Configure phpmyadmin for connect to RDS AWS MariaDB

30 03 2017

Ensure that “/etc/phpmyadmin/config-db.php” does not have any configured values:

$dbuser='';
$dbpass='';
$basepath='';
$dbname='';
$dbserver='';
$dbport='';
$dbtype='';

Create a new file with your particular values in “/etc/phpmyadmin/conf.d/myconf.php”:

<?php
// Extra server definition for the RDS endpoint. $i is the server index that
// phpMyAdmin's main config.inc.php defines before including conf.d/*.php.
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['host'] = 'name.of.rds.amazonaws.com'; // RDS endpoint hostname
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = TRUE;

Go to the phpmyadmin website and log in with the administrative account.

More info: http://stackoverflow.com/questions/4402482/using-phpmyadmin-to-administer-amazon-rds


Multiple network interfaces with multiple public IPs in an EC2 instance with different outbound source using network namespaces

14 02 2017

In this scenario we will have an ec2 instance with:

* 3 network interfaces
* 3 public IPs (one for each interface)
* 3 different processes, each with a different public outbound address, running in separate network namespaces

As a starting point, we have a simple EC2 instance with one interface and a public IP assigned to it. The steps are:

– Allocate two new elastic IPs

– Create two new network interfaces in the same subnet in which resides the instance.

– Associate the new elastic IPs to these new network interfaces.

– Associate the new network interfaces to the instance. Now it has the default eth0 and two more, eth1 and eth2.

– Create a pair of network namespaces for the new interfaces:

ip netns add blue
ip link set eth1 netns blue
ip netns add green
ip link set eth2 netns green

– Request the IPs for the interfaces:

ip netns exec blue dhclient eth1
ip netns exec green dhclient eth2

– And test it:

curl ipinfo.io/ip
ip netns exec blue curl ipinfo.io/ip
ip netns exec green curl ipinfo.io/ip
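As an added example that is not part of the original post, the following script wraps the steps above: it moves eth1 and eth2 into the blue and green namespaces, requests the leases, and then verifies that the default namespace and the two new ones really present three different public addresses. The interface and namespace names are the ones used above; the check function is pure and can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): put each extra ENI into
# its own network namespace, get a DHCP lease there, then check that the
# three egress paths really use three different public addresses.
# Assumes the eth1/blue and eth2/green layout described above.
set -eu

# Create the namespace if needed, move the interface into it, bring up
# the namespace loopback and request a lease. Needs root on the instance.
attach_iface_to_ns() {
    iface=$1; ns=$2
    ip netns list | awk '{print $1}' | grep -qx "$ns" || ip netns add "$ns"
    ip link set "$iface" netns "$ns"
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" dhclient "$iface"
}

# Public address seen from a namespace ("" = the default namespace).
outbound_ip() {
    if [ -z "$1" ]; then curl -s ipinfo.io/ip
    else ip netns exec "$1" curl -s ipinfo.io/ip
    fi
}

# Return 0 when every input line is a well-formed, distinct IPv4 address,
# 1 otherwise (a repeat means two paths share an egress address; an
# empty or malformed line means a lookup failed).
all_distinct_ips() {
    list=$1
    total=$(printf '%s\n' "$list" | grep -c . || :)
    valid=$(printf '%s\n' "$list" | grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || :)
    uniq_n=$(printf '%s\n' "$list" | sort -u | grep -c . || :)
    [ "$total" -gt 0 ] && [ "$valid" -eq "$total" ] && [ "$uniq_n" -eq "$total" ]
}

main() {
    attach_iface_to_ns eth1 blue
    attach_iface_to_ns eth2 green
    ips=$(printf '%s\n%s\n%s\n' "$(outbound_ip '')" "$(outbound_ip blue)" "$(outbound_ip green)")
    printf '%s\n' "$ips"
    if all_distinct_ips "$ips"; then echo "OK: three distinct egress addresses"
    else echo "FAIL: egress addresses overlap or a lookup failed"; exit 1
    fi
}

# Live setup runs only with --run; sourcing the file just defines the
# functions so the offline check can be reused.
if [ "${1:-}" = "--run" ]; then main; fi
```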

Take into account that:

– You need to launch the process with “ip netns exec xxxx”, because systemd does not support assigning a service to a network namespace:
https://github.com/systemd/systemd/issues/2741

– Check the AWS limits: by default only 5 EIPs are allowed, and each instance type has a limit on the number of network interfaces.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html





VPN between PFSense in a LAN and Amazon AWS VPC with IPSec

18 10 2015

This manual covers the case of creating an IPSec VPN between a PFSense located inside a local network (in an office, for example) and a VPC inside Amazon AWS, allowing transparent access to the resources on both sides.


Base scenario

The following addresses are only for this manual; substitute them with the values of your particular case:

Office LAN:         192.168.0.0/16
Office public IP:   203.0.113.1
Amazon VPC Net:     172.16.0.0/16 | my_vpc


Create Customer Gateway

CustomerGateway0

Start in AWS by creating a Customer Gateway. The routing could be dynamic, but as BGP is not going to be used, static routing must be selected. For that reason, it is necessary to add a custom route to the Route Tables directly (covered later):

Name Tag:    test5
Routing:     Static
IP Address:  203.0.113.1



Create Virtual Private Gateways

VirtualPrivateGateway0
Simply create a Virtual Private Gateway, VPG, and attach it to the target VPC.

Name Tag:     test5
Attached to:  172.16.0.0/16 | my_vpc



Create VPN Connection

VPNConn00
Now create the VPN Connection, joining everything that was created before. Afterwards, under the Tunnel Details tab there are two tunnels; we only use the first one, which has the Amazon AWS public IP to which the IPSec VPN connects. Under the Static Routes tab there is a route for our office network.

Name Tag:                 test5
Virtual Private Gateway:  vgw-xxxx | test5
Customer Gateway:         Existing
                          cgw-xxxx (203.0.113.1) | test5
Routing Options:          Static
Static IP Prefixes:       192.168.0.0/16


Download the configuration, mainly to know the Pre-Shared Key; the other parameters for PFSense are usually the same for everyone.

Vendor:    Generic
Platform:  Generic
Software:  Vendor Agnostic


Open the file and copy the Pre-Shared Key for later use:
...
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : AoLmjz_XLnktHkZxfSdm_69wJN11OqIuf9
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
...


Add custom route to Route Tables

This step depends more on your particular VPC subnets and route table configuration, but essentially it is necessary to add a route entry that sends the traffic from your AWS subnet to your Office LAN through the Virtual Gateway.

Destination:  192.168.0.0/16
Target:       vgw-xxxxx | test5

RouteTables1


PFSense configuration
Our office PFSense has two networks: one WAN interface, in this case behind a NAT but which can also be directly connected to the internet with a publicly routable IP, and another interface connected to the LAN.

Interfaces
WAN:        10.0.0.1
LAN:        192.168.0.1

Start by creating an IPSec VPN
pf1

Bring up Phase 1 with your particular values; compared with the screen capture, usually only the Remote Gateway and the Pre-Shared Key change.

Key Exchange Version:  V1
Internet Protocol:     IPv4
Interface:             WAN
Remote Gateway:        52.17.26.84
Description:           VPC VPN
Authentication Method: Mutual PSK
Negotiation Mode:      Main
My identifier:         My IP address
Peer identifier:       Peer IP address
Pre-Shared Key:        AoLmjz_XLnktHkZxfSdm_69wJN11OqIuf9
Encryption algorithm:  AES 128 bits
Hash algorithm:        SHA1
DH key group:          2 (1024 bit)
Lifetime:              28800 seconds
NAT Traversal:         Auto
Dead Peer Detection:   Enable DPD
                       10 seconds
                       2 retries
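As an added example that is not part of the original post, the following script reads the IKE parameters from the downloaded AWS configuration file (the format of the excerpt shown above) and checks them against the pfSense Phase 1 values listed here, so a changed default on the AWS side shows up as a mismatch before the tunnel is configured. The file layout is assumed to match the excerpt, and the sample file is constructed for the check.

```shell
#!/bin/sh
# Added example (not part of the original post): read the IKE (Phase 1) values
# from the "Generic / Vendor Agnostic" file downloaded from AWS and compare them
# with the pfSense Phase 1 form. Assumes one "- Key : Value" line per parameter.
set -eu

# Print one IKE parameter, first occurrence only: the download covers
# both tunnels and this manual configures Tunnel 1.
ike_param() {
    awk -v k="$2" -F' : ' '$1 ~ "^[ \t]*- " k "[ \t]*$" { print $2; exit }' "$1"
}

# Compare the download with the Phase 1 values typed into pfSense; print
# each mismatch and return their count (0 means everything matches).
check_ike() {
    file=$1; bad=0
    while IFS='|' read -r key want; do
        got=$(ike_param "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: download says '$got', pfSense form uses '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
Authentication Method|Pre-Shared Key
Authentication Algorithm|sha1
Encryption Algorithm|aes-128-cbc
Lifetime|28800 seconds
Phase 1 Negotiation Mode|main
Perfect Forward Secrecy|Diffie-Hellman Group 2
EOF
    return "$bad"
}

# Constructed sample mirroring the excerpt above; the trailing Tunnel 2 line shows only Tunnel 1 is read.
write_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : AoLmjz_XLnktHkZxfSdm_69wJN11OqIuf9
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
  - Pre-Shared Key           : TUNNEL2-PSK-PLACEHOLDER
EOF
    echo "$f"
}
```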

pf2

Continue by bringing up Phase 2 with your particular values; compared with the screen capture, usually only the Remote Network changes. To keep the tunnel up when there is no traffic, add the IP of an AWS host in the “Automatically ping host” field.
Change Local Network to something other than “LAN subnet” if your local network is different from, or larger than, the LAN connected to the interface.

Mode:                  Tunnel IPv4
Local Network:         LAN subnet
Remote Network:        172.16.0.0/16
Protocol:              ESP
Encryption algorithms: AES 128 bits
Hash algorithms:       SHA1
PFS key group:         2 (1024 bit)
Lifetime:              3600
Automatically ping host: ?

pf3

In VPN: IPsec: Settings, define the “Maximum MSS” to avoid inexplicable failures: tick “Enable MSS clamping on VPN traffic” and set 1387 in the box.

Finally, if all went well, it should look something like this:

pf4

and this:

pf5

A firewall rule is necessary to allow IPSec traffic.
If your local network is different from, or larger than, the LAN connected to the interface, add another rule under the LAN tab to allow all traffic.

Proto:       IPv4
Source:      *
Port:        *
Destination: *
Port:        *
Gateway:     *
Queue:       *

pf6

On the Amazon AWS side, the Status of the VPN Connection should change from DOWN to UP:

VPNConn7

Try to ping a host from one side to the other; with the VPN established, and if there is no other particular network configuration, there should not be any issue.

I hope it has been helpful…


Notes:

  • You can configure Tunnel 2 in the same PFSense, but don’t use the same public IP. For each IPSec tunnel, use a different public IP.


Other resources:
http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/