Show Posts



Messages - netman

1
Miscellaneous / test
« on: 2017-06-28 10:52 »
please ignore...

2
DevOps Board / docker trouble-shooting tips
« on: 2017-05-12 17:16 »
Note down before forgetting:

* docker: behind a proxy
create /etc/systemd/system/docker.service.d/http-proxy.conf with the following contents:
Code:
[Service]
# one proxy variable per Environment= line; upper- and lower-case names are both set
# because different tools read different spellings
Environment="ALL_PROXY=socks://127.0.0.1:8080/" "all_proxy=socks://127.0.0.1:8080/"
Environment="FTP_PROXY=ftp://127.0.0.1:8080/" "ftp_proxy=ftp://127.0.0.1:8080/"
Environment="HTTP_PROXY=http://127.0.0.1:8080/" "http_proxy=http://127.0.0.1:8080/"
Environment="HTTPS_PROXY=http://127.0.0.1:8080/" "https_proxy=http://127.0.0.1:8080/"
Environment="NO_PROXY=localhost,127.0.0.0/8,172.16.0.0/16,192.168.0.0/16" "no_proxy=localhost,127.0.0.0/8,172.16.0.0/16,192.168.0.0/16"


* Dockerfile: run pip with a specified proxy:
Code:
RUN https_proxy=http://127.0.0.1:8080/ pip install -r requirements.txt

* Dockerfile: SSL certificate verification fails while running pip:
Could not fetch URL https://pypi.python.org/simple/flask/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
- Solution:
add --trusted-host pypi.python.org to the pip command line:
Code:
# --trusted-host skips certificate verification for that host only
RUN pip install --trusted-host pypi.python.org -r requirements.txt

* docker swarm: get the following error while re-joining a re-initialized swarm:
Error response from daemon: rpc error: code = 13 desc = connection error: desc = "transport: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"swarm-ca\")
- Solution:
    rm or mv the file swarm-root-ca.crt in /var/lib/docker/swarm/certificates/

3
Ref:
https://www.howtoforge.com/tutorial/sync-documents-with-google-drive-on-ubuntu-linux/
http://askubuntu.com/questions/611801/grive-sync-error-possibly-google-api-shift

Env:
# cat /etc/debian_version
8.5

Problems:
The official 'drive' requires go version 1.5 or above, while the system provides only 1.3.3.
The alternative 'grive' provided by default has an API bug and gets a 400 error.

Solution:
Compile grive2

Instruction:
Code:
apt-get install git cmake build-essential libgcrypt11-dev libyajl-dev libboost-all-dev libcurl4-openssl-dev libexpat1-dev libcppunit-dev binutils-dev pkg-config
mkdir ~/grive
cd ~/grive
git clone https://github.com/vitalif/grive2.git
mkdir grive2/build
cd grive2/build
cmake ..
make -j4
sudo make install

Then prepare your directory for sync:
Code:
mkdir ~/mydir
cd ~/mydir
/usr/local/bin/grive -a
Copy & paste the URL into your browser to get the auth code (40 chars), then copy the code and paste it back into the console...



4
Study-Area (酷學園) 2016 Gathering

Foreword

Greetings to all fellow lovers of information technology: the annual Study-Area gathering is here again! This year's meeting brings together topics that have been hotly discussed over the past year, such as DevOps and SDN. Each speaker condenses real-world industry experience into a fifty-minute talk; after hearing these experiences, we hope attendees will be able to stand on the shoulders of giants and move on to the next technical summit.

Schedule
09:00 - 09:05 Opening
09:05 - 09:50 Experience sharing: integrating ONOS with real SDN switches -- 小飛機
10:10 - 11:00 An introduction to DC/OS -- Danial
11:00 - 12:00 Build an epub e-book on the spot -- 雨蒼
12:00 - 13:10 Break (lunch is not provided)
13:20 - 14:10 Experience sharing: introducing Git in small and medium-sized businesses -- Haway
14:20 - 15:10 An introduction to the Ansible configuration management tool -- Sakana
15:30 - 16:20 Ansible (Roles, Windows support) -- 凍仁翔
16:20 - 16:30 Closing

Date
2016-07-16 (Saturday)

Venue
National Chiao Tung University, Hsinchu, Engineering Building 3, room EC122

Fees
Ticket: Free
Parking: NT$30 per entry

Organizers
Study-Area (酷學園)
Department of Computer Science, National Chiao Tung University

Registration: http://studyarea.kktix.cc/events/c6457aff

5
Linux Board / A question about the 許功蓋 problem
« on: 2016-06-01 14:19 »
I'd appreciate it if someone could review the script below:
Code:
#!/bin/bash
export LANG=zh_TW.Big5

in_file=1.txt

# case 1
lines=$(cat $in_file | awk -F, '{print$2,$3}')
echo "$lines"

# case 2
awk -F, '{print $2,$3}' $in_file | while read line
do
        echo $line
done
I expected the output of the two cases to be the same...
but in practice it runs into the 許功蓋 problem:
Code:
[kenny@vmtest-linux tmp]$ locale
LANG=zh_TW.Big5
LC_CTYPE="zh_TW.Big5"
LC_NUMERIC="zh_TW.Big5"
LC_TIME="zh_TW.Big5"
LC_COLLATE="zh_TW.Big5"
LC_MONETARY="zh_TW.Big5"
LC_MESSAGES="zh_TW.Big5"
LC_PAPER="zh_TW.Big5"
LC_NAME="zh_TW.Big5"
LC_ADDRESS="zh_TW.Big5"
LC_TELEPHONE="zh_TW.Big5"
LC_MEASUREMENT="zh_TW.Big5"
LC_IDENTIFICATION="zh_TW.Big5"
LC_ALL=
[kenny@vmtest-linux tmp]$ file 1.txt
1.txt: ISO-8859 text
[kenny@vmtest-linux tmp]$ cat 1.txt
x1230,葉小姐,usa@xxx.com.tw,89,0,16/06/01,
x1978,許小姐,ally@xxx.com.tw,90,0,16/06/01,
x8657,陳先生,cbk@xxx.com.tw,3,0,16/06/01,
x1467,鄭成功,cck@xxx.com.tw,3,0,16/06/01,

[kenny@vmtest-linux tmp]$ ./1.sh
葉小姐 usa@xxx.com.tw
許小姐 ally@xxx.com.tw
陳先生 cbk@xxx.com.tw
鄭成功 cck@xxx.com.tw

葉小姐 usa@xxx.com.tw
酗p姐 ally@xxx.com.tw
陳先生 cbk@xxx.com.tw
鄭成?cck@xxx.com.tw
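The cause of the difference, shown with an added example (this is not the poster's script): in Big5, 許 is encoded as the bytes B3 5C, and 0x5C is the ASCII backslash, which a plain `read` treats as an escape character and removes; case 1 never passes the text through `read`, so it is unaffected. The sample line below is constructed from the post's second record, and the script assumes a POSIX shell with awk, wc and od available.

```shell
#!/bin/sh
# Added example, not the poster's script. Reproduces the symptom from the post with a
# constructed Big5 line and shows the fix. 許 is Big5 B3 5C: its second byte 0x5C is the
# ASCII backslash, which a plain "read" treats as an escape character and drops.
LC_ALL=C; export LC_ALL   # byte-wise processing, as with the post's Big5 locale

# Constructed sample: the post's second record, written as octal escapes.
# 許 = B3 5C, 小 = A4 70, 姐 = A9 6A.
sample_line() {
  printf 'x1978,\263\134\244\160\251\152,ally@xxx.com.tw,90,0,16/06/01,\n'
}

# The loop as written in the post (case 2): "read" eats the backslash, leaving
# B3 A4 70 A9 6A, which a Big5 terminal renders as 酗p姐.
read_as_posted() {
  sample_line | awk -F, '{print $2}' | while read line; do printf '%s' "$line"; done
}

# Fixed loop: -r keeps backslashes, IFS= keeps leading/trailing blanks,
# and "$line" is quoted so the shell does not re-split the value.
read_fixed() {
  sample_line | awk -F, '{print $2}' | while IFS= read -r line; do printf '%s' "$line"; done
}

# Byte length of a function's output: the intact field is 6 bytes, the mangled one 5.
byte_len() { "$1" | wc -c | tr -d ' '; }

# Hex dump of a function's output, to compare byte by byte.
hex_of() { "$1" | od -An -tx1 | tr -d ' \n'; }
```

The same `IFS= read -r` fix covers 功 (Big5 A5 5C) at the end of the 鄭成功 field, where the backslash would otherwise be merged with the following separator.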

6
Miscellaneous / Happy New Year everyone!
« on: 2016-02-08 01:22 »
Wishing everyone progress in the Year of the Monkey! Peace and happiness!

^_^

7
Ref:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Purpose: add a Let's Encrypt SSL cert to GitLab, with auto-renew.

Steps:

sudo su -
gitlab-ctl stop
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/
./letsencrypt-auto certonly --standalone
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/pki/ca-trust/source/anchors/
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
mkdir -p /etc/gitlab/ssl
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/gitlab/ssl/ca.crt
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/gitlab/ssl/gitlab.example.com.crt
cp /etc/letsencrypt/archive/gitlab.example.com/privkey1.pem /etc/gitlab/ssl/gitlab.example.com.key
chmod 600 /etc/gitlab/ssl/gitlab.example.com.key
vim /etc/gitlab/gitlab.rb
Code:
external_url 'https://gitlab.example.com'
...
nginx['redirect_http_to_https'] = true
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
...
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n allow all;\n}\n"
...
gitlab-ctl start
gitlab-ctl reconfigure # to make sure everything is OK
gitlab-ctl restart
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
vim /usr/local/etc/le-renew-webroot.ini
Code:
rsa-key-size = 4096
email = root@example.com
domains = gitlab.example.com
webroot-path = /opt/gitlab/embedded/service/gitlab-rails/public
cd /opt/letsencrypt/
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini # to make sure it works fine!
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
vim /usr/local/sbin/le-renew-webroot
Code:
#!/bin/bash

date

web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
...
chmod +x /usr/local/sbin/le-renew-webroot
le-renew-webroot # to make sure the result is as expected
vim /etc/cron.d/le-renew-webroot
Code:
30 2 * * 1 root /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
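An added check (not part of the post or of the le-renew-webroot script) that a renewal job can run before calling letsencrypt-auto: it reports whether the certificate expires within a given number of days and distinguishes an unreadable file from a still-valid one. It assumes openssl is installed; the file paths, the threshold and the renewal command are parameters, and the self-signed test certificate is constructed only to exercise the check.

```shell
#!/bin/sh
# Added example, not part of the post. A pre-check for the weekly renewal cron job:
# renew only when the certificate is close to expiry, and fail loudly when the file
# is missing or unreadable. Assumes openssl is installed. The post's certificate
# would be /etc/gitlab/ssl/gitlab.example.com.crt.

# Exit 0 if the cert in $1 expires within $2 days (default 30),
# 1 if it still has more than $2 days left, 2 if the file cannot be parsed.
cert_needs_renew() {
  cert="$1"; days="${2:-30}"
  openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
  if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
    return 1      # -checkend succeeds when the cert is still valid past the window
  fi
  return 0
}

# Print the notAfter date, useful in the renewal log.
cert_not_after() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# Constructed throwaway self-signed cert ($1) and key ($2) valid for $3 days, so the
# check can be exercised without a real Let's Encrypt certificate.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=gitlab.example.com" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Wrapper a cron job can call instead of renewing unconditionally:
# renew_if_needed /etc/gitlab/ssl/gitlab.example.com.crt 30 /usr/local/sbin/le-renew-webroot
renew_if_needed() {
  cert="$1"; days="$2"; renew_cmd="$3"
  rc=0; cert_needs_renew "$cert" "$days" || rc=$?
  case $rc in
    0) echo "$(date) renewing: $cert expires $(cert_not_after "$cert")"; $renew_cmd ;;
    1) echo "$(date) no renewal needed, $cert expires $(cert_not_after "$cert")" ;;
    *) echo "cannot read $cert" >&2; return 2 ;;
  esac
}
```

With the post's cron line, `renew_if_needed` would replace the bare `le-renew-webroot` call so the log records the expiry date and the reason for each decision.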

8
Ref: https://docs.docker.com/registry/insecure/

Prerequisite:
* Docker service installed and running
* Private CA and server key/certs are already on the CA server

Steps:

#-- Registry Host --#
mkdir -p /etc/docker/certs
cp /etc/pki/tls/private/dokcerhub.example.com.key /etc/docker/certs
cd /etc/docker/certs
cat /etc/pki/tls/certs/dokcerhub.example.com.crt /etc/pki/CA/cacert.pem > dokcerhub.example.com.crt
docker run -d -p 5000:5000 --restart=always --name registry -v /etc/docker/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dokcerhub.example.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dokcerhub.example.com.key registry:2
docker ps    # to make sure registry is UP

#-- Docker Host --#
mkdir -p /etc/docker/certs.d/dokcerhub.example.com:5000
scp dokcerhub.example.com:/etc/pki/CA/cacert.pem /etc/docker/certs.d/dokcerhub.example.com:5000/ca.crt
cp /etc/docker/certs.d/dokcerhub.example.com:5000/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
systemctl restart docker
docker pull ubuntu
docker tag ubuntu dokcerhub.example.com:5000/ubuntu
docker push dokcerhub.example.com:5000/ubuntu
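The order of the cat command above matters: the registry expects the server certificate first, followed by the CA certificate. The following added example (not from the post) checks a bundle before it is mounted into the registry container: certificate count, leaf CN, chain verification against the CA, and key/certificate match. It assumes openssl is installed and builds a throwaway CA and server certificate for the dry run; the hostname is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the post. Checks the concatenated "server cert + CA cert"
# file before it is handed to REGISTRY_HTTP_TLS_CERTIFICATE. Assumes openssl is installed.

# Print the first certificate (the leaf) of a PEM bundle.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print} /-----END CERTIFICATE-----/{if(n==1) exit}' "$1"
}

# Number of certificates in a PEM file.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# check_bundle BUNDLE KEY CA HOST
# 0 = usable; 1 = fewer than two certs; 2 = first cert is not the server cert for HOST;
# 3 = chain does not verify against CA; 4 = private key does not belong to the cert.
check_bundle() {
  bundle="$1"; key="$2"; ca="$3"; host="$4"
  [ "$(cert_count "$bundle")" -ge 2 ] || { echo "bundle has fewer than 2 certs"; return 1; }
  leaf="$(first_cert "$bundle")"
  printf '%s\n' "$leaf" | openssl x509 -noout -subject | grep -q "CN *= *$host" \
    || { echo "first cert is not the server cert for $host"; return 2; }
  printf '%s\n' "$leaf" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
    || { echo "chain does not verify against $ca"; return 3; }
  cmod="$(printf '%s\n' "$leaf" | openssl x509 -noout -modulus)"
  kmod="$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)"
  [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] || { echo "key does not match cert"; return 4; }
  echo "bundle OK for $host"
  return 0
}

# Constructed private CA and server certificate for the dry run (throwaway keys).
make_demo_pki() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Private CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 30 -out "$dir/$host.crt" 2>/dev/null
  # Same concatenation order as the post: server cert first, then the CA cert.
  cat "$dir/$host.crt" "$dir/cacert.pem" > "$dir/$host.bundle.crt"
}
```

On the registry host the call would be `check_bundle /etc/docker/certs/dokcerhub.example.com.crt /etc/docker/certs/dokcerhub.example.com.key /etc/pki/CA/cacert.pem dokcerhub.example.com`; a wrong concatenation order is reported as code 2 because the CA certificate, not the server certificate, comes first.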

9
Ref:
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=3
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
http://www.study-area.org/tips/smbldap/
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

### Configure LDAP Server ###
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
slappasswd # copy the result
mkdir /root/tmp
cd /root/tmp
vi chrootpw.ldif
Code:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
for i in /etc/openldap/schema/*.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $i ; done
vi chdomain.ldif
Code:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
vi basedomain.ldif
Code:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example dot Com
dc: Example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif

#-- skip this part if you don't want TLS --#
# you MUST build your server key and cert first; the 'easy-rsa' package should be a good choice
# Assuming you've installed openvpn and easy-rsa
cd /etc/openvpn/easy-rsa
cp ldap.example.com.key ldap.example.com.crt ca.crt /etc/openldap/certs/
cd /etc/openldap/certs/
chown ldap. ldap.example.com.* ca.crt
cd /root/tmp
vi mod_ssl.ldif
Code:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
vi /etc/sysconfig/slapd
Code:
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
#-- end of TLS configuration --#

systemctl start slapd
systemctl enable slapd

### Configure Client ###
#-- without TLS --#
yum -y install openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=dlp.server.world --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
systemctl restart nslcd
systemctl enable nslcd
#-- withTLS --#
yum -y install openldap-clients nss-pam-ldapd
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
echo "tls_reqcert allow" >> /etc/nslcd.conf
scp ldap.example.com:/etc/openldap/certs/cacert.pem /etc/openldap/cacerts
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=dlp.server.world --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
systemctl restart nslcd
systemctl enable nslcd


### Configure SAMBA ###
yum -y install samba samba-client
cp /usr/share/doc/samba-4.2.3/LDAP/samba.ldif /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif
vi samba_indexes.ldif
Code:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
systemctl restart slapd


### Configure openldap-tools ###
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install -y smbldap-tools
cd /etc/samba
mv smb.conf smb.conf.bak
cp /usr/share/doc/smbldap-tools-*/smb.conf smb.conf
vi /etc/samba/smb.conf
Code:
[global]
workgroup = EXAMPLE
netbios name = ldap
deadtime = 10
log level = 1
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes
security = user
domain logons = yes
os level = 64
logon path =
logon home =
logon drive =
logon script =
passdb backend = ldapsam:"ldap://ldap.example.com/"
ldap ssl = no
ldap admin dn = cn=Manager,dc=example,dc=com
ldap delete dn = no
ldap password sync = yes
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
admin users = domainadmin
[NETLOGON]
path = /var/lib/samba/netlogon
browseable = no
share modes = no
[PROFILES]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
create mask = 0611
directory mask = 0700
profile acls = yes
csc policy = disable
map system = yes
map hidden = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
mkdir /var/lib/samba/{netlogon,profiles}
smbpasswd -W    # type the password of the ldap manager twice
systemctl start nmb
systemctl start smb
systemctl enable nmb
systemctl enable smb
smbldap-config
    # Answer all the questions all the way down
    # You could however press ctrl-c and rerun the command if you made a mistake
smbldap-populate
smbldap-groupadd -a domainadmin
smbldap-useradd -am -g domainadmin domainadmin
smbldap-passwd domainadmin

### To add a Win7 client ###
smbldap-useradd -W win7pc
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

### Win7 modification ###
# Create a text file named 'sambafix.reg'
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
# Double-click the file to import it into the registry
# Reboot and join the 'EXAMPLE' domain using the domainadmin or root account

10
Linux Board / [openvpn] Install OpenVPN on CentOS7
« on: 2016-01-23 21:46 »
Ref:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7
https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/
http://www.study-area.org/tips/openvpn.html

on Server:
yum install openvpn easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
vi /etc/openvpn/server.conf
Code:
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.example.com.crt
key vpnserver.example.com.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
*note: I don't use tun here; I use tap for the device instead

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars
Code:
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Tainan"
export KEY_ORG="ExampleDotCom"
export KEY_EMAIL="root@example.com"
export KEY_OU="IT"
export KEY_NAME="EasyRSA"
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
./build-key-server vpnserver.example.com
./build-dh
cd keys/
cp dh2048.pem ca.crt vpnserver.example.com.key vpnserver.example.com.crt /etc/openvpn/
cd ..
./build-key linuxclient
./build-key win7client
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=1194/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports

On Linux Client (Ubuntu)
sudo su -
apt-get install openvpn
cd /etc/openvpn/
scp vpnserver.example.com:/etc/openvpn/easy-rsa/keys/linuxclient.* .
scp vpnserver.example.com:/etc/openvpn/easy-rsa/keys/ca.crt .
vi client.ovpn
Code:
client
dev tap
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/linuxclient.crt
key /etc/openvpn/linuxclient.key
* Note: 1.2.3.4 is the IP of the server
exit
sudo openvpn --config /etc/openvpn/client.ovpn


11
Ref: http://mark.koli.ch/configuring-apache-to-support-ssh-through-an-http-web-proxy-with-proxytunnel

Purpose:
Get an ssh connection via an HTTP proxy, if the corporate firewall doesn't allow SSH.

Steps:

1. Install apache and proxytunnel on the server side (with the RPMforge repo installed)
yum install httpd proxytunnel

2. vi /etc/httpd/conf.d/proxytunnel.conf
Code:
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
Listen 443
<VirtualHost *:443>
  RequestReadTimeout header=0,MinRate=500 body=0,MinRate=500
  ServerName proxy.example.com:443
  DocumentRoot /var/www/proxytunnel
  ServerAdmin root@example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^CONNECT [NC]
  RewriteRule ^/(.*)$ - [F,L]
  ProxyRequests On
  ProxyBadHeader Ignore
  ProxyVia Full
  AllowCONNECT 22
  <Proxy *>
    Order deny,allow
    #Allow from all
    Deny from all
  </Proxy>
  <ProxyMatch (proxy\.example\.com)>
    Order allow,deny
    Allow from all
  </ProxyMatch>
  LogLevel warn
  ErrorLog logs/proxy.example.com-proxy_error_log
  CustomLog logs/proxy.example.com-proxy_request_log combined
</VirtualHost>
cp -a /var/www/html /var/www/proxytunnel

3. enable service
systemctl restart httpd
systemctl enable httpd

4. fix SELinux:
grep ssh /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

5. Client side settings:
vi .ssh/config
Code:
Host proxy.example.com
  Hostname proxy.example.com
  ProxyCommand /usr/bin/proxytunnel -p localproxy:3128 -r proxy.example.com:443 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
  ServerAliveInterval 30
  TCPKeepAlive no
*Note: write the ProxyCommand on a single line; do not use \ to break lines.

6. Test
ssh user@proxy.example.com

For server on ubuntu:
a2enmod proxy_http
a2enmod proxy_connect
a2enmod rewrite
and fix the log path

12
Linux Board / [ADSL] Configure ADSL on CentOS7
« on: 2016-01-21 22:07 »
Ref:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_NetworkManager_with_the_GNOME_Graphical_User_Interface.html#sec-Establishing_a_DSL_Connection

Preparation:
yum install -y rp-pppoe

Configuration:
1. run command
    nm-connection-editor
2. Press Add
3. Select 'DSL' from Connection Type, and Create
4. Enter the information in the DSL tab:
    Username: 7654321@ip.hinet.net (for Static IP)  or 7654321@hinet.net (for Dynamic IP)
    Service: Hinet
    Password: XXXXXXX
6. Select the General tab:
    Check "Automatically connect to ......"
7. Select the Ethernet tab:
    Choose the proper device
8. Save
9. Go to NetworkManager and start the DSL connection

13
Problem Description:
Get https refused while pushing to a private registry.

Symptoms:
Code:
docker push 1.2.3.4:5000/test
The push refers to a repository [1.2.3.4:5000/test] (len: 1)
unable to ping registry endpoint https://1.2.3.4:5000/v0/
v2 ping attempt failed with error: Get https://1.2.3.4:5000/v2/: dial tcp 1.2.3.4:5000: connection refused
 v1 ping attempt failed with error: Get https://1.2.3.4:5000/v1/_ping: dial tcp 1.2.3.4:5000: connection refused

Solution:
vi /etc/sysconfig/docker
Code:
# --insecure-registry lets the daemon use this registry over plain HTTP or with an unverified certificate
OPTIONS='--selinux-enabled --insecure-registry 1.2.3.4:5000'
systemctl restart docker


14
step1: goto download website:
https://about.gitlab.com/downloads/#centos7

step2: preparation:
Code:
sudo yum install curl openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
sudo yum install postfix
sudo systemctl enable postfix
sudo systemctl start postfix
sudo firewall-cmd --permanent --add-service=http
sudo systemctl reload firewalld

step3: installation:
Code:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo yum install gitlab-ce
*note: curl may fail if behind a proxy/firewall.
        - set up the proxy environment and use wget to download script.rpm.sh, then run it

step4: configuration:
Code:
sudo gitlab-ctl reconfigure
*note: you may want to change the URL if your server name is localhost.localdomain.
       - Edit /etc/gitlab/gitlab.rb and change the following:
               external_url "http://your.servername.or.ip.address"

step5: login
use browser to connect to the ip address, login with root  (password: 5iveL!fe)

step6: getting start
GitLab Documentation
Git Beginner's Guide Even a Monkey Can Understand (連猴子都能懂的Git入門指南)


15
Miscellaneous / Happy New Year everyone!
« on: 2016-01-01 09:02 »
I have set 2016 as a year of learning. May all my friends learn well and learn plenty this year!
The venue in Taipei should be settled this year, and I hope everyone will share actively... ^_^

16
To celebrate sakana finishing his studies and coming back, and making a special trip south to share the newest, hottest technology, we have arranged a welcome dinner after the meeting!
Please sign up here; I will keep this post updated:

netman : 4
xiang : 1
sakana + Ines : 2
鳥哥 : 1
小飛機 + 女友 : 2
三子 : 1
Jhe : 1
--------------
Total: 12

17
vSphere 5.5

encountered the following error while vMotioning RHEL7.1 VMs:

To revert to this snapshot, you must change the host pixel format to match that of the guest.  The host's current settings are: depth 24, bits per pixel 32.  The guest's current settings are: depth 24, bits per pixel 32.
Error encountered while trying to restore the virtual machine state from file "".

SOLUTION:
1. login as a normal user
2. go to Settings and change Display to lower resolution, e.g. 1024x768
3. su to root and run:
        cp /home/user/.config/monitors.xml /var/lib/gdm/.config/


18
some tips:

* load module: modprobe drbd
* make a link first: ln -s /sbin/drbdadm /usr/sbin/drbdadm
* there is a warning about drbd-kmp when using Yast, just keep press Ok or Next
* use a device name like /dev/drbd_XXX minor XXX (the _ must be present)
* manually run drbdadm create-md <RES>
* manually run drbdadm up <RES>
* manually run drbdadm -- --overwrite-data-of-peer primary <RES> on the 1st node, and drbdadm secondary <RES> on the 2nd node
* check status by cat /proc/drbd, to make sure connected and Primary/Secondary on 1st node and Secondary/Primary on 2nd node

Some Errors:
* unknown minor
    - run drbdadm up <RES>

* no resources defined!
   - use Yast to create resource

* ds:Diskless/UpToDate in /proc/drbd
  - drbdadm down <RES>; drbdadm up <RES>

* (104) Can not open backing device
  - delete and re-create the partition (may need a reboot)

* staying cs:StandAlone in /proc/drbd on 2nd node
 - drbdadm -- --discard-my-data connect <RES>

19
Tips of creating HA Cluster on OpenSuse 13.2 / 42.1

* Make sure NTP, DNS and firewall are configured properly.
* Avoid using LVM for the iSCSI target device; use a raw partition instead.
* It is recommended to use Disk ID(/dev/disk/by-id/xxxxxx) rather than path (/dev/sdaX).
* Initname (iqn) must be unique to all cluster nodes. It could be regenerated by iscsi-iname command.
* No auth for discovery, but for login; incoming auth should be enough.
* The softdog module must be loaded for SBD (fencing system) before cluster initialization, if no hardware solution is available.
* Run mkfs.ocfs2 with stack and cluster names before using Hawk ocfs2 wizard. (mkfs.ocfs2 --cluster-stack=pcmk --cluster-name=hacluser /dev/disk/by-id/XXXXXX ; mounted.ocfs2 -t)
* Sync configuration files using csync2 -xv before setting up a service cluster.
* Don't use 255.255.255.0 mask format in Hawk web server wizard, use 24 instead.
* Set up clone resources for sbd, dlm(base) and ocfs, those must run on all nodes, or put them into a single group & clone.
* Configure constraints after resource creation; set up dependency (colocation) and order. (No need for Leap 42.1)

20
vi /etc/qemu/bridge.conf
Code:
allow virbr0
qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -append "root=/dev/sda2" -hda xxxxxxxxxxxxxxx.img -net nic -net bridge,br=virbr0

21
database Board / [mssql] remove a db owner login
« on: 2015-07-29 14:09 »
Ref:
http://coresql.com/2013/10/24/cant-drop-user-the-server-principal-owns-one-or-more-endpoints-and-cannot-be-dropped/

Scenario:
1.   Used user-A to create DB, and assigned to db owner.
2.   Need to remove user-A and to use user-B instead.

Symptoms:
1.   Can't remove user-A; encountering the following error 15141:
The server principal owns one or more endpoint(s) and cannot be dropped hence unable to delete a login from SQL Server

Steps:
1.   Open SSMS and add new Login user-B, assign db owner.
2.   Open DB properties then select File Permission, change owner to user-B.
3.   Run query to find all endpoints related to user-A:
Code:
SELECT p.name, e.* FROM sys.endpoints e
inner join sys.server_principals p on e.principal_id = p.principal_id
4.   Run alter to change owner:
Code:
ALTER AUTHORIZATION ON ENDPOINT::Mirroring TO [user-B]
5.   Go to Security/Login to remove user-A

23
Linux Board / CentOS 7 join AD Domain
« on: 2015-07-27 14:54 »
Ref:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba

steps:
yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp
systemctl enable ntpd.service
vi /etc/ntp.conf    # to add server dc1.mydomain.local on top of other servers
ntpdate dc1.mydomain.local
systemctl start ntpd.service
realm join --user=adminuser@mydomain.local mydomain.local
realm list    # to verify, otherwise redo from beginning

vi /etc/samba/smb.conf
Code:
[global]
workgroup = MYDOMAINLOCAL
server string = Samba Server Version %v

# Add the IPs / subnets allowed access to the server in general.
# The following allows local and 10.0.*.* access
hosts allow = 127. 10.0.

# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level =3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Here comes the juicy part!
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null
systemctl enable smb.service
systemctl start smb.service

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

-----
vi /etc/sssd/sssd.conf:
Code:
...
#use_fully_qualified_names = True
use_fully_qualified_names = False
...
#fallback_homedir = /home/%d/%u
fallback_homedir = /home/%u
...

id username
su - username
chcon -t samba_share_t /home/username

Tips:
if browsing by IP fails, use the NetBIOS name instead.

24
Ref:
http://forum.armtc.net/showthread.php?tid=1664&highlight=libproxy

Error:
"Dynamic Module 'libproxy.so' could not be loaded (null)"

Fix:
apt-get install libcurl4-gnutls-dev
ln /usr/lib/arm-linux-gnueabihf/libcurl.so /usr/lib/arm-linux-gnueabihf/libcurl.so.4


25
Ref:
http://www.reddit.com/r/linux/comments/1x2eq1/request_howto_install_citrix_receiver_13_on/
http://www.tecmint.com/install-google-chrome-on-redhat-centos-fedora-linux/

step1, install chrome, this is to fix the problem of 'GLIBCXX_3.4.15' not found!
vi /etc/yum.repos.d/google-chrome.repo
Code:
[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
wget http://chrome.richardlloyd.org.uk/install_chrome.sh
chmod u+x install_chrome.sh
./install_chrome.sh

step2, install citrix receiver 13.2
#browse to https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-13-2.html
#download citrix receiver 13.2 tarball
tar -zxvf linuxx64-13.2.0.322243.tar.gz
./setupwfc

step3, run selfservice:
export LD_LIBRARY_PATH=/opt/google/chrome/lib
/opt/Citrix/ICAClient/selfservice
# run yum provides '*/xxxxxx.so' to find out the missing packages and install them


26
Ref:
http://linuxgyd.blogspot.tw/2014/07/set-up-openldap-server-on-centos-65.html
http://jackiechen.org/2014/08/15/setup-ldap-authentication-in-centos-openldapsssd/
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
http://www.linuxtopia.org/online_books/rhel6/rhel_6_deployment/rhel_6_deployment_ch-Authentication_Configuration.html

Keypoint: TLS

Steps:

#
# basic config
#

yum install openldap-clients openldap-servers
cd /etc/openldap/slapd.d/cn\=config
vi 'olcDatabase={1}monitor.ldif' 'olcDatabase={2}bdb.ldif' # to change all 'my-domain' entries
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
wget ftp://fr2.rpmfind.net/linux/centos/6.6/os/x86_64/Packages/migrationtools-47-7.el6.noarch.rpm
rpm -ivh migrationtools-47-7.el6.noarch.rpm
cd /usr/share/migrationtools/
vi migrate_common.ph # to change base dn
\rm /var/lib/ldap/[!D]* ; ./migrate_all_offline.sh # repeat until fix all errors!
chown -R ldap.ldap /var/lib/ldap/
chkconfig slapd on
service slapd start
ldapsearch -x -b "dc=xxxxxxxxxxx,dc=xxxxx"  # to test

#
# enable TLS
#

openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem
chown -R ldap.ldap /etc/openldap/certs/ldap-p*
cd /etc/openldap/slapd.d/cn\=config
vi olcDatabase\=\{0\}config.ldif
Code:
olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem
vi /etc/sysconfig/ldap
Code:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
service slapd restart

#
# client config
#

yum install -y openldap-clients sssd
scp xxxx.xxxx.xxxx:/etc/openldap/certs/ldap-pub.pem /etc/openldap/cacerts/
vi /etc/openldap/ldap.conf
Code:
TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=xxxxxxxx,dc=xxxx
URI ldaps://xxxx.xxxx.xxxx/
HOST ip.ip.ip.ip
vi  /etc/sssd/sssd.conf
Code:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = XXXXX.XXX
ldap_search_base = dc=xxxxxx,dc=xxx
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldaps://xxxx.xxxx.xxxx
ldap_chpass_uri = ldaps://xxxx.xxxx.xxxx/
krb5_kdcip = xxxx.xxxx.xxxx
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
krb5_server = xxxx.xxxx.xxxx
authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://xxxx.xxxx.xxxx --ldapbasedn=dc=xxxxxx,dc=xxx --enablelocauthorize --enableldaptls --update
ldapsearch -x -D "cn=Manager,dc=xxxxxxxxx,dc=xxxxx" -W -H ldaps://xxxx.xxxx.xxxx

#
# smbldap-tools & SAMBA config
# (on server side)
#

wget http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.10-1.el6.noarch.rpm
wget ftp://rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall smbldap-tools-0.9.10-1.el6.noarch.rpm
vi schema_convert.conf
Code: [Select]
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
mkdir ldif_output
slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn\=samba.ldif
vi ./cn\=samba.ldif
Code: [Select]
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
....
# and delete these bottom lines:
structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z


ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
vi samba_indexes.ldif
Code: [Select]
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
service slapd restart

cd /etc/samba/
mv smb.conf smb.conf.backup
cp /usr/share/doc/smbldap-tools-0.9.10/smb.conf.example smb.conf
vi smb.conf
Code: [Select]
[global]
        workgroup = XXXXXXXXXX
        netbios name = XXX

        deadtime = 10

        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 5000
        debug pid = yes
        debug uid = yes
        syslog = 0
        utmp = yes

        security = user
        domain logons = yes
        os level = 64
        logon path =
        logon home =
        logon drive =
        logon script =

        passdb backend = ldapsam:"ldap://xxxx.xxx.xxxx/"
        ldap ssl = start tls
        ldap admin dn = cn=Manager,dc=xxxxxxxx,dc=xxxxx
        ldap delete dn = no

        ## Sync UNIX password with Samba password
        ## Method 1:
        ldap password sync = yes
        ## Method 2:
        ;ldap password sync = no
        ;unix password sync = yes
        ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
        ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        ldap suffix = dc=xxxxxxx,dc=xxxx
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap

        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

        Dos charset = CP932
        Unix charset = UTF-8

        admin users = root administrator domain

[NETLOGON]
        path = /var/lib/samba/netlogon
        browseable = no
        share modes = no

[PROFILES]
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        create mask = 0611
        directory mask = 0700
        profile acls = yes
        csc policy = disable
        map system = yes
        map hidden = yes
mkdir /var/lib/samba/netlogon
mkdir /var/lib/samba/profiles
service smb restart
service nmb restart
chkconfig smb on
chkconfig nmb on
smbpasswd -W
perl /usr/share/doc/smbldap-tools-0.9.10/smbldap-config.pl
cd /etc/smbldap-tools/
vi smbldap.conf
Code: [Select]
SID="S-1-5-21-627543661-3216288505-2393536575"
sambaDomain="XXXXXXXXX"
slaveLDAP="xxxx.xxxx.xxxx"
slavePort="389"
masterLDAP="xxxx.xxxx.xxxx"
masterPort="389"
ldapTLS="1"
verify="none"
cafile="/etc/openldap/cacerts/ldap-pub.pem"
clientcert="/etc/openldap/certs/ldap-pub.pem"
clientkey="/etc/openldap/certs/ldap-pri.pem"
suffix="dc=xxxxxxx,dc=xxxxxx"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=XXXXXXXXX,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\xxxxx\%U"
userProfile="\\xxxxxx\profiles\%U"
userHomeDrive="H:"
userScript=""
mailDomain="xxxxxxxx.xxxxx"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
smbldap-populate
smbldap-groupmod -a root
smbldap-usermod -a root
smbldap-groupadd -a domu1
smbldap-useradd -am -g domu1 domu1
smbldap-passwd domu1
ldapsearch -x -b "uid=domu1,ou=People,dc=xxxxxxxx,dc=xxxx" -H ldaps://xxxxxxx.xxxxx.xxxxx
id domu1
smbclient -L xxxx.xxxx.xxxx -U domu1
smbldap-useradd -W user-pc
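Both the client settings earlier in this post (`TLS_REQCERT allow` in ldap.conf, `ldap_tls_reqcert = never` in sssd.conf) and the `verify="none"` line in smbldap.conf above tell the client to accept whatever certificate the LDAP server presents, so TLS then hides the traffic from a passive observer but does not tell the client it is talking to the right server. The script below is an added example, not part of the original post: `audit_ldap_tls` scans a config file in any of those three styles for such settings and prints the value to use instead (`demand` for OpenLDAP and sssd, `verify="require"` for smbldap-tools). The sample config it checks is constructed here and mixes the three formats in one file for brevity.

```shell
#!/bin/sh
# Added example (not from the original post). audit_ldap_tls scans an ldap.conf,
# sssd.conf or smbldap.conf style file for settings that stop the client from
# verifying the LDAP server certificate. It prints one finding per offending
# line and returns the number of findings, so 0 means the file is clean.
audit_ldap_tls() {
    file=$1
    count=0
    n=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1))
        # normalise: lower-case, drop whitespace and double quotes, so that
        # 'TLS_REQCERT allow', 'ldap_tls_reqcert = never' and verify="none"
        # each reduce to a fixed token that the case statement can match
        line=$(printf '%s' "$raw" | tr 'A-Z' 'a-z' | tr -d ' \t"')
        case $line in
            "#"*|'') continue ;;
            tls_reqcertallow|tls_reqcertnever|tls_reqcerttry|ldap_tls_reqcert=allow|ldap_tls_reqcert=never|ldap_tls_reqcert=try)
                printf 'line %d: %s\n    -> server certificate is not verified; set the value to demand\n' "$n" "$raw"
                count=$((count + 1)) ;;
            verify=none)
                printf 'line %d: %s\n    -> smbldap-tools skips certificate verification; use verify="require"\n' "$n" "$raw"
                count=$((count + 1)) ;;
        esac
    done < "$file"
    return "$count"
}

# Constructed sample: the weak settings from the post, in the three file styles.
write_sample_config() {
    cat > "$1" <<'EOF'
# ldap.conf style
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
# sssd.conf style
ldap_tls_reqcert = never
ldap_id_use_start_tls = True
# smbldap.conf style
verify="none"
cafile="/etc/openldap/cacerts/ldap-pub.pem"
EOF
}

# The same settings with verification switched on.
write_fixed_config() {
    cat > "$1" <<'EOF'
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
ldap_tls_reqcert = demand
verify="require"
cafile="/etc/openldap/cacerts/ldap-pub.pem"
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
if audit_ldap_tls "$sample"; then
    echo "clean"
else
    echo "findings: $?"     # 3 for the constructed sample
fi
rm -f "$sample"
```

The CA file the settings point at (`cafile` / `TLS_CACERTDIR`) only matters once verification is on; with `demand` or `require` in place, a server presenting a certificate that is not signed by the copied `ldap-pub.pem` is refused instead of silently accepted.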

27
Linux Discussion Board / [tips] script for Hex To ASCII
« On: 2015-06-18 13:14 »
Ref:
http://www.linuxquestions.org/questions/programming-9/%5Bbash%5D-ascii-to-hex-and-hex-to-ascii-488357/

Code: [Select]
#!/bin/bash
# print the ASCII string encoded by a hex string: walk the argument two hex
# digits at a time and emit each pair as one byte
function hex2string () {
  I=0
  while [ $I -lt ${#1} ];
  do
    echo -en "\x"${1:$I:2}   # bash's builtin echo understands \xHH
    let "I += 2"
  done
}
hex2string "48656C6C6F2074686572652021"
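As an added example (not the script from the post or the linked thread), the POSIX sh version below validates its input before decoding, so an odd-length or non-hex argument fails loudly instead of producing garbage, decodes with octal escapes that every `printf` understands rather than the bash-only `\x`, and adds the reverse direction. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): portable hex <-> ASCII helpers.

# hex2ascii HEX: decode a string of hex digit pairs into the bytes they encode.
# Rejects empty input, non-hex characters and an odd number of digits.
hex2ascii() {
    hex=$1
    case $hex in
        '' | *[!0-9A-Fa-f]*)
            printf 'hex2ascii: not a hex string: %s\n' "$hex" >&2
            return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        printf 'hex2ascii: odd number of hex digits: %s\n' "$hex" >&2
        return 1
    fi
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # the first two characters
        hex=${hex#??}                # drop them from the remainder
        # convert the pair to a number, then emit it as an octal escape
        # (\NNN), which POSIX printf handles; \xHH is a bash extension
        printf "\\$(printf '%03o' "$(( 0x$pair ))")"
    done
    printf '\n'
}

# ascii2hex STRING: the reverse, emitting upper-case hex digits.
ascii2hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
    printf '\n'
}

hex2ascii "48656C6C6F2074686572652021"   # Hello there !
ascii2hex "Hello there !"               # 48656C6C6F2074686572652021
```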

28
Ref:
https://www.rosehosting.com/blog/install-and-configure-a-simple-mail-server-using-sendmail-and-dovecot-on-a-fedora-20-vps/

/etc/mail/sendmail.mc:
Code: [Select]
dnl FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(local_procmail)dnl

/etc/dovecot/conf.d/10-mail.conf:
Quote
mail_location = maildir:~/Maildir

29
Ref:
http://stackoverflow.com/questions/11134857/using-sendmail-for-html-body-and-binary-attachment

Code: [Select]
#!/usr/local/bin/bash
export MAILFROM="noreply"
export MAILTO="user@domain.name"
export SUBJECT="Test =?UTF-8?B?$(echo -n 中文 | base64)?= for Email"  # RFC 2047 encoded word; -n keeps echo's newline out of the base64
export BODY="test.html"
export ATTACH="attachment.pdf"
export MAILPART=`uuidgen` ## Generates Unique ID
export MAILPART_BODY=`uuidgen` ## Generates Unique ID

(
 echo "From: $MAILFROM"
 echo "To: $MAILTO"
 echo "Subject: $SUBJECT"
 echo "MIME-Version: 1.0"
 echo "Content-Type: multipart/mixed; boundary=\"$MAILPART\""
 echo ""
 echo "--$MAILPART"
 echo "Content-Type: multipart/alternative; boundary=\"$MAILPART_BODY\""
 echo ""
 echo "--$MAILPART_BODY"
 echo "Content-Type: text/plain; charset=utf-8"
 echo ""   # every part needs an empty line between its headers and its body
 echo "You need to enable HTML option for email"
 echo "--$MAILPART_BODY"
 echo "Content-Type: text/html; charset=utf-8"
 echo "Content-Disposition: inline"
 echo ""
 cat "$BODY"
 echo "--$MAILPART_BODY--"

 echo "--$MAILPART"
 echo 'Content-Type: application/pdf; name="'$(basename "$ATTACH")'"'
 echo "Content-Transfer-Encoding: uuencode"
 echo 'Content-Disposition: attachment; filename="'$(basename "$ATTACH")'"'
 echo ""
 #uuencode -m $ATTACH $(basename $ATTACH)   # -m emits base64; if used, declare "Content-Transfer-Encoding: base64" instead
 uuencode "$ATTACH" "$(basename "$ATTACH")"    # using uuencode
 echo "--$MAILPART--"
) | /usr/sbin/sendmail $MAILTO
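When a message is assembled by hand with `echo`, the easiest mistakes to make are leaving out the empty line that separates a part's headers from its body (the receiving mail client then reads the first body line as a header and shows the part as empty or as raw text) and never emitting the closing `--boundary--`. The checker below is an added example, not part of the original post or the linked thread: it reads a raw message on stdin, reports every header block that runs straight into its body and every declared boundary that is never closed, and exits non-zero if it found anything. The sample message is constructed here. A body line that itself looks like a header (for example `Note: ...`) immediately after a missing separator is a known false negative of this simple check.

```shell
#!/bin/sh
# Added example (not from the original post). check_mime_message reads a raw
# message on stdin and checks the two things a hand-built multipart message
# most often gets wrong: every header block (top-level and per part) must be
# terminated by one empty line before its body, and every boundary announced
# in a Content-Type header must be closed with "--boundary--".
# Prints one finding per problem; exit status 0 means no finding.
check_mime_message() {
    awk '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad++ }
        NR == 1 { in_hdr = 1 }                      # the message starts with its headers
        # remember every boundary string announced in a Content-Type header
        match($0, /boundary="[^"]*"/) {
            boundaries[substr($0, RSTART + 10, RLENGTH - 11)] = 1
        }
        /^--/ {
            s = substr($0, 3)
            if (s in boundaries) {                  # "--boundary": a new part begins
                if (in_hdr) report("new part starts inside an unterminated header block")
                in_hdr = 1
                next
            }
            closing = s; sub(/--$/, "", closing)
            if (closing in boundaries) {            # "--boundary--": the multipart ends
                if (in_hdr) report("boundary closed inside an unterminated header block")
                closed[closing] = 1
                in_hdr = 0
                next
            }
        }
        in_hdr && $0 == "" { in_hdr = 0; next }     # the empty separator line
        in_hdr && $0 !~ /^[A-Za-z][A-Za-z0-9-]*:/ && $0 !~ /^[ \t]/ {
            report("body text follows the headers without an empty separator line")
            in_hdr = 0
        }
        END {
            for (b in boundaries)
                if (!(b in closed)) { printf "boundary %s is never closed\n", b; bad++ }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed two-part message (plain text plus a base64 attachment) that
# passes the check; remove one of the empty lines to see it fail.
sample_message() {
    printf '%s\n' \
        'From: noreply@example.invalid' \
        'To: user@example.invalid' \
        'Subject: test' \
        'MIME-Version: 1.0' \
        'Content-Type: multipart/mixed; boundary="PART-1"' \
        '' \
        '--PART-1' \
        'Content-Type: text/plain; charset=utf-8' \
        '' \
        'hello' \
        '--PART-1' \
        'Content-Type: application/octet-stream; name="a.bin"' \
        'Content-Transfer-Encoding: base64' \
        'Content-Disposition: attachment; filename="a.bin"' \
        '' \
        'aGVsbG8K' \
        '--PART-1--'
}

sample_message | check_mime_message && echo "sample message: structure OK"
```

To check a script like the one above before it is wired to `sendmail`, replace the final `| /usr/sbin/sendmail $MAILTO` with `| check_mime_message` once and look at the findings.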


30
Ref:
http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
(but it is written for 32-bit x86 only; some changes are needed for x64)

steps:

wget http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.8-1.el6.x86_64.rpm
yum install ksh
rpm -ivh squid-3.3.8-1.el6.x86_64.rpm
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db
vi squid.conf
Code: [Select]
...
# Squid normally listens to port 3128
#http_port 3128
http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

...
mkdir /etc/squid/ssl_cert
chown -R squid.squid /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
openssl x509 -in myca.pem -outform DER -out myca.der
chkconfig squid on
service squid start
iptables -t nat -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

# client settings:
Import myca.pem (for Linux) or myca.der (for Windows) into the browser's CA certificate store.
