NGINX: Must change "www-data" user to "pool" user in nginx.conf - sockets

it turns out I've no clue what I'm doing. :(
My goal is to create a separate pool with a custom user to host my site. My web content is placed within "/home/custom_user/www/html" (this is because it makes it a little easier to configure "vsftp"; otherwise I was made to add my custom user to the "www-data" group to be able to upload files into "/var/www/xxx").
My custom pool config looks like:
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = custom_user
group = custom_user
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php/php8.1-fpm-my-app.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = custom_user ; here I tried "www-data" too
listen.group = custom_user ; here I tried "www-data" too
Within my site's config I point to the socket of my app:
fastcgi_pass unix:/var/run/php/php8.1-fpm-my-app.sock;
Soo ... long story short: Is it possible to run the main nginx thread under "www-data" user and my custom pool under "custom_user"?
Shall I stop trying to create a custom pool and put all in "/var/www" and try to configure vsftp properly, because I will never ever run a second page on this server?
Thanks, Christian
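As an added illustration (not code from the original post), the check below models the Linux unix-socket permission rule the pool file's own comments describe and applies it to the posted pool settings: with listen.owner and listen.group both set to custom_user and the default mode 0660, an nginx worker running as www-data has no read/write bit on the socket and the fastcgi_pass fails. The accounts, uids and gids are constructed for the example; the "fixed" pool is an assumption of the usual layout (pool processes stay custom_user, the socket's group is www-data).

```python
"""Added example (not from the original post): why www-data cannot connect
to a socket owned by custom_user:custom_user. On Linux, connect() on a unix
socket needs read+write permission, which the pool's listen.owner /
listen.group / listen.mode keys control. Accounts and ids are constructed."""
from dataclasses import dataclass
import stat

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int                          # primary group id
    groups: frozenset = frozenset()   # supplementary group ids

# Constructed user/group database: www-data is NOT a member of custom_user.
ACCOUNTS = {"www-data": Account("www-data", 33, 33),
            "custom_user": Account("custom_user", 1001, 1001)}
GROUPS = {"www-data": 33, "custom_user": 1001}

def can_connect(acct, owner_uid, group_gid, mode):
    """POSIX rule: owner bits if the uid matches, else group bits if any of
    the account's groups matches, else the 'other' bits. root is not
    special-cased because nginx workers run unprivileged."""
    if acct.uid == owner_uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif group_gid == acct.gid or group_gid in acct.groups:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (mode & need) == need

def pool_socket_ok(pool, nginx_user):
    """pool: the relevant php-fpm pool keys with their string values;
    listen.mode defaults to 0660, as the pool file's comments state."""
    owner = ACCOUNTS[pool["listen.owner"]].uid
    group = GROUPS[pool["listen.group"]]
    mode = int(pool.get("listen.mode", "0660"), 8)
    return can_connect(ACCOUNTS[nginx_user], owner, group, mode)

# The pool as posted: owner and group both custom_user, default mode 0660.
ASKED = {"listen.owner": "custom_user", "listen.group": "custom_user"}
# Pool processes still run as custom_user; only the socket's group is handed
# to the nginx worker user, so no other account on the box gets rw on it.
FIXED = {"listen.owner": "custom_user", "listen.group": "www-data",
         "listen.mode": "0660"}

if __name__ == "__main__":
    print("as posted:", pool_socket_ok(ASKED, "www-data"))  # False
    print("fixed:", pool_socket_ok(FIXED, "www-data"))      # True
```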

Related

What is the difference between the Source Port and the StunServerPort

I am developing a peer to peer call. I am using de.javawi.jstun.test .
I found this constructor in de.javawi.jstun.test.DiscoveryTest:
public DiscoveryTest(InetAddress sourceIaddress, int sourcePort, String stunServer, int stunServerPort) {
    this.sourceIaddress = sourceIaddress;
    this.sourcePort = sourcePort;
    this.stunServer = stunServer;
    this.stunServerPort = stunServerPort;
}
My question is: what is the difference between the sourcePort and the stunServerPort?
stunServerPort is the port the STUN server listens on for incoming binding requests. This is typically one of the standard STUN ports: 3478 or 3479.
sourcePort is the port the client behind a NAT has obtained locally to create a socket with. Most often, the client attempting to do P2P will ask the OS to randomly pick an available local port to send/receive from. You can probably pass 0 for sourcePort and let it pick the port for you as well. Or if you already have a socket, use the same port as your local socket, and DiscoveryTest will set the reuseaddr flag so the sockets can co-exist.

Hints on global deadman alerting methods

The Kapacitor configuration file contains the following comment in the [deadman] section:
# NOTE: for this to be of use you must also globally configure at least one alerting method.
But there are no more hints about how to set this global alerting method. Some alert handler sections have a global boolean parameter, but not the basic or old-school ones like snmp, httppost or even log. Is it not available?
The Kapacitor documentation briefly introduces an [Alert] section. Would it be possible to set a global log event handler there?
From my understanding this means that in order to use the global configuration for the [deadman] node, you need to set the default parameters for one of the possible Kapacitor [Alert node] properties (smtp, mqtt, slack, ...).
The list of supported [Alert node] handlers is available in the documentation.
This configuration is done in the Kapacitor configuration file.
Here is an example of the email property:
[smtp]
# Configure an SMTP email server
# Will use TLS and authentication if possible
# Only necessary for sending emails from alerts.
enabled = true
host = "smtp.host.com"
port = 465
username = "notify@host.com"
password = "password"
# From address for outgoing mail
from = "notify@host.com"
# List of default To addresses.
to = ["dest1@host.com","dest2@host.com"]
# Skip TLS certificate verify when connecting to SMTP server
no-verify = false
# Close idle connections after timeout
idle-timeout = "30s"
# If true then all alerts will be sent via Email
# without explicitly marking them in the TICKscript.
global = false
# Only applies if global is true.
# Sets all alerts in state-changes-only mode,
# meaning alerts will only be sent if the alert state changes.
state-changes-only = false

ProFTPD Version 1.3.5d ExtendedLog is not working?

I am a beginner in Linux. I am using Plesk onyx with 17.5.3 Ubuntu 16.04 1705170317.16. My ExtendedLog configured in /etc/proftpd.conf is not working.
The following is my /etc/proftpd.conf:
#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
LogFormat nijin "%t %h %u %D %f \"%r\" %s %b"
ExtendedLog /var/log/ftp.log ALL nijin
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
<IfModule mod_tls.c>
# common settings for all virtual hosts
TLSEngine on
TLSRequired off
TLSLog /var/log/plesk/ftp_tls.log
TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none
# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired
</IfModule>
PassivePorts 50001 50100
</Global>
DefaultTransferMode binary
UseFtpUsers on
TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.
#Include directive should point to place where FTP Virtual Hosts configurations
#preserved
ScoreboardFile /var/run/proftpd_scoreboard
# Primary log file mest be outside of system logrotate province
TransferLog /var/log/plesk/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
IdentLookups off
UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.d/*.conf
This is my customized configuration file. I added ExtendedLog /var/log/ftp.log to my configuration file, but the extended log /var/log/ftp.log is not created yet. I touched this file manually, but it was no use; logs are not populating.
Any answers will be appreciated.
Update: the permissions were set to 664
Try setting non-world-writable permissions on /var/log/ftp.log, as recommended at http://www.proftpd.org/docs/directives/linked/config_ref_ExtendedLog.html
I have tested it by the following steps and it worked:
echo "ExtendedLog /var/log/ftp.log read,write" >> /etc/proftpd.conf
touch /var/log/ftp.log && chmod 644 /var/log/ftp.log
upload a test file
check the log:
root@server:/# cat /var/log/ftp.log
192.168.34.219 UNKNOWN mario [14/Jun/2017:11:38:20 +0700] "STOR Google Chrome.lnk" 226 2356
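Once the log populates, lines in the default ExtendedLog format (%h %l %u %t "%r" %s %b, which is what the answer's test line uses) are easy to turn into per-user upload accounting for review. The parser below is an added example, not part of the thread; the first sample line is the one from the answer and the remaining lines are constructed.

```python
"""Parse ProFTPD ExtendedLog lines in the default format and total bytes
uploaded per user. Added example; the first sample line is the answer's,
the others are constructed."""
import re
from datetime import datetime

# host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 14/Jun/2017:11:38:20 +0700

def parse_line(line):
    """Return a dict of fields, or None when the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # %r is the raw FTP command, e.g. 'STOR Google Chrome.lnk' (argument may
    # contain spaces, so split only on the first space)
    cmd, _, arg = m.group("request").partition(" ")
    return {
        "host": m.group("host"),
        "user": m.group("user"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "command": cmd.upper(),
        "argument": arg,
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }

def uploads_by_user(lines):
    """Bytes stored per user, counting only uploads the server acknowledged
    with a 2xx reply (failed or aborted transfers are skipped)."""
    totals = {}
    for rec in map(parse_line, lines):
        if rec and rec["command"] in ("STOR", "APPE") and 200 <= rec["status"] < 300:
            totals[rec["user"]] = totals.get(rec["user"], 0) + rec["bytes"]
    return totals

SAMPLE = [
    '192.168.34.219 UNKNOWN mario [14/Jun/2017:11:38:20 +0700] "STOR Google Chrome.lnk" 226 2356',
    '192.168.34.219 UNKNOWN mario [14/Jun/2017:11:39:02 +0700] "RETR index.html" 226 512',
    '10.0.0.7 UNKNOWN alice [14/Jun/2017:11:40:00 +0700] "STOR report.pdf" 426 0',
    '10.0.0.7 UNKNOWN alice [14/Jun/2017:11:41:10 +0700] "STOR report.pdf" 226 88000',
    'this line is not in the expected format',
]
```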

tcl socket server for port range

I'm currently starting a Tcl socket server like this:
socket -server Server 0
This lets the operating system pick an available port to start listening on. The problem is that I don't want it to pick just any port between 1025 and 64k; instead I want to know if I can specify a range of ports. Something like this:
socket -server Server 40000-41000
And then the operating system would pick an available port between 40000 and 41000 for the server to listen on. Is there a way to do this? I can't find it in the Tcl API, but is there some nice API call way to do it rather than iterating through the port range until finding an available port?
The OS itself doesn't provide an API capable of doing that, and Tcl doesn't wrap one up for you as it is actually a pretty rare requirement. Conventionally, servers either listen on specific ports (so clients can know exactly what service to ask for; e.g., 21 for FTP, 22 for SSH, 25 for SMTP, 80 for HTTP, 161 for SNMP, 443 for HTTPS, 993 for secure IMAP) or the clients have some other way of being told what to ask for and genuinely any port will do (0 is the special "pick a card, any card" address). You can ask a Tcl server socket what port it is actually using with fconfigure:
set portNumber [lindex [fconfigure $socket -sockname] 2]
But to get a server socket on a port in a specific range? No API for that. We have to cook something ourselves:
for {set port 40000} {$port <= 41000} {incr port} {
    if {![catch {
        set sock [socket -server $yourHandler $port]
    }]} then {
        break
    }
}
# If we failed...
if {![info exists sock]} {
    error "No ports free in range 40k-41k"
}
This works because failing to bind the port will make the socket creation fail (neatly, catchably) and you can then try to bind the next port. It will take a while to scan over the port range, but it will work.
It's probably neater to wrap this up in a procedure. And Tcl 8.6's try construct will make the code a little less obscure:
proc portInRange {from to handler} {
    for {set p $from} {$p <= $to} {incr p} {
        try {
            return [socket -server $handler $p]
        } on error {} continue
    }
    error "No ports free in range $from-$to"
}
No, there's no API for that.
Generally servers listen on a specific port so that the clients can find the server. So such an API is not particularly useful.
Best to just write it yourself.

Recover a TCP connection

I have a simple Python server which can handle multiple clients:
import select
import socket
import sys

host = ''
port = 50000
backlog = 5
size = 1024

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((host, port))
server.listen(backlog)

# 'input' shadows a builtin, so the list of watched descriptors is renamed
inputs = [server, sys.stdin]
running = True
while running:
    inputready, outputready, exceptready = select.select(inputs, [], [])
    for s in inputready:
        if s == server:
            # handle the server socket: accept and start watching the client
            client, address = server.accept()
            inputs.append(client)
        elif s == sys.stdin:
            # handle standard input: any line typed on stdin stops the server
            junk = sys.stdin.readline()
            running = False
        else:
            # handle all other sockets: echo back whatever the client sent
            try:
                data = s.recv(size)
            except ConnectionResetError:
                # the peer sent an RST: the kernel has already aborted the
                # connection, so treat it exactly like an orderly close
                data = b''
            if data:
                s.send(data)
            else:
                s.close()
                inputs.remove(s)
server.close()
One client connects to it and they can communicate. I have a third box from which I am sending an RST segment to the server (using Scapy). The TCP state diagram does not say whether an endpoint is supposed to try to recover a connection when it sees a RESET. Is there any way I can force the server to recover the connection? (I want it to send back a SYN so that it gets connected to the third client.)
Your question doesn't make much sense. TCP just doesn't work like that.
Re "The TCP state diagram does not say if an endpoint is supposed to try to recover a connection when it sees a RESET": RFC 793 #3.4 explicitly says "If the receiver was in any other state [than LISTEN or SYN-RECEIVED], it aborts the connection and advises the user and goes to the CLOSED state.".
An RST won't disturb a connection unless it arrives over that connection. I guess you could plausibly forge one, but you would have to know the current TCP sequence number, and you can't get that from within either of the peers, let alone a third host.
If you succeeded somehow, the connection would then be dead, finished, kaput. Can't see the point of that either.
I can't attach any meaning to your requirement for the server to send a SYN to the third host, in response to an RST from the third host, that has been made to appear as though it came from the second host. TCP just doesn't work anything like this either.
If you want the server to connect to the third host it will just have to call connect() like everybody else. In which case it becomes a client, of course.