nginx brotli support

Installing Brotli from source: For both distros, Ubuntu and RHEL/CentOS, you can also choose to compile your own Nginx server with Brotli support enabled. But first we need to make sure we have all the required packages for the manual compilation and post-install process. RHEL and CentOS users: yum groupinstall 'Development Tools' -y. Ubuntu and Debian: sudo apt install build-essential -y. Download the Nginx source files: move to Nginx's download area, download the latest Nginx stable version, then run…

There are several methods, though I prefer the long variant because it also generates .crt files.

Quick variant:

openssl pkcs12 -in "PKCSOriginal" -nodes | openssl pkcs12 -export -out "PKCSNeu-ohne-Passwort"


Long variant:

Extract the certificate

$ openssl pkcs12 -clcerts -nokeys -in "Originaldatei" \
      -out certificate.crt -password pass:PASSWORT -passin pass:PASSWORT

Extract the CA certificate

$ openssl pkcs12 -cacerts -nokeys -in "Originaldatei" \
      -out ca-cert.ca -password pass:PASSWORT -passin pass:PASSWORT

Extract the private key

$ openssl pkcs12 -nocerts -in "Originaldatei" \
      -out private.key -password pass:PASSWORT -passin pass:PASSWORT \
      -passout pass:NeuesPasswort

Remove the password

$ openssl rsa -in private.key -out "Neu.key" \
      -passin pass:NeuesPasswort

Concatenate the PEM files

$ cat "Neu.key"  \
      "certificate.crt" \
      "ca-cert.ca" > PEM.pem

Create the new file

$ openssl pkcs12 -export -nodes -CAfile ca-cert.ca \
      -in PEM.pem -out "NeuesPKCSohnePrivatekeyPasswort"

Now the private key no longer has a password.

"NeuesPasswort" is now the container password. You have to enter it when importing the file into the mail programs.

Now you should store your certificates in a safe place.

FortiOS 6.4.x uses fortiguard-anycast by default.

In my opinion fortiguard-anycast is not really stable yet, and it leads to client disconnects when the anycast servers are unreachable for whatever reason.

No web browsing and no SSH.

If the FortiGuard rating servers keep failing, simply switch back to the "old" method:

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
    set sdns-server-ip 208.91.112.220
end

Then check on the console:

#diag debug rating

Now several servers should be listed again.

Prerequisite: CentOS 8.2 minimal installation

** dnf install setuptool -y (N/A)
dnf install ntsysv -y
dnf install curl -y
dnf install -y libtool
dnf install gcc -y
dnf install make -y
dnf install openssl -y
dnf install pcre -y
dnf install libcap -y
dnf install flex -y
dnf config-manager --set-enabled powertools
dnf install hwloc* -y
dnf install kernel-devel -y
dnf install lua -y
dnf install zlib -y
dnf install curl -y
dnf install curl-devel -y
dnf install ncurses-devel ncurses* -y
dnf install perl -y
dnf install perl-devel -y
dnf install geoip geoip-devel -y
dnf install libunwind libunwind-devel -y
dnf install tcl tcl-devel -y
dnf install epel-release -y
dnf install dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
sudo dnf module reset php
sudo dnf module enable php:remi-7.4
sudo dnf install php -y
dnf install php-gd php-mysqlnd php-soap -y
dnf install php-devel php-zip php-bcmath php-cli php-fpm php-mysqlnd php-zip php-devel php-gd php-mcrypt php-mbstring php-curl php-xml php-pear php-json
dnf install GraphicsMagick GraphicsMagick-devel GraphicsMagick-perl -y
dnf groupinstall 'Development Tools'
dnf install net-tools -y
dnf install git -y
dnf install ghostscript ghostscript-devel -y
dnf install php-pecl-imagick -y
dnf install libwebp* -y
dnf install libpciaccess -y
dnf install ImageMagick-c++-* -y
dnf install ImageMagick-c++-devel -y
dnf install bzip2 bzip2-devel -y
dnf install pcre-devel -y
dnf install brotli -y
dnf install brotli-devel -y
dnf install jansson-devel -y
dnf install lua-* -y
dnf install ccache -y
dnf install luajit* -y
dnf install python3 -y
dnf install python3-devel -y
dnf install python3-magic -y
dnf install libtool-lt* -y
dnf install libjpeg-turbo* -y
dnf install openjpeg2 openjpeg2-devel jasper-devel libwmf* libtiff libtiff-devel
dnf install rpm-devel -y
dnf install parted-devel -y
dnf install hiredis hiredis-devel -y

In case the packaged GraphicsMagick is not the latest version:
wget ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/GraphicsMagick-LATEST.tar.gz
tar xfvz GraphicsMagick-LATEST.tar.gz
cd GraphicsMagick-*
./configure --enable-shared=yes --enable-static=yes --with-modules=yes --with-jpeg=yes --with-lzma=yes --with-magick-plus-plus=yes --with-png=yes --with-perl=yes --with-webp=yes --with-zlib=yes --with-bzlib=yes --with-tcmalloc=yes --with-tiff=yes
make
make test
make install
cd /usr/local/src
wget https://pecl.php.net/get/gmagick
tar xfvz gmagick
cd gmagick-*
phpize
./configure
make
make install
*****
git clone https://github.com/apache/trafficserver.git
autoreconf -if
./configure --enable-experimental-plugins --prefix=/opt/ts #change the prefix to your needs
make
make test
make install

The starting point is a CentOS 7 minimal installation

yum update -y
yum install setuptool -y
yum install ntsysv -y
yum install curl -y
yum install -y libtool
yum install gcc -y
yum install make -y
yum install openssl -y
yum install pcre -y
yum install libcap -y
yum install flex -y
yum install hwloc hwloc-devel -y
yum install lua -y
yum install zlib -y
yum install curl -y
yum install curl-devel -y
yum install ncurses-devel ncurses -y
yum install perl-devel -y
yum install libunwind libunwind-devel -y

yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum -y install epel-release yum-utils
yum-config-manager --disable remi-php54
yum-config-manager --enable remi-php73
yum -y install php php-cli php-fpm php-mysqlnd php-zip php-devel php-gd php-mcrypt php-mbstring php-curl php-xml php-pear php-bcmath php-json
yum -y install ImageMagick ImageMagick-devel
yum install libwebp* -y
yum install git

gcc 17:
yum install centos-release-scl
yum install devtoolset-7-gcc*
scl enable devtoolset-7 bash

git clone https://github.com/apache/trafficserver.git

git pull
autoreconf -if
./configure --enable-experimental-plugins --prefix=/opt/ts
make
make check
make install

The usage description is contained in the source code.

#!/usr/bin/perl -w

##############################################################################
# CGPro Honeypot 2 Fortigate Threat Feed
# Version 1.0
# Maintained by Juergen P. [core.at]
#
# This sample script writes temporarily blacklisted IPs from a CommuniGate Pro SMTP/SIP honeypot
# to a file for offloading bad-host blocking to a Fortigate firewall with FortiOS 6.x
# via the Fortigate Threat Feed Connector. You should adapt it to your needs.
# The script should be run via cron (I suggest every 5 minutes) and write the output
# to a text file in a specific CGPro user's (public) web space for downloading to the firewall
# via the following FortiOS CLI configuration commands:
######
# config system external-resource
# edit <name>
# set type {category | address | domain}
# set category <value>
# set comments [comments]
# set resource <resource-url>
# set refresh-rate <minutes>
# set last-update <datetime>
# next
# end
#####
#
# The threat feed connector flushes the table at each run, so IPs which are no longer blocked are removed.
# The size of the file can be a maximum of 10 MB, or 128,000 lines of text, whichever is most restrictive.
#####
# Replace $CGServerAddress, $Login and $Password below with the correct values in Section 2.
# To run in interactive mode for testing, uncomment Section 1 and comment out Section 2.
# Replace $filename with the filename you defined in the Fortinet Fortigate config.
#
##############################################################################
use strict;
use lib '.'; # newer Perl versions no longer search the current directory by default

# Make sure the "CLI.pm" is in the current directory
use CLI;
use LWP::UserAgent;
use HTTP::Request;
my $Data ="";
my $x =""; #counter
my $filename ="/var/CommuniGate/SharedDomains/my.domain/postmaster.macnt/account.web/honeypotlist.txt";
my $ua=new LWP::UserAgent;
my $request="";
my $response="";
my $content="";
my $url="";
####
#### Section 1
####
# print "Server address: "; # Print the server name prompt
# my $CGServerAddress = <STDIN>; # Read the domain name from standard input
# chomp $CGServerAddress; # Remove \n if present
#
# print "Login (Enter for \"postmaster\"): ";
# my $Login = <STDIN>;
# chomp $Login;
# if ($Login eq '') { $Login = "postmaster"; }
#
# print "Password: ";
# my $Password = <STDIN>;
# chomp $Password;
#
#### End of Section 1

### Section 2

my $CGServerAddress = "1.2.3.4"; # CGPro Server IP
my $Login="postmaster"; # CGPro postmaster Account
my $Password="MyPassword"; # CGPro postmaster Password

#### End of Section 2

# Open TCP connection to given address port 106 (PWD, or CGPro CLI).
# Submit username and password. If login fail, the program will stop.

my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
                          PeerPort => 106,
                          login    => $Login,
                          password => $Password } )
    || die "Can't login to CGPro: ".$CGP::ERR_STRING."\n";

if($Data = $cli->GetTempBlacklistedIPs()) {
    # my $a = split(/,/,$Data); # Number of elements (uncomment if needed)
    my @b = split(/,/,$Data); # Array of IPs including time in seconds
    open(my $OUTFILE, '>', "$filename") || die "could not open output file: $!";
    select $OUTFILE;
    foreach $x (@b) {
        $x =~ s/\].*//;    # remove everything after "]"
        $x = substr $x,1;  # remove first "["
        print "$x\n";      # write IP to file

        $ua->timeout(120);
        $url = 'http://my.rbl.domain/drop.php?ipaddress='.$x.'&blackorwhite=b&notes=blacklisted';
        $request = new HTTP::Request('GET', $url);
        $response = $ua->request($request);
        $content = $response->content();
        # Debug output goes to STDERR so it does not end up in the feed file selected above
        print STDERR "$url\n";
        print STDERR "$content\n";
    }
    #print "$a\n"; # Print number of elements
    close $OUTFILE;
    select STDOUT;
}
else
{
    ($cli->isSuccess) ? print "No Output created.\n"
        : die "Error: ".$cli->getErrMessage.", quitting";
}

$cli->Logout; # Close the CLI session and disconnect

__END__

 

Threat Feed Connectors

This feature introduces
the ability to dynamically import external block list text files from an
HTTP server. The text files can contain IP addresses and domain names.
These dynamic block lists are called ‚Threat Feeds‘. You can block
access to the addresses in the text files by adding one or more threat
feeds to:

FortiOS keeps threat feeds up to date by dynamically re-downloading them from the HTTP server according to the refresh rate.

Threat Feeds can be configured under Security Fabric > Fabric Connectors by creating new Threat Feeds.

The New Fabric Connector edit page provides the following fields:

The domain resource is a text file which contains a domain name for each line and supports simple wildcard. For example:

mail.*.or.th
*-special.de.vu
http://www.*de.vu
610-pawn.com
aaliyah-hq-gallery.de.vu
abcgolocal.com

The address resource is a
text file which contains an IP/IP range for each line (note that only
IPv4 is supported in DNS profiles, so IPv6 addresses will be ignored).
For example:

1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24
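As an added example (not code from the page, from Fortinet or from CommuniGate), the following Python validates an address feed before it is published for the connector: it turns the CGPro "[ip]seconds" list that the honeypot script above processes into bare IPs, normalises single addresses, ranges and CIDR entries like those listed above, drops IPv6 and malformed lines, removes duplicates, and enforces the 10 MB / 128,000 line limit quoted in the script header. All function and constant names are assumptions of this example.

```python
# Constructed example; not part of the page's script or of any Fortinet tooling.
import ipaddress
import re

MAX_LINES = 128_000           # FortiOS threat-feed limit quoted on the page
MAX_BYTES = 10 * 1024 * 1024  # FortiOS threat-feed limit quoted on the page
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^({IPV4})-({IPV4})$")     # e.g. 100.0.0.1-100.0.0.100
CGPRO_RE = re.compile(r"\[([^\]]+)\]\d*")          # "[1.2.3.4]500" -> "1.2.3.4"

def cgpro_to_lines(data):
    """Split CGPro GetTempBlacklistedIPs output ("[ip]secs,[ip]secs") into bare IPs."""
    return [m.group(1) for m in CGPRO_RE.finditer(data)]

def normalise_entry(line):
    """Canonical form of one feed line; None means the line is skipped."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = RANGE_RE.match(s)
    if m:
        lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"reversed range: {s}")
        return f"{lo}-{hi}"
    if "/" in s:
        return str(ipaddress.IPv4Network(s, strict=False))  # 1.2.2.2/24 -> 1.2.2.0/24
    addr = ipaddress.ip_address(s)
    if addr.version != 4:
        return None  # only IPv4 is supported in DNS profiles, so drop IPv6 here
    return str(addr)

def build_feed(lines):
    """Return (feed_text, skipped) after normalising, deduping and size checks."""
    seen, entries, skipped = set(), [], []
    for line in lines:
        try:
            entry = normalise_entry(line)
        except ValueError:  # malformed address, reversed range or bad prefix
            entry = None
        if entry is None:
            skipped.append(line.strip())
        elif entry not in seen:
            seen.add(entry)
            entries.append(entry)
    text = "".join(e + "\n" for e in entries)
    if len(entries) > MAX_LINES or len(text.encode()) > MAX_BYTES:
        raise ValueError("feed exceeds the FortiOS 10 MB / 128,000 line limit")
    return text, [s for s in skipped if s and not s.startswith("#")]
```

The returned skipped list is what you would log (or send to STDERR in the cron job) so that silently dropped entries are still visible to the operator.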

FortiOS configuration

config system external-resource
    edit <name>
        set type {category | address | domain}
        set category <value>
        set comments [comments]
        set resource <resource-url>
        set refresh-rate <minutes>
        set last-update <datetime>
    next
end

The documentation does not offer much information about the fields on this settings page.

Here is a somewhat more detailed description:

Local Area Code

Enter the current local area code for the server/domain PSTN location here.

For Austria, for example, "43" (leave out the "+").

43

Emergency Code

This is the setting for the emergency number (police, fire brigade, etc.).

call=sip:911@telnum (for Austria, e.g.: call=sip:133@telnum for the police)

call=sip:133@telnum

Gateway Domain

Default: pstn.communigate.com. This is the hostname or IP address of the PSTN gateway.

pstngateway.core.at

Gateway Address

Default: <empty>

An IP address only needs to be entered here if the PSTN gateway cannot be resolved via DNS.

Caller ID

ID string of the caller that uses the gateway.

Default: $

According to gatewaycaller.sppr, "$" means: "use the name from auth credentials with the gateway domain"

Name for the Gateway

Username (authentication account) for the gateway.

gatewayuser

Password for the Gateway

The password