=== markthomas is now known as markthomas|away | ||
=== denbeiren is now known as zz_denbeiren | ||
=== Tm_Tr is now known as Guest46635 | ||
nox_42 | I am trying to use nginx to load balance two nginx web servers and I am getting a 502 error. I also don't see anything out of the ordinary in the error/access logs on the nginx web servers. | 03:20 |
---|---|---|
nox_42 | Any ideas? | 03:21 |
sarnold | check logs on all three systems? nginx error logs, access logs, syslog, firewall logs, etc? | 03:23 |
nox_42 | Everything but firewall logs. | 03:28 |
nox_42 | Haproxy logs look like 104.183.250.151:55964 [06/Aug/2015:02:38:01.225] appname appname/resonategroup 308/0/1/-1/309 502 204 - - SH-- 0/0/0/0/0 0/0 "GET / HTTP/1.1" | 03:28 |
nox_42 | I could be overlooking something but I couldn't find anything that stuck out. | 03:29 |
patdk-lap | heh? | 03:30 |
patdk-lap | you're using nginx to load balance? where does haproxy come into it? | 03:30 |
nox_42 | Oh my bad. I've actually tried both. | 03:31 |
nox_42 | I got a 502 error with both of them. | 03:31 |
patdk-lap | that means your proxy can't talk to the backends | 03:31 |
patdk-lap | so basically the configs from ALL of them will have to be posted | 03:32 |
patdk-lap | in order for anyone to know what is going on | 03:32 |
nox_42 | Do you mind taking a look if I post the configs? | 03:34 |
patdk-lap | if not in a few more seconds, I will be gone | 03:36 |
nox_42 | Ok here is my nginx web server config http://pastebin.com/rzscrXzW | 03:40 |
nox_42 | Here is my load balancer config http://pastebin.com/5jRfJFjp | 03:43 |
nox_42 | Do you need my nginx.conf file for the web servers? | 03:44 |
patdk-lap | heh? | 03:44 |
patdk-lap | wasn't that the first one? | 03:44 |
patdk-lap | if it wasn't, what was that first one? | 03:44 |
nox_42 | The first one was the site config file. | 03:45 |
sarnold | 1.1.1.1? o_O | 03:45 |
nox_42 | Drop in IP. I've removed the actual IPs. | 03:45 |
patdk-lap | ip's should not be in there at all | 03:45 |
patdk-lap | but since there is only one server section, it becomes the default and will work around that mistake | 03:46 |
patdk-lap | what do the logs in the webservers look like? | 03:48 |
nox_42 | They aren't showing any errors. I'm also not seeing any access logs from the actual load balancer though. | 03:49 |
patdk-lap | ping works between them all? | 03:49 |
patdk-lap | telnet works from the load balancer to the web servers on port 80? | 03:49 |
neonixcoder | How can I run "dpkg --configure -a" non interactively? | 03:53 |
nox_42 | Yep they both work. | 03:53 |
nox_42 | They are Linode VPS but all in the same data center. Could it be something on linode's end? | 03:54 |
patdk-lap | no | 03:54 |
sarnold | nox_42: if they can ping each other, and ssh from one to the other works, it's probably not linode's issue.. | 03:57 |
sarnold | neonixcoder: look for debconf noninteractive frontend | 03:57 |
neonixcoder | Sarnold: Let me have a look.. | 03:58 |
nox_42 | Yeah, at this point i am just trying to throw anything out there that might be an issue. | 04:03 |
patdk-lap | only so much we could help with | 04:06 |
patdk-lap | the configs look fine | 04:06 |
nox_42 | It looks like I am getting this error in the error.log file on the nginx load balancer: "upstream prematurely closed connection while reading response header from upstream," | 04:06 |
patdk-lap | need logs, need unmunged configs | 04:06 |
nox_42 | Hmm could it have anything to do with php-fpm? | 04:42 |
=== shirgall is now known as Guest54075 | ||
=== Lcawte|Away is now known as Lcawte | ||
lordievader | Good morning. | 08:21 |
fishcooker | morning lordievader | 09:12 |
Waddup | how do i unmount a drive? ubuntu server 14.04 does not have unmount command as per what i see on web | 09:30 |
mwhudson | uh | 09:35 |
mwhudson | the command is umount ? | 09:35 |
Waddup | ah | 09:37 |
Waddup | lemme give it a try | 09:37 |
Waddup | oh it worked lol | 09:37 |
mybalzitch | lol | 09:37 |
mybalzitch | umount also secretly destroys all the data | 09:37 |
mybalzitch | so joke's on you, sucker! | 09:37 |
Waddup | it's a new drive so no data. | 09:39 |
Waddup | no joke | 09:39 |
Waddup | lol | 09:39 |
mybalzitch | ahha | 09:39 |
=== utlemming is now known as utlemming_away | ||
jerto | Hi all | 12:22 |
jerto | I need some help regarding file permissions. Each time I create a file in my home, its permissions are 0600 and for a folder it is 0700. How can I set 0644 and 0755 as default chmod ? | 12:23 |
RoyK | !umask | 12:24 |
RoyK | jerto: man umask | 12:24 |
jerto | RoyK: umask is OK (0022) | 12:25 |
RoyK | and if you run 'touch newfile' what permissions does that get? | 12:25 |
jerto | 644 | 12:26 |
RoyK | then it works... :) | 12:26 |
jerto | Hmmm | 12:26 |
jerto | OK, so it only happens when I push files in ftp | 12:27 |
jerto | I'm going to check my ftp parameters | 12:27 |
RoyK | then it's the umask in the ftp server | 12:27 |
RoyK | and btw, don't use FTP | 12:27 |
RoyK | just don't | 12:28 |
mybalzitch | sftp ftws | 12:28 |
mybalzitch | -s | 12:28 |
RoyK | use sftp/scp/rsync/somethingoverssh - don't use ftp | 12:28 |
jerto | OK, I'll go for sftp then | 12:28 |
RoyK | nothing to install - it just works | 12:29 |
jerto | RoyK: Nothing to install for sftp ? | 12:32 |
RoyK | jerto: it's part of openssh | 12:32 |
jerto | OK Cool | 12:34 |
jerto | RoyK: OK FTP server removed, SFTP OK and CHMOD OK. Thanks for the help | 12:39 |
RoyK | :) | 12:42 |
=== Luke_ is now known as Luke | ||
thegoat | i have a text file with roughly 1.05 million lines in it. is there a way in linux to tell me which line is the longest? | 13:57 |
Sling | thegoat: cat filename | awk '{print length, $0}'|sort -nr|head -1 | 13:59 |
mybalzitch | Sling: nice. | 13:59 |
Sling | unless this file is so big that this might cause memory issues, then you will need to find some other solution that only reads it in line by line | 13:59 |
jelly | possibly, add the line number ($NR) into the print as well | 14:00 |
TJ- | thegoat: "wc --max-line-length /path/to/file" | 14:03 |
TJ- | thegoat: ahh, that only shows the length of the line, but which line | 14:04 |
thegoat | right, i need the actual string | 14:04 |
Sling | yea wc -L is just the length | 14:08 |
TJ- | thegoat: "awk 'length>LEN{LEN=length;LINE=NR;TEXT=$0}ENDFILE{print LINE, LEN, TEXT}' /path/to/file" | 14:11 |
=== utlemming_away is now known as utlemming | ||
DammitJim | has anyone set up hp's insight manager to monitor a ubuntu server? | 14:29 |
DammitJim | in Windows I know one just sets up the SNMP community string, but everywhere I read, it says to install an hp agent on Linux? | 14:30 |
thegoat | TJ-: thanks...that last command did the trick | 14:38 |
=== IdleOne is now known as Guest41975 | ||
=== Guest41975 is now known as IdleOne | ||
kpettit | anybody know of a simple way to block countries? I'm getting plagued with hack attempts through HTTP, SSH, SIP, etc. It's becoming a huge time burden and I'd rather just blacklist countries known to cause me problems. But can't find an easy way to do it | 16:46 |
patdk-wk | xtables geoip block | 16:46 |
patdk-wk | it takes some work to setup though | 16:46 |
kpettit | never even heard of it. | 16:47 |
kpettit | is it easy to duplicate effort on multiple servers? I've got like 20 I have to take care of | 16:47 |
patdk-wk | the issue is compiling the geoip tables into kernel modules to be used | 16:48 |
patdk-wk | it's very picky about how that is done | 16:48 |
kpettit | web servers are ubuntu, phone servers are centos | 16:48 |
patdk-wk | once you do that, it's simple | 16:48 |
kpettit | bummer, so it's not an apt-get sort of install? | 16:48 |
patdk-wk | it is | 16:48 |
patdk-wk | for the kernel module | 16:48 |
patdk-wk | but the geoip tables are licensed | 16:48 |
patdk-wk | use the licensed tables, pay for the tables, use the public tables, make your own | 16:49 |
patdk-wk | doesn't matter, but have to compile them into a usable format to be used | 16:49 |
kpettit | I'd pay for easy. Right now i just need to lower the admin hours I spend on blocking attackers | 16:51 |
RoyK | kpettit: ansible, perhaps? or puppet? or chef? or cfengine? | 16:51 |
kpettit | I use ansible. So if I can get something I can duplicate that would be wonderful. It's just maddening how crazy aggressive these guys get. | 16:51 |
kpettit | I have one server that had 1 million SSH login attempts in 1 month. Freaking crazy | 16:52 |
RoyK | ssh throttling in iptables should be easy - or fail2ban, perhaps | 16:52 |
kpettit | I require SSH keys, use fail2ban, etc | 16:52 |
RoyK | fail2ban should be usable for most services given a little config | 16:52 |
RoyK | ok | 16:53 |
kpettit | password auth is turned off, etc | 16:53 |
RoyK | wise | 16:53 |
kpettit | that doesn't help me for web or sip though | 16:53 |
RoyK | sip what? asterisk? | 16:54 |
kpettit | yeah. I do a lot of phone systems. | 16:54 |
RoyK | fail2ban just reads logs - it can be used for anything, really | 16:54 |
kpettit | On the ones I can I have a whitelist, but some I can't get away with that. | 16:54 |
kpettit | fail2ban works great with SIP | 16:54 |
kpettit | but it's still a lot of volume and I'd rather just have an iptables rule that blocks places that don't need access on every system I have | 16:55 |
RoyK | I'd block everything and open where's needed and then have fail2ban to use iptables to block after attacks | 16:56 |
RoyK | there are configs for apache/nginx etc in fail2ban | 16:58 |
patdk-wk | I know some people that just setup a crapload of asterisk sip fail2ban rules a few weeks ago | 16:58 |
patdk-wk | I don't see why building the geoip tables is that hard | 16:59 |
patdk-wk | you only have to do it once a month | 16:59 |
patdk-wk | then push it out to all your servers using ansible | 16:59 |
patdk-wk | and it could be fully automated very easily | 16:59 |
RoyK | patdk-wk: perhaps overkill to block whole countries_ | 17:00 |
RoyK | ? | 17:00 |
patdk-wk | that wasn't my option | 17:00 |
patdk-wk | that was his request | 17:00 |
patdk-wk | so just attempting to give him the only real answer to his question | 17:00 |
kpettit | patdk-wk: I'll look at it and give it a try | 17:00 |
patdk-wk | if he asked the wrong question, well :) | 17:00 |
patdk-wk | but yes, there is no turnkey solution in any linux install, to do it | 17:01 |
kpettit | patdk-wk: I've just never tried it so was curious how hard it will be. Anything that works from a central list like that is great I think. and if I can script with ansible that's even better. So thanks for the suggestion | 17:01 |
patdk-wk | it's not hard | 17:01 |
patdk-wk | just doing it the first time is a little tricky, and causes most people to have an issue or two | 17:01 |
patdk-wk | but once that is solved, it's simple | 17:01 |
kpettit | Yeah I just mainly wanted to make sure I didn't re-invent the wheel and script something that's easier done another way | 17:01 |
RoyK | looks like the standard asterisk rules in debian8 (which is what I'm running now) handles SIP | 17:02 |
RoyK | patdk-wk: do you have that truckload of asterisk fail2ban rules? | 17:02 |
patdk-wk | I don't | 17:03 |
patdk-wk | could probably get it | 17:03 |
patdk-wk | not sure if it's company property or not | 17:03 |
RoyK | ask if (s)he could share it - guess a lot of people would like that | 17:04 |
RoyK | I have made sure that my employer knows that everything I write is GPLed :P | 17:04 |
kpettit | fail2ban is great, but a lot of the defaults don't work. | 17:04 |
kpettit | but if you hunt and peck and test them out it does great. | 17:05 |
RoyK | kpettit: shouldn't be so hard to fix - it's just regex | 17:05 |
RoyK | kpettit: and please post fixes when you make them :) | 17:05 |
kpettit | yeah it's just hunting them down and testing. I'm awful with regex so usually end up doing the google and trial/error | 17:05 |
RoyK | kpettit: we all started that way | 17:05 |
kpettit | haha, I'm just old and have always had a hard time learning it | 17:07 |
RoyK | :) | 17:07 |
=== utlemming is now known as utlemming_away | ||
=== utlemming_away is now known as utlemming | ||
=== zz_denbeiren is now known as denbeiren | ||
=== beisner is now known as beisner-afk | ||
=== beisner-afk is now known as beisner | ||
=== jerto1 is now known as jerto | ||
=== Lcawte is now known as Lcawte|Away |