#TIL : Use NGINX as a TCP/UDP load balancer

NGINX is well known as a simple, solid web server, but not everyone knows that it can also act as a TCP/UDP load balancer. So you won’t need to install HAProxy just because you need a load balancer.

This feature is available in NGINX 1.9+. You can set it up with a stream block like this:

stream {
    upstream backend1 {
        server s1.backend1.com:12345;
        server s2.backend1.com:12345;
    }
    server {
        listen 54321;
        proxy_pass backend1;
    }
    upstream backend2 {
        server s1.backend2.com:7777;
        server s2.backend2.com:7777;
        server s3.backend2.com:7777;
    }
    server {
        listen 8888 udp; # add udp keyword if you want UDP server
        proxy_pass backend2;
    }
}

To learn more, click here : https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/
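A stream listener is a raw TCP or UDP port, and a `listen` directive that names only a port binds on every interface, so it is worth knowing exactly what a config like the one above exposes. The script below is an added example (not code from the post or from NGINX) that parses the upstream and server blocks of a stream section and reports each listener's port, protocol, bind address and backends. The sample input is the config from the post; the parser is deliberately minimal (one directive per line, no `include`) and the function names are my own.

```python
import re

# The stream block from the post, embedded here as the sample input.
SAMPLE_CONF = """\
stream {
    upstream backend1 {
        server s1.backend1.com:12345;
        server s2.backend1.com:12345;
    }
    server {
        listen 54321;
        proxy_pass backend1;
    }
    upstream backend2 {
        server s1.backend2.com:7777;
        server s2.backend2.com:7777;
        server s3.backend2.com:7777;
    }
    server {
        listen 8888 udp;  # add udp keyword if you want UDP server
        proxy_pass backend2;
    }
}
"""

UPSTREAM_OPEN = re.compile(r"^upstream\s+(\S+)\s*\{$")
SERVER_OPEN = re.compile(r"^server\s*\{$")
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]"}


def parse_stream(conf):
    """Parse the upstream and server blocks of a stream{} section.

    Minimal by design: one directive per line, no include, no nesting
    beyond upstream/server. Returns (upstreams, servers): upstreams maps a
    name to its backend list; each server is a dict with the listen value,
    protocol and proxy_pass target."""
    upstreams, servers = {}, []
    block = None  # ("upstream", name) or ("server", dict) while inside one
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = UPSTREAM_OPEN.match(line)
        if m:
            block = ("upstream", m.group(1))
            upstreams[m.group(1)] = []
            continue
        if SERVER_OPEN.match(line):
            block = ("server", {"listen": None, "proto": "tcp", "proxy_pass": None})
            servers.append(block[1])
            continue
        if line == "}":
            block = None
            continue
        if block is None:
            continue  # e.g. the enclosing "stream {" line
        words = line.rstrip(";").split()
        if block[0] == "upstream" and words[0] == "server":
            upstreams[block[1]].append(words[1])
        elif block[0] == "server" and words[0] == "listen":
            block[1]["listen"] = words[1]
            block[1]["proto"] = "udp" if "udp" in words[2:] else "tcp"
        elif block[0] == "server" and words[0] == "proxy_pass":
            block[1]["proxy_pass"] = words[1]
    return upstreams, servers


def audit_listeners(conf):
    """One row per listener: port, protocol, bind address, backends, and
    whether it is bound on every interface (nginx's default when the
    listen directive names only a port)."""
    upstreams, servers = parse_stream(conf)
    rows = []
    for s in servers:
        addr, _, port = s["listen"].rpartition(":")
        addr = addr or "0.0.0.0"  # port-only listen => all interfaces
        target = s["proxy_pass"]
        rows.append({
            "port": int(port),
            "proto": s["proto"],
            "bind": addr,
            "all_interfaces": addr in WILDCARD_BINDS,
            "backends": upstreams.get(target, [target]),  # direct target if no upstream
        })
    return rows


if __name__ == "__main__":
    for row in audit_listeners(SAMPLE_CONF):
        flag = "ALL-INTERFACES" if row["all_interfaces"] else "bound " + row["bind"]
        print(f"{row['proto']}/{row['port']} {flag} -> {', '.join(row['backends'])}")
```

Run against the post's config it reports both listeners as bound on all interfaces; a `listen 127.0.0.1:9000;` line would be reported as loopback-only, which is the setting to prefer for a listener that only local processes should reach.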

#TIL : Set up wildcard .test domains for development on macOS

Tired of editing your hosts file every time you create a new local development domain (e.g. helloworld.test or unit.test pointing to 127.0.0.1)?

There is a better way: run dnsmasq and set up a wildcard domain for development. I use .test here because .dev is owned by Google and the major browsers force HTTPS for it (the whole TLD is HSTS-preloaded).

Install dnsmasq

$ brew install dnsmasq

Add the .test wildcard to the config file

$ echo 'address=/.test/127.0.0.1' > $(brew --prefix)/etc/dnsmasq.conf

Set dnsmasq up as a startup service

$ sudo brew services start dnsmasq

Then add 127.0.0.1 (the address dnsmasq listens on) as the first DNS resolver

System Preferences > Network > Wi-Fi > Advanced... > DNS > add 127.0.0.1 > move it to the top of the list.

Check that everything works by listing all resolvers

$ scutil --dns

Try it out

$ nslookup -type=a something.test
$ ping helloworld.test

#TIL : List open ports and listening UNIX sockets

On Linux, you can use netstat to list all listening ports and UNIX sockets

$ sudo netstat -npl
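The useful follow-up question is which of those listeners are reachable from the network at all. The script below is an added example (not from the post) that parses `netstat -npl` output and separates sockets bound on every interface (0.0.0.0, ::) from loopback-only ones and from UNIX sockets. The sample output is constructed, not captured from a real host, and the function names are my own.

```python
import re

# Constructed sample of `sudo netstat -npl` output (not from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      651/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      903/nginx: master
udp        0      0 0.0.0.0:53              0.0.0.0:*                           540/dnsmasq
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     14322    812/mysqld           /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     12001    1/systemd            /run/systemd/private
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}
# unix lines: "unix <refcnt> [ flags ] <type> <state> <inode> <pid/prog> <path>"
UNIX_RE = re.compile(
    r"^unix\s+\d+\s+\[[^\]]*\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s+(\S+)$")


def parse_netstat(text):
    """Parse `netstat -npl` output into a list of dicts, one per socket."""
    sockets = []
    for line in text.splitlines():
        if line.startswith(("tcp", "udp")):
            # tcp lines carry a State column, udp lines do not; the program
            # name may contain spaces, so cap the number of splits.
            parts = line.split(None, 6 if line.startswith("tcp") else 5)
            proto, local, program = parts[0], parts[3], parts[-1]
            addr, _, port = local.rpartition(":")  # handles ":::80" too
            sockets.append({"kind": "inet", "proto": proto, "addr": addr,
                            "port": int(port), "program": program})
        elif line.startswith("unix"):
            m = UNIX_RE.match(line)
            if m:
                sockets.append({"kind": "unix", "type": m.group(1),
                                "program": m.group(4), "path": m.group(5)})
    return sockets


def exposed_ports(sockets):
    """Sockets bound on every interface: the ones reachable over the network."""
    return [(s["port"], s["proto"], s["program"]) for s in sockets
            if s["kind"] == "inet" and s["addr"] in WILDCARD_ADDRS]


def loopback_only(sockets):
    """Sockets bound to a specific (here loopback) address."""
    return [(s["port"], s["proto"]) for s in sockets
            if s["kind"] == "inet" and s["addr"] not in WILDCARD_ADDRS]


def unix_listeners(sockets):
    """Listening UNIX sockets with their owning process."""
    return [(s["path"], s["program"]) for s in sockets if s["kind"] == "unix"]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for port, proto, prog in exposed_ports(socks):
        print(f"EXPOSED {proto}/{port} {prog}")
    for port, proto in loopback_only(socks):
        print(f"local   {proto}/{port}")
    for path, prog in unix_listeners(socks):
        print(f"unix    {path} {prog}")
```

Feed it real output with `sudo netstat -npl | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; the exposed list is the one to compare against what your firewall is supposed to allow.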

Tip to remember the command: network statistics - natural language processing

;)

#TIL : Set up simple rate limiting on a specified port using UFW

Allowing unmetered connections to a service is risky: an attacker can brute-force your service (or simply DoS it).

Linux has a capable firewall for handling this, iptables, but it’s complicated to remember all the rules and syntax. That’s why UFW was born to save us. :D

You can manage your firewall with simple commands (on a remote host, add your SSH rule before `ufw enable`, or the default deny will lock you out):

$ ufw default deny incoming # deny all incoming traffic by default; run this before allowing any port
$ ufw default allow outgoing # allow all outgoing traffic
$ ufw allow 80 # allow port 80
$ ufw deny 53/udp # deny UDP traffic to port 53
$ ufw disable # disable firewall
$ ufw enable # enable firewall
$ ufw status # check all the rules
$ ufw delete [num] # delete a rule by its number in the status output
$ ufw reload # reload all rules
$ ufw limit ssh/tcp # finally, limit ssh (port 22 tcp): deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds
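To make the `ufw limit` rule concrete, here is an added example (mine, not ufw's code) that models the documented behaviour as a per-source sliding window: a new connection is denied once the address has made 6 or more attempts within 30 seconds. It is a model for reasoning about the rule, not the kernel's xt_recent implementation, whose exact counting at the boundary may differ by one; the trace it replays is constructed and the class and function names are assumptions of mine.

```python
from collections import defaultdict, deque

# Parameters of the documented `ufw limit` rule.
WINDOW_SECONDS = 30
HITCOUNT = 6


class ConnectionLimiter:
    """Per-source-IP sliding window modelled on the documented `ufw limit`
    rule: a new connection is denied when the source address has made
    HITCOUNT or more attempts (this one included) within WINDOW_SECONDS.

    Model only (not the kernel's xt_recent module). Denied attempts are
    still recorded, so an address that keeps hammering stays blocked until
    it backs off for the whole window. Only new connections are counted,
    which matches ufw applying the rule to conntrack state NEW."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.history = defaultdict(deque)  # ip -> timestamps of recent attempts

    def attempt(self, ip, now):
        """Record a new-connection attempt at time `now` (seconds) and return
        True if it is allowed, False if the rule would drop it."""
        stamps = self.history[ip]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()  # forget attempts older than the window
        stamps.append(now)
        return len(stamps) < self.hitcount


def replay(attempts, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Run (time, ip) attempts through a fresh limiter, in time order, and
    return (time, ip, allowed) triples."""
    limiter = ConnectionLimiter(window, hitcount)
    return [(t, ip, limiter.attempt(ip, t)) for t, ip in sorted(attempts)]


# Constructed trace: one address hammering port 22 every second, then
# returning after a pause; one legitimate client connecting twice.
SAMPLE_ATTEMPTS = (
    [(t, "203.0.113.7") for t in (0, 1, 2, 3, 4, 5, 6, 40)]
    + [(2, "198.51.100.9"), (50, "198.51.100.9")]
)

if __name__ == "__main__":
    for t, ip, allowed in replay(SAMPLE_ATTEMPTS):
        print(f"t={t:3d} {ip:15s} {'allow' if allowed else 'DROP'}")
```

In the replay the hammering address is allowed five times, dropped on its 6th and 7th attempt, and allowed again at t=40 once its earlier attempts have aged out; the legitimate client is never touched, which is the property that makes `limit` safe to put on an SSH port.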

#TIL : How SMTP works

When an email is sent through SMTP (with authentication), every SMTP server along the way is a hop in the mail route: it either delivers the message to a local mailbox or forwards it to the next hop, which it finds through the destination domain's DNS MX records (the record with the lowest preference value is tried first).

The standard SMTP port is 25 (unencrypted, but the session can be upgraded to TLS with the STARTTLS command).

$ nslookup -type=mx gmail.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.

Authoritative answers can be found from:

So the preferred mail exchanger for gmail.com (preference 5, the lowest) is gmail-smtp-in.l.google.com

$ telnet gmail-smtp-in.l.google.com 25
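The two steps above, choosing the next hop from the MX records and talking to it on port 25, as an added example (not code from the post). It parses the nslookup output shown above into delivery order (lowest preference first, which is what the "shortest" hop means), and includes a STARTTLS probe built on Python's `smtplib` that reports whether a mail exchanger advertises encryption; the probe makes a network connection and is not run by default. The function names are my own.

```python
import re
import smtplib
import ssl

# Copy of the nslookup output from the post, used as sample input.
NSLOOKUP_OUTPUT = """\
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
"""

# "<domain> mail exchanger = <preference> <host>." (trailing dot optional)
MX_RE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+?)\.?$", re.M)


def parse_mx(text):
    """Return [(preference, host)] from nslookup MX output, sorted the way a
    sending MTA tries them: lowest preference first. Hosts with the same
    preference keep their input order here; a real MTA picks among them
    at random for load sharing."""
    records = [(int(pref), host) for _, pref, host in MX_RE.findall(text)]
    return sorted(records, key=lambda r: r[0])


def delivery_order(text):
    """Just the hostnames, in the order delivery will be attempted."""
    return [host for _, host in parse_mx(text)]


def starttls_offered(host, port=25, timeout=10):
    """Connect to a mail exchanger, send EHLO and report whether STARTTLS is
    advertised, upgrading the session when it is. Network call; not run
    by default."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-identify over the now-encrypted channel
        return True


if __name__ == "__main__":
    for pref, host in parse_mx(NSLOOKUP_OUTPUT):
        print(f"{pref:3d} {host}")
    # To check the preferred hop for STARTTLS support, uncomment:
    # print(starttls_offered(delivery_order(NSLOOKUP_OUTPUT)[0]))
```

The ordering is the whole routing decision: the sender connects to the preference-5 host first and falls through to alt1, alt2, ... only if that fails. The STARTTLS probe is the check to run on your own MX, since a hop that does not advertise it will receive mail in the clear.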

#TIL : TCP FIN timeout

The TCP FIN timeout controls how long a closing connection is held in its final wait state before its port can be reused for another connection. The default is often 60 seconds, but it can normally be safely reduced to 30 or even 15 seconds:

net.ipv4.tcp_fin_timeout = 15

Ref : https://www.linode.com/docs/web-servers/nginx/configure-nginx-for-optimized-performance