# SA Final Exam Notes

## ZFS

### HW3

```shell=
zpool create sa_pool raidz da0 da1 da2
zfs create -o compression=lz4 -o copies=2 -o atime=off sa_pool/data
zfs set mountpoint=/sa_data sa_pool/data
chmod 755 /sa_data
chown root:wheel /sa_data
```

### Common commands

## NFS

## Service

Steps to create a service:

1. Write the environment variables into `/etc/rc.conf` with `sysrc`
2. Put the rc script into `/usr/local/etc/rc.d`

rc script example (HW4)

```shell=
#!/bin/sh

# PROVIDE: hw4
# REQUIRE: NETWORKING
# KEYWORD: shutdown

. /etc/rc.subr

name="hw4"
rcvar="hw4_enable"
command="/usr/local/bin/poetry"
pidfile="/var/run/${name}.pid"
logfile="/var/log/${name}.log"

start_cmd="hw4_start"
stop_cmd="hw4_stop"
restart_cmd="hw4_restart"
status_cmd="hw4_status"
# command_interpreter="/usr/local/bin/python3.9"

hw4_start()
{
    echo "Starting ${name}."
    # Copy the NUM_DISKS and MAX_SIZE lines from rc.conf into the app's .env:
    # the whole "KEY=value" line found in .env is replaced by the one from
    # rc.conf. (The sed pattern breaks if a value contains '/', '&' or '.'.)
    str1=$(grep NUM_DISKS /etc/rc.conf)
    str2=$(grep NUM_DISKS /root/web/.env)
    sed "s/${str2}/${str1}/g" /root/web/.env > /root/web/tmp.out
    cat /root/web/tmp.out > /root/web/.env
    str1=$(grep MAX_SIZE /etc/rc.conf)
    str2=$(grep MAX_SIZE /root/web/.env)
    sed "s/${str2}/${str1}/g" /root/web/.env > /root/web/tmp.out
    cat /root/web/tmp.out > /root/web/.env
    sleep 1
    rm /root/web/tmp.out
    cd /root/web/api
    # Start the API in the background; stdout and stderr go to the log file.
    su root -c '/usr/local/bin/poetry run uvicorn app:APP --reload --host 0.0.0.0' >${logfile} 2>&1 &
    sleep 1
    # uvicorn logs "Started reloader process [<pid>] ..."; take the pid from that line.
    grep "reloader process" ${logfile} | awk '{print $5}' | cut -d '[' -f2 | cut -d ']' -f1 > ${pidfile}
}

hw4_stop()
{
    echo "Stopping ${name}."
    kill $(cat ${pidfile})
    rm ${pidfile}
    rm ${logfile}
    rm -r /var/raid/*
    rm -r /tmp/filename_list
}

hw4_restart()
{
    hw4_stop
    sleep 1
    hw4_start
}

hw4_status()
{
    if [ -f "${pidfile}" ]; then
        pid=$(cat ${pidfile})
        if [ -n "$(pgrep -F ${pidfile})" ]; then
            echo "${name} is running as pid ${pid}."
        else
            echo "${name} is not running."
        fi
    else
        echo "${name} is not running."
    fi
}

load_rc_config $name
run_rc_command "$1"
```

## SSL

[reference](https://hackmd.io/wIKBTth5TpOTDgp42L99Mg)

Self-signed certificate

```shell=
openssl genrsa -out <private key file> <key length, usually 2048>
openssl req -new -key <private key file> -out <request file> -addext 'subjectAltName=<Alternative Name>'
```

Init environment

```shell=
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
touch demoCA/serial
echo 01 > demoCA/crlnumber
cp <CA certificate> demoCA/cacert.pem
cp <CA private key> demoCA/private/cakey.pem
```

Sign Certificate

```shell=
openssl ca -in <request file> -out <sub CA certificate file> -days <validity period (days)> -batch -rand_serial -extfile <extensions file>
```

ca.ext

```
# ca extensions file
basicConstraints = CA:false
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
```

Build the chain file (server certificate first, then the CA certificate) and the key file that the web server will load:

```shell=
cat web.crt ca.crt > server.crt
cat web.key > server.key
```

## nginx (reverse proxy setting)

Example `/usr/local/etc/nginx/nginx.conf`

```nginx=
events {
    worker_connections 1024;
}

http {
    # Redirect HTTP to HTTPS
    server {
        listen 80;
        server_name <username>.sa;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Configure SSL with the provided certificate
    server {
        listen 443 ssl;
        server_name <username>.sa;

        ssl_certificate /root/crt/webserver.crt;
        ssl_certificate_key /root/crt/webserver.key;

        # Disable request size limit
        client_max_body_size 0;

        location / {
            proxy_pass http://localhost:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

## Firewall

Initial setup

```shell=
sysrc pf_enable=YES
sysrc pflog_enable=YES
sysrc pfsync_enable=YES
service pf start
pfctl -e
```

Common commands

```shell=
pfctl -nf /etc/pf.conf   # check that the syntax of pf.conf is correct (dry run, nothing is loaded)
pfctl -f /etc/pf.conf    # load the rules from pf.conf
pfctl -e / -d            # Enable/Disable
```

`/etc/pf.conf` example (the same file can also be found under `/usr/share/examples/pf/*`)

```
#	$FreeBSD$
#	$OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"
# in /etc/rc.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
#pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
```

## FAQ

## Reference

[FreeBSD about firewall](https://docs.freebsd.org/zh-tw/books/handbook/firewalls/)

[FreeBSD 5.3 Release PF](https://chrissim.pixnet.net/blog/post/34886143)
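The HW4 rc script above rewrites `.env` by feeding a whole `KEY=value` line from `rc.conf` into a `sed` pattern, which silently misbehaves when a value contains `/` or `&` and writes nothing useful when the key is missing. The following is an added example, not the HW4 script itself, of the same sync done with `awk`, key by key, with an atomic rename; the file names and the `NUM_DISKS` / `MAX_SIZE` keys are taken from the script, everything else is assumed.

```shell
#!/bin/sh
# Added example (not the original HW4 rc script): copy selected KEY=value
# lines from an rc.conf-style file into the app's .env without sed patterns.
set -eu

# Print the value of KEY ($1) from file $2 (first match); fail if it is absent.
conf_get() (
    key=$1; file=$2
    val=$(awk -F= -v k="$key" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$file")
    [ -n "$val" ] || { echo "missing $key in $file" >&2; return 1; }
    printf '%s\n' "$val"
)

# Set KEY ($1) in destination file $3 to the value it has in source file $2.
# Existing line is replaced in place, a missing key is appended; the result
# is written to a temp file (mode 0600) and renamed over the destination.
sync_key() (
    key=$1; src=$2; dst=$3
    val=$(conf_get "$key" "$src")
    tmp=$(mktemp "$dst.XXXXXX")
    awk -F= -v k="$key" -v v="$val" '
        $1 == k { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$dst" > "$tmp"
    mv "$tmp" "$dst"
)

# The two keys hw4_start synchronises: $1 is rc.conf, $2 is the .env file.
sync_env() (
    for k in NUM_DISKS MAX_SIZE; do sync_key "$k" "$1" "$2"; done
)
```

Because `conf_get` fails instead of returning an empty string, a typo in `rc.conf` stops the service from starting with a broken `.env` rather than with a half-edited one.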
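The SSL section lists the CA steps one by one; the script below is an added example (not from the notes or the linked reference) that runs them end to end in a scratch directory and then checks what nginx will actually be handed. It uses its own `openssl.cnf`-style file instead of the system one, and the host name, directory and `SA test CA` subject are assumptions. One point the notes do not mention: `openssl ca` drops the `subjectAltName` from the CSR unless `copy_extensions = copy` is set, so the check verifies the SAN survived.

```shell
# Added example (not from the notes): the CA flow above run end to end in a
# scratch dir, plus the checks a reviewer runs on the result. OpenSSL >= 1.1.1.
set -eu
# Create a CA and sign a server cert for host $2 inside work dir $1.
build_chain() (
    cd "$1"; host=$2
    mkdir -p demoCA/newcerts demoCA/private; : > demoCA/index.txt; echo 01 > demoCA/serial
    # Self-contained config so the result does not depend on the system openssl.cnf.
    # copy_extensions=copy keeps the CSR's subjectAltName; without it the SAN is lost.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_md = sha256
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
    printf '%s\n' 'basicConstraints = CA:false' 'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid,issuer:always' 'extendedKeyUsage = serverAuth' \
        'keyUsage = digitalSignature,keyEncipherment' > ca.ext
    for k in demoCA/private/cakey.pem web.key; do openssl genrsa -out "$k" 2048 2>/dev/null; done
    openssl req -x509 -new -config ca.cnf -extensions v3_ca -key demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 3650 -subj "/CN=SA test CA"
    openssl req -new -config ca.cnf -key web.key -out web.csr -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    openssl ca -config ca.cnf -in web.csr -out web.crt -days 365 -batch -rand_serial \
        -extfile ca.ext -notext 2>/dev/null
    cat web.crt demoCA/cacert.pem > server.crt   # chain file handed to nginx
)
# Checks: verifies against the CA, SAN holds DNS:$2, EKU allows server auth.
check_cert() (
    cd "$1"; host=$2
    openssl verify -CAfile demoCA/cacert.pem web.crt >/dev/null
    openssl x509 -in web.crt -noout -ext subjectAltName | grep -q "DNS:$host"
    openssl x509 -in web.crt -noout -ext extendedKeyUsage | grep -q "Server Authentication"
)
```

Run `check_cert` against the real `web.crt` too: a certificate that passes `openssl verify` but lacks the SAN is exactly the one browsers reject with a name mismatch.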
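The sample `pf.conf` above is the stock FreeBSD file with every rule commented out. As an added example (not from the notes), here is a ruleset for the nginx host described on this page: only ssh, http and https are exposed, the uvicorn backend on port 8000 is reachable only through the reverse proxy on localhost, and SSH gets the handbook's brute-force throttle. The interface name `vtnet0` is an assumption.

```pf
# Added example (not in the notes): ruleset for the nginx host above.
# Assumption: the external interface is vtnet0; replace with yours.
ext_if = "vtnet0"
tcp_services = "{ ssh, http, https }"
table <bruteforce> persist

set skip on lo
scrub in all

# Default deny inbound (dropped packets go to pflog0), allow outbound.
block in log all
pass out all keep state

# Drop spoofed sources and anything already in the SSH offender table.
antispoof quick for $ext_if
block in quick from <bruteforce>

# Only ssh/http/https are opened; port 8000 (uvicorn) is never reachable
# from outside, nginx forwards to it over localhost.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA keep state

# Last matching rule wins, so this one governs ssh: more than 5 new
# connections in 30 s from one source puts it in <bruteforce> and flushes
# its existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass in on $ext_if inet proto icmp to ($ext_if) icmp-type { unreach, echoreq, timex }
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `pfctl -t bruteforce -T show` lists the sources that hit the SSH limit.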