Parsing .ssh/config for proxy information - regex

I would like to parse the .ssh/config file for proxy information contained therein and display each host that has related proxy information with the proxy information. Hosts that do not have any proxy information should be filtered out. Man page for .ssh/config: http://man-wiki.net/index.php/5:ssh_config
This should be done from a Unix shell script under Bash, so a standard tool like Perl, awk or sed is preferred.
Example input file:
Host ssh.foo.com
User ssh
HostName ssh.foo.com
Port 443
ProxyCommand /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host ci
HostName 127.0.0.2
User ci
Host nightly
HostName 192.168.1.1
User goodnight
Host foobar.org
User git
HostName foobar.org
Port 443
ProxyCommand /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host integration
HostName 192.168.1.2
User int
The expected output should look like this:
Host: ssh.foo.com - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host: foobar.org - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
The difficulty here is that the search has to cover multiple lines.


Try following awk command:
awk '
$1 == "Host" {
host = $1 ": " $2;
next;
}
$1 == "ProxyCommand" {
$1 = "";
sub( /^[[:space:]]*/, "" );
printf "%s - Proxy: %s\n", host, $0;
}
' .ssh/config
It yields:
Host: ssh.foo.com - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host: foobar.org - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth


an awk oneliner may work for your requirement:
awk -v RS="" '/Proxy/{gsub(/\n/,"");gsub(/\s*User.*ProxyCommand/,"- Proxy:");print}'file
test (a.txt is your input file)
kent$ awk -v RS="" '/Proxy/{gsub(/\n/,"");gsub(/\s*User.*ProxyCommand/,"- Proxy:");print}' a.txt
Host ssh.foo.com - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host foobar.org - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth


Just for kicks, here is a nasty sed command that seems to accomplish this.
sed -n '/^[Hh]ost/{:r;h;:l;n;/^[Hh]ost/!{/[Pp]roxy/H;bl};/^[Hh]ost/{x;/[Pp]roxy/{s/\n\s*/ - /;s/[Cc]ommand/:/;s/[Hh]ost/\0:/;p};x;br}}' ~/.ssh/config
This is more for demonstration purposes anyway since the other solutions are much easier to grasp. A commented view of this:
/^[Hh]ost/ { # Begin on a Host line
:restart # Label to jump back to
h # Copy the pattern space to the save space
:loop # Label to jump to when we don't want to wipe out the save space
n # Read in the next line
/^[Hh]ost/!{ # For lines that aren't host definitions
/[Pp]roxy/H # If they are proxy configurations, append the line to the save space
b loop # Go to :loop
}
/^[Hh]ost/{ # If they are *not* host definitions
x # Exchange the pattern and save spaces
/[Pp]roxy/{ # If the new pattern space contains a proxy configuration
s/\n\s*/ - / # Insert the required separator
s/[Cc]ommand/:/ # Change "ProxyCommand" to "Proxy:"
s/[Hh]ost/\0:/ # Change "Host" to "Host:"
p # Print the pattern space
}
x # Exchange the pattern and save spaces
b restart # Go to :restart
}
}
Example output:
Host: ssh.foo.com - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host: foobar.org - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth


Have you checked out the Net::SSH::Perl::Config module ? It claims to read configs in the standard ssh format - albeit with a subset of keywords.
The configuration files should be in the same format used for the ssh
command line program; see the ssh manpage for information on this
format. Net::SSH::Perl::Config understands a subset of the
configuration directives that can live in these files; this subset
matches up with the functionality that Net::SSH::Perl can support.
Unknown keywords will simply be skipped.


One way using GNU sed:
sed -nre '/^Host/h;/ProxyCommand/{H;x;s/(Host)(.*)\n +[^ ]+ /\1:\2 - Proxy: /p}' file.txt
Results:
Host: ssh.foo.com - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth
Host: foobar.org - Proxy: /usr/local/bin/corkscrew proxy 8080 %h %p ~/.ssh/proxyauth


try this:
#! /usr/bin/perl
use strict;
use warnings;
open FD, "DATA" || die $!;
my $line = do {local $/; <FD>};
my #a = split /Host\b/, $line;
foreach (#a) {
if (defined $_ and /^\s*(\S+).*ProxyCommand\s+([^\n]+)/s) {
print "$1 - Proxy: $2\n";
}
}

Related

Updating letsencrypt cert-manager ClusterIssuer server url (with kubectl patch)

A ClustrerIssuer is running. It is configured with the lestencrypt staging url. How do I change the server url to production? Is it possible to patch or is replacing the complete issuer mandatory?
I tried:
kubectl patch ClusterIssuer letsencrypt --type json -p '[{"op": "replace", "path": "/spec/acme/sever", "value":"https://acme-v02.api.letsencrypt.org/directory"}]'
The result is:
clusterissuer.cert-manager.io/letsencrypt patched (no change)
kubectl describe ClusterIssuer letsencrypt | grep letsencrypt.org
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/xyz
*** This works, but I am trying to make the path work:
cat ../include/letsencypt.yaml | sed -E "s/acme-staging-v02/acme-v02/g" | kubectl apply -n cert-manager -f -

How to get certificate for "www.*.example.org" with Traefik's dnsChallange?

With the config below the issued certificate works for www.example.org and abc.example.org.but doesn't work for www.abc.example.org.
http:
routers:
web-router:
rule: "Host(`example.org`) ||
Host(`www.example.org`) ||
HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
entryPoints:
- web
middlewares:
- redirect
- csrf
service: django
web-secure-router:
rule: "Host(`example.org`) ||
Host(`www.example.org`) ||
HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
entryPoints:
- web-secure
middlewares:
- csrf
service: django
tls:
certResolver: letsencrypt
domains:
- main: "*.example.org"
sans:
- "example.org"
certificatesResolvers:
letsencrypt:
acme:
email: "email#example.com"
storage: /etc/traefik/acme/acme.json
dnsChallenge:
provider: route53
delayBeforeCheck: 0
In the DNS I have A records for example.org and *.example.org.
Is it possible to get a certificate that works for www.*.example.org and *.example.org in the same time?

LetsEncrypt doesn't do nested wildcards. You can get a certificate for *.example.org or for *.sub.example.org, but *.example.org doesn't include . in the definition of *.
Furthermore, DNS itself doesn't support nested or embedded wildcards.
You can see this if you create a record for www.*.example.com and then query for something like www.foo.example.com. You'll get an NXDOMAIN response. If you query for www.\*.example.com (or wrap the FQDN in single quotes to avoid shell expansion), then you'll get the A record you created. The asterisk becomes a literal character when not at the beginning of the record.
➤ host www.sub.productionwebsite.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host www.sub.productionwebsite.com not found: 3(NXDOMAIN)
~
➤ host 'www.*.productionwebsite.com' 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
www.*.productionwebsite.com has address 10.68.0.73

detect www. using sed

I am new to sed and almost confused.
Here is what I have in the nginx folder of my project:
files:
"/tmp/45_nginx_https_rw.sh":
owner: root
group: root
mode: "000644"
content: |
#! /bin/bash
CONFIGURED=`grep -c "return 301 https" /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf`
if [ $CONFIGURED = 0 ]
then
sed -i '/listen 8080;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
logger -t nginx_rw "https rewrite rules added"
exit 0
else
logger -t nginx_rw "https rewrite rules already set"
exit 0
fi
The above code works like a charm and basically redirects all the request to https if they are http request.
However I need to add a piece to check if the url has www and redirect to non www.
so for example www.test.com will be redirected to test.com.
How can I achieve this?

The AWS recommended solution was to completely rewrite "/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf"
You can do this by adding this file in .ebextensions: https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/docker-sc/https-redirect-docker-sc.config
I made one extra tweak for www redirect:
location / {
set $redirect 0;
if ($http_x_forwarded_proto != "https") {
set $redirect 1;
}
if ($host ~ ^www\.(?<domain>.+)$) {
set $redirect 1;
}
if ($http_user_agent ~* "ELB-HealthChecker") {
set $redirect 0;
}
if ($redirect = 1) {
return 301 https://ADDYOURDOMAINREDIRECTHERE$request_uri;
}
*One more note, your ec2 instance may already have a bunch of config files that you tried while finding a solution. I suggest deploying your app with NO config in .ebextensions, and then Rebuild Environment from the ELB console. This should give you a blank slate. Then simply add the file above to .ebextensions and redeploy.
*another note, you can ssh into your ec2 instance and verify that the file looks correct

What is the purpose of this sidecar-injector-configmap.yaml file?and how to config the IPRanges for network control?

Source: istio/templates/sidecar-injector-configmap.yaml ,
What is the purpose of this sidecar-injector-configmap.yaml file?
Can I configure the part related to accessing the external network in this file?
please focus on how to add IP ranges into below sections?
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
[[ else -]]
- "*"
[[ end -]]
- "-x"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
[[ else -]]
- ""
[[ end -]]
- "-b"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"

I am not that experienced with Istio, but it seems like you are not looking into right direction. Purpose of sidecar-injector-configmap is:
Manual and automatic injection both use the configuration from the
istio-sidecar-injector and istio ConfigMaps in the istio-system
namespace. Manual injection can also optionally load configuration
from local files.
You can find more information about the sidecar injector here.
By default, Istio-enabled services are unable to access URLs outside
of the cluster because the pod uses iptables to transparently redirect
all outbound traffic to the sidecar proxy, which only handles
intra-cluster destinations.
From what I was able to find the IP ranges should be configured in Ingress or Egress depending what exactly you want to do. You can find more about configuring network access in this sections - Ingress, Egress.

Print a block of text until the first blank line using awk

here is my sample file:
Host dns2
HostName 172.20.4.80
User root
Port 22
Host dns1
HostName 172.20.4.75
User root
Port 22
Host dns3
HostName 172.20.4.76
User root
Port 22
Host dns4
HostName 172.20.4.77
User root
Port 22
Host dns5
HostName 172.20.4.78
User root
Port 22
Host dns6
HostName 172.20.4.79
User root
Port 22
i want to print only one block means for example
Host dns1
HostName 172.20.4.75
User root
Port 22
output :
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
but in this example all blocks have 4 lines maybe they reach to 5 or more lines later so i want to print from Host to first blank line or remove from Host to first blank line
im really bad at regex and need this to complete my script
thank you

I think that you basically want this:
awk -v RS='' '/dns1/' file
Unset the record separator so that each block is treated as a record, then print whichever record matches the pattern.
Or to use a shell variable:
host=dns1
awk -v host="$host" -v RS='' '$0 ~ host' file
In both of these examples, I'm using the fact that the default action is { print }. As you will likely be changing the output by using { printf ... } you may want to consider adding an exit statement to avoid processing the rest of the file unnecessarily.

a similar awk
$ awk -v RS= -v OFS=' ' '{for(i=1;i<NF;i+=2) $i=$i":"}1' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
will give you all records in the desired output format. You can filter either this output further or add a pattern such as
$ awk -v RS= -v OFS=' ' '{for(i=1;i<NF;i+=2) $i=$i":"} /dns2/' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
if want to exit after processing the selected record, you need to slightly change the script
$ awk -v RS= -v OFS=' ' '/dns2/{for(i=1;i<NF;i+=2) $i=$i":"; print; exit}' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
If you want to select everything except one record you can negate the pattern (and remove exit)
$ awk -v RS= -v OFS=' ' '!/dns2/{for(i=1;i<NF;i+=2) $i=$i":"; print}' hosts
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
Note that sed inplace replacement needs an intermediary file. If you want to replace the original file with the formatted one sans one record, you can use this command pattern on the last awk statement
$ awk ... > temp && mv temp original
UPDATE:
setting OFS will change all the separators between fields. You want to logically group them by name: value, so change the script as such
$ awk -v RS= '{for(i=1;i<NF;i++) $i=$i (i%2?":":"\t")}1' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
which sets a tab delimiter after even positioned fields.

To print the 3rd record:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' 'NR==3{$1=$1; gsub(/ +/,": "); print}' file
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
To print the records that contains dns4:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' '/dns4/{$1=$1; gsub(/ +/,": "); print}' file
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
To print all records except those that contain dns3, dns4, or dns5:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' '!/dns[345]/{$1=$1; gsub(/ +/,": "); print}' file
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22

Not different than Tom Fenech approach, since it uses the record separator, but it plays with the field separator too to obtain the desired output:
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '/dns1/{$1=$1;print}' file
When you change the output field separator, you need to use $1=$1 (or $0=$0 or with any other field) to force awk to re-evaluate the record and to take in account the new field separator.
Notes: you can exit awk when a matching block is found with the exit command. This avoids to process all the end of the file.
You can also only test the pattern /dns1/ with the first field.
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '$1~/dns1/{$1=$1;print;exit}' file
If you add semi-colons to the result, since you modify the fields, the $1=$1 trick becomes useless. You can write:
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '$1~/dns1/{for(i=1;i<=NF;i++){sub(" ", ": ", $i)};print;exit}' file

This might work for you (GNU sed):
sed -n '/Host dns1/{:a;N;/^\s*$/M!ba;s/\n\s*/ /g;s/\s*$//p}' file
This focuses in on the required string, then appends following lines until a blank one and finally manipulates the new string that is gathered into the required output.