scripting | foxpa.ws

Once your hosting clients are all settled in you may find one day that you need to change their MySQL server address or other configuration parameters. Naturally it’s not going to look good on you or be a very good use of your time to contact every webmaster and have them update their settings. Worse, juggling two active database servers would be a nightmare. Fortunately Oracle came up with mysql-proxy, a lightweight app that sits between your clients and MySQL server(s) which acts as a drop-in replacement for mysqld. Users connect to the proxy like they would the actual server and it transports data to and fro. You can do all sorts of neat things to the data while it’s in motion with lua scripts but that goes beyond the focus of this article.

By default mysql-proxy listens on port tcp/4040 and mysqld listens on tcp/3306. In my experience most users who come from other ISPs are already wired to use localhost as their default SQL host and I don’t want to make them have to remember the port number, which is typically defaulted in most webapps. If you’re running mysqld on the same host you’re serving web from you’ll need to change the port it listens on in /etc/mysql/my.cnf.

MySQL has a contentious age-old convention of changing “localhost” to “use the local socket” rather than resolving localhost to 127.0.0.1 and connecting via TCP. That’s because at the time the decision was made local sockets were far more efficient than using TCP, now it’s not so much an issue. We need to configure mysql-proxy to listen to a socket too or our users will have to use the numeric address, lest they encounter this error:

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

This can be specified – not all too intuitively – by replacing the proxy-address value in /etc/mysql/mysql-proxy.cnf with the default path to the local socket, thus:

proxy-address = /var/run/mysqld/mysqld.sock

Configure the proxy-backend-address variable to reflect the actual server’s location and port number. Restart mysql-proxy and you now have a working, default-looking configuration that can be redirected anywhere. Thanks to the lua capability of the proxy you can even implement fast and easy load balancing and failover, but that will be the topic of another article!

In my last post I shared a scriptlet that could be used to remote block access to your network with apache, sudo and iptables. This script suffers from the major flaw that appended iptables rules are read last and anywhere a universal ACCEPT rule preceded the script’s additions they would be ignored. Another major drawback is in the rules disappearing if the firewall is reloaded, the host is rebooted and so on. Fortunately ClearOS has an easy to use API that lets you directly manipulate its firewall properties the same way as webconfig. This script doesn’t require sudo rules or apache to be running. It DOES require ClearOS, and this is how to install it:

wget http://foxpa.ws/dist/rcleartables.php.bz2
bunzip2 rcleartables.php.bz2
mv rcleartables.php /var/webconfig/htdocs
chown webconfig: /var/webconfig/htdocs/rcleartables.php

The SSL certificate webconfig provides will probably cause problems, so call the script like this if you use wget:

wget -O - 'https://192.168.8.1:81/rcleartables.php?action=deny&name=$name&ip=$ip' --no-check-certificate >/dev/null 2>&1

Note that this script requires a name variable, it should be a unique identifier containing letters and numbers (no spaces). I keep the name and other data associated with the blocks on the client end of things so the blocks can be removed by a button that executes the script with action=remove and also take care of cleaning stale blocks by way of recorded timestamps. How you choose to extend the functionality is up to you.

<?php
/*
           # Remote Controlled iptables ClearOS API
           # June 2010 http://foxpa.ws
           # WTFPL v.2 http://foxpa.ws/wtfpl/

/// DOCUMENTATION

DANGER: Improperly configured, this script could be used by an attacker to
        block legitimate traffic.

This script adds or removes a name/IP pair pssed to it through the GET
variables "ip", "name" and "action" to or from the ClearOS Incoming Block
firewall ruleset. Valid action values are deny, and remove.
The script will exit with a 0 on error or a 1 upon successful execution.
Place the script in /var/webconfig/htdocs and chown it to webconfig.

To block an IP, one would GET request it thus:

https://address:81/rcleartables.php?action=block&ip=222.222.222.222&name=

On a successful block you would receive HTTP headers and a single 1 in the
body, or a 0 if the block was unsuccessful.

$whitelist is an array of IP addresses that should never be blocked
$allowed_clients should be an array of IP addresses allowed to have access to
this script. leave it blank to allow any host (not recommended).
$shared_secret is an optional key that can be passed to the script as an MD5
hash via GET var "key" to authenticate your application. Blank to disable.
$log_path should be the path to the specific file you would like to log actions
to. Blank to disable logging. Remember to update your log rotater's config.
*/

// CONFIGURATION
$whitelist = array();
$allowed_clients = array('');
$shared_secret = '';
$log_path = '/var/log/riptables.log';

// FUNCTIONS
function log_action($line)
{
	global $log_path, $remote_addr;
	if(!empty($log_path))
	{
		$fh = fopen($log_path, 'a');
		$date = date("Y-m-d H:i:s", time());
		fwrite($fh, "$date $remote_addr - $line\n");
		fclose($fh);
	}
}

// SANITY CHECKING
if(empty($_GET['ip']))
{
	log_action("IP not specified");
	die('0');
}
if($_GET['action'] == 'deny' and empty($_GET['name']))
{
	log_action('Rule name not specified');
	die('0');
}
$ip = $_GET['ip'];
$name = $_GET['name'];
$remote_addr = $_SERVER['REMOTE_ADDR'];
$octets = explode('.', $ip);
foreach($octets as $octet)
{
	if($octet > 255 or $octet < 0)
	{
		log_action("Invalid IP Address $ip");
		die('0');
	}
}
$ip = escapeshellcmd($ip);
if(!empty($shared_secret) and $_GET['key'] != md5($shared_secret))
{
	log_action("DANGER Invalid shared secret. Remember to encrypt your key variable with MD5.");
	die('0');
}
if(!empty($allowed_clients[0]))
{
	$valid = false;
	foreach($allowed_clients as $allowed)
	{
		if($allowed = $remote_addr)
			$valid = true;
	}
	if(!$valid)
	{
		log_action("DANGER Client is not in \$allowed_hosts array. This could be a sign of exposure.");
		die('0');
	}
}

// THE BRAINS
require_once("/var/webconfig/api/FirewallIncoming.class.php");
$fw = new FirewallIncoming();

if($_GET['action'] == 'deny')
{
	$fw->AddBlockHost($name, $ip);
	$fw->Restart();
	log_action("$ip was blocked");
	print('1');
}
elseif($_GET['action'] == 'remove')
{
	$fw->DeleteBlockHost($ip);
	$fw->Restart();
	log_action("$ip was removed");
	print('1');
}
else
{
	log_action('Invalid action parameter.');
	die('0');
}

?>

<?php
/*
# Remote Controlled iptables ClearOS API
# June 2010 http://foxpa.ws
# WTFPL v.2 http://foxpa.ws/wtfpl/

/// DOCUMENTATION

DANGER: Improperly configured, this script could be used by an attacker to
block legitimate traffic.

This script adds or removes a name/IP pair pssed to it through the GET
variables “ip”, “name” and “action” to or from the ClearOS Incoming Block
firewall ruleset. Valid action values are block, and remove.
The script will exit with a 0 on error or a 1 upon successful execution.
Place the script in /var/webconfig/htdocs and chown it to webconfig.

To block an IP, one would GET request it thus:

https://address:81/rcleartables.php?action=block&ip=222.222.222.222&name=

On a successful block you would receive HTTP headers and a single 1 in the
body, or a 0 if the block was unsuccessful.

$whitelist is an array of IP addresses that should never be blocked
$allowed_clients should be an array of IP addresses allowed to have access to
this script. leave it blank to allow any host (not recommended).
$shared_secret is an optional key that can be passed to the script as an MD5
hash via GET var “key” to authenticate your application. Blank to disable.
$log_path should be the path to the specific file you would like to log actions
to. Blank to disable logging. Remember to update your log rotater’s config.
*/

// CONFIGURATION
$whitelist = array();
$allowed_clients = array(”);
$shared_secret = ”;
$log_path = ‘/var/log/riptables.log’;

// FUNCTIONS
function log_action($line)
{
global $log_path, $remote_addr;
if(!empty($log_path))
{
$fh = fopen($log_path, ‘a’);
$date = date(“Y-m-d H:i:s”, time());
fwrite($fh, “$date $remote_addr – $line\n”);
fclose($fh);
}
}

// SANITY CHECKING
if(empty($_GET['ip']))
{
log_action(“IP not specified”);
die(’0′);
}
if($_GET['action'] == ‘block’ and empty($_GET['name']))
{
log_action(‘Rule name not specified’);
die(’0′);
}
$ip = $_GET['ip'];
$name = $_GET['name'];
$remote_addr = $_SERVER['REMOTE_ADDR'];
$octets = explode(‘.’, $ip);
foreach($octets as $octet)
{
if($octet > 255 or $octet < 0)
{
log_action(“Invalid IP Address $ip”);
die(’0′);
}
}
$ip = escapeshellcmd($ip);
if(!empty($shared_secret) and $_GET['key'] != md5($shared_secret))
{
log_action(“DANGER Invalid shared secret. Remember to encrypt your key variable with MD5.”);
die(’0′);
}
if(!empty($allowed_clients[0]))
{
$valid = false;
foreach($allowed_clients as $allowed)
{
if($allowed = $remote_addr)
$valid = true;
}
if(!$valid)
{
log_action(“DANGER Client is not in \$allowed_hosts array. This could be a sign of exposure.”);
die(’0′);
}
}

// THE BRAINS
require_once(“/var/webconfig/api/FirewallIncoming.class.php”);
$fw = new FirewallIncoming();

if($_GET['action'] == ‘deny’)
{
$fw->AddBlockHost($name, $ip);
$fw->Restart();
log_action(“$ip was blocked”);
print(’1′);
}
elseif($_GET['action'] == ‘remove’)
{
$fw->DeleteBlockHost($ip);
$fw->Restart();
log_action(“$ip was removed”);
print(’1′);
}
else
{
log_action(‘Invalid action parameter.’);
die(’0′);
}