分类目录归档:系统管理

Windows\Linux\*nix系统管理

How to Install Windows on RAID 5 with Drives Larger than 2TB

Setting Up the PERC with the DISKPART Tool for Windows Install

This type of RAID array requires a partition using a GUID (Globally Unique Identifier) Partition Table (GPT) to work properly for Windows in UEFI BIOS mode. Windows Setup, however, does not support making a GPT partition in the standard setup dialogue. Diskpart from the Command Prompt must be used to create a GPT partition to allow setup to see the RAID partition and continue setup.


Figure 1

  1. Start the install, and load the PERC H310 drivers via the OS “Load Diver” function. After the driver is loaded the RAID volume will appear in the install to device list (Figure 1).
  2. Press Shift+F10 to bring up a Command Prompt window.
  3. Type DISKPART and press Enter to enter the DISKPART tool. Enter the commands in the following steps as shown in bold and press enter.
  4. DETAIL DISK – This shows a list of volumes seen by the system. Make note of the Volume number for the RAID array.
  5. SELECT DISK=X – X will be the Volume number of the RAID shown in the detail disk report.
  6. CLEAN – Clears the partition information.
  7. CONVERT GPT – Sets the partition to GPT.
  8. EXIT – Exits DISKPART.
  9. Exit the Command Prompt window.
  10. The full RAID volume should show in the device list.
  11. Complete the remainder of the installation process normally. The RAID volume should show as “Windows Boot Manager” in UEFI.

If this was completed correctly, the system should boot normally in UEFI BIOS mode, and allow Windows to install.

Configure IIS to listen on specific IPs

By default IIS will listen for connections on port 80 for any IP bound to the server. This happens even if there are no host headers or bindings set for a specific IP. This can be a problem when trying to run multiple web servers on port 80.

To set IIS to listen on specific IPs follow the instructions below.

Windows Server 2003/IIS 6:

1. This requires the Server 2003 support tools. If this is not already installed it can be downloaded here.

2. Once installed open a command prompt and navigate to the support tools installation folder (default is C:\Program Files\Support Tools).
cd C:\Program Files\Support Tools

3. Stop http.
net stop http /y

4. Use this command to display the current list of IPs:
httpcfg query iplisten

5. By default it will listen on all IPs (0.0.0.0) so we can remove this.
httpcfg delete iplisten -i 0.0.0.0

6. Specify the IP(s) that IIS should listen on. Make sure to update 127.0.0.1 to the desired IP and run the command for each IP IIS should listen on.
httpcfg set iplisten -i 127.0.0.1

7. Start http and test out your sites.
net start http

Windows Server 2008/IIS 7:

1. Open a command prompt and type “netsh”.
netsh

2. Type “http”.
http

3. Enter the following command to display the current list of IPs to listen on. Note if no IPs are displayed like in the below image, IIS will listen on all IPs (default).
show iplisten

4. Use the command below to set IIS to listen on a specific IP. Make sure to replace 127.0.0.1 with the correct IP and run the command again for any additional addresses.
add iplisten ipaddress=127.0.0.1

5. In case you need to delete an IP from this list, use the following command.
delete iplisten ipaddress=127.0.0.1

6. Restart IIS to apply these changes.
iisreset

IIS listening 127.0.0.1 instead 0.0.0.0

I use command:

netsh http show iplisten

and saw 127.0.0.1 in listening list. (But I didn’t add it manually). So I delete it and add 0.0.0.0 instead.

netsh http delete iplisten ipaddress=127.0.0.1

netsh http add iplisten ipaddress=0.0.0.0

Then I restarted iis server.

SSL certificates on Sites with Host Headers

Source:https://blogs.iis.net/thomad/ssl-certificates-on-sites-with-host-headers

Today I got the following question:

“I have two sites (siteV1.mysite.com and sitev2.mysite.com). They listen on the same IP address and port. We generated a certificate for siteV1.mysite.com and SSL is working properly. The problem is that some of our customers use siteV2.mysite.com and they are getting certificate errors. What’s the problem?”

Here is the issue:

There are three pieces of data to uniquely identify an IIS site:

  • The IP address
  • The Port
  • The Host name which HTTP 1.1 clients send as an HTTP request header. 

This IP:Port:Hostname triplet is called a binding. The binding “192.168.1.192:80:myserver” for example represents a site that listens on IP address 192.168.1.192, port 80, host-header myserver

The very first things IIS (HTTP.SYS to be more precise) does when a request comes in is to read the site’s configuration. Connection limits and timeouts are examples of site configuration. The site binding is used to find the right site configuration. The SSL certificate seems to be another great example of site configuration – the SSL certificate is needed to decrypt the encrypted SSL data coming from the client.

And the IIS User Interface certainly makes it appear as if the SSL certificate would be site configuration, too – doesn’t it? In reality however you can’t bind a SSL certificate to a site. The IIS UI is fooling you. But why? 

It’s a chicken and egg problem: The host name is encrypted in the SSL blob that the client sends. Because the host name is part of the binding IIS needs the host name to lookup the right certificate. Without the host name IIS can’t lookup the right site because the binding is incomplete. Without the certificate IIS can’t decrypt the SSL blob that contains the host name. Game over – we are turning in circles. 

What IIS does under the covers is to ignore the host name. IIS binds the certificate to IP:Port and warns you when you try to bind a certificate to the same IP:Port combo with different host names. 

But there is a way if you need two different sites on the same IP:Port. You can accomplish this by getting a certificate that contains both common names, i.e. sitev1.mysite.com and sitev2.mysitem.com. Cert Authorities usually allow more than one so called “common names” in a certificate. By binding the certificate to one of the two sites you won’t not get certificate errors anymore. The client is happy if one of the names in the certificate matches. 

But there is another caveat: you can’t use the IIS7 User Interface to add a host header to an SSL site binding. You have to use command-line tools, do it programmatically or edit applicationhost.config directly. Here is an example and a link how you can it via command-line:

appcmd set site /site.name:”MySite V2″ /+bindings.[protocol=’https’,bindingInformation=’*:443:sitev2.mysite.com’]

And last but not least: with IIS7 you can use the following command to figure out what certificate is bound to a particular IP:Port combination:  
netsh http show sslcert

This command will show the IP:Port binding but also some other SSL settings.

Windows Process Activation Service error 5 – Access Denied

解决办法:C:\INETPUB\HISTORY. Under here you will see several folders with a prefix of CFGHISTORY. The folder with the highest revision number will be your latest backup. Copy this file and overwrite the existing file at C:\WINDOWS\SYSTEM32\INETSRV\CONFIG.

I ran into a strange error recently on an Exchange 2013 server. The WWW Publishing Service was stopped. When I tried to start the service it failed on a dependency. A quick check revealed the Windows Process Activation Service (WAS) was stopped. When I tried to start WAS, I received the following error.

Windows could not start the Windows Process Activation Service service on Local Computer Error 13 The data is invalid

Windows could not start the Windows Process Activation Service service on Local Computer. Error 13: The data is invalid.

The Event Viewer was littered with equally cryptic Event IDs, such as WAS 5005 and WAS 5036. 继续阅读

SSL证书格式详解与转换

一般来说,主流的 Web 服务软件,通常都基于 OpenSSL 和 Java 两种基础密码库。

  • Tomcat、Weblogic、JBoss 等 Web 服务软件,一般使用 Java 提供的密码库。通过 Java Development Kit (JDK)工具包中的 Keytool 工具,生成 Java Keystore(JKS)格式的证书文件。
  • Apache、Nginx 等 Web 服务软件,一般使用 OpenSSL 工具提供的密码库,生成 PEM、KEY、CRT 等格式的证书文件。
  • IBM 的 Web 服务产品,如 Websphere、IBM Http Server(IHS)等,一般使用 IBM 产品自带的 iKeyman 工具,生成 KDB 格式的证书文件。
  • 微软 Windows Server 中的 Internet Information Services(IIS)服务,使用 Windows 自带的证书库生成 PFX 格式的证书文件。

继续阅读

Optimizing Nginx for serving files bigger than 1GB

Yesterday I faced a strange issue, I realize that nginx was not serving files larger than 1GB. After investigation I found that it was due to the proxy_max_temp_file_size variable, that is configured by default to serve up to 1024 MB max.

This variable indicates the max size of a temporary file when the data served is bigger than the proxy buffer. If it is indeed bigger than the buffer, it will be served synchronously from the upstream server, avoiding the disk buffering.
If you configure proxy_max_temp_file_size to 0, then your temporary files will be disabled.

In this fix it was enough to locate this variable inside the location block, although you can use it inside server and httpd blocks. With this configuration you will optimize nginx for serving more than 1GB of data.

location / {
...
proxy_max_temp_file_size 1924m;
...
}

Restart nginx to take the changes:

service nginx restart

Smart and Efficient Byte-Range Caching with NGINX & NGINX Plus

When correctly deployed, caching is one of the quickest ways to accelerate web content. Not only does caching place content closer to the end user (thus reducing latency), it also reduces the number of requests to the upstream origin server, resulting in greater capacity and lower bandwidth costs.

The availability of globally distributed cloud platforms like AWS and DNS‑based global load balancing systems such as Route 53 make it possible to create your own global content delivery network (CDN).

In this article, we’ll look at how NGINX and NGINX Plus can cache and deliver traffic that is accessed using byte‑range requests. A common use case is HTML5 MP4 video, where requests use byte ranges to implement trick‑play (skip and seek) video playback. Our goal is to implement a caching solution for video delivery that supports byte ranges, and minimizes user latency and upstream network traffic.

Editor – The cache‑slice method discussed in Filling the Cache Slice‑by‑Slice was introduced in NGINX Plus R8. For an overview of all the new features in that release, see Announcing NGINX Plus R8 on our blog. 继续阅读

使用Nginx反向代理做cache缓存-实现CDN功能

目标

使用Nginx反向代理做cache缓存-实现CDN功能

环境

192.168.56.11是CDN节点
192.168.56.12是资源源站

源站nginx配置

源站nginx配置:
yum install -y nginx
hostnamectl set-hostname linux-node2
echo "This is linux-node2" >/usr/share/nginx/html/index.html
端口修改为8080
nginx -t
systemctl status nginx

要求:能正常使用curl请求访问资源。
curl -H "Host:www.exmail.com" http://192.168.56.12:8080

CDN节点-配置

继续阅读

Remove IIS Server version HTTP Response Header

How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Normal HTTP Response headers

Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.

Therefore it’s advised you remove at least some of them. 继续阅读

Packet Sender

 

Packet Sender is an open source utility to allow sending and receiving TCP, UDP, and SSL (encrypted TCP) packets. The mainline branch officially supports Windows, Mac, and Desktop Linux (with Qt). Other places may recompile and redistribute Packet Sender. Packet Sender is free and licensed GPL v2 or later. It can be used for both commercial and personal use.

Uses

  • Controlling network-based devices in ways beyond their original apps
  • Test automation (using its command line tool and/or hotkeys)
  • Testing network APIs (using the built-in TCP, UDP, SSL clients)
  • Malware analysis (using the built-in UDP, TCP, SSL servers)
  • Troubleshooting secure connections (using SSL ).
  • Testing network connectivity/firewalls (by having 2 Packet Senders talk to each other)
  • Tech support (by sending customers a portable Packet Sender with pre-defined settings and packets)
  • Sharing/Saving/Collaboration using the Packet Sender Cloud service.

继续阅读