Skip to content

Blog

Reverse Proxying ADFS with Nginx

In my recent trials and tribulations with ADFS 3.0, I came up against an issue where we were unable to host ADFS 3.0 with Nginx as one of the layers of reverse proxy (the closest layer to ADFS).

When a direct connection, or a cURL request, was made to the ADFS 3.0 endpoints from the machine running Nginx, all seemed well, but as soon as you actually tried to ferry requests through a proxy_pass statement, users were greeted with HTTP 502 or 503 errors.

The machine running ADFS was offering up no other web services — there was no IIS instance running, or anything like that. It had been configured correctly with a valid TLS certificate for the domain that was trusted by the certificate store on the Nginx machine.

It turns out that despite being the only HTTPS service offered on that machine through HTTP.sys, you need to explicitly configure which certificate to present by default. Apparently, requests that come via Nginx proxy_pass are missing something (the SNI negotiation?) that allows HTTP.sys to choose the correct certificate to present.

So, if and only if you are sure that ADFS is the only HTTPS service you are serving up on the inner machine, you can force the correct certificate to be presented by default, which resolves this issue and allows the Nginx reverse proxied requests to get through.

With that warning given, let’s jump in to what we need to do:

Retrieve the correct certificate hash and Application ID

netsh http show sslcert

You’ll need to note the appid and the certificate hash for your ADFS 3.0 service.

Set the certificate as the default for HTTP.sys

We’ll use netsh‘s interactive mode, as I wasn’t in the mood to figure out how to escape curly brackets on Windows’ command line!

You want the curly brackets literally around the appid, but not the certhash.

netsh
netsh> http
netsh http> add sslcert ipport=0.0.0.0:443 appid={appid-from-earlier} certhash=certhash-from-earlier

Verify the proxy_pass settings

Among other configuration parameters, we have the following in our Nginx server stanza for this service:

proxy_redirect off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header X-MS-Proxy the-nginx-machine;
proxy_set_header Host the-hostname-in-question

And, with that, we were successfully reverse proxying ADFS 3.0 with Nginx. 🙂

Pushing System Center Operations Manager Alerts to iOS and Android

I’m a huge fan of the Pushover Simple Notification Service for receiving critical alerts about the servers for which I am responsible. It’s beautifully simple — in short, it takes the ‘walled garden’ of Google or Apple’s push notification system and extends it, so that you can push any text notification you want through their API, and it’ll get to your phone.

In this post, I will share how I get critical alerts from a Microsoft System Center Operations Manager instance to Pushover.

» Read the rest of this post…

Cleaning up the IP.Board url4short mess

XDebug to the rescue…

The condensed, I-just-want-to-fix-my-site version:

On your server, try:

grep ‐ri \$mds /wherever/your/website/folder/is

to locate the injected code, and while file it resides in. You can then go into that file and remove it.

Also try re-caching all the skins and languages in the Admin Control Panel. Make sure all IP.Board updates and patches are applied to prevent the compromise happening again.

Reset your passwords and keys. Take measures to detect and continue detecting other infiltrations.

My friend Niall Brady dropped me an email, saying that some of the users of his Windows-Noob forums were reporting getting redirected to a spammy-looking site (url4short dot info) when clicking on search results to the site.

The forums run the Invision Power Board (IP.Board) software. There had been some reports of vBulletin boards being hit with this kind of spammy redirect, but fewer suggestions that this was an IPB problem. There had been a patch for a critical IPB issue released in December, but that had, obviously, been applied to the site as part of normal good practice.

Nevertheless, I was concerned. Clicking on a search engine result should definitely not be redirect somewhere other than the result page!

Without evidence that the issue was not limited to one machine, or one connection, however, it could not be ruled out that it was just malware on that visitor’s machine.

» Read the rest of this post…

Three Years of Self-Hosting

Three years ago, I made the slightly crazy decision to run this website from my own server. This page is brought to you by a four-year-old generic PC that sits under my desk and dutifully hands out the web pages of my site to anyone from anywhere on the internet that asks for them.

Over the last three years, running my own server has taught me a lot. It has given me complete freedom and control, as well as complete responsibility over my own website. The hardware, software and configuration are all my own thing — if I get it wrong, I have to fix it.

» Read the rest of this post…

Scheduled Downtime

Due to some work that is happening to our house (hot water here we come), the electricity supply will need to be turned off at some point. This means that there will be some downtime for this server during the period of Monday 11th – Wednesday 13th.

Unfortunately, I will not actually be here at the time and it is not yet clear when or for how long the downtime needs to occur. It should, however, be a relatively short downtime period; I am not expecting the server to be down the whole three days.

In any case, the machine will be safely powered down before the supply is turned off and will come back up as soon as possible.

UPDATE: In the end, it didn’t need to go down at all! Everything is still running smoothly.

One year of self-hosting!

One year ago today I announced that I would be moving my site here over to a new hosting provider. Me.

Therefore, today marks the one year anniversary of this hosting arrangement! I’m very happy I’ve had an opportunity to do this. I have learnt a lot about running a server and all the different things involved with it and doing everything myself gave me complete freedom and control over every aspect of my personal site.

There have been issues along the way, but most of those minor. A brief security scare (which I now am pretty sure was nothing, but it was all reinstalled just to be sure), a hard drive failure and one occasion where my database backups failed for a couple of months without me noticing, to mention a few!

Overall though, I’m really glad I did take the step to self-host. It is undoubtedly more work, but it is rewarding as you get complete control and I have gained very useful experience of doing things on the server end with Linux (or Unix in general).

Sadly, it’s not 365 days uptime, but as of writing the server reports “up 49 days, 3:41” which I think is pretty good.

Here’s to the server. Hopefully much more service from it to come.

Also before I go, I’d like to thank everyone back last year who updated their links over to the new domain at the time. Your prompt action in taking that step allowed me to climb back up Google with formidable pace!

Scheduled maintenance

My server (and subsequently this site) is going to be down tomorrow between 10:00 AM and 1:00 PM GMT, for scheduled maintenance. Basically a clear out the cobwebs (which is scarily literal) job, and the opportunity to double-check that everything hardware-wise is hunky-dory. Also I’ll be doing a couple of special backups so I have even higher levels of redundancy, while I get the opportunity of the server being down.

See you on the other side.

UPDATE: Completed successfully, and I didn’t break anything.

Upgraded to WordPress 2.3

It’s taken me a little while to do some testing and making sure everything is all good – but my personal blog is now upgraded to WordPress 2.3.

WPGet is also upgraded to 0.7 as well – so I’m now actually using the latest version of my own software too!

Attack of the mainstream social networks

I always sort of didn’t like mainstream social networks, to put it lightly, and never really wanted to consider using them. As it happens, I need have only had that attitude about MySpace, not the rest of them. 😉

What is my point here? Why has it been so long since the last blog post here? I’ll take those questions in the wrong order. Stuff has been pretty crazy recently – trying to fit in (literally) full-time Vaveo development, trying to keep up a post a day on FOSSwire and lots of other things has been pretty difficult. So this blog kind of comes at the bottom of the stack and never gets all that much attention. I’m sorry – a week between posts isn’t a nice place to be, but it’s all I’ve been able to do recently.

I’m still here though and doing well.

Now, to the point of this post. Well it all started when Chris decided that we may have plans to do a Facebook application for Vaveo. I have no idea whether I’m allowed to say that, but well, I just did. Sorry, Chris. 🙂

» Read the rest of this post…

Server trouble

The main 40 GB hard drive that powers this server has apparently given up the ghost. Yesterday, I woke up to check the server as normal and it had decided to remount the filesystem read-only, which is never a good sign. After rebooting (and losing my >25 days of uptime 😛 ) into my recovery environment, I was able to repair the filesystem, reboot and it worked fine.

Until about 2am this morning, when the same thing apparently happened again.

Unfortunately, that probably means the main drive is dead. There are actually two drives in this server, that 40 GB one and a 160 GB drive which important web server data is mirrored to each night (although which has question marks about stability for running a boot drive).

For now, I’ve copied everything over to the 160 GB drive until I can get a replacement main drive. Thanks to the flexibility of Linux, I simply copied the data over, rebooted off a GRUB CD-ROM, entered the boot commands for the second drive and it booted as if nothing had happened. 😉

Now, I don’t know whether to just get another drive and continue with the current setup or get two SATA drives and try doing some form of RAID. Or do that later. I don’t know.