Tag: proxy

Install android studio with proxy

For the sdkmanager use the following extra options:

sdkmanager --list --verbose --no_https --proxy=http --proxy_host=<proxy_host> --proxy_port=<proxy_port>

fatal: unable to access ‘https://github.com/xxx’: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

If you are behind a proxy, try the following:

git config --global --add remote.origin.proxy ""
git config --global http.sslBackend "openssl"

How to get pip to work behind a proxy server

On Ubuntu, you can set proxy by using

export http_proxy=http://username:password@proxy:port
export https_proxy=http://username:password@proxy:port

or if you are having SOCKS error use

export all_proxy=http://username:password@proxy:port

Then run pip

sudo -E pip3 install {packageName}

The pip’s proxy parameter is, according to pip --help, in the form scheme://[user:passwd@]proxy.server:port

You should use the following:

pip install --proxy http://user:password@proxyserver:port TwitterApi

Also, the HTTP_PROXY env var should be respected.

Error : getaddrinfo ENOTFOUND registry.npmjs.org registry.npmjs.org:443

Things to try:

  1. make sure you have internet connection: ping 8.8.8.8
  2. make sure you have DNS resolver working: ping www.google.com
  3. make sure you can access registry.npmjs.org: ping registry.npmjs.org
  4. make sure you can connect via https.

Try in your browser: https://registry.npmjs.org/

Make sure you are trying to connect to:

  • registry.npmjs.org

and not to:

  • "registry.npmjs.org registry.npmjs.org:443"

 

if there is no error,try to clear cache

npm cache clean –force then try npm install

even you have any error

npm config set registry https://registry.npmjs.org/ then try npm install -g @angular/cli

Mid-proxy server installation and configuration

This document is helpful while setting up Jumphost server(mid-proxy) and configuring it with RabbitMQ.

image2016-4-22-12-5-29

  • Each private network is (normally) dedicated to a single tenant. Within that private network, there is a jumphost that can access the other VMs within the private network. No network access is required to the jumphost from outside. This jumphost run an agent (the “AMP Jumphost” product).
  • A clustered message broker (e.g. RabbitMQ) is used send requests to the jumphost, and to receive responses from it.
  • Through this mechanism, commands are executed on VMs within the private network.
    The sequence for command execution (e.g. SSH or WinRM on a VM in the private network) is:
    1. Manual pre-configuration:
    i. The message broker cluster is pre-installed.
    ii. For a new private network, the jumphost is manually set up within private network. On startup it automatically
    subscribes to the message broker to receive the relevant requests.
    2. AMP subscribes to a response queue, ready to receive the result.
    3. AMP publishes a request to the appropriate queue on the message broker; this request describes the command to be
    executed and the response queue to use.
    4. The jumphost picks up the request, validates it, and executes it.
    5. The jumphost publishes the result to a response queue (e.g. exit status, stdout and stderr).
    6. AMP receives the response via the message broker. The AMP instances and the jumphost access the message broker via AMQP.

Step-by-step guide

  • RabbitMQ installation and configuration steps:
    1. RabbitMQ is a message bus that acts as a messaging broker – an intermediary for messaging. It gives your applications a common platform to send and receive messages, and your messages a safe place to live until received.
    2. RabbitMQ runs on the Erlang runtime, so before you can install and run RabbitMQ, you’ll need to install Erlang.
    3. Add the Erlang Solutions YUM repository:

      sudo wget http://packages.erlang-solutions.com/erlang-solutions-1.0-1.noarch.rpm 

      sudo rpm -Uvh erlang-solutions-1.0-1.noarch.rpm

    4. Install Erlang:

      redhat_release=`cat /etc/redhat-release | awk {‘print int($3)’}` 

      sudo yum install -y erlang-18.2-1.el${redhat_release}

    5. Download the signing key for the RabbitMQ YUM repository, and then download and install RabbitMQ 3.6.0 using the rpm utility:

      sudo rpm –import http://www.rabbitmq.com/rabbitmq-signing-key-public.asc

    6. You can update your yum repository to update to the latest version of RabbitMQ
      sudo yum update

    7. You can check the version of RabbitMQ in yum with the following command
      su -c ‘yum list rabbitmq’

    8. Install the rabbitmq with the following command

      yum install rabbitmq

    9. Add the rabbitmq to run on startup and start the rabbitmq service

      sudo chkconfig rabbitmq-server on
      sudo /etc/init.d/rabbitmq-server start

    10. The rabbitmq default administrator username is guest and password is guest.
    11. Nat your rabbitmq for the port 5672 externally. You will need the external IP and port in jumphost properties. This is all the configuration needed for installation of RabbitMQ.
  • Jumphost (mid-proxy) installation and configuration steps:
    1. You will have to edit limits.conf file
      sudo vi /etc/security/limits.conf
      Add the following lines in it.
      amp soft nproc 16384
      amp hard nproc 16384
      amp soft nofile 16384
      amp hard nofile 16384
    2. Reboot the machine after this step.
    3. Download jumphost by the following command:
      wget https://artifactory.cloudsoftcorp.com/artifactory/libs-release-local/io/cloudsoft/amp/jumphost/jumphost/1.0.0-20160121.1603/jumphost-1.0.0-20160121.1603-dist.tar.gz
    4. Install jumphost by unpacking the tar with the following command
      tar -zxvf  jumphost-1.0.0-20160121.1603-dist.tar.gz
    5. Make a file in /home/user/.brooklyn/ named jumphost.propertiesjumphost.id=JUMPHOST_123 
      tenant.id=TENANT_123
      messageManager.rabbitmq.host=<rabbitmq ip> 
      messageManager.rabbitmq.port=<rabbitmq port>
      messageManager.rabbitmq.username=guest
      messageManager.rabbitmq.password=guest
      messageManager.crypto.secretKey=UmFuZG9tRW5jcnlwdEtleQ==
      messageManager.crypto.initVector=UmFuZG9tSW5pdFZlY3Rvcg==
      jumphost.id, tenant.id values can be anything you want.
      messageManager.rabbitmq.host is the external ip of rabbitmqmessageManager.rabbitmq.port is the external port of rabbitmqNo other properties need to be edited.
    6. You will also need to check the value of Entropy on your jumphost server.  An entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.
          1. You can check the value of Entropy by the following command cat /proc/sys/kernel/random/entropy_avail
          2.  It is recommended for it to be more than 1000. To increase your entropy execute the following commands.
                sudo yum -y -q install rng-tools
                sudo chmod 666 /etc/sysconfig/rngd (this step to be performed only if you are not logged in as root)
                vi /etc/sysconfig/rngd
                Edit the EXTRAOPTIONS as follows           EXTRAOPTIONS=”-r /dev/urandom”
                sudo chmod 640 /etc/sysconfig/rngd (this step to be performed only if you are not logged in as root)
                sudo chkconfig rngd on
                sudo service rngd start
         3. Now check your Entropy again cat /proc/sys/kernel/random/entropy_avail. It should be increased to more than 1000.
    7. You can now launch jumphost with the following command
      cd cloudsoft-jumphost-1.0.0-20160330.1541
      ./bin/jumphost launch > /dev/null &
    8. This launches the jumphost and this is all you need to install and start your mid-proxy server.
  • Configuring AMP to route through RabbitMQ and Jumphost:
    1. Edit brooklyn.properties in the properties section of any location add the following properties for the location your jumphost is
      brooklyn.location.named.MyPrivateLocation_TAI_Test.requiresSubnetTier=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.useJcloudsSshInit=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.pollForFirstReachableAddress=false
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass=io.cloudsoft.amp.jumphost.ssh.client.SshProxiedTool
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.jumphost.id=JUMPHOST_123  ##jumphost.id given in jumphost.properties
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.tenant.id=TENANT_123   ##tenant.id given in jumphost.properties
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.host=<rabbitmq_ip>   ##internal rabbitmq ip
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.port=<rabbitmq_port>  ##internal rabbitmq port
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.username=guest
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.rabbitmq.password=guest
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.crypto.secretKey=UmFuZG9tRW5jcnlwdEtleQ==
      brooklyn.location.named.MyPrivateLocation_TAI_Test.sshToolClass.messageManager.crypto.initVector=UmFuZG9tSW5pdFZlY3Rvcg==

    2. Save the brooklyn.properties and reload properties in console.
    3. Then you can deploy any BP via the location you have just configured. It will use RabbitMQ and jumphost to deploy the BP in the private network.
    4. Following is the list of config keys to pass for respective BPs:
      For JBoss AS 7, use httpMonitoring.enabled: false .
      For JBoss AS 6, use jmx.enabled: false .
      For Tomcat, use jmx.enabled: false .
      For MongoDB, use clientMonitoring.enabled: false (though this will not work for clustered MongoDB).
      For Riak, use httpMonitoring.enabled: false .
      For Cassandra, use thriftMonitoring.enabled: false and jmx.enabled: false .
    5. You can verify that the deployment took place via jumphost by checking if the newly created VM’s IP has been natted in sensors tab. In case of the use of jumphost the IP address will not be natted will show internal IP in sensors tab.

Security hardening for nginx (reverse proxy)

This document can be used when enhancing the security of your nginx server.

Features provided in Security Hardening for nginx server

  • In this security hardening we first update the nginx server. Its advantages are that it has SPDY 3.1 support, authentication via subrequests, SSL session ticket support, IPv6 support for DNS, PROXY protocol support. It also includes following features error logging, cache revalidation directives, SMTP pipelining, buffering options for FastCGI, improved support for MP4 streaming, and extended handling of byte-range requests for streaming and caching.

  • We also remove the SSL support and add TLS support. It used to be believed that TLS v1.0 was marginally more secure than SSL v3.0, its predecessor.  However, SSL v3.0 is getting very old and recent developments, such as the POODLE vulnerability have shown that SSL v3.0 is now completely insecure. Subsequent versions of TLS — v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0.  For example, the BEAST attack that can completely break web sites running on older SSL v3.0 and TLS v1.0 protocols. The newer TLS versions, if properly configured, prevent the BEAST and other attack vectors and provide many stronger ciphers and encryption methods.

  • We have also added SPDY support. SPDY is a two-layer HTTP-compatible protocol. The “upper” layer provides HTTP’s request and response semantics, while the “lower” layer manages encoding and sending the data. The lower layer of SPDY provides a number of benefits over standard HTTP. Namely, it sends fewer packets, uses fewer TCP connections and uses the TCP connections it makes more effectively. A single SPDY session allows concurrent HTTP requests to run over a single TCP/IP session. SPDY cuts down on the number of TCP handshakes required, and it cuts down on packet loss and bufferbloat

  • We have also added the HTTP Strict Transport Security (HSTS) support. It prevents sslstrip-like attacks and provides zero tolerance for certification problems.
  • We have also added  Deffie Helman key support. Diffie-Hellman key exchange, also called exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys on the basis of components that are never directly transmitted. That makes it a very secure key exchange and prevents man-in-middle attack.
 

Step-by-step guide

Following are the steps for security hardening of nginx server.

  1. Firstly, you will need to update the existing nginx server.
    • Login to your nginx server as root.
    • Check for the existing nginx version with the command nginx -v. The version should be > 1.5.
    • If your version is > 1.5 then goto step 2. If your version < 1.5 then execute the following commands.
    • Check if there is a file names nginx.repo in /etc/yum.repos.d/.
    • cd /etc/yum.repos.d
    • vi nginx.repo
    • Enter the following lines into the file then save it. 
      [nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
    • then execute the following command yum update nginx. This will update your nginx server to the latest version.

2. Following changes need to be done in all of the .conf files of the nginx. The .conf files are  present in /etc/nginx/conf.d/ folder.

    • In the server block for port 443 disable the SSLv2 and SSLv3 protocol. To achieve this replace the line
      ssl_protocols SSLv2 SSLv3 TLSv1 with ssl_protocols TLSv1 TLSv1.1 TLSv1.2.
      SSLv2 and SSLv3 are considered to be insecure so we have to disable them and add TLS in place.
    • Next we have to add the SPDY protocol configurations. SPDY (pronounced speedy) is an open networking protocol developed primarily at 
      Google for transporting web content. SPDY manipulates HTTP traffic, with particular goals of reducing web page load latency and improving web security.
      To achieve this add the following lines before the location block in server tab.
       
      spdy_keepalive_timeout 300;spdy_headers_comp 9;
    • Below the SPDY configuration add the following lines for the HTTP Strict Transport Security (HSTS) is a web security policy mechanism 
      which helps to protect websites against protocol downgrade attacks and cookie hijacking.
       add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    • Now we have to add the Deffie Helman key into our conf files. Diffie Hellman is an algorithm used to establish a shared secret between two parties. 
      It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES.
      For that check if openssl is installed on the nginx server. If not install it by yum install openssl. 
      1. After that execute the following commands cd /etc/nginx/certs/
      2. Then execute the following command: openssl dhparam -out dhparams.pem 1024. This will generate a dhparams.pem file in your  /etc/nginx/certs/ directory.
      3. Now in your conf file comment the line which says ssl_ciphers and add the following line.ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
        DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
        ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:
        ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
        DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA’;
      4. After this line ensure you have the following configuration ssl_prefer_server_ciphers on; After this line add the following line ssl_dhparam /etc/nginx/certs/dhparams.pem;

After this save your .conf files and execute the following command-  service nginx restart. The security of your nginx server will have been increased.