I ⊕ THINGS: November 2015

Saturday, November 21, 2015

Varnish 4.1 + Hitch SSL/TLS Termination via PROXY protocol default.vcl for Drupal 7

Hitch (https://hitch-tls.org/) config. The [] on ipv4 are weird but necessary! The pem file needs to be cat'd in following order: privkey cert intermediates dhparameter

# Listening
frontend = "[xxx.xxx.xxx.xxx]:443"
ciphers  = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Send traffic to the varnish backend
backend        = "[192.168.104.8]:80"
#use PROXY protocol
write-proxy-v2 = on
pem-file = "/etc/ssl/private/mysite.com.pem"

Information on PROXY protocol: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Varnish needs to be called with:

varnishd -a :80,PROXY -T localhost:6082 -f /etc/varnish/default.vcl.......

Varnish default.vcl:

vcl 4.0;

import std;

backend default {

.host = "127.0.0.1";

.port = "81";

}

sub vcl_recv {

# Use anonymous, cached pages if all backends are down.

if (!std.healthy(req.backend_hint)) {

unset req.http.Cookie;

}

# Do not cache these paths.

if (req.url ~ "^/status\.php$" ||

req.url ~ "^/update\.php$" ||

req.url ~ "^/admin$" ||

req.url ~ "^/admin/.*$" ||

req.url ~ "^/flag/.*$" ||

req.url ~ "^.*/ajax/.*$" ||

req.url ~ "^.*/ahah/.*$") {

return (pass);

}

# Always cache the following file types for all users.

if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {

unset req.http.Cookie;

}

# Remove all cookies that Drupal doesn't need to know about.

if (req.http.Cookie) {

set req.http.Cookie = ";" + req.http.Cookie;

set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");

set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");

set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");

set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

if (req.http.Cookie == "") {

unset req.http.Cookie;

}

else {

return (pass);

}

# Set a header to track a cache HIT/MISS.

sub vcl_deliver {

if (obj.hits > 0) {

set resp.http.X-Varnish-Cache = "HIT";

}

else {

set resp.http.X-Varnish-Cache = "MISS";

}

sub vcl_backend_response {

if (beresp.status == 404 || beresp.status == 301 || beresp.status == 500) {

set beresp.ttl = 10m;

}

if (bereq.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {

unset beresp.http.set-cookie;

}

# Allow items to be stale if needed.

set beresp.grace = 6h;

}

# In the event of an error, show friendlier messages.

sub vcl_backend_error {

set beresp.http.Content-Type = "text/html; charset=utf-8";

synthetic({"

<html>

<head>

<title>Page Unavailable</title>

<style>

body { background: #303030; text-align: center; color: white; }

#page { border: 1px solid #CCC; width: 500px; margin: 100px auto 0; padding: 30px; background: #323232; }

a, a:link, a:visited { color: #CCC; }

.error { color: #222; }

</style>

</head>

<h1 class="title">Page Unavailable</h1>

<p>The page you requested is temporarily unavailable.</p>

<p>We're redirecting you to the <a href="/">homepage</a> in 5 seconds.</p>

<div class="error">(Error "} + beresp.status + " " + beresp.reason + {")</div>

</div>

</body>

</html>

"});

return (deliver);

}

sub vcl_synth {

set resp.http.Content-Type = "text/html; charset=utf-8";

synthetic({"

<html>

<head>

<title>Page Unavailable</title>

<style>

body { background: #303030; text-align: center; color: white; }

#page { border: 1px solid #CCC; width: 500px; margin: 100px auto 0; padding: 30px; background: #323232; }

a, a:link, a:visited { color: #CCC; }

.error { color: #222; }

</style>

</head>

<h1 class="title">Page Unavailable</h1>

<p>The page you requested is temporarily unavailable.</p>

<p>We're redirecting you to the <a href="/">homepage</a> in 5 seconds.</p>

<div class="error">(Error "} + resp.status + " " + resp.reason + {")</div>

</div>

</body>

</html>

"});

return (deliver);

}

How to set permissions on thousands of files in a AWS S3 bucket using s3cmd

We use xargs to run parallel processes, flag P specifies number of processes.
First we get all paths on S3+Filenames

s3cmd --recursive ls s3://mys3bucket/ | awk -F' ' '{print $4;}' | sort | uniq > paths.txt

Then we set permissions, in this case we set them to public, adjust for what you need!

cat paths.txt | xargs -P20 -I% s3cmd setacl --acl-public "%"

Friday, November 20, 2015

a working Varnish 4.1 VCL config for Drupal 7

vcl 4.0;

import std;

backend default {

.host = "127.0.0.1";

.port = "81";

}

sub vcl_recv {

# Use anonymous, cached pages if all backends are down.

if (!std.healthy(req.backend_hint)) {

unset req.http.Cookie;

}

if (req.restarts == 0) {

if (req.http.x-forwarded-for) {

set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;

}

else {

set req.http.X-Forwarded-For = client.ip;

}

# Do not cache these paths.

if (req.url ~ "^/status\.php$" ||

req.url ~ "^/update\.php$" ||

req.url ~ "^/admin$" ||

req.url ~ "^/admin/.*$" ||

req.url ~ "^/flag/.*$" ||

req.url ~ "^.*/ajax/.*$" ||

req.url ~ "^.*/ahah/.*$") {

return (pass);

}

# Always cache the following file types for all users. This list of extensions

# appears twice, once here and again in vcl_backend_response so make sure you edit both

# and keep them equal.

if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {

unset req.http.Cookie;

}

# Remove all cookies that Drupal doesn't need to know about. We explicitly

# list the ones that Drupal does need, the SESS and NO_CACHE. If, after

# running this code we find that either of these two cookies remains, we

# will pass as the page cannot be cached.

if (req.http.Cookie) {

# 1. Append a semi-colon to the front of the cookie string.

# 2. Remove all spaces that appear after semi-colons.

# 3. Match the cookies we want to keep, adding the space we removed

# previously back. (\1) is first matching group in the regsuball.

# 4. Remove all other cookies, identifying them by the fact that they have

# no space after the preceding semi-colon.

# 5. Remove all spaces and semi-colons from the beginning and end of the

# cookie string.

set req.http.Cookie = ";" + req.http.Cookie;

set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");

set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");

set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");

set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

if (req.http.Cookie == "") {

# If there are no remaining cookies, remove the cookie header. If there

# aren't any cookie headers, Varnish's default behavior will be to cache

# the page.

unset req.http.Cookie;

}

else {

# If there is any cookies left (a session or NO_CACHE cookie), do not

# cache the page. Pass it on to Apache directly.

return (pass);

}

# Set a header to track a cache HIT/MISS.

sub vcl_deliver {

if (obj.hits > 0) {

set resp.http.X-Varnish-Cache = "HIT";

}

else {

set resp.http.X-Varnish-Cache = "MISS";

}

# Code determining what to do when serving items from the Apache servers.

# beresp == Back-end response from the web server.

sub vcl_backend_response {

# We need this to cache 404s, 301s, 500s. Otherwise, depending on backend but

# definitely in Drupal's case these responses are not cacheable by default.

if (beresp.status == 404 || beresp.status == 301 || beresp.status == 500) {

set beresp.ttl = 10m;

}

# Don't allow static files to set cookies.

# (?i) denotes case insensitive in PCRE (perl compatible regular expressions).

# This list of extensions appears twice, once here and again in vcl_recv so

# make sure you edit both and keep them equal.

if (bereq.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {

unset beresp.http.set-cookie;

}

# Allow items to be stale if needed.

set beresp.grace = 6h;

}

# In the event of an error, show friendlier messages.

sub vcl_backend_error {

# Redirect to some other URL in the case of a homepage failure.

#if (bereq.url ~ "^/?$") {

# set beresp.status = 302;

# set beresp.http.Location = "http://backup.example.com/";

# Otherwise redirect to the homepage, which will likely be in the cache.

set beresp.http.Content-Type = "text/html; charset=utf-8";

synthetic({"

<html>

<head>

<title>Page Unavailable</title>

<style>

body { background: #303030; text-align: center; color: white; }

#page { border: 1px solid #CCC; width: 500px; margin: 100px auto 0; padding: 30px; background: #323232; }

a, a:link, a:visited { color: #CCC; }

.error { color: #222; }

</style>

</head>

<h1 class="title">Page Unavailable</h1>

<p>The page you requested is temporarily unavailable.</p>

<p>We're redirecting you to the <a href="/">homepage</a> in 5 seconds.</p>

<div class="error">(Error "} + beresp.status + " " + beresp.reason + {")</div>

</div>

</body>

</html>

"});

return (deliver);

}

sub vcl_synth {

set resp.http.Content-Type = "text/html; charset=utf-8";

synthetic({"

<html>

<head>

<title>Page Unavailable</title>

<style>

body { background: #303030; text-align: center; color: white; }

#page { border: 1px solid #CCC; width: 500px; margin: 100px auto 0; padding: 30px; background: #323232; }

a, a:link, a:visited { color: #CCC; }

.error { color: #222; }

</style>

</head>

<h1 class="title">Page Unavailable</h1>

<p>The page you requested is temporarily unavailable.</p>

<p>We're redirecting you to the <a href="/">homepage</a> in 5 seconds.</p>

<div class="error">(Error "} + resp.status + " " + resp.reason + {")</div>

</div>

</body>

</html>

"});

return (deliver);

}

Saturday, November 21, 2015

Varnish 4.1 + Hitch SSL/TLS Termination via PROXY protocol default.vcl for Drupal 7

How to set permissions on thousands of files in a AWS S3 bucket using s3cmd

Friday, November 20, 2015

a working Varnish 4.1 VCL config for Drupal 7

Tags