Search Results for no ip org

EdgeRouter Policy Based Routing Using DNSMASQ IPSET

之前用SNIProxy按域名区分流量，着实麻烦。尤其是后期发现路由表莫名其妙出问题。 EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。官方有两篇教程： EdgeRouter – Policy-based routing for destination port EdgeRouter – Policy-based routing (source address based) 第二篇文章顺带提了network-group。之前在配置VPN时，使用过network-group，还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。而，这里的network-group的实现，使用了netfilter的ipset。Man pages可以看这里，命令在edgerouter上也附带了。 dnsmasq支持 ‘–ipset‘ 参数，把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档。 dnsmasq配置的语法比较简单。

--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

1	--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

domain 部分参考 address 的语法。例如：

ipset=/.sskaje.me/MY_SET
ipset=/test.com/MY_SET

1 2	ipset=/.sskaje.me/MY_SET ipset=/test.com/MY_SET

配置好所有自己需要的域名，重启dnsmasq即可。 ipset本身支持timeout，但是edge os的network-group不支持，所以在配置dnsmasq之前，最好创建一个新的network-group。假定新建的ipset名叫 MY_SET，edge router的主要相关配置如下：

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify
set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET
set firewall modify AUTO_VPN rule 20 modify table 4
set firewall modify AUTO_VPN rule 20 protocol all

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify

set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET

set firewall modify AUTO_VPN rule 20 modify table 4

set firewall modify AUTO_VPN rule 20 protocol all

其他诸如配置 static table, interface firewall 可以参考最前边的文档。 Incoming search terms:edgemax Source Based … Continue reading “EdgeRouter Policy Based Routing Using DNSMASQ IPSET”

Nginx 特定 IP 需要认证

文档: satisfy 参数 all 表示，所有条件都得满足；参数 any 表示，任一条件满足即可。所包含的条件包括 ngx_http_access_module, ngx_http_auth_basic_module, ngx_http_auth_request_module, 和 ngx_http_auth_jwt_module 这4个模块。

satisfy any;

deny 192.168.1.1/32;
allow 192.168.1.0/24;
deny all;

auth_basic "auth required";
auth_basic_user_file /etc/nginx/external.passwd;


location @auth_failure {
        if ($http_authorization != "") {
                rewrite ^ http://sskaje.me/error.html redirect;
        }
}

error_page 401 = @auth_failure;

satisfy any;

deny 192.168.1.1/32;

allow 192.168.1.0/24;

deny all;

auth_basic "auth required";

auth_basic_user_file /etc/nginx/external.passwd;

location @auth_failure {

if ($http_authorization != "") {

rewrite ^ http://sskaje.me/error.html redirect;

}

error_page 401 = @auth_failure;

上述配置还处理了认证失败的跳转。这个配置可以保存成独立的 .conf 文件，在 server {} 里 include。 Link to this post!

Build SNIProxy Debian Package for EdgeRouter

SNIProxy的最新版0.4.0，上一次提交已经很久以前了，建议直接使用github库里的代码。官方github：https://github.com/dlundquist/sniproxy 我的fork：https://github.com/sskaje/sniproxy 如前文所说，Debian Wheezy已经LTS了，所以从依赖开始。不过，我没有去配交叉编译的环境，而是直接qemu装了两个虚拟机，一个mips（给EdgeRouter Lite），一个mipsel（给EdgeRouter X），具体方法可以参考之前的blog：Install Debian MIPS and Debian PowerPC on OSX。好处是，闭着眼睛就可以配构件环境；坏处是，慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢慢到死了。以mips为例，mipsel一模一样。构件环境不说了。先编译 libudns。 udns的官方包里没有debian的打包配置，所以我直接从debian官方包列表的链接里下载，下载地址在：https://packages.debian.org/source/sid/udns 三个文件都下，用到的是两个tarball。

# tar xvf udns-0.4.tar.gz 
# cd udns-0.4/
# tar xvf ../udns_0.4-1.debian.tar.gz 
# dpkg-buildpackage -us -uc

# tar xvf udns-0.4.tar.gz

# cd udns-0.4/

# tar xvf ../udns_0.4-1.debian.tar.gz

# dpkg-buildpackage -us -uc

按上述命令执行完之后，deb包会出现在上一级目录，生成的文件包括： libudns0_0.4-1_mips.deb libudns-dev_0.4-1_mips.deb udns-utils_0.4-1_mips.deb udns_0.4-1_mips.changes 其中，libudns-dev_0.4-1_mips.deb 直接安装在开发环境，libudns0_0.4-1_mips.deb 装在路由上。

dpkg -i libudns-dev_0.4-1_mips.deb

1	dpkg -i libudns-dev_0.4-1_mips.deb

然后编译sniproxy git clone 之后，同样进目录执行

dpkg-buildpackage -us -uc

1	dpkg-buildpackage -us -uc

Link to this post!

Ubnt EdgeRouter Lite 和 EdgeRouter X 上安装使用SNIProxy

EdgerRouter Lite和EdgerRouter X使用的固件版本 1.9.0 是基于debian wheezy的，但是debian wheezy现在已经进入LTS了，mips和mipsel不在官方的维护架构里，以至于现在无法使用官方的apt更新debian-security，而且在ubnt的路由上，安装很多开发库都没法搞了。 EdgerRoute Lite 使用的是mips64，debian源里需要用 mips 的包；而 EdgeRoute X 使用的是mipsel。使用lscpu看CPU的信息： EdgeRouter Lite

Architecture:          mips64
Byte Order:            Big Endian
CPU(s):                2
On-line CPU(s) list:   0,1
Thread(s) per core:    1
Core(s) per socket:    1
Socket(s):             2
L1d cache:             16K
L1i cache:             32K
L2 cache:              128K

Architecture: mips64

Byte Order: Big Endian

CPU(s): 2

On-line CPU(s) list: 0,1

Thread(s) per core: 1

Core(s) per socket: 1

Socket(s): 2

L1d cache: 16K

L1i cache: 32K

L2 cache: 128K

EdgeRouter X

Architecture:          mips
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    2
Core(s) per socket:    2
Socket(s):             1

Architecture: mips

Byte Order: Little Endian

CPU(s): 4

On-line CPU(s) list: 0-3

Thread(s) per core: 2

Core(s) per socket: 2

Socket(s): 1

准备编译libudns和sniproxy 待补充。我已经把构建好的包发到了 http://dl.sskaje.me/debian/。 SSH登录ER

ubnt@ubnt:~$ sudo su
root@ubnt:/home/ubnt# cd /tmp/
root@ubnt:/tmp#

ubnt@ubnt:~$ sudo su

root@ubnt:/home/ubnt# cd /tmp/

root@ubnt:/tmp#

下载软件 EdgeRouter Lite 请使用mips

# 下载编译好的mips库
wget http://dl.sskaje.me/debian/mips/libudns0_0.4-1_mips.deb http://dl.sskaje.me/debian/mips/udns-utils_0.4-1_mips.deb http://dl.sskaje.me/debian/mips/sniproxy_0.4.0_mips.deb
# 下载 libev4
wget https://ftp2.cn.debian.org/debian/pool/main/libe/libev/libev4_4.11-1_mips.deb

# 下载编译好的mips库

wget http://dl.sskaje.me/debian/mips/libudns0_0.4-1_mips.deb http://dl.sskaje.me/debian/mips/udns-utils_0.4-1_mips.deb http://dl.sskaje.me/debian/mips/sniproxy_0.4.0_mips.deb

# 下载 libev4

wget https://ftp2.cn.debian.org/debian/pool/main/libe/libev/libev4_4.11-1_mips.deb

EdgeRouter X 请使用mipsel

# 下载编译好的mipsel库
wget http://dl.sskaje.me/debian/mipsel/libudns0_0.4-1_mipsel.deb http://dl.sskaje.me/debian/mipsel/udns-utils_0.4-1_mipsel.deb http://dl.sskaje.me/debian/mipsel/sniproxy_0.4.0_mipsel.deb
# 下载 libev4 
wget https://ftp2.cn.debian.org/debian/pool/main/libe/libev/libev4_4.11-1_mipsel.deb

# 下载编译好的mipsel库

wget http://dl.sskaje.me/debian/mipsel/libudns0_0.4-1_mipsel.deb http://dl.sskaje.me/debian/mipsel/udns-utils_0.4-1_mipsel.deb http://dl.sskaje.me/debian/mipsel/sniproxy_0.4.0_mipsel.deb

# 下载 libev4

wget https://ftp2.cn.debian.org/debian/pool/main/libe/libev/libev4_4.11-1_mipsel.deb

安装

root@ubnt:/tmp# dpkg -i *.deb
(Reading database ... 37513 files and directories currently installed.)
Preparing to replace libev4 1:4.11-1 (using libev4_4.11-1_mips.deb) ...
Unpacking replacement libev4 ...
Selecting previously unselected package libudns0:mips.
Unpacking libudns0:mips (from libudns0_0.4-1_mips.deb) ...
Selecting previously unselected package sniproxy.
Unpacking sniproxy (from sniproxy_0.4.0_mips.deb) ...
Selecting previously unselected package udns-utils.
Unpacking udns-utils (from udns-utils_0.4-1_mips.deb) ...
Setting up libev4 (1:4.11-1) ...
Setting up libudns0:mips (0.4-1) ...
Setting up sniproxy (0.4.0) ...
Setting up udns-utils (0.4-1) ...

root@ubnt:/tmp# dpkg -i *.deb

(Reading database ... 37513 files and directories currently installed.)

Preparing to replace libev4 1:4.11-1 (using libev4_4.11-1_mips.deb) ...

Unpacking replacement libev4 ...

Selecting previously unselected package libudns0:mips.

Unpacking libudns0:mips (from libudns0_0.4-1_mips.deb) ...

Selecting previously unselected package sniproxy.

Unpacking sniproxy (from sniproxy_0.4.0_mips.deb) ...

Selecting previously unselected package udns-utils.

Unpacking udns-utils (from udns-utils_0.4-1_mips.deb) ...

Setting up libev4 (1:4.11-1) ...

Setting up libudns0:mips (0.4-1) ...

Setting up sniproxy (0.4.0) ...

Setting up udns-utils (0.4-1) ...

配置请参考官方文档。按我的需求，官方的功能没法满足，所以我对官方的源码做了一些改动，具体可见 https://github.com/sskaje/sniproxy。使用首先修改 /etc/default/sniproxy，这样才可以使用init的脚本启动

# Defaults for sniproxy initscript

# This file has two functions:
# 1) to completely disable starting sniproxy,
# 2) to select an alternative config file
#    by setting DAEMON_ARGS to -c <file>

# Additional options that are passed to the Daemon.
DAEMON_ARGS="-c /etc/sniproxy.conf"

# Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.
ENABLED=1

# Defaults for sniproxy initscript

# This file has two functions:

# 1) to completely disable starting sniproxy,

# 2) to select an alternative config file

# by setting DAEMON_ARGS to -c <file>

# Additional options that are passed to the Daemon.

DAEMON_ARGS="-c /etc/sniproxy.conf"

# Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.

ENABLED=1

启动

/etc/init.d/sniproxy start

1	/etc/init.d/sniproxy start

Incoming search terms:ubnt er-xits742wantn67tears72uspirito4rslidei2ksafeibaqueenn3npracticeps1opportunitygcoluckrcfadult2syinteriori97flies8stfather8v7edgerouterx ipv6edgerouterxedgerouter x … Continue reading “Ubnt EdgeRouter Lite 和 EdgeRouter X 上安装使用SNIProxy”

Install Debian MIPS and Debian PowerPC on OSX

I tried MacPorts, but its qemu does not have qemu-system-ppc or qemu-system-mips. Even though, I have qemu installed under macports, if you see any dependency missing, try to port install qemu and then uninstall. OSX 10.11.5 Xcode Install QEMU Download 2.6.0 from Qemu.org, configure and make like:

# ./configure --enable-cocoa --target-list=arm-softmmu,i386-softmmu,mips-softmmu,mips64-softmmu,ppc-softmmu,ppc64-softmmu,x86_64-softmmu
# make -j 8
# make install

# ./configure --enable-cocoa --target-list=arm-softmmu,i386-softmmu,mips-softmmu,mips64-softmmu,ppc-softmmu,ppc64-softmmu,x86_64-softmmu

# make -j 8

# make install

I did not see any error, Google … Continue reading “Install Debian MIPS and Debian PowerPC on OSX”