Alpine Linux - User contributions [en]

Generating SSL certs with ACF

2011-06-08T17:35:59Z

Jjamesjohnson: /* Acf-openssl */

=Creating SSL certs using ACF=
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?
Alpine, via ACF, has a nice web interface to use for this sort of job...

==Installation Process==
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.

===Install Alpine ===
Link below to the standard document...

[[Installing_Alpine]]

=== Install and Configure ACF ===
Run the following command:
This will install the web front end to Alpine Linux, called ACF.

<tt>/sbin/setup-acf</tt>

Install acf-openssl

<tt>apk add acf-openssl</tt>

Browse to your computer https://ipaddr/

Login as root.

Click on the User Management tab and create yourself an account.

=== Acf-openssl ===

From the navigation bar on the left, under the Applications section, click the Certificate Authority link.

If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx).

From the Status tab, Click Configure(to remove most of the error messages).

If you do not have a CA, To generate a new CA certificate:
Click the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it then Click Save.
Click the Status tab. Input values for the input boxes to generate a CA and click Generate.

=== Generate a certificate with ACF ===
==== Request Form ====
Provided Fields:
* Country Name (2 letter abbreviation)
* Locality Name (e.g. city)
* Organization Name
* Common Name (eg, the certificate CN)
* Email Address
* Multiple Organizational Unit Name (eg, division)
* Certificate Type

A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be
<tt>[v3_req]</tt>

You could put in here:
* subjectAltName ="IP:192.168.1.1"
* subjectAltName ="DNS:192.168.1.10"

Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information:
* crlDistributionPoints=URI:http://whatever.com/whatever.crl

Once this form has been filled out and the password entered click submit.

==== View ====
Go to the View tab after you have the request form submitted. The view tab will show you pending requests for certificates. Also available from this tab are already approved requests (generated certs), revoked certs, and the CRL.

For a Pending request, make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mis-types or spelling mistakes, Approve the request.

The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.

==== Extract PFX certificate ====
To get the CA CERT

<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt>

To get the Private Key

<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt>

To get the Certificate

<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt>

Display the cert or key readable/text format

<tt>openssl x509 -in mycert.pem -noout -text</tt>

====OpenSSL command line to create your CA ====
The following command will need a password. Make sure to remember this.

<tt>openssl genrsa -des3 -out server.key 2048 </tt>

<tt>openssl req -new -key server.key -out server.csr</tt>

<tt>openssl rsa -in server.key. -out server.pem</tt>

<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt>

<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt>

===Edits to /etc/ssl/openssl-ca-acf.cnf ===
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.

<tt>3.subjectAltName = Assigned IP Address </tt>

<tt>3.subjectAltName_default = 192.168.1.1/32</tt>

Generating SSL certs with ACF

2011-06-08T17:23:09Z

Jjamesjohnson: /* View */

=Creating SSL certs using ACF=
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?
Alpine, via ACF, has a nice web interface to use for this sort of job...

==Installation Process==
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.

===Install Alpine ===
Link below to the standard document...

[[Installing_Alpine]]

=== Install and Configure ACF ===
Run the following command:
This will install the web front end to Alpine Linux, called ACF.

<tt>/sbin/setup-acf</tt>

Install acf-openssl

<tt>apk add acf-openssl</tt>

Browse to your computer https://ipaddr/

Login as root.

Click on the User Management tab and create yourself an account.

=== Acf-openssl ===

Under the Applications section you should now have a Certificate Authority link. Click on this.

It should open with the Status tab. You will see a lot of red error messages. Click Configure to configure the environment (and remove most of the error messages).

If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx).

To generate a new CA certificate:
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it.
Click Save.
Go back to the Status tab. Input values for the input boxes to generate a CA.
Click Generate.

=== Generate a certificate with ACF ===
==== Request Form ====
Provided Fields:
* Country Name (2 letter abbreviation)
* Locality Name (e.g. city)
* Organization Name
* Common Name (eg, the certificate CN)
* Email Address
* Multiple Organizational Unit Name (eg, division)
* Certificate Type

A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be
<tt>[v3_req]</tt>

You could put in here:
* subjectAltName ="IP:192.168.1.1"
* subjectAltName ="DNS:192.168.1.10"

Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information:
* crlDistributionPoints=URI:http://whatever.com/whatever.crl

Once this form has been filled out and the password entered click submit.

==== View ====
Go to the View tab after you have the request form submitted. The view tab will show you pending requests for certificates. Also available from this tab are already approved requests (generated certs), revoked certs, and the CRL.

For a Pending request, make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mis-types or spelling mistakes, Approve the request.

The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.

==== Extract PFX certificate ====
To get the CA CERT

<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt>

To get the Private Key

<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt>

To get the Certificate

<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt>

Display the cert or key readable/text format

<tt>openssl x509 -in mycert.pem -noout -text</tt>

====OpenSSL command line to create your CA ====
The following command will need a password. Make sure to remember this.

<tt>openssl genrsa -des3 -out server.key 2048 </tt>

<tt>openssl req -new -key server.key -out server.csr</tt>

<tt>openssl rsa -in server.key. -out server.pem</tt>

<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt>

<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt>

===Edits to /etc/ssl/openssl-ca-acf.cnf ===
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.

<tt>3.subjectAltName = Assigned IP Address </tt>

<tt>3.subjectAltName_default = 192.168.1.1/32</tt>

Pllua

2011-06-02T14:16:15Z

Jjamesjohnson:

PL/Lua is an implementation of Lua as a loadable procedural language for PostgreSQL: with PL/Lua you can use PostgreSQL functions and triggers written in the Lua programming language.

= How to Install and Use PL/Lua =

# Install PL/Lua
apk add pllua
# Install PL/Lua on your database.
psql -U postgres -f /usr/share/postgresql/contrib/pllua.sql <DBNAME>

== Official Documentation ==

Official documentation is found at http://pllua.projects.postgresql.org/.

== Additional Functions ==

These functions may not be listed in other documentation, but were found by printing entries in _G in a PL/Lua trigger.
_PLVERSION PL/Lua
fromstring function:
info function:
log function:
notice function:
server table:
setshared function:
shared table:
trigger table:
warning function:

Pllua

2011-06-02T14:14:42Z

Jjamesjohnson:

= How to Install and Use PL/Lua =
PL/Lua is an implementation of Lua as a loadable procedural language for PostgreSQL: with PL/Lua you can use PostgreSQL functions and triggers written in the Lua programming language.

# Install PL/Lua
apk add pllua
# Install PL/Lua on your database.
psql -U postgres -f /usr/share/postgresql/contrib/pllua.sql <DBNAME>

== Official Documentation ==

Official documentation is found at http://pllua.projects.postgresql.org/.

== Additional Functions ==

These functions may not be listed in other documentation, but were found by printing entries in _G in a PL/Lua trigger.
_PLVERSION PL/Lua
fromstring function:
info function:
log function:
notice function:
server table:
setshared function:
shared table:
trigger table:
warning function:

IGMPproxy

2011-06-02T14:13:21Z

Jjamesjohnson:

=IPTV How to=
Internet Protocol television (IPTV) is a system through which Internet television services are delivered using the architecture and networking methods of the Internet Protocol Suite over a packet-switched network infrastructure, e.g., the Internet and broadband Internet access networks, instead of being delivered through traditional radio frequency broadcast, satellite signal, and cable television (CATV) formats.

==Installing tools==
Add alpine http repository to /etc/apk/repositories
echo http://alpine.nethq.org/alpine/v1.9/packages/testing/ >> /etc/apk/repositories
Install igmpproxy
apk add igmpproxy
Install iptables (optional, see troubleshooting)
apk add iptables
==Setup igmpproxy==
Open /etc/igmpproxy.conf in your favorite editor
nano /etc/igmpproxy.conf

Set upstream interface to your WAN interface. In my case eth0
phyint eth0 upstream ratelimit 0 threshold 1

If you know your ISPs multicast sources you should add them here. If not don't worry we'll come back here later.
altnet 88.222.0.0/16
altnet 10.0.0.0/8

Set downstream interface to your LAN interface. In my case eth1
phyint eth1 downstream ratelimit 0 threshold 1

Disable other unused interfaces
phyint lo disabled

If you haven't added multicast sources yet your igmpproxy.conf should look like this
quickleave
phyint eth0 upstream ratelimit 0 threshold 1
phyint eth1 downstream ratelimit 0 threshold 1
phyint lo disabled

Launch igmpproxy in debug mode
igmpproxy -d -v /etc/igmpproxy.conf
You should see output similar to this
RECV Membership query from 10.253.88.1 to 224.0.0.1
RECV Membership query from 10.254.88.1 to 224.0.0.1
RECV V2 member report from 88.222.27.35 to 239.255.255.250
Now we know that ISPs multicast sources are 10.x.x.x (10.0.0.0/8) and 88.222.x.x(88.222.0.0/16). We need to specify them in /etc/igmpproxy.conf right after upstream interface declaration like this
phyint eth0 upstream ratelimit 0 threshold 1
altnet 88.222.0.0/16
altnet 10.0.0.0/8

Your complete igmpproxy.conf should look like this
quickleave
phyint eth0 upstream ratelimit 0 threshold 1
altnet 88.222.0.0/16
altnet 10.0.0.0/8
phyint eth1 downstream ratelimit 0 threshold 1
phyint lo disabled

Launch igmpproxy and enjoy IPTV :)
igmpproxy /etc/igmpproxy.conf

==Troubleshooting==
* Make sure your local subnet is not same as your ISP's multicast source. 192.168.0.0/24 is probably safe bet.
* You might need to add forwarding rules to iptables
iptables -I FORWARD -s 88.222.0.0/16 -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -s 10.0.0.0/8 -d 224.0.0.0/4 -j ACCEPT
iptables -I INPUT -d 224.0.0.0/4 -j ACCEPT
* If you're using shorewall modify /etc/shorewall/shorewall.conf
MULTICAST=Yes
Add following rules to /etc/shorewall/rules
ACCEPT all fw:224.0.0.0/4
ACCEPT all net:224.0.0.0/4
ACCEPT all loc:224.0.0.0/4