dnsmasq修改/设置最小TTL时间min-ttl patch
发布时间:January 13, 2020 // 分类: // No Comments
虽然dnsmasq自带参数min-cache-ttl可修改服务器缓存最小值,但是首次请求返回给客户端的时正常ttl,使用以下patch可修改返回给客户端ttl时间,配合min-cache-ttl保持和dnsmasq缓存ttl时间一致,dnsmasq不开启缓存可单独修改min ttl。
适用于dnsmasq2.80版本,
diff -urN dnsmasq-2.80/src/dnsmasq.h dnsmasq-2.80-bak/src/dnsmasq.h
--- dnsmasq-2.80/src/dnsmasq.h 2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/dnsmasq.h 2020-01-13 10:38:16.940067371 +0800
@@ -1023,7 +1023,7 @@
int max_logs; /* queue limit */
int cachesize, ftabsize;
int port, query_port, min_port, max_port;
- unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
+ unsigned long local_ttl, neg_ttl, min_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
char *dns_client_id;
struct hostsfile *addn_hosts;
struct dhcp_context *dhcp, *dhcp6;
diff -urN dnsmasq-2.80/src/option.c dnsmasq-2.80-bak/src/option.c
--- dnsmasq-2.80/src/option.c 2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/option.c 2020-01-13 17:21:13.925164926 +0800
@@ -106,6 +106,7 @@
#define LOPT_PROXY 295
#define LOPT_GEN_NAMES 296
#define LOPT_MAXTTL 297
+#define LOPT_MINTTL 397
#define LOPT_NO_REBIND 298
#define LOPT_LOC_REBND 299
#define LOPT_ADD_MAC 300
@@ -281,6 +282,7 @@
{ "dhcp-broadcast", 2, 0, LOPT_BROADCAST },
{ "neg-ttl", 1, 0, LOPT_NEGTTL },
{ "max-ttl", 1, 0, LOPT_MAXTTL },
+ { "min-ttl", 1, 0, LOPT_MINTTL },
{ "min-cache-ttl", 1, 0, LOPT_MINCTTL },
{ "max-cache-ttl", 1, 0, LOPT_MAXCTTL },
{ "dhcp-alternate-port", 2, 0, LOPT_ALTPORT },
@@ -409,6 +411,7 @@
{ 'T', ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for replies from /etc/hosts."), NULL },
{ LOPT_NEGTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for negative caching."), NULL },
{ LOPT_MAXTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for maximum TTL to send to clients."), NULL },
+ { LOPT_MINTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for minimum TTL to send to clients."), NULL },
{ LOPT_MAXCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live ceiling for cache."), NULL },
{ LOPT_MINCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live floor for cache."), NULL },
{ 'u', ARG_ONE, "<username>", gettext_noop("Change to this user after startup. (defaults to %s)."), CHUSER },
@@ -2664,6 +2667,7 @@
case 'T': /* --local-ttl */
case LOPT_NEGTTL: /* --neg-ttl */
case LOPT_MAXTTL: /* --max-ttl */
+ case LOPT_MINTTL: /* --min-ttl */
case LOPT_MINCTTL: /* --min-cache-ttl */
case LOPT_MAXCTTL: /* --max-cache-ttl */
case LOPT_AUTHTTL: /* --auth-ttl */
@@ -2676,6 +2680,8 @@
daemon->neg_ttl = (unsigned long)ttl;
else if (option == LOPT_MAXTTL)
daemon->max_ttl = (unsigned long)ttl;
+ else if (option == LOPT_MINTTL)
+ daemon->min_ttl = (unsigned long)ttl;
else if (option == LOPT_MINCTTL)
{
if (ttl > TTL_FLOOR_LIMIT)
diff -urN dnsmasq-2.80/src/rfc1035.c dnsmasq-2.80-bak/src/rfc1035.c
--- dnsmasq-2.80/src/rfc1035.c 2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/rfc1035.c 2020-01-13 17:12:25.455445871 +0800
@@ -669,11 +669,20 @@
GETSHORT(aqtype, p1);
GETSHORT(aqclass, p1);
GETLONG(attl, p1);
+ unsigned long mttl = 0;
if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
{
- (p1) -= 4;
- PUTLONG(daemon->max_ttl, p1);
+ mttl = daemon->max_ttl;
+ }
+ if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+ {
+ mttl = daemon->min_ttl;
}
+ if (mttl != 0)
+ {
+ (p1) -= 4;
+ PUTLONG(mttl, p1);
+ }
GETSHORT(ardlen, p1);
endrr = p1+ardlen;
@@ -762,11 +771,20 @@
GETSHORT(aqtype, p1);
GETSHORT(aqclass, p1);
GETLONG(attl, p1);
+ unsigned long mttl = 0;
if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
- {
- (p1) -= 4;
- PUTLONG(daemon->max_ttl, p1);
- }
+ {
+ mttl = daemon->max_ttl;
+ }
+ if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+ {
+ mttl = daemon->min_ttl;
+ }
+ if (mttl != 0)
+ {
+ (p1) -= 4;
+ PUTLONG(mttl, p1);
+ }
GETSHORT(ardlen, p1);
endrr = p1+ardlen;
openssl验证ocsp及haproxy配置ocsp
发布时间:January 8, 2020 // 分类: // No Comments
获取网站公钥:
openssl s_client -connect www.haiyun.me:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > www.haiyun.me.cer
获取签发者公钥,第一个为网站公钥,和上面获取的一样,等同于acme申请的免费ssl证书www.haiyun.me.cer,第二个为签发者公钥,两者合并等同于acme生成的fullchain.cer文件。
openssl s_client -connect www.haiyun.me:443 -showcerts 2>&1 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){num++}; out="haiyun.me."num".cer"; print > out}'
#openssl s_client -showcerts -connect www.wikipedia.org:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' | sed -n '/^-----END CERTIFICATE-----/,$ p' | sed 1d > chain.pem
查看网站证书验证ocsp的网址:
openssl x509 -noout -ocsp_uri -in haiyun.me.1.cer
ocsp验证:
openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org --text
生成haproxy可用的ocsp文件:
openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org -respout haproxy.ocsp
通过haproxy管理sock更新ocsp:
echo "set ssl ocsp-response `base64 -w 0 haproxy.ocsp`"|socat stdio /var/run/haproxy.sock
如果提示以下错误:
OCSP single response: Certificate ID does not match any certificate or issuer.
因为haproxy有配置多个域名ssl证书,需先让haproxy加载ocsp文件再使用sock更新,将ocsp文件保存到haproxy配置的证书目录,名字更改为证书名ocsp,重新启动haproxy则自动加载ocsp文件。
如haproxy使用acme申请的Let’s Encrypt ecc免费证书:
cat fullchain.cer www.haiyun.me.key > www.haiyun.me.pem
mv haproxy.ocsp www.haiyun.me.pem.ocsp
haproxy配置:
bind :443 allow-0rtt ssl crt www.haiyun.me_ecc/www.haiyun.pem alpn http/1.1,h2
使用openssl验证网站配置的ocsp是否生效:
openssl s_client -connect www.haiyun.me:443 -status -tlsextdebug < /dev/null 2>&1 | sed -n '/OCSP Response Data:/,/======/p'
https://github.com/pierky/haproxy-ocsp-stapling-updater
https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
linux开启tcp fast open/tfo并测试
发布时间:January 6, 2020 // 分类: // No Comments
首先服务器和客户端都开启tcp fast open:
net.ipv4.tcp_fastopen = 3
使用curl开启tfo测试:
curl --tcp-fastopen https://www.haiyun.me/
#httping -F https://www.haiyun.me/
nginx开启tfo:
listen 80 fastopen=256
使用tcpdump监听数据发现:
第一次请求时客户端syn携带cookiereq,服务器如果支持tfo则返回tfo cookie:
Flags [S], options [mss 1460,sackOK,TS val 4250936141 ecr 0,nop,wscale 6,exp-tfo cookiereq], length 0
Flags [S.], options [mss 1460,sackOK,TS val 2764503812 ecr 4250936141,nop,wscale 11,exp-tfo cookie f6aecea49990ea33], length 0
后续再请求时会在syn带上tfo cookie和请求数据:
Flags [S], options [mss 1460,sackOK,TS val 4250944477 ecr 0,nop,wscale 6,exp-tfo cookie f6aecea49990ea33], length 77: HTTP: GET / HTTP/1.1
以上都配置了如果客户端syn数据包未带tfo cookiereq,则可能因为丢包或防火墙原因返回了正常模式,修改以下再测试:
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0
分类
- Apache (13)
- Nginx (45)
- PHP (86)
- IIS (8)
- Mail (17)
- DNS (16)
- Cacti (14)
- Squid (5)
- Nagios (4)
- Puppet (7)
- CentOS (13)
- Iptables (23)
- RADIUS (3)
- OpenWrt (41)
- DD-WRT (1)
- VMware (9)
- 网站程序 (2)
- 备份存储 (11)
- 常用软件 (20)
- 日记分析 (10)
- Linux基础 (18)
- 欧诺代理 (0)
- Linux服务 (18)
- 系统监控 (4)
- 流量监控 (7)
- 虚拟化 (28)
- 伪静态 (2)
- LVM (3)
- Shell (18)
- 高可用 (2)
- 数据库 (16)
- FreeBSD (3)
- 网络安全 (25)
- Windows (35)
- 网络工具 (22)
- 控制面板 (3)
- 系统调优 (10)
- Cisco (3)
- VPN (6)
- ROS (20)
- Vim (14)
- KMS (4)
- PXE (2)
- Mac (1)
- Git (1)
- PE (1)
- LNS (2)
- Xshell (7)
- Firefox (13)
- Cygwin (4)
- OpenSSL (9)
- Sandboxie (3)
- StrokesPlus (1)
- AutoHotKey (4)
- Total Commander (3)
- WordPress (3)
- iMacros (6)
- Typecho (2)
- Ollydbg (1)
- Photoshop (1)
- 正则 (3)
- Debian (3)
- Python (8)
- NoSQL (6)
- 消息队列 (4)
- JS (7)
- Tmux (3)
- GO (7)
- HHVM (2)
- 算法 (1)
- Docker (2)
- PT (15)
- N1 (16)
- K2P (6)
- LUKS (4)
最新文章
- 光猫拨号ImmortalWrt/OpenWRT路由获取ipv6遇到的问题
- php-fpm错误error_log日志配置
- debian-12/bookworm安装mariadb10.3和mysql5.6
- smokeping主从配置及遇到的问题
- openwrt/linux使用tcpdump/nflog ulogd记录iptables日志
- tmux bash shell自动保存history
- ImmortalWrt/OpenWRT为guest wifi网络配置ipv6 nat6
- PVE更新upgrade遇到The following packages have been kept back
- openwrt/immortalwrt修改odhcpd ipv6 preferred_lifetime和valid_lifetime
- golang版本udpxy iptv rtp多播转http单播
最近回复
- liyk: 这个方法获取的IPv6大概20分钟之后就会失效,默认路由先消失,然后Global IPV6再消失
- 海运: 不好意思,没有。
- zongboa: 您好,請問一下有immortalwrt設定guest Wi-Fi的GUI教學嗎?感謝您。
- 海运: 恩山有很多。
- swsend: 大佬可以分享一下固件吗,谢谢。
- Jimmy: 方法一 nghtp3步骤需要改成如下才能编译成功: git clone https://git...
- 海运: 地址格式和udpxy一样,udpxy和msd_lite能用这个就能用。
- 1: 怎么用 编译后的程序在家里路由器内任意一台设备上运行就可以吗?比如笔记本电脑 m参数是笔记本的...
- 孤狼: ups_status_set: seems that UPS [BK650M2-CH] is ...
- 孤狼: 擦。。。。apcupsd会失联 nut在冲到到100的时候会ONBATT进入关机状态,我想想办...