centos 7 cluster

CentOS 7 setup procedure:

yum install epel-release.noarch
yum install net-tools
yum install psmisc
yum install httpd
yum install perl
yum install perl-Digest-MD5
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum install -y kmod-drbd84 drbd84-utils
crm_verify -L -V
/bin/systemctl start pacemaker.service
# crmsh syntax; with pcs the equivalent is: pcs property set stonith-enabled=false
# Disabling STONITH removes node fencing: acceptable for a lab, not for a production cluster.
crm configure property stonith-enabled=false
service corosync restart
service pacemaker restart
yum install nmap
yum install open-vm-tools
service vmtoolsd start
systemctl enable vmtoolsd
yum install acpid
yum install unzip
yum install mod_ssl.x86_64

Unicast cluster configuration (corosync.conf):

logging {
        fileline: off
        to_logfile: yes
        logfile: /var/log/cluster/corosync.log
        to_stderr: no
        debug: off
        timestamp: on
        to_syslog: yes
        logger_subsys {
                subsys: QUORUM
                debug: off
        }
}
totem {
        version: 2
        token: 3000
        secauth: on
        rrp_mode: active
        interface {
                member {
                        memberaddr: 172.31.252.41
                }
                member {
                        memberaddr: 172.31.252.42
                }
                ringnumber: 0
                bindnetaddr: 172.31.252.0
                mcastport: 694
                ttl: 1
        }
        transport: udpu
}
quorum {
        provider: corosync_votequorum
        expected_votes: 2
        # With only two votes the loss of one node loses quorum and the survivor
        # stops its resources; two-node clusters normally also set two_node: 1
        # (which implies wait_for_all: 1) so the remaining node keeps quorum.
}
Apache configured as a reverse proxy:

<VirtualHost *:80>
        ServerName webmail.xxxx.it
        Redirect    /   https://webmail.xxxx.it/
        #    ProxyRequests Off
        #    <Proxy *>
        #        Order deny,allow
        #        Allow from all
        #    </Proxy>
        #    ProxyPass / http://XX.XX.XX.XX/
        #    ProxyPassReverse / http://XX.XX.XX.XX/
</VirtualHost>
<VirtualHost *:443>
        ServerName webmail.xxxx.it
        RewriteEngine on
        ProxyPass           /        http://XX.XX.XX.XX/          retry=0 ttl=120 timeout=120
        ProxyPassReverse    /        http://XX.XX.XX.XX/
        <IfModule mod_ssl.c>
                SSLEngine On
                SSLProtocol all -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
                #SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
                #SSLSessionCacheTimeout  300
                #128bit
                #SSLProtocol ALL -SSLv2
                #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS
                # 40 bit
                #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
                SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt
                SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt
                SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key
                ErrorDocument 403 http://www.xxxx.it/
                ErrorDocument 404 http://www.xxxx.it/
        </IfModule>
        # Off: reverse proxying needs only the ProxyPass/ProxyPassReverse lines above.
        # "On" would also accept forward-proxy requests and turn this vhost into an open proxy.
        ProxyRequests Off
        ProxyVia on
        AddOutputFilterByType SUBSTITUTE text/html
</VirtualHost>
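A small static check for the directives above, as an added example that is not part of the original page or of Apache's own tooling. It scans the text of a VirtualHost for the three settings that most often turn a TLS-terminating reverse proxy into a liability: ProxyRequests On (forward/open proxy), an SSLProtocol that still admits SSLv2 or SSLv3, and a cipher list that offers RC4 without excluding it. The two vhost snippets are constructed samples (host name and back-end address are placeholders), one with the weaknesses and one corrected; it is not an Apache configuration parser and only looks at the directives named.

```python
import re

# Constructed sample: a reverse-proxy vhost carrying the three weaknesses the
# checker looks for (placeholder host name and back-end address).
WEAK_VHOST = """
<VirtualHost *:443>
        ServerName webmail.example.invalid
        ProxyPass           /        http://10.0.0.10/          retry=0 ttl=120 timeout=120
        ProxyPassReverse    /        http://10.0.0.10/
        SSLEngine On
        SSLProtocol all -SSLv2
        SSLCipherSuite "EECDH+AESGCM EECDH+aRSA+RC4 EDH+aRSA RC4 !aNULL !eNULL !LOW !MD5"
        ProxyRequests on
</VirtualHost>
"""

# Constructed sample: the same vhost with each weakness corrected.
HARDENED_VHOST = """
<VirtualHost *:443>
        ServerName webmail.example.invalid
        ProxyPass           /        http://10.0.0.10/          retry=0 ttl=120 timeout=120
        ProxyPassReverse    /        http://10.0.0.10/
        SSLEngine On
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+AESGCM EECDH+aRSA+SHA256 EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !RC4"
        ProxyRequests Off
</VirtualHost>
"""


def directives(vhost_text):
    """Yield (name, value) for each directive line, skipping comments and section tags."""
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def legacy_protocol_enabled(tokens, legacy):
    """True when an SSLProtocol token list still admits `legacy` ('sslv2' or 'sslv3')."""
    lowered = [t.lower() for t in tokens]
    enabled = any(t in ("all", "+all", legacy, "+" + legacy) for t in lowered)
    return enabled and ("-" + legacy) not in lowered


def audit_vhost(vhost_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    for name, value in directives(vhost_text):
        lname = name.lower()
        if lname == "proxyrequests" and value.lower() == "on":
            findings.append("ProxyRequests On turns the host into a forward (open) proxy; "
                            "a reverse proxy only needs ProxyPass, set it Off")
        elif lname == "sslprotocol":
            tokens = value.split()
            for legacy in ("SSLv2", "SSLv3"):
                if legacy_protocol_enabled(tokens, legacy.lower()):
                    findings.append(f"SSLProtocol still allows {legacy}")
        elif lname == "sslciphersuite":
            # Apache accepts both space- and colon-separated cipher lists.
            tokens = re.split(r"[:\s]+", value.strip('"'))
            if any("RC4" in t for t in tokens) and "!RC4" not in tokens:
                findings.append("SSLCipherSuite offers RC4 without a trailing !RC4")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit_vhost(text) or ["no findings"])
```

Run against the configuration above, the only finding is the ProxyRequests directive: the protocol line already drops SSLv2 and SSLv3 and the cipher string ends in !RC4, which overrides the earlier RC4 entries.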

Security configuration for various services:

https://cipherli.st/

If you want a reverse proxy for Exchange 2016 OWA and Outlook Anywhere, the only option that supports RPC over HTTP is to use Squid as the reverse proxy.

Squid publishes a howto on configuring the service correctly for this task (link), but the guide is not exhaustive.

Updated 2017 version with CentOS 7 and Squid 3.5 for Exchange 2016, rated A on the Qualys SSL test:

client_persistent_connections off
sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA
workers 4
buffered_logs on
forwarded_for on
maximum_object_size 512 MB
cache_mem 2 GB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#cache_replacement_policy GDSF
#memory_replacement_policy lru
memory_pools on
http_port 0.0.0.0:80 accel
https_port 0.0.0.0:443 accel \
        cert=/etc/squid/ssl/<certificate>.cer \
        key=/etc/squid/ssl/<key>.key \
        cafile=/etc/squid/ssl/<ca>.pem \
        options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \
        cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \
        dhparams=/etc/squid/ssl/dhparam.pem \
        tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \
        defaultsite=<domain>
# DONT_VERIFY_PEER skips validation of the Exchange certificate on the back-end
# leg; pointing sslcafile= at the internal CA (as the older configuration below
# does) lets Squid verify it instead.
cache_peer <IP> parent 443 0 \
        no-query originserver \
        login=PASSTHRU connection-auth=on \
        ssl sslflags=DONT_VERIFY_PEER \
        front-end-https \
        ssloptions=NO_SSLv2 \
        name=exchangeServer
##acl manager proto cache_object (OPTIONAL)
#for squidclient access
#acl localhost src 127.0.0.1/32
#http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain <domain> autodiscover.<domain>
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
# ECP: allow only the MyGroups page, and only for the Exchange host names so an
# arbitrary Host header cannot use the exception; everything else under /ecp is
# redirected back to /owa
acl ecp_eccezione urlpath_regex ^/ecp/MyGroups
http_access allow MS-OWA ecp_eccezione
acl ecp urlpath_regex ^/ecp
deny_info https://<domain>/owa ecp
http_access deny ecp
deny_info https://<domain>/owa MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all
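Because Squid evaluates http_access lines in file order and the first line whose ACLs all match decides, the order of the rules above is what produces the redirect-to-/owa behaviour. The following is an added example, not Squid's code or configuration from the page: a deliberately small model of the semantics this rule set relies on (dstdomain, myport, urlpath_regex, all; first matching line wins; deny_info attached to the last ACL of the deny line that fired; opposite-of-last-line default when nothing matches), run over constructed requests so the effect of each line can be checked offline. The domain is a constructed placeholder standing in for <domain>, and the ECP exception line is written with both MS-OWA and ecp_eccezione so that a request for /ecp/MyGroups with a foreign Host header does not qualify.

```python
import re
from dataclasses import dataclass

# Constructed placeholder for the <domain> used in the configuration above.
DOMAIN = "webmail.example.invalid"


@dataclass(frozen=True)
class Request:
    """The three request attributes the rule set above looks at."""
    host: str   # Host header, matched by dstdomain
    port: int   # Squid listening port the request arrived on, matched by myport
    path: str   # URL path, matched by urlpath_regex


# acl lines, reduced to (type, argument).
ACLS = {
    "MS-OWA": ("dstdomain", {DOMAIN, "autodiscover." + DOMAIN}),
    "port80": ("myport", {80}),
    "ecp_eccezione": ("urlpath_regex", re.compile(r"^/ecp/MyGroups")),
    "ecp": ("urlpath_regex", re.compile(r"^/ecp")),
    "all": ("all", None),
}

# http_access lines in file order; every ACL on a line must match for it to fire.
HTTP_ACCESS = [
    ("deny", ["port80", "MS-OWA"]),          # plain-HTTP requests to the OWA host names
    ("allow", ["MS-OWA", "ecp_eccezione"]),  # the one ECP page that stays reachable
    ("deny", ["ecp"]),                       # everything else under /ecp
    ("allow", ["MS-OWA"]),
    ("deny", ["all"]),
]

# deny_info: redirect target used when a deny line whose last ACL is this one fires.
DENY_INFO = {
    "ecp": f"https://{DOMAIN}/owa",
    "MS-OWA": f"https://{DOMAIN}/owa",
}


def acl_matches(name, req):
    """Evaluate one ACL against a request (only the ACL types used above)."""
    kind, arg = ACLS[name]
    if kind == "dstdomain":
        return req.host.lower() in arg
    if kind == "myport":
        return req.port in arg
    if kind == "urlpath_regex":
        return arg.search(req.path) is not None
    if kind == "all":
        return True
    raise ValueError(f"unsupported acl type {kind}")


def decide(req):
    """First matching http_access line wins.

    Returns ("allow", None), ("deny", 403) or ("deny", "<redirect url>") when a
    deny_info URL is attached to the last ACL of the deny line that fired.
    """
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, req) for n in names):
            if action == "allow":
                return ("allow", None)
            return ("deny", DENY_INFO.get(names[-1], 403))
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow", None) if HTTP_ACCESS[-1][0] == "deny" else ("deny", 403)


# Constructed sample requests covering each branch of the rule set.
SAMPLE_REQUESTS = [
    Request(DOMAIN, 80, "/owa"),
    Request(DOMAIN, 443, "/owa/"),
    Request("autodiscover." + DOMAIN, 443, "/autodiscover/autodiscover.xml"),
    Request(DOMAIN, 443, "/ecp/MyGroups/"),
    Request(DOMAIN, 443, "/ecp/"),
    Request("other.example.invalid", 443, "/owa/"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.host}:{req.port}{req.path:32} -> {decide(req)}")
```

The model shows why the deny_info for MS-OWA works as a port-80 redirect: the deny line for port80 lists MS-OWA last, so Squid answers the plain-HTTP request with a 302 to /owa instead of a 403, while a request for a host name outside the two OWA names falls through to "deny all", which carries no deny_info and therefore gets a plain 403.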

To disable TLS compression, add the following to /etc/sysconfig/squid:

export OPENSSL_NO_DEFAULT_ZLIB=1

Perfect Forward Secrecy (DH parameters for the dhparams=/tls-dh= options above):

# the output path must match the dhparams=/tls-dh= options in squid.conf
openssl dhparam -out /etc/squid/ssl/dhparam.pem 2048

CA chain, e.g. DigiCert SHA2 High Assurance Server CA
Site: https://www.digicert.com/digicert-root-certificates.htm

wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM

Useful links:

squid reverse proxy: improving your ssllabs score (rawiriblundell.com): http://www.rawiriblundell.com/?p=1442

Old version, kept for historical reasons.

While setting up and testing this configuration we ran into a few problems.

The first concerns the impossibility of uploading anything larger than very small files.
The attempt ends in a 502 error on the server.
The explanation lies in the SSL layer: with a Squid built against OpenSSL 0.9.8, for example, the problem does not occur.
Analysing the traffic we verified that something must happen during the certificate rekey that makes the Exchange server close the connection.

Adding sslversion=3 to the cache_peer directive made the problem disappear.

# historical: sslversion=3 pins the back-end leg to SSLv3; the 2017 configuration above disables SSLv3 instead
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer

Likewise, to support some OS X platforms we added the directive:

client_persistent_connections off

Finally, autodiscover handling:

acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com

Here is the complete configuration file:

client_persistent_connections off
http_port 80 accel
https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer
#acl manager proto cache_object (OPTIONAL)
#for squidclient access
acl localhost src 127.0.0.1/32
http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
deny_info https://webmail.domainname.com/%R MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all

And a small change to /etc/security/limits.conf:

# SQUID
squid soft nofile 32768
squid hard nofile 32768

andrea gagliardi