Wednesday, September 14, 2016

Odoo 9 Apache2 Reverse Proxy SSL

Prerequisite: Apache2 enabled
Enable the required Apache2 modules
# a2enmod proxy_http headers remoteip rewrite
To enable Apache2 cache to disk
# a2enmod cache cache_disk
Edit Default Virtual Host for SSL
# vi /etc/apache2/sites-available/default-ssl.conf
...
ProxyRequests off
SSLProxyEngine on
SSLEngine on
RequestHeader set "X-Forwarded-Proto" "https"
SetEnv proxy-nokeepalive 1
# localhost can be replaced with 127.0.0.1
ProxyPass "/" "http://localhost:8069/"
ProxyPassReverse "/" "http://localhost:8069/"
ProxyErrorOverride off
...
Restart Apache2
# /etc/init.d/apache2 restart
Run Odoo for localhost only
# vi /etc/odoo/openerp-server.conf
...
proxy_mode = true
xmlrpc_interface = 127.0.0.1
...
Restart Odoo
# /etc/init.d/odoo restart
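
An added example, not part of the original post: a Python check that the Apache virtual host excerpt and the Odoo config agree on the setup above (loopback-only backend, X-Forwarded-Proto set, proxy_mode on). The function names and sample inputs are constructed, and the Odoo settings are assumed to sit under the `[options]` section.

```python
import configparser
import ipaddress
import re

def is_loopback(host):
    """True for localhost or a loopback IP; '' means all interfaces in Odoo."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(apache_vhost, odoo_conf):
    """Return findings for a vhost excerpt and an Odoo config, both as text."""
    findings = []
    # Apache directive names are case-insensitive; drop blanks and comments.
    lines = [s for s in map(str.strip, apache_vhost.splitlines())
             if s and not s.startswith("#")]
    backend = None
    for s in lines:
        m = re.match(r'proxypass\s+"?/"?\s+"?http://([^:/"\s]+)', s, re.I)
        if m:
            backend = m.group(1)
    if backend is None:
        findings.append("apache: no ProxyPass for / to an http:// backend")
    elif not is_loopback(backend):
        findings.append("apache: backend %s is not loopback" % backend)
    proto = r'requestheader\s+set\s+"?x-forwarded-proto"?\s+"?https"?\s*$'
    if not any(re.match(proto, s, re.I) for s in lines):
        findings.append("apache: X-Forwarded-Proto is not set to https")

    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(odoo_conf)
    opts = cp["options"] if cp.has_section("options") else {}
    if str(opts.get("proxy_mode", "")).strip().lower() not in ("true", "1"):
        findings.append("odoo: proxy_mode is not enabled")
    iface = str(opts.get("xmlrpc_interface", "")).strip()
    if not is_loopback(iface):
        findings.append("odoo: xmlrpc_interface %r is reachable without Apache" % iface)
    return findings

# Constructed inputs: the post's settings, then Odoo bound to all interfaces.
GOOD_VHOST = '''
RequestHeader set "X-Forwarded-Proto" "https"
ProxyPass "/" "http://localhost:8069/"
ProxyPassReverse "/" "http://localhost:8069/"
'''
GOOD_ODOO = "[options]\nproxy_mode = true\nxmlrpc_interface = 127.0.0.1\n"
BAD_ODOO = "[options]\nproxy_mode = true\nxmlrpc_interface = 0.0.0.0\n"

if __name__ == "__main__":
    print(audit(GOOD_VHOST, GOOD_ODOO), audit(GOOD_VHOST, BAD_ODOO))
```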
References:
  • https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html 
  • https://httpd.apache.org/docs/2.4/mod/mod_proxy.html 
  • http://www.wirasoenaryo.com/how-to-use-apache-as-reverse-proxy-on-odoo/ 
  • https://www.leaseweb.com/labs/2014/12/tutorial-apache-2-4-transparent-reverse-proxy/ 
  • https://www.odoo.com/forum/help-1/question/how-to-set-up-odoo-8-with-ssl-and-apache2-61282 
  • https://www.digitalocean.com/community/tutorials/how-to-configure-apache-content-caching-on-ubuntu-14-04

Debian Jessie: enabling Apache2 SSL using a self-signed key

Install apache2
# apt-get install apache2 openssl
Create a self-signed key
# mkdir -p /etc/ssl/localcerts
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
# chmod 600 /etc/ssl/localcerts/apache*
Edit Apache default SSL
# vi /etc/apache2/sites-available/default-ssl.conf
...
#SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile      /etc/ssl/localcerts/apache.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key
...
Create link to enable default-ssl.conf
# ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
Enable Apache SSL
# a2enmod ssl
Redirect all HTTP requests to HTTPS
# vi /etc/apache2/sites-available/000-default.conf 
...
#DocumentRoot /var/www/html # we don't need root document
...
# Redirect all requests; the host name can be replaced with an IP address.
Redirect permanent / https://www.example.com/
...
Restart Apache2
# /etc/init.d/apache2 restart
References:
  • https://wiki.debian.org/Self-Signed_Certificate
  • https://wiki.apache.org/httpd/RedirectSSL

Tuesday, August 30, 2016

Android Studio 2.1.3: failed to find Build Tools revision 24.0.1

Software
  • Android SDK Manager 25.1.7 (Stand Alone)
  • Android Studio 2.13
  • Oracle JDK 1.8.0_102
  • Windows 10 x64
If you change or upgrade the Android SDK Build-tools to the latest version, in my case from 24.0.1 to 24.0.2, your previous project may not compile or run properly. The error may look like this:
Error:A problem occurred configuring project ':app'.
> failed to find Build Tools revision 24.0.1
To fix it, do these:
  1. In the 1: Project tool window, change the view to Android
  2. Go to Gradle Scripts and open the Gradle script (Module:app)
  3. Change buildToolsVersion "24.0.1" to buildToolsVersion "24.0.2":
     ...
     android {
         compileSdkVersion 24
         buildToolsVersion "24.0.1"
     ...
  4. Sync your project


Wednesday, August 24, 2016

Fail2ban: optional regex filter

Optional regex filter:

SSH, edit or replace /etc/fail2ban/filter.d/sshd.conf or /etc/fail2ban/filter.d/sshd-ddos.conf

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$
^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
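
An added example, not part of the original post: fail2ban replaces the `<HOST>` tag in each failregex with a group that captures the offending address, and this Python script imitates that expansion to show which log lines four of the sshd rules would count against which address. The substitutions are simplified stand-ins for fail2ban's own, and the log lines are constructed.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions) for what fail2ban substitutes on load.
SUBST = {
    "%(__prefix_line)s": r"\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd(?:\[\d+\])?: ",
    "%(__md5hex)s": r"(?:[\da-f]{2}:){15}[\da-f]{2}",
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",  # IPv4 only here
}

# Four sshd rules from this post; <HOST> marks where the address is captured.
FAILREGEX = [
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?'
    r'(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s'
    r'(, client user ".*", client host ".*")?))?\s*$',
    r'^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$',
    r'^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$',
    r'^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$',
]

def expand(rule):
    """Replace the fail2ban tokens in one rule and compile the result."""
    for token, pattern in SUBST.items():
        rule = rule.replace(token, pattern)
    return re.compile(rule)

COMPILED = [expand(rule) for rule in FAILREGEX]

def scan(lines):
    """Return (failures per host, lines no rule matched)."""
    hits, unmatched = Counter(), []
    for line in lines:
        match = next(filter(None, (rx.search(line) for rx in COMPILED)), None)
        if match:
            hits[match.group("host")] += 1
        else:
            unmatched.append(line)
    return hits, unmatched

# Constructed auth.log lines using documentation address ranges.
SAMPLE_LOG = [
    "Aug 24 10:01:02 srv sshd[1234]: Invalid user admin from 203.0.113.5",
    "Aug 24 10:01:05 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52311 ssh2",
    "Aug 24 10:02:11 srv sshd[1301]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
    "Aug 24 10:02:15 srv sshd[1301]: Connection closed by 198.51.100.7 [preauth]",
    "Aug 24 10:03:00 srv sshd[1400]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2",
    # Same event as the first line but with a trailing port: the rule ends at <HOST>.
    "Aug 24 10:04:09 srv sshd[1502]: Invalid user test from 203.0.113.5 port 40111",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The last sample line goes unmatched because the "Invalid user" rule expects the line to end right after the address, which is why a filter should be tested against lines from the server's own log before it is relied on.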

Postfix-sasl, edit or replace /etc/fail2ban/filter.d/postfix-sasl.conf

^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
lost connection after AUTH from (.*)\[<HOST>\]

Postfix, edit or replace /etc/fail2ban/filter.d/postfix.conf


^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
connect from unknown\[<HOST>\]
disconnect from unknown\[<HOST>\]?$
statistics: max connection rate 1/60s for (smtp:<HOST>)?$
statistics: max connection rate 1 for (smtp:<HOST>)?$

ProFTP, edit or replace /etc/fail2ban/filter.d/proftpd.conf 

^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+.*$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password.*$
\(\S+\[<HOST>\]\)[: -]+ SSH2 session closed.

References:

  1. http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
  2. http://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh
  3. http://security.stackexchange.com/questions/10869/fail2ban-does-not-ban-failed-root-login-attempt
  4. http://serverfault.com/questions/681703/regex-for-multiple-sshd-received-disconnect-from-preauth
  5. https://github.com/fail2ban/fail2ban/pull/1206/files
  6. http://serverfault.com/questions/335983/postfix-connection-lost-after-auth

Saturday, August 20, 2016

Install Google Play Store into Genymotion Android 6

THIS PAGE IS OUT OF DATE. Genymotion is no longer provided for free.

Software:
  • VirtualBox 5.1.4
  • Genymotion 2.7.2 
  • Windows 10 build 10586
I need to build a PrintService application for a non-branded printer. I need to install some printer plugins from the Google Play Store to test how they work.
  1. Flash Genymotion-ARM-Translation_v1.1.zip and restart. Download: http://www.mirrorcreator.com/files/0ZIO8PME/Genymotion-ARM-Translation_v1.1.zip_links 
  2. Flash gapps-L-4-21-15.zip and reboot. Download: https://www.androidfilehost.com/?fid=96042739161891406 
  3. Configure genymotion virtual device: Network -> NAT (Default) and google sign in.
  4. Flash benzo-gapps-M-20151011-signed-chroma-r3.zip and reboot. Download https://www.androidfilehost.com/?fid=24052804347835438 or http://opengapps.org/?download=true&arch=arm&api=6.0&variant=nano  (choose pico for minimal package). 
References:
  • https://z3ntu.github.io/2015/12/10/play-services-with-genymotion.html