centos 7 cluster

Procedura di setup Centos 7:

yum install epel-release.noarch
yum install net-tools
yum install psmisc
yum install httpd
yum install perl
yum install perl-Digest-MD5
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum install -y kmod-drbd84 drbd84-utils
crm_verify -L -V
/bin/systemctl start  pacemaker.service
crmadmin configure property stonith-enabled=false
service corosync restart
service pacemaker restart
yum install nmap
yum install open-vm-tools
service vmtoolsd start
systemctl enable vmtoolsd
yum install acpid
yum install unzip
yum install mod_ssl.x86_64

Configurazione cluster unicast:

logging {
        fileline: off
        to_logfile: yes
        logfile: /var/log/cluster/corosync.log
        to_stderr: no
        debug: off
        timestamp: on
        to_syslog: yes
        logger_subsys {
                subsys: QUORUM
                debug: off
        }
}
totem {
        version: 2
        token: 3000
        secauth: on
        rrp_mode: active
        interface {
                member {
                        memberaddr: 172.31.252.41
                }
                member {
                        memberaddr: 172.31.252.42
                }
                ringnumber: 0
                bindnetaddr: 172.31.252.0
                mcastport: 694
                ttl: 1
        }
        transport: udpu
}
quorum {
        provider: corosync_votequorum
        expected_votes: 2
}
</code>
Configurazione Apache come reverse proxy:
<code>
<VirtualHost *:80>
        ServerName webmail.xxxx.it
        Redirect    /   https://webmail.xxxx.it/
        #    ProxyRequests Off
        #    <Proxy *>
        #        Order deny,allow
        #        Allow from all
        #    </Proxy>
        #    ProxyPass / http://XX.XX.XX.XX/
        #    ProxyPassReverse / http://XX.XX.XX.XX/
</VirtualHost>
<VirtualHost *:443>
        ServerName webmail.xxxx.it
        RewriteEngine on
        ProxyPass           /        http://XX.XX.XX.XX/          retry=0 ttl=120 timeout=120
        ProxyPassReverse    /        http://XX.XX.XX.XX/
        <IfModule mod_ssl.c>
                SSLEngine On
                SSLProtocol all -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
                #SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
                #SSLSessionCacheTimeout  300
                #128bit
                #SSLProtocol ALL -SSLv2
                #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS
                # 40 bit
                #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
                SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt
                SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt
                SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key
                ErrorDocument 403 http://www.xxxx.it/
                ErrorDocument 404 http://www.xxxx.it/
        </IfModule>
        ProxyRequests on
        ProxyVia on
        AddOutputFilterByType SUBSTITUTE text/html
</VirtualHost>

Configurazione di sicurezza vari servizi:

https://cipherli.st/

img4

Volendo realizzare un reverse proxy per Exchange 2016 OWA e Outlook Anywhere l’unica possibilità per avere il supporto RPC over HTTP è utilizzare squid come reverse proxy.

Squid pubblica un howto per configurare correttamente il servizio per questo compito, qui un link tuttavia la guia non è esaustiva.

Versione aggiornata 2017 con Centos7 e Squid 3.5 per Exchange 2016 e valutazione A su Qualsys ssl test.

client_persistent_connections off
sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA
workers 4
buffered_logs on
forwarded_for on
maximum_object_size 512 MB
cache_mem 2 GB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#cache_replacement_policy GDSF
#memory_replacement_policy lru
memory_pools on
http_port 0.0.0.0:80 accel
https_port 0.0.0.0:443 accel \
        cert=/etc/squid/ssl/<certificate>.cer \
        key=/etc/squid/ssl/<key>.key \
        cafile=/etc/squid/ssl/<ca>.pem \
        options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \
        cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \
        dhparams=/etc/squid/ssl/dhparam.pem \
        tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \
        defaultsite=<domain>
cache_peer <IP> parent 443 0 \
        no-query originserver \
        login=PASSTHRU connection-auth=on \
        ssl sslflags=DONT_VERIFY_PEER \
        front-end-https \
        ssloptions=NO_SSLv2 \
        name=exchangeServer
##acl manager proto cache_object (OPTIONAL)
#for squidclient access
#acl localhost src 127.0.0.1/32
#http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain <domain> autodiscover.<domain>
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
# ecp
acl ecp_eccezione urlpath_regex ^/ecp/MyGroups
http_access allow ecp_eccezione
acl ecp urlpath_regex ^/ecp
deny_info https://<domain>/owa ecp
http_access deny ecp
deny_info https://<domain>/owa MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all

Disable TLS Compression in /etc/sysconfig/squid add

export OPENSSL_NO_DEFAULT_ZLIB=1

Perfect Forward Secrecy

openssl dhparam -out /etc/squid/ssl/dhparams.pem 2048

CA Chain es.DigiCert SHA2 High Assurance Server CA
Sito: https://www.digicert.com/digicert-root-certificates.htm

wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM

Link utili:

<blockquote data-secret="5eVCDR9zto" class="wp-embedded-content"><a href="http://www.rawiriblundell.com/?p=1442">squid reverse proxy: improving your ssllabs score</a></blockquote>
<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" src="http://www.rawiriblundell.com/?p=1442&#038;embed=true#?secret=5eVCDR9zto" data-secret="5eVCDR9zto" width="600" height="338" title="&#8220;squid reverse proxy: improving your ssllabs score&#8221; &#8212; rawiriblundell.com" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>

Vecchia versione, lasciata per questione storiche.

Nel configurare e testare questa configurazione abbiamo riscontrato alcuni problemi.

Il primo riguarda l’impossibilità di effettuare upload di dimensioni poco più che minime.
Il tentativo si risolve in un errore 502 sul server.
La spiegazione è data dallo strato SSL, utilizzando uno squid con il supporto per openssl 0.9.8 ad esempio il problema non si manifesta.
Analizzando il traffico abbiamo verificato che deve succedere qualcosa durante il rekey del certificato che fa chiudere la connessione al server Exchange.

Inserendo sslversion=3 nella direttiva cache_peer il problema è scomparso.

cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer

Allo stesso modo per il supporto di alcune piattaforme OSX abbiamo inserito la direttiva:

client_persistent_connections off

Per finire la gestione dell’autodiscover:

acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com

Ecco qui il file di configurazione completo:

client_persistent_connections off
http_port 80 accel
https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer
#acl manager proto cache_object (OPTIONAL)
#for squidclient access
acl localhost src 127.0.0.1/32
http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
deny_info https://webmail.domainname.com/%R MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all

E una piccola modifica al file /etc/security/limits.conf

# SQUID
squid soft nofile 32768
squid hard nofile 32768

andrea gagliardi

Corosync/Pacemaker in Centos 7 con LCMC

Pacchetti da installare

yum install perl
yum install perl-Digest-MD5
yum install epel-release
rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org
yum update
yum install kmod-drbd90 drbd90-utils
yum install acpid
yum install open-vm-tools

/etc/corosync/corosync.conf

logging {
        fileline: off
        to_logfile: yes
        logfile: /var/log/cluster/corosync.log
        to_stderr: no
        debug: off
        timestamp: on
        to_syslog: yes
        logger_subsys {
                subsys: QUORUM
                debug: off
        }
}
totem {
        version: 2
        token: 3000
        secauth: on
        rrp_mode: active
        transport: udpu
}
nodelist {
  node {
        ring0_addr: 172.21.8.131
        nodeid: 1
       }
  node {
        ring0_addr: 172.21.8.132
        nodeid: 2
       }
}
quorum {
        provider: corosync_votequorum
        two_node: 1
        expected_votes: 2
}

systemctl enable corosync
systemctl enable pacemaker
reboot

andrea

tema vim

.vimrc

#execute pathogen#infect()
syntax on
filetype plugin indent on
set nowrap
set t_Co=256
set background=dark
colorscheme PaperColor

Tema PaperColor
PaperColor-Dark

Wget in /.vim/colors/

wget https://raw.githubusercontent.com/NLKNguyen/papercolor-theme/master/colors/PaperColor.vim

andrea

Esperimenti con multipath e SAN

http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath

Multipath: Active/Passive, Dual Active, and Active/Active


https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf

grep mpt /sys/class/scsi_host/host?/proc_name

rescan-scsi-bus.sh

echo “- – -” > /sys/class/scsi_host/host1/scan
multipath -l

multipathd -k”fail path sdb”
multipathd -k”del path sdb”
multipathd -k”reinstate path sdb”
multipathd -k”show paths”

dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls

echo 1 > /sys/block/sde/device/delete
echo 1 > /sys/block/sda/device/rescan

service multipath-tools restart

partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev –rereadpt /dev/mapper/MSA_BELLNET
partprobe -s

pvcreate –uuid “DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m” –restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL

multipath.conf

defaults {
        polling_interval        15
        path_selector           "round-robin 0"
        path_grouping_policy    multibus
        prio                    const
        path_checker            directio
        rr_min_io               100
        flush_on_last_del       no
        max_fds                 8192
        rr_weight               priorities
        failback                immediate
        no_path_retry           fail
        queue_without_daemon    no
        user_friendly_names     yes
        mode                    644
        uid                     0
        gid                     disk
}
blacklist {
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
        devnode "^hd[a-z]"
        devnode "^sda"
        devnode "^sda[0-9]"
        wwid    "3600508b1001c1f5b93df16da7e7ab72e"
        wwid    "3600508b1001c81da7e4515d6a1c3a693"
        wwid    "OCZ-VELO_DRIVE_OCZ-938561J47139J405"
        wwid    "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676"
        wwid    "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U"
#       wwid 3600c0ff0001432f020c55c5901000000
        device {
                vendor HP
                product "P410i|LOGICAL"
        }
}
devices {
        device {
                vendor                  "HP"
                product                 "P2000 G3*"
                path_grouping_policy    "group_by_prio"
#               uid_attribute           "ID_SERIAL"
                path_checker            "tur"
                path_selector           "round-robin 0"
                features                "0"
                hardware_handler        "0"
                prio                    "alua"
                rr_weight               "uniform"
                failback                "immediate"
                no_path_retry           18
                rr_min_io               100
        }
}
multipaths {
        multipath {
                wwid 3600c0ff00014e4ed9724235801000000
                alias MSA_NETLITE
        }
        multipath {
                wwid 3600c0ff00014e4edfa37695801000000
                alias MSA_NETLITE_BACKUP
        }
        multipath {
#               path_grouping_policy    multibus
                wwid 3600c0ff0001432f020c55c5901000000
                alias MSA_BELLNET
        }
        multipath {
                wwid 3600c0ff0001432f0a80e5a5901000000
                alias MSA_BELLNET_BACKUP
        }
}

andrea

Proxy Squid

squid.conf

http_port 8081
#http_port 10.1.1.5:8082
pid_filename /var/run/squid3-2.pid
cache_mgr [email protected]
visible_hostname NETLITEPROXY
#dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.123 208.67.220.123
dns_nameservers 10.5.1.5
dns_timeout 1 minutes
positive_dns_ttl 1 hours
negative_dns_ttl 10 minutes
fqdncache_size 51200
ipcache_size 51200
#pipeline_prefetch on
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-small 1024 16 256 max-size=32768
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-large 4096 16 256
cache_mem 2048 MB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
memory_pools on
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
ie_refresh on
cache_access_log /var/log/squid3/access-2.log
#cache_access_log /dev/null
#cache_log /var/log/squid3/cache-2.log
cache_log /dev/null
#cache_store_log /var/log/squid3/store-2.log
cache_store_log /dev/null
logfile_rotate 0
log_mime_hdrs off
log_icp_queries off
buffered_logs on
redirect_rewrites_host_header off
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl SSL_ports port 8080          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
debug_options ALL,1
client_lifetime 12 hour
half_closed_clients off
pconn_timeout 5 minutes
request_timeout 5 minutes
connect_timeout 30 seconds
authenticate_ttl 15 minutes
authenticate_ip_ttl 15 minutes
max_open_disk_fds 32768
acl java_jvm browser Java/1. J/SSL
#acl localhost src 127.0.0.1/32
#acl reti_abilitate src 127.0.0.1/32
acl reti_abilitate src 10.5.1.0/24
acl netlite src 212.29.137.82/32 #netlite office
acl netlite src 87.248.52.82/32 #netlite office
acl no_cache_siti dstdomain "/etc/squid3/no-cache-siti.txt"
acl siti_pubblici dstdomain "/etc/squid3/siti-pubblici.txt"
acl lan-allowed-ip src "/etc/squid3/good-lan-ip.txt"
http_access allow lan-allowed-ip
# MAC Utenti Bovolone
acl MAC arp "/etc/squid3/mac.txt"
acl emerge browser Wget
http_access allow emerge
always_direct allow emerge
acl aptupdate browser APT-HTTP
http_access allow aptupdate
always_direct allow aptupdate
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny connect !SSL_ports
http_access allow netlite
http_access deny !reti_abilitate
http_access allow siti_pubblici
http_access allow java_jvm
no_cache deny no_cache_siti
always_direct allow no_cache_siti
#request_header_access Allow allow all
#request_header_access Authorization allow all
#request_header_access WWW-Authenticate allow all
#request_header_access Proxy-Authorization allow all
#request_header_access Proxy-Authenticate allow all
#request_header_access Cache-Control allow all
#request_header_access Content-Encoding allow all
#request_header_access Content-Length allow all
#request_header_access Content-Type allow all
#request_header_access Date allow all
#request_header_access Expires allow all
#request_header_access Host allow all
#request_header_access If-Modified-Since allow all
#request_header_access Last-Modified allow all
#request_header_access Location allow all
#request_header_access Pragma allow all
#request_header_access Accept allow all
#request_header_access Accept-Charset allow all
#request_header_access Accept-Encoding allow all
#request_header_access Accept-Language allow all
#request_header_access Content-Language allow all
#request_header_access Mime-Version allow all
#request_header_access Retry-After allow all
#request_header_access Title allow all
#request_header_access Connection allow all
#request_header_access Proxy-Connection allow all
#request_header_access User-Agent allow all
#request_header_access From allow all
#request_header_access Referer allow all
#request_header_access Cookie allow all
#request_header_access All deny all
request_header_access All allow all
follow_x_forwarded_for deny all
forwarded_for delete
via off
forwarded_for off
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache
balance_on_multiple_ip off
#http_access deny !MAC
# utilizzati per ftp anonimo
ftp_user [email protected]
ftp_passive on
acl ftp proto FTP
acl ftp_port port 21
http_access allow ftp_port CONNECT
ftp_epsv off
#dns_v4_first on
http_access allow all

andrea