Timeline
Apr 15, 2011:
- 9:28 PM Changeset [1804] by
- Added mock configuration for Fedora 15, edited make file to use fc15-dev
- 9:18 PM Changeset [1803] by
- Creating a branch for Fedora 15 development.
Apr 13, 2011:
- 2:37 AM Changeset [1802] by
- New certs for bc and asa
Apr 11, 2011:
- 4:07 AM Changeset [1801] by
- Revert part of r1800
- 4:05 AM Changeset [1800] by
- Set permissions properly on Apache log files
Apr 4, 2011:
- 3:22 PM Changeset [1799] by
- Lower s-a's (the current primary) priority
  This isn't actually right, because it should track the current primary, but it's close enough for now.
Apr 3, 2011:
- 3:38 AM Ticket #198 (svn doesn't deal with unknown vhosts or repos well) created by
- While working on #166 (git doesn't handle unknown vhosts), I looked …
Apr 2, 2011:
- 3:58 AM Ticket #197 (Making setting up the git smart HTTP server easy) created by
- At the moment, we support read/write SVN repos and read-only git …
- 3:50 AM Changeset [1798] by
- Useful error with unknown git vhost (Trac: #166)
Mar 27, 2011:
- 8:41 PM Changeset [1797] by
- New cert for tibetforum
Mar 26, 2011:
- 9:53 AM Changeset [1796] by
- New mod_original_dst - makes Apache use original destination IP
  In a setup where requests have passed through a transparent proxy, or an iptables REDIRECT rule, the destination address of the traffic changes. The netfilter code provides an option (SO_ORIGINAL_DST) to find out the original destination address. In an Apache vhost that is IP-based instead of name-based, you may need the original address in order to match the vhost. This module causes Apache to always see the original, instead of the redirected, destination.
  Apache module written by Anders Kaseorg
  Method for obtaining the original address pointed out by Quentin Smith
  Trivial packaging updates for Scripts by Mitch Berger
Mar 25, 2011:
- 8:21 PM Changeset [1795] by
- Bump krb5 release number and rebuild for upstream update
- 7:06 PM Changeset [1794] by
- Update version in Postfix's documentation directories
  Because postfix seems to think it's okay to declare things like your config files as... well... config files, and then go and edit them anyway.
Mar 21, 2011:
- 8:30 AM Changeset [1793] by
- Pristine upstream copy of iptables-config
- 7:39 AM Changeset [1792] by
- LVS configuration for scripts-primary.mit.edu
Mar 19, 2011:
- 12:57 AM Ticket #103 (Logging into Trac takes you back to the main page) closed by
- fixed
- 12:48 AM Changeset [1791] by
- trac: Mangle HTTP_REFERER to let the login link keep you on the same page. (Merge of r1526:1528 from branches/locker-dev to trunk, from andersk)
Mar 18, 2011:
- 11:38 PM Changeset [1790] by
- trac.fcgi: Stop relying on fcgi_frontend details that Trac 0.12 will break
  In Trac 0.12, trac.web.fcgi_frontend does ‘from _fcgi import WSGIServer’ instead of ‘import _fcgi’, and also conditionally wraps dispatch_request in FlupMiddleware.
- 10:49 AM Changeset [1789] by
- Add missing backend route to not-backward
  You know, because we were sending it traffic... backward.
- 10:30 AM Changeset [1788] by
- Switch from "strict" to "loose" reverse-path filtering
  Reverse-path filtering controls what happens when you receive traffic on an interface directly claiming to be from an IP address that your routing rules indicate shouldn't be part of the network(s) directly attached to that interface. It's meant to help guard against IP spoofing. There are three legal values:
    0 - "off" - does not block anything
    1 - "strict" - blocks any traffic that "shouldn't" have arrived on this interface according to your routing rules
    2 - "loose" - blocks any traffic that "shouldn't" have arrived on any of your interfaces according to your routing rules (but allows traffic from addresses that should be on directly attached networks and arrive on the "wrong" interface); recommended for sites with asymmetric routing configurations where traffic to a given address is expected to return through a different interface than it leaves on
  A normal non-multihomed machine should usually use "strict" mode, and in fact this was a simple boolean between "off" and "strict" in older kernels through somewhere in the 2.6.20s. Back then, the kernel ANDed the value of net.ipv4.conf.all.rp_filter and net.ipv4.conf.${iface}.rp_filter, so to enable it, you needed to turn it on under both "all" and the interface hierarchy. When it became a trinary value, this logic was overlooked, so the only (undocumented) way to use "loose" mode on some interfaces and "strict" mode on others was to set rp_filter in the "all" hierarchy to the undocumented value "3". At some point in 2.6.31, the rp_filter behavior was corrected to use the max() of the "all" and interface value.
  Until now, we've been setting net.ipv4.conf.default.rp_filter to "1", which causes the interface values to be "1". The "all" value defaults to "0" on Fedora. Since the last kernel in Fedora 11 was 2.6.30.10, this means that we never actually used reverse-path filtering until we upgraded to Fedora 13, at which point we began using strict filtering without intending to have changed anything.
  This behavior is incorrect for us because we do have asymmetric routing scenarios and intend to add more. The specific example where we want this is to allow a Scripts LVS realserver to also be an LVS client. It will send traffic to the Scripts LVS-balanced IP addresses on the frontend network (eth0) because those addresses only exist on the frontend, where LVS will assign it to a given realserver to handle and forward it along. That realserver will try to respond to the requesting realserver on the backend network (eth1) because of the static routes we have installed to prefer servers talking to each other over the non-public segment. If rp_filter is in "strict" mode, this traffic will be dropped, and the scripts servers on the backend can never talk to the balanced addresses. We also want non-realserver machines on our backend network (such as not-backward) to be able to be LVS clients.
