HP Tools per il controller SAS [SSACLI]
venerdì, 19 ottobre 2018
Crea un file hp.list in /etc/apt/sources.list.d contenente
deb http://downloads.linux.hpe.com/SDR/repo/mcp stretch/current non-free
Importa le chiavi:
curl http://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub | apt-key add - curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub | apt-key add - curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | apt-key add - curl http://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -
Aggiorna i repository:
apt-get update apt dist-upgrade
Installa i pacchetti del controller:
apt install ssacli ssaducli amsd hponcfg
Attivare rc.local Rc.local in Debian stretch
Inserire in rc.local:
echo 655360 > /proc/sys/vm/min_free_kbytes
echo 0 > /proc/sys/kernel/hung_task_timeout_secs
echo 1 > /proc/sys/vm/swappiness
echo 50 > /proc/sys/vm/vfs_cache_pressure
echo 1 > /proc/sys/kernel/dmesg_restrict
ssacli controller slot=0 modify cacheratio=70/30
ssacli controller slot=0 modify dwc=enable
HBA=( sda sdb )
for DISK in "${HBA[@]}"
do
echo noop > /sys/block/$DISK/queue/scheduler
echo 1024 > /sys/block/$DISK/queue/nr_requests
echo 1024 > /sys/block/$DISK/queue/read_ahead_kb
sdparm --set WCE=1 /dev/$DISK 2>/dev/null
done
Inserire in .bashrc:
ssacli ctrl all show status ssacli ctrl slot=0 pd all show status ssacli ctrl slot=0 ld all show
In cron.hourly:
#!/bin/bash
# Check for HP Smart Array Controller
ssacli ctrl all show config | grep "Smart Array" &>/dev/null
# If Smart Array Controller exists continue with script if not exit script
if [ $? -eq 0 ]; then
# Check HP Smart Array disk status for string "OK"
ssacli ctrl slot=0 pd all show status | grep physicaldrive | grep -vi "OK" &>/dev/null
# If all disks do not report "OK" then continue with script otherwise exit.
if [ $? -eq 1 ]; then
exit 0
else
# Display hostname, HP serial number, disks and RAID configuration of disks
# that failed
ALERT="ALERT-$(date +%Y%m%d-%H%M%S)"
echo "Hostname: $(hostname)" > /root/$ALERT
echo "HP Serial Number: $(dmidecode -t 1 | grep "Serial" | awk '{print $3}')" >> /root/$ALERT
echo "----------------------------------------------------------------------------" >> /root/$ALERT
ssacli ctrl all show config >> /root/$ALERT
cat /root/$ALERT | mail -s "$(hostname)-$ALERT" <..> -c<..>
ssacli ctrl slot=0 pd all show detail >> /root/$ALERT
exit 1
fi
else
echo "HP Smart Array Card not installed"
exit 0
fi
andrea
- Pubblicato il Sistemistica, Tips & Tricks
Non ci sono commenti
Reverse Proxy Apache HTTPS High Security and Mod_Security
venerdì, 14 settembre 2018
Listen 443
# security
ServerTokens Prod
ServerSignature Off
# modules
LoadModule allowmethods_module modules/mod_allowmethods.so
<Proxy "balancer://cluster443">
BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=1
BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=2
ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost <FQDN>:443>
ServerName <FQDN>
# Status manager bilanciamento
ProxyPass /balancer-manager !
ProxyPass "/" "balancer://cluster443/"
ProxyPassReverse "/" "balancer://cluster443/"
#ProxyPreserveHost On
ProxyRequests On
ProxyVia off
# autenticazione server ------------------------------------------
<IfModule mod_ssl.c>
SSLEngine On
#SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
SSLCertificateFile <CRT>
SSLCertificateChainFile <PEM>
SSLCertificateKeyFile <KEY>
SSLCACertificateFile <PEM>
SSLProxyEngine On
SSLProxyCheckPeerName off
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
# Cipher Suite e Protocolli
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</IfModule>
RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule ^.*$ http://<SERVER>/SSLv3/ [L,R=302]
# No HTTP1.0
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# - direttive generali -------------------------------------------
DocumentRoot <ROOT>
# sicurezza
RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options "nosniff"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
FileETag None
TraceEnable off
<Location "/">
AllowMethods GET POST OPTIONS
</Location>
# cache
ExpiresActive On
Header unset Etag
Header unset Cache-Control
Header unset Expires
Header unset Pragma
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
# mod_security
SecRuleEngine DetectionOnly
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_50_outbound.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_45_trojans.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
IncludeOptional /etc/modsecurity/git/crs-setup.conf
IncludeOptional /etc/modsecurity/git/REQUEST-901-INITIALIZATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-905-COMMON-EXCEPTIONS.conf
IncludeOptional /etc/modsecurity/git/REQUEST-910-IP-REPUTATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-911-METHOD-ENFORCEMENT.conf
IncludeOptional /etc/modsecurity/git/REQUEST-912-DOS-PROTECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-913-SCANNER-DETECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-914-FILE-DETECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
IncludeOptional /etc/modsecurity/git/REQUEST-921-PROTOCOL-ATTACK.conf
IncludeOptional /etc/modsecurity/git/REQUEST-930-APPLICATION-ATTACK-LFI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-931-APPLICATION-ATTACK-RFI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-932-APPLICATION-ATTACK-RCE.conf
IncludeOptional /etc/modsecurity/git/REQUEST-933-APPLICATION-ATTACK-PHP.conf
IncludeOptional /etc/modsecurity/git/REQUEST-941-APPLICATION-ATTACK-XSS.conf
IncludeOptional /etc/modsecurity/git/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
IncludeOptional /etc/modsecurity/git/REQUEST-949-BLOCKING-EVALUATION.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-950-DATA-LEAKAGES.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-951-DATA-LEAKAGES-SQL.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-953-DATA-LEAKAGES-PHP.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-954-DATA-LEAKAGES-IIS.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-959-BLOCKING-EVALUATION.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-980-CORRELATION.conf
SecAuditEngine On
# SecAuditEngine RelevantOnly
# SecAuditLogRelevantStatus ^1-5
# SecAuditLogParts ABCIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
</VirtualHost>
andrea
- Pubblicato il Networking, Sistemistica, Tips & Tricks
Debian Bonding LACP con Switch HP 1820-24G
martedì, 10 aprile 2018
Una volta configurato lo switch HP 1820-24G Switch J9980A per avere il port trunking tra le porte selezionate ed eventualmente aver assegnato il trunk alla VLAN si passa alla configurazione del sistema.
Attenzione che HP chiama Trunk dinamico la modalità LACP.
Ho trovato in alcuni howto questa specifica.
Male non dovrebbe fare.
echo "mii" >> /etc/modules
Si passa alla configurazione dell file /etc/network/interfaces in questo modo.
auto lo
iface lo inet loopback
iface enp2s0f0 inet manual
post-up ifconfig enp2s0f0 txqueuelen 5000 && ifconfig enp2s0f0 mtu 9000
iface enp2s0f1 inet manual
post-up ifconfig enp2s0f1 txqueuelen 5000 && ifconfig enp2s0f1 mtu 9000
auto bond0
iface bond0 inet manual
bond-slaves enp2s0f0 enp2s0f1
bond-mode 802.3ad
bond-miimon 100
bond-downdelay 200
bond-updelay 200
bond-lacp-rate 1
bond-xmit-hash-policy layer2+3
post-up ifconfig bond0 mtu 9000 && ifconfig bond0 txqueuelen 5000
auto vmbr0
iface vmbr0 inet static
address 172.16.5.10
netmask 255.255.255.0
bridge_ports bond0
bridge_stp off
bridge_fd 0
post-up ifconfig vmbr0 mtu 9000 && ifconfig vmbr0 txqueuelen 5000
A questo punto dopo il riavvio il Bond/Trunk risulterà attivo.
# dmesg
igb 0000:02:00.0 enp2s0f0: igb: enp2s0f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None bond0: link status up for interface enp2s0f0, enabling it in 0 ms bond0: link status definitely up for interface enp2s0f0, 1000 Mbps full duplex bond0: Warning: No 802.3ad response from the link partner for any adapters in the bond bond0: first active interface up! vmbr0: port 1(bond0) entered blocking state vmbr0: port 1(bond0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): vmbr0: link becomes ready igb 0000:02:00.1 enp2s0f1: igb: enp2s0f1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None bond0: link status up for interface enp2s0f1, enabling it in 200 ms bond0: link status definitely up for interface enp2s0f1, 1000 Mbps full duplex
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200
802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
System priority: 65535
System MAC address: 90:e2:ba:74:28:f8
Active Aggregator Info:
Aggregator ID: 1
Number of ports: 2
Actor Key: 9
Partner Key: 54
Partner Mac Address: 70:10:6f:71:3a:80
Slave Interface: enp2s0f0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 90:e2:ba:74:28:f8
Slave queue ID: 0
Aggregator ID: 1
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 0
Partner Churned Count: 0
details actor lacp pdu:
system priority: 65535
system mac address: 90:e2:ba:74:28:f8
port key: 9
port priority: 255
port number: 1
port state: 63
details partner lacp pdu:
system priority: 32768
system mac address: 70:10:6f:71:3a:80
oper key: 54
port priority: 128
port number: 12
port state: 61
Slave Interface: enp2s0f1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 90:e2:ba:74:28:f9
Slave queue ID: 0
Aggregator ID: 1
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 0
Partner Churned Count: 0
details actor lacp pdu:
system priority: 65535
system mac address: 90:e2:ba:74:28:f8
port key: 9
port priority: 255
port number: 2
port state: 63
details partner lacp pdu:
system priority: 32768
system mac address: 70:10:6f:71:3a:80
oper key: 54
port priority: 128
port number: 10
port state: 61
andrea
- Pubblicato il Networking, Sistemistica, Tips & Tricks
Centos 7 Cluster PCS
martedì, 03 aprile 2018
Installo due VM in VirtualBox identiche (4C, 4Gb RAM, 32Gb HDD) con una versione minimale di Centos 7 aggiornata.
Aggiorno il kernel a 4.16 dal repository elrepo.
# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org # rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm # yum --disablerepo="*" --enablerepo="elrepo-kernel" list available # yum --enablerepo=elrepo-kernel install kernel-ml kernel-ml-devel
Edito il file /etc/default/grub
GRUB_TIMEOUT=5 GRUB_DEFAULT=0 GRUB_DISABLE_SUBMENU=true GRUB_TERMINAL_OUTPUT="console" GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet" GRUB_DISABLE_RECOVERY="true"
Ed eseguo per attivare la modifica precedente.
# grub2-mkconfig -o /boot/grub2/grub.cfg
Aggiungo qualche pacchetto.
# yum install epel-release.noarch # yum update # yum group install "Development Tools" # yum install bzip2 net-tools psmisc nmap acpid unzip
Modifico /etc/hosts sui due nodi.
192.168.254.83 nodeA.netlite.it nodeA 192.168.254.84 nodeB.netlite.it nodeB
Installo i numerosi pacchetti necessari al cluster.
# yum install pcs fence-agents-all -y
Aggiungo le regole di firewalling.
# firewall-cmd --permanent --add-service=high-availability # firewall-cmd --add-service=high-availability # firewall-cmd --list-service dhcpv6-client ssh high-availability
Modifico la password dell’utente hacluster.
# passwd hacluster Changing password for user hacluster. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully.
Avvio i servizi.
# systemctl start pcsd.service # systemctl enable pcsd.service
Autorizzo i nodi del cluster.
# pcs cluster auth nodeA.netlite.it nodeB.netlite.it Username: hacluster Password: nodeA.netlite.it: Authorized nodeB.netlite.it: Authorized
Inizializzo il cluster.
# pcs cluster setup --start --name ClusterTest nodeA.netlite.it nodeB.netlite.it Destroying cluster on nodes: nodeA.netlite.it, nodeB.netlite.it... nodeA.netlite.it: Stopping Cluster (pacemaker)... nodeB.netlite.it: Stopping Cluster (pacemaker)... nodeB.netlite.it: Successfully destroyed cluster nodeA.netlite.it: Successfully destroyed cluster Sending 'pacemaker_remote authkey' to 'nodeA.netlite.it', 'nodeB.netlite.it' nodeA.netlite.it: successful distribution of the file 'pacemaker_remote authkey' nodeB.netlite.it: successful distribution of the file 'pacemaker_remote authkey' Sending cluster config files to the nodes... nodeA.netlite.it: Succeeded nodeB.netlite.it: Succeeded Starting cluster on nodes: nodeA.netlite.it, nodeB.netlite.it... nodeB.netlite.it: Starting Cluster... nodeA.netlite.it: Starting Cluster... Synchronizing pcsd certificates on nodes nodeA.netlite.it, nodeB.netlite.it... nodeA.netlite.it: Success nodeB.netlite.it: Success Restarting pcsd on the nodes in order to reload the certificates... nodeA.netlite.it: Success nodeB.netlite.it: Success
Abilito il cluster.
# pcs cluster enable --all
Visualizzo lo stato.
# pcs cluster status Cluster Status: Stack: corosync Current DC: nodeA.netlite.it (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum Last updated: Tue Apr 3 13:02:21 2018 Last change: Tue Apr 3 13:00:43 2018 by hacluster via crmd on nodeA.netlite.it 2 nodes configured 0 resources configured PCSD Status: nodeA.netlite.it: Online nodeB.netlite.it: Online
Status dettagliati.
# pcs status Cluster name: ClusterTest WARNING: no stonith devices and stonith-enabled is not false Stack: corosync Current DC: nodeA.netlite.it (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum Last updated: Tue Apr 3 13:02:53 2018 Last change: Tue Apr 3 13:00:43 2018 by hacluster via crmd on nodeA.netlite.it 2 nodes configured 0 resources configured Online: [ nodeA.netlite.it nodeB.netlite.it ] No resources Daemon Status: corosync: active/enabled pacemaker: active/enabled pcsd: active/enabled
Disabilito i device stonith (meglio non farlo ma per test è ok).
# pcs property set stonith-enabled=falseIn caso sia necessario attivare i devices qui c’è un buon punto di partenza STONITH.
Configuro un FS.
# pcs resource create httpd_fs Filesystem device="/dev/mapper/vg_apache-lv_apache" directory="/var/www" fstype="ext4" --group apache
Configuro un VIP.
# pcs resource create httpd_vip IPaddr2 ip=192.168.12.100 cidr_netmask=24 --group apache
Configuro un servizio.
# firewall-cmd --add-service=http # firewall-cmd --permanent --add-service=http # pcs resource create httpd_ser apache configfile="/etc/httpd/conf/httpd.conf" statusurl="http://127.0.0.1/server-status" --group apache
Disabilita un nodo.
# pcs cluster stop nodeA.netlite.it
Comandi utili.
# pcs resource move apache nodeA.netlite.it # pcs resource stop apache nodeB.netlite.it # pcs resource disable apache nodeB.netlite.it # pcs resource enable apache nodeB.netlite.it # pcs resource restart apache
andrea
- Pubblicato il Non categorizzato, Sistemistica, Tips & Tricks, Virtualizzazione
centos 7 cluster
martedì, 29 agosto 2017
Procedura di setup Centos 7:
yum install epel-release.noarch yum install net-tools yum install psmisc yum install httpd yum install perl yum install perl-Digest-MD5 rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm yum install -y kmod-drbd84 drbd84-utils crm_verify -L -V /bin/systemctl start pacemaker.service crmadmin configure property stonith-enabled=false service corosync restart service pacemaker restart yum install nmap yum install open-vm-tools service vmtoolsd start systemctl enable vmtoolsd yum install acpid yum install unzip yum install mod_ssl.x86_64
Configurazione cluster unicast:
logging {
fileline: off
to_logfile: yes
logfile: /var/log/cluster/corosync.log
to_stderr: no
debug: off
timestamp: on
to_syslog: yes
logger_subsys {
subsys: QUORUM
debug: off
}
}
totem {
version: 2
token: 3000
secauth: on
rrp_mode: active
interface {
member {
memberaddr: 172.31.252.41
}
member {
memberaddr: 172.31.252.42
}
ringnumber: 0
bindnetaddr: 172.31.252.0
mcastport: 694
ttl: 1
}
transport: udpu
}
quorum {
provider: corosync_votequorum
expected_votes: 2
}
</code>
Configurazione Apache come reverse proxy:
<code>
<VirtualHost *:80>
ServerName webmail.xxxx.it
Redirect / https://webmail.xxxx.it/
# ProxyRequests Off
# <Proxy *>
# Order deny,allow
# Allow from all
# </Proxy>
# ProxyPass / http://XX.XX.XX.XX/
# ProxyPassReverse / http://XX.XX.XX.XX/
</VirtualHost>
<VirtualHost *:443>
ServerName webmail.xxxx.it
RewriteEngine on
ProxyPass / http://XX.XX.XX.XX/ retry=0 ttl=120 timeout=120
ProxyPassReverse / http://XX.XX.XX.XX/
<IfModule mod_ssl.c>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
#SSLSessionCacheTimeout 300
#128bit
#SSLProtocol ALL -SSLv2
#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS
# 40 bit
#SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt
SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt
SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key
ErrorDocument 403 http://www.xxxx.it/
ErrorDocument 404 http://www.xxxx.it/
</IfModule>
ProxyRequests on
ProxyVia on
AddOutputFilterByType SUBSTITUTE text/html
</VirtualHost>
Configurazione di sicurezza vari servizi:
https://cipherli.st/
- Pubblicato il Cluster, Sistemistica, Tips & Tricks
Microsoft Exchange OWA e Outlook Anywhere con Reverse Proxy Squid
domenica, 06 agosto 2017
Volendo realizzare un reverse proxy per Exchange 2016 OWA e Outlook Anywhere l’unica possibilità per avere il supporto RPC over HTTP è utilizzare squid come reverse proxy.
Squid pubblica un howto per configurare correttamente il servizio per questo compito, qui un link tuttavia la guia non è esaustiva.
Versione aggiornata 2017 con Centos7 e Squid 3.5 per Exchange 2016 e valutazione A su Qualsys ssl test.
client_persistent_connections off
sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA
workers 4
buffered_logs on
forwarded_for on
maximum_object_size 512 MB
cache_mem 2 GB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#cache_replacement_policy GDSF
#memory_replacement_policy lru
memory_pools on
http_port 0.0.0.0:80 accel
https_port 0.0.0.0:443 accel \
cert=/etc/squid/ssl/<certificate>.cer \
key=/etc/squid/ssl/<key>.key \
cafile=/etc/squid/ssl/<ca>.pem \
options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \
dhparams=/etc/squid/ssl/dhparam.pem \
tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \
defaultsite=<domain>
cache_peer <IP> parent 443 0 \
no-query originserver \
login=PASSTHRU connection-auth=on \
ssl sslflags=DONT_VERIFY_PEER \
front-end-https \
ssloptions=NO_SSLv2 \
name=exchangeServer
##acl manager proto cache_object (OPTIONAL)
#for squidclient access
#acl localhost src 127.0.0.1/32
#http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain <domain> autodiscover.<domain>
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
# ecp
acl ecp_eccezione urlpath_regex ^/ecp/MyGroups
http_access allow ecp_eccezione
acl ecp urlpath_regex ^/ecp
deny_info https://<domain>/owa ecp
http_access deny ecp
deny_info https://<domain>/owa MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all
Disable TLS Compression in /etc/sysconfig/squid add
export OPENSSL_NO_DEFAULT_ZLIB=1
Perfect Forward Secrecy
openssl dhparam -out /etc/squid/ssl/dhparams.pem 2048
CA Chain es.DigiCert SHA2 High Assurance Server CA
Sito: https://www.digicert.com/digicert-root-certificates.htm
wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM
Link utili:
<blockquote data-secret="5eVCDR9zto" class="wp-embedded-content"><a href="http://www.rawiriblundell.com/?p=1442">squid reverse proxy: improving your ssllabs score</a></blockquote> <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" src="http://www.rawiriblundell.com/?p=1442&embed=true#?secret=5eVCDR9zto" data-secret="5eVCDR9zto" width="600" height="338" title="“squid reverse proxy: improving your ssllabs score” — rawiriblundell.com" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>
Vecchia versione, lasciata per questione storiche.
Nel configurare e testare questa configurazione abbiamo riscontrato alcuni problemi.
Il primo riguarda l’impossibilità di effettuare upload di dimensioni poco più che minime.
Il tentativo si risolve in un errore 502 sul server.
La spiegazione è data dallo strato SSL, utilizzando uno squid con il supporto per openssl 0.9.8 ad esempio il problema non si manifesta.
Analizzando il traffico abbiamo verificato che deve succedere qualcosa durante il rekey del certificato che fa chiudere la connessione al server Exchange.
Inserendo sslversion=3 nella direttiva cache_peer il problema è scomparso.
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer
Allo stesso modo per il supporto di alcune piattaforme OSX abbiamo inserito la direttiva:
client_persistent_connections off
Per finire la gestione dell’autodiscover:
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
Ecco qui il file di configurazione completo:
client_persistent_connections off http_port 80 accel https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer #acl manager proto cache_object (OPTIONAL) #for squidclient access acl localhost src 127.0.0.1/32 http_access allow manager localhost http_access deny manager # ACL to allow your FQDNs acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com # Redirect port 80 requests to port 443 acl port80 myport 80 http_access deny port80 MS-OWA deny_info https://webmail.domainname.com/%R MS-OWA cache_peer_access exchangeServer allow MS-OWA cache_peer_access exchangeServer deny all never_direct allow MS-OWA cache deny all # Lock down access to just the Exchange Server! http_access allow MS-OWA http_access deny all miss_access allow MS-OWA miss_access deny all
E una piccola modifica al file /etc/security/limits.conf
# SQUID squid soft nofile 32768 squid hard nofile 32768
andrea gagliardi
- Pubblicato il Sistemistica, Tips & Tricks, Windows
Corosync/Pacemaker in Centos 7 con LCMC
martedì, 25 luglio 2017
Corosync/Pacemaker in Centos 7 con LCMC
Pacchetti da installare
yum install perl yum install perl-Digest-MD5 yum install epel-release rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org yum update yum install kmod-drbd90 drbd90-utils yum install acpid yum install open-vm-tools
/etc/corosync/corosync.conf
logging {
fileline: off
to_logfile: yes
logfile: /var/log/cluster/corosync.log
to_stderr: no
debug: off
timestamp: on
to_syslog: yes
logger_subsys {
subsys: QUORUM
debug: off
}
}
totem {
version: 2
token: 3000
secauth: on
rrp_mode: active
transport: udpu
}
nodelist {
node {
ring0_addr: 172.21.8.131
nodeid: 1
}
node {
ring0_addr: 172.21.8.132
nodeid: 2
}
}
quorum {
provider: corosync_votequorum
two_node: 1
expected_votes: 2
}
systemctl enable corosync
systemctl enable pacemaker
reboot
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
tema vim
mercoledì, 12 luglio 2017
.vimrc
execute pathogen#infect() syntax on filetype plugin indent on set nowrap set t_Co=256 set background=dark colorscheme PaperColor
Tema PaperColor
PaperColor-Dark
Wget in /.vim/colors/
wget https://raw.githubusercontent.com/NLKNguyen/papercolor-theme/master/colors/PaperColor.vim
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
Esperimenti con multipath e SAN
venerdì, 07 luglio 2017
http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath
https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf
grep mpt /sys/class/scsi_host/host?/proc_name
rescan-scsi-bus.sh
echo “- – -” > /sys/class/scsi_host/host1/scan
multipath -l
multipathd -k”fail path sdb”
multipathd -k”del path sdb”
multipathd -k”reinstate path sdb”
multipathd -k”show paths”
dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls
echo 1 > /sys/block/sde/device/delete
echo 1 > /sys/block/sda/device/rescan
service multipath-tools restart
partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev –rereadpt /dev/mapper/MSA_BELLNET
partprobe -s
pvcreate –uuid “DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m” –restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL
multipath.conf
defaults {
polling_interval 15
path_selector "round-robin 0"
path_grouping_policy multibus
prio const
path_checker directio
rr_min_io 100
flush_on_last_del no
max_fds 8192
rr_weight priorities
failback immediate
no_path_retry fail
queue_without_daemon no
user_friendly_names yes
mode 644
uid 0
gid disk
}
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
devnode "^hd[a-z]"
devnode "^sda"
devnode "^sda[0-9]"
wwid "3600508b1001c1f5b93df16da7e7ab72e"
wwid "3600508b1001c81da7e4515d6a1c3a693"
wwid "OCZ-VELO_DRIVE_OCZ-938561J47139J405"
wwid "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676"
wwid "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U"
# wwid 3600c0ff0001432f020c55c5901000000
device {
vendor HP
product "P410i|LOGICAL"
}
}
devices {
device {
vendor "HP"
product "P2000 G3*"
path_grouping_policy "group_by_prio"
# uid_attribute "ID_SERIAL"
path_checker "tur"
path_selector "round-robin 0"
features "0"
hardware_handler "0"
prio "alua"
rr_weight "uniform"
failback "immediate"
no_path_retry 18
rr_min_io 100
}
}
multipaths {
multipath {
wwid 3600c0ff00014e4ed9724235801000000
alias MSA_NETLITE
}
multipath {
wwid 3600c0ff00014e4edfa37695801000000
alias MSA_NETLITE_BACKUP
}
multipath {
# path_grouping_policy multibus
wwid 3600c0ff0001432f020c55c5901000000
alias MSA_BELLNET
}
multipath {
wwid 3600c0ff0001432f0a80e5a5901000000
alias MSA_BELLNET_BACKUP
}
}
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn
Proxy Squid
lunedì, 19 giugno 2017
squid.conf
http_port 8081 #http_port 10.1.1.5:8082 pid_filename /var/run/squid3-2.pid cache_mgr [email protected] visible_hostname NETLITEPROXY #dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.123 208.67.220.123 dns_nameservers 10.5.1.5 dns_timeout 1 minutes positive_dns_ttl 1 hours negative_dns_ttl 10 minutes fqdncache_size 51200 ipcache_size 51200 #pipeline_prefetch on cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-small 1024 16 256 max-size=32768 cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-large 4096 16 256 cache_mem 2048 MB minimum_object_size 0 KB cache_replacement_policy heap LFUDA memory_replacement_policy heap GDSF memory_pools on maximum_object_size 128 MB minimum_object_size 0 KB maximum_object_size_in_memory 512 KB ie_refresh on cache_access_log /var/log/squid3/access-2.log #cache_access_log /dev/null #cache_log /var/log/squid3/cache-2.log cache_log /dev/null #cache_store_log /var/log/squid3/store-2.log cache_store_log /dev/null logfile_rotate 0 log_mime_hdrs off log_icp_queries off buffered_logs on redirect_rewrites_host_header off acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl SSL_ports port 8080 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports debug_options ALL,1 client_lifetime 12 hour half_closed_clients off pconn_timeout 5 minutes request_timeout 5 minutes connect_timeout 30 seconds authenticate_ttl 15 minutes authenticate_ip_ttl 15 minutes max_open_disk_fds 32768 acl java_jvm browser Java/1. J/SSL #acl localhost src 127.0.0.1/32 #acl reti_abilitate src 127.0.0.1/32 acl reti_abilitate src 10.5.1.0/24 acl netlite src 212.29.137.82/32 #netlite office acl netlite src 87.248.52.82/32 #netlite office acl no_cache_siti dstdomain "/etc/squid3/no-cache-siti.txt" acl siti_pubblici dstdomain "/etc/squid3/siti-pubblici.txt" acl lan-allowed-ip src "/etc/squid3/good-lan-ip.txt" http_access allow lan-allowed-ip # MAC Utenti Bovolone acl MAC arp "/etc/squid3/mac.txt" acl emerge browser Wget http_access allow emerge always_direct allow emerge acl aptupdate browser APT-HTTP http_access allow aptupdate always_direct allow aptupdate http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny connect !SSL_ports http_access allow netlite http_access deny !reti_abilitate http_access allow siti_pubblici http_access allow java_jvm no_cache deny no_cache_siti always_direct allow no_cache_siti #request_header_access Allow allow all #request_header_access Authorization allow all #request_header_access WWW-Authenticate allow all #request_header_access Proxy-Authorization allow all #request_header_access Proxy-Authenticate allow all #request_header_access Cache-Control allow all #request_header_access Content-Encoding allow all #request_header_access Content-Length allow all #request_header_access Content-Type allow all #request_header_access Date allow all #request_header_access Expires allow all #request_header_access Host allow all #request_header_access If-Modified-Since allow all #request_header_access Last-Modified allow all #request_header_access Location allow all #request_header_access Pragma allow all #request_header_access Accept allow all #request_header_access Accept-Charset allow all #request_header_access Accept-Encoding allow all #request_header_access Accept-Language allow all #request_header_access Content-Language allow all #request_header_access Mime-Version allow all #request_header_access Retry-After allow all #request_header_access Title allow all #request_header_access Connection allow all #request_header_access Proxy-Connection allow all #request_header_access User-Agent allow all #request_header_access From allow all #request_header_access Referer allow all #request_header_access Cookie allow all #request_header_access All deny all request_header_access All allow all follow_x_forwarded_for deny all forwarded_for delete via off forwarded_for off http_reply_access allow all icp_access allow all coredump_dir /var/cache balance_on_multiple_ip off #http_access deny !MAC # utilizzati per ftp anonimo ftp_user [email protected] ftp_passive on acl ftp proto FTP acl ftp_port port 21 http_access allow ftp_port CONNECT ftp_epsv off #dns_v4_first on http_access allow all
andrea
- Pubblicato il Sistemistica, Tips & Tricks, vpn