Docker & Træfik – Loadbalancer made easy

Today in Docker. A scalable, nginx based, demo environment behind a loadbalancer in 26 lines and 2 commands.

We’ll be using Træfik and the Nginx based “whoami” container.

Get it

First of, let’s start with our Docker compose file:

version: '2'

    image: traefik
    command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
      - webgateway
      - "80:80"
      - "8080:8080"
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml

    image: emilevauge/whoami
      - webgateway
      - "traefik.backend=whoami"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"

    driver: bridge

Now, a little more detail, you create the URL that your server will be reachable with the “label” command on line 20:

      - "traefik.backend=whoami"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"

This will create the service “whoami” in the loadbalancer and will make it accessible trough “whoami.docker.localhost”

Line 7 & 18 create the network and line 24-26 sets the properties.

Run it

Now, up it:

docker-compose up -d

And scale the service whoami:

docker-compose scale whoami=10

Now you can visit the loadbalancer on http://localhost:8080 or docker.localhost:8080 . This will look like:

After that, simply go to http://whoami.docker.localhost and you will get output similar to:

Hostname: 0ba96cbfa379
IP: ::1
IP: fe80::42:acff:fe12:1f
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Proto: http
X-Forwarded-Server: 66978d8364ac

Now, every time you refresh the Hostname and IP should change ( because the loadbalancer is redirecting you to another instance.

And that’s it.

#5985 +(44) [X]

<Foggi> french are good for 2 things
<Foggi> art
<Foggi> and surrendering

This is why can’t have nice things! // Hack the party

Recently we started using Festify at our Student fraternity Gumbo Millennium. Festify is a really cool app that you can use to let your guests choose what songs they want to hear and prevents a lot of discussion about “what to play next”.

Festify is a free Spotify-powered app that lets your guests choose which music should be played using their smartphones.

But democracy doesn’t work when you want to hear your favourite song!

screen-shot-2016-09-13-at-08-45-03Step 1 – Setup and installation

Festify is really easy to install. You just need the software, Spotify and a Spotify Premium account. After that you can invite guests to the party or they can go to and enter the party ID.

Step 2 – Adding that funky jam

After joining a party you can add songs and vote on songs other people have edited. See them rise to the top and hope that your song hits the dance floor! Festify doesn’t require registration to vote and this is where the fun starts! Festify uses cookies to register your vote and prevents you from forcing your music on other people. Cookies? Let’s get started!

Step 3 – Capturing the upvote

After adding a song to the que you can’t vote on it. But thats easily solved. Delete you cookies, hard refresh and then you’re able to up-vote a song you just added. Using Chrome Developer tools you’re able to capture the POST request that up votes the song.


After coping this as a cURL request we get:

curl '' -H 'Origin:' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer:' -H 'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4' -H 'Connection: keep-alive' --data-binary $'{"name":"I\'m Too Sexy","spotifyID":"2WElktskrNJEwgpp5Vouxk"}' --compressed

Step 4 – Edit the vote and fire the lazer

After capturing it’s easy to remove the cookie in the cURL request

'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4'

And put it in a script

while [ $x -le 99 ]
  echo "Up-voted $x times"

    curl '' -H 'Origin:' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer:'  -H 'Connection: keep-alive' --data-binary '{"name":"Afro Circus/I Like To Move It","spotifyID":"0qNBowxGCvy2mSbg9kmEua"}' --compressed

  x=$(( $x + 1 ))

echo "AFRO"


Thank you Roelof for making this possible.

#10958 +(9086)- [X]
(morganj): 0 is false and 1 is true, correct?
(alec_eso): 1, morganj
(morganj): bastard.

My first #BruCON — Hackers & B33R


IMG_7764So let’s talk BruCON. After weeks of convincing my friend Floyd finally talked me in to going to BruCON with him. Me never having been to a ‘real’ hackers conference did not know what to expect.


The Journey 

Me and Floyd decided to take it easy. We only had to take the train to Gent. What could go wrong? Well, after finishing How to Train your Dragon 2 on the iPad we quickly discovered we were actually sitting in the wrong train. No biggy just a 1,5 hour delay. A lot of people had it worse:


The Arival After a short discusion on witch train to take we where on the road again. And IMG_6235it did nog take us long to arrive in Gent. The first thing I did when we arrived at our lovely AirBNB adres was of course back-upping my system, applying the latest patches and checking if my VPN was running as well as I hoped. We (of course) weren’t the first arrivals. As I gasped at the building the conference was being held in (lots of photos in this post) we checked in and met some of the arrivals. A few beers and good conversations later we hit the bar, and soon after that our beds.

Tha first day Having had a goodnight of sleep at the AirBNB (btw what’s up with locks in Belgium, nothing had a lock, not the toilet or the shower) we went back to the con. After a quick intro keynote we discovered the hacking challenge hosted by NVISO. Soon every table was filed with hackers trying to solve the different challenges. Floyd also introduced me to my first taste of Club Mate and we became instant BFF’s.

The talks on the first day where a lot of fun. I went to Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android (part 1). It was all about exploiting android. Just wish I could have run the VM’s (vBox an VM ware images don’t play nice). I also attended the beer workshop where we learned all about making beer (and what not to do unless you want your bottles to explode). After a few ( free ) beers at the worksop it was time to hit the afterparty and bars.



IMG_6282After a ‘successful’ night of consuming various drinks and moving one’s body to strange music we went back to a short night of sleep. After we woke up we soon discovered ( while Floyd was still taking his shower ) that the builders outside thought that this was a perfect time to close the central water supply.


Day 2 time

The second day we attended a few talks. One about Building your own botnet, about Thunderbolt DMA attacks and honeypot’s. Day 2 was over so quick. I’m not sure it was because of the hangover or all the cool talks and workshops I was attending.


Closing and final thoughts

My first BruCON was amazing. There is so much I haven’t written about because you can’t explain it without proper context. There were so many amazing people, and it’s just hilarious to discus your worst IT screwup wile being drunk outside a bar at 5 in the morning. I’ll be going back next year and in the meantime I will be on the lookout for more Cons.

And to close this post, here are some ( as we call them in Holland ) “Sfeer Foto’s” of Gent and the BruCON.

@securitygen: I received a Tor joke from someone. have no idea who they are though.