Importing a certificate into a Cisco ASA

Prepare a private key (.pem) and its matching certificate (.crt). Note that the certificate file should contain only the single certificate that belongs to that private key, not a certificate chain.

First convert the pair into a PKCS#12 bundle with OpenSSL. It prompts for an export password; the ASA will ask for the same password when it imports the bundle.

openssl pkcs12 -export -out asa.example.com.pfx -inkey asa.example.com.pem -in asa.example.com.crt

Then base64-encode the bundle (the ASA accepts the 64-column output as is).

openssl base64 -in asa.example.com.pfx -out asa.example.com.pfx.base64

Import it into the ASA. The name you give here becomes the trustpoint name that the later commands refer to (newcert below), and the password is the export password you gave OpenSSL:

Type help or '?' for a list of available commands.
asa> enable
Password: 
asa# configure terminal
asa(config)# crypto ca import <trustpoint-name> pkcs12 <export-password>
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
<paste the contents of the base64-encoded file here>
quit
INFO: Import PKCS12 operation completed successfully

Switch over to the new certificate (newcert and oldcert are the trustpoint names; the first two lines cover SSL/AnyConnect on each interface, the last two the IKEv2 remote-access VPN):

asa(config)# ssl trust-point newcert inside
asa(config)# ssl trust-point newcert outside
asa(config)# no crypto ikev2 remote-access trustpoint oldcert
asa(config)# crypto ikev2 remote-access trustpoint newcert

Delete the old certificate once nothing references its trustpoint any more:

asa(config)# no crypto ca trustpoint oldcert
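The two things that most often make the import fail are a .crt that still carries the intermediate chain and a key that does not belong to the certificate, and the ASA only tells you that the "Import PKCS12 operation failed". As an added example (not part of the original page), here is a small POSIX shell helper that checks both before running the same two OpenSSL steps. The file names, the function names and the use of -passout instead of the interactive prompt are assumptions for this example; it requires the openssl command-line tool.

```shell
# Added example, not from the original page: validate the key/certificate pair,
# then build the PKCS#12 bundle and its base64 text for the ASA import.
# File names, function names and -passout usage are assumptions for the example.

# Print how many PEM certificate blocks FILE contains (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeed only if the public key inside CERT equals the public key derived
# from KEY. Comparing the SubjectPublicKeyInfo blocks works for RSA and EC
# keys alike, unlike the old habit of comparing RSA moduli.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_asa_pkcs12 KEY CERT PASSWORD OUTBASE
#   Writes OUTBASE.pfx and OUTBASE.pfx.base64 and prints the path of the latter.
#   PASSWORD is the PKCS#12 export password, i.e. the string you later give to
#   `crypto ca import <trustpoint> pkcs12 <password>` on the ASA.
#   Refuses to build anything if CERT is not exactly one certificate or does
#   not belong to KEY, so the mistake is caught before the paste.
make_asa_pkcs12() {
    key=$1; cert=$2; password=$3; out=$4
    [ -r "$key" ] && [ -r "$cert" ] || { echo "cannot read $key or $cert" >&2; return 1; }
    n=$(count_certs "$cert")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one certificate in $cert, found $n (drop the chain)" >&2
        return 1
    fi
    if ! key_matches_cert "$key" "$cert"; then
        echo "private key $key does not match certificate $cert" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$out.pfx" -inkey "$key" -in "$cert" \
        -passout "pass:$password" || return 1
    # The ASA wants the DER blob as base64 text; openssl wraps it at 64 columns,
    # which is exactly what gets pasted between the prompt and the "quit" line.
    openssl base64 -in "$out.pfx" -out "$out.pfx.base64" || return 1
    echo "$out.pfx.base64"
}
```

Usage: `make_asa_pkcs12 asa.example.com.pem asa.example.com.crt 'export-password' asa.example.com`, then paste asa.example.com.pfx.base64 into the import prompt. If a bundle built with OpenSSL 3 is rejected by the ASA, re-export it with the `-legacy` option (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`) to get the older PKCS#12 algorithms; the base64 step is unchanged.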


Running a program that insists on a TTY from a systemd unit

There are always a few programs that insist on drawing an ncurses window in a terminal even though they could perfectly well run in the background. In that case we have to fool them into believing they are running inside a TTY. Two things need to be set:

  • the environment variable TERM=linux, so the curses library has a terminal type to look up
  • the script program as a wrapper, which allocates a pseudo-terminal so the program's stdin/stdout look like a TTY

For example, a simple systemd template unit for rtorrent (< 0.9.7):

# cat rtorrent@.service
[Unit]
Description=rTorrent
After=network-online.target

[Service]
User=%i
Environment=TERM=linux
ExecStartPre=/bin/sh -c "/usr/bin/mkdir -p \"$HOME/.local/share/rtorrent/session\""
# script flags: -q no start/stop banner, -e exit with rtorrent's own status (so
# Restart=on-failure sees real failures), -f flush output as it is produced,
# -c command to run; the typescript file is /dev/null so nothing rtorrent draws
# is recorded on disk
ExecStart=/usr/bin/script -qefc '/usr/bin/rtorrent -s $HOME/.local/share/rtorrent/session -o session=$HOME/.local/share/rtorrent/session' /dev/null
WorkingDirectory=~
Restart=on-failure

[Install]
WantedBy=multi-user.target
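Before committing a command to a unit it is worth checking what the script wrapper actually changes for the program inside it. The following POSIX shell functions are an added example, not part of the original page or of rtorrent: they wrap an arbitrary command the same way the ExecStart line above does and probe what it sees. They need util-linux script (Linux); the probe command and the function names are chosen for the example.

```shell
# Added example, not from the original page: run a command under `script`
# exactly as the unit above does and observe the difference.
# Requires util-linux `script`; function names are assumptions for the example.

# Run the command string $1 under a pseudo-terminal with TERM=linux.
# -q: no start/stop banner; -e: exit with the child's status; -f: flush
# output as it is produced; -c: the command to run. The typescript file is
# /dev/null so nothing the program prints is written to disk. stdin is
# /dev/null on purpose, which is what a systemd service gets by default.
fake_tty() {
    TERM=linux script -qefc "$1" /dev/null < /dev/null
}

# What a program sees when started the normal way (stdin from /dev/null,
# as systemd does by default): prints "notty".
tty_status_plain() {
    sh -c 'test -t 0 && echo tty || echo notty' < /dev/null
}

# The same probe through fake_tty: prints "tty". The pseudo-terminal turns
# "\n" into "\r\n" on the way out, so strip the carriage returns.
tty_status_faked() {
    fake_tty 'test -t 0 && echo tty || echo notty' | tr -d '\r'
}

# The TERM value the wrapped program inherits (prints "linux").
fake_tty_term() {
    fake_tty 'printf "%s\n" "$TERM"' | tr -d '\r'
}

# The wrapped program's exit status is passed through because of -e; without
# it, script would exit 0 and Restart=on-failure would never fire.
fake_tty_exit_code() {
    rc=0
    fake_tty "exit $1" > /dev/null || rc=$?
    echo "$rc"
}
```

A quick check from a shell: `tty_status_plain` prints notty and `tty_status_faked` prints tty, which is the whole trick; `fake_tty_exit_code 3` prints 3, confirming that a crashing program still trips Restart=on-failure through the wrapper.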

Note: from rtorrent 0.9.7 on you can pass -o system.daemon.set=true, which makes rtorrent run without a terminal, so none of the above is needed:

# cat rtorrent@.service
[Unit]
Description=rTorrent
After=network-online.target

[Service]
User=%i
ExecStartPre=/bin/sh -c "/usr/bin/mkdir -p \"$HOME/.local/share/rtorrent/session\""
ExecStart=/bin/sh -c "/usr/bin/rtorrent -s $HOME/.local/share/rtorrent/session -o session=$HOME/.local/share/rtorrent/session -o system.daemon.set=true"
WorkingDirectory=~
Restart=on-failure

[Install]
WantedBy=multi-user.target

Nginx: falling back to local files when the reverse-proxied backend is unreachable

Requirement: when a user connects, serve the reverse-proxied content by default; if the backend server cannot be reached, serve a pre-rendered local copy instead.

Implementation. One detail matters: nginx answers a refused or failed upstream connection with 502, but an upstream that hits proxy_connect_timeout or proxy_read_timeout gives 504, so error_page has to list both or the short timeouts below would not trigger the fallback:

server {
    # ... #

    # named location holding the pre-rendered static copy of the site
    location @local_static_files {
        root /var/www/html;
        index index.html;
        # $uri is still the original request URI here, so a request for /foo/
        # is served from /var/www/html/foo/index.html
        try_files $uri $uri/index.html =404;
    }

    location / {
        # try the proxy first
        proxy_pass http://backend-server:8080/;

        client_max_body_size    16m;
        client_body_buffer_size 128k;
        proxy_buffers           32 4k;

        # keep the timeouts short so a dead backend does not make users wait;
        # note that proxy_read_timeout is the allowed silence between two
        # successive reads, so a healthy but slow backend will also be treated
        # as down and fall back
        proxy_connect_timeout   2s;
        proxy_send_timeout      1s;
        proxy_read_timeout      1s;

        # see https://github.com/Jamesits/oh-my-nginx/blob/master/conf.d/templates/transparent-proxy.conf
        include conf.d/templates/transparent-proxy.conf;

        # fall back to the local static files when nginx itself cannot reach
        # the backend: a refused or failed connection gives 502, a timeout 504
        error_page 502 504 = @local_static_files;

        # these only cover errors generated by nginx; a 5xx that the backend
        # itself returns is passed through unchanged unless you also enable
        # proxy_intercept_errors on;  # then any backend status >= 300 that has
        #                             # an error_page entry is handled by it
    }

    # ... #
}