Setup DDNS/DynDNS in OpenWrt

I serving my small homepage stokito.com directly from my router with OpenWrt Linux — thus I don’t have to pay for any hosting because the router is anyway always online. My provider gives to my router some public IP which is changes sometimes: maybe about once per week. That is fine for me but I have to change it manually. Of course I can buy a static public IP from my internet provider but my goal is to have cheapest as possible website. So I need to automatically and periodically update the DNS A record with my current IP. To solve this problem people uses Dynamic DNS (DDNS) which is de facto some pseudo protocol when router itself constantly registers it’s current IP on the DNS server. Most routers already have support of some DDNS providers where most popular are DynDNS.com and NO-IP.com or even manufactures like ASUS may have their own DDNS. Gamers and owners of IP cameras very often using this. Unfortunately my DNS registrar doesn’t support DDNS protocol so I have to use some another. A good news is that OpenWrt already have a package ddns-scripts witch supports a lot of servers. I checked almost all DDNS providers that are supported my and choose DuckDNS.org DynDNS.com looks like one of the first DDNS providers and some other even tries to implement it’s API. But it’s paid and that’s not acceptable for me to because with the same money I just can buy a static IP. NO-IP.com have some strange API problems with refreshing IP so there is even a separate script for OpenWrt `ddns-scripts_no-ip_com`. In the same time DuckDNS looks like was made by programmers for programmers. It allows to quickly register with Google account then they give you a generated random token instead of password and they have a good documentation. So the API is so simple that I even was wondered why it was created the ddns-scripts package. In fact, all what you need to do is to login to your OpenWrt LUCI admin panel, then open System / Scheduled Tasks and add the following line: «` * */4 * * * wget -4 -q -O /dev/null http://www.duckdns.org/update/{YOURDOMAIN}/{YOURTOKEN} «` i.e. each 4 hours you will send a HTTP get request to DuckDNS. Then you can check logs of cron task in syslogs: System / System Logs. For example for my domain stokito.duckdns.org: «` Mon Apr 22 18:52:00 2019 cron.info crond[12903]: USER root pid 14005 cmd wget -4 -q -O /dev/null http://www.duckdns.org/update/stokito/6c5se9d3-5220-440-b46-6873f9a «` or you can do the same with command line: «` ssh root@192.168.1.1 root@OpenWrt:~# crontab -e root@OpenWrt:~# /etc/init.d/cron enable root@OpenWrt:~# /etc/init.d/cron restart «` Here note that I enabled the cron service just to be sure. Then your router will be accessible with the new domain. For example for my domain «` $ dig stokito.duckdns.org ; DiG 9.11.5-P1-1ubuntu2-Ubuntu stokito.duckdns.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<>HEADER<<- opcode: QUERY, status: NOERROR, id: 41868 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;baba.stokito.com. IN A ;; ANSWER SECTION: stokito.com. 24 IN CNAME stokito.duckdns.org. stokito.duckdns.org. 24 IN A 77.122.189.118 ;; Query time: 212 msec ;; SERVER: 176.103.130.131#53(176.103.130.131) ;; WHEN: Mon Apr 22 23:55:45 EEST 2019 ;; MSG SIZE rcvd: 129 «` You can see that stokito.com was firstly resolved to CNAME stokito.duckdns.org. which then was resolved to IP 77.122.189.118.

Реклама

How do I set up Google Talk/Hangout in Pidgin?

Google Talk still works with XMPP so you can use Pidgin and there is an official tutorial Configure Pidgin to connect to Google Talk

But there is missing important part: you’ll get «Not Authorized» error during connect.
The problem is that Google tries to improve security so your Google/Gmail password ideally should never be entered anywere except of Google itself so no any trojan or virus can’t stole your password.
So how can you login into Google Talk without inputting a password from Google Account?
Well, you can generate another password.
Go to My Account, and in the «Sign-in & Security» column, go to Signing in to Google and then App passwords

You’ll see the «Select the app and device you want to generate the app password for.»
Select App: Mail
Select Device: Other
Then input «pidgin»
Press Generate button

Then you’ll see «Your app password for your device»

 

Copy the generated password and input it into Pidgin account and that’s it.

Nginx Plus Docker Image + lua-resty-openidc for OAuth termination

I need a Docker image with Nginx Plus and configured lua-resty-openidc to use Keycloak OAuth provider.
I made it based on this article Deploying NGINX and NGINX Plus with Docker but there was few additional non trivial steps so here is my result.
Create a folder with nginx plus repo keys (nginx-repo.crt and nginx-repo.key)
Then create a Dockerfile with the following content:

FROM ubuntu:artful

# Download certificate and key from the customer portal (https://cs.nginx.com)
# and copy to the build context
COPY nginx-repo.crt /etc/ssl/nginx/
COPY nginx-repo.key /etc/ssl/nginx/

# Install NGINX Plus
RUN set -x \
  && apt-get update && apt-get upgrade -y \
  && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates \
  && apt-get install -y lsb-release wget \
  && wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key \
  && wget -q -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx \
  && printf "deb https://plus-pkgs.nginx.com/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \
  && apt-get update && apt-get install -y nginx-plus nginx-plus-module-lua nginx-plus-module-ndk luarocks libssl1.0-dev git

RUN set -x \
  && apt-get remove --purge --auto-remove -y \
  && rm -rf /var/lib/apt/lists/*

# Forward request logs to Docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
  && ln -sf /dev/stderr /var/log/nginx/error.log

RUN luarocks install lua-resty-openidc
RUN luarocks install lua-cjson
RUN luarocks install lua-resty-string
RUN luarocks install lua-resty-http
RUN luarocks install lua-resty-session
RUN luarocks install lua-resty-jwt

EXPOSE 80

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]

Here you can see that we installing not only nginx-plus but also nginx-plus-module-lua and nginx-plus-module-ndk modules which are needed to run lua-resty-openidc.
Since open lua-resty-openidc is distributed via luarocks package manager we need to install it too and then install all needed packages via luarocks. For lua-crypto dependency you need to install libssl1.0-dev package with OpenSSL headers and for some other package we needed git, don't ask me why, I have no idea.
FYI: openidc is installed into file /usr/local/share/lua/5.1/resty/openidc.lua

Then you need to build an image with

docker build --no-cache -t nginxplus .

If you have a Docker Registry inside your company you can publish the image there:

docker tag nginxplus your.docker.registry:5000/nginxplus
docker push your.docker.registry:5000/nginxplus

Not you have an image and you can run it. All you need is to mount you server config into /etc/nginx folder. Consider you have a docker-compose.yml file with the following content:

version: '3'
services:
  gw-nginx:
    image: your.docker.registry:5000/nginxplus
    container_name: gw-nginx
    volumes:
      - ~/gateway/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
      - ~/gateway/etc/nginx/conf.d/:/etc/nginx/conf.d/
      - /etc/localtime:/etc/localtime
    ports:
      - 80:80
  gw-keycloak:
    image: jboss/keycloak
    container_name: gw-keycloak
    volumes:
      - /etc/localtime:/etc/localtime
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_USER=root
      - KEYCLOAK_PASSWORD=changeMePlease
      - PROXY_ADDRESS_FORWARDING=true

Now create a gateway folder:
mkdir ~/gateway
cd ~/gateway
And plase nginx.conf file into ~/gateway/etc/nginx/nginx.conf. The most important is to place this two lines:

...
http {
  resolver yourdnsip;
  lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
  lua_ssl_verify_depth 5;
  ...
}

For some reason without this lines Lua scripts can’t resolve upstreams.

Create ~/gateway/etc/nginx/conf.d/default.conf file and configure it as descibed in restly-openidc documentation.
Finally you can run it with docker-compose up -d command.

[Linkset] Authorization termination: OAuth reverse proxy

UPDATE Today was released Nginx Plus with a new nginx-openid-connect module.

If you are looking for Authentication Server or OAuth library then OpenID Conect implementations page is a good place to start. I chose Keycloak but also want to look on FreeIPA or https://ipsilon-project.org

Keycloak Security Proxy but I want proxy as Nginx module and I need to implement something non standard.
Also there is some an OpenID/Keycloak Proxy service https://github.com/gambol99/keycloak-proxy

For Apache web server everything is clear:
https://github.com/zmartzone/mod_auth_openidc

But I need something for Nginx .

lua-resty-openidc and it’s intro blog post written in Lua so its easier to extend (so I did for implementing of custom grant flow+ sessions + reference tokens).

https://github.com/tarachandverma/nginx-openidc written fully in C++ and this is interesting because you don’t need to enable Lua on Nginx (believe me, this can be harmful).

What is also interesting is tha module for only one purpose: to use reference tokens (opaque tokens)
https://github.com/curityio/nginx_phantom_token_module it’s written in C so no needs for additional deps.

Authentication Based on Subrequest Result

Actually Nginx already has something that can satisfy 80% of your needs:

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/

https://www.nginx.com/blog/nginx-plus-authenticate-users/
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

https://github.com/nginxinc/nginx-ldap-auth
https://redbyte.eu/en/blog/using-the-nginx-auth-request-module/
https://news.ycombinator.com/item?id=7641148

But to use the sebrequest auth your auth server should support this or you need to setup another shim proxy:
https://github.com/bitly/oauth2_proxy
and here is docker container which integrates it https://github.com/sinnerschrader/oauth-proxy-nginx

Or you can use this one which is written in Lua
https://github.com/jirutka/ngx-oauth

Bonus:
Important article from Security researcher Egor Homakov who hacked several times GitHub and Facebook:

OAuth1, OAuth2, OAuth…?

[Linkset] Payment System, Payment Gateway and Credit Card Icons

https://github.com/muffinresearch/payment-icons SVG logos in flat, mono,outline and usual variants. Has Verve credit card logo

https://github.com/gilbarbara/logos most bigest collection of logos of popular brands, not only payments systems. SVG. See their demo site https://svgporn.com/

https://github.com/simple-icons/simple-icons collection which has icons for some cryptocurrencies. SVG

https://github.com/orlandotm/payment-webfont payment system logos as font. WOFF format

https://github.com/hiqdev/payment-icons list of payment logos in different dimensions but PNG only

https://github.com/diogomachado/payments-svg SVG and has CSS sprite

https://github.com/gregoiresgt/payment-icons SVG PNG with many variants

https://github.com/goodybag/credit-card-logos
Flexible SVG credit card logo assets and CSS

https://github.com/codefoundries/material-ui-credit-card-icons Library with credit card icons for Material-UI

https://github.com/slaterjohn/payment-logos payment gateway and credit card logo icons. Available in 4 sizes. Has Bitcoin logo and Contactless Payment Logo

Вебинар: Как защитить свой сайт от хакеров если вы ленивый

Всем привет и с праздниками.
Утром проснулся и подумал: «а что ты сделал для человечества?» и вспомнил что у меня есть презентация про то как быстро улучшить безопасность сайтов для таких ламеров каким я был три года назад когда начал вникать в тему.
И я бы хотел замутить небольшой вебинарчик и чтобы закрепить я выдам домашнее задание и тем кто его выполнит подгоню каких нибудь ништячков.
В двух словах:
0. Цель вебинара: дать совсем чуть-чуть самых базовых знаний о том как делать защиту сайта и научить практическим методам защиты при этом упор только на Quick Win приёмы которые можно быстро и ненапряжно внедрить и они закроют большую часть уязвимостей. Никоим образом после этого вебинара у вас не будет понимания того как защищаться, вы будете такими же дебилами в инфо секьюрити как и прежде, но хотя бы совсем лажать не будете. Т.е. советы будут уровня «мойте руки перед едой» но на практике 90% программистов с которыми я работал даже этого не знают потому что «некогда нам, нужно тикеты закрывать и бизнес вэлью делать ведь у нас Аджайл и вообще кому мы нафиг нужны».
1. Для кого: любой веб программист любого уровня на любом языке (но пару примеров будет на PHP). Если вы шарите в теме тем более приходите: дам микрофон, буду рад услышать ваши советы и замечания.
2. Необходимые знания: базовое понимание работы HTTP, опыт вёрстки сайтов минимум год
3. Агенда:
3.0 Покажу как проверить хакнули вас или нет. Ну чтобы запугать хорошенько.
3.1 Почему ваш сайт обязательно должен отдаваться через https, как получить сертификат на халяву через Let’s Encrypt
3.2 В основном я буду рассказывать про то что такое XSS и как защищаться от него с помощью Content Security Headers (CSP). Это очень простой но супер эффективных механизм.
3.3 Как защитить пароли пользователей и как их правильно захешировать (password shadow)
3.4 Возможно подраскужу ещё чего нибудь простенького но эффективного в качестве небольшого офтопа.
4. Когда: не раньше чем через пару месяцев утром в субботу. Я сейчас очень уставший, у меня много работы и ещё я недавно стал отцом и не высыпаюсь. Время буквально краду у семьи.
5. Дисклаймер: я не секьюрити специалист а всего лишь веб программист которому немного пришлось вникнуть в тему. Моя личная цель самому себе закрепить опыт и передать вам потому что я же блин сам вашим софтом и пользуюсь. Вы собственно всё сами можете почитать и изучить просто я вам время сэкономлю.
Короче будет норм, регайтесь друзья тут или следите за бложиком.

Don’t remove folders from your app, just clear all inner files

Dear programmers, if your application uses some folders please never delete the folders and just clear all inner files instead.
Because users may symlink any folder to another disk (e.g. RAM) or chmod them with different privileges.
For example, Maven always removes a target folder when calling mvn clean install and this creates a problem for me because I mapped the target folder to RAM disk.
This is not a rule to follow, but something that you may think about during development.