海运的博客

此内容被密码保护

发布时间:January 23, 2020 // 分类: // No Comments

请输入密码访问

此内容被密码保护

发布时间:January 22, 2020 // 分类: // No Comments

请输入密码访问

dnsmasq修改/设置最小TTL时间min-ttl patch

发布时间:January 13, 2020 // 分类: // No Comments

虽然dnsmasq自带参数min-cache-ttl可修改服务器缓存最小值,但是首次请求返回给客户端的时正常ttl,使用以下patch可修改返回给客户端ttl时间,配合min-cache-ttl保持和dnsmasq缓存ttl时间一致,dnsmasq不开启缓存可单独修改min ttl。
适用于dnsmasq2.80版本,

diff -urN dnsmasq-2.80/src/dnsmasq.h dnsmasq-2.80-bak/src/dnsmasq.h
--- dnsmasq-2.80/src/dnsmasq.h  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/dnsmasq.h      2020-01-13 10:38:16.940067371 +0800
@@ -1023,7 +1023,7 @@
   int max_logs;  /* queue limit */
   int cachesize, ftabsize;
   int port, query_port, min_port, max_port;
-  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
+  unsigned long local_ttl, neg_ttl, min_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
   char *dns_client_id;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp, *dhcp6;
diff -urN dnsmasq-2.80/src/option.c dnsmasq-2.80-bak/src/option.c
--- dnsmasq-2.80/src/option.c   2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/option.c       2020-01-13 17:21:13.925164926 +0800
@@ -106,6 +106,7 @@
 #define LOPT_PROXY         295
 #define LOPT_GEN_NAMES     296
 #define LOPT_MAXTTL        297
+#define LOPT_MINTTL        397
 #define LOPT_NO_REBIND     298
 #define LOPT_LOC_REBND     299
 #define LOPT_ADD_MAC       300
@@ -281,6 +282,7 @@
     { "dhcp-broadcast", 2, 0, LOPT_BROADCAST },
     { "neg-ttl", 1, 0, LOPT_NEGTTL },
     { "max-ttl", 1, 0, LOPT_MAXTTL },
+    { "min-ttl", 1, 0, LOPT_MINTTL },
     { "min-cache-ttl", 1, 0, LOPT_MINCTTL },
     { "max-cache-ttl", 1, 0, LOPT_MAXCTTL },
     { "dhcp-alternate-port", 2, 0, LOPT_ALTPORT },
@@ -409,6 +411,7 @@
   { 'T', ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for replies from /etc/hosts."), NULL },
   { LOPT_NEGTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for negative caching."), NULL },
   { LOPT_MAXTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for maximum TTL to send to clients."), NULL },
+  { LOPT_MINTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for minimum TTL to send to clients."), NULL },
   { LOPT_MAXCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live ceiling for cache."), NULL },
   { LOPT_MINCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live floor for cache."), NULL },
   { 'u', ARG_ONE, "<username>", gettext_noop("Change to this user after startup. (defaults to %s)."), CHUSER }, 
@@ -2664,6 +2667,7 @@
     case 'T':         /* --local-ttl */
     case LOPT_NEGTTL: /* --neg-ttl */
     case LOPT_MAXTTL: /* --max-ttl */
+    case LOPT_MINTTL: /* --min-ttl */
     case LOPT_MINCTTL: /* --min-cache-ttl */
     case LOPT_MAXCTTL: /* --max-cache-ttl */
     case LOPT_AUTHTTL: /* --auth-ttl */
@@ -2676,6 +2680,8 @@
          daemon->neg_ttl = (unsigned long)ttl;
        else if (option == LOPT_MAXTTL)
          daemon->max_ttl = (unsigned long)ttl;
+       else if (option == LOPT_MINTTL)
+         daemon->min_ttl = (unsigned long)ttl;
        else if (option == LOPT_MINCTTL)
          {
            if (ttl > TTL_FLOOR_LIMIT)
diff -urN dnsmasq-2.80/src/rfc1035.c dnsmasq-2.80-bak/src/rfc1035.c
--- dnsmasq-2.80/src/rfc1035.c  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/rfc1035.c      2020-01-13 17:12:25.455445871 +0800
@@ -669,11 +669,20 @@
                  GETSHORT(aqtype, p1); 
                  GETSHORT(aqclass, p1);
                  GETLONG(attl, p1);
+                  unsigned long mttl = 0;
                  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
                    {
-                     (p1) -= 4;
-                     PUTLONG(daemon->max_ttl, p1);
+                      mttl = daemon->max_ttl;
+                   }
+                 if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+                   {
+                      mttl = daemon->min_ttl;
                    }
+                  if (mttl != 0)
+                  {
+                     (p1) -= 4;
+                     PUTLONG(mttl, p1);
+                  }
                  GETSHORT(ardlen, p1);
                  endrr = p1+ardlen;
                  
@@ -762,11 +771,20 @@
              GETSHORT(aqtype, p1); 
              GETSHORT(aqclass, p1);
              GETLONG(attl, p1);
+              unsigned long mttl = 0;
              if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
-               {
-                 (p1) -= 4;
-                 PUTLONG(daemon->max_ttl, p1);
-               }
+               {
+                  mttl = daemon->max_ttl;
+               }
+             if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+               {
+                  mttl = daemon->min_ttl;
+               }
+              if (mttl != 0)
+              {
+                 (p1) -= 4;
+                 PUTLONG(mttl, p1);
+              }
              GETSHORT(ardlen, p1);
              endrr = p1+ardlen;
              

openssl验证ocsp及haproxy配置ocsp

发布时间:January 8, 2020 // 分类: // No Comments

获取网站公钥:

openssl s_client -connect www.haiyun.me:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > www.haiyun.me.cer

获取签发者公钥,第一个为网站公钥,和上面获取的一样,等同于acme申请的免费ssl证书www.haiyun.me.cer,第二个为签发者公钥,两者合并等同于acme生成的fullchain.cer文件。

openssl s_client -connect www.haiyun.me:443 -showcerts 2>&1 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){num++}; out="haiyun.me."num".cer"; print > out}'
#openssl s_client -showcerts -connect www.wikipedia.org:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p' | sed -n '/^-----END CERTIFICATE-----/,$ p' | sed 1d > chain.pem

查看网站证书验证ocsp的网址:

openssl x509 -noout -ocsp_uri -in haiyun.me.1.cer 

ocsp验证:

openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org --text

生成haproxy可用的ocsp文件:

openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org -respout haproxy.ocsp

通过haproxy管理sock更新ocsp:

echo "set ssl ocsp-response `base64 -w 0 haproxy.ocsp`"|socat stdio /var/run/haproxy.sock  

如果提示以下错误:

OCSP single response: Certificate ID does not match any certificate or issuer.

因为haproxy有配置多个域名ssl证书,需先让haproxy加载ocsp文件再使用sock更新,将ocsp文件保存到haproxy配置的证书目录,名字更改为证书名ocsp,重新启动haproxy则自动加载ocsp文件。
如haproxy使用acme申请的Let’s Encrypt ecc免费证书:

cat fullchain.cer www.haiyun.me.key > www.haiyun.me.pem
mv haproxy.ocsp www.haiyun.me.pem.ocsp

haproxy配置:

bind :443 allow-0rtt ssl crt www.haiyun.me_ecc/www.haiyun.pem alpn http/1.1,h2

使用openssl验证网站配置的ocsp是否生效:

openssl s_client -connect www.haiyun.me:443 -status -tlsextdebug < /dev/null 2>&1 | sed -n '/OCSP Response Data:/,/======/p'

https://github.com/pierky/haproxy-ocsp-stapling-updater
https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html

linux开启tcp fast open/tfo并测试

发布时间:January 6, 2020 // 分类: // No Comments

首先服务器和客户端都开启tcp fast open:

net.ipv4.tcp_fastopen = 3

使用curl开启tfo测试:

curl --tcp-fastopen http://www.haiyun.me/
#httping -F http://www.haiyun.me/

nginx开启tfo:

listen 80 fastopen=256

使用tcpdump监听数据发现:
第一次请求时客户端syn携带cookiereq,服务器如果支持tfo则返回tfo cookie:

Flags [S], options [mss 1460,sackOK,TS val 4250936141 ecr 0,nop,wscale 6,exp-tfo cookiereq], length 0
Flags [S.], options [mss 1460,sackOK,TS val 2764503812 ecr 4250936141,nop,wscale 11,exp-tfo cookie f6aecea49990ea33], length 0

后续再请求时会在syn带上tfo cookie和请求数据:

Flags [S], options [mss 1460,sackOK,TS val 4250944477 ecr 0,nop,wscale 6,exp-tfo cookie f6aecea49990ea33], length 77: HTTP: GET / HTTP/1.1

以上都配置了如果客户端syn数据包未带tfo cookiereq,则可能因为丢包或防火墙原因返回了正常模式,修改以下再测试:

net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0
分类
最新文章
最近回复
  • 海运: 正常情况下编译整个内核执行make menuconfig后就不会出现此提示,当单独编译单个模块...
  • oijq: 就是用的armbian的配置文件哈,按你的教程做的,在执行make LOCALVERSION=...
  • 海运: 使用armbian的配置文件,其它添加或修改自己懂的部分,不懂的就不要碰了。
  • oijq: 编译时这些选项全部选Y吗? Actions Semi Platforms (ARCH_ACTI...
  • 海运: n1编译bbr内核模块参考这个:https://www.haiyun.me/archives/...
  • jiqz: make M=net/ipv4/ CONFIG_TCP_CONG_BBR=m modules ...
  • ruralhunter: 哦,文档里应该是对的,是.config
  • ruralhunter: cp /mnt/boot/config-4.18.7-aml-s9xxx .config 这里...
  • 海运: 你是编译不成功呢?还是编译后不能运行呢?还是运行后不能访问web界面呢?
  • 白墨: 可能不清楚就是编译安装后启动后访问不了web界面