Thursday, 19 December 2024

Configuring L3 nPath load balancing and monitoring

Topic

You should consider using this procedure under the following conditions:

  • You want to use Layer 3 (L3) nPath load balancing (also known as Direct Server Return or Asymmetric Routing).
  • You want to monitor the origin web servers from the BIG-IP system.
  • You have L3 client requests that need to be load balanced on the BIG-IP system, with server responses returning directly to the client.

Note: The recommendations included in this article are only valid for BIG-IP 11.1.0. Beginning in BIG-IP 11.2.0, the way you create network tunnels changed. To locate the options for creating network tunnels in BIG-IP 11.2.0 and later, access the Configuration utility and navigate to Network > Tunnels.

Description

L3 nPath routing enables traffic to be load balanced over a routed topology. In this deployment, the server sends its responses directly back to the client instead of to the BIG-IP system, even when the servers and any intermediate routers are on different networks. This load balancing method uses IP encapsulation to create a uni-directional outbound tunnel from the server pool to the server. The origin web server decapsulates the packet to recover the original client IP information, which is then used to route the return traffic directly to the client.

The available encapsulation protocols are GRE and IPIP. The protocol you choose for building the encapsulation tunnel may depend on the requirements of your environment: GRE supports unicast and multicast traffic, IPv4 and IPv6; IPIP supports unicast traffic and IPv4 only.

Prerequisites

You must meet the following prerequisites to use this procedure:

  • You have a properly configured network path from the origin web servers to clients that does not traverse the BIG-IP system.
  • You have a system user account with Traffic Management Shell (tmsh) utility access; certain steps in the process cannot be performed from the Configuration utility.
  • You are conversant in the following configurations for the operating system of your origin web servers: IPIP and GRE tunnel configuration, loopback interface configuration, and web service configuration.

Procedures

To use this topology, perform the following procedures and create the following objects:

  • Configuring BIG-IP:
    1. Enabling the monitor encapsulation variable
    2. Creating a load balancing pool with an encapsulation profile
    3. Creating a transparent monitor
    4. Creating a FastL4 profile
    5. Creating a virtual server
  • Configuring an origin web server:
    1. Configuring a loopback IP address
    2. Configuring an encapsulation tunnel
    3. Configuring the web service

Enable the monitor encapsulation variable

To monitor the pool member over an encapsulated tunnel, enable the tm.monitorencap variable by performing the following procedure.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the tmsh utility by entering the following command:

    tmsh

    Note: For the remainder of this article, you must be logged in to the tmsh utility. Subsequent procedures in this article assume you are logged in to the tmsh utility from this step onward.

  2. Enable the tm.monitorencap variable by entering the following command:

    modify sys db tm.monitorencap value enable

Create a load balancing pool

Create a load balancing pool that references the desired encapsulation profile and the origin web servers as pool members.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

To perform this procedure, enter the following command syntax:

    create ltm pool <pool_name> profiles add { <encapsulation_profile> } members add { <server_ip_address>:any }

Use the following examples to help you perform this procedure:

  • To create a pool named ipip_pool, referencing an IPIP profile, and using the server 10.104.5.1 as the pool member, you enter a command similar to the following example:

    create ltm pool ipip_pool profiles add { ipip } members add { 10.104.5.1:any }

    Note: The pool member is the physical IP address of the server that is hosting the virtual IP that must be load balanced.

  • To create a pool that includes multiple pool members, you enter a command similar to the following example:

    create ltm pool ipip.pool profiles add { ipip } members add { 10.104.5.1:any 10.104.5.2:any 10.104.5.3:any }

Create a transparent monitor

You use a transparent monitor to monitor the virtual IP and service hosted on the loopback interface of the physical origin web server. You create the loopback address on the server later in this article.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Use the following command syntax to perform this operation:

    create ltm monitor <monitor_type> <monitor_name> defaults-from <parent_monitor> destination <ip_address>:<port> send <send_string> recv <receive_string> transparent enabled interval <interval> timeout <timeout>

For example, to create a monitor named ipip.mon to monitor the service at 10.200.1.100:80, you enter the following command:

    create ltm monitor tcp ipip.mon defaults-from tcp destination 10.200.1.100:80 send 'GET / HTTP/1.1\r\nHost: <hostname>\r\nConnection: Close\r\n' recv 'It works!' transparent enabled interval 5 timeout 16

Notes:

  • This example monitor expects the HTTP response from the virtual service to contain the receive string "It works!". You must change this value to match a valid string appropriate to your environment. For more information about send and receive strings, and monitor timeout values, refer to the Supplemental Information section of this article.
  • The destination <ip_address>:<port> is the IP address and port of the virtual server that resides on the loopback of the origin web server.

Create a FastL4 profile

Create a FastL4 profile to disable hardware acceleration for the virtual server.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Create the FastL4 profile by using the following command syntax:

    create ltm profile fastl4 <profile_name> pva-acceleration none

For example, to create a profile named ipip.fastl4, you enter the following command:

    create ltm profile fastl4 ipip.fastl4 pva-acceleration none

Create a virtual server

Create a virtual server to answer client requests and forward the requests to the pool members.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Create the virtual server using the following command syntax:

    create ltm virtual <virtual_server_name> destination <ip_address>:any pool <pool_name> profiles add { <fastl4_profile> } translate-address disabled ip-protocol <protocol>

For example, to create a virtual server with the name ipip.vip and the address 10.200.1.100:any, which references the load balancing pool and FastL4 profile created in the previous steps, you enter the following command:

    create ltm virtual ipip.vip destination 10.200.1.100:any pool ipip.pool profiles add { ipip.fastl4 } translate-address disabled ip-protocol tcp

Note: The destination IP address of the virtual server must be the same as that of the virtual service hosted on the loopback interface of the origin web server.

After you complete all the steps on the BIG-IP system, save the configuration by entering the following command:

    tmsh save sys config

Configure a loopback IP

Configure the origin web server with an IP address on the loopback interface that matches the destination IP address of the BIG-IP virtual server and of the BIG-IP transparent monitor.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Note: The following command examples are for a web server running a generic GNU/Linux operating system. They are provided for guidance only. For more information about configuring your specific operating system, refer to your documentation.

To assign the IP address 10.200.1.100 to the loopback interface, use a command similar to the following example:

    ip addr add 10.200.1.100 label lo:0 dev lo scope global

Note: Scope must be set to global to ensure this IP address is routable.

Configure an encapsulation tunnel

Configure the origin web server to listen for encapsulated packets destined for the loopback IP address.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Note: The following command examples are for a web server running a generic GNU/Linux operating system. They are provided for guidance only. For more information about configuring your specific operating system, refer to your documentation.

To configure the origin web server for an IPIP tunnel, use a series of commands similar to the following example:

    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
    modprobe ipip
    ip link set tunl0 up
    ip addr add 10.200.1.100 scope host dev tunl0
    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w net.ipv4.conf.tunl0.rp_filter=0

To configure the origin web server for a GRE tunnel, use a series of commands similar to the following example:

    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
    modprobe ipgre
    ip link set gre0 up
    ip addr add 10.200.1.100 scope host dev gre0
    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w net.ipv4.conf.gre0.rp_filter=0

Configure the web service

Configure the web service running on the origin web server to listen on the IP address that you configured on the loopback interface in the previous steps of this article.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

To maintain consistency with the example configuration in this article, you create the web service at 10.200.1.100:80. For information about configuring the web service on the loopback interface of the origin web server, refer to your web server documentation.
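The origin-server half of this procedure fails silently when a setting is off (rp_filter discards the decapsulated packets, or the VIP is added with the wrong scope), so below is an added audit script, not part of the F5 article or its tooling, that checks the sysctl values and addresses the steps above configure. It assumes a Linux origin server, reads live values from /proc/sys and from `ip -o -4 addr show`, and the `ip` output embedded in it is a constructed sample.

```python
"""Audit an origin web server for the L3 nPath (DSR) settings set above.
Added example; assumptions: sysctls are read from /proc/sys and addresses
from `ip -o -4 addr show`. The check functions take plain values so the
logic can be exercised offline against captured output."""
import subprocess
import sys


def expected_dsr_sysctls(tunnel_dev):
    """Kernel settings the procedure sets on the origin server, with the
    reason each one matters for direct server return."""
    return {
        # The origin server holds the VIP locally but must neither announce
        # nor answer ARP for it: only the BIG-IP virtual server should own
        # that address on the wire.
        "net.ipv4.conf.all.arp_ignore": "3",
        "net.ipv4.conf.all.arp_announce": "2",
        # Encapsulated client packets arrive on the tunnel device with a
        # source address whose return route points out another interface;
        # strict reverse-path filtering drops them silently, so the monitor
        # never goes up and clients get no response.
        "net.ipv4.conf.all.rp_filter": "0",
        "net.ipv4.conf.%s.rp_filter" % tunnel_dev: "0",
    }


def audit_dsr_sysctls(actual, tunnel_dev):
    """Return [(name, actual, expected)] for every missing or wrong setting."""
    findings = []
    for name, want in expected_dsr_sysctls(tunnel_dev).items():
        got = actual.get(name)
        if got is None or str(got).strip() != want:
            findings.append((name, got, want))
    return findings


def parse_ip_addr(output):
    """Parse `ip -o -4 addr show` lines into (device, address, scope).
    Example line: '1: lo    inet 10.200.1.100/32 scope global lo:0\\ ...'."""
    entries = []
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] != "inet" or "scope" not in tok:
            continue
        addr = tok[3].split("/")[0]
        scope = tok[tok.index("scope") + 1]
        entries.append((tok[1], addr, scope))
    return entries


def audit_vip_addresses(entries, vip, tunnel_dev):
    """The VIP must be on lo with scope global (routable, so the server can
    source replies from it) and on the tunnel device with scope host.
    Returns [(device, vip, actual_scope, expected_scope)] for mismatches."""
    have = {(dev, addr): scope for dev, addr, scope in entries}
    findings = []
    for dev, want in (("lo", "global"), (tunnel_dev, "host")):
        got = have.get((dev, vip))
        if got != want:
            findings.append((dev, vip, got, want))
    return findings


def read_sysctls(names, root="/proc/sys"):
    """Read 'net.ipv4.conf.all.rp_filter' as root/net/ipv4/conf/all/rp_filter."""
    values = {}
    for name in names:
        try:
            with open("/".join([root] + name.split("."))) as fh:
                values[name] = fh.read().strip()
        except OSError:  # e.g. the tunnel device has not been created yet
            values[name] = None
    return values


# Constructed sample of `ip -o -4 addr show` on a correctly configured server.
SAMPLE_IP_ADDR = "\n".join([
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever",
    "1: lo    inet 10.200.1.100/32 scope global lo:0\\       valid_lft forever preferred_lft forever",
    "2: eth0    inet 10.104.5.1/24 brd 10.104.5.255 scope global eth0\\       valid_lft forever preferred_lft forever",
    "3: tunl0    inet 10.200.1.100/32 scope host tunl0\\       valid_lft forever preferred_lft forever",
])

if __name__ == "__main__":
    vip = sys.argv[1] if len(sys.argv) > 1 else "10.200.1.100"
    dev = sys.argv[2] if len(sys.argv) > 2 else "tunl0"  # gre0 for a GRE tunnel
    live = read_sysctls(expected_dsr_sysctls(dev))
    ip_out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                            capture_output=True, text=True).stdout
    problems = (audit_dsr_sysctls(live, dev)
                + audit_vip_addresses(parse_ip_addr(ip_out), vip, dev))
    for p in problems:
        print("MISMATCH", p)
    sys.exit(1 if problems else 0)
```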

Thursday, 3 October 2024

Chrome browser version (129) in headless mode produces a blank white window

Looks like this is a bug in Chrome Browser 129, which was released on September 17th, 2024. https://developer.chrome.com/docs/chromedriver/

Related issues on GitHub: https://github.com/SeleniumHQ/selenium/issues/14514

Solution 1: work with Chrome 128.

Solution 2: hide the window by moving it off screen:

    var co = new ChromeOptions();
    co.AddArgument("--window-position=-10000,-10000");

Solution 3: use the old headless mode:

    options.AddArgument("--headless=old");

https://developer.chrome.com/docs/chromium/headless

Wednesday, 25 September 2024

Activate Office 2021 for FREE using KMS client key

Step 1.1: Open cmd program with administrator rights. First, you need to open cmd in the admin mode, then run all commands below one by one. Step 1.2: Get into the Office directory in cmd. cd /d %ProgramFiles(x86)%\Microsoft Office\Office16 cd /d %ProgramFiles%\Microsoft Office\Office16 If you install your Office in the ProgramFiles folder, the Office directory depends on the architecture of your OS. If you are not sure of this issue, just run both of the commands above. One of them will be not executed and an error message will be printed on the screen. Step 1.3: Install Office 2021 volume license. for /f %x in ('dir /b ..\root\Licenses16\ProPlus2021VL_KMS*.xrm-ms') do cscript ospp.vbs /inslic:"..\root\Licenses16\%x" This step is required. You can not install the KMS client product key of Office without a volume license. Step 1.4: Activate your Office using the KMS key. Make sure your device is connected to the internet, then run the following commands. cscript ospp.vbs /setprt:1688 cscript ospp.vbs /unpkey:6F7TH >nul cscript ospp.vbs /inpkey:FXYTK-NJJ8C-GB6DW-3DYQT-6F7TH cscript ospp.vbs /sethst:kms8.msguides.com cscript ospp.vbs /act

Tuesday, 10 September 2024

[ MongoDB ] What to do if you accidentally drop a MongoDB table?

In fact, many people who run into this situation think that the MongoDB data cannot be saved, and very few people write about this case. It is a very real situation and brings many difficulties when faced. If the database were Oracle, we could do it easily. But what about MongoDB? The answer is yes, although the way to save the data is more complicated. In this article, I will share with you a method that can save data after deleting or dropping the wrong table: a useful method for those who accidentally impact the database.

Step 1: Immediately back up the oplog after detecting the wrong data deletion. The command is as follows:

    mongodump -u username --authenticationDatabase admin -p password -d local -c oplog.rs --out /backup/mongo

Step 2: Determine, from the oplog.rs collection, the timestamp of the drop so that you can restore to the point in time just before it:

    db.getCollection("oplog.rs").find({"o.drop" : "collection_name"})

Step 3: Restore up to the point in time of the drop to recover the data:

    mongorestore --port 27017 -u username -p password --authenticationDatabase admin --oplogReplay --oplogLimit=1725939063:1 /backup/mongo/local/oplog.rs.bson
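As an added example (not from the original post), the following Python derives the --oplogLimit value used in step 3 from the entry that step 2 finds: the drop's own timestamp, because --oplogLimit stops the replay before the given timestamp, so everything up to but excluding the drop is applied. The oplog documents are constructed sample data, and the Timestamp tuple is a stand-in for bson.Timestamp so the code runs without pymongo.

```python
"""Derive mongorestore --oplogLimit from the oplog entry of an accidental
collection drop. Added example; the oplog is supplied as plain dicts (the
shape mongodump's oplog.rs.bson decodes to), with a (time, inc) Timestamp
stand-in instead of bson.Timestamp so it runs offline."""
from collections import namedtuple

# Stand-in for bson.Timestamp: seconds since the epoch plus an ordinal that
# orders operations within the same second.
Timestamp = namedtuple("Timestamp", "time inc")


def find_drop_entries(oplog, db, collection):
    """Every oplog entry that dropped db.collection, oldest first. A drop is
    a command op ('c') on the database's $cmd namespace whose body is
    {"drop": <collection>}, i.e. what find({"o.drop": ...}) matches."""
    drops = [e for e in oplog
             if e.get("op") == "c" and e.get("ns") == db + ".$cmd"
             and e.get("o", {}).get("drop") == collection]
    return sorted(drops, key=lambda e: (e["ts"].time, e["ts"].inc))


def oplog_limit_for_drop(oplog, db, collection):
    """Return the 'seconds:inc' string for mongorestore --oplogLimit, or None
    if no drop of that collection is in the oplog. --oplogLimit excludes
    entries at or after the given timestamp, so the drop's own timestamp
    replays everything before the drop and nothing from it onward. If the
    collection was dropped more than once, the latest drop is the one that
    destroyed the current data, so that one is used."""
    drops = find_drop_entries(oplog, db, collection)
    if not drops:
        return None
    ts = drops[-1]["ts"]
    return "%d:%d" % (ts.time, ts.inc)


def entries_replayed(oplog, limit):
    """Entries that --oplogReplay would apply under the given limit; handy
    for reviewing what will be restored before touching a live system."""
    sec, inc = (int(x) for x in limit.split(":"))
    return [e for e in oplog if (e["ts"].time, e["ts"].inc) < (sec, inc)]


# Constructed sample oplog (not real data): two inserts, the accidental drop,
# then an unrelated later write that must not be replayed.
SAMPLE_OPLOG = [
    {"ts": Timestamp(1725939000, 1), "op": "i", "ns": "shop.orders",
     "o": {"_id": 1, "total": 10}},
    {"ts": Timestamp(1725939030, 1), "op": "i", "ns": "shop.orders",
     "o": {"_id": 2, "total": 25}},
    {"ts": Timestamp(1725939063, 1), "op": "c", "ns": "shop.$cmd",
     "o": {"drop": "orders"}},
    {"ts": Timestamp(1725939100, 1), "op": "i", "ns": "shop.audit",
     "o": {"_id": 7, "event": "login"}},
]

if __name__ == "__main__":
    limit = oplog_limit_for_drop(SAMPLE_OPLOG, "shop", "orders")
    print("mongorestore --oplogReplay --oplogLimit=%s "
          "/backup/mongo/local/oplog.rs.bson" % limit)
    print("entries replayed:", len(entries_replayed(SAMPLE_OPLOG, limit)))
```

Replay into a scratch instance and copy the recovered collection back, rather than running --oplogReplay against the production replica set, since the replay applies every namespace in the dumped oplog up to the limit.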

Monday, 26 August 2024

How to add a custom PHP version in Plesk for Linux?

 

Question

How to add a custom PHP version in Plesk for Linux?

Answer

Warning: All the instructions below are to be performed at own will and risk. These steps are provided for demonstration purposes only and not supported by Plesk. Depending on the operating system and the desired configuration, installation steps might differ significantly. When installing an additional PHP version on the server, read the official PHP documentation on installation. It's recommended to perform the installation on a test environment before modifying the production environment.

On Linux systems, you can install any PHP version you need and then make it available in Plesk by registering it with the plesk bin php_handler command-line utility.


1- Install the custom PHP version

Install the desired PHP version on the server. For installation guidelines, refer to the official PHP documentation available at http://php.net/manual/en/install.php. In brief, the installation includes the following main steps.

  1. Connect to the server via SSH

  2. Install C compiler and XML library with the following commands:

    • RHEL based OSes:

      yum install gcc -y && yum install libxml2-devel -y

    • Debian based OSes:

      apt-get install build-essential && apt-get install libxml2-dev

  3. Download the PHP source you need from the official website (http://php.net/downloads.php or http://php.net/releases/) to the server and unpack it:

    gunzip php-NN.tar.gz

    tar -xf php-NN.tar

  4. Configure and build PHP:

    Note: In this step, it's possible to customize PHP with various options, such as specifying which extensions will be enabled in the compiled PHP version. Run ./configure --help to see a list of the available options.

    cd ../php-NN

    ./configure --prefix=/usr/local/phpNN --enable-fpm --with-fpm-group=www-data

    make

    make install

  5. Set up the php.ini:

    Note: Edit the .ini file to set the desired PHP options. If the php.ini file needs to be in another location, run the configure utility with the option --with-config-file-path=/some/path in the previous step.

    cp php.ini-development /usr/local/lib/php.ini

2- Register the custom PHP version in Plesk

  1. Connect to the server via SSH

  2. Register the new PHP version in Plesk:

    Note: More information can be found with the following command: plesk bin php_handler --help

    2.1- CGI/FastCGI example:

      plesk bin php_handler --add -displayname <NN> -path <path to php-cgi binary> -phpini <path to php.ini> -type <php handler> -id <NN-custom> -clipath <path to php cli>

    Where:

      • -displayname <NN>: the PHP version name that will be shown in the Plesk UI. It's recommended to include the version number in the display name, for example: 7.4.5-custom
      • -path <path to php-cgi binary>: the location of the PHP CGI binary file. The location is shown in the output of the command make install in the line Installing PHP CGI binary. For example, if the output contains the line Installing PHP CGI binary: /usr/local/bin/, the location to specify is /usr/local/bin/php-cgi. Learn more at: http://php.net/manual/en/install.unix.commandline.php
      • -clipath <path to php cli>: the location of the PHP CLI binary file. The location is shown in the output of the command make install in the line Installing PHP CLI binary. For example, if the output contains the line Installing PHP CLI binary: /usr/local/bin/, the location to specify is /usr/local/bin/php. Learn more at: http://php.net/manual/en/install.unix.commandline.php
      • -phpini <path to php.ini>: the location of the php.ini file, for example: /usr/local/lib/php.ini
      • -type <php handler>: the type of the PHP handler associated with the installed PHP version. This example is for the cgi, fpm or fastcgi PHP handlers; mod_php is not supported
      • (Optional) -id <NN-custom>: the identifier that will be used to refer to this PHP version when adjusting or removing it via the plesk bin php_handler utility

    2.2- FPM example (notes: the systemd service unit must also be created manually, as it is specific to the OS distribution; to add the PHP handler as a dedicated application, append '-fpm-dedicated' to the handler ID when registering; to add PHP as a 'usual' FPM application, add the handler a second time without '-fpm-dedicated'):

      plesk bin php_handler --add -displayname <NN> -path <path to php-fpm binary> -phpini <path to php.ini> -type fpm -id <NN-custom> -clipath <path to php cli> -service <PHP_FPM_service_name> -poold <path to php-fpm.d pool folder>

    Where:

      • -path <path to php-fpm binary>: the location of the PHP FPM binary file. The location is shown in the output of the command make install in the line Installing PHP-FPM binary
      • -service <PHP FPM service name>: the PHP FPM service name
      • -poold <path to php-fpm.d pool folder>: the location containing the pool configuration files

3- Assign the custom PHP version (Plesk GUI)

Once the custom PHP versions are registered by applying the steps above, they will be available:

  1. Log in to Plesk GUI

  2. Assign the custom PHP version:

    • Service Plan level: Go to Service Plans > Service Plan Name > PHP Settings

    • Domain level: Go to Domains > example.com > PHP Settings


Wednesday, 14 August 2024

Cwrsync Invalid UID Nobody solution

The following error occurred while using the rsync/cwrsync tool for file synchronization:

C:\Program Files\cwrsync\bin>rsync.exe -av rsync://192.168.0.211:52326/test /cygdrive/e/www.01314.cn/rsync
@ERROR: invalid uid nobody

Workaround: add the following two lines to the rsyncd.conf file to resolve the problem:

uid = 0
gid = 0

Note that uid = 0 makes the daemon read and write files as root, so keep the module at read only = yes and narrow hosts allow from * to the client addresses that actually need access.

Full rsyncd.conf file:

uid = 0
gid = 0
use chroot = false
strict modes = false
hosts allow = *
log file = rsyncd.log
pid file = rsyncd.pid
port = 52326
max connections = 4

# Module definitions
# Remember Cygwin naming conventions: c:\work becomes /cygwin/c/work
#
[Test]
path = /cygdrive/e/rsync/res
read only = yes
transfer logging = yes
lock file = rsyncd.lock

cwrsync client password file permissions and the "invalid uid nobody" error

How to fix the permissions of the cwrsync client password file:

On Windows, use chmod under Cygwin. After creating the file, change its permissions to 600:

chmod 600 /rsyncd.passwd

How to fix "invalid uid nobody": edit the config file rsyncd.conf and add the following at the beginning of the file:

uid = 0
gid = 0


Technical Note: Policy IDs column in FortiMail History Log

Description

This article describes the additional column called 'Policy IDs' that was added to the History Log in FortiMail firmware v5.0. It is very useful for troubleshooting which policies or access controls are generating the log entries.

Scope

FortiMail v5.0 onwards.

Solution

The Policy ID value is separated into 3 different columns:

<Access Control> : <IP Policies> : <Recipient Policies>

For example: Policy IDs 9:1:3

This means the message is hitting Access Control ID 9, IP Policy 1 and Recipient Policy 3.

If no access control policies were created, FortiMail uses the default access control policy, which has the number '0', to relay inbound emails.

Wednesday, 19 June 2024

List of Top Public Time Servers

## Google Public NTP [AS15169]:

time.google.com

time1.google.com

time2.google.com

time3.google.com

time4.google.com

## Cloudflare NTP [AS13335]:

time.cloudflare.com

## Facebook NTP [AS32934]:

time.facebook.com

time1.facebook.com

time2.facebook.com

time3.facebook.com

time4.facebook.com

time5.facebook.com

## Microsoft NTP server [AS8075]:

time.windows.com

## Apple NTP server [AS714, AS6185]:

time.apple.com

time1.apple.com

time2.apple.com

time3.apple.com

time4.apple.com

time5.apple.com

time6.apple.com

time7.apple.com

time.euro.apple.com

## DEC/Compaq/HP:

clepsydra.dec.com

clepsydra.labs.hp.com

clepsydra.hpl.hp.com

usno.labs.hp.com

## NIST Internet Time Service (ITS) [AS49, AS104]:

time-a-g.nist.gov

time-b-g.nist.gov

time-c-g.nist.gov

time-d-g.nist.gov

time-a-wwv.nist.gov

time-b-wwv.nist.gov

time-c-wwv.nist.gov

time-d-wwv.nist.gov

time-a-b.nist.gov

time-b-b.nist.gov

time-c-b.nist.gov

time-d-b.nist.gov

time.nist.gov

time-e-b.nist.gov

time-e-g.nist.gov

time-e-wwv.nist.gov

utcnist.colorado.edu

utcnist2.colorado.edu

## VNIIFTRI:

### Stratum 1:

ntp1.vniiftri.ru

ntp2.vniiftri.ru

ntp3.vniiftri.ru

ntp4.vniiftri.ru

ntp.sstf.nsk.ru

ntp1.niiftri.irkutsk.ru

ntp2.niiftri.irkutsk.ru

vniiftri.khv.ru

vniiftri2.khv.ru

### Stratum 2:

ntp21.vniiftri.ru

## Mobatime:

### Stratum 1:

ntp.mobatime.ru

## NTP SERVERS:

ntp0.ntp-servers.net

ntp1.ntp-servers.net

ntp2.ntp-servers.net

ntp3.ntp-servers.net

ntp4.ntp-servers.net

ntp5.ntp-servers.net

ntp6.ntp-servers.net

ntp7.ntp-servers.net

### Stratum 1:

ntp1.stratum1.ru

ntp2.stratum1.ru

ntp3.stratum1.ru

ntp4.stratum1.ru

ntp5.stratum1.ru

### Stratum 2:

ntp1.stratum2.ru (Moscow)

ntp2.stratum2.ru

ntp3.stratum2.ru

ntp4.stratum2.ru

ntp5.stratum2.ru

## Stratum1:

### Stratum 1:

stratum1.net

## time.in.ua:

### Stratum 1:

ntp.time.in.ua

ntp2.time.in.ua

### Stratum 2:

ntp3.time.in.ua

## Company Delfa Co. Ltd. [AS8915]:

ntp.ru

## ACO.net [AS1853]:

ts1.aco.net

ts2.aco.net

## Berkeley [AS25]:

### Stratum 1:

ntp1.net.berkeley.edu

ntp2.net.berkeley.edu

## Georgia State University [AS10631]:

ntp.gsu.edu

## University of Saskatchewan [AS22950]:

tick.usask.ca

tock.usask.ca

## NSU [AS3335]:

### Stratum 2:

ntp.nsu.ru

## ITAEC [AS41783]:

ntp.psn.ru

## RSU [AS47124]:

### Stratum 1:

ntp.rsu.edu.ru

## National Institute of Information and Communications Technology [AS9355]:

ntp.nict.jp

## NTT [AS2914]:

x.ns.gin.ntt.net

y.ns.gin.ntt.net

## HE.net [AS6939]:

clock.nyc.he.net

clock.sjc.he.net

## TRC Fiord [AS28917]:

ntp.fiord.ru

## Netnod NTP service [AS57021]:

### Stratum 1:

Göteborg:

gbg1.ntp.se

gbg2.ntp.se

Malmö:

mmo1.ntp.se

mmo2.ntp.se

Stockholm:

sth1.ntp.se

sth2.ntp.se

Sundsvall:

svl1.ntp.se

svl2.ntp.se

Anycast address for nearest NTP server of the above:

ntp.se

## QiX NTP [AS14086]:

ntp.qix.ca

ntp1.qix.ca

ntp2.qix.ca

## YYCIX NTP [AS396515]:

ntp.yycix.ca

## MSK-IX NTP [AS43832]:

### Stratum 1:

ntp.ix.ru

## Hetzner Online [AS24940]:

ntp1.hetzner.de

ntp2.hetzner.de

ntp3.hetzner.de

## Trabia-Network [AS43289]:

time-a.as43289.net

time-b.as43289.net

time-c.as43289.net

## RIPE [AS3333]:

ntp.ripe.net

## Internet Systems Consortium [AS1280]:

clock.isc.org (prev ntp.isc.org)

## TimeNL/SIDN Labs [AS1140]:

ntp.time.nl (ntp1.time.nl)

## Kantonsschule Zug [AS34288]:

ntp0.as34288.net

ntp1.as34288.net

## INTERNET MULTIFEED CO. [AS7521]:

ntp1.jst.mfeed.ad.jp

ntp2.jst.mfeed.ad.jp

ntp3.jst.mfeed.ad.jp

## Chinese Academy of Sciences National Time Service Center [AS4808, AS9808, AS23724]:

ntp.ntsc.ac.cn

## Nat Morris [AS30746]:

### Stratum 1:

ntp.nat.ms

## NTP Pool:

pool.ntp.org

0.pool.ntp.org

1.pool.ntp.org

2.pool.ntp.org

3.pool.ntp.org

europe.pool.ntp.org

0.europe.pool.ntp.org

1.europe.pool.ntp.org

2.europe.pool.ntp.org

3.europe.pool.ntp.org

asia.pool.ntp.org

0.asia.pool.ntp.org

1.asia.pool.ntp.org

2.asia.pool.ntp.org

3.asia.pool.ntp.org

ru.pool.ntp.org

0.ru.pool.ntp.org

1.ru.pool.ntp.org

2.ru.pool.ntp.org

3.ru.pool.ntp.org

north-america.pool.ntp.org

0.north-america.pool.ntp.org

1.north-america.pool.ntp.org

2.north-america.pool.ntp.org

3.north-america.pool.ntp.org

0.gentoo.pool.ntp.org

1.gentoo.pool.ntp.org

2.gentoo.pool.ntp.org

3.gentoo.pool.ntp.org

0.arch.pool.ntp.org

1.arch.pool.ntp.org

2.arch.pool.ntp.org

3.arch.pool.ntp.org

0.fedora.pool.ntp.org

1.fedora.pool.ntp.org

2.fedora.pool.ntp.org

3.fedora.pool.ntp.org

0.opensuse.pool.ntp.org

1.opensuse.pool.ntp.org

2.opensuse.pool.ntp.org

3.opensuse.pool.ntp.org

0.centos.pool.ntp.org

1.centos.pool.ntp.org

2.centos.pool.ntp.org

3.centos.pool.ntp.org

0.debian.pool.ntp.org

1.debian.pool.ntp.org

2.debian.pool.ntp.org

3.debian.pool.ntp.org

0.askozia.pool.ntp.org

1.askozia.pool.ntp.org

2.askozia.pool.ntp.org

3.askozia.pool.ntp.org

0.freebsd.pool.ntp.org

1.freebsd.pool.ntp.org

2.freebsd.pool.ntp.org

3.freebsd.pool.ntp.org

0.netbsd.pool.ntp.org

1.netbsd.pool.ntp.org

2.netbsd.pool.ntp.org

3.netbsd.pool.ntp.org

0.openbsd.pool.ntp.org

1.openbsd.pool.ntp.org

2.openbsd.pool.ntp.org

3.openbsd.pool.ntp.org

0.dragonfly.pool.ntp.org

1.dragonfly.pool.ntp.org

2.dragonfly.pool.ntp.org

3.dragonfly.pool.ntp.org

0.pfsense.pool.ntp.org

1.pfsense.pool.ntp.org

2.pfsense.pool.ntp.org

3.pfsense.pool.ntp.org

0.opnsense.pool.ntp.org

1.opnsense.pool.ntp.org

2.opnsense.pool.ntp.org

3.opnsense.pool.ntp.org

0.smartos.pool.ntp.org

1.smartos.pool.ntp.org

2.smartos.pool.ntp.org

3.smartos.pool.ntp.org

0.android.pool.ntp.org

1.android.pool.ntp.org

2.android.pool.ntp.org

3.android.pool.ntp.org

0.amazon.pool.ntp.org

1.amazon.pool.ntp.org

2.amazon.pool.ntp.org

3.amazon.pool.ntp.org






# Other:


## .mil:

tick.usno.navy.mil

tock.usno.navy.mil

ntp2.usno.navy.mil


## .edu:

utcnist.colorado.edu

utcnist2.colorado.edu

timekeeper.isi.edu

rackety.udel.edu

mizbeaver.udel.edu

otc1.psu.edu

gnomon.cc.columbia.edu

navobs1.gatech.edu

navobs1.wustl.edu

now.okstate.edu

ntp.colby.edu

ntp-s1.cise.ufl.edu

bonehed.lcs.mit.edu

level1e.cs.unc.edu

tick.ucla.edu

tick.uh.edu


## .com:

ntpstm.netbone-digital.com

nist1.symmetricom.com

ntp.quintex.com

ntp1.conectiv.com

tock.usshc.com


## .net:

t2.timegps.net

gps.layer42.net

ntp-ca.stygium.net

sesku.planeacion.net

ntp0.nl.uu.net

ntp1.nl.uu.net

navobs1.oar.net

ntp-galway.hea.net


## .org:

ntp1.ona.org

ntp.your.org

ntp.mrow.org


## .de:

time.fu-berlin.de

ntps1-0.cs.tu-berlin.de

ntps1-1.cs.tu-berlin.de

ntps1-0.uni-erlangen.de

ntps1-1.uni-erlangen.de

ntp1.fau.de

ntp2.fau.de

ntp.dianacht.de

zeit.fu-berlin.de

ptbtime1.ptb.de

ptbtime2.ptb.de

rustime01.rus.uni-stuttgart.de

rustime02.rus.uni-stuttgart.de


## .nl:

chime1.surfnet.nl

ntp.vsl.nl


## .at:

asynchronos.iiss.at


## .cz:

ntp.nic.cz

time.ufe.cz


## .pl:

ntp.fizyka.umk.pl

tempus1.gum.gov.pl

tempus2.gum.gov.pl


## .ro:

ntp1.usv.ro

ntp3.usv.ro


## .se:

timehost.lysator.liu.se

time1.stupi.se


## .ca:

time.nrc.ca

clock.uregina.ca


## .mx:

cronos.cenam.mx

ntp.lcf.mx


## .es:

hora.roa.es

minuto.roa.es


## .it:

ntp1.inrim.it

ntp2.inrim.it


## .be:

ntp1.oma.be

ntp2.oma.be


## .hu:

ntp.atomki.mta.hu


## .eus:

ntp.i2t.ehu.eus


## .ch:

ntp.neel.ch


## .cn:

ntp.neu.edu.cn


## .jp:

ntp.nict.jp


## .br:

ntps1.pads.ufrj.br


## .cl:

ntp.shoa.cl


## .int:

time.esa.int

time1.esa.int



http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

http://support.ntp.org/bin/view/Servers/NTPPoolServers

http://www.pool.ntp.org/zone/@

http://www.pool.ntp.org/zone/asia

http://www.pool.ntp.org/zone/europe

http://www.pool.ntp.org/zone/north-america

http://www.pool.ntp.org/zone/oceania

http://www.pool.ntp.org/zone/south-america

https://time.nl/

https://time.nl/index_en.html

http://time.in.ua/

https://www.chrony.eu/status

https://www.ntp-server.de/ntp-server-deutschland/

https://www.ntp-server.de/ntp-server-oesterreich/

https://www.ntp-server.de/ntp-server-schweiz/


Wednesday, 12 June 2024

Integrating FreeIPA with vCenter (NetBox, Graylog, Checkmk, ...) and enabling OTP (2FA) authentication

Introduction

Given the current security risk landscape and vendor recommendations, security teams enable every authentication mechanism they can: the more layers, the better.

So OTP for applications is very much needed. Some applications have OTP built in, some do not, and some require a paid product, or the free edition limits the number of users and needs an Internet connection.

In this article the HCD team presents an approach that uses FreeIPA to provide an LDAP/LDAPS authentication source for applications that support LDAP integration. In addition, FreeIPA can issue OTP tokens for the users it manages, so this solution is a viable option for anyone who needs OTP-based authentication.


Advantages

  • Only one Linux machine of moderate size is needed: 4 CPU, 8 GB RAM, 100 GB disk.
  • No Internet connection is needed to receive OTP codes.
  • No limit on the number of users when integrating.
  • Free.
  • Can integrate with products that support LDAP/LDAPS (vCenter, NetBox, Graylog, Checkmk, ...).

Disadvantages

  • VMware does not document this approach as supported, so you have to experiment and troubleshoot on your own.

Environment

CentOS 8, RHEL 8, CentOS 9 or RHEL 9

This lab uses RHEL 8.

Note that in this lab FreeIPA also serves as DNS for the domain conglab.local, even though vCenter was previously using a different DNS server.

vCenter 7.0.3, domain vcenter.labhtv.local (10.10.240.245)

FreeIPA 4.9.11, domain ipa.conglab.local (10.10.240.186)

Topology

Installing FreeIPA

Set a static IP if needed; assume the IP is 10.10.240.186.

Configure the hostname:

hostnamectl set-hostname ipa.conglab.local

echo "10.10.240.186  ipa.conglab.local ipa" >> /etc/hosts

Configure the timezone.

Configure firewalld and SELinux on CentOS/RHEL.

Enable the module that provides the FreeIPA packages:

dnf module enable idm:DL1

Install the FreeIPA packages:

dnf install ipa-server ipa-server-dns -y

Configure FreeIPA with integrated DNS (the FreeIPA host itself is the DNS server):

ipa-server-install --setup-dns

At the installer prompts, enter the required parameters.

Server host name [ipa.conglab.local]: ipa.conglab.local

Please confirm the domain name [conglab.local]: conglab.local

Please provide a realm name [CONGLAB.LOCAL]: CONGLAB.LOCAL

Directory Manager password:
Password (confirm):

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]: yes

Do you want to configure these servers as DNS forwarders? [yes]:yes

Enter an IP address for a DNS forwarder, or press Enter to skip:

Do you want to search for missing reverse zones? [yes]: no

NetBIOS domain name [CONGLAB]: CONGLAB

Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip:

Enter a NTP source pool address, or press Enter to skip:

Continue to configure the system with these values? [no]: yes

Wait for the installer to complete its steps.

When the installation finishes, a summary screen is shown (screenshot not included); it lists the network ports FreeIPA needs.

If firewalld is in use, allow those ports:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd
firewall-cmd --reload

Check that FreeIPA is running with the command ipactl status; output like the following means it is OK:

[root@ipa ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Reboot the machine after installation and check the status again to be sure.

Confirm the admin ticket with kinit admin and klist; if the login succeeds and a ticket is printed, FreeIPA is working.

[root@ipa ~]# kinit admin
Password for admin@CONGLAB.LOCAL:
[root@ipa ~]# klist
Ticket cache: KCM:0
Default principal: admin@CONGLAB.LOCAL

Valid starting       Expires              Service principal
06/07/2024 14:06:30  06/08/2024 13:57:22  krbtgt/CONGLAB.LOCAL@CONGLAB.LOCAL

Open the web UI at https://ipa.conglab.local/ipa/ui/

Enter the admin account and the password set during installation.

Log in

At this point the FreeIPA installation is complete; the next steps integrate it with platforms such as vCenter and NetBox and enable OTP.

Integrating FreeIPA with vCenter and enabling OTP

By default, VMware does not claim support for FreeIPA, so before integrating FreeIPA with vCenter and using OTP, the FreeIPA schema must be adjusted so that it is compatible with OpenLDAP (which VMware does support).

Adjust the FreeIPA schema for compatibility with vCenter.

Create the file vsphere_usermod.ldif on the FreeIPA server

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sn=%{sn}
-

Create the file vsphere_groupmod.ldif on the FreeIPA server

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

Run the following commands to apply the changes

ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W -v
ldapmodify -x -D "cn=Directory Manager" -f vsphere_usermod.ldif -W -v
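To see what the two LDIF files change for vCenter, here is an added Python model (not code from the original post or from FreeIPA) of the entries the Schema Compatibility plugin exposes under cn=compat once the attributes above are added; in particular it applies the same %mregsub rewrite that turns a member DN under cn=accounts into one under cn=compat. The base suffix dc=conglab,dc=local, the default objectClasses posixAccount/posixGroup, and the sample group name are assumptions.

```python
import re
from typing import Dict, List

BASE = "dc=conglab,dc=local"  # assumed suffix for the lab realm CONGLAB.LOCAL
# The rewrite from vsphere_groupmod.ldif: %mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
MEMBER_REWRITE = re.compile(r"^(.*)accounts(.*)")


def compat_member_dn(member_dn: str) -> str:
    """Point a group member at the compat tree instead of cn=accounts, so vCenter can resolve it."""
    return MEMBER_REWRITE.sub(r"\1compat\2", member_dn)


def compat_user_entry(uid: str, sn: str) -> Dict[str, List[str]]:
    """User as seen under cn=users,cn=compat after vsphere_usermod.ldif (adds inetOrgPerson and sn)."""
    return {
        "dn": [f"uid={uid},cn=users,cn=compat,{BASE}"],
        "objectClass": ["posixAccount", "inetOrgPerson"],  # posixAccount as compat default (assumed)
        "uid": [uid],
        "sn": [sn],
    }


def compat_group_entry(cn: str, members: List[str]) -> Dict[str, List[str]]:
    """Group as seen under cn=groups,cn=compat after vsphere_groupmod.ldif (adds groupOfUniqueNames)."""
    return {
        "dn": [f"cn={cn},cn=groups,cn=compat,{BASE}"],
        "objectClass": ["posixGroup", "groupOfUniqueNames"],  # posixGroup as compat default (assumed)
        "cn": [cn],
        "uniqueMember": [compat_member_dn(m) for m in members],
    }


def to_ldif(entry: Dict[str, List[str]]) -> str:
    """Render an entry the way ldapsearch -LLL would print it."""
    lines = [f"dn: {entry['dn'][0]}"]
    lines += [f"{attr}: {v}" for attr, vals in entry.items() if attr != "dn" for v in vals]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: user hcd1 from the post in a hypothetical group "vcenter-admins".
    members = [f"uid=hcd1,cn=users,cn=accounts,{BASE}"]
    print(to_ldif(compat_user_entry("hcd1", "Sample")))
    print(to_ldif(compat_group_entry("vcenter-admins", members)))
```

Comparing this output with a real ldapsearch against cn=compat,dc=conglab,dc=local is a quick way to confirm both ldapmodify runs took effect before touching vCenter.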

After the configuration is done, open the FreeIPA UI and create the users that will later log in to vCenter.

Creating FreeIPA users

Create a few users for testing

We now have 2 users

Open separate sessions and log in as the newly created users to change their initial passwords and confirm that the login succeeds.

At this point we have FreeIPA users ready to use

Integrating FreeIPA and registering it in vCenter

Before going into vCenter, SSH into the FreeIPA host (or use WinSCP) to download the FreeIPA CA file for use in the next step.

Download the file /etc/ipa/ca.crt to your computer

Add an entry to the vCenter hosts file so that the FreeIPA hostname resolves, since this lab uses two different domains.

root@vcenter [ ~ ]# cat /etc/hosts
# Begin /etc/hosts (network card version)

# VAMI_EDIT_BEGIN
# Generated by Studio VAMI service. Do not modify manually.
127.0.0.1  vcenter.labhtv.local vcenter localhost
::1  vcenter.labhtv.local vcenter localhost ipv6-localhost ipv6-loopback
# VAMI_EDIT_END

10.10.240.186 ipa.conglab.local

Log in to the vCenter web UI and follow these steps

Choose the Administration tab ⇒ Single Sign On ⇒ Configuration ⇒ Add

In the ADD dialog, set Identity Source Type to “Open LDAP”

Fill in the required parameters; in the Certificate step, browse to the ca.crt file downloaded earlier.

After it is added successfully, set the FreeIPA domain as the default identity source for login.

Switch to the Users and Groups tab to check whether the users have been synchronised.

At this point the users from FreeIPA are visible in vCenter but have no permissions yet. Continue with assigning permissions in vCenter so that FreeIPA users can log in to vCenter.

Select the cluster in vCenter, then open the Permissions tab

Choose Add and add a user from the FreeIPA domain

Then open another browser to test the login.

We will see the logged-in screen for the user hcd1@conglab.local. At this step I have not enabled OTP yet, so that the integration can be tested first.

Enabling OTP for FreeIPA users to use at login

Log in as the FreeIPA admin user to enable OTP for the required users; here we choose which authentication method the user will log in with

Then save

Next, choose the Actions menu to create a QR code for user hcd1

In the dialog, additional parameters can be entered; if none are needed, choose ADD

After adding, a QR code is produced to send to the user, who scans it with an authenticator app such as Google Authenticator and uses it from then on.

User hcd1 now has the QR code and receives the random numeric codes.

User hcd1 then opens the FreeIPA or vCenter login page and enters the password plus the code from the phone app, in the form “password immediately followed by the OTP generated by the phone app”

For example, if the password is “Hocchud0ng” and the OTP is 231234, enter Hocchud0ng231234 in the password field
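The password-plus-OTP string from the last two paragraphs, as an added Python example (not code from the original post or from FreeIPA): it computes an RFC 6238 TOTP the way the authenticator app does for a scanned QR code, builds the value the user types, and models the server side splitting off the trailing digits and checking them with a small time window. The secret is the RFC 6238 test key, the 6-digit/30-second token parameters and the split-by-trailing-digits check are a simplified model of the FreeIPA server, all assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed demo secret: the RFC 6238 test key, base32-encoded. Not a real token seed.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30  # seconds per TOTP step (assumed FreeIPA token default)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm an authenticator app runs for a scanned QR code."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_secret(password: str, secret_b32: str, at: Optional[int] = None) -> str:
    """What the user types into the password field: the password immediately followed by the OTP."""
    at = int(time.time()) if at is None else at
    return password + totp(secret_b32, at)


def split_login_secret(typed: str, digits: int = 6) -> Tuple[str, str]:
    """Simplified model of the server side: the trailing digits are the OTP, the rest is the password."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        raise ValueError("no OTP suffix present")
    return typed[:-digits], typed[-digits:]


def verify(typed: str, expected_password: str, secret_b32: str, at: int, window: int = 1) -> bool:
    """Accept the password plus a TOTP from the current step or up to `window` steps either side."""
    try:
        password, otp = split_login_secret(typed)
    except ValueError:
        return False
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    return any(hmac.compare_digest(otp, totp(secret_b32, at + k * STEP))
               for k in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    typed = login_secret("Hocchud0ng", DEMO_SECRET_B32, now)
    print(typed, verify(typed, "Hocchud0ng", DEMO_SECRET_B32, now))
```

Because the OTP is appended to the password, a login failure for an OTP-enabled user is often just clock drift between the phone and the FreeIPA host, which is why the chrony/NTP step during installation matters.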

This completes the configuration.

https://github.com/hocchudong/freeipa-vcenter-netbox-graylog-OTP
