Reverse Proxy
how to operate nginx as reverse proxy and loadbalancer
Got a server behind NAT / firewall? Need shell access to … ?
user@server$ ssh -R 1234:localhost:22 my.public.jumpbox   # from the hidden server: forwards jumpbox port 1234 to the server's own sshd (bound to the jumpbox loopback unless GatewayPorts is set)
ssh my.public.jumpbox                                    # from wherever you are: log in to the jumpbox
user@jumpbox$ ssh -p 1234 localhost                      # hop through the forwarded port onto the server
user@server$
and you're in :)
Another component of OpenBSD is relayd. It's an integrated load balancer and proxy service, like F5, Nginx and others. But just like other BSD services: straightforward, simple and easy to use … wanna see … ?
Set up 4 VMs: one load balancer and 3 web servers. The web servers should serve the same content, while the load balancer checks whether each web server is running and forwards traffic to it or not.
The configuration on the load balancer is as simple as this:
Did you always want to have a full BGP table at home once? Over your DSL / CM / LTE or whatever connection? Here's a little howto :)
Install a VM with OpenBSD. Add 1 CPU, 1 GB RAM, 20 GB disk, nothing special.
Check the page from Lukasz and buy him a beer if you ever meet him. He also mentioned my post in his slides (thanks, Lukasz).
Have you ever checked in binaries, confidential stuff or something else by mistake? Git keeps all your history; that's its design and purpose.
However, if you need to clean it up once, here is a short tutorial.
cd myrepo
# note down the remote URL first (it is also visible in .git/config); it is gone once .git is removed
url=$(git config --get remote.origin.url)
rm -rf .git                     # drops ALL local history and the reflog
git init
git add .
git commit -m "Removed history, ..."
git remote add origin "$url"    # the URL noted down above, e.g. git@host/yourrepo
git push -u --force origin master
# same procedure for a repository whose default branch is main
_url=$(git remote -v | awk '/fetch/ { print $2 }')   # save the fetch URL before .git disappears
rm -rf .git
git init
git add .
git commit -m "Removed history ..."
git remote add origin "${_url}"
git push -u --force origin main
unset _url
and you're done :) Keep in mind that existing clones, forks and the server side may still hold the old objects for a while, so a credential that was ever pushed should be rotated rather than considered gone.
Assuming you have an apu2|apu3|apu4 from pcengines or a virtual machine running on KVM/Qemu, and you don't have VGA/DVI/HDMI or any other kind of video output: of course you can still install and run OpenBSD (or Linux) on these boxes.
Write openbsdxx.img to a USB stick. On macOS, you can use Balena Etcher for example.
If you want to install from a USB stick, set the correct serial port and speed before booting.
Stumbled upon a bug in openssh … did a small config change in sshd_config, deployed it with ansible … and lost connectivity to all these boxes immediately … and of course, I did a config check before reloading the sshd daemon, and the config check was fine.
I can't believe that nobody else found this before, as it's really simple to reproduce. And it's working with OpenBSD, Debian, CentOS and mostly on all systems which have opensshd implemented (and that's a lot of …)
https://serverfault.com/questions/142344/how-to-test-dns-glue-record
host:~ $ dig +short ch. NS
c.nic.ch.
a.nic.ch.
h.nic.ch.
f.nic.ch.
g.nic.ch.
b.nic.ch.
e.nic.ch.
host:~ $ dig +norec @a.nic.ch. noflow.ch. NS
; <<>> DiG 9.10.6 <<>> +norec @a.nic.ch. noflow.ch. NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29211
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;noflow.ch. IN NS
;; AUTHORITY SECTION:
noflow.ch. 3600 IN NS ns3.noflow.ch.
noflow.ch. 3600 IN NS ns2.noflow.ch.
noflow.ch. 3600 IN NS ns1.noflow.ch.
;; ADDITIONAL SECTION:
ns3.noflow.ch. 3600 IN A 45.32.159.233
ns2.noflow.ch. 3600 IN A 193.36.36.130
ns1.noflow.ch. 3600 IN A 45.15.80.202
;; Query time: 12 msec
;; SERVER: 2001:620:0:ff::56#53(2001:620:0:ff::56)
;; WHEN: Wed Aug 26 23:09:52 CEST 2020
;; MSG SIZE rcvd: 140
As you can see, there are three glue records with A and none with AAAA. I need to talk to my domain hosting provider, as I'd like to have AAAA glue as well …
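To turn the manual reading of the dig output above into a repeatable check, here is an added example (not part of the original post) in POSIX sh and awk. It parses the AUTHORITY and ADDITIONAL sections of a `dig +norec @<tld-server> <zone> NS` answer, counts the glue records of a given type, and lists every in-zone nameserver that lacks glue of that type. The sample input is a constructed abbreviation of the dig output shown above; function names are my own.

```shell
#!/bin/sh
# Added example: glue-record completeness check on dig output.
# Glue is only required for nameservers whose names lie inside the zone
# they serve (ns1-3.noflow.ch for noflow.ch); a delegation without it
# cannot be resolved over that address family.

# Constructed sample, abbreviated from the dig output in the post.
SAMPLE_DIG='
;; AUTHORITY SECTION:
noflow.ch. 3600 IN NS ns3.noflow.ch.
noflow.ch. 3600 IN NS ns2.noflow.ch.
noflow.ch. 3600 IN NS ns1.noflow.ch.

;; ADDITIONAL SECTION:
ns3.noflow.ch. 3600 IN A 45.32.159.233
ns2.noflow.ch. 3600 IN A 193.36.36.130
ns1.noflow.ch. 3600 IN A 45.15.80.202

;; Query time: 12 msec
'

# count_glue TYPE  -- number of TYPE (A or AAAA) records in the ADDITIONAL
# section of the dig output read from stdin
count_glue() {
    awk -v t="$1" '
        /^;; ADDITIONAL SECTION:/ { in_add = 1; next }
        /^;;/                     { in_add = 0 }
        in_add && $3 == "IN" && $4 == t { n++ }
        END { print n + 0 }
    '
}

# missing_glue TYPE -- print (sorted) every in-zone nameserver named in the
# AUTHORITY section that has no TYPE record in the ADDITIONAL section
missing_glue() {
    awk -v t="$1" '
        /^;; AUTHORITY SECTION:/  { sec = "auth"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "add"; next }
        /^;;/                     { sec = "" }
        sec == "auth" && $4 == "NS" { zone = $1; ns[$5] = 1 }
        sec == "add"  && $4 == t    { glue[$1] = 1 }
        END {
            for (n in ns) {
                # only names ending in ".<zone>" need glue from the parent
                if (substr(n, length(n) - length(zone)) == "." zone && !(n in glue))
                    print n
            }
        }
    ' | sort
}

# Stand-alone run against the constructed sample.
echo "A glue records:    $(printf '%s\n' "$SAMPLE_DIG" | count_glue A)"
echo "AAAA glue records: $(printf '%s\n' "$SAMPLE_DIG" | count_glue AAAA)"
echo "nameservers without AAAA glue:"
printf '%s\n' "$SAMPLE_DIG" | missing_glue AAAA
```

Against a live delegation you would pipe the real query in instead, e.g. `dig +norec @a.nic.ch. noflow.ch. NS | missing_glue AAAA`; an empty result means every in-zone nameserver is reachable over IPv6 from the parent's point of view. Note the `+norec` flag: the parent server's own answer is what matters here, not a recursor's cached view.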
https://checkmk.de/cms_install_packages_debian.html
download and scp check-mk-enterprise-1.6.0p15.demo_0.buster_amd64.deb -> enterprise microkernel, 2 x 10 hosts
download and scp check-mk-raw-1.6.0p15_0.buster_amd64.deb -> raw edition, nagios kernel
ssh root@localhost
apt-get install dpkg-sig libnet-snmp-perl snmp
wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg
dpkg-sig --verify /tmp/check-mk-enterprise-1.6.0p15.demo_0.buster_amd64.deb
apt-get install gdebi-core
gdebi /tmp/check-mk-raw-1.6.0p15_0.buster_amd64.deb
omd version
omd create mysite
omd config
or
omd restore /tmp/mysite.tar.gz
https://checkmk.de/cms_install_packages_debian.html
download file: check-mk-raw-2.0.0p5_0.buster_amd64.deb
scp check-mk-raw-2.0.0p5_0.buster_amd64.deb host227:/tmp/
apt install -y dpkg-sig libnet-snmp-perl snmp
wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg
dpkg-sig --verify /tmp/check-mk-raw-2.0.0p5_0.buster_amd64.deb
apt-get install gdebi-core
gdebi /tmp/check-mk-raw-2.0.0p5_0.buster_amd64.deb
omd version
Backup and copy to new Server
Let's do the opposite: you have some IPv6 connectivity and need to transport IPv4 over it.
root@hosta ~# ifconfig vio0
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
lladdr 56:00:02:e7:9d:e5
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet6 fe80::5400:2ff:fee7:9de5%vio0 prefixlen 64 scopeid 0x1
inet6 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c prefixlen 64 autoconf pltime 604627 vltime 2591827
inet6 2a05:f480:1400:7b6:446d:acb7:5fe4:450f prefixlen 64 autoconf autoconfprivacy pltime 86046 vltime 172537
root@hosta ~# i3
IPv4: !NETWORK
IPv6: 2a05:f480:1400:7b6:446d:acb7:5fe4:450f
root@hostb ~# ifconfig vio0
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
lladdr 56:00:02:e7:9d:f4
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet6 fe80::5400:2ff:fee7:9df4%vio0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb prefixlen 64 autoconf pltime 604403 vltime 2591603
inet6 2001:19f0:6801:1e3b:e6f:24db:27f7:de37 prefixlen 64 autoconf autoconfprivacy pltime 85502 vltime 171928
root@hostb ~# i3
IPv4: !NETWORK
IPv6: 2001:19f0:6801:1e3b:e6f:24db:27f7:de37
# on hosta: outer IPv6 endpoints (local, remote), then the inner IPv4 addresses (local, remote)
ifconfig gif0 inet6 tunnel 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb
ifconfig gif0 inet alias 10.0.0.1 10.0.0.2
# on hostb: the same, mirrored
ifconfig gif0 inet6 tunnel 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c
ifconfig gif0 inet alias 10.0.0.2 10.0.0.1
or make them persistent