Statistics
- Visits: 565
- Posts: 10
- Created: 2007-09-05
- Updated: 2008-04-22
My latest posts
-
Setting up OpenVPN (Linux server + Windows client)
2008-4-22
Goal: set up a bridge-mode OpenVPN server, have dhcpd assign IP addresses to the clients, and use PAM for login authentication.
1. emerge
USE="examples iproute2 pam ssl threads" emerge openvpn
2. Server configuration
Adjust the contents of vars as needed:
cd /etc/openvpn
mkdir gateway
cp -r /usr/share/openvpn/easy-rsa /etc/openvpn
cd easy-rsa
vi vars
Continue with:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="YunNan"
export KEY_CITY="Kunming"
export KEY_ORG="Risy"
export KEY_EMAIL=risy007@gmail.com
Generate the certificate and key files:
. ./vars
./clean-all
./build-ca
./build-key-server
./build-dh
cd ../gateway
mkdir keys
cp ../easy-rsa/keys/{ca,server}.{crt,key} ./keys
cp ../easy-rsa/keys/dh1024.pem ./keys
openvpn --genkey --secret ./keys/ta.key
vi local.conf
Continue with:
mode server
proto udp
port 1194
dev tap0
keepalive 10 120
daemon
writepid /var/run/openvpn.pid
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
verb 3
mute 20
client-to-client
duplicate-cn
cd /etc/openvpn/gateway
tls-server
tls-auth keys/ta.key 0
cipher BF-CBC
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
client-config-dir ccd
# use the PAM plugin
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# clients need not present a certificate
client-cert-not-required
# use the login username as the Common Name
username-as-common-name
ln -sf gateway/local.conf openvpn.conf
Configure the bridged OpenVPN interface for the new openrc. First build bridge and tun as modules and load them at boot by adding the following line to /etc/conf.d/modules:
modules_2_6="tun bridge"
Create the net.br0 and net.tap0 start scripts:
cd /etc/init.d/
ln -sf net.lo net.br0
ln -sf net.lo net.tap0
Add the bridge definition to /etc/conf.d/net:
tuntap_tap0="tap"
#config_eth0="dhcp"
config_eth1="null"
config_tap0="null"
RC_NEED_br0="net.eth1 net.tap0 openvpn"
bridge_br0="eth1 tap0"
config_br0="192.168.0.1/24"
Add net.tap0, net.br0 and openvpn to their respective runlevels:
rc-update add net.tap0 boot
rc-update add net.br0 default
rc-update add openvpn default
The server configuration is done.
Distribute /etc/openvpn/gateway/keys/ca.crt and ta.key to the clients that need to log in.
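The server file above decides who can connect and how the tunnel is protected: tls-auth, client-cert-not-required, duplicate-cn, client-to-client, the cipher, and whether the daemon drops root. As an added example (not from the post, and not OpenVPN's own tooling), the script below parses a config in this format, reports those settings, and checks that the private key and tls-auth key are not readable beyond their owner. SAMPLE_CONF is the post's local.conf embedded so the script runs offline; the permission check skips key paths that do not exist on the machine it runs on.

```python
# Added example, not code from the post: audit an OpenVPN server config.
import os
import stat

# The post's server local.conf, embedded so the audit can run offline.
SAMPLE_CONF = """
mode server
proto udp
port 1194
dev tap0
keepalive 10 120
daemon
writepid /var/run/openvpn.pid
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
verb 3
mute 20
client-to-client
duplicate-cn
cd /etc/openvpn/gateway
tls-server
tls-auth keys/ta.key 0
cipher BF-CBC
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
client-config-dir ccd
# use the PAM plugin
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# clients need not present a certificate
client-cert-not-required
# use the login username as the Common Name
username-as-common-name
"""


def parse_openvpn_conf(text):
    """Return (directive, args) pairs; '#' and ';' start comments, blank lines are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def key_files(directives):
    """Paths of the secret files (tls-auth key, private key), resolved against the 'cd' directive."""
    base = "/"
    for name, args in directives:
        if name == "cd" and args:
            base = args[0]
    return [os.path.join(base, args[0]) for name, args in directives
            if name in ("key", "tls-auth") and args]


def audit(directives):
    """Return (code, message) findings about the authentication and privilege settings."""
    present = {name: args for name, args in directives}
    findings = []
    if "tls-auth" not in present:
        findings.append(("no-tls-auth", "control channel is not HMAC-protected; add tls-auth"))
    if "client-cert-not-required" in present:
        findings.append(("client-cert-not-required",
                         "clients authenticate with username/password only (here via the PAM plugin)"))
    if "duplicate-cn" in present:
        findings.append(("duplicate-cn", "one username may hold several sessions at the same time"))
    if "client-to-client" in present:
        findings.append(("client-to-client", "VPN clients can reach each other through the server"))
    if "user" not in present or "group" not in present:
        findings.append(("root-daemon", "daemon keeps root after startup; add user/group"))
    cipher = present.get("cipher", ["(default)"])[0]
    if cipher.upper().startswith("BF-"):
        findings.append(("cipher", f"{cipher} is a 64-bit block cipher; prefer an AES cipher"))
    return findings


def check_key_perms(paths):
    """Report secret files whose mode grants any access to group or others."""
    bad = []
    for path in paths:
        if not os.path.exists(path):
            continue  # not present on this machine, nothing to check
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            bad.append(f"{path}: mode {mode:04o}, should be 0600")
    return bad


if __name__ == "__main__":
    parsed = parse_openvpn_conf(SAMPLE_CONF)
    for code, msg in audit(parsed):
        print(f"[{code}] {msg}")
    for line in check_key_perms(key_files(parsed)):
        print(line)
```

Run it on the real file with `parse_openvpn_conf(open("/etc/openvpn/gateway/local.conf").read())`; the findings are informational, since client-cert-not-required with duplicate-cn is exactly the setup this post wants, but they make explicit that the PAM password is the only credential a client needs.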
3. Client configuration file
client
proto udp
port 1194 # or any other port you want to use
dev tap
remote 192.168.0.1 # replace with the public IP address
auth-user-pass
tls-client
ca ca.crt
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
That completes the work. On the client PC, dial in to the server with openvpn-gui; it asks for a valid username and password from the server, and if they are correct the VPN connection is established.
If a dhcpd service is bound to br0 on the server, the client automatically obtains the IP configuration handed out by the DHCP server after dialling in.
--------------- Appendix: dhcpd.conf configuration --------------------------------------------
option domain-name "risy.com";
default-lease-time 3600;
max-lease-time 7200;
authoritative;
log-facility local7;
ddns-update-style interim;
subnet 192.168.1.0 netmask 255.255.255.0
{
option subnet-mask 255.255.255.0;
option netbios-name-servers 192.168.1.1;
option broadcast-address 192.168.1.255;
option domain-name-servers 222.172.200.68,61.166.150.123;
class "pxeclient"
{
match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
vendor-option-space PXE;
allow bootp;
next-server 192.168.1.1;
filename "pxelinux.0";
}
class "openvpn" {
match if substring (hardware, 1, 2) = 00:FF;
}
pool {
allow members of "pxeclient";
deny members of "openvpn";
range 192.168.1.50 192.168.1.60;
option routers 192.168.1.1;
}
pool {
deny members of "pxeclient";
deny members of "openvpn";
range 192.168.1.80 192.168.1.90;
option routers 192.168.1.1;
}
pool {
allow members of "openvpn";
range 192.168.1.100 192.168.1.200;
}
}
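The dhcpd.conf above sorts clients into three pools with two class tests. As an added example (not from the post), the pool selection is re-implemented below so the two tests can be checked against sample clients. dhcpd's `hardware` expression is the hardware-type byte (1 for Ethernet) followed by the link-layer address, so substring(hardware, 1, 2) is the first two bytes of the MAC; 00:FF is the default MAC prefix of the Windows TAP adapter that OpenVPN clients use. The MAC addresses and vendor class strings in the test are constructed.

```python
# Added example, not the post's configuration: the dhcpd.conf pool logic in Python.


def hardware_bytes(mac, htype=1):
    """The byte string dhcpd exposes as `hardware`: hardware-type byte plus the MAC."""
    return bytes([htype]) + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def is_pxeclient(vendor_class):
    # match if substring(option vendor-class-identifier, 0, 9) = "PXEClient"
    return vendor_class is not None and vendor_class[:9] == "PXEClient"


def is_openvpn(mac):
    # match if substring(hardware, 1, 2) = 00:FF  (offset 1 skips the type byte)
    return hardware_bytes(mac)[1:3] == b"\x00\xff"


# (allow list, deny list, range) for the three pool {} blocks, in file order.
# A pool with allow statements admits only members of those classes; a pool
# with only deny statements admits everyone not denied.
POOLS = [
    ({"pxeclient"}, {"openvpn"}, ("192.168.1.50", "192.168.1.60")),
    (set(), {"pxeclient", "openvpn"}, ("192.168.1.80", "192.168.1.90")),
    ({"openvpn"}, set(), ("192.168.1.100", "192.168.1.200")),
]


def client_classes(mac, vendor_class=None):
    """Names of the dhcpd classes the client belongs to."""
    classes = set()
    if is_pxeclient(vendor_class):
        classes.add("pxeclient")
    if is_openvpn(mac):
        classes.add("openvpn")
    return classes


def select_pool(mac, vendor_class=None):
    """Range of the pool that admits the client, or None.

    The three pools in this file are disjoint, so at most one admits any client
    and scanning them in order finds it.
    """
    classes = client_classes(mac, vendor_class)
    for allowed, denied, addr_range in POOLS:
        if classes & denied:
            continue
        if allowed and not (classes & allowed):
            continue
        return addr_range
    return None


if __name__ == "__main__":
    # constructed sample clients
    print("VPN client  :", select_pool("00:ff:12:34:56:78"))
    print("PXE boot    :", select_pool("00:1a:2b:3c:4d:5e", "PXEClient:Arch:00000:UNDI:002001"))
    print("ordinary LAN:", select_pool("00:1a:2b:3c:4d:5e"))
```

The point of the split is that VPN users land in 192.168.1.100-200 and never in the LAN or PXE ranges, which makes them easy to tell apart in firewall rules and in the dhcpd lease log.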
-
Notes on upgrading to baselayout2 on Gentoo 2008.0
2008-4-21
The latest Gentoo release has put out 2008.0-beta1; a recent snapshot upgraded baselayout 1.x to baselayout2, and version 2 uses the new openrc system.
gentoo.org wrote a migration guide specifically for this. It points out that if you upgrade the system's baselayout from 1.x to 2 and use openrc without following the steps in the document, the system will fail to boot.
Link: http://www.gentoo.org/doc/zh_cn/openrc-migration.xml
Because I had set the server to emerge automatically, trouble struck when it rebooted the next day: ADSL would not dial in and the log said Passwd_Err. My first thought was that the account had been stolen, so I plugged Windows back in and dialled, and everything was fine. Testing with pppoe-setup and pppoe-start also connected. In the end I suspected the /etc/conf.d/net configuration, checked the emerge log, and found that baselayout had been upgraded. Being in a hurry to get back online, I downgraded baselayout, tested again, and it worked. After googling I found the article above; since it says openrc starts faster, which is a good thing, I upgraded baselayout to 2 again. This time the trouble really started: after the emerge, the /etc/conf.d/net file was simply gone, and so was /etc/conf.d/net.example. More digging showed that the new net.example had moved; I found it, rewrote /etc/conf.d/net, and finally got it sorted.
Postscript: I will never dare to emerge automatically again. One slip and the system won't boot, and since the machine sits in the living room with no monitor, keyboard or mouse, a boot failure is pure torment.
-
So this is what travel can be like
2008-1-08
When I travelled before, I always liked to have the itinerary arranged neatly so I wouldn't get too tired; everything was always booked in advance.
The New Year's trip was nothing like that: a great many uncertainties piled together, and yet we had a very good, very interesting time. Whether it was having friends along that made it fun, or the novel experience of standing at the expressway entrance after 8 pm, still hungry, flagging down a coach heading back, I can't quite say myself.
-
www.phpclasses.org, a useful site, bookmarking it
2007-12-14
A good place to learn PHP OOP, worth visiting often to dig for treasure.
-
Heroes has stopped airing
2007-12-14
Heroes, an American series I've been enjoying lately, has reportedly stopped airing because the writers went on strike; season 2 only got as far as episode 11.
A few days ago there was news that two versions of S2E11 were shot, one that ends the whole series and one that leaves a loose end; the version released has the loose end, so it looks like there will be a third season. Looking forward to it.
-
Compressing JavaScript with PHP GZIP
2007-11-15
A program I'm working on uses extjs for the client-side UI, but EXTJS is really huge: at around 500k it is noticeably slow the first time the page opens. So I looked into compressing the js files with gzip to cut the amount of data transferred. After googling I found this article: Compressing JavaScript with PHP.
Excerpt of the code from that article:
<?php
// check to see if the user has enabled gzip compression in the WordPress admin panel
if ( ob_get_length() === FALSE and !ini_get('zlib.output_compression') and ini_get('output_handler') != 'ob_gzhandler' and ini_get('output_handler') != 'mb_output_handler' ) {
    ob_start('ob_gzhandler');
}
// The headers below tell the browser to cache the file and also tell the browser it is Javascript.
header("Cache-Control: public");
header("Pragma: cache");
$offset = 60*60*24*60;
$ExpStr = "Expires: ".gmdate("D, d M Y H:i:s",time() + $offset)." GMT";
$LmStr = "Last-Modified: ".gmdate("D, d M Y H:i:s",filemtime(__FILE__))." GMT";
header($ExpStr);
header($LmStr);
header('Content-Type: text/javascript; charset=UTF-8');
?>
The way that article works, this code is added to the front of every js file to get compression, which gets tiresome when there are many js files. An improvement: save the code above as a separate PHP file (for example fetchjs.php), and whenever a js file needs to be referenced, do it like this:
http://www.xxx.com/fetchjs.php?script=file.js
Of course fetchjs.php still needs some finishing. The simplest is to append
readfile($_REQUEST['script']);
Anything more complete naturally has to handle the js file's path, check that it exists, and do the other routine checks.
That's all for now.
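The "routine checks" the post leaves for later are the part that matters: readfile($_REQUEST['script']) hands the web server any path the request names, so the name has to be confined to one directory before anything is read. As an added example (not from the post or the article it quotes, and written in Python rather than PHP) the handler below does that confinement, serves only .js files from a single directory, and adds the same caching and content-type headers plus gzip when the client accepts it. The directory and its files are constructed by setup_demo_root().

```python
# Added example, not the post's fetchjs.php: confined static JavaScript serving.
import gzip
import tempfile
from email.utils import formatdate
from pathlib import Path

CACHE_SECONDS = 60 * 60 * 24 * 60  # the post's $offset: 60 days
DEMO_JS = b"function hello() { return 'hi'; }\n"


def setup_demo_root():
    """Create js/file.js plus a secret.js outside js/ so the escape check can be exercised (constructed)."""
    base = Path(tempfile.mkdtemp(prefix="fetchjs-"))
    js_root = base / "js"
    js_root.mkdir()
    (js_root / "file.js").write_bytes(DEMO_JS)
    (base / "secret.js").write_bytes(b"// must never be served\n")
    return js_root


def resolve_js_path(js_root, requested):
    """Map the request parameter to a file, or raise if it is not a .js file under js_root."""
    root = Path(js_root).resolve()
    if "\x00" in requested or not requested.endswith(".js"):
        raise ValueError("only .js files are served")
    candidate = (root / requested).resolve()  # follows '..', absolute paths and symlinks
    if root not in candidate.parents:
        raise ValueError("path escapes the js directory")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def serve_js(js_root, requested, accept_encoding=""):
    """Return (status, headers, body); any rejected name is answered with a plain 404."""
    try:
        path = resolve_js_path(js_root, requested)
    except (ValueError, FileNotFoundError):
        return 404, {"Content-Type": "text/plain; charset=UTF-8"}, b"not found"
    body = path.read_bytes()
    headers = {
        "Content-Type": "text/javascript; charset=UTF-8",
        "Cache-Control": f"public, max-age={CACHE_SECONDS}",
        "Last-Modified": formatdate(path.stat().st_mtime, usegmt=True),
        "Vary": "Accept-Encoding",
    }
    if "gzip" in accept_encoding.lower():
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    root = setup_demo_root()
    for name in ("file.js", "../secret.js", "/etc/passwd"):
        status, _, body = serve_js(root, name, "gzip")
        print(name, status, len(body), "bytes")
```

The check resolves the candidate path first and only then compares it with the root, so "..", absolute paths and symlinks pointing outside the directory are all rejected by the same test; the same order works in PHP with realpath().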
-
The magical compression feature of Reiser4 FS
2007-11-13
The Gentoo install on my USB external hard drive had grown past 800 MB, on a 1 GB reiserfs partition.
First, back up the whole system.
Then repartition: a 50 MB reiserfs boot partition and a 980 MB reiser4 root partition with gzip1 compression.
Copy the original system back and take a look: the 800-odd MB used is now only 300-odd. Truly magical, and a very simple command does it.
mkfs.reiser4 -o create=ccreg40,compress=gzip1 /dev/hda2
-
Dynamic DNS configuration on Gentoo (www.3322.org)
2007-11-12
I didn't want to use the client program the site provides, and seeing that lynx can do the update is nicer.
Looked into /etc/conf.d/net.example
and saw it can be used like this:
##############################################################################
# ADVANCED CONFIGURATION
#
# Four functions can be defined which will be called surrounding the
# start/stop operations. The functions are called with the interface
# name first so that one function can control multiple adapters. An extra two
# functions can be defined when an interface fails to start or stop.
#
# The return values for the preup and predown functions should be 0
# (success) to indicate that configuration or deconfiguration of the
# interface can continue. If preup returns a non-zero value, then
# interface configuration will be aborted. If predown returns a
# non-zero value, then the interface will not be allowed to continue
# deconfiguration.
#
# The return values for the postup, postdown, failup and faildown functions are
# ignored since there's nothing to do if they indicate failure.
#
# ${IFACE} is set to the interface being brought up/down
# ${IFVAR} is ${IFACE} converted to variable name bash allows
#preup() {
# # Test for link on the interface prior to bringing it up. This
# # only works on some network adapters and requires the mii-diag
# # package to be installed.
# if mii-tool "${IFACE}" 2> /dev/null | grep -q 'no link'; then
# ewarn "No link on ${IFACE}, aborting configuration"
# return 1
# fi
#
# # Test for link on the interface prior to bringing it up. This
# # only works on some network adapters and requires the ethtool
# # package to be installed.
# if ethtool "${IFACE}" | grep -q 'Link detected: no'; then
# ewarn "No link on ${IFACE}, aborting configuration"
# return 1
# fi
#
#
# # Remember to return 0 on success
# return 0
#}
#predown() {
# # The default in the script is to test for NFS root and disallow
# # downing interfaces in that case. Note that if you specify a
# # predown() function you will override that logic. Here it is, in
# # case you still want it...
# if is_net_fs /; then
# eerror "root filesystem is network mounted -- can't stop ${IFACE}"
# return 1
# fi
#
# # Remember to return 0 on success
# return 0
#}
#postup() {
# # This function could be used, for example, to register with a
# # dynamic DNS service. Another possibility would be to
# # send/receive mail once the interface is brought up.
# # Here is an example that allows the use of iproute rules
# # which have been configured using the rules_eth0 variable.
# #rules_eth0=(
# # "from 24.80.102.112/32 to 192.168.1.0/24 table localnet priority 100"
# # "from 216.113.223.51/32 to 192.168.1.0/24 table localnet priority 100"
# #)
# local x="rules_${IFVAR}[@]"
# local -a rules=( "${!x}" )
# if [[ -n ${rules} ]] ; then
# einfo "Adding IP policy routing rules"
# eindent
# # Ensure that the kernel supports policy routing
# if ! ip rule list | grep -q "^" ; then
# eerror "You need to enable IP Policy Routing (CONFIG_IP_MULTIPLE_TABLES)"
# eerror "in your kernel to use ip rules"
# else
# for x in "${rules[@]}" ; do
# ebegin "${x}"
# ip rule add ${x} dev "${IFACE}"
# eend $?
# done
# fi
# eoutdent
# # Flush the cache
# ip route flush cache dev "${IFACE}"
# fi
#}
#postdown() {
# # Enable Wake-On-LAN for every interface except for lo
# # Probably a good idea to set RC_DOWN_INTERFACE="no" in /etc/conf.d/rc
# # as well ;)
# [[ ${IFACE} != "lo" ]] && ethtool -s "${IFACE}" wol g
# Automatically erase any ip rules created in the example postup above
# if interface_exists "${IFACE}" ; then
# # Remove any rules for this interface
# local rule
# ip rule list | grep " iif ${IFACE}[ ]*" | {
# while read rule ; do
# rule="${rule#*:}"
# ip rule del ${rule}
# done
# }
# # Flush the route cache
# ip route flush cache dev "${IFACE}"
# fi
# # Return 0 always
# return 0
#}
#failup() {
# # This function is mostly here for completeness... I haven't
# # thought of anything nifty to do with it yet ;-)
#}
#faildown() {
# # This function is mostly here for completeness... I haven't
# # thought of anything nifty to do with it yet ;-)
#}
So I wrote:
postup() {
#Moved from /etc/ppp/ip-up.local
if [[ "${IFACE}" = "ppp0" ]] ; then
# Run your scripts
/bin/sh /root/updatedns.sh
fi
return 0
}
Then write a script that updates the DNS with lynx and save it as /root/updatedns.sh:
/usr/bin/lynx -mime_header -auth=username:password "http://www.3322.org/dyndns/update?system=dyndns&hostname=your.domain.name" >/dev/null 2>&1
Done.
From now on, every successful dial-up updates this address.
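With the lynx one-liner, username:password sits on the command line, where ps shows it to every local user for as long as lynx runs. As an added example (not from the post), the script below performs the same 3322.org update with urllib, taking the credentials from a mode-0600 file and sending them as an HTTP Basic Authorization header. The update URL and the system=dyndns and hostname parameters are the ones in the post; the credentials file path and its contents are constructed, and the hostname is a placeholder.

```python
# Added example, not the post's updatedns.sh: the same update without the
# password on the command line.
import base64
import os
import stat
import urllib.request
from urllib.parse import urlencode

UPDATE_URL = "http://www.3322.org/dyndns/update"  # from the post


def parse_credentials(text):
    """Split 'username:password' (the form lynx -auth takes) into its two parts."""
    user, sep, password = text.strip().partition(":")
    if not sep or not user or not password:
        raise ValueError("expected a single 'username:password' line")
    return user, password


def load_credentials(path):
    """Read the credentials file, refusing one that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:04o}; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())


def build_request(hostname, user, password, base_url=UPDATE_URL):
    """The update request, with HTTP Basic auth in a header rather than in argv."""
    url = f"{base_url}?{urlencode({'system': 'dyndns', 'hostname': hostname})}"
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})


def update_dns(hostname, credentials_path, opener=urllib.request.urlopen):
    """Send the update and return the server's reply text; 'opener' is injectable for tests."""
    user, password = load_credentials(credentials_path)
    with opener(build_request(hostname, user, password), timeout=30) as resp:
        return resp.read().decode("utf-8", "replace").strip()


if __name__ == "__main__":
    import sys
    # usage (paths constructed): updatedns.py your.domain.name /root/.3322-credentials
    print(update_dns(sys.argv[1], sys.argv[2]))
```

Called from the postup() hook in place of /root/updatedns.sh, it behaves the same way on every successful ppp0 dial-up; if the credentials file is ever left world-readable the script refuses to run instead of quietly sending the password.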
-
Using video memory to speed up Squid on Gentoo
2007-11-12
Followed this: http://gentoo-wiki.com/TIP_Use_memory_on_video_card_as_swap
Swap the document's swap for squid's cache and you have video memory serving as squid's cache, speeding up web browsing.
Add these lines to /etc/conf.d/local.start to set up the MTD:
------------------------------------------------------------------------------------------------
# Mount mtd as squid cache
/sbin/modprobe slram map=VRAM,0xf0400000,+0x7c00000
/sbin/modprobe mtdchar
/sbin/modprobe mtdblock
/sbin/mkfs.reiser4 -y /dev/mtdblock0
/bin/mount /dev/mtdblock0 /var/tmp/squid
/bin/chmod 777 /var/tmp/squid
/etc/init.d/squid start
------------------------------------------------------------------------------------------------
124 MB of video memory is used as cache; configure /etc/squid/squid.conf accordingly:
-----------------------------------------------------------------------------------------------
http_port 192.168.0.1:3128 transparent
cache_dir ufs /var/tmp/squid 100 16 256
visible_hostname Home_cache
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /dev/null squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
cache_mem 32 MB
error_directory /usr/share/squid/errors/Simplify_Chinese
-----------------------------------------------------------------------------------------
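Squid evaluates http_access lines top to bottom; the first line whose ACLs all match decides, and if none matches the default is the opposite of the last line. As an added example (not from the post or from Squid itself), the evaluator below applies the http_access list from the squid.conf above to constructed sample requests, so the effect of rule order can be checked: the deny CONNECT !SSL_ports line sits before allow localnet, so even LAN hosts cannot CONNECT to anything but 443. Only the ACL types the file uses (src, port, method, proto) are implemented.

```python
# Added example, not the post's configuration: first-match http_access evaluation.
import ipaddress

# The acl lines from the squid.conf above: name -> (type, values)
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "localnet": ("src", ["192.168.0.0/255.255.255.0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "SSL_ports": ("port", ["443"]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
}

# The http_access lines, in file order; "!" negates an ACL on that line.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def make_req(src, method="GET", proto="http", port=80):
    """A constructed request: client address, method, URL scheme and destination port."""
    return {"src": src, "method": method, "proto": proto, "port": port}


def acl_matches(name, req):
    """Evaluate one ACL reference (possibly negated) against the request."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "port":
        hit = str(req["port"]) in values
    elif kind == "method":
        hit = req["method"] in values
    else:  # proto
        hit = req["proto"] in values
    return hit != negate


def http_access(req):
    """'allow' or 'deny' for the request, using Squid's first-match semantics."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, req) for n in names):
            return action
    # nothing matched: Squid's default is the opposite of the last line
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    samples = [
        make_req("192.168.0.7"),
        make_req("10.0.0.5"),
        make_req("192.168.0.7", method="CONNECT", port=25),
        make_req("192.168.0.7", method="CONNECT", port=443),
        make_req("192.168.0.7", proto="cache_object"),
    ]
    for r in samples:
        print(r, "->", http_access(r))
```

Swapping the deny CONNECT line below allow localnet would let LAN clients tunnel arbitrary TCP through the proxy; running the sample set again after such an edit is a cheap way to confirm the order still does what was intended.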
