Remove Domain on Windows Server and IIS doesn’t work

I recently took down the domain from a server, and an application running on the same server’s IIS failed afterwards. One possible cause of this is due to the application running as a domain user. The solution:

In application pools of IIS manager, change domain\user to a local account.

Here, identity would have been one of Domain\user.

AutoSSH – a Reverse Proxy Alternative

This document is best read printed out on paper.
1
Overview
I recently added another apache server to an existing infrastructure, and
I wanted it to be accessible under a similar IP as another server. Due
to the complexity of the website, it was not possible to simply do a reverse
proxy without knowing the correct settings (e.g. X-Forwarded for). Instead,
AutoSSH was used. In the end, I accessed a new port on the existing IP.
2
Work Log
Ok, I’m going to get right to the configs that I used. You want the tool, you
don’t need to know all the details.
2.1
Crontab
Here is the crontab script I used. I put this in /etc/crontab, so it has root
after the times. I only use /etc/crontab, as it’s easier to manage.

* * * * * root pgrep autossh > /dev/null || \
/usr/local/bin/autosshzm/autosshzm.sh

A few notes about this. Pgrep will search for autossh. If it doesn’t find it,
then it will try the next command. (—— is an OR). Put the bash script
wherever you want.
2.2
Bash Script
This script is obviously what the crontab calls.

#!/bin/bash
logger ” /usr/local/bin/autosshzm script started.”
#source $HOME/.bash_profile #not needed.
source $HOME/.keychain/$HOSTNAME-sh
logger ” /usr/local/bin/autosshzm sourced.”
autossh
-L 0.0.0.0:2:localhost:80 -f user@ipaddress sleep 31536000
&> /var/log/autosshzm/autosshzm.log
1#autossh -M 0 -o “ServerAliveInterval 30” -o “ServerAliveCountMax 3”
-L 0.0.0.0:2:localhost:80 user@ipaddress &>
/var/log/autosshzm/autosshzm.log
logger “auto ssh ran”

Note that the second autossh does not work, as it’s missing the sleep and
the -f command. 1 In order for this to work, you’ll also need the following
commands:

apt-get install keychain autossh

There were some more setup steps required for keychain… From stackex-
change:

25
keychain
solves this in a painless way. It’s in the repos for Debian/Ubuntu:
sudo apt-get install keychain
and perhaps for many other distros (it looks like it originated
from Gentoo).
This program will start an ssh-agent if none is running, and
provide shell scripts that can be sourced and connect the current
shell to this particular ssh-agent.
For bash, with a private key named id_rsa, add the following to
your .profile:
keychain –nogui id_rsa
This will start an ssh-agent and add the id_rsa key on the first
login after reboot. If the key is passphrase-protected, it will
also ask for the passphrase. No need to use unprotected keys
anymore! For subsequent logins, it will recognize the agent
and not ask for a passphrase again.
Also, add the following as a last line of your .bashrc:
1
Figuring this kind of stuff out can take about an hour.
2. ~/.keychain/$HOSTNAME-sh
This will let the shell know where to reach the SSH agent managed
by keychain. Make sure that .bashrc is sourced from .profile.
However, it seems that cron jobs still don’t see this. As a
remedy, include the line above in the crontab, just before
your actual command:
* * * * * . ~/.keychain/$HOSTNAME-sh; your-actual-command

The only thing that I needed to do here was
keychain –nogui id rsa
The rest of it (notes about crontab) was not required.

3
What Did NOT Work
Here’s some things I tried that did not work.

  • https://github.com/obfusk/autossh-init – This init script, didn’t do
    much for me. Remember, I’m stuck with systemd in Ubuntu 19.04… 2
  • Reverse proxy with Apache – As I said, my website 3 was too complex,
    and I didn’t want to go down that rabbit hole.
  • Starting AutoSSH in rc.local. Didn’t work.

2
The scourge of deleting software history. Keep backwards compatibility at ALL COSTS, developers.
3
Some people might call it a web application. I will not.
3

How to Factory Reset Polycom VVX 300 VOIP Phones

This is from memory and my notes, and may be incomplete, or have errors, but regardless…

Power Cycle the phone.

Hit Cancel on Boot screen (you will see an option to cancel by hitting one of the menu buttons while it’s booting).

Press 1+3+5, hold them down. NOTE: there is also a function where you can hit 3+5+7. One of these is the right one. I think it’s 1+3+5, but if that doesn’t bring you to a password prompt, try 3+5+7.

A password prompt should appear.

The password is the mac address. That is the easy part. The mac is on the phone on a sticker. The hard part is that you must enter letters in lower case. You can’t preview the letters, and since you have only a number pad, you have to understand how these interfaces typically work.

What there is, is a small icon on the menu that lets you change from numbers to upper case letters, to lower case letter, then back to numbers. So in order to change from number to lower case, you have to hit that button on the screen. And also, if you change back to numbers, you must hit the button again. So sometimes you might have to blindly hit a few keys. E.g. cat would be 1+1+1 (for c), a short pause, then 1 (for a), then whatever t is. But you can’t see the a going from a to b to c. It’s all hidden behind hashmarks for “security”. So you are blind and must press the buttons in the correct sequence. Horrible design, but the idea must be that only IT guys will ever work with the interface. They should be used to getting the short end of the administration stick, so will not be surprised. I was not be surprised, to be honest, just disappointed.

Configuration for Verizon VOIP

After you put the password in, you can factory reset, or possibly it does a factory reset automatically. Now the VOIP phone is back to its base mode. When it reboots you can now access the admin section, with the password “456”. For Verizon’s voip, the settings are:
Go somewhere in the network menus (I didn’t note where).

Enable ZTP
Server type - HTTPS
Server address - https://tlcm.sipflash.com
https://plcm.sipflash.com

Then I believe a reboot.

PrestaShop, Docker, SSL, Nginx Reverse Proxy

This is a common problem for Prestashop as viewed on the https://github.com/PrestaShop/docker and Prestashop forums. Here’s some configurations I found necessary to handle this. I was able to get it working. First off, there are a few files you need to keep in mind: The DB has two tables: ps_shop_url, ps_ssl_enabled, which must be edited manually. The nginx.conf must have the right settings (they can be the same as a wordpress reverse proxy, so start there). And it was necessary to set $_SERVER[‘HTTPS’] = ‘on’; in the prestashop_root/config/ folder under one of the defines. I used defines_custom.inc.php. I understand this is not best practice, but I got it to work. Interested users should research where it’s best to put custom edits for Prestashop. Here’s quickly some more notes:

nginx.conf:
# shopping site redirect
server {
#server tokens hides the nginx identifying itself
server_tokens off;
server_name shop.mysite.com;
listen 80;

 

location ^~ /.well-known {
alias /var/www/html/.well-known/;
#autoindex on;
}
location / {
##** nginx redirect ALL http requests to https ** ##
return 301 https://$server_name$request_uri;
#from gist mentioned below
#rewrite ^ https://$host$request_uri? permanent;

}
}

server {
#server tokens hides the nginx identifying itself
server_tokens off;
server_name shop.mysite.com;
#listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

location / {
proxy_redirect off;
proxy_pass http://prestashop;

#these were from wp, but not usable here, according to:
#https://gist.github.com/chroriginal/8d8ea7d284bcc42055a6ba18c04aeccf
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

#this was from gist, but doesn't work.
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $http_host;
#proxy_set_header X-Forwarded-Proto https;




#from git issues tracker
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;

}

}


Here is the docker-compose.yml:

version: '3'


services:
  nginx:
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - /etc/letsencrypt/:/etc/letsencrypt/
      - ./webroot/:/var/www/html/
    ports:
#be careful with these. Port 80 on container side must match nginx listen port. the host side port, is only for the docker proxy.
      - 80:80
      - 443:443

    restart: always
#    command: [nginx-debug, '-g', 'daemon off;']

  db_prestashop:
    image: mysql:5.7
    environment:
      - MYSQL_ROOT_PASSWORD=xxxxxx
      - MYSQL_USER=xxxxxx
      - MYSQL_PASSWORD=xxxxxx
      - MYSQL_DATABASE=prestashop
    volumes:
      - ./db_data_presta:/var/lib/mysql
      - ./db_conf_presta:/etc/mysql/
    restart: always

  prestashop:
    depends_on:
        - db_prestashop
    image: 'prestashop/prestashop'
    volumes:
       - ./presta_root:/var/www/html/
    environment:
      - DB_SERVER=db_prestashop
      - ADMIN_MAIL=xxxxxx
      - ADMIN_PASSWD=xxxxxx
      - VIRTUAL_HOST=https://URLHERE
      - VIRTUAL_PORT=80
      - PS_DOMAIN=https://URLHERE
      - DB_NAME=prestashop
      - DB_USER=xxxxxx
      - DB_PASSWD=xxxxxx
      restart=always

I don’t believe the DB_NAME or DB_USER variable is used in docker for prestashop. DB config is done at installation. Virtual host likewise, may not be necessary.

use prestashop
SELECT NAME, VALUE FROM ps_configuration WHERE NAME IN ('PS_SSL_ENABLED', 'PS_SSL_ENABLED_EVERYWHERE');
UPDATE ps_configuration SET VALUE = '1' WHERE NAME IN ('PS_SSL_ENABLED', 'PS_SSL_ENABLED_EVERYWHERE');
SELECT NAME, VALUE FROM ps_configuration WHERE NAME IN ('PS_SSL_ENABLED', 'PS_SSL_ENABLED_EVERYWHERE');

Also, one other change on the DB. You should ensure that your shop URL is set to be something like URL.com
You do NOT want https://URL.com in either domain or domain\_ssl in ps\_shop\_url

mysql> select * from ps_shop_url;
+-------------+---------+--------------------------+--------------------------+--------------+-------------+------+--------+
| id_shop_url | id_shop | domain                   | domain_ssl               | physical_uri | virtual_uri | main | active |
+-------------+---------+--------------------------+--------------------------+--------------+-------------+------+--------+
|           1 |       1 | shop.steaky.com | shop.steaky.com | /            |             |    1 |      1 |
+-------------+---------+--------------------------+--------------------------+--------------+-------------+------+--------+
1 row in set (0.00 sec)

Firejail and MuPDF permissions error: “X Error of failed request: GLXBadContext”

Was setting up Firejail and MuPDF on Funtoo 1.3…

$ firejail mupdf sample.pdf

Reading profile /etc/firejail/mupdf.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31753, child pid 31754
Private /etc installed in 82.08 ms
Blacklist violations are logged to syslog
Child process initialized in 235.06 ms
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast
X Error of failed request: GLXBadContext
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 6 (X_GLXIsDirect)
Serial number of failed request: 36
Current serial number in output stream: 35

Parent is shutting down, bye...

After searching around online with other MuPDF issues (issues tracker, etc. I had some other ideas.

$strace firejail mupdf sample.pdf



setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
unlink("/run/firejail/bandwidth/31761-bandwidth") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/network/31761-netmap") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/name/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/x11/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/profile/31761") = -1 ENOENT (No such file or directory)
setresuid(-1, 1000, -1) = 0
setresgid(-1, 1000, -1) = 0
getppid() = 31759
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/proc/31759/comm", O_RDONLY) = 3
read(3, "strace\n", 4095) = 7
close(3) = 0
setresuid(-1, 1000, -1) = 0
setresgid(-1, 1000, -1) = 0
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/etc/firejail/firejail.config", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=4395, ...}) = 0
read(3, "# This is Firejail system-wide c"..., 4096) = 4096
read(3, " third dimension is\n# color dept"..., 4096) = 299
read(3, "", 4096) = 0
close(3) = 0
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
stat("/bin/bash/", 0x7ffe9b611270) = -1 ENOTDIR (Not a directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=926688, ...}) = 0
access("/bin/bash", X_OK) = 0
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/home/farm/.config/firejail", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such
file or directory)
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/etc/firejail", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=32768, ...}) = 0
getdents(3, /* 566 entries */, 32768) = 22808
getuid() = 1000
geteuid() = 1000
stat("/etc/firejail/mupdf.profile/", 0x7ffe9b60f0d0) = -1 ENOTDIR (Not a directory)
access("/etc/firejail/mupdf.profile", R_OK) = 0
openat(AT_FDCWD, "/etc/firejail/mupdf.profile", O_RDONLY) = 4
getpid() = 31761
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/run/firejail/profile/31761", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
write(2, "Error: cannot create /run/fireja"..., 49Error: cannot create /run/firejail/profile/31761
) = 49
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
getpid() = 31761
unlink("/run/firejail/bandwidth/31761-bandwidth") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/network/31761-netmap") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/name/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/x11/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/profile/31761") = -1 ENOENT (No such file or directory)
exit_group(1) = ?
+++ exited with 1 +++

It looks like the error is:
write(2, “Error: cannot create /run/fireja”…, 49Error: cannot create /run/firejail/profile/31761
) = 49

Solution

In gentoo, the mupdf profile  in /etc/firejail/has

# Firejail profile for mupdf
# Description: Lightweight PDF viewer
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/mupdf.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${DOCUMENTS}

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

include /etc/firejail/whitelist-var-common.inc

caps.drop all
machine-id
net none
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
# seccomp.keep
access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsock$
shell none
tracelog

# private-bin mupdf,sh,tempfile,rm
private-dev
private-etc fonts
private-tmp

# mupdf will never write anything
read-only ${HOME}

However, the private-etc fonts will cause this error. This was found by brute force troubleshooting (delete entries from profile, until it works).

Comment it out, and MuPDF should display correctly.

now you will get:

$ firejail mupdf sample.pdf
Reading profile /etc/firejail/mupdf.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31763, child pid 31764
Blacklist violations are logged to syslog
Child process initialized in 130.35 ms
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965

and the PDF opens.