Month: March 2018

  • HTTPS on UniFi Cloud Key, with Remote Access Support, the Easy Way

    You can try this method if your setup meets the following requirements:

    Requirements

    • A public IP to the internet (to access Unifi Security Gateway remotely)
    • A server running Nginx on public internet
    • A CA issued certificate

    Set port forwarding for your Cloud Key

    In general, you can reach your UniFi Security Gateway (USG) via your public IP (USG_IP), so in my method you need to forward your UCK management dashboard traffic (UCK_IP:8443 by default) to your public IP. This is under Settings – Routing & Firewall – Port Forwarding. Enter your Cloud Key IP address as Forward IP, and use the default 8443 as both Port and Forward Port. You can also restrict the From field to your Nginx server's IP, which is the security best practice here: without it, the controller's login page is reachable from the entire internet, not only through your proxy.

    Setup Nginx proxy

    Use the following Nginx configuration (note that this is a simplified version).

    server {
      listen                  80;
      listen                  [::]:80;
    
      server_name             unifi.example.com;
    
      return                  301 https://$server_name$request_uri;
    }
    
    server {
      listen                  443       ssl http2;
      listen                  [::]:443  ssl http2;
    
      # To avoid unreachable port error when launching dashboard from unifi.ubnt.com
      listen                  8443       ssl http2;
      listen                  [::]:8443  ssl http2;
    
      server_name             unifi.example.com;
    
      # Certificate
      ssl_certificate         /etc/nginx/ssl/unifi.example.com.crt;
      ssl_certificate_key     /etc/nginx/ssl/unifi.example.com.key;
    
      location /wss {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_pass https://USG_IP:8443;
      }
    
      location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_pass https://USG_IP:8443;
      }
    }
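
    As an added example (not from the original post), here is a small Python checker for the reverse-proxy pattern above. It parses an Nginx config and flags the three things worth verifying in this setup: that port 80 redirects to HTTPS, that /wss carries the WebSocket Upgrade headers, and that Nginx actually verifies the Cloud Key's certificate, which it does not do by default (proxy_ssl_verify is off). The embedded WEAK config is a condensed copy of the one above; HARDENED adds proxy_ssl_verify with a placeholder certificate path.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')   # quoted string, punctuation, bare word

def parse(text):
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", text))   # strip comments first
    pos = 0
    def block():
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                break
            if tok in ";{":   # ';' ends a directive, '{' opens a nested block
                name, args, words = words[0], words[1:], []
                items.append((name, args, block() if tok == "{" else []))
            else:
                words.append(tok)
        return items
    return block()

def find(items, name):
    return [(args, kids) for n, args, kids in items if n == name]

def audit(text):
    """Findings for the Cloud Key reverse-proxy pattern; an empty list means clean."""
    findings = []
    for _, srv in find(parse(text), "server"):
        ports = {a[0].rsplit(":", 1)[-1] for a, _ in find(srv, "listen")}
        if "80" in ports and not any(a[:1] == ["301"] for a, _ in find(srv, "return")):
            findings.append("port 80 server does not redirect to HTTPS")
        for largs, loc in find(srv, "location"):
            path, headers = largs[-1], {a[0] for a, _ in find(loc, "proxy_set_header")}
            if path == "/wss" and not {"Upgrade", "Connection"} <= headers:
                findings.append("/wss: WebSocket Upgrade/Connection headers missing")
            # nginx does not verify the upstream certificate unless told to
            if find(loc, "proxy_pass") and find(loc, "proxy_ssl_verify") != [(["on"], [])]:
                findings.append(f"{path}: Cloud Key certificate not verified by Nginx")
    return findings
# Constructed, condensed form of the post's config: upstream TLS is not verified.
WEAK = """
server { listen 80; listen [::]:80; return 301 https://$server_name$request_uri; }
server { listen 443 ssl http2; listen 8443 ssl http2; server_name unifi.example.com;
  location /wss { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade"; proxy_pass https://USG_IP:8443; }
  location / { proxy_set_header Host $http_host; proxy_pass https://USG_IP:8443; }
}"""
# Hardened: pin the Cloud Key's own certificate (placeholder path) and verify it.
HARDENED = WEAK.replace("proxy_pass", "proxy_ssl_verify on; "
                        "proxy_ssl_trusted_certificate /etc/nginx/ssl/cloudkey.crt; proxy_pass")
```

    The trusted certificate file would be the Cloud Key's own (self-signed by default) certificate, exported from the device.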
    

    Update DNS records

    Point unifi.example.com to your public IP. Open it in your browser and everything should now work!

    References

  • UniFi – Cloud Key Emergency Recovery UI – Ubiquiti Networks Support and Help Center

    This article describes how to access the emergency recovery UI and recover a Cloud Key. From this UI you can reset it to factory defaults, reboot, shutoff and upgrade the firmware. To upgrade the firmware you will need a firmware binary for the UniFi Cloud Key.

    Source: UniFi – Cloud Key Emergency Recovery UI – Ubiquiti Networks Support and Help Center

  • S/MIME for Apple Mail, The Right Way (DigiCert Version)

    Install it on macOS:

    • Download cert bundle (.p7b) or individual certs (zipped) from DigiCert
    • Double click to install them on macOS Keychain Access

    Install it on iOS:

    • Open Keychain Access, select category My Certificates
    • Right click and choose Export, and select the .p12 format (make sure to export your cert as .p12: this format includes the private key, which iOS needs for encrypted email; protect the file with a strong password when prompted)
    • Email it to yourself together with the individual certs (root CAs from DigiCert) and install them on iOS
    • Select this cert under the email account's settings

  • How can I get the size of an Amazon S3 bucket? – Server Fault

    The AWS CLI now supports the --query parameter, which takes a JMESPath expression.

    This means you can sum the size values given by list-objects using sum(Contents[].Size) and count like length(Contents[]).

    This can be run using the official AWS CLI as below and was introduced in Feb 2014.

    aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"
    

    Source: How can I get the size of an Amazon S3 bucket? – Server Fault

  • Remove Aliyun Aegis (`aliyundun`) and `aliyun-service`

    cd /tmp/
    wget http://update.aegis.aliyun.com/download/uninstall.sh
    chmod +x uninstall.sh
    ./uninstall.sh
    
    wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
    chmod +x quartz_uninstall.sh
    ./quartz_uninstall.sh
    

    Remove leftovers

    pkill aliyun-service
    systemctl disable aliyun
    rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis
    rm /usr/sbin/aliyun-service
    rm /usr/sbin/aliyun-service.backup
    rm /usr/sbin/aliyun_installer
    rm /etc/systemd/system/aliyun.service
    rm /lib/systemd/system/aliyun.service

    Block aliyundun IPs (IP list as updated by Aliyun). Note that the iptables rules below are lost on reboot unless you save them, and the firewall-cmd rules are added with --permanent, so they only take effect after firewall-cmd --reload.

    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    iptables -I INPUT -s 106.11.224.0/26 -j DROP
    iptables -I INPUT -s 106.11.224.64/26 -j DROP
    iptables -I INPUT -s 106.11.224.128/26 -j DROP
    iptables -I INPUT -s 106.11.224.192/26 -j DROP
    iptables -I INPUT -s 106.11.222.64/26 -j DROP
    iptables -I INPUT -s 106.11.222.128/26 -j DROP
    iptables -I INPUT -s 106.11.222.192/26 -j DROP
    iptables -I INPUT -s 106.11.223.0/26 -j DROP
    
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.201.0/28' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.201.16/29' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.201.32/28' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.192/29' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.200/30' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.184/29' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.183/32' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.206/32' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.205/32' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.195/32' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='140.205.225.204/32' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.224.0/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.224.64/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.224.128/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.224.192/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.222.64/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.222.128/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.222.192/26' reject"
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='106.11.223.0/26' reject"