ejohansson.se » computers

Transparent HTTP proxy in python

Erik Johansson — Tue, 06 Mar 2012 09:02:05 +0000

I recently wanted to modify a web resource that a device on my local network loads when starting. To avoid having a static local modified copy of the resource I wrote a simple transparent HTTP proxy in python using the Twisted networking engine (which btw was a joy to use) which does the modification when the resource is loaded. The code is not modular (e.g. the resource modification is hard coded in the processResponse() function) and the logging is very verbose, but if anyone is interested the code is available on github: transparent-proxy.git.

The proxy is now running on my local server which sits behind the real gateway. Besides making the device use the server as gateway and enable NAT on the server this single iptables rule is all that is needed:

iptables -t nat -A PREROUTING -s $CLIENT_IP -p tcp --dport 80 -j REDIRECT --to-port 8080

SFTP only access to server

Erik Johansson — Tue, 29 Nov 2011 10:17:16 +0000

I recently installed a NAS server in my home and wanted to give my family and relatives access to it so that they could use it as a remote backup server for photos and stuff. To keep it as secure as possible I only wanted to give them SFTP access.

(All commands below are executed as root.)

First I created a group to group them together and then added the users to that group. I choose to disable their password as I only allow logins using SSH keys.

addgroup sftponly
# Repeat the line below for each user
adduser --disabled-password --ingroup sftponly ausername

As for the upload directory I wanted them to upload their data to my raid1 volume mounted under /data/pool1. Since OpenSSH has some requirements for the permission on the directories used as chroot I created the following directory layout.

cd /data/pool1
mkdir -m 751 sftp
ln -s . sftp/home
# Repeat the lines below for each user
mkdir -m 700 sftp/ausername
chmod ausername.root sftp/ausername

The home symlink is there to make the initial SFTP directory /ausername and the sftp directory is created with 751 to disallow directory listing in the top directory.

Then, as “all components of the pathname must be root-owned directories that are not writable by any other user or group” and /data/pool1 is not root owned I created a bind mount by adding the following to /etc/fstab.

/data/pool1/sftp  /srv/sftp  bind  bind  0  0

Before the initial mount, the directory must be created.

mkdir /srv/sftp
mount /srv/sftp

Then, the final part was to configure OpenSSH by adding the following lines at the end of /etc/ssh/sshd_config.

Match Group sftponly
  ChrootDirectory /srv/sftp
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Remember to restart the server afterwards.

Handelsbanken login now works on Linux

Erik Johansson — Wed, 02 Nov 2011 08:32:59 +0000

Thanks to the hard work done by the FriBID project I was today able to login to Handelsbanken (my bank) using the card reader connected to the computer. This by following the instructions on the FriBID wiki. Good stuff!

I’m using Ubuntu 11.10 on amd64.

Faster resume with (k)ubuntu Natty

Erik Johansson — Sun, 03 Apr 2011 09:53:47 +0000

After upgrading to Kubuntu Natty beta 1 the time for resuming (from RAM) my HP ProBook 6450b has improved significant. Previously I had to wait up to a minute until the wireless card was up and running and I had Internet access. Now it’s only a matter of seconds. My Linux laptop is now fully on par with my old Apple iBook when it comes to suspend/resume (the only area where it was previously lagging).

I can’t say for sure why it’s better now, but I like to think that it’s due to Broadcom’s full-source release of their wireless drivers. Thank you Broadcom!

ELF Auxiliary Vectors

Erik Johansson — Sat, 30 Oct 2010 08:09:30 +0000

Interesting article about ELF Auxiliary Vectors. Found it after reading a comment mentioning AT_SECURE in the LWN article about glibc vulnerabilities.

Getting Licq to build with pbuilder

Erik Johansson — Sun, 26 Sep 2010 18:44:53 +0000

I wanted to test that I had specified the correct Build-Depends in my Debian package of Licq 1.5.0-rc2. It seemed like the simplest way to do this was to create a personal builder installation and build the package in that chroot.

So I did:

sudo pbuilder create --debootstrapopts --variant=buildd

Building should then be as simple as executing:

git-buildpackage --git-builder=/usr/share/doc/git-buildpackage/examples/gbp-pbuilder --git-cleaner="fakeroot debian/rules clean"

Or it should have been that simple. Unfortunately the build failed with:

Fatal: no entropy gathering module detected

After some googling and testing; the fix was to add two random devices to the chroot:

sudo pbuilder login --save-after-login
mknod -m 666 /dev/random c 1 8
mknod -m 666 /dev/urandom c 1 9
chmod 666 /dev/null
exit

(The change of permission for /dev/null was needed to avoid getting errors later in the build process.)

Git is not always better than subversion

Erik Johansson — Sat, 25 Sep 2010 08:14:53 +0000

Yesterday I wished I had used svn instead of git as VCS for Licq’s debian package, when I accidentally deleted my local git clone with lots of commits that I hadn’t pushed…

Luckily I had all the changes in a different format so I didn’t have to redo all the work, but I had to spend time trying to commit the changes in a somewhat logical way.

New GPG key

Erik Johansson — Tue, 14 Sep 2010 19:07:09 +0000

Following the instructions on how to create a new GPG key I have now created a new, more secure, GPG key. The new key’s id is 7E28522C, it’s signed with my old key and available on a key server near you.

debian/licq.git mirror on Gitorious

Erik Johansson — Sun, 18 Apr 2010 20:23:14 +0000

To get better speed and a backup I’ve set up a mirror of debian/licq.git on Gitorious.org.

I don’t really know the best way to do this, but I did it by adding the following line to hooks/post-update:

git push --mirror git@gitorious.org:licq/debian.git

This way the mirror will always be updated when I push to the “real” repository.

Get it by running

% gbp-clone --pristine-tar git://gitorious.org/licq/debian.git

or clone it on Gitorious and send me merge requests

/me is the new Debian maintainer for Licq

Erik Johansson — Thu, 14 Jan 2010 23:01:01 +0000

Update 2010-10-30: Changed the initial setup to use gbp-clone.

I’m now officially the maintainer of Licq’s Debian packages. Since I’m not a real Debian maintainer, I’m very grateful to Joel Rosdahl who is my sponsor.

Version 1.3.8-1 is coming to a mirror near you as I write this.

The package source is kept in my git repository. To build the package from the git repository, install git-buildpackage and pristine-tar then follow the instructions below.

Initial setup:

% gbp-clone --pristine-tar git://git.ejohansson.se/debian/licq.git

~~% git clone git://git.ejohansson.se/debian/licq.git licq % cd licq licq % git checkout -b pristine-tar origin/pristine-tar licq % git co master~~

To build the latest version:

licq % git-buildpackage --git-export-dir=../build-area

To build a specific version:

licq % git-buildpackage --git-export-dir=../build-area --git-export=debian/1.3.8-1

The final packages will be available in ../build-area.

Later on when you wish to update:

licq % git pull
licq % git-buildpackage ...

The next version will have qt4-gui.