Common Server issues – FAQs and answers from those in the know
HTTP & HTTPS Apache redirect to internal IP Home Assistant Virtual Machine
22 January 2026 @ 1:27 am
I'm running Debian 13 (stable) on an AMD64 system.
I'm using wildcard Let's Encrypt certificates on my server for some services I'm running on it (e.g. nextcloud). This part works. However, I also have a Home Assistant VM running on it. Currently I'm using my router to redirect a specific port to that VM's IP address but this only works for http and not https.
I can't get a certificate from Let's Encrypt certbot because it wants port 80 to go to the host. I could, I suppose, temporarily redirect all port 80 traffic to the VM to get the certificate then continue to use the specific port to access the VM. However, that's clumsy and also probably means I have to keep doing it every time I want to renew the certificate.
I found an answer to a similar problem HTTP & HTTPS Apache redirect to internal IP Virtual Machine but it's 10 years old. While it looks lik
Windows to Apache SSO Kerberos
21 January 2026 @ 6:59 pm
I have the following scenario:
User logs onto a Windows machine, gets authenticated against AD, opens a browser and hits Apache HTTP on RHEL8 server.
What I’m supposed to do is validate this user using Kerberos (I’ve created a keytab for this already) and if all good - I need to rewrite the user id into a Request header for the downstream TomEE server to pick it up (via Proxy). I’ve installed mod_auth_gssapi and mod_session.
The way I understand it is I configure GSSAPI directives under a Location (my app server’s context root?)
What I’m having trouble with is figuring out how to grab the AD UserID that’s coming in from the browser and write it back to the Header.
Appreciate any help!
NetworkPolicy blocking traffic due to SNAT when using F5 LoadBalancer with NodePort (externalTrafficPolicy: Cluster)
21 January 2026 @ 12:37 pm
I am facing a networking issue in my Kubernetes cluster involving an external F5 Load Balancer, NodePort services, and Network Policies. Here is my current setup:
The Infrastructure:
Ingress: External F5 Load Balancer distributes traffic to all worker nodes via NodePort.
Service Configuration: The services are running with externalTrafficPolicy: Cluster (default).
Network Policy (NetPol): I have a deny-all default policy with an allow-list for specific Client IPs (via F5) and the internal Pod CIDR (10.x.0.0/16).
The Problem: Since the service uses externalTrafficPolicy: Cluster, when F5 sends a request to a Node that does not host the target Pod, Kubernetes forwards the traffic to the correct Node. During this process, Kubernetes applies SNAT, changing the Source IP to the Node's internal IP.
Consequently
Drag and drop on Python script does not work, works on bat file
21 January 2026 @ 9:54 am
Trying to drag and drop onto a Python script does not work. Dragging over it does not show anything and ('consequently') dropping is not working.
Dropping a file on a bat file works. Also dragging over it shows 'Open with script.bat', and when dropped it passes file name to the script, which means it works as one would intend.
argv2.py:
#! python
import sys
print(sys.argv)
sys.stdin.read(1)
argv2.py.bat:
C:\dev\python\python.exe argv2.py %*
Windows fixes such as sfc /scannow didn't work.
I tried to mimic this behaviour by adding all relevant entries to registry exactly like in bat section but it
Apache mod_authnz_ldap allows access to SVN repo even Require ldap-user is set
21 January 2026 @ 6:56 am
I have an Apache serving a SVN.
I want to limit access to SVN using LDAP (indeed I want to limit it to a LDAP group, but it is the same issue with LDAP user. For simplification I used ldap-user here).
I configured the Apache in a conf file in conf-enabled dir.
Here is my configuration
LDAPCacheEntries 0
LDAPCacheTTL 0
LDAPOpCacheEntries 0
LDAPOpCacheTTL 0
<Location /repository>
DAV svn
SVNPath "/svn/repository"
SVNAutoversioning on
AuthType Basic
AuthName "Subversion repository"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPURL "ldaps://...(objectclass=user)"
AuthLDAPBindDN "CN=..."
AuthLDAPBindPassword "mypassword"
AuthLDAPGroupAttribute memberOf
AuthLDAPGroupAttributeIsDN on
<RequireAll>
Require ldap-user "Alice&
Azure site-to-site VPN and RDP issues
21 January 2026 @ 12:53 am
I have a site-to-site VPN created and connected, I have a local network gateway configured with my datacentre public IP along with the required local subnets at that datacentre listed. All public access is disabled on the vnet (Private subnet), but this is not set on the gateway subnet.
Currently have a single vnet that is a 10.100.0.0/16.
There are two subnets in that, one is the gateway subnet for the VPN gateway 10.100.0.0/26 and a vm subnet 10.100.1.0/24.
From our datacentre I can see the tunnel is established, routes locally are working (packets forwarded to VPN tunnel and correct zones identified), traffic appears in the logs but there is no reply, or sometimes works for a moment and then stops again shortly after.
For testing in the network security group I've permitted any local datacentre IP 10.50.0.0/16, to any port, for any protocol in my Azure address space 10.100.0.0/16.
I've created a route table and added the datacentre subnet of 10.50.0.0/1
HTTPS+TLS Hawser to Dockerhand connections fail
20 January 2026 @ 5:26 pm
The Hawser I'm using is NOT the git Hawser. That's a different project altogether.
The Dockerhand docs state I should be able to connect my Hawser host to my existing Dockerhand host as a "standard mode" environment using HTTPS+TLS.
I generated a certificate and key file on the Hawser system and left them in /etc/hawser on the Hawser host. According to the official docs and counterintuitively, Hawser acts as a server in that it listens for incoming connections and Dockerhand acts as the client. I copy+pasted the server.crt from the Hawser host into the CA Certificate (self-signed) field and clicked save.
Here's how I ran Hawser:
docker run -d \
--name hawser \
-v /var/run/docker.sock:/var/run/docker.sock \
-v hawser_stacks:/data/stacks \
-v /etc/hawser:/certs:ro \
-p 2376:2376 \
-e TLS_CERT=/certs/server.crt \
-e TLS_KEY=/certs/server.key \
-e TOKEN=4cee0df54g46efae8fc02cef6715d78d50837e6253400vddb38fe67e64d593e2 \
ghcr
Email server - deferred email
20 January 2026 @ 3:24 pm
I have a postfix mail server and one customer does not receive my emails.
A test at https://mxtoolbox.com/ shows me no errors. Everything green and OK.
Looking at my logs, I see a lot of entries like the following.
2026-01-20T15:47:16.213158+01:00 mx postfix/smtp[95123]: 248081FD2CF: [email protected], relay=mx2.europeanmx.eu[149.13.75.27]:25, delay=261698, delays=261695/0.04/2.4/0.46, dsn=4.0.0, status=deferred (host mx2.europeanmx.eu[149.13.75.27] said: 451-95.179.160.246 is not yet authorized to deliver mail from 451 <[email protected] to [email protected]. Please try later. (in reply to RCPT TO command))
The customer has Microsoft 365 products. I receive E-Mails from the customer, but replies or new e-mails to the customers are deferred.
What can I do? Thanks for any hint concerning this topic.
postfix how to debug failing to start fatal error - where is the cause logged?
20 January 2026 @ 2:22 pm
Postfix version 3.5.25
Postfix had had a header_check added to main.cf.
Postfix was stopped with # postfix stop. Restarting then failed to start:
[root@server ~]# sudo postfix start
postfix/postfix-script: starting the Postfix mail system
postfix/postfix-script: fatal: mail system startup failed
But there is no feedback what the fatal error actually is. Postfix status says:
[root@server ~]# sudo service postfix status
Redirecting to /bin/systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/postfix.service.d
└─respawn.conf, rw-usr-dir.conf
Active: activating (auto-restart) (Result: exit-code) since Tue 2026-01-20 14:00:51 UTC; 4s ago
Process: 877074 ExecStart
I can't secure a URL using NGINX SPNEGO module
20 January 2026 @ 12:54 pm
I would like to use the NGINX SPNEGO module to enable Kerberos authentication. For that, I compile the SPNEGO module using SPNEGO's git repository and NGINX version 1.28.1 in a builder docker image, and transfer the ngx_http_auth_spnego_module.so file from the builder's objs/ folder to /usr/lib/nginx/modules/.
The compilation works because the file ngx_http_auth_spnego_module.so is created. And it looks like the integration of the module is working because if I omit the --with-compat flag, I get a compatibility error.
I have this nginx default.conf file.
server {
listen 80;
server_name localhost;
root /usr/share/nginx/html;
index index.html;
# Location that requires Kerberos authentication
location /secure {
auth_gss on;
auth_gss_keytab /etc/nginx/nginx.keytab;
auth_gss_realm EXAMPLE.COM;