Engineering professional with a Bachelor's degree focused on Computer Science from KTH Royal Institute of Technology. In my free time I play tennis, padel, football and floorball, and do cross-country and downhill skiing.

Visit my KTH programming school

Portfolio

Pucón (Mapudungun: "entrance to the cordillera") is a Chilean city and commune administered by the municipality of Pucón. It is located in the Province of Cautín, Araucanía Region, 100 km to the southeast of Temuco and 780 km to the south of Santiago. It is on the eastern shore of Lake Villarrica, and Villarrica volcano is located roughly 17 km to the south. Pucón's location by a lake and volcano, along with its relatively stable climate, especially in summer,[4] make it a popular destination for tourists. It offers a variety of sports and activities for tourists, including water skiing, snow skiing, backpacking, white-water rafting and kayaking, horseback riding, natural hot springs, zip line rides, skydiving and guided ascents of Villarrica volcano.

Chile - Pucón

Bolivia

The Inca Trail to Machu Picchu

The Atacama Desert

Peru - Andes Mountains

Norrtälje

A curriculum vitae

Avida Finans AB -

Infrastructure Architect / Head of Infrastructure / DevOps
Dates Employed: Feb 2018 – Present. Location: Stockholm, Sweden
I work with the following technologies: ELK, Graylog, Grafana, Zabbix, Sensu, Jira, Confluence, GitLab, SonarQube, Terraform, SaltStack, Ansible, HAProxy, Letsencrypt, Squid, AWS (CloudWatch, EKS, Route 53/DNSSEC), Azure. Hardware like Palo Alto FW, Juniper/HP switches, F5, HP servers/storage, Veeam Backup. Also building the network between on-prem services and cloud environments with PA, Juniper and HP Aruba switches, with Layer 2 Rapid Spanning Tree Protocol (RSTP) / Layer 3 BGP routing connections for a secure network infrastructure.

Hjorthagen Tennis Club -

Chairman. Dates Employed: Mar 2010 – Present

B3 Consulting Group -

DevOps Consultant. Dates Employed: Mar 2017 – Jun 2020. Location: Stockholm, Sweden

SVT -

DevOps Consultant. Dates Employed: Oct 2013 – Oct 2017. Location: Stockholm, Sweden
http://blogg.svt.se/testbild/2015/02/the-soundtrack-of-svt-devsysnooops-track-1-warm-it-up/
http://blogg.svt.se/testbild/2015/03/the-soundtrack-of-svt-devsysnooops-track-2-stayin-alive/

Init AB -

Linux Consultant. Dates Employed: Feb 2015 – Feb 2017. Location: Stockholm County, Sweden
http://theinitblog.init.se/2015/09/riv-murarna.html

Lexher IT -

Open Source Consultant, I/O Virtualization Engineer. Dates Employed: Sep 2012 – Feb 2015. Location: Stockholm, Sweden

Bahnhof -

Linux Consultant, Managed Services Consultant. Dates Employed: May 2013 – Oct 2013. Location: Stockholm

H&M -

GWMS project, Linux/RedPrairie Consultant. Dates Employed: Feb 2013 – May 2013. Location: Stockholm, Liljeholmen. Work: Linux and RedPrairie (Java) project, implementation in production.

Mid Sweden University -

Teacher in Network Monitoring, 7.5 hp. Dates Employed: Jan 2010 – Jan 2013. Location: Anywhere
Work: Distance teacher and course designer for Network Monitoring, 7.5 hp, at Mid Sweden University (Mittuniversitetet). Responsible for and creator of the material, labs and exam. The course teaches network monitoring with hands-on exercises on tools such as Nagios/OP5, Sensu, Zabbix, Pingdom, ELK, SCOM, Wireshark, SNMP and MRTG.

Fujitsu -

Infrastructure Engineer. Dates Employed: Apr 2007 – Aug 2012. Location: Stockholm, Sweden

IK Wasa -

Chairman. Dates Employed: Mar 2005 – Mar 2010. Location: Stockholm, Sweden. Chairman of the sports club IK Wasa (www.ikwasa.com).

Unicorn -

Technician, Designer, Developer, Engineer. Dates Employed: Jan 2004 – Dec 2006. Location: Stockholm, Sweden. Worked with the Linux Slackware platform and programming in PHP, Python and Perl, and with databases in MySQL, MSSQL and Oracle.

TechDoc

AWS - Configuring DNSSEC using Route 53 and updating the domain registrar



If you're like me, you've been itching to turn on DNSSEC for your primary domain. At Avida, we use Route 53 as our authoritative DNS provider. The problem with making changes to DNS is that, by default, every record carries a TTL, which makes a change hard to roll back once resolvers have cached it. There are several stories of folks changing DNS records that had a high TTL and being offline until those records expired. Obviously, this wasn't an appealing prospect for our production domain. In any case, I was amazed at the lack of documentation on how to enable DNSSEC using Route 53. So, after successfully enabling DNSSEC on our primary domain, I thought I would share the correct settings for Route 53.

1. Log into your Route 53 console and click on the domain you wish to edit. On that page, click DNSSEC signing.
2. From there, click 'Enable DNSSEC signing' on the right-hand side.
3. Enter the name for your key-signing key (KSK). Make sure you select 'Create customer managed CMK', then enter a name for your customer managed key (CMK). Tip: the KSK name can't contain spaces or special characters, and the CMK name can't contain spaces.
4. Wait about 30 seconds or so while DNSSEC signing is enabled for the domain. After that, you'll see the result. I've redacted my domain info to prevent folks from copying it and screwing up their own DNSSEC config.
5. After that, create a DS record at your domain registrar (in Route 53, if that is where the domain is registered)...
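The DS record you hand to the registrar is a hash of the KSK's DNSKEY, so the one check worth doing before and after the registrar change is to recompute it yourself from the DNSKEY Route 53 publishes and compare. The following is an added example, not code from the page or from AWS; the DNSKEY and key material in it are constructed, not real.

```python
"""Recompute a DS record from a DNSKEY (RFC 4034 section 5.1.4 and appendix B).

Added example, not code from the page: once Route 53 shows the KSK's DNSKEY and
the DS record it wants at the registrar, recompute the DS from the DNSKEY and
check that the two agree before and after the registrar change. Key material
below is constructed, not a real key.
"""
import base64
import hashlib
import struct

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text: str) -> tuple:
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64KEY', the presentation form shown by dig."""
    flags, protocol, algorithm, *key = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, dnskey_text: str) -> tuple:
    """(key_tag, algorithm, digest_type, digest_hex) using digest type 2 (SHA-256)."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if a DS in presentation form ('TAG ALG DTYPE HEX') derives from this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split()
    return (int(tag), int(alg), int(dtype), digest.upper()) == ds_record(owner, dnskey_text)

# Constructed sample: flags 257 (zone key + SEP, i.e. a KSK), protocol 3,
# algorithm 13 (ECDSAP256SHA256, the algorithm Route 53 signs with), fake 4-byte key.
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="
```

In practice, feed `ds_record` the DNSKEY from `dig DNSKEY yourdomain +short` (the 257-flagged one) and compare the result with `dig DS yourdomain +short` once the registrar has published it.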

Configuring CloudWatch to send AD logs



.......

Configuring PALO Alto VPN tunnel to AWS


How to configure a site-to-site VPN between an AWS VPC and a Palo Alto firewall. AWS offers two VPN tunnels between a virtual private gateway or a transit gateway on the AWS side and a customer gateway on the remote side (the Palo Alto in our case).

[Logical diagram]

As the diagram shows, there are two logical tunnels between AWS and the PA. Each tunnel terminates in a different Availability Zone on AWS for redundancy.

Assumptions

PA public IP: 83.145.42.60/29. AWS VPN endpoint public IPs: 1.1.1.1 and 2.2.2.2. Using the minimum requirement of AES128, SHA1 and DH group 2.

AWS configuration

First create a virtual private gateway (see above) and attach it to your VPC. Next, to create a new VPN connection, go to VPC and choose Site-to-Site VPN Connections in the navigation pane. Networks referenced in the configuration: 192.168.201.0/24, 192.168.196.0/24, 192.168.197.0/24, 172.27.1.0/25, 172.16.201.0/24.

----------

Palo Alto configuration

IKE Crypto Profile
Create the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime and key parameters. Please note, these sample configurations are for the minimum requirement of AES128, SHA1 and DH group 2.
[Screenshot: IKE crypto profile]

IPSec Crypto Profile
The IPSec profile defines the encryption, authentication and IPSec mode parameters.
[Screenshot: IPSec crypto profile]

IKE Gateways
The two security devices or firewalls that initiate and terminate VPN connections across the two networks are called the IKE gateways. Each peer must have an IP address assigned. PA and AWS use pre-shared keys to mutually authenticate each other. The peers must also negotiate the mode, in our case main mode. We also need to select the IKE crypto profile created in the first step. Create 2 x IKE gateways, one for each tunnel.
[Screenshots: IKE gateway 1, IKE gateway 2]

Tunnel Interface
Create 2 x tunnel interfaces and set the MTU to 1427. You can also assign each interface to the appropriate virtual router and zone.
[Screenshot: tunnel interface]

IPSec Tunnel
The IPSec tunnel configuration allows you to authenticate and encrypt the data as it traverses the tunnel. Create 2 x IPSec tunnels.
[Screenshot: IPSec tunnel]

Monitor Profile
Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the tunnels, we want to fail the traffic over to the second tunnel. This is done by creating a tunnel monitor profile on the Palo Alto Networks device. A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-based forwarding (PBF) rules. In both cases, the monitor profile specifies an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable.
[Screenshot: monitor profile]

Policy Based Forwarding (PBF)

To allow for failover between tunnels, we use PBF and bind the tunnel monitor profile to the policy. When the tunnel monitor reaches its threshold, the policy is removed and the backup policy becomes active. Policy-based forwarding (PBF) allows you to override the routing table and specify the outgoing (egress) interface based on parameters such as source or destination IP address or type of traffic. Create 2 x PBF policies and adjust zone/interface accordingly. The Tunnel-2 configuration is shown below: Source zone: Inside; Source address: 192.168.10.0/24; Destination address: 10.200.0.0/24. Now one of the tunnels should come up. In case the Availability Zone associated with that tunnel goes down, the PA will remove its policy from PBF and the traffic will be sent out via the second tunnel.
[Screenshot: PBF]

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/policy-based-forwarding

Getting started - AWS Site-to-Site VPN: Use the following procedures to manually set up the AWS Site-to-Site VPN connection. You can create a Site-to-Site VPN connection with either a virtual private gateway or a transit gateway as the target gateway. (AWS Site-to-Site VPN documentation)

Don't forget static routing on the Palo Alto, and in AWS: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
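What the monitor profile and PBF pair actually buys you is a bounded detection time and an ordered fallback, which the screenshots do not make visible. The model below is an added example, not Palo Alto code or configuration from the page: it replays heartbeats against two monitored tunnels and shows when PBF moves traffic, when it moves back, and what happens when both tunnels are down. The interval (3 s) and threshold (5) are the PAN-OS monitor-profile defaults and are an assumption here.

```python
"""Model of a PAN-OS tunnel monitor profile driving PBF failover between the two
AWS tunnels. Added example, not Palo Alto code: it shows that failover takes
threshold x interval seconds after the last good heartbeat, and that traffic moves
back to the primary rule once its tunnel recovers. Interval 3 s and threshold 5
are the PAN-OS defaults (assumption: compare with your own monitor profile).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class MonitorProfile:
    interval_s: int = 3   # seconds between tunnel-monitor heartbeats
    threshold: int = 5    # consecutive lost heartbeats before the tunnel counts as down

@dataclass
class MonitoredTunnel:
    name: str             # e.g. "tunnel.1", terminating in one AWS Availability Zone
    profile: MonitorProfile
    lost: int = 0         # consecutive heartbeats without a reply
    def heartbeat(self, reply_received: bool) -> None:
        self.lost = 0 if reply_received else self.lost + 1
    @property
    def up(self) -> bool:
        return self.lost < self.profile.threshold

def pbf_egress(rules: List[MonitoredTunnel]) -> Optional[str]:
    """PBF rules are evaluated top-down and a rule whose monitored tunnel is down is
    removed. None means no rule matched, so the packet falls back to the routing
    table, which is why the static routes must exist as well."""
    for tunnel in rules:
        if tunnel.up:
            return tunnel.name
    return None

def simulate(rules: List[MonitoredTunnel], outages: Dict[str, Set[int]],
             duration_s: int = 60) -> List[Tuple[int, Optional[str]]]:
    """One heartbeat per interval; outages maps a tunnel name to the heartbeat times
    (seconds) whose reply is lost. Returns (time, egress tunnel) for every tick."""
    interval = rules[0].profile.interval_s
    timeline = []
    for t in range(0, duration_s, interval):
        for tunnel in rules:
            tunnel.heartbeat(t not in outages.get(tunnel.name, set()))
        timeline.append((t, pbf_egress(rules)))
    return timeline

def first_failover(timeline: List[Tuple[int, Optional[str]]], primary: str) -> Optional[int]:
    """First heartbeat time at which traffic no longer leaves via the primary tunnel."""
    return next((t for t, egress in timeline if egress != primary), None)
```

With the defaults, a tunnel that stops answering at t=9 s (last good heartbeat at t=6 s) is declared down at t=21 s, i.e. 5 x 3 s after the last reply; shortening the interval or threshold trades faster failover for more flapping on a lossy link.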

Use HAProxy as a gatekeeper


HAProxy is designed mainly to receive all web traffic: it logs traffic, load balances, applies access lists and terminates SSL. The solution consists of two servers with a keepalived daemon that monitors the state of the master node and, in case of a failure, switches the slave to the active state. For transparent access via DNS, Elastic IPs are set up on both sides (towards the Internet and towards the local network), allowing HAProxy to be reached from both sides as one entity. Both instances are protected with SELinux.

Links: https://www.haproxy.com/blog/haproxy-on-aws-best-practices-part-3/ and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/load_balancer_administration/index

Design
[Design diagram: Internet, HTTP/HTTPS, DMZ, PROD, Services]


Implementation info: The official CentOS 7 repository has an old version of HAProxy (1.5.18-9.el7); a newer one can be found in the EPEL repository, but its package name, service name and config files are all named with the word "haproxy18". AWS user config: user: haproxy_set_IP; permission policy: HAProxy_AssociateEIP. NB: do not `yum install awscli` on CentOS 7: in the official CentOS/EPEL 7 repo the version is aws-cli/1.14.28, but version 2 is available from the AWS repository: curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

Interfaces: x.x.x.x is the external Elastic IP; 172.17.x.123/24 (master) and 172.17.x.223/24 (slave) are the private IPs of the HAProxy instances; 172.17.x.x/24 is the load-balanced local network IP.
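The piece that makes the two instances appear as one entity is the keepalived transition hook: when a node becomes MASTER it must re-associate the external Elastic IP to itself, which is what the haproxy_set_IP user and its HAProxy_AssociateEIP policy exist for. The script below is an added example, not code from the page, HAProxy or keepalived; the allocation id is a placeholder and the exact IAM permission is an assumption.

```python
"""keepalived notify script that moves the external Elastic IP to the new MASTER.

Added example, not code from the page, HAProxy or keepalived. keepalived runs it
as: <script> GROUP|INSTANCE <name> MASTER|BACKUP|FAULT <priority>. Assumptions:
the allocation id is a placeholder and the IAM user haproxy_set_IP (policy
HAProxy_AssociateEIP) is permitted ec2:AssociateAddress.
"""
import sys
import urllib.request
from typing import Optional

EIP_ALLOCATION_ID = "eipalloc-PLACEHOLDER"   # placeholder for the x.x.x.x Elastic IP
IMDS = "http://169.254.169.254/latest"

def instance_id(opener=urllib.request.urlopen) -> str:
    """This instance's id via IMDSv2: fetch a session token, then the metadata."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = opener(req, timeout=2).read().decode()
    req = urllib.request.Request(f"{IMDS}/meta-data/instance-id",
                                 headers={"X-aws-ec2-metadata-token": token})
    return opener(req, timeout=2).read().decode()

def on_transition(state: str, this_instance: str, ec2) -> Optional[dict]:
    """Only the node that became MASTER acts: associating the EIP to itself with
    AllowReassociation detaches it from the old master. BACKUP and FAULT do nothing,
    so a failing node never changes AWS state based on a stale view of the pair."""
    if state != "MASTER":
        return None
    params = {"AllocationId": EIP_ALLOCATION_ID, "InstanceId": this_instance,
              "AllowReassociation": True}
    ec2.associate_address(**params)
    return params

class DryRunEC2:
    """Stand-in for boto3's EC2 client: records the call instead of making it."""
    def __init__(self):
        self.calls = []
    def associate_address(self, **kwargs):
        self.calls.append(kwargs)
        return kwargs

def main(argv=sys.argv) -> Optional[dict]:
    state = argv[3]                      # keepalived passes the new state as argument 3
    if "--dry-run" in argv:
        return on_transition(state, "i-dry-run", DryRunEC2())
    import boto3                         # deferred: only needed for a real transition
    return on_transition(state, instance_id(), boto3.client("ec2"))

if __name__ == "__main__":
    main()
```

Point keepalived's `notify` option at this script for the VRRP instance; because only the MASTER branch touches AWS, the haproxy_set_IP user needs no permission beyond the associate call.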

SELinux does not allow haproxy to perform "name_connect" when the Elastic IP changes on the network interface, so we need to tell SELinux to allow this: setsebool -P haproxy_connect_any on. Commands: systemctl reload haproxy18; haproxy18 -d -V -c -f /etc/haproxy18/haproxy.cfg

Certificate: Certificates are updated by the certificate server / certbot renew. To generate a certificate for new sites and read about the certificate server, see: Certificate Server Letsencrypt. The certificate is stored at /etc/haproxy18/ssl on both HAProxy instances.