Rabbitmq standalone and cluster installation

  • Install rabbitMQ in the VM. Following are the installations steps.
    ·         Verify if the earlang package is installed
  • rpm -q erlang-solutions-1.0-1.nonarch.rpm
  • wget http://packages.erlang-solutions.com/erlang-solutions-1.0-1.noarch.rpm
  • sudo wget http://packages.erlang-solutions.com/erlang-solutions-1.0-1.noarch.rpm
  • sudo yum update NOTE : use command “yum –releasever=6.7 update” if you want a specific version.
  • su -c ‘yum list rabbitmq’   Or use
  • yum install rabbitmq-server
  • sudo rpm -Uvh http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.0/rabbitmq-server-3.6.0-1.noarch.rpm
  • sudo /etc/init.d/rabbitmq-server start·
  • Uncomment the loopback line in security section of rabbitMq.config :  {loopback_users, []}ss
  • rabbitmq-plugins enable rabbitmq_management·
  • Configure port firewall rule should be in place to accept the tcp connection.
  • Use following command : lokkit –p <rabbitMQ port>:tcp , lokkit –p <rabbitMQ management port>:tcp·
  • Default guest/guest account should be disabled. Change the user and user permissions using following commands :
  • Note : password should be 16 characters , no special characters allowed and should be generated by keypass.
  • rabbitmqctl set_user_tags <username> administrator      rabbitmqctl change_password guest guest123
  • Disable the guest user by changing the password once the created user is tested.
  • rabbitmqctl add_user <username> <password>
  • Avoid use of RabbitMQ default port and configure to use our own choice. Edit the port in rabbitMq.config file. uncomment following line and edit the port : {tcp_listeners, [<rabbitMQ port>]} and {listener, [{port,    <rabbitMQ management port>}.
  • Install management console of rabbitmq using following command :
  • Copy  /usr/share/doc/rabbitmq-server/ rabbitmq.config.example in /etc/rabbitmq folder and rename it as rabbitmq.config. Edit the permissions for the file to: 666
  • sudo chkconfig rabbitmq-server on
  • sudo rpm –import http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
    for rabbitmq 3.6.*  ,require socat dependency:
    steps : sudo yum install epel-release
    sudo yum install socat
  • sudo yum install -y erlang-18.2-1.el6
  • sudo rpm -Uvh erlang-solutions-1.0-1.noarch.rpm
  • Install erlang package:
  • dowload the erlang package from web site:
  • Restart the rabbitmq server using commnad : sudo service rabbitmq_server restart.
  • Make the following changes on rabbitmq console:  Got to Admin > click on user and click on set permissions. Check the permissions of the user. It should be same as user guest.
  • Try to create new queue to check it is working fine.

 

Create RabbitMQ High Availability Cluster:

1) Stop RabbitMQ in Master and slave nodes. Ensure service is stopped properly.

/etc/init.d/rabbitmq-server stop

2) Copy the file below to all nodes from the master. This cookie file needs to be the same across all nodes.

$ sudo cat /var/lib/rabbitmq/.erlang.cookie

3) Make sure you start all nodes after copying the cookie file from the master.

Start RabbitMQ in master and all nodes.

$ /etc/init.d/rabbitmq-server start

4) Then run the following commands in all the nodes, except the master node:

$ rabbitmqctl stop_app$ rabbitmqctl reset$ rabbitmqctl start_app

5) Now, run the following commands in the master node:

$ rabbitmqctl stop_app$ rabbitmqctl reset

6) Do not start the app yet.

Open port 4369 and 25672: lokkit -p 4369:tcp -p 25672:tcp

Stop the iptables on both master and slaves.

The following command is executed to join the slaves to the cluster:

$ rabbitmqctl join_cluster rabbit@slave1 rabbit@slave2

Update slave1 and slave2 with the hostnames/IP address of the slave nodes. You can add as many slave nodes as needed in the cluster.

7) Start master app in master machine

$ rabbitmqctl start_app

8) Check the cluster status from any node in the cluster:

$ rabbitmqctl cluster_status

9) In rabbitmq management console check if you can login with previous user and have all the previous settings in place.

If not create users by following command:

rabbitmqctl add_user <username> <password>

give admin rights:

rabbitmqctl set_user_tags <username> administrator

rabbitmqctl add_vhost /

Give vhost rights by:

rabbitmqctl set_permissions -p / <username> “.*” “.*” “.*”

10) Create ha mirroring by:

rabbitmqctl set_policy ha-all “” ‘{“ha-mode”:”all”,”ha-sync-mode”:”automatic”}’This will mirror all queues.

11) Now start iptables. You will have created rabbitmq HA cluster.

pyDash – A Web Based Linux Performance Monitoring Tool

pydash is a lightweight web-based monitoring tool for Linux written in Python and Django plus Chart.js. It has been tested and can run on the following mainstream Linux distributions: CentOS, Fedora, Ubuntu, Debian, Arch Linux, Raspbian as well as Pidora.

You can use it to keep an eye on your Linux PC/server resources such as CPUs, RAM, network stats, processes including online users and more. The dashboard is developed entirely using Python libraries provided in the main Python distribution, therefore it has a few dependencies; you don’t need to install many packages or libraries to run it.

In this article, we will show you how to install pydash to monitor Linux server performance.

How to Install pyDash in Linux System

1. First install required packages: git and Python pip as follows:

-------------- On Debian/Ubuntu -------------- 
$ sudo apt-get install git python-pip
-------------- On CentOS/RHEL -------------- 
# yum install epel-release
# yum install git python-pip
-------------- On Fedora 22+ --------------
# dnf install git python-pip

2. If you have git and Python pip installed, next, install virtualenv which helps to deal with dependency issues for Python projects, as below:

# pip install virtualenv
OR
$ sudo pip install virtualenv

3. Now using git command, clone the pydash directory into your home directory like so:

# git clone https://github.com/k3oni/pydash.git
# cd pydash

4. Next, create a virtual environment for your project called pydashtest using the virtualenv command below.

$ virtualenv pydashtest #give a name for your virtual environment like pydashtest

Create Virtual Environment

Important: Take note the virtual environment’s bin directory path highlighted in the screenshot above, yours could be different depending on where you cloned the pydash folder.

5. Once you have created the virtual environment (pydashtest), you must activate it before using it as follows.

$ source /home/aaronkilik/pydash/pydashtest/bin/activate

Active Virtual Environment

From the screenshot above, you’ll note that the PS1 prompt changes indicating that your virtual environment has been activated and is ready for use.

6. Now install the pydash project requirements; if you are curious enough, view the contents of requirements.txt using the cat command and the install them using as shown below.

$ cat requirements.txt
$ pip install -r requirements.txt

7. Now move into the pydash directory containing settings.py or simple run the command below to open this file to change the SECRET_KEY to a custom value.

$ vi pydash/settings.py

Set Secret Key

Save the file and exit.

8. Afterward, run the django command below to create the project database and install Django’s auth system and create a project super user.

$ python manage.py syncdb

Answer the questions below according to your scenario:

Would you like to create one now? (yes/no): yes
Username (leave blank to use 'root'): admin
Email address: aaronkilik@gmail.com
Password: ###########
Password (again): ############

Create Project Database

9. At this point, all should be set, now run the following command to start the Django development server.

$ python manage.py runserver

10. Next, open your web browser and type the URL: http://127.0.0.1:8000/ to get the web dashboard login interface. Enter the super user name and password you created while creating the database and installing Django’s auth system in step 8 and click Sign In.

pyDash Login Interface

11. Once you login into pydash main interface, you will get a section for monitoring general system info, CPU, memory and disk usage together with system load average.

Simply scroll down to view more sections.

pyDash Server Performance Overview

12. Next, screenshot of the pydash showing a section for keeping track of interfaces, IP addresses, Internet traffic, disk read/writes, online users and netstats.

pyDash Network Overview

13. Next is a screenshot of the pydash main interface showing a section to keep an eye on active processes on the system.

pyDash Active Linux Processes

fswatch – Monitors Files and Directory Changes or Modifications in Linux

fswatch is a cross-platform, file change monitor that gets notification alerts when the contents of the specified files or directories are altered or modified.

It executes four types of monitors on different operating systems such as:

  1. A monitor build on the File System Events API of Apple OS X.
  2. A monitor based on kqueue, a notification interface present in FreeBSD 4.1 also supported on many *BSD systems, OS X inclusive.
  3. A monitor based on File Events Notification API of the Solaris kernel plus its spin-offs.
  4. A monitor based on inotify, a kernel subsystem that shows file system modifications to apps.
  5. A monitor based on ReadDirectoryChangesW, a Windows API that records alters to a directory.
  6. A monitor that regularly check that status of file system, keeps file modification times in memory, and manually determine file system changes (which works anywhere, where stat can be used).

Features of fswatch

  1. Supports several OS-specific APIs
  2. Allows recursive directory monitoring
  3. Performs path filtering using including and excluding regular expressions
  4. Supports customizable record format
  5. Additionally, it supports periodic idle events

How To Install fswatch in Linux Systems

Unfortunately, fswatch package is not available to install from the default system repositories in any Linux distributions. The only way to install the latest version of fswatch is to build from source tarball as show in the following installation instructions.

First grab the latest fswatch tarball using following wget command and install it as shown:

$ wget https://github.com/emcrisostomo/fswatch/releases/download/1.9.3/fswatch-1.9.3.tar.gz
$ tar -xvzf fswatch-1.9.3.tar.gz
$ cd fswatch-1.9.3
$ ./configure
$ make
$ sudo make install 

Important: Make sure you’ve GNU GCC (C and C++ Compiler) and Development Tools (build-essential on Debian/Ubuntu) installed on the system, before you compile fswatch from source. If not, install it using following command on your respective Linux distributions..

# yum group install 'Development Tools'		[On CentOS/RHEL]
# dnf group install 'Development Tools'		[On Fedora 22+ Versions]
$ sudo apt-get install build-essential          [On Debian/Ubuntu Versions]

On Debian/Ubuntu distributions, you might get following error while executing fswatch command..

fswatch: error while loading shared libraries: libfswatch.so.6: cannot open shared object file: No such file or directory

To fix it, you need to execute the command below, this will help refresh the links and cache to the dynamic libraries before you can start using fswatch.

$ sudo ldconfig

How do I use fswatch on Linux?

The general syntax for running fswatch is:

$ fswatch [option] [path]

On Linux, it is recommended that you use the default inotify monitor, you can list available monitors by employing the -M or - list-monitors option:

$ fswatch -M
$ fswatch --list-monitors

fswatch - List Monitors

The command below enables you to watch the changes in the current directory (/home/tecmint), with events being delivered to standard output every 4 seconds.

The -l or –-latency option allows you to set the latency in seconds, the default being 1 second.

$ fswatch -l 4 .

fswatch - Monitor Home Directory Changes

The next command monitors changes to the /var/log/auth.log file every 5 seconds:

$ fswatch -l 5 /var/log/auth.log

Using -t or --timestamp option prints the time stamp for every event, to print the time in UTC format, employ -u or --utf-time option. You can as well format time using -f or --format-time format option:

$ fswatch --timestamp /var/log/auth.log

Next, -x or --event-flags tells fswatch to print the event flags along side the event path. You can use –event-field-seperator option to print events using the particular separator.

$ fswatch --events-flags ~ /var/log/auth.log

To print the numeric value of an event indicating changes in your home directory and /var/log/auth.log file, use -n or --numeric option as below:

$ fswatch --numeric ~ /var/log/auth.log 

Perhaps you can look through the fswatch man page for detailed usage options and information:

$ man fswatch

Cloud Foundry

cloud foundry: automatic deployment of applications.

It has BOSH which communicates with the infrastructure and ensures that the systems are up aand running, health monitoring.

docker hit memory for some accounting bu can be disab

Mid-proxy server installation and configuration

This document is helpful while setting up Jumphost server(mid-proxy) and configuring it with RabbitMQ.

image2016-4-22-12-5-29

  • Each private network is (normally) dedicated to a single tenant. Within that private network, there is a jumphost that can access the other VMs within the private network. No network access is required to the jumphost from outside. This jumphost run an agent (the “AMP Jumphost” product).
  • A clustered message broker (e.g. RabbitMQ) is used send requests to the jumphost, and to receive responses from it.
  • Through this mechanism, commands are executed on VMs within the private network.
    The sequence for command execution (e.g. SSH or WinRM on a VM in the private network) is:
    1. Manual pre-configuration:
    i. The message broker cluster is pre-installed.
    ii. For a new private network, the jumphost is manually set up within private network. On startup it automatically
    subscribes to the message broker to receive the relevant requests.
    2. AMP subscribes to a response queue, ready to receive the result.
    3. AMP publishes a request to the appropriate queue on the message broker; this request describes the command to be
    executed and the response queue to use.
    4. The jumphost picks up the request, validates it, and executes it.
    5. The jumphost publishes the result to a response queue (e.g. exit status, stdout and stderr).
    6. AMP receives the response via the message broker. The AMP instances and the jumphost access the message broker via AMQP.

Step-by-step guide

  • RabbitMQ installation and configuration steps:
    1. RabbitMQ is a message bus that acts as a messaging broker – an intermediary for messaging. It gives your applications a common platform to send and receive messages, and your messages a safe place to live until received.
    2. RabbitMQ runs on the Erlang runtime, so before you can install and run RabbitMQ, you’ll need to install Erlang.
    3. Add the Erlang Solutions YUM repository:

      sudo wget http://packages.erlang-solutions.com/erlang-solutions-1.0-1.noarch.rpm 

      sudo rpm -Uvh erlang-solutions-1.0-1.noarch.rpm

    4. Install Erlang:

      redhat_release=`cat /etc/redhat-release | awk {‘print int($3)’}` 

      sudo yum install -y erlang-18.2-1.el${redhat_release}

    5. Download the signing key for the RabbitMQ YUM repository, and then download and install RabbitMQ 3.6.0 using the rpm utility:

      sudo rpm –import http://www.rabbitmq.com/rabbitmq-signing-key-public.asc

    6. You can update your yum repository to update to the latest version of RabbitMQ
      sudo yum update

    7. You can check the version of RabbitMQ in yum with the following command
      su -c ‘yum list rabbitmq’

    8. Install the rabbitmq with the following command

      yum install rabbitmq

    9. Add the rabbitmq to run on startup and start the rabbitmq service

      sudo chkconfig rabbitmq-server on
      sudo /etc/init.d/rabbitmq-server start

    10. The rabbitmq default administrator username is guest and password is guest.
    11. Nat your rabbitmq for the port 5672 externally. You will need the external IP and port in jumphost properties. This is all the configuration needed for installation of RabbitMQ.
  • Jumphost (mid-proxy) installation and configuration steps:
    1. You will have to edit limits.conf file
      sudo vi /etc/security/limits.conf
      Add the following lines in it.
      amp soft nproc 16384
      amp hard nproc 16384
      amp soft nofile 16384
      amp hard nofile 16384
    2. Reboot the machine after this step.
    3. Download jumphost by the following command:
      wget https://artifactory.cloudsoftcorp.com/artifactory/libs-release-local/io/cloudsoft/amp/jumphost/jumphost/1.0.0-20160121.1603/jumphost-1.0.0-20160121.1603-dist.tar.gz
    4. Install jumphost by unpacking the tar with the following command
      tar -zxvf  jumphost-1.0.0-20160121.1603-dist.tar.gz
    5. Make a file in /home/user/.brooklyn/ named jumphost.propertiesjumphost.id=JUMPHOST_123 
      tenant.id=TENANT_123
      messageManager.rabbitmq.host=<rabbitmq ip> 
      messageManager.rabbitmq.port=<rabbitmq port>
      messageManager.rabbitmq.username=guest
      messageManager.rabbitmq.password=guest
      messageManager.crypto.secretKey=UmFuZG9tRW5jcnlwdEtleQ==
      messageManager.crypto.initVector=UmFuZG9tSW5pdFZlY3Rvcg==
      jumphost.id, tenant.id values can be anything you want.
      messageManager.rabbitmq.host is the external ip of rabbitmqmessageManager.rabbitmq.port is the external port of rabbitmqNo other properties need to be edited.
    6. You will also need to check the value of Entropy on your jumphost server.  An entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.
          1. You can check the value of Entropy by the following command cat /proc/sys/kernel/random/entropy_avail
          2.  It is recommended for it to be more than 1000. To increase your entropy execute the following commands.
                sudo yum -y -q install rng-tools

                sudo chmod 666 /etc/sysconfig/rngd (this step to be performed only if you are not logged in as root)
                vi /etc/sysconfig/rngd
                Edit the EXTRAOPTIONS as follows           EXTRAOPTIONS=”-r /dev/urandom”
                sudo chmod 640 /etc/sysconfig/rngd (this step to be performed only if you are not logged in as root)
                sudo chkconfig rngd on
                sudo service rngd start
         3. Now check your Entropy again cat /proc/sys/kernel/random/entropy_avail. It should be increased to more than 1000.
    7. You can now launch jumphost with the following command
      cd cloudsoft-jumphost-1.0.0-20160330.1541
      ./bin/jumphost launch > /dev/null &
    8. This launches the jumphost and this is all you need to install and start your mid-proxy server.
  • Configuring AMP to route through RabbitMQ and Jumphost:
    1. Edit brooklyn.properties in the properties section of any location add the following properties for the location your jumphost is
      brooklyn.location.named.MyPrivateLocation_TAI_Test.requiresSubnetTier=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.useJcloudsSshInit=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.pollForFirstReachableAddress=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass=io.cloudsoft.amp.jumphost.ssh.client.SshProxiedTool
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.jumphost.id=JUMPHOST_123  ##jumphost.id given in jumphost.properties
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.tenant.id=TENANT_123   ##tenant.id given in jumphost.properties
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.host=<rabbitmq_ip>   ##internal rabbitmq ip
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.port=<rabbitmq_port>  ##internal rabbitmq port
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.username=guest
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.password=guest
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.crypto.secretKey=UmFuZG9tRW5jcnlwdEtleQ==
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.crypto.initVector=UmFuZG9tSW5pdFZlY3Rvcg==

    2. Save the brooklyn.properties and reload properties in console.
    3. Then you can deploy any BP via the location you have just configured. It will use RabbitMQ and jumphost to deploy the BP in the private network.
    4. Following is the list of config keys to pass for respective BPs:
      For JBoss AS 7, use httpMonitoring.enabled: false .
      For JBoss AS 6, use jmx.enabled: false .
      For Tomcat, use jmx.enabled: false .
      For MongoDB, use clientMonitoring.enabled: false (though this will not work for clustered MongoDB).
      For Riak, use httpMonitoring.enabled: false .
      For Cassandra, use thriftMonitoring.enabled: false and jmx.enabled: false .
    5. You can verify that the deployment took place via jumphost by checking if the newly created VM’s IP has been natted in sensors tab. In case of the use of jumphost the IP address will not be natted will show internal IP in sensors tab.

Security hardening for nginx (reverse proxy)

This document can be used when enhancing the security of your nginx server.

Features provided in Security Hardening for nginx server

  • In this security hardening we first update the nginx server. Its advantages are that it has SPDY 3.1 support, authentication via subrequests, SSL session ticket support, IPv6 support for DNS, PROXY protocol support. It also includes following features error logging, cache revalidation directives, SMTP pipelining, buffering options for FastCGI, improved support for MP4 streaming, and extended handling of byte-range requests for streaming and caching.

  • We also remove the SSL support and add TLS support. It used to be believed that TLS v1.0 was marginally more secure than SSL v3.0, its predecessor.  However, SSL v3.0 is getting very old and recent developments, such as the POODLE vulnerability have shown that SSL v3.0 is now completely insecure. Subsequent versions of TLS — v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0.  For example, the BEAST attack that can completely break web sites running on older SSL v3.0 and TLS v1.0 protocols. The newer TLS versions, if properly configured, prevent the BEAST and other attack vectors and provide many stronger ciphers and encryption methods.

  • We have also added SPDY support. SPDY is a two-layer HTTP-compatible protocol. The “upper” layer provides HTTP’s request and response semantics, while the “lower” layer manages encoding and sending the data. The lower layer of SPDY provides a number of benefits over standard HTTP. Namely, it sends fewer packets, uses fewer TCP connections and uses the TCP connections it makes more effectively. A single SPDY session allows concurrent HTTP requests to run over a single TCP/IP session. SPDY cuts down on the number of TCP handshakes required, and it cuts down on packet loss and bufferbloat

  • We have also added the HTTP Strict Transport Security (HSTS) support. It prevents sslstrip-like attacks and provides zero tolerance for certification problems.
  • We have also added  Deffie Helman key support. Diffie-Hellman key exchange, also called exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys on the basis of components that are never directly transmitted. That makes it a very secure key exchange and prevents man-in-middle attack.
 

Step-by-step guide

Following are the steps for security hardening of nginx server.

  1. Firstly, you will need to update the existing nginx server.
    • Login to your nginx server as root.
    • Check for the existing nginx version with the command nginx -v. The version should be > 1.5.
    • If your version is > 1.5 then goto step 2. If your version < 1.5 then execute the following commands.
    • Check if there is a file names nginx.repo in /etc/yum.repos.d/.
    • cd /etc/yum.repos.d
    • vi nginx.repo
    • Enter the following lines into the file then save it.
      [nginx]
      name=nginx repo
      baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
      gpgcheck=0
      enabled=1
    • then execute the following command yum update nginx. This will update your nginx server to the latest version.

2. Following changes need to be done in all of the .conf files of the nginx. The .conf files are  present in /etc/nginx/conf.d/ folder.

    • In the server block for port 443 disable the SSLv2 and SSLv3 protocol. To achieve this replace the line
      ssl_protocols SSLv2 SSLv3 TLSv1 with ssl_protocols TLSv1 TLSv1.1 TLSv1.2.
      SSLv2 and SSLv3 are considered to be insecure so we have to disable them and add TLS in place.
    • Next we have to add the SPDY protocol configurations. SPDY (pronounced speedy) is an open networking protocol developed primarily at 
      Google for transporting web content. SPDY manipulates HTTP traffic, with particular goals of reducing web page load latency and improving web security.
      To achieve this add the following lines before the location block in server tab.
       
      spdy_keepalive_timeout 300;spdy_headers_comp 9;
    • Below the SPDY configuration add the following lines for the HTTP Strict Transport Security (HSTS) is a web security policy mechanism 
      which helps to protect websites against protocol downgrade attacks and cookie hijacking.
       add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    • Now we have to add the Deffie Helman key into our conf files. Diffie Hellman is an algorithm used to establish a shared secret between two parties. 
      It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES.
      For that check if openssl is installed on the nginx server. If not install it by yum install openssl. 
      1. After that execute the following commands cd /etc/nginx/certs/
      2. Then execute the following command: openssl dhparam -out dhparams.pem 1024. This will generate a dhparams.pem file in your  /etc/nginx/certs/ directory.
      3. Now in your conf file comment the line which says ssl_ciphers and add the following line.ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
        DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
        ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:
        ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
        DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA’;
      4. After this line ensure you have the following configuration ssl_prefer_server_ciphers on; After this line add the following line ssl_dhparam /etc/nginx/certs/dhparams.pem;

After this save your .conf files and execute the following command-  service nginx restart. The security of your nginx server will have been increased.

Creating custom YUM repo

This page will be useful when creating your own/ custom yum repo and using it for your yum installations.

The standard RPM package management tool in Fedora, Red Hat Enterprise Linux, and CentOS is the yum package manager. Yum works quite well, if a little bit slower than other RPM package managers like apt4rpm and urpmi, but it is solid and handles dependencies extremely well. Using it with official and third-party repositories is a breeze to set up, but what if you want to use your own repository? Perhaps you manage a large computer lab or network and need to have — or want to have — certain packages available to these systems that you maintain in-house. Or perhaps you simply want to set up your own repository to share a few RPM packages.

The following are the steps to create your own repo.

Step-by-step guide

Follow these steps on server machine.

  1. Creating your own yum repository is very simple, and very straightforward. In order to do it, you need the createrepo tool, which can be found in the createrepo package, so to install it, execute as root:yum install createrepo
  2. Install Apache HTTPD. Apache will act as a server to your clients where you want to install the packages.You may need to respond to some prompts to confirm you want to complete the installation.

    yum install httpd

  3. Creating a custom repository requires RPM or DEB files. If you already have these files, proceed to the next step. Otherwise, download the appropriate versions of the rpms and their dependencies.

  4. Move your files to the web server directory and modify file permissions. For example, you might use the following commands:

    mv /tmp/repo/* /var/www/html/repos/centos/6/7

  5. After moving files, visit http://:80/repos/centos/6/7
  6. Add a user and password to your apache directory. Execute the following command.
    htpasswd -c /etc/repo repouser
    where repouser is your username and you will be prompted for the password. /etc/repo can be any location where you want to store your password file which will be created after this command.
  7. Add authentication to your apache to add security. Add the following in your /etc/httpd/conf/httpd.conf file

    AuthType Basic
    AuthName “Password Required”
    AuthUserFile /etc/repo
    Require valid-user

    /var/www/html/repos is the path of your repo where you have your rpms stored. /etc/repo is the path of your password file.

  8. Execute the following command to create your repo.
    createrepo  /var/www/html/repos/centos/6/7
  9. Add the port 80 in firewall to accept incoming requests to Apache.
    sudo lokkit -p 80:tcp
  10. Start your apache server service httpd start
    visit http://:80/repos/centos/6/7 in browser to verify that you see an index of files

Follow these steps on client machine.

  1. Rename/ delete the .repo files present in  /etc/yum.repos.d/ to xyz.repo.bak
  2. Create files on client systems with the following information and format, where hostname is the name of the web server you created in the previous step.
    vi /etc/yum.repos.d/custom.repo
    the file name can be anything you want. Your repo will be refered to from this file.
  3. Add the following data in the newly created file or you can add it in /etc/yum.conf
    [custom]
    name=CentOS-$releasever – Base
    baseurl=http://:@/repos/centos/6/7/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    enabled = 1#released updates
    [custom-updates]
    name=CentOS-$releasever – Updates
    baseurl=http://:@/repos/centos/6/7/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

    #additional packages that may be useful
    [custom-extras]
    name=CentOS-$releasever – Extras
    baseurl=http://:@/repos/centos/6/7/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

    #additional packages that extend functionality of existing packages
    [custom-centosplus]
    name=CentOS-$releasever – Plus
    baseurl=http://:@/repos/centos/6/7/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

    #contrib – packages by Centos Users
    [custom-contrib]
    name=CentOS-$releasever – Contrib
    baseurl=http://:@/repos/centos/6/7/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    Here will be repouser or the user you added, is the password you entered. For ex: repouser@PassW0rd@172.16.120.50

  4. Execute the following commands to update yum.
    yum clean all
    yum update
  5. To use your custom repo execute the following command:
    yum install packagename
    For ex. yum install tomcat6
    It will look for the packages in the newly created repo and install from there.

In case you want to add custom group to your yum repo, use the following steps:

  1. Change directory to where your repo is(i.e where your rpms are stored).Ex. if the repo is at /var/www/html/repos/centos/6/7 then

    cd  /var/www/html/repos/centos/6/7
  2. Suppose your groupinstall command is as sudo yum groupinstall test-package and the mandatory packages required are yum and glibc and optional package is rpm

    yum-groups-manager -n “test-package” –id=test-package –save=test-package.xml –mandatory yum glibc –optional rpm

  3. A file named test-package.xml will be created in your current working directory. Execute the following command.
    sudo createrepo -g /path/to/xml/file /path/to/repo
    Example: sudo createrepo -g /var/www/html/repos/centos/6/7/test-package.xml /var/www/html/repos/centos/6/7