我必须管理一个事件的访问控制,它与连接到现有 Wi-Fi 基础设施的几个 pda 设备一起工作。
在活动前的测试中,连接似乎很好,所有 pda 都有良好的信号,并且可以协同工作并具有良好的响应时间。
正如您想象的那样,活动期间的事情发生了一些不同。
我们经历过网络层故障、Wi-Fi 信号中断(设备断开连接几秒钟)、tcp 连接超时、信号较弱以及一些其他第 7 层相关问题,例如 DNS 响应失败。
设备和AP的数量和位置均未改变。
所以我想知道,大量未连接到同一 Wifi的其他 Wifi 设备是否是导致这种降级的原因。我的意思是,所有智能手机进行的 Wifi 研究是否可能导致 AP 降级?
有什么解决办法吗?例如使用隐藏的 SSID?
我的 nginx 平衡器中有一个缓存指令,没有任何特殊设置。
我发现当我在浏览器中按 CTRL-F5 时,所有资源都使用Cache-Control:no-cache标头进行请求,但 nginx 仍然使用缓存内容进行回复。
nginx 的设计是否只尊重后端服务器缓存标头而不尊重客户端缓存标头?
这是 nginx 缓存配置的相关部分:
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mycache:100m max_size=500m inactive=60m use_temp_path=off;
proxy_cache_key $host$request_uri;
proxy_cache mycache;
add_header X-Cache-Status $upstream_cache_status;
即使客户端的 Cache-Control 为 no-cache,X-Cache-Status 值也是 HIT
这是完整配置:
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
client_max_body_size 100M;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
log_format cache_st '$remote_addr - $upstream_cache_status [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log cache_st;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
#
## Cache
#
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mycache:100m max_size=500m inactive=60m use_temp_path=off;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-cache-purge.conf:
load_module modules/ngx_http_cache_purge_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-fancyindex.conf:
load_module modules/ngx_http_fancyindex_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-headers-more-filter.conf:
load_module modules/ngx_http_headers_more_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-perl.conf:
load_module modules/ngx_http_perl_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-uploadprogress.conf:
load_module modules/ngx_http_uploadprogress_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-nchan.conf:
load_module modules/ngx_nchan_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/010-mysiteb:
# HTTP
server {
server_name mysite2 mysiteb mysite3 mysiteb;
listen 80;
include commons/http-location.inc;
}
# BALANCED HAPROXY2 - TCP 81
server {
server_name mysiteb;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysiteb/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysiteb/privkey.pem;
include commons/ha-location-2.inc;
}
# BALANCED HAPROXY WEB - TCP 82
server {
server_name mysite3 mysiteb;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite3/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite3/privkey.pem;
include commons/ha-location-web.inc;
}
server {
server_name mysite2;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite2/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite2/privkey.pem;
include commons/ha-location-web.inc;
}
# configuration file /etc/nginx/commons/http-location.inc:
location /.well-known {
alias /var/www/html/.well-known;
}
location / {
return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/commons/ha-location-2.inc:
location / {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
error_page 502 /502error.html;
}
location /ws {
proxy_pass http://127.0.0.1:81;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 120;
}
location = /502error.html {
root /usr/share/nginx/html;
internal;
}
# configuration file /etc/nginx/commons/ha-location-web.inc:
location / {
proxy_pass http://127.0.0.1:82;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
error_page 502 /502error.html;
proxy_cache mycache;
add_header X-Cache-Status $upstream_cache_status;
}
location = /502error.html {
root /usr/share/nginx/html;
internal;
}
# configuration file /etc/nginx/commons/srvap1-location.inc:
location / {
proxy_pass http://srvap1/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
error_page 502 /502error.html;
}
location /ws {
proxy_pass http://srvap1;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 120;
}
location = /502error.html {
root /usr/share/nginx/html;
internal;
}
# configuration file /etc/nginx/commons/srvap2-location.inc:
location / {
proxy_pass http://srvap2/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
error_page 502 /502error.html;
}
location /ws {
proxy_pass http://srvap2;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 120;
}
location = /502error.html {
root /usr/share/nginx/html;
internal;
}
# configuration file /etc/nginx/sites-enabled/030-mysitea:
# HTTP
server {
server_name mysite1 mysite4 mysite5;
listen 80;
include commons/http-location.inc;
}
# BALANCED HAPROXY - TCP 81
server {
server_name mysite4;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite4/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite4/privkey.pem;
include commons/ha-location-2.inc;
}
server {
server_name mysite5 mysitea;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite5/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite5/privkey.pem;
include commons/ha-location-web.inc;
}
server {
server_name mysite1;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mysite1/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite1/privkey.pem;
include commons/ha-location-web.inc;
}
# AP1 - TCP 10001
server {
server_name mysite4;
listen 10001 ssl;
ssl_certificate /etc/letsencrypt/live/mysite4/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite4/privkey.pem;
include commons/srvap1-location.inc;
}
server {
server_name mysite5 mysitea;
listen 10001 ssl;
ssl_certificate /etc/letsencrypt/live/mysite5/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite5/privkey.pem;
include commons/srvap1-location.inc;
}
server {
server_name mysite1;
listen 10001 ssl;
ssl_certificate /etc/letsencrypt/live/mysite1/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite1/privkey.pem;
include commons/srvap1-location.inc;
}
# AP2 - TCP 10002
server {
server_name mysite4;
listen 10002 ssl;
ssl_certificate /etc/letsencrypt/live/mysite4/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite4/privkey.pem;
include commons/srvap2-location.inc;
}
server {
server_name mysite5 mysitea;
listen 10002 ssl;
ssl_certificate /etc/letsencrypt/live/mysite5/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite5/privkey.pem;
include commons/srvap2-location.inc;
}
server {
server_name mysite1;
listen 10002 ssl;
ssl_certificate /etc/letsencrypt/live/mysite1/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite1/privkey.pem;
include commons/srvap2-location.inc;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
server {
listen 127.0.0.1:1935;
root /var/www/html;
location / {
stub_status;
}
}
我正在开发一个新的 nas 来存储一些虚拟机的 veeam 备份。
我将使用一些磁盘,我的疑问是关于可选的 SSD 缓存磁盘。
我想知道缓存层是否重要,通常我知道几个缓存磁盘不是一个坏主意,但在这种情况下我想知道是否推荐它或不是很有用。
据我所知,缓存用于吸收少量小操作或同一扇区中的重复操作。在虚拟机备份场景中,我预计大量写入操作和缓存层将很快被填满并变得几乎无用。
我是对还是错?
我正在配置MS 365 混合部署,MX 将保留在 Exchange 本地服务器上。
我有一个我不想删除的本地反垃圾邮件 (LibraEsva)。
这是实际配置:
按照 MS 指南,Exchange On Premise 和 Cloud 之间的连接必须是直接的,没有任何过滤器。
如您所见,有一个从公共互联网到 MX 接口的 SMTP 25 已被反垃圾邮件过滤。此外,Exchange On Premise 和 Cloude 之间还有另一个 SMTP 25 连接,用于本地和云邮箱之间的内部路由。
我做了2个NAT
这有效,公共电子邮件被过滤,Exchange 服务器之间的电子邮件未被过滤......
但
由 MS365 主机名创建的 NAT 正在接收来自 MS 365 的所有公共电子邮件,而不仅仅是内部电子邮件,如果 365 的任何用户向我发送电子邮件,它不再被过滤。
我该如何解决这个脑筋急转弯?我认为应该有一个解决方案。
我找到了两种使用 apache 将 http 重定向到 https 的方法。使用重定向
Redirect / https://mydomain/
或重写
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://mydomain/$1 [R,L]
有什么区别?
有一次,Exchange 允许通过“Microsoft Connector for POP3 Mailboxes”将外部邮箱下载到本地邮箱。然后我可以将我的外部/流行邮件阅读到本地交换邮箱。2013有可能吗?我再也找不到连接器了。
几周前,我为三级域启动了 powerdns 权威服务器。2 周后,我仍然有一些公共 dns 没有解析我的记录,例如 google (8.8.8.8) 正在解析,但 opendns (208.67.222.220) 没有解析。我已经在线尝试了一些 DNS 检查工具,我可以说只有 50% 的公共 dns 可以与我的记录一起使用。
我怎么能理解为什么?它可以连接到 DNSSEC(我没有启用它)吗?
我的 Apache 服务器有一个虚拟主机配置:
<VirtualHost *:80>
DocumentRoot "/app/www"
ServerName myhostname
<Directory "/app/www">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
我想只允许访问myhostname作为主机名的请求。但我想拒绝主机名或服务器 IP 发出的所有其他请求:
http://myhostiname/ ALLOW
http://1.2.3.4/ (this is one of the server ip addresses) DENY
我的虚拟主机配置按预期工作。
现在我必须编辑配置以让用户通过 ip 访问一个特定路径,因为客户端无法解析本地主机名。
这是一个例子:
http://myhostiname ALLOW
http://1.2.3.4/ DENY
http://1.2.3.4/any/path DENY
http://1.2.3.4/allowed/path ALLOW
http://1.2.3.4/allowed/path/subpath ALLOW
我在新的虚拟主机中尝试了该<Location>元素:
<VirtualHost 0.0.0.0:80>
DocumentRoot "/app/www"
<Directory "/app/www">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Location "/">
AllowOverride None
Order Deny,Allow
Deny from all
</Location>
<Location "^/allowed">
Allow from all
</Location>
</VirtualHost>
但这拒绝了除了主机名请求之外的所有内容。我错过了什么?
我想使用 ActiveSync 协议而不是 IMAP将个人邮箱和共享邮箱 Exchange 2013 添加到 Android 设备。有可能吗?如何使用个人使用来验证共享邮箱?
我在某处找到了这些信息:
但对我不起作用。
我必须在我的 IBM DS3512 SAN 中更换驱动器,我是按型号(希捷型号)而不是按 IBM FRU 代码购买的。我试图放置驱动器,但失败并出现错误“驱动器不兼容”。我看到其他驱动器的型号确实相同,但固件版本和制造商名称不同。
可能我必须归还驱动器并寻找 FRU 部分,但首先我想知道是否有任何方法可以解决这个问题,也许是在驱动器中刷新 IBM 固件。
此 SAN 不在生产环境中,仅用于测试
我可以在 Ubuntu 机器上向 PureFtpD 添加多个绑定端口吗?我可以更改绑定端口,编辑 /etc/pure-ftpd/Bind 文件。但我不明白如何设置额外的端口。我试图在 Bind 文件中添加一个新行,但它不起作用。
我想更新安装 Microsoft Sql Server 2014 的机器的 so 版本,这是否经过 Windows Server 2016 认证?我不希望 MS 协助出现问题...
我正在尝试为我的 ubuntu 服务器 VPS 的 Apache HTTPD 和 TOMCAT 服务使用 let's encrypt 证书。
我发现在哪里有letsencrypt存储的证书来查看apache配置,它是由certboot脚本编写的,Apache可以很好地使用这个证书。
我对 tomcat server.xml 配置使用相同的链接,但在其日志中出现权限被拒绝错误:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Oct 11, 2017 9:40:07 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:964)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
... 13 more
Oct 11, 2017 9:40:07 AM org.apache.catalina.startup.Catalina load
调查许可我发现了这个:
root@myvps:~# ls -la /etc/letsencrypt/live/mysite.org/
total 12
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
lrwxrwxrwx 1 root root 39 Sep 20 06:30 cert.pem -> ../../archive/mysite.org/cert3.pem
lrwxrwxrwx 1 root root 40 Sep 20 06:30 chain.pem -> ../../archive/mysite.org/chain3.pem
lrwxrwxrwx 1 root root 44 Sep 20 06:30 fullchain.pem -> ../../archive/mysite.org/fullchain3.pem
lrwxrwxrwx 1 root root 42 Sep 20 06:30 privkey.pem -> ../../archive/mysite.org/privkey3.pem
-rw-r--r-- 1 root root 543 May 23 07:27 README
root@myvps:~# ls -la /etc/letsencrypt/archive/mysite.org/
total 56
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
-rw-r--r-- 1 root root 1818 May 23 07:27 cert1.pem
-rw-r--r-- 1 root root 1814 Jul 22 06:30 cert2.pem
-rw-r--r-- 1 root root 1814 Sep 20 06:30 cert3.pem
-rw-r--r-- 1 root root 1647 May 23 07:27 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 22 06:30 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 20 06:30 chain3.pem
-rw-r--r-- 1 root root 3465 May 23 07:27 fullchain1.pem
-rw-r--r-- 1 root root 3461 Jul 22 06:30 fullchain2.pem
-rw-r--r-- 1 root root 3461 Sep 20 06:30 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 23 07:27 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 22 06:30 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 20 06:30 privkey3.pem
据我所知,这个对 ls 命令的回答表明每个人都有符号链接和真实文件的 READ 权限。我对吗?那么,如果我将其证书指向,为什么 tomcat 会抱怨权限/etc/letsencrypt/live/mysite.org/cert.pem?
如何使用一对 crt/key 文件为 Tomcat 启用 SSL?
我试过这个:
我在 server.xml 配置中启用了 APR 连接器:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="my.crt"
SSLCertificateKeyFile="my.key" />
我不得不使用 APR 而不是 Http11NioProtocol,因为 crt 和密钥文件是由外部进程自动更新/更新的。似乎 Http11NioProtocol 只能使用密钥库。
然后我尝试安装 APR:
sudo apt-get install libapr1 libapr1-dev
我重新加载了 Tomcat,但没有找到 APR:
org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
我的 exim4 邮件服务器使用错误的扩展名发送通知,我的意思是:
Mail Delivery System <[email protected]>
此服务器是多域服务器,mydomain.err 是托管域之一,但不是主要域。我想设置主域和守护进程地址,但我在配置中找不到它,我在所有 exim 配置中做了一个 grep 来寻找 mydomain.err,我只在这里找到它:
dc_other_hostnames='maindomain.com;mydomain.err;otherdomain.com'
我在哪里可以更改守护程序地址和主域?
我有一个小型服务器 Dell PowerEdge T100,它带有一个 RAID1 阵列,该阵列由带有 Debian 5 的戴尔 RAID SAS 控制器构建,因此有什么方法可以监控它,和/或接收有关 RAID 错误的通知?似乎目前唯一的方法是重新启动,进入 SAS 实用程序,然后检查阵列状态。
今天我的邮箱收到了很多垃圾邮件,我查看了 exim4 日志,发现了一些可疑活动。
我想了解这种攻击的服务器性,如果我收到垃圾邮件,我可以删除它们并添加一些规则,但是我想确定我不是垃圾邮件发送者。
我阅读了许多这样的日志:
2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= [email protected] H=([127.0.0.1]) [129.137.152.170] P=esmtpa A=plain: S=1298 [email protected]
2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection
2016-03-09 08:16:57 1adXzZ-0007sb-Pz => kamikaze_****@hotmail.co.uk R=dnslookup T=remote_smtp H=mx3.hotmail.com [207.46.8.167] X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 CV=no DN="CN=*.hotmail.com" C="250 <[email protected]> Queued mail for delivery"
2016-03-09 08:16:57 1adXzZ-0007sb-Pz Completed
请考虑:
所以,我是垃圾邮件发送者?我的服务器是否在未经身份验证的情况下发送邮件?
这是我的配置:
accept_8bitmime
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = accept
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
av_scanner = sophie:/var/run/sophie
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_allow_chars = _
helo_lookup_domains = @ : @[]
host_lookup = *
host_lookup_order = bydns:byaddr
ignore_bounce_errors_after = 2d
no_ignore_fromline_local
keep_malformed = 4d
no_ldap_start_tls
ldap_version = -1
no_local_from_check
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_timeout = 5m
local_sender_retain
log_file_path = /var/log/exim4/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
mysql_servers = localhost/system/exim/mypassw
never_users =
no_perl_at_start
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
prdr_enable
no_preserve_message_logs
primary_hostname = srv1.mydomain.com
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = mydomain.com
qualify_recipient = mydomain.com
queue_list_requires_admin
no_queue_only
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = @[]
rfc1413_query_timeout = 0s
slow_lookup_log = 0
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number Ubuntu $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
no_smtp_return_error_details
spamd_address = 127.0.0.1 783
no_split_spool_directory
spool_directory = /var/spool/exim4
sqlite_lock_timeout = 5
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_processname = exim
syslog_timestamp
tcp_nodelay
timeout_frozen_after = 1w
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_dh_max_bits = 2236
tls_eccurve = prime256v1
tls_on_connect_ports = 465
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
trusted_groups =
trusted_users = uucp
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
write_rejectlog
这是 PLAIN 验证器:
plain:
driver = plaintext
public_name = PLAIN
server_advertise_condition = yes
server_condition = ${if eq{$3}{${lookup mysql{ SELECT password FROM users WHERE CONCAT(username,'@',domain)='${quote_mysql:$2}' AND smtp>0 }}}{yes}{no}}
server_set_id = $2
这是今天的 exim 拒绝日志:
2016-01-07 13:48:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:32:09 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:41:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:49:01 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:56:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:04:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:12:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:20:19 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:28:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:35:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:43:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:51:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:58:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:06:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:13:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:21:29 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:28:52 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:36:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:43:43 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:51:46 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:59:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:06:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:14:10 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:21:39 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:29:02 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:36:36 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:44:00 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:51:21 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:58:40 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:05:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:13:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:20:42 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:28:03 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:35:48 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:43:11 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:50:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:57:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:05:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:12:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:20:17 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:27:41 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:35:06 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
我不想等待,什么也不做,是否可以为 exim 创建一个黑名单,在 1 小时内填充超过 10 次登录尝试的 IP 地址?
请注意,我想为 smtp 登录尝试创建一个黑名单,而不是为电子邮件发件人创建一个黑名单。
我必须向外部程序发送从 Exim 服务器接收到的每个消息主题。
这是我的acl_smtp_data配置:
warn condition = ${lookup mysql{ INSERT INTO maillog ( subject ) VALUES ( '${quote_mysql:$message_headers}'}{$value}fail}
这可行,但我只想保存“主题”标题而不是所有标题。我找不到仅适用于主题的变量,也许我可以从 $message_headers var 的所有标题中提取它。
这是一个关于 MX 协议优先级的问题。如果我有两个具有不同优先级的 MX 服务器:
协议是否保证首选 MX 10?提交者是否可以出于除主要可用性之外的任何其他原因选择次要的?
换句话说:如果我的 serverA MX 运行良好并且具有(理论上的)无限连接容量,我可以确定没有人会尝试连接到 serverB 吗?