lucasart's questions

在协商开始时，Secure Renegotiation IS NOT supported发生。在最后一次Session Ticket（也可能是之前的一次）中，似乎 SSL 连接成功了。你能告诉我这里发生了什么吗？我应该担心这一点，还是可以以任何方式“改善”谈判？

另外，为什么会发生两次Session Ticket？这是正常的吗？

# openssl s_client -connect mail.domainname.com:993

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domainname.com
verify return:1
---
Certificate chain
 0 s:CN = domainname.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFfTCCBGWgAwIBAgISA3ypOrf4bJNOWeDv4Ie2YB9MMA0GCSqGSIb3DQEBCwUA
...
nqq9VzUEakWQsLfHhNVwUe8=
-----END CERTIFICATE-----
subject=CN = domainname.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3148 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2148B9B6ABD8587E0B0975A132BBAFD41F2FD476396BB26433165D3C
    Session-ID-ctx: 
    Resumption PSK: C5ACAAACC034516A9E7868D4666840A9B1DC7ADBD3CBD466B3A7889082677FB995B6013E7FA7CC2BF0757D2D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 35 0c 32 9e 9f 21 39 fc-6c 4d ae 2c c8 cb d3 58   5.2..!9.lM.,...X
    ...
    00d0 - 54 76 45 9a a4 f0 dc e0-6d 2b 7d fa 9a 63 2e 12   TvE.....m+}..c..

    Start Time: 1600415053
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 957C17A0A528F7D53C47CE7C8FDAF0A78E725DBA498D3DF91D39AB54
    Session-ID-ctx: 
    Resumption PSK: 31EDFF053862FD02E7C85973084FA2F26FE8A021F9EDF1DB51100B18B21D2F8A7F5AB7A43899B1A0507DD2E2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 35 0c 32 9e 9f 21 39 fc-6c 4d ae 2c c8 cb d3 58   5.2..!9.lM.,...X
    ...
    00d0 - 55 db 93 6b 34 96 9d 95-13 e1 67 c8 5b 27 1c 60   U..k4.....g.['.`

    Start Time: 1600415053
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

valid_lft对and的值大于零/永远有什么影响（如果有的话）preferred_lft？我应该担心这个吗，如果是这样，如何forever在启动时自动设置它（最好使用 Netplan）？

root:~# ip a
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether aa:00:11:22:33:44 brd ff:ff:ff:ff:ff:ff
    inet 111.111.111.111/32 scope global ens3
       valid_lft 86154sec preferred_lft 86154sec
    inet 222.222.222.222/32 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::aaa:bbb:ccc:ddd/64 scope link 
       valid_lft forever preferred_lft forever

root:~# ip addr change 111.111.111.111 dev ens3 valid_lft forever preferred_lft forever

root:~# ip a
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether aa:00:11:22:33:44 brd ff:ff:ff:ff:ff:ff
    inet 111.111.111.111/32 scope global ens3
       valid_lft forever preferred_lft forever
    inet 222.222.222.222/32 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::aaa:bbb:ccc:ddd/64 scope link 
       valid_lft forever preferred_lft forever

我问这个问题是因为我意识到服务器默认 IP 地址在没有手动交互的情况下从切换111.111.111.111到222.222.222.222，即ifconfig -a显示为ens3：

root:~# ifconfig -a
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 222.222.222.222  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::aaa:bbb:ccc:ddd  prefixlen 64  scopeid 0x20<link>
        ether aa:00:11:22:33:44  txqueuelen 1000  (Ethernet)
        RX packets 206473  bytes 54232020 (54.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 111121  bytes 19855468 (19.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root:~# cat /etc/netplan/*.yaml 
network:
    version: 2
    ethernets:
        ens3:
            dhcp4: yes
            match:
                macaddress: aa:00:11:22:33:44
            mtu: 1500
            set-name: ens3
            addresses:
               - 111.111.111.111/32
               - 222.222.222.222/32
            nameservers:
                addresses:
                    - 8.8.8.8
                    - 4.4.4.4
                    - 1.1.1.1
                    - 1.0.0.1

可能valid_lft并且preferred_lft是转换的原因吗？

如果不是，如何确保主 IP 地址保留111.111.111.111在此配置中？我正在使用 Virtualmin，它偶尔会闪烁一条消息，说主 IP 地址已更改为222.222.222.222，并提议将其从 修改111.111.111.111为222.222.222.222。此时，ifconfig显示222.222.222.222如上图。

我想在不影响其他网络（ens3、ens3:0- >3)。

问题是我的 VPS 只有一个物理网卡。其他 IP 是别名，如下图所示。如果我桥接ens3，别名不会被取消吗？

我完全按照本指南进行操作，但sshVM (@xx5.5) 连接到主 NIC/主机 (@88.88.88.88)。ssh到本地 IP (@192.168.122.101) 连接到 VM。

我应该如何在 VPS 上配置网络，使其为每个 VM（目前是一个 VM）分配一个可以连接到 Internet 并充当网络服务器的私有 IP？如果 Ubuntu 16.04 无法实现所需的设置，是否可以升级到 18/20.04？

配置：

• OVH VPS
• Ubuntu 16.04
• 虚拟机
• ufw
• virtualmin / webmin

网络（简化）：

Internet
   \
   |
   +------------------------+
   | Ubuntu server          | virbr0 (192.168.122.1/24)
   +------------------------+ NAT
   | ens3: 88.88.88.88      |                    Static IP for VM
   +----------------+-------------+------------+-----------------+
   | ens3:0 x.x.1.1 |             | site1.com  | Virtualmin->www
   +----------------+-------------+------------+-----------------+
   | ens3:1 x.x.2.2 |             | site2.com  | Virtualmin->www
   +----------------+-------------+------------+-----------------+
   | ens3:2 x.x.3.3 |             | site3.com  | Virtualmin->www
   +----------------+-------------+------------+-----------------+
   | ens3:3 x.x.4.4 |             | site4.com  | Virtualmin->www
   +----------------+-------------+------------+-----------------+
   | ens3:4 x.x.5.5 |             | VM1/Ubuntu | 192.168.122.101
   +----------------+-------------+------------+-----------------+

当前IP配置：

root:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:06:3f:2c:05:3b brd ff:ff:ff:ff:ff:ff
    inet 88.88.88.88/32 brd 88.88.88.88 scope global ens3
       valid_lft forever preferred_lft forever
    inet x.x.1.1/32 brd x.x.1.1 scope global ens3:0
       valid_lft forever preferred_lft forever
    inet x.x.2.2/32 brd x.x.2.2 scope global ens3:1
       valid_lft forever preferred_lft forever
    inet x.x.3.3/32 brd x.x.3.3 scope global ens3:2
       valid_lft forever preferred_lft forever
    inet x.x.4.4/32 brd x.x.4.4 scope global ens3:3
       valid_lft forever preferred_lft forever
    inet x.x.5.5/32 brd x.x.5.5 scope global ens3:4
       valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 51:52:00:c9:9b:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 51:52:00:c9:9b:7d brd ff:ff:ff:ff:ff:ff
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
    link/ether 50:54:00:46:ea:7c brd ff:ff:ff:ff:ff:ff

root:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether fa:06:3f:2c:05:3b brd ff:ff:ff:ff:ff:ff

virsh 配置：

root:~# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>54b584b8-b2f5-45cb-a8e1-8d75540dc1a8</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='51:52:00:c9:9b:7d'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
  <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

root:~# virsh domifaddr dpcloud
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet0      50:54:00:46:ea:7c    ipv4         192.168.122.101/24

root:~# ssh [email protected]
...

root:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:46:ea:7c brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.101/24 brd 192.168.122.255 scope global dynamic ens2
       valid_lft 3470sec preferred_lft 3470sec
    inet6 fe80::5054:ff:fe46:ea7c/64 scope link 
       valid_lft forever preferred_lft forever