#TIL : Use NGINX as a TCP/UDP load balancer

NGINX is well known as a simple, solid web server, but not everyone knows that it can also act as a TCP/UDP load balancer, so you don't need to install HAProxy just to get one.

This feature is available in NGINX 1.9+. You configure it in a top-level stream block (alongside, not inside, the http block) like this:

stream {
    upstream backend1 {
        server s1.backend1.com:12345;
        server s2.backend1.com:12345;
    }
    server {
        listen 54321;
        proxy_pass backend1;
    }
    upstream backend2 {
        server s1.backend2.com:7777;
        server s2.backend2.com:7777;
        server s3.backend2.com:7777;
    }
    server {
        listen 8888 udp; # add the udp keyword if you want a UDP server
        proxy_pass backend2;
    }
}

To learn more, see the NGINX admin guide: https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/

#TIL : Set up wildcard .test domains for development on macOS

Tired of setting up a local domain every time you create a new virtual development host, e.g. pointing helloworld.test or unit.test to 127.0.0.1?

There is a better way: use dnsmasq and set up a wildcard domain for development. I use .test here because .dev is owned by Google and the major browsers force HTTPS on it.

Install dnsmasq

$ brew install dnsmasq

Add the .test wildcard to the config file

$ echo 'address=/.test/127.0.0.1' > $(brew --prefix)/etc/dnsmasq.conf

Set up dnsmasq as a startup service

$ sudo brew services start dnsmasq

Then add 127.0.0.1 (the dnsmasq address) as the first DNS resolver

System Preferences > Network > Wi-Fi > Advanced... > DNS > add 127.0.0.1 > move it to top of the list.

Check that everything works by listing all resolvers

$ scutil --dns

Try it out

$ nslookup -type=a something.test
$ ping helloworld.test

#TIL : Send a file over the network via netcat

If you're working on two machines on the same network and want to send a file from machine A to machine B, but you don't have a USB stick, a floppy disk :lol: or working Bluetooth, there is a simple way to send a file to another computer without setting up SSH or SMB (although those are safer: netcat sends the data unauthenticated and in the clear).

On machine A (IP address 192.168.1.2)

$ nc -l 0.0.0.0 6666 < data.txt # port 6666 is unprivileged, so no sudo is needed

On machine B

$ nc 192.168.1.2 6666 > here_the_data.txt

Have fun playing net😼 !! ;)

#TIL : List listening ports and UNIX sockets

On Linux, you can use netstat to list all listening ports and UNIX sockets (-n: numeric addresses, -p: owning process, -l: listening sockets only)

$ sudo netstat -npl

Tip to remember the command: network statistics - natural language processing

;)

#TIL : Disable IPv6 to stop getting stuck on the network

I know IPv6 is the future of networking, but right now it sucks :(

Some services fail when they try to connect to an IPv6 destination:

  • apt package manager
  • smtp
  • curl

So I decided to disable IPv6 on every production server.

$ echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
$ echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
$ echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p

I will re-enable it when everything works perfectly !

#TIL : Set up simple rate limiting on a given port using UFW

Allowing unmetered connections on the network is risky: an attacker can brute-force your service (or simply DoS it).

Linux has a capable firewall to handle this, iptables, but it is hard to remember all the rules and syntax. That's why UFW was born to save us. :D

You can manage your firewall with simple commands

$ ufw default deny incoming # deny all incoming traffic; run this before allowing any port
$ ufw default allow outgoing # allow all outgoing traffic
$ ufw allow 80 # allow port 80
$ ufw deny 53/udp # deny UDP traffic to port 53
$ ufw disable # disable the firewall
$ ufw enable # enable the firewall
$ ufw status # list all rules (ufw status numbered shows rule numbers)
$ ufw delete [num] # delete a rule by its number in the numbered status output
$ ufw reload # reload all rules
$ ufw limit ssh/tcp # finally, limit ssh (port 22/tcp): deny a connection if its source IP has attempted to initiate 6 or more connections in the last 30 seconds
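As an added example (not from the original post), here is a small Python replay of the rule `ufw limit` installs, run over a constructed log of new SSH connections: per source IP, a connection is denied once six or more attempts, the current one included, fall inside a 30-second window. It assumes this sliding window is an adequate model of the iptables `recent` match that ufw uses, and the timestamps and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 30  # ufw limit looks back 30 seconds ...
MAX_ATTEMPTS = 6     # ... and denies once 6 attempts fall inside that window

# Constructed sample log of new TCP connections to port 22: "<ISO timestamp> <source IP>".
SAMPLE_ATTEMPTS = """\
2024-05-01T10:00:00 203.0.113.7
2024-05-01T10:00:03 203.0.113.7
2024-05-01T10:00:05 198.51.100.4
2024-05-01T10:00:06 203.0.113.7
2024-05-01T10:00:09 203.0.113.7
2024-05-01T10:00:12 203.0.113.7
2024-05-01T10:00:15 203.0.113.7
2024-05-01T10:00:18 203.0.113.7
2024-05-01T10:00:40 203.0.113.7
"""


def apply_limit(log_text, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
    """Replay attempts in order; return a list of (timestamp, ip, "ALLOW"|"DENY").

    Assumption: this approximates the iptables 'recent' match behind ufw limit.
    Every new connection is recorded for its source whether or not it is accepted,
    and it is denied when max_attempts or more recorded attempts (itself included)
    lie within the last `window` seconds.
    """
    history = defaultdict(deque)  # source IP -> timestamps still inside the window
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip = line.split()
        ts = datetime.fromisoformat(ts_text)
        stamps = history[ip]
        stamps.append(ts)
        while (ts - stamps[0]).total_seconds() > window:  # expire old attempts
            stamps.popleft()
        decision = "DENY" if len(stamps) >= max_attempts else "ALLOW"
        decisions.append((ts_text, ip, decision))
    return decisions


def denied_sources(decisions):
    """Sorted source IPs that hit the limit at least once."""
    return sorted({ip for _, ip, decision in decisions if decision == "DENY"})
```

With the sample log, 203.0.113.7 is denied on its 6th and 7th attempts and allowed again at 10:00:40, once enough of its earlier attempts have aged out of the window.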

#TIL : Using netcat as a tiny TCP debugging tool

You can use netcat (nc) as a TCP debugging tool. It can act as a TCP sender or receiver for a short session (it exits automatically when the connection is closed).

Examples :

Scan ports (-z: connect without sending data, -v: report each result)

$ nc -zv 127.0.0.1 20-80

Check Redis status

$ echo 'info' | nc 127.0.0.1 6379

Retrieve an HTTP response

$ printf "GET /xinchao HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n" | nc 127.0.0.1 8000 | tee xinchao.txt # HTTP/1.1 requires a Host header; Connection: close makes the server end the session

To use IPv6 instead, add the -6 flag: nc -6

Want more?

$ nc -h