Come on now, gimme some Bitcoins ... Please buy some and donate them to me.... - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
Stream Control Transmission Protocol (SCTP) is a message oriented, reliable transport protocol with direct support for multihoming that runs on top of Internet Protocol (IPv4/IPv6).
Recently had to install a USSD gateway for a Telcom's firm on SLES 11-SP3, to handle the Sigtran part of it, install lksctp-tools, it works well
http://lksctp.sourceforge.net/
Get the latest build from
http://sourceforge.net/projects/lksctp/files/lksctp-tools/
Solution to bypass Distributed Monitoring in Zabbix
Jeez NO BitCoins ... So, PLEASE .. If this helped you in any way and you have some spare BitCoins, you may donate them to me :-). If you don't have any, please buy some and donate them to me.... - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
I started with distributed monitoring with Zabbix, but after I did my
Place a 'master' script in crontab, query the Zabbix database for all the active alarms and get the Master Zabbix server to pull these values and alarm on them.
Quick and dirty solution, but for now it works for me.
So lets get started, create this script below, I use the directory /etc/zabbix/scripts, where you place yours is up to you. I use Postgres for my Zabbix databases in the various countries, but I'm sure to adopt the sql for some other database will not be that difficult...
This script is fired from crontab every 5 minutes, this line below must be placed in root's crontab
The main script get_zabbix_alarms.sh fires the following sql scripts
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql, all_alarms.sql
The scripts check_*.sh is fired by the Master Zabbix server towards the Zabbix server in country.
The *.sh scripts must be made executable with chmod +x *.sh and the following owners must be set on the scripts, see below
Below is what the priority*.sql scripts look like, make 6 files, named
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql and all_alarms.sql
Change the
t.priority
line to 5 for the priority5.sql
line to 4 for the priority4.sql
line to 3 for the priority3.sql
line to 2 for the priority2.sql
line to 1 for the priority1.sql
line to t.priority>=0 for the all_alarms.sql
And the sql produces a log (*.alarmlog) with the contents below
The scripts that are fired by the Master Zabbix server, the check*.sh scripts looks like this below
You would need 5 scripts, check_war.sh, check_info.sh, check_high.sh, check_dis.sh and check_ave.sh, just change the alarmlog name in the sh scripts to suit the priority of the alarm
Run the get_zabbix_alarms.sh manually to see if it works, if you get a Postgres password failure, add the user and password to the /opt/directory_where_postgres_resides/.pgpass
localhost:5432:*:zabbix:the_password
And try again
On the Master Zabbix server I created a template that I then assign to the hosts (Remote Zabbix servers) that I want to monitor
And these are the triggers
Remember to set your zabbix_agentd.conf to accept the incoming requests from the Master Zabbix Server and of course restart the agent once done
REMEMBER those BitCoins....
I started with distributed monitoring with Zabbix, but after I did my
- Zabbix Certified Specialist course is intended for those who have just begun to understand Zabbix and want to get on track fast and in the right way. During the course you will learn about the main functionality of Zabbix monitoring software, its installation, setup and further maintenance.
- Zabbix Certified Professional course is designed for administrators of large enterprises and companies that use Zabbix to monitor large amounts of devices located in multiple datacenters.
Place a 'master' script in crontab, query the Zabbix database for all the active alarms and get the Master Zabbix server to pull these values and alarm on them.
Quick and dirty solution, but for now it works for me.
So lets get started, create this script below, I use the directory /etc/zabbix/scripts, where you place yours is up to you. I use Postgres for my Zabbix databases in the various countries, but I'm sure to adopt the sql for some other database will not be that difficult...
#!/bin/bash # This script will fire various sql queries to get the different priority
# alarms in the Zabbix database which are active at the moment. # The resulting logfiles's (alarmlogs) owner will then be changed to Zabbix,
# so that the Zabbix agent can read the files # The Items and Triggers are then fired by the Master Zabbix server
# indicating the amount of alarms on the Zabbix Server in country # This script will fix the problem with Distributed Monitoring, where the
# Master Zabbix server does not get updated from the in-country # Zabbix servers # King Rat 25 July 2014 zabdir="/etc/zabbix/scripts/*.alarmlog" for d in $zabdir do echo " priority | host | description | date_time ----------+--------------------+----------------------------------------------------------+---------------------" > $d chown postgres:postgres $d done if [ -f /etc/zabbix/scripts/all_alarms.alarmlog ]; then chown postgres:postgres /etc/zabbix/scripts/all_alarms.alarmlog else touch /etc/zabbix/scripts/all_alarms.alarmlog chown postgres:postgres /etc/zabbix/scripts/all_alarms.alarmlog fi su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority5.sql -o /etc/zabbix/scripts/priority5alarms.alarmlog" su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority4.sql -o /etc/zabbix/scripts/priority4alarms.alarmlog" su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority3.sql -o /etc/zabbix/scripts/priority3alarms.alarmlog" su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority2.sql -o /etc/zabbix/scripts/priority2alarms.alarmlog" su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority1.sql -o /etc/zabbix/scripts/priority1alarms.alarmlog" su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/all_alarms.sql -o /etc/zabbix/scripts/all_alarms.alarmlog" for d in $zabdir do chown zabbix:zabbix $d done
This script is fired from crontab every 5 minutes, this line below must be placed in root's crontab
*/5 * * * * /etc/zabbix/scripts/get_zabbix_alarms.sh
The main script get_zabbix_alarms.sh fires the following sql scripts
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql, all_alarms.sql
The scripts check_*.sh is fired by the Master Zabbix server towards the Zabbix server in country.
The *.sh scripts must be made executable with chmod +x *.sh and the following owners must be set on the scripts, see below
srv1:/etc/zabbix/scripts # ls -ltr total 72 -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority5.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority4.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority3.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority2.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority1.sql -rwxr-xr-x 1 root root 2038 Jul 25 07:45 get_zabbix_alarms.sh -rwxr-xr-x 1 zabbix zabbix 374 Jul 25 07:45 check_war.sh -rwxr-xr-x 1 zabbix zabbix 394 Jul 25 07:45 check_info.sh -rwxr-xr-x 1 zabbix zabbix 376 Jul 25 07:45 check_high.sh -rwxr-xr-x 1 zabbix zabbix 386 Jul 25 07:45 check_dis.sh -rwxr-xr-x 1 zabbix zabbix 380 Jul 25 07:45 check_ave.sh -rw-r--r-- 1 postgres postgres 893 Jul 25 07:45 all_alarms.sql srv1:/etc/zabbix/scripts #
Below is what the priority*.sql scripts look like, make 6 files, named
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql and all_alarms.sql
Change the
t.priority
line to 5 for the priority5.sql
line to 4 for the priority4.sql
line to 3 for the priority3.sql
line to 2 for the priority2.sql
line to 1 for the priority1.sql
line to t.priority>=0 for the all_alarms.sql
srv1:/etc/zabbix/scripts # cat priority5.sql --SQL script to get all priority 5 alarms SELECT DISTINCT case when t.priority = 0 then 'Not classified' when t.priority = 1 then 'Information' when t.priority = 2 then 'Low ' when t.priority = 3 then 'Medium ' when t.priority = 4 then 'High ' when t.priority = 5 then 'Emergency' else 'Error no priority found' end priority, h.host, t.description, to_char(to_timestamp(t.lastchange),'YYYY-MM-DD HH24:MI:SS') date_time FROM zabbix_server.triggers AS t , zabbix_server.hosts AS h , zabbix_server.items AS i , zabbix_server.functions AS f , zabbix_server.acknowledges Inner Join zabbix_server.events ON events.eventid = acknowledges.eventid WHERE t.priority=5 AND f.itemid=i.itemid AND h.hostid=i.hostid AND t.triggerid=f.triggerid AND t.status=0 AND i.status=0 AND h.hostid not in (-1) AND h.status=0 AND ((t.value=1)) AND t.value<>2 order by 1 desc, t.description srv1:/etc/zabbix/scripts #
And the sql produces a log (*.alarmlog) with the contents below
srv1:/etc/zabbix/scripts # cat priority4alarms.alarmlog priority | host | description | date_time ----------+------+----------------------------------------------------+--------------------- High | srv1 | Free disk space is less than 10% on volume /backup | 2014-07-24 02:03:32 (1 row) srv1:/etc/zabbix/scripts #
The scripts that are fired by the Master Zabbix server, the check*.sh scripts looks like this below
srv1:/etc/zabbix/scripts # cat check_high.sh #!/bin/bash # This is the script that gets fire by the Zabbix Master server to
# list the High Priority alarms # King Rat 25 July 2014 if [ `cat /etc/zabbix/scripts/priority4alarms.alarmlog | grep "row" | wc -l` -gt 0 ]; then cat /etc/zabbix/scripts/priority4alarms.alarmlog | grep "row" | awk '{print substr($1,2,4)}' else echo "No High priority alarms" fi srv1:/etc/zabbix/scripts #
You would need 5 scripts, check_war.sh, check_info.sh, check_high.sh, check_dis.sh and check_ave.sh, just change the alarmlog name in the sh scripts to suit the priority of the alarm
Run the get_zabbix_alarms.sh manually to see if it works, if you get a Postgres password failure, add the user and password to the /opt/directory_where_postgres_resides/.pgpass
srv1:/etc/zabbix/scripts # ./get_zabbix_alarms.sh Password for user zabbix: Session terminated, killing shell... ...killed. Password for user zabbix: Session terminated, killing shell... ...killed. Password for user zabbix: Session terminated, killing shell... ...killed. Password for user zabbix: Session terminated, killing shell... ...killed. Password for user zabbix: Session terminated, killing shell... ...killed. Password for user zabbix: Session terminated, killing shell... ...killed. srv1:/etc/zabbix/scripts # srv1:/etc/zabbix/scripts #
localhost:5432:*:zabbix:the_password
And try again
srv1:/etc/zabbix/scripts # ./get_zabbix_alarms.sh srv1:/etc/zabbix/scripts # ls -ltr total 72 -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority5.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority4.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority3.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority2.sql -rw-r--r-- 1 postgres postgres 884 Jul 25 07:45 priority1.sql -rwxr-xr-x 1 root root 2038 Jul 25 07:45 get_zabbix_alarms.sh -rwxr-xr-x 1 zabbix zabbix 374 Jul 25 07:45 check_war.sh -rwxr-xr-x 1 zabbix zabbix 394 Jul 25 07:45 check_info.sh -rwxr-xr-x 1 zabbix zabbix 376 Jul 25 07:45 check_high.sh -rwxr-xr-x 1 zabbix zabbix 386 Jul 25 07:45 check_dis.sh -rwxr-xr-x 1 zabbix zabbix 380 Jul 25 07:45 check_ave.sh -rw-r--r-- 1 postgres postgres 893 Jul 25 07:45 all_alarms.sql -rw-r--r-- 1 zabbix zabbix 98 Jul 25 13:34 priority5alarms.alarmlog -rw-r--r-- 1 zabbix zabbix 507 Jul 25 13:34 priority4alarms.alarmlog -rw-r--r-- 1 zabbix zabbix 245 Jul 25 13:34 priority3alarms.alarmlog -rw-r--r-- 1 zabbix zabbix 2589 Jul 25 13:34 priority2alarms.alarmlog -rw-r--r-- 1 zabbix zabbix 432 Jul 25 13:34 priority1alarms.alarmlog -rw-r--r-- 1 zabbix zabbix 3406 Jul 25 13:34 all_alarms.alarmlog srv1:/etc/zabbix/scripts # date Fri Jul 25 13:35:02 SAST 2014 srv1:/etc/zabbix/scripts #
On the Master Zabbix server I created a template that I then assign to the hosts (Remote Zabbix servers) that I want to monitor
REMEMBER those BitCoins....
Add plsh to Postgres 9.3
Nope no BitCoins yet... So, yet again....If this helped you in any way and you have some spare BitCoins, you may donate them to me -16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
PLEASE.....Pretty PLEASE?
Problem with Postgres is that you cannot move, rename files etc from within the Postgres psql. Well this has changed with this brilliant binary from Peter Eisentraut, see https://github.com/petere/plsh
Thanks Peter!!
Peter's Blog
The binary allow you to run a bash or sh shell from a function. See below how I implemented it
Download the GZ file from https://github.com/petere/plsh and place it in /opt/temp, the file is called plsh-1.20130823.tar.gz
Gunzip and untar the file, my Postgres is installed under /opt/app, so the -C will extract the files to a new directory under /opt/app/pgdata, this is up to you where you want to place it
I renamed the plsh-1.20130823 to plsh just to make it easier to remember, the plsh-1.20130823 directory was created with the tar command above. I then changed the ownership of the plsh directory to postgres as well.
su to your postgres user and change directory to /opt/app/pgdata/plsh
Now to build the binary, use make, make install
If you encounter problem with the make complaining about the pg_config file, you can make the binary with
And you are done, keep in mind if you want to move, rename, copy etc any files, Postgres must have permissions to do this, what I did is to give Postgres sudo rights to the /bin directory where cp, mv, chown etc lives
To do this, as root type visudo and add this to the file
An example of the function creation is below, keep in mind you have to create the extension plsh, touch a test file in /opt/temp called testThisFile
PLEASE.....Pretty PLEASE?
Problem with Postgres is that you cannot move, rename files etc from within the Postgres psql. Well this has changed with this brilliant binary from Peter Eisentraut, see https://github.com/petere/plsh
Thanks Peter!!
Peter's Blog
The binary allow you to run a bash or sh shell from a function. See below how I implemented it
Download the GZ file from https://github.com/petere/plsh and place it in /opt/temp, the file is called plsh-1.20130823.tar.gz
super173:/opt/temp # ls -ltr total 1467348 -rw-r--r-- 1 root root 11182 Jul 15 12:11 plsh-1.20130823.tar.gz super173:/opt/temp #
Gunzip and untar the file, my Postgres is installed under /opt/app, so the -C will extract the files to a new directory under /opt/app/pgdata, this is up to you where you want to place it
super173:/opt/temp # gunzip plsh-1.20130823.tar.gz super173:/opt/temp # tar -xvf plsh-1.20130823.tar -C /opt/app/pgdata/ plsh-1.20130823/ plsh-1.20130823/.travis.yml plsh-1.20130823/COPYING plsh-1.20130823/Makefile plsh-1.20130823/NEWS plsh-1.20130823/README.md plsh-1.20130823/plsh--1--2.sql plsh-1.20130823/plsh--unpackaged--1.sql plsh-1.20130823/plsh-inline.sql plsh-1.20130823/plsh-noinline.sql plsh-1.20130823/plsh.c plsh-1.20130823/plsh.control plsh-1.20130823/test/ plsh-1.20130823/test/expected/ plsh-1.20130823/test/expected/crlf.out plsh-1.20130823/test/expected/event_trigger.out plsh-1.20130823/test/expected/function.out plsh-1.20130823/test/expected/init.out plsh-1.20130823/test/expected/init_1.out plsh-1.20130823/test/expected/inline.out plsh-1.20130823/test/expected/psql.out plsh-1.20130823/test/expected/psql_1.out plsh-1.20130823/test/expected/trigger.out plsh-1.20130823/test/expected/trigger_1.out plsh-1.20130823/test/sql/ plsh-1.20130823/test/sql/crlf.sql plsh-1.20130823/test/sql/event_trigger.sql plsh-1.20130823/test/sql/function.sql plsh-1.20130823/test/sql/init.sql plsh-1.20130823/test/sql/inline.sql plsh-1.20130823/test/sql/psql.sql plsh-1.20130823/test/sql/trigger.sql super173:/opt/temp #
I renamed the plsh-1.20130823 to plsh just to make it easier to remember, the plsh-1.20130823 directory was created with the tar command above. I then changed the ownership of the plsh directory to postgres as well.
super173:/opt/app/pgdata # cd /opt/app/pgdata
super173:/opt/app/pgdata # ls -ltr total 8 drwx------ 16 postgres postgres 4096 Jun 30 09:16 9.3 drwxrwxr-x 4 postgres postgres 4096 Jul 15 12:16 plsh-1.20130823
super173:/opt/app/pgdata # mv plsh-1.20130823 plsh super173:/opt/app/pgdata # chown -R postgres:postgres plsh/
su to your postgres user and change directory to /opt/app/pgdata/plsh
super173:/opt/app/pgdata # su - postgres postgres@super173:~> cd /opt/app/pgdata/plsh/
Now to build the binary, use make, make install
postgres@super173:/opt/app/pgdata/plsh> make gcc -O2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -I. -I. -I/opt/app/PostgreSQL/9.3/include/postgresql/server -I/opt/app/PostgreSQL/9.3/include/postgresql/internal -D_GNU_SOURCE -I/opt/local/20130819/0d87f820-0a63-11e3-9b6d-000c29d23b02/include/libxml2 -I/usr/local/include/libxml2 -I/usr/local/include -c -o plsh.o plsh.c gcc -O2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -shared -o plsh.so plsh.o -L/opt/app/PostgreSQL/9.3/lib -L/opt/local/20130819/0d87f820-0a63-11e3-9b6d-000c29d23b02/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/opt/app/PostgreSQL/9.3/lib',--enable-new-dtags cp plsh-inline.sql plsh.sql cp plsh.sql plsh--2.sql postgres@super173:/opt/app/pgdata/plsh> make install /bin/mkdir -p '/opt/app/PostgreSQL/9.3/lib/postgresql' /bin/mkdir -p '/opt/app/PostgreSQL/9.3/share/postgresql/extension' /bin/mkdir -p '/opt/app/PostgreSQL/9.3/share/postgresql/extension' /usr/bin/install -c -m 755 plsh.so '/opt/app/PostgreSQL/9.3/lib/postgresql/plsh.so' /usr/bin/install -c -m 644 ./plsh.control '/opt/app/PostgreSQL/9.3/share/postgresql/extension/' /usr/bin/install -c -m 644 ./plsh--unpackaged--1.sql ./plsh--1--2.sql plsh--2.sql '/opt/app/PostgreSQL/9.3/share/postgresql/extension/' postgres@super173:/opt/app/pgdata/plsh>
If you encounter problem with the make complaining about the pg_config file, you can make the binary with
You can test your make with make installcheckmake PG_CONFIG=/where/ever/your/pgconfig/file/is/pg_config make install PG_CONFIG=/where/ever/your/pgconfig/file/is/pg_config
postgres@super173:/opt/app/pgdata/plsh> make installcheck /opt/app/PostgreSQL/9.3/lib/postgresql/pgxs/src/makefiles/../../src/test/regress/pg_regress --inputdir=. --psqldir='/opt/app/PostgreSQL/9.3/bin' --inputdir=test --dbname=contrib_regression init function trigger crlf psql inline event_trigger (using postmaster on Unix socket, default port) ============== dropping database "contrib_regression" ============== NOTICE: database "contrib_regression" does not exist, skipping DROP DATABASE ============== creating database "contrib_regression" ============== CREATE DATABASE ALTER DATABASE ============== running regression test queries ============== test init ... ok test function ... ok test trigger ... ok test crlf ... ok test psql ... ok test inline ... ok test event_trigger ... ok ===================== All 7 tests passed. ===================== postgres@super173:/opt/app/pgdata/plsh>
And you are done, keep in mind if you want to move, rename, copy etc any files, Postgres must have permissions to do this, what I did is to give Postgres sudo rights to the /bin directory where cp, mv, chown etc lives
To do this, as root type visudo and add this to the file
visudo # Runas alias specification # User privilege specification root ALL=(ALL) ALL postgres ALL=(ALL) NOPASSWD: /bin/ # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL
An example of the function creation is below, keep in mind you have to create the extension plsh, touch a test file in /opt/temp called testThisFile
CREATE EXTENSION plsh; CREATE or REPLACE FUNCTION renameFileBash(inputDir text, inputFile text, outputDir text, outputFile text) RETURNS text AS ' #!/bin/bash cp $1$2 $3$4; cp $3$4 $3$4".bkp"; sudo mv $3$4 /opt/temp/$4".tmp"; sudo chown testuser:testgroup /opt/temp/$4".tmp"; sudo chmod 664 /opt/temp/$4".tmp"; sudo mv /opt/temp/$4".tmp" /opt/temp/$4".somextension"; echo $3$4; ' LANGUAGE plsh;
commit;
select renameFileBash('/opt/temp/', 'testThisFile', '/opt/temp/', 'mvFileAllOver')
Running https for Apache2 on SLES
I have received NO BitCoins yet..so yet again ... If this helped you in any way and you have some spare BitCoins, you may donate them to me - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
PLEASE.....
I use Zabbix, see www.zabbix.com for monitoring the servers at work, problem is that the front end runs on http and not https, which poses a problem for some of our customers... but fear not my little minions... below is how to activate https on Apache2 using SLES 11 SP3
Make sure apache2 is started
Make sure that you have some kind of index page that can be displayed with normal http
Check if the webpage is displayed with http
With https you should get an error
Stop apache2 and make sure you are in the directory /etc/apache2
Start by creating all the certificates needed. Let's generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.
For the certificate I used the pass phrase (insert your pass phase here, for example I used M1cr0s0f7), make sure that you use the same for all certificates. Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.
Next, we’ll need to use that key to create a certificate. Before we do this, the information that you will enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information which must differ from what is here. Notice that we are making it good for 3650 days, or 10 years. Adjust to what you need.
Our Server Key and CSR
Next is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. Remember the pass phase M1cr0s0f7
Now, we have to create a signing request, or CSR, from the server key we just made.To generate our signed certificate, we’ll need to first have a signing request so we can make the signed certificate.
To create the CSR, we do this, this has to have the REAL information, no bull, special attention to this part below, Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com, it must be the server name that you have set in /etc/hosts
Let sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate.
The command we’re going to run looks like this below
Generate server.key that won’t prompt for a password
Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:
Placing the files
At this stage, you should now have a bunch of files. Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this below
Now, here’s where things depend on the distribution that you are using.
I will try and describe what I am doing so that if you are not on SLES, you will still be able to get this working.
In SLES, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:
System configuration
First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ’ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file. Note that in APACHE_SERVER_FLAGS, ssl must be in caps SSL.
You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’. Make sure that ssl is loaded
Next, open up the config file that tells apache2 which ports to listen on. In SLES, this file is /etc/apache2/listen.conf. Add the Listen port 443, add the following lines
Listen 443
NameVirtualHost *:443
Next is to setup the vhost.template, make a file called vhost-ssl.conf in the directory /etc/apache2/vhosts.d, make sure that
ServerName SuperNinja4.xxxx.com
ServerAdmin root@SuperNinja4.xxxx.com
Is set to what you used in the certificates
Start apache2 and make sure that there are no errors
Another handy command to check what is loaded is httpd2
Check if port 443 is listening
NEXT..... Check if https works....
WOOOOPPPPPEEEE!! https
In theory, Zabbix front end has it's webpages in /srv/www/htdocs, so Zabbix should now work with https as well, this was done with the setting in the vhost-ssl.conf file in the directory /etc/apache2/vhosts.d, this part below
Happy https ing... remember my BitCoins... please.... pretty please.... please please.....
PLEASE.....
I use Zabbix, see www.zabbix.com for monitoring the servers at work, problem is that the front end runs on http and not https, which poses a problem for some of our customers... but fear not my little minions... below is how to activate https on Apache2 using SLES 11 SP3
Make sure apache2 is started
SuperNinja4:~ # service apache2 status Checking for httpd2: unused SuperNinja4:~ # service apache2 start Starting httpd2 (prefork) done SuperNinja4:~
Make sure that you have some kind of index page that can be displayed with normal http
SuperNinja4:~ # cd /srv/www/ SuperNinja4:/srv/www # ls cgi-bin hawk htdocs SuperNinja4:/srv/www # cd htdocs/ SuperNinja4:/srv/www/htdocs # ls apache_pb.gif apache_pb.png apache_pb2.gif apache_pb2.png apache_pb2_ani.gif favicon.ico gif index.html info2html.css robots.txt SuperNinja4:/srv/www/htdocs # vi index.html SuperNinja4:/srv/www/htdocs # cat index.html <html><body><h1>Hello this is King Rat - It works!</h1></body></html> SuperNinja4:/srv/www/htdocs #
Check if the webpage is displayed with http
Stop apache2 and make sure you are in the directory /etc/apache2
SuperNinja4:/srv/www/htdocs # cd /etc/apache2 SuperNinja4:/etc/apache2 # service apache2 stop Shutting down httpd2 (waiting for all children to terminate) done SuperNinja4:/etc/apache2 #
Start by creating all the certificates needed. Let's generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.
SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out ca.key 4096 Generating RSA private key, 4096 bit long modulus ...................................++ ......................................++ e is 65537 (0x10001) Enter pass phrase for ca.key: Verifying - Enter pass phrase for ca.key:
For the certificate I used the pass phrase (insert your pass phase here, for example I used M1cr0s0f7), make sure that you use the same for all certificates. Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.
Next, we’ll need to use that key to create a certificate. Before we do this, the information that you will enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information which must differ from what is here. Notice that we are making it good for 3650 days, or 10 years. Adjust to what you need.
SuperNinja4:/etc/apache2 # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:WA Locality Name (eg, city) []:Redmond Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:www.microsoft.com Email Address []:bill.gates@microsoft.com SuperNinja4:/etc/apache2 # ls -ltr total 136 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt SuperNinja4:/etc/apache2 #
Our Server Key and CSR
SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out server.key 4096 Generating RSA private key, 4096 bit long modulus ...........................................................................................................................................................................................................................................................................................................................................................................................++ ............++ e is 65537 (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: SuperNinja4:/etc/apache2 # ls -ltr total 140 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw-r--r-- 1 root root 3311 Jul 8 09:46 server.key SuperNinja4:/etc/apache2 #
Now, we have to create a signing request, or CSR, from the server key we just made.To generate our signed certificate, we’ll need to first have a signing request so we can make the signed certificate.
To create the CSR, we do this, this has to have the REAL information, no bull, special attention to this part below, Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com, it must be the server name that you have set in /etc/hosts
SuperNinja4:/etc/apache2 # openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:WZ Locality Name (eg, city) []:New York Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company name here Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com Email Address []:root@SuperNinja4.xxxx.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: HIT ENTER An optional company name []: HIT ENTER SuperNinja4:/etc/apache2 # ls -ltr total 144 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw-r--r-- 1 root root 3311 Jul 8 09:46 server.key -rw-r--r-- 1 root root 1760 Jul 8 09:50 server.csr SuperNinja4:/etc/apache2 #
Sign the Certificate
Let sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate.
The command we’re going to run looks like this below
SuperNinja4:/etc/apache2 # openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt Signature ok subject=/C=US/ST=WZ/L=New York/O=xxxx/CN=SuperNinja4.xxxx.com/emailAddress=root@SuperNinja4.xxxx.com Getting CA Private Key Enter pass phrase for ca.key: SuperNinja4:/etc/apache2 # ls -ltr total 148 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw-r--r-- 1 root root 3311 Jul 8 09:46 server.key -rw-r--r-- 1 root root 1760 Jul 8 09:50 server.csr -rw-r--r-- 1 root root 1988 Jul 8 10:06 server.crt SuperNinja4:/etc/apache2 #
Generate server.key that won’t prompt for a password
Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:
SuperNinja4:/etc/apache2 # openssl rsa -in server.key -out server.key.insecure Enter pass phrase for server.key: writing RSA key SuperNinja4:/etc/apache2 # mv server.key server.key.secure SuperNinja4:/etc/apache2 # mv server.key.insecure server.key SuperNinja4:/etc/apache2 # ls -ltr total 152 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw-r--r-- 1 root root 3311 Jul 8 09:46 server.key.secure -rw-r--r-- 1 root root 1760 Jul 8 09:50 server.csr -rw-r--r-- 1 root root 1988 Jul 8 10:06 server.crt -rw-r--r-- 1 root root 3243 Jul 8 10:08 server.key SuperNinja4:/etc/apache2 #
Placing the files
At this stage, you should now have a bunch of files. Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this below
SuperNinja4:/etc/apache2 # chmod 0600 server.key.secure server.key server.csr server.crt SuperNinja4:/etc/apache2 # ls -ltr total 152 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwx------ 2 root root 4096 May 23 08:19 ssl.key drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.csr drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crt drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw------- 1 root root 3311 Jul 8 09:46 server.key.secure -rw------- 1 root root 1760 Jul 8 09:50 server.csr -rw------- 1 root root 1988 Jul 8 10:06 server.crt -rw------- 1 root root 3243 Jul 8 10:08 server.key SuperNinja4:/etc/apache2 #
Now, here’s where things depend on the distribution that you are using.
I will try and describe what I am doing so that if you are not on SLES, you will still be able to get this working.
In SLES, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:
SuperNinja4:/etc/apache2 # mv /etc/apache2/server.key /etc/apache2/ssl.key/server.key SuperNinja4:/etc/apache2 # mv /etc/apache2/server.crt /etc/apache2/ssl.crt/server.crt SuperNinja4:/etc/apache2 # mv /etc/apache2/server.csr /etc/apache2/ssl.csr/server.csr SuperNinja4:/etc/apache2 # ls -ltr total 140 -rw-r--r-- 1 root root 12958 Mar 27 2013 magic -rw-r--r-- 1 root root 22 Mar 27 2013 uid.conf -rw-r--r-- 1 root root 2957 Mar 27 2013 ssl-global.conf -rw-r--r-- 1 root root 4648 Mar 27 2013 server-tuning.conf -rw-r--r-- 1 root root 85 Mar 27 2013 mod_usertrack.conf -rw-r--r-- 1 root root 1255 Mar 27 2013 mod_userdir.conf -rw-r--r-- 1 root root 344 Mar 27 2013 mod_status.conf -rw-r--r-- 1 root root 958 Mar 27 2013 mod_reqtimeout.conf -rw-r--r-- 1 root root 5075 Mar 27 2013 mod_mime-defaults.conf -rw-r--r-- 1 root root 1057 Mar 27 2013 mod_log_config.conf -rw-r--r-- 1 root root 369 Mar 27 2013 mod_info.conf -rw-r--r-- 1 root root 1503 Mar 27 2013 mod_autoindex-defaults.conf -rw-r--r-- 1 root root 1053 Mar 27 2013 listen.conf -rw-r--r-- 1 root root 8496 Mar 27 2013 httpd.conf -rw-r--r-- 1 root root 2765 Mar 27 2013 errors.conf -rw-r--r-- 1 root root 3763 Mar 27 2013 default-server.conf -rw-r--r-- 1 root root 1764 Mar 27 2013 charset.conv drwxr-xr-x 2 root root 4096 May 23 08:19 vhosts.d drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.prm drwxr-xr-x 2 root root 4096 May 23 08:19 ssl.crl lrwxrwxrwx 1 root root 13 May 23 08:19 mime.types -> ../mime.types drwxr-xr-x 2 root root 4096 May 23 08:37 conf.d drwxr-xr-x 2 root root 4096 Jul 8 09:01 sysconfig.d -rw-r--r-- 1 root root 3311 Jul 8 09:16 ca.key -rw-r--r-- 1 root root 2309 Jul 8 09:23 ca.crt -rw------- 1 root root 3311 Jul 8 09:46 server.key.secure drwx------ 2 root root 4096 Jul 8 10:11 ssl.key drwxr-xr-x 2 root root 4096 Jul 8 10:11 ssl.crt drwxr-xr-x 2 root root 4096 Jul 8 10:12 ssl.csr SuperNinja4:/etc/apache2 #
System configuration
First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ’ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file. Note that in APACHE_SERVER_FLAGS, ssl must be in caps SSL.
SuperNinja4:/etc/apache2 # vi /etc/sysconfig/apache2 SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_MODULES # * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax. # APACHE_MODULES="authz_host alias auth dir log_config mime setenvif" # APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir" APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl" SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_SERVER_FLAGS # * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS APACHE_SERVER_FLAGS="SSL" SuperNinja4:/etc/apache2 #
You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’. Make sure that ssl is loaded
SuperNinja4:/etc/apache2 # a2enmod -l actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl SuperNinja4:/etc/apache2 #
Next, open up the config file that tells apache2 which ports to listen on. In SLES, this file is /etc/apache2/listen.conf. Add the Listen port 443, add the following lines
Listen 443
NameVirtualHost *:443
SuperNinja4:/etc/apache2 # vi listen.conf SuperNinja4:/etc/apache2 # cat listen.conf # Listen: Allows you to bind Apache to specific IP addresses and/or # ports. See also the <VirtualHost> directive. # # http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) # # When we also provide SSL we have to listen to the # standard HTTP port (see above) and to the HTTPS port # # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # Listen 80 Listen 443 # Use name-based virtual hosting # # - on a specified address / port: # # # - name-based virtual hosting: # NameVirtualHost *:80 NameVirtualHost *:443 # # - on all addresses and ports. This is your best bet when you are on # dynamically assigned IP addresses: # SuperNinja4:/etc/apache2 #
Next is to setup the vhost.template, make a file called vhost-ssl.conf in the directory /etc/apache2/vhosts.d, make sure that
ServerName SuperNinja4.xxxx.com
ServerAdmin root@SuperNinja4.xxxx.com
Is set to what you used in the certificates
SuperNinja4:/etc/apache2/vhosts.d # vi vhost-ssl.conf SuperNinja4:/etc/apache2/vhosts.d # cat vhost-ssl.conf # Template for a VirtualHost with SSL # Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf. # Files must have the .conf suffix to be loaded. # # See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints # about virtual hosts. # NameVirtualHost statements should be added to /etc/apache2/listen.conf. # # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # <IfDefine SSL> <IfDefine !NOSSL> ## ## SSL Virtual Host Context ## <VirtualHost *:443> # General setup for the virtual host DocumentRoot "/srv/www/htdocs/" ServerName SuperNinja4.xxxx.com ServerAdmin root@SuperNinja4.xxxx.com ErrorLog /var/log/apache2/error_log TransferLog /var/log/apache2/access_log # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl.crt/server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/server.key # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only: SSLProtocol all -SSLv2 -SSLv3 <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> CustomLog /var/log/apache2/ssl_request_log ssl_combined </VirtualHost> </IfDefine> </IfDefine> SuperNinja4:/etc/apache2/vhosts.d #
Start apache2 and make sure that there are no errors
SuperNinja4:/etc/apache2/vhosts.d # service apache2 start Starting httpd2 (prefork) [Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping [Tue Jul 08 10:28:29 2014] [warn] NameVirtualHost *:80 has no VirtualHosts done SuperNinja4:/etc/apache2/vhosts.d # SuperNinja4:/etc/apache2/vhosts.d # tail -200f /var/log/apache2/error_log [Tue Jul 08 09:01:35 2014] [warn] Init: Session Cache is not configured [hint: SSLSessionCache] [Tue Jul 08 09:01:35 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations [Tue Jul 08 09:15:08 2014] [notice] caught SIGTERM, shutting down [Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping [Tue Jul 08 10:28:29 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations
Another handy command to check what is loaded is httpd2
SuperNinja4:/etc/apache2/vhosts.d # httpd2 -M [Tue Jul 08 10:42:10 2014] [warn] module ssl_module is already loaded, skipping [Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:443 has no VirtualHosts [Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:80 has no VirtualHosts Loaded Modules: core_module (static) mpm_prefork_module (static) http_module (static) so_module (static) actions_module (shared) alias_module (shared) auth_basic_module (shared) authn_file_module (shared) authz_host_module (shared) authz_groupfile_module (shared) authz_default_module (shared) authz_user_module (shared) authn_dbm_module (shared) autoindex_module (shared) cgi_module (shared) dir_module (shared) env_module (shared) expires_module (shared) include_module (shared) log_config_module (shared) mime_module (shared) negotiation_module (shared) setenvif_module (shared) ssl_module (shared) suexec_module (shared) userdir_module (shared) php5_module (shared) reqtimeout_module (shared) Syntax OK SuperNinja4:/etc/apache2/vhosts.d #
Check if port 443 is listening
SuperNinja4:/etc/apache2/vhosts.d # netstat -antp | grep LIST | grep 443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 6836/httpd2-prefork SuperNinja4:/etc/apache2/vhosts.d #
NEXT..... Check if https works....
WOOOOPPPPPEEEE!! https
# General setup for the virtual host DocumentRoot "/srv/www/htdocs/" ServerName SuperNinja4.xxxx.com ServerAdmin root@SuperNinja4.xxxx.com ErrorLog /var/log/apache2/error_log TransferLog /var/log/apache2/access_logHappy https ing... remember my BitCoins... please.... pretty please.... please please.....
Using a engine hoist to lift a Chinese made milling machine and lathe
Finally after 2 years of the machine being on my garage floor, I got it back on its table, yeah
Moving into the rental 2 years ago, we thought this will be temporary, mmmh 2 years down the drain and we still in the rental. Initially I had 4 guys picking up the machine and placing it on the floor. That proved to be extremely dangerous, broken backs, broken toes, broken fingers, so I decided this time I'll do it better, so off to the tool shop and bought this Cherry Picker as the Americans call it. We call it a Engine Crane...
Very important, fill the jack with HYDRAULIC oil before you use it, I made the mistake if just using it when I got it home and off course blew the one seal as all the oil ran out while in storage....
I also decided to get a load leveler, 750KG LOAD LEVELER WITH HOOKS. I was scared that the machine might tip over to one side and seeing that I'm alone in my quest.... This was important...
Got some 6mm steel cable and made 4 short ropes from the steel cable. Used 2 x 16mm threaded rods through the base of the machine and then LIFT.... scared the living daylights out of me, having a 500kg machine 1.5m off the ground... not for me thanks...
Ready..... uuum no....
Now for the lathe
Dog walking straps are handy for something else...
Little Ariel inspecting my work
Whoopee, now for some serious metalwork...
Moving into the rental 2 years ago, we thought this will be temporary, mmmh 2 years down the drain and we still in the rental. Initially I had 4 guys picking up the machine and placing it on the floor. That proved to be extremely dangerous, broken backs, broken toes, broken fingers, so I decided this time I'll do it better, so off to the tool shop and bought this Cherry Picker as the Americans call it. We call it a Engine Crane...
I also decided to get a load leveler, 750KG LOAD LEVELER WITH HOOKS. I was scared that the machine might tip over to one side and seeing that I'm alone in my quest.... This was important...
Got some 6mm steel cable and made 4 short ropes from the steel cable. Used 2 x 16mm threaded rods through the base of the machine and then LIFT.... scared the living daylights out of me, having a 500kg machine 1.5m off the ground... not for me thanks...
Zabbix check for RAID failures
As always ... If this helped you in any way and you have some spare BitCoins, you may donate them to me - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
Strange thing about Zabbix, support for hardware errors, I suppose one can use IPMI, but what a shlepp to setup, I think a good way to monitor disks in a Linux machine is to use a utility called
Download the rpm and save to /etc/zabbix/scripts
Install the RPM
vi a script called zx_raid_status.stage1.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
vi a script called zx_raid_status_pdstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
vi a script called zx_raid_status_ldstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
You should have the following when done
Make the scripts executable with chmod +x *.sh and set the owner to Zabbix
Run the file manually to make sure that it works - zx_raid_status.stage1.sh
Add the following line to the root crontab, this line will run the script every 5 min and write logfiles to /tmp, The logfiles in /tmp will contain the number of errors on the disks
Change the Zabbix config file
and add this to the bottom of the file
UserParameter=raid.lderror,/etc/zabbix/scripts/zx_raid_status.ldstat.sh
UserParameter=raid.pderror,/etc/zabbix/scripts/zx_raid_status.pdstat.sh
Stop and start the Zabbix agent
The ITEMS and TRIGGERS are setup on the Zabbix server as follow
Strange thing about Zabbix, support for hardware errors, I suppose one can use IPMI, but what a shlepp to setup, I think a good way to monitor disks in a Linux machine is to use a utility called
hpacucliDownload the rpm and save to /etc/zabbix/scripts
Install the RPM
svr1:/etc/zabbix/scripts # ls -ltr *.rpm -rw-r--r-- 1 root root 6504897 Mar 25 11:27 hpacucli-9.0-24.0.noarch.rpm svr1:/etc/zabbix/scripts # rpm -ivh hpacucli-9.0-24.0.noarch.rpm Preparing... ########################################### [100%] 1:hpacucli ########################################### [100%] svr1:/etc/zabbix/scripts #
vi a script called zx_raid_status.stage1.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
#!/bin/bash # Script (run by root) to get raid status # Changelog # 0.3 HP GEN 8 2 x controllers - King Rat 20130405 # 0.2 Provide absolute path to hpacucli binary, and make logging clearer # 0.1 Base version - 20120423 # Params # Version VER="0.3" if [ -f /etc/zabbix/scripts/diskstatus.log ];then rm /etc/zabbix/scripts/diskstatus.log fi touch /etc/zabbix/scripts/diskstatus.log chown zabbix:zabbix /etc/zabbix/scripts/diskstatus.log # The logical disk(s) LOGFILE="/etc/zabbix/scripts/diskstatus.log" echo "Version "$VER > $LOGFILE echo "Disk(s) last checked at "`date` >> $LOGFILE echo `hostname -a` >> $LOGFILE LDSTAT="/tmp/zx_ldstatus" > ${LDSTAT} # The physical disks PDSTAT="/tmp/zx_pdstatus" > ${PDSTAT} # Our logger tag TAG="zx_raidstatus" # The app location APP="/usr/sbin/hpacucli" # Functions nocont() { # How many controllers ${APP} ctrl all show config | grep -i "slot" | awk '{print $6}' > /etc/zabbix/scripts/cont.txt sort /etc/zabbix/scripts/cont.txt > /etc/zabbix/scripts/sort.log } out() { # Write to the log file logger -s -t ${TAG} } runroot() { # This has to be run as root if [ `whoami` != 'root' ] then echo "This has to be run by root" | out exit fi } pdstatus() { while read line; do # This check the status of all physical disks ${APP} ctrl slot=$line pd all show status | out ${APP} ctrl slot=$line pd all show status >> $LOGFILE ECNT=`${APP} ctrl slot=$line pd all show status | egrep -i "(fail|error|offline|rebuild|ignoring|degraded|skipping|nok)" | wc -l` if [ ${ECNT} -gt 0 ] then echo "${ECNT} non-OK statuses being reported (physical disk)" | out echo "${ECNT} non-OK statuses being reported (physical disk)" >> $LOGFILE echo ${ECNT} > ${PDSTAT} else echo 0 > ${PDSTAT} echo "Physical drives - all ok" >> $LOGFILE fi done < /etc/zabbix/scripts/sort.log } ldstatus() { while read line; do # This check the status of all physical disks ${APP} ctrl slot=$line logicaldrive all show status | out ${APP} ctrl slot=$line logicaldrive all show status >>$LOGFILE ECNT=`${APP} ctrl slot=$line pd all show status | egrep -i "(fail|error|offline|rebuild|ignoring|degraded|skipping|nok)" | wc -l` if [ ${ECNT} -gt 0 ] then echo "${ECNT} non-OK statuses being reported (logical disk)" | out echo "${ECNT} non-OK statuses being reported (logical disk)" >> $LOGFILE echo ${ECNT} > ${LDSTAT} else echo 0 > ${LDSTAT} echo "Logical drives - all ok" >> $LOGFILE fi done < /etc/zabbix/scripts/sort.log } # Execute echo "${VER} started" runroot nocont ldstatus pdstatus
vi a script called zx_raid_status_pdstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
#!/bin/sh # This is the second stage run by zabbix to get the last physical disk error count # Changelog # 0.1 Base version # Params # Our version VER="0.1" # Our files to read PDSTAT="/tmp/zx_pdstatus" cat ${PDSTAT}
vi a script called zx_raid_status_ldstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save
#!/bin/sh # This is the second stage run by zabbix to get the last logical disk error count # Changelog # 0.1 Base version # Params # Our version VER="0.1" # Our files to read LDSTAT="/tmp/zx_ldstatus" cat ${LDSTAT}
You should have the following when done
svr1:/opt/temp # cd /etc/zabbix/scripts/ svr1:/etc/zabbix/scripts # ls -ltr total 6492 -rw-r--r-- 1 root root 1503 Mar 25 11:25 zx_raid_status.stage1.sh -rw-r--r-- 1 root root 242 Mar 25 11:25 zx_raid_status.pdstat.sh -rw-r--r-- 1 root root 241 Mar 25 11:25 zx_raid_status.ldstat.sh -rw-r--r-- 1 root root 6504897 Mar 25 11:27 hpacucli-9.0-24.0.noarch.rpm svr1:/etc/zabbix/scripts #
Make the scripts executable with chmod +x *.sh and set the owner to Zabbix
svr1:/etc/zabbix/scripts # chmod +x zx*.sh svr1:/etc/zabbix/scripts # chown zabbix:zabbix zx*.sh svr1:/etc/zabbix/scripts # ls -ltr zx*.sh -rwxr-xr-x 1 zabbix zabbix 1503 Mar 25 11:25 zx_raid_status.stage1.sh -rwxr-xr-x 1 zabbix zabbix 242 Mar 25 11:25 zx_raid_status.pdstat.sh -rwxr-xr-x 1 zabbix zabbix 241 Mar 25 11:25 zx_raid_status.ldstat.sh svr1:/etc/zabbix/scripts #
Run the file manually to make sure that it works - zx_raid_status.stage1.sh
svr1:/etc/zabbix/scripts # /etc/zabbix/scripts/zx_raid_status.stage1.sh 0.2 started zx_raidstatus: zx_raidstatus: logicaldrive 1 (279.4 GB, RAID 1): OK zx_raidstatus: logicaldrive 2 (1.1 TB, RAID 0): OK zx_raidstatus: logicaldrive 3 (1.4 TB, RAID 1+0): Failed zx_raidstatus: zx_raidstatus: 4 non-OK statuses being reported (logical disk) zx_raidstatus: zx_raidstatus: physicaldrive 2C:1:1 (port 2C:box 1:bay 1, 300 GB): OK zx_raidstatus: physicaldrive 2C:1:2 (port 2C:box 1:bay 2, 300 GB): OK zx_raidstatus: physicaldrive 2C:1:3 (port 2C:box 1:bay 3, 300 GB): OK zx_raidstatus: physicaldrive 2C:1:4 (port 2C:box 1:bay 4, 300 GB): OK zx_raidstatus: physicaldrive 3C:1:5 (port 3C:box 1:bay 5, 300 GB): OK zx_raidstatus: physicaldrive 3C:1:6 (port 3C:box 1:bay 6, 300 GB): OK zx_raidstatus: physicaldrive 3C:1:7 (port 3C:box 1:bay 7, 300 GB): Failed zx_raidstatus: physicaldrive 3C:1:8 (port 3C:box 1:bay 8, 300 GB): Failed zx_raidstatus: physicaldrive 4C:2:1 (port 4C:box 2:bay 1, 300 GB): OK zx_raidstatus: physicaldrive 4C:2:2 (port 4C:box 2:bay 2, 300 GB): OK zx_raidstatus: physicaldrive 4C:2:3 (port 4C:box 2:bay 3, 300 GB): OK zx_raidstatus: physicaldrive 4C:2:4 (port 4C:box 2:bay 4, 300 GB): Failed zx_raidstatus: physicaldrive 5C:2:5 (port 5C:box 2:bay 5, 300 GB): OK zx_raidstatus: physicaldrive 5C:2:6 (port 5C:box 2:bay 6, 300 GB): OK zx_raidstatus: physicaldrive 5C:2:7 (port 5C:box 2:bay 7, 300 GB): OK zx_raidstatus: physicaldrive 5C:2:8 (port 5C:box 2:bay 8, 300 GB): Failed zx_raidstatus: zx_raidstatus: 4 non-OK statuses being reported (physical disk) svr1:/etc/zabbix/scripts #
Add the following line to the root crontab, this line will run the script every 5 min and write logfiles to /tmp, The logfiles in /tmp will contain the number of errors on the disks
*/5 * * * * /etc/zabbix/scripts/zx_raid_status.stage1.sh > /dev/null 2>&1
svr1:/etc/zabbix/scripts # crontab -l # DO NOT EDIT THIS FILE - edit the master and reinstall. # (/tmp/crontab.XXXXIM2c9I installed on Mon Mar 25 11:37:16 2013) # (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $) */5 * * * * /etc/zabbix/scripts/zx_raid_status.stage1.sh > /dev/null 2>&1 svr1:/etc/zabbix/scripts #
Change the Zabbix config file
svr1:/etc/zabbix/scripts # vi /etc/zabbix/zabbix_agentd.conf
and add this to the bottom of the file
UserParameter=raid.lderror,/etc/zabbix/scripts/zx_raid_status.ldstat.sh
UserParameter=raid.pderror,/etc/zabbix/scripts/zx_raid_status.pdstat.sh
svr1:/etc/zabbix/scripts # tail /etc/zabbix/zabbix_agentd.conf #UserParameter=mysql.qps,mysqladmin -uroot status|cut -f9 -d":" #UserParameter=mysql.version,mysql -V UserParameter=raid.lderror,/etc/zabbix/scripts/zx_raid_status.ldstat.sh UserParameter=raid.pderror,/etc/zabbix/scripts/zx_raid_status.pdstat.sh svr1:/etc/zabbix/scripts #
Stop and start the Zabbix agent
svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent stop Shutdown may take a while.... Shutting down zabbix_agent: done svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent start Starting zabbix_agent: done svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent status Zabbix agent running(PID): 16290 16291 16292 16293 16294 svr1:/etc/zabbix/scripts #
The ITEMS and TRIGGERS are setup on the Zabbix server as follow
Subscribe to:
Posts (Atom)