Hurricane Electric IPv6 Certification Program


My IPv6 Certification Scorecard


I just got my certificate from Hurricane Electric. If you are a system administrator, you should check it out at the Hurricane Electric IPv6 Certification Program; it's useful and entertaining :) They even send you a cool t-shirt with IPv6 stuff on it for free!!!


Here is the list of the IPv6 Sages by country: IPv6 Sages By Countries


As you can see, there are only 5 IPv6 Sages in Turkey for now. Turkish sysadmins, what are you waiting for?


IPv6 Sages In ASIA

Nginx proxy_cache_bypass fastcgi_cache_bypass proxy_no_cache dont cache logged in users






Content caching is the most widely used way to speed up dynamic or static pages on a website. But what if you want your visitors to see the cached content and logged-in users (members) to get non-cached content from the backend server? This is where fastcgi_cache_bypass / fastcgi_no_cache or proxy_cache_bypass / proxy_no_cache come in.


To apply this, you need to find out which cookie your script sets when a user logs in. In my case the cookie was "mnm_key", so I used this location block to separate guests and members for caching.



location / {

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass              http://here-comes-the-ip-or-domain;

    # A non-empty mnm_key cookie (any value other than "0") marks a member:
    # do not store the response, and do not answer from the cache.
    proxy_no_cache $cookie_mnm_key;
    proxy_cache_bypass $cookie_mnm_key;
    proxy_pass_header "Set-Cookie";
    proxy_pass_header "Cookie";

    # Cache guest pages even if the backend sends Cache-Control / Expires.
    proxy_ignore_headers "Cache-Control" "Expires";

    proxy_cache_key         $uri$is_args$args;

    proxy_cache  proxy_buzz;
    proxy_cache_use_stale updating error timeout invalid_header http_500;
    proxy_cache_valid 200 5m;
    proxy_cache_valid 303 302  1s;

    error_page              502 503 /usr/local/www/nginx-dist/50x.html;
}


Notice that I used only 5 minutes for the cache refresh interval; that's because my site gets updated often and the front page needs to be recent. If your site is updated daily, you can use 1d for the valid 200 response.


Now, for guests the site is cached for 5 minutes and members see no cached content as they are being served directly from the backend.
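
How nginx decides between cache and backend for the cookie test above, as an added example (not part of the original post and not nginx code): proxy_no_cache and proxy_cache_bypass take effect only when $cookie_mnm_key is non-empty and not "0". The function names and the sample Cookie headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the proxy_no_cache / proxy_cache_bypass test on
# $cookie_mnm_key. Function names are hypothetical, inputs are constructed.

# cookie_value NAME "Cookie header" -> value of cookie NAME ("" if absent)
cookie_value() {
    printf '%s\n' "$2" | tr ';' '\n' | sed 's/^[ 	]*//' |
        awk -v n="$1" 'index($0, n "=") == 1 { print substr($0, length(n) + 2); exit }'
}

# cache_decision "Cookie header" -> BYPASS (served by the backend, not stored)
#                                or CACHE  (served from / stored in the cache)
cache_decision() {
    v=$(cookie_value mnm_key "$1")
    # nginx rule: skip the cache if the value is not empty and not "0".
    # Only the value is tested; the session itself is not validated here.
    if [ -n "$v" ] && [ "$v" != "0" ]; then
        echo BYPASS
    else
        echo CACHE
    fi
}

# Constructed sample headers: guest, member, look-alike name, edge values.
for hdr in "" "lang=tr" "lang=tr; mnm_key=9f2c1e" "xmnm_key=9f2c1e" \
           "mnm_key=0" "mnm_key="; do
    printf '%-28s -> %s\n' "[$hdr]" "$(cache_decision "$hdr")"
done
```

A login cookie whose value can legitimately be "0" or empty would be treated as a guest by this test, so check what values the application actually sets.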

Squid in front of apache or nginx password protection problem .htpasswd not working


I have been using squid to cache everything from Nginx so that I can reduce the heavy load on the server, but there has been an important problem regarding authentication.


When someone goes to a password-protected page, the server prompts for a user name and password, but even if you enter the correct information it is not accepted and the same authentication screen is prompted again.


This problem occurs because squid does not trust the upstream user/password authentication; therefore it does not accept it and the loop goes on.




Add the following to your cache_peer line in your squid.conf




And then reload squid


squid -k reconfigure


That is it, no more problems with user/password, also applies to Apache.

Haproxy To Squid, Squid To Nginx Getting Real Ip X-Forwarded-For


I have haproxy on port 82, squid on port 83 and nginx on port 81 (all on the same IP). Haproxy is sending X-Forwarded-For (we have talked about this earlier); squid is getting the correct IP, logging it and sending X-Forwarded-For to nginx.


Now all sounds good?


No, not really. Nginx can't read the correct IP from squid; instead it gets squid's IP. The squid manual says to set forwarded_for on to pass the header to backends, but the problem is that we now have multiple headers coming from different ports on the same IP.


So I thought that I could just take the header from haproxy, not from squid, so squid must not touch the header in any way.


I found the solution in the documentation


Changes in 3.1 forwarded_for

New setting options. transparent, truncate, delete.

If set to "transparent", Squid will not alter the X-Forwarded-For header in any way.

If set to "delete", Squid will delete the entire X-Forwarded-For header.

If set to "truncate", Squid will remove all existing X-Forwarded-For entries, and place itself as the sole entry.

I have just put "forwarded_for transparent" in my squid.conf, and now nginx reads and logs the correct IPs via its realip module.

The manual says this is only available in squid 3.1 and later versions, but I tested this on Squid Cache: Version 2.7.STABLE3 and it worked fine.
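
The header chain described in this post, as an added example (not code from the original post, squid or nginx): it models what X-Forwarded-For looks like after squid for each forwarded_for mode and which address nginx then logs. Assumptions: the addresses are constructed, haproxy adds the visitor address as the last entry, and nginx trusts the proxy host (set_real_ip_from) with real_ip_header X-Forwarded-For and non-recursive lookup, so it takes the last entry.

```shell
#!/bin/sh
# Added example: models the X-Forwarded-For chain haproxy -> squid -> nginx.
# Addresses are constructed; function names are hypothetical.
CLIENT=203.0.113.7   # the real visitor
PROXY=192.0.2.10     # the one host running haproxy, squid and nginx

# append_xff "header" IP -> header with IP added as the last entry
append_xff() {
    if [ -n "$1" ]; then printf '%s, %s\n' "$1" "$2"; else printf '%s\n' "$2"; fi
}

# squid_xff MODE "incoming header" PEER_IP -> header squid passes to nginx
squid_xff() {
    case "$1" in
        on)          append_xff "$2" "$3" ;;   # adds the peer it saw (haproxy)
        transparent) printf '%s\n' "$2" ;;     # header left untouched
        delete)      printf '\n' ;;            # header removed
        truncate)    printf '%s\n' "$3" ;;     # sole entry; on this single
                                               # host that is the proxy address
        *)           return 1 ;;
    esac
}

# nginx_realip "header" PEER_IP -> address nginx logs: the last entry,
# or the connecting peer when the header is missing
nginx_realip() {
    last=$(printf '%s\n' "$1" | awk -F',' '{ gsub(/[ \t]/, "", $NF); print $NF }')
    if [ -n "$last" ]; then printf '%s\n' "$last"; else printf '%s\n' "$2"; fi
}

# logged_ip MODE "X-Forwarded-For sent by the client itself" -> logged address
logged_ip() {
    from_haproxy=$(append_xff "$2" "$CLIENT")
    from_squid=$(squid_xff "$1" "$from_haproxy" "$PROXY")
    nginx_realip "$from_squid" "$PROXY"
}

for mode in on transparent delete truncate; do
    printf '%-12s -> nginx logs %s\n' "$mode" "$(logged_ip "$mode" '')"
done
# A client-supplied entry stays in front of the one haproxy adds, so it is
# not the one nginx picks:
printf 'client-sent header, transparent -> %s\n' "$(logged_ip transparent 198.51.100.99)"
```

Only "transparent" leaves the visitor address as the last entry; in every other mode nginx ends up logging the proxy host.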


Upgrading openssl and openssh to the latest version on cpanel server

Around 1 year ago, one of my cPanel servers got hacked via ssh; the intruder installed a rootkit on it, created a backdoored ssh binary and also infected almost all /usr/bin and /usr/sbin binaries. I checked everything he had done on the server and found that he used an SSL vulnerability on CentOS 4, since cPanel uses a built-in OpenSSL version which was way too old. So I decided to remove the infected ssh binaries, close all backdoors and install the latest versions of OpenSSH and OpenSSL.

Here is a short tutorial, with RPM packages built for CentOS 4.8 on x86


Install openssl


tar -xvzf openssl-0.9.8q.tar.gz
cd openssl-0.9.8q
./config --prefix=/opt/openssl shared
make && make test && make install


Recompile apache and php with the new openssl



Finally installing openssh

yum install gcc

yum install openssl-devel
yum install pam-devel
yum install rpm-build

You may need to install additional libraries. If compilation fails, use yum search "packagename" to find the required package and install it.




wget -O- | gpg --import

gpg openssh-5.6p1.tar.gz.asc

tar zxvf openssh-5.6p1.tar.gz

cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/

cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/

cd /usr/src/redhat/SPECS

perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec

The above line stops x11_askpass and gnome_askpass from being built with the openssh package; we don't need them. If this command fails, open openssh.spec with the vi editor, find the lines

%define no_x11_askpass 0 and %define no_gnome_askpass 0, and change the 0 to 1 in each

rpmbuild -bb openssh.spec

cd /usr/src/redhat/RPMS/i386

rpm -Uvh openssh*rpm

If everything goes well, you should now have the latest openssh and openssl on your cPanel server. If rpm asks for a dependency, use --nodeps (check first whether the dependency is important or not)

rpm -Uvh --nodeps openssh*rpm

service sshd restart


Important note: After upgrading and restarting ssh on the server, do not exit from the shell. Open another shell prompt and try to log in; if you can log in without any issues, then you are ready to go.

Here are the openssh packages for CentOS 4.8 x86 (sorry, I don't have 64-bit)


That's it!