  • Nginx. Как заставить работать limit_req после кэша?

    @pha Автор вопроса
    dodo512, Спасибо, это помогло.
    Добавил server_name в сервер 127.0.0.1:8080
  • Juniper теряет второй адрес на интерфейсе после срабатывания ip-monitoring. Как исправить?

    @pha Автор вопроса
    Заметил такую же ситуацию с "отвалом" IP в pfSense 2.4.4 или 2.4.5.
    Один адрес установлен на интерфейсе, а второй как "Virtual IP".

    При использовании pfSense 2.5 (на тот момент alpha, а потом beta) - такого не повторялось.

    Возможно, проблема растёт прямо из FreeBSD.
  • Как будет работать оперативная память с частотой 3200 с процессором с поддержкой 2666?

    4aki7, после чего?
    После изменения частоты - частота поменяется, после изменения таймингов - нет.
  • Как будет работать оперативная память с частотой 3200 с процессором с поддержкой 2666?

    4aki7, нельзя ставить частоту памяти в биосе выше 2666.
    На 3000, даже если вдруг такое можно выбрать, система не запустится.
    Тайминги обычно менять можно.
  • Тех. Проблемы с Ноутбуком и ОЗУ, Система Ноутбука не видит вторую планку ОЗУ. Что делать?

    В CPU-Z и AIDA64 её видно, а в BIOS — нет.

    Так и не ясно добавилось ли памяти в системе?
  • Сертификаты StartCom снова не нравятся google?

    @pha Автор вопроса
    Всё ясно, значит настало время.
    Ждем переноса этого счастья в релизную ветку и прощаемся.
  • Сертификаты StartCom снова не нравятся google?

    @pha Автор вопроса
    Получается, спустя полгода Google решился признать абсолютно все сертификаты StartCom невалидными?

    Сертификаты сайтов — от 26 февраля 2016 и 23 марта 2016, то есть раньше, чем "October 21, 2016".
  • Juniper теряет второй адрес на интерфейсе после срабатывания ip-monitoring. Как исправить?

    @pha Автор вопроса
    Настроил с использованием routing-instances — второй IP (тот, что оканчивается на 41) также теряется.
    Конфиг:
    version 12.1X46-D40.2;
    groups {
        node0 {
            system {
                host-name SRX_node0;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.3.221/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX_node1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.3.222/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    # System-level settings: management services, local syslog files and
    # configuration archive limits.
    system {
        time-zone GMT-5;
        # Empty as posted; the credentials were presumably stripped before
        # publishing -- confirm the running config sets root authentication.
        root-authentication {
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        # Empty as posted; user accounts were presumably removed for the same reason.
        login {
        }
        # Management services enabled on the device. telnet and xnm-clear-text
        # send credentials and session data unencrypted. Which networks can
        # reach them is decided by host-inbound-traffic in the security zones:
        # LAN1 and LAN999 allow `all`, the WAN zones allow only ping and ssh.
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                # Plain-HTTP web management, bound to reth1.1 (the Common-LAN unit).
                http {
                    interface reth1.1;
                }
                # HTTPS uses a certificate generated by the device itself, so
                # browsers cannot validate it against a CA.
                https {
                    system-generated-certificate;
                    interface reth1.1;
                }
            }
        }
        # Only user terminals and local files are listed; no remote syslog
        # host appears in this stanza, so logs live only on the device.
        syslog {
            archive size 1m files 10;
            user * {
                any emergency;
            }
            file messages {
                any error;
                authorization info;
            }
            # Records the interactive-commands facility at severity error only.
            # NOTE(review): routine CLI commands are normally logged at a lower
            # severity and would not land in this file -- confirm.
            file interactive-commands {
                interactive-commands error;
            }
            # Collects messages matching RT_SCREEN (events from the screen profile).
            file screen {
                any any;
                match RT_SCREEN;
            }
            # Collects messages matching RT_FLOW_SESSION. The policies shown in
            # this config use plain `permit` with no log action, so this file
            # may stay empty -- verify.
            file traffic-log {
                any any;
                match RT_FLOW_SESSION;
            }
        }
        max-configurations-on-flash 49;
        max-configuration-rollbacks 49;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        cluster {
            traceoptions {
                file cluster size 200k files 5;
                flag all;
            }
            reth-count 2;
            redundancy-group 1 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/0 weight 255;
                    ge-3/0/0 weight 255;
                }
            }
            redundancy-group 2 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/1 weight 255;
                    ge-3/0/1 weight 255;
                }
            }
            redundancy-group 0 {
                node 0 priority 254;
                node 1 priority 1;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-3/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-3/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/5;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/5;
                }
            }
        }
        lo0 {
            unit 1 {
                description LOOPBACK-FOR-SSH;
                family inet {
                    address 192.168.11.1/32;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 111 {
                vlan-id 111;
                family inet {
                    filter {
                        input INPUT;
                    }
                    address 1.1.1.40/24 {
                        primary;
                        preferred;
                    }
                    address 1.1.1.41/24;
                }
            }
            unit 222 {
                vlan-id 222;
                family inet {
                    filter {
                        input INPUT;
                    }
                    address 2.2.2.2/30;
                }
            }
        }
        reth1 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 2;
            }
            unit 1 {
                description Common-LAN;
                vlan-id 1;
                family inet {
                    address 10.0.0.1/23;
                }
            }
            unit 999 {
                description test_net;
                vlan-id 999;
                family inet {
                    address 192.168.50.1/24;
                }
            }
        }
        swfab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/4;
                }
            }
        }
        swfab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/4;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet inside;
        }
        static {
            route 0.0.0.0/0 next-table ISP1.inet.0;
        }
        rib-groups {
            inside {
                import-rib [ inet.0 ISP2.inet.0 ISP1.inet.0 ];
            }
        }
    }
    security {
        address-book {
            global {
        }
        # Screen profile SCREEN; the zones stanza attaches it to WAN-ISP1 and
        # WAN-ISP2 only. Sub-stanzas prefixed with `inactive:` are kept in the
        # config but are not applied.
        screen {
            ids-option SCREEN {
                # Not applied: ICMP sweep/fragment/large/flood/ping-death checks are off.
                inactive: icmp {
                    ip-sweep threshold 1000000;
                    fragment;
                    large;
                    flood threshold 20;
                    ping-death;
                }
                # Active: IP option and malformed-packet checks.
                ip {
                    bad-option;
                    record-route-option;
                    timestamp-option;
                    security-option;
                    stream-option;
                    source-route-option;
                    unknown-protocol;
                    tear-drop;
                }
                # Active: TCP flag anomaly checks and SYN flood protection.
                tcp {
                    syn-fin;
                    fin-no-ack;
                    tcp-no-flag;
                    syn-frag;
                    syn-ack-ack-proxy;
                    # All four thresholds share the value 30.
                    # NOTE(review): presumably per-second rates; 30 may trip on
                    # legitimate bursts -- confirm against a traffic baseline.
                    syn-flood {
                        alarm-threshold 30;
                        attack-threshold 30;
                        source-threshold 30;
                        destination-threshold 30;
                        timeout 10;
                    }
                    land;
                    winnuke;
                    tcp-sweep threshold 1000000;
                }
                # Not applied: UDP flood and sweep checks are off.
                inactive: udp {
                    flood threshold 2000;
                    udp-sweep threshold 1000000;
                }
                # Not applied: per-source and per-destination session limits are off.
                inactive: limit-session {
                    source-ip-based 100;
                    destination-ip-based 100;
                }
            }
        }
        nat {
            source {
                pool ISP1-41 {
                    address {
                        1.1.1.41/32;
                    }
                }
                pool ISP2 {
                    address {
                        2.2.2.2/32;
                    }
                }
                pool ISP1-40 {
                    address {
                        1.1.1.40/32;
                    }
                }
                rule-set SOURCE-NAT-ISP1 {
                    from routing-instance default;
                    to routing-instance ISP1;
                    rule SOURCE-NAT-ISP1-41 {
                        match {
                            source-address [ 10.0.1.22/32 10.0.1.46/32 10.0.1.3/32 ];
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP1-41;
                                }
                            }
                        }
                    }
                    rule SOURCE-NAT-ISP1-40 {
                        match {
                            source-address 10.0.0.0/23;
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP1-40;
                                }
                            }
                        }
                    }
                }
                rule-set SOURCE-NAT-ISP2 {
                    from routing-instance default;
                    to routing-instance ISP2;
                    rule SOURCE-NAT-ISP2 {
                        match {
                            source-address 10.0.0.0/23;
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP2;
                                }
                            }
                        }
                    }
                }
            }
            destination {
                rule-set DSTNAT-ISP1 {
                    from zone WAN-ISP1;
                }
                rule-set DSTNAT-ISP2 {
                    from zone WAN-ISP2;
                }
            }
        }
        # Zone-to-zone security policies. Several zone pairs below are empty
        # as posted (possibly trimmed for publishing); with no policy inside,
        # traffic for that pair falls to the default policy, which is not
        # shown on this page.
        policies {
            from-zone WAN-ISP1 to-zone LAN1 {
            }
            from-zone WAN-ISP2 to-zone LAN1 {
            }
            from-zone LAN1 to-zone LAN999 {
            }
            from-zone LAN999 to-zone LAN1 {
            }
            from-zone WAN-ISP1 to-zone LAN999 {
            }
            from-zone WAN-ISP2 to-zone LAN999 {
            }
            # Outbound via ISP1: any source, destination and application is
            # permitted, and the `then` block has no log action.
            from-zone LAN1 to-zone WAN-ISP1 {
                policy PERMITALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            # Outbound via ISP2: same permit-all rule, also without logging.
            from-zone LAN1 to-zone WAN-ISP2 {
                policy PERMITALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            # Intra-zone traffic inside LAN1 (which holds reth1.1 and lo0.1)
            # is permitted without restriction.
            from-zone LAN1 to-zone LAN1 {
                policy PERMITALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        # Security zones: interface membership plus host-inbound-traffic,
        # i.e. which services on the device itself each zone may reach.
        zones {
            # ISP1 uplink. Screen profile SCREEN is applied. ping and ssh to
            # the device are allowed at zone level, but the INPUT filter on
            # reth0.111 discards TCP/ssh addressed to 1.1.1.40 and 1.1.1.41,
            # so `ssh` here only matters for other destination addresses.
            security-zone WAN-ISP1 {
                screen SCREEN;
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    reth0.111;
                }
            }
            # ISP2 uplink, same settings; the INPUT filter on reth0.222
            # discards TCP/ssh addressed to 2.2.2.2.
            security-zone WAN-ISP2 {
                screen SCREEN;
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    reth0.222;
                }
            }
            # `all` exposes every enabled system service to this zone,
            # including the telnet, xnm-clear-text and plain-HTTP management
            # enabled under system services. No screen is applied here.
            security-zone LAN1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.1;
                    lo0.1;
                }
            }
            # Same `all`/`all` exposure for reth1.999 (described as test_net);
            # listing only the services this network needs would narrow it.
            security-zone LAN999 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.999;
                }
            }
        }
    }
    # Stateless IPv4 filter. The interfaces stanza applies it as an input
    # filter on reth0.111 and reth0.222.
    firewall {
        family inet {
            filter INPUT {
                # Silently drops TCP to the ssh port when the destination is
                # one of the three addresses configured on the reth0 units.
                # The term has no count or log action, so dropped attempts
                # leave no trace; adding a `count` action would give visibility.
                # NOTE(review): an interface input filter also sees transit
                # packets, so ssh forwarded through these addresses by
                # destination NAT would be dropped too -- confirm intended.
                term SSH_DENY {
                    from {
                        destination-address {
                            1.1.1.40/32;
                            1.1.1.41/32;
                            2.2.2.2/32;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                # Everything else passes this filter; zone policies and
                # host-inbound-traffic still decide what is finally allowed.
                term DEFAULT {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        ISP1 {
            instance-type virtual-router;
            interface reth0.111;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }
                static {
                    route 0.0.0.0/0 next-hop 2.2.2.254;
                }
            }
        }
        ISP2 {
            instance-type virtual-router;
            interface reth0.222;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }
                static {
                    route 0.0.0.0/0 next-hop 2.2.2.1;
                }
            }
        }
    }
    services {
        rpm {
            probe ISP {
                test PINGTEST-GOOGLE {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 30;
                    source-address 1.1.1.40;
                    routing-instance ISP1;
                    thresholds {
                        successive-loss 10;
                    }
                }
                test PINGTEST-YANDEX {
                    probe-type icmp-ping;
                    target address 77.88.8.1;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 30;
                    source-address 1.1.1.40;
                    routing-instance ISP1;
                    thresholds {
                        successive-loss 10;
                    }
                }
            }
        }
        ip-monitoring {
            policy ISP {
                match {
                    rpm-probe ISP;
                }
                then {
                    preferred-route {
                        routing-instances ISP1 {
                            route 0.0.0.0/0 {
                                next-hop 2.2.2.1;
                            }
                        }
                    }
                }
            }
        }
    }
  • Juniper теряет второй адрес на интерфейсе после срабатывания ip-monitoring. Как исправить?

    @pha Автор вопроса
    Ivan:
    version 12.1X46-D40.2;
    groups {
        node0 {
            system {
                host-name SRX_node0;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.3.221/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX_node1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.3.222/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    # System-level settings: accounts, management services, local syslog
    # files, configuration archive limits and NTP.
    system {
        time-zone GMT-5;
        # Empty string as posted; the hash was presumably blanked before
        # publishing -- confirm the running config carries a real value.
        root-authentication {
            encrypted-password "";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            # Single local account with the super-user class; its password
            # hash is blanked in the post as well.
            user me {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "";
                }
            }
        }
        # Management services enabled on the device. telnet and xnm-clear-text
        # send credentials and session data unencrypted. Which networks can
        # reach them is decided by host-inbound-traffic in the security zones:
        # LAN1 and LAN999 allow `all`, the WAN zone allows only ping and ssh.
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                # Plain-HTTP web management, bound to reth1.1 (the Common-LAN unit).
                http {
                    interface reth1.1;
                }
                # HTTPS uses a certificate generated by the device itself, so
                # browsers cannot validate it against a CA.
                https {
                    system-generated-certificate;
                    interface reth1.1;
                }
            }
        }
        # Only user terminals and local files are listed; no remote syslog
        # host appears in this stanza, so logs live only on the device.
        syslog {
            archive size 1m files 10;
            user * {
                any emergency;
            }
            file messages {
                any error;
                authorization info;
            }
            # Records the interactive-commands facility at severity error only.
            # NOTE(review): routine CLI commands are normally logged at a lower
            # severity and would not land in this file -- confirm.
            file interactive-commands {
                interactive-commands error;
            }
            # Collects messages matching RT_SCREEN (events from the screen profile).
            file screen {
                any any;
                match RT_SCREEN;
            }
            # Collects messages matching RT_FLOW_SESSION; this only fills up
            # if some policy logs sessions -- the visible ones do not.
            file traffic-log {
                any any;
                match RT_FLOW_SESSION;
            }
        }
        max-configurations-on-flash 49;
        max-configuration-rollbacks 49;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        # One NTP server; no authentication key is configured in this stanza.
        ntp {
            server 10.10.1.10;
        }
    }
    chassis {
        cluster {
            traceoptions {
                file cluster size 200k files 5;
                flag all;
            }
            reth-count 2;
            redundancy-group 1 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/0 weight 255;
                    ge-3/0/0 weight 255;
                }
            }
            redundancy-group 2 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/1 weight 255;
                    ge-3/0/1 weight 255;
                }
            }
            redundancy-group 0 {
                node 0 priority 254;
                node 1 priority 1;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-3/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-3/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/5;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/5;
                }
            }
        }
        lo0 {
            unit 1 {
                description LOOPBACK-FOR-SSH;
                family inet {
                    address 192.168.11.1/32;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 111 {
                description ISP1;
                vlan-id 111;
                family inet {
                    filter {
                        input INPUT;
                    }
                    address 1.1.1.40/24;{
                        preferred;
                    }
                    address 1.1.1.41/24;
                }
            }
            unit 222 {
                description ISP2;
                vlan-id 222;
                family inet {
                    filter {
                        input INPUT;
                    }
                    address 2.2.2.2/30;
                }
            }
        }
        reth1 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 2;
            }
            unit 1 {
                description Common-LAN;
                vlan-id 1;
                family inet {
                    address 10.1.0.1/23;
                }
            }
            unit 999 {
                description test_net;
                vlan-id 999;
                family inet {
                    address 192.168.50.1/24;
                }
            }
        }
        swfab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/4;
                }
            }
        }
        swfab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/4;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 1.1.1.254;
                metric 50;
            }
        }
    }
    security {
        screen {
            ids-option SCREEN {
                inactive: icmp {
                    ip-sweep threshold 1000000;
                    fragment;
                    large;
                    flood threshold 20;
                    ping-death;
                }
                ip {
                    bad-option;
                    record-route-option;
                    timestamp-option;
                    security-option;
                    stream-option;
                    source-route-option;
                    unknown-protocol;
                    tear-drop;
                }
                tcp {
                    syn-fin;
                    fin-no-ack;
                    tcp-no-flag;
                    syn-frag;
                    syn-ack-ack-proxy;
                    syn-flood {
                        alarm-threshold 30;
                        attack-threshold 30;
                        source-threshold 30;
                        destination-threshold 30;
                        timeout 10;
                    }
                    land;
                    winnuke;
                    tcp-sweep threshold 1000000;
                }
                inactive: udp {
                    flood threshold 2000;
                    udp-sweep threshold 1000000;
                }
                inactive: limit-session {
                    source-ip-based 100;
                    destination-ip-based 100;
                }
            }
        }
        nat {
            source {
                pool ISP1-41 {
                    address {
                        1.1.1.41/32;
                    }
                }
                pool ISP2 {
                    address {
                        2.2.2.2/32;
                    }
                }
                pool ISP1-40 {
                    address {
                        1.1.1.40/32;
                    }
                }
                rule-set SOURCE-NAT-ISP1 {
                    from zone LAN1;
                    to interface reth0.111;
                    rule SOURCE-NAT-ISP1-41 {
                        match {
                            source-address [ 10.1.1.22/32 ];
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP1-41;
                                }
                            }
                        }
                    }
                    rule SOURCE-NAT-ISP1-40 {
                        match {
                            source-address 10.1.0.0/23;
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP1-40;
                                }
                            }
                        }
                    }
                }
                rule-set SOURCE-NAT-ISP2 {
                    from zone LAN1;
                    to interface reth0.222;
                    rule SOURCE-NAT-ISP2 {
                        match {
                            source-address 10.1.0.0/23;
                        }
                        then {
                            source-nat {
                                pool {
                                    ISP2;
                                }
                            }
                        }
                    }
                }
            }
            destination {
                rule-set DSTNAT {
                    from zone WAN;
    		.........
                }
            }
        }
        policies {
            from-zone WAN to-zone LAN1 {
    		.........
            }
            from-zone LAN1 to-zone LAN999 {
            }
            from-zone LAN999 to-zone LAN1 {
            }
            from-zone WAN to-zone LAN999 {
            }
            from-zone LAN1 to-zone WAN {
                policy PERMITALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone LAN1 to-zone LAN1 {
                policy PERMITALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        # Security zones: interface membership plus host-inbound-traffic,
        # i.e. which services on the device itself each zone may reach.
        zones {
            # Both ISP uplinks share one zone. Screen profile SCREEN is
            # applied. ping and ssh to the device are allowed at zone level,
            # but the INPUT filter on reth0.111 and reth0.222 discards TCP/ssh
            # addressed to 1.1.1.40, 1.1.1.41 and 2.2.2.2, so `ssh` here only
            # matters for other destination addresses.
            security-zone WAN {
                screen SCREEN;
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    reth0.111;
                    reth0.222;
                }
            }
            # `all` exposes every enabled system service to this zone,
            # including the telnet, xnm-clear-text and plain-HTTP management
            # enabled under system services. No screen is applied here.
            security-zone LAN1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.1;
                    lo0.1;
                }
            }
            # Same `all`/`all` exposure for reth1.999 (described as test_net);
            # listing only the services this network needs would narrow it.
            security-zone LAN999 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.999;
                }
            }
        }
    }
    # Stateless IPv4 filter. The interfaces stanza applies it as an input
    # filter on reth0.111 and reth0.222.
    firewall {
        family inet {
            filter INPUT {
                # Silently drops TCP to the ssh port when the destination is
                # one of the three addresses configured on the reth0 units.
                # The term has no count or log action, so dropped attempts
                # leave no trace; adding a `count` action would give visibility.
                # NOTE(review): an interface input filter also sees transit
                # packets, so ssh forwarded through these addresses by
                # destination NAT would be dropped too -- confirm intended.
                term SSH_DENY {
                    from {
                        destination-address {
                            1.1.1.40/32;
                            1.1.1.41/32;
                            2.2.2.2/32;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                # Everything else passes this filter; zone policies and
                # host-inbound-traffic still decide what is finally allowed.
                term DEFAULT {
                    then accept;
                }
            }
        }
    }
    services {
        rpm {
            probe ISP {
                test PINGTEST-GOOGLE {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 30;
                    thresholds {
                        successive-loss 10;
                    }
                    destination-interface reth0.111;
                    next-hop 1.1.1.254;
                }
                test PINGTEST-YANDEX {
                    probe-type icmp-ping;
                    target address 77.88.8.1;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 30;
                    thresholds {
                        successive-loss 10;
                    }
                    destination-interface reth0.111;
                    next-hop 1.1.1.254;
                }
            }
        }
        ip-monitoring {
            policy ISP {
                match {
                    rpm-probe ISP;
                }
                then {
                    preferred-route {
                        route 0.0.0.0/0 {
                            next-hop 2.2.2.1;
                        }
                    }
                }
            }
        }
    }