Certificate order in Haproxy PEM file

For SSL in Haproxy you need to create PEM-file and put cert plus private key. But in right order

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Java8 in Debian

For starting we need install add-apt-repository

apt-get install software-properties-common python-software-properties

Then install java8

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

To automatically set up the Java 8 environment variables:

sudo apt-get install oracle-java8-set-default

or

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

avconv: simple video converter in Linux

If you want convert video from big size to smartphone size use this Libav tool
Ubuntu:

apt-get install libav-tools

or Gentoo

USE="mp3 speex threads v4l jpeg2k aac amr cpudetection faac opus vdpau x264 webp  x265 xvid " CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 sse4_1"  emerge -av libav

and command for convert

avconv -i original_video.mkv -b:v 600k -s 576x432 -strict experimental small_size.mp4

Path MTU Discovery Black Hole

Эта проблема совсем не нова. Она описана в RFC 2923 в 2000 году. Но тем не менее, продолжает встречаться с завидным упорством у многих провайдеров. А ведь именно провайдер виноват в данной ситуации: не нужно блокировать ICMP тип 3 код 4. Причем слушаться «голоса разума» ( т. е. клиентов, понимающих в чем проблема) они обычно не хотят.

Решение проблемы с PMTU

Не будем звонить в техподдержку, а попробуем решить проблему, исходя из собственных средств.
Разработчики Linux, тоже знающие о ней, предусмотрели специальную опцию в iptables. Цитата из man iptables:

TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface’s MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, it can only be used in conjunction with -p tcp. It is only valid in the mangle table. This target is used to overcome criminally braindead ISPs or servers which block «ICMP Fragmentation Needed» or «ICMPv6 Packet Too Big» packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall configuration like:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Читать далее Path MTU Discovery Black Hole

Bind9: balancing by client ip (even/odd)

For some reason i need balancing client’s 50/50 for 2 datacenter’s
But, if client send GET request to datacenter1 (DC1) all following request need redirect to the same DC1. Only if DC1 is down — send to DC2
Simplest way — is share client’s by their ip (odd/even)
So we need two Bind9 services on one server.
First Bind9 will be answered that www.example.org is in DC1, second — in DC2
For example first named.conf:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
....

Zone:
Читать далее Bind9: balancing by client ip (even/odd)