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun2 2 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun2 2
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:uranus.galaxy.local 2 2
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:neptune.galaxy.local 2 2
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun2 2

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun3 3 3 iscsi03 iblock_0/iscsiarray3
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun3 3 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun3 3
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:uranus.galaxy.local 3 3
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:neptune.galaxy.local 3 3
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun3 3

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun4 4 4 iscsi04 iblock_0/iscsiarray4
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun4 4 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun4 4
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:uranus.galaxy.local 4 4
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:neptune.galaxy.local 4 4
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun4 4

Configure mediawiki for LDAP authentication with Microsoft active directory

2011-08-15 / Linux, Random, Server / 3 Comments

Problem:

Needed to enable Microsoft Active Directory authentication for our internal MediaWiki site.

Solution:

Enable the LdapAuthentication.php extension and add the following to LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "ADSITE" );
$wgLDAPServerNames = array( "ADSITE"=>"wcp01xdc.ADSITE.local" );
$wgLDAPBaseDNs = array( "ADSITE"=>"dc=ADSITE,dc=local" );
# bind as DOMAIN\username, then look the account up by sAMAccountName
$wgLDAPSearchStrings = array( "ADSITE" => "ADSITE\\USER-NAME" );
$wgLDAPSearchAttributes = array( "ADSITE"=>"sAMAccountName" );
$wgLDAPLowerCaseUsername = array( "ADSITE"=>true );
# optional: only members of this group (nested membership included) may log in
$wgLDAPRequiredGroups = array( "ADSITE"=>array( "cn=information technology,ou=users,ou=information technology,ou=ADSITE,dc=ADSITE,dc=local" ) );
$wgLDAPGroupUseFullDN = array( "ADSITE"=>true );
$wgLDAPGroupsUseMemberOf = array( "ADSITE"=>true );
$wgLDAPGroupObjectclass = array( "ADSITE"=>"group" );
$wgLDAPGroupAttribute = array( "ADSITE"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "ADSITE"=>true );
$wgLDAPGroupNameAttribute = array( "ADSITE"=>"cn" );
$wgLDAPPreferences = array( "ADSITE"=>true );
$wgLDAPDisableAutoCreate = array( "ADSITE"=>false );
$wgMinimalPasswordLength = 1;
# clear-text LDAP for initial testing; switch to TLS/SSL once it works
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "ADSITE"=>"clear" );
$wgUseLocal = false;
#$wgLDAPDebug = 99;
#$wgDebugLogGroups["ldap"] = "/tmp/wikildapdebug.log";

Replace "ADSITE" with the name of your domain. As written this uses clear-text authentication ($wgLDAPEncryptionType "clear", $wgLDAPUseSSL false), so users' domain passwords cross the wire unencrypted. Once clear-text authentication works, switch to TLS or SSL if need be.

The $wgLDAPRequiredGroups setting is optional and restricts login to members of certain groups, in this case "Information Technology".
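As an added example (not the extension's own code), the following Python shows how the settings above translate into one LDAP search filter: the account is found by sAMAccountName, the username is lowercased as $wgLDAPLowerCaseUsername asks, and group membership is checked through nested groups in the same query. The group DN and attribute are the page's values; the username inputs, the stripping of a typed DOMAIN\ prefix, and the use of Active Directory's in-chain matching rule for nesting are assumptions of this example. The escaping step is the part a practitioner should not skip: the username comes straight from the login form.

```python
# Settings mirroring the post's LocalSettings.php (group DN and attribute are
# the page's own values); the usernames fed in below are constructed inputs.
SEARCH_ATTRIBUTE = "sAMAccountName"
LOWERCASE_USERNAME = True          # $wgLDAPLowerCaseUsername
REQUIRED_GROUP_DN = ("cn=information technology,ou=users,ou=information technology,"
                     "ou=ADSITE,dc=ADSITE,dc=local")   # $wgLDAPRequiredGroups
# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID: a memberOf match using this
# rule walks nested groups, the behaviour $wgLDAPGroupSearchNestedGroups asks for.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515).
    Each character is mapped independently, so a backslash in the input
    becomes \\5c and cannot re-form an escape sequence."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_username(raw):
    """Assumed normalisation step (not the extension's code): drop a DOMAIN\\
    prefix typed at the login form, trim, and lowercase when configured."""
    name = raw.split("\\", 1)[1] if "\\" in raw else raw
    name = name.strip()
    if not name:
        raise ValueError("empty username")
    return name.lower() if LOWERCASE_USERNAME else name


def build_user_filter(raw_username):
    """Filter that finds the account by sAMAccountName and, in the same query,
    requires (possibly nested) membership in the configured group."""
    user = escape_filter_value(normalize_username(raw_username))
    group = escape_filter_value(REQUIRED_GROUP_DN)
    return (
        "(&(objectClass=user)"
        f"({SEARCH_ATTRIBUTE}={user})"
        f"(memberOf:{IN_CHAIN_RULE}:={group}))"
    )


if __name__ == "__main__":
    # An ordinary login and a hostile one; the second stays a literal value.
    for typed in ("ADSITE\\JDoe", "*)(objectClass=*"):
        print(build_user_filter(typed))
```

If the directory is not Active Directory, the in-chain rule is unavailable and nested membership has to be resolved by walking the group's member attribute, which is what $wgLDAPGroupAttribute = "member" and $wgLDAPGroupSearchNestedGroups configure the extension to do.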
