Based on fluentd docs, it's possible to authenticate clients. How could the resulting authenticated identity be used in controlling logging behavior. Some goals I'm trying to achieve are:
Filtering log records so that user1 can only send records with tags user1.**
Inject user's username into log records
How about following?
<source>
#type dummy
tag dummy
#label #INPUT
</source>
<label #INPUT>
<filter>
#type record_transformer
<record>
username user1
</record>
</filter>
<match>
#type rewrite_tag_filter
<rule>
key username
pattern /^(.*)/
tag $1.${tag}
</rule>
#label #OUTPUT
</match>
</label>
<label #OUTPUT>
<match>
#type forward
<security>
self_hostname output.testing.local
shared_key secure_communication_is_awesome
</security>
<server>
host 127.0.0.1
port 24224
username user1
password yes_this_is_user1
</server>
</match>
</label>
Related
I'm trying to get a docker image to run our on-premise Service Fabric cluster.
We've setup a service fabric cluster on our on-premise network, which seems to run fine (it already runs 2 docker images). I'm looking for one of my containers to run under a domain user (Service Account), so I can reach SMB shares in my network (which have been granted permission to the service account).
I'm getting the following error:
Error event: SourceId='System.Hosting', Property='Activation:1.0'.
There was an error during activation.Failed to setup ApplicationPrincipals. Error:ApplicationPrincipalAbortableError
Also shown as image:
The container I'm trying to run: https://hub.docker.com/r/stefanscherer/registry-windows/
ApplicationManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest ApplicationTypeName="[REMOVED].ServiceFabric.WindowsContainerRegistryType"
ApplicationTypeVersion="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Parameters>
<Parameter Name="WindowsContainerRegistry_InstanceCount" DefaultValue="-1" />
</Parameters>
<!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion
should match the Name and Version attributes of the ServiceManifest element defined in the
ServiceManifest.xml file. -->
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="WindowsContainerRegistryPkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<ContainerHostPolicies CodePackageRef="Code">
<!-- See https://aka.ms/I7z0p9 for how to encrypt your repository password -->
<RepositoryCredentials AccountName="" Password="" PasswordEncrypted="false" />
<PortBinding ContainerPort="5000" EndpointRef="WindowsContainerRegistryTypeEndpoint" />
<Volume Source="\\[REMOVED]\ServiceFabricShare" Destination="C:\registry" IsReadOnly="false"></Volume>
</ContainerHostPolicies>
</Policies>
</ServiceManifestImport>
<DefaultServices>
<!-- The section below creates instances of service types, when an instance of this
application type is created. You can also create one or more instances of service type using the
ServiceFabric PowerShell module.
The attribute ServiceTypeName below must match the name defined in the imported ServiceManifest.xml file. -->
<Service Name="WindowsContainerRegistry" ServicePackageActivationMode="ExclusiveProcess">
<StatelessService ServiceTypeName="WindowsContainerRegistryType" InstanceCount="[WindowsContainerRegistry_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="ServiceFabricAppl" AccountType="DomainUser" AccountName="[REMOVED]\appl_ServiceFabric" Password="[REMOVED]" PasswordEncrypted="false" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="ServiceFabricAppl" />
</Policies>
</ApplicationManifest>
P. S. I'm working with an unencrypted password just for testing purposes to make sure this isn't the problem right now.
ServiceManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="WindowsContainerRegistryPkg"
Version="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ServiceTypes>
<!-- This is the name of your ServiceType.
The UseImplicitHost attribute indicates this is a guest service. -->
<StatelessServiceType ServiceTypeName="WindowsContainerRegistryType" UseImplicitHost="true">
<Extensions>
<Extension Name="Traefik">
<Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
<Label Key="traefik.frontend.rule">Host:registry.windows.containers.[REMOVED].com</Label>
<Label Key="traefik.enable">true</Label>
<Label Key="traefik.frontend.passHostHeader">true</Label>
<!--<Label Key="traefik.port">5000</Label>
<Label Key="traefik.protocol">http</Label>
<Label Key="traefik.frontend.entryPoints">http,https</Label>
<Label Key="traefik.frontend.headers.referrerPolicy">no-referrer</Label>-->
</Labels>
</Extension>
</Extensions>
</StatelessServiceType>
</ServiceTypes>
<!-- Code package is your service executable. -->
<CodePackage Name="Code" Version="1.0.0">
<EntryPoint>
<!-- Follow this link for more information about deploying Windows containers to Service Fabric: https://aka.ms/sfguestcontainers -->
<ContainerHost>
<ImageName>stefanscherer/registry-windows:2.6.2-2016</ImageName>
</ContainerHost>
</EntryPoint>
<!-- Pass environment variables to your container: -->
<!--
<EnvironmentVariables>
<EnvironmentVariable Name="VariableName" Value="VariableValue"/>
</EnvironmentVariables>
-->
</CodePackage>
<!-- Config package is the contents of the Config directoy under PackageRoot that contains an
independently-updateable and versioned set of custom configuration settings for your service. -->
<ConfigPackage Name="Config" Version="1.0.0" />
<Resources>
<Endpoints>
<!-- This endpoint is used by the communication listener to obtain the port on which to
listen. Please note that if your service is partitioned, this port is shared with
replicas of different partitions that are placed in your code. -->
<Endpoint Name="WindowsContainerRegistryTypeEndpoint" Port="5000" />
</Endpoints>
</Resources>
</ServiceManifest>
Sources:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-run-service-as-ad-user-or-group
Service fabric local cluster error (this one didn't offer any solution for me unfortunately)
I currently started to work on an web app, in ASP.NET MVC, hosted in azure as an web app. I created a deployment slot (staging, not a production slot) and i would like to know what should i do to block access on that slot from all IP addresses, excepting white listed ones.
I tried from web config by adding this part of code there.
<rules>
<rule name="Block unauthorized traffic to staging sites" stopProcessing="true">
<match url=".*" />
<conditions>
<!-- Enter your staging site host name here as the pattern-->
<add input="{HTTP_HOST}" pattern="^mysite\-staging\." />
<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="123\.123\.123\.1" negate="true"/>
<!-- Add the white listed IP addresses with a new condition as seen below -->
<!-- <add input="{REMOTE_ADDR}" pattern="192\.255\.42\.2" negate="true"/> -->
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden"
statusDescription="Site is not accessible" />
</rule>
</rules>
But on deployment it returns this error from the server:
Module IIS Web Core
Notification Unknown
Handler Not yet determined
Error Code 0x80070032
Config Error The configuration section 'rules' cannot be read because it is missing a section declaration
IIS Version 10.0.
Do you know how should i do to restrict access as mentioned above (maybe something similar that you tried and worked)
Thanks!
Not sure if it was a typo when you pasted the config into your questions, but you are not closing <rules> correctly. Change the final <rules> to </rules>
I have two sites running on a Server 2012 R2 web server:
firstSite, port 80
secondSite, port 1234
Right now, users have to type in the host name, port number, and sub folder in order to view the 'Second Site' http://webServer:1234/subFolder.
I'm trying to simplify the URL so that all users can just type in the URL site.myDomain.com and have it (permanently) redirected to site.mydomain.com:1234/subFolder.
I've tried applying the following rule on my secondSite:
<rewrite>
<rules>
<rule name="Redirect" stopProcessing="true">
<match url=".*" />
<action type="Redirect" url="http://site.mydomain.com:1234/subFolder" />
</rule>
</rules>
</rewrite>
But doesn't seem to do anything.
A CNAME record has already been configured in DNS for site.myDomain.com to resolve to http://webServer.
I just need help with getting the redirection to 'secondSite' at port 1234.
I assume the first site is hosted on IIS and the rule is running within the context of the first site. If so, it should work...to validate your setup, I'd start with this article and the augment with your use case:
http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
<configuration>
<system.webServer>
<httpRedirect enabled="true" exactDestination="true" httpResponseStatus="Found">
<add wildcard="/some/folder/path/" destination="/new/folder/" />
</httpRedirect>
</system.webServer>
</configuration>
On Server2008 systems, ARR/URL rewrite installed. Incoming traffic to ARR server ('pirate.mydomain.com'), that server in DMZ. Internal IIS servers (Server 2008/URL rewrite), single IIS site ('static.mydomain.com') containing dept sub-sites (static.mydomain.com/deptone, static.mydomain.com/depttwo, etc).
At server level on ARR server, ARR server proxy settings: 'enable proxy' enabled, 'useurl rewrite to inspect incoming requests' enabled, 'reverse proxy' set to 'pirate.mydomain.com'.
Intent is to have deptone.mydomain.com rewritten (not redirected) to static.mydomain.com/deptone .... and depttwo.mydomain.com rewritten to static.mydomain.com/depttwo .
URL should not change in the visitors' browser.
At IIS site level for 'pirate.mydomain.com', URL rewrite rule as follows:
<rule name="deptone redirect" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^(www.)?pirate.mydomain.com/(deptone)(.*)" />
</conditions>
<action type="Rewrite" url="http://static.mydomain.com/deptone{C:3}" appendQueryString="false" />
</rule>
THis is not working; I am getting 400.0 error ('max forwards limit').
Need guidance for URL rewrite rule for this process. Have been to the IIS forums/help, but still cannot get this working.
Thanks.
Is there a way to get individual ant tasks to run quietly? I know of the -q switch, but that applies globally.
You could try implementing your own Ant logger.
One idea, using the existing listeners, would be to pipe all output to log4j and then implement a logging message filter that suppresses certain log messages
ant -listener org.apache.tools.ant.listener.Log4jListener
The log4j appender configuration would look something like:
<appender name=".." class="..">
..
..
<filter class="org.apache.log4j.varia.StringMatchFilter">
<param name="StringToMatch" value="ANT output to suppress" />
<param name="AcceptOnMatch" value="false" />
</filter>
</appender>