Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Linux

Cloudflare Apache access_log 127.0.0.1

Leave a comment

Running a standard Apache2 website behind a Cloudflare tunnel and I see that any access attempts are logged with:

127.0.0.1 - - [19/May/2026:18:40:18 +0000] "GET / HTTP/1.1" 304 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"

We’ll need to enable apache’s remoteip module, configure our apache site’s conf to include the required cloudflare header, change our apache logformat syntax, and then define the trusted cloudflare proxy IP’s. Sounds harder than it really is, so here are the commands.

Enable the Apache remoteip Module
sudo a2enmod remoteip

Update your apache site conf file
nano /etc/apache2/sites-available/000-default.conf

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName my.awesome.server
RemoteIPHeader CF-Connecting-IP
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Update the Apache LogFormat Syntax
nano /etc/apache2/apache2.conf
Search for LogFormat “%h %l %u %t “%r” %>s %O “%{Referer}i” “%{User-Agent}i”” combined
Replace with LogFormat “%a %l %u %t “%r” %>s %O “%{Referer}i” “%{User-Agent}i”” combined

Create Remote IP Trusted Proxy File
nano /etc/apache2/conf-available/remoteip.conf

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

You can grab the updated list from https://www.cloudflare.com/ips-v4/# or https://cloudflare.com/ips/

Test Apache Configuration
sudo apache2ctl configtest

Restart Apache Services
sudo apache2ctl restart

Linux

Add swap drive to linux

Leave a comment

My tiny lightsail ubuntu server is running a java-based application along with a MySQL/MariaDB database backend with a small 2GB of RAM allotment. Every 30 or so days the system would lock up and I’d have to force a stop and start from the Lightsail AWS interface.

My workaround was to schedule a monthly reboot. Then it started happening more frequently, so I changed the scheduled reboot to be weekly. But now we’re down to an almost 8 hour maximum uptime before it locks up. Great.

Running free I see that there’s no swap. Probably a RAM usage issue from the database side, so I need to run the following:

fallocate -l 2G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile && sed -i '$ a\/swapfile swap swap defaults 0 0' /etc/fstab

Linux, Microsoft, Miscellaneous

Schedule WinSCP Folder Sync

Leave a comment

WinSCP is one of those tools that makes my Windows-life much more useful. I was originally planning on using syncthing, but for my purposes this was proving to be not a great match.

I needed to copy files from our Windows/Samba shares over to the paperless-ngx server I recently spun up (side note, this is amazing for saving shipping docs, customer PO’s, and other pdfs the org creates). Unfortunately, paperless-ngx will delete the uploaded PDF (located in the consume directory) once it’s been ingested into the system. This tells syncthing “hey, the file is missing, so re-upload it”. Repeat. The good thing is that paperless will NOT keep adding the files as duplicates. The bad thing is that the files now live in several places, eating up precious disk space.

I also did not want non-PDF’s to appear in paperless. Since this was a new project, I also didn’t want to copy any documents older than 30 days (we have 8+ years of archival data). Enter winscp.com – not the URL, but the CLI application.

I created a batch file with the following – obviously change to fit your needs. I should note that SCP requires the hostkey to be setup; this can be found by using the WinSCP GUI, connecting to the paperless-ngx server, and then right-click on the connection tab and select “Generate session URL/code” (it also provides the basis for the script below).

@echo off

"C:\Program Files (x86)\WinSCP\WinSCP.com" ^
/log="C:\temp\Winscp_ShippingComputer_Sync.log" /ini=nul ^
/command ^
"open scp://USERNAME:PASSWORD@10.101.110.16/ -hostkey=""ssh-ed25519 255 03rzYT4K2ufZ2yY3cG4Z5/thG8/dB3UbTi9F7ja9uHY""" ^
"synchronize remote "Y:\Shipping_Scans" "/home/linuxuser/paperless-ngx/consume" -rawtransfersettings ExcludeHiddenFiles=1 -filemask=""*.pdf>=30D""" ^
"exit"

set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
echo Success
) else (
echo Error
)

exit /b %WINSCP_RESULT%

Linux

Add Disk Space Ubuntu Server

Leave a comment

Using Ubuntu 22.04LTS on my proxmox system.

Added 70GB to my 30GB partition for a total of 100GB – used the Proxmox GUI to handle this change.

Logged into the Ubuntu VM (CLI Only)
Verify my disk (sda) shows 100GB and my partition (sda3) shows 30GB
lsblk

Verify /dev/mapper with df -h (needed for lvextend below, see example)

FDISK
fdisk /dev/sda
p
d
3
n
3
w

p to verify the partitions, although this also shows in lsblk. d to delete, selecting 3. n for new partition, 3, start and end are defaults to fill the disk. w to write the changes. MAKE SURE YOU DON’T SELECT TO DELETE THE LVM SIGNATURE OTHERWISE YOUR DATA MAY BE LOST.

Resize the partition table in LVM
pvresize /dev/sda3

Extend the logical volume in LVM
lvextend -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv

Resize the filesystem for Ubuntu
resize2fs /dev/mapper/ubuntu–vg-ubuntu–lv

Linux, Networking

U6 Pro Unifi Not Updating

Leave a comment

I’ve had many access points from Unifi over the years. Updating from the controller is generally a painless operation, and only rarely have I ever needed to utilize the CLI to make any changes (mostly set-inform related).

However, when attempting to update the firmware of my Unifi systems (U6-Pro, US-24-250W, US-8-60W, UAP-nanoHD, and U6-Pro), I got stuck on the U6-Pro. I would click on upgrade the firmware and then the access point would get stuck on the blue/white blinking LED for hours. I even let it sit there overnight just to see. For the record, I was attempting to upgrade from 6.0.14 to 6.0.15 at the time, and it was not happy. Unplugging from power and then plugging back in would get me back to the 6.0.14 version, so no harm no foul.

I figured it would get fixed with a new release of the controller as well as a firmware release to 6.0.18. Wrong. Same issue. I even attempted to CLI it by logging in via SSH and running the “upgrade https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin” command. No dice. Hard reboot and it’s back on 6.0.14.

Swannman had the same issue posted on the unifi forms, and UI-Glenn gave an updated command for me to try:

curl https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin -o /tmp/fwupdate.bin && fwupdate.real -m &

Magically this worked and the controller reads it just fine. Posting for future sake of my sanity.

Linux

OPNSense Booting.. Stuck

Leave a comment

Trying to install OPNSense on an older Alibaba system I had laying around, and I noticed that I couldn’t install due to the system freezing at the “Booting…” prompt (post kernel loading).

When booting, press “3” to Escape to loader prompt.

  • Type set kern.vty=sc
  • Press enter
  • Type boot
  • Press enter

Assuming the system boots and you can install, you’ll have to edit a file in the /boot directory to get the system to boot with future restarts.

  • cd /boot; press enter
  • vi loader.conf.local; press enter
  • i
  • kern.vty=sc
  • Press esc
  • :wq!; press enter

I should note that this fix was permanent between reboots and updates until just recently; patched a remote system of similar specs and it required the creation of the loader.conf.local file again.

Linux, Miscellaneous

HAProxy and Kace SMA

Leave a comment

Running Kace SMA (K1000) version 11.0.273. Wanted to run it behind a reverse proxy so it wasn’t directly exposed to the internet. Generally speaking, you really don’t want things like webservers directly exposed to the internet for obvious reasons, but KACE has been really adamant about security and running it in a DMZ and it hasn’t had any known intrusions to date.

In any case, I decided to move it out of the DMZ and run HAProxy in its place. I have my outside-of-this-documents-scope reasons. However, KACE SMA 10.x didn’t play nicely with reverse proxies even with legit SSL’s installed (you can read about konea certificates vs web ones on the kace support pages).

Upgraded to version 11 and from there it splits into two – konea certificates are unpublished but necessary, and then our web certificates for all other traffic. And yes, all traffic does terminate to port 443, but the konea side changes to a new port.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        lua-load        /etc/haproxy/acme-http01-webroot.lua

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE>
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01


frontend sma
#       bind *:443 ssl crt /etc/letsencrypt/live/pem/
        bind *:443
        tcp-request inspect-delay 5s
#       tcp-request content capture req.ssl_sni len 25
        tcp-request content accept if { req_ssl_hello_type 1 }


        use_backend sma_agent if { req_ssl_sni konea }
        use_backend sma_webui if { req_ssl_sni mykacesite.domain.tld }
        default_backend sma_webui

backend sma_webui
        server sma_apache 10.130.20.6:443

backend sma_agent
        server sma_koneas 10.130.20.6:52230

I should point out that I also am utilizing letsencrypt for the web portion, however, by switching to tcp mode instead of http it bypasses that requirement. TCP mode is REQUIRED for the konea portion to actually function.