西维蜀黍

【Linux】Debian

Packages

Below is an example of a /etc/apt/sources.list for Debian 11/Bullseye, which is the default source as well.

deb http://deb.debian.org/debian bullseye main
deb-src http://deb.debian.org/debian bullseye main

deb http://deb.debian.org/debian-security/ bullseye-security main
deb-src http://deb.debian.org/debian-security/ bullseye-security main

deb http://deb.debian.org/debian bullseye-updates main
deb-src http://deb.debian.org/debian bullseye-updates main
  ...


【Linux】tinycorelinux

  ...


【Network】CDN

  ...


【Network】代理(Proxy)

Proxy

正向代理 Forward Proxy (Proxy Server)

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource

Instead of connecting directly to a server that can fulfill a request for a resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

反向代理(Reverse Proxy)

In computer networks, a reverse proxy is an application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the web server itself.

Large websites and content delivery networks use reverse proxies, together with other techniques, to balance the load between internal servers. Reverse proxies can keep a cache of static content, which further reduces the load on these internal servers and the internal network. It is also common for reverse proxies to add features such as compression or TLS encryption to the communication channel between the client and the reverse proxy.

Reverse proxies are typically owned or managed by the web service, and they are accessed by clients from the public Internet. In contrast, a forward proxy is typically managed by a client (or their company) who is restricted to a private, internal network, except that the client can ask the forward proxy to retrieve resources from the public Internet on behalf of the client.

反向代理(reverse proxy),是指以代理服务器来接受internet上的连接请求,然后将请求转发给内部网络上的服务器,并将从服务器上得到的结果返回给internet上请求连接的客户端,此时代理服务器对外就表现为一个反向代理服务器。

反向代理的作用就比较多了,这里简单列举一下:

  • 保护和隐藏原始资源服务器
  • 加密和SSL加速
  • 负载均衡
  • 缓存静态内容
  • 压缩
  • 减速上传
  • 安全
  • 外网发布
  ...


【VPN】Basic

  ...


【Security】证书(Certificates)

Authorization Certificate

In computer security, an attribute certificate, or authorization certificate (AC) is a digital document containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, AC is called authorization certificate. AC is standardized in X.509. RFC 5755 further specifies the usage for authorization purpose in the Internet.

The authorization certificate works in conjunction with a public key certificate (PKC). While the PKC is issued by a certificate authority (CA) and is used as a proof of identity of its holder like a passport, the authorization certificate is issued by an attribute authority (AA) and is used to characterize or entitle its holder like a visa. Because identity information seldom changes and has a long validity time while attribute information frequently changes or has a short validity time, separate certificates with different security rigours, validity times and issuers are necessary.

Certificate Authority (CA)

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents

Intermediate CA certificate

A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.

Self-signed and root certificates

A self-signed certificate is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.

For most purposes, such a self-signed certificate is worthless. However, the digital certificate chain of trust starts with a self-signed certificate, called a “root certificate,” “trust anchor,” or “trust root.” A certificate authority self-signs a root certificate to be able to sign other certificates.

An intermediate certificate has a similar purpose to the root certificate; its only use is to sign other certificate. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate need to sign it. An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.

PKIs (public key infrastructure)

Large organizations or government bodies may have their own PKIs (public key infrastructure), each containing their own CAs. Any site using self-signed certificates acts as its own CA.

Conversion

# Convert a certificate between binary DER encoding (.cer) and textual PEM encoding
$ openssl x509 -inform der -in output.cer -out my_output.pem

# convert crt files to PEM certs 
$ openssl x509 -inform DER -in name.crt -out my.pem -outform PEM

# .cert to .crt
$ openssl x509 -inform PEM -in <filepath>/certificate.cert -out certificate.crt

# .cer to .p12
openssl pkcs12 -export -clcerts -in client-cert.cer -inkey client-key.key -out client.p12

# Convert .pem with No password to cert.p12
$ openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem -passout pass: -nokeys

# Create a pkcs12 file by .pem + a private key
openssl pkcs12 -export -out cert.p12 -in my.pem -inkey key.key
  ...


【VPN】Dynamic Split Tunneling

Split Tunneling

Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a Local Area Network (LAN) Network Interface Card (NIC), radio NIC, Wireless Local Area Network (WLAN) NIC, and VPN client software application without the benefit of access control.

For example, suppose a user utilizes a remote access VPN software client connecting to a corporate network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network. However, not every VPN allows split tunneling. Some VPNs with split tunneling include Private Internet Access (PIA), ExpressVPN, and Surfshark.

Context

In mycompany.com we have a lot of internal networks that are available only via VPN.

These are on the same domain mycompany.com, but in different networks:

10.165.248.252 - git.mycompany.com
10.236.142.18 - jira.mycompany.com
152.68.167.141 - test.mycompany.com

Is there any possibility to provide the top level domain (mycompany.com) instead of single links in domain for vpn tunneling? e.g. instead of providing single subdomains

  • git.mycompany.com
  • jira.mycompany.com
  • test.mycompany.com
  ...


【Network】暴力穷举 Subdomains

Websites

  ...


【Network】软路由

硬件选择

Intel NUC 11 NUC11PAHi7

CPU

  • Intel Core i7-1165G7:
  • 4 cores, 8 threads
  • Base clock: 2.8 GHz
  • Max Turbo Frequency: 4.7 GHz
  • 12MB Intel Smart Cache
  • 10nm SuperFin technology

Memory:

  • Dual-channel DDR4-3200 SO-DIMM slots
  • ‎16 GB DDR4
  • Supports up to 64GB of RAM (2 x 32GB)

Storage:

  • M.2 22x80 key M slot** for NVMe or SATA SSD
    • Cur: ‎512 GB SSD
  • 2.5-inch SATA3 drive bay for additional SSD or HDD (up to 9.5mm thickness)

Networking:

  • Intel Wi-Fi 6 AX201 (802.11ax)

  • Bluetooth 5.2

  • 2.5 Gigabit Ethernet (RJ-45 port)

CPU选择

不考虑

  • J1900
  • 3865U
  • 4205U 2C/2T
    • 2G内存,16G SSD -> 1090
  • 5205U 2C/2T

考虑的

大CPU

  • i3-8130U(双核四线程,8代CPU,2.2GHz)
    • 8G内存,64G SSD,千兆 1750
    • 16G内存,126G SSD硬盘 -> 2050
  • i5-8250U(四核八线程)

小CPU

  ...


【VPN】OpenConnect

Install

# macOS
$ brew install openconnect
# Ubuntu
$ sudo apt-get install openconnect
  ...