Reject Requests without a Host Name Header on NGINX

The Objective: Reject all requests that reach the NGINX server without a host name in their header

Why it matters: When a request is made via IP address (http://your.add.rress.here), NGINX answers with whatever it determines to be the “default server” for that IP address. This is often not the desired result. The result we are going for here is to close the connection with the requesting client.

The solution: 

  1. generate a bogus cert and store it in your /etc/nginx/certs/bogus/ (or whichever folder you use for your certificates)
  2. create a “default.conf” configuration file in your /etc/nginx/conf.d/ (or whichever folder you include in your config)
  3. add the configuration to the “default.conf” file (update it if your folders are different for certs)
  4. test your configuration (/usr/sbin/nginx -t -c /etc/nginx/nginx.conf)
  5. if all is well, restart your service (sudo service nginx restart)
  6. validate it’s working as intended

Code Sample:
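server {
    # Plain HTTP: default_server also catches requests sent to the bare IP address
    listen 80 default_server;
    server_name "";
    # 444 is nginx-specific: close the connection without sending a response
    return 444;
}
server {
    # The ssl parameter on listen enables TLS; the separate "ssl on;" directive is obsolete since nginx 1.15.0
    listen 443 default_server ssl;
    server_name "";
    return 444;
    # Bogus certificate: nginx needs one to complete the TLS handshake before it can drop the request
    ssl_certificate /etc/nginx/certs/bogus/cert.pem;
    ssl_certificate_key /etc/nginx/certs/bogus/privkey.pem;
}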
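
One way to carry out step 6 for the port 80 block, as an added example that is not part of the original post: send a request with no Host header and one with the IP address as Host, and confirm the server closes the connection without sending a byte. The stub server and the name www.example.test are constructed so the script runs offline; point is_dropped at your own server's address to test the real configuration.

```python
import socket
import threading

def probe(host, port, request, timeout=3.0):
    """Send raw request bytes and return everything received before the close."""
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                chunk = sock.recv(4096)
            except ConnectionResetError:
                break  # an abrupt reset also counts as "no response"
            if not chunk:
                break
            received += chunk
    return received

def is_dropped(host, port, host_header=None):
    """True when the server closes without sending a byte, as `return 444` does."""
    if host_header is None:
        # HTTP/1.0 allows a request with no Host header at all
        request = b"GET / HTTP/1.0\r\n\r\n"
    else:
        request = (f"GET / HTTP/1.1\r\nHost: {host_header}\r\n"
                   "Connection: close\r\n\r\n").encode("ascii")
    return probe(host, port, request) == b""

def start_stub(known_host):
    """Constructed stand-in for nginx: answers known_host, drops all else."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                head = conn.recv(4096).decode("latin-1")
                if f"\r\nHost: {known_host}\r\n" in head:
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                                 b"Connection: close\r\n\r\nok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_stub("www.example.test")  # constructed local stand-in
    for label, hdr in (("no Host", None), ("IP as Host", "127.0.0.1"),
                       ("known name", "www.example.test")):
        print(label, "-> dropped" if is_dropped("127.0.0.1", port, hdr) else "-> answered")
```

The 443 block can be checked the same way after wrapping the socket in TLS; the client has to skip certificate verification because the certificate is bogus.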

 

References:

  • http://nginx.org/en/docs/http/request_processing.html#how_to_prevent_undefined_server_names

Atlassian Monitoring with JMX (Java Management eXtension)

Want to know some details on what’s going on with your Atlassian application? (JIRA, Confluence, any JVM application).

 

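Add these lines to your Java options (with ssl=false the JMX connection, including the credentials created below, is not encrypted, so keep port 8686 reachable only from your monitoring host):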

-Dcom.sun.management.jmxremote.port=8686
-Dcom.sun.management.jmxremote.ssl=false
-Djava.rmi.server.hostname=SERVER.DOMAIN.COM

Create a jmxremote.password file

  1. Copy C:\Program Files\Atlassian\JIRA\jre\lib\management\jmxremote.password.template to C:\Program Files\Atlassian\JIRA\jre\lib\management\jmxremote.password
  2. Edit jmxremote.password to add your credentials
  3. Set permissions on jmxremote.password
    1. Set the owner to the user your Atlassian application runs as
    2. Remove inheriting permissions
    3. Remove all account permissions except for owner
    4. save your settings

Start your service & launch jconsole

Note: Running jconsole.exe -debug is helpful for troubleshooting

Use your favorite monitoring tool to collect the stats

SolarWinds SAM module supports JMX

Windows computers not reporting to WSUS

Verify client configuration

Local Computer Policy

Verify Resultant Policy is correct

Verify the correct GPOs are being applied

C:\>gpresult /scope computer

Update Group Policies

C:\>gpupdate /force

Verify connectivity

ping wsus-server-01.domain.com

telnet wsus-server-01.domain.com 8530

If you are using a hosts file and having troubles with resolution, check out this post

Reset the client

wuauclt.exe /resetauthorization /detectnow

Force check in

wuauclt.exe /reportnow

Check WSUS in 10-15 minutes

If you are still having issues check out the client log file:

C:\Windows\WindowsUpdate.log

Windows hosts file not being used for resolution

Windows version: Server 2003 R2 Standard x64 SP2

Verify it’s not working

ipconfig /flushdns

ipconfig /displaydns | more

Check for typos!

Start with the simple solution first

Verify hosts file location

Open Registry Editor

Verify key: My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

Copy Value data and paste it into Explorer to verify you are editing the correct file

Verify file permissions (This was my issue)

If machine\users is not given Read and Read & Execute permissions, add the account.

 

Synology: Remove orphaned ARW files when JPG is deleted in Photo Station 6

Background

Hardware: Synology DS716+
Software: Synology Photo Station 6
Data Files: .jpg & .arw (raw)

The problem

When using a Synology NAS to manage your photos via the Photo Station 6 application, deleting the JPG leaves the RAW (ARW) file behind.

The solution

Search the photo directory for orphan .arw files (ones without a matching .jpg), then remove them. While we are at it, let's record what we delete to a file.

Deploy an Ubuntu docker image and mount the photos directory


Use the code


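#!/usr/bin/env python3
import os

# Directory to clean; only this directory is scanned (no recursion).
rootdir = '/mnt/photo/Dump/2016/2016-02_Muppo-playing'

for name in os.listdir(rootdir):
    # The match is case-sensitive: only upper-case .ARW / .JPG names are handled.
    if name.endswith('.ARW'):
        raw_path = os.path.join(rootdir, name)
        base, _ext = os.path.splitext(raw_path)
        # Orphan: no .JPG with the same base name sits next to the RAW file.
        if not os.path.isfile(base + '.JPG'):
            os.remove(raw_path)
            print('REMOVED:' + raw_path)
            # Append each deletion to a log in the current working directory.
            with open("clean-up.log", "a") as logfile:
                logfile.write("\n")
                logfile.write('REMOVED:' + raw_path)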

How to add Domain Admins to sudoers

This process assumes your Linux machine has Centrify Express running on it.

Determine the group name

$ adquery user rick -G

domain_admins

domain_users

jira-software-users

Add entry to sudoers file

# Append through visudo so the write runs as root and the syntax is checked before saving
echo '%domain_admins ALL=(ALL) NOPASSWD: ALL' | sudo EDITOR='tee -a' visudo

 

 

 

Run nginx in a Docker container on a Synology

In this walk through we will perform the following:

Note: The actual nginx configuration will not be covered here.

  1. Deploy the nginx Docker container (vr-ngx-01)
  2. Mount the following folders and file:
    1. /etc/nginx/conf.d/
      1. it’s assumed your site’s .conf file is in this directory
    2. /etc/nginx/certs/
      1. it’s assumed your SSL certs live here and are properly referenced in your /etc/nginx/conf.d/your.site.conf
    3. /etc/nginx/nginx.conf
      1. it’s assumed SSL is configured and includes conf.d/*.conf
  3. Link vr-ngx-01 to the Home-Assistant container (vr-hass-01)
  4. Fire up the container and verify connectivity over a secured connection
  5. Remove local port mapping for vr-hass-01

1. Deploy the container

2. Mount the local folders & file

3. Link vr-ngx-01 to vr-hass-01

4. Verify site loads

Browse to https://YOUR-SYNOLOGY-NAME:4443

Note: to make this appear at https://www.virtualrick.com you can configure your router/firewall for port forwarding. Example: external TCP 443 forwards to internal TCP 4443.

5. Remove local port mapping for vr-hass-01

Now that the nginx container is linked to the home-assistant container, there is no need for the home-assistant service port (8123) to be available directly.

Make sure the home-assistant container is turned off, then edit the container and remove the local port configuration.

Running Home-Assistant in a Docker container on a Synology NAS

Update: Link to post following this one with steps for deploying nginx as a proxy for the Home-Assistant container deployed here: CLICK HERE

 

 

I recently received my Synology DS716+ and discovered it supports running Docker containers. I figured why not run Home-Assistant in a Docker container on the Synology? Doing this will free my Raspberry Pi for another project. Here is what I did to make this happen.

Mount Points:

/config

Store your configuration.yaml here

/scripts

Store any scripts called within your configuration.yaml. I have a number of scripts used to execute remote commands on various devices.

/root/.ssh

I mount this folder so I can store the keys that are trusted on remote devices

Step by step screenshots

Download the image

Create the container

Launch the application

Using PowerShell to produce a list of databases from a list of server\instances

Need to produce a report showing all the databases in your environment? Why not include the name, size and owner while we are at it and export it to a csv file. Here you go!

Note: The SQLPS module is installed on a machine with Microsoft SQL Server Management Studio. I have tested this with MSSMS 2014.

The PowerShell Script

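# Load the SQLPS module that ships with SQL Server Management Studio 2014
import-module "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS" -DisableNameChecking
$rootdir = "C:\Users\VirtualRick\SQL Server Audit\"
# One row per server\instance to query (see the example file below)
$instances = import-csv $rootdir\server-instance.csv
ForEach($row in $instances)
{
    # Browse the instance's databases through the SQLSERVER: provider
    $sqlPath = "SQLSERVER:\SQL\$($row.server)\$($row.instance)\Databases\"
    dir $sqlPath | select Name, Size, Owner | export-csv $rootdir\export.csv -Append
}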

 

server-instance.csv file example:

Server,Instance

MyServer,default

Networking not working after Windows 10 Update (version 1511, build 10586.3)

My device: Lenovo ThinkPad Yoga 2

After applying the latest Windows 10 update, version 1511, build 10586.3, all of my networking was jacked up. I was unable to connect to any wireless networks (showed a small amount of sent packets, 0 received, and great signal strength). I attempted to uninstall the device from Device Manager, and when I rebooted the device reinstalled, but still nothing worked.

When I got home I attempted to use my USB Ethernet adapter and even that didn’t work.

The Solution

NOTE: Following the procedure below will reset all networking. This includes Hyper-V and VPN interfaces. (My Cisco VPN client rebuilt everything automatically when I attempted to connect).

Run “netcfg -d” from an admin command prompt, then reboot and reconfigure networking.

Microsoft Windows [Version 10.0.10586]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>netcfg -d
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
NetSetup object deleted successfully on MUX
Successfully commited changes to the registry
Successfully commited changes to the registry
We are going to reboot now to complete the clean up. Save all of your work.
Press any key to continue…

Need to check your windows version?

  1. Start menu
  2. type “about your pc”
  3. press enter


 

 

References:

  • http://windows.microsoft.com/en-us/windows/which-operating-system
  • http://windows.microsoft.com/en-us/windows-10/fix-network-connection-issues