A live demo of FlashMQ’s performance compared to other MQTT servers:
Download at www.flashmq.org and get started right away.
Smokes your problems, coughs fresh air.
Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.
Wiebe's day job is as a senior software developer and system administrator at YTEC.
In his free time, he built the free, open-source FlashMQ software. Together with Jeroen and Rowan, he is now building a managed MQTT hosting business around his open masterpiece.
Because a hacked website can easily replace GPG keys, I wanted to write down for myself what the verified fingerprints of the Salt archive keyring are:
# sha256sum /usr/share/keyrings/salt-archive-keyring.gpg
ea38e0cdbd8dc53e1af154a8d711a2a321a69f81188062dc5cde9d54df2b8c47  /usr/share/keyrings/salt-archive-keyring.gpg
# gpg /usr/share/keyrings/salt-archive-keyring.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2014-06-24 [SC]
      754A1A7AE731F165D5E6D4BD0E08A149DE57BFBE
uid           SaltStack Packaging Team <packaging@saltstack.com>
sub   rsa2048 2014-06-24 [E]
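One way to turn the values recorded above into a repeatable check, as an added example that is not part of the original post: it compares the keyring's SHA-256 with the pinned value and requires the file to hold exactly one primary key with the pinned fingerprint, so a keyring carrying an extra key fails too. The function names are made up for this example, and it assumes a GnuPG version that has `--show-keys`.

```shell
#!/bin/sh
# Pinned values copied from the post above.
PINNED_SHA256=ea38e0cdbd8dc53e1af154a8d711a2a321a69f81188062dc5cde9d54df2b8c47
PINNED_FPR=754A1A7AE731F165D5E6D4BD0E08A149DE57BFBE

# primary_fprs (hypothetical helper): read `gpg --with-colons` output on stdin
# and print the fingerprint of every primary key. The fingerprint is field 10
# of the "fpr" record that follows a "pub" record; subkey fingerprints follow
# "sub" records and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_fprs PINNED: succeed only if stdin describes exactly one primary key
# and its fingerprint equals PINNED. A keyring holding the pinned key plus an
# extra one fails, which a plain grep for the fingerprint would not catch.
check_fprs() {
    fprs=$(primary_fprs)
    [ "$fprs" = "$1" ]
}

# verify_keyring FILE: return 0 if both pins match, 1 otherwise.
verify_keyring() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$sum" != "$PINNED_SHA256" ]; then
        echo "sha256 mismatch: got ${sum:-nothing}" >&2
        return 1
    fi
    if ! gpg --show-keys --with-colons "$1" 2>/dev/null | check_fprs "$PINNED_FPR"; then
        echo "primary key fingerprint set differs from the pinned value" >&2
        return 1
    fi
    echo "keyring matches pinned sha256 and fingerprint"
}

# Run only when a keyring path is given on the command line.
if [ $# -gt 0 ]; then
    verify_keyring "$1"
fi
```

If a package update ships a re-exported keyring, the SHA-256 changes while the fingerprint pin stays valid; `check_fprs` can then be used on its own.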
Watch this demoscene style benchmark of HiveMQ, VerneMQ, Mosquitto and FlashMQ:
Just released FlashMQ version 0.8.0, a multi-threaded (multi-core) lightweight MQTT server. The latest new feature is a native authentication plugin interface for easy implementation of custom authentication and authorization.
I just fixed a very obscure error in GitLab of ‘Your password expired. Please access GitLab from a web browser to update your password.’ This error would appear during SSH operations, and in various log files in /var/log/gitlab. Also XHR requests to the server got that response.
Nowhere in the GUI was it visible that anything had expired. It’s about a GitLab instance that is linked to a Windows Active Directory.
It turned out that in Postgres table ‘users’, of hundreds of users, 5 had ‘password_expires_at’ set to somewhere in 2014. I guess in a recent update they started checking that field.
To fix it, I did:
sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h /var/opt/gitlab/postgresql -d gitlabhq_production
update users set password_expires_at = null where password_expires_at is not null;
Introducing the MQTT server that I’ve been working on, FlashMQ. I’m starting with test version 0.5.0. It’s ready for some testing and benchmarks, and of course development will continue.
Sometimes you want to mix users with and without a roaming profile. As found here, you can use Samba’s pdbedit to set the “Profile Path” to empty:
pdbedit -p= leo
Then view the results with:
pdbedit -L -v leo
I logged off the user, performed that change, renamed the directory on the server just in case, and then logged on again. It worked like a charm.
I keep forgetting which package to install in Ubuntu to get the DTDs for html, to stop xsltproc from hanging forever. So, for posterity: w3c-sgml-lib. I think it was w3c-dtd-xhtml in Ubuntu 16 and older.
On March 18th, Synacor posted about a critical Zimbra security vulnerability (CVE-2019-9670), which was quick to be exploited in the wild, and subsequently evolved to be harder to eradicate.
I’ve always had a wariness of authentication implementations by hosted applications, so I decided to block the Zimbra web mail interface using iptables (firewall), and only allow access through a separately hosted HTTP proxy which requires authentication. This way, no stray requests to API endpoints accidentally left open will be allowed. That is, almost none: I had to add exceptions to allow webdav traffic for contact and calendar synchronization. If you don’t use that, the exceptions can be left out.
Below is an example Apache configuration. Apache requires several modules to be enabled, which is an exercise left to the reader. Also, a similar proxy is easily implemented in Nginx; I just happened to have a spare Apache server.
Note that it’s best to not make the proxy the default virtual host on the web server. This avoids it being seen by IP probes. If set up properly, there is no trace visible from the outside that you’re using this proxy, and if you make it such that access to it requires the actual domain name (like mywebmail.example.net), it’s very hard for bots to see it (especially if you make the domain name a bit more unguessable).
When you access the web mail page, first you have to authenticate using old style HTTP authentication:
Anyway, here’s the proxy config:
<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
  ServerName webmail.example.net
</VirtualHost>

<VirtualHost *:443>
  ServerName webmail.example.net
  ServerAdmin webmaster@localhost

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/webmail.example.net/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/webmail.example.net/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem

  SSLProxyEngine On
  ProxyPass / https://mail.example.net/
  ProxyPassReverse / https://mail.example.net/

  # For Webdav/carddav/caldav
  <Location /dav>
    Satisfy any
    Require all granted
  </Location>

  # For Let's Encrypt
  <Location /.well-known/>
    Satisfy any
    Require all granted
  </Location>

  # For Webdav/carddav/caldav
  <Location /principals/>
    Satisfy any
    Require all granted
  </Location>

  # For Webdav/carddav/caldav
  <Location /SOGo/>
    Satisfy any
    Require all granted
  </Location>

  # For Webdav/carddav/caldav
  <Location /groupdav.php>
    Satisfy any
    Require all granted
  </Location>

  <Location />
    AuthType Basic
    AuthName "Zimbra webmail pre-login"
    AuthUserFile /etc/apache2/htpasswd/webmail
    Require valid-user

    # Exception IPs: no auth needed (for monitoring for instance)
    Require ip 1.2.3.4
  </Location>

  ErrorLog ${APACHE_LOG_DIR}/webmail.example.net/error.log
  CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined
</VirtualHost>
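Every `<Location>` exception in the config above is a path that reaches the mail server without the pre-login, so it is worth checking that the list never grows unnoticed. The script below is an added example, not part of the original post: it lists the `<Location>` blocks that contain `Require all granted` and prints any path missing from a reviewed list. The function names and the `/extra/` path in the sample are constructed for illustration.

```shell
#!/bin/sh
# Exceptions present in the proxy config above, one path per line.
REVIEWED=$(printf '%s\n' /dav /.well-known/ /principals/ /SOGo/ /groupdav.php)

# open_locations (hypothetical helper): read an Apache config on stdin and
# print the path of each <Location> block containing "Require all granted".
# <LocationMatch> blocks and Include'd files are not handled.
open_locations() {
    awk '
        tolower($1) == "<location" {
            path = $2; gsub(/[">]/, "", path); granted = 0; inside = 1; next
        }
        tolower($1) == "</location>" {
            if (inside && granted) print path
            inside = 0; next
        }
        inside && tolower($1 " " $2 " " $3) == "require all granted" { granted = 1 }
    '
}

# unexpected_open LIST: print open paths from stdin that are not in LIST.
unexpected_open() {
    open_locations | while IFS= read -r p; do
        printf '%s\n' "$1" | grep -qxF -e "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample: two exceptions, one of which was never reviewed.
sample_conf() {
    cat <<'EOF'
<Location /dav>
  Require all granted
</Location>
<Location "/extra/">
  Require all granted
</Location>
<Location />
  Require valid-user
</Location>
EOF
}

# With a file argument audit that file, otherwise the constructed sample.
if [ $# -gt 0 ]; then
    unexpected_open "$REVIEWED" < "$1"
else
    sample_conf | unexpected_open "$REVIEWED"
fi
```

Run against the real vhost file from cron or a deployment check, empty output means the unauthenticated surface is still exactly the reviewed set.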
© 2023 BigSmoke