Docker container for Nginx with Naxsi based on Ubuntu 16.04

This is an upgrade of my proxy container from Building a small server for photography website. I wanted to get the latest versions of Nginx and Naxsi. Unfortunately there is no nginx-naxsi package available like there was in Ubuntu 14.04. And even though Nginx now allows dynamically loaded modules, Naxsi hasn’t been converted to a loadable module yet and needs to be compiled. Luckily the process is not complicated. I will replicate method 1 from this article and adapt it for a Docker container.


How to generate iptables rules for

I wanted to add firewall rules to my router that would let my server email me via a gmail account using msmtp. But servers can live on many different addresses, and they do change from time to time, as this Google support article explains. To keep the job of updating all possible relevant firewall rules simple, I wrote a little Bash script that will generate them for me.


Generate missing photo sizes in Piwigo

Having deployed Piwigo behind the Naxsi web application firewall, I am not able to generate multiple photo sizes (Administration > Photos > Batch Manager > Generate multiple size images) for very many photos at a time. I want to keep Naxsi as tight as possible, so I decided to generate the missing photo sizes with a workaround: calling web services manually from the shell. First of all I need to log in and save the session cookie:

wget --keep-session-cookies --save-cookies cookies.txt --delete-after --post-data="username=Admin&password=*****" ""

You should see a new file, cookies.txt, created in your current directory. Once logged in, let’s fetch the missing derivatives, extract the URLs from the resulting JSON file and access them. This will get them generated on the webserver. Since the web service call returns only a limited number of URLs, we will loop until we have generated all missing derivatives (photo sizes):

wget --load-cookies cookies.txt -nv -O missing.json ""
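# Loop while the response is longer than an empty result (about 50 bytes)
while [ `wc -c missing.json | cut -f 1 -d ' '` -gt 50 ]
do
  # Strip JSON quoting and the response wrapper, leaving one URL per line
  sed -e 's/[\\\"]//g' \
  -e 's/{stat:ok,result:{next_page:[0-9]*,urls:\[//' \
  -e 's/{stat:ok,result:{urls:\[//' \
  -e 's/\]}}/\n/' \
  -e 's/,/\n/g' \
  -e 's/\&b=[0-9]*//g' missing.json | \
  while read -r line ; do
    # Skip blank lines left over from the sed clean-up
    [ -n "$line" ] || continue
    # Requesting a derivative URL makes the webserver generate that size
    wget -nv -O /dev/null "$line"
  done
  # Fetch the next batch of missing derivatives
  wget --load-cookies cookies.txt -nv -O missing.json ""
done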


DMZ setup with router Asus RT-N56U

I am working on a home web server setup. I would like to minimize potential damage in the event that this server gets compromised. The solution is to put it into a separate network with minimal access to the rest of my home network. This is usually referred to as a DMZ (demilitarized zone).

To follow this tutorial you need to be comfortable with using ssh, vi, and iptables. I also assume that you have a static IP address from your Internet provider. My workstation is running Linux, so if you use a different platform, you might need to adjust some steps a little bit.

Here is what I intend to achieve with my setup:

[Figure: Home router DMZ setup]

Most home routers don’t have such functionality available by default. However, some devices are supported by free software projects like OpenWrt, DD-WRT, pfSense, or Tomato that can be configured that way.

My router, the Asus RT-N56U, is supposedly supported by OpenWrt (which I never tested myself). The other alternative firmware I found that supports it is called Padavan. I will describe how to set up a DMZ using the latter.

Fail2ban configuration for Piwigo failed logins

Building a new server for my hobby website, I fell in love with Fail2ban. It provides an automated way to reduce abuse of your infrastructure. Here is a brief tutorial on how to use it to protect the login page of the photo gallery application Piwigo from brute force attacks. Start by downloading a small Piwigo plugin, Log Failed Logins. It writes all failed login attempts into a text file. This can be easily used as an input logfile for Fail2ban. The format looks like this:

2015/06/14 22:32:33 ip= username=Admin
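
An added example, not from the original post or the plugin: Fail2ban's failregex uses Python regular expressions, so a candidate pattern for this log format can be checked in Python against sample lines, together with the maxretry/findtime style of counting. The address pattern after `ip=` (the page shows that field blank), the threshold values and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: "YYYY/MM/DD HH:MM:SS ip=<address> username=<name>".
# Anchoring at the start matters: the username is attacker-controlled, so an
# unanchored pattern could be fed a fake "ip=" inside the username field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ip=(?P<ip>[0-9A-Fa-f:.]+) username=(?P<user>.*)$"
)

def parse_line(line):
    """Return (timestamp, ip, username), or None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")

def addresses_to_ban(lines, maxretry=3, findtime=600):
    """Return IPs with at least maxretry failures within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        window = recent[ip]
        window.append(ts)
        # Drop failures that are older than the look-back window
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2015/06/14 22:32:33 ip=192.0.2.10 username=Admin
2015/06/14 22:32:41 ip=192.0.2.10 username=admin
2015/06/14 22:33:02 ip=203.0.113.7 username=Admin
2015/06/14 22:33:15 ip=192.0.2.10 username=root
2015/06/14 23:50:00 ip=203.0.113.7 username=Admin
2015/06/15 00:10:00 ip=203.0.113.7 username=Admin
garbage line without the expected fields
""".splitlines()

if __name__ == "__main__":
    print(addresses_to_ban(SAMPLE_LOG))
```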
