This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.
Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.
| ## | |
| ## Dovecot SSL settings with Intermediate compatibility | |
| ## Follows Mozilla's Security/Server Side TLS guidelines | |
| ## https://wiki.mozilla.org/Security/Server_Side_TLS | |
| ## | |
| ## | |
| ## Optionial: | |
| ## Disable 3DES ciphersuites to prevent CVE-2016-2183 | |
| ## by appending ":!3DES" to the ssl_cipher_list |
| yum -y install patch dkms kernel-devel | |
| wget https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz | |
| tar zxvf ena_linux_1.1.3.tar.gz -C /usr/src/ | |
| mv /usr/src/amzn-drivers-ena_linux_1.1.3 /usr/src/ena-1.1.3 | |
| cat <<EOF > /usr/src/ena-1.1.3/dkms.conf | |
| PACKAGE_NAME="ena" | |
| PACKAGE_VERSION="1.1.3" | |
| AUTOINSTALL="yes" |
| """ | |
| A simple watchdog for long running processes which may stall for some reason or | |
| another. | |
| If the main thread hasn't logged progress (by updating | |
| ``self.last_progress_time``) in WATCHDOG_HARD_KILL_TIMEOUT, the watchdog | |
| thread will log an error containing the stack trace of all currently running | |
| threads then use ``kill -9`` to kill the main process. | |
| Assumes that a process monitor like supervisor or systemd will then restart |
The following documents a trial of using etcd, and confd to automatically configure a haproxy load balancer.
It is built using a combination of blogs, resources and experimentation, but provides a rough template of the approach that would allow a fully featured balancer to be configured from etcd keyvalues.
| # Example: | |
| # $ python argparse_dict_argument.py --env a=b --env aa=bb | |
| # Namespace(env={'a': 'b', 'aa': 'bb'}) | |
| import argparse | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument('--env', action = type('', (argparse.Action, ), dict(__call__ = lambda a, p, n, v, o: getattr(n, a.dest).update(dict([v.split('=')])))), default = {}) # anonymously subclassing argparse.Action | |
| print(parser.parse_args()) |
| frontend www-http | |
| bind :80 | |
| bind *:443 ssl crt /etc/haproxy/certs no-sslv3 | |
| capture request header X-Forwarded-For len 50 | |
| acl is_cf req.hdr(cf-connecting-ip) -m found | |
| http-request set-header X-Client-IP %[src] if !is_cf | |
| http-request set-header X-Client-IP %[hdr(cf-connecting-ip)] if is_cf |
| # These examples assume you have a container currently running. | |
| # 1 Pipe from a file | |
| sudo docker exec --interactive CONTAINER_NAME /bin/bash < the_beginning.sh | tee the_beginning_output.txt` | |
| #2a Pipe by piping | |
| echo "echo This is how we pipe to docker exec" | sudo docker exec --interactive CONTAINER_NAME /bin/bash - |
| # Backup | |
| docker exec CONTAINER /usr/bin/mysqldump -u root --password=root DATABASE > backup.sql | |
| # Restore | |
| cat backup.sql | docker exec -i CONTAINER /usr/bin/mysql -u root --password=root DATABASE | |
| import socket | |
| import struct | |
| import sys | |
| from httplib import HTTPResponse | |
| from BaseHTTPServer import BaseHTTPRequestHandler | |
| from StringIO import StringIO | |
| import gtk | |
| import gobject |