next set of updates

This commit is contained in:
Charlie Root 2020-05-26 21:15:31 -07:00
parent 2327d9d6c0
commit 7707eb5865
61 changed files with 43942 additions and 122 deletions

View File

@ -20,6 +20,7 @@ vfs.read_max=128
vfs.timestamp_precision=3 vfs.timestamp_precision=3
net.link.tap.up_on_open=1 net.link.tap.up_on_open=1
#net.link.lagg.lacp.default_strict_mode=0 #net.link.lagg.lacp.default_strict_mode=0
net.link.ether.inet.log_arp_movements=0
net.inet.ip.fw.verbose_limit=5 net.inet.ip.fw.verbose_limit=5
dev.igb.0.fc=0 dev.igb.0.fc=0
@ -111,3 +112,7 @@ net.inet.tcp.rack.data_after_close=0
# Verify RACK # Verify RACK
# sysctl net.inet.tcp.functions_available # sysctl net.inet.tcp.functions_available
# sysctl net.inet.tcp.rack. # sysctl net.inet.tcp.rack.
#Cheap Disk Issues
kern.cam.ada.default_timeout=60
kern.cam.da.default_timeout=90

View File

@ -0,0 +1,38 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: cam_tag
# REQUIRE: DAEMON
. /etc/rc.subr
: ${cam_tag_enable="NO"}
name=cam_tag
rcvar=${name}_enable
COMMAND="/root/FreeBSD/scripts/cam_tag.sh"
start_cmd="${name}_start"
restart_cmd="${name}_restart"
cam_tag_start()
{
$COMMAND
}
cam_tag_restart()
{
$COMMAND
}
load_rc_config ${name}
run_rc_command "$1"

View File

@ -1,3 +1,5 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e # the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: gstat_exporter # PROVIDE: gstat_exporter
# REQUIRE: NETWORKING DAEMON # REQUIRE: NETWORKING DAEMON
@ -19,7 +19,7 @@
name=gstat_exporter name=gstat_exporter
rcvar=${name}_enable rcvar=${name}_enable
GSTATEXPORTER="nohup /usr/local/bin/python3.6 /root/FreeBSD/scripts/gstat_exporter.py" GSTATEXPORTER="nohup /usr/local/bin/python3.7 /root/FreeBSD/scripts/gstat_exporter.py"
start_cmd="${name}_start" start_cmd="${name}_start"
stop_cmd="${name}_stop" stop_cmd="${name}_stop"

View File

@ -1,24 +0,0 @@
ZPOOL=""
SERVER=""
PYTHON?=/usr/local/bin/python3.7
depends:
@(pkg -vv | grep -e "url.*/latest") > /dev/null 2>&1 || (echo "It is advised pkg url is using \"latest\" instead of \"quarterly\" in /etc/pkg/FreeBSD.conf.";)
@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
pkg install -q -y py37-libzfs
${PYTHON} -m ensurepip
${PYTHON} -m pip install -Ur requirements.txt
install: depends
${PYTHON} -m pip install -U .
uninstall:
${PYTHON} -m pip uninstall -y iocage-lib iocage-cli
test:
pytest --zpool $(ZPOOL) --server $(SERVER)
help:
@echo " install"
@echo " Installs iocage"
@echo " uninstall"
@echo " Removes iocage"
@echo " test"
@echo " Run unit tests with pytest"

Binary file not shown.

View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -8,8 +8,12 @@
#! /usr/local/bin/bash #! /usr/local/bin/bash
# smart_host - mail - is the mail server's dns name # smart_host - mail - is the mail server's dns name
# TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1` IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_IDENT', \`0')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_COMMAND', \`2m')" >> /etc/mail/$HOSTNAME.mc

View File

@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

15
jails/config/ibm/create_tuns.sh Executable file
View File

@ -0,0 +1,15 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
#
ifconfig tun181 create
#ifconfig bridge1 addm tap181 up
#ifconfig tap181 up
#ifconfig tap181 inet6 auto_linklocal

17
jails/config/ibm/ibm.sh Executable file
View File

@ -0,0 +1,17 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/usr/local/bin/bash
# ./ibm.sh under tmux
ifconfig tun186 create
ifconfig tun186 inet 172.16.0.186 172.16.0.100
chmod 666 /dev/tun186
cd /data/Z110/CONF
# hercules

140
jails/config/ibm/ipfw.rules Executable file
View File

@ -0,0 +1,140 @@
#!/bin/sh
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
# ipfw -vated list
# IPFW configuration
#sysrc firewall_enable="YES"
#sysrc firewall_logif="YES"
#sysrc firewall_script="/mnt/config/ipfw.rules"
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
#sysrc natd_interface="epair0b"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#natd.conf:
#redirect_port tcp 172.16.0.100:21-23 21-23
# Set rules command prefix
cmd="ipfw -q add"
lif="tun186" # interface name of tunnel attached to Local network
rif="epair0b" # interface name of vnet attached to Remote/external network
skip="skipto 12000"
# Flush out the list before we begin.
ipfw -q -f flush
# gateway_enable already set in rc.conf
# sysctl net.inet.ip.forwarding=1
# Packets passing the stateful NAT may be re-injected into the firewall
# sysctl net.inet.ip.fw.one_pass=0
ipfw disable one_pass
# functionality is included in the divert action
#ipfw -q nat 1 config if $rif same_ports unreg_only reset
$cmd 00050 allow ip from any to any via $lif
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
# The reassemble rule is not needed with userland natd(8)
# because the internal workings of the IPFW divert action
# takes care of reassembling packets before delivery to the socket
#$cmd 01100 reass all from any to any in
$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 01300 check-state
# Allow access to DNS
$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
# Allow outbound ping
$cmd 02210 $skip icmp from any to any out via $rif keep-state
# Allow outbound NTP
$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
# Allow outbound TCP traffic
$cmd 02500 $skip tcp from any to any 20,22,25,80,443 out via $rif setup keep-state
# 03720 pasv ftp
# deny and log all other outbound connections
$cmd 02999 deny log all from any to any out via $rif
#### Lockdown incoming traffic
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 02120.
#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
# Allow public pings
$cmd 03210 allow icmp from any to any in via $rif
# Deny ident
$cmd 03230 deny tcp from any to any 113 in via $rif
# Deny all Netbios services.
$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
# Deny fragments
$cmd 03250 deny all from any to any frag in via $rif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03500 deny tcp from any to any established in via $rif
# Allow inbound SSH host connections
$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
# Allow HTTP host connections to host web server
$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
# Allow inbound Telnet connections to NAT
$cmd 03710 allow tcp from any to me 23,3270 in via $rif setup limit src-addr 2
# Allow inbound FTP connections to NAT
$cmd 03720 allow tcp from any to me 20,21 in via $rif setup limit src-addr 2
# 02500 pasv ftp
# Reject and log all other incoming connections
$cmd 03999 deny log all from any to any in via $rif
#### lockdown in
$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
$cmd 65000 allow ip from any to any
#$cmd 65535 deny ip from any to any

View File

@ -0,0 +1,2 @@
redirect_port tcp 172.16.0.100:20-21 20-21
redirect_port tcp 172.16.0.100:23 23

4
jails/config/ibm/setup_jail.sh Executable file
View File

@ -0,0 +1,4 @@
# requrired to run other configured scripts
/bin/sh /etc/rc
# launch tmux with emu
#/mnt/config/startemu.sh

31
jails/config/ibm/startemu.sh Executable file
View File

@ -0,0 +1,31 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
#
session="emu_tmux"
# set up tmux
tmux start-server
# create a new tmux session, naming the window hercules
tmux new-session -d -s $session -n hercules
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./ibm.sh" C-m
# create a new window empty
tmux new-window -t $session:1 -n empty
tmux selectp -t 1
tmux send-keys "cd /mnt/config;clear" C-m
# return to main window
tmux select-window -t $session:0
tmux selectp -t 1
# Finished setup, attach to the tmux session!
#tmux attach-session -t $session

View File

@ -282,7 +282,8 @@ unknown_local_recipient_reject_code = 550
#mynetworks = $config_directory/mynetworks #mynetworks = $config_directory/mynetworks
#mynetworks = hash:$config_directory/network_table #mynetworks = hash:$config_directory/network_table
mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56 #mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [2603:3024:3f6:e1::]/64
smtp_bind_address = 192.168.0.100 smtp_bind_address = 192.168.0.100
smtp_bind_address6 = 2603:3024:3f6:e1::100 smtp_bind_address6 = 2603:3024:3f6:e1::100
@ -680,6 +681,10 @@ sample_directory = /usr/local/etc/postfix
# #
readme_directory = /usr/local/share/doc/postfix readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6 inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
smtp_address_preference = ipv4
meta_directory = /usr/local/libexec/postfix meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix shlib_directory = /usr/local/lib/postfix
@ -776,21 +781,21 @@ smtpd_helo_required = yes
# entry and present a valid, FQDN HELO hostname. In addition, they can only # entry and present a valid, FQDN HELO hostname. In addition, they can only
# send mail to valid mailboxes on the server, and the sender's domain must # send mail to valid mailboxes on the server, and the sender's domain must
# actually exist. # actually exist.
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject_unauth_pipelining smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_unknown_reverse_client_hostname
# you might want to consider: # you might want to consider:
# reject_unknown_client_hostname, # reject_unknown_client_hostname,
# here. This will reject all incoming connections without a reverse DNS # here. This will reject all incoming connections without a reverse DNS
# entry that resolves back to the client's IP address. This is a very # entry that resolves back to the client's IP address. This is a very
# restrictive check and may reject legitimate mail. # restrictive check and may reject legitimate mail.
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,reject_unauth_pipelining smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_unauth_pipelining,reject_non_fqdn_helo_hostname
# you might want to consider: # you might want to consider:
# reject_unknown_helo_hostname, # reject_unknown_helo_hostname,
# here. This will reject all incoming mail without a HELO hostname that # here. This will reject all incoming mail without a HELO hostname that
# properly resolves in DNS. This is a somewhat restrictive check and may # properly resolves in DNS. This is a somewhat restrictive check and may
# reject legitimate mail. # reject legitimate mail.
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! # !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
@ -806,7 +811,7 @@ virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-maps.cf
# LDAP query to find a user's email aliases # LDAP query to find a user's email aliases
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-alias-maps.cf, hash:/usr/local/etc/postfix/virtual-maillist-alias-maps virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-alias-maps.cf, hash:/usr/local/etc/postfix/virtual-maillist-alias-maps
# We'll uncomment these when we set up rspamd later: # rspamd specific
milter_protocol = 6 milter_protocol = 6
# if rspamd is down, don't reject mail # if rspamd is down, don't reject mail
milter_default_action = accept milter_default_action = accept

View File

@ -177,6 +177,7 @@ import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LA
in_flow_delay = 1s in_flow_delay = 1s
inet_interfaces = all inet_interfaces = all
inet_protocols = all inet_protocols = all
info_log_address_format = external
initial_destination_concurrency = 5 initial_destination_concurrency = 5
internal_mail_filter_classes = internal_mail_filter_classes =
invalid_hostname_reject_code = 501 invalid_hostname_reject_code = 501
@ -327,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
luser_relay = luser_relay =
mail_name = Postfix mail_name = Postfix
mail_owner = postfix mail_owner = postfix
mail_release_date = 20190921 mail_release_date = 20200316
mail_spool_directory = /var/mail mail_spool_directory = /var/mail
mail_version = 3.4.7 mail_version = 3.5.0
mailbox_command = mailbox_command =
mailbox_command_maps = mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock mailbox_delivery_lock = flock, dotlock
@ -358,7 +359,7 @@ message_size_limit = 10240000
message_strip_characters = message_strip_characters =
meta_directory = /usr/local/libexec/postfix meta_directory = /usr/local/libexec/postfix
milter_command_timeout = 30s milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} {daemon_addr} v milter_connect_macros = j {daemon_name} {daemon_addr} v _
milter_connect_timeout = 30s milter_connect_timeout = 30s
milter_content_timeout = 300s milter_content_timeout = 300s
milter_data_macros = i milter_data_macros = i
@ -733,7 +734,7 @@ smtpd_sasl_response_limit = 12288
smtpd_sasl_security_options = noanonymous smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot smtpd_sasl_type = cyrus
smtpd_sender_login_maps = smtpd_sender_login_maps =
smtpd_sender_restrictions = smtpd_sender_restrictions =
smtpd_service_name = smtpd smtpd_service_name = smtpd

View File

@ -16,9 +16,9 @@ smtp inet n - n - - smtpd
#dnsblog unix - - n - 0 dnsblog #dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy #tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt -o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes -o tls_preempt_cipherlist=yes
# -o syslog_name=postfix/submission
# -o smtpd_sasl_auth_enable=yes # -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes # -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no # -o smtpd_reject_unlisted_recipient=no

View File

@ -79,7 +79,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: maildrop_destination_recipient_limit=1 # Also specify in main.cf: maildrop_destination_recipient_limit=1
# #
#maildrop unix - n n - - pipe #maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# #
# ==================================================================== # ====================================================================
# #
@ -98,7 +98,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: cyrus_destination_recipient_limit=1 # Also specify in main.cf: cyrus_destination_recipient_limit=1
# #
#cyrus unix - n n - - pipe #cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# #
# ==================================================================== # ====================================================================
# #
@ -129,5 +129,5 @@ postlog unix-dgram n - n - 1 postlogd
# ${nexthop} ${user} ${extension} # ${nexthop} ${user} ${extension}
# #
#mailman unix - n n - - pipe #mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user} # ${nexthop} ${user}

View File

@ -1,4 +1,6 @@
# Copyright (c) 2018-2020, diyIT.org #!/bin/sh
# Copyright (c) 2018-2019, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -6,8 +8,6 @@
# #
# #
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e # the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: mapsserver # PROVIDE: mapsserver
# REQUIRE: NETWORKING DAEMON # REQUIRE: NETWORKING DAEMON

View File

@ -0,0 +1,58 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.ahlawat.com",
"server_name": "matrix.ahlawat.com"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Riot",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"defaultCountryCode": "US",
"showLabsSettings": false,
"features": {
"feature_pinning": "labs",
"feature_custom_status": "labs",
"feature_custom_tags": "labs",
"feature_state_counters": "labs"
},
"default_federate": true,
"default_theme": "light",
"roomDirectory": {
"servers": [
"matrix.org"
]
},
"welcomeUserId": "@riot-bot:matrix.org",
"piwik": {
"url": "https://piwik.riot.im/",
"whitelistedHSUrls": ["https://matrix.org"],
"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
"siteId": 1
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false
},
"settingDefaults": {
"breadcrumbs": true
},
"jitsi": {
"preferredDomain": "meet.ahlawat.com"
}
}

View File

@ -0,0 +1,161 @@
#user nobody;
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# server {
# listen 80;
# server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# location / {
# root /usr/local/www/nginx;
# index index.html index.htm;
# }
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/local/www/nginx-dist;
# }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# }
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
server_names_hash_bucket_size 64;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name matrix.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#access_log logs/host.access.log main;
#location /favicon.ico { access_log off; log_not_found off; }
root /usr/local/www/riot;
index index.html;
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
}

View File

@ -0,0 +1,9 @@
192.168.0.67 auth.meet.ahlawat.com
2603:3024:3f6:e1::67 auth.meet.ahlawat.com
192.168.0.67 confrence.meet.ahlawat.com
2603:3024:3f6:e1::67 conference.meet.ahlawat.com
192.168.0.67 focus.meet.ahlawat.com
2603:3024:3f6:e1::67 focus.meet.ahlawat.com
192.168.0.67 jistsi-videobridge.meet.ahlawat.com
2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com

View File

@ -0,0 +1,9 @@
JVB_XMPP_HOST=localhost
JVB_XMPP_DOMAIN=meet.ahlawat.com
JVB_XMPP_PORT=5347
JVB_XMPP_SECRET=YOURSECRET2-qwertyuiop
JVB_XMPP_USER_DOMAIN=auth.meet.ahlawat.com
JVB_XMPP_USER_NAME=focus
JVB_XMPP_USER_SECRET=YOURSECRET3-qwertyuiop
MAX_MEMORY=3072m

View File

@ -0,0 +1,542 @@
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
// domain: 'jitsi-meet.example.com',
domain: 'meet.ahlawat.com',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: 'jitsi-meet.example.com',
// Jirecon recording component domain.
// jirecon: 'jirecon.jitsi-meet.example.com',
// Call control component (Jigasi).
// call_control: 'callcontrol.jitsi-meet.example.com',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.jitsi-meet.example.com',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
// muc: 'conference.jitsi-meet.example.com'
muc: 'conference.meet.ahlawat.com',
bridge: 'jitsi-videobridge.meet.ahlawat.com',
},
useNicks: false,
// BOSH URL. FIXME: use XEP-0156 to discover it.
// bosh: '//jitsi-meet.example.com/http-bind',
bosh: '//meet.ahlawat.com/http-bind',
// Websocket URL
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// focusUserJid: 'focus@auth.jitsi-meet.example.com',
// Testing / experimental features.
//
testing: {
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
// disableAudioLevels: false,
// audioLevelsInterval: 200,
// Enabling this will run the lib-jitsi-meet no audio detection module which
// will notify the user if the current selected microphone has no audio
// input and will suggest another valid device if one is present.
enableNoAudioDetection: true,
// Enabling this will run the lib-jitsi-meet noise detection module which will
// notify the user if there is noise, other than voice, coming from the current
// selected microphone. The purpose it to let the user know that the input could
// be potentially unpleasant for other meeting participants.
enableNoisyMicDetection: true,
// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independent from
// this config's resolution value. Defaults to requesting an ideal
// resolution of 720p.
// constraints: {
// video: {
// height: {
// ideal: 720,
// max: 720,
// min: 240
// }
// }
// },
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
// startVideoMuted: 10,
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// The ID of the jidesha extension for Chrome.
desktopSharingChromeExtId: null,
// Whether desktop sharing should be disabled on Chrome.
// desktopSharingChromeDisabled: false,
// The media sources to use when using screen sharing with the Chrome
// extension.
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
// Required version of Chrome extension
desktopSharingChromeMinExtVersion: '0.1',
// Whether desktop sharing should be disabled on Firefox.
// desktopSharingFirefoxDisabled: false,
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://jitsi-meet.example.com/static/oauth.html'
// redirectURI:
// 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// Enable IPv6 support.
// useIPv6: true,
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
// UI
//
// Use display name as XMPP nickname.
// useNicks: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
// defaultLanguage: 'en',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
// pcStatsInterval: 10000,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// enables sending participants display name to callstats
// enableDisplayNameInStats: false,
// enables sending participants email if available to callstats and other analytics
// enableEmailInStats: false,
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
// { urls: 'stun:jitsi-meet.example.com:4446' },
// { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
{ urls: 'stun:ahlawat.com:3478' }
],
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported).
preferH264: true
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
},
// Decides whether the start/stop recording audio notifications should play on record.
// disableRecordAudioNotification: false,
// Information for the chrome extension banner
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label',
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false,
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false,
// Mainly privacy related settings
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// },
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true
// },
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
autoRecord
autoRecordToken
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'
// no configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var */

View File

@ -0,0 +1,258 @@
/* eslint-disable no-unused-vars, no-var, max-len */
var interfaceConfig = {
// TO FIX: this needs to be handled from SASS variables. There are some
// methods allowing to use variables both in css and js.
DEFAULT_BACKGROUND: '#474747',
/**
* Whether or not the blurred video background for large video should be
* displayed on browsers that can support it.
*/
DISABLE_VIDEO_BACKGROUND: false,
INITIAL_TOOLBAR_TIMEOUT: 20000,
TOOLBAR_TIMEOUT: 4000,
TOOLBAR_ALWAYS_VISIBLE: false,
DEFAULT_REMOTE_DISPLAY_NAME: 'Friend',
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
SHOW_JITSI_WATERMARK: false,
JITSI_WATERMARK_LINK: 'https://meet.ahlawat.com',
// if watermark is disabled by default, it can be shown only for guests
SHOW_WATERMARK_FOR_GUESTS: false,
SHOW_BRAND_WATERMARK: false,
BRAND_WATERMARK_LINK: 'https://meet.ahlawat.com',
SHOW_POWERED_BY: false,
SHOW_DEEP_LINKING_IMAGE: false,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: false,
DISPLAY_WELCOME_PAGE_CONTENT: false,
DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
APP_NAME: 'Ahlawat meet',
NATIVE_APP_NAME: 'Ahlawat meet',
PROVIDER_NAME: 'Ahlawat',
LANG_DETECTION: true, // Allow i18n to detect the system language
INVITATION_POWERED_BY: false,
/**
* If we should show authentication block in profile
*/
AUTHENTICATION_ENABLE: true,
/**
* The name of the toolbar buttons to display in the toolbar. If present,
* the button will display. Exceptions are "livestreaming" and "recording"
* which also require being a moderator and some values in config.js to be
* enabled. Also, the "profile" button will not display for user's with a
* jwt.
*/
TOOLBAR_BUTTONS: [
'microphone', 'camera', 'closedcaptions', 'desktop', 'fullscreen',
'fodeviceselection', 'hangup', 'profile', 'info', 'chat', 'recording',
'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone',
'e2ee'
],
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
// Determines how the video would fit the screen. 'both' would fit the whole
// screen, 'height' would fit the original video height to the height of the
// screen, 'width' would fit the original video width to the width of the
// screen respecting ratio.
VIDEO_LAYOUT_FIT: 'both',
/**
* Whether to only show the filmstrip (and hide the toolbar).
*/
filmStripOnly: false,
/**
* Whether to show thumbnails in filmstrip as a column instead of as a row.
*/
VERTICAL_FILMSTRIP: true,
// A html text to be shown to guests on the close page, false disables it
CLOSE_PAGE_GUEST_HINT: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
RANDOM_AVATAR_URL_PREFIX: false,
RANDOM_AVATAR_URL_SUFFIX: false,
FILM_STRIP_MAX_HEIGHT: 120,
// Enables feedback star animation.
ENABLE_FEEDBACK_ANIMATION: false,
DISABLE_FOCUS_INDICATOR: false,
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_TRANSCRIPTION_SUBTITLES: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
POLICY_LOGO: null,
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
// Documentation reference for the live streaming feature.
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
/**
* Whether the mobile app Jitsi Meet is to be promoted to participants
* attempting to join a conference in a mobile Web browser. If
* {@code undefined}, defaults to {@code true}.
*
* @type {boolean}
*/
MOBILE_APP_PROMO: true,
/**
* Maximum coeficient of the ratio of the large video to the visible area
* after the large video is scaled to fit the window.
*
* @type {number}
*/
MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
/*
* If indicated some of the error dialogs may point to the support URL for
* help.
*/
SUPPORT_URL: 'https://ahlawat.com/',
/**
* Whether the connection indicator icon should hide itself based on
* connection strength. If true, the connection indicator will remain
* displayed while the participant has a weak connection and will hide
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
* strong.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
/**
* How long the connection indicator should remain displayed before hiding.
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
*
* @type {number}
*/
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
/**
* If true, hides the connection indicators completely.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_DISABLED: false,
/**
* If true, hides the video quality label indicating the resolution status
* of the current large video.
*
* @type {boolean}
*/
VIDEO_QUALITY_LABEL_DISABLED: false,
/**
* If true, will display recent list
*
* @type {boolean}
*/
RECENT_LIST_ENABLED: true,
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron' ],
// Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [],
/**
* A UX mode where the last screen share participant is automatically
* pinned. Valid values are the string "remote-only" so remote participants
* get pinned but not local, otherwise any truthy value for all participants,
* and any falsy value to disable the feature.
*
* Note: this mode is experimental and subject to breakage.
*/
AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
/**
* If true, presence status: busy, calling, connected etc. is not displayed.
*/
DISABLE_PRESENCE_STATUS: false,
/**
* If true, notifications regarding joining/leaving are no longer displayed.
*/
DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
/**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering.
*/
SHOW_CHROME_EXTENSION_BANNER: false
/**
* When enabled, the kick participant button will not be presented for users without a JWT
*/
// HIDE_KICK_BUTTON_FOR_GUESTS: false
/**
* How many columns the tile view can expand to. The respected range is
* between 1 and 5.
*/
// TILE_VIEW_MAX_COLUMNS: 5,
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
/**
* Specify the Android app package name.
*/
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
/**
* Override the behavior of some notifications to remain displayed until
* explicitly dismissed through a user action. The value is how long, in
* milliseconds, those notifications should remain displayed.
*/
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
MOBILE_DYNAMIC_LINK
PHONE_NUMBER_REGEX
*/
};
/* eslint-enable no-unused-vars, no-var, max-len */

View File

@ -0,0 +1,190 @@
#user nobody;
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# server {
# listen 80;
# server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# location / {
# root /usr/local/www/nginx;
# index index.html index.htm;
# }
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/local/www/nginx-dist;
# }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# }
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
server_names_hash_bucket_size 64;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name meet.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#access_log logs/host.access.log main;
#location /favicon.ico { access_log off; log_not_found off; }
root /usr/local/www/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location /http-bind {
proxy_pass http://meet.ahlawat.com:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /usr/local/www/jitsi-meet/libs/external_api.min.js;
}
# xmpp websockets
location /xmpp-websocket {
proxy_pass http://meet.ahlawat.com:5280/xmpp-websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
tcp_nodelay on;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
}

View File

@ -0,0 +1,234 @@
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
pidfile = "/var/run/prosody/prosody.pid"
-- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "focus@auth.meet.ahlawat.com" }
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
--plugin_paths = {}
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"websocket"; -- XMPP over WebSockets
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"limits"; -- Enable bandwidth limiting for XMPP connections
--"groups"; -- Shared roster support
--"server_contact_info"; -- Publish contact information for this service
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
s2s_require_encryption = true
-- Force certificate authentication for server-to-server connections?
s2s_secure_auth = false
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
--s2s_insecure_domains = { "insecure.example" }
-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "prosody.err";
-- "*syslog"; -- Uncomment this for logging to syslog
-- "*console"; -- Log to the console, useful for debugging with daemonize=false
}
-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
-- certificates = "certs"
certificates = "/mnt/certs"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/usr/local/etc/prosody/certs/localhost.crt"
https_certificate = "/mnt/certs/haproxy.pem"
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
-- VirtualHost "localhost"
VirtualHost "meet.ahlawat.com"
ssl = {
key = "/mnt/certs/privkeyr.pem";
certificate = "/mnt/certs/fullchain.pem";
}
authentication = "anonymous"
modules_enabled = {
"bosh";
"pubsub";
}
c2s_require_encryption = false
-- certificate = "/path/to/example.crt"
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
Component "conference.meet.ahlawat.com" "muc"
Component "jitsi-videobridge.meet.ahlawat.com"
component_secret = "YOURSECRET1-qwertyuiop"
Component "focus.meet.ahlawat.com"
component_secret = "YOURSECRET2-qwertyuiop"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
VirtualHost "auth.meet.ahlawat.com"
ssl = {
key = "/var/db/prosody/auth.meet.ahlawat.com.key";
certificate = "/var/db/prosody/auth.meet.ahlawat.com.crt";
}
authentication = "internal_hashed"

View File

@ -0,0 +1,7 @@
JVB_XMPP_HOST=localhost
JVB_XMPP_DOMAIN=meet.ahlawat.com
JVB_XMPP_PORT=5347
JVB_XMPP_SECRET=YOURSECRET1-qwertyuiop
VIDEOBRIDGE_MAX_MEMORY=3072m
# VIDEOBRIDGE_DEBUG_OPTIONS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000"

View File

@ -0,0 +1,7 @@
#org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.meet.ahlawat.com/.*
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
# The videobridge uses 443 by default with 4443 as a fallback, but since we're already
# running nginx on 443 in this example doc, we specify 4443 manually to avoid a race condition
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.0.67
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=173.167.104.25

View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -0,0 +1,938 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.4.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "singlestat",
"name": "Singlestat",
"version": "5.0.0"
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "${DS_PROMETHEUS}",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"gnetId": 11175,
"graphTooltip": 0,
"id": null,
"iteration": 1573505620144,
"links": [],
"panels": [
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 15,
"panels": [],
"repeat": "targets",
"title": "$targets UP/DOWN Status",
"type": "row"
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 24,
"x": 0,
"y": 1
},
"id": 2,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeat": null,
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_success{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "1,1",
"title": "$targets",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "UP",
"value": "1"
},
{
"op": "=",
"text": "DOWN",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 3
},
"id": 18,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_http_ssl{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "0,1",
"title": "SSL",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"fill": 1,
"gridPos": {
"h": 6,
"w": 9,
"x": 6,
"y": 3
},
"id": 17,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_duration_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Probe Duration",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"fill": 1,
"gridPos": {
"h": 6,
"w": 9,
"x": 15,
"y": 3
},
"id": 21,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_dns_lookup_time_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "DNS Lookup",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"decimals": 2,
"format": "dtdurations",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 5
},
"id": 19,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_ssl_earliest_cert_expiry{instance=~\"$targets\"}-time()",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "0,1209600",
"title": "SSL Cert Expiry",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"decimals": 0,
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 7
},
"id": 20,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_http_status_code{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "200,299,300",
"title": "HTTP Status Code",
"transparent": false,
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"format": "s",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 12,
"x": 0,
"y": 9
},
"id": 23,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "avg(probe_duration_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "Average Probe Duration",
"type": "singlestat",
"valueFontSize": "50%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"format": "s",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 12,
"x": 12,
"y": 9
},
"id": 24,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "avg(probe_dns_lookup_time_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "Average DNS Lookup",
"type": "singlestat",
"valueFontSize": "50%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
}
],
"refresh": "1m",
"schemaVersion": 16,
"style": "dark",
"tags": [
"blackbox",
"prometheus"
],
"templating": {
"list": [
{
"auto": true,
"auto_count": 10,
"auto_min": "10s",
"current": {
"text": "auto",
"value": "$__auto_interval_interval"
},
"hide": 0,
"label": "Interval",
"name": "interval",
"options": [
{
"selected": true,
"text": "auto",
"value": "$__auto_interval_interval"
},
{
"selected": false,
"text": "5s",
"value": "5s"
},
{
"selected": false,
"text": "10s",
"value": "10s"
},
{
"selected": false,
"text": "30s",
"value": "30s"
},
{
"selected": false,
"text": "1m",
"value": "1m"
},
{
"selected": false,
"text": "10m",
"value": "10m"
},
{
"selected": false,
"text": "30m",
"value": "30m"
},
{
"selected": false,
"text": "1h",
"value": "1h"
},
{
"selected": false,
"text": "6h",
"value": "6h"
},
{
"selected": false,
"text": "12h",
"value": "12h"
},
{
"selected": false,
"text": "1d",
"value": "1d"
},
{
"selected": false,
"text": "7d",
"value": "7d"
},
{
"selected": false,
"text": "14d",
"value": "14d"
},
{
"selected": false,
"text": "30d",
"value": "30d"
}
],
"query": "5s,10s,30s,1m,10m,30m,1h,6h,12h,1d,7d,14d,30d",
"refresh": 2,
"skipUrlSync": false,
"type": "interval"
},
{
"allValue": null,
"current": {},
"datasource": "${DS_PROMETHEUS}",
"definition": "label_values(probe_success, instance)",
"hide": 0,
"includeAll": true,
"label": null,
"multi": true,
"name": "targets",
"options": [],
"query": "label_values(probe_success, instance)",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"tagValuesQuery": "",
"tags": [],
"tagsQuery": "",
"type": "query",
"useTags": false
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Blackbox Exporter Overview",
"uid": "xtkCtBkiz",
"version": 1,
"description": "Fork of https://grafana.com/grafana/dashboards/5345 which uses 'instance' instead of 'target' label"
}

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,2 +1,3 @@
mount proc mount proc
/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash /usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
ps axww | grep logstash

View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -21,7 +21,7 @@ http {
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_set_header Host $proxy_host; proxy_set_header Host $host;
server { server {
listen *:80; listen *:80;
@ -95,6 +95,7 @@ http {
proxy_cache_lock on; proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404; proxy_next_upstream error timeout invalid_header http_404;
proxy_pass http://pkg-mirrors; proxy_pass http://pkg-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status; # add_header X-Proxy-Cache $upstream_cache_status;
} }
} }
@ -118,7 +119,7 @@ http {
listen [::]:8002; listen [::]:8002;
server_name localhost; server_name localhost;
location / { location / {
proxy_pass http://pkg0.cyb.FreeBSD.org; proxy_pass http://pkg0.tuk.FreeBSD.org;
} }
} }
@ -146,6 +147,7 @@ http {
proxy_cache_lock on; proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404; proxy_next_upstream error timeout invalid_header http_404;
proxy_pass http://update-mirrors; proxy_pass http://update-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status; # add_header X-Proxy-Cache $upstream_cache_status;
} }
} }

View File

@ -36,15 +36,6 @@ defaults
timeout tunnel 3600s timeout tunnel 3600s
timeout tarpit 60s timeout tarpit 60s
#listen stats
# bind :::1936 v4v6
# stats uri /
# stats enable
# stats refresh 10s
# stats show-node
# stats realm Haproxy\ Statistics
# stats auth infra:infra
frontend stats frontend stats
bind :::8404 v4v6 bind :::8404 v4v6
http-request use-service prometheus-exporter if { path /metrics } http-request use-service prometheus-exporter if { path /metrics }
@ -88,6 +79,7 @@ frontend ft
use_backend bk_diyit if { ssl_fc_sni www.diyit.space } use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com } use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com } use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
@ -101,6 +93,8 @@ frontend ft
use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com } use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com } use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com } use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com } use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org } use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
@ -108,7 +102,6 @@ frontend ft
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org } use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org } use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_beyondbell-api if { ssl_fc_sni api.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
@ -118,26 +111,37 @@ frontend ft
backend bk_ahlawat backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell backend bk_beyondbell
server srv1 192.168.0.74:8000 server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_diyit backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-sharad backend bk_ahlawat-sharad
balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-nivi backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-rishabh backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
#backend bk_ahlawat-book #backend bk_ahlawat-book
@ -164,10 +168,12 @@ backend bk_ahlawat-cam
backend bk_ahlawat-cloud backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-git backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspidel X-Frame-Options:* rspidel X-Frame-Options:*
# http-request set-var(txn.src) src # http-request set-var(txn.src) src
# acl mynet var(txn.src) -m sub 192.168.0 # acl mynet var(txn.src) -m sub 192.168.0
@ -178,8 +184,19 @@ backend bk_ahlawat-git
backend bk_ahlawat-hub backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-monitor backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
@ -199,6 +216,7 @@ backend bk_diyit-kibana
backend bk_diyit-maps backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-ci backend bk_ahlawat-ci
@ -208,28 +226,26 @@ backend bk_ahlawat-ci
server srv1 cix.ahlawat.com:8180 check server srv1 cix.ahlawat.com:8180 check
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-api
server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-git backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-ci backend bk_beyondbell-ci
http-request set-header Host cix.beyondbell.com:8111 http-request set-header Host cix.beyondbell.com:8111
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2 reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2 rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 cix.beyondbell.com:8111 check server srv1 cix.beyondbell.com:8111
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-repo backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8080 # http-request set-header Host 192.168.0.75:8080
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2 reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2 rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8080 check server srv1 192.168.0.75:8080
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-gs backend bk_beyondbell-gs
server srv1 192.168.0.81:26900 check server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN

View File

@ -0,0 +1,11 @@
Listen 443
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
# SSLUseStapling on
SSLSessionTickets off
SSLOptions +StrictRequire
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
SSLSessionCache shmcb:/usr/local/etc/apache24/ssl_scache(512000)

View File

@ -0,0 +1,610 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
LoadModule http2_module libexec/apache24/mod_http2.so
LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin sharad@ahlawat.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
# can't set this if traffic is passing through haproxy and being redirected to ssl already
# RewriteEngine on
# RewriteRule ^/\.well-known/ - [L]
# RewriteRule (.*) https://rachna.ahlawat.com [R,L]
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.html
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "/var/log/httpd-access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd-access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig etc/apache24/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf
# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf
# Language settings
#Include etc/apache24/extra/httpd-languages.conf
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
# Various default settings
#Include etc/apache24/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName rachna.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias rachna
Protocols h2 h2c http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
SSLEngine on
SSLCertificateFile "/mnt/certs/fullchain.pem"
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
#-IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
#AllowOverride All
#-AllowOverride AuthConfig
#Controls who can get stuff from this server file
#-Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>

1918
jails/config/rachna/php.ini Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,423 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www
group = www
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
;listen.owner = www
;listen.group = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 10
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

131
jails/config/vpngw/ipfw.rules Executable file
View File

@ -0,0 +1,131 @@
#!/bin/sh
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
# ipfw -vated list
# IPFW configuration
#sysrc firewall_enable="YES"
#sysrc firewall_logif="YES"
#sysrc firewall_script="/mnt/config/ipfw.rules"
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
#sysrc natd_interface="tun0"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#natd.conf: redirect_port tcp 192.168.0.9:80 80
# Set rules command prefix
cmd="ipfw -q add"
lif="epair0b" # interface name of VNET attached to Local network
rif="tun0" # interface name of Tunnel attached to Remote network
skip="skipto 12000"
# Flush out the list before we begin.
ipfw -q -f flush
# gateway_enable already set in rc.conf
# sysctl net.inet.ip.forwarding=1
# Packets passing the stateful NAT may be re-injected into the firewall
# sysctl net.inet.ip.fw.one_pass=0
ipfw disable one_pass
# functionality is included in the divert action
#ipfw -q nat 1 config if $rif same_ports unreg_only reset
$cmd 00050 allow ip from any to any via $lif
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
# The reassemble rule is not needed with userland natd(8)
# because the internal workings of the IPFW divert action
# takes care of reassembling packets before delivery to the socket
#$cmd 01100 reass all from any to any in
$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 01300 check-state
# Allow access to DNS
#$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
#$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
# Allow outbound ping
$cmd 02210 $skip icmp from any to any out via $rif keep-state
# Allow outbound NTP
#$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
# Allow outbound TCP traffic
$cmd 02500 $skip tcp from any to any 22,80,443,2024,3389,5904 out via $rif setup keep-state
# deny and log all other outbound connections
$cmd 02999 deny log all from any to any out via $rif
#### Lockdown incoming traffic
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 02120.
#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
# Deny public pings
#$cmd 03210 deny icmp from any to any in via $rif
# Deny ident
$cmd 03230 deny tcp from any to any 113 in via $rif
# Deny all Netbios services.
$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
# Deny fragments
$cmd 03250 deny all from any to any frag in via $rif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03500 deny tcp from any to any established in via $rif
# Allow inbound SSH connections
#$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
# Allow HTTP connections to internal web server
#$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
# Reject and log all other incoming connections
$cmd 03999 deny log all from any to any in via $rif
#### lockdown in
$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
$cmd 65000 allow ip from any to any
#$cmd 65535 deny ip from any to any

View File

@ -0,0 +1 @@
redirect_port tcp 192.168.0.9:80 80

View File

@ -583,7 +583,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/usr/local/bin/bash
JAIL=$1 JAIL=$1
JAILHOSTNAME=$2 JAILHOSTNAME=$2
JAILDOMAIN=$3 JAILDOMAIN=$3
@ -171,5 +171,5 @@ iocage exec $JAIL "pkg clean -y"
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0 # iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common" # iocage exec $JAIL "rmdir /mnt/common"
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN" iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
# reverse dns should already be configured for the mail server to accept this email # reverse dns should already be configured for the mail server to accept this email

View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,9 +8,7 @@
# #
# #
#!/usr/local/bin/bash web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
for i in ${web_jails[@]}; for i in ${web_jails[@]};
do do
@ -27,7 +27,8 @@ for i in ${web_jails[@]};
do do
echo "restoring httpd.conf in web_jail $i after Apache update" echo "restoring httpd.conf in web_jail $i after Apache update"
iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf" iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
iocage exec $i "service apache24 reload" iocage exec $i "service apache24 restart"
done done
echo "check if php.ini or php-fpm need to be restored" echo "check in output above if php.ini or php-fpm need to be restored"
echo "check pkgp jail nginx instance is running"

View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,9 +8,7 @@
# #
# #
#!/bin/bash web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
for i in ${web_jails[@]}; for i in ${web_jails[@]};
do do
@ -40,7 +40,7 @@ iocage exec monitor "service elasticsearch restart"
iocage exec monitor "service kibana restart" iocage exec monitor "service kibana restart"
#iocage exec monitor "service logstash restart" #iocage exec monitor "service logstash restart"
iocage exec monitor "ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 " iocage exec monitor 'ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 '
iocage exec monitor "/root/start_logstash.sh" iocage exec monitor "/root/start_logstash.sh"
iocage exec monitor "service heartbeat restart" iocage exec monitor "service heartbeat restart"

View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,53 +8,65 @@
# #
# #
#!/bin/bash
pkg_jail="pj121" pkg_jail="pj121"
pkg_repo="pkgp121"
#<<'COMMENT-SKIP-PKG-BUILD' if [[ $1 == "pkgp-skip" ]]; then
iocage exec pkgp "pkg update -f"
iocage exec pkgp "pkg upgrade -y"
iocage exec pkgp "pkg clean -ay"
iocage set securelevel=0 pkgp echo "skipping pkgp update"
iocage exec pkgp "poudriere jail -l"
iocage exec pkgp "poudriere jail -u -j $pkg_jail"
iocage set securelevel=2 pkgp
iocage exec pkgp "portsnap auto" else
iocage exec pkgp "poudriere ports -l" #<<'UNCOMMENT-TO-SKIP-PKG-BUILD'
iocage exec pkgp "poudriere ports -u" iocage exec pkgp "pkg update"
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail" iocage exec pkgp "pkg upgrade -y"
#COMMENT-SKIP-PKG-BUILD iocage exec pkgp "pkg clean -ay"
cd /mnt/ship/ldap/phpLDAPadmin iocage set securelevel=0 pkgp
pwd iocage exec pkgp "poudriere jail -l"
git pull iocage exec pkgp "poudriere jail -u -j $pkg_jail"
cd /mnt/ship/r-ldap/phpLDAPadmin iocage set securelevel=2 pkgp
pwd
git pull iocage exec pkgp "portsnap auto"
cd /mnt/ship/book/calibre-web
pwd iocage exec pkgp "poudriere ports -l"
git pull iocage exec pkgp "poudriere ports -u"
cd /mnt/ship/plex/PlexConnect iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
pwd #UNCOMMENT-TO-SKIP-PKG-BUILD
git pull
cd /mnt/ship/maps/networkmaps cd /mnt/ship/ldap/phpLDAPadmin
pwd pwd
git pull git pull
cd /mnt/ship/r-ldap/phpLDAPadmin
pwd
git pull
cd /mnt/ship/book/calibre-web
pwd
git pull
cd /mnt/ship/plex/PlexConnect
pwd
git pull
cd /mnt/ship/maps/networkmaps
pwd
git pull
fi
if [[ $1 == "pkgp-only" ]]; then
exit
fi
#read -p "Return/Enter to continue, ctrl-c to abort? " RESP #read -p "Return/Enter to continue, ctrl-c to abort? " RESP
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
pkg_repo="pkgp121"
for i in `iocage list -h | cut -f 2`; for i in `iocage list -h | cut -f 2`;
do do
echo "## $i JAIL ##" echo "## $i JAIL ##"
iocage exec $i "pkg update -f" iocage exec $i "pkg update"
if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then
iocage exec $i "pkg unlock -y openldap-sasl-server" iocage exec $i "pkg unlock -y openldap-sasl-server"
@ -79,7 +93,8 @@ done
echo "NOTES:" echo "NOTES:"
echo "pkg update -f" echo "update base system by running:"
echo "pkg update"
echo "pkg autoremove -y" echo "pkg autoremove -y"
echo "pkg upgrade -y" echo "pkg upgrade -y"
echo "pkg clean -ay" echo "pkg clean -ay"

View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/usr/local/bin/bash
update_jail () update_jail ()
{ {
echo "######## ## JAIL:::: $JAIL ##" echo "######## ## JAIL:::: $JAIL ##"
@ -47,7 +47,7 @@ if [ ! -z $RESP ] && [ $RESP == "y" ]; then
update_jail update_jail
fi fi
./jails-update-pkgs.sh ./jails-update-pkgs.sh pkgp-only
read -p "update all jails (y/N)? " RESP read -p "update all jails (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then if [ ! -z $RESP ] && [ $RESP == "y" ]; then
@ -63,5 +63,7 @@ fi
echo "update base system by running:" echo "update base system by running:"
echo "freebsd-update fetch" echo "freebsd-update fetch"
echo "freebsd-update install" echo "freebsd-update install"
echo "cd /usr/src && make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT"
echo "reboot"
echo "pkg-static upgrade -f" echo "pkg-static upgrade -f"
echo "mergemaster" echo "mergemaster"

804
patches/D24250.patch Normal file
View File

@ -0,0 +1,804 @@
Index: head/sys/net/if_bridge.c
===================================================================
--- head/sys/net/if_bridge.c
+++ head/sys/net/if_bridge.c
@@ -189,41 +189,14 @@
*/
#define BRIDGE_LOCK_INIT(_sc) do { \
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
} while (0)
#define BRIDGE_LOCK_DESTROY(_sc) do { \
mtx_destroy(&(_sc)->sc_mtx); \
- cv_destroy(&(_sc)->sc_cv); \
} while (0)
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- if ((_sc)->sc_iflist_xcnt > 0) \
- (_err) = EBUSY; \
- else \
- (_sc)->sc_iflist_ref++; \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_UNREF(_sc) do { \
- mtx_lock(&(_sc)->sc_mtx); \
- (_sc)->sc_iflist_ref--; \
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
- cv_broadcast(&(_sc)->sc_cv); \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XLOCK(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt++; \
- while ((_sc)->sc_iflist_ref > 0) \
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XDROP(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt--; \
-} while (0)
/*
* Bridge interface list entry.
@@ -237,6 +210,7 @@
uint32_t bif_addrmax; /* max # of addresses */
uint32_t bif_addrcnt; /* cur. # of addresses */
uint32_t bif_addrexceeded;/* # of address violations */
+ struct epoch_context bif_epoch_ctx;
};
/*
@@ -250,6 +224,8 @@
uint8_t brt_flags; /* address flags */
uint8_t brt_addr[ETHER_ADDR_LEN];
uint16_t brt_vlan; /* vlan id */
+ struct vnet *brt_vnet;
+ struct epoch_context brt_epoch_ctx;
};
#define brt_ifp brt_dst->bif_ifp
@@ -260,13 +236,10 @@
struct ifnet *sc_ifp; /* make this an interface */
LIST_ENTRY(bridge_softc) sc_list;
struct mtx sc_mtx;
- struct cv sc_cv;
uint32_t sc_brtmax; /* max # of addresses */
uint32_t sc_brtcnt; /* cur. # of addresses */
uint32_t sc_brttimeout; /* rt timeout in seconds */
struct callout sc_brcallout; /* bridge callout */
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
CK_LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
CK_LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
CK_LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
@@ -276,6 +249,7 @@
uint32_t sc_brtexceeded; /* # of cache drops */
struct ifnet *sc_ifaddr; /* member mac copied from */
struct ether_addr sc_defaddr; /* Default MAC address */
+ struct epoch_context sc_epoch_ctx;
};
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
@@ -596,6 +570,10 @@
if_clone_detach(V_bridge_cloner);
V_bridge_cloner = NULL;
BRIDGE_LIST_LOCK_DESTROY();
+
+ /* Callbacks may use the UMA zone. */
+ epoch_drain_callbacks(net_epoch_preempt);
+
uma_zdestroy(V_bridge_rtnode_zone);
}
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
@@ -722,6 +700,17 @@
return (0);
}
+static void
+bridge_clone_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_softc *sc;
+
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
+
+ BRIDGE_LOCK_DESTROY(sc);
+ free(sc, M_DEVBUF);
+}
+
/*
* bridge_clone_destroy:
*
@@ -732,7 +721,9 @@
{
struct bridge_softc *sc = ifp->if_softc;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
BRIDGE_LOCK(sc);
bridge_stop(ifp, 1);
@@ -757,11 +748,12 @@
BRIDGE_LIST_UNLOCK();
bstp_detach(&sc->sc_stp);
+ NET_EPOCH_EXIT(et);
+
ether_ifdetach(ifp);
if_free(ifp);
- BRIDGE_LOCK_DESTROY(sc);
- free(sc, M_DEVBUF);
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
}
/*
@@ -787,7 +779,10 @@
struct ifdrv *ifd = (struct ifdrv *) data;
const struct bridge_control *bc;
int error = 0, oldmtu;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
+
switch (cmd) {
case SIOCADDMULTI:
@@ -908,6 +903,8 @@
break;
}
+ NET_EPOCH_EXIT(et);
+
return (error);
}
@@ -922,6 +919,8 @@
struct bridge_iflist *bif;
int enabled, mask;
+ BRIDGE_LOCK_ASSERT(sc);
+
/* Initial bitmask of capabilities to test */
mask = BRIDGE_IFCAPS_MASK;
@@ -930,7 +929,6 @@
mask &= bif->bif_savedcaps;
}
- BRIDGE_XLOCK(sc);
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
enabled = bif->bif_ifp->if_capenable;
enabled &= ~BRIDGE_IFCAPS_STRIP;
@@ -941,8 +939,6 @@
bridge_set_ifcap(sc, bif, enabled);
BRIDGE_LOCK(sc);
}
- BRIDGE_XDROP(sc);
-
}
static void
@@ -983,7 +979,7 @@
struct bridge_iflist *bif;
struct ifnet *ifp;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
ifp = bif->bif_ifp;
@@ -1004,7 +1000,7 @@
{
struct bridge_iflist *bif;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (bif->bif_ifp == member_ifp)
@@ -1014,6 +1010,16 @@
return (NULL);
}
+static void
+bridge_delete_member_cb(struct epoch_context *ctx)
+{
+ struct bridge_iflist *bif;
+
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
+
+ free(bif, M_DEVBUF);
+}
+
/*
* bridge_delete_member:
*
@@ -1033,9 +1039,7 @@
bstp_disable(&bif->bif_stp);
ifs->if_bridge = NULL;
- BRIDGE_XLOCK(sc);
CK_LIST_REMOVE(bif, bif_next);
- BRIDGE_XDROP(sc);
/*
* If removing the interface that gave the bridge its mac address, set
@@ -1094,7 +1098,8 @@
}
bstp_destroy(&bif->bif_stp); /* prepare to free */
BRIDGE_LOCK(sc);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
/*
@@ -1111,7 +1116,8 @@
("%s: not a span interface", __func__));
CK_LIST_REMOVE(bif, bif_next);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
static int
@@ -1167,7 +1173,6 @@
* If any, remove all inet6 addresses from the member
* interfaces.
*/
- BRIDGE_XLOCK(sc);
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (in6ifa_llaonifp(bif->bif_ifp)) {
BRIDGE_UNLOCK(sc);
@@ -1180,7 +1185,6 @@
bif->bif_ifp->if_xname);
}
}
- BRIDGE_XDROP(sc);
if (in6ifa_llaonifp(ifs)) {
BRIDGE_UNLOCK(sc);
in6_ifdetach(ifs);
@@ -1494,12 +1498,17 @@
struct bridge_iflist *bif;
int error;
+ NET_EPOCH_ASSERT();
+
bif = bridge_lookup_member(sc, req->ifba_ifsname);
if (bif == NULL)
return (ENOENT);
+ /* bridge_rtupdate() may acquire the lock. */
+ BRIDGE_UNLOCK(sc);
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
req->ifba_flags);
+ BRIDGE_LOCK(sc);
return (error);
}
@@ -1838,6 +1847,7 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
if (ifp->if_flags & IFF_RENAMING)
return;
@@ -1848,6 +1858,7 @@
*/
return;
}
+ NET_EPOCH_ENTER(et);
/* Check if the interface is a bridge member */
if (sc != NULL) {
BRIDGE_LOCK(sc);
@@ -1857,6 +1868,7 @@
bridge_delete_member(sc, bif, 1);
BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT(et);
return;
}
@@ -1873,6 +1885,7 @@
BRIDGE_UNLOCK(sc);
}
BRIDGE_LIST_UNLOCK();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -1909,6 +1922,7 @@
{
struct bridge_softc *sc = ifp->if_softc;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
@@ -2032,6 +2046,8 @@
struct bridge_softc *sc;
uint16_t vlan;
+ NET_EPOCH_ASSERT();
+
if (m->m_len < ETHER_HDR_LEN) {
m = m_pullup(m, ETHER_HDR_LEN);
if (m == NULL)
@@ -2042,7 +2058,6 @@
sc = ifp->if_bridge;
vlan = VLANTAGOF(m);
- BRIDGE_LOCK(sc);
bifp = sc->sc_ifp;
/*
@@ -2069,16 +2084,10 @@
if (dst_if == NULL) {
struct bridge_iflist *bif;
struct mbuf *mc;
- int error = 0, used = 0;
+ int used = 0;
bridge_span(sc, m);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return (0);
- }
-
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
dst_if = bif->bif_ifp;
@@ -2112,7 +2121,6 @@
}
if (used == 0)
m_freem(m);
- BRIDGE_UNREF(sc);
return (0);
}
@@ -2124,11 +2132,9 @@
bridge_span(sc, m);
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
m_freem(m);
- BRIDGE_UNLOCK(sc);
return (0);
}
- BRIDGE_UNLOCK(sc);
bridge_enqueue(sc, dst_if, m);
return (0);
}
@@ -2153,10 +2159,8 @@
eh = mtod(m, struct ether_header *);
- BRIDGE_LOCK(sc);
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
- BRIDGE_UNLOCK(sc);
error = bridge_enqueue(sc, dst_if, m);
} else
bridge_broadcast(sc, ifp, m, 0);
@@ -2190,6 +2194,8 @@
uint8_t *dst;
int error;
+ NET_EPOCH_ASSERT();
+
src_if = m->m_pkthdr.rcvif;
ifp = sc->sc_ifp;
@@ -2268,12 +2274,10 @@
|| PFIL_HOOKED_IN(V_inet6_pfil_head)
#endif
) {
- BRIDGE_UNLOCK(sc);
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
return;
if (m == NULL)
return;
- BRIDGE_LOCK(sc);
}
if (dst_if == NULL) {
@@ -2301,8 +2305,6 @@
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
goto drop;
- BRIDGE_UNLOCK(sc);
-
if (PFIL_HOOKED_OUT(V_inet_pfil_head)
#ifdef INET6
|| PFIL_HOOKED_OUT(V_inet6_pfil_head)
@@ -2318,7 +2320,6 @@
return;
drop:
- BRIDGE_UNLOCK(sc);
m_freem(m);
}
@@ -2339,6 +2340,8 @@
uint16_t vlan;
int error;
+ NET_EPOCH_ASSERT();
+
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
return (m);
@@ -2359,10 +2362,8 @@
m_freem(m);
return (NULL);
}
- BRIDGE_LOCK(sc);
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2375,13 +2376,11 @@
if (memcmp(eh->ether_dhost, bstp_etheraddr,
ETHER_ADDR_LEN) == 0) {
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
- BRIDGE_UNLOCK(sc);
return (NULL);
}
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2392,7 +2391,6 @@
*/
mc = m_dup(m, M_NOWAIT);
if (mc == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2424,7 +2422,6 @@
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2458,7 +2455,6 @@
error = bridge_rtupdate(sc, eh->ether_shost, \
vlan, bif, 0, IFBAF_DYNAMIC); \
if (error && bif->bif_addrmax) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
} \
@@ -2466,7 +2462,6 @@
m->m_pkthdr.rcvif = iface; \
if ((iface) == ifp) { \
/* Skip bridge processing... src == dest */ \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
/* It's passing over or to the bridge, locally. */ \
@@ -2478,13 +2473,11 @@
OR_PFIL_HOOKED_INET6)) { \
if (bridge_pfil(&m, NULL, ifp, \
PFIL_IN) != 0 || m == NULL) { \
- BRIDGE_UNLOCK(sc); \
return (NULL); \
} \
} \
if ((iface) != bifp) \
ETHER_BPF_MTAP(iface, m); \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
\
@@ -2492,7 +2485,6 @@
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
}
@@ -2543,16 +2535,12 @@
struct bridge_iflist *dbif, *sbif;
struct mbuf *mc;
struct ifnet *dst_if;
- int error = 0, used = 0, i;
+ int used = 0, i;
+ NET_EPOCH_ASSERT();
+
sbif = bridge_lookup_member_if(sc, src_if);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return;
- }
-
/* Filter on the bridge interface before broadcasting */
if (runfilt && (PFIL_HOOKED_OUT(V_inet_pfil_head)
#ifdef INET6
@@ -2560,9 +2548,9 @@
#endif
)) {
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
- goto out;
+ return;
if (m == NULL)
- goto out;
+ return;
}
CK_LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
@@ -2625,9 +2613,6 @@
}
if (used == 0)
m_freem(m);
-
-out:
- BRIDGE_UNREF(sc);
}
/*
@@ -2643,6 +2628,8 @@
struct ifnet *dst_if;
struct mbuf *mc;
+ NET_EPOCH_ASSERT();
+
if (CK_LIST_EMPTY(&sc->sc_spanlist))
return;
@@ -2674,7 +2661,8 @@
struct bridge_rtnode *brt;
int error;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+ BRIDGE_UNLOCK_ASSERT(sc);
/* Check the source address is valid and not multicast. */
if (ETHER_IS_MULTICAST(dst) ||
@@ -2691,13 +2679,24 @@
* update it, otherwise create a new one.
*/
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
+ BRIDGE_LOCK(sc);
+
+ /* Check again, now that we have the lock. There could have
+ * been a race and we only want to insert this once. */
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (0);
+ }
+
if (sc->sc_brtcnt >= sc->sc_brtmax) {
sc->sc_brtexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
/* Check per interface address limits (if enabled) */
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
bif->bif_addrexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
@@ -2707,8 +2706,11 @@
* address.
*/
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
- if (brt == NULL)
+ if (brt == NULL) {
+ BRIDGE_UNLOCK(sc);
return (ENOMEM);
+ }
+ brt->brt_vnet = curvnet;
if (bif->bif_flags & IFBIF_STICKY)
brt->brt_flags = IFBAF_STICKY;
@@ -2720,17 +2722,22 @@
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
uma_zfree(V_bridge_rtnode_zone, brt);
+ BRIDGE_UNLOCK(sc);
return (error);
}
brt->brt_dst = bif;
bif->bif_addrcnt++;
+
+ BRIDGE_UNLOCK(sc);
}
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
brt->brt_dst != bif) {
+ BRIDGE_LOCK(sc);
brt->brt_dst->bif_addrcnt--;
brt->brt_dst = bif;
brt->brt_dst->bif_addrcnt++;
+ BRIDGE_UNLOCK(sc);
}
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
@@ -2751,7 +2758,7 @@
{
struct bridge_rtnode *brt;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
return (NULL);
@@ -2771,6 +2778,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/* Make sure we actually need to do this. */
@@ -2800,7 +2808,9 @@
bridge_timer(void *arg)
{
struct bridge_softc *sc = arg;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
BRIDGE_LOCK_ASSERT(sc);
/* Destruction of rtnodes requires a proper vnet context */
@@ -2811,6 +2821,7 @@
callout_reset(&sc->sc_brcallout,
bridge_rtable_prune_period * hz, bridge_timer, sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -2823,6 +2834,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2843,6 +2855,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2862,6 +2875,7 @@
struct bridge_rtnode *brt;
int found = 0;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/*
@@ -2886,6 +2900,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2990,7 +3005,7 @@
uint32_t hash;
int dir;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
hash = bridge_rthash(sc, addr);
CK_LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
@@ -3053,6 +3068,18 @@
return (0);
}
+static void
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_rtnode *brt;
+
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
+
+ CURVNET_SET(brt->brt_vnet);
+ uma_zfree(V_bridge_rtnode_zone, brt);
+ CURVNET_RESTORE();
+}
+
/*
* bridge_rtnode_destroy:
*
@@ -3061,6 +3088,7 @@
static void
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
{
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_REMOVE(brt, brt_hash);
@@ -3068,7 +3096,8 @@
CK_LIST_REMOVE(brt, brt_list);
sc->sc_brtcnt--;
brt->brt_dst->bif_addrcnt--;
- uma_zfree(V_bridge_rtnode_zone, brt);
+
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
}
/*
@@ -3081,7 +3110,9 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_rtnode *brt;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
CURVNET_SET(ifp->if_vnet);
BRIDGE_LOCK(sc);
@@ -3102,6 +3133,7 @@
}
BRIDGE_UNLOCK(sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -3607,17 +3639,20 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
- BRIDGE_LOCK(sc);
+ NET_EPOCH_ENTER(et);
+
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT(et);
return;
}
bridge_linkcheck(sc);
- BRIDGE_UNLOCK(sc);
bstp_linkstate(&bif->bif_stp);
+
+ NET_EPOCH_EXIT(et);
}
static void
@@ -3626,7 +3661,8 @@
struct bridge_iflist *bif;
int new_link, hasls;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+
new_link = LINK_STATE_DOWN;
hasls = 0;
/* Our link is considered up if at least one of our ports is active */

811
patches/bridge.patch Normal file
View File

@ -0,0 +1,811 @@
Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c (revision 360985)
+++ sys/net/if_bridge.c (working copy)
@@ -165,6 +165,9 @@
#define BRIDGE_RTABLE_PRUNE_PERIOD (5 * 60)
#endif
+#define NET_EPOCH_ASSERT() MPASS(in_epoch(net_epoch_preempt))
+#define NET_EPOCH_CALL(f, c) epoch_call(net_epoch_preempt, (c), (f))
+
/*
* List of capabilities to possibly mask on the member interface.
*/
@@ -188,6 +191,7 @@
uint32_t bif_addrmax; /* max # of addresses */
uint32_t bif_addrcnt; /* cur. # of addresses */
uint32_t bif_addrexceeded;/* # of address violations */
+ struct epoch_context bif_epoch_ctx;
};
/*
@@ -201,6 +205,8 @@
uint8_t brt_flags; /* address flags */
uint8_t brt_addr[ETHER_ADDR_LEN];
uint16_t brt_vlan; /* vlan id */
+ struct vnet *brt_vnet;
+ struct epoch_context brt_epoch_ctx;
};
#define brt_ifp brt_dst->bif_ifp
@@ -211,13 +217,10 @@
struct ifnet *sc_ifp; /* make this an interface */
LIST_ENTRY(bridge_softc) sc_list;
struct mtx sc_mtx;
- struct cv sc_cv;
uint32_t sc_brtmax; /* max # of addresses */
uint32_t sc_brtcnt; /* cur. # of addresses */
uint32_t sc_brttimeout; /* rt timeout in seconds */
struct callout sc_brcallout; /* bridge callout */
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
@@ -227,6 +230,7 @@
uint32_t sc_brtexceeded; /* # of cache drops */
struct ifnet *sc_ifaddr; /* member mac copied from */
struct ether_addr sc_defaddr; /* Default MAC address */
+ struct epoch_context sc_epoch_ctx;
};
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
@@ -546,6 +550,10 @@
if_clone_detach(V_bridge_cloner);
V_bridge_cloner = NULL;
BRIDGE_LIST_LOCK_DESTROY();
+
+ /* Callbacks may use UMA zone. */
+ epoch_drain_callbacks(net_epoch_preempt);
+
uma_zdestroy(V_bridge_rtnode_zone);
}
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
@@ -708,6 +716,17 @@
return (0);
}
+static void
+bridge_clone_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_softc *sc;
+
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
+
+ BRIDGE_LOCK_DESTROY(sc);
+ free(sc, M_DEVBUF);
+}
+
/*
* bridge_clone_destroy:
*
@@ -718,7 +737,9 @@
{
struct bridge_softc *sc = ifp->if_softc;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
BRIDGE_LOCK(sc);
bridge_stop(ifp, 1);
@@ -743,11 +764,12 @@
BRIDGE_LIST_UNLOCK();
bstp_detach(&sc->sc_stp);
+ NET_EPOCH_EXIT_ET(et);
+
ether_ifdetach(ifp);
if_free(ifp);
- BRIDGE_LOCK_DESTROY(sc);
- free(sc, M_DEVBUF);
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
}
/*
@@ -773,7 +795,10 @@
struct ifdrv *ifd = (struct ifdrv *) data;
const struct bridge_control *bc;
int error = 0;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
+
switch (cmd) {
case SIOCADDMULTI:
@@ -882,6 +907,8 @@
break;
}
+ NET_EPOCH_EXIT_ET(et);
+
return (error);
}
@@ -896,6 +923,8 @@
struct bridge_iflist *bif;
int enabled, mask;
+ BRIDGE_LOCK_ASSERT(sc);
+
/* Initial bitmask of capabilities to test */
mask = BRIDGE_IFCAPS_MASK;
@@ -904,7 +933,6 @@
mask &= bif->bif_savedcaps;
}
- BRIDGE_XLOCK(sc);
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
enabled = bif->bif_ifp->if_capenable;
enabled &= ~BRIDGE_IFCAPS_STRIP;
@@ -915,8 +943,6 @@
bridge_set_ifcap(sc, bif, enabled);
BRIDGE_LOCK(sc);
}
- BRIDGE_XDROP(sc);
-
}
static void
@@ -957,7 +983,7 @@
struct bridge_iflist *bif;
struct ifnet *ifp;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
ifp = bif->bif_ifp;
@@ -978,7 +1004,7 @@
{
struct bridge_iflist *bif;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (bif->bif_ifp == member_ifp)
@@ -988,6 +1014,16 @@
return (NULL);
}
+static void
+bridge_delete_member_cb(struct epoch_context *ctx)
+{
+ struct bridge_iflist *bif;
+
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
+
+ free(bif, M_DEVBUF);
+}
+
/*
* bridge_delete_member:
*
@@ -1006,9 +1042,7 @@
bstp_disable(&bif->bif_stp);
ifs->if_bridge = NULL;
- BRIDGE_XLOCK(sc);
LIST_REMOVE(bif, bif_next);
- BRIDGE_XDROP(sc);
/*
* If removing the interface that gave the bridge its mac address, set
@@ -1066,7 +1100,8 @@
}
bstp_destroy(&bif->bif_stp); /* prepare to free */
BRIDGE_LOCK(sc);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
/*
@@ -1083,7 +1118,8 @@
("%s: not a span interface", __func__));
LIST_REMOVE(bif, bif_next);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
static int
@@ -1139,7 +1175,6 @@
* If any, remove all inet6 addresses from the member
* interfaces.
*/
- BRIDGE_XLOCK(sc);
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (in6ifa_llaonifp(bif->bif_ifp)) {
BRIDGE_UNLOCK(sc);
@@ -1152,7 +1187,6 @@
bif->bif_ifp->if_xname);
}
}
- BRIDGE_XDROP(sc);
if (in6ifa_llaonifp(ifs)) {
BRIDGE_UNLOCK(sc);
in6_ifdetach(ifs);
@@ -1466,12 +1500,17 @@
struct bridge_iflist *bif;
int error;
+ NET_EPOCH_ASSERT();
+
bif = bridge_lookup_member(sc, req->ifba_ifsname);
if (bif == NULL)
return (ENOENT);
+ /* bridge_rtupdate() may acquire the lock. */
+ BRIDGE_UNLOCK(sc);
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
req->ifba_flags);
+ BRIDGE_LOCK(sc);
return (error);
}
@@ -1810,6 +1849,7 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
if (ifp->if_flags & IFF_RENAMING)
return;
@@ -1820,6 +1860,7 @@
*/
return;
}
+ NET_EPOCH_ENTER_ET(et);
/* Check if the interface is a bridge member */
if (sc != NULL) {
BRIDGE_LOCK(sc);
@@ -1829,6 +1870,7 @@
bridge_delete_member(sc, bif, 1);
BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT_ET(et);
return;
}
@@ -1845,6 +1887,7 @@
BRIDGE_UNLOCK(sc);
}
BRIDGE_LIST_UNLOCK();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -1881,6 +1924,7 @@
{
struct bridge_softc *sc = ifp->if_softc;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
@@ -2004,6 +2048,8 @@
struct bridge_softc *sc;
uint16_t vlan;
+ NET_EPOCH_ASSERT();
+
if (m->m_len < ETHER_HDR_LEN) {
m = m_pullup(m, ETHER_HDR_LEN);
if (m == NULL)
@@ -2014,8 +2060,6 @@
sc = ifp->if_bridge;
vlan = VLANTAGOF(m);
- BRIDGE_LOCK(sc);
-
/*
* If bridge is down, but the original output interface is up,
* go ahead and send out that interface. Otherwise, the packet
@@ -2037,16 +2081,10 @@
if (dst_if == NULL) {
struct bridge_iflist *bif;
struct mbuf *mc;
- int error = 0, used = 0;
+ int used = 0;
bridge_span(sc, m);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return (0);
- }
-
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
dst_if = bif->bif_ifp;
@@ -2080,7 +2118,6 @@
}
if (used == 0)
m_freem(m);
- BRIDGE_UNREF(sc);
return (0);
}
@@ -2092,11 +2129,9 @@
bridge_span(sc, m);
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
m_freem(m);
- BRIDGE_UNLOCK(sc);
return (0);
}
- BRIDGE_UNLOCK(sc);
bridge_enqueue(sc, dst_if, m);
return (0);
}
@@ -2121,10 +2156,8 @@
eh = mtod(m, struct ether_header *);
- BRIDGE_LOCK(sc);
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
- BRIDGE_UNLOCK(sc);
error = bridge_enqueue(sc, dst_if, m);
} else
bridge_broadcast(sc, ifp, m, 0);
@@ -2158,6 +2191,8 @@
uint8_t *dst;
int error;
+ NET_EPOCH_ASSERT();
+
src_if = m->m_pkthdr.rcvif;
ifp = sc->sc_ifp;
@@ -2236,12 +2271,10 @@
|| PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
) {
- BRIDGE_UNLOCK(sc);
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
return;
if (m == NULL)
return;
- BRIDGE_LOCK(sc);
}
if (dst_if == NULL) {
@@ -2269,8 +2302,6 @@
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
goto drop;
- BRIDGE_UNLOCK(sc);
-
if (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
|| PFIL_HOOKED(&V_inet6_pfil_hook)
@@ -2286,7 +2317,6 @@
return;
drop:
- BRIDGE_UNLOCK(sc);
m_freem(m);
}
@@ -2307,6 +2337,8 @@
uint16_t vlan;
int error;
+ NET_EPOCH_ASSERT();
+
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
return (m);
@@ -2327,10 +2359,8 @@
m_freem(m);
return (NULL);
}
- BRIDGE_LOCK(sc);
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2343,13 +2373,11 @@
if (memcmp(eh->ether_dhost, bstp_etheraddr,
ETHER_ADDR_LEN) == 0) {
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
- BRIDGE_UNLOCK(sc);
return (NULL);
}
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2360,7 +2388,6 @@
*/
mc = m_dup(m, M_NOWAIT);
if (mc == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2392,7 +2419,6 @@
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2432,7 +2458,6 @@
OR_PFIL_HOOKED_INET6)) { \
if (bridge_pfil(&m, NULL, ifp, \
PFIL_IN) != 0 || m == NULL) { \
- BRIDGE_UNLOCK(sc); \
return (NULL); \
} \
eh = mtod(m, struct ether_header *); \
@@ -2442,13 +2467,11 @@
error = bridge_rtupdate(sc, eh->ether_shost, \
vlan, bif, 0, IFBAF_DYNAMIC); \
if (error && bif->bif_addrmax) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
} \
} \
m->m_pkthdr.rcvif = iface; \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
\
@@ -2456,7 +2479,6 @@
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
}
@@ -2507,16 +2529,12 @@
struct bridge_iflist *dbif, *sbif;
struct mbuf *mc;
struct ifnet *dst_if;
- int error = 0, used = 0, i;
+ int used = 0, i;
+ NET_EPOCH_ASSERT();
+
sbif = bridge_lookup_member_if(sc, src_if);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return;
- }
-
/* Filter on the bridge interface before broadcasting */
if (runfilt && (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
@@ -2524,9 +2542,9 @@
#endif
)) {
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
- goto out;
+ return;
if (m == NULL)
- goto out;
+ return;
}
LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
@@ -2589,9 +2607,6 @@
}
if (used == 0)
m_freem(m);
-
-out:
- BRIDGE_UNREF(sc);
}
/*
@@ -2607,6 +2622,8 @@
struct ifnet *dst_if;
struct mbuf *mc;
+ NET_EPOCH_ASSERT();
+
if (LIST_EMPTY(&sc->sc_spanlist))
return;
@@ -2638,7 +2655,8 @@
struct bridge_rtnode *brt;
int error;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+ BRIDGE_UNLOCK_ASSERT(sc);
/* Check the source address is valid and not multicast. */
if (ETHER_IS_MULTICAST(dst) ||
@@ -2655,13 +2673,24 @@
* update it, otherwise create a new one.
*/
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
+ BRIDGE_LOCK(sc);
+
+ /* Check again, now that we have the lock. There could have
+ * been a race and we only want to insert this once. */
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (0);
+ }
+
if (sc->sc_brtcnt >= sc->sc_brtmax) {
sc->sc_brtexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
/* Check per interface address limits (if enabled) */
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
bif->bif_addrexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
@@ -2671,8 +2700,11 @@
* address.
*/
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
- if (brt == NULL)
+ if (brt == NULL) {
+ BRIDGE_UNLOCK(sc);
return (ENOMEM);
+ }
+ brt->brt_vnet = curvnet;
if (bif->bif_flags & IFBIF_STICKY)
brt->brt_flags = IFBAF_STICKY;
@@ -2684,17 +2716,22 @@
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
uma_zfree(V_bridge_rtnode_zone, brt);
+ BRIDGE_UNLOCK(sc);
return (error);
}
brt->brt_dst = bif;
bif->bif_addrcnt++;
+
+ BRIDGE_UNLOCK(sc);
}
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
brt->brt_dst != bif) {
+ BRIDGE_LOCK(sc);
brt->brt_dst->bif_addrcnt--;
brt->brt_dst = bif;
brt->brt_dst->bif_addrcnt++;
+ BRIDGE_UNLOCK(sc);
}
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
@@ -2715,7 +2752,7 @@
{
struct bridge_rtnode *brt;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
return (NULL);
@@ -2735,6 +2772,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/* Make sure we actually need to do this. */
@@ -2764,7 +2802,9 @@
bridge_timer(void *arg)
{
struct bridge_softc *sc = arg;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
BRIDGE_LOCK_ASSERT(sc);
/* Destruction of rtnodes requires a proper vnet context */
@@ -2775,6 +2815,7 @@
callout_reset(&sc->sc_brcallout,
bridge_rtable_prune_period * hz, bridge_timer, sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -2787,6 +2828,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2807,6 +2849,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2826,6 +2869,7 @@
struct bridge_rtnode *brt;
int found = 0;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/*
@@ -2850,6 +2894,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2954,7 +2999,7 @@
uint32_t hash;
int dir;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
hash = bridge_rthash(sc, addr);
LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
@@ -3017,6 +3062,18 @@
return (0);
}
+static void
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_rtnode *brt;
+
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
+
+ CURVNET_SET(brt->brt_vnet);
+ uma_zfree(V_bridge_rtnode_zone, brt);
+ CURVNET_RESTORE();
+}
+
/*
* bridge_rtnode_destroy:
*
@@ -3025,6 +3082,7 @@
static void
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
{
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_REMOVE(brt, brt_hash);
@@ -3032,7 +3090,8 @@
LIST_REMOVE(brt, brt_list);
sc->sc_brtcnt--;
brt->brt_dst->bif_addrcnt--;
- uma_zfree(V_bridge_rtnode_zone, brt);
+
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
}
/*
@@ -3045,7 +3104,9 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_rtnode *brt;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
CURVNET_SET(ifp->if_vnet);
BRIDGE_LOCK(sc);
@@ -3066,6 +3127,7 @@
}
BRIDGE_UNLOCK(sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -3577,17 +3639,20 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
- BRIDGE_LOCK(sc);
+ NET_EPOCH_ENTER_ET(et);
+
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT_ET(et);
return;
}
bridge_linkcheck(sc);
- BRIDGE_UNLOCK(sc);
bstp_linkstate(&bif->bif_stp);
+
+ NET_EPOCH_EXIT_ET(et);
}
static void
@@ -3596,7 +3661,8 @@
struct bridge_iflist *bif;
int new_link, hasls;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+
new_link = LINK_STATE_DOWN;
hasls = 0;
/* Our link is considered up if at least one of our ports is active */
Index: sys/net/if_bridgevar.h
===================================================================
--- sys/net/if_bridgevar.h (revision 360985)
+++ sys/net/if_bridgevar.h (working copy)
@@ -273,41 +273,14 @@
#define BRIDGE_LOCK_INIT(_sc) do { \
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
} while (0)
#define BRIDGE_LOCK_DESTROY(_sc) do { \
mtx_destroy(&(_sc)->sc_mtx); \
- cv_destroy(&(_sc)->sc_cv); \
} while (0)
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- if ((_sc)->sc_iflist_xcnt > 0) \
- (_err) = EBUSY; \
- else \
- (_sc)->sc_iflist_ref++; \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_UNREF(_sc) do { \
- mtx_lock(&(_sc)->sc_mtx); \
- (_sc)->sc_iflist_ref--; \
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
- cv_broadcast(&(_sc)->sc_cv); \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XLOCK(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt++; \
- while ((_sc)->sc_iflist_ref > 0) \
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XDROP(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt--; \
-} while (0)
#define BRIDGE_INPUT(_ifp, _m) do { \
KASSERT((_ifp)->if_bridge_input != NULL, \

7
scripts/cam_tag.sh Executable file
View File

@ -0,0 +1,7 @@
#!/usr/local/bin/bash
#shrinking the command Native Command Queue down to 1 effectively disabling queuing
for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`;
do
camcontrol tags $Disk -N 1 ;
camcontrol tags $Disk -v
done