기록's

SSL이 아닌 SMTP 메일 서버로 SSL 보안 연결을 제공하기 위해 stunnel을 사용할 수 있습니다. SMTP 서버는 25번 포트로 TCP 접속을 한다 가정하면, stunnel에 SSL 포트로 465로 설정하고 SSL이 아닌 포트를 25로 설정합니다.
즉 SMTPS를 사용하기 위해 사용하는 것이 Stunnel 이다.

https://docs.linuxconsulting.mn.it/notes/postfix-stunnel-smtps

/etc/init.d/stunnel

#!/bin/bash
#
# Init Script to run stunnel in daemon mode at boot time.
#
# Author: Riccardo Riva - RPM S.r.l.
# Revision 1.0  -  2010 November, 11
#
# Revision 1.1 - 2015 September, 21
#
#
# Changed definition of SEXE variable to find automatically the path of stunnel
#

#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================

#====================================================================
# Paths and variables and system checks.

# Source function library
. /etc/rc.d/init.d/functions

# Check that networking is up.
#
[ ${NETWORKING} ="yes" ] || exit 0

# Path to the executable.
#
SEXE=`which stunnel`

# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf

# Check the configuration file exists.
#
if [ ! -f $CONF ]
then
        echo "The configuration file cannot be found!"
        exit 0
fi

# Path to the lock file.
#
LOCK_FILE=/var/lock/subsys/stunnel

#====================================================================

# Run controls:

prog=$"stunnel"

RETVAL=0

# Start stunnel as daemon.
#
start() {
        if [ -f $LOCK_FILE ]
        then
                echo "stunnel is already running!"
                exit 0
        else
                echo -n $"Starting $prog: "
                $SEXE $CONF
        fi

        RETVAL=$?
        [ $RETVAL -eq 0 ] && success
        echo
        [ $RETVAL -eq 0 ] && touch $LOCK_FILE
        return $RETVAL
}

# Stop stunnel.
#
stop() {
        if [ ! -f $LOCK_FILE ]
        then
                echo "stunnel is not running!"
                exit 0

        else

                echo -n $"Shutting down $prog: "
                killproc stunnel
                RETVAL=$?
                [ $RETVAL -eq 0 ]
                rm -f $LOCK_FILE
                echo
                return $RETVAL

        fi
}

# See how we were called.
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                stop
                start
                ;;
        condrestart)
                if [ -f $LOCK_FILE ]
                then
                        stop
                        start
                        RETVAL=$?
                fi
                ;;
        status)
                status stunnel
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|condrestart|status}"
                RETVAL=1
esac

exit $RETVAL

/etc/stunnel/stunnel.conf

output=/var/log/stunnel

[smtp-tls-wrapper]
accept=127.0.0.1:11125
client=yes
sslVersion=TLSv1.2
connect=gw.test.com:465

/etc/postfix/virtual

가장 아래에 추가

root  ldap@test.co.kr

/etc/postfix/main.tf

윗부분에 
mydomain = test.co.kr

smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

/etc/postfix/sasl_passwd

[gw.test.com]:11125 'mail_sender':'Wjdqh02)@'

위 설정 후 추가로 sasl_passwd.db로 암호화 되게끔 세팅

추가로 SASL 암호화 관련 링크

https://www.spinics.net/lists/cyrus-sasl/msg02896.html

https://blog.sys4.de/cyrus-sasl-ldapdb-man-page-en.html

Docker의 보안에 대해 docker의 구조로 부팅하면 iptables를 편집하고 노출시킨 포트에 대한 접근을 허용하기 때문에 알게 모르게 포트를 모두 개방할 가능성이 있습니다.

위 문제를 해결하기 위해 Docker 부팅 후 iptables 규칙을 추가하는 방법을 기재합니다.

iptables 규칙을 추가할 셸 스크립트를 준비합니다.실행 권한도 설정.

# touch /usr/local/sbin/docker-iptables.sh
# chmod 755 /usr/local/sbin/docker-iptables.sh
# vi /usr/local/sbin/docker-iptables.sh

파일의 내용은 아래와 같이 합니다.

이 내용은 LAN(10.101.39.0/24)에서 TCP80번과 443번 포트에 접속하는 것만 허용하는 예입니다. 컨테이너가 공개하는 포트에 따라서적절히 규칙을 변경해주세요.

/usr/local/sbin/docker-iptables.sh

#!/bin/bash
 
function _iptables () {
    /sbin/iptables "$1" DOCKER-USER ! -i docker0 -o docker0 -j REJECT
    /sbin/iptables "$1" DOCKER-USER ! -i docker0 -o docker0 -s 10.101.39.0/24 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    /sbin/iptables "$1" DOCKER-USER ! -i docker0 -o docker0 -s 10.101.39.0/24 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    /sbin/iptables "$1" DOCKER-USER ! -i docker0 -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}
 
function _usage () {
    echo "usage: $0 (start|stop)" >&2
}
 
 
case "$1" in
    start)
        _iptables -I
        ;;
    stop)
        _iptables -D
        ;;
    *)
        _usage
        ;;
esac

systemd에서 docker를 시작할 때 처리에 이 셸스크립트를 실행하도록 추가합니다.

# mkdir /etc/systemd/system/docker.service.d
# vi /etc/systemd/system/docker.service.d/add_iptables.conf

[Service]
ExecStartPost=/usr/local/sbin/docker-iptables.sh start
ExecStop=/usr/local/sbin/docker-iptables.sh stop

추가한 systemd 설정을 반영합니다

# systemctl daemon-reload

마지막으로 docker 데몬을 중지, 부팅한 상태에서 각각 iptables 규칙이 변경되었는지 확인합니다.

# systemctl stop docker.service
# iptables -vnL
# systemctl start docker.service
# iptables -vnL

redash BI툴로 오픈소스이다.

bitnami 버전의 설치와 SMTP 세팅방법이다.

다운로드

wget https://bitnami.com/redirect/to/1471031/bitnami-redash-8.0.0-14-linux-x64-installer.run

권한 변경

chmod 755 bitnami-redash-8.0.0-14-linux-x64-installer.run

설치

/root/bitnami-redash-8.0.0-14-linux-x64-installer.run

[root ]# /root/bitnami-redash-8.0.0-14-linux-x64-installer.run
----------------------------------------------------------------------------
Welcome to the Bitnami Re:dash Stack Setup Wizard.

----------------------------------------------------------------------------
Select the components you want to install; clear the components you do not want
to install. Click Next when you are ready to continue.

Re:dash : Y (Cannot be edited)

Is the selection above correct? [Y/n]: y

----------------------------------------------------------------------------
Installation folder

Please, choose a folder to install Bitnami Re:dash Stack

Select a folder [/opt/redash-8.0.0-14]:

----------------------------------------------------------------------------
Create Admin account

Bitnami Re:dash Stack admin user creation

Your real name [User Name]: admin

Email Address [user@example.com]: test@naver.com

Password :
Please confirm your password :
Do you want to configure mail support? [y/N]: y

----------------------------------------------------------------------------
Configure SMTP Settings

This is required so your application can send notifications via email.

Default email provider:

[1] GMail
[2] Custom
Please choose an option [1] : 1

----------------------------------------------------------------------------
Configure SMTP Settings

This data is stored in the application configuration files and may be visible to
others. For this reason, it is recommended that you do not use your personal
account credentials.

GMail address []: test@gmail.com   ### <-- gmail 주소 입력 --> 

GMail password :   ### <-- Gmail 패스워드 입력 중요!! -->
Re-enter :
----------------------------------------------------------------------------
Web Server Port

Choose a port that is not currently in use, such as port 81.

Apache Web Server Port [81]: 18080

----------------------------------------------------------------------------
Hostname that will be used to configure Re:dash. If this value is incorrect, you
may be unable to access your Re:dash installation from other computers.

Hostname [123.123.123.123]: redash-0

----------------------------------------------------------------------------
Setup is now ready to begin installing Bitnami Re:dash Stack on your computer.

Do you want to continue? [Y/n]: y

----------------------------------------------------------------------------
Please wait while Setup installs Bitnami Re:dash Stack on your computer.

 Installing
 0% ______________ 50% ______________ 100%
 #########################################

----------------------------------------------------------------------------
Setup has finished installing Bitnami Re:dash Stack on your computer.

웹서버 학인

ps -ef | grep apache

Redash 시작 & 중지 스크립트

redash 시작 스크립트 
/opt/redash-8.0.0-14/ctlscript.sh start
재시작
/opt/redash-8.0.0-14/ctlscript.sh restart
중지
/opt/redash-8.0.0-14/ctlscript.sh stop

간단하게 OS에서 메일 테스트

mail test@gmail.com
subject : test
test 입니다

Ctrl+D 로 마지막으로 전송

파이썬을 통한 메일 테스트
python mailingTest.py

# -*- coding: utf-8 -*-
import smtplib
smtp = smtplib.SMTP('smtp.gmail.com', 587)
#smtp = smtplib.SMTP('smtp.googlemail.com', 465)
smtp.ehlo()
smtp.starttls()
smtp.login('test@gmail.com','password')
smtp.sendmail('test@gmail.com',
              'test2@gmail.com',
              'Subject: redash smtp test!')
smtp.quit()

apache port 변경

/opt/redash-8.0.0-14/apache2/conf/httpd.conf

Listen 80 -> 18080 포트 변경
ServerName syf-redash-0.cocone:18080 로 변경

환경변수 REDASH_HOST 에 포트 추가

vi ./apps/redash/htdocs/.env

Redash 설치 및 세팅 할 때 Docker Compose으로 사용

sudo yum remove docker docker-common docker-selinux docker-engine
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum -y install docker-ce docker-ce-cli containerd.io
sudo yum install -y --setopt=obsoletes=0 docker-ce docker-ce-selinux
sudo systemctl start docker && sudo systemctl enable docker
export VER="1.23.1"
sudo curl -L https://github.com/docker/compose/releases/download/${VER}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo usermod -aG docker $USER
newgrp docker
 
sudo yum -y update
curl -sL https://rpm.nodesource.com/setup_12.x | sudo bash -
sudo yum install -y nodejs
 
git clone https://github.com/getredash/redash.git
cd redash
npm install
npm run build

<-- 처음 docker로 등록시 SQL 쿼리 이슈 발생할 경우
sqlalchemy.exe 오류 발생시 (테이블이 정상적으로 생성되지 않은 경우)
sqlalchemy.exc.ProgrammingError
ProgrammingError: (psycopg2.ProgrammingError) relation “organizations” does not exist
LINE 2: FROM organizations
^
[SQL: ‘SELECT organizations.updated_at AS organizations_updated_at, organizations.created_at AS organizations_created_at, organizations.id AS organizations_id, organizations.name AS organizations_name, organizations.slug AS organizations_slug, organizations.settings AS organizations_settings \nFROM organizations \nWHERE organizations.slug = %(slug_1)s \n LIMIT %(param_1)s’] [parameters: {‘slug_1’: ‘default’, ‘param_1’: 1}] (Background on this error at:)
-->


docker-compose -f docker-compose.yml run --rm server create_db
docker-compose -f docker-compose.yml up

docker-compose.yml

SMTP 메일링 서비스는 AWS SES 사용

# This configuration file is for the **development** setup.
# For a production example please refer to getredash/setup repository on GitHub.
version: "2.2"
x-redash-service: &redash-service
  build:
    context: .
    args:
      skip_frontend_build: "true"
  volumes:
    - .:/app
x-redash-environment: &redash-environment
  REDASH_LOG_LEVEL: "INFO"
  REDASH_REDIS_URL: "redis://redis:6379/0"
  REDASH_DATABASE_URL: "postgresql://postgres@postgres/postgres"
  REDASH_RATELIMIT_ENABLED: "false"
  #REDASH_MAIL_SERVER: "localhost"
  #REDASH_MAIL_PORT : "25"
  #REDASH_MAIL_USE_TLS : "false"
  #REDASH_MAIL_USE_SSL : "false"
  #REDASH_MAIL_USERNAME: "None"
  #REDASH_MAIL_PASSWORD : "None"
  #REDASH_MAIL_DEFAULT_SENDER: "test@naver.com"
  REDASH_MAIL_SERVER: "email-smtp.ap-northeast-2.amazonaws.com"
  REDASH_MAIL_PORT : "587"
  REDASH_MAIL_USE_TLS : "true"
  #REDASH_MAIL_USE_SSL : "true"
  REDASH_MAIL_USERNAME: "AWS Access key"
  REDASH_MAIL_PASSWORD : "AWS Secret key"
  REDASH_MAIL_DEFAULT_SENDER: "test@naver.com"
  REDASH_ENFORCE_CSRF: "true" 
  REDASH_HOST : "ec2-3-37.amazonaws.com:5000"
  #REDASH_MAIL_DEFAULT_SENDER: "redash@example.com"
  #REDASH_MAIL_SERVER: "email"
  #REDASH_ENFORCE_CSRF: "true"
services:
  server:
    <<: *redash-service
    command: dev_server
    depends_on:
      - postgres
      - redis
    ports:
      - "5000:5000"
      - "5678:5678"
    environment:
      <<: *redash-environment
      PYTHONUNBUFFERED: 0
  scheduler:
    <<: *redash-service
    command: dev_scheduler
    depends_on:
      - server
    environment:
      <<: *redash-environment
  worker:
    <<: *redash-service
    command: dev_worker
    depends_on:
      - server
    environment:
      <<: *redash-environment
      PYTHONUNBUFFERED: 0
  redis:
    image: redis:3-alpine
    restart: unless-stopped
  postgres:
    image: postgres:9.5-alpine
    # The following turns the DB into less durable, but gains significant performance improvements for the tests run (x3
    # improvement on my personal machine). We should consider moving this into a dedicated Docker Compose configuration for
    # tests.
    ports:
      - "15432:5432"
    command: "postgres -c fsync=off -c full_page_writes=off -c synchronous_commit=OFF"
    restart: unless-stopped
    environment:
      POSTGRES_HOST_AUTH_METHOD: "trust"
  email:
    image: djfarrelly/maildev
    ports:
      - "1080:80"
    restart: unless-stopped

AWS SES에서 초대할 메일 계정 확인 후 redash에서 다시 초대 필요

사전 준비

• keepalived.conf편집용으로 keepalived-syntax.vim을 만든-Glide Note-글라이드 노트

syntax하이라이트로 keepalived.conf의 체크 스크립트의 설치.

syntax하이라이트인 설정

기본적으로 vim으로 syntax가 안 들어서 syntax의 플러그 인을 도입한다.

• glidenote/keepalived-syntax.vim · GitHub

일단 dot files에서 관리하지 않도록 하기 위해서 현시점에서는 /usr/share/vim files/syntax 아래에 직접 설치한다.

# wget https://raw.github.com/glidenote/keepalived-syntax.vim/master/syntax/keepalived.vim

" for keepalived
au BufRead,BufNewFile keepalived*.conf setlocal ft=keepalived

체크 스크립트

• frsyuki/keepalived-check · GitHub

git clone

# cd /etc/opt
# git clone https://github.com/frsyuki/keepalived-check.git

설치

# cd keepalived-check
# ln -fs /etc/opt/keepalived-check/keepalived-check /opt/sbin/

사용법

# keepalived-check /etc/keepalived/keepalived.conf

## 확인
pmm-admin list
Warning: The recommended upgrade process is to upgrade PMM Server first, then PMM Clients.
See Percona's instructions for upgrading at https://www.percona.com/doc/percona-monitoring-and-management/deploy/index.html#deploy-pmm-updating.
pmm-admin 1.17.2
 
PMM Server      | infra.naver
Client Name     | test.naver
Client Address  | 1.1.1.1
Service Manager | linux-systemd
 
---------------- ------------------- ----------- -------- ---------------------------- --------------------
SERVICE TYPE     NAME                LOCAL PORT  RUNNING  DATA SOURCE                  OPTIONS
---------------- ------------------- ----------- -------- ---------------------------- --------------------
mongodb:queries  test  -           YES      monitor:***@localhost:30001  query_examples=true
linux:metrics    test  42000       YES      -
mongodb:metrics  test  42003       YES      monitor:***@localhost:30001  cluster=hsd
 
## 중지 
pmm-admin stop --all
 
[root@test bin]# pmm-admin stop --all
OK, stopped 3 services.
 
 
## 확인
[root@test bin]# pmm-admin list
Warning: The recommended upgrade process is to upgrade PMM Server first, then PMM Clients.
See Percona's instructions for upgrading at https://www.percona.com/doc/percona-monitoring-and-management/deploy/index.html#deploy-pmm-updating.
pmm-admin 1.17.2
 
PMM Server      | infra.naver
Client Name     | test.naver
Client Address  | 1.1.1.1
Service Manager | linux-systemd
 
---------------- ------------------- ----------- -------- ---------------------------- --------------------
SERVICE TYPE     NAME                LOCAL PORT  RUNNING  DATA SOURCE                  OPTIONS
---------------- ------------------- ----------- -------- ---------------------------- --------------------
mongodb:queries  test  -           NO       monitor:***@localhost:30001  query_examples=true
linux:metrics    test  42000       NO       -
mongodb:metrics  test  42003       NO       monitor:***@localhost:30001  cluster=hsd
 
 
## 확인
[root@test bin]# ps -ef | grep pmm
root     13967 23503  0 20:38 pts/2    00:00:00 grep --color=auto pmm


## 시작
pmm-admin start --all

PMM(percona monitoring and management) 삭제 방법

[root@test ~]# ps -ef | grep pmm
root       778     1  0 22:02 ?        00:00:00 /bin/sh -c /usr/local/percona/pmm-client/node_exporter -web.listen-address=1.1.1.1:42000 -web.auth-file=/usr/local/percona/pmm-client/pmm.yml -web.ssl-key-file=/usr/local/percona/pmm-client/server.key -web.ssl-cert-file=/usr/local/percona/pmm-client/server.crt -collectors.enabled=diskstats,filefd,filesystem,loadavg,meminfo,netdev,netstat,stat,time,uname,vmstat,meminfo_numa,textfile >> /var/log/pmm-linux-metrics-42000.log 2>&1
root       779   778  1 22:02 ?        00:00:28 /usr/local/percona/pmm-client/node_exporter -web.listen-address=1.1.1.1:42000 -web.auth-file=/usr/local/percona/pmm-client/pmm.yml -web.ssl-key-file=/usr/local/percona/pmm-client/server.key -web.ssl-cert-file=/usr/local/percona/pmm-client/server.crt -collectors.enabled=diskstats,filefd,filesystem,loadavg,meminfo,netdev,netstat,stat,time,uname,vmstat,meminfo_numa,textfile
root       780     1  0 22:02 ?        00:00:00 /bin/sh -c /usr/local/percona/qan-agent/bin/percona-qan-agent >> /var/log/pmm-mongodb-queries-0.log 2>&1
root       784     1  0 22:02 ?        00:00:00 /bin/sh -c /usr/local/percona/pmm-client/mongodb_exporter -web.listen-address=1.1.1.1:42003 -web.auth-file=/usr/local/percona/pmm-client/pmm.yml -web.ssl-key-file=/usr/local/percona/pmm-client/server.key -web.ssl-cert-file=/usr/local/percona/pmm-client/server.crt >> /var/log/pmm-mongodb-metrics-42003.log 2>&1
root       792   784  0 22:02 ?        00:00:17 /usr/local/percona/pmm-client/mongodb_exporter -web.listen-address=1.1.1.1:42003 -web.auth-file=/usr/local/percona/pmm-client/pmm.yml -web.ssl-key-file=/usr/local/percona/pmm-client/server.key -web.ssl-cert-file=/usr/local/percona/pmm-client/server.crt
root     10670 10622  0 22:42 pts/0    00:00:00 grep --color=auto pmm

[root@test ~]# pmm-admin remove --all
OK, 3 services were removed.

[root@test ~]# ps -ef | grep pmm
root     11567 10622  0 22:47 pts/0    00:00:00 grep --color=auto pmm

[root@test ~]#

• 문제

Jenkins LDAP 구성 시 아래와 같은 에러 메시지 발생

• 해결 방법

해결을 위해 TLS1에 대한 부분 제거
 
 
vi JAVA_HOME/jre/lib/security/java.security
 
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1 ## 해당 부분의 TLS 관련 내용 삭제