@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r 3650 :)

One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.

Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-cert

Thanks this pointed me in the right direction, a useful guide coming soon

@scottalanmiller said in Install Alfresco Community Edition On Ubuntu 17.04:

@stacksofplates said in Install Alfresco Community Edition On Ubuntu 17.04:

@scottalanmiller said in Install Alfresco Community Edition On Ubuntu 17.04:

@nashbrydges said in Install Alfresco Community Edition On Ubuntu 17.04:

@scottalanmiller Just testing it out for now but so far so good. I had a client ask me for a good document management solution that wouldn't break the bank and could be hosted locally so I immediately thought of this. I've given him access to see if this could work and from the sounds of his feedback, he might want it setup.

Cool, would be good to see some threads on it. Been so long since I've used it.

I use the hosted one. They gave you 10GB for free. Idk if they still do that or not.

I didn't even know that they did hosted.

Ya the free one didn't seem advertised much. I'll have to see if I can find a sign up link again.

Thanks @JaredBusch this will be a huge help! I'll give this a try later this evening when I'm back.

@black3dynamite said in Problem with Nginx conf file:

Comparing the two configs

CRM under location / does not have this:
proxy_set_header X-Forwarded-Proto $scheme;

That probably went missing when I was troubleshooting. I was copy pasting in pieces and removing them trying to figure out why it was not working.

@JaredBusch said in Looking for how-to on setting up a proxy:

server {
client_max_body_size 40M;
listen 80;
server_name support.bundystl.com;
rewrite ^ https://$server_name$request_uri? permanent;
}

Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing...

server { client_max_body_size 40M; listen 80; server_name support.bundystl.com; rewrite ^ https://$server_name$request_uri? permanent; }

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

@travisdh1 said in SSL between a proxy and its target:

@Dashrender said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

It's industry standard public/private key encryption, so shouldn't be an issue.

You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.

I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild :(

Location matters very little. I would stick to the standards.

@nashbrydges said in Installing RocketChat on Ubuntu 16.10 with Snaps:

@scottalanmiller I had this running when I was testing it out vs. Mattermost but one thing I've discovered with Mattermost is that, when you post a message with an attachment, deleting the message does NOT delete the attachment. The file is forever on your server. Yep, that's true. It never deletes the file. So now I'm back to looking at Rocket.Chat and wonder if it also does the same thing. Does anyone know?

Never looked into that behaviour. Interesting question.

@Dashrender said:

Have you done any reading on Carousel? Something about ads being faster - though some are saying that it reduces choice...

Nope, and a quick search I cannot even turn up what you are referring to.

That's a standard systemctl cannot start message. And it is just telling you that you need to tail /var/log/messages to see what the error was.

You can take them as arguments when you first run the script, that is the more "UNIX" way. Or you can prompt for them as you go.

@JaredBusch They are just looking for me to automate the process. I can use any automation tool or language.

@coliver said in Problems with Exchange 2010 and NginX reverse proxy:

@JaredBusch said in Problems with Exchange 2010 and NginX reverse proxy:

[10:54 jbusch ~]$ sudo dnf copr enable a15/NGINX-extras [sudo] password for jbusch: You are about to enable a Copr repository. Please note that this repository is not part of the main Fedora distribution, and quality may vary. The Fedora Project does not exercise any power over the contents of this repository beyond the rules outlined in the Copr FAQ at <https://fedorahosted.org/copr/wiki/UserDocs#WhatIcanbuildinCopr>, and packages are not held to any quality or security level. Please do not file bug reports about these packages in Fedora Bugzilla. In case of problems, contact the owner of this repository. Do you want to continue? [y/N]:

Well at least you are adequately warned.

That was on my Fedora 25 (Korora) desktop. SO I know I cannot install it anyway.

@travisdh1 said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

Any updates to this?

Use Certbot never this method. keep your life simpler.

Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

When my system came up for renew after certbot was out, I installed certbot and renewed that way. everything is in the same pace. nothing had to be changed in the config files.

@anonymous said:

I think I will have to port forward the relay port to the ScreenConnect server?

From the reading I have done, yes. That connection is not SSL, but pre encrypted by ScreenConnect itself.

@johnhooks said:

semanage port -m -t http_port_t -p tcp 4567

I had to add semanage first but then it worked.

@scottalanmiller said:

That Facebook is using HHVM in production makes me a little more comfortable with it.

True, but I would guess that Facebook's application runs mostly on code that Facebook is responsible for maintaining. On the other hand, most WordPress websites have at least a couple of third party plugins and/or themes and those usually assume you're running on PHP 5 so there's a higher chance of stuff like this happening.

Probably wouldn't be an issue very often but I would be more paranoid about updates breaking things if I were running HHVM in production.

More advanced load balancing appears to be the biggest feature.

@Ambarishrh said:

@JaredBusch Nice! was not aware of that, so CentOs already switched to MariaDB? :)

Yes. RHEL = CentOS.

@technobabble said:

And found out that it's pronounced Engine X.

Lol. Yup.

I think this thread must have picked up a few buzzwords along the way. Buzz word. Buzzword. Buzzy fuzzy word...

It seems to me like the new iproute2 tools are more powerful, at least according to some articles I've seen... and they have been around since 1999 according to Wikipedia, lol.