centos 7 cluster
martedì, 29 Agosto 2017
Procedura di setup Centos 7:
yum install epel-release.noarch yum install net-tools yum install psmisc yum install httpd yum install perl yum install perl-Digest-MD5 rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm yum install -y kmod-drbd84 drbd84-utils crm_verify -L -V /bin/systemctl start pacemaker.service crmadmin configure property stonith-enabled=false service corosync restart service pacemaker restart yum install nmap yum install open-vm-tools service vmtoolsd start systemctl enable vmtoolsd yum install acpid yum install unzip yum install mod_ssl.x86_64
Configurazione cluster unicast:
logging {
fileline: off
to_logfile: yes
logfile: /var/log/cluster/corosync.log
to_stderr: no
debug: off
timestamp: on
to_syslog: yes
logger_subsys {
subsys: QUORUM
debug: off
}
}
totem {
version: 2
token: 3000
secauth: on
rrp_mode: active
interface {
member {
memberaddr: 172.31.252.41
}
member {
memberaddr: 172.31.252.42
}
ringnumber: 0
bindnetaddr: 172.31.252.0
mcastport: 694
ttl: 1
}
transport: udpu
}
quorum {
provider: corosync_votequorum
expected_votes: 2
}
</code>
Configurazione Apache come reverse proxy:
<code>
<VirtualHost *:80>
ServerName webmail.xxxx.it
Redirect / https://webmail.xxxx.it/
# ProxyRequests Off
# <Proxy *>
# Order deny,allow
# Allow from all
# </Proxy>
# ProxyPass / http://XX.XX.XX.XX/
# ProxyPassReverse / http://XX.XX.XX.XX/
</VirtualHost>
<VirtualHost *:443>
ServerName webmail.xxxx.it
RewriteEngine on
ProxyPass / http://XX.XX.XX.XX/ retry=0 ttl=120 timeout=120
ProxyPassReverse / http://XX.XX.XX.XX/
<IfModule mod_ssl.c>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
#SSLSessionCacheTimeout 300
#128bit
#SSLProtocol ALL -SSLv2
#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS
# 40 bit
#SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt
SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt
SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key
ErrorDocument 403 http://www.xxxx.it/
ErrorDocument 404 http://www.xxxx.it/
</IfModule>
ProxyRequests on
ProxyVia on
AddOutputFilterByType SUBSTITUTE text/html
</VirtualHost>
Configurazione di sicurezza vari servizi:
https://cipherli.st/
- Pubblicato il Cluster, Sistemistica, Tips & Tricks
Non ci sono commenti
Microsoft Exchange OWA e Outlook Anywhere con Reverse Proxy Squid
domenica, 06 Agosto 2017
Volendo realizzare un reverse proxy per Exchange 2016 OWA e Outlook Anywhere l’unica possibilità per avere il supporto RPC over HTTP è utilizzare squid come reverse proxy.
Squid pubblica un howto per configurare correttamente il servizio per questo compito, qui un link tuttavia la guia non è esaustiva.
Versione aggiornata 2017 con Centos7 e Squid 3.5 per Exchange 2016 e valutazione A su Qualsys ssl test.
client_persistent_connections off
sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA
workers 4
buffered_logs on
forwarded_for on
maximum_object_size 512 MB
cache_mem 2 GB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#cache_replacement_policy GDSF
#memory_replacement_policy lru
memory_pools on
http_port 0.0.0.0:80 accel
https_port 0.0.0.0:443 accel \
cert=/etc/squid/ssl/<certificate>.cer \
key=/etc/squid/ssl/<key>.key \
cafile=/etc/squid/ssl/<ca>.pem \
options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \
dhparams=/etc/squid/ssl/dhparam.pem \
tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \
defaultsite=<domain>
cache_peer <IP> parent 443 0 \
no-query originserver \
login=PASSTHRU connection-auth=on \
ssl sslflags=DONT_VERIFY_PEER \
front-end-https \
ssloptions=NO_SSLv2 \
name=exchangeServer
##acl manager proto cache_object (OPTIONAL)
#for squidclient access
#acl localhost src 127.0.0.1/32
#http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain <domain> autodiscover.<domain>
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
# ecp
acl ecp_eccezione urlpath_regex ^/ecp/MyGroups
http_access allow ecp_eccezione
acl ecp urlpath_regex ^/ecp
deny_info https://<domain>/owa ecp
http_access deny ecp
deny_info https://<domain>/owa MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all
Disable TLS Compression in /etc/sysconfig/squid add
export OPENSSL_NO_DEFAULT_ZLIB=1
Perfect Forward Secrecy
openssl dhparam -out /etc/squid/ssl/dhparams.pem 2048
CA Chain es.DigiCert SHA2 High Assurance Server CA
Sito: https://www.digicert.com/digicert-root-certificates.htm
wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM
Link utili:
<blockquote data-secret="5eVCDR9zto" class="wp-embedded-content"><a href="http://www.rawiriblundell.com/?p=1442">squid reverse proxy: improving your ssllabs score</a></blockquote> <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" src="http://www.rawiriblundell.com/?p=1442&embed=true#?secret=5eVCDR9zto" data-secret="5eVCDR9zto" width="600" height="338" title="“squid reverse proxy: improving your ssllabs score” — rawiriblundell.com" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>
Vecchia versione, lasciata per questione storiche.
Nel configurare e testare questa configurazione abbiamo riscontrato alcuni problemi.
Il primo riguarda l’impossibilità di effettuare upload di dimensioni poco più che minime.
Il tentativo si risolve in un errore 502 sul server.
La spiegazione è data dallo strato SSL, utilizzando uno squid con il supporto per openssl 0.9.8 ad esempio il problema non si manifesta.
Analizzando il traffico abbiamo verificato che deve succedere qualcosa durante il rekey del certificato che fa chiudere la connessione al server Exchange.
Inserendo sslversion=3 nella direttiva cache_peer il problema è scomparso.
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer
Allo stesso modo per il supporto di alcune piattaforme OSX abbiamo inserito la direttiva:
client_persistent_connections off
Per finire la gestione dell’autodiscover:
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
Ecco qui il file di configurazione completo:
client_persistent_connections off http_port 80 accel https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer #acl manager proto cache_object (OPTIONAL) #for squidclient access acl localhost src 127.0.0.1/32 http_access allow manager localhost http_access deny manager # ACL to allow your FQDNs acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com # Redirect port 80 requests to port 443 acl port80 myport 80 http_access deny port80 MS-OWA deny_info https://webmail.domainname.com/%R MS-OWA cache_peer_access exchangeServer allow MS-OWA cache_peer_access exchangeServer deny all never_direct allow MS-OWA cache deny all # Lock down access to just the Exchange Server! http_access allow MS-OWA http_access deny all miss_access allow MS-OWA miss_access deny all
E una piccola modifica al file /etc/security/limits.conf
# SQUID squid soft nofile 32768 squid hard nofile 32768
andrea gagliardi
- Pubblicato il Sistemistica, Tips & Tricks, Windows
Corosync/Pacemaker in Centos 7 con LCMC
martedì, 25 Luglio 2017
Corosync/Pacemaker in Centos 7 con LCMC
Pacchetti da installare
yum install perl yum install perl-Digest-MD5 yum install epel-release rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org yum update yum install kmod-drbd90 drbd90-utils yum install acpid yum install open-vm-tools
/etc/corosync/corosync.conf
logging {
fileline: off
to_logfile: yes
logfile: /var/log/cluster/corosync.log
to_stderr: no
debug: off
timestamp: on
to_syslog: yes
logger_subsys {
subsys: QUORUM
debug: off
}
}
totem {
version: 2
token: 3000
secauth: on
rrp_mode: active
transport: udpu
}
nodelist {
node {
ring0_addr: 172.21.8.131
nodeid: 1
}
node {
ring0_addr: 172.21.8.132
nodeid: 2
}
}
quorum {
provider: corosync_votequorum
two_node: 1
expected_votes: 2
}
systemctl enable corosync
systemctl enable pacemaker
reboot
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
tema vim
mercoledì, 12 Luglio 2017
.vimrc
#execute pathogen#infect() syntax on filetype plugin indent on set nowrap set t_Co=256 set background=dark colorscheme PaperColor
Tema PaperColor
PaperColor-Dark
Wget in /.vim/colors/
wget https://raw.githubusercontent.com/NLKNguyen/papercolor-theme/master/colors/PaperColor.vim
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
Esperimenti con multipath e SAN
venerdì, 07 Luglio 2017
http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath
https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf
grep mpt /sys/class/scsi_host/host?/proc_name
rescan-scsi-bus.sh
echo “- – -” > /sys/class/scsi_host/host1/scan
multipath -l
multipathd -k”fail path sdb”
multipathd -k”del path sdb”
multipathd -k”reinstate path sdb”
multipathd -k”show paths”
dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls
echo 1 > /sys/block/sde/device/delete
echo 1 > /sys/block/sda/device/rescan
service multipath-tools restart
partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev –rereadpt /dev/mapper/MSA_BELLNET
partprobe -s
pvcreate –uuid “DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m” –restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL
multipath.conf
defaults {
polling_interval 15
path_selector "round-robin 0"
path_grouping_policy multibus
prio const
path_checker directio
rr_min_io 100
flush_on_last_del no
max_fds 8192
rr_weight priorities
failback immediate
no_path_retry fail
queue_without_daemon no
user_friendly_names yes
mode 644
uid 0
gid disk
}
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
devnode "^hd[a-z]"
devnode "^sda"
devnode "^sda[0-9]"
wwid "3600508b1001c1f5b93df16da7e7ab72e"
wwid "3600508b1001c81da7e4515d6a1c3a693"
wwid "OCZ-VELO_DRIVE_OCZ-938561J47139J405"
wwid "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676"
wwid "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U"
# wwid 3600c0ff0001432f020c55c5901000000
device {
vendor HP
product "P410i|LOGICAL"
}
}
devices {
device {
vendor "HP"
product "P2000 G3*"
path_grouping_policy "group_by_prio"
# uid_attribute "ID_SERIAL"
path_checker "tur"
path_selector "round-robin 0"
features "0"
hardware_handler "0"
prio "alua"
rr_weight "uniform"
failback "immediate"
no_path_retry 18
rr_min_io 100
}
}
multipaths {
multipath {
wwid 3600c0ff00014e4ed9724235801000000
alias MSA_NETLITE
}
multipath {
wwid 3600c0ff00014e4edfa37695801000000
alias MSA_NETLITE_BACKUP
}
multipath {
# path_grouping_policy multibus
wwid 3600c0ff0001432f020c55c5901000000
alias MSA_BELLNET
}
multipath {
wwid 3600c0ff0001432f0a80e5a5901000000
alias MSA_BELLNET_BACKUP
}
}
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
Proxy Squid
lunedì, 19 Giugno 2017
squid.conf
http_port 8081 #http_port 10.1.1.5:8082 pid_filename /var/run/squid3-2.pid cache_mgr [email protected] visible_hostname NETLITEPROXY #dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.123 208.67.220.123 dns_nameservers 10.5.1.5 dns_timeout 1 minutes positive_dns_ttl 1 hours negative_dns_ttl 10 minutes fqdncache_size 51200 ipcache_size 51200 #pipeline_prefetch on cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-small 1024 16 256 max-size=32768 cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-large 4096 16 256 cache_mem 2048 MB minimum_object_size 0 KB cache_replacement_policy heap LFUDA memory_replacement_policy heap GDSF memory_pools on maximum_object_size 128 MB minimum_object_size 0 KB maximum_object_size_in_memory 512 KB ie_refresh on cache_access_log /var/log/squid3/access-2.log #cache_access_log /dev/null #cache_log /var/log/squid3/cache-2.log cache_log /dev/null #cache_store_log /var/log/squid3/store-2.log cache_store_log /dev/null logfile_rotate 0 log_mime_hdrs off log_icp_queries off buffered_logs on redirect_rewrites_host_header off acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl SSL_ports port 8080 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports debug_options ALL,1 client_lifetime 12 hour half_closed_clients off pconn_timeout 5 minutes request_timeout 5 minutes connect_timeout 30 seconds authenticate_ttl 15 minutes authenticate_ip_ttl 15 minutes max_open_disk_fds 32768 acl java_jvm browser Java/1. J/SSL #acl localhost src 127.0.0.1/32 #acl reti_abilitate src 127.0.0.1/32 acl reti_abilitate src 10.5.1.0/24 acl netlite src 212.29.137.82/32 #netlite office acl netlite src 87.248.52.82/32 #netlite office acl no_cache_siti dstdomain "/etc/squid3/no-cache-siti.txt" acl siti_pubblici dstdomain "/etc/squid3/siti-pubblici.txt" acl lan-allowed-ip src "/etc/squid3/good-lan-ip.txt" http_access allow lan-allowed-ip # MAC Utenti Bovolone acl MAC arp "/etc/squid3/mac.txt" acl emerge browser Wget http_access allow emerge always_direct allow emerge acl aptupdate browser APT-HTTP http_access allow aptupdate always_direct allow aptupdate http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny connect !SSL_ports http_access allow netlite http_access deny !reti_abilitate http_access allow siti_pubblici http_access allow java_jvm no_cache deny no_cache_siti always_direct allow no_cache_siti #request_header_access Allow allow all #request_header_access Authorization allow all #request_header_access WWW-Authenticate allow all #request_header_access Proxy-Authorization allow all #request_header_access Proxy-Authenticate allow all #request_header_access Cache-Control allow all #request_header_access Content-Encoding allow all #request_header_access Content-Length allow all #request_header_access Content-Type allow all #request_header_access Date allow all #request_header_access Expires allow all #request_header_access Host allow all #request_header_access If-Modified-Since allow all #request_header_access Last-Modified allow all #request_header_access Location allow all #request_header_access Pragma allow all #request_header_access Accept allow all #request_header_access Accept-Charset allow all #request_header_access Accept-Encoding allow all #request_header_access Accept-Language allow all #request_header_access Content-Language allow all #request_header_access Mime-Version allow all #request_header_access Retry-After allow all #request_header_access Title allow all #request_header_access Connection allow all #request_header_access Proxy-Connection allow all #request_header_access User-Agent allow all #request_header_access From allow all #request_header_access Referer allow all #request_header_access Cookie allow all #request_header_access All deny all request_header_access All allow all follow_x_forwarded_for deny all forwarded_for delete via off forwarded_for off http_reply_access allow all icp_access allow all coredump_dir /var/cache balance_on_multiple_ip off #http_access deny !MAC # utilizzati per ftp anonimo ftp_user [email protected] ftp_passive on acl ftp proto FTP acl ftp_port port 21 http_access allow ftp_port CONNECT ftp_epsv off #dns_v4_first on http_access allow all
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn