• Testing SnipeIT on Fedora

    62
    0 Votes
    62 Posts
    12k Views
    hobbit666H

    @jaredbusch Thanks
    Must have been a setting I was missing in my NGINX conf file. Made it look more like yours and I'm working 🙂

  • Ubuntu Questions

    8
    0 Votes
    8 Posts
    750 Views
    dafyreD

    @jaredbusch said in Ubuntu Questions:

    @dafyre said in Ubuntu Questions:

    If your Subnet is 255.255.255.224, then that's not going to work... The math works out to where you have two usable IP addresses with that subnet.

    Check and make sure you have the subnet mask right.

    .224 is not 2 IP addresses. That is a /27 with 32 IP addresses in the block with 30 usable (one of which is the gateway) in the traditional method of ISP handoff. But that is also not what he has. See the other post.

    You are indeed correct. Some dummy didn't use his cheating tools correctly yesterday.

  • Download Win10 Enterprise ISO?

    7
    0 Votes
    7 Posts
    740 Views
    JaredBuschJ

    @pete-s They can.

  • default router er-3 lite

    10
    0 Votes
    10 Posts
    905 Views
    JaredBuschJ

    Here is an ER4 I have with this scenario.

    AT&T WAN: 12.X.X.70/30
    AT&T Gateway: 12.X.X.69/30
    AT&T Routed Block: 12.X.X.240/29 (My IP addresses)
    My LAN: 10.1.1.0/24

    Interface setup:

    interfaces {
        ethernet eth0 {
            address 12.X.X.70/30
            description "AT&T FIber"
            duplex full
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            speed 100
        }
        ethernet eth1 {
            address 10.1.1.1/24
            address 10.204.1.1/24
            description "St Charles LAN"
            duplex auto
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            speed auto
            vif 5 {
                address 10.204.5.1/24
                description "Guest WiFi"
                mtu 1500
            }
        }
        ethernet eth2 {
            duplex auto
            speed auto
        }
        ethernet eth3 {
            duplex auto
            speed auto
        }
    }

    System:

    system {
        gateway-address 12.X.X.69
    }

    Service-> Nat:

    nat {
        rule 1 {
            description "Forward Telnet from Epicor"
            destination {
                group {
                    address-group ATT242
                }
                port 23
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.250
                port 23
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
            type destination
        }
        rule 2 {
            description "Forward RDP from Epicor"
            destination {
                group {
                    address-group ATT242
                }
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.12
                port 3389
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
            type destination
        }
        rule 3 {
            description "Allow SMTP from Google"
            destination {
                group {
                    address-group ATT242
                }
                port 25
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.5
                port 25
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group Google_SMTP_Networks
                }
            }
            type destination
        }
        rule 4 {
            description "Allow SMTP from Google"
            destination {
                group {
                    address-group ATT242
                }
                port 587
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.5
                port 587
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group Google_SMTP_Networks
                }
            }
            type destination
        }
        rule 5 {
            description "Inboud PBX traffic"
            destination {
                group {
                    address-group PBX_Outside
                }
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.30
            }
            log disable
            protocol all
            source {
                group {
                }
            }
            type destination
        }
        rule 6 {
            description "Inbound Web Traffic"
            destination {
                group {
                    address-group ATT242
                    port-group Web_Ports
                }
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.22
            }
            log disable
            protocol tcp
            source {
                group {
                }
            }
            type destination
        }
        rule 5900 {
            description "PBX Traffic"
            log disable
            outbound-interface eth0
            outside-address {
                address 12.X.X.244
            }
            protocol all
            source {
                group {
                    address-group PBX_Inside
                }
            }
            type source
        }
        rule 5997 {
            description LAN
            log disable
            outbound-interface eth0
            outside-address {
                address 12.X.X.242
            }
            protocol all
            source {
                address 10.1.1.0/24
                group {
                }
            }
            type source
        }
        rule 5998 {
            description "Public WiFI"
            log disable
            outbound-interface eth0
            outside-address {
                address 12.X.X.243
            }
            protocol all
            source {
                address 10.204.5.0/24
                group {
                }
            }
            type source
        }
        rule 5999 {
            description "Default NAT Masquerade"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }

    Firewall Groups:

    firewall {
        group {
            address-group ATT242 {
                address 12.X.X.242
                description "AT&T IP 242"
            }
            address-group ATT243 {
                address 12.X.X.243
                description "AT&T IP 243"
            }
            address-group EpicorIPAddr {
                address 159.66.236.224
                address 159.66.234.224
                description "Epicor IP Addresses"
            }
            address-group Exchange_Servers {
                address 10.1.1.5
                description "Internal Exchange Servers"
            }
            address-group Internal_Web {
                address 10.1.1.22
                description "Internal Webservers"
            }
            address-group PBX_Inside {
                address 10.1.1.30
                description "Phone System Internal IP"
            }
            address-group PBX_Outside {
                address 12.X.X.244
                description "Phone System External IP"
            }
            network-group Google_SMTP_Networks {
                description "Networks used by Google to send SMTP"
                network 216.239.32.0/19
                network 209.85.128.0/17
                network 173.194.0.0/16
                network 74.125.0.0/16
                network 72.14.192.0/18
                network 66.249.80.0/20
                network 66.102.0.0/20
                network 64.233.160.0/19
                network 64.18.0.0/20
                network 207.126.144.0/20
            }
            network-group Private_LAN {
                description "Private LAN Networks"
                network 10.204.0.0/16
            }
            port-group SMTP_Ports {
                description "Ports used for SMTP"
                port 25
                port 587
            }
            port-group Web_Ports {
                description "Inbound Web Ports"
                port 80
                port 443
            }
        }
    }

  • Best way to backup big data...

    12
    0 Votes
    12 Posts
    1k Views
    1

    @stacksofplates said in Best way to backup big data...:

    We use Exagrids and tape. Though for only 45TB you could just build a box and Colo it. RHEL/CentOS now have VDO support so you get dedupe and compression on those volumes.

    A Supermicro box with 24 8TB drives is around $13K. That's around 90TB in RAID 10. I don't know pricing for smaller because we build with those. But it shouldn't be too expensive to build your own and ship it off-site.

    If it's large files like raw video then compression and deduplication are unfortunately of very limited use.

    We just use a standard Supermicro 4U server with 24x3.5" drive bays. Running software RAID-6 with very modest hardware specs we have 250MB/s sustained write and 700MB/s read. More than enough to saturate a dual gigabit network link.

    Two RAID-6 arrays with twelve 3.5" 10TB enterprise drives in each will give you around 200TB of storage. Or perhaps three RAID-6 arrays with 8 drives in each giving you about 180TB.

    The most money in this type of config will be in the drives themselves. 10TB Seagate Exos X10 are about $330 each so 24 drives is $8K.

  • Do you schedule shutdown for your PoE WiFi APs ?

    12
    1 Votes
    12 Posts
    1k Views
    wrx7mW

    I have 17 Ruckus R610 APs and they only get rebooted when new firmware is applied.

  • Azulle mini pc: experience

    17
    0 Votes
    17 Posts
    1k Views
    1

    @fateknollogee
    I don't have experience with that particular brand but have used Intel's NUCs in a number of different applications.

    I think the CPU is too weak on that one. Intel have a couple of NUC models that are priced similarly and some with bundled Win10 and memory / HDD so I would have a look at those. Look for instance at the older model with the J3455 CPU.

  • 0 Votes
    8 Posts
    6k Views
    sully93S

    We have both the Dell USB-C docks and a couple of the Thunderbolt models. So far we have had no problem with the USB-C. I even use one for my machine. The Thunderbolts were a bit problematic around the first part of 2017, but after several firmware updates they seem to have stabilized.

  • Windows 10: telegram, messenger, skype

    9
    0 Votes
    9 Posts
    408 Views
    black3dynamiteB

    @stacksofplates said in Windows 10: telegram, messenger, skype:

    @black3dynamite said in Windows 10: telegram, messenger, skype:

    @stacksofplates said in Windows 10: telegram, messenger, skype:

    @StorageNinja uses Franz. No idea how well it works.

    So far Telegram, Skype, and messenger work. When setting up messenger, I get a review recent login prompt and it shows Chrome for Linux. Does that mean Franz is built off of Chrome?

    I think it's an Electron app, so it's Chrome under the hood.

    That makes sense now. Because I only see this message when using Skype from a browser.

  • Fedora: VeraCrypt

    13
    0 Votes
    13 Posts
    1k Views
    scottalanmillerS

    @gjacobse said in Fedora: VeraCrypt:

    @scottalanmiller said in Fedora: VeraCrypt:

    @gjacobse said in Fedora: VeraCrypt:

    @scottalanmiller said in Fedora: VeraCrypt:

    Normally I think everyone uses the built in encryption instead.

    I'm not familiar with that, and will it work cross platform?

    No, it's full disk.

    Not looking for - nor do I currently need FDE -

    That's why no one uses VeraCrypt, though. Full disk is built in and just a check box.

  • Google Sites - The Good The bad

    7
    1 Votes
    7 Posts
    491 Views
    gjacobseG

    Found another annoyance with Google Sites and the attached email..

    Send mail limits.... Ugh.. Like I now have to send more than two emails to get through my notification list. That is unacceptable. Yes, I know I could use something like MailChimp or similar.. but I don't have the free time to put into that right now. And if I move off of G-Sites to hosted.. would that be an issue any longer?
    sigh

    eta

    I should add - that is PER DAY... so... Ugh... two days to cover the list.

  • PRTG Alternative...

    26
    0 Votes
    26 Posts
    2k Views
    stacksofplatesS

    I just looked. The only place to add comments with Alertmanager is when an alert is silenced. I looked in Grafana as well and that might be of use. Grafana will let you set alerts on specific metrics and then you can set annotations on those alerts. Here's a sample graph with alerts (they're the red dotted line).


    You can click on the alert and give an annotation.


    Then when you hover over the alert you can see the annotations and tags.


  • Website hosting: Which direction to go

    44
    0 Votes
    44 Posts
    5k Views
    black3dynamiteB

    @phlipelder said in Website hosting: Which direction to go:

    I'm in the process of figuring out how to set up Wiki.js on Ubuntu running in Azure with a MongoDB backend and Apache fronting for SSL.

    MongoDB will be phased out in Wiki.js 2.0.0
    https://github.com/Requarks/wiki

  • 1 Votes
    2 Posts
    793 Views
    momurdaM

    This would work on on-prem Exchange. Probably works with a tweak for O365.
    Get-Mailbox | Get-InboxRule | Remove-InboxRule

  • Linux: Dropbox Headless

    11
    0 Votes
    11 Posts
    1k Views
    F

    The daemon is written in Python and takes forever to rebuild the db if you restart it… I had ~1Tb in 2 million files. The thing is, it keeps track of the file chunks of every file… sort of joins object storage and file storage together. Very bandwidth efficient, but horrible on CPU and I/O. I switched to Nextcloud, which lacks that feature, but it's much faster and flexible.

  • Looking to migrate Nginx and LetsEncrypt

    19
    3 Votes
    19 Posts
    2k Views
    JaredBuschJ

    @stacksofplates said in Looking to migrate Nginx and LetsEncrypt:

    @jaredbusch said in Looking to migrate Nginx and LetsEncrypt:

    @stacksofplates said in Looking to migrate Nginx and LetsEncrypt:

    If you start over with a new system do you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet.

    No. It is handled on the cert serial number level.

    Ah ok.

    I've moved things in the past by simply reissuing on the new server, and dealing with the expiring certs is an annoyance.

  • Barracuda vs Meraki - firewalls

    51
    0 Votes
    51 Posts
    6k Views
    scottalanmillerS

    Most "hot new things" apply to existing technology. It's extremely rare that a new industry term arises before (or with) the invention of something. It's normally more a recognition of something that's been created. SaaS for example arose as a term decades after the idea was pioneered and at least five years after it was mainstream. But it doesn't make the things that predate the name not SaaS, it's just a super broad term.

  • Bringing up a Win10 VM on Fedora 28 Cinnamon Desktop

    42
    2 Votes
    42 Posts
    6k Views
    JaredBuschJ

    @obsolesce said in Bringing up a Win10 VM on Fedora 28 Cinnamon Desktop:

    @irj said in Bringing up a Win10 VM on Fedora 25 Cinnamon Desktop:

    @obsolesce said in Bringing up a Win10 VM on Fedora 25 Cinnamon Desktop:

    @irj said in Bringing up a Win10 VM on Fedora 25 Cinnamon Desktop:

    Do I need virtio drivers if I have already installed spice tools? I am a little confused about the difference between the two. Because when I installed Spice Tools, it installed drivers for various components...

    Spice Tools seems to work better.

    Maybe update the OP to say it is best to install Spice Tools, but if you need to manually install virtio drivers, here are the steps....

    Oh just realized this was my thread. Will do.

    Edit: Yeah this is a little outdated. I'll fix it up. It's hard to keep all of my posts up to date... rather impossible.

    If it is a significant change, I like to make a new one referring back to the original.

  • 0 Votes
    49 Posts
    6k Views
    JaredBuschJ

    @xylems said in Errors Building Guacamole Server on Fedora 28:

    @travisdh1 step-by-step guide for the entire guacamole installation?

    Definitely make it two parts, preferably two posts. Post one for setting up Guac. Post 2 for setting up LDAP.

    Something like this format https://mangolassi.it/topic/16471/install-bookstack-on-fedora-27
    Or this: https://mangolassi.it/topic/16380/install-nextcloud-13-0-0-on-fedora-27

  • Is RD Gateway useful?

    30
    0 Votes
    30 Posts
    2k Views
    pmonchoP

    @flaxking said in Is RD Gateway useful?:

    Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

    Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.

    You can add RDPGuard to the RDS server too.

    Although, like @travisdh1 stated, put HTTPS in front and you're all good. I use an SSL-VPN myself.