XDQ's Notebook

linux

A 13 post collection


Common SELinux commands

 •  Filed under linux, centos, centos7, selinux

Check whether anything is being blocked by SELinux

sudo grep denied /var/log/audit/audit.log

boolean

Check boolean status

sudo sestatus -b

sudo sestatus -b | grep -i sendmail

Set a boolean (-P makes the change persistent across reboots)

sudo setsebool -P <boolean_name> <1|0>

Common booleans

Boolean                     Meaning
httpd_can_network_connect   allow httpd to open outbound network connections (required for a reverse proxy)
httpd_can_sendmail          allow httpd to send mail
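An added example, not from the original notes: instead of running setsebool unconditionally, compute which booleans actually differ from the desired state. The parser assumes the "name --> on|off" format that getsebool -a prints; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: work out which setsebool -P
# calls are needed to reach a desired set of boolean values, instead of
# running setsebool unconditionally. Input is the "name --> on|off" format
# printed by getsebool -a.

# Constructed sample of getsebool -a output, used for the stand-alone run.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_sendmail --> on
httpd_enable_homedirs --> off'

# plan_booleans name=on|off ...: read getsebool -a output on stdin and print
# one "setsebool -P name value" line per boolean whose current value differs
# from the desired one. Prints nothing when the system is already compliant;
# a requested boolean that does not exist in the policy is reported on stderr.
plan_booleans() {
    awk -v want="$*" '
    BEGIN {
        n = split(want, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            desired[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in desired) {
        seen[$1] = 1
        if ($3 != desired[$1]) print "setsebool -P " $1 " " desired[$1]
    }
    END {
        for (b in desired)
            if (!(b in seen)) print "unknown boolean: " b > "/dev/stderr"
    }'
}

# apply_booleans name=on|off ...: run the planned changes on this host.
# -P makes each change persistent across reboots. Needs root, so it is
# defined here but not run by the demonstration below.
apply_booleans() {
    getsebool -a | plan_booleans "$@" | while read -r cmd; do
        echo "$cmd"
        sudo $cmd
    done
}

# Stand-alone demonstration on the constructed sample: only
# httpd_can_network_connect needs to change.
printf '%s\n' "$SAMPLE_BOOLS" | plan_booleans httpd_can_network_connect=on httpd_can_sendmail=on
```

Because plan_booleans only prints commands, you can review the planned changes (or save them as a record of what was enabled on the host) before apply_booleans runs them.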

semanage

Install semanage

sudo yum install -y policycoreutils-python

List the labels available on the system

sudo semanage fcontext -l | grep <SOMETHING>

Set the label on a file

sudo semanage fcontext -a -t httpd_sys_content_t /path/to/file
sudo restorecon -v /path/to/file

Set the label on a directory

sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/dir(/.*)?"
sudo restorecon -R -v /path/to/dir

CentOS 7: Apache using certificates from the FreeIPA PKI

 •  Filed under centos, centos7, linux, selinux, freeipa

Install Apache and mod_nss

sudo yum install httpd mod_nss -y

Configure mod_nss

sudo sh -c "echo 'Listen 443' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCertificateDatabase /etc/httpd/alias' >> /etc/httpd/conf.d/nssconfig.conf"
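The three echo >> commands above add a line every time they are run. As an added example (not code from the original notes), here is the same configuration written with an append-only-if-missing helper, so re-running the setup cannot leave a second Listen 443 (which makes httpd fail to bind) or duplicated directives. The functions are assumed to be run as root when writing the real file; the demonstration at the bottom writes to a temporary file.

```shell
#!/bin/sh
# Added example, not from the original notes: build nssconfig.conf with an
# append-only-if-missing helper, so that re-running the setup does not add a
# second "Listen 443" (httpd then fails to bind) or duplicate directives whose
# effective value is hard to audit. Run as root (sudo sh) for the real file;
# the demonstration at the bottom writes to a temporary file instead.

NSS_CONF=/etc/httpd/conf.d/nssconfig.conf

# Same cipher list as in the notes above, kept in one variable for readability.
NSS_CIPHERS='+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha'

# append_once FILE LINE: append LINE to FILE unless an identical line is
# already present (-x whole line, -F literal, so '+' and '/' are not regex).
append_once() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# directive_value FILE NAME: print the value of the last NAME directive in
# FILE (for single-valued directives that is the value httpd uses); empty if
# the directive is absent.
directive_value() {
    awk -v name="$2" '$1 == name { v = $2 } END { print v }' "$1"
}

# write_nss_config [FILE]: write the three directives from the notes above.
write_nss_config() {
    conf=${1:-$NSS_CONF}
    append_once "$conf" 'Listen 443'
    append_once "$conf" "NSSCipherSuite $NSS_CIPHERS"
    append_once "$conf" 'NSSCertificateDatabase /etc/httpd/alias'
}

# Stand-alone demonstration: running twice leaves exactly three lines.
demo=$(mktemp)
write_nss_config "$demo"
write_nss_config "$demo"
cat "$demo"
rm -f "$demo"
```

To write the real file, call write_nss_config with no argument as root; directive_value is handy afterwards to confirm which NSSCertificateDatabase or NSSCipherSuite value httpd will actually read.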

Remove the default virtual host from /etc/httpd/conf.d/nss.conf

Request a certificate

ipa-getcert request -d /etc/httpd/alias -n 'alianame' -K HTTP/'hostname' -D 'FQDN.com'

Configure the HTTPS virtual host

<VirtualHost *:443>
    ServerName FQDN

    NSSEngine on
    NSSNickname alianame

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

Joining CentOS 7 to a FreeIPA domain

 •  Filed under centos, centos7, freeipa, linux

Install the required packages

yum install ipa-client -y

Join the domain

ipa-client-install --domain YOUR_DOMAIN_NAME

Enable automatic creation of home directories

authconfig --enablemkhomedir --update

Installing polipo on CentOS 7

 •  Filed under centos, linux, proxy

Download

git clone https://github.com/jech/polipo.git
cd polipo

(Optional) use a released version

git checkout polipo-1.1.1

Install

make all
su -c 'make install'

Create the configuration file

mkdir /opt/polipo
nano /opt/polipo/config

Copy the contents of http://www.pps.univ-paris-diderot.fr/~jch/software/polipo/config.sample into it and edit as needed

Create the polipo account

useradd polipo -r -s /usr/sbin/nologin

Create the systemd unit

nano /etc/systemd/system/polipo.service

with the following contents

[Unit]
Description=polipo web proxy
After=network.target

[Service]
Type=simple
WorkingDirectory=/tmp
User=polipo
Group=polipo
ExecStart=/usr/bin/polipo -c /opt/polipo/config
Restart=always
SyslogIdentifier=Polipo

[Install]
WantedBy=multi-user.target

Open the firewall

firewall-cmd --permanent --add-port=8123/tcp
firewall-cmd --reload

Try starting the service

systemctl start polipo

Check whether SELinux is blocking it

sudo grep polipo /var/log/audit/audit.log | grep denied

Add an SELinux rule

sudo grep polipo /var/log/audit/audit.log | grep denied | audit2allow -M mypolipo
sudo semodule -i mypolipo.pp

Repeat the above until SELinux no longer blocks it
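The "grep denied" check used both in the SELinux-commands post above and in this polipo post tells you that something was blocked, but not what a module built from those records would allow. audit2allow produces a module permitting everything in its input, so it is worth reading the grants first and stopping the loop if a denial looks unrelated to the service. The following is an added example, not code from the original notes; the sample audit records are constructed, and the source domain (init_t) and target types in them are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise the AVC denials that
# "grep denied" finds in audit.log before feeding them to audit2allow, so the
# permissions a generated module would grant can be reviewed first.

# Constructed sample audit records for the stand-alone run (not real log output;
# the source domain and target types are assumptions for illustration).
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="polipo" dest=8123 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.124:457): avc:  denied  { write } for  pid=1234 comm="polipo" name="polipo" dev="sda1" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000000.125:458): avc:  denied  { write } for  pid=1234 comm="polipo" name="polipo" dev="sda1" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1500000000.125:458): arch=c000003e syscall=2 success=no exit=-13 comm="polipo"'

# avc_summary: read audit records on stdin and print one line per distinct
# "count command source_type target_type class permissions" tuple.
avc_summary() {
    grep -E 'avc: +denied' | awk '
    {
        comm = "?"; src = "?"; tgt = "?"; cls = "?"; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # the permissions are the words between "{" and "}"
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# review_denials COMM: the same summary over the live audit log for one
# command (needs root). Run the audit2allow/semodule step only after reading
# this output; a grant on an unexpected target type is a reason to stop.
review_denials() {
    sudo grep "comm=\"$1\"" /var/log/audit/audit.log | avc_summary
}

# Stand-alone demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On the constructed sample this prints one line for the port connect and one for the two identical directory writes, which is exactly the pair of allow rules audit2allow would emit; on a real host, call review_denials polipo between the "start the service" and "add an SELinux rule" steps of each iteration.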

Start the service automatically at boot

systemctl enable polipo