Category Archives: Linux

Lsync monitoring on Rackspace Cloud

mkdir -p /usr/lib/rackspace-monitoring-agent/plugins/
cd /usr/lib/rackspace-monitoring-agent/plugins/
wget https://raw.githubusercontent.com/racker/rackspace-monitoring-agent-plugins-contrib/master/lsyncd-status.sh
chmod 755 lsyncd-status.sh

You can test the above script by calling it directly to see if it is working and reporting stats:

/usr/lib/rackspace-monitoring-agent/plugins/lsyncd-status.sh

Now, we need to create the alert itself.
[To get the token, you can use this]

curl -i -X POST \
-H 'X-Auth-Token: [AUTH_TOKEN]' \
-H 'Content-Type: application/json; charset=UTF-8' \
-H 'Accept: application/json' \
--data-binary \
'{"label": "Lsyncd", "type": "agent.plugin", "details": {"file": "lsyncd-status.sh","args": ["arg1","arg2"]}}' \
'https://monitoring.api.rackspacecloud.com/v1.0/[ACCOUNT_ID]/entities/[ENTITY_ID]/checks'

NOTE: ENTITY_ID is the Monitoring ID, NOT the server ID!!

Once the alert has been created, you can add the alarm manually via the Control Panel:

if (metric['lsyncd_status'] != 'running') {
return new AlarmStatus(CRITICAL, 'Lsyncd Service is NOT running.');
}
if (metric['lsyncd_status'] == 'running' && metric['percent_used_watches'] >= 80) {
return new AlarmStatus(WARNING, 'Lsyncd is running but the number of directories has reached 80% of notify watches.');
}
if (metric['lsyncd_status'] == 'running' && metric['percent_used_watches'] >= 95) {
return new AlarmStatus(CRITICAL, 'Lsyncd is running but the number of directories has reached 95% of notify watches.');
}
return new AlarmStatus(OK, 'Lsyncd Service is running.');

Make sure to test and save the alert.

Rackspace Cloud Driveclient not working

First of all, checks the logs: /var/log/driveclient.log

You might find 403 errors and lines that are showing that the agent can’t connect properly.

In this case, the first step is trying to re-register the backup agent:
3) Maybe the customer has changed the API key so try re-register the backup agent:

# /usr/local/bin/driveclient --configure
WARNING: Agent already configured. Overwrite? [Y/n]: Y
Username: My_Username
Password: My_APIKey

Desired Output:

Registration successful!
Bootstrap created at: /etc/driveclient/bootstrap.json

In case you get something like “ERROR: Registration failed: Could not authenticate user. Identity returned 401“, this means that you probably need to force a bit the registration, using the following command:

# driveclient -u USER_NAME -k API_KEY -t LON -l raxcloudserver -a lon.backup.api.rackspacecloud.com -c

Force reset/repush network configuration Rackspace Cloud server

Run the following command on the Cloud server (this works only on Linux servers):

UUID=`uuidgen`; xenstore-write data/host/$UUID '{"name":"resetnetwork","value":""}'; sleep 10; xenstore-read data/guest/$UUID; unset UUID

If completed successfully it will return something like this:

{"message": "", "returncode": "0"}

Verify that private key and SSL certificate are matching via command line

# openssl rsa -modulus -noout -in private_key.key | openssl md5
(stdin)= b650539so2020gwoge778b6981a38c

# openssl x509 -modulus -noout -in mysite_certificate.crt | openssl md5
(stdin)= b650539so2020gwoge778b6981a38c

the outputs must match 🙂

Apache ProxyPass for WordPress master-slave setup

Simple way

Ensure certain traffic goes to a certain server (master), you can use this:

<LocationMatch "^/wordpress/wp-admin/?.*>
ProxyPreserveHost On
ProxyPass http://ip.of.master.server/
</LocationMatch>

For a better setup with Variables, just follow the… following steps 🙂

Step One: Configure Environment

We need to setup some environment variables to get this to work correctly.
Add the following to your environment on the slave server(s):

RHEL/CentOS: /etc/sysconfig/httpdi

OPTIONS="-DSLAVE"
export MASTER_SERVER="SERVERIP HERE"

Ubuntu: /etc/apache2/envvars

export APACHE_ARGUMENTS="-DSLAVE"
export MASTER_SERVER="SERVERIP HERE"

Step Two: Configure your VirtualHost

In your VirtualHost configuration do something like the following.

<IfDefine SLAVE>
RewriteEngine On
ProxyPreserveHost On
ProxyPass /wp-admin/http://${MASTER_SERVER}/wp-admin/
ProxyPassReverse /wp-admin/http://${MASTER_SERVER}/wp-admin/

RewriteCond %{REQUEST_METHOD} =POST
RewriteRule . http://${MASTER_SERVER}%{REQUEST_URI} [P]
</IfDefine>

Block UserAgent libwww-perl and test

If you want to apply this globally, edit /etc/httpd/conf/httpd.conf (Centos). Otherwise, just modify the related vhost config file, adding the following:

ServerSignature Off
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
<Location />
Order allow,deny
Allow from all
Deny from env=bad_bot
</Location>

How to test:

Check if the site responds:

$ curl -I http://www.mywebsite.com
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 17:12:16 GMT
Server: Apache
Last-Modified: Thu, 13 Nov 2014 16:00:35 GMT
ETag: "1fa5dc-9dd5-507bf9cd66ec0"
Accept-Ranges: bytes
Content-Length: 40405
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

Check if the agent libwww-perl is allowed or forbidden:

$ curl -A "libwww-perl" -I http://www.mywebsite.com
HTTP/1.1 403 Forbidden
Date: Thu, 13 Nov 2014 17:12:51 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

Check if using Mozilla as agent works or not:

$ curl -A "Mozilla/5.0 (iPhone; U; CPU PerformanceOptimized iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" -I http://www.mywebsite.com
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 17:13:27 GMT
Server: Apache
Last-Modified: Thu, 13 Nov 2014 16:00:35 GMT
ETag: "1fa5dc-9dd5-507bf9cd66ec0"
Accept-Ranges: bytes
Content-Length: 40405
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

How to bypass Varnish

Test loading speed ignoring Varnish

>> adding “Cookie: NO_CACHE=1” will make Varnish to pass the request directly to Apache

time curl -I http://example.com/pagetotest -H "Cookie: NO_CACHE=1"

Source IP in Apache logs

If your server is under a load balancer, you might see HTTP requests coming from the Load Balancer’s IP instead of the actual visitor. Generally, load balancers are “recording” the original source IP in the X-Forwarded-For header. This means that this is the header that we need to log in our Apache logs to get the information that we want.

Here how to make this happen:

Default rule:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Modified rule that includes the X-Forwarded-For definition:

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


==============================================

>> Best way:


On httpd.conf:
=====================
SetEnvIfNoCase X-Forwarded-For "." from_proxy=1

LogFormat "%{CF-Connecting-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
=======================

On vhost.conf
============================
CustomLog /var/log/httpd/vhost-access.log forwarded env=from_proxy
CustomLog /var/log/httpd/vhost-access.log combined env=!from_proxy
============================

Source: https://community.rackspace.com/products/f/25/t/211

Apache Rewrite rules

Rewrite rules examples:

This can be added in vhost configuration OR in .htaccess file

How to rewrite all web request on my site without www to www.domain.com

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule (.*) http://www.example.com$1 [R,L]

How to redirect all web requests on port 80 (or HTTP) to port 443 (HTTPS)

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

How to disable TRACE and TRACK methods on Apache

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

How to exclude mod_status from being rewritten by existing rules (placed before the problem rule)

RewriteCond %{REQUEST_URI} !=/server-status

How do I redirect all web requests on www.mysite.net/web to www.mysite.net/sect1/web

RewriteCond %{http_host} ^[www\.]*example\.com
RewriteRule ^web(/)?$ /sect1/web [R=301,L]

Rewrite all non-www to www

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force all URLs to be lowercase

RewriteEngine On
RewriteMap lc int:tolower
RewriteCond %{REQUEST_URI} [A-Z]
RewriteRule (.*) ${lc:$1} [R=301,L]

WordPress notes

Reset Admin Password

UPDATE wp_users SET user_pass=MD5('newpassword123') WHERE ID = 1;

Create New Admin account

mysql> INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_status`, `display_name`) VALUES ('username', MD5('password'), 'friendly-name', '[email protected]', 'http://example.com', '0', 'Your Name');
mysql> SELECT LAST_INSERT_ID() INTO @userid;INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @userid, 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'), (NULL, @userid, 'wp_user_level', '10');

Show error in case white screen appears
Try adding this line to wp-config.php to see the errors on the page:

define( 'WP_DEBUG', true );

Change the site URL

mysql> SELECT * FROM wp_options WHERE option_name = 'siteurl' OR option_name = 'home' ;
mysql> UPDATE wp_options SET option_value = 'http://staging.mysite.com' WHERE option_name = 'siteurl' OR option_name = 'home' ;

Disable all plugins

mysql> UPDATE wp_options SET option_value = 'a:0:{}' WHERE option_name = 'active_plugins';

Show users and Privileges

mysql> SELECT user_login,user_registered,meta_value FROM wp_users INNER JOIN wp_usermeta ON wp_users.id = wp_usermeta.user_id and meta_key = 'wp_capabilities';
+---------------+---------------------+---------------------------------+
| user_login | user_registered | meta_value |
+---------------+---------------------+---------------------------------+
| administrator | 2013-12-21 10:36:30 | a:1:{s:13:"administrator";b:1;} |
| author | 2014-11-25 15:50:34 | a:1:{s:6:"author";b:1;} |
| editor | 2014-11-25 15:51:18 | a:1:{s:6:"editor";b:1;} |
| contributor | 2014-11-25 15:51:48 | a:1:{s:11:"contributor";b:1;} |
| subscriber | 2014-11-25 15:52:11 | a:1:{s:10:"subscriber";b:1;} |
+---------------+---------------------+---------------------------------+
5 rows in set (0.01 sec)

Update theme to Twenty Fourteen

mysql> UPDATE wp_options SET option_value = 'twentyfourteen' WHERE option_name = 'template' OR option_name = 'stylesheet';
mysql> UPDATE wp_options SET option_value = 'Twenty Fourteen' WHERE option_name = 'current_theme';

Administration Over SSL
Add the below lines to the wp-config.php file above the ‘/* That’s all, stop editing! Happy blogging. */’ line

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

This ensures the login AND the administration is done over SSL

You could also use the below .htaccess:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^/?(wp-admin/|wp-login\.php) https://mysite.com%{REQUEST_URI}%{QUERY_STRING} [R=301,QSA,L]

Find out how many SQL queries are executed every time a page is loaded.
Add the below to one of the theme files, I usually add to footer.php

if ( current_user_can( 'manage_options' ) ) {
echo $wpdb->num_queries . " SQL queries performed.";
} else {
// Uncomment the below line to show SQL queries to everybody
// echo $wpdb->num_queries . " SQL queries performed.";
}

Here are some configuration parameters you can add to your wp-config.php file for FTP.

define('FS_METHOD', 'direct'); 
/*
forces the filesystem method. It should only be "direct", "ssh2", "ftpext", or "ftpsockets". Generally, you should only change this if you are experiencing update problems. If you change it and it doesn't help, change it back/remove it. Under most circumstances, setting it to 'ftpsockets' will work if the automatically chosen method does not.

(Primary Preference) "direct" forces it to use Direct File I/O requests from within PHP, this is fraught with opening up security issues on poorly configured hosts, This is chosen automatically when appropriate.
(Secondary Preference) "ssh2" is to force the usage of the SSH PHP Extension if installed
(3rd Preference) "ftpext" is to force the usage of the FTP PHP Extension for FTP Access, and finally
(4th Preference) "ftpsockets" utilises the PHP Sockets Class for FTP Access.
*/
define('FTP_BASE', '/var/www/vhosts/example.com/httpdocs/'); // is the full path to the "base"(ABSPATH) folder of the WordPress installation. 
define('FTP_CONTENT_DIR', '/var/www/vhosts/example.com/httpdocs/wp-content/'); // is the full path to the wp-content folder of the WordPress installation.
define('FTP_PLUGIN_DIR ', '/var/www/vhosts/example.com/httpdocs/plugins/'); // is the full path to the plugins folder of the WordPress installation. 
define('FTP_PUBKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa.pub'); // is the full path to your SSH public key. 
define('FTP_PRIKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa'); // is the full path to your SSH private key. 
define('FTP_USER', 'FTPusername'); // is the FTP username
define('FTP_PASS', 'FTPpassword'); // is the password for the FTP User
define('FTP_HOST', 'localhost'); // FTP Host - usually localhost.
define('FTP_SSL', false); // This is for "Secure FTP" not for SFTP.

xmlrpc.php

I’d recommend restricting xmlrpc.php POSTs to only IPs that need it by adding the following rules to the top of your .htaccess file, updating accordingly the line ‘allow from’ with a list of IPs space separated or simply completely remove that line to block its execution:

# ----------------------------------------------------
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
# ----------------------------------------------------

My notepad

Chris' IT notes…