
SantaBarbaraDataSystems

— IT happens.


Category: server configs

Notes on server configurations.

setup Firewalld

Posted on January 18, 2017 - April 12, 2017 by elijah

install firewalld:

yum install firewalld
systemctl start firewalld.service
systemctl enable firewalld.service

create zones, add rules, and attach to interfaces:

firewall-cmd --permanent --new-zone=pci-web
firewall-cmd --reload
firewall-cmd --permanent --zone=pci-web --add-service=https
firewall-cmd --permanent --zone=pci-web --add-service=ntp
firewall-cmd --zone=pci-web --permanent --change-interface=eno1

firewall-cmd --permanent --new-zone=lcl-mgt
firewall-cmd --reload
firewall-cmd --permanent --zone=lcl-mgt --add-rich-rule 'rule family="ipv4" source address="172.16.0.0/12" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept'
firewall-cmd --permanent --zone=lcl-mgt --change-interface=eno2

reload so the permanent changes reach the running firewall, then confirm:

firewall-cmd --reload
firewall-cmd --state
firewall-cmd --zone=pci-web --list-all
firewall-cmd --zone=lcl-mgt --list-all
firewall-cmd --get-active-zones

 

Posted in Centos7, Firewalld

Apache security settings

Posted on January 16, 2017 - April 12, 2017 by elijah

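Relax the framing headers so /ipa can be displayed in a frame:

<Location "/ipa">
. . .
# Defaults, disabled so the page can be framed:
# Header always append X-Frame-Options DENY
# Header always append Content-Security-Policy "frame-ancestors 'none'"
# ALLOWALL is not a standard X-Frame-Options value; browsers ignore a lone unrecognized value.
Header append X-Frame-Options ALLOWALL
# One "set" per header: a second "Header always set" for the same header replaces the first.
# frame-src limits what this page may embed; frame-ancestors controls who may frame it (* = any site).
Header always set Content-Security-Policy "frame-src 'self' *.SantaBarbaraDataSystems.com; frame-ancestors *"
</Location>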
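
To check what a browser actually does with framing headers like these, the following added example (not part of the original post) applies the HTML Standard's precedence rules to a response's headers: an enforced CSP frame-ancestors directive overrides X-Frame-Options, unknown directive names are ignored, and conflicting X-Frame-Options values block framing. The function name and the header sets are constructed for illustration.

```python
import difflib

def framing_verdict(headers):
    """Return (verdict, warnings) for one response's (name, value) header pairs.

    Follows the HTML Standard: an enforced CSP frame-ancestors directive takes
    precedence over X-Frame-Options; a lone unrecognized XFO value is ignored.
    """
    ancestor_lists, xfo, warnings = [], set(), []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for policy in value.split(","):  # one header may hold several policies
                for directive in policy.split(";"):
                    tokens = directive.lower().split()
                    if not tokens:
                        continue
                    if tokens[0] == "frame-ancestors":
                        ancestor_lists.append(tokens[1:])
                    elif difflib.get_close_matches(tokens[0], ["frame-ancestors"], cutoff=0.8):
                        warnings.append("unknown directive ignored: " + tokens[0])
        elif name.lower() == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
    if ancestor_lists:
        # Every policy must allow the embedder; an empty list behaves like 'none'.
        if any(src in ([], ["'none'"]) for src in ancestor_lists):
            return "blocked", warnings
        if all("*" in src for src in ancestor_lists):
            return "unrestricted", warnings
        return "restricted", warnings
    if len(xfo) > 1:
        # Conflicting values, e.g. "Header append" merging DENY with ALLOWALL.
        known = {"deny", "sameorigin", "allowall"}
        return ("blocked" if xfo & known else "unrestricted"), warnings
    if "deny" in xfo:
        return "blocked", warnings
    if "sameorigin" in xfo:
        return "same-origin", warnings
    return "unrestricted", warnings

# Constructed header sets (samples, not captured traffic).
MISSPELLED = [("X-Frame-Options", "ALLOWALL"),
              ("Content-Security-Policy", "frame-ancestores 'all';")]
APPENDED = [("X-Frame-Options", "DENY, ALLOWALL")]
ONE_HEADER = [("X-Frame-Options", "DENY"),
              ("Content-Security-Policy",
               "frame-src 'self' *.SantaBarbaraDataSystems.com; frame-ancestors *")]

if __name__ == "__main__":
    for label, hdrs in [("misspelled", MISSPELLED), ("appended", APPENDED), ("one header", ONE_HEADER)]:
        print(label, framing_verdict(hdrs))
```

Feed it the headers from `curl -sI` against the real location to confirm which policy is in effect after a config change.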

 

Posted in Apache, server configs

add a new IP address to a Centos7 server without network restart

Posted on August 1, 2016 - March 7, 2017 by elijah

Here’s how to add a secondary IP address to an existing network interface of a CentOS7 server. Don’t forget the config files — this won’t survive a reboot.

ip addr add 172.26.7.80/24 brd 172.26.7.255 dev team1
ip addr show team1
ip rule add from 172.26.7.80/32 table rt1
ip rule show

If you gotta roll it back:

ip addr del 172.26.7.80/24 dev team1
ip rule del from 172.26.7.80/32 table rt1

 

Posted in Centos7, networking, server configs
