diyIT/FreeBSD
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

next set of updates

Browse Source
This commit is contained in:
Charlie Root 2020-05-26 21:15:31 -07:00
parent 2327d9d6c0
commit 7707eb5865
61 changed files with 43942 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configs/etc/sysctl.conf
View File

@ -20,6 +20,7 @@ vfs.read_max=128
vfs.timestamp_precision=3 vfs.timestamp_precision=3
net.link.tap.up_on_open=1 net.link.tap.up_on_open=1
#net.link.lagg.lacp.default_strict_mode=0 #net.link.lagg.lacp.default_strict_mode=0
net.link.ether.inet.log_arp_movements=0
net.inet.ip.fw.verbose_limit=5 net.inet.ip.fw.verbose_limit=5
dev.igb.0.fc=0 dev.igb.0.fc=0
@ -111,3 +112,7 @@ net.inet.tcp.rack.data_after_close=0
# Verify RACK # Verify RACK
# sysctl net.inet.tcp.functions_available # sysctl net.inet.tcp.functions_available
# sysctl net.inet.tcp.rack. # sysctl net.inet.tcp.rack.
#Cheap Disk Issues
kern.cam.ada.default_timeout=60
kern.cam.da.default_timeout=90

38
configs/usr/local/etc/rc.d/cam_tag Executable file
View File

@ -0,0 +1,38 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: cam_tag
# REQUIRE: DAEMON
. /etc/rc.subr
: ${cam_tag_enable="NO"}
name=cam_tag
rcvar=${name}_enable
COMMAND="/root/FreeBSD/scripts/cam_tag.sh"
start_cmd="${name}_start"
restart_cmd="${name}_restart"
cam_tag_start()
{
$COMMAND
}
cam_tag_restart()
{
$COMMAND
}
load_rc_config ${name}
run_rc_command "$1"

6
configs/usr/local/etc/rc.d/gstat_exporter
View File

@ -1,3 +1,5 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e # the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: gstat_exporter # PROVIDE: gstat_exporter
# REQUIRE: NETWORKING DAEMON # REQUIRE: NETWORKING DAEMON
@ -19,7 +19,7 @@
name=gstat_exporter name=gstat_exporter
rcvar=${name}_enable rcvar=${name}_enable
GSTATEXPORTER="nohup /usr/local/bin/python3.6 /root/FreeBSD/scripts/gstat_exporter.py" GSTATEXPORTER="nohup /usr/local/bin/python3.7 /root/FreeBSD/scripts/gstat_exporter.py"
start_cmd="${name}_start" start_cmd="${name}_start"
stop_cmd="${name}_stop" stop_cmd="${name}_stop"

24
iocage/Makefile
View File

@ -1,24 +0,0 @@
ZPOOL=""
SERVER=""
PYTHON?=/usr/local/bin/python3.7
depends:
@(pkg -vv | grep -e "url.*/latest") > /dev/null 2>&1 || (echo "It is advised pkg url is using \"latest\" instead of \"quarterly\" in /etc/pkg/FreeBSD.conf.";)
@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
pkg install -q -y py37-libzfs
${PYTHON} -m ensurepip
${PYTHON} -m pip install -Ur requirements.txt
install: depends
${PYTHON} -m pip install -U .
uninstall:
${PYTHON} -m pip uninstall -y iocage-lib iocage-cli
test:
pytest --zpool $(ZPOOL) --server $(SERVER)
help:
@echo " install"
@echo " Installs iocage"
@echo " uninstall"
@echo " Removes iocage"
@echo " test"
@echo " Run unit tests with pytest"

BIN
jails/config/calibre/Find Duplicates-beta-py3.zip Normal file
View File

Binary file not shown.

2
jails/config/cloud/httpd.conf
View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

4
jails/config/common/snip-sendmail.sh
View File

@ -8,8 +8,12 @@
#! /usr/local/bin/bash #! /usr/local/bin/bash
# smart_host - mail - is the mail server's dns name # smart_host - mail - is the mail server's dns name
# TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1` IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_IDENT', \`0')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_COMMAND', \`2m')" >> /etc/mail/$HOSTNAME.mc

2
jails/config/hub/httpd.conf
View File

@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

15
jails/config/ibm/create_tuns.sh Executable file
View File

@ -0,0 +1,15 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
#
ifconfig tun181 create
#ifconfig bridge1 addm tap181 up
#ifconfig tap181 up
#ifconfig tap181 inet6 auto_linklocal

17
jails/config/ibm/ibm.sh Executable file
View File

@ -0,0 +1,17 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/usr/local/bin/bash
# ./ibm.sh under tmux
ifconfig tun186 create
ifconfig tun186 inet 172.16.0.186 172.16.0.100
chmod 666 /dev/tun186
cd /data/Z110/CONF
# hercules

140
jails/config/ibm/ipfw.rules Executable file
View File

@ -0,0 +1,140 @@
#!/bin/sh
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
# ipfw -vated list
# IPFW configuration
#sysrc firewall_enable="YES"
#sysrc firewall_logif="YES"
#sysrc firewall_script="/mnt/config/ipfw.rules"
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
#sysrc natd_interface="epair0b"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#natd.conf:
#redirect_port tcp 172.16.0.100:21-23 21-23
# Set rules command prefix
cmd="ipfw -q add"
lif="tun186" # interface name of tunnel attached to Local network
rif="epair0b" # interface name of vnet attached to Remote/external network
skip="skipto 12000"
# Flush out the list before we begin.
ipfw -q -f flush
# gateway_enable already set in rc.conf
# sysctl net.inet.ip.forwarding=1
# Packets passing the stateful NAT may be re-injected into the firewall
# sysctl net.inet.ip.fw.one_pass=0
ipfw disable one_pass
# functionality is included in the divert action
#ipfw -q nat 1 config if $rif same_ports unreg_only reset
$cmd 00050 allow ip from any to any via $lif
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
# The reassemble rule is not needed with userland natd(8)
# because the internal workings of the IPFW divert action
# takes care of reassembling packets before delivery to the socket
#$cmd 01100 reass all from any to any in
$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 01300 check-state
# Allow access to DNS
$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
# Allow outbound ping
$cmd 02210 $skip icmp from any to any out via $rif keep-state
# Allow outbound NTP
$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
# Allow outbound TCP traffic
$cmd 02500 $skip tcp from any to any 20,22,25,80,443 out via $rif setup keep-state
# 03720 pasv ftp
# deny and log all other outbound connections
$cmd 02999 deny log all from any to any out via $rif
#### Lockdown incoming traffic
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 02120.
#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
# Allow public pings
$cmd 03210 allow icmp from any to any in via $rif
# Deny ident
$cmd 03230 deny tcp from any to any 113 in via $rif
# Deny all Netbios services.
$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
# Deny fragments
$cmd 03250 deny all from any to any frag in via $rif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03500 deny tcp from any to any established in via $rif
# Allow inbound SSH host connections
$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
# Allow HTTP host connections to host web server
$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
# Allow inbound Telnet connections to NAT
$cmd 03710 allow tcp from any to me 23,3270 in via $rif setup limit src-addr 2
# Allow inbound FTP connections to NAT
$cmd 03720 allow tcp from any to me 20,21 in via $rif setup limit src-addr 2
# 02500 pasv ftp
# Reject and log all other incoming connections
$cmd 03999 deny log all from any to any in via $rif
#### lockdown in
$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
$cmd 65000 allow ip from any to any
#$cmd 65535 deny ip from any to any

2
jails/config/ibm/natd.conf Normal file
View File

@ -0,0 +1,2 @@
redirect_port tcp 172.16.0.100:20-21 20-21
redirect_port tcp 172.16.0.100:23 23

4
jails/config/ibm/setup_jail.sh Executable file
View File

@ -0,0 +1,4 @@
# requrired to run other configured scripts
/bin/sh /etc/rc
# launch tmux with emu
#/mnt/config/startemu.sh

31
jails/config/ibm/startemu.sh Executable file
View File

@ -0,0 +1,31 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
#
session="emu_tmux"
# set up tmux
tmux start-server
# create a new tmux session, naming the window hercules
tmux new-session -d -s $session -n hercules
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./ibm.sh" C-m
# create a new window empty
tmux new-window -t $session:1 -n empty
tmux selectp -t 1
tmux send-keys "cd /mnt/config;clear" C-m
# return to main window
tmux select-window -t $session:0
tmux selectp -t 1
# Finished setup, attach to the tmux session!
#tmux attach-session -t $session

17
jails/config/mail/postfix/main.cf
View File

@ -282,7 +282,8 @@ unknown_local_recipient_reject_code = 550
#mynetworks = $config_directory/mynetworks #mynetworks = $config_directory/mynetworks
#mynetworks = hash:$config_directory/network_table #mynetworks = hash:$config_directory/network_table
mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56 #mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [2603:3024:3f6:e1::]/64
smtp_bind_address = 192.168.0.100 smtp_bind_address = 192.168.0.100
smtp_bind_address6 = 2603:3024:3f6:e1::100 smtp_bind_address6 = 2603:3024:3f6:e1::100
@ -680,6 +681,10 @@ sample_directory = /usr/local/etc/postfix
# #
readme_directory = /usr/local/share/doc/postfix readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6 inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
smtp_address_preference = ipv4
meta_directory = /usr/local/libexec/postfix meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix shlib_directory = /usr/local/lib/postfix
@ -776,21 +781,21 @@ smtpd_helo_required = yes
# entry and present a valid, FQDN HELO hostname. In addition, they can only # entry and present a valid, FQDN HELO hostname. In addition, they can only
# send mail to valid mailboxes on the server, and the sender's domain must # send mail to valid mailboxes on the server, and the sender's domain must
# actually exist. # actually exist.
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject_unauth_pipelining smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_unknown_reverse_client_hostname
# you might want to consider: # you might want to consider:
# reject_unknown_client_hostname, # reject_unknown_client_hostname,
# here. This will reject all incoming connections without a reverse DNS # here. This will reject all incoming connections without a reverse DNS
# entry that resolves back to the client's IP address. This is a very # entry that resolves back to the client's IP address. This is a very
# restrictive check and may reject legitimate mail. # restrictive check and may reject legitimate mail.
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,reject_unauth_pipelining smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_unauth_pipelining,reject_non_fqdn_helo_hostname
# you might want to consider: # you might want to consider:
# reject_unknown_helo_hostname, # reject_unknown_helo_hostname,
# here. This will reject all incoming mail without a HELO hostname that # here. This will reject all incoming mail without a HELO hostname that
# properly resolves in DNS. This is a somewhat restrictive check and may # properly resolves in DNS. This is a somewhat restrictive check and may
# reject legitimate mail. # reject legitimate mail.
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! # !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
@ -806,7 +811,7 @@ virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-maps.cf
# LDAP query to find a user's email aliases # LDAP query to find a user's email aliases
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-alias-maps.cf, hash:/usr/local/etc/postfix/virtual-maillist-alias-maps virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-alias-maps.cf, hash:/usr/local/etc/postfix/virtual-maillist-alias-maps
# We'll uncomment these when we set up rspamd later: # rspamd specific
milter_protocol = 6 milter_protocol = 6
# if rspamd is down, don't reject mail # if rspamd is down, don't reject mail
milter_default_action = accept milter_default_action = accept

9
jails/config/mail/postfix/main.cf.default
View File

@ -177,6 +177,7 @@ import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LA
in_flow_delay = 1s in_flow_delay = 1s
inet_interfaces = all inet_interfaces = all
inet_protocols = all inet_protocols = all
info_log_address_format = external
initial_destination_concurrency = 5 initial_destination_concurrency = 5
internal_mail_filter_classes = internal_mail_filter_classes =
invalid_hostname_reject_code = 501 invalid_hostname_reject_code = 501
@ -327,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
luser_relay = luser_relay =
mail_name = Postfix mail_name = Postfix
mail_owner = postfix mail_owner = postfix
mail_release_date = 20190921 mail_release_date = 20200316
mail_spool_directory = /var/mail mail_spool_directory = /var/mail
mail_version = 3.4.7 mail_version = 3.5.0
mailbox_command = mailbox_command =
mailbox_command_maps = mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock mailbox_delivery_lock = flock, dotlock
@ -358,7 +359,7 @@ message_size_limit = 10240000
message_strip_characters = message_strip_characters =
meta_directory = /usr/local/libexec/postfix meta_directory = /usr/local/libexec/postfix
milter_command_timeout = 30s milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} {daemon_addr} v milter_connect_macros = j {daemon_name} {daemon_addr} v _
milter_connect_timeout = 30s milter_connect_timeout = 30s
milter_content_timeout = 300s milter_content_timeout = 300s
milter_data_macros = i milter_data_macros = i
@ -733,7 +734,7 @@ smtpd_sasl_response_limit = 12288
smtpd_sasl_security_options = noanonymous smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot smtpd_sasl_type = cyrus
smtpd_sender_login_maps = smtpd_sender_login_maps =
smtpd_sender_restrictions = smtpd_sender_restrictions =
smtpd_service_name = smtpd smtpd_service_name = smtpd

4
jails/config/mail/postfix/master.cf
View File

@ -16,9 +16,9 @@ smtp inet n - n - - smtpd
#dnsblog unix - - n - 0 dnsblog #dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy #tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd submission inet n - n - - smtpd
# -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt
-o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes -o tls_preempt_cipherlist=yes
# -o syslog_name=postfix/submission
# -o smtpd_sasl_auth_enable=yes # -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes # -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no # -o smtpd_reject_unlisted_recipient=no

6
jails/config/mail/postfix/master.cf.sample
View File

@ -79,7 +79,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: maildrop_destination_recipient_limit=1 # Also specify in main.cf: maildrop_destination_recipient_limit=1
# #
#maildrop unix - n n - - pipe #maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# #
# ==================================================================== # ====================================================================
# #
@ -98,7 +98,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: cyrus_destination_recipient_limit=1 # Also specify in main.cf: cyrus_destination_recipient_limit=1
# #
#cyrus unix - n n - - pipe #cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# #
# ==================================================================== # ====================================================================
# #
@ -129,5 +129,5 @@ postlog unix-dgram n - n - 1 postlogd
# ${nexthop} ${user} ${extension} # ${nexthop} ${user} ${extension}
# #
#mailman unix - n n - - pipe #mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user} # ${nexthop} ${user}

6
jails/config/maps/maps
View File

@ -1,4 +1,6 @@
# Copyright (c) 2018-2020, diyIT.org #!/bin/sh
# Copyright (c) 2018-2019, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -6,8 +8,6 @@
# #
# #
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e # the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: mapsserver # PROVIDE: mapsserver
# REQUIRE: NETWORKING DAEMON # REQUIRE: NETWORKING DAEMON

58
jails/config/matrix/config.json Normal file
View File

@ -0,0 +1,58 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.ahlawat.com",
"server_name": "matrix.ahlawat.com"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Riot",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"defaultCountryCode": "US",
"showLabsSettings": false,
"features": {
"feature_pinning": "labs",
"feature_custom_status": "labs",
"feature_custom_tags": "labs",
"feature_state_counters": "labs"
},
"default_federate": true,
"default_theme": "light",
"roomDirectory": {
"servers": [
"matrix.org"
]
},
"welcomeUserId": "@riot-bot:matrix.org",
"piwik": {
"url": "https://piwik.riot.im/",
"whitelistedHSUrls": ["https://matrix.org"],
"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
"siteId": 1
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false
},
"settingDefaults": {
"breadcrumbs": true
},
"jitsi": {
"preferredDomain": "meet.ahlawat.com"
}
}

161
jails/config/matrix/nginx.conf Normal file
View File

@ -0,0 +1,161 @@
#user nobody;
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# server {
# listen 80;
# server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# location / {
# root /usr/local/www/nginx;
# index index.html index.htm;
# }
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/local/www/nginx-dist;
# }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# }
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
server_names_hash_bucket_size 64;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name matrix.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#access_log logs/host.access.log main;
#location /favicon.ico { access_log off; log_not_found off; }
root /usr/local/www/riot;
index index.html;
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
}

9
jails/config/meet/hosts.txt Normal file
View File

@ -0,0 +1,9 @@
192.168.0.67 auth.meet.ahlawat.com
2603:3024:3f6:e1::67 auth.meet.ahlawat.com
192.168.0.67 confrence.meet.ahlawat.com
2603:3024:3f6:e1::67 conference.meet.ahlawat.com
192.168.0.67 focus.meet.ahlawat.com
2603:3024:3f6:e1::67 focus.meet.ahlawat.com
192.168.0.67 jistsi-videobridge.meet.ahlawat.com
2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com

9
jails/config/meet/jicofo.conf Normal file
View File

@ -0,0 +1,9 @@
JVB_XMPP_HOST=localhost
JVB_XMPP_DOMAIN=meet.ahlawat.com
JVB_XMPP_PORT=5347
JVB_XMPP_SECRET=YOURSECRET2-qwertyuiop
JVB_XMPP_USER_DOMAIN=auth.meet.ahlawat.com
JVB_XMPP_USER_NAME=focus
JVB_XMPP_USER_SECRET=YOURSECRET3-qwertyuiop
MAX_MEMORY=3072m

542
jails/config/meet/jitsi-meet/config.js Normal file
View File

@ -0,0 +1,542 @@
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
// domain: 'jitsi-meet.example.com',
domain: 'meet.ahlawat.com',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: 'jitsi-meet.example.com',
// Jirecon recording component domain.
// jirecon: 'jirecon.jitsi-meet.example.com',
// Call control component (Jigasi).
// call_control: 'callcontrol.jitsi-meet.example.com',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.jitsi-meet.example.com',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
// muc: 'conference.jitsi-meet.example.com'
muc: 'conference.meet.ahlawat.com',
bridge: 'jitsi-videobridge.meet.ahlawat.com',
},
useNicks: false,
// BOSH URL. FIXME: use XEP-0156 to discover it.
// bosh: '//jitsi-meet.example.com/http-bind',
bosh: '//meet.ahlawat.com/http-bind',
// Websocket URL
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// focusUserJid: 'focus@auth.jitsi-meet.example.com',
// Testing / experimental features.
//
testing: {
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
// disableAudioLevels: false,
// audioLevelsInterval: 200,
// Enabling this will run the lib-jitsi-meet no audio detection module which
// will notify the user if the current selected microphone has no audio
// input and will suggest another valid device if one is present.
enableNoAudioDetection: true,
// Enabling this will run the lib-jitsi-meet noise detection module which will
// notify the user if there is noise, other than voice, coming from the current
// selected microphone. The purpose it to let the user know that the input could
// be potentially unpleasant for other meeting participants.
enableNoisyMicDetection: true,
// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independent from
// this config's resolution value. Defaults to requesting an ideal
// resolution of 720p.
// constraints: {
// video: {
// height: {
// ideal: 720,
// max: 720,
// min: 240
// }
// }
// },
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
// startVideoMuted: 10,
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// The ID of the jidesha extension for Chrome.
desktopSharingChromeExtId: null,
// Whether desktop sharing should be disabled on Chrome.
// desktopSharingChromeDisabled: false,
// The media sources to use when using screen sharing with the Chrome
// extension.
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
// Required version of Chrome extension
desktopSharingChromeMinExtVersion: '0.1',
// Whether desktop sharing should be disabled on Firefox.
// desktopSharingFirefoxDisabled: false,
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://jitsi-meet.example.com/static/oauth.html'
// redirectURI:
// 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// Enable IPv6 support.
// useIPv6: true,
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
// UI
//
// Use display name as XMPP nickname.
// useNicks: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
// defaultLanguage: 'en',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
// pcStatsInterval: 10000,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// enables sending participants display name to callstats
// enableDisplayNameInStats: false,
// enables sending participants email if available to callstats and other analytics
// enableEmailInStats: false,
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
// { urls: 'stun:jitsi-meet.example.com:4446' },
// { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
{ urls: 'stun:ahlawat.com:3478' }
],
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported).
preferH264: true
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
},
// Decides whether the start/stop recording audio notifications should play on record.
// disableRecordAudioNotification: false,
// Information for the chrome extension banner
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label',
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false,
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false,
// Mainly privacy related settings
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// },
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true
// },
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
autoRecord
autoRecordToken
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'
// no configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var */

258
jails/config/meet/jitsi-meet/interface_config.js Normal file
View File

@ -0,0 +1,258 @@
/* eslint-disable no-unused-vars, no-var, max-len */
var interfaceConfig = {
// TO FIX: this needs to be handled from SASS variables. There are some
// methods allowing to use variables both in css and js.
DEFAULT_BACKGROUND: '#474747',
/**
* Whether or not the blurred video background for large video should be
* displayed on browsers that can support it.
*/
DISABLE_VIDEO_BACKGROUND: false,
INITIAL_TOOLBAR_TIMEOUT: 20000,
TOOLBAR_TIMEOUT: 4000,
TOOLBAR_ALWAYS_VISIBLE: false,
DEFAULT_REMOTE_DISPLAY_NAME: 'Friend',
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
SHOW_JITSI_WATERMARK: false,
JITSI_WATERMARK_LINK: 'https://meet.ahlawat.com',
// if watermark is disabled by default, it can be shown only for guests
SHOW_WATERMARK_FOR_GUESTS: false,
SHOW_BRAND_WATERMARK: false,
BRAND_WATERMARK_LINK: 'https://meet.ahlawat.com',
SHOW_POWERED_BY: false,
SHOW_DEEP_LINKING_IMAGE: false,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: false,
DISPLAY_WELCOME_PAGE_CONTENT: false,
DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
APP_NAME: 'Ahlawat meet',
NATIVE_APP_NAME: 'Ahlawat meet',
PROVIDER_NAME: 'Ahlawat',
LANG_DETECTION: true, // Allow i18n to detect the system language
INVITATION_POWERED_BY: false,
/**
* If we should show authentication block in profile
*/
AUTHENTICATION_ENABLE: true,
/**
* The name of the toolbar buttons to display in the toolbar. If present,
* the button will display. Exceptions are "livestreaming" and "recording"
* which also require being a moderator and some values in config.js to be
* enabled. Also, the "profile" button will not display for user's with a
* jwt.
*/
TOOLBAR_BUTTONS: [
'microphone', 'camera', 'closedcaptions', 'desktop', 'fullscreen',
'fodeviceselection', 'hangup', 'profile', 'info', 'chat', 'recording',
'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone',
'e2ee'
],
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
// Determines how the video would fit the screen. 'both' would fit the whole
// screen, 'height' would fit the original video height to the height of the
// screen, 'width' would fit the original video width to the width of the
// screen respecting ratio.
VIDEO_LAYOUT_FIT: 'both',
/**
* Whether to only show the filmstrip (and hide the toolbar).
*/
filmStripOnly: false,
/**
* Whether to show thumbnails in filmstrip as a column instead of as a row.
*/
VERTICAL_FILMSTRIP: true,
// A html text to be shown to guests on the close page, false disables it
CLOSE_PAGE_GUEST_HINT: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
RANDOM_AVATAR_URL_PREFIX: false,
RANDOM_AVATAR_URL_SUFFIX: false,
FILM_STRIP_MAX_HEIGHT: 120,
// Enables feedback star animation.
ENABLE_FEEDBACK_ANIMATION: false,
DISABLE_FOCUS_INDICATOR: false,
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_TRANSCRIPTION_SUBTITLES: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
POLICY_LOGO: null,
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
// Documentation reference for the live streaming feature.
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
/**
* Whether the mobile app Jitsi Meet is to be promoted to participants
* attempting to join a conference in a mobile Web browser. If
* {@code undefined}, defaults to {@code true}.
*
* @type {boolean}
*/
MOBILE_APP_PROMO: true,
/**
* Maximum coeficient of the ratio of the large video to the visible area
* after the large video is scaled to fit the window.
*
* @type {number}
*/
MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
/*
* If indicated some of the error dialogs may point to the support URL for
* help.
*/
SUPPORT_URL: 'https://ahlawat.com/',
/**
* Whether the connection indicator icon should hide itself based on
* connection strength. If true, the connection indicator will remain
* displayed while the participant has a weak connection and will hide
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
* strong.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
/**
* How long the connection indicator should remain displayed before hiding.
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
*
* @type {number}
*/
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
/**
* If true, hides the connection indicators completely.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_DISABLED: false,
/**
* If true, hides the video quality label indicating the resolution status
* of the current large video.
*
* @type {boolean}
*/
VIDEO_QUALITY_LABEL_DISABLED: false,
/**
* If true, will display recent list
*
* @type {boolean}
*/
RECENT_LIST_ENABLED: true,
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron' ],
// Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [],
/**
* A UX mode where the last screen share participant is automatically
* pinned. Valid values are the string "remote-only" so remote participants
* get pinned but not local, otherwise any truthy value for all participants,
* and any falsy value to disable the feature.
*
* Note: this mode is experimental and subject to breakage.
*/
AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
/**
* If true, presence status: busy, calling, connected etc. is not displayed.
*/
DISABLE_PRESENCE_STATUS: false,
/**
* If true, notifications regarding joining/leaving are no longer displayed.
*/
DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
/**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering.
*/
SHOW_CHROME_EXTENSION_BANNER: false
/**
* When enabled, the kick participant button will not be presented for users without a JWT
*/
// HIDE_KICK_BUTTON_FOR_GUESTS: false
/**
* How many columns the tile view can expand to. The respected range is
* between 1 and 5.
*/
// TILE_VIEW_MAX_COLUMNS: 5,
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
/**
* Specify the Android app package name.
*/
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
/**
* Override the behavior of some notifications to remain displayed until
* explicitly dismissed through a user action. The value is how long, in
* milliseconds, those notifications should remain displayed.
*/
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
MOBILE_DYNAMIC_LINK
PHONE_NUMBER_REGEX
*/
};
/* eslint-enable no-unused-vars, no-var, max-len */

190
jails/config/meet/nginx.conf Normal file
View File

@ -0,0 +1,190 @@
#user nobody;
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# server {
# listen 80;
# server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# location / {
# root /usr/local/www/nginx;
# index index.html index.htm;
# }
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/local/www/nginx-dist;
# }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# }
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
server_names_hash_bucket_size 64;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name meet.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#access_log logs/host.access.log main;
#location /favicon.ico { access_log off; log_not_found off; }
root /usr/local/www/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location /http-bind {
proxy_pass http://meet.ahlawat.com:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /usr/local/www/jitsi-meet/libs/external_api.min.js;
}
# xmpp websockets
location /xmpp-websocket {
proxy_pass http://meet.ahlawat.com:5280/xmpp-websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
tcp_nodelay on;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
}

234
jails/config/meet/prosody.cfg.lua Normal file
View File

@ -0,0 +1,234 @@
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
pidfile = "/var/run/prosody/prosody.pid"
-- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "focus@auth.meet.ahlawat.com" }
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
--plugin_paths = {}
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"websocket"; -- XMPP over WebSockets
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"limits"; -- Enable bandwidth limiting for XMPP connections
--"groups"; -- Shared roster support
--"server_contact_info"; -- Publish contact information for this service
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
s2s_require_encryption = true
-- Force certificate authentication for server-to-server connections?
s2s_secure_auth = false
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
--s2s_insecure_domains = { "insecure.example" }
-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "prosody.err";
-- "*syslog"; -- Uncomment this for logging to syslog
-- "*console"; -- Log to the console, useful for debugging with daemonize=false
}
-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
-- certificates = "certs"
certificates = "/mnt/certs"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/usr/local/etc/prosody/certs/localhost.crt"
https_certificate = "/mnt/certs/haproxy.pem"
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
-- VirtualHost "localhost"
VirtualHost "meet.ahlawat.com"
ssl = {
key = "/mnt/certs/privkeyr.pem";
certificate = "/mnt/certs/fullchain.pem";
}
authentication = "anonymous"
modules_enabled = {
"bosh";
"pubsub";
}
c2s_require_encryption = false
-- certificate = "/path/to/example.crt"
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
Component "conference.meet.ahlawat.com" "muc"
Component "jitsi-videobridge.meet.ahlawat.com"
component_secret = "YOURSECRET1-qwertyuiop"
Component "focus.meet.ahlawat.com"
component_secret = "YOURSECRET2-qwertyuiop"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
VirtualHost "auth.meet.ahlawat.com"
ssl = {
key = "/var/db/prosody/auth.meet.ahlawat.com.key";
certificate = "/var/db/prosody/auth.meet.ahlawat.com.crt";
}
authentication = "internal_hashed"

7
jails/config/meet/videobridge/jitsi-videobridge.conf Normal file
View File

@ -0,0 +1,7 @@
JVB_XMPP_HOST=localhost
JVB_XMPP_DOMAIN=meet.ahlawat.com
JVB_XMPP_PORT=5347
JVB_XMPP_SECRET=YOURSECRET1-qwertyuiop
VIDEOBRIDGE_MAX_MEMORY=3072m
# VIDEOBRIDGE_DEBUG_OPTIONS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000"

7
jails/config/meet/videobridge/sip-communicator.properties Normal file
View File

@ -0,0 +1,7 @@
#org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.meet.ahlawat.com/.*
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
# The videobridge uses 443 by default with 4443 as a fallback, but since we're already
# running nginx on 443 in this example doc, we specify 4443 manually to avoid a race condition
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.0.67
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=173.167.104.25

2
jails/config/monitor/httpd.conf
View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

938
jails/config/monitor/json/blackbox-exporter-overview_rev1.json Normal file
View File

@ -0,0 +1,938 @@
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.4.3"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
},
{
"type": "panel",
"id": "singlestat",
"name": "Singlestat",
"version": "5.0.0"
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "${DS_PROMETHEUS}",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"gnetId": 11175,
"graphTooltip": 0,
"id": null,
"iteration": 1573505620144,
"links": [],
"panels": [
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 15,
"panels": [],
"repeat": "targets",
"title": "$targets UP/DOWN Status",
"type": "row"
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 24,
"x": 0,
"y": 1
},
"id": 2,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeat": null,
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_success{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "1,1",
"title": "$targets",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "UP",
"value": "1"
},
{
"op": "=",
"text": "DOWN",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 3
},
"id": 18,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_http_ssl{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "0,1",
"title": "SSL",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"fill": 1,
"gridPos": {
"h": 6,
"w": 9,
"x": 6,
"y": 3
},
"id": 17,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_duration_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Probe Duration",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"fill": 1,
"gridPos": {
"h": 6,
"w": 9,
"x": 15,
"y": 3
},
"id": 21,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_dns_lookup_time_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "DNS Lookup",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorValue": false,
"colors": [
"#d44a3a",
"rgba(237, 129, 40, 0.89)",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"decimals": 2,
"format": "dtdurations",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 5
},
"id": 19,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_ssl_earliest_cert_expiry{instance=~\"$targets\"}-time()",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "0,1209600",
"title": "SSL Cert Expiry",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"decimals": 0,
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 7
},
"id": 20,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"minSpan": 3,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "probe_http_status_code{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "200,299,300",
"title": "HTTP Status Code",
"transparent": false,
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
},
{
"op": "=",
"text": "YES",
"value": "1"
},
{
"op": "=",
"text": "NO",
"value": "0"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"format": "s",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 12,
"x": 0,
"y": 9
},
"id": 23,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "avg(probe_duration_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "Average Probe Duration",
"type": "singlestat",
"valueFontSize": "50%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "${DS_PROMETHEUS}",
"format": "s",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 2,
"w": 12,
"x": 12,
"y": 9
},
"id": 24,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "avg(probe_dns_lookup_time_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "Average DNS Lookup",
"type": "singlestat",
"valueFontSize": "50%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
}
],
"refresh": "1m",
"schemaVersion": 16,
"style": "dark",
"tags": [
"blackbox",
"prometheus"
],
"templating": {
"list": [
{
"auto": true,
"auto_count": 10,
"auto_min": "10s",
"current": {
"text": "auto",
"value": "$__auto_interval_interval"
},
"hide": 0,
"label": "Interval",
"name": "interval",
"options": [
{
"selected": true,
"text": "auto",
"value": "$__auto_interval_interval"
},
{
"selected": false,
"text": "5s",
"value": "5s"
},
{
"selected": false,
"text": "10s",
"value": "10s"
},
{
"selected": false,
"text": "30s",
"value": "30s"
},
{
"selected": false,
"text": "1m",
"value": "1m"
},
{
"selected": false,
"text": "10m",
"value": "10m"
},
{
"selected": false,
"text": "30m",
"value": "30m"
},
{
"selected": false,
"text": "1h",
"value": "1h"
},
{
"selected": false,
"text": "6h",
"value": "6h"
},
{
"selected": false,
"text": "12h",
"value": "12h"
},
{
"selected": false,
"text": "1d",
"value": "1d"
},
{
"selected": false,
"text": "7d",
"value": "7d"
},
{
"selected": false,
"text": "14d",
"value": "14d"
},
{
"selected": false,
"text": "30d",
"value": "30d"
}
],
"query": "5s,10s,30s,1m,10m,30m,1h,6h,12h,1d,7d,14d,30d",
"refresh": 2,
"skipUrlSync": false,
"type": "interval"
},
{
"allValue": null,
"current": {},
"datasource": "${DS_PROMETHEUS}",
"definition": "label_values(probe_success, instance)",
"hide": 0,
"includeAll": true,
"label": null,
"multi": true,
"name": "targets",
"options": [],
"query": "label_values(probe_success, instance)",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"tagValuesQuery": "",
"tags": [],
"tagsQuery": "",
"type": "query",
"useTags": false
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Blackbox Exporter Overview",
"uid": "xtkCtBkiz",
"version": 1,
"description": "Fork of https://grafana.com/grafana/dashboards/5345 which uses 'instance' instead of 'target' label"
}

1374
jails/config/monitor/json/freebsd-gstat-exporter_rev1.json Normal file
View File

File diff suppressed because it is too large Load Diff

2711
jails/config/monitor/json/pfsense-firewall-dashboard_rev1.json Normal file
View File

File diff suppressed because it is too large Load Diff

2846
jails/config/monitor/json/pfsense_rev1.json Normal file
View File

File diff suppressed because it is too large Load Diff

2941
jails/config/monitor/json/router-stats_rev1.json Normal file
View File

File diff suppressed because it is too large Load Diff

26544
jails/config/monitor/json/switch-overview_rev1.json Normal file
View File

File diff suppressed because it is too large Load Diff

1
jails/config/monitor/start_logstash.sh
View File

@ -1,2 +1,3 @@
mount proc mount proc
/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash /usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
ps axww | grep logstash

2
jails/config/nivi/httpd.conf
View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

6
jails/config/pkgp/nginx.conf
View File

@ -21,7 +21,7 @@ http {
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_set_header Host $proxy_host; proxy_set_header Host $host;
server { server {
listen *:80; listen *:80;
@ -95,6 +95,7 @@ http {
proxy_cache_lock on; proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404; proxy_next_upstream error timeout invalid_header http_404;
proxy_pass http://pkg-mirrors; proxy_pass http://pkg-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status; # add_header X-Proxy-Cache $upstream_cache_status;
} }
} }
@ -118,7 +119,7 @@ http {
listen [::]:8002; listen [::]:8002;
server_name localhost; server_name localhost;
location / { location / {
proxy_pass http://pkg0.cyb.FreeBSD.org; proxy_pass http://pkg0.tuk.FreeBSD.org;
} }
} }
@ -146,6 +147,7 @@ http {
proxy_cache_lock on; proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404; proxy_next_upstream error timeout invalid_header http_404;
proxy_pass http://update-mirrors; proxy_pass http://update-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status; # add_header X-Proxy-Cache $upstream_cache_status;
} }
} }

50
jails/config/proxy/haproxy.conf
View File

@ -36,15 +36,6 @@ defaults
timeout tunnel 3600s timeout tunnel 3600s
timeout tarpit 60s timeout tarpit 60s
#listen stats
# bind :::1936 v4v6
# stats uri /
# stats enable
# stats refresh 10s
# stats show-node
# stats realm Haproxy\ Statistics
# stats auth infra:infra
frontend stats frontend stats
bind :::8404 v4v6 bind :::8404 v4v6
http-request use-service prometheus-exporter if { path /metrics } http-request use-service prometheus-exporter if { path /metrics }
@ -88,6 +79,7 @@ frontend ft
use_backend bk_diyit if { ssl_fc_sni www.diyit.space } use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com } use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com } use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
@ -101,6 +93,8 @@ frontend ft
use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com } use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com } use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com } use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com } use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org } use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
@ -108,7 +102,6 @@ frontend ft
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org } use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org } use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_beyondbell-api if { ssl_fc_sni api.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
@ -118,26 +111,37 @@ frontend ft
backend bk_ahlawat backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell backend bk_beyondbell
server srv1 192.168.0.74:8000 server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_diyit backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-sharad backend bk_ahlawat-sharad
balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-nivi backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-rishabh backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
#backend bk_ahlawat-book #backend bk_ahlawat-book
@ -164,10 +168,12 @@ backend bk_ahlawat-cam
backend bk_ahlawat-cloud backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-git backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspidel X-Frame-Options:* rspidel X-Frame-Options:*
# http-request set-var(txn.src) src # http-request set-var(txn.src) src
# acl mynet var(txn.src) -m sub 192.168.0 # acl mynet var(txn.src) -m sub 192.168.0
@ -178,8 +184,19 @@ backend bk_ahlawat-git
backend bk_ahlawat-hub backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-monitor backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
@ -199,6 +216,7 @@ backend bk_diyit-kibana
backend bk_diyit-maps backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-ci backend bk_ahlawat-ci
@ -208,28 +226,26 @@ backend bk_ahlawat-ci
server srv1 cix.ahlawat.com:8180 check server srv1 cix.ahlawat.com:8180 check
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-api
server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-git backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-ci backend bk_beyondbell-ci
http-request set-header Host cix.beyondbell.com:8111 http-request set-header Host cix.beyondbell.com:8111
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2 reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2 rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 cix.beyondbell.com:8111 check server srv1 cix.beyondbell.com:8111
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-repo backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8080 # http-request set-header Host 192.168.0.75:8080
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2 reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2 rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8080 check server srv1 192.168.0.75:8080
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-gs backend bk_beyondbell-gs
server srv1 192.168.0.81:26900 check server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN rspadd X-Frame-Options:\ SAMEORIGIN

11
jails/config/rachna/020_mod_ssl.conf Normal file
View File

@ -0,0 +1,11 @@
Listen 443
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
# SSLUseStapling on
SSLSessionTickets off
SSLOptions +StrictRequire
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
SSLSessionCache shmcb:/usr/local/etc/apache24/ssl_scache(512000)

610
jails/config/rachna/httpd.conf Normal file
View File

@ -0,0 +1,610 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
LoadModule http2_module libexec/apache24/mod_http2.so
LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin sharad@ahlawat.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
# can't set this if traffic is passing through haproxy and being redirected to ssl already
# RewriteEngine on
# RewriteRule ^/\.well-known/ - [L]
# RewriteRule (.*) https://rachna.ahlawat.com [R,L]
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.html
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "/var/log/httpd-access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd-access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig etc/apache24/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf
# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf
# Language settings
#Include etc/apache24/extra/httpd-languages.conf
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
# Various default settings
#Include etc/apache24/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName rachna.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias rachna
Protocols h2 h2c http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
SSLEngine on
SSLCertificateFile "/mnt/certs/fullchain.pem"
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
#-IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
#AllowOverride All
#-AllowOverride AuthConfig
#Controls who can get stuff from this server file
#-Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>

1918
jails/config/rachna/php.ini Normal file
View File

File diff suppressed because it is too large Load Diff

423
jails/config/rachna/www.conf Normal file
View File

@ -0,0 +1,423 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www
group = www
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
;listen.owner = www
;listen.group = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 10
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

2
jails/config/rishabh/httpd.conf
View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

2
jails/config/sharad/httpd.conf
View File

@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

0
jails/config/test/devfs_rules → jails/config/vpngw/devfs_rules
View File

0
jails/config/test/devfs_rules.raw → jails/config/vpngw/devfs_rules.raw
View File

0
jails/config/test/devfs_rules.txt → jails/config/vpngw/devfs_rules.txt
View File

131
jails/config/vpngw/ipfw.rules Executable file
View File

@ -0,0 +1,131 @@
#!/bin/sh
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
# ipfw -vated list
# IPFW configuration
#sysrc firewall_enable="YES"
#sysrc firewall_logif="YES"
#sysrc firewall_script="/mnt/config/ipfw.rules"
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
#sysrc natd_interface="tun0"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#natd.conf: redirect_port tcp 192.168.0.9:80 80
# Set rules command prefix
cmd="ipfw -q add"
lif="epair0b" # interface name of VNET attached to Local network
rif="tun0" # interface name of Tunnel attached to Remote network
skip="skipto 12000"
# Flush out the list before we begin.
ipfw -q -f flush
# gateway_enable already set in rc.conf
# sysctl net.inet.ip.forwarding=1
# Packets passing the stateful NAT may be re-injected into the firewall
# sysctl net.inet.ip.fw.one_pass=0
ipfw disable one_pass
# functionality is included in the divert action
#ipfw -q nat 1 config if $rif same_ports unreg_only reset
$cmd 00050 allow ip from any to any via $lif
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
# The reassemble rule is not needed with userland natd(8)
# because the internal workings of the IPFW divert action
# takes care of reassembling packets before delivery to the socket
#$cmd 01100 reass all from any to any in
$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 01300 check-state
# Allow access to DNS
#$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
#$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
# Allow outbound ping
$cmd 02210 $skip icmp from any to any out via $rif keep-state
# Allow outbound NTP
#$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
# Allow outbound TCP traffic
$cmd 02500 $skip tcp from any to any 22,80,443,2024,3389,5904 out via $rif setup keep-state
# deny and log all other outbound connections
$cmd 02999 deny log all from any to any out via $rif
#### Lockdown incoming traffic
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 02120.
#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
# Deny public pings
#$cmd 03210 deny icmp from any to any in via $rif
# Deny ident
$cmd 03230 deny tcp from any to any 113 in via $rif
# Deny all Netbios services.
$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
# Deny fragments
$cmd 03250 deny all from any to any frag in via $rif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03500 deny tcp from any to any established in via $rif
# Allow inbound SSH connections
#$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
# Allow HTTP connections to internal web server
#$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
# Reject and log all other incoming connections
$cmd 03999 deny log all from any to any in via $rif
#### lockdown in
$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
$cmd 65000 allow ip from any to any
#$cmd 65535 deny ip from any to any

1
jails/config/vpngw/natd.conf Normal file
View File

@ -0,0 +1 @@
redirect_port tcp 192.168.0.9:80 80

2
jails/config/web-diyit/httpd.conf
View File

@ -583,7 +583,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

2
jails/config/web/httpd.conf
View File

@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://localhost:9000" SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>

6
jails/create.sh
View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/usr/local/bin/bash
JAIL=$1 JAIL=$1
JAILHOSTNAME=$2 JAILHOSTNAME=$2
JAILDOMAIN=$3 JAILDOMAIN=$3
@ -171,5 +171,5 @@ iocage exec $JAIL "pkg clean -y"
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0 # iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common" # iocage exec $JAIL "rmdir /mnt/common"
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN" iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
# reverse dns should already be configured for the mail server to accept this email # reverse dns should already be configured for the mail server to accept this email

11
jails/jails-restore-httpd.sh
View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,9 +8,7 @@
# #
# #
#!/usr/local/bin/bash web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
for i in ${web_jails[@]}; for i in ${web_jails[@]};
do do
@ -27,7 +27,8 @@ for i in ${web_jails[@]};
do do
echo "restoring httpd.conf in web_jail $i after Apache update" echo "restoring httpd.conf in web_jail $i after Apache update"
iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf" iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
iocage exec $i "service apache24 reload" iocage exec $i "service apache24 restart"
done done
echo "check if php.ini or php-fpm need to be restored" echo "check in output above if php.ini or php-fpm need to be restored"
echo "check pkgp jail nginx instance is running"

8
jails/jails-update-cert.sh
View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,9 +8,7 @@
# #
# #
#!/bin/bash web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
for i in ${web_jails[@]}; for i in ${web_jails[@]};
do do
@ -40,7 +40,7 @@ iocage exec monitor "service elasticsearch restart"
iocage exec monitor "service kibana restart" iocage exec monitor "service kibana restart"
#iocage exec monitor "service logstash restart" #iocage exec monitor "service logstash restart"
iocage exec monitor "ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 " iocage exec monitor 'ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 '
iocage exec monitor "/root/start_logstash.sh" iocage exec monitor "/root/start_logstash.sh"
iocage exec monitor "service heartbeat restart" iocage exec monitor "service heartbeat restart"

85
jails/jails-update-pkgs.sh
View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,53 +8,65 @@
# #
# #
#!/bin/bash
pkg_jail="pj121" pkg_jail="pj121"
pkg_repo="pkgp121"
#<<'COMMENT-SKIP-PKG-BUILD' if [[ $1 == "pkgp-skip" ]]; then
iocage exec pkgp "pkg update -f"
iocage exec pkgp "pkg upgrade -y"
iocage exec pkgp "pkg clean -ay"
iocage set securelevel=0 pkgp echo "skipping pkgp update"
iocage exec pkgp "poudriere jail -l"
iocage exec pkgp "poudriere jail -u -j $pkg_jail"
iocage set securelevel=2 pkgp
iocage exec pkgp "portsnap auto" else
iocage exec pkgp "poudriere ports -l" #<<'UNCOMMENT-TO-SKIP-PKG-BUILD'
iocage exec pkgp "poudriere ports -u" iocage exec pkgp "pkg update"
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail" iocage exec pkgp "pkg upgrade -y"
#COMMENT-SKIP-PKG-BUILD iocage exec pkgp "pkg clean -ay"
cd /mnt/ship/ldap/phpLDAPadmin iocage set securelevel=0 pkgp
pwd iocage exec pkgp "poudriere jail -l"
git pull iocage exec pkgp "poudriere jail -u -j $pkg_jail"
cd /mnt/ship/r-ldap/phpLDAPadmin iocage set securelevel=2 pkgp
pwd
git pull iocage exec pkgp "portsnap auto"
cd /mnt/ship/book/calibre-web
pwd iocage exec pkgp "poudriere ports -l"
git pull iocage exec pkgp "poudriere ports -u"
cd /mnt/ship/plex/PlexConnect iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
pwd #UNCOMMENT-TO-SKIP-PKG-BUILD
git pull
cd /mnt/ship/maps/networkmaps cd /mnt/ship/ldap/phpLDAPadmin
pwd pwd
git pull git pull
cd /mnt/ship/r-ldap/phpLDAPadmin
pwd
git pull
cd /mnt/ship/book/calibre-web
pwd
git pull
cd /mnt/ship/plex/PlexConnect
pwd
git pull
cd /mnt/ship/maps/networkmaps
pwd
git pull
fi
if [[ $1 == "pkgp-only" ]]; then
exit
fi
#read -p "Return/Enter to continue, ctrl-c to abort? " RESP #read -p "Return/Enter to continue, ctrl-c to abort? " RESP
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
pkg_repo="pkgp121"
for i in `iocage list -h | cut -f 2`; for i in `iocage list -h | cut -f 2`;
do do
echo "## $i JAIL ##" echo "## $i JAIL ##"
iocage exec $i "pkg update -f" iocage exec $i "pkg update"
if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then
iocage exec $i "pkg unlock -y openldap-sasl-server" iocage exec $i "pkg unlock -y openldap-sasl-server"
@ -79,7 +93,8 @@ done
echo "NOTES:" echo "NOTES:"
echo "pkg update -f" echo "update base system by running:"
echo "pkg update"
echo "pkg autoremove -y" echo "pkg autoremove -y"
echo "pkg upgrade -y" echo "pkg upgrade -y"
echo "pkg clean -ay" echo "pkg clean -ay"

8
jails/update.sh
View File

@ -1,3 +1,5 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
@ -6,8 +8,6 @@
# #
# #
#!/usr/local/bin/bash
update_jail () update_jail ()
{ {
echo "######## ## JAIL:::: $JAIL ##" echo "######## ## JAIL:::: $JAIL ##"
@ -47,7 +47,7 @@ if [ ! -z $RESP ] && [ $RESP == "y" ]; then
update_jail update_jail
fi fi
./jails-update-pkgs.sh ./jails-update-pkgs.sh pkgp-only
read -p "update all jails (y/N)? " RESP read -p "update all jails (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then if [ ! -z $RESP ] && [ $RESP == "y" ]; then
@ -63,5 +63,7 @@ fi
echo "update base system by running:" echo "update base system by running:"
echo "freebsd-update fetch" echo "freebsd-update fetch"
echo "freebsd-update install" echo "freebsd-update install"
echo "cd /usr/src && make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT"
echo "reboot"
echo "pkg-static upgrade -f" echo "pkg-static upgrade -f"
echo "mergemaster" echo "mergemaster"

804
patches/D24250.patch Normal file
View File

@ -0,0 +1,804 @@
Index: head/sys/net/if_bridge.c
===================================================================
--- head/sys/net/if_bridge.c
+++ head/sys/net/if_bridge.c
@@ -189,41 +189,14 @@
*/
#define BRIDGE_LOCK_INIT(_sc) do { \
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
} while (0)
#define BRIDGE_LOCK_DESTROY(_sc) do { \
mtx_destroy(&(_sc)->sc_mtx); \
- cv_destroy(&(_sc)->sc_cv); \
} while (0)
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- if ((_sc)->sc_iflist_xcnt > 0) \
- (_err) = EBUSY; \
- else \
- (_sc)->sc_iflist_ref++; \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_UNREF(_sc) do { \
- mtx_lock(&(_sc)->sc_mtx); \
- (_sc)->sc_iflist_ref--; \
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
- cv_broadcast(&(_sc)->sc_cv); \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XLOCK(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt++; \
- while ((_sc)->sc_iflist_ref > 0) \
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XDROP(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt--; \
-} while (0)
/*
* Bridge interface list entry.
@@ -237,6 +210,7 @@
uint32_t bif_addrmax; /* max # of addresses */
uint32_t bif_addrcnt; /* cur. # of addresses */
uint32_t bif_addrexceeded;/* # of address violations */
+ struct epoch_context bif_epoch_ctx;
};
/*
@@ -250,6 +224,8 @@
uint8_t brt_flags; /* address flags */
uint8_t brt_addr[ETHER_ADDR_LEN];
uint16_t brt_vlan; /* vlan id */
+ struct vnet *brt_vnet;
+ struct epoch_context brt_epoch_ctx;
};
#define brt_ifp brt_dst->bif_ifp
@@ -260,13 +236,10 @@
struct ifnet *sc_ifp; /* make this an interface */
LIST_ENTRY(bridge_softc) sc_list;
struct mtx sc_mtx;
- struct cv sc_cv;
uint32_t sc_brtmax; /* max # of addresses */
uint32_t sc_brtcnt; /* cur. # of addresses */
uint32_t sc_brttimeout; /* rt timeout in seconds */
struct callout sc_brcallout; /* bridge callout */
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
CK_LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
CK_LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
CK_LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
@@ -276,6 +249,7 @@
uint32_t sc_brtexceeded; /* # of cache drops */
struct ifnet *sc_ifaddr; /* member mac copied from */
struct ether_addr sc_defaddr; /* Default MAC address */
+ struct epoch_context sc_epoch_ctx;
};
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
@@ -596,6 +570,10 @@
if_clone_detach(V_bridge_cloner);
V_bridge_cloner = NULL;
BRIDGE_LIST_LOCK_DESTROY();
+
+ /* Callbacks may use the UMA zone. */
+ epoch_drain_callbacks(net_epoch_preempt);
+
uma_zdestroy(V_bridge_rtnode_zone);
}
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
@@ -722,6 +700,17 @@
return (0);
}
+static void
+bridge_clone_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_softc *sc;
+
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
+
+ BRIDGE_LOCK_DESTROY(sc);
+ free(sc, M_DEVBUF);
+}
+
/*
* bridge_clone_destroy:
*
@@ -732,7 +721,9 @@
{
struct bridge_softc *sc = ifp->if_softc;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
BRIDGE_LOCK(sc);
bridge_stop(ifp, 1);
@@ -757,11 +748,12 @@
BRIDGE_LIST_UNLOCK();
bstp_detach(&sc->sc_stp);
+ NET_EPOCH_EXIT(et);
+
ether_ifdetach(ifp);
if_free(ifp);
- BRIDGE_LOCK_DESTROY(sc);
- free(sc, M_DEVBUF);
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
}
/*
@@ -787,7 +779,10 @@
struct ifdrv *ifd = (struct ifdrv *) data;
const struct bridge_control *bc;
int error = 0, oldmtu;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
+
switch (cmd) {
case SIOCADDMULTI:
@@ -908,6 +903,8 @@
break;
}
+ NET_EPOCH_EXIT(et);
+
return (error);
}
@@ -922,6 +919,8 @@
struct bridge_iflist *bif;
int enabled, mask;
+ BRIDGE_LOCK_ASSERT(sc);
+
/* Initial bitmask of capabilities to test */
mask = BRIDGE_IFCAPS_MASK;
@@ -930,7 +929,6 @@
mask &= bif->bif_savedcaps;
}
- BRIDGE_XLOCK(sc);
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
enabled = bif->bif_ifp->if_capenable;
enabled &= ~BRIDGE_IFCAPS_STRIP;
@@ -941,8 +939,6 @@
bridge_set_ifcap(sc, bif, enabled);
BRIDGE_LOCK(sc);
}
- BRIDGE_XDROP(sc);
-
}
static void
@@ -983,7 +979,7 @@
struct bridge_iflist *bif;
struct ifnet *ifp;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
ifp = bif->bif_ifp;
@@ -1004,7 +1000,7 @@
{
struct bridge_iflist *bif;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (bif->bif_ifp == member_ifp)
@@ -1014,6 +1010,16 @@
return (NULL);
}
+static void
+bridge_delete_member_cb(struct epoch_context *ctx)
+{
+ struct bridge_iflist *bif;
+
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
+
+ free(bif, M_DEVBUF);
+}
+
/*
* bridge_delete_member:
*
@@ -1033,9 +1039,7 @@
bstp_disable(&bif->bif_stp);
ifs->if_bridge = NULL;
- BRIDGE_XLOCK(sc);
CK_LIST_REMOVE(bif, bif_next);
- BRIDGE_XDROP(sc);
/*
* If removing the interface that gave the bridge its mac address, set
@@ -1094,7 +1098,8 @@
}
bstp_destroy(&bif->bif_stp); /* prepare to free */
BRIDGE_LOCK(sc);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
/*
@@ -1111,7 +1116,8 @@
("%s: not a span interface", __func__));
CK_LIST_REMOVE(bif, bif_next);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
static int
@@ -1167,7 +1173,6 @@
* If any, remove all inet6 addresses from the member
* interfaces.
*/
- BRIDGE_XLOCK(sc);
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (in6ifa_llaonifp(bif->bif_ifp)) {
BRIDGE_UNLOCK(sc);
@@ -1180,7 +1185,6 @@
bif->bif_ifp->if_xname);
}
}
- BRIDGE_XDROP(sc);
if (in6ifa_llaonifp(ifs)) {
BRIDGE_UNLOCK(sc);
in6_ifdetach(ifs);
@@ -1494,12 +1498,17 @@
struct bridge_iflist *bif;
int error;
+ NET_EPOCH_ASSERT();
+
bif = bridge_lookup_member(sc, req->ifba_ifsname);
if (bif == NULL)
return (ENOENT);
+ /* bridge_rtupdate() may acquire the lock. */
+ BRIDGE_UNLOCK(sc);
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
req->ifba_flags);
+ BRIDGE_LOCK(sc);
return (error);
}
@@ -1838,6 +1847,7 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
if (ifp->if_flags & IFF_RENAMING)
return;
@@ -1848,6 +1858,7 @@
*/
return;
}
+ NET_EPOCH_ENTER(et);
/* Check if the interface is a bridge member */
if (sc != NULL) {
BRIDGE_LOCK(sc);
@@ -1857,6 +1868,7 @@
bridge_delete_member(sc, bif, 1);
BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT(et);
return;
}
@@ -1873,6 +1885,7 @@
BRIDGE_UNLOCK(sc);
}
BRIDGE_LIST_UNLOCK();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -1909,6 +1922,7 @@
{
struct bridge_softc *sc = ifp->if_softc;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
@@ -2032,6 +2046,8 @@
struct bridge_softc *sc;
uint16_t vlan;
+ NET_EPOCH_ASSERT();
+
if (m->m_len < ETHER_HDR_LEN) {
m = m_pullup(m, ETHER_HDR_LEN);
if (m == NULL)
@@ -2042,7 +2058,6 @@
sc = ifp->if_bridge;
vlan = VLANTAGOF(m);
- BRIDGE_LOCK(sc);
bifp = sc->sc_ifp;
/*
@@ -2069,16 +2084,10 @@
if (dst_if == NULL) {
struct bridge_iflist *bif;
struct mbuf *mc;
- int error = 0, used = 0;
+ int used = 0;
bridge_span(sc, m);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return (0);
- }
-
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
dst_if = bif->bif_ifp;
@@ -2112,7 +2121,6 @@
}
if (used == 0)
m_freem(m);
- BRIDGE_UNREF(sc);
return (0);
}
@@ -2124,11 +2132,9 @@
bridge_span(sc, m);
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
m_freem(m);
- BRIDGE_UNLOCK(sc);
return (0);
}
- BRIDGE_UNLOCK(sc);
bridge_enqueue(sc, dst_if, m);
return (0);
}
@@ -2153,10 +2159,8 @@
eh = mtod(m, struct ether_header *);
- BRIDGE_LOCK(sc);
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
- BRIDGE_UNLOCK(sc);
error = bridge_enqueue(sc, dst_if, m);
} else
bridge_broadcast(sc, ifp, m, 0);
@@ -2190,6 +2194,8 @@
uint8_t *dst;
int error;
+ NET_EPOCH_ASSERT();
+
src_if = m->m_pkthdr.rcvif;
ifp = sc->sc_ifp;
@@ -2268,12 +2274,10 @@
|| PFIL_HOOKED_IN(V_inet6_pfil_head)
#endif
) {
- BRIDGE_UNLOCK(sc);
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
return;
if (m == NULL)
return;
- BRIDGE_LOCK(sc);
}
if (dst_if == NULL) {
@@ -2301,8 +2305,6 @@
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
goto drop;
- BRIDGE_UNLOCK(sc);
-
if (PFIL_HOOKED_OUT(V_inet_pfil_head)
#ifdef INET6
|| PFIL_HOOKED_OUT(V_inet6_pfil_head)
@@ -2318,7 +2320,6 @@
return;
drop:
- BRIDGE_UNLOCK(sc);
m_freem(m);
}
@@ -2339,6 +2340,8 @@
uint16_t vlan;
int error;
+ NET_EPOCH_ASSERT();
+
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
return (m);
@@ -2359,10 +2362,8 @@
m_freem(m);
return (NULL);
}
- BRIDGE_LOCK(sc);
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2375,13 +2376,11 @@
if (memcmp(eh->ether_dhost, bstp_etheraddr,
ETHER_ADDR_LEN) == 0) {
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
- BRIDGE_UNLOCK(sc);
return (NULL);
}
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2392,7 +2391,6 @@
*/
mc = m_dup(m, M_NOWAIT);
if (mc == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2424,7 +2422,6 @@
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2458,7 +2455,6 @@
error = bridge_rtupdate(sc, eh->ether_shost, \
vlan, bif, 0, IFBAF_DYNAMIC); \
if (error && bif->bif_addrmax) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
} \
@@ -2466,7 +2462,6 @@
m->m_pkthdr.rcvif = iface; \
if ((iface) == ifp) { \
/* Skip bridge processing... src == dest */ \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
/* It's passing over or to the bridge, locally. */ \
@@ -2478,13 +2473,11 @@
OR_PFIL_HOOKED_INET6)) { \
if (bridge_pfil(&m, NULL, ifp, \
PFIL_IN) != 0 || m == NULL) { \
- BRIDGE_UNLOCK(sc); \
return (NULL); \
} \
} \
if ((iface) != bifp) \
ETHER_BPF_MTAP(iface, m); \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
\
@@ -2492,7 +2485,6 @@
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
}
@@ -2543,16 +2535,12 @@
struct bridge_iflist *dbif, *sbif;
struct mbuf *mc;
struct ifnet *dst_if;
- int error = 0, used = 0, i;
+ int used = 0, i;
+ NET_EPOCH_ASSERT();
+
sbif = bridge_lookup_member_if(sc, src_if);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return;
- }
-
/* Filter on the bridge interface before broadcasting */
if (runfilt && (PFIL_HOOKED_OUT(V_inet_pfil_head)
#ifdef INET6
@@ -2560,9 +2548,9 @@
#endif
)) {
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
- goto out;
+ return;
if (m == NULL)
- goto out;
+ return;
}
CK_LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
@@ -2625,9 +2613,6 @@
}
if (used == 0)
m_freem(m);
-
-out:
- BRIDGE_UNREF(sc);
}
/*
@@ -2643,6 +2628,8 @@
struct ifnet *dst_if;
struct mbuf *mc;
+ NET_EPOCH_ASSERT();
+
if (CK_LIST_EMPTY(&sc->sc_spanlist))
return;
@@ -2674,7 +2661,8 @@
struct bridge_rtnode *brt;
int error;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+ BRIDGE_UNLOCK_ASSERT(sc);
/* Check the source address is valid and not multicast. */
if (ETHER_IS_MULTICAST(dst) ||
@@ -2691,13 +2679,24 @@
* update it, otherwise create a new one.
*/
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
+ BRIDGE_LOCK(sc);
+
+ /* Check again, now that we have the lock. There could have
+ * been a race and we only want to insert this once. */
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (0);
+ }
+
if (sc->sc_brtcnt >= sc->sc_brtmax) {
sc->sc_brtexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
/* Check per interface address limits (if enabled) */
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
bif->bif_addrexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
@@ -2707,8 +2706,11 @@
* address.
*/
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
- if (brt == NULL)
+ if (brt == NULL) {
+ BRIDGE_UNLOCK(sc);
return (ENOMEM);
+ }
+ brt->brt_vnet = curvnet;
if (bif->bif_flags & IFBIF_STICKY)
brt->brt_flags = IFBAF_STICKY;
@@ -2720,17 +2722,22 @@
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
uma_zfree(V_bridge_rtnode_zone, brt);
+ BRIDGE_UNLOCK(sc);
return (error);
}
brt->brt_dst = bif;
bif->bif_addrcnt++;
+
+ BRIDGE_UNLOCK(sc);
}
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
brt->brt_dst != bif) {
+ BRIDGE_LOCK(sc);
brt->brt_dst->bif_addrcnt--;
brt->brt_dst = bif;
brt->brt_dst->bif_addrcnt++;
+ BRIDGE_UNLOCK(sc);
}
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
@@ -2751,7 +2758,7 @@
{
struct bridge_rtnode *brt;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
return (NULL);
@@ -2771,6 +2778,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/* Make sure we actually need to do this. */
@@ -2800,7 +2808,9 @@
bridge_timer(void *arg)
{
struct bridge_softc *sc = arg;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
BRIDGE_LOCK_ASSERT(sc);
/* Destruction of rtnodes requires a proper vnet context */
@@ -2811,6 +2821,7 @@
callout_reset(&sc->sc_brcallout,
bridge_rtable_prune_period * hz, bridge_timer, sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -2823,6 +2834,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2843,6 +2855,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2862,6 +2875,7 @@
struct bridge_rtnode *brt;
int found = 0;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/*
@@ -2886,6 +2900,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2990,7 +3005,7 @@
uint32_t hash;
int dir;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
hash = bridge_rthash(sc, addr);
CK_LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
@@ -3053,6 +3068,18 @@
return (0);
}
+static void
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_rtnode *brt;
+
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
+
+ CURVNET_SET(brt->brt_vnet);
+ uma_zfree(V_bridge_rtnode_zone, brt);
+ CURVNET_RESTORE();
+}
+
/*
* bridge_rtnode_destroy:
*
@@ -3061,6 +3088,7 @@
static void
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
{
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
CK_LIST_REMOVE(brt, brt_hash);
@@ -3068,7 +3096,8 @@
CK_LIST_REMOVE(brt, brt_list);
sc->sc_brtcnt--;
brt->brt_dst->bif_addrcnt--;
- uma_zfree(V_bridge_rtnode_zone, brt);
+
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
}
/*
@@ -3081,7 +3110,9 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_rtnode *brt;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER(et);
CURVNET_SET(ifp->if_vnet);
BRIDGE_LOCK(sc);
@@ -3102,6 +3133,7 @@
}
BRIDGE_UNLOCK(sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT(et);
}
/*
@@ -3607,17 +3639,20 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
- BRIDGE_LOCK(sc);
+ NET_EPOCH_ENTER(et);
+
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT(et);
return;
}
bridge_linkcheck(sc);
- BRIDGE_UNLOCK(sc);
bstp_linkstate(&bif->bif_stp);
+
+ NET_EPOCH_EXIT(et);
}
static void
@@ -3626,7 +3661,8 @@
struct bridge_iflist *bif;
int new_link, hasls;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+
new_link = LINK_STATE_DOWN;
hasls = 0;
/* Our link is considered up if at least one of our ports is active */

811
patches/bridge.patch Normal file
View File

@ -0,0 +1,811 @@
Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c (revision 360985)
+++ sys/net/if_bridge.c (working copy)
@@ -165,6 +165,9 @@
#define BRIDGE_RTABLE_PRUNE_PERIOD (5 * 60)
#endif
+#define NET_EPOCH_ASSERT() MPASS(in_epoch(net_epoch_preempt))
+#define NET_EPOCH_CALL(f, c) epoch_call(net_epoch_preempt, (c), (f))
+
/*
* List of capabilities to possibly mask on the member interface.
*/
@@ -188,6 +191,7 @@
uint32_t bif_addrmax; /* max # of addresses */
uint32_t bif_addrcnt; /* cur. # of addresses */
uint32_t bif_addrexceeded;/* # of address violations */
+ struct epoch_context bif_epoch_ctx;
};
/*
@@ -201,6 +205,8 @@
uint8_t brt_flags; /* address flags */
uint8_t brt_addr[ETHER_ADDR_LEN];
uint16_t brt_vlan; /* vlan id */
+ struct vnet *brt_vnet;
+ struct epoch_context brt_epoch_ctx;
};
#define brt_ifp brt_dst->bif_ifp
@@ -211,13 +217,10 @@
struct ifnet *sc_ifp; /* make this an interface */
LIST_ENTRY(bridge_softc) sc_list;
struct mtx sc_mtx;
- struct cv sc_cv;
uint32_t sc_brtmax; /* max # of addresses */
uint32_t sc_brtcnt; /* cur. # of addresses */
uint32_t sc_brttimeout; /* rt timeout in seconds */
struct callout sc_brcallout; /* bridge callout */
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
@@ -227,6 +230,7 @@
uint32_t sc_brtexceeded; /* # of cache drops */
struct ifnet *sc_ifaddr; /* member mac copied from */
struct ether_addr sc_defaddr; /* Default MAC address */
+ struct epoch_context sc_epoch_ctx;
};
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
@@ -546,6 +550,10 @@
if_clone_detach(V_bridge_cloner);
V_bridge_cloner = NULL;
BRIDGE_LIST_LOCK_DESTROY();
+
+ /* Callbacks may use UMA zone. */
+ epoch_drain_callbacks(net_epoch_preempt);
+
uma_zdestroy(V_bridge_rtnode_zone);
}
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
@@ -708,6 +716,17 @@
return (0);
}
+static void
+bridge_clone_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_softc *sc;
+
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
+
+ BRIDGE_LOCK_DESTROY(sc);
+ free(sc, M_DEVBUF);
+}
+
/*
* bridge_clone_destroy:
*
@@ -718,7 +737,9 @@
{
struct bridge_softc *sc = ifp->if_softc;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
BRIDGE_LOCK(sc);
bridge_stop(ifp, 1);
@@ -743,11 +764,12 @@
BRIDGE_LIST_UNLOCK();
bstp_detach(&sc->sc_stp);
+ NET_EPOCH_EXIT_ET(et);
+
ether_ifdetach(ifp);
if_free(ifp);
- BRIDGE_LOCK_DESTROY(sc);
- free(sc, M_DEVBUF);
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
}
/*
@@ -773,7 +795,10 @@
struct ifdrv *ifd = (struct ifdrv *) data;
const struct bridge_control *bc;
int error = 0;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
+
switch (cmd) {
case SIOCADDMULTI:
@@ -882,6 +907,8 @@
break;
}
+ NET_EPOCH_EXIT_ET(et);
+
return (error);
}
@@ -896,6 +923,8 @@
struct bridge_iflist *bif;
int enabled, mask;
+ BRIDGE_LOCK_ASSERT(sc);
+
/* Initial bitmask of capabilities to test */
mask = BRIDGE_IFCAPS_MASK;
@@ -904,7 +933,6 @@
mask &= bif->bif_savedcaps;
}
- BRIDGE_XLOCK(sc);
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
enabled = bif->bif_ifp->if_capenable;
enabled &= ~BRIDGE_IFCAPS_STRIP;
@@ -915,8 +943,6 @@
bridge_set_ifcap(sc, bif, enabled);
BRIDGE_LOCK(sc);
}
- BRIDGE_XDROP(sc);
-
}
static void
@@ -957,7 +983,7 @@
struct bridge_iflist *bif;
struct ifnet *ifp;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
ifp = bif->bif_ifp;
@@ -978,7 +1004,7 @@
{
struct bridge_iflist *bif;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (bif->bif_ifp == member_ifp)
@@ -988,6 +1014,16 @@
return (NULL);
}
+static void
+bridge_delete_member_cb(struct epoch_context *ctx)
+{
+ struct bridge_iflist *bif;
+
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
+
+ free(bif, M_DEVBUF);
+}
+
/*
* bridge_delete_member:
*
@@ -1006,9 +1042,7 @@
bstp_disable(&bif->bif_stp);
ifs->if_bridge = NULL;
- BRIDGE_XLOCK(sc);
LIST_REMOVE(bif, bif_next);
- BRIDGE_XDROP(sc);
/*
* If removing the interface that gave the bridge its mac address, set
@@ -1066,7 +1100,8 @@
}
bstp_destroy(&bif->bif_stp); /* prepare to free */
BRIDGE_LOCK(sc);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
/*
@@ -1083,7 +1118,8 @@
("%s: not a span interface", __func__));
LIST_REMOVE(bif, bif_next);
- free(bif, M_DEVBUF);
+
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
}
static int
@@ -1139,7 +1175,6 @@
* If any, remove all inet6 addresses from the member
* interfaces.
*/
- BRIDGE_XLOCK(sc);
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
if (in6ifa_llaonifp(bif->bif_ifp)) {
BRIDGE_UNLOCK(sc);
@@ -1152,7 +1187,6 @@
bif->bif_ifp->if_xname);
}
}
- BRIDGE_XDROP(sc);
if (in6ifa_llaonifp(ifs)) {
BRIDGE_UNLOCK(sc);
in6_ifdetach(ifs);
@@ -1466,12 +1500,17 @@
struct bridge_iflist *bif;
int error;
+ NET_EPOCH_ASSERT();
+
bif = bridge_lookup_member(sc, req->ifba_ifsname);
if (bif == NULL)
return (ENOENT);
+ /* bridge_rtupdate() may acquire the lock. */
+ BRIDGE_UNLOCK(sc);
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
req->ifba_flags);
+ BRIDGE_LOCK(sc);
return (error);
}
@@ -1810,6 +1849,7 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
if (ifp->if_flags & IFF_RENAMING)
return;
@@ -1820,6 +1860,7 @@
*/
return;
}
+ NET_EPOCH_ENTER_ET(et);
/* Check if the interface is a bridge member */
if (sc != NULL) {
BRIDGE_LOCK(sc);
@@ -1829,6 +1870,7 @@
bridge_delete_member(sc, bif, 1);
BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT_ET(et);
return;
}
@@ -1845,6 +1887,7 @@
BRIDGE_UNLOCK(sc);
}
BRIDGE_LIST_UNLOCK();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -1881,6 +1924,7 @@
{
struct bridge_softc *sc = ifp->if_softc;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
@@ -2004,6 +2048,8 @@
struct bridge_softc *sc;
uint16_t vlan;
+ NET_EPOCH_ASSERT();
+
if (m->m_len < ETHER_HDR_LEN) {
m = m_pullup(m, ETHER_HDR_LEN);
if (m == NULL)
@@ -2014,8 +2060,6 @@
sc = ifp->if_bridge;
vlan = VLANTAGOF(m);
- BRIDGE_LOCK(sc);
-
/*
* If bridge is down, but the original output interface is up,
* go ahead and send out that interface. Otherwise, the packet
@@ -2037,16 +2081,10 @@
if (dst_if == NULL) {
struct bridge_iflist *bif;
struct mbuf *mc;
- int error = 0, used = 0;
+ int used = 0;
bridge_span(sc, m);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return (0);
- }
-
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
dst_if = bif->bif_ifp;
@@ -2080,7 +2118,6 @@
}
if (used == 0)
m_freem(m);
- BRIDGE_UNREF(sc);
return (0);
}
@@ -2092,11 +2129,9 @@
bridge_span(sc, m);
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
m_freem(m);
- BRIDGE_UNLOCK(sc);
return (0);
}
- BRIDGE_UNLOCK(sc);
bridge_enqueue(sc, dst_if, m);
return (0);
}
@@ -2121,10 +2156,8 @@
eh = mtod(m, struct ether_header *);
- BRIDGE_LOCK(sc);
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
- BRIDGE_UNLOCK(sc);
error = bridge_enqueue(sc, dst_if, m);
} else
bridge_broadcast(sc, ifp, m, 0);
@@ -2158,6 +2191,8 @@
uint8_t *dst;
int error;
+ NET_EPOCH_ASSERT();
+
src_if = m->m_pkthdr.rcvif;
ifp = sc->sc_ifp;
@@ -2236,12 +2271,10 @@
|| PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
) {
- BRIDGE_UNLOCK(sc);
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
return;
if (m == NULL)
return;
- BRIDGE_LOCK(sc);
}
if (dst_if == NULL) {
@@ -2269,8 +2302,6 @@
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
goto drop;
- BRIDGE_UNLOCK(sc);
-
if (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
|| PFIL_HOOKED(&V_inet6_pfil_hook)
@@ -2286,7 +2317,6 @@
return;
drop:
- BRIDGE_UNLOCK(sc);
m_freem(m);
}
@@ -2307,6 +2337,8 @@
uint16_t vlan;
int error;
+ NET_EPOCH_ASSERT();
+
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
return (m);
@@ -2327,10 +2359,8 @@
m_freem(m);
return (NULL);
}
- BRIDGE_LOCK(sc);
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2343,13 +2373,11 @@
if (memcmp(eh->ether_dhost, bstp_etheraddr,
ETHER_ADDR_LEN) == 0) {
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
- BRIDGE_UNLOCK(sc);
return (NULL);
}
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2360,7 +2388,6 @@
*/
mc = m_dup(m, M_NOWAIT);
if (mc == NULL) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2392,7 +2419,6 @@
if ((bif->bif_flags & IFBIF_STP) &&
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
- BRIDGE_UNLOCK(sc);
return (m);
}
@@ -2432,7 +2458,6 @@
OR_PFIL_HOOKED_INET6)) { \
if (bridge_pfil(&m, NULL, ifp, \
PFIL_IN) != 0 || m == NULL) { \
- BRIDGE_UNLOCK(sc); \
return (NULL); \
} \
eh = mtod(m, struct ether_header *); \
@@ -2442,13 +2467,11 @@
error = bridge_rtupdate(sc, eh->ether_shost, \
vlan, bif, 0, IFBAF_DYNAMIC); \
if (error && bif->bif_addrmax) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
} \
} \
m->m_pkthdr.rcvif = iface; \
- BRIDGE_UNLOCK(sc); \
return (m); \
} \
\
@@ -2456,7 +2479,6 @@
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
) { \
- BRIDGE_UNLOCK(sc); \
m_freem(m); \
return (NULL); \
}
@@ -2507,16 +2529,12 @@
struct bridge_iflist *dbif, *sbif;
struct mbuf *mc;
struct ifnet *dst_if;
- int error = 0, used = 0, i;
+ int used = 0, i;
+ NET_EPOCH_ASSERT();
+
sbif = bridge_lookup_member_if(sc, src_if);
- BRIDGE_LOCK2REF(sc, error);
- if (error) {
- m_freem(m);
- return;
- }
-
/* Filter on the bridge interface before broadcasting */
if (runfilt && (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
@@ -2524,9 +2542,9 @@
#endif
)) {
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
- goto out;
+ return;
if (m == NULL)
- goto out;
+ return;
}
LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
@@ -2589,9 +2607,6 @@
}
if (used == 0)
m_freem(m);
-
-out:
- BRIDGE_UNREF(sc);
}
/*
@@ -2607,6 +2622,8 @@
struct ifnet *dst_if;
struct mbuf *mc;
+ NET_EPOCH_ASSERT();
+
if (LIST_EMPTY(&sc->sc_spanlist))
return;
@@ -2638,7 +2655,8 @@
struct bridge_rtnode *brt;
int error;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+ BRIDGE_UNLOCK_ASSERT(sc);
/* Check the source address is valid and not multicast. */
if (ETHER_IS_MULTICAST(dst) ||
@@ -2655,13 +2673,24 @@
* update it, otherwise create a new one.
*/
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
+ BRIDGE_LOCK(sc);
+
+ /* Check again, now that we have the lock. There could have
+ * been a race and we only want to insert this once. */
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (0);
+ }
+
if (sc->sc_brtcnt >= sc->sc_brtmax) {
sc->sc_brtexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
/* Check per interface address limits (if enabled) */
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
bif->bif_addrexceeded++;
+ BRIDGE_UNLOCK(sc);
return (ENOSPC);
}
@@ -2671,8 +2700,11 @@
* address.
*/
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
- if (brt == NULL)
+ if (brt == NULL) {
+ BRIDGE_UNLOCK(sc);
return (ENOMEM);
+ }
+ brt->brt_vnet = curvnet;
if (bif->bif_flags & IFBIF_STICKY)
brt->brt_flags = IFBAF_STICKY;
@@ -2684,17 +2716,22 @@
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
uma_zfree(V_bridge_rtnode_zone, brt);
+ BRIDGE_UNLOCK(sc);
return (error);
}
brt->brt_dst = bif;
bif->bif_addrcnt++;
+
+ BRIDGE_UNLOCK(sc);
}
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
brt->brt_dst != bif) {
+ BRIDGE_LOCK(sc);
brt->brt_dst->bif_addrcnt--;
brt->brt_dst = bif;
brt->brt_dst->bif_addrcnt++;
+ BRIDGE_UNLOCK(sc);
}
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
@@ -2715,7 +2752,7 @@
{
struct bridge_rtnode *brt;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
return (NULL);
@@ -2735,6 +2772,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/* Make sure we actually need to do this. */
@@ -2764,7 +2802,9 @@
bridge_timer(void *arg)
{
struct bridge_softc *sc = arg;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
BRIDGE_LOCK_ASSERT(sc);
/* Destruction of rtnodes requires a proper vnet context */
@@ -2775,6 +2815,7 @@
callout_reset(&sc->sc_brcallout,
bridge_rtable_prune_period * hz, bridge_timer, sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -2787,6 +2828,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2807,6 +2849,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2826,6 +2869,7 @@
struct bridge_rtnode *brt;
int found = 0;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
/*
@@ -2850,6 +2894,7 @@
{
struct bridge_rtnode *brt, *nbrt;
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
@@ -2954,7 +2999,7 @@
uint32_t hash;
int dir;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
hash = bridge_rthash(sc, addr);
LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
@@ -3017,6 +3062,18 @@
return (0);
}
+static void
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
+{
+ struct bridge_rtnode *brt;
+
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
+
+ CURVNET_SET(brt->brt_vnet);
+ uma_zfree(V_bridge_rtnode_zone, brt);
+ CURVNET_RESTORE();
+}
+
/*
* bridge_rtnode_destroy:
*
@@ -3025,6 +3082,7 @@
static void
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
{
+ NET_EPOCH_ASSERT();
BRIDGE_LOCK_ASSERT(sc);
LIST_REMOVE(brt, brt_hash);
@@ -3032,7 +3090,8 @@
LIST_REMOVE(brt, brt_list);
sc->sc_brtcnt--;
brt->brt_dst->bif_addrcnt--;
- uma_zfree(V_bridge_rtnode_zone, brt);
+
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
}
/*
@@ -3045,7 +3104,9 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_rtnode *brt;
+ struct epoch_tracker et;
+ NET_EPOCH_ENTER_ET(et);
CURVNET_SET(ifp->if_vnet);
BRIDGE_LOCK(sc);
@@ -3066,6 +3127,7 @@
}
BRIDGE_UNLOCK(sc);
CURVNET_RESTORE();
+ NET_EPOCH_EXIT_ET(et);
}
/*
@@ -3577,17 +3639,20 @@
{
struct bridge_softc *sc = ifp->if_bridge;
struct bridge_iflist *bif;
+ struct epoch_tracker et;
- BRIDGE_LOCK(sc);
+ NET_EPOCH_ENTER_ET(et);
+
bif = bridge_lookup_member_if(sc, ifp);
if (bif == NULL) {
- BRIDGE_UNLOCK(sc);
+ NET_EPOCH_EXIT_ET(et);
return;
}
bridge_linkcheck(sc);
- BRIDGE_UNLOCK(sc);
bstp_linkstate(&bif->bif_stp);
+
+ NET_EPOCH_EXIT_ET(et);
}
static void
@@ -3596,7 +3661,8 @@
struct bridge_iflist *bif;
int new_link, hasls;
- BRIDGE_LOCK_ASSERT(sc);
+ NET_EPOCH_ASSERT();
+
new_link = LINK_STATE_DOWN;
hasls = 0;
/* Our link is considered up if at least one of our ports is active */
Index: sys/net/if_bridgevar.h
===================================================================
--- sys/net/if_bridgevar.h (revision 360985)
+++ sys/net/if_bridgevar.h (working copy)
@@ -273,41 +273,14 @@
#define BRIDGE_LOCK_INIT(_sc) do { \
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
} while (0)
#define BRIDGE_LOCK_DESTROY(_sc) do { \
mtx_destroy(&(_sc)->sc_mtx); \
- cv_destroy(&(_sc)->sc_cv); \
} while (0)
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- if ((_sc)->sc_iflist_xcnt > 0) \
- (_err) = EBUSY; \
- else \
- (_sc)->sc_iflist_ref++; \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_UNREF(_sc) do { \
- mtx_lock(&(_sc)->sc_mtx); \
- (_sc)->sc_iflist_ref--; \
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
- cv_broadcast(&(_sc)->sc_cv); \
- mtx_unlock(&(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XLOCK(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt++; \
- while ((_sc)->sc_iflist_ref > 0) \
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
-} while (0)
-#define BRIDGE_XDROP(_sc) do { \
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
- (_sc)->sc_iflist_xcnt--; \
-} while (0)
#define BRIDGE_INPUT(_ifp, _m) do { \
KASSERT((_ifp)->if_bridge_input != NULL, \

7
scripts/cam_tag.sh Executable file
View File

@ -0,0 +1,7 @@
#!/usr/local/bin/bash
#shrinking the command Native Command Queue down to 1 effectively disabling queuing
for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`;
do
camcontrol tags $Disk -N 1 ;
camcontrol tags $Disk -v
done