FortiWeb中配置HTTPS

以FortiWeb 6.3.1导入GoGetSSL颁发的RSA/ECC双证书为例

  1. 导入根证书和OCSP证书:菜单System->Certificates->CA,CA标签页,导入AAA Certificate Services、USERTrust RSA Certification Authority、USERTrust ECC Certification Authority、GoGetSSL RSA DV CA、GoGetSSL ECC DV CA
  2. 导入中级证书:菜单System->Certificates->Intermediate CA,Intermediate CA标签页,导入AAA Certificate Services签发的USERTrust RSA Certification Authority和USERTrust ECC Certification Authority,再导入USERTrust RSA Certification Authority签发的GoGetSSL RSA DV CA和USERTrust ECC Certification Authority签发的GoGetSSL ECC DV CA
  3. 创建中级证书组:菜单System->Certificates->Intermediate CA,Intermediate CA Group标签页,创建证书组GoGedtSSL RSA,先添加GoGetSSL RSA DV CA,再添加USERTrust RSA Certification Authority,ID 1应为签发服务器证书的中级证书,ID 2应为根证书签发的中级证书;同样的创建证书组GoGetSSL ECC,加入中级证书GoGetSSL ECC DV CA和USERTrust ECC Certification Authority;再创建一个证书组GoGetSSL把这四个中级证书都加进去
  4. 导入服务器证书:菜单System->Certificates->Local,分别导入证书颁发机构签发的服务器RSA和ECC证书及其对应的Key
  5. 添加OCSP stapling:菜单System->Certificates->OCSP stapling,为每一个服务器证书创建对应的OCSP,其中CA Certificate和OCSP URL按照服务器证书内容选择和填写,CA要先导入
  6. 创建多证书:菜单System->Certificates->Multi-certificate,创建一个多证书,分别选择RSA和ECDSA两个服务器证书
  7. 在Server里面如果使用多证书,就要选择有RSA和ECC中级证书的证书组,这是因为当前FortiWeb的系统的多证书只能选择一个中级证书组,所以就需要这个中级证书组里面放置所有的中级证书,将这些中级证书全部发送给客户端,让客户端自己选择

用 openssl s_client -showcerts -status -tlsextdebug -connect www.yaoge123.com:443 和 SSL Labs 检查证书链和OCSP

Seafile集成卡巴斯基

防病毒脚本 /opt/kaspersky/kav4fs_scan.sh

#!/bin/bash

VIRUS_FOUND=1
CLEAN=0
UNDEFINED=2
KAV4FS='/opt/kaspersky/kav4fs/bin/kav4fs-control'
if [ ! -x $KAV4FS ]
then
    echo "Binary not executable"
    exit $UNDEFINED
fi

SCAN_OUTPUT=`$KAV4FS --scan-file "$1"`
if [ "$?" -ne 0 ]
then
    echo "Error due to check file '$1'"
    exit 3
fi

while read line
do
	OUT1=`echo $line|cut -d':' -f 1`
	OUT2=`echo $line|cut -d':' -f 2|sed 's/ //g'`
	case "$OUT1" in
        "Threats found" )
                THREATS_C=$OUT2
                ;;
        "Riskware found" )
                RISKWARE_C=$OUT2
                ;;
        "Infected" )
                INFECTED=$OUT2
                ;;
        "Suspicious" )
                SUSPICIOUS=$OUT2
                ;;
        "Scan errors" )
                SCAN_ERRORS_C=$OUT2
                ;;
        "Password protected" )
                PASSWORD_PROTECTED=$OUT2
                ;;
        "Corrupted" )
                CORRUPTED=$OUT2
                ;;
	esac
done <<< "$SCAN_OUTPUT"

if [ $INFECTED -gt 0 ]
then
    exit $VIRUS_FOUND
elif [ $THREATS_C -gt 0 -o $RISKWARE_C -gt 0 -o $SUSPICIOUS -gt 0 -o $SCAN_ERRORS_C -gt 0 -o $CORRUPTED -gt 0 ]
then
    exit $UNDEFINED
else
    exit $CLEAN
fi

/opt/seafile/conf/seafile.conf 添加防病毒配置

[virus_scan]
scan_command = /opt/kaspersky/kav4fs_scan.sh
virus_code = 1
nonvirus_code = 0
scan_interval = 60

每天crontab清除kav4fs的日志/etc/cron.d/kav

30 0 * * * root find /var/log/kaspersky/kav4fs/supervisor_trace.log* -exec rm {} \;
40 0 * * * root /opt/kaspersky/kav4fs/bin/kav4fs-control -S --clean-stat

Ubuntu 16.04 改变 Transmission 运行用户

//先停止服务
sudo systemctl stop transmission-daemon.service

//修改文件
vim /etc/init/transmission-daemon.conf
setuid yaoge123
setgid yaoge123

//添加信息
sudo systemctl edit transmission-daemon.service
[Service]
User=yaoge123

//重启服务
sudo systemctl daemon-reload
sudo systemctl start transmission-daemon.service

 

安装和使用 Drush

apt安装drush版本是5.x,已被官方标记为不支持;采用pear安装虽然版本为6,但是小版本较老,所以:

curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
composer global require drush/drush:6.*
echo 'export PATH="$HOME/.composer/vendor/bin:$PATH"' >>  ~/.bashrc
//用于升级:
composer global update

下载和启用模块,并且en的时候会自动处理依赖

drush dl views
drush en views

 

Nginx HTTPS配置

配置很简单,但是需要注意的有:

  1. 应使用listen的ssl参数取代ssl on;
  2. cert文件应包含整个证书链,内容顺序必须是证书链的逆序,即cert文件头是本服务器的证书、中间是中间CA、最后是根CA。可以用下述命令检查
    openssl s_client -connect www.example.com:443
  3. ssl_protocols中只能包含TLS
    server {
            listen          [::]:80;
            listen          [::]:443 ssl;
    ……
            ssl_certificate /etc/ssl/microstructures_bundle.crt;
            ssl_certificate_key /etc/ssl/microstructures_org.key;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
    ……
    }

 

Linux DHCP 下自定义路由和网关

主机IP必须通过DHCP获得,但是因故需要重新指定网关并做策略路由。例如主机DHCP获取IP段192.168.1.0/24,DHCP获取网关192.168.1.1,拟将默认路由改为192.168.1.2,本地IP仍然走网关192.168.1.1

RHEL(CentOS) 6/7

/etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=dhcp
NM_CONTROLLED="no"
ONBOOT=yes
GATEWAY=192.168.1.2
……

/etc/sysconfig/network-scripts/route-eth0
192.168.0.0/16 via 192.168.1.1

/etc/sysconfig/network
NETWORKING=yes
……

Debian 7

/etc/network/interfaces
……
up route del default dev eth0
up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
up route add default gw 192.168.1.2 dev eth0
……

Suse 11

/etc/sysconfig/network/routes
……
192.168.0.0 192.168.1.1 255.255.0.0 eth0
default 192.168.1.2 - -

 

RouterOS PPPoE和L2TP双拨策略路由

ROS 6.0rc12,先拨PPPoE上网,再拨L2TP VPN,上Internet走PPPoE,访问某些IP走VPN

PPP – Interface:增加PPPoE Client和L2TP Client两个Interface
PPPoE Client的MTU/MRU为1492,勾选Add Default Route 和 Use Peer DNS,Name就是pppoe
L2TP Client的MTU/MRU为1452(LT2P over PPPoE),不勾选Add Default Route,Name就是vpn

PPP – Profiles:编辑default,Change TCP MSS选择No

IP – DNS:勾选Allow Remote Requests

IP – Firewall – Address_Lists:增加需要走VPN访问的IP段,Name都取vpnip,Address填写需要走VPN的IP段,格式172.16.0.0/12,有几段就增加几个

IP – Firewall – NAT:
增加一个pppoe的NAT:Chain选srcnat,Out. Interface选pppoe,Action选masquerade
增加一个l2tp的NAT:Chain选srcnat,Out. Interface选l2tp,Dst. Address List选vpnip,Action选masquerade

IP – Firewall – Mangle:
增加对pppoe入TCP包的MSS修改:Chain选forward,Protocol选TCP,In. Interface选pppoe,TCP MSS输入1453-65535,TCP Flags选syn,Action选chang MSS,New TCP MSS输入1452,保持Passthrough选中
增加对pppoe出TCP包的MSS修改:Chain选forward,Protocol选TCP,Out. Interface选pppoe,TCP MSS输入1453-65535,TCP Flags选syn,Action选chang MSS,New TCP MSS输入1452,保持Passthrough选中
增加对l2tp入TCP包的MSS修改:Chain选forward,Protocol选TCP,In. Interface选l2tp,TCP MSS输入1413-65535,TCP Flags选syn,Action选chang MSS,New TCP MSS输入1412,保持Passthrough选中
增加对l2tp出TCP包的MSS修改:Chain选forward,Protocol选TCP,Out. Interface选l2tp,TCP MSS输入1413-65535,TCP Flags选syn,Action选chang MSS,New TCP MSS输入1412,保持Passthrough选中

IP – Routes:增加需要走VPN访问的IP段,Dst. Address填写需要走VPN的IP段,格式172.16.0.0/12,Gateway选择l2tp,有几段就增加几个

IP – Services:限制一下这些ROS服务的访问IP地址段,否则外网也能进行ROS管理

IP – UPnP:可以把UPnP打开,有些程序需要

System – Clock:设置一下时区

System – NTP Client:启用NTP Client以便自动对时