作者归档:flyinweb

SSL证书格式详解与转换

发表评论

一般来说,主流的 Web 服务软件,通常都基于 OpenSSL 和 Java 两种基础密码库。

  • Tomcat、Weblogic、JBoss 等 Web 服务软件,一般使用 Java 提供的密码库。通过 Java Development Kit (JDK)工具包中的 Keytool 工具,生成 Java Keystore(JKS)格式的证书文件。
  • Apache、Nginx 等 Web 服务软件,一般使用 OpenSSL 工具提供的密码库,生成 PEM、KEY、CRT 等格式的证书文件。
  • IBM 的 Web 服务产品,如 Websphere、IBM Http Server(IHS)等,一般使用 IBM 产品自带的 iKeyman 工具,生成 KDB 格式的证书文件。
  • 微软 Windows Server 中的 Internet Information Services(IIS)服务,使用 Windows 自带的证书库生成 PFX 格式的证书文件。

继续阅读

puppet-external_ip

发表评论

External IP fact(s)

Sage Imel sage@sagenite.net

Provides an external_ip4 fact that shows your ipv4 IP address as returned by http://ipv4.icanhazip.com. Provides and an external_ip6 fact that shows your ipv6 IP address as returned by http://ipv6.icanhazip.com.

Useful if you have a host with a dynamic IP address.

Limitations

Ruby doesn’t seem to let you specify which interface Web::HTTP uses, so on a box with multiple interfaces your milage may very.

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip4.rb

require 'net/http'

Facter.add("external_ip4") do
  setcode do
    begin
      target = URI.parse('http://ipv4.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end

require 'net/http'

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip6.rb
Facter.add("external_ip6") do
  setcode do
    begin
      target = URI.parse('http://ipv6.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end

Optimizing Nginx for serving files bigger than 1GB

发表评论

Yesterday I faced a strange issue, I realize that nginx was not serving files larger than 1GB. After investigation I found that it was due to the proxy_max_temp_file_size variable, that is configured by default to serve up to 1024 MB max.

This variable indicates the max size of a temporary file when the data served is bigger than the proxy buffer. If it is indeed bigger than the buffer, it will be served synchronously from the upstream server, avoiding the disk buffering.
If you configure proxy_max_temp_file_size to 0, then your temporary files will be disabled.

In this fix it was enough to locate this variable inside the location block, although you can use it inside server and httpd blocks. With this configuration you will optimize nginx for serving more than 1GB of data.

location / {
...
proxy_max_temp_file_size 1924m;
...
}

Restart nginx to take the changes:

service nginx restart

Smart and Efficient Byte-Range Caching with NGINX & NGINX Plus

发表评论

When correctly deployed, caching is one of the quickest ways to accelerate web content. Not only does caching place content closer to the end user (thus reducing latency), it also reduces the number of requests to the upstream origin server, resulting in greater capacity and lower bandwidth costs.

The availability of globally distributed cloud platforms like AWS and DNS‑based global load balancing systems such as Route 53 make it possible to create your own global content delivery network (CDN).

In this article, we’ll look at how NGINX and NGINX Plus can cache and deliver traffic that is accessed using byte‑range requests. A common use case is HTML5 MP4 video, where requests use byte ranges to implement trick‑play (skip and seek) video playback. Our goal is to implement a caching solution for video delivery that supports byte ranges, and minimizes user latency and upstream network traffic.

Editor – The cache‑slice method discussed in Filling the Cache Slice‑by‑Slice was introduced in NGINX Plus R8. For an overview of all the new features in that release, see Announcing NGINX Plus R8 on our blog. 继续阅读

使用Nginx反向代理做cache缓存-实现CDN功能

发表评论

目标

使用Nginx反向代理做cache缓存-实现CDN功能

环境

192.168.56.11是CDN节点
192.168.56.12是资源源站

源站nginx配置

源站nginx配置:
yum install -y nginx
hostnamectl set-hostname linux-node2
echo "This is linux-node2" >/usr/share/nginx/html/index.html
端口修改为8080
nginx -t
systemctl status nginx

要求:能正常使用curl请求访问资源。
curl -H "Host:www.exmail.com" http://192.168.56.12:8080

CDN节点-配置

继续阅读

Remove IIS Server version HTTP Response Header

发表评论

How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Normal HTTP Response headers

Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.

Therefore it’s advised you remove at least some of them. 继续阅读

Packet Sender

发表评论

 

Packet Sender is an open source utility to allow sending and receiving TCP, UDP, and SSL (encrypted TCP) packets. The mainline branch officially supports Windows, Mac, and Desktop Linux (with Qt). Other places may recompile and redistribute Packet Sender. Packet Sender is free and licensed GPL v2 or later. It can be used for both commercial and personal use.

Uses

  • Controlling network-based devices in ways beyond their original apps
  • Test automation (using its command line tool and/or hotkeys)
  • Testing network APIs (using the built-in TCP, UDP, SSL clients)
  • Malware analysis (using the built-in UDP, TCP, SSL servers)
  • Troubleshooting secure connections (using SSL ).
  • Testing network connectivity/firewalls (by having 2 Packet Senders talk to each other)
  • Tech support (by sending customers a portable Packet Sender with pre-defined settings and packets)
  • Sharing/Saving/Collaboration using the Packet Sender Cloud service.

继续阅读

PowerShell 下载文件

发表评论

最早在一个自动化脚本中需要从微软官网上下载一个Office365 的 PowerShell Module 安装包,使用的是WebClient下载文件,但是在PowerShell 3.0 中,有一条非常有用的命令,Invoke-WebRequest,我们可以使用它从互联网上下载文件。其实内部实现极有可能也是调用WebClient。

作为用户,我们只需要像Copy-item一样,指定原路径和目标路径。实例如下:

1
2
3
4
$src = 'https://www.2mysite.net/index.php'
$des = "$env:temp\index.php"
Invoke-WebRequest -uri $src -OutFile $des
Unblock-File $des

因为下载的文件会被Windows锁定,PowerShell 3.0 同时还有一个新命令可以给文件解锁。如何你要访问的文件需要身份验证,或者代理服务器。请继续参考Invoke-WebRequest的其他参数。
还有一点也是值得惊喜的,就是在下载文件时,PowerShell控制台会以进度条的形式显示文件传输的当前状态!

SeMF安全平台部署

发表评论

项目介绍

SEMF是一款适用于企业内网安全管理平台,包含资产管理,漏洞管理,账号管理,知识库管、安全扫描自动化功能模块,可用于企业内部的安全管理

本平台旨在帮助安全人员少,业务线繁杂,周期巡检困难,自动化程度低的甲方,更好的实现企业内部的安全管理。本软件只用作企业内部IT资产管理,无攻击性行为。请使用者遵守《中华人民共和国网络安全法》,勿将SEMF用于非授权测试,作者不负任何连带法律责任。

本项目原地址:https://gitee.com/gy071089/SecurityManageFramwork

作者:残源

软件架构

后端系统 python3 + django2 + rabbitmq 实现。
前端显示 layui + bootstarp,使用开源模板 X-admin:http://x.xuebingsi.com/

项目特点

  • 可自定义用户类型及权限信息,初始化中生成安全人员,运维人员,网络人员和业务人员四种类型
  • 企业IT资产类型和资产属性可在后台自定义,根据需要进行扩展
  • 内网资产发现和端口扫描可自动化进行
  • 完整的漏洞跟进和扫描器漏洞过滤
  • 网络映射,针对大型企业内外网之间映射管理复杂,预留功能
  • 知识库管理,针对安全信息共享,分为通告类和科普类
  • 漏洞库管理,此模块对接cnvd漏洞库
  • 基于插件的漏洞扫描功能,可自行添加
  • 多种协议的弱口令检测
  • AWVS(Acunetix Web Vulnerability Scanner) 接口调用
  • Nessus(6/7) 接口调用

安装教程

安装指南

使用指南

截图

  • 登录注册页 登录注册页
  • 系统首页 系统首页
  • 资产管理 资产管理
  • 资产详情 资产详情
  • 漏洞管理 漏洞管理
  • 报表中心 报表中心

安全管控平台SeMF部署——基础环境准备

企业内网安全管理平台(SeMF),包含资产管理,漏洞管理,账号管理,知识库管、安全扫描自动化功能模块,可用于企业内部的安全管理。 本平台旨在帮助安全人员少,业务线繁杂,周期巡检困难,自动化程度低的甲方,更好的实现企业内部的安全管理。

    项目特点:

  1. 可自定义用户类型及权限信息,初始化中生成安全人员,运维人员,网络人员和业务人员四种类型
  2. 资产类型和资产属性可在后台自定义,根据需要进行扩展
  3. 内网资产发现和端口扫描可自动化进行
  4. 完整的漏洞跟进和扫描器漏洞过滤

    项目地址:https://gitee.com/gy071089/SecurityManageFramwork

该项目需要安装 python3、rabbitmq、以及nmap 继续阅读

Windows远程管理

发表评论

1、启用WinRM时,使用enable-psremoting -force命令时出现的一些错误处理:

PS C:\Users\Administrator> enable-psremoting -force
在此计算机上,WinRM 已设置为接收请求。
Set-WSManQuickConfig : 拒绝访问。
所在位置 行:50 字符: 33
+             Set-WSManQuickConfig <<<<  -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

PS C:\Users\Administrator> Enable-PSRemoting -Force
在此计算机上设置了 WinRM 以接收请求。
Set-WSManQuickConfig : <f:WSManFault xmlns:f=”http://schemas.microsoft.com/wbem/wsman/1/wsmanfault” Code=”2″ Machine=”l
ocalhost”><f:Message><f:ProviderFault provider=”Config provider” path=”%systemroot%\system32\WsmSvc.dll”><f:WSManFault
xmlns:f=”http://schemas.microsoft.com/wbem/wsman/1/wsmanfault” Code=”2″ Machine=”web79-62.xm.vh.cnolnic.org”><f:Message
>无法检查防火墙的状态。 </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>
所在位置 行:69 字符: 17
+                 Set-WSManQuickConfig -force
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig],InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

处理方法:

gpedit.msc

计算机管理->管理模板->Windows组件->Windows远程管理(WinRM)->WinRM服务中

启用“允许通过WinRM进行远程服务器管理”

说明:

  1. 一般出现上述错误之后,虽然WinRM是启动的,但没有监控端口(5985);
  2. 启用策略之后要重启WinRM服务,正常情况下,监控端口5985有存在;
  3. 由于enable-psremoting -force没有正常运行,所以防火墙规则中要手工添加允许对5985的入站规则。如:netsh advfirewall firewall add rule name=”Windows Remote Management” dir=in action=allow profile=public,private,d
    omain protocol=tcp localport=5985 remoteip=<your ipaddress> description=”Windows Remote Management”

2、远程连接服务器进行管理(WinRM)时,出现如下错误:

[ipaddress] 连接到远程服务器 ipaddress失败,并显示以下错误消息: WS-Management 服务无法处理该请求。在 ipaddress计算机上的 WSMan: 驱动器中找不到 Microsoft.PowerShell 会话配置。有关详细信息,请参阅 about_Remote_Troubles
hooting 帮助主题。
    + CategoryInfo          : OpenError: (ipaddress:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : InvalidResourceUri,PSSessionStateBroken

解决办法:在要进行远程管理服务器上运行如下命令,然后重启WinRM服务

Get-PSSessionConfiguration | Enable-PSSessionConfiguration