How to hide celery flower tornado server if use nginx - nginx

I use Celery Flower as a daemon, and nginx as a proxy for it.
Flower uses port 5555.
Nginx serves it on the URL flower.mysite.com, and uses basic auth.
But Flower is still available on mysite.com:5555; how could I make this URL secure?

If you have nginx and your daemon on the same server, simply make your daemon listen on 127.0.0.1 and make nginx forward the requests to that address. It won't be available to any other user besides localhost. Simple and effective.

You need to block incoming connections using iptables; if you google it you'll find a simple line to do it.
Sorry, I don't know iptables syntax, I usually just google it myself.

What's your operating system? If you're running Ubuntu you can just use ufw. I usually have the following roles in my provisioning scripts for servers:
ufw allow ssh
ufw allow http
ufw allow https
ufw logging off
echo 'y' | ufw enable

Expanding on the answer from alfredocambera:
Starting flower with a specific address will bind it to that address only, e.g.:
flower --address=127.0.0.1

Related

When I run my daemon the service is an http-proxy instead of http

I am currently running a service with systemctl, and it is running as an http proxy, not normal http. Is this something that Google does? I am using port 8080 and I can't connect to it via http. My daemon is using port 8080, while using the type http-proxy (I am seeing this with the command nmap -sV -sC -p 8080 35.208.25.61 -vvvv -Pn). Instead, I want the daemon I'm running (wings.service) to use http, so it can use that type of connection to connect to my panel.
The panel is part of a piece of software along with the daemon, it's called pterodactyl. Anyways, I have tried everything on what to do, and I think this problem that I am addressing is the problem that causes dysfunction on my panel. I might just have to move to a different service to host my bots for discord.
Let me know if there's anything I can do to fix this.
As far as I can understand, you are unable to access the panel via its web URL.
The Pterodactyl web server can be installed using the NGINX or Apache web servers, and both web servers listen on port 80 by default according to the Pterodactyl web server installation guide, so you must enable HTTP port 80 traffic on your Compute Engine VM instance.
The default firewall rules on GCP do not allow HTTP or HTTPS connections to your instances. However, it is fairly simple to add a rule that does allow them by following these steps:
1. Go to the VM instances page.
2. Click the name of the desired instance.
3. Click the Edit button at the top of the page.
4. Scroll down to the Firewalls section.
5. Check the Allow HTTP or Allow HTTPS options under your desired VPC network.
6. Click Save.
Note: The Pterodactyl panel and Daemon installation are not the same for each operating system, if after checking the VPC firewall rules on the VM settings and also the status of the web server in the instance (NGINX or Apache) you still cannot access your panel, please provide a step by step list with all commands you followed to complete the installation, including the OS version you used.

My website can’t be reached, but nothing wrong on GCP

Error message: webiz.johocen.com took too long to respond.
But there is nothing wrong on GCP VM instance.
ping webiz.johocen.com gets 0% loss, 169ms average response.
My website is a WordPress multisite on GCP via Bitnami. This happened before; resetting the VM solves the problem, but it happens again some time later.
Any suggestion where I should look into?
Thanks
Bitnami Engineer here,
Sometimes, if you are experiencing poor performance, it is because you are being attacked by Internet bots. The reason for these attacks is that they are trying to find a security bug in your application code or in the software itself.
To know if you are being attacked, run the commands below:
cd /opt/bitnami/apache2/logs/
tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10
This will show you the number of times that an IP address connected to your Web server. If you see that some IP addresses have many more connections than others, run the following command (remember to modify ATTACKER_IP with the correct IP):
cd /opt/bitnami/apache2/logs/
grep "ATTACKER_IP" access_log
If you see that the IP address is always attempting to connect to the same location, if it is a URL that you don’t know, or if it is trying to run binaries or scripts directly, it is likely that IP address is a bot.
To deny connections to these attackers, the easiest way is with your Apache configuration file. Follow these steps:
Edit the file at /opt/bitnami/apps/wordpress/conf/httpd-app.conf. The example below shows how to reject the 1.2.3.4 IP address in WordPress:
<Directory /opt/bitnami/apps/wordpress/htdocs>
deny from 1.2.3.4
...
</Directory>
Restart the Apache web server:
sudo /opt/bitnami/ctlscript.sh restart apache
More information here: https://docs.bitnami.com/google/apps/wordpress/troubleshooting/deny-connections-bots/
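The per-IP count above is the first step of a bot triage. The script below, which is an added example and not Bitnami's code, reads Apache combined-format access log lines and extends that count with two checks a practitioner usually wants next: which IPs are hammering login or XML-RPC endpoints (the path list and the 20-request threshold are assumptions you should tune), and which IPs are collecting mostly 4xx/5xx responses. It also renders a deny block in Apache 2.4 `Require` syntax (the `deny from` form in the answer is the 2.2 syntax; the docroot argument is whatever your install uses). The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: bot triage over Apache combined-format access log lines.

# Top N source IPs by request count (the answer's pipeline, parameterised).
top_ips() {            # usage: top_ips N < access_log
    awk '{print $1}' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Flag IPs that mostly hit sensitive paths or mostly receive 4xx/5xx.
# Output: ip total_requests sensitive_hits error_hits
bot_candidates() {     # usage: bot_candidates MIN_HITS < access_log
    awk -v min="${1:-20}" '
    {
        ip = $1
        path = $7          # combined format: $6="METHOD $7=PATH $8=PROTO"
        status = $9
        total[ip]++
        # Paths probed by common WordPress/credential-hunting bots (assumption).
        if (path ~ /^\/(wp-login\.php|xmlrpc\.php|\.env|\.git)/) sens[ip]++
        if (status ~ /^[45]/) err[ip]++
    }
    END {
        for (ip in total)
            if (total[ip] >= min && (sens[ip] + err[ip]) * 2 >= total[ip])
                printf "%s %d %d %d\n", ip, total[ip], sens[ip], err[ip]
    }' | sort -k2,2nr
}

# Apache 2.4 deny block for the given IPs (assumes httpd 2.4 "Require" syntax).
deny_block() {         # usage: deny_block DOCROOT ip...
    root="$1"; shift
    printf '<Directory %s>\n  <RequireAll>\n    Require all granted\n' "$root"
    for ip in "$@"; do printf '    Require not ip %s\n' "$ip"; done
    printf '  </RequireAll>\n</Directory>\n'
}

# Constructed sample log: one IP brute-forcing wp-login.php, one normal visitor.
sample_log() {
    i=0
    while [ "$i" -lt 30 ]; do
        printf '1.2.3.4 - - [10/Oct/2020:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.24"\n' "$i"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 5 ]; do
        printf '203.0.113.7 - - [10/Oct/2020:14:00:%02d +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
}

# Run on a real server as: bot_candidates 50 < /opt/bitnami/apache2/logs/access_log
sample_log | bot_candidates 20
deny_block /opt/bitnami/apps/wordpress/htdocs 1.2.3.4
```

Review the candidates by hand before blocking them: a shared NAT address or a monitoring service can produce a similar profile, and the `Require not ip` line accepts a CIDR if you need to block a whole range.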

Best software for dynamic dns proxying to docker containers

Currently I am using haproxy with manually updated backends which point to separate docker nginx containers for different apps.
What is the best software to proxy requests to different local nginx containers based on hostname?
I would have a simple map file or even /etc/hosts which my script would update when docker containers change, for example:
domain1 1.1.1.1
domain2 1.1.1.2
domain3 1.1.1.3
So the ideal would be haproxy -> some software proxy or dns -> docker nginx,
and the software would use the map file on the fly, without reloading, and point the request to the local IP address.
Maybe I would put varnish cache in front, so it would need to be compatible with that too (and why wouldn't it), so the flow would be:
request -> haproxy (for load balancing in multiple servers)
-> varnish on public server ip ( for in memory caching based on host and route, so if there is cache return response immediately )
-> SOME PROXY OR DNS BASED ON SIMPLE MAP FILE which will further proxy to local ip of one of multiple docker nginx containers
-> docker nginx inside custom network
-> some app in container
What is the best practice for this flow, should I put varnish somewhere else, and what is the software I am seeking?
I am currently using one extra nginx and mapping $host to a custom IP address in a custom maps.conf file and gracefully reloading nginx on change, but I have a feeling that there is a better solution for this.
Also I forgot to mention that I don't need only http proxying based on a map file, but tcp (ssh, smtp, ftp...) too; just in those cases I will not have haproxy and varnish in front and this app would be public-facing on those ports.
for example:
port:22
domain1 1.1.1.1
domain2 1.1.1.2
domain3 1.1.1.3
port:25
domain1 1.1.1.4
domain2 1.1.1.5
domain3 1.1.1.6
I think something like Muguet might solve your issue.
From their github repo:
When using Docker, it's sometimes a pain to access your containers
using specific IPs/ports.
Muguet provides you with a DNS Server that resolves auto-generated
hostnames to your containers IPs, plus a Reverse Proxy to access all
your web apps on port 80.
I think what you want is dnsmasq. This basically is a lightweight DNS service you run on your host running docker containers and it allows you to use hostnames instead of IP addresses. It's a pretty common way to solve this issue.
A nice guide to setting up dnsmasq can be found at:
http://docs.blowb.org/setup-host/dnsmasq.html
and searching dnsmasq and docker will point you to many more resources.
One thing to remember is on your haproxy host, make sure you modify the /etc/resolv.conf to include your dnsmasq server.
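If you go the dnsmasq route, the part your script still has to get right is updating the map safely. The script below is an added example, not code from the question, Muguet or dnsmasq: it converts the question's "domain ip" map file into hosts-file format, rejects malformed hostnames and IPv4 addresses (so a crafted container name cannot smuggle a second record or a directive into the file), replaces the file atomically, and sends dnsmasq SIGHUP, which makes it re-read files given with --addn-hosts. The hosts-file path /etc/dnsmasq.hosts and the assumption that dnsmasq was started with --addn-hosts pointing at it are yours to adjust.

```shell
#!/bin/sh
# Added example: validated "domain ip" map -> dnsmasq addn-hosts file.

# Accept only a plain hostname: labels of [A-Za-z0-9-], no leading/trailing '-'.
valid_host() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Read "domain ip" lines on stdin, write "ip domain" (hosts format) on stdout.
# Bad lines are reported on stderr and skipped; the return code is 1 if any were seen.
map_to_hosts() {
    rc=0
    while read -r domain ip extra; do
        [ -z "$domain" ] && continue                 # blank line
        case "$domain" in \#*) continue ;; esac      # comment line
        if [ -n "$extra" ] || ! valid_host "$domain" || ! valid_ipv4 "$ip"; then
            printf 'rejected: %s %s %s\n' "$domain" "$ip" "$extra" >&2
            rc=1
            continue
        fi
        printf '%s %s\n' "$ip" "$domain"
    done
    return "$rc"
}

# Rewrite the hosts file atomically and tell dnsmasq to re-read it.
# Refuses to touch the live file if any map line was rejected.
reload_dnsmasq_hosts() {   # usage: reload_dnsmasq_hosts MAPFILE HOSTSFILE
    tmp="$2.tmp.$$"
    map_to_hosts < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"
    pkill -HUP -x dnsmasq 2>/dev/null || true    # no-op when dnsmasq is not running
}

# Constructed sample map from the question; run as:
#   reload_dnsmasq_hosts /etc/docker-map /etc/dnsmasq.hosts
printf 'domain1 1.1.1.1\ndomain2 1.1.1.2\ndomain3 1.1.1.3\n' | map_to_hosts
```

For the TCP case (ssh, smtp) a DNS answer alone will not route the connection; a TCP proxy that consults the same map, or haproxy's runtime `set map` over its stats socket, is the piece that avoids a reload there.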

unable to ping/send http requests to RHEL tomcat server on Azure

Note - I am fully aware that there are lots of similar issues posted before, but I tried NSG settings and psping and nothing seems to work.
All, I brought up a RHEL 7.3 server on Azure and installed JDK 1.8 and Tomcat 8. After starting Tomcat, I tried an http request from my browser:
http://XX.yy.zz.abc:8080/ but I was unable to get the index page
I also created an inbound security rule to allow HTTP and also allow IP range from our company.
Even worse, when I try pinging this IP from my desktop computer, I am unable to ping it - it times out.
Please note that in the past, I've been able to bring up servers and be able to connect from desktops without any issues - in a similar azure-companynetwork setup.
Am I missing anything here?
Ok, so pings do not work; you shouldn't even try that. What you should check is the firewall on your RHEL VM, and check that you've allowed port 8080 on your NSG; also your VM should have a Public IP attached.
According to your description, you had better check the following:
1.Please ensure you could access your web by using 127.0.0.1:8080 on your VM.
2.Check your service listening.
netstat -ant|grep 8080
Please ensure 8080 is listening on tcp not tcp6.
3.Open firewall port on RHEL.
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
For more information about the RHEL firewall, please refer to this link.
4.Open port on Azure NSG.
NSG could be associated with NIC and subnet, you should check all of them.
All,
It looks like there is an input firewall inside RHEL 7.3 that is preventing connections. I just stopped it using
service firewalld stop
and I am able to get the home page.
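Both this thread (step 2, "check your service listening") and the Celery Flower thread above (bind the daemon to 127.0.0.1 and let nginx proxy to it) come down to the same check: which sockets on the host accept connections from outside. The script below is an added example, not code from either thread; it parses `ss -Hltn` output (field 4 is the local address:port) and classifies each listener as LOCAL (loopback only) or EXPOSED (wildcard or a real interface address). The sample output is constructed; on a live host run `ss -Hltn | classify_listeners`. For the Flower case the goal is to see 5555 only as LOCAL; for the Tomcat case, 8080 must appear as EXPOSED here before a host firewall or NSG rule can make any difference, and opening the port with firewall-cmd as in the answer is preferable to stopping firewalld outright.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets from `ss -Hltn` output.

# Reads ss lines on stdin, prints "LOCAL|EXPOSED port address" per line.
classify_listeners() {
    awk '{
        la = $4
        p = match(la, /:[0-9]+$/)        # split at the last colon (IPv6 has many)
        if (p == 0) next
        addr = substr(la, 1, p - 1)
        port = substr(la, p + 1)
        if (addr == "[::1]" || addr ~ /^127\./)
            kind = "LOCAL"               # reachable from this host only
        else
            kind = "EXPOSED"             # 0.0.0.0, *, [::] or an interface address
        print kind, port, addr
    }'
}

# Just the exposed port numbers, sorted, for a quick diff against what you expect.
exposed_ports() {
    classify_listeners | awk '$1 == "EXPOSED" { print $2 }' | sort -n -u
}

# Live check (requires iproute2's ss).
audit_live() {
    ss -Hltn | classify_listeners
}

# Constructed sample: Flower correctly on loopback, Tomcat and sshd exposed,
# CUPS on IPv6 loopback, an IPv6 wildcard listener on 443.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128        127.0.0.1:5555       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128                *:22               *:*
LISTEN 0      128            [::1]:631           [::]:*
LISTEN 0      128             [::]:443           [::]:*
EOF
}

sample_ss_output | classify_listeners
echo "exposed ports: $(sample_ss_output | exposed_ports | tr '\n' ' ')"
```

A port that is LOCAL here is not reachable from mysite.com:5555 no matter what the firewall says; a port that is EXPOSED is only protected by a host firewall (ufw, firewalld, iptables) or a cloud rule (NSG, GCP VPC firewall), so keep both the bind address and the firewall rule tight.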

Configuring nginx proxy for rstudio to work through ssh tunnel

We installed rstudio in a docker container and configured it following
https://support.rstudio.com/hc/en-us/articles/200552326-Running-RStudio-Server-with-a-Proxy
In order to use a sub-uri: example.com/rstudio. This is a work situation, and the server example.com is behind a firewall. To access websites behind the wall I typically tunnel like
ssh -L 8000:example.com:80 other_server
When I do this for example.com I can load pages like example.com/test.html. However, when I try localhost:8000/rstudio, it maps me right back to example.com/rstudio.
Is there something I could add to the configuration in the linked docs page that would make things work through the tunnel?
I can suggest a quick & dirty hack:
Add example.com = 127.0.0.1 on your local PC
ssh -L 8000:remote_server_ip:80 other_server
Try going to http://example.com/rstudio
It can be caused by mod_rewrite of your rstudio instance, I think.
Look here for more examples of SSH tunneling; maybe it will help too.