网络技术 – Linux Cache

CentOS 8 tinc安装信息和示例配置文件

4月 122021

包信息

[root@tinc ~]# dnf info tinc
Last metadata expiration check: 0:01:55 ago on Mon 12 Apr 2021 01:44:09 AM UTC.
Installed Packages
Name         : tinc
Version      : 1.0.36
Release      : 2.el8
Architecture : x86_64
Size         : 629 k
Source       : tinc-1.0.36-2.el8.src.rpm
Repository   : @System
From repo    : epel
Summary      : A virtual private network daemon
URL          : http://www.tinc-vpn.org/
License      : GPLv2+
Description  : tinc is a Virtual Private Network (VPN) daemon that uses tunnelling
             : and encryption to create a secure private network between hosts on
             : the Internet. Because the tunnel appears to the IP level network
             : code as a normal network device, there is no need to adapt any
             : existing software. This tunnelling allows VPN sites to share
             : information with each other over the Internet without exposing any
             : information to others.

[root@tinc ~]#

安装路径

[root@tinc ~]# rpm -lq tinc
/usr/lib/.build-id
/usr/lib/.build-id/ec
/usr/lib/.build-id/ec/f0a564e8d20e169bed52480a235992928751ed
/usr/lib/systemd/system/tinc.service
/usr/lib/systemd/system/tinc@.service
/usr/sbin/tincd
/usr/share/doc/tinc
/usr/share/doc/tinc/AUTHORS
/usr/share/doc/tinc/COPYING.README
/usr/share/doc/tinc/NEWS
/usr/share/doc/tinc/README
/usr/share/doc/tinc/THANKS
/usr/share/doc/tinc/sample-config
/usr/share/doc/tinc/sample-config/hosts
/usr/share/doc/tinc/sample-config/hosts/alpha
/usr/share/doc/tinc/sample-config/hosts/beta
/usr/share/doc/tinc/sample-config/rsa_key.priv
/usr/share/doc/tinc/sample-config/tinc-down
/usr/share/doc/tinc/sample-config/tinc-up
/usr/share/doc/tinc/sample-config/tinc.conf
/usr/share/doc/tinc/texinfo.tex
/usr/share/info/tinc.info.gz
/usr/share/licenses/tinc
/usr/share/licenses/tinc/COPYING
/usr/share/man/man5/tinc.conf.5.gz
/usr/share/man/man8/tincd.8.gz
[root@tinc ~]#

服务配置文件示例

https://www.tinc-vpn.org/documentation/Main-configuration-variables.html#Main-configuration-variables

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc.conf
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = alpha

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
ConnectTo = beta

# The tap device tinc will use.
# /dev/tap0 for ethertap, FreeBSD or OpenBSD
# /dev/tun0 for Solaris
# /dev/net/tun for Linux tun/tap
Device = /dev/net/tun
[root@tinc ~]#

主机配置文件示例

https://www.tinc-vpn.org/documentation/Host-configuration-variables.html#Host-configuration-variables

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/alpha
# Sample host configuration file

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.234.35.67

# Portnumber for incoming connections. Default is 655.
Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.1.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/beta
# Sample host configuration file
# This file was generated by host beta.

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.45.67.189

# Portnumber for incoming connections. Default is 655.
Port = 6500

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.2.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

启动和停止脚本示例（使用ifconfig命令依赖net-tools包）

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
[root@tinc ~]#

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-down
#!/bin/sh
# This file closes down the tap device.

ifconfig $INTERFACE down
[root@tinc ~]#

使用ip命令示例

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down

LiteSpeed Web Server PHP版本选配

网络技术 No Responses »

8月 272020

高性能Web Server LiteSpeed基本部署

网络技术 No Responses »

8月 242020

禁用SELinux配置

[root@lsws ~]# sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config;
[root@lsws ~]# setenforce 0
[root@lsws ~]#

配置仓库

[root@lsws ~]# dnf install http://rpms.litespeedtech.com/centos/litespeed-repo-1.1-1.el8.noarch.rpm

查看仓库配置文件

[root@lsws ~]# cat /etc/yum.repos.d/litespeed.repo
[litespeed]
name=LiteSpeed Tech Repository for CentOS $releasever - $basearch
baseurl=http://rpms.litespeedtech.com/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-litespeed

[litespeed-update]
name=LiteSpeed Tech Update Repository for CentOS $releasever - $basearch
baseurl=http://rpms.litespeedtech.com/centos/$releasever/update/$basearch/
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-litespeed

[litespeed-edge]
name=LiteSpeed Tech Edge Repository for CentOS $releasever - $basearch
baseurl=http://rpms.litespeedtech.com/edge/centos/$releasever/$basearch/
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-litespeed

[litespeed-edge-update]
name=LiteSpeed Tech Edge Update Repository for CentOS $releasever - $basearch
baseurl=http://rpms.litespeedtech.com/edge/centos/$releasever/update/$basearch/
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-litespeed
[root@lsws ~]#

更新dnf工具缓存

[root@lsws ~]# dnf makecache
CentOS-8 - AppStream                             12 kB/s | 4.3 kB     00:00
CentOS-8 - Base                                 7.8 kB/s | 3.9 kB     00:00
CentOS-8 - Extras                               2.9 kB/s | 1.5 kB     00:00
LiteSpeed Tech Repository for CentOS 8 - x86_64 2.1 MB/s | 490 kB     00:00
LiteSpeed Tech Update Repository for CentOS 8 - 1.0 MB/s | 227 kB     00:00
Metadata cache created.
[root@lsws ~]#

查看openlitespeed包信息

[root@lsws ~]# dnf info openlitespeed
Last metadata expiration check: 0:00:36 ago on Mon 24 Aug 2020 02:48:52 AM UTC.
Available Packages
Name         : openlitespeed
Version      : 1.6.15
Release      : 2.el8
Architecture : x86_64
Size         : 37 M
Source       : openlitespeed-1.6.15-2.el8.src.rpm
Repository   : litespeed-update
Summary      : OpenLiteSpeed
URL          : http://www.litespeedtech.com
License      : GPLv3
Description  : OpenLiteSpeed is a high-performance, lightweight, open source
             : HTTP server developed and copyrighted by LiteSpeed Technologies.
             : Users are free to download, use, distribute, and modify
             : OpenLiteSpeed and its source code in accordance with the precepts
             : of the GPLv3 license.

[root@lsws ~]#

安装litespeed及php环境包

问题

[root@lsws ~]# dnf install openlitespeed
Last metadata expiration check: 0:00:13 ago on Mon 24 Aug 2020 02:43:32 AM UTC.
Error:
Problem: package openlitespeed-1.6.15-2.el8.x86_64 requires lsphp73-mcrypt, but none of the providers can be installed
- cannot install the best candidate for the job
- nothing provides libmcrypt.so.4()(64bit) needed by lsphp73-pecl-mcrypt-1.0.3-1.el8.7.3.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
[root@lsws ~]#

解决

[root@lsws ~]# dnf install epel-release

再次安装

[root@lsws ~]# dnf install openlitespeed

================================================================================
 Package                Arch      Version             Repository           Size
================================================================================
Installing:
 openlitespeed          x86_64    1.6.15-2.el8        litespeed-update     37 M
Installing dependencies:
 libXpm                 x86_64    3.5.12-8.el8        AppStream            58 k
 libargon2              x86_64    20171227-3.el8      epel                 29 k
 libc-client            x86_64    2007f-24.el8        epel                564 k
 libjpeg-turbo          x86_64    1.5.3-10.el8        AppStream           156 k
 libmcrypt              x86_64    2.5.8-26.el8        epel                109 k
 libnsl                 x86_64    2.28-101.el8        BaseOS               97 k
 libwebp                x86_64    1.0.0-1.el8         AppStream           273 k
 libxslt                x86_64    1.1.32-4.el8        BaseOS              249 k
 lsphp73                x86_64    7.3.21-1.el8        litespeed           4.7 M
 lsphp73-common         x86_64    7.3.21-1.el8        litespeed           677 k
 lsphp73-gd             x86_64    7.3.21-1.el8        litespeed           122 k
 lsphp73-imap           x86_64    7.3.21-1.el8        litespeed            39 k
 lsphp73-mbstring       x86_64    7.3.21-1.el8        litespeed           571 k
 lsphp73-mysqlnd        x86_64    7.3.21-1.el8        litespeed           142 k
 lsphp73-opcache        x86_64    7.3.21-1.el8        litespeed           203 k
 lsphp73-pdo            x86_64    7.3.21-1.el8        litespeed            75 k
 lsphp73-pecl-mcrypt    x86_64    1.0.3-1.el8.7.3     litespeed            27 k
 lsphp73-process        x86_64    7.3.21-1.el8        litespeed            37 k
 lsphp73-xml            x86_64    7.3.21-1.el8        litespeed           140 k

Transaction Summary
================================================================================
Install  20 Packages

查看openlitespeed安装路径

[root@lsws ~]# ls /usr/local/lsws/
add-ons      backup     conf      gdata    lsphp73      phpbuild  VERSION
admin        bin        docs      GPL.txt  lsrecaptcha  PLAT
adminpasswd  cachedata  Example   lib      modules      share
autoupdate   cgid       fcgi-bin  logs     php          tmp
[root@lsws ~]#

[root@lsws ~]# rpm -lq openlitespeed
/etc/init.d/lsws
/usr/lib/.build-id
/usr/lib/.build-id/01
/usr/lib/.build-id/01/1fe5f65c8015eff89a7061cf3cd705df56b14d
/usr/lib/.build-id/0e
/usr/lib/.build-id/0e/0ad48b16e05134408b5ba7fda33a78ff494487
/usr/lib/.build-id/2c
/usr/lib/.build-id/2c/01b36791441d4ea4d211f1568e03a4ad6717eb
/usr/lib/.build-id/7d
/usr/lib/.build-id/7d/19ffa9101ece0920acec1aa7a41befdf870147
/usr/lib/.build-id/7d/3455969230e2d6f0ee22db5931293343d19d11
/usr/lib/.build-id/7d/3455969230e2d6f0ee22db5931293343d19d11.1
/usr/lib/.build-id/92
/usr/lib/.build-id/92/57016074c47d5ea7e6939c5bf92678f8bf07fd
/usr/lib/.build-id/9a
/usr/lib/.build-id/9a/54a5da0375a7bee6dfa1cec7ec3c95b51da417
/usr/lib/.build-id/c2
/usr/lib/.build-id/c2/16322f9066a8510f3f5a666bb8af7694727b4b
/usr/lib/.build-id/c5
/usr/lib/.build-id/c5/4953e950479bd6c50a614e5d37e8fcc170b91a
/usr/lib/.build-id/cd
/usr/lib/.build-id/cd/71ea0ab4fcdd0c7976dfe74c8e7333f547fa83
/usr/lib/.build-id/e8
/usr/lib/.build-id/e8/0ec2ee684e24336fb76439c1a1afc48787cdf7
/usr/lib/.build-id/f6
/usr/lib/.build-id/f6/4cc59833a8b1b9b1320b431830b6cf377e8684
/usr/local/lsws
/usr/local/lsws/Example
/usr/local/lsws/Example/cgi-bin
/usr/local/lsws/Example/cgi-bin/helloworld
/usr/local/lsws/Example/fcgi-bin
/usr/local/lsws/Example/html
/usr/local/lsws/Example/html/.htaccess
/usr/local/lsws/Example/html/blocked
/usr/local/lsws/Example/html/blocked/index.html
/usr/local/lsws/Example/html/css
/usr/local/lsws/Example/html/css/bootstrap.min.css
/usr/local/lsws/Example/html/css/custom.css
/usr/local/lsws/Example/html/error404.html
/usr/local/lsws/Example/html/img
/usr/local/lsws/Example/html/img/404-icon.png
/usr/local/lsws/Example/html/img/blocked_content-icon.png
/usr/local/lsws/Example/html/img/cgi-icon.png
/usr/local/lsws/Example/html/img/file_upload-icon.png
/usr/local/lsws/Example/html/img/olsws_logo.png
/usr/local/lsws/Example/html/img/php-icon.png
/usr/local/lsws/Example/html/img/powered_by_ols-new.png
/usr/local/lsws/Example/html/img/pwd_protect-icon.png
/usr/local/lsws/Example/html/index.html
/usr/local/lsws/Example/html/phpinfo.php
/usr/local/lsws/Example/html/protected
/usr/local/lsws/Example/html/protected/index.html
/usr/local/lsws/Example/html/upload.html
/usr/local/lsws/Example/html/upload.php
/usr/local/lsws/Example/logs
/usr/local/lsws/GPL.txt
/usr/local/lsws/PLAT
/usr/local/lsws/VERSION
/usr/local/lsws/add-ons
/usr/local/lsws/add-ons/snmp_monitoring
/usr/local/lsws/add-ons/snmp_monitoring/README
/usr/local/lsws/add-ons/snmp_monitoring/class.litespeed_snmp_bridge.php
/usr/local/lsws/add-ons/snmp_monitoring/class.litespeed_stats.php
/usr/local/lsws/add-ons/snmp_monitoring/litespeed_cacti_template.xml
/usr/local/lsws/add-ons/snmp_monitoring/litespeed_extapp.xml
/usr/local/lsws/add-ons/snmp_monitoring/litespeed_general.xml
/usr/local/lsws/add-ons/snmp_monitoring/litespeed_vhost.xml
/usr/local/lsws/add-ons/snmp_monitoring/sample.php
/usr/local/lsws/add-ons/webcachemgr
/usr/local/lsws/add-ons/webcachemgr/VERSION
/usr/local/lsws/add-ons/webcachemgr/autoloader.php
/usr/local/lsws/add-ons/webcachemgr/bootstrap.php
/usr/local/lsws/add-ons/webcachemgr/bootstrap_cli.php
/usr/local/lsws/add-ons/webcachemgr/src
/usr/local/lsws/add-ons/webcachemgr/src/AjaxResponse.php
/usr/local/lsws/add-ons/webcachemgr/src/CliController.php
/usr/local/lsws/add-ons/webcachemgr/src/Context
/usr/local/lsws/add-ons/webcachemgr/src/Context/Context.php
/usr/local/lsws/add-ons/webcachemgr/src/Context/ContextOption.php
/usr/local/lsws/add-ons/webcachemgr/src/Context/RootCLIContextOption.php
/usr/local/lsws/add-ons/webcachemgr/src/Context/RootPanelContextOption.php
/usr/local/lsws/add-ons/webcachemgr/src/Context/UserCLIContextOption.php
/usr/local/lsws/add-ons/webcachemgr/src/DashNotifier.php
/usr/local/lsws/add-ons/webcachemgr/src/LSCMException.php
/usr/local/lsws/add-ons/webcachemgr/src/LogEntry.php
/usr/local/lsws/add-ons/webcachemgr/src/Logger.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel
/usr/local/lsws/add-ons/webcachemgr/src/Panel/CPanel.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel/ControlPanel.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel/CustomPanel.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel/CustomPanelBase.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel/DirectAdmin.php
/usr/local/lsws/add-ons/webcachemgr/src/Panel/Plesk.php
/usr/local/lsws/add-ons/webcachemgr/src/PanelController.php
/usr/local/lsws/add-ons/webcachemgr/src/PluginVersion.php
/usr/local/lsws/add-ons/webcachemgr/src/UserCommand.php
/usr/local/lsws/add-ons/webcachemgr/src/Util.php
/usr/local/lsws/add-ons/webcachemgr/src/View
/usr/local/lsws/add-ons/webcachemgr/src/View/AjaxView.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/Ajax
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/Ajax/CacheMgrRowViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/CacheRootNotSetViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/DashNotifierViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/DataFileMsgViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/ManageViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/MassDashDisableProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/MassDashNotifyProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/MassEnableDisableProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/MassEnableDisableViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/MissingTplViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/RefreshStatusProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/ScanProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/UnflagAllProgressViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/VersionChangeViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Model/VersionManageViewModel.php
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Ajax
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Ajax/CacheMgrActionsCol.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Ajax/CacheMgrFlagCol.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Ajax/CacheMgrStatusCol.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Blocks
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Blocks/InputSubmitBtn.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/CacheRootNotSet.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/DashNotifier.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/DataFileMsg.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/Manage.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/MassDashDisableProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/MassDashNotifyProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/MassEnableDisable.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/MassEnableDisableProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/MissingTpl.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/RefreshStatusProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/ScanProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/UnflagAllProgress.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/VersionChange.tpl
/usr/local/lsws/add-ons/webcachemgr/src/View/Tpl/VersionManage.tpl
/usr/local/lsws/add-ons/webcachemgr/src/WPCaller.php
/usr/local/lsws/add-ons/webcachemgr/src/WPDashMsgs.php
/usr/local/lsws/add-ons/webcachemgr/src/WPInstall.php
/usr/local/lsws/add-ons/webcachemgr/src/WPInstallStorage.php
/usr/local/lsws/admin
/usr/local/lsws/admin/cgid
/usr/local/lsws/admin/cgid/secret
/usr/local/lsws/admin/conf
/usr/local/lsws/admin/conf/admin_config.conf
/usr/local/lsws/admin/conf/htpasswd
/usr/local/lsws/admin/conf/jcryption_keypair
/usr/local/lsws/admin/conf/php.ini
/usr/local/lsws/admin/fcgi-bin
/usr/local/lsws/admin/fcgi-bin/admin_php
/usr/local/lsws/admin/html
/usr/local/lsws/admin/html.open
/usr/local/lsws/admin/html.open/favicon.ico
/usr/local/lsws/admin/html.open/index.php
/usr/local/lsws/admin/html.open/lib
/usr/local/lsws/admin/html.open/lib/CAuthorizer.php
/usr/local/lsws/admin/html.open/lib/CData.php
/usr/local/lsws/admin/html.open/lib/CNode.php
/usr/local/lsws/admin/html.open/lib/CValidation.php
/usr/local/lsws/admin/html.open/lib/ControllerBase.php
/usr/local/lsws/admin/html.open/lib/DAttrBase.php
/usr/local/lsws/admin/html.open/lib/DAttrHelp.php
/usr/local/lsws/admin/html.open/lib/DInfo.php
/usr/local/lsws/admin/html.open/lib/DKeywordAlias.php
/usr/local/lsws/admin/html.open/lib/DMsg.php
/usr/local/lsws/admin/html.open/lib/DPage.php
/usr/local/lsws/admin/html.open/lib/DTbl.php
/usr/local/lsws/admin/html.open/lib/DTblDefBase.php
/usr/local/lsws/admin/html.open/lib/DTblMap.php
/usr/local/lsws/admin/html.open/lib/LogViewer.php
/usr/local/lsws/admin/html.open/lib/PathTool.php
/usr/local/lsws/admin/html.open/lib/PlainConfParser.php
/usr/local/lsws/admin/html.open/lib/SInfo.php
/usr/local/lsws/admin/html.open/lib/XmlParser.php
/usr/local/lsws/admin/html.open/lib/blowfish.php
/usr/local/lsws/admin/html.open/lib/jCryption.php
/usr/local/lsws/admin/html.open/lib/ows
/usr/local/lsws/admin/html.open/lib/ows/ConfValidation.php
/usr/local/lsws/admin/html.open/lib/ows/DAttr.php
/usr/local/lsws/admin/html.open/lib/ows/DPageDef.php
/usr/local/lsws/admin/html.open/lib/ows/DTblDef.php
/usr/local/lsws/admin/html.open/lib/ows/Product.php
/usr/local/lsws/admin/html.open/lib/ows/RealTimeStats.php
/usr/local/lsws/admin/html.open/lib/ows/Service.php
/usr/local/lsws/admin/html.open/lib/ows/UI.php
/usr/local/lsws/admin/html.open/lib/util
/usr/local/lsws/admin/html.open/lib/util/build_php
/usr/local/lsws/admin/html.open/lib/util/build_php/BuildConfig.php
/usr/local/lsws/admin/html.open/lib/util/build_php/build_common.template
/usr/local/lsws/admin/html.open/lib/util/build_php/build_install.template
/usr/local/lsws/admin/html.open/lib/util/build_php/build_install_ext.template
/usr/local/lsws/admin/html.open/lib/util/build_php/build_manual_run.template
/usr/local/lsws/admin/html.open/lib/util/build_php/build_prepare.template
/usr/local/lsws/admin/html.open/lib/util/build_php/build_prepare_ext.template
/usr/local/lsws/admin/html.open/lib/util/build_php/buildfunc.inc.php
/usr/local/lsws/admin/html.open/login.php
/usr/local/lsws/admin/html.open/res
/usr/local/lsws/admin/html.open/res/css
/usr/local/lsws/admin/html.open/res/css/bootstrap.min.css
/usr/local/lsws/admin/html.open/res/css/font-awesome.min.css
/usr/local/lsws/admin/html.open/res/css/googlefonts.css
/usr/local/lsws/admin/html.open/res/css/lockscreen.min.css
/usr/local/lsws/admin/html.open/res/css/lst-webadmin.min.css
/usr/local/lsws/admin/html.open/res/css/smartadmin-production.min.css
/usr/local/lsws/admin/html.open/res/fonts
/usr/local/lsws/admin/html.open/res/fonts/FontAwesome.otf
/usr/local/lsws/admin/html.open/res/fonts/fontawesome-webfont.eot
/usr/local/lsws/admin/html.open/res/fonts/fontawesome-webfont.svg
/usr/local/lsws/admin/html.open/res/fonts/fontawesome-webfont.ttf
/usr/local/lsws/admin/html.open/res/fonts/fontawesome-webfont.woff
/usr/local/lsws/admin/html.open/res/fonts/glyphicons-halflings-regular.eot
/usr/local/lsws/admin/html.open/res/fonts/glyphicons-halflings-regular.svg
/usr/local/lsws/admin/html.open/res/fonts/glyphicons-halflings-regular.ttf
/usr/local/lsws/admin/html.open/res/fonts/glyphicons-halflings-regular.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-300.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-300.woff2
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-700.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-700.woff2
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-700italic.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-700italic.woff2
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-italic.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-italic.woff2
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-regular.woff
/usr/local/lsws/admin/html.open/res/fonts/open-sans-v17-latin-regular.woff2
/usr/local/lsws/admin/html.open/res/img
/usr/local/lsws/admin/html.open/res/img/ajax-loader.gif
/usr/local/lsws/admin/html.open/res/img/alpha.png
/usr/local/lsws/admin/html.open/res/img/blank.gif
/usr/local/lsws/admin/html.open/res/img/clear.png
/usr/local/lsws/admin/html.open/res/img/favicon
/usr/local/lsws/admin/html.open/res/img/favicon/favicon.ico
/usr/local/lsws/admin/html.open/res/img/hue.png
/usr/local/lsws/admin/html.open/res/img/icons
/usr/local/lsws/admin/html.open/res/img/icons/adminconfig.gif
/usr/local/lsws/admin/html.open/res/img/icons/administrator.gif
/usr/local/lsws/admin/html.open/res/img/icons/application.gif
/usr/local/lsws/admin/html.open/res/img/icons/cgi.gif
/usr/local/lsws/admin/html.open/res/img/icons/controlpanel.gif
/usr/local/lsws/admin/html.open/res/img/icons/database.gif
/usr/local/lsws/admin/html.open/res/img/icons/debug.gif
/usr/local/lsws/admin/html.open/res/img/icons/down.gif
/usr/local/lsws/admin/html.open/res/img/icons/edit.gif
/usr/local/lsws/admin/html.open/res/img/icons/fast_cgi.gif
/usr/local/lsws/admin/html.open/res/img/icons/favicon.ico
/usr/local/lsws/admin/html.open/res/img/icons/file.gif
/usr/local/lsws/admin/html.open/res/img/icons/filter.gif
/usr/local/lsws/admin/html.open/res/img/icons/form.gif
/usr/local/lsws/admin/html.open/res/img/icons/graph.gif
/usr/local/lsws/admin/html.open/res/img/icons/help.png
/usr/local/lsws/admin/html.open/res/img/icons/info.gif
/usr/local/lsws/admin/html.open/res/img/icons/link.gif
/usr/local/lsws/admin/html.open/res/img/icons/load_balancer.gif
/usr/local/lsws/admin/html.open/res/img/icons/lock.gif
/usr/local/lsws/admin/html.open/res/img/icons/ls_sapi.gif
/usr/local/lsws/admin/html.open/res/img/icons/module.gif
/usr/local/lsws/admin/html.open/res/img/icons/module_handler.gif
/usr/local/lsws/admin/html.open/res/img/icons/network.gif
/usr/local/lsws/admin/html.open/res/img/icons/play.gif
/usr/local/lsws/admin/html.open/res/img/icons/record.gif
/usr/local/lsws/admin/html.open/res/img/icons/redirect.gif
/usr/local/lsws/admin/html.open/res/img/icons/refresh.gif
/usr/local/lsws/admin/html.open/res/img/icons/report.gif
/usr/local/lsws/admin/html.open/res/img/icons/script.gif
/usr/local/lsws/admin/html.open/res/img/icons/search.gif
/usr/local/lsws/admin/html.open/res/img/icons/serverconfig.gif
/usr/local/lsws/admin/html.open/res/img/icons/servlet_engine.gif
/usr/local/lsws/admin/html.open/res/img/icons/shield.gif
/usr/local/lsws/admin/html.open/res/img/icons/stop.gif
/usr/local/lsws/admin/html.open/res/img/icons/trash.gif
/usr/local/lsws/admin/html.open/res/img/icons/up.gif
/usr/local/lsws/admin/html.open/res/img/icons/web.gif
/usr/local/lsws/admin/html.open/res/img/icons/web_link.gif
/usr/local/lsws/admin/html.open/res/img/icons/web_server.gif
/usr/local/lsws/admin/html.open/res/img/loading.gif
/usr/local/lsws/admin/html.open/res/img/lsws_bolt.png
/usr/local/lsws/admin/html.open/res/img/lsws_bolt.svg
/usr/local/lsws/admin/html.open/res/img/mappin-default.png
/usr/local/lsws/admin/html.open/res/img/minus.png
/usr/local/lsws/admin/html.open/res/img/mybg.png
/usr/local/lsws/admin/html.open/res/img/plus.png
/usr/local/lsws/admin/html.open/res/img/product_logo.gif
/usr/local/lsws/admin/html.open/res/img/product_logo.svg
/usr/local/lsws/admin/html.open/res/img/ribbon.png
/usr/local/lsws/admin/html.open/res/img/sa-dark.png
/usr/local/lsws/admin/html.open/res/img/sa-default.png
/usr/local/lsws/admin/html.open/res/img/sort_asc.png
/usr/local/lsws/admin/html.open/res/img/sort_asc_disabled.png
/usr/local/lsws/admin/html.open/res/img/sort_both.png
/usr/local/lsws/admin/html.open/res/img/sort_desc.png
/usr/local/lsws/admin/html.open/res/img/sort_desc_disabled.png
/usr/local/lsws/admin/html.open/res/img/vt-menu.png
/usr/local/lsws/admin/html.open/res/js
/usr/local/lsws/admin/html.open/res/js/app.config.min.js
/usr/local/lsws/admin/html.open/res/js/bootstrap
/usr/local/lsws/admin/html.open/res/js/bootstrap/bootstrap.min.js
/usr/local/lsws/admin/html.open/res/js/jcryption
/usr/local/lsws/admin/html.open/res/js/jcryption/jquery.jcryption.min.js
/usr/local/lsws/admin/html.open/res/js/libs
/usr/local/lsws/admin/html.open/res/js/libs/jquery-2.2.4.min.js
/usr/local/lsws/admin/html.open/res/js/libs/jquery-ui-1.12.1.min.js
/usr/local/lsws/admin/html.open/res/js/lst-app.min.js
/usr/local/lsws/admin/html.open/res/js/notification
/usr/local/lsws/admin/html.open/res/js/notification/SmartNotification.js
/usr/local/lsws/admin/html.open/res/js/notification/SmartNotification.min.js
/usr/local/lsws/admin/html.open/res/js/plugin
/usr/local/lsws/admin/html.open/res/js/plugin/datatable-responsive
/usr/local/lsws/admin/html.open/res/js/plugin/datatable-responsive/datatables.responsive.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/dataTables.bootstrap.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/dataTables.colReorder.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/dataTables.colVis.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/dataTables.tableTools.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/jquery.dataTables.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/swf
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/swf/copy_csv_xls.swf
/usr/local/lsws/admin/html.open/res/js/plugin/datatables/swf/copy_csv_xls_pdf.swf
/usr/local/lsws/admin/html.open/res/js/plugin/flot
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.cust.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.fillbetween.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.orderBar.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.pie.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.resize.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/flot/jquery.flot.tooltip.min.js
/usr/local/lsws/admin/html.open/res/js/plugin/msie-fix
/usr/local/lsws/admin/html.open/res/js/plugin/msie-fix/jquery.mb.browser.min.js
/usr/local/lsws/admin/html.open/res/lang
/usr/local/lsws/admin/html.open/res/lang/en-US_msg.php
/usr/local/lsws/admin/html.open/res/lang/en-US_tips.php
/usr/local/lsws/admin/html.open/res/lang/ja-JP_msg.php
/usr/local/lsws/admin/html.open/res/lang/ja-JP_tips.php
/usr/local/lsws/admin/html.open/res/lang/util_sortlang.php
/usr/local/lsws/admin/html.open/res/lang/zh-CN_msg.php
/usr/local/lsws/admin/html.open/res/lang/zh-CN_tips.php
/usr/local/lsws/admin/html.open/view
/usr/local/lsws/admin/html.open/view/UIBase.php
/usr/local/lsws/admin/html.open/view/UIProperty.php
/usr/local/lsws/admin/html.open/view/ajax_data.php
/usr/local/lsws/admin/html.open/view/compilePHP.php
/usr/local/lsws/admin/html.open/view/confMgr.php
/usr/local/lsws/admin/html.open/view/dashboard.php
/usr/local/lsws/admin/html.open/view/inc
/usr/local/lsws/admin/html.open/view/inc/auth.php
/usr/local/lsws/admin/html.open/view/inc/configui.php
/usr/local/lsws/admin/html.open/view/inc/global.php
/usr/local/lsws/admin/html.open/view/inc/header.php
/usr/local/lsws/admin/html.open/view/inc/nav.php
/usr/local/lsws/admin/html.open/view/inc/scripts.php
/usr/local/lsws/admin/html.open/view/logviewer.php
/usr/local/lsws/admin/html.open/view/realtimestats.php
/usr/local/lsws/admin/html.open/view/serviceMgr.php
/usr/local/lsws/admin/logs
/usr/local/lsws/admin/misc
/usr/local/lsws/admin/misc/admpass.sh
/usr/local/lsws/admin/misc/build_admin_php.sh
/usr/local/lsws/admin/misc/convertxml.php
/usr/local/lsws/admin/misc/convertxml.sh
/usr/local/lsws/admin/misc/create_admin_keypair.sh
/usr/local/lsws/admin/misc/enable_phpa.sh
/usr/local/lsws/admin/misc/gdb-bt
/usr/local/lsws/admin/misc/genjCryptionKeyPair.php
/usr/local/lsws/admin/misc/gzipStatic.sh
/usr/local/lsws/admin/misc/htpasswd.php
/usr/local/lsws/admin/misc/lscmctl
/usr/local/lsws/admin/misc/lshttpd.service
/usr/local/lsws/admin/misc/lsup.sh
/usr/local/lsws/admin/misc/lsws.rc
/usr/local/lsws/admin/misc/lsws.rc.gentoo
/usr/local/lsws/admin/misc/php.ini
/usr/local/lsws/admin/misc/rc-inst.sh
/usr/local/lsws/admin/misc/rc-uninst.sh
/usr/local/lsws/admin/misc/testbeta.sh
/usr/local/lsws/admin/misc/uninstall.sh
/usr/local/lsws/admin/tmp
/usr/local/lsws/adminpasswd
/usr/local/lsws/autoupdate
/usr/local/lsws/backup
/usr/local/lsws/bin
/usr/local/lsws/bin/litespeed
/usr/local/lsws/bin/lshttpd
/usr/local/lsws/bin/lsws_env
/usr/local/lsws/bin/lswsctrl
/usr/local/lsws/bin/lswsctrl.open
/usr/local/lsws/bin/openlitespeed
/usr/local/lsws/bin/openlitespeed.asan
/usr/local/lsws/bin/openlitespeed.dbg
/usr/local/lsws/bin/openlitespeed.prof
/usr/local/lsws/cachedata
/usr/local/lsws/cgid
/usr/local/lsws/conf
/usr/local/lsws/conf/cert
/usr/local/lsws/conf/httpd_config.conf
/usr/local/lsws/conf/mime.properties
/usr/local/lsws/conf/templates
/usr/local/lsws/conf/templates/ccl.conf
/usr/local/lsws/conf/templates/rails.conf
/usr/local/lsws/conf/vhosts
/usr/local/lsws/conf/vhosts/Example
/usr/local/lsws/conf/vhosts/Example/htgroup
/usr/local/lsws/conf/vhosts/Example/htpasswd
/usr/local/lsws/conf/vhosts/Example/vhconf.conf
/usr/local/lsws/docs
/usr/local/lsws/docs/AdminGeneral_Help.html
/usr/local/lsws/docs/AdminListeners_General_Help.html
/usr/local/lsws/docs/AdminListeners_SSL_Help.html
/usr/local/lsws/docs/AdminSecurity_Help.html
/usr/local/lsws/docs/App_Server_Context.html
/usr/local/lsws/docs/App_Server_Help.html
/usr/local/lsws/docs/CGI_Context.html
/usr/local/lsws/docs/CompilePHP_Help.html
/usr/local/lsws/docs/Context_Help.html
/usr/local/lsws/docs/ExtApp_Help.html
/usr/local/lsws/docs/External_FCGI.html
/usr/local/lsws/docs/External_FCGI_Auth.html
/usr/local/lsws/docs/External_LB.html
/usr/local/lsws/docs/External_LSAPI.html
/usr/local/lsws/docs/External_PL.html
/usr/local/lsws/docs/External_Servlet.html
/usr/local/lsws/docs/External_WS.html
/usr/local/lsws/docs/FCGI_Context.html
/usr/local/lsws/docs/Java_Web_App_Context.html
/usr/local/lsws/docs/LB_Context.html
/usr/local/lsws/docs/LSAPI_Context.html
/usr/local/lsws/docs/Listeners_General_Help.html
/usr/local/lsws/docs/Listeners_SSL_Help.html
/usr/local/lsws/docs/Module_Context.html
/usr/local/lsws/docs/Module_Help.html
/usr/local/lsws/docs/Proxy_Context.html
/usr/local/lsws/docs/Redirect_Context.html
/usr/local/lsws/docs/Rewrite_Help.html
/usr/local/lsws/docs/ScriptHandler_Help.html
/usr/local/lsws/docs/ServGeneral_Help.html
/usr/local/lsws/docs/ServLog_Help.html
/usr/local/lsws/docs/ServSecurity_Help.html
/usr/local/lsws/docs/ServTuning_Help.html
/usr/local/lsws/docs/ServerStat_Help.html
/usr/local/lsws/docs/Servlet_Context.html
/usr/local/lsws/docs/Static_Context.html
/usr/local/lsws/docs/Templates_Help.html
/usr/local/lsws/docs/VHGeneral_Help.html
/usr/local/lsws/docs/VHSSL_Help.html
/usr/local/lsws/docs/VHSecurity_Help.html
/usr/local/lsws/docs/VHWebSocket_Help.html
/usr/local/lsws/docs/VirtualHosts_Help.html
/usr/local/lsws/docs/admin.html
/usr/local/lsws/docs/config.html
/usr/local/lsws/docs/css
/usr/local/lsws/docs/css/hdoc.css
/usr/local/lsws/docs/img
/usr/local/lsws/docs/img/attention.svg
/usr/local/lsws/docs/img/info.svg
/usr/local/lsws/docs/img/lightning-bolt.svg
/usr/local/lsws/docs/img/lsws_logo.svg
/usr/local/lsws/docs/img/ols_logo.svg
/usr/local/lsws/docs/img/shield.svg
/usr/local/lsws/docs/img/web-adc_logo.svg
/usr/local/lsws/docs/index.html
/usr/local/lsws/docs/install.html
/usr/local/lsws/docs/intro.html
/usr/local/lsws/docs/ja-JP
/usr/local/lsws/docs/ja-JP/AdminGeneral_Help.html
/usr/local/lsws/docs/ja-JP/AdminListeners_General_Help.html
/usr/local/lsws/docs/ja-JP/AdminListeners_SSL_Help.html
/usr/local/lsws/docs/ja-JP/AdminSecurity_Help.html
/usr/local/lsws/docs/ja-JP/App_Server_Context.html
/usr/local/lsws/docs/ja-JP/App_Server_Help.html
/usr/local/lsws/docs/ja-JP/CGI_Context.html
/usr/local/lsws/docs/ja-JP/CompilePHP_Help.html
/usr/local/lsws/docs/ja-JP/Context_Help.html
/usr/local/lsws/docs/ja-JP/ExtApp_Help.html
/usr/local/lsws/docs/ja-JP/External_FCGI.html
/usr/local/lsws/docs/ja-JP/External_FCGI_Auth.html
/usr/local/lsws/docs/ja-JP/External_LB.html
/usr/local/lsws/docs/ja-JP/External_LSAPI.html
/usr/local/lsws/docs/ja-JP/External_PL.html
/usr/local/lsws/docs/ja-JP/External_Servlet.html
/usr/local/lsws/docs/ja-JP/External_WS.html
/usr/local/lsws/docs/ja-JP/FCGI_Context.html
/usr/local/lsws/docs/ja-JP/Java_Web_App_Context.html
/usr/local/lsws/docs/ja-JP/LB_Context.html
/usr/local/lsws/docs/ja-JP/LSAPI_Context.html
/usr/local/lsws/docs/ja-JP/Listeners_General_Help.html
/usr/local/lsws/docs/ja-JP/Listeners_SSL_Help.html
/usr/local/lsws/docs/ja-JP/Module_Context.html
/usr/local/lsws/docs/ja-JP/Module_Help.html
/usr/local/lsws/docs/ja-JP/Proxy_Context.html
/usr/local/lsws/docs/ja-JP/Redirect_Context.html
/usr/local/lsws/docs/ja-JP/Rewrite_Help.html
/usr/local/lsws/docs/ja-JP/ScriptHandler_Help.html
/usr/local/lsws/docs/ja-JP/ServGeneral_Help.html
/usr/local/lsws/docs/ja-JP/ServLog_Help.html
/usr/local/lsws/docs/ja-JP/ServSecurity_Help.html
/usr/local/lsws/docs/ja-JP/ServTuning_Help.html
/usr/local/lsws/docs/ja-JP/ServerStat_Help.html
/usr/local/lsws/docs/ja-JP/Servlet_Context.html
/usr/local/lsws/docs/ja-JP/Static_Context.html
/usr/local/lsws/docs/ja-JP/Templates_Help.html
/usr/local/lsws/docs/ja-JP/VHGeneral_Help.html
/usr/local/lsws/docs/ja-JP/VHSSL_Help.html
/usr/local/lsws/docs/ja-JP/VHSecurity_Help.html
/usr/local/lsws/docs/ja-JP/VHWebSocket_Help.html
/usr/local/lsws/docs/ja-JP/VirtualHosts_Help.html
/usr/local/lsws/docs/ja-JP/admin.html
/usr/local/lsws/docs/ja-JP/config.html
/usr/local/lsws/docs/ja-JP/index.html
/usr/local/lsws/docs/ja-JP/install.html
/usr/local/lsws/docs/ja-JP/intro.html
/usr/local/lsws/docs/ja-JP/license.html
/usr/local/lsws/docs/ja-JP/security.html
/usr/local/lsws/docs/ja-JP/webconsole.html
/usr/local/lsws/docs/license.html
/usr/local/lsws/docs/security.html
/usr/local/lsws/docs/webconsole.html
/usr/local/lsws/docs/zh-CN
/usr/local/lsws/docs/zh-CN/AdminGeneral_Help.html
/usr/local/lsws/docs/zh-CN/AdminListeners_General_Help.html
/usr/local/lsws/docs/zh-CN/AdminListeners_SSL_Help.html
/usr/local/lsws/docs/zh-CN/AdminSecurity_Help.html
/usr/local/lsws/docs/zh-CN/App_Server_Context.html
/usr/local/lsws/docs/zh-CN/App_Server_Help.html
/usr/local/lsws/docs/zh-CN/CGI_Context.html
/usr/local/lsws/docs/zh-CN/CompilePHP_Help.html
/usr/local/lsws/docs/zh-CN/Context_Help.html
/usr/local/lsws/docs/zh-CN/ExtApp_Help.html
/usr/local/lsws/docs/zh-CN/External_FCGI.html
/usr/local/lsws/docs/zh-CN/External_FCGI_Auth.html
/usr/local/lsws/docs/zh-CN/External_LB.html
/usr/local/lsws/docs/zh-CN/External_LSAPI.html
/usr/local/lsws/docs/zh-CN/External_PL.html
/usr/local/lsws/docs/zh-CN/External_Servlet.html
/usr/local/lsws/docs/zh-CN/External_WS.html
/usr/local/lsws/docs/zh-CN/FCGI_Context.html
/usr/local/lsws/docs/zh-CN/Java_Web_App_Context.html
/usr/local/lsws/docs/zh-CN/LB_Context.html
/usr/local/lsws/docs/zh-CN/LSAPI_Context.html
/usr/local/lsws/docs/zh-CN/Listeners_General_Help.html
/usr/local/lsws/docs/zh-CN/Listeners_SSL_Help.html
/usr/local/lsws/docs/zh-CN/Module_Context.html
/usr/local/lsws/docs/zh-CN/Module_Help.html
/usr/local/lsws/docs/zh-CN/Proxy_Context.html
/usr/local/lsws/docs/zh-CN/Redirect_Context.html
/usr/local/lsws/docs/zh-CN/Rewrite_Help.html
/usr/local/lsws/docs/zh-CN/ScriptHandler_Help.html
/usr/local/lsws/docs/zh-CN/ServGeneral_Help.html
/usr/local/lsws/docs/zh-CN/ServLog_Help.html
/usr/local/lsws/docs/zh-CN/ServSecurity_Help.html
/usr/local/lsws/docs/zh-CN/ServTuning_Help.html
/usr/local/lsws/docs/zh-CN/ServerStat_Help.html
/usr/local/lsws/docs/zh-CN/Servlet_Context.html
/usr/local/lsws/docs/zh-CN/Static_Context.html
/usr/local/lsws/docs/zh-CN/Templates_Help.html
/usr/local/lsws/docs/zh-CN/VHGeneral_Help.html
/usr/local/lsws/docs/zh-CN/VHSSL_Help.html
/usr/local/lsws/docs/zh-CN/VHSecurity_Help.html
/usr/local/lsws/docs/zh-CN/VHWebSocket_Help.html
/usr/local/lsws/docs/zh-CN/VirtualHosts_Help.html
/usr/local/lsws/docs/zh-CN/admin.html
/usr/local/lsws/docs/zh-CN/config.html
/usr/local/lsws/docs/zh-CN/index.html
/usr/local/lsws/docs/zh-CN/install.html
/usr/local/lsws/docs/zh-CN/intro.html
/usr/local/lsws/docs/zh-CN/license.html
/usr/local/lsws/docs/zh-CN/security.html
/usr/local/lsws/docs/zh-CN/webconsole.html
/usr/local/lsws/fcgi-bin
/usr/local/lsws/fcgi-bin/RackRunner.rb
/usr/local/lsws/fcgi-bin/lsnode.js
/usr/local/lsws/fcgi-bin/lsperld.fpl
/usr/local/lsws/fcgi-bin/lsphp
/usr/local/lsws/fcgi-bin/lsphp5
/usr/local/lsws/gdata
/usr/local/lsws/lib
/usr/local/lsws/logs
/usr/local/lsws/lsrecaptcha
/usr/local/lsws/lsrecaptcha/_recaptcha
/usr/local/lsws/lsrecaptcha/_recaptcha.shtml
/usr/local/lsws/modules
/usr/local/lsws/modules/mod_js.so
/usr/local/lsws/modules/mod_security.so
/usr/local/lsws/modules/modinspector.so
/usr/local/lsws/modules/modpagespeed.so
/usr/local/lsws/modules/modreqparser.so
/usr/local/lsws/modules/uploadprogress.so
/usr/local/lsws/php
/usr/local/lsws/phpbuild
/usr/local/lsws/share
/usr/local/lsws/share/autoindex
/usr/local/lsws/share/autoindex/bwlimit.html
/usr/local/lsws/share/autoindex/default.php
/usr/local/lsws/share/autoindex/icons
/usr/local/lsws/share/autoindex/icons/binary.png
/usr/local/lsws/share/autoindex/icons/blank.png
/usr/local/lsws/share/autoindex/icons/compress.png
/usr/local/lsws/share/autoindex/icons/folder.png
/usr/local/lsws/share/autoindex/icons/html.png
/usr/local/lsws/share/autoindex/icons/image.png
/usr/local/lsws/share/autoindex/icons/movie.png
/usr/local/lsws/share/autoindex/icons/sound.png
/usr/local/lsws/share/autoindex/icons/text.png
/usr/local/lsws/share/autoindex/icons/unknown.png
/usr/local/lsws/share/autoindex/icons/up.png
/usr/local/lsws/tmp
/usr/local/lsws/tmp/ocspcache
[root@lsws ~]#

服务控制命令

[root@lsws ~]# /usr/local/lsws/bin/lswsctrl
Usage: /usr/local/lsws/bin/lswsctrl {start|stop|restart|reload|condrestrt|try-restart|status|help}

start       - start web server
stop        - stop web server
restart     - gracefully restart web server with zero down time
reload      - same as restart
condrestart - gracefully restart web server if server is running
try-restart - same as condrestart
status      - show service status
help        - this screen

[root@lsws ~]#

查看端口监听

[root@lsws ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
[root@lsws ~]#

使用Web控制台

默认首页

默认Web管理控制台

pfSense配置IPSEC site-to-site隧道服务

云计算, 网络技术, 路由与交换技术 No Responses »

7月 242020

……

构建基于GRE协议的主机点对点隧道

网络技术 No Responses »

3月 052020

Generic Routing Encapsulation 通用路由封装协议

主机列表

18.163.50.194/172.31.44.248
18.162.60.60/172.31.37.49

查找系统可用的内核模块

[centos@ip-172-31-44-248 ~]$ ls -alRUv /lib/modules/$(uname -r)/kernel |grep ip_gre
-rw-r--r--. 1 root root 9396 Nov 29 2018 ip_gre.ko.xz
[centos@ip-172-31-44-248 ~]$

加载ip_gre模块

[root@ip-172-31-44-248 ~]# modprobe ip_gre
[root@ip-172-31-44-248 ~]#

[root@ip-172-31-37-49 ~]# modprobe ip_gre
[root@ip-172-31-37-49 ~]#

新增tun0网卡配置

本端隧道地址192.168.192.1
对端隧道地址192.168.192.2

[root@ip-172-31-44-248 ~]# vi /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=192.168.192.2
PEER_OUTER_IPADDR=18.162.60.60
MY_INNER_IPADDR=192.168.192.1

启用tun0网卡

[root@ip-172-31-44-248 ~]# ifup tun0

查看接口信息

[root@ip-172-31-44-248 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:84:f5:b0:db:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.31.44.248/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2667sec preferred_lft 2667sec
    inet6 fe80::c84:f5ff:feb0:dbf6/64 scope link 
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8977 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 0.0.0.0 peer 18.162.60.60
    inet 192.168.192.1 peer 192.168.192.2/32 scope global tun0
       valid_lft forever preferred_lft forever
[root@ip-172-31-44-248 ~]#

新增tun0网卡配置

本端隧道地址192.168.192.2
对端隧道地址192.168.192.1

[root@ip-172-31-37-49 ~]# vi /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=192.168.192.1
PEER_OUTER_IPADDR=18.163.50.194
MY_INNER_IPADDR=192.168.192.2

启用tun0网卡

[root@ip-172-31-37-49 ~]# ifup tun0

查看接口信息

[root@ip-172-31-37-49 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:4a:2b:48:b8:aa brd ff:ff:ff:ff:ff:ff
    inet 172.31.37.49/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2692sec preferred_lft 2692sec
    inet6 fe80::c4a:2bff:fe48:b8aa/64 scope link 
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8977 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 0.0.0.0 peer 18.163.50.194
    inet 192.168.192.2 peer 192.168.192.1/32 scope global tun0
       valid_lft forever preferred_lft forever
[root@ip-172-31-37-49 ~]#

分别使用对端IP地址进行ping测试

[root@ip-172-31-37-49 ~]# ping -c 4 192.168.192.1
PING 192.168.192.1 (192.168.192.1) 56(84) bytes of data.
64 bytes from 192.168.192.1: icmp_seq=1 ttl=64 time=0.297 ms
64 bytes from 192.168.192.1: icmp_seq=2 ttl=64 time=0.283 ms
64 bytes from 192.168.192.1: icmp_seq=3 ttl=64 time=0.237 ms
64 bytes from 192.168.192.1: icmp_seq=4 ttl=64 time=0.268 ms

--- 192.168.192.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.237/0.271/0.297/0.025 ms
[root@ip-172-31-37-49 ~]#


[root@ip-172-31-44-248 ~]# ping -c 4 192.168.192.2
PING 192.168.192.2 (192.168.192.2) 56(84) bytes of data.
64 bytes from 192.168.192.2: icmp_seq=1 ttl=64 time=0.249 ms
64 bytes from 192.168.192.2: icmp_seq=2 ttl=64 time=0.279 ms
64 bytes from 192.168.192.2: icmp_seq=3 ttl=64 time=0.196 ms
64 bytes from 192.168.192.2: icmp_seq=4 ttl=64 time=0.214 ms

--- 192.168.192.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.196/0.234/0.279/0.035 ms
[root@ip-172-31-44-248 ~]#

使用Softether构建VPN Gate公共节点

网络技术 No Responses »

3月 022020

安装向导欢迎页面

选择要安装的组件

同意最终用户许可协议

重要声明

选择安装目录

准备安装

安装进行中

完成安装并启动服务器管理器

选择要连接的服务器并点击连接

首次连接设置管理员密码

提示管理员密码设置成功

关闭弹出的简单设置窗口

选择是否设置开启IPsec功能

在管理器主界面进入VPN Gate设置

选择启用VPN Gate中继服务并加入研究志愿者队伍

VPN Gate服务设置选项界面

请勿在禁止使用VPN通信技术的国家使用VPN Gate服务

在管理器主界面进入动态域名设置

查看或修改该服务器的动态域名

在管理器主界面查看当前的动态域名解析主机名

查看当前已连接客户端会话信息

使用Ansible进行批量主机SSH公钥导入

网络技术 No Responses »

2月 272020

主机列表

ansible 167.179.84.153 }Z5c,jM-?bQec#z-
server1 149.28.24.11 A7f{v#PAB8$!-K8q
server2 45.76.216.130 7]Mf%YKRFP[9H!*K
server3 108.160.137.54 _Rr3%[2rg,JJQpwQ

在ansible主机上配置hosts文件

[root@ansible ~]# vi /etc/hosts
149.28.24.11 server1
45.76.216.130 server2
108.160.137.54 server3

确认主机名及IP对应关系

[root@ansible ~]# ping -c 1 server1
PING server1 (149.28.24.11) 56(84) bytes of data.
64 bytes from server1 (149.28.24.11): icmp_seq=1 ttl=61 time=0.360 ms

--- server1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.360/0.360/0.360/0.000 ms
[root@ansible ~]# ping -c 1 server2
PING server2 (45.76.216.130) 56(84) bytes of data.
64 bytes from server2 (45.76.216.130): icmp_seq=1 ttl=57 time=0.933 ms

--- server2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.933/0.933/0.933/0.000 ms
[root@ansible ~]# ping -c 1 server3
PING server3 (108.160.137.54) 56(84) bytes of data.
64 bytes from server3 (108.160.137.54): icmp_seq=1 ttl=57 time=0.982 ms

--- server3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.982/0.982/0.982/0.000 ms
[root@ansible ~]#

解决首次登录远程系统的严格主机密钥检查交互（保存远程主机公钥）

[root@ansible ~]# ssh root@server1
The authenticity of host 'server1 (149.28.24.11)' can't be established.
ECDSA key fingerprint is SHA256:NUM9LGuAESXFeEyluk7GqoY3vC7rmLvzyf4Fr5p0tWs.
ECDSA key fingerprint is MD5:36:02:b3:0c:d0:33:db:a5:a5:68:21:4f:ce:87:01:aa.
Are you sure you want to continue connecting (yes/no)? ^C
[root@ansible ~]#

[root@ansible ~]# ls .ssh/
[root@ansible ~]#

修改本机ssh客户端配置文件

[root@ansible ~]# vi /etc/ssh/ssh_config
# StrictHostKeyChecking ask
StrictHostKeyChecking no

查看ansible版本信息

[root@ansible ~]# ansible --version
ansible 2.9.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
[root@ansible ~]#

编辑ansible主机配置文件（注意server1密码的转义字符）

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root ansible_password=A7f{v\#PAB8$!-K8q
server2 ansible_user=root ansible_password=7]Mf%YKRFP[9H!*K
server3 ansible_user=root ansible_password=_Rr3%[2rg,JJQpwQ

连接测试

[root@ansible ~]# ansible servers -m ping
server2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[root@ansible ~]#

本地已保存的远程主机公钥信息

[root@ansible ~]# ls .ssh/
known_hosts
[root@ansible ~]# cat .ssh/known_hosts
server1,149.28.24.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCv/uWIj+5gWiri6BdEYw+QQYuE3wIfdW0FhgdCIY92UXf1P9rhRI9q5FQMQ1sJuKfzSihEsU2uwnQ8P45zE3Yc=
server2,45.76.216.130 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+LjHvPrUcao6A5zNJwPgjRUOQAtxPCzMoEUOl21jMKiTPpDe87feCz2S/k6bo0Paf3G9lKdJg5B+r9dCZMBOU=
server3,108.160.137.54 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+8jA1/3alAX2YtrLVUfJGvyCeCcpsJFG7WGwTgB5y4i0pBxPum0AYSw/G5ehaM8KPLCjEbCwUYS+XW83XYY10=
[root@ansible ~]#

创建密钥对

[root@ansible ~]# ssh-keygen -b 4096 -t rsa -C "harvey.mei@linuxcache.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):/root/.ssh/id_rsa_ansible
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_ansible.
Your public key has been saved in id_rsa_ansible.pub.
The key fingerprint is:
SHA256:Cv6UZ+/72ZTeeeuYP5ePrKmr7YhcZG6DVwwzXqXmLuU harvey.mei@linuxcache.com
The key's randomart image is:
+---[RSA 4096]----+
|            .    |
|           o     |
|        + +      |
|       . O       |
|    .   S =      |
|   . . B =     . |
|    . = X E   o .|
|     + B *   Bo=+|
|      + o+O==+B=O|
+----[SHA256]-----+
[root@ansible ~]#

查看公钥信息

[root@ansible ~]# cat .ssh/id_rsa_ansible.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
[root@ansible ~]#

将公钥信息复制给一个变量

[root@ansible ~]# pubkey=`cat .ssh/id_rsa_ansible.pub`
[root@ansible ~]# echo $pubkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
[root@ansible ~]#

使用Ansible的shell模块，对目的主机组执行公钥的导入操作

[root@ansible ~]# ansible servers -m shell -a "cd /root/; umask 077; test -d .ssh || mkdir .ssh; echo -e ${pubkey} >> .ssh/authorized_keys"
server1 | CHANGED | rc=0 >>

server3 | CHANGED | rc=0 >>

server2 | CHANGED | rc=0 >>

[root@ansible ~]#

通过Ansible远程执行查看目的主机已导入的公钥信息

[root@ansible ~]# ansible servers -m shell -a "cat .ssh/authorized_keys"
server3 | CHANGED | rc=0 >>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
server1 | CHANGED | rc=0 >>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
server2 | CHANGED | rc=0 >>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
[root@ansible ~]#

修改Ansible主机配置文件以启用私钥登录验证

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible
server2 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible
server3 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible

测试成功

[root@ansible ~]# ansible servers -m ping
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[root@ansible ~]#

在执行ansible命令时指定私钥参数

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root
server2 ansible_user=root
server3 ansible_user=root

测试成功

[root@ansible ~]# ansible servers --private-key=.ssh/id_rsa_ansible -m command -a hostname
server1 | CHANGED | rc=0 >>
server1
server2 | CHANGED | rc=0 >>
server2
server3 | CHANGED | rc=0 >>
server3
[root@ansible ~]#

FreeRADIUS及控制台daloRADIUS配置

网络技术 No Responses »

2月 202020

禁用防火墙

[root@radius ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@radius ~]# systemctl stop firewalld
[root@radius ~]#

安装AMP环境

[root@radius ~]# yum install php php-pdo php-mysql php-gd php-pear httpd mariadb-server mariadb

创建数据库

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on radius.* to radius@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> set password for radius@localhost=password('radiuspassword');
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

设置系统及PHP时区

[root@radius ~]# cp /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime
cp: overwrite ‘/etc/localtime’? y
[root@radius ~]#
[root@radius ~]# vi /etc/php.ini
;date.timezone =
date.timezone = Asia/Hong_Kong

安装Free RADIUS及相关组件软件包

[root@radius html]# yum install freeradius freeradius-utils freeradius-mysql

查看FreeRADIUS安装包路径

[root@radius html]# rpm -lq freeradius
/etc/logrotate.d/radiusd
/etc/pam.d/radiusd
/etc/raddb
/etc/raddb/README.rst
/etc/raddb/certs
/etc/raddb/certs/Makefile
/etc/raddb/certs/README
/etc/raddb/certs/bootstrap
/etc/raddb/certs/ca.cnf
/etc/raddb/certs/client.cnf
/etc/raddb/certs/passwords.mk
/etc/raddb/certs/server.cnf
/etc/raddb/certs/xpextensions
/etc/raddb/clients.conf
/etc/raddb/dictionary
/etc/raddb/hints
/etc/raddb/huntgroups
/etc/raddb/mods-available
/etc/raddb/mods-available/README.rst
/etc/raddb/mods-available/always
/etc/raddb/mods-available/attr_filter
/etc/raddb/mods-available/cache
/etc/raddb/mods-available/cache_eap
/etc/raddb/mods-available/chap
/etc/raddb/mods-available/counter
/etc/raddb/mods-available/cui
/etc/raddb/mods-available/date
/etc/raddb/mods-available/detail
/etc/raddb/mods-available/detail.example.com
/etc/raddb/mods-available/detail.log
/etc/raddb/mods-available/dhcp
/etc/raddb/mods-available/dhcp_sqlippool
/etc/raddb/mods-available/digest
/etc/raddb/mods-available/dynamic_clients
/etc/raddb/mods-available/eap
/etc/raddb/mods-available/echo
/etc/raddb/mods-available/etc_group
/etc/raddb/mods-available/exec
/etc/raddb/mods-available/expiration
/etc/raddb/mods-available/expr
/etc/raddb/mods-available/files
/etc/raddb/mods-available/idn
/etc/raddb/mods-available/inner-eap
/etc/raddb/mods-available/ippool
/etc/raddb/mods-available/linelog
/etc/raddb/mods-available/logintime
/etc/raddb/mods-available/mac2ip
/etc/raddb/mods-available/mac2vlan
/etc/raddb/mods-available/mschap
/etc/raddb/mods-available/ntlm_auth
/etc/raddb/mods-available/opendirectory
/etc/raddb/mods-available/otp
/etc/raddb/mods-available/pam
/etc/raddb/mods-available/pap
/etc/raddb/mods-available/passwd
/etc/raddb/mods-available/preprocess
/etc/raddb/mods-available/python
/etc/raddb/mods-available/radutmp
/etc/raddb/mods-available/realm
/etc/raddb/mods-available/redis
/etc/raddb/mods-available/rediswho
/etc/raddb/mods-available/replicate
/etc/raddb/mods-available/rest
/etc/raddb/mods-available/smbpasswd
/etc/raddb/mods-available/smsotp
/etc/raddb/mods-available/soh
/etc/raddb/mods-available/sometimes
/etc/raddb/mods-available/sql
/etc/raddb/mods-available/sqlcounter
/etc/raddb/mods-available/sqlippool
/etc/raddb/mods-available/sradutmp
/etc/raddb/mods-available/unix
/etc/raddb/mods-available/unpack
/etc/raddb/mods-available/utf8
/etc/raddb/mods-available/wimax
/etc/raddb/mods-available/yubikey
/etc/raddb/mods-config
/etc/raddb/mods-config/README.rst
/etc/raddb/mods-config/attr_filter
/etc/raddb/mods-config/attr_filter/access_challenge
/etc/raddb/mods-config/attr_filter/access_reject
/etc/raddb/mods-config/attr_filter/accounting_response
/etc/raddb/mods-config/attr_filter/post-proxy
/etc/raddb/mods-config/attr_filter/pre-proxy
/etc/raddb/mods-config/files
/etc/raddb/mods-config/files/accounting
/etc/raddb/mods-config/files/authorize
/etc/raddb/mods-config/files/pre-proxy
/etc/raddb/mods-config/preprocess
/etc/raddb/mods-config/preprocess/hints
/etc/raddb/mods-config/preprocess/huntgroups
/etc/raddb/mods-config/sql
/etc/raddb/mods-config/sql/counter
/etc/raddb/mods-config/sql/cui
/etc/raddb/mods-config/sql/ippool
/etc/raddb/mods-config/sql/ippool-dhcp
/etc/raddb/mods-config/sql/main
/etc/raddb/mods-enabled
/etc/raddb/mods-enabled/always
/etc/raddb/mods-enabled/attr_filter
/etc/raddb/mods-enabled/cache_eap
/etc/raddb/mods-enabled/chap
/etc/raddb/mods-enabled/date
/etc/raddb/mods-enabled/detail
/etc/raddb/mods-enabled/detail.log
/etc/raddb/mods-enabled/dhcp
/etc/raddb/mods-enabled/digest
/etc/raddb/mods-enabled/dynamic_clients
/etc/raddb/mods-enabled/eap
/etc/raddb/mods-enabled/echo
/etc/raddb/mods-enabled/exec
/etc/raddb/mods-enabled/expiration
/etc/raddb/mods-enabled/expr
/etc/raddb/mods-enabled/files
/etc/raddb/mods-enabled/linelog
/etc/raddb/mods-enabled/logintime
/etc/raddb/mods-enabled/mschap
/etc/raddb/mods-enabled/ntlm_auth
/etc/raddb/mods-enabled/pap
/etc/raddb/mods-enabled/passwd
/etc/raddb/mods-enabled/preprocess
/etc/raddb/mods-enabled/radutmp
/etc/raddb/mods-enabled/realm
/etc/raddb/mods-enabled/replicate
/etc/raddb/mods-enabled/soh
/etc/raddb/mods-enabled/sradutmp
/etc/raddb/mods-enabled/unix
/etc/raddb/mods-enabled/unpack
/etc/raddb/mods-enabled/utf8
/etc/raddb/panic.gdb
/etc/raddb/policy.d
/etc/raddb/policy.d/accounting
/etc/raddb/policy.d/canonicalization
/etc/raddb/policy.d/control
/etc/raddb/policy.d/cui
/etc/raddb/policy.d/debug
/etc/raddb/policy.d/dhcp
/etc/raddb/policy.d/eap
/etc/raddb/policy.d/filter
/etc/raddb/policy.d/operator-name
/etc/raddb/proxy.conf
/etc/raddb/radiusd.conf
/etc/raddb/sites-available
/etc/raddb/sites-available/README
/etc/raddb/sites-available/buffered-sql
/etc/raddb/sites-available/challenge
/etc/raddb/sites-available/channel_bindings
/etc/raddb/sites-available/check-eap-tls
/etc/raddb/sites-available/coa
/etc/raddb/sites-available/control-socket
/etc/raddb/sites-available/copy-acct-to-home-server
/etc/raddb/sites-available/decoupled-accounting
/etc/raddb/sites-available/default
/etc/raddb/sites-available/dhcp
/etc/raddb/sites-available/dhcp.relay
/etc/raddb/sites-available/dynamic-clients
/etc/raddb/sites-available/example
/etc/raddb/sites-available/inner-tunnel
/etc/raddb/sites-available/originate-coa
/etc/raddb/sites-available/proxy-inner-tunnel
/etc/raddb/sites-available/robust-proxy-accounting
/etc/raddb/sites-available/soh
/etc/raddb/sites-available/status
/etc/raddb/sites-available/tls
/etc/raddb/sites-available/virtual.example.com
/etc/raddb/sites-available/vmps
/etc/raddb/sites-enabled
/etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/inner-tunnel
/etc/raddb/templates.conf
/etc/raddb/trigger.conf
/etc/raddb/users
/usr/lib/systemd/system/radiusd.service
/usr/lib/tmpfiles.d/radiusd.conf
/usr/lib64/freeradius
/usr/lib64/freeradius/libfreeradius-dhcp.so
/usr/lib64/freeradius/libfreeradius-eap.so
/usr/lib64/freeradius/libfreeradius-radius.so
/usr/lib64/freeradius/libfreeradius-server.so
/usr/lib64/freeradius/proto_dhcp.so
/usr/lib64/freeradius/proto_vmps.so
/usr/lib64/freeradius/rlm_always.so
/usr/lib64/freeradius/rlm_attr_filter.so
/usr/lib64/freeradius/rlm_cache.so
/usr/lib64/freeradius/rlm_cache_rbtree.so
/usr/lib64/freeradius/rlm_chap.so
/usr/lib64/freeradius/rlm_counter.so
/usr/lib64/freeradius/rlm_cram.so
/usr/lib64/freeradius/rlm_date.so
/usr/lib64/freeradius/rlm_detail.so
/usr/lib64/freeradius/rlm_dhcp.so
/usr/lib64/freeradius/rlm_digest.so
/usr/lib64/freeradius/rlm_dynamic_clients.so
/usr/lib64/freeradius/rlm_eap.so
/usr/lib64/freeradius/rlm_eap_fast.so
/usr/lib64/freeradius/rlm_eap_gtc.so
/usr/lib64/freeradius/rlm_eap_leap.so
/usr/lib64/freeradius/rlm_eap_md5.so
/usr/lib64/freeradius/rlm_eap_mschapv2.so
/usr/lib64/freeradius/rlm_eap_peap.so
/usr/lib64/freeradius/rlm_eap_pwd.so
/usr/lib64/freeradius/rlm_eap_sim.so
/usr/lib64/freeradius/rlm_eap_tls.so
/usr/lib64/freeradius/rlm_eap_tnc.so
/usr/lib64/freeradius/rlm_eap_ttls.so
/usr/lib64/freeradius/rlm_exec.so
/usr/lib64/freeradius/rlm_expiration.so
/usr/lib64/freeradius/rlm_expr.so
/usr/lib64/freeradius/rlm_files.so
/usr/lib64/freeradius/rlm_ippool.so
/usr/lib64/freeradius/rlm_linelog.so
/usr/lib64/freeradius/rlm_logintime.so
/usr/lib64/freeradius/rlm_mschap.so
/usr/lib64/freeradius/rlm_otp.so
/usr/lib64/freeradius/rlm_pam.so
/usr/lib64/freeradius/rlm_pap.so
/usr/lib64/freeradius/rlm_passwd.so
/usr/lib64/freeradius/rlm_preprocess.so
/usr/lib64/freeradius/rlm_radutmp.so
/usr/lib64/freeradius/rlm_realm.so
/usr/lib64/freeradius/rlm_replicate.so
/usr/lib64/freeradius/rlm_soh.so
/usr/lib64/freeradius/rlm_sometimes.so
/usr/lib64/freeradius/rlm_sql.so
/usr/lib64/freeradius/rlm_sql_null.so
/usr/lib64/freeradius/rlm_sqlcounter.so
/usr/lib64/freeradius/rlm_sqlippool.so
/usr/lib64/freeradius/rlm_unix.so
/usr/lib64/freeradius/rlm_unpack.so
/usr/lib64/freeradius/rlm_utf8.so
/usr/lib64/freeradius/rlm_wimax.so
/usr/lib64/freeradius/rlm_yubikey.so
/usr/sbin/checkrad
/usr/sbin/raddebug
/usr/sbin/radiusd
/usr/sbin/radmin
/usr/share/doc/freeradius-3.0.13/LICENSE.gpl
/usr/share/doc/freeradius-3.0.13/LICENSE.lgpl
/usr/share/doc/freeradius-3.0.13/LICENSE.openssl
/usr/share/doc/freeradius-3.0.13/REDHAT
/usr/share/freeradius
/usr/share/freeradius/dictionary
/usr/share/freeradius/dictionary.3com
/usr/share/freeradius/dictionary.3gpp
/usr/share/freeradius/dictionary.3gpp2
/usr/share/freeradius/dictionary.acc
/usr/share/freeradius/dictionary.acme
/usr/share/freeradius/dictionary.actelis
/usr/share/freeradius/dictionary.adtran
/usr/share/freeradius/dictionary.aerohive
/usr/share/freeradius/dictionary.airespace
/usr/share/freeradius/dictionary.alcatel
/usr/share/freeradius/dictionary.alcatel-lucent.aaa
/usr/share/freeradius/dictionary.alcatel.esam
/usr/share/freeradius/dictionary.alcatel.sr
/usr/share/freeradius/dictionary.alteon
/usr/share/freeradius/dictionary.altiga
/usr/share/freeradius/dictionary.alvarion
/usr/share/freeradius/dictionary.alvarion.wimax.v2_2
/usr/share/freeradius/dictionary.apc
/usr/share/freeradius/dictionary.aptilo
/usr/share/freeradius/dictionary.aptis
/usr/share/freeradius/dictionary.arbor
/usr/share/freeradius/dictionary.arista
/usr/share/freeradius/dictionary.aruba
/usr/share/freeradius/dictionary.ascend
/usr/share/freeradius/dictionary.ascend.illegal
/usr/share/freeradius/dictionary.asn
/usr/share/freeradius/dictionary.audiocodes
/usr/share/freeradius/dictionary.avaya
/usr/share/freeradius/dictionary.azaire
/usr/share/freeradius/dictionary.bay
/usr/share/freeradius/dictionary.bintec
/usr/share/freeradius/dictionary.bluecoat
/usr/share/freeradius/dictionary.boingo
/usr/share/freeradius/dictionary.bristol
/usr/share/freeradius/dictionary.broadsoft
/usr/share/freeradius/dictionary.brocade
/usr/share/freeradius/dictionary.bskyb
/usr/share/freeradius/dictionary.bt
/usr/share/freeradius/dictionary.cablelabs
/usr/share/freeradius/dictionary.cabletron
/usr/share/freeradius/dictionary.camiant
/usr/share/freeradius/dictionary.checkpoint
/usr/share/freeradius/dictionary.chillispot
/usr/share/freeradius/dictionary.cisco
/usr/share/freeradius/dictionary.cisco.asa
/usr/share/freeradius/dictionary.cisco.bbsm
/usr/share/freeradius/dictionary.cisco.vpn3000
/usr/share/freeradius/dictionary.cisco.vpn5000
/usr/share/freeradius/dictionary.citrix
/usr/share/freeradius/dictionary.clavister
/usr/share/freeradius/dictionary.cnergee
/usr/share/freeradius/dictionary.colubris
/usr/share/freeradius/dictionary.columbia_university
/usr/share/freeradius/dictionary.compat
/usr/share/freeradius/dictionary.compatible
/usr/share/freeradius/dictionary.cosine
/usr/share/freeradius/dictionary.dante
/usr/share/freeradius/dictionary.dhcp
/usr/share/freeradius/dictionary.digium
/usr/share/freeradius/dictionary.dlink
/usr/share/freeradius/dictionary.dragonwave
/usr/share/freeradius/dictionary.efficientip
/usr/share/freeradius/dictionary.eltex
/usr/share/freeradius/dictionary.epygi
/usr/share/freeradius/dictionary.equallogic
/usr/share/freeradius/dictionary.ericsson
/usr/share/freeradius/dictionary.ericsson.ab
/usr/share/freeradius/dictionary.ericsson.packet.core.networks
/usr/share/freeradius/dictionary.erx
/usr/share/freeradius/dictionary.extreme
/usr/share/freeradius/dictionary.f5
/usr/share/freeradius/dictionary.fdxtended
/usr/share/freeradius/dictionary.fortinet
/usr/share/freeradius/dictionary.foundry
/usr/share/freeradius/dictionary.freedhcp
/usr/share/freeradius/dictionary.freeradius
/usr/share/freeradius/dictionary.freeradius.internal
/usr/share/freeradius/dictionary.freeswitch
/usr/share/freeradius/dictionary.gandalf
/usr/share/freeradius/dictionary.garderos
/usr/share/freeradius/dictionary.gemtek
/usr/share/freeradius/dictionary.h3c
/usr/share/freeradius/dictionary.hillstone
/usr/share/freeradius/dictionary.hp
/usr/share/freeradius/dictionary.huawei
/usr/share/freeradius/dictionary.iana
/usr/share/freeradius/dictionary.iea
/usr/share/freeradius/dictionary.infoblox
/usr/share/freeradius/dictionary.infonet
/usr/share/freeradius/dictionary.ipunplugged
/usr/share/freeradius/dictionary.issanni
/usr/share/freeradius/dictionary.itk
/usr/share/freeradius/dictionary.juniper
/usr/share/freeradius/dictionary.karlnet
/usr/share/freeradius/dictionary.kineto
/usr/share/freeradius/dictionary.lancom
/usr/share/freeradius/dictionary.lantronix
/usr/share/freeradius/dictionary.livingston
/usr/share/freeradius/dictionary.localweb
/usr/share/freeradius/dictionary.lucent
/usr/share/freeradius/dictionary.manzara
/usr/share/freeradius/dictionary.meinberg
/usr/share/freeradius/dictionary.meraki
/usr/share/freeradius/dictionary.merit
/usr/share/freeradius/dictionary.meru
/usr/share/freeradius/dictionary.microsemi
/usr/share/freeradius/dictionary.microsoft
/usr/share/freeradius/dictionary.mikrotik
/usr/share/freeradius/dictionary.motorola
/usr/share/freeradius/dictionary.motorola.illegal
/usr/share/freeradius/dictionary.motorola.wimax
/usr/share/freeradius/dictionary.navini
/usr/share/freeradius/dictionary.netscreen
/usr/share/freeradius/dictionary.networkphysics
/usr/share/freeradius/dictionary.nexans
/usr/share/freeradius/dictionary.nokia
/usr/share/freeradius/dictionary.nokia.conflict
/usr/share/freeradius/dictionary.nomadix
/usr/share/freeradius/dictionary.nortel
/usr/share/freeradius/dictionary.ntua
/usr/share/freeradius/dictionary.openser
/usr/share/freeradius/dictionary.packeteer
/usr/share/freeradius/dictionary.paloalto
/usr/share/freeradius/dictionary.patton
/usr/share/freeradius/dictionary.perle
/usr/share/freeradius/dictionary.propel
/usr/share/freeradius/dictionary.prosoft
/usr/share/freeradius/dictionary.proxim
/usr/share/freeradius/dictionary.purewave
/usr/share/freeradius/dictionary.quiconnect
/usr/share/freeradius/dictionary.quintum
/usr/share/freeradius/dictionary.redcreek
/usr/share/freeradius/dictionary.rfc2865
/usr/share/freeradius/dictionary.rfc2866
/usr/share/freeradius/dictionary.rfc2867
/usr/share/freeradius/dictionary.rfc2868
/usr/share/freeradius/dictionary.rfc2869
/usr/share/freeradius/dictionary.rfc3162
/usr/share/freeradius/dictionary.rfc3576
/usr/share/freeradius/dictionary.rfc3580
/usr/share/freeradius/dictionary.rfc4072
/usr/share/freeradius/dictionary.rfc4372
/usr/share/freeradius/dictionary.rfc4603
/usr/share/freeradius/dictionary.rfc4675
/usr/share/freeradius/dictionary.rfc4679
/usr/share/freeradius/dictionary.rfc4818
/usr/share/freeradius/dictionary.rfc4849
/usr/share/freeradius/dictionary.rfc5090
/usr/share/freeradius/dictionary.rfc5176
/usr/share/freeradius/dictionary.rfc5447
/usr/share/freeradius/dictionary.rfc5580
/usr/share/freeradius/dictionary.rfc5607
/usr/share/freeradius/dictionary.rfc5904
/usr/share/freeradius/dictionary.rfc6519
/usr/share/freeradius/dictionary.rfc6572
/usr/share/freeradius/dictionary.rfc6677
/usr/share/freeradius/dictionary.rfc6911
/usr/share/freeradius/dictionary.rfc6929
/usr/share/freeradius/dictionary.rfc6930
/usr/share/freeradius/dictionary.rfc7055
/usr/share/freeradius/dictionary.rfc7155
/usr/share/freeradius/dictionary.rfc7268
/usr/share/freeradius/dictionary.rfc7499
/usr/share/freeradius/dictionary.rfc7930
/usr/share/freeradius/dictionary.riverbed
/usr/share/freeradius/dictionary.riverstone
/usr/share/freeradius/dictionary.roaringpenguin
/usr/share/freeradius/dictionary.ruckus
/usr/share/freeradius/dictionary.ruggedcom
/usr/share/freeradius/dictionary.sangoma
/usr/share/freeradius/dictionary.sg
/usr/share/freeradius/dictionary.shasta
/usr/share/freeradius/dictionary.shiva
/usr/share/freeradius/dictionary.siemens
/usr/share/freeradius/dictionary.slipstream
/usr/share/freeradius/dictionary.sofaware
/usr/share/freeradius/dictionary.sonicwall
/usr/share/freeradius/dictionary.springtide
/usr/share/freeradius/dictionary.starent
/usr/share/freeradius/dictionary.starent.vsa1
/usr/share/freeradius/dictionary.surfnet
/usr/share/freeradius/dictionary.symbol
/usr/share/freeradius/dictionary.t_systems_nova
/usr/share/freeradius/dictionary.telebit
/usr/share/freeradius/dictionary.telkom
/usr/share/freeradius/dictionary.terena
/usr/share/freeradius/dictionary.trapeze
/usr/share/freeradius/dictionary.travelping
/usr/share/freeradius/dictionary.tropos
/usr/share/freeradius/dictionary.ukerna
/usr/share/freeradius/dictionary.unix
/usr/share/freeradius/dictionary.usr
/usr/share/freeradius/dictionary.usr.illegal
/usr/share/freeradius/dictionary.utstarcom
/usr/share/freeradius/dictionary.valemount
/usr/share/freeradius/dictionary.versanet
/usr/share/freeradius/dictionary.vqp
/usr/share/freeradius/dictionary.walabi
/usr/share/freeradius/dictionary.waverider
/usr/share/freeradius/dictionary.wichorus
/usr/share/freeradius/dictionary.wifialliance
/usr/share/freeradius/dictionary.wimax
/usr/share/freeradius/dictionary.wimax.alvarion
/usr/share/freeradius/dictionary.wimax.wichorus
/usr/share/freeradius/dictionary.wispr
/usr/share/freeradius/dictionary.xedia
/usr/share/freeradius/dictionary.xylan
/usr/share/freeradius/dictionary.yubico
/usr/share/freeradius/dictionary.zeus
/usr/share/freeradius/dictionary.zte
/usr/share/freeradius/dictionary.zyxel
/usr/share/man/man5/clients.conf.5.gz
/usr/share/man/man5/dictionary.5.gz
/usr/share/man/man5/radiusd.conf.5.gz
/usr/share/man/man5/radrelay.conf.5.gz
/usr/share/man/man5/rlm_always.5.gz
/usr/share/man/man5/rlm_attr_filter.5.gz
/usr/share/man/man5/rlm_chap.5.gz
/usr/share/man/man5/rlm_counter.5.gz
/usr/share/man/man5/rlm_detail.5.gz
/usr/share/man/man5/rlm_digest.5.gz
/usr/share/man/man5/rlm_expr.5.gz
/usr/share/man/man5/rlm_files.5.gz
/usr/share/man/man5/rlm_idn.5.gz
/usr/share/man/man5/rlm_mschap.5.gz
/usr/share/man/man5/rlm_pap.5.gz
/usr/share/man/man5/rlm_passwd.5.gz
/usr/share/man/man5/rlm_realm.5.gz
/usr/share/man/man5/rlm_sql.5.gz
/usr/share/man/man5/rlm_unix.5.gz
/usr/share/man/man5/unlang.5.gz
/usr/share/man/man5/users.5.gz
/usr/share/man/man8/raddebug.8.gz
/usr/share/man/man8/radiusd.8.gz
/usr/share/man/man8/radmin.8.gz
/usr/share/man/man8/radrelay.8.gz
/usr/share/snmp/mibs/FREERADIUS-MGMT-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-NOTIFICATION-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-PRODUCT-RADIUSD-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-SMI.mib
/usr/share/snmp/mibs/RADIUS-ACC-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-ACC-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-STAT-MIB.mib
/var/lib/radiusd
/var/log/radius
/var/log/radius/radacct
/var/log/radius/radius.log
/var/log/radius/radutmp
/var/run/radiusd
/var/run/radiusd/tmp
[root@radius html]#

查看FreeRADIUS工具包安装路径

[root@radius html]# rpm -lq freeradius-utils
/usr/bin/dhcpclient
/usr/bin/map_unit
/usr/bin/rad_counter
/usr/bin/radattr
/usr/bin/radclient
/usr/bin/radcrypt
/usr/bin/radeapclient
/usr/bin/radlast
/usr/bin/radsniff
/usr/bin/radsqlrelay
/usr/bin/radtest
/usr/bin/radwho
/usr/bin/radzap
/usr/bin/rlm_ippool_tool
/usr/bin/smbencrypt
/usr/share/man/man1/dhcpclient.1.gz
/usr/share/man/man1/rad_counter.1.gz
/usr/share/man/man1/radclient.1.gz
/usr/share/man/man1/radeapclient.1.gz
/usr/share/man/man1/radlast.1.gz
/usr/share/man/man1/radtest.1.gz
/usr/share/man/man1/radwho.1.gz
/usr/share/man/man1/radzap.1.gz
/usr/share/man/man1/smbencrypt.1.gz
/usr/share/man/man5/checkrad.5.gz
/usr/share/man/man8/radcrypt.8.gz
/usr/share/man/man8/radsniff.8.gz
/usr/share/man/man8/radsqlrelay.8.gz
/usr/share/man/man8/rlm_ippool_tool.8.gz
[root@radius html]#

查看FreeRADIUS MySQL数据库扩展包安装路

[root@radius html]# rpm -lq freeradius-mysql
/etc/raddb/mods-config/sql/counter/mysql
/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
/etc/raddb/mods-config/sql/cui/mysql
/etc/raddb/mods-config/sql/cui/mysql/queries.conf
/etc/raddb/mods-config/sql/cui/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool/mysql
/etc/raddb/mods-config/sql/ippool/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql
/etc/raddb/mods-config/sql/main/mysql/extras
/etc/raddb/mods-config/sql/main/mysql/extras/wimax
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
/etc/raddb/mods-config/sql/main/mysql/queries.conf
/etc/raddb/mods-config/sql/main/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql/setup.sql
/etc/raddb/mods-config/sql/main/ndb
/etc/raddb/mods-config/sql/main/ndb/README
/etc/raddb/mods-config/sql/main/ndb/schema.sql
/etc/raddb/mods-config/sql/main/ndb/setup.sql
/usr/lib64/freeradius/rlm_sql_mysql.so
[root@radius html]#

注册并启动服务

[root@radius ~]# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
[root@radius ~]# systemctl start radiusd
[root@radius ~]#

查看端口监听（UDP1812/UDP1813）

[root@radius ~]# netstat -ltun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:18120         0.0.0.0:*
udp        0      0 0.0.0.0:56569           0.0.0.0:*
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp6       0      0 ::1:323                 :::*
udp6       0      0 :::54657                :::*
udp6       0      0 :::1812                 :::*
udp6       0      0 :::1813                 :::*
[root@radius ~]#

导入数据库

[root@radius ~]# mysql -uroot -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Enter password:
[root@radius ~]#

启用数据库模块

[root@radius ~]# cd /etc/raddb/mods-enabled/
[root@radius mods-enabled]# ln -s ../mods-available/sql sql
[root@radius mods-enabled]#

修改数据库连接配置文件

[root@radius mods-enabled]# vi sql

driver = "rlm_sql_null"
driver = "rlm_sql_mysql"

dialect = "sqlite"
dialect = "mysql"

#       server = "localhost"
#       port = 3306
#       login = "radius"
#       password = "radpass"

        server = "localhost"
        port = 3306
        login = "radius"
        password = "radiuspassword"

#       read_clients = yes
        read_clients = yes

修改数据库连接配置文件属组

[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root root 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]# chgrp -h radiusd sql
[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root radiusd 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]#

下载daloRADIUS安装包并解压缩

[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip
[root@radius ~]# cp -R daloradius-master/ /var/www/html/daloradius

导入数据库

[root@radius ~]# cd /var/www/html/
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Enter password:
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/mysql-daloradius.sql
Enter password:
[root@radius html]#

修改目录及配置文件属性

[root@radius html]# chown -R apache.apache daloradius/
[root@radius html]# chmod 664 daloradius/library/daloradius.conf.php
[root@radius html]#

修改daloRADIUS配置文件

[root@radius html]# vi daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radiuspassword';
$configValues['CONFIG_DB_NAME'] = 'radius';

安装PEAR扩展

更新频道

[root@radius ~]# pear channel-update pear.php.net
Updating channel "pear.php.net"
Update of Channel "pear.php.net" succeeded
[root@radius ~]#

升级pear/PEAR版本

错误提示

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
pear/DB requires package "pear/PEAR" (version >= 1.10.0), installed version is 1.9.4
No valid packages found
install failed
[root@radius ~]#

升级操作

[root@radius ~]# pear install PEAR
WARNING: "pear/Console_Getopt" is deprecated in favor of "pear/Console_GetoptPlus"
downloading PEAR-1.10.10.tgz ...
Starting to download PEAR-1.10.10.tgz (293,388 bytes)
.............................................................done: 293,388 bytes
downloading Archive_Tar-1.4.9.tgz ...
Starting to download Archive_Tar-1.4.9.tgz (21,343 bytes)
...done: 21,343 bytes
downloading Structures_Graph-1.1.1.tgz ...
Starting to download Structures_Graph-1.1.1.tgz (12,579 bytes)
...done: 12,579 bytes
downloading Console_Getopt-1.4.3.tgz ...
Starting to download Console_Getopt-1.4.3.tgz (5,789 bytes)
...done: 5,789 bytes
downloading XML_Util-1.4.3.tgz ...
Starting to download XML_Util-1.4.3.tgz (18,842 bytes)
...done: 18,842 bytes
install ok: channel://pear.php.net/Archive_Tar-1.4.9
install ok: channel://pear.php.net/Structures_Graph-1.1.1
install ok: channel://pear.php.net/Console_Getopt-1.4.3
install ok: channel://pear.php.net/XML_Util-1.4.3
install ok: channel://pear.php.net/PEAR-1.10.10
PEAR: Optional feature webinstaller available (PEAR's web-based installer)
PEAR: Optional feature gtkinstaller available (PEAR's PHP-GTK-based installer)
PEAR: Optional feature gtk2installer available (PEAR's PHP-GTK2-based installer)
PEAR: To install optional features use "pear install pear/PEAR#featurename"
[root@radius ~]#

安装pear/DB扩展

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
downloading DB-1.9.3.tgz ...
Starting to download DB-1.9.3.tgz (132,290 bytes)
.............................done: 132,290 bytes
install ok: channel://pear.php.net/DB-1.9.3
[root@radius ~]#

安装pear/MDB2扩展

[root@radius ~]# pear install MDB2
downloading MDB2-2.4.1.tgz ...
Starting to download MDB2-2.4.1.tgz (121,557 bytes)
..........................done: 121,557 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use "pear install pear/MDB2#featurename"
[root@radius ~]#

重启服务

[root@radius ~]# systemctl restart radiusd

使用浏览器访问daloRADIUS控制台

Windows 10下配置密码认证IKEv2 VPN

网络技术 No Responses »

2月 012020

自签根证书导入客户端计算机

正确的自签CA证书导入路径（证书-本地计算机-受信任的根证书颁发机构）

查看已导入的CA证书详情

错误的自签CA证书导入路径（证书-当前用户-受信任的根证书颁发机构）

证书导入位置错误时的连接错误提示：IKE身份验证凭证不可接受

拨号连接属性设置详情

常规选项卡

安全选项卡

网络选项卡

建立连接后的状态信息

使用strongSwan构建IPsec IKEv2 VPN

网络技术 No Responses »

2月 012020

安装EPEL仓库源

[root@host1 ~]# yum -y install epel-release

更新缓存并安装StrongSwan及net-tools工具

[root@host1 ~]# yum makecache
[root@host1 ~]# yum -y install strongswan net-tools

查看StrongSwan版本信息

[root@host1 ~]# yum info strongswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * epel: mirror.lax.genesisadaptive.com
 * extras: mirror.hostduplex.com
 * updates: repos-lax.psychz.net
Installed Packages
Name        : strongswan
Arch        : x86_64
Version     : 5.7.2
Release     : 1.el7
Size        : 4.0 M
Repo        : installed
From repo   : epel
Summary     : An OpenSource IPsec-based VPN and TNC solution
URL         : http://www.strongswan.org/
License     : GPLv2+
Description : The strongSwan IPsec implementation supports both the IKEv1 and
            : IKEv2 key exchange protocols in conjunction with the native NETKEY
            : IPsec stack of the Linux kernel.

[root@host1 ~]#

准备证书生成脚本

服务器证书脚本

[root@host1 ipsec.d]# cat server_key.sh
#!/bin/bash
if [ $1 ];      then
        CN=$1
        echo "generating keys for $CN ..."
else
        echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys"
        exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem
echo 'CA certs at cacerts/strongswanCert.pem'
strongswan pki --print --in cacerts/strongswanCert.pem

sleep 1
echo "generating server keys ..."
strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \
        --san $CN \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnHostCert.pem
echo "vpn server cert at certs/vpnHostCert.pem"
strongswan pki --print --in certs/vpnHostCert.pem
[root@host1 ipsec.d]#

客户端证书脚本

[root@host1 ipsec.d]# cat client_key.sh
#!/bin/bash
info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys"

if [ $1 ];      then
        if [ $2 ]; then
                NAME=$1
                MAIL=$2
                echo "generating keys for $NAME $MAIL ..."
        else
                echo -e $info
                exit 1
        fi
else
        echo -e $info
        exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

keyfile="private/"$NAME"Key.pem"

certfile="certs/"$NAME"Cert.pem"

p12file=$NAME".p12"

strongswan pki --gen --type rsa --size 2048 \
        --outform pem \
        > $keyfile

strongswan pki --pub --in $keyfile --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \
        --san $MAIL \
        --outform pem > $certfile

strongswan pki --print --in $certfile

echo "Enter password to protect p12 cert for $NAME"
openssl pkcs12 -export -inkey $keyfile \
        -in $certfile -name "$NAME's VPN Certificate" \
        -certfile cacerts/strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out $p12file

if [ $? -eq 0 ]; then
        echo "cert for $NAME at $p12file"
fi
[root@host1 ipsec.d]#

生成服务器证书

[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133
generating keys for 144.202.116.133 ...
CA certs at cacerts/strongswanCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:11 2020, ok
             not after  Jan 29 02:02:11 2030, ok (expires in 3650 days)
  serial:    1d:40:6a:e0:af:56:64:33
  flags:     CA CRLSign self-signed
  subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  pubkey:    RSA 4096 bits
  keyid:     7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2
  subjkey:   91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
generating server keys ...
vpn server cert at certs/vpnHostCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:13 2020, ok
             not after  Jan 31 02:02:13 2022, ok (expires in 730 days)
  serial:    1d:ff:d1:51:97:c9:46:72
  altNames:  144.202.116.133
  flags:     serverAuth ikeIntermediate
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
  pubkey:    RSA 2048 bits
  keyid:     15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2
  subjkey:   c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
[root@host1 ipsec.d]#

生成客户端证书并为密钥对设置密码

[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com
generating keys for harveymei harvey.mei@msn.com ...
  subject:  "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:03:46 2020, ok
             not after  Jan 31 02:03:46 2022, ok (expires in 730 days)
  serial:    60:f7:02:c5:33:21:3a:13
  altNames:  harvey.mei@msn.com
  flags:
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
  pubkey:    RSA 2048 bits
  keyid:     1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe
  subjkey:   ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
Enter password to protect p12 cert for harveymei
Enter Export Password:
Verifying - Enter Export Password:
cert for harveymei at harveymei.p12
[root@host1 ipsec.d]#

复制客户端需要用到的证书

修改配置文件

修改ipsec.conf配置文件

初始配置文件

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=HK, O=Linux strongSwan CN=peer name"
#      auto=start

修改为

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

修改strongswan.conf配置文件

初始配置文件

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

修改为

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

语法变化/错误的处理

Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]

charon {
    load_modular = yes
    duplicheck{
	enable = no
	}
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

修改ipsec.secrets配置文件（账号密码）

初始配置文件

# ipsec.secrets - strongSwan IPsec secrets file

修改为

# ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
harveymei %any : EAP "harvey#pwd2020"
harveymei %any : XAUTH "harvey#pwd2020"

开启内核及防火墙包转发设置

内核

[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@host1 strongswan]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@host1 strongswan]#

防火墙

[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]# firewall-cmd --permanent --add-service=ipsec
success
[root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp
success
[root@host1 ~]# firewall-cmd --permanent --add-masquerade
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ipsec ssh
ports: 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]#

启动服务

[root@host1 ~]# systemctl enable strongswan
Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.
[root@host1 ~]# systemctl start strongswan

查看端口监听

Older Entries

2021年4月
一	二	三	四	五	六	日
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30