分类目录归档：Software

AD DS允许外部用户访问本域Users and Computers的方法

近日给一个Forest级别Trust的Domain设置了Selective Trust，然后跨域访问开始爆炸。AD Administrative Center（dsac.exe）打开就报错（ System.Security.Authentication.AuthenticationException ）退出；几个MMC Snap-in则不是报告莫名其妙的local error就是提示 Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. 。用Delegation of Control Wizard给外部用户分配所有权限也没有用。

继续阅读 →

在HiDPI Windows系统下正确运行Cisco ASDM（以及其它Java 8图形界面程序）

发表评论

2020-06-02更新：ASDM 7.12以后用这种方法会导致加载进度条出现后死机；此时请把 javaw.exe 的HiDPI兼容模式改成“系统（增强）”。

创建注册表项来允许外部manifest文件覆盖exe程序内的设置：

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PreferExternalManifest"=dword:00000001

1 2	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide] "PreferExternalManifest"=dword:00000001

然后对每个需要patch的可执行程序，创建一个对应的文件名.exe.manifest 放在同一目录下。对于Java 8的默认安装，需要patch的是 C:\Program Files\Java\jre1.8.0_181\bin 下的 java.exe 和 javaw.exe 。

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">

<dependency>
  <dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*">
    </assemblyIdentity>
  </dependentAssembly>
</dependency>

<dependency>
  <dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b">
    </assemblyIdentity>
  </dependentAssembly>
</dependency>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  <security>
    <requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges>
  </security>
</trustInfo>

<asmv3:application>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
    <ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings">false</ms_windowsSettings:dpiAware>
  </asmv3:windowsSettings>
</asmv3:application>

</assembly>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

</assemblyIdentity>

</dependentAssembly>

</dependency>

</assemblyIdentity>

</dependentAssembly>

</dependency>

</requestedPrivileges>

</security>

</trustInfo>

<asmv3:application>

<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

<ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings">false</ms_windowsSettings:dpiAware>

</asmv3:windowsSettings>

</asmv3:application>

</assembly>

对于Cisco ASDM，如果你的系统里还安装了Java 10或者其它版本，它是没法正确运行的。打开 C:\Program Files (x86)\Cisco Systems\ASDM\run.bat ，在最后一行 start javaw.exe... 前面添加一行：

set PATH=C:\Program Files\Java\jre1.8.0_181\bin\;%PATH%

1	set PATH=C:\Program Files\Java\jre1.8.0_181\bin\;%PATH%

参考：

How to set the DPI of Java Swing apps on Windows/Linux?

Galera Cluster搭建与维护入门

发表评论

Galera Cluster是一个MySQL的Multi Master插件。简而言之，在多台服务器上配置好Galera Cluster以后，它们表现得像是同一个数据库，可同时读写，数据会自动同步。而且同步不需要低延迟的网络通信；它可以跨WAN工作。

继续阅读 →

用Nginx作为ZNC的SSL终结点

发表评论

本来打算配HAProxy的，HAProxy要求证书和私钥写在一个文件里面，certbot默认又不带这个功能，所以就换Nginx了，感觉配置写起来更方便一些。

需要编译进 ngx_stream_core_module 模块（Nginx官网apt源那个包是有的）。

stream {
    upstream znc {
        server 127.0.1.1:6697;
    }

    server {
        listen 6697 ssl;
        listen [::]:6697 ssl;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        proxy_pass znc;

        proxy_connect_timeout 10s;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL-TCP:50m;
        ssl_session_tickets off;

        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;

        # run `openssl dhparam -out /etc/ssl/dhparam.pem 4096` to generate dhparam
        ssl_dhparam /etc/ssl/dhparam.pem;
    }
}

stream {

upstream znc {

server 127.0.1.1:6697;

}

server {

listen 6697 ssl;

listen [::]:6697 ssl;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

proxy_pass znc;

proxy_connect_timeout 10s;

ssl_session_timeout 1d;

ssl_session_cache shared:SSL-TCP:50m;

ssl_session_tickets off;

# https://mozilla.github.io/server-side-tls/ssl-config-generator/

ssl_protocols TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

ssl_prefer_server_ciphers on;

# run `openssl dhparam -out /etc/ssl/dhparam.pem 4096` to generate dhparam

ssl_dhparam /etc/ssl/dhparam.pem;

}

注意 stream 和 http 是并列的块，不要写到 http 里边了。

用Wget下载HTTP目录

1条回复

我自己用的一个alias：

alias download-all="wget -r -nH --no-parent --reject=\"index.html*\" -nc -np --restrict-file-names=nocontrol -e robots=off"

1	alias download-all="wget -r -nH --no-parent --reject=\"index.html*\" -nc -np --restrict-file-names=nocontrol -e robots=off"

继续阅读 →

Drown in Codes

I was sixteen with an open heart…

分类目录归档：Software

AD DS允许外部用户访问本域Users and Computers的方法

在HiDPI Windows系统下正确运行Cisco ASDM（以及其它Java 8图形界面程序）

Galera Cluster搭建与维护入门

用Nginx作为ZNC的SSL终结点

用Wget下载HTTP目录