serverfault.com

I recently set up a fedora 44 server in a home lab. I started Apache on it and installed php and php-fpm. I put in /var/www/html a PHP website (SPIP). All the files and folders of the website are owned by the apache user and have the security context system_u:object_r:httpd_sys_content:s0, except a few folders that have the system_u:object_r:httpd_sys_rw_content:s0 context. I wanted to check if SELinux was indeed limiting the actions of an intruder should the worst happen. In order to test this, I put a simple webshell at the base of the /var/www/html folder. It calls the PHP function system with whatever you sent to the webshell as an argument. The webshell has the same security context as the other files. To my surprise, the webshell runs smoothly, I can call binaries like sleep or touch. I had a look at the process tree and noticed that, when a command is

User Identity: [email protected] (and [email protected]) Source Project: sbr-coach-prod (Project Number: 8943596778866) Destination Org: beaconsfield-enterprises.com (Org ID: 13164570922) The Issue Attempting to migrate the project sbr-coach-prod from a "No Organization" (standalone) state into the Beaconsfield Organization. Despite having all required IAM roles and modifying Organization Policies, the move fails with Permission Denied (error: resourcemanager.projects.update). Steps Already Taken IAM Roles Assigned (Destination Org Level) The following roles were granted to the Beaconsfield identity at the Organization level: Organization Administrator Project Creator Project Mover Folder Admin Project Billing Manager IAM Roles Assigned (Project Level) To satisfy the "handshake," the Beaconsfield identity was invited to the sbr-coach-prod pro

I face the following error while trying to pull an image error pulling image configuration: Get "https://docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com/registry-v2/docker/registry/v2/blobs/sha256/e1/e1ace0ff02a53cac14dcec3a648b8b36e7212da8bdfc152442efbde66b70bc36/data?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=f1baa2dd9b876aeb89efebbfc9e5d5f4%2F20260501%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20260501T152452Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=e95252d07f6684c971f1d9706232fda6279a02fd0efacf7268d6393ff604c66a": net/http: TLS handshake timeout

I spent a lot of time defining these rules but they are not working. Something is wonky. I have 2 a records on my first host (which is not hostinger) that point www.automation.MYDOMAIN.com as well as automation.MYDOMAIN.com to the IP of my VPS on Hostinger. I verified that the DNS for both A records all point properly to hostinger and are resolved properly. Pinging works and all is good. I am not using directories because i am just connecting my n8n interface running on port 5678 to the outside. What i want is very simple and i thought i had achieved it but it's not working properly. I want all my none secure requests whether with or without WWW to be redirected to the secure version of that url so that is why i configured this block: <VirtualHost *:80> ServerName automation.MYDOMAIN.com ServerAlias www.automation.MYDOMAIN.com Redirec

I'm trying to start up a productionised Keycloak on Azure Container Apps. As far as I can tell, its starting up fine but being shut down because of health probes thinking it isn't healthy. Here are the logs for the application which show it starting then being terminated ... Connecting to stream... 2026-04-30T10:26:06.64790 Connecting to the container 's175d01-ca-keycloak'... 2026-04-30T10:26:06.70026 Successfully Connected to container: 's175d01-ca-keycloak' [Revision: 's175d01-ca-keycloak--0000004', Replica: 's175d01-ca-keycloak--0000004-d95459d4b-7wfph'] 2026-04-30T10:25:58.6577656Z stdout F 2026-04-30 10:25:58,636 INFO [org.infinispan.CONTAINER] (main) ISPN000974: Virtual threads support: enabled 2026-04-30T10:25:59.7978463Z stdout F 2026-04-30 10:25:59,797 INFO [org.hibernate.orm.jdbc.batch] (JPA Startup Thread) HHH100501: Automatic JDBC statement batching enabled (maximum batch size 32) 2026-04-30T10:25:59.8935145Z stdout F 2026-04-30 10:25:59,893 WARN [io.

Goal: To bypass China's Great Firewall. Use Hysteria for all UDP traffic to increase speed for streaming videos and games. Then use VLESS for everything else (TCP). I got VLESS + Reality set up and working with help mostly from Gemini AI: 3X-UI on Ubuntu 24 on a Hong Kong server with CN2 GIA (optimized connection) to China No firewalls or security groups on the server v2rayN on Windows 11 But I want to take it the next step and also add Hysteria 2, but it's hard to get the correct info from AI and unfortunately there is very little info on setup guides (there are some Chinese videos, but no auto-translation). So far what I got for Hysteria 2 Inbound on 3X-UI: Port 4443 (3X-UI won't let me use 443 since VLESS is using that) I clicked "Set Cert from Panel" to fill in the public/private keys Everything else blank or default like blank SNI, uTLS=chrome, ALPN=h3, etc.

I have a Palo Alto PA-VM in AWS set up for a "bump-in-the-wire" firewall for traffic in the same region but different VPC and different account with a Gateway Load-Balancer (GWLB) in between. The short version of this question: does a proper GWLB setup (same region, different accounts) for a "hairpin", "bump-on-the-wire", "north-south" traffic inspection require extra pieces (such as a TGW or other intermediary step) for packets to actually reach the firewall? Is there another technical limitation I'm overlooking? I tried this same setup in my test environment first (all in the same region using different VPCs, main difference was everything on the same account) and it worked fine. I'm cheap, so I swapped the PA-VM for a Linux EC2 at that time. The current setup will have traffic moving as follows: random internet client --> IGW (data vpc) --> VPCendpoint (data vpc, for GWLB) --> GWLB (fw vpc) -->

I am trying to update resource records on a primary DNS bind9 server from a client using nsupdate. There is no issue when using the default 53 port. An issue appears when using DoT (DNS over TLS) over the port 853. The primary DNS bind9 server configuration includes: # named.conf.options tls tls-configuration { cert-file "/path/to/full_chain_cert_file"; cipher-suites "list_of_cipher_suites"; key-file "/path/to/key_file"; prefer-server-ciphers yes; protocols { TLSv1.3; }; session-tickets no; }; options { ... listen-on port 853 tls tls-configuration { !172.16.0.0/12; any; }; listen-on-v6 port 853 tls tls-configuration { !fe80::/10; any; }; ... }; Verifying the DNS server certificate from the client: $ openssl s_client -conne

I’m troubleshooting a sudden and inconsistent failure of client certificate prompts across multiple Java web applications running in a test/development environment. These applications run on two Tomcat servers, versions 9 and 11 using JDK 17 and 25, respectively. The servers are configured to request a client certificate during the initial TLS handshake (not via post-handshake authentication). For months, browsers consistently prompted users to select their CAC card certificate and enter their PIN immediately upon navigating to the application. Then, without any changes to the servers or user configurations, the certificate-selection prompt stopped appearing — but only for some users and only in certain browsers. Here’s what makes the issue confusing: The failure is inconsistent across team members: One teammate still gets the prompt in all browsers. (This teammate is a contractor and is not in our same network but can access

I have an ASP.NET Core 10 MVC application, MyCompanyApp, registered in my company's tenant. The application must remain multi-tenant, because manufacturers from many different tenants will need to sign in directly with their own credentials. A manufacturer (who has already consented) can invite a distributor from an external tenant as a B2B guest user into their own manufacturer tenant. The manufacturer can then assign the distributor user the "Distributor" application role, which would allow them to access the application. I want things to work this way, because then manufacturers can be in charge of who gets to access the application. Distributors won't be able to just sign in and give themselves application roles, and manufacturers will fully be in charge. This way, I'll o