Category Archives: networking

Querying Active Users on Active Directory

Here’s how to query non-disabled users on Active Directory. There are 2 conditions I want to set:

1. Object is of type user / person

(objectCategory=person)

2. User is active, not disabled
This is a tricky one; luckily there's a way to use a bitwise filter to find not-disabled users. The flag for a disabled account in AD is 0x02 (decimal 2), hence we can create a negative condition which reverses this test:

(!UserAccountControl:1.2.840.113556.1.4.803:=2)

The odd 1.2.840.113556.1.4.803 portion there is actually a bitwise OR operation (thanks Microsoft for making it so subtle)

So combining both conditions with the (& operator, here's my final query:

(&(!UserAccountControl:1.2.840.113556.1.4.803:=2)(objectCategory=person))
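As an added example (not code from the original post), the filter can be assembled in Python and the bit test checked against constructed userAccountControl values; the optional (objectClass=user) clause is an addition that excludes contact objects, which also carry objectCategory=person.

```python
# Added example (not from the original post): builds the filter above and reproduces
# the bit test the matching rule performs, to show why a plain equality on
# userAccountControl is not enough. No directory is contacted; values are constructed.

ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled account
# LDAP_MATCHING_RULE_BIT_AND: matches when every bit given on the right is set in the attribute
BIT_RULE = "1.2.840.113556.1.4.803"


def active_user_filter(extra_clauses=()):
    """LDAP filter for enabled user objects, AND-ed with any extra clauses."""
    clauses = [
        f"(!userAccountControl:{BIT_RULE}:={ACCOUNTDISABLE})",  # disabled bit is NOT set
        "(objectCategory=person)",
    ]
    clauses.extend(extra_clauses)
    return "(&" + "".join(clauses) + ")"


def is_enabled(user_account_control):
    """Client-side equivalent of the filter's bit test: the ACCOUNTDISABLE bit is clear."""
    return user_account_control & ACCOUNTDISABLE == 0


# Constructed sample accounts with typical userAccountControl values
SAMPLE_USERS = {
    "alice": 512,     # NORMAL_ACCOUNT, enabled
    "bob": 514,       # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66048,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
    "dave": 66050,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
}


def enabled_users(users=SAMPLE_USERS):
    """Names the bit-test filter would return."""
    return sorted(name for name, uac in users.items() if is_enabled(uac))


def equality_filter_users(users=SAMPLE_USERS):
    """Names a naive (userAccountControl=512) filter would return: it misses carol."""
    return sorted(name for name, uac in users.items() if uac == 512)
```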

Permanently Adding IP Route To Mac OSX VPN Connection

I'm annoyed: each time I connect to my office VPN I have to manually add an IP route so that a certain IP range is reachable. Here's how you can make the change permanent:

Add the route command to /etc/ppp/ip-up. pppd executes this file (it must be executable) each time a PPP connection, including the VPN, comes up.

#!/bin/sh
# File: /etc/ppp/ip-up (must be executable: chmod 755 /etc/ppp/ip-up)
# pppd runs it as: ip-up <interface> <tty> <speed> <local-IP> <remote-IP> <ipparam>
# Route the office 192.168.16.0/24 range via the VPN peer address ($5)
/sbin/route add 192.168.16.0/24 "$5"

In the above configuration I routed any IP starting with 192.168.16 to the newly established VPN connection (the remote peer address, which pppd passes in as the $5 variable).

You can check your IP routing table using netstat -rn:

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default                 UGSc           36        0    ppp0
default            192.168.1.1        UGScI          14        0     en0
25                 link#8             UC              1        0    ham0
25.84.162.40       7a:79:19:51:a5:3c  UHLWIi          1        1     lo0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1   143939     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             4        0     en0
192.168.1.1        0:60:64:91:be:65   UHLWIir        18      618     en0   1183
192.168.1.2        127.0.0.1          UHS             0        0     lo0
192.168.1.5        0:23:ae:a:c9:63    UHLWI           0       21     en0   1016
192.168.1.8        1c:1a:c0:6f:b7:6a  UHLWI           0        0     en0   1139
192.168.1.9        1c:1a:c0:6f:b7:6b  UHLWI           0        0     en0   1140
192.168.16              UGSc            1        0    ppp0
192.168.18         ppp0               USc             0        0    ppp0
          UHr            40       16    ppp0
     192.168.1.1        UGHS            1      376     en0

HTTP Strict Transport Security

Here's another gotcha (and novel feature) of the internet world: HSTS (HTTP Strict Transport Security).

Basically a website can send a Strict-Transport-Security response header to force the browser to use HTTPS automatically for all subsequent requests for a period of time.

[Image: hsts, the Strict-Transport-Security response header]

The response header above says that for the next 31536000 seconds (1 year) the browser has to use HTTPS to access this domain and all its subdomains.

This becomes a gotcha if you're testing a new subdomain over HTTP by updating your local hosts file: you might wonder why your browser won't let you connect using HTTP, without even consulting the web server first.

Fortunately it can be overcome by simply clearing your browser cache.
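As an added example (not code from the original post), here is the rule a browser applies from a stored Strict-Transport-Security header, which is what makes the new-subdomain gotcha above happen; the host names are constructed.

```python
# Added example (not from the original post): parse a Strict-Transport-Security value and
# apply the browser's upgrade rule to a host, including the includeSubDomains gotcha.
# The host names used below are constructed.
import time


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains) from the header value."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsCache:
    """Minimal per-host HSTS store, as a browser keeps it between visits."""

    def __init__(self):
        self.entries = {}   # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value, now=None):
        """Record the header sent by host (browsers only honour it when received over HTTPS)."""
        now = time.time() if now is None else now
        max_age, include_sub = parse_hsts(header_value)
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def must_use_https(self, host, now=None):
        """True if host itself, or a parent domain with includeSubDomains, is still pinned."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            entry = self.entries.get(".".join(labels[depth:]))
            if entry is None or entry[0] <= now:
                continue                     # unknown or expired
            if depth == 0 or entry[1]:
                return True
        return False
```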

Configuring NGINX Load Balancer Reverse Proxy

Below is an example of an NGINX reverse proxy with 2 load-balanced backends:

upstream backend {
  ip_hash;
  server localhost:8080 fail_timeout=3;
  server localhost:8081 fail_timeout=3;
}

server {
  listen 80;
  server_name mydomain.com;

  location / {
    proxy_pass http://backend/;
    proxy_redirect default;
    proxy_cookie_domain localhost mydomain.com;
  }
}
  • The upstream directive defines a cluster named backend of 2 backend servers (localhost:8080 and localhost:8081). The fail_timeout parameter specifies that a request to the node will be deemed failed if no response is obtained after 3 seconds.
  • The ip_hash directive causes requests coming from the same IP to be associated with the same backend. This is often called a sticky session. Another popular strategy is using a cookie.
  • The cluster name backend is referenced by the proxy_pass directive inside location.

Add the down parameter to stop requests being passed to a specific backend:

upstream backend {
  ip_hash;
  server localhost:8080 fail_timeout=3;
  server localhost:8081 fail_timeout=3 down;
}

This is handy when performing a no-outage release.

Don't forget to reload the configuration using nginx -s reload.

Read Related NGINX Docos

Transferring File Using FTPS in Java

Here's sample code for setting up an FTPS file transfer in Java. Make sure you have set up an SSLContext that trusts the FTPS server's certificate.

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.net.ssl.SSLContext;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;

SSLContext sslContext = /* setup SSLContext that trusts the server's certificate */;

// true = implicit FTPS: TLS is negotiated as soon as the connection opens
FTPSClient ftps = new FTPSClient(true, sslContext);
ftps.connect(hostname, port);
if (!FTPReply.isPositiveCompletion(ftps.getReplyCode())) {
    ftps.disconnect();
    throw new IOException("FTPS server refused connection: " + ftps.getReplyString());
}

// Timeout exception will be raised if no data is received for 20s
ftps.setDataTimeout(20000);

// Authenticate (pass() returns false when the server rejects the credentials)
ftps.user("ftp_user");
boolean ret = ftps.pass("ftp_pass");
if (!ret) {
    ftps.disconnect();
    throw new IOException("Login failed: " + ftps.getReplyString());
}

// Define protection buffer size and protocol. Following are the default for implicit FTPS
ftps.parsePBSZ(0);
ftps.execPROT("P");   // "P" = private: the data channel is encrypted too

// Set file transfer type and passive mode
ftps.type(FTP.BINARY_FILE_TYPE);
ftps.enterLocalPassiveMode();

// Remote path where the file will be downloaded from
ftps.changeWorkingDirectory("/remote/path");

// Retrieve a file called "file.txt" from the remote server into a local file of the same name
try (OutputStream local = new FileOutputStream("file.txt")) {
    if (!ftps.retrieveFile("file.txt", local)) {
        throw new IOException("Download failed: " + ftps.getReplyString());
    }
}

ftps.logout();
ftps.disconnect();

This code uses the commons-net package; make sure it is included in the Maven dependencies:


<dependency>
  <groupId>commons-net</groupId>
  <artifactId>commons-net</artifactId>
  <version>3.3</version>
</dependency>
The actual FTPS code will vary greatly depending on your FTPS server setup. The above assumes an implicit FTPS server that supports passive mode and normal username / password authentication.

Setup IMAP on Exchange Server 2013

Turn On IMAP Services

On the Windows server where Exchange runs, ensure the Microsoft Exchange IMAP4 and Microsoft Exchange IMAP4 Backend services are started and set their startup type to Automatic.

[Image: imap-svc, the two Exchange IMAP4 services in the Services console]

Setup Firewall / NAT Port Forwarding On The Router

By default IMAP listens on ports 143 and 993 (SSL). The idea here is that by setting up port forwarding, packets that hit your office IP are translated and forwarded to the Exchange server. There are no generic instructions on how to do this as each router type is different, however conceptually you want to set up a rule to this effect:

When a packet arrives at port 143 and/or 993, translate it into and forward it to port 143 and/or 993

Keep in mind the Windows server has its own firewall, so you might need to open the ports there too.

Setup DNS Alias

Typically you would want imap.mycompany.com to point to the Windows server that hosts Exchange. This can be achieved by adding a DNS A record in your internet domain manager (provided by your domain host).

Observe IMAP Settings on Exchange Admin Center (EAC)

Make sure you have it enabled, select the login method to your liking, etc.:

[Image: exchange-eac, IMAP4 settings in the Exchange Admin Center]

And Finally Setup IMAP on Your Phone / Email Client

Depending on your settings, the IMAP details might look like this:

  • IMAP server: imap.mycompany.com
  • Port: 143
  • Enable TLS: true
  • Username:
  • Password:
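As an added example (not the post's or Exchange's own code), a Python check of the settings above, assuming the imap.mycompany.com alias from this post: "Enable TLS" on port 143 means STARTTLS, so the client talks plaintext first and must upgrade before sending credentials, while 993 is TLS from the first byte.

```python
# Added example (not from the original post): a check for the client settings above.
# "Enable TLS" on port 143 means STARTTLS; port 993 is TLS from the first byte.
# The host name is the alias from the post; nothing here is Exchange's own code.
import imaplib
import ssl


def tls_mode_for_port(port):
    """143 = plaintext greeting, then STARTTLS; 993 = implicit TLS."""
    return {143: "starttls", 993: "implicit"}.get(port, "unknown")


def parse_capabilities(capability_response):
    """Upper-cased tokens of an untagged '* CAPABILITY ...' response line."""
    tokens = capability_response.strip().split()
    while tokens and tokens[0].upper() in ("*", "CAPABILITY"):
        tokens = tokens[1:]
    return {t.upper() for t in tokens}


def starttls_offered(capability_response):
    """True when the server advertises STARTTLS, which it must on port 143."""
    return "STARTTLS" in parse_capabilities(capability_response)


def check_imap(host="imap.mycompany.com", port=143):
    """Open the connection as a client would and verify the certificate. Network call."""
    ctx = ssl.create_default_context()   # verifies the chain and the host name
    if tls_mode_for_port(port) == "implicit":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)   # plaintext greeting first
        if not starttls_offered(" ".join(conn.capabilities)):
            conn.logout()
            raise RuntimeError("server on port %d does not offer STARTTLS" % port)
        conn.starttls(ctx)                 # upgrade before any credentials are sent
    conn.logout()
    return True
```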

AWS EC2 Nginx Reverse Proxy And localhost Slowness

This is something really odd that I have yet to fully understand, but for the time being I've decided that using localhost on AWS EC2 is bad (at least on Windows Server 2008 R2).

I think it might have something to do with internal DNS or address routing, but my nginx-reverse-proxied Tomcat is 4-5x slower when I bind it to localhost as opposed to the local IP. We're talking 1 minute to load a 300kb CSS file!

Open a command prompt, run ipconfig /all, and your local IP should be listed as IPv4 Address under Ethernet adapter Local Area Connection 2:

[Image: ec2-local-ip, ipconfig /all output showing the IPv4 Address]

On Tomcat, edit your server.xml, find your element and add the address attribute:


And finally update nginx.conf to point the reverse proxy backend to the IP above.

After doing this my reverse proxy is much faster: only a few seconds to load the 300kb CSS file.
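As an added diagnostic (not code from the original post), the helper below lists what "localhost" resolves to and times a TCP connect to each address. One common cause of exactly this symptom, stated here as an assumption rather than anything the post confirms, is that "localhost" resolves to ::1 ahead of 127.0.0.1 while the backend listens on the IPv4 address only; port 8080 is a placeholder for the Tomcat port.

```python
# Added example (not from the original post): a diagnosis helper for the symptom above.
# Assumption (not confirmed by the post): "localhost" resolves to ::1 before 127.0.0.1
# while the backend listens on IPv4 only, so each connection first waits out a failed
# IPv6 attempt. Port 8080 is a placeholder for the Tomcat port.
import socket
import time


def resolve_all(name, port=8080):
    """Addresses for name in resolver order, which is the order clients try them."""
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        name, port, type=socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def prefers_ipv6(addresses):
    """True when the first address a client would try is IPv6."""
    return bool(addresses) and ":" in addresses[0]


def time_connect(addr, port, timeout=5.0):
    """(connected?, seconds) for one TCP connect attempt to addr:port."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    start = time.monotonic()
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((addr, port))
            connected = True
        except OSError:
            connected = False
    return connected, time.monotonic() - start


def diagnose(name="localhost", port=8080):
    """Show each address the name maps to and how long a connect to it takes."""
    addresses = resolve_all(name, port)
    print("%s resolves to %s (IPv6 first: %s)" % (name, addresses, prefers_ipv6(addresses)))
    for addr in addresses:
        ok, secs = time_connect(addr, port)
        print("  %-15s connected=%s in %.2fs" % (addr, ok, secs))
    return addresses
```

If the first address is ::1 and the connect to it is the slow or failing one, binding Tomcat and the nginx upstream to the same explicit IPv4 address, as the post does, avoids the wait.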

hMailServer for Outbound Only SMTP Server

If you ever need to write a program that sends email, most likely you'll need an SMTP server. Here's how you can configure one on a Windows box using hMailServer.

New Domain

After downloading and installing, you need to add a new domain to hMailServer. In my case I will not be using hMailServer to accept incoming email, hence I did not use the company's email domain. Doing so would cause email to your colleagues to be routed locally and likely fail.

So go ahead and add a new domain, and just give it the local machine name (eg: devbox01.local). You have to pick a name that resembles an actual domain (with a dot and suffix), otherwise hMailServer will reject it.

New Account

Once you've set up the domain, create a new account:

[Image: hmail, the new account dialog in hMailServer]

Set a password, and that's it, you're done. You can now use the SMTP server for outbound email:

  • Username:
  • Password: whatever password you put in
  • SMTP host: devbox01
  • SMTP port: 25

Important

Now what's left to do is configuring the firewall. If your program runs on the same box you might not need to do anything. However, it's good to check that no outside traffic from the internet can connect to port 25, so that no one can abuse your SMTP server.

And as a last word of warning, do not assume all mail will be delivered. This SMTP setup is very basic. Depending on the content you send, SPF, reverse DNS entries, the recipient's spam filtering, and a gazillion other things, your email might not go through.

 

About Apache Compression and Content-Length Header

Just resolved an interesting problem today: one of our programs broke because the response headers set by the web server did not include Content-Length.

Spent quite a while investigating and it turns out this is due to gzip compression. As seen below, Content-Encoding is gzip and I think this causes Content-Length to be omitted.

[Image: apache-resp-headers, response headers showing Content-Encoding: gzip and no Content-Length]

Gzip compression can be disabled on Apache via .htaccess config. In my case I disabled all compression for swf files by adding the following configuration:


  SetEnv no-gzip 1
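The other way round the problem, shown here as an added example rather than the post's code, is to make the client not depend on Content-Length at all: when Apache compresses on the fly it sends the body with Transfer-Encoding: chunked and no Content-Length, and a reader that handles both framings (plus gzip) copes with either configuration. The response bytes are constructed, not captured.

```python
# Added example (not from the original post): read an HTTP/1.1 response body without
# relying on Content-Length, handling both chunked and length-delimited bodies plus gzip.
# The responses below are constructed, not captured from a server.
import gzip


def parse_response(raw):
    """Split raw bytes into (status line, lower-cased header dict, remaining bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(data):
    """Reassemble a chunked body: hex size line, payload, CRLF, ... until a zero-size chunk."""
    body = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(body)
        body += data[:size]
        data = data[size + 2:]                      # skip payload and its trailing CRLF


def response_body(raw):
    """Body with transfer framing and gzip removed; works with or without Content-Length."""
    _, headers, rest = parse_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = read_chunked(rest)
    elif "content-length" in headers:
        body = rest[:int(headers["content-length"])]
    else:
        body = rest                                 # delimited by connection close
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


# Constructed samples: mod_deflate-style output (no Content-Length) and a plain reply
_PAYLOAD = gzip.compress(b"<html>hello</html>")
SAMPLE_GZIP_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    + ("%x\r\n" % len(_PAYLOAD)).encode() + _PAYLOAD + b"\r\n0\r\n\r\n"
)
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
```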

Testing TCP Firewall With Netcat

The simplest way to test whether a port is open on the firewall is through telnet, but the problem with that is: what if you don't have anything listening? What if you're preparing infrastructure for a new app-server deployment? telnet won't work unless there's something listening on the server.

With netcat you can create a simple listener that echoes back whatever is sent to it. Netcat should be available on standard UNIX systems via the nc command.

If you want to test whether port 1234 has been allowed through the firewall:

  1. On the server, run nc -l -p 1234. Netcat will wait for an incoming connection on port 1234.
  2. On the client, simply do telnet 1234 (assuming the server IP is )

If the server is on Windows, there’s even a Windows version of Netcat available.