Stunnel can run multiple ips and certs in one instance

Apparently only the newer versions can do this, 4.15+, but the concept is simple:

setuid          = stunnel
setgid          = stunnel
debug           = 5
output          = /var/log/stunnel/stunnel.log
pid             = /var/run/stunnel/stunnel.pid
socket          = l:TCP_NODELAY=1
ciphers         = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
options         = NO_SSLv2

[https-site1]
accept          = 10.0.0.1:443
cert            = /etc/pki/tls/certs/site1.pem
connect         = 10.0.0.101:80
TIMEOUTclose    = 0

[https-site2]
accept          = 10.0.0.2:443
cert            = /etc/pki/tls/certs/site2.pem
connect         = 10.0.0.102:80
TIMEOUTclose    = 0

This is much better than running multiple instances of stunnel.

For what it’s worth, if you enable a log file, it’ll turn off sys logging, which is critical for extreme performance. Keep the debug level low. For https, disable v2 and set the cipher list the right way.

Expect script to print out IronPort config, showconfig

Logging this here for easy fetching later.

#!/usr/bin/expect

set timeout 30

spawn ssh USERNAME@HOSTNAME
expect_after eof { exit 0 }

## interact with SSH
expect {
  "yes/no" { send "yes\r" }
  -re ".assword:" { send "PASSWORD\r" }
}

expect "> " { send "showconfig\r" }
expect "> " { send "Y\r" }
expect "Press Any Key For More" { send "\r" }
set timeout 2
while 1 {
  expect {
      "Press Any Key For More" { send "\r" }
      timeout break
  }
}

expect "> " { send "exit\r" }

Make a Private/Public Key Pair, Self Signed, No Password

This is take straight from http://devsec.org/info/ssl-cert.html. I’m getting it on my blog, as a reference to myself, so I can make a key pair quickly in the future.

Make a new ssl private key:

* Generate a new unencrypted rsa private key in PEM format:

openssl genrsa -out privkey.pem 2048

You can create an encrypted key by adding the -des3 option.

#
To make a self-signed certificate:

* Create a certificate signing request (CSR) using your rsa private key:

openssl req -new -key privkey.pem -out certreq.csr

( This is also the type of CSR you would create to send to a root CA for them to sign for you. )

* Self-sign your CSR with your own private key:

openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem

openldap-2.3 on CentOS5 Tutorial

I had to get a dummy openldap setup that had “mail” as one of it’s attributes for the records. I specifically needed all the records to live in the root ou, meaning no Organizational Units, just the root, then all the records. Like this:

dn: cn=1,dc=example,dc=com
cn: 1
objectClass: top
objectClass: dkuser
mail: someemail1@somedomain1.com
mailHost: somesmtphostname1:25

dn: cn=2,dc=example,dc=com
cn: 2
objectClass: top
objectClass: dkuser
mail: someemail2@somedomain2.com
mailHost: somesmtphostname2:25

…. and so on.

It was hard to find a step by step instruction set. So, in this tutorial, I’ll give you command by command steps to install, configure and load openldap on a CentOS5 OS.

First, install the packages with Yum:

yum install openldap openldap-clients openldap-servers nss_ldap python-ldap

Next, set ldap to run at system startup time:

/sbin/chkconfig ldap on

Next, get your password for slapd.conf:

cd /etc/openldap/
/usr/sbin/slappasswd

…. it’ll prompt you for a new password, type it twice. All it does is spit out a password that you can copy paste into slapd. Looks like this:

New password:
Re-enter new password:
{SSHA}zskkuz1hd90SyXA4y+zN4AA0FBQorVEd

Read more

Load Balancing Techniques

Load balancing is a term that describes a method to distribute incoming socket connections to different servers. It’s not distributed computing, where jobs are broken up into a series of sub-jobs, so each server does a fraction of the overall work. It’s not that at all. Rather, incoming socket connections are spread out to different servers. Each incoming connection will communicate with the node it was delegated to, and the entire interaction will occur there. Each node is not aware of the other nodes existence.

Why do you need load balancing?
Simple answer: Scalability and Redundancy.

Scalability

If your application becomes busy, resource limits, such as bandwidth, cpu, memory, disk space, disk I/O, and more may reach its limits. In order to remedy such problem, you have two options: scale up, or scale out. Load balancing is a scale out technique. Rather than increasing server resources, you add cost effective, commodity servers, creating a “cluster” of servers that perform the same task. Scaling out is more cost effective, because commodity level hardware provides the most bang for the buck. High end super computers come at a premium, and can be avoided in many cases.

Redundancy

Servers crash, this is the rule, not the exception. Your architecture should be devised in a way to reduce or eliminate single points of failure (SPOF). Load balancing a cluster of servers that perform the same role provides room for a server to be taken out manually for maintenance tasks, without taking down the system. You can also withstand a server crashing. This is called High Availability, or HA for short. Load balancing is a tactic that assists with High Availability, but is not High Availability by itself. To achieve high availability, you need automated monitoring that checks the status of the applications in your cluster, and automates taking servers out of rotation, in response to failure detected. These tools are often bundled into Load Balancing software and appliances, but sometimes need to be programmed independently.

How to perform load balancing?

There are 3 well known ways:

  1. DNS based
  2. Hardware based
  3. Software based

Read more

hadoop-0.18.3 Could not create the Java virtual machine

Installed hadoop on a VM, and needed to set the java heap size, -Xmx1000m, lower than the default 1000 to get it to work.  I set the HADOOP_HEAPSIZE var in the conf/hadoop-env.sh dir to the lower value, but hadoop continued to spit out this error:

# hadoop -help
Could not create the Java virtual machine.
Exception in thread "main" java.lang.NoClassDefFoundError: Could_not_reserve_enough_space_for_object_heap
Caused by: java.lang.ClassNotFoundException: Could_not_reserve_enough_space_for_object_heap
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
Could not find the main class: Could_not_reserve_enough_space_for_object_heap.  Program will exit.

Didn’t matter what I set the HADOOP_MAXHEAP to, the problem persisted. I never did find the answer online, so figured I do the world a favor today and make a note about how to fix it. Maybe I’ll save someone else the 2 hours it took me to figure this out!

THE SOLUTION:

Read more