next set of updates
parent
2327d9d6c0
commit
7707eb5865
@ -20,6 +20,7 @@ vfs.read_max=128
|
||||
vfs.timestamp_precision=3
|
||||
net.link.tap.up_on_open=1
|
||||
#net.link.lagg.lacp.default_strict_mode=0
|
||||
net.link.ether.inet.log_arp_movements=0
|
||||
net.inet.ip.fw.verbose_limit=5
|
||||
|
||||
dev.igb.0.fc=0
|
||||
@ -111,3 +112,7 @@ net.inet.tcp.rack.data_after_close=0
|
||||
# Verify RACK
|
||||
# sysctl net.inet.tcp.functions_available
|
||||
# sysctl net.inet.tcp.rack.
|
||||
|
||||
#Cheap Disk Issues
|
||||
kern.cam.ada.default_timeout=60
|
||||
kern.cam.da.default_timeout=90
|
||||
|
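--- a/configs/usr/local/etc/rc.d/cam_tag
+++ b/configs/usr/local/etc/rc.d/cam_tag
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: cam_tag
+# REQUIRE: DAEMON
+
+. /etc/rc.subr
+
+: ${cam_tag_enable="NO"}
+
+name=cam_tag
+rcvar=${name}_enable
+
+COMMAND="/root/FreeBSD/scripts/cam_tag.sh"
+
+start_cmd="${name}_start"
+restart_cmd="${name}_restart"
+
+cam_tag_start()
+{
+$COMMAND
+}
+
+cam_tag_restart()
+{
+$COMMAND
+}
+
+load_rc_config ${name}
+run_rc_command "$1"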
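Review bot: `cam_tag_start` and `cam_tag_restart` both expand `$COMMAND` unquoted and run `/root/FreeBSD/scripts/cam_tag.sh` as root during boot without checking it first. Quote the expansion and fail clearly when the script is absent: `[ -x "$COMMAND" ] || err 1 "$COMMAND not found or not executable"` followed by `"$COMMAND"`. Because the target lives outside the base system and the package tree, a comment stating that the file must stay root-owned and not group- or world-writable would help the next maintainer. No `stop_cmd` is defined, so `service cam_tag stop` falls through to rc.subr's default handling; if the script has nothing to stop, `stop_cmd=":"` says so explicitly.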
@ -1,3 +1,5 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,8 +8,6 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
# the two lines below are not just comments but required by rcorder; service -e
|
||||
# PROVIDE: gstat_exporter
|
||||
# REQUIRE: NETWORKING DAEMON
|
||||
@ -19,7 +19,7 @@
|
||||
name=gstat_exporter
|
||||
rcvar=${name}_enable
|
||||
|
||||
GSTATEXPORTER="nohup /usr/local/bin/python3.6 /root/FreeBSD/scripts/gstat_exporter.py"
|
||||
GSTATEXPORTER="nohup /usr/local/bin/python3.7 /root/FreeBSD/scripts/gstat_exporter.py"
|
||||
|
||||
start_cmd="${name}_start"
|
||||
stop_cmd="${name}_stop"
|
||||
|
@ -1,24 +0,0 @@
|
||||
ZPOOL=""
|
||||
SERVER=""
|
||||
PYTHON?=/usr/local/bin/python3.7
|
||||
|
||||
depends:
|
||||
@(pkg -vv | grep -e "url.*/latest") > /dev/null 2>&1 || (echo "It is advised pkg url is using \"latest\" instead of \"quarterly\" in /etc/pkg/FreeBSD.conf.";)
|
||||
@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
|
||||
pkg install -q -y py37-libzfs
|
||||
${PYTHON} -m ensurepip
|
||||
${PYTHON} -m pip install -Ur requirements.txt
|
||||
|
||||
install: depends
|
||||
${PYTHON} -m pip install -U .
|
||||
uninstall:
|
||||
${PYTHON} -m pip uninstall -y iocage-lib iocage-cli
|
||||
test:
|
||||
pytest --zpool $(ZPOOL) --server $(SERVER)
|
||||
help:
|
||||
@echo " install"
|
||||
@echo " Installs iocage"
|
||||
@echo " uninstall"
|
||||
@echo " Removes iocage"
|
||||
@echo " test"
|
||||
@echo " Run unit tests with pytest"
|
BIN
jails/config/calibre/Find Duplicates-beta-py3.zip
Normal file
Binary file not shown.
@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
@ -8,8 +8,12 @@
|
||||
|
||||
#! /usr/local/bin/bash
|
||||
# smart_host - mail - is the mail server's dns name
|
||||
# TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
|
||||
echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
|
||||
echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
|
||||
IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
|
||||
echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
|
||||
echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
|
||||
echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc
|
||||
echo "define(\`confTO_IDENT', \`0')" >> /etc/mail/$HOSTNAME.mc
|
||||
echo "define(\`confTO_COMMAND', \`2m')" >> /etc/mail/$HOSTNAME.mc
|
||||
|
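Review bot: `IP6` is taken from the `ifconfig ... | grep "2603:3024:3f6:e1::"` pipeline and written into `CLIENT_OPTIONS` without checking the result. If no address matches, the line becomes `Address=` with an empty value, and if more than one address on that prefix is configured the value spans several lines; either way the generated .mc file will not build as intended. The +/- markers are lost on this page, so I am assuming the `IP6=` and `CLIENT_OPTIONS` lines are among the four this hunk adds. A guard such as `[ -n "$IP6" ] || { echo "no address on expected prefix" >&2; exit 1; }` before the echo, plus `head -n 1` at the end of the pipeline, would make the failure visible; the script continues above the hunk.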
@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
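--- a/jails/config/ibm/create_tuns.sh
+++ b/jails/config/ibm/create_tuns.sh
@@ -0,0 +1,15 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+#
+
+ifconfig tun181 create
+#ifconfig bridge1 addm tap181 up
+#ifconfig tap181 up
+#ifconfig tap181 inet6 auto_linklocal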
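Review bot: The `#!/bin/sh` line sits on line 9, after the license header, so the kernel does not treat it as an interpreter line; the file only runs as intended when a shell is named explicitly or the caller falls back to `sh`. The same layout appears in jails/config/ibm/ibm.sh (where the intended interpreter is `/usr/local/bin/bash`) and jails/config/ibm/startemu.sh. This commit appears to move the shebang to line 1 in the rc.d scripts it touches, so these three new files should follow suit: put `#!/bin/sh` (or `#!/usr/local/bin/bash` for ibm.sh) on line 1, then a blank line, then the license block.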
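--- a/jails/config/ibm/ibm.sh
+++ b/jails/config/ibm/ibm.sh
@@ -0,0 +1,17 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/usr/local/bin/bash
+# ./ibm.sh under tmux
+
+ifconfig tun186 create
+ifconfig tun186 inet 172.16.0.186 172.16.0.100
+chmod 666 /dev/tun186
+
+cd /data/Z110/CONF
+# hercules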
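Review bot: `chmod 666 /dev/tun186` makes the tunnel device readable and writable by every account in the jail, so any local process can read or write packets on the link to the emulated host. If the emulator runs as a dedicated user, prefer group access: `chown root:<emulator-group> /dev/tun186` and `chmod 660 /dev/tun186` (the group name is a placeholder; the page does not name the account). `cd /data/Z110/CONF` is also unchecked; `cd /data/Z110/CONF || exit 1` keeps the commented-out `hercules` launch from ever running in the wrong directory once it is enabled.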
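--- a/jails/config/ibm/ipfw.rules
+++ b/jails/config/ibm/ipfw.rules
@@ -0,0 +1,140 @@
+#!/bin/sh
+
+# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
+# ipfw -vated list
+
+# IPFW configuration
+#sysrc firewall_enable="YES"
+#sysrc firewall_logif="YES"
+#sysrc firewall_script="/mnt/config/ipfw.rules"
+
+# NATd configuration
+#sysrc gateway_enable="YES"
+#sysrc natd_enable="YES"
+#sysrc natd_interface="epair0b"
+#sysrc natd_flags="-f /mnt/config/natd.conf"
+#natd.conf:
+#redirect_port tcp 172.16.0.100:21-23 21-23
+
+# Set rules command prefix
+cmd="ipfw -q add"
+lif="tun186" # interface name of tunnel attached to Local network
+rif="epair0b" # interface name of vnet attached to Remote/external network
+skip="skipto 12000"
+
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# gateway_enable already set in rc.conf
+# sysctl net.inet.ip.forwarding=1
+
+# Packets passing the stateful NAT may be re-injected into the firewall
+# sysctl net.inet.ip.fw.one_pass=0
+ipfw disable one_pass
+
+# functionality is included in the divert action
+#ipfw -q nat 1 config if $rif same_ports unreg_only reset
+
+$cmd 00050 allow ip from any to any via $lif
+
+$cmd 00100 allow ip from any to any via lo0
+
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+
+# The reassemble rule is not needed with userland natd(8)
+# because the internal workings of the IPFW divert action
+# takes care of reassembling packets before delivery to the socket
+#$cmd 01100 reass all from any to any in
+
+$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
+
+# Allow the packet through if it has an existing entry in the dynamic rules table
+$cmd 01300 check-state
+
+# Allow access to DNS
+$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
+$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
+$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
+$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+
+# Allow access to ISP's DHCP server for cable/DSL configurations.
+# Use the first rule and check log for IP address.
+# Then, uncomment the second rule, input the IP address, and delete the first rule
+#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
+#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
+
+# Allow outbound ping
+$cmd 02210 $skip icmp from any to any out via $rif keep-state
+
+# Allow outbound NTP
+$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
+
+# Allow outbound TCP traffic
+$cmd 02500 $skip tcp from any to any 20,22,25,80,443 out via $rif setup keep-state
+# 03720 pasv ftp
+
+# deny and log all other outbound connections
+$cmd 02999 deny log all from any to any out via $rif
+
+#### Lockdown incoming traffic
+# Deny all inbound traffic from non-routable reserved address spaces
+#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
+#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
+#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
+$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
+$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
+$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
+$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
+$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
+$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
+
+# Allow traffic from ISP's DHCP server.
+# Replace x.x.x.x with the same IP address used in rule 02120.
+#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
+
+# Allow public pings
+$cmd 03210 allow icmp from any to any in via $rif
+
+# Deny ident
+$cmd 03230 deny tcp from any to any 113 in via $rif
+
+# Deny all Netbios services.
+$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
+
+# Deny fragments
+$cmd 03250 deny all from any to any frag in via $rif
+
+# Deny ACK packets that did not match the dynamic rule table
+$cmd 03500 deny tcp from any to any established in via $rif
+
+# Allow inbound SSH host connections
+$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
+
+# Allow HTTP host connections to host web server
+$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
+
+# Allow inbound Telnet connections to NAT
+$cmd 03710 allow tcp from any to me 23,3270 in via $rif setup limit src-addr 2
+
+# Allow inbound FTP connections to NAT
+$cmd 03720 allow tcp from any to me 20,21 in via $rif setup limit src-addr 2
+# 02500 pasv ftp
+
+# Reject and log all other incoming connections
+$cmd 03999 deny log all from any to any in via $rif
+#### lockdown in
+
+$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
+
+$cmd 65000 allow ip from any to any
+
+#$cmd 65535 deny ip from any to any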
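Review bot: Rules 03710 and 03720 accept Telnet/3270 and FTP from `any` on `$rif`, and natd.conf in this commit forwards ports 20-21 and 23 to 172.16.0.100, so cleartext logins to the emulated host are offered to every source that can reach the jail. If the service is meant for the LAN only, name the source, e.g. `$cmd 03710 allow tcp from 192.168.0.0/24 to me 23,3270 in via $rif setup limit src-addr 2` (prefix assumed from the DNS server address in rule 02110; adjust to the real client range). The ruleset also ends with `65000 allow ip from any to any` while the explicit `65535 deny` stays commented out, so anything not crossing `$rif` is accepted; a comment stating that this is intentional would help. The `#loopback` comment on rule 03114 is a copy of the line above; 0.0.0.0/8 is the "this network" block, not loopback.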
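--- a/jails/config/ibm/natd.conf
+++ b/jails/config/ibm/natd.conf
@@ -0,0 +1,2 @@
+redirect_port tcp 172.16.0.100:20-21 20-21
+redirect_port tcp 172.16.0.100:23 23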
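--- a/jails/config/ibm/setup_jail.sh
+++ b/jails/config/ibm/setup_jail.sh
@@ -0,0 +1,4 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc
+# launch tmux with emu
+#/mnt/config/startemu.sh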
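--- a/jails/config/ibm/startemu.sh
+++ b/jails/config/ibm/startemu.sh
@@ -0,0 +1,31 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+#
+session="emu_tmux"
+
+# set up tmux
+tmux start-server
+
+# create a new tmux session, naming the window hercules
+tmux new-session -d -s $session -n hercules
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./ibm.sh" C-m
+
+# create a new window empty
+tmux new-window -t $session:1 -n empty
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;clear" C-m
+
+# return to main window
+tmux select-window -t $session:0
+tmux selectp -t 1
+
+# Finished setup, attach to the tmux session!
+#tmux attach-session -t $session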
@ -282,7 +282,8 @@ unknown_local_recipient_reject_code = 550
|
||||
#mynetworks = $config_directory/mynetworks
|
||||
#mynetworks = hash:$config_directory/network_table
|
||||
|
||||
mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
|
||||
#mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
|
||||
mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [2603:3024:3f6:e1::]/64
|
||||
smtp_bind_address = 192.168.0.100
|
||||
smtp_bind_address6 = 2603:3024:3f6:e1::100
|
||||
|
||||
@ -680,6 +681,10 @@ sample_directory = /usr/local/etc/postfix
|
||||
#
|
||||
readme_directory = /usr/local/share/doc/postfix
|
||||
inet_protocols = ipv4, ipv6
|
||||
|
||||
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
|
||||
smtp_address_preference = ipv4
|
||||
|
||||
meta_directory = /usr/local/libexec/postfix
|
||||
shlib_directory = /usr/local/lib/postfix
|
||||
|
||||
@ -776,21 +781,21 @@ smtpd_helo_required = yes
|
||||
# entry and present a valid, FQDN HELO hostname. In addition, they can only
|
||||
# send mail to valid mailboxes on the server, and the sender's domain must
|
||||
# actually exist.
|
||||
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_reverse_client_hostname,reject_unauth_pipelining
|
||||
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_unknown_reverse_client_hostname
|
||||
# you might want to consider:
|
||||
# reject_unknown_client_hostname,
|
||||
# here. This will reject all incoming connections without a reverse DNS
|
||||
# entry that resolves back to the client's IP address. This is a very
|
||||
# restrictive check and may reject legitimate mail.
|
||||
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,reject_unauth_pipelining
|
||||
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_unauth_pipelining,reject_non_fqdn_helo_hostname
|
||||
# you might want to consider:
|
||||
# reject_unknown_helo_hostname,
|
||||
# here. This will reject all incoming mail without a HELO hostname that
|
||||
# properly resolves in DNS. This is a somewhat restrictive check and may
|
||||
# reject legitimate mail.
|
||||
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining
|
||||
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination
|
||||
# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
|
||||
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
|
||||
# !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
|
||||
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
|
||||
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
|
||||
smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
|
||||
@ -806,7 +811,7 @@ virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-maps.cf
|
||||
# LDAP query to find a user's email aliases
|
||||
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-alias-maps.cf, hash:/usr/local/etc/postfix/virtual-maillist-alias-maps
|
||||
|
||||
# We'll uncomment these when we set up rspamd later:
|
||||
# rspamd specific
|
||||
milter_protocol = 6
|
||||
# if rspamd is down, don't reject mail
|
||||
milter_default_action = accept
|
||||
|
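Review bot: The new `mynetworks` value narrows the IPv4 and global IPv6 ranges but still lists `[fe80::]/10`, and `permit_mynetworks` is the first entry in every `smtpd_*_restrictions` list shown here, including `smtpd_relay_restrictions`. Any host on the same link can therefore relay without authenticating, using only its link-local source address. Unless a client really submits mail from a link-local address, drop that entry: `mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [2603:3024:3f6:e1::]/64`. The +/- markers are lost on this page, so I read the /24 and /64 line as the new side because it follows the commented-out copy of the old value.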
@ -177,6 +177,7 @@ import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LA
|
||||
in_flow_delay = 1s
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
info_log_address_format = external
|
||||
initial_destination_concurrency = 5
|
||||
internal_mail_filter_classes =
|
||||
invalid_hostname_reject_code = 501
|
||||
@ -327,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
|
||||
luser_relay =
|
||||
mail_name = Postfix
|
||||
mail_owner = postfix
|
||||
mail_release_date = 20190921
|
||||
mail_release_date = 20200316
|
||||
mail_spool_directory = /var/mail
|
||||
mail_version = 3.4.7
|
||||
mail_version = 3.5.0
|
||||
mailbox_command =
|
||||
mailbox_command_maps =
|
||||
mailbox_delivery_lock = flock, dotlock
|
||||
@ -358,7 +359,7 @@ message_size_limit = 10240000
|
||||
message_strip_characters =
|
||||
meta_directory = /usr/local/libexec/postfix
|
||||
milter_command_timeout = 30s
|
||||
milter_connect_macros = j {daemon_name} {daemon_addr} v
|
||||
milter_connect_macros = j {daemon_name} {daemon_addr} v _
|
||||
milter_connect_timeout = 30s
|
||||
milter_content_timeout = 300s
|
||||
milter_data_macros = i
|
||||
@ -733,7 +734,7 @@ smtpd_sasl_response_limit = 12288
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
smtpd_sasl_service = smtp
|
||||
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_type = cyrus
|
||||
smtpd_sender_login_maps =
|
||||
smtpd_sender_restrictions =
|
||||
smtpd_service_name = smtpd
|
||||
|
@ -16,9 +16,9 @@ smtp inet n - n - - smtpd
|
||||
#dnsblog unix - - n - 0 dnsblog
|
||||
#tlsproxy unix - - n - 0 tlsproxy
|
||||
submission inet n - n - - smtpd
|
||||
# -o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o tls_preempt_cipherlist=yes
|
||||
# -o syslog_name=postfix/submission
|
||||
# -o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_tls_auth_only=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
|
@ -79,7 +79,7 @@ postlog unix-dgram n - n - 1 postlogd
|
||||
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||
#
|
||||
#maildrop unix - n n - - pipe
|
||||
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
|
||||
# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
@ -98,7 +98,7 @@ postlog unix-dgram n - n - 1 postlogd
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
@ -129,5 +129,5 @@ postlog unix-dgram n - n - 1 postlogd
|
||||
# ${nexthop} ${user} ${extension}
|
||||
#
|
||||
#mailman unix - n n - - pipe
|
||||
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
# ${nexthop} ${user}
|
||||
|
@ -1,4 +1,6 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2019, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
@ -6,8 +8,6 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
# the two lines below are not just comments but required by rcorder; service -e
|
||||
# PROVIDE: mapsserver
|
||||
# REQUIRE: NETWORKING DAEMON
|
||||
|
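--- a/jails/config/matrix/config.json
+++ b/jails/config/matrix/config.json
@@ -0,0 +1,58 @@
+{
+"default_server_config": {
+"m.homeserver": {
+"base_url": "https://matrix.ahlawat.com",
+"server_name": "matrix.ahlawat.com"
+},
+"m.identity_server": {
+"base_url": "https://vector.im"
+}
+},
+"disable_custom_urls": false,
+"disable_guests": false,
+"disable_login_language_selector": false,
+"disable_3pid_login": false,
+"brand": "Riot",
+"integrations_ui_url": "https://scalar.vector.im/",
+"integrations_rest_url": "https://scalar.vector.im/api",
+"integrations_widgets_urls": [
+"https://scalar.vector.im/_matrix/integrations/v1",
+"https://scalar.vector.im/api",
+"https://scalar-staging.vector.im/_matrix/integrations/v1",
+"https://scalar-staging.vector.im/api",
+"https://scalar-staging.riot.im/scalar/api"
+],
+"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+"defaultCountryCode": "US",
+"showLabsSettings": false,
+"features": {
+"feature_pinning": "labs",
+"feature_custom_status": "labs",
+"feature_custom_tags": "labs",
+"feature_state_counters": "labs"
+},
+"default_federate": true,
+"default_theme": "light",
+"roomDirectory": {
+"servers": [
+"matrix.org"
+]
+},
+"welcomeUserId": "@riot-bot:matrix.org",
+"piwik": {
+"url": "https://piwik.riot.im/",
+"whitelistedHSUrls": ["https://matrix.org"],
+"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
+"siteId": 1
+},
+"enable_presence_by_hs_url": {
+"https://matrix.org": false,
+"https://matrix-client.matrix.org": false
+},
+"settingDefaults": {
+"breadcrumbs": true
+},
+"jitsi": {
+"preferredDomain": "meet.ahlawat.com"
+}
+}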
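Review bot: The file keeps the upstream sample's third-party endpoints alongside the private homeserver: `piwik.url` points at https://piwik.riot.im/, `m.identity_server` at https://vector.im, and `integrations_widgets_urls` includes three `scalar-staging` hosts. For a self-hosted deployment I would remove the `piwik` block and the staging entries, so users are not offered analytics reporting or widgets served from hosts the operator does not control. `disable_guests` is `false`; whether guests can actually join is decided by the homeserver, so confirm guest access is off there if it is not wanted. JSON has no comment syntax, so the reasoning belongs in the commit message or a README next to the file.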
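--- a/jails/config/matrix/nginx.conf
+++ b/jails/config/matrix/nginx.conf
@@ -0,0 +1,161 @@
+
+#user nobody;
+worker_processes 1;
+
+# This default error log path is compiled-in to make sure configuration parsing
+# errors are logged somewhere, especially during unattended boot when stderr
+# isn't normally logged anywhere. This path will be touched on every nginx
+# start regardless of error log location configured here. See
+# https://trac.nginx.org/nginx/ticket/147 for more info.
+#
+#error_log /var/log/nginx/error.log;
+#
+
+#pid logs/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include mime.types;
+default_type application/octet-stream;
+
+#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+# '$status $body_bytes_sent "$http_referer" '
+# '"$http_user_agent" "$http_x_forwarded_for"';
+
+#access_log logs/access.log main;
+
+sendfile on;
+#tcp_nopush on;
+
+#keepalive_timeout 0;
+keepalive_timeout 65;
+
+#gzip on;
+
+# server {
+# listen 80;
+# server_name localhost;
+
+#charset koi8-r;
+
+#access_log logs/host.access.log main;
+
+# location / {
+# root /usr/local/www/nginx;
+# index index.html index.htm;
+# }
+
+#error_page 404 /404.html;
+
+# redirect server error pages to the static page /50x.html
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/local/www/nginx-dist;
+# }
+
+# proxy the PHP scripts to Apache listening on 127.0.0.1:80
+#
+#location ~ \.php$ {
+# proxy_pass http://127.0.0.1;
+#}
+
+# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+#
+#location ~ \.php$ {
+# root html;
+# fastcgi_pass 127.0.0.1:9000;
+# fastcgi_index index.php;
+# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+# include fastcgi_params;
+#}
+
+# deny access to .htaccess files, if Apache's document root
+# concurs with nginx's one
+#
+#location ~ /\.ht {
+# deny all;
+#}
+# }
+
+
+# another virtual host using mix of IP-, name-, and port-based configuration
+#
+#server {
+# listen 8000;
+# listen somename:8080;
+# server_name somename alias another.alias;
+
+# location / {
+# root html;
+# index index.html index.htm;
+# }
+#}
+
+
+# HTTPS server
+#
+#server {
+# listen 443 ssl;
+# server_name localhost;
+
+# ssl_certificate cert.pem;
+# ssl_certificate_key cert.key;
+
+# ssl_session_cache shared:SSL:1m;
+# ssl_session_timeout 5m;
+
+# ssl_ciphers HIGH:!aNULL:!MD5;
+# ssl_prefer_server_ciphers on;
+
+# location / {
+# root html;
+# index index.html index.htm;
+# }
+#}
+
+server_names_hash_bucket_size 64;
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name _;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 0.0.0.0:443 ssl http2;
+listen [::]:443 ssl http2;
+server_name matrix.ahlawat.com;
+
+ssl_certificate /mnt/certs/fullchain.pem;
+ssl_certificate_key /mnt/certs/privkey.pem;
+
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 5m;
+
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+#access_log logs/host.access.log main;
+
+#location /favicon.ico { access_log off; log_not_found off; }
+
+root /usr/local/www/riot;
+index index.html;
+
+#error_page 404 /404.html;
+
+# redirect server error pages to the static page /50x.html
+#
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+root /usr/local/www/nginx-dist;
+}
+}
+}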
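Review bot: The port-80 catch-all redirects with `return 301 https://$host$request_uri;`, and because that block is the `default_server` with `server_name _`, `$host` is whatever Host header the client sent; redirect to the fixed name instead, `return 301 https://matrix.ahlawat.com$request_uri;`. The TLS server sets `ssl_ciphers` but no `ssl_protocols`, so the protocol floor is whatever the installed nginx defaults to; `ssl_protocols TLSv1.2 TLSv1.3;` makes it explicit. Since this vhost serves the Riot web client, `add_header X-Frame-Options SAMEORIGIN;` in the 443 server block is also worth adding so the client cannot be framed by another origin.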
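--- a/jails/config/meet/hosts.txt
+++ b/jails/config/meet/hosts.txt
@@ -0,0 +1,9 @@
+
+192.168.0.67 auth.meet.ahlawat.com
+2603:3024:3f6:e1::67 auth.meet.ahlawat.com
+192.168.0.67 confrence.meet.ahlawat.com
+2603:3024:3f6:e1::67 conference.meet.ahlawat.com
+192.168.0.67 focus.meet.ahlawat.com
+2603:3024:3f6:e1::67 focus.meet.ahlawat.com
+192.168.0.67 jistsi-videobridge.meet.ahlawat.com
+2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com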
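Review bot: Two of the IPv4 entries are misspelled, `confrence.meet.ahlawat.com` and `jistsi-videobridge.meet.ahlawat.com`, while the IPv6 lines for the same hosts use `conference` and `jitsi-videobridge`. With these entries in a hosts file the correct names resolve over IPv6 only, so a component that needs the IPv4 address by name falls through to DNS or fails. The lines should read `192.168.0.67 conference.meet.ahlawat.com` and `192.168.0.67 jitsi-videobridge.meet.ahlawat.com`.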
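--- a/jails/config/meet/jicofo.conf
+++ b/jails/config/meet/jicofo.conf
@@ -0,0 +1,9 @@
+JVB_XMPP_HOST=localhost
+JVB_XMPP_DOMAIN=meet.ahlawat.com
+JVB_XMPP_PORT=5347
+JVB_XMPP_SECRET=YOURSECRET2-qwertyuiop
+JVB_XMPP_USER_DOMAIN=auth.meet.ahlawat.com
+JVB_XMPP_USER_NAME=focus
+JVB_XMPP_USER_SECRET=YOURSECRET3-qwertyuiop
+
+MAX_MEMORY=3072m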
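Review bot: `JVB_XMPP_SECRET` and `JVB_XMPP_USER_SECRET` are committed with the values `YOURSECRET2-qwertyuiop` and `YOURSECRET3-qwertyuiop`. If these are placeholders, nothing on the page forces them to be replaced before the jail starts, and a deployment that keeps them has guessable component and focus-user credentials; if they are the live values, they are now in repository history and should be rotated. Keep the real secrets in a file outside the repository with mode 0600 and commit only a template, e.g. `JVB_XMPP_SECRET=<set-at-deploy-time>`.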
542
jails/config/meet/jitsi-meet/config.js
Normal file
@ -0,0 +1,542 @@
|
||||
/* eslint-disable no-unused-vars, no-var */
|
||||
|
||||
var config = {
|
||||
// Connection
|
||||
//
|
||||
|
||||
hosts: {
|
||||
// XMPP domain.
|
||||
// domain: 'jitsi-meet.example.com',
|
||||
domain: 'meet.ahlawat.com',
|
||||
|
||||
// When using authentication, domain for guest users.
|
||||
// anonymousdomain: 'guest.example.com',
|
||||
|
||||
// Domain for authenticated users. Defaults to <domain>.
|
||||
// authdomain: 'jitsi-meet.example.com',
|
||||
|
||||
// Jirecon recording component domain.
|
||||
// jirecon: 'jirecon.jitsi-meet.example.com',
|
||||
|
||||
// Call control component (Jigasi).
|
||||
// call_control: 'callcontrol.jitsi-meet.example.com',
|
||||
|
||||
// Focus component domain. Defaults to focus.<domain>.
|
||||
// focus: 'focus.jitsi-meet.example.com',
|
||||
|
||||
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
|
||||
// muc: 'conference.jitsi-meet.example.com'
|
||||
muc: 'conference.meet.ahlawat.com',
|
||||
bridge: 'jitsi-videobridge.meet.ahlawat.com',
|
||||
},
|
||||
useNicks: false,
|
||||
|
||||
// BOSH URL. FIXME: use XEP-0156 to discover it.
|
||||
// bosh: '//jitsi-meet.example.com/http-bind',
|
||||
bosh: '//meet.ahlawat.com/http-bind',
|
||||
|
||||
// Websocket URL
|
||||
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
|
||||
|
||||
// The name of client node advertised in XEP-0115 'c' stanza
|
||||
clientNode: 'http://jitsi.org/jitsimeet',
|
||||
|
||||
// The real JID of focus participant - can be overridden here
|
||||
// focusUserJid: 'focus@auth.jitsi-meet.example.com',
|
||||
|
||||
|
||||
// Testing / experimental features.
|
||||
//
|
||||
|
||||
testing: {
|
||||
// P2P test mode disables automatic switching to P2P when there are 2
|
||||
// participants in the conference.
|
||||
p2pTestMode: false
|
||||
|
||||
// Enables the test specific features consumed by jitsi-meet-torture
|
||||
// testMode: false
|
||||
|
||||
// Disables the auto-play behavior of *all* newly created video element.
|
||||
// This is useful when the client runs on a host with limited resources.
|
||||
// noAutoPlayVideo: false
|
||||
},
|
||||
|
||||
// Disables ICE/UDP by filtering out local and remote UDP candidates in
|
||||
// signalling.
|
||||
// webrtcIceUdpDisable: false,
|
||||
|
||||
// Disables ICE/TCP by filtering out local and remote TCP candidates in
|
||||
// signalling.
|
||||
// webrtcIceTcpDisable: false,
|
||||
|
||||
|
||||
// Media
|
||||
//
|
||||
|
||||
// Audio
|
||||
|
||||
// Disable measuring of audio levels.
|
||||
// disableAudioLevels: false,
|
||||
// audioLevelsInterval: 200,
|
||||
|
||||
// Enabling this will run the lib-jitsi-meet no audio detection module which
|
||||
// will notify the user if the current selected microphone has no audio
|
||||
// input and will suggest another valid device if one is present.
|
||||
enableNoAudioDetection: true,
|
||||
|
||||
// Enabling this will run the lib-jitsi-meet noise detection module which will
|
||||
// notify the user if there is noise, other than voice, coming from the current
|
||||
// selected microphone. The purpose it to let the user know that the input could
|
||||
// be potentially unpleasant for other meeting participants.
|
||||
enableNoisyMicDetection: true,
|
||||
|
||||
// Start the conference in audio only mode (no video is being received nor
|
||||
// sent).
|
||||
// startAudioOnly: false,
|
||||
|
||||
// Every participant after the Nth will start audio muted.
|
||||
// startAudioMuted: 10,
|
||||
|
||||
// Start calls with audio muted. Unlike the option above, this one is only
|
||||
// applied locally. FIXME: having these 2 options is confusing.
|
||||
// startWithAudioMuted: false,
|
||||
|
||||
// Enabling it (with #params) will disable local audio output of remote
|
||||
// participants and to enable it back a reload is needed.
|
||||
// startSilent: false
|
||||
|
||||
// Video
|
||||
|
||||
// Sets the preferred resolution (height) for local video. Defaults to 720.
|
||||
// resolution: 720,
|
||||
|
||||
// w3c spec-compliant video constraints to use for video capture. Currently
|
||||
// used by browsers that return true from lib-jitsi-meet's
|
||||
// util#browser#usesNewGumFlow. The constraints are independent from
|
||||
// this config's resolution value. Defaults to requesting an ideal
|
||||
// resolution of 720p.
|
||||
// constraints: {
|
||||
// video: {
|
||||
// height: {
|
||||
// ideal: 720,
|
||||
// max: 720,
|
||||
// min: 240
|
||||
// }
|
||||
// }
|
||||
// },
|
||||
|
||||
// Enable / disable simulcast support.
|
||||
// disableSimulcast: false,
|
||||
|
||||
// Enable / disable layer suspension. If enabled, endpoints whose HD
|
||||
// layers are not in use will be suspended (no longer sent) until they
|
||||
// are requested again.
|
||||
// enableLayerSuspension: false,
|
||||
|
||||
// Every participant after the Nth will start video muted.
|
||||
// startVideoMuted: 10,
|
||||
|
||||
// Start calls with video muted. Unlike the option above, this one is only
|
||||
// applied locally. FIXME: having these 2 options is confusing.
|
||||
// startWithVideoMuted: false,
|
||||
|
||||
// If set to true, prefer to use the H.264 video codec (if supported).
|
||||
// Note that it's not recommended to do this because simulcast is not
|
||||
// supported when using H.264. For 1-to-1 calls this setting is enabled by
|
||||
// default and can be toggled in the p2p section.
|
||||
// preferH264: true,
|
||||
|
||||
// If set to true, disable H.264 video codec by stripping it out of the
|
||||
// SDP.
|
||||
// disableH264: false,
|
||||
|
||||
// Desktop sharing
|
||||
|
||||
// The ID of the jidesha extension for Chrome.
|
||||
desktopSharingChromeExtId: null,
|
||||
|
||||
// Whether desktop sharing should be disabled on Chrome.
|
||||
// desktopSharingChromeDisabled: false,
|
||||
|
||||
// The media sources to use when using screen sharing with the Chrome
|
||||
// extension.
|
||||
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
|
||||
|
||||
// Required version of Chrome extension
|
||||
desktopSharingChromeMinExtVersion: '0.1',
|
||||
|
||||
// Whether desktop sharing should be disabled on Firefox.
|
||||
// desktopSharingFirefoxDisabled: false,
|
||||
|
||||
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
|
||||
// desktopSharingFrameRate: {
|
||||
// min: 5,
|
||||
// max: 5
|
||||
// },
|
||||
|
||||
// Try to start calls with screen-sharing instead of camera video.
|
||||
// startScreenSharing: false,
|
||||
|
||||
// Recording
|
||||
|
||||
// Whether to enable file recording or not.
|
||||
// fileRecordingsEnabled: false,
|
||||
// Enable the dropbox integration.
|
||||
// dropbox: {
|
||||
// appKey: '<APP_KEY>' // Specify your app key here.
|
||||
// // A URL to redirect the user to, after authenticating
|
||||
// // by default uses:
|
||||
// // 'https://jitsi-meet.example.com/static/oauth.html'
|
||||
// redirectURI:
|
||||
// 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
|
||||
// },
|
||||
// When integrations like dropbox are enabled only that will be shown,
|
||||
// by enabling fileRecordingsServiceEnabled, we show both the integrations
|
||||
// and the generic recording service (its configuration and storage type
|
||||
// depends on jibri configuration)
|
||||
// fileRecordingsServiceEnabled: false,
|
||||
// Whether to show the possibility to share file recording with other people
|
||||
// (e.g. meeting participants), based on the actual implementation
|
||||
// on the backend.
|
||||
// fileRecordingsServiceSharingEnabled: false,
|
||||
|
||||
// Whether to enable live streaming or not.
|
||||
// liveStreamingEnabled: false,
|
||||
|
||||
// Transcription (in interface_config,
|
||||
// subtitles and buttons can be configured)
|
||||
// transcribingEnabled: false,
|
||||
|
||||
// Enables automatic turning on captions when recording is started
|
||||
// autoCaptionOnRecord: false,
|
||||
|
||||
// Misc
|
||||
|
||||
// Default value for the channel "last N" attribute. -1 for unlimited.
|
||||
channelLastN: -1,
|
||||
|
||||
// Disables or enables RTX (RFC 4588) (defaults to false).
|
||||
// disableRtx: false,
|
||||
|
||||
// Disables or enables TCC (the default is in Jicofo and set to true)
|
||||
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
|
||||
// affects congestion control, it practically enables send-side bandwidth
|
||||
// estimations.
|
||||
// enableTcc: true,
|
||||
|
||||
// Disables or enables REMB (the default is in Jicofo and set to false)
|
||||
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
|
||||
// control, it practically enables recv-side bandwidth estimations. When
|
||||
// both TCC and REMB are enabled, TCC takes precedence. When both are
|
||||
// disabled, then bandwidth estimations are disabled.
|
||||
// enableRemb: false,
|
||||
|
||||
// Defines the minimum number of participants to start a call (the default
|
||||
// is set in Jicofo and set to 2).
|
||||
// minParticipants: 2,
|
||||
|
||||
// Use XEP-0215 to fetch STUN and TURN servers.
|
||||
// useStunTurn: true,
|
||||
|
||||
// Enable IPv6 support.
|
||||
// useIPv6: true,
|
||||
|
||||
// Enables / disables a data communication channel with the Videobridge.
|
||||
// Values can be 'datachannel', 'websocket', true (treat it as
|
||||
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
|
||||
// open any channel).
|
||||
// openBridgeChannel: true,
|
||||
|
||||
|
||||
// UI
|
||||
//
|
||||
|
||||
// Use display name as XMPP nickname.
|
||||
// useNicks: false,
|
||||
|
||||
// Require users to always specify a display name.
|
||||
// requireDisplayName: true,
|
||||
|
||||
// Whether to use a welcome page or not. In case it's false a random room
|
||||
// will be joined when no room is specified.
|
||||
enableWelcomePage: true,
|
||||
|
||||
// Enabling the close page will ignore the welcome page redirection when
|
||||
// a call is hangup.
|
||||
// enableClosePage: false,
|
||||
|
||||
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
|
||||
// disable1On1Mode: false,
|
||||
|
||||
// Default language for the user interface.
|
||||
// defaultLanguage: 'en',
|
||||
|
||||
// If true all users without a token will be considered guests and all users
|
||||
// with token will be considered non-guests. Only guests will be allowed to
|
||||
// edit their profile.
|
||||
enableUserRolesBasedOnToken: false,
|
||||
|
||||
// Whether or not some features are checked based on token.
|
||||
// enableFeaturesBasedOnToken: false,
|
||||
|
||||
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
|
||||
// lockRoomGuestEnabled: false,
|
||||
|
||||
// When enabled the password used for locking a room is restricted to up to the number of digits specified
|
||||
// roomPasswordNumberOfDigits: 10,
|
||||
// default: roomPasswordNumberOfDigits: false,
|
||||
|
||||
// Message to show the users. Example: 'The service will be down for
|
||||
// maintenance at 01:00 AM GMT,
|
||||
// noticeMessage: '',
|
||||
|
||||
// Enables calendar integration, depends on googleApiApplicationClientID
|
||||
// and microsoftApiApplicationClientID
|
||||
// enableCalendarIntegration: false,
|
||||
|
||||
// Stats
|
||||
//
|
||||
|
||||
// Whether to enable stats collection or not in the TraceablePeerConnection.
|
||||
// This can be useful for debugging purposes (post-processing/analysis of
|
||||
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
|
||||
// estimation tests.
|
||||
// gatherStats: false,
|
||||
|
||||
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
|
||||
// pcStatsInterval: 10000,
|
||||
|
||||
// To enable sending statistics to callstats.io you must provide the
|
||||
// Application ID and Secret.
|
||||
// callStatsID: '',
|
||||
// callStatsSecret: '',
|
||||
|
||||
// enables sending participants display name to callstats
|
||||
// enableDisplayNameInStats: false,
|
||||
|
||||
// enables sending participants email if available to callstats and other analytics
|
||||
// enableEmailInStats: false,
|
||||
|
||||
// Privacy
|
||||
//
|
||||
|
||||
// If third party requests are disabled, no other server will be contacted.
|
||||
// This means avatars will be locally generated and callstats integration
|
||||
// will not function.
|
||||
// disableThirdPartyRequests: false,
|
||||
|
||||
|
||||
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
|
||||
//
|
||||
|
||||
p2p: {
|
||||
// Enables peer to peer mode. When enabled the system will try to
|
||||
// establish a direct connection when there are exactly 2 participants
|
||||
// in the room. If that succeeds the conference will stop sending data
|
||||
// through the JVB and use the peer to peer connection instead. When a
|
||||
// 3rd participant joins the conference will be moved back to the JVB
|
||||
// connection.
|
||||
enabled: true,
|
||||
|
||||
// Use XEP-0215 to fetch STUN and TURN servers.
|
||||
// useStunTurn: true,
|
||||
|
||||
// The STUN servers that will be used in the peer to peer connections
|
||||
stunServers: [
|
||||
|
||||
// { urls: 'stun:jitsi-meet.example.com:4446' },
|
||||
// { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
|
||||
{ urls: 'stun:ahlawat.com:3478' }
|
||||
],
|
||||
|
||||
// Sets the ICE transport policy for the p2p connection. At the time
|
||||
// of this writing the list of possible values are 'all' and 'relay',
|
||||
// but that is subject to change in the future. The enum is defined in
|
||||
// the WebRTC standard:
|
||||
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
|
||||
// If not set, the effective value is 'all'.
|
||||
// iceTransportPolicy: 'all',
|
||||
|
||||
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
|
||||
// is supported).
|
||||
preferH264: true
|
||||
|
||||
// If set to true, disable H.264 video codec by stripping it out of the
|
||||
// SDP.
|
||||
// disableH264: false,
|
||||
|
||||
// How long we're going to wait, before going back to P2P after the 3rd
|
||||
// participant has left the conference (to filter out page reload).
|
||||
// backToP2PDelay: 5
|
||||
},
|
||||
|
||||
analytics: {
|
||||
// The Google Analytics Tracking ID:
|
||||
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
|
||||
|
||||
// The Amplitude APP Key:
|
||||
// amplitudeAPPKey: '<APP_KEY>'
|
||||
|
||||
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
|
||||
// scriptURLs: [
|
||||
// "libs/analytics-ga.min.js", // google-analytics
|
||||
// "https://example.com/my-custom-analytics.js"
|
||||
// ],
|
||||
},
|
||||
|
||||
// Information about the jitsi-meet instance we are connecting to, including
|
||||
// the user region as seen by the server.
|
||||
deploymentInfo: {
|
||||
// shard: "shard1",
|
||||
// region: "europe",
|
||||
// userRegion: "asia"
|
||||
},
|
||||
|
||||
// Decides whether the start/stop recording audio notifications should play on record.
|
||||
// disableRecordAudioNotification: false,
|
||||
|
||||
// Information for the chrome extension banner
|
||||
// chromeExtensionBanner: {
|
||||
// // The chrome extension to be installed address
|
||||
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
|
||||
|
||||
// // Extensions info which allows checking if they are installed or not
|
||||
// chromeExtensionsInfo: [
|
||||
// {
|
||||
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
|
||||
// path: 'jitsi-logo-48x48.png'
|
||||
// }
|
||||
// ]
|
||||
// },
|
||||
|
||||
// Local Recording
|
||||
//
|
||||
|
||||
// localRecording: {
|
||||
// Enables local recording.
|
||||
// Additionally, 'localrecording' (all lowercase) needs to be added to
|
||||
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
|
||||
// button to show up on the toolbar.
|
||||
//
|
||||
// enabled: true,
|
||||
//
|
||||
|
||||
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
|
||||
// format: 'flac'
|
||||
//
|
||||
|
||||
// },
|
||||
|
||||
// Options related to end-to-end (participant to participant) ping.
|
||||
// e2eping: {
|
||||
// // The interval in milliseconds at which pings will be sent.
|
||||
// // Defaults to 10000, set to <= 0 to disable.
|
||||
// pingInterval: 10000,
|
||||
//
|
||||
// // The interval in milliseconds at which analytics events
|
||||
// // with the measured RTT will be sent. Defaults to 60000, set
|
||||
// // to <= 0 to disable.
|
||||
// analyticsInterval: 60000,
|
||||
// },
|
||||
|
||||
// If set, will attempt to use the provided video input device label when
|
||||
// triggering a screenshare, instead of proceeding through the normal flow
|
||||
// for obtaining a desktop stream.
|
||||
// NOTE: This option is experimental and is currently intended for internal
|
||||
// use only.
|
||||
// _desktopSharingSourceDevice: 'sample-id-or-label',
|
||||
|
||||
// If true, any checks to handoff to another application will be prevented
|
||||
// and instead the app will continue to display in the current browser.
|
||||
// disableDeepLinking: false,
|
||||
|
||||
// A property to disable the right click context menu for localVideo
|
||||
// the menu has option to flip the locally seen video for local presentations
|
||||
// disableLocalVideoFlip: false,
|
||||
|
||||
// Mainly privacy related settings
|
||||
|
||||
// Disables all invite functions from the app (share, invite, dial out...etc)
|
||||
// disableInviteFunctions: true,
|
||||
|
||||
// Disables storing the room name to the recents list
|
||||
// doNotStoreRoom: true,
|
||||
|
||||
// Deployment specific URLs.
|
||||
// deploymentUrls: {
|
||||
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
|
||||
// // user documentation.
|
||||
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
|
||||
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
|
||||
// // to the specified URL for an app download page.
|
||||
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
|
||||
// },
|
||||
|
||||
// Options related to the remote participant menu.
|
||||
// remoteVideoMenu: {
|
||||
// // If set to true the 'Kick out' button will be disabled.
|
||||
// disableKick: true
|
||||
// },
|
||||
|
||||
// If set to true all muting operations of remote participants will be disabled.
|
||||
// disableRemoteMute: true,
|
||||
|
||||
// List of undocumented settings used in jitsi-meet
|
||||
/**
|
||||
_immediateReloadThreshold
|
||||
autoRecord
|
||||
autoRecordToken
|
||||
debug
|
||||
debugAudioLevels
|
||||
deploymentInfo
|
||||
dialInConfCodeUrl
|
||||
dialInNumbersUrl
|
||||
dialOutAuthUrl
|
||||
dialOutCodesUrl
|
||||
disableRemoteControl
|
||||
displayJids
|
||||
etherpad_base
|
||||
externalConnectUrl
|
||||
firefox_fake_device
|
||||
googleApiApplicationClientID
|
||||
iAmRecorder
|
||||
iAmSipGateway
|
||||
microsoftApiApplicationClientID
|
||||
peopleSearchQueryTypes
|
||||
peopleSearchUrl
|
||||
requireDisplayName
|
||||
tokenAuthUrl
|
||||
*/
|
||||
|
||||
// List of undocumented settings used in lib-jitsi-meet
|
||||
/**
|
||||
_peerConnStatusOutOfLastNTimeout
|
||||
_peerConnStatusRtcMuteTimeout
|
||||
abTesting
|
||||
avgRtpStatsN
|
||||
callStatsConfIDNamespace
|
||||
callStatsCustomScriptUrl
|
||||
desktopSharingSources
|
||||
disableAEC
|
||||
disableAGC
|
||||
disableAP
|
||||
disableHPF
|
||||
disableNS
|
||||
enableLipSync
|
||||
enableTalkWhileMuted
|
||||
forceJVB121Ratio
|
||||
hiddenDomain
|
||||
ignoreStartMuted
|
||||
nick
|
||||
startBitrate
|
||||
*/
|
||||
|
||||
|
||||
// Allow all above example options to include a trailing comma and
|
||||
// prevent fear when commenting out the last value.
|
||||
makeJsonParserHappy: 'even if last key had a trailing comma'
|
||||
|
||||
// no configuration value should follow this line.
|
||||
};
|
||||
|
||||
/* eslint-enable no-unused-vars, no-var */
|
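--- a/jails/config/meet/jitsi-meet/interface_config.js
+++ b/jails/config/meet/jitsi-meet/interface_config.js
@@ -0,0 +1,258 @@
+/* eslint-disable no-unused-vars, no-var, max-len */
+
+var interfaceConfig = {
+// TO FIX: this needs to be handled from SASS variables. There are some
+// methods allowing to use variables both in css and js.
+DEFAULT_BACKGROUND: '#474747',
+
+/**
+* Whether or not the blurred video background for large video should be
+* displayed on browsers that can support it.
+*/
+DISABLE_VIDEO_BACKGROUND: false,
+
+INITIAL_TOOLBAR_TIMEOUT: 20000,
+TOOLBAR_TIMEOUT: 4000,
+TOOLBAR_ALWAYS_VISIBLE: false,
+DEFAULT_REMOTE_DISPLAY_NAME: 'Friend',
+DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+SHOW_JITSI_WATERMARK: false,
+JITSI_WATERMARK_LINK: 'https://meet.ahlawat.com',
+
+// if watermark is disabled by default, it can be shown only for guests
+SHOW_WATERMARK_FOR_GUESTS: false,
+SHOW_BRAND_WATERMARK: false,
+BRAND_WATERMARK_LINK: 'https://meet.ahlawat.com',
+SHOW_POWERED_BY: false,
+SHOW_DEEP_LINKING_IMAGE: false,
+GENERATE_ROOMNAMES_ON_WELCOME_PAGE: false,
+DISPLAY_WELCOME_PAGE_CONTENT: false,
+DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
+APP_NAME: 'Ahlawat meet',
+NATIVE_APP_NAME: 'Ahlawat meet',
+PROVIDER_NAME: 'Ahlawat',
+LANG_DETECTION: true, // Allow i18n to detect the system language
+INVITATION_POWERED_BY: false,
+
+/**
+* If we should show authentication block in profile
+*/
+AUTHENTICATION_ENABLE: true,
+
+/**
+* The name of the toolbar buttons to display in the toolbar. If present,
+* the button will display. Exceptions are "livestreaming" and "recording"
+* which also require being a moderator and some values in config.js to be
+* enabled. Also, the "profile" button will not display for user's with a
+* jwt.
+*/
+TOOLBAR_BUTTONS: [
+'microphone', 'camera', 'closedcaptions', 'desktop', 'fullscreen',
+'fodeviceselection', 'hangup', 'profile', 'info', 'chat', 'recording',
+'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
+'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
+'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone',
+'e2ee'
+],
+
+SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
+
+// Determines how the video would fit the screen. 'both' would fit the whole
+// screen, 'height' would fit the original video height to the height of the
+// screen, 'width' would fit the original video width to the width of the
+// screen respecting ratio.
+VIDEO_LAYOUT_FIT: 'both',
+
+/**
+* Whether to only show the filmstrip (and hide the toolbar).
+*/
+filmStripOnly: false,
+
+/**
+* Whether to show thumbnails in filmstrip as a column instead of as a row.
+*/
+VERTICAL_FILMSTRIP: true,
+
+// A html text to be shown to guests on the close page, false disables it
+CLOSE_PAGE_GUEST_HINT: false,
+SHOW_PROMOTIONAL_CLOSE_PAGE: false,
+RANDOM_AVATAR_URL_PREFIX: false,
+RANDOM_AVATAR_URL_SUFFIX: false,
+FILM_STRIP_MAX_HEIGHT: 120,
+
+// Enables feedback star animation.
+ENABLE_FEEDBACK_ANIMATION: false,
+DISABLE_FOCUS_INDICATOR: false,
+DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
+
+/**
+* Whether the speech to text transcription subtitles panel is disabled.
+* If {@code undefined}, defaults to {@code false}.
+*
+* @type {boolean}
+*/
+DISABLE_TRANSCRIPTION_SUBTITLES: false,
+
+/**
+* Whether the ringing sound in the call/ring overlay is disabled. If
+* {@code undefined}, defaults to {@code false}.
+*
+* @type {boolean}
+*/
+DISABLE_RINGING: false,
+AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
+AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
+POLICY_LOGO: null,
+LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
+REMOTE_THUMBNAIL_RATIO: 1, // 1:1
+// Documentation reference for the live streaming feature.
+LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
+/**
+* Whether the mobile app Jitsi Meet is to be promoted to participants
+* attempting to join a conference in a mobile Web browser. If
+* {@code undefined}, defaults to {@code true}.
+*
+* @type {boolean}
+*/
+MOBILE_APP_PROMO: true,
+
+/**
+* Maximum coeficient of the ratio of the large video to the visible area
+* after the large video is scaled to fit the window.
+*
+* @type {number}
+*/
+MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
+
+/*
+* If indicated some of the error dialogs may point to the support URL for
+* help.
+*/
+SUPPORT_URL: 'https://ahlawat.com/',
+
+/**
+* Whether the connection indicator icon should hide itself based on
+* connection strength. If true, the connection indicator will remain
+* displayed while the participant has a weak connection and will hide
+* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
+* strong.
+*
+* @type {boolean}
+*/
+CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
+
+/**
+* How long the connection indicator should remain displayed before hiding.
+* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
+*
+* @type {number}
+*/
+CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
+
+/**
+* If true, hides the connection indicators completely.
+*
+* @type {boolean}
+*/
+CONNECTION_INDICATOR_DISABLED: false,
+
+/**
+* If true, hides the video quality label indicating the resolution status
+* of the current large video.
+*
+* @type {boolean}
+*/
+VIDEO_QUALITY_LABEL_DISABLED: false,
+
+/**
+* If true, will display recent list
+*
+* @type {boolean}
+*/
+RECENT_LIST_ENABLED: true,
+
+// Names of browsers which should show a warning stating the current browser
+// has a suboptimal experience. Browsers which are not listed as optimal or
+// unsupported are considered suboptimal. Valid values are:
+// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
+OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron' ],
+
+// Browsers, in addition to those which do not fully support WebRTC, that
+// are not supported and should show the unsupported browser page.
+UNSUPPORTED_BROWSERS: [],
+
+/**
+* A UX mode where the last screen share participant is automatically
+* pinned. Valid values are the string "remote-only" so remote participants
+* get pinned but not local, otherwise any truthy value for all participants,
+* and any falsy value to disable the feature.
+*
+* Note: this mode is experimental and subject to breakage.
+*/
+AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
+
+/**
+* If true, presence status: busy, calling, connected etc. is not displayed.
+*/
+DISABLE_PRESENCE_STATUS: false,
+
+/**
+* If true, notifications regarding joining/leaving are no longer displayed.
+*/
+DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
+
+/**
+* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+* being already installed is done before rendering.
+*/
+SHOW_CHROME_EXTENSION_BANNER: false
+
+/**
+* When enabled, the kick participant button will not be presented for users without a JWT
+*/
+// HIDE_KICK_BUTTON_FOR_GUESTS: false
+
+/**
+* How many columns the tile view can expand to. The respected range is
+* between 1 and 5.
+*/
+// TILE_VIEW_MAX_COLUMNS: 5,
+
+/**
+* Specify custom URL for downloading android mobile app.
+*/
+// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+/**
+* Specify URL for downloading ios mobile app.
+*/
+// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+/**
+* Specify mobile app scheme for opening the app from the mobile browser.
+*/
+// APP_SCHEME: 'org.jitsi.meet',
+
+/**
+* Specify the Android app package name.
+*/
+// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
+
+/**
+* Override the behavior of some notifications to remain displayed until
+* explicitly dismissed through a user action. The value is how long, in
+* milliseconds, those notifications should remain displayed.
+*/
+// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
+
+// List of undocumented settings
+/**
+INDICATOR_FONT_SIZES
+MOBILE_DYNAMIC_LINK
+PHONE_NUMBER_REGEX
+*/
+};
+
+/* eslint-enable no-unused-vars, no-var, max-len */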
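Review bot: `TOOLBAR_BUTTONS` keeps the full upstream list, including 'recording', 'livestreaming', 'etherpad' and 'sharedvideo', although the part of config.js visible in this commit leaves `fileRecordingsEnabled` and `liveStreamingEnabled` commented out. Trimming the array to the features this deployment actually runs would make the exposed surface readable from the file. A comment above it such as `// UI only: this file is served to the browser, so hiding a button does not disable the feature on the server` would stop a later reader from treating the list as access control. The doc comment for `CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT` also names `CONNECTION_INDICATOR_AUTOHIDE_ENABLED`, which does not match the key actually set, `CONNECTION_INDICATOR_AUTO_HIDE_ENABLED`.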
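--- a/jails/config/meet/nginx.conf
+++ b/jails/config/meet/nginx.conf
@@ -0,0 +1,190 @@
+
+#user nobody;
+worker_processes 1;
+
+# This default error log path is compiled-in to make sure configuration parsing
+# errors are logged somewhere, especially during unattended boot when stderr
+# isn't normally logged anywhere. This path will be touched on every nginx
+# start regardless of error log location configured here. See
+# https://trac.nginx.org/nginx/ticket/147 for more info.
+#
+#error_log /var/log/nginx/error.log;
+#
+
+#pid logs/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include mime.types;
+default_type application/octet-stream;
+
+#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+# '$status $body_bytes_sent "$http_referer" '
+# '"$http_user_agent" "$http_x_forwarded_for"';
+
+#access_log logs/access.log main;
+
+sendfile on;
+#tcp_nopush on;
+
+#keepalive_timeout 0;
+keepalive_timeout 65;
+
+#gzip on;
+
+# server {
+# listen 80;
+# server_name localhost;
+
+#charset koi8-r;
+
+#access_log logs/host.access.log main;
+
+# location / {
+# root /usr/local/www/nginx;
+# index index.html index.htm;
+# }
+
+#error_page 404 /404.html;
+
+# redirect server error pages to the static page /50x.html
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/local/www/nginx-dist;
+# }
+
+# proxy the PHP scripts to Apache listening on 127.0.0.1:80
+#
+#location ~ \.php$ {
+# proxy_pass http://127.0.0.1;
+#}
+
+# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+#
+#location ~ \.php$ {
+# root html;
+# fastcgi_pass 127.0.0.1:9000;
+# fastcgi_index index.php;
+# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+# include fastcgi_params;
+#}
+
+# deny access to .htaccess files, if Apache's document root
+# concurs with nginx's one
+#
+#location ~ /\.ht {
+# deny all;
+#}
+# }
+
+
+# another virtual host using mix of IP-, name-, and port-based configuration
+#
+#server {
+# listen 8000;
+# listen somename:8080;
+# server_name somename alias another.alias;
+
+# location / {
+# root html;
+# index index.html index.htm;
+# }
+#}
+
+
+# HTTPS server
+#
+#server {
+# listen 443 ssl;
+# server_name localhost;
+
+# ssl_certificate cert.pem;
+# ssl_certificate_key cert.key;
+
+# ssl_session_cache shared:SSL:1m;
+# ssl_session_timeout 5m;
+
+# ssl_ciphers HIGH:!aNULL:!MD5;
+# ssl_prefer_server_ciphers on;
+
+# location / {
+# root html;
+# index index.html index.htm;
+# }
+#}
+
+server_names_hash_bucket_size 64;
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name _;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 0.0.0.0:443 ssl http2;
+listen [::]:443 ssl http2;
+server_name meet.ahlawat.com;
+
+ssl_certificate /mnt/certs/fullchain.pem;
+ssl_certificate_key /mnt/certs/privkey.pem;
+
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 5m;
+
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+#access_log logs/host.access.log main;
+
+#location /favicon.ico { access_log off; log_not_found off; }
+
+root /usr/local/www/jitsi-meet;
+index index.html;
+location ~ ^/([a-zA-Z0-9=\?]+)$ {
+rewrite ^/(.*)$ / break;
+}
+location / {
+ssi on;
+}
+# BOSH, Bidirectional-streams Over Synchronous HTTP
+# https://en.wikipedia.org/wiki/BOSH_(protocol)
+location /http-bind {
+proxy_pass http://meet.ahlawat.com:5280/http-bind;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $http_host;
+}
+# external_api.js must be accessible from the root of the
+# installation for the electron version of Jitsi Meet to work
+# https://github.com/jitsi/jitsi-meet-electron
+location /external_api.js {
+alias /usr/local/www/jitsi-meet/libs/external_api.min.js;
+}
+
+# xmpp websockets
+location /xmpp-websocket {
+proxy_pass http://meet.ahlawat.com:5280/xmpp-websocket;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+tcp_nodelay on;
+}
+
+#error_page 404 /404.html;
+
+# redirect server error pages to the static page /50x.html
+#
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+root /usr/local/www/nginx-dist;
+}
+}
+}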
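Review bot: Both `proxy_pass` lines (`/http-bind` and `/xmpp-websocket`) forward the XMPP signalling over plain HTTP to `meet.ahlawat.com:5280`, so where that traffic goes depends on how the name resolves inside the jail. If it resolves to a routable address, the traffic leaves the host unencrypted and port 5280 has to stay reachable from outside. Pointing both at the local listener, e.g. `proxy_pass http://127.0.0.1:5280/http-bind;` (or the jail's own address, if Prosody does not listen on loopback there), removes the DNS dependency. The BOSH block also forwards the client-supplied `$http_host` while the websocket block uses `$host`; `proxy_set_header Host $host;` in both would keep the virtual-host selection consistent. Separately, the TLS server block sets `ssl_ciphers` but no `ssl_protocols`, so the protocol floor is whatever this nginx build defaults to; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` would pin it.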
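--- a/jails/config/meet/prosody.cfg.lua
+++ b/jails/config/meet/prosody.cfg.lua
@@ -0,0 +1,234 @@
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+pidfile = "/var/run/prosody/prosody.pid"
+-- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "focus@auth.meet.ahlawat.com" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"limits"; -- Enable bandwidth limiting for XMPP connections
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+error = "prosody.err";
+-- "*syslog"; -- Uncomment this for logging to syslog
+-- "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+-- certificates = "certs"
+certificates = "/mnt/certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/usr/local/etc/prosody/certs/localhost.crt"
+https_certificate = "/mnt/certs/haproxy.pem"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+-- VirtualHost "localhost"
+
+VirtualHost "meet.ahlawat.com"
+ssl = {
+key = "/mnt/certs/privkeyr.pem";
+certificate = "/mnt/certs/fullchain.pem";
+}
+authentication = "anonymous"
+modules_enabled = {
+"bosh";
+"pubsub";
+}
+c2s_require_encryption = false
+
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+
+Component "conference.meet.ahlawat.com" "muc"
+Component "jitsi-videobridge.meet.ahlawat.com"
+component_secret = "YOURSECRET1-qwertyuiop"
+Component "focus.meet.ahlawat.com"
+component_secret = "YOURSECRET2-qwertyuiop"
+
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
+
+VirtualHost "auth.meet.ahlawat.com"
+ssl = {
+key = "/var/db/prosody/auth.meet.ahlawat.com.key";
+certificate = "/var/db/prosody/auth.meet.ahlawat.com.crt";
+}
+authentication = "internal_hashed"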
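Review bot: The `component_secret` values for `jitsi-videobridge.meet.ahlawat.com` and `focus.meet.ahlawat.com` are committed in clear text, and the first one is repeated as `JVB_XMPP_SECRET` in jitsi-videobridge.conf. They read like placeholders; if so, a comment such as `-- placeholder, replace at deploy time; must match JVB_XMPP_SECRET` would say that, and if they are the live values they should be rotated and supplied from outside the repository. Under `VirtualHost "meet.ahlawat.com"` the key path is `/mnt/certs/privkeyr.pem` while the nginx server block on this page uses `/mnt/certs/privkey.pem`, so this may be a typo that would keep the host's certificate from loading. The same host sets `authentication = "anonymous"` with `c2s_require_encryption = false` while `interfaces` is left commented out, so it is worth confirming that the client port is reachable only from the proxy.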
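--- a/jails/config/meet/videobridge/jitsi-videobridge.conf
+++ b/jails/config/meet/videobridge/jitsi-videobridge.conf
@@ -0,0 +1,7 @@
+JVB_XMPP_HOST=localhost
+JVB_XMPP_DOMAIN=meet.ahlawat.com
+JVB_XMPP_PORT=5347
+JVB_XMPP_SECRET=YOURSECRET1-qwertyuiop
+
+VIDEOBRIDGE_MAX_MEMORY=3072m
+# VIDEOBRIDGE_DEBUG_OPTIONS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000"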
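Review bot: The commented `VIDEOBRIDGE_DEBUG_OPTIONS` line on the last line of the file would start a JDWP listener on port 8000 if someone uncomments it, and JDWP has no authentication, so whoever can reach that port can run code inside the bridge's JVM. As far as I recall, older Java versions treat a bare `address=8000` as listening on every interface, so the exposure depends on the runtime in the jail. A caution above the line would help: `# debug only: JDWP is unauthenticated; keep the port firewalled and never enable in production`.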
@ -0,0 +1,7 @@
|
||||
#org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.meet.ahlawat.com/.*
|
||||
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
|
||||
# The videobridge uses 443 by default with 4443 as a fallback, but since we're already
|
||||
# running nginx on 443 in this example doc, we specify 4443 manually to avoid a race condition
|
||||
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
|
||||
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.0.67
|
||||
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=173.167.104.25
|
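Review bot: `org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false` turns off the SRTP replay check for the bridge, and nothing in this file (its header is not shown on the page) says why. If it is a workaround, a comment naming the problem and the condition for removing it would let the check be restored later, e.g. `# workaround for <issue>; re-enable replay protection once fixed`. The first line also leaves `org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP` commented out; as far as I know that setting limits which XMPP JIDs may control the bridge, so it is worth confirming that leaving it unset is intended. The two `NAT_HARVESTER_*` addresses are host-specific and would be easier to maintain with a comment saying they must be edited per deployment.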
@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
938
jails/config/monitor/json/blackbox-exporter-overview_rev1.json
Normal file
938
jails/config/monitor/json/blackbox-exporter-overview_rev1.json
Normal file
@ -0,0 +1,938 @@
|
||||
{
|
||||
"__inputs": [
|
||||
{
|
||||
"name": "DS_PROMETHEUS",
|
||||
"label": "Prometheus",
|
||||
"description": "",
|
||||
"type": "datasource",
|
||||
"pluginId": "prometheus",
|
||||
"pluginName": "Prometheus"
|
||||
}
|
||||
],
|
||||
"__requires": [
|
||||
{
|
||||
"type": "grafana",
|
||||
"id": "grafana",
|
||||
"name": "Grafana",
|
||||
"version": "5.4.3"
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "graph",
|
||||
"name": "Graph",
|
||||
"version": "5.0.0"
|
||||
},
|
||||
{
|
||||
"type": "datasource",
|
||||
"id": "prometheus",
|
||||
"name": "Prometheus",
|
||||
"version": "5.0.0"
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "singlestat",
|
||||
"name": "Singlestat",
|
||||
"version": "5.0.0"
|
||||
}
|
||||
],
|
||||
"annotations": {
|
||||
"list": [
|
||||
{
|
||||
"builtIn": 1,
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"enable": true,
|
||||
"hide": true,
|
||||
"iconColor": "rgba(0, 211, 255, 1)",
|
||||
"name": "Annotations & Alerts",
|
||||
"type": "dashboard"
|
||||
}
|
||||
]
|
||||
},
|
||||
"editable": true,
|
||||
"gnetId": 11175,
|
||||
"graphTooltip": 0,
|
||||
"id": null,
|
||||
"iteration": 1573505620144,
|
||||
"links": [],
|
||||
"panels": [
|
||||
{
|
||||
"collapsed": false,
|
||||
"gridPos": {
|
||||
"h": 1,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": 15,
|
||||
"panels": [],
|
||||
"repeat": "targets",
|
||||
"title": "$targets UP/DOWN Status",
|
||||
"type": "row"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": true,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#d44a3a",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#299c46"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"format": "none",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 1
|
||||
},
|
||||
"id": 2,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"minSpan": 3,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"repeat": null,
|
||||
"repeatDirection": "h",
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_success{instance=~\"$targets\"}",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "1,1",
|
||||
"title": "$targets",
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "80%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "UP",
|
||||
"value": "1"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "DOWN",
|
||||
"value": "0"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": true,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#d44a3a",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#299c46"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"format": "none",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 3
|
||||
},
|
||||
"id": 18,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"minSpan": 3,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"repeatDirection": "h",
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_http_ssl{instance=~\"$targets\"}",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "0,1",
|
||||
"title": "SSL",
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "80%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "YES",
|
||||
"value": "1"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "NO",
|
||||
"value": "0"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
},
|
||||
{
|
||||
"aliasColors": {},
|
||||
"bars": false,
|
||||
"dashLength": 10,
|
||||
"dashes": false,
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"fill": 1,
|
||||
"gridPos": {
|
||||
"h": 6,
|
||||
"w": 9,
|
||||
"x": 6,
|
||||
"y": 3
|
||||
},
|
||||
"id": 17,
|
||||
"legend": {
|
||||
"avg": false,
|
||||
"current": false,
|
||||
"max": false,
|
||||
"min": false,
|
||||
"show": true,
|
||||
"total": false,
|
||||
"values": false
|
||||
},
|
||||
"lines": true,
|
||||
"linewidth": 1,
|
||||
"links": [],
|
||||
"nullPointMode": "null",
|
||||
"percentage": false,
|
||||
"pointradius": 5,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
"seriesOverrides": [],
|
||||
"spaceLength": 10,
|
||||
"stack": false,
|
||||
"steppedLine": false,
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_duration_seconds{instance=~\"$targets\"}",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"legendFormat": "seconds",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeFrom": null,
|
||||
"timeRegions": [],
|
||||
"timeShift": null,
|
||||
"title": "Probe Duration",
|
||||
"tooltip": {
|
||||
"shared": true,
|
||||
"sort": 0,
|
||||
"value_type": "individual"
|
||||
},
|
||||
"type": "graph",
|
||||
"xaxis": {
|
||||
"buckets": null,
|
||||
"mode": "time",
|
||||
"name": null,
|
||||
"show": true,
|
||||
"values": []
|
||||
},
|
||||
"yaxes": [
|
||||
{
|
||||
"format": "s",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
},
|
||||
{
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
}
|
||||
],
|
||||
"yaxis": {
|
||||
"align": false,
|
||||
"alignLevel": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"aliasColors": {},
|
||||
"bars": false,
|
||||
"dashLength": 10,
|
||||
"dashes": false,
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"fill": 1,
|
||||
"gridPos": {
|
||||
"h": 6,
|
||||
"w": 9,
|
||||
"x": 15,
|
||||
"y": 3
|
||||
},
|
||||
"id": 21,
|
||||
"legend": {
|
||||
"avg": false,
|
||||
"current": false,
|
||||
"max": false,
|
||||
"min": false,
|
||||
"show": true,
|
||||
"total": false,
|
||||
"values": false
|
||||
},
|
||||
"lines": true,
|
||||
"linewidth": 1,
|
||||
"links": [],
|
||||
"nullPointMode": "null",
|
||||
"percentage": false,
|
||||
"pointradius": 5,
|
||||
"points": false,
|
||||
"renderer": "flot",
|
||||
"seriesOverrides": [],
|
||||
"spaceLength": 10,
|
||||
"stack": false,
|
||||
"steppedLine": false,
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_dns_lookup_time_seconds{instance=~\"$targets\"}",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"legendFormat": "seconds",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeFrom": null,
|
||||
"timeRegions": [],
|
||||
"timeShift": null,
|
||||
"title": "DNS Lookup",
|
||||
"tooltip": {
|
||||
"shared": true,
|
||||
"sort": 0,
|
||||
"value_type": "individual"
|
||||
},
|
||||
"type": "graph",
|
||||
"xaxis": {
|
||||
"buckets": null,
|
||||
"mode": "time",
|
||||
"name": null,
|
||||
"show": true,
|
||||
"values": []
|
||||
},
|
||||
"yaxes": [
|
||||
{
|
||||
"format": "s",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
},
|
||||
{
|
||||
"format": "short",
|
||||
"label": null,
|
||||
"logBase": 1,
|
||||
"max": null,
|
||||
"min": null,
|
||||
"show": true
|
||||
}
|
||||
],
|
||||
"yaxis": {
|
||||
"align": false,
|
||||
"alignLevel": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": true,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#d44a3a",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#299c46"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"decimals": 2,
|
||||
"format": "dtdurations",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 5
|
||||
},
|
||||
"id": 19,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"minSpan": 3,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"repeatDirection": "h",
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_ssl_earliest_cert_expiry{instance=~\"$targets\"}-time()",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "0,1209600",
|
||||
"title": "SSL Cert Expiry",
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "80%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "YES",
|
||||
"value": "1"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "NO",
|
||||
"value": "0"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": false,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#299c46",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#d44a3a"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"decimals": 0,
|
||||
"format": "none",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 7
|
||||
},
|
||||
"id": 20,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"minSpan": 3,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"repeatDirection": "h",
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "probe_http_status_code{instance=~\"$targets\"}",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "200,299,300",
|
||||
"title": "HTTP Status Code",
|
||||
"transparent": false,
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "80%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "YES",
|
||||
"value": "1"
|
||||
},
|
||||
{
|
||||
"op": "=",
|
||||
"text": "NO",
|
||||
"value": "0"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": false,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#299c46",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#d44a3a"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"format": "s",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 12,
|
||||
"x": 0,
|
||||
"y": 9
|
||||
},
|
||||
"id": 23,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "avg(probe_duration_seconds{instance=~\"$targets\"})",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "",
|
||||
"title": "Average Probe Duration",
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "50%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"colorBackground": false,
|
||||
"colorValue": false,
|
||||
"colors": [
|
||||
"#299c46",
|
||||
"rgba(237, 129, 40, 0.89)",
|
||||
"#d44a3a"
|
||||
],
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"format": "s",
|
||||
"gauge": {
|
||||
"maxValue": 100,
|
||||
"minValue": 0,
|
||||
"show": false,
|
||||
"thresholdLabels": false,
|
||||
"thresholdMarkers": true
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 2,
|
||||
"w": 12,
|
||||
"x": 12,
|
||||
"y": 9
|
||||
},
|
||||
"id": 24,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"mappingType": 1,
|
||||
"mappingTypes": [
|
||||
{
|
||||
"name": "value to text",
|
||||
"value": 1
|
||||
},
|
||||
{
|
||||
"name": "range to text",
|
||||
"value": 2
|
||||
}
|
||||
],
|
||||
"maxDataPoints": 100,
|
||||
"nullPointMode": "connected",
|
||||
"nullText": null,
|
||||
"postfix": "",
|
||||
"postfixFontSize": "50%",
|
||||
"prefix": "",
|
||||
"prefixFontSize": "50%",
|
||||
"rangeMaps": [
|
||||
{
|
||||
"from": "null",
|
||||
"text": "N/A",
|
||||
"to": "null"
|
||||
}
|
||||
],
|
||||
"sparkline": {
|
||||
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||
"full": false,
|
||||
"lineColor": "rgb(31, 120, 193)",
|
||||
"show": false
|
||||
},
|
||||
"tableColumn": "",
|
||||
"targets": [
|
||||
{
|
||||
"expr": "avg(probe_dns_lookup_time_seconds{instance=~\"$targets\"})",
|
||||
"format": "time_series",
|
||||
"interval": "$interval",
|
||||
"intervalFactor": 1,
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"thresholds": "",
|
||||
"title": "Average DNS Lookup",
|
||||
"type": "singlestat",
|
||||
"valueFontSize": "50%",
|
||||
"valueMaps": [
|
||||
{
|
||||
"op": "=",
|
||||
"text": "N/A",
|
||||
"value": "null"
|
||||
}
|
||||
],
|
||||
"valueName": "current"
|
||||
}
|
||||
],
|
||||
"refresh": "1m",
|
||||
"schemaVersion": 16,
|
||||
"style": "dark",
|
||||
"tags": [
|
||||
"blackbox",
|
||||
"prometheus"
|
||||
],
|
||||
"templating": {
|
||||
"list": [
|
||||
{
|
||||
"auto": true,
|
||||
"auto_count": 10,
|
||||
"auto_min": "10s",
|
||||
"current": {
|
||||
"text": "auto",
|
||||
"value": "$__auto_interval_interval"
|
||||
},
|
||||
"hide": 0,
|
||||
"label": "Interval",
|
||||
"name": "interval",
|
||||
"options": [
|
||||
{
|
||||
"selected": true,
|
||||
"text": "auto",
|
||||
"value": "$__auto_interval_interval"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "5s",
|
||||
"value": "5s"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "10s",
|
||||
"value": "10s"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "30s",
|
||||
"value": "30s"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "1m",
|
||||
"value": "1m"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "10m",
|
||||
"value": "10m"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "30m",
|
||||
"value": "30m"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "1h",
|
||||
"value": "1h"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "6h",
|
||||
"value": "6h"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "12h",
|
||||
"value": "12h"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "1d",
|
||||
"value": "1d"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "7d",
|
||||
"value": "7d"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "14d",
|
||||
"value": "14d"
|
||||
},
|
||||
{
|
||||
"selected": false,
|
||||
"text": "30d",
|
||||
"value": "30d"
|
||||
}
|
||||
],
|
||||
"query": "5s,10s,30s,1m,10m,30m,1h,6h,12h,1d,7d,14d,30d",
|
||||
"refresh": 2,
|
||||
"skipUrlSync": false,
|
||||
"type": "interval"
|
||||
},
|
||||
{
|
||||
"allValue": null,
|
||||
"current": {},
|
||||
"datasource": "${DS_PROMETHEUS}",
|
||||
"definition": "label_values(probe_success, instance)",
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"label": null,
|
||||
"multi": true,
|
||||
"name": "targets",
|
||||
"options": [],
|
||||
"query": "label_values(probe_success, instance)",
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 0,
|
||||
"tagValuesQuery": "",
|
||||
"tags": [],
|
||||
"tagsQuery": "",
|
||||
"type": "query",
|
||||
"useTags": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {
|
||||
"from": "now-1h",
|
||||
"to": "now"
|
||||
},
|
||||
"timepicker": {
|
||||
"refresh_intervals": [
|
||||
"5s",
|
||||
"10s",
|
||||
"30s",
|
||||
"1m",
|
||||
"5m",
|
||||
"15m",
|
||||
"30m",
|
||||
"1h",
|
||||
"2h",
|
||||
"1d"
|
||||
],
|
||||
"time_options": [
|
||||
"5m",
|
||||
"15m",
|
||||
"1h",
|
||||
"6h",
|
||||
"12h",
|
||||
"24h",
|
||||
"2d",
|
||||
"7d",
|
||||
"30d"
|
||||
]
|
||||
},
|
||||
"timezone": "",
|
||||
"title": "Blackbox Exporter Overview",
|
||||
"uid": "xtkCtBkiz",
|
||||
"version": 1,
|
||||
"description": "Fork of https://grafana.com/grafana/dashboards/5345 which uses 'instance' instead of 'target' label"
|
||||
}
|
1374
jails/config/monitor/json/freebsd-gstat-exporter_rev1.json
Normal file
1374
jails/config/monitor/json/freebsd-gstat-exporter_rev1.json
Normal file
File diff suppressed because it is too large
2711
jails/config/monitor/json/pfsense-firewall-dashboard_rev1.json
Normal file
2711
jails/config/monitor/json/pfsense-firewall-dashboard_rev1.json
Normal file
File diff suppressed because it is too large
2846
jails/config/monitor/json/pfsense_rev1.json
Normal file
2846
jails/config/monitor/json/pfsense_rev1.json
Normal file
File diff suppressed because it is too large
2941
jails/config/monitor/json/router-stats_rev1.json
Normal file
2941
jails/config/monitor/json/router-stats_rev1.json
Normal file
File diff suppressed because it is too large
26544
jails/config/monitor/json/switch-overview_rev1.json
Normal file
26544
jails/config/monitor/json/switch-overview_rev1.json
Normal file
File diff suppressed because it is too large
@ -1,2 +1,3 @@
|
||||
mount proc
|
||||
/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
|
||||
ps axww | grep logstash
|
||||
|
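Review bot: `/usr/sbin/daemon -f /usr/local/logstash/bin/logstash …` starts Logstash with whatever privileges the caller has, which in a jail start-up sequence is presumably root. daemon(8) can drop privileges itself, so I would add `-u <logstash-user>` (placeholder; use the account the jail provides) and make sure `/var/log/logstash` is writable by that account. The trailing `ps axww | grep logstash` also matches the grep process itself; `pgrep -fl logstash` gives a cleaner check. Which of the three lines is new is not marked on this page.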
@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
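Review bot: The `<FilesMatch "\.(cgi|shtml|phtml|php)$">` block forwards every matching request path to the FastCGI backend without checking that the file exists on disk, and the switch of the `SetHandler` target from `localhost` to `127.0.0.1` carries no explanation. With `proxy:fcgi` a request for a path that does not exist is still passed to the pool, so I would wrap the handler in `<If "-f %{REQUEST_FILENAME}">` … `</If>` and narrow the pattern to `\.php$` unless the other extensions really are meant to be run by PHP. A comment such as `# 127.0.0.1 rather than localhost: avoids resolving to ::1 when php-fpm listens on IPv4 only` would record the reason; that reason is my inference, so confirm it against the FPM listen setting.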
@ -21,7 +21,7 @@ http {
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
proxy_set_header Host $proxy_host;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
server {
|
||||
listen *:80;
|
||||
@ -95,6 +95,7 @@ http {
|
||||
proxy_cache_lock on;
|
||||
proxy_next_upstream error timeout invalid_header http_404;
|
||||
proxy_pass http://pkg-mirrors;
|
||||
proxy_http_version 1.1;
|
||||
# add_header X-Proxy-Cache $upstream_cache_status;
|
||||
}
|
||||
}
|
||||
@ -118,7 +119,7 @@ http {
|
||||
listen [::]:8002;
|
||||
server_name localhost;
|
||||
location / {
|
||||
proxy_pass http://pkg0.cyb.FreeBSD.org;
|
||||
proxy_pass http://pkg0.tuk.FreeBSD.org;
|
||||
}
|
||||
}
|
||||
|
||||
@ -146,6 +147,7 @@ http {
|
||||
proxy_cache_lock on;
|
||||
proxy_next_upstream error timeout invalid_header http_404;
|
||||
proxy_pass http://update-mirrors;
|
||||
proxy_http_version 1.1;
|
||||
# add_header X-Proxy-Cache $upstream_cache_status;
|
||||
}
|
||||
}
|
||||
|
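Review bot: `proxy_set_header Host $host;` at `http {}` level (the later of the two printed lines, which I read as the new side) makes the upstream Host header client-controlled for every `proxy_pass` in the file, including the cached `pkg-mirrors` / `update-mirrors` locations and the `location /` that fetches from `pkg0.tuk.FreeBSD.org`. No `proxy_cache_key` is visible in these hunks; if the default key is in use it does not contain the request's Host, so a response selected by a client-chosen Host could be stored and then served to other clients. I would keep `proxy_set_header Host $proxy_host;` inside the mirror-facing `location /` blocks and use `$host` only where a backend needs the original name. The `proxy_http_version 1.1;` lines in the two cache locations also look redundant with the `http`-level setting shown in the first hunk. The `http` and `server` blocks start and end outside the hunks.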
@ -36,15 +36,6 @@ defaults
|
||||
timeout tunnel 3600s
|
||||
timeout tarpit 60s
|
||||
|
||||
#listen stats
|
||||
# bind :::1936 v4v6
|
||||
# stats uri /
|
||||
# stats enable
|
||||
# stats refresh 10s
|
||||
# stats show-node
|
||||
# stats realm Haproxy\ Statistics
|
||||
# stats auth infra:infra
|
||||
|
||||
frontend stats
|
||||
bind :::8404 v4v6
|
||||
http-request use-service prometheus-exporter if { path /metrics }
|
||||
@ -88,6 +79,7 @@ frontend ft
|
||||
use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
|
||||
|
||||
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
|
||||
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
|
||||
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
|
||||
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
|
||||
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
|
||||
@ -101,6 +93,8 @@ frontend ft
|
||||
use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
|
||||
use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
|
||||
use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
|
||||
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
|
||||
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
|
||||
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
|
||||
|
||||
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
|
||||
@ -108,7 +102,6 @@ frontend ft
|
||||
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
|
||||
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
|
||||
|
||||
use_backend bk_beyondbell-api if { ssl_fc_sni api.beyondbell.com }
|
||||
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
|
||||
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
|
||||
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
|
||||
@ -118,26 +111,37 @@ frontend ft
|
||||
|
||||
backend bk_ahlawat
|
||||
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell
|
||||
server srv1 192.168.0.74:8000
|
||||
server srv1 192.168.0.77:8000
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_diyit
|
||||
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-sharad
|
||||
balance roundrobin
|
||||
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-rachna
|
||||
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-nivi
|
||||
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-rishabh
|
||||
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
#backend bk_ahlawat-book
|
||||
@ -164,10 +168,12 @@ backend bk_ahlawat-cam
|
||||
|
||||
backend bk_ahlawat-cloud
|
||||
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-git
|
||||
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspidel X-Frame-Options:*
|
||||
# http-request set-var(txn.src) src
|
||||
# acl mynet var(txn.src) -m sub 192.168.0
|
||||
@ -178,8 +184,19 @@ backend bk_ahlawat-git
|
||||
|
||||
backend bk_ahlawat-hub
|
||||
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-matrix
|
||||
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-meet
|
||||
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-monitor
|
||||
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
@ -199,6 +216,7 @@ backend bk_diyit-kibana
|
||||
|
||||
backend bk_diyit-maps
|
||||
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-ci
|
||||
@ -208,28 +226,26 @@ backend bk_ahlawat-ci
|
||||
server srv1 cix.ahlawat.com:8180 check
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-api
|
||||
server srv1 192.168.0.77:8000
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-git
|
||||
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-ci
|
||||
http-request set-header Host cix.beyondbell.com:8111
|
||||
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
|
||||
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
|
||||
server srv1 cix.beyondbell.com:8111 check
|
||||
server srv1 cix.beyondbell.com:8111
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-repo
|
||||
# http-request set-header Host 192.168.0.75:8080
|
||||
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
|
||||
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
|
||||
server srv1 192.168.0.75:8080 check
|
||||
server srv1 192.168.0.75:8080
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-gs
|
||||
server srv1 192.168.0.81:26900 check
|
||||
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
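Review bot: The `server srv2 … backup check ssl ca-file /mnt/certs/cacert.pem alpn h2` lines that appear across the backends validate the certificate chain but name no host to verify, since neither `sni` nor `verifyhost` is set on them. With one shared CA file, a certificate issued by that CA for any host would then be accepted by every backend, including on failover to `web.ahlawat.com`. Unless the `global`/`defaults` sections outside these hunks already cover it, I would write e.g. `server srv2 web.ahlawat.com:443 backup check ssl verify required ca-file /mnt/certs/cacert.pem verifyhost web.ahlawat.com alpn h2` and do the same on the matching `srv1` lines. Separately, `bk_beyondbell-api` and the `cix.beyondbell.com:8111` / `192.168.0.75:8080` servers are plain HTTP with no `check`, so a dead backend goes undetected.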
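--- a/jails/config/rachna/020_mod_ssl.conf
+++ b/jails/config/rachna/020_mod_ssl.conf
@@ -0,0 +1,11 @@
+Listen 443
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLCompression off
+# SSLUseStapling on
+SSLSessionTickets off
+SSLOptions +StrictRequire
+SSLPassPhraseDialog builtin
+SSLSessionCacheTimeout 300
+SSLSessionCache shmcb:/usr/local/etc/apache24/ssl_scache(512000)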
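Review bot: The `SSLCipherSuite` list ends with four CBC-mode suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`) although `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` already limits clients to TLS 1.2 and later, where the GCM and CHACHA20 entries ahead of them are available. I would end the list at `ECDHE-RSA-AES128-GCM-SHA256` so only AEAD suites are offered. `SSLSessionCache shmcb:/usr/local/etc/apache24/ssl_scache(512000)` also puts runtime state in the configuration directory; a path such as `/var/run/ssl_scache` keeps that tree read-only for the server. The commented `# SSLUseStapling on` deserves a short comment saying why stapling is left off.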
610
jails/config/rachna/httpd.conf
Normal file
610
jails/config/rachna/httpd.conf
Normal file
@ -0,0 +1,610 @@
|
||||
#
|
||||
# This is the main Apache HTTP server configuration file. It contains the
|
||||
# configuration directives that give the server its instructions.
|
||||
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
|
||||
# In particular, see
|
||||
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
|
||||
# for a discussion of each configuration directive.
|
||||
#
|
||||
# Do NOT simply read the instructions in here without understanding
|
||||
# what they do. They're here only as hints or reminders. If you are unsure
|
||||
# consult the online docs. You have been warned.
|
||||
#
|
||||
# Configuration and logfile names: If the filenames you specify for many
|
||||
# of the server's control files begin with "/" (or "drive:/" for Win32), the
|
||||
# server will use that explicit path. If the filenames do *not* begin
|
||||
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
|
||||
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
|
||||
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
|
||||
# will be interpreted as '/logs/access_log'.
|
||||
|
||||
#
|
||||
# ServerRoot: The top of the directory tree under which the server's
|
||||
# configuration, error, and log files are kept.
|
||||
#
|
||||
# Do not add a slash at the end of the directory path. If you point
|
||||
# ServerRoot at a non-local disk, be sure to specify a local disk on the
|
||||
# Mutex directive, if file-based mutexes are used. If you wish to share the
|
||||
# same ServerRoot for multiple httpd daemons, you will need to change at
|
||||
# least PidFile.
|
||||
#
|
||||
ServerRoot "/usr/local"
|
||||
|
||||
#
|
||||
# Mutex: Allows you to set the mutex mechanism and mutex file directory
|
||||
# for individual mutexes, or change the global defaults
|
||||
#
|
||||
# Uncomment and change the directory if mutexes are file-based and the default
|
||||
# mutex file directory is not on a local disk or is not appropriate for some
|
||||
# other reason.
|
||||
#
|
||||
# Mutex default:/var/run
|
||||
|
||||
#
|
||||
# Listen: Allows you to bind Apache to specific IP addresses and/or
|
||||
# ports, instead of the default. See also the <VirtualHost>
|
||||
# directive.
|
||||
#
|
||||
# Change this to Listen on specific IP addresses as shown below to
|
||||
# prevent Apache from glomming onto all bound IP addresses.
|
||||
#
|
||||
#Listen 12.34.56.78:80
|
||||
Listen 80
|
||||
|
||||
#
|
||||
# Dynamic Shared Object (DSO) Support
|
||||
#
|
||||
# To be able to use the functionality of a module which was built as a DSO you
|
||||
# have to place corresponding `LoadModule' lines at this location so the
|
||||
# directives contained in it are actually available _before_ they are used.
|
||||
# Statically compiled modules (those listed by `httpd -l') do not need
|
||||
# to be loaded here.
|
||||
#
|
||||
# Example:
|
||||
# LoadModule foo_module modules/mod_foo.so
|
||||
#
|
||||
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
|
||||
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
|
||||
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
|
||||
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
|
||||
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
|
||||
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
|
||||
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
|
||||
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
|
||||
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
|
||||
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
|
||||
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
|
||||
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
|
||||
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
|
||||
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
|
||||
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
|
||||
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
|
||||
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
|
||||
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
|
||||
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
|
||||
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
|
||||
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
|
||||
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
|
||||
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
|
||||
#LoadModule cache_module libexec/apache24/mod_cache.so
|
||||
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
|
||||
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
|
||||
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
|
||||
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
|
||||
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
|
||||
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
|
||||
#LoadModule macro_module libexec/apache24/mod_macro.so
|
||||
#LoadModule dbd_module libexec/apache24/mod_dbd.so
|
||||
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
|
||||
#LoadModule buffer_module libexec/apache24/mod_buffer.so
|
||||
#LoadModule data_module libexec/apache24/mod_data.so
|
||||
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
|
||||
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
|
||||
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
|
||||
#LoadModule request_module libexec/apache24/mod_request.so
|
||||
#LoadModule include_module libexec/apache24/mod_include.so
|
||||
LoadModule filter_module libexec/apache24/mod_filter.so
|
||||
#LoadModule reflector_module libexec/apache24/mod_reflector.so
|
||||
#LoadModule substitute_module libexec/apache24/mod_substitute.so
|
||||
#LoadModule sed_module libexec/apache24/mod_sed.so
|
||||
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
|
||||
#LoadModule deflate_module libexec/apache24/mod_deflate.so
|
||||
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
|
||||
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
|
||||
LoadModule mime_module libexec/apache24/mod_mime.so
|
||||
LoadModule log_config_module libexec/apache24/mod_log_config.so
|
||||
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
|
||||
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
|
||||
#LoadModule logio_module libexec/apache24/mod_logio.so
|
||||
LoadModule env_module libexec/apache24/mod_env.so
|
||||
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
|
||||
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
|
||||
#LoadModule expires_module libexec/apache24/mod_expires.so
|
||||
LoadModule headers_module libexec/apache24/mod_headers.so
|
||||
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
|
||||
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
|
||||
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
|
||||
LoadModule version_module libexec/apache24/mod_version.so
|
||||
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
|
||||
LoadModule proxy_module libexec/apache24/mod_proxy.so
|
||||
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
|
||||
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
|
||||
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
|
||||
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
|
||||
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
|
||||
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
|
||||
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
|
||||
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
|
||||
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
|
||||
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
|
||||
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
|
||||
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
|
||||
#LoadModule session_module libexec/apache24/mod_session.so
|
||||
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
|
||||
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
|
||||
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
|
||||
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
|
||||
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
|
||||
LoadModule ssl_module libexec/apache24/mod_ssl.so
|
||||
#LoadModule dialup_module libexec/apache24/mod_dialup.so
|
||||
LoadModule http2_module libexec/apache24/mod_http2.so
|
||||
LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
|
||||
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
|
||||
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
|
||||
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
|
||||
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
|
||||
LoadModule unixd_module libexec/apache24/mod_unixd.so
|
||||
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
|
||||
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
|
||||
#LoadModule dav_module libexec/apache24/mod_dav.so
|
||||
LoadModule status_module libexec/apache24/mod_status.so
|
||||
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
|
||||
#LoadModule asis_module libexec/apache24/mod_asis.so
|
||||
#LoadModule info_module libexec/apache24/mod_info.so
|
||||
<IfModule !mpm_prefork_module>
|
||||
#LoadModule cgid_module libexec/apache24/mod_cgid.so
|
||||
</IfModule>
|
||||
<IfModule mpm_prefork_module>
|
||||
#LoadModule cgi_module libexec/apache24/mod_cgi.so
|
||||
</IfModule>
|
||||
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
|
||||
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
|
||||
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
|
||||
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
|
||||
LoadModule dir_module libexec/apache24/mod_dir.so
|
||||
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
|
||||
#LoadModule actions_module libexec/apache24/mod_actions.so
|
||||
#LoadModule speling_module libexec/apache24/mod_speling.so
|
||||
#LoadModule userdir_module libexec/apache24/mod_userdir.so
|
||||
LoadModule alias_module libexec/apache24/mod_alias.so
|
||||
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
|
||||
#LoadModule php7_module libexec/apache24/libphp7.so
|
||||
|
||||
# Third party modules
|
||||
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
|
||||
|
||||
<IfModule unixd_module>
|
||||
#
|
||||
# If you wish httpd to run as a different user or group, you must run
|
||||
# httpd as root initially and it will switch.
|
||||
#
|
||||
# User/Group: The name (or #number) of the user/group to run httpd as.
|
||||
# It is usually good practice to create a dedicated user and group for
|
||||
# running httpd, as with most system services.
|
||||
#
|
||||
User www
|
||||
Group www
|
||||
|
||||
</IfModule>
|
||||
|
||||
# 'Main' server configuration
|
||||
#
|
||||
# The directives in this section set up the values used by the 'main'
|
||||
# server, which responds to any requests that aren't handled by a
|
||||
# <VirtualHost> definition. These values also provide defaults for
|
||||
# any <VirtualHost> containers you may define later in the file.
|
||||
#
|
||||
# All of these directives may appear inside <VirtualHost> containers,
|
||||
# in which case these default settings will be overridden for the
|
||||
# virtual host being defined.
|
||||
#
|
||||
|
||||
#
|
||||
# ServerAdmin: Your address, where problems with the server should be
|
||||
# e-mailed. This address appears on some server-generated pages, such
|
||||
# as error documents. e.g. admin@your-domain.com
|
||||
#
|
||||
ServerAdmin sharad@ahlawat.com
|
||||
|
||||
#
|
||||
# ServerName gives the name and port that the server uses to identify itself.
|
||||
# This can often be determined automatically, but we recommend you specify
|
||||
# it explicitly to prevent problems during startup.
|
||||
#
|
||||
# If your host doesn't have a registered DNS name, enter its IP address here.
|
||||
#
|
||||
#ServerName www.example.com:80
|
||||
|
||||
#
|
||||
# Deny access to the entirety of your server's filesystem. You must
|
||||
# explicitly permit access to web content directories in other
|
||||
# <Directory> blocks below.
|
||||
#
|
||||
<Directory />
|
||||
AllowOverride none
|
||||
Require all denied
|
||||
</Directory>
|
||||
|
||||
#
|
||||
# Note that from this point forward you must specifically allow
|
||||
# particular features to be enabled - so if something's not working as
|
||||
# you might expect, make sure that you have specifically enabled it
|
||||
# below.
|
||||
#
|
||||
|
||||
#
|
||||
# DocumentRoot: The directory out of which you will serve your
|
||||
# documents. By default, all requests are taken from this directory, but
|
||||
# symbolic links and aliases may be used to point to other locations.
|
||||
#
|
||||
DocumentRoot "/usr/local/www/apache24/data"
|
||||
<Directory "/usr/local/www/apache24/data">
|
||||
|
||||
# can't set this if traffic is passing through haproxy and being redirected to ssl already
|
||||
# RewriteEngine on
|
||||
# RewriteRule ^/\.well-known/ - [L]
|
||||
# RewriteRule (.*) https://rachna.ahlawat.com [R,L]
|
||||
|
||||
#
|
||||
# Possible values for the Options directive are "None", "All",
|
||||
# or any combination of:
|
||||
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
|
||||
#
|
||||
# Note that "MultiViews" must be named *explicitly* --- "Options All"
|
||||
# doesn't give it to you.
|
||||
#
|
||||
# The Options directive is both complicated and important. Please see
|
||||
# http://httpd.apache.org/docs/2.4/mod/core.html#options
|
||||
# for more information.
|
||||
#
|
||||
Options Indexes FollowSymLinks
|
||||
|
||||
#
|
||||
# AllowOverride controls what directives may be placed in .htaccess files.
|
||||
# It can be "All", "None", or any combination of the keywords:
|
||||
# AllowOverride FileInfo AuthConfig Limit
|
||||
#
|
||||
AllowOverride None
|
||||
|
||||
#
|
||||
# Controls who can get stuff from this server.
|
||||
#
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
#
|
||||
# DirectoryIndex: sets the file that Apache will serve if a directory
|
||||
# is requested.
|
||||
#
|
||||
<IfModule dir_module>
|
||||
DirectoryIndex index.php index.html
|
||||
<FilesMatch "\.php$">
|
||||
SetHandler application/x-httpd-php
|
||||
</FilesMatch>
|
||||
<FilesMatch "\.phps$">
|
||||
SetHandler application/x-httpd-php-source
|
||||
</FilesMatch>
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# The following lines prevent .htaccess and .htpasswd files from being
|
||||
# viewed by Web clients.
|
||||
#
|
||||
<Files ".ht*">
|
||||
Require all denied
|
||||
</Files>
|
||||
|
||||
#
|
||||
# ErrorLog: The location of the error log file.
|
||||
# If you do not specify an ErrorLog directive within a <VirtualHost>
|
||||
# container, error messages relating to that virtual host will be
|
||||
# logged here. If you *do* define an error logfile for a <VirtualHost>
|
||||
# container, that host's errors will be logged there and not here.
|
||||
#
|
||||
ErrorLog "/var/log/httpd-error.log"
|
||||
|
||||
#
|
||||
# LogLevel: Control the number of messages logged to the error_log.
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
#
|
||||
LogLevel warn
|
||||
|
||||
<IfModule log_config_module>
|
||||
#
|
||||
# The following directives define some format nicknames for use with
|
||||
# a CustomLog directive (see below).
|
||||
#
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
||||
|
||||
<IfModule logio_module>
|
||||
# You need to enable mod_logio.c to use %I and %O
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# The location and format of the access logfile (Common Logfile Format).
|
||||
# If you do not define any access logfiles within a <VirtualHost>
|
||||
# container, they will be logged here. Contrariwise, if you *do*
|
||||
# define per-<VirtualHost> access logfiles, transactions will be
|
||||
# logged therein and *not* in this file.
|
||||
#
|
||||
CustomLog "/var/log/httpd-access.log" common
|
||||
|
||||
#
|
||||
# If you prefer a logfile with access, agent, and referer information
|
||||
# (Combined Logfile Format) you can use the following directive.
|
||||
#
|
||||
#CustomLog "/var/log/httpd-access.log" combined
|
||||
</IfModule>
|
||||
|
||||
<IfModule alias_module>
|
||||
#
|
||||
# Redirect: Allows you to tell clients about documents that used to
|
||||
# exist in your server's namespace, but do not anymore. The client
|
||||
# will make a new request for the document at its new location.
|
||||
# Example:
|
||||
# Redirect permanent /foo http://www.example.com/bar
|
||||
|
||||
#
|
||||
# Alias: Maps web paths into filesystem paths and is used to
|
||||
# access content that does not live under the DocumentRoot.
|
||||
# Example:
|
||||
# Alias /webpath /full/filesystem/path
|
||||
#
|
||||
# If you include a trailing / on /webpath then the server will
|
||||
# require it to be present in the URL. You will also likely
|
||||
# need to provide a <Directory> section to allow access to
|
||||
# the filesystem path.
|
||||
|
||||
#
|
||||
# ScriptAlias: This controls which directories contain server scripts.
|
||||
# ScriptAliases are essentially the same as Aliases, except that
|
||||
# documents in the target directory are treated as applications and
|
||||
# run by the server when requested rather than as documents sent to the
|
||||
# client. The same rules about trailing "/" apply to ScriptAlias
|
||||
# directives as to Alias.
|
||||
#
|
||||
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
|
||||
|
||||
</IfModule>
|
||||
|
||||
<IfModule cgid_module>
|
||||
#
|
||||
# ScriptSock: On threaded servers, designate the path to the UNIX
|
||||
# socket used to communicate with the CGI daemon of mod_cgid.
|
||||
#
|
||||
#Scriptsock cgisock
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
|
||||
# CGI directory exists, if you have that configured.
|
||||
#
|
||||
<Directory "/usr/local/www/apache24/cgi-bin">
|
||||
AllowOverride None
|
||||
Options None
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
<IfModule headers_module>
|
||||
#
|
||||
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
|
||||
# backend servers which have lingering "httpoxy" defects.
|
||||
# 'Proxy' request header is undefined by the IETF, not listed by IANA
|
||||
#
|
||||
RequestHeader unset Proxy early
|
||||
</IfModule>
|
||||
|
||||
<IfModule mime_module>
|
||||
#
|
||||
# TypesConfig points to the file containing the list of mappings from
|
||||
# filename extension to MIME-type.
|
||||
#
|
||||
TypesConfig etc/apache24/mime.types
|
||||
|
||||
#
|
||||
# AddType allows you to add to or override the MIME configuration
|
||||
# file specified in TypesConfig for specific file types.
|
||||
#
|
||||
#AddType application/x-gzip .tgz
|
||||
#
|
||||
# AddEncoding allows you to have certain browsers uncompress
|
||||
# information on the fly. Note: Not all browsers support this.
|
||||
#
|
||||
#AddEncoding x-compress .Z
|
||||
#AddEncoding x-gzip .gz .tgz
|
||||
#
|
||||
# If the AddEncoding directives above are commented-out, then you
|
||||
# probably should define those extensions to indicate media types:
|
||||
#
|
||||
AddType application/x-compress .Z
|
||||
AddType application/x-gzip .gz .tgz
|
||||
|
||||
#
|
||||
# AddHandler allows you to map certain file extensions to "handlers":
|
||||
# actions unrelated to filetype. These can be either built into the server
|
||||
# or added with the Action directive (see below)
|
||||
#
|
||||
# To use CGI scripts outside of ScriptAliased directories:
|
||||
# (You will also need to add "ExecCGI" to the "Options" directive.)
|
||||
#
|
||||
#AddHandler cgi-script .cgi
|
||||
|
||||
# For type maps (negotiated resources):
|
||||
#AddHandler type-map var
|
||||
|
||||
#
|
||||
# Filters allow you to process content before it is sent to the client.
|
||||
#
|
||||
# To parse .shtml files for server-side includes (SSI):
|
||||
# (You will also need to add "Includes" to the "Options" directive.)
|
||||
#
|
||||
#AddType text/html .shtml
|
||||
#AddOutputFilter INCLUDES .shtml
|
||||
|
||||
AddType application/x-httpd-php .php
|
||||
AddType application/x-httpd-php-source .phps
|
||||
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# The mod_mime_magic module allows the server to use various hints from the
|
||||
# contents of the file itself to determine its type. The MIMEMagicFile
|
||||
# directive tells the module where the hint definitions are located.
|
||||
#
|
||||
#MIMEMagicFile etc/apache24/magic
|
||||
|
||||
#
|
||||
# Customizable error responses come in three flavors:
|
||||
# 1) plain text 2) local redirects 3) external redirects
|
||||
#
|
||||
# Some examples:
|
||||
#ErrorDocument 500 "The server made a boo boo."
|
||||
#ErrorDocument 404 /missing.html
|
||||
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
|
||||
#ErrorDocument 402 http://www.example.com/subscription_info.html
|
||||
#
|
||||
|
||||
#
|
||||
# MaxRanges: Maximum number of Ranges in a request before
|
||||
# returning the entire resource, or one of the special
|
||||
# values 'default', 'none' or 'unlimited'.
|
||||
# Default setting is to accept 200 Ranges.
|
||||
#MaxRanges unlimited
|
||||
|
||||
#
|
||||
# EnableMMAP and EnableSendfile: On systems that support it,
|
||||
# memory-mapping or the sendfile syscall may be used to deliver
|
||||
# files. This usually improves server performance, but must
|
||||
# be turned off when serving from networked-mounted
|
||||
# filesystems or if support for these functions is otherwise
|
||||
# broken on your system.
|
||||
# Defaults: EnableMMAP On, EnableSendfile Off
|
||||
#
|
||||
#EnableMMAP off
|
||||
#EnableSendfile on
|
||||
|
||||
# Supplemental configuration
|
||||
#
|
||||
# The configuration files in the etc/apache24/extra/ directory can be
|
||||
# included to add extra features or to modify the default configuration of
|
||||
# the server, or you may simply copy their contents here and change as
|
||||
# necessary.
|
||||
|
||||
# Server-pool management (MPM specific)
|
||||
#Include etc/apache24/extra/httpd-mpm.conf
|
||||
|
||||
# Multi-language error messages
|
||||
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
|
||||
|
||||
# Fancy directory listings
|
||||
#Include etc/apache24/extra/httpd-autoindex.conf
|
||||
|
||||
# Language settings
|
||||
#Include etc/apache24/extra/httpd-languages.conf
|
||||
|
||||
# User home directories
|
||||
#Include etc/apache24/extra/httpd-userdir.conf
|
||||
|
||||
# Real-time info on requests and configuration
|
||||
#Include etc/apache24/extra/httpd-info.conf
|
||||
|
||||
# Virtual hosts
|
||||
#Include etc/apache24/extra/httpd-vhosts.conf
|
||||
|
||||
# Local access to the Apache HTTP Server Manual
|
||||
#Include etc/apache24/extra/httpd-manual.conf
|
||||
|
||||
# Distributed authoring and versioning (WebDAV)
|
||||
#Include etc/apache24/extra/httpd-dav.conf
|
||||
|
||||
# Various default settings
|
||||
#Include etc/apache24/extra/httpd-default.conf
|
||||
|
||||
# Configure mod_proxy_html to understand HTML4/XHTML1
|
||||
<IfModule proxy_html_module>
|
||||
Include etc/apache24/extra/proxy-html.conf
|
||||
</IfModule>
|
||||
|
||||
# Secure (SSL/TLS) connections
|
||||
#Include etc/apache24/extra/httpd-ssl.conf
|
||||
#
|
||||
# Note: The following must must be present to support
|
||||
# starting without SSL on platforms with no /dev/random equivalent
|
||||
# but a statically compiled-in mod_ssl.
|
||||
#
|
||||
<IfModule ssl_module>
|
||||
SSLRandomSeed startup builtin
|
||||
SSLRandomSeed connect builtin
|
||||
</IfModule>
|
||||
|
||||
Include etc/apache24/Includes/*.conf
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName rachna.ahlawat.com
|
||||
ServerAlias *.ahlawat.com
|
||||
ServerAlias rachna
|
||||
|
||||
Protocols h2 h2c http/1.1
|
||||
|
||||
DocumentRoot "/usr/local/www/apache24/data/"
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile "/mnt/certs/fullchain.pem"
|
||||
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
|
||||
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
SSLHonorCipherOrder on
|
||||
SSLCompression off
|
||||
SSLSessionTickets off
|
||||
SSLOptions +StrictRequire
|
||||
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTP:Authorization} ^(.*)
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
<Directory "/usr/local/www/apache24/cgi-bin">
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
|
||||
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
||||
|
||||
<Directory "/usr/local/www/apache24/data/">
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
|
||||
#-IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
|
||||
|
||||
#AllowOverride controls what directives may be placed in .htaccess files.
|
||||
#AllowOverride All
|
||||
#-AllowOverride AuthConfig
|
||||
#Controls who can get stuff from this server file
|
||||
#-Require all granted
|
||||
</Directory>
|
||||
|
||||
ErrorLog "/var/log/ssl-error.log"
|
||||
CustomLog "/var/log/ssl-access_log" combined
|
||||
|
||||
<IfModule mod_headers.c>
|
||||
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
|
||||
</IfModule>
|
||||
|
||||
</VirtualHost>
|
1918
jails/config/rachna/php.ini
Normal file
1918
jails/config/rachna/php.ini
Normal file
File diff suppressed because it is too large
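--- a/jails/config/rachna/www.conf
+++ b/jails/config/rachna/www.conf
@@ -0,0 +1,423 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr/local) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+user = www
+group = www
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+; mode is set to 0660
+;listen.owner = www
+;listen.group = www
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 10
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in µs of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+; ************************
+; pid: 31330
+; state: Running
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 63087
+; requests: 12808
+; request duration: 1250261
+; request method: GET
+; request URI: /test_mem.php?N=10000
+; content length: 0
+; user: -
+; script: /home/fat/web/docs/php/test_mem.php
+; last request cpu: 0.00
+; last request memory: 0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+; It's available in: /usr/local/share/php/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{miliseconds}d
+; - %{mili}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some exemples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr/local)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M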
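Review bot: `listen = 127.0.0.1:9000` puts the pool on a TCP socket while `listen.allowed_clients` stays commented out, so FPM accepts FastCGI requests from any peer that can reach the port. Inside a jail that shares the host network stack (non-VNET), FreeBSD maps 127.0.0.1 to the jail's own address, so the listener may be reachable from the network and not only from Apache; whether this jail is VNET is not visible here and should be confirmed. A unix socket with `listen.owner = www`, `listen.group = www` and `listen.mode = 0660` would remove the network exposure, at the cost of changing the Apache `SetHandler` target to match. Separately, the Apache `FilesMatch` in this commit forwards `.cgi`, `.shtml` and `.phtml` to this pool, but `security.limit_extensions` is left at its default of `.php`, so the two lists should be made to agree.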
@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
@ -577,7 +577,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
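--- a/jails/config/vpngw/ipfw.rules
+++ b/jails/config/vpngw/ipfw.rules
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
+# ipfw -vated list
+
+# IPFW configuration
+#sysrc firewall_enable="YES"
+#sysrc firewall_logif="YES"
+#sysrc firewall_script="/mnt/config/ipfw.rules"
+
+# NATd configuration
+#sysrc gateway_enable="YES"
+#sysrc natd_enable="YES"
+#sysrc natd_interface="tun0"
+#sysrc natd_flags="-f /mnt/config/natd.conf"
+#natd.conf: redirect_port tcp 192.168.0.9:80 80
+
+# Set rules command prefix
+cmd="ipfw -q add"
+lif="epair0b" # interface name of VNET attached to Local network
+rif="tun0" # interface name of Tunnel attached to Remote network
+skip="skipto 12000"
+
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# gateway_enable already set in rc.conf
+# sysctl net.inet.ip.forwarding=1
+
+# Packets passing the stateful NAT may be re-injected into the firewall
+# sysctl net.inet.ip.fw.one_pass=0
+ipfw disable one_pass
+
+# functionality is included in the divert action
+#ipfw -q nat 1 config if $rif same_ports unreg_only reset
+
+$cmd 00050 allow ip from any to any via $lif
+
+$cmd 00100 allow ip from any to any via lo0
+
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+
+# The reassemble rule is not needed with userland natd(8)
+# because the internal workings of the IPFW divert action
+# takes care of reassembling packets before delivery to the socket
+#$cmd 01100 reass all from any to any in
+
+$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
+
+# Allow the packet through if it has an existing entry in the dynamic rules table
+$cmd 01300 check-state
+
+# Allow access to DNS
+#$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
+#$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
+#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
+#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+
+# Allow access to ISP's DHCP server for cable/DSL configurations.
+# Use the first rule and check log for IP address.
+# Then, uncomment the second rule, input the IP address, and delete the first rule
+#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
+#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
+
+# Allow outbound ping
+$cmd 02210 $skip icmp from any to any out via $rif keep-state
+
+# Allow outbound NTP
+#$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
+
+# Allow outbound TCP traffic
+$cmd 02500 $skip tcp from any to any 22,80,443,2024,3389,5904 out via $rif setup keep-state
+
+# deny and log all other outbound connections
+$cmd 02999 deny log all from any to any out via $rif
+
+#### Lockdown incoming traffic
+# Deny all inbound traffic from non-routable reserved address spaces
+#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
+#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
+#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
+$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
+$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
+$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
+$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
+$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
+$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
+
+# Allow traffic from ISP's DHCP server.
+# Replace x.x.x.x with the same IP address used in rule 02120.
+#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
+
+# Deny public pings
+#$cmd 03210 deny icmp from any to any in via $rif
+
+# Deny ident
+$cmd 03230 deny tcp from any to any 113 in via $rif
+
+# Deny all Netbios services.
+$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
+
+# Deny fragments
+$cmd 03250 deny all from any to any frag in via $rif
+
+# Deny ACK packets that did not match the dynamic rule table
+$cmd 03500 deny tcp from any to any established in via $rif
+
+# Allow inbound SSH connections
+#$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
+
+# Allow HTTP connections to internal web server
+#$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
+
+# Reject and log all other incoming connections
+$cmd 03999 deny log all from any to any in via $rif
+#### lockdown in
+
+$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
+
+$cmd 65000 allow ip from any to any
+
+#$cmd 65535 deny ip from any to any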
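Review bot: Rule 65000, `allow ip from any to any`, accepts everything the earlier rules leave undecided, and every deny above it is scoped to `via $rif` or to loopback addresses, so traffic on any interface other than `$lif`, `$rif` and `lo0` passes unfiltered. As far as the visible rules go, `$cmd 65000 allow ip from any to any via $rif` followed by `$cmd 65100 deny log ip from any to any` would keep the skipto/divert path working. It would also make the policy default-deny independent of how the kernel's built-in rule 65535 is configured. The `#loopback` comment on rule 03114 is also inaccurate for 0.0.0.0/8; `#"this network" (RFC 1122)` would describe it correctly.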
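--- a/jails/config/vpngw/natd.conf
+++ b/jails/config/vpngw/natd.conf
@@ -0,0 +1 @@
+redirect_port tcp 192.168.0.9:80 80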
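Review bot: `redirect_port tcp 192.168.0.9:80 80` has no matching accept rule in the `ipfw.rules` added by this commit: inbound packets on `tun0` are diverted at rule 01200 and then reach `03999 deny log`, because rule 03620 is commented out. Enabling 03620 as written would probably still not match, since natd has already rewritten the destination to 192.168.0.9 by then and the rule tests `to me 80`. If the forward is intended, the rule should name the translated address and let replies return through the divert at 12000, something like `$cmd 03620 $skip tcp from any to 192.168.0.9 80 in via $rif setup limit src-addr 2` (untested). If it is not intended, removing the redirect keeps the NAT config consistent with what the firewall actually permits.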
@ -583,7 +583,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
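Review bot: `SetHandler "proxy:fcgi://127.0.0.1:9000"` keeps PHP-FPM on a TCP listener, which any local process in the jail can connect to regardless of its user. If Apache and PHP-FPM run in the same jail, a Unix socket with a restrictive owner and mode narrows that: `SetHandler "proxy:unix:<php-fpm socket path>|fcgi://localhost/"` with a matching `listen` in the pool configuration. The same applies to the identical hunk at -579,7 that follows. The surrounding `FilesMatch` block belongs to a larger configuration that is outside this hunk.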
|
@ -579,7 +579,7 @@ Include etc/apache24/Includes/*.conf
|
||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SetHandler "proxy:fcgi://localhost:9000"
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,8 +8,6 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
JAIL=$1
|
||||
JAILHOSTNAME=$2
|
||||
JAILDOMAIN=$3
|
||||
@ -171,5 +171,5 @@ iocage exec $JAIL "pkg clean -y"
|
||||
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
|
||||
# iocage exec $JAIL "rmdir /mnt/common"
|
||||
|
||||
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN"
|
||||
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
|
||||
# reverse dns should already be configured for the mail server to accept this email
|
||||
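Review bot: The new `sendmail -v -t jail-root@$JAILDOMAIN` tells sendmail to take recipients from the message headers, but the piped message carries only a `Subject:` line. Delivery then depends on how the installed MTA treats a command-line address combined with `-t`, and implementations differ. Either drop `-t`, or put the recipient in the message by emitting a `To: jail-root@$JAILDOMAIN` header line before `Subject:`. Separately, the variables are expanded on the host into a single-quoted string that runs inside the jail, so a value containing `'` breaks the quoting; validating `$1`–`$3` where they are read would cover it. Most of the script body lies between the hunks and is not visible here.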
|
@ -1,3 +1,5 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,9 +8,7 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
|
||||
web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
|
||||
|
||||
for i in ${web_jails[@]};
|
||||
do
|
||||
@ -27,7 +27,8 @@ for i in ${web_jails[@]};
|
||||
do
|
||||
echo "restoring httpd.conf in web_jail $i after Apache update"
|
||||
iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
|
||||
iocage exec $i "service apache24 reload"
|
||||
iocage exec $i "service apache24 restart"
|
||||
done
|
||||
|
||||
echo "check if php.ini or php-fpm need to be restored"
|
||||
echo "check in output above if php.ini or php-fpm need to be restored"
|
||||
echo "check pkgp jail nginx instance is running"
|
||||
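Review bot: The `web_jails` array gains `rachna` here by hand and the same edit is repeated in the next script in this commit, so the list lives in several copies that can drift. A further copy in the package-update script lower on the page is printed without `rachna`, though the rendering does not show whether that line is removed or kept. A jail missing from one copy silently skips the httpd.conf restore or the service restarts; keeping the list in one file that each script sources (`. <path to shared jail list>`) removes that risk. The loop header `for i in ${web_jails[@]};` would also be safer as `"${web_jails[@]}"`.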
|
@ -1,3 +1,5 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,9 +8,7 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
|
||||
web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
|
||||
|
||||
for i in ${web_jails[@]};
|
||||
do
|
||||
@ -40,7 +40,7 @@ iocage exec monitor "service elasticsearch restart"
|
||||
iocage exec monitor "service kibana restart"
|
||||
|
||||
#iocage exec monitor "service logstash restart"
|
||||
iocage exec monitor "ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 "
|
||||
iocage exec monitor 'ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9 '
|
||||
iocage exec monitor "/root/start_logstash.sh"
|
||||
|
||||
iocage exec monitor "service heartbeat restart"
|
||||
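Review bot: The re-quoted pipeline `ps axww | grep logstash | cut -f1 -d" " | xargs -n 1 kill -9` is fragile in three ways. `grep` matches its own process, `cut -f1 -d" "` yields an empty field whenever `ps` pads the PID with leading spaces, and `kill -9` gives Logstash no chance to shut down cleanly. `iocage exec monitor "pkill -f '[l]ogstash'"` does the same job with the default SIGTERM, and the bracket keeps the pattern from matching the invoking shell's own command line. `-9` is then only needed as a fallback after a short wait.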
|
@ -1,3 +1,5 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,53 +8,65 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
pkg_jail="pj121"
|
||||
pkg_repo="pkgp121"
|
||||
|
||||
#<<'COMMENT-SKIP-PKG-BUILD'
|
||||
iocage exec pkgp "pkg update -f"
|
||||
iocage exec pkgp "pkg upgrade -y"
|
||||
iocage exec pkgp "pkg clean -ay"
|
||||
if [[ $1 == "pkgp-skip" ]]; then
|
||||
|
||||
iocage set securelevel=0 pkgp
|
||||
iocage exec pkgp "poudriere jail -l"
|
||||
iocage exec pkgp "poudriere jail -u -j $pkg_jail"
|
||||
iocage set securelevel=2 pkgp
|
||||
echo "skipping pkgp update"
|
||||
|
||||
iocage exec pkgp "portsnap auto"
|
||||
else
|
||||
|
||||
iocage exec pkgp "poudriere ports -l"
|
||||
iocage exec pkgp "poudriere ports -u"
|
||||
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
|
||||
#COMMENT-SKIP-PKG-BUILD
|
||||
#<<'UNCOMMENT-TO-SKIP-PKG-BUILD'
|
||||
iocage exec pkgp "pkg update"
|
||||
iocage exec pkgp "pkg upgrade -y"
|
||||
iocage exec pkgp "pkg clean -ay"
|
||||
|
||||
cd /mnt/ship/ldap/phpLDAPadmin
|
||||
pwd
|
||||
git pull
|
||||
cd /mnt/ship/r-ldap/phpLDAPadmin
|
||||
pwd
|
||||
git pull
|
||||
cd /mnt/ship/book/calibre-web
|
||||
pwd
|
||||
git pull
|
||||
cd /mnt/ship/plex/PlexConnect
|
||||
pwd
|
||||
git pull
|
||||
cd /mnt/ship/maps/networkmaps
|
||||
pwd
|
||||
git pull
|
||||
iocage set securelevel=0 pkgp
|
||||
iocage exec pkgp "poudriere jail -l"
|
||||
iocage exec pkgp "poudriere jail -u -j $pkg_jail"
|
||||
iocage set securelevel=2 pkgp
|
||||
|
||||
iocage exec pkgp "portsnap auto"
|
||||
|
||||
iocage exec pkgp "poudriere ports -l"
|
||||
iocage exec pkgp "poudriere ports -u"
|
||||
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
|
||||
#UNCOMMENT-TO-SKIP-PKG-BUILD
|
||||
|
||||
cd /mnt/ship/ldap/phpLDAPadmin
|
||||
pwd
|
||||
git pull
|
||||
|
||||
cd /mnt/ship/r-ldap/phpLDAPadmin
|
||||
pwd
|
||||
git pull
|
||||
|
||||
cd /mnt/ship/book/calibre-web
|
||||
pwd
|
||||
git pull
|
||||
|
||||
cd /mnt/ship/plex/PlexConnect
|
||||
pwd
|
||||
git pull
|
||||
|
||||
cd /mnt/ship/maps/networkmaps
|
||||
pwd
|
||||
git pull
|
||||
|
||||
fi
|
||||
|
||||
if [[ $1 == "pkgp-only" ]]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
#read -p "Return/Enter to continue, ctrl-c to abort? " RESP
|
||||
|
||||
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
|
||||
pkg_repo="pkgp121"
|
||||
|
||||
for i in `iocage list -h | cut -f 2`;
|
||||
do
|
||||
echo "## $i JAIL ##"
|
||||
|
||||
iocage exec $i "pkg update -f"
|
||||
iocage exec $i "pkg update"
|
||||
|
||||
if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then
|
||||
iocage exec $i "pkg unlock -y openldap-sasl-server"
|
||||
@ -79,7 +93,8 @@ done
|
||||
|
||||
echo "NOTES:"
|
||||
|
||||
echo "pkg update -f"
|
||||
echo "update base system by running:"
|
||||
echo "pkg update"
|
||||
echo "pkg autoremove -y"
|
||||
echo "pkg upgrade -y"
|
||||
echo "pkg clean -ay"
|
||||
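Review bot: Nothing restores `securelevel=2` on the `pkgp` jail if the script is interrupted or `poudriere jail -u` hangs after `iocage set securelevel=0 pkgp`, so the jail can be left at the lowered level unnoticed. A `trap 'iocage set securelevel=2 pkgp' EXIT` placed just before the lowering line covers those paths. The rendering prints this block twice without +/- markers, so the point applies to whichever copy is on the new side. Each `cd /mnt/ship/...` is also followed by an unconditional `git pull`; `cd ... && git pull` avoids pulling in the wrong directory when a mount is missing.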
|
@ -1,3 +1,5 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
@ -6,8 +8,6 @@
|
||||
#
|
||||
#
|
||||
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
update_jail ()
|
||||
{
|
||||
echo "######## ## JAIL:::: $JAIL ##"
|
||||
@ -47,7 +47,7 @@ if [ ! -z $RESP ] && [ $RESP == "y" ]; then
|
||||
update_jail
|
||||
fi
|
||||
|
||||
./jails-update-pkgs.sh
|
||||
./jails-update-pkgs.sh pkgp-only
|
||||
|
||||
read -p "update all jails (y/N)? " RESP
|
||||
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
|
||||
@ -63,5 +63,7 @@ fi
|
||||
echo "update base system by running:"
|
||||
echo "freebsd-update fetch"
|
||||
echo "freebsd-update install"
|
||||
echo "cd /usr/src && make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT"
|
||||
echo "reboot"
|
||||
echo "pkg-static upgrade -f"
|
||||
echo "mergemaster"
|
||||
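Review bot: `./jails-update-pkgs.sh pkgp-only` is still resolved against the caller's working directory. The script, presumably run as root, therefore executes whatever file of that name sits in the current directory, or fails when started from elsewhere. Resolving the helper from the script's own location avoids both: `"$(dirname "$0")/jails-update-pkgs.sh" pkgp-only`. Its exit status is also ignored before the `update all jails` prompt, so a failed package-repo update does not stop the run.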
|
804
patches/D24250.patch
Normal file
804
patches/D24250.patch
Normal file
@ -0,0 +1,804 @@
|
||||
Index: head/sys/net/if_bridge.c
|
||||
===================================================================
|
||||
--- head/sys/net/if_bridge.c
|
||||
+++ head/sys/net/if_bridge.c
|
||||
@@ -189,41 +189,14 @@
|
||||
*/
|
||||
#define BRIDGE_LOCK_INIT(_sc) do { \
|
||||
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
|
||||
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
|
||||
} while (0)
|
||||
#define BRIDGE_LOCK_DESTROY(_sc) do { \
|
||||
mtx_destroy(&(_sc)->sc_mtx); \
|
||||
- cv_destroy(&(_sc)->sc_cv); \
|
||||
} while (0)
|
||||
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
|
||||
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
|
||||
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
|
||||
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
|
||||
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- if ((_sc)->sc_iflist_xcnt > 0) \
|
||||
- (_err) = EBUSY; \
|
||||
- else \
|
||||
- (_sc)->sc_iflist_ref++; \
|
||||
- mtx_unlock(&(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_UNREF(_sc) do { \
|
||||
- mtx_lock(&(_sc)->sc_mtx); \
|
||||
- (_sc)->sc_iflist_ref--; \
|
||||
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
|
||||
- cv_broadcast(&(_sc)->sc_cv); \
|
||||
- mtx_unlock(&(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_XLOCK(_sc) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- (_sc)->sc_iflist_xcnt++; \
|
||||
- while ((_sc)->sc_iflist_ref > 0) \
|
||||
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_XDROP(_sc) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- (_sc)->sc_iflist_xcnt--; \
|
||||
-} while (0)
|
||||
|
||||
/*
|
||||
* Bridge interface list entry.
|
||||
@@ -237,6 +210,7 @@
|
||||
uint32_t bif_addrmax; /* max # of addresses */
|
||||
uint32_t bif_addrcnt; /* cur. # of addresses */
|
||||
uint32_t bif_addrexceeded;/* # of address violations */
|
||||
+ struct epoch_context bif_epoch_ctx;
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -250,6 +224,8 @@
|
||||
uint8_t brt_flags; /* address flags */
|
||||
uint8_t brt_addr[ETHER_ADDR_LEN];
|
||||
uint16_t brt_vlan; /* vlan id */
|
||||
+ struct vnet *brt_vnet;
|
||||
+ struct epoch_context brt_epoch_ctx;
|
||||
};
|
||||
#define brt_ifp brt_dst->bif_ifp
|
||||
|
||||
@@ -260,13 +236,10 @@
|
||||
struct ifnet *sc_ifp; /* make this an interface */
|
||||
LIST_ENTRY(bridge_softc) sc_list;
|
||||
struct mtx sc_mtx;
|
||||
- struct cv sc_cv;
|
||||
uint32_t sc_brtmax; /* max # of addresses */
|
||||
uint32_t sc_brtcnt; /* cur. # of addresses */
|
||||
uint32_t sc_brttimeout; /* rt timeout in seconds */
|
||||
struct callout sc_brcallout; /* bridge callout */
|
||||
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
|
||||
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
|
||||
CK_LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
|
||||
CK_LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
|
||||
CK_LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
|
||||
@@ -276,6 +249,7 @@
|
||||
uint32_t sc_brtexceeded; /* # of cache drops */
|
||||
struct ifnet *sc_ifaddr; /* member mac copied from */
|
||||
struct ether_addr sc_defaddr; /* Default MAC address */
|
||||
+ struct epoch_context sc_epoch_ctx;
|
||||
};
|
||||
|
||||
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
|
||||
@@ -596,6 +570,10 @@
|
||||
if_clone_detach(V_bridge_cloner);
|
||||
V_bridge_cloner = NULL;
|
||||
BRIDGE_LIST_LOCK_DESTROY();
|
||||
+
|
||||
+ /* Callbacks may use the UMA zone. */
|
||||
+ epoch_drain_callbacks(net_epoch_preempt);
|
||||
+
|
||||
uma_zdestroy(V_bridge_rtnode_zone);
|
||||
}
|
||||
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
|
||||
@@ -722,6 +700,17 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_clone_destroy_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_softc *sc;
|
||||
+
|
||||
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
|
||||
+
|
||||
+ BRIDGE_LOCK_DESTROY(sc);
|
||||
+ free(sc, M_DEVBUF);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_clone_destroy:
|
||||
*
|
||||
@@ -732,7 +721,9 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_softc;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
BRIDGE_LOCK(sc);
|
||||
|
||||
bridge_stop(ifp, 1);
|
||||
@@ -757,11 +748,12 @@
|
||||
BRIDGE_LIST_UNLOCK();
|
||||
|
||||
bstp_detach(&sc->sc_stp);
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
+
|
||||
ether_ifdetach(ifp);
|
||||
if_free(ifp);
|
||||
|
||||
- BRIDGE_LOCK_DESTROY(sc);
|
||||
- free(sc, M_DEVBUF);
|
||||
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -787,7 +779,10 @@
|
||||
struct ifdrv *ifd = (struct ifdrv *) data;
|
||||
const struct bridge_control *bc;
|
||||
int error = 0, oldmtu;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
+
|
||||
switch (cmd) {
|
||||
|
||||
case SIOCADDMULTI:
|
||||
@@ -908,6 +903,8 @@
|
||||
break;
|
||||
}
|
||||
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
+
|
||||
return (error);
|
||||
}
|
||||
|
||||
@@ -922,6 +919,8 @@
|
||||
struct bridge_iflist *bif;
|
||||
int enabled, mask;
|
||||
|
||||
+ BRIDGE_LOCK_ASSERT(sc);
|
||||
+
|
||||
/* Initial bitmask of capabilities to test */
|
||||
mask = BRIDGE_IFCAPS_MASK;
|
||||
|
||||
@@ -930,7 +929,6 @@
|
||||
mask &= bif->bif_savedcaps;
|
||||
}
|
||||
|
||||
- BRIDGE_XLOCK(sc);
|
||||
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
enabled = bif->bif_ifp->if_capenable;
|
||||
enabled &= ~BRIDGE_IFCAPS_STRIP;
|
||||
@@ -941,8 +939,6 @@
|
||||
bridge_set_ifcap(sc, bif, enabled);
|
||||
BRIDGE_LOCK(sc);
|
||||
}
|
||||
- BRIDGE_XDROP(sc);
|
||||
-
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -983,7 +979,7 @@
|
||||
struct bridge_iflist *bif;
|
||||
struct ifnet *ifp;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
ifp = bif->bif_ifp;
|
||||
@@ -1004,7 +1000,7 @@
|
||||
{
|
||||
struct bridge_iflist *bif;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
if (bif->bif_ifp == member_ifp)
|
||||
@@ -1014,6 +1010,16 @@
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_delete_member_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_iflist *bif;
|
||||
+
|
||||
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
|
||||
+
|
||||
+ free(bif, M_DEVBUF);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_delete_member:
|
||||
*
|
||||
@@ -1033,9 +1039,7 @@
|
||||
bstp_disable(&bif->bif_stp);
|
||||
|
||||
ifs->if_bridge = NULL;
|
||||
- BRIDGE_XLOCK(sc);
|
||||
CK_LIST_REMOVE(bif, bif_next);
|
||||
- BRIDGE_XDROP(sc);
|
||||
|
||||
/*
|
||||
* If removing the interface that gave the bridge its mac address, set
|
||||
@@ -1094,7 +1098,8 @@
|
||||
}
|
||||
bstp_destroy(&bif->bif_stp); /* prepare to free */
|
||||
BRIDGE_LOCK(sc);
|
||||
- free(bif, M_DEVBUF);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1111,7 +1116,8 @@
|
||||
("%s: not a span interface", __func__));
|
||||
|
||||
CK_LIST_REMOVE(bif, bif_next);
|
||||
- free(bif, M_DEVBUF);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -1167,7 +1173,6 @@
|
||||
* If any, remove all inet6 addresses from the member
|
||||
* interfaces.
|
||||
*/
|
||||
- BRIDGE_XLOCK(sc);
|
||||
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
if (in6ifa_llaonifp(bif->bif_ifp)) {
|
||||
BRIDGE_UNLOCK(sc);
|
||||
@@ -1180,7 +1185,6 @@
|
||||
bif->bif_ifp->if_xname);
|
||||
}
|
||||
}
|
||||
- BRIDGE_XDROP(sc);
|
||||
if (in6ifa_llaonifp(ifs)) {
|
||||
BRIDGE_UNLOCK(sc);
|
||||
in6_ifdetach(ifs);
|
||||
@@ -1494,12 +1498,17 @@
|
||||
struct bridge_iflist *bif;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
bif = bridge_lookup_member(sc, req->ifba_ifsname);
|
||||
if (bif == NULL)
|
||||
return (ENOENT);
|
||||
|
||||
+ /* bridge_rtupdate() may acquire the lock. */
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
|
||||
req->ifba_flags);
|
||||
+ BRIDGE_LOCK(sc);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@@ -1838,6 +1847,7 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
if (ifp->if_flags & IFF_RENAMING)
|
||||
return;
|
||||
@@ -1848,6 +1858,7 @@
|
||||
*/
|
||||
return;
|
||||
}
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
/* Check if the interface is a bridge member */
|
||||
if (sc != NULL) {
|
||||
BRIDGE_LOCK(sc);
|
||||
@@ -1857,6 +1868,7 @@
|
||||
bridge_delete_member(sc, bif, 1);
|
||||
|
||||
BRIDGE_UNLOCK(sc);
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1873,6 +1885,7 @@
|
||||
BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
BRIDGE_LIST_UNLOCK();
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1909,6 +1922,7 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_softc;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
||||
@@ -2032,6 +2046,8 @@
|
||||
struct bridge_softc *sc;
|
||||
uint16_t vlan;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if (m->m_len < ETHER_HDR_LEN) {
|
||||
m = m_pullup(m, ETHER_HDR_LEN);
|
||||
if (m == NULL)
|
||||
@@ -2042,7 +2058,6 @@
|
||||
sc = ifp->if_bridge;
|
||||
vlan = VLANTAGOF(m);
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
bifp = sc->sc_ifp;
|
||||
|
||||
/*
|
||||
@@ -2069,16 +2084,10 @@
|
||||
if (dst_if == NULL) {
|
||||
struct bridge_iflist *bif;
|
||||
struct mbuf *mc;
|
||||
- int error = 0, used = 0;
|
||||
+ int used = 0;
|
||||
|
||||
bridge_span(sc, m);
|
||||
|
||||
- BRIDGE_LOCK2REF(sc, error);
|
||||
- if (error) {
|
||||
- m_freem(m);
|
||||
- return (0);
|
||||
- }
|
||||
-
|
||||
CK_LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
dst_if = bif->bif_ifp;
|
||||
|
||||
@@ -2112,7 +2121,6 @@
|
||||
}
|
||||
if (used == 0)
|
||||
m_freem(m);
|
||||
- BRIDGE_UNREF(sc);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -2124,11 +2132,9 @@
|
||||
bridge_span(sc, m);
|
||||
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
|
||||
m_freem(m);
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (0);
|
||||
}
|
||||
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
bridge_enqueue(sc, dst_if, m);
|
||||
return (0);
|
||||
}
|
||||
@@ -2153,10 +2159,8 @@
|
||||
|
||||
eh = mtod(m, struct ether_header *);
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
|
||||
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
error = bridge_enqueue(sc, dst_if, m);
|
||||
} else
|
||||
bridge_broadcast(sc, ifp, m, 0);
|
||||
@@ -2190,6 +2194,8 @@
|
||||
uint8_t *dst;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
src_if = m->m_pkthdr.rcvif;
|
||||
ifp = sc->sc_ifp;
|
||||
|
||||
@@ -2268,12 +2274,10 @@
|
||||
|| PFIL_HOOKED_IN(V_inet6_pfil_head)
|
||||
#endif
|
||||
) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
|
||||
return;
|
||||
if (m == NULL)
|
||||
return;
|
||||
- BRIDGE_LOCK(sc);
|
||||
}
|
||||
|
||||
if (dst_if == NULL) {
|
||||
@@ -2301,8 +2305,6 @@
|
||||
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
|
||||
goto drop;
|
||||
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
-
|
||||
if (PFIL_HOOKED_OUT(V_inet_pfil_head)
|
||||
#ifdef INET6
|
||||
|| PFIL_HOOKED_OUT(V_inet6_pfil_head)
|
||||
@@ -2318,7 +2320,6 @@
|
||||
return;
|
||||
|
||||
drop:
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
m_freem(m);
|
||||
}
|
||||
|
||||
@@ -2339,6 +2340,8 @@
|
||||
uint16_t vlan;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
||||
return (m);
|
||||
|
||||
@@ -2359,10 +2362,8 @@
|
||||
m_freem(m);
|
||||
return (NULL);
|
||||
}
|
||||
- BRIDGE_LOCK(sc);
|
||||
bif = bridge_lookup_member_if(sc, ifp);
|
||||
if (bif == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2375,13 +2376,11 @@
|
||||
if (memcmp(eh->ether_dhost, bstp_etheraddr,
|
||||
ETHER_ADDR_LEN) == 0) {
|
||||
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
if ((bif->bif_flags & IFBIF_STP) &&
|
||||
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2392,7 +2391,6 @@
|
||||
*/
|
||||
mc = m_dup(m, M_NOWAIT);
|
||||
if (mc == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2424,7 +2422,6 @@
|
||||
|
||||
if ((bif->bif_flags & IFBIF_STP) &&
|
||||
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2458,7 +2455,6 @@
|
||||
error = bridge_rtupdate(sc, eh->ether_shost, \
|
||||
vlan, bif, 0, IFBAF_DYNAMIC); \
|
||||
if (error && bif->bif_addrmax) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
m_freem(m); \
|
||||
return (NULL); \
|
||||
} \
|
||||
@@ -2466,7 +2462,6 @@
|
||||
m->m_pkthdr.rcvif = iface; \
|
||||
if ((iface) == ifp) { \
|
||||
/* Skip bridge processing... src == dest */ \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
return (m); \
|
||||
} \
|
||||
/* It's passing over or to the bridge, locally. */ \
|
||||
@@ -2478,13 +2473,11 @@
|
||||
OR_PFIL_HOOKED_INET6)) { \
|
||||
if (bridge_pfil(&m, NULL, ifp, \
|
||||
PFIL_IN) != 0 || m == NULL) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
return (NULL); \
|
||||
} \
|
||||
} \
|
||||
if ((iface) != bifp) \
|
||||
ETHER_BPF_MTAP(iface, m); \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
return (m); \
|
||||
} \
|
||||
\
|
||||
@@ -2492,7 +2485,6 @@
|
||||
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
|
||||
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
|
||||
) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
m_freem(m); \
|
||||
return (NULL); \
|
||||
}
|
||||
@@ -2543,16 +2535,12 @@
|
||||
struct bridge_iflist *dbif, *sbif;
|
||||
struct mbuf *mc;
|
||||
struct ifnet *dst_if;
|
||||
- int error = 0, used = 0, i;
|
||||
+ int used = 0, i;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
sbif = bridge_lookup_member_if(sc, src_if);
|
||||
|
||||
- BRIDGE_LOCK2REF(sc, error);
|
||||
- if (error) {
|
||||
- m_freem(m);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
/* Filter on the bridge interface before broadcasting */
|
||||
if (runfilt && (PFIL_HOOKED_OUT(V_inet_pfil_head)
|
||||
#ifdef INET6
|
||||
@@ -2560,9 +2548,9 @@
|
||||
#endif
|
||||
)) {
|
||||
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
|
||||
- goto out;
|
||||
+ return;
|
||||
if (m == NULL)
|
||||
- goto out;
|
||||
+ return;
|
||||
}
|
||||
|
||||
CK_LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
|
||||
@@ -2625,9 +2613,6 @@
|
||||
}
|
||||
if (used == 0)
|
||||
m_freem(m);
|
||||
-
|
||||
-out:
|
||||
- BRIDGE_UNREF(sc);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2643,6 +2628,8 @@
|
||||
struct ifnet *dst_if;
|
||||
struct mbuf *mc;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if (CK_LIST_EMPTY(&sc->sc_spanlist))
|
||||
return;
|
||||
|
||||
@@ -2674,7 +2661,8 @@
|
||||
struct bridge_rtnode *brt;
|
||||
int error;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+ BRIDGE_UNLOCK_ASSERT(sc);
|
||||
|
||||
/* Check the source address is valid and not multicast. */
|
||||
if (ETHER_IS_MULTICAST(dst) ||
|
||||
@@ -2691,13 +2679,24 @@
|
||||
* update it, otherwise create a new one.
|
||||
*/
|
||||
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
|
||||
+ BRIDGE_LOCK(sc);
|
||||
+
|
||||
+ /* Check again, now that we have the lock. There could have
|
||||
+ * been a race and we only want to insert this once. */
|
||||
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
if (sc->sc_brtcnt >= sc->sc_brtmax) {
|
||||
sc->sc_brtexceeded++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOSPC);
|
||||
}
|
||||
/* Check per interface address limits (if enabled) */
|
||||
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
|
||||
bif->bif_addrexceeded++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOSPC);
|
||||
}
|
||||
|
||||
@@ -2707,8 +2706,11 @@
|
||||
* address.
|
||||
*/
|
||||
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
|
||||
- if (brt == NULL)
|
||||
+ if (brt == NULL) {
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOMEM);
|
||||
+ }
|
||||
+ brt->brt_vnet = curvnet;
|
||||
|
||||
if (bif->bif_flags & IFBIF_STICKY)
|
||||
brt->brt_flags = IFBAF_STICKY;
|
||||
@@ -2720,17 +2722,22 @@
|
||||
|
||||
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
|
||||
uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (error);
|
||||
}
|
||||
brt->brt_dst = bif;
|
||||
bif->bif_addrcnt++;
|
||||
+
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
|
||||
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
|
||||
brt->brt_dst != bif) {
|
||||
+ BRIDGE_LOCK(sc);
|
||||
brt->brt_dst->bif_addrcnt--;
|
||||
brt->brt_dst = bif;
|
||||
brt->brt_dst->bif_addrcnt++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
|
||||
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
|
||||
@@ -2751,7 +2758,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
|
||||
return (NULL);
|
||||
@@ -2771,6 +2778,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/* Make sure we actually need to do this. */
|
||||
@@ -2800,7 +2808,9 @@
|
||||
bridge_timer(void *arg)
|
||||
{
|
||||
struct bridge_softc *sc = arg;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/* Destruction of rtnodes requires a proper vnet context */
|
||||
@@ -2811,6 +2821,7 @@
|
||||
callout_reset(&sc->sc_brcallout,
|
||||
bridge_rtable_prune_period * hz, bridge_timer, sc);
|
||||
CURVNET_RESTORE();
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2823,6 +2834,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2843,6 +2855,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2862,6 +2875,7 @@
|
||||
struct bridge_rtnode *brt;
|
||||
int found = 0;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/*
|
||||
@@ -2886,6 +2900,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
CK_LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2990,7 +3005,7 @@
|
||||
uint32_t hash;
|
||||
int dir;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
hash = bridge_rthash(sc, addr);
|
||||
CK_LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
|
||||
@@ -3053,6 +3068,18 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_rtnode *brt;
|
||||
+
|
||||
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
|
||||
+
|
||||
+ CURVNET_SET(brt->brt_vnet);
|
||||
+ uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+ CURVNET_RESTORE();
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_rtnode_destroy:
|
||||
*
|
||||
@@ -3061,6 +3088,7 @@
|
||||
static void
|
||||
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
|
||||
{
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
CK_LIST_REMOVE(brt, brt_hash);
|
||||
@@ -3068,7 +3096,8 @@
|
||||
CK_LIST_REMOVE(brt, brt_list);
|
||||
sc->sc_brtcnt--;
|
||||
brt->brt_dst->bif_addrcnt--;
|
||||
- uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -3081,7 +3110,9 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_rtnode *brt;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
CURVNET_SET(ifp->if_vnet);
|
||||
BRIDGE_LOCK(sc);
|
||||
|
||||
@@ -3102,6 +3133,7 @@
|
||||
}
|
||||
BRIDGE_UNLOCK(sc);
|
||||
CURVNET_RESTORE();
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -3607,17 +3639,20 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
+ NET_EPOCH_ENTER(et);
|
||||
+
|
||||
bif = bridge_lookup_member_if(sc, ifp);
|
||||
if (bif == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
return;
|
||||
}
|
||||
bridge_linkcheck(sc);
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
|
||||
bstp_linkstate(&bif->bif_stp);
|
||||
+
|
||||
+ NET_EPOCH_EXIT(et);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -3626,7 +3661,8 @@
|
||||
struct bridge_iflist *bif;
|
||||
int new_link, hasls;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
new_link = LINK_STATE_DOWN;
|
||||
hasls = 0;
|
||||
/* Our link is considered up if at least one of our ports is active */
|
811
patches/bridge.patch
Normal file
811
patches/bridge.patch
Normal file
@ -0,0 +1,811 @@
|
||||
Index: sys/net/if_bridge.c
|
||||
===================================================================
|
||||
--- sys/net/if_bridge.c (revision 360985)
|
||||
+++ sys/net/if_bridge.c (working copy)
|
||||
@@ -165,6 +165,9 @@
|
||||
#define BRIDGE_RTABLE_PRUNE_PERIOD (5 * 60)
|
||||
#endif
|
||||
|
||||
+#define NET_EPOCH_ASSERT() MPASS(in_epoch(net_epoch_preempt))
|
||||
+#define NET_EPOCH_CALL(f, c) epoch_call(net_epoch_preempt, (c), (f))
|
||||
+
|
||||
/*
|
||||
* List of capabilities to possibly mask on the member interface.
|
||||
*/
|
||||
@@ -188,6 +191,7 @@
|
||||
uint32_t bif_addrmax; /* max # of addresses */
|
||||
uint32_t bif_addrcnt; /* cur. # of addresses */
|
||||
uint32_t bif_addrexceeded;/* # of address violations */
|
||||
+ struct epoch_context bif_epoch_ctx;
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -201,6 +205,8 @@
|
||||
uint8_t brt_flags; /* address flags */
|
||||
uint8_t brt_addr[ETHER_ADDR_LEN];
|
||||
uint16_t brt_vlan; /* vlan id */
|
||||
+ struct vnet *brt_vnet;
|
||||
+ struct epoch_context brt_epoch_ctx;
|
||||
};
|
||||
#define brt_ifp brt_dst->bif_ifp
|
||||
|
||||
@@ -211,13 +217,10 @@
|
||||
struct ifnet *sc_ifp; /* make this an interface */
|
||||
LIST_ENTRY(bridge_softc) sc_list;
|
||||
struct mtx sc_mtx;
|
||||
- struct cv sc_cv;
|
||||
uint32_t sc_brtmax; /* max # of addresses */
|
||||
uint32_t sc_brtcnt; /* cur. # of addresses */
|
||||
uint32_t sc_brttimeout; /* rt timeout in seconds */
|
||||
struct callout sc_brcallout; /* bridge callout */
|
||||
- uint32_t sc_iflist_ref; /* refcount for sc_iflist */
|
||||
- uint32_t sc_iflist_xcnt; /* refcount for sc_iflist */
|
||||
LIST_HEAD(, bridge_iflist) sc_iflist; /* member interface list */
|
||||
LIST_HEAD(, bridge_rtnode) *sc_rthash; /* our forwarding table */
|
||||
LIST_HEAD(, bridge_rtnode) sc_rtlist; /* list version of above */
|
||||
@@ -227,6 +230,7 @@
|
||||
uint32_t sc_brtexceeded; /* # of cache drops */
|
||||
struct ifnet *sc_ifaddr; /* member mac copied from */
|
||||
struct ether_addr sc_defaddr; /* Default MAC address */
|
||||
+ struct epoch_context sc_epoch_ctx;
|
||||
};
|
||||
|
||||
VNET_DEFINE_STATIC(struct mtx, bridge_list_mtx);
|
||||
@@ -546,6 +550,10 @@
|
||||
if_clone_detach(V_bridge_cloner);
|
||||
V_bridge_cloner = NULL;
|
||||
BRIDGE_LIST_LOCK_DESTROY();
|
||||
+
|
||||
+ /* Callbacks may use UMA zone. */
|
||||
+ epoch_drain_callbacks(net_epoch_preempt);
|
||||
+
|
||||
uma_zdestroy(V_bridge_rtnode_zone);
|
||||
}
|
||||
VNET_SYSUNINIT(vnet_bridge_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
|
||||
@@ -708,6 +716,17 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_clone_destroy_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_softc *sc;
|
||||
+
|
||||
+ sc = __containerof(ctx, struct bridge_softc, sc_epoch_ctx);
|
||||
+
|
||||
+ BRIDGE_LOCK_DESTROY(sc);
|
||||
+ free(sc, M_DEVBUF);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_clone_destroy:
|
||||
*
|
||||
@@ -718,7 +737,9 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_softc;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
BRIDGE_LOCK(sc);
|
||||
|
||||
bridge_stop(ifp, 1);
|
||||
@@ -743,11 +764,12 @@
|
||||
BRIDGE_LIST_UNLOCK();
|
||||
|
||||
bstp_detach(&sc->sc_stp);
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
+
|
||||
ether_ifdetach(ifp);
|
||||
if_free(ifp);
|
||||
|
||||
- BRIDGE_LOCK_DESTROY(sc);
|
||||
- free(sc, M_DEVBUF);
|
||||
+ NET_EPOCH_CALL(bridge_clone_destroy_cb, &sc->sc_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -773,7 +795,10 @@
|
||||
struct ifdrv *ifd = (struct ifdrv *) data;
|
||||
const struct bridge_control *bc;
|
||||
int error = 0;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
+
|
||||
switch (cmd) {
|
||||
|
||||
case SIOCADDMULTI:
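Review bot: `NET_EPOCH_ENTER_ET(et);` wraps the whole `switch (cmd)`, so every handler dispatched from this ioctl now runs inside a net epoch section, where sleeping is not permitted. Later hunks show handler code that releases sc_mtx around `in6_ifdetach()` and `bridge_set_ifcap()`; whether those calls can sleep is not visible here and should be checked. At minimum, state the constraint above the enter: `/* Handlers below run inside the net epoch and must not sleep. */`. The function continues past this hunk, and the matching `NET_EPOCH_EXIT_ET(et);` is added in the next one.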
|
||||
@@ -882,6 +907,8 @@
|
||||
break;
|
||||
}
|
||||
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
+
|
||||
return (error);
|
||||
}
|
||||
|
||||
@@ -896,6 +923,8 @@
|
||||
struct bridge_iflist *bif;
|
||||
int enabled, mask;
|
||||
|
||||
+ BRIDGE_LOCK_ASSERT(sc);
|
||||
+
|
||||
/* Initial bitmask of capabilities to test */
|
||||
mask = BRIDGE_IFCAPS_MASK;
|
||||
|
||||
@@ -904,7 +933,6 @@
|
||||
mask &= bif->bif_savedcaps;
|
||||
}
|
||||
|
||||
- BRIDGE_XLOCK(sc);
|
||||
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
enabled = bif->bif_ifp->if_capenable;
|
||||
enabled &= ~BRIDGE_IFCAPS_STRIP;
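Review bot: With `BRIDGE_XLOCK` removed here and `BRIDGE_XDROP` removed in the next hunk, only the caller's epoch section keeps `bif` and its successor valid while this loop walks `sc_iflist`. The `BRIDGE_LOCK(sc);` after `bridge_set_ifcap()` in the next hunk suggests sc_mtx is released around that call, though the unlock itself is outside the visible lines. The previous hunk adds only `BRIDGE_LOCK_ASSERT(sc);` at the top of the function, so the dependency on the epoch is neither documented nor checked. Add `NET_EPOCH_ASSERT();` beside it, with a comment such as `/* sc_mtx is dropped inside the loop; the epoch keeps list entries alive. */`. The function body starts before this hunk and ends in the next.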
|
||||
@@ -915,8 +943,6 @@
|
||||
bridge_set_ifcap(sc, bif, enabled);
|
||||
BRIDGE_LOCK(sc);
|
||||
}
|
||||
- BRIDGE_XDROP(sc);
|
||||
-
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -957,7 +983,7 @@
|
||||
struct bridge_iflist *bif;
|
||||
struct ifnet *ifp;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
ifp = bif->bif_ifp;
|
||||
@@ -978,7 +1004,7 @@
|
||||
{
|
||||
struct bridge_iflist *bif;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
if (bif->bif_ifp == member_ifp)
|
||||
@@ -988,6 +1014,16 @@
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_delete_member_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_iflist *bif;
|
||||
+
|
||||
+ bif = __containerof(ctx, struct bridge_iflist, bif_epoch_ctx);
|
||||
+
|
||||
+ free(bif, M_DEVBUF);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_delete_member:
|
||||
*
|
||||
@@ -1006,9 +1042,7 @@
|
||||
bstp_disable(&bif->bif_stp);
|
||||
|
||||
ifs->if_bridge = NULL;
|
||||
- BRIDGE_XLOCK(sc);
|
||||
LIST_REMOVE(bif, bif_next);
|
||||
- BRIDGE_XDROP(sc);
|
||||
|
||||
/*
|
||||
* If removing the interface that gave the bridge its mac address, set
|
||||
@@ -1066,7 +1100,8 @@
|
||||
}
|
||||
bstp_destroy(&bif->bif_stp); /* prepare to free */
|
||||
BRIDGE_LOCK(sc);
|
||||
- free(bif, M_DEVBUF);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1083,7 +1118,8 @@
|
||||
("%s: not a span interface", __func__));
|
||||
|
||||
LIST_REMOVE(bif, bif_next);
|
||||
- free(bif, M_DEVBUF);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_delete_member_cb, &bif->bif_epoch_ctx);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -1139,7 +1175,6 @@
|
||||
* If any, remove all inet6 addresses from the member
|
||||
* interfaces.
|
||||
*/
|
||||
- BRIDGE_XLOCK(sc);
|
||||
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
if (in6ifa_llaonifp(bif->bif_ifp)) {
|
||||
BRIDGE_UNLOCK(sc);
|
||||
@@ -1152,7 +1187,6 @@
|
||||
bif->bif_ifp->if_xname);
|
||||
}
|
||||
}
|
||||
- BRIDGE_XDROP(sc);
|
||||
if (in6ifa_llaonifp(ifs)) {
|
||||
BRIDGE_UNLOCK(sc);
|
||||
in6_ifdetach(ifs);
|
||||
@@ -1466,12 +1500,17 @@
|
||||
struct bridge_iflist *bif;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
bif = bridge_lookup_member(sc, req->ifba_ifsname);
|
||||
if (bif == NULL)
|
||||
return (ENOENT);
|
||||
|
||||
+ /* bridge_rtupdate() may acquire the lock. */
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
error = bridge_rtupdate(sc, req->ifba_dst, req->ifba_vlan, bif, 1,
|
||||
req->ifba_flags);
|
||||
+ BRIDGE_LOCK(sc);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@@ -1810,6 +1849,7 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
if (ifp->if_flags & IFF_RENAMING)
|
||||
return;
|
||||
@@ -1820,6 +1860,7 @@
|
||||
*/
|
||||
return;
|
||||
}
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
/* Check if the interface is a bridge member */
|
||||
if (sc != NULL) {
|
||||
BRIDGE_LOCK(sc);
|
||||
@@ -1829,6 +1870,7 @@
|
||||
bridge_delete_member(sc, bif, 1);
|
||||
|
||||
BRIDGE_UNLOCK(sc);
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1845,6 +1887,7 @@
|
||||
BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
BRIDGE_LIST_UNLOCK();
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1881,6 +1924,7 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_softc;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
||||
@@ -2004,6 +2048,8 @@
|
||||
struct bridge_softc *sc;
|
||||
uint16_t vlan;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if (m->m_len < ETHER_HDR_LEN) {
|
||||
m = m_pullup(m, ETHER_HDR_LEN);
|
||||
if (m == NULL)
|
||||
@@ -2014,8 +2060,6 @@
|
||||
sc = ifp->if_bridge;
|
||||
vlan = VLANTAGOF(m);
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
-
|
||||
/*
|
||||
* If bridge is down, but the original output interface is up,
|
||||
* go ahead and send out that interface. Otherwise, the packet
|
||||
@@ -2037,16 +2081,10 @@
|
||||
if (dst_if == NULL) {
|
||||
struct bridge_iflist *bif;
|
||||
struct mbuf *mc;
|
||||
- int error = 0, used = 0;
|
||||
+ int used = 0;
|
||||
|
||||
bridge_span(sc, m);
|
||||
|
||||
- BRIDGE_LOCK2REF(sc, error);
|
||||
- if (error) {
|
||||
- m_freem(m);
|
||||
- return (0);
|
||||
- }
|
||||
-
|
||||
LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
|
||||
dst_if = bif->bif_ifp;
|
||||
|
||||
@@ -2080,7 +2118,6 @@
|
||||
}
|
||||
if (used == 0)
|
||||
m_freem(m);
|
||||
- BRIDGE_UNREF(sc);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -2092,11 +2129,9 @@
|
||||
bridge_span(sc, m);
|
||||
if ((dst_if->if_drv_flags & IFF_DRV_RUNNING) == 0) {
|
||||
m_freem(m);
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (0);
|
||||
}
|
||||
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
bridge_enqueue(sc, dst_if, m);
|
||||
return (0);
|
||||
}
|
||||
@@ -2121,10 +2156,8 @@
|
||||
|
||||
eh = mtod(m, struct ether_header *);
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
if (((m->m_flags & (M_BCAST|M_MCAST)) == 0) &&
|
||||
(dst_if = bridge_rtlookup(sc, eh->ether_dhost, 1)) != NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
error = bridge_enqueue(sc, dst_if, m);
|
||||
} else
|
||||
bridge_broadcast(sc, ifp, m, 0);
|
||||
@@ -2158,6 +2191,8 @@
|
||||
uint8_t *dst;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
src_if = m->m_pkthdr.rcvif;
|
||||
ifp = sc->sc_ifp;
|
||||
|
||||
@@ -2236,12 +2271,10 @@
|
||||
|| PFIL_HOOKED(&V_inet6_pfil_hook)
|
||||
#endif
|
||||
) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
if (bridge_pfil(&m, ifp, src_if, PFIL_IN) != 0)
|
||||
return;
|
||||
if (m == NULL)
|
||||
return;
|
||||
- BRIDGE_LOCK(sc);
|
||||
}
|
||||
|
||||
if (dst_if == NULL) {
|
||||
@@ -2269,8 +2302,6 @@
|
||||
dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
|
||||
goto drop;
|
||||
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
-
|
||||
if (PFIL_HOOKED(&V_inet_pfil_hook)
|
||||
#ifdef INET6
|
||||
|| PFIL_HOOKED(&V_inet6_pfil_hook)
|
||||
@@ -2286,7 +2317,6 @@
|
||||
return;
|
||||
|
||||
drop:
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
m_freem(m);
|
||||
}
|
||||
|
||||
@@ -2307,6 +2337,8 @@
|
||||
uint16_t vlan;
|
||||
int error;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if ((sc->sc_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
||||
return (m);
|
||||
|
||||
@@ -2327,10 +2359,8 @@
|
||||
m_freem(m);
|
||||
return (NULL);
|
||||
}
|
||||
- BRIDGE_LOCK(sc);
|
||||
bif = bridge_lookup_member_if(sc, ifp);
|
||||
if (bif == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2343,13 +2373,11 @@
|
||||
if (memcmp(eh->ether_dhost, bstp_etheraddr,
|
||||
ETHER_ADDR_LEN) == 0) {
|
||||
bstp_input(&bif->bif_stp, ifp, m); /* consumes mbuf */
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
if ((bif->bif_flags & IFBIF_STP) &&
|
||||
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2360,7 +2388,6 @@
|
||||
*/
|
||||
mc = m_dup(m, M_NOWAIT);
|
||||
if (mc == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2392,7 +2419,6 @@
|
||||
|
||||
if ((bif->bif_flags & IFBIF_STP) &&
|
||||
bif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
return (m);
|
||||
}
|
||||
|
||||
@@ -2432,7 +2458,6 @@
|
||||
OR_PFIL_HOOKED_INET6)) { \
|
||||
if (bridge_pfil(&m, NULL, ifp, \
|
||||
PFIL_IN) != 0 || m == NULL) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
return (NULL); \
|
||||
} \
|
||||
eh = mtod(m, struct ether_header *); \
|
||||
@@ -2442,13 +2467,11 @@
|
||||
error = bridge_rtupdate(sc, eh->ether_shost, \
|
||||
vlan, bif, 0, IFBAF_DYNAMIC); \
|
||||
if (error && bif->bif_addrmax) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
m_freem(m); \
|
||||
return (NULL); \
|
||||
} \
|
||||
} \
|
||||
m->m_pkthdr.rcvif = iface; \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
return (m); \
|
||||
} \
|
||||
\
|
||||
@@ -2456,7 +2479,6 @@
|
||||
if (memcmp(IF_LLADDR((iface)), eh->ether_shost, ETHER_ADDR_LEN) == 0 \
|
||||
OR_CARP_CHECK_WE_ARE_SRC((iface)) \
|
||||
) { \
|
||||
- BRIDGE_UNLOCK(sc); \
|
||||
m_freem(m); \
|
||||
return (NULL); \
|
||||
}
|
||||
@@ -2507,16 +2529,12 @@
|
||||
struct bridge_iflist *dbif, *sbif;
|
||||
struct mbuf *mc;
|
||||
struct ifnet *dst_if;
|
||||
- int error = 0, used = 0, i;
|
||||
+ int used = 0, i;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
sbif = bridge_lookup_member_if(sc, src_if);
|
||||
|
||||
- BRIDGE_LOCK2REF(sc, error);
|
||||
- if (error) {
|
||||
- m_freem(m);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
/* Filter on the bridge interface before broadcasting */
|
||||
if (runfilt && (PFIL_HOOKED(&V_inet_pfil_hook)
|
||||
#ifdef INET6
|
||||
@@ -2524,9 +2542,9 @@
|
||||
#endif
|
||||
)) {
|
||||
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
|
||||
- goto out;
|
||||
+ return;
|
||||
if (m == NULL)
|
||||
- goto out;
|
||||
+ return;
|
||||
}
|
||||
|
||||
LIST_FOREACH(dbif, &sc->sc_iflist, bif_next) {
|
||||
@@ -2589,9 +2607,6 @@
|
||||
}
|
||||
if (used == 0)
|
||||
m_freem(m);
|
||||
-
|
||||
-out:
|
||||
- BRIDGE_UNREF(sc);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2607,6 +2622,8 @@
|
||||
struct ifnet *dst_if;
|
||||
struct mbuf *mc;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
if (LIST_EMPTY(&sc->sc_spanlist))
|
||||
return;
|
||||
|
||||
@@ -2638,7 +2655,8 @@
|
||||
struct bridge_rtnode *brt;
|
||||
int error;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+ BRIDGE_UNLOCK_ASSERT(sc);
|
||||
|
||||
/* Check the source address is valid and not multicast. */
|
||||
if (ETHER_IS_MULTICAST(dst) ||
|
||||
@@ -2655,13 +2673,24 @@
|
||||
* update it, otherwise create a new one.
|
||||
*/
|
||||
if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) == NULL) {
|
||||
+ BRIDGE_LOCK(sc);
|
||||
+
|
||||
+ /* Check again, now that we have the lock. There could have
|
||||
+ * been a race and we only want to insert this once. */
|
||||
+ if ((brt = bridge_rtnode_lookup(sc, dst, vlan)) != NULL) {
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
if (sc->sc_brtcnt >= sc->sc_brtmax) {
|
||||
sc->sc_brtexceeded++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOSPC);
|
||||
}
|
||||
/* Check per interface address limits (if enabled) */
|
||||
if (bif->bif_addrmax && bif->bif_addrcnt >= bif->bif_addrmax) {
|
||||
bif->bif_addrexceeded++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOSPC);
|
||||
}
|
||||
|
||||
@@ -2671,8 +2700,11 @@
|
||||
* address.
|
||||
*/
|
||||
brt = uma_zalloc(V_bridge_rtnode_zone, M_NOWAIT | M_ZERO);
|
||||
- if (brt == NULL)
|
||||
+ if (brt == NULL) {
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (ENOMEM);
|
||||
+ }
|
||||
+ brt->brt_vnet = curvnet;
|
||||
|
||||
if (bif->bif_flags & IFBIF_STICKY)
|
||||
brt->brt_flags = IFBAF_STICKY;
|
||||
@@ -2684,17 +2716,22 @@
|
||||
|
||||
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
|
||||
uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
return (error);
|
||||
}
|
||||
brt->brt_dst = bif;
|
||||
bif->bif_addrcnt++;
|
||||
+
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
|
||||
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
|
||||
brt->brt_dst != bif) {
|
||||
+ BRIDGE_LOCK(sc);
|
||||
brt->brt_dst->bif_addrcnt--;
|
||||
brt->brt_dst = bif;
|
||||
brt->brt_dst->bif_addrcnt++;
|
||||
+ BRIDGE_UNLOCK(sc);
|
||||
}
|
||||
|
||||
if ((flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC)
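Review bot: `brt->brt_dst = bif;` is still assigned after `bridge_rtnode_insert(sc, brt)`, but this patch lets the lookup paths run without sc_mtx: `BRIDGE_LOCK` is removed around the `bridge_rtlookup()` call in an earlier hunk, and `BRIDGE_LOCK_ASSERT` becomes `NET_EPOCH_ASSERT` in the lookup hunks that follow. The node is allocated with `M_ZERO`, so a reader that finds it between the insert and the assignment would see a NULL `brt_dst`, and `brt_ifp` expands to `brt_dst->bif_ifp`. Move the assignment up so the node is complete before it is published: `brt->brt_dst = bif;` followed by `if ((error = bridge_rtnode_insert(sc, brt)) != 0) {`. The unlocked `brt->brt_dst != bif` test further down reads the same field outside the mutex and deserves a comment saying that this is intended. The enclosing function (presumably bridge_rtupdate()) starts and ends outside this hunk.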
|
||||
@@ -2715,7 +2752,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
if ((brt = bridge_rtnode_lookup(sc, addr, vlan)) == NULL)
|
||||
return (NULL);
|
||||
@@ -2735,6 +2772,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/* Make sure we actually need to do this. */
|
||||
@@ -2764,7 +2802,9 @@
|
||||
bridge_timer(void *arg)
|
||||
{
|
||||
struct bridge_softc *sc = arg;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/* Destruction of rtnodes requires a proper vnet context */
|
||||
@@ -2775,6 +2815,7 @@
|
||||
callout_reset(&sc->sc_brcallout,
|
||||
bridge_rtable_prune_period * hz, bridge_timer, sc);
|
||||
CURVNET_RESTORE();
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2787,6 +2828,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2807,6 +2849,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2826,6 +2869,7 @@
|
||||
struct bridge_rtnode *brt;
|
||||
int found = 0;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
/*
|
||||
@@ -2850,6 +2894,7 @@
|
||||
{
|
||||
struct bridge_rtnode *brt, *nbrt;
|
||||
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
LIST_FOREACH_SAFE(brt, &sc->sc_rtlist, brt_list, nbrt) {
|
||||
@@ -2954,7 +2999,7 @@
|
||||
uint32_t hash;
|
||||
int dir;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
|
||||
hash = bridge_rthash(sc, addr);
|
||||
LIST_FOREACH(brt, &sc->sc_rthash[hash], brt_hash) {
|
||||
@@ -3017,6 +3062,18 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+static void
|
||||
+bridge_rtnode_destroy_cb(struct epoch_context *ctx)
|
||||
+{
|
||||
+ struct bridge_rtnode *brt;
|
||||
+
|
||||
+ brt = __containerof(ctx, struct bridge_rtnode, brt_epoch_ctx);
|
||||
+
|
||||
+ CURVNET_SET(brt->brt_vnet);
|
||||
+ uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+ CURVNET_RESTORE();
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* bridge_rtnode_destroy:
|
||||
*
|
||||
@@ -3025,6 +3082,7 @@
|
||||
static void
|
||||
bridge_rtnode_destroy(struct bridge_softc *sc, struct bridge_rtnode *brt)
|
||||
{
|
||||
+ NET_EPOCH_ASSERT();
|
||||
BRIDGE_LOCK_ASSERT(sc);
|
||||
|
||||
LIST_REMOVE(brt, brt_hash);
|
||||
@@ -3032,7 +3090,8 @@
|
||||
LIST_REMOVE(brt, brt_list);
|
||||
sc->sc_brtcnt--;
|
||||
brt->brt_dst->bif_addrcnt--;
|
||||
- uma_zfree(V_bridge_rtnode_zone, brt);
|
||||
+
|
||||
+ NET_EPOCH_CALL(bridge_rtnode_destroy_cb, &brt->brt_epoch_ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -3045,7 +3104,9 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_rtnode *brt;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
CURVNET_SET(ifp->if_vnet);
|
||||
BRIDGE_LOCK(sc);
|
||||
|
||||
@@ -3066,6 +3127,7 @@
|
||||
}
|
||||
BRIDGE_UNLOCK(sc);
|
||||
CURVNET_RESTORE();
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -3577,17 +3639,20 @@
|
||||
{
|
||||
struct bridge_softc *sc = ifp->if_bridge;
|
||||
struct bridge_iflist *bif;
|
||||
+ struct epoch_tracker et;
|
||||
|
||||
- BRIDGE_LOCK(sc);
|
||||
+ NET_EPOCH_ENTER_ET(et);
|
||||
+
|
||||
bif = bridge_lookup_member_if(sc, ifp);
|
||||
if (bif == NULL) {
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
return;
|
||||
}
|
||||
bridge_linkcheck(sc);
|
||||
- BRIDGE_UNLOCK(sc);
|
||||
|
||||
bstp_linkstate(&bif->bif_stp);
|
||||
+
|
||||
+ NET_EPOCH_EXIT_ET(et);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -3596,7 +3661,8 @@
|
||||
struct bridge_iflist *bif;
|
||||
int new_link, hasls;
|
||||
|
||||
- BRIDGE_LOCK_ASSERT(sc);
|
||||
+ NET_EPOCH_ASSERT();
|
||||
+
|
||||
new_link = LINK_STATE_DOWN;
|
||||
hasls = 0;
|
||||
/* Our link is considered up if at least one of our ports is active */
|
||||
Index: sys/net/if_bridgevar.h
|
||||
===================================================================
|
||||
--- sys/net/if_bridgevar.h (revision 360985)
|
||||
+++ sys/net/if_bridgevar.h (working copy)
|
||||
@@ -273,41 +273,14 @@
|
||||
|
||||
#define BRIDGE_LOCK_INIT(_sc) do { \
|
||||
mtx_init(&(_sc)->sc_mtx, "if_bridge", NULL, MTX_DEF); \
|
||||
- cv_init(&(_sc)->sc_cv, "if_bridge_cv"); \
|
||||
} while (0)
|
||||
#define BRIDGE_LOCK_DESTROY(_sc) do { \
|
||||
mtx_destroy(&(_sc)->sc_mtx); \
|
||||
- cv_destroy(&(_sc)->sc_cv); \
|
||||
} while (0)
|
||||
#define BRIDGE_LOCK(_sc) mtx_lock(&(_sc)->sc_mtx)
|
||||
#define BRIDGE_UNLOCK(_sc) mtx_unlock(&(_sc)->sc_mtx)
|
||||
#define BRIDGE_LOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_OWNED)
|
||||
#define BRIDGE_UNLOCK_ASSERT(_sc) mtx_assert(&(_sc)->sc_mtx, MA_NOTOWNED)
|
||||
-#define BRIDGE_LOCK2REF(_sc, _err) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- if ((_sc)->sc_iflist_xcnt > 0) \
|
||||
- (_err) = EBUSY; \
|
||||
- else \
|
||||
- (_sc)->sc_iflist_ref++; \
|
||||
- mtx_unlock(&(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_UNREF(_sc) do { \
|
||||
- mtx_lock(&(_sc)->sc_mtx); \
|
||||
- (_sc)->sc_iflist_ref--; \
|
||||
- if (((_sc)->sc_iflist_xcnt > 0) && ((_sc)->sc_iflist_ref == 0)) \
|
||||
- cv_broadcast(&(_sc)->sc_cv); \
|
||||
- mtx_unlock(&(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_XLOCK(_sc) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- (_sc)->sc_iflist_xcnt++; \
|
||||
- while ((_sc)->sc_iflist_ref > 0) \
|
||||
- cv_wait(&(_sc)->sc_cv, &(_sc)->sc_mtx); \
|
||||
-} while (0)
|
||||
-#define BRIDGE_XDROP(_sc) do { \
|
||||
- mtx_assert(&(_sc)->sc_mtx, MA_OWNED); \
|
||||
- (_sc)->sc_iflist_xcnt--; \
|
||||
-} while (0)
|
||||
|
||||
#define BRIDGE_INPUT(_ifp, _m) do { \
|
||||
KASSERT((_ifp)->if_bridge_input != NULL, \
|
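--- a/scripts/cam_tag.sh
+++ b/scripts/cam_tag.sh
@@ -0,0 +1,7 @@
+#!/usr/local/bin/bash
+#shrinking the command Native Command Queue down to 1 effectively disabling queuing
+for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`;
+do
+camcontrol tags $Disk -N 1 ;
+camcontrol tags $Disk -v
+done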
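Review bot: Nothing in this script needs bash, yet the shebang is `#!/usr/local/bin/bash`, so a script that changes device queue settings (and so presumably runs as root) depends on a ported shell being installed; `#!/bin/sh` is enough. `$Disk` is expanded unquoted and a failed `camcontrol tags` is ignored, so the script can exit 0 without having changed any queue depth. Suggested loop body: `camcontrol tags "$Disk" -N 1 || exit 1` followed by `camcontrol tags "$Disk" -v`. The header comment would be clearer as `# Reduce the NCQ tag depth to 1 (effectively disabling command queuing) on ST8000DM disks`.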