Banshee, small sec feature

Mina
8 March 2015, 20:41
Hi.. Your spam regex is absolute TOSS Hugo

Mina
8 March 2015, 20:42
Well, I have tried to remove anything like ... or ' or /
Mina
8 March 2015, 20:43
Aaaarggggg, even putting everything in quote or code doesn't work -.-

I am trying to show a minor patch sigh.
Mina
8 March 2015, 20:50
/* Get MySQL Administrative user's name:
 */
$adm_user = "root";
do {
    print "Enter MySQL Admin's user name: ";
    system("/bin/stty -echo");
    $adm_user = trim(fgets(STDIN));
    system("/bin/stty echo");
    print "\n";
} while ($adm_user == "");

/* Get MySQL root password
 */
do {
    print "Enter MySQL $adm_user's password: ";
    system("/bin/stty -echo");
    $password = trim(fgets(STDIN));
    system("/bin/stty echo");
    print "\n";
} while ($password == "");

/* Connect to MySQL server
 */
ob_start();
$db = new MySQLi_connection(DB_HOSTNAME, "mysql", "$adm_user", $password);
ob_end_clean();

if ($db->connected == false) {
    exit("Can't connect to MySQL database ($adm_user@mysql).\n");
}

... and so on.
Mina
8 March 2015, 20:51
Ok so it didn't like that I said I also have studied at Delft, L n R. And some other things but ah well, never mind. I was just pointing out that the db user isn't necessarily root (that in fact, it is good practice to not even have that user). And yaddi ya.. ah well. Some other time.
Mina
8 March 2015, 20:58
hmm, I was doing a bash, obviously $adm_user=root in assignment, and you know obviously the score..I haven't checked the code more for integrity; kinda just trusted you on it :p
Hugo Leisink
9 March 2015, 09:51
Hi Mina. I got the idea of your patch and implemented it correctly in the setup script. Thanks for the idea.
mina.
9 March 2015, 13:26
No problem.. glad to be of help. You are the one who has made these immense packages ^^
Mina
22 March 2015, 02:51
Hi again Hugo.

Hmm, I just finally hammered out a 2 day bug, so to speak with what I thought was a haproxy issue or ssl issue. I did backups of configs, and servers and what not but couldn't get it to work, even if it had before. It turns out it is banshee. Despite turning off or on, the banshee toolkit, Banshee would work when going to the http{,s}://hostname/ site, but if one accesses it via a rev proxy (haproxy), a host would be passed on which is defined in the server section but led to some redirect errors which never resolves. This was regardless of ToolkitID = Banshee was on or not.

I could probably look for the offending code, unless you might already suspect where it might trigger.

Sheesh, I should have somehow noticed but I missed it because when I added the actual hostname http://non-proxy/ it kept working, hence how I missed it.

I have now half my hair and half my mind left! =p
Hugo Leisink
22 March 2015, 18:10
If you ask me, this haproxy is buggy as hell. I did some testing myself, using the reqirep option for the HTTP Host header. For some requests, the header is replaced, for others not. Seems random. Not wasting my time on this crappy shit.

What if you use Hiawatha as a reverse proxy instead of haproxy?
Mina
22 March 2015, 19:32
I think I might agree with you Hugo.

I just realised I yet again ended up debugging all day, issues with drupal and wordpress missing themes (just to test). I just now confirmed it was the haproxy doing it. If I aliased into the localhostname, it again works.

Hmm, it certainly seems like haproxy might be buggy.. or perhaps hiawatha has some stuff too which is buggy? ;p haha

Anyway.. yes I was thinking of using Hiawatha as a rev proxy, but I wasn't sure it has as many features as haproxy say.

eg. does hiawatha support only http mode, or also tcp mode (e.g. for smtp load-balancing)?

SNI _ out-of-band-checks?

If I can load-balance tcp through hiawatha, I am more than happy to cut out the haproxy (or perhaps try pound...).
Mina
22 March 2015, 19:47
ps. Another reason I chose haproxy was that it seemed to be the most viable option for websockets as I intended to test it with some chess interface. Although I don't think it works.
Mina
22 March 2015, 20:01
https://wordpress.org/support/topic/wordpress-reverse-proxy-and-wp-admin-login-issues same thing. I do recall the need to properly define some syntax when using ssl offloading. haproxy is pretty much used and proven after all. I wouldn't so quickly dismiss it without properly understanding proper configuration. That such configuration scenarios might be obscure however, might very well be true. I'll see in a week if I can solve it and let you know. I was otherwise quite happy with haproxy <-> hiawatha.

pps. with apache and cherokee, hiawatha makes sense but yet I feel a Dutch name closer to home like vlaamshead or vrieslander or boerenkees haha would be fun name.
(joking xD)
Mina
22 March 2015, 20:14
sorry for the many posts..but my guess is this has to do with the ssl endpoint. Layer 4 tcp offloading would be best possibly as I think it has to do with 'mis-matched http/https requests via client - haproxy redirect scheme - backend (drupal/wp...etc). So thus I wonder if hiawatha does tcp proxying/sni. but am on phone now.. will watch a rare tv thing today so can't test.
mina
23 March 2015, 09:42
Morning, Ok Hugo. I figured some out. not fair to blame HAProxy quite but I had made a mistake.

I used something like this:

redirect scheme https code 301 if !{ ssl_fc }
http-request add-header X-Proto https if { ssl_fc }


Instead, the correct header seems to be:

"reqadd X-Forwarded-Proto:\ https"


I used: debug on in wp (I just am testing these big beefy front ends, but prolly will dust off my old one, or continue with banshee, now that I have figured out these redirect issues).

debug: Notice: Undefined index: HTTP_X_FORWARDED_PROTO in /path/to/wordpress/wp-config.php on line ..
*when I used the incorrect header all this time*
I added this to wp-config.php:

"if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';"

I did make a mental note to change that header definition in haproxy but forgot about it till last night. I am very sorry for any extra work I caused.

Case closed I think (drupal, banshee, and so on probably also need some logic to check for that X header).

This topic has been closed.
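
The thread ends with the backend switching to HTTPS whenever X-Forwarded-Proto says so. The following is an added example, not code from the thread, Banshee or WordPress: the same check written so that a missing header raises no notice and the header is honoured only when the connection comes from the reverse proxy. The function name, the TRUSTED_PROXIES list with its placeholder addresses, and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from Banshee/WordPress.
// Placeholder addresses (assumption): list your own reverse proxy here.
const TRUSTED_PROXIES = ['127.0.0.1', '192.0.2.10'];

// Decide whether the client's original request used HTTPS.
// $server has the same shape as $_SERVER.
function request_is_https(array $server): bool
{
    // TLS terminated by this web server itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Only the proxy may vouch for the scheme; any other peer could
    // simply send X-Forwarded-Proto: https on a plain HTTP request.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return false;
    }

    // A missing header yields '' instead of an "Undefined index" notice.
    $header = $server['HTTP_X_FORWARDED_PROTO'] ?? '';

    // Assumption: repeated headers arrive comma-joined and the proxy's
    // value is appended last, so earlier client-supplied values are ignored.
    $values = array_map('trim', explode(',', $header));
    return strtolower(end($values)) === 'https';
}

// Constructed sample requests (not real traffic).
$samples = [
    'via proxy, https'       => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, no header'   => ['REMOTE_ADDR' => '192.0.2.10'],
    'client value + proxy'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https, http'],
    'direct client, spoofed' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $label => $server) {
    printf("%-24s %s\n", $label, request_is_https($server) ? 'https' : 'http');
}
```

In wp-config.php the check from the thread then becomes `if (request_is_https($_SERVER)) { $_SERVER['HTTPS'] = 'on'; }`.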