gfwleak/solutions-tsg-scripts
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'tsg-version20.11.rc1-deploy-firewall' of https://git.mesalab.cn/tsg/tsg-scripts into tsg-version20.11.rc1-deploy-firewall

Browse Source 
# Conflicts:
#	roles/firewall/tasks/main.yml
This commit is contained in:
liuxueli
2020-10-16 09:55:34 +08:00
parent b2c9836677 44885b6f02
commit 27f242ec8f
21 changed files with 112 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
install_config/group_vars/adc_global.yml
View File

@@ -46,10 +46,13 @@ capture_packet_log_level: 10
tsg_log_level: 10 tsg_log_level: 10
tsg_master_log_level: 10 tsg_master_log_level: 10
kni_log_level: 10 kni_log_level: 10
tfe_log_level: 10
tfe_http_log_level: 10 #日志等级 DEBUG INFO FATAL
pangu_log_level: 10 tfe_log_level: DEBUG
doh_log_level: 10 tfe_http_log_level: DEBUG
pangu_log_level: DEBUG
doh_log_level: DEBUG
certstore_log_level: 10 certstore_log_level: 10
clotho_log_level: 10 clotho_log_level: 10

12
install_config/group_vars/server_as_tun_mode.yml
View File

@@ -51,10 +51,14 @@ capture_packet_log_level: 10
tsg_log_level: 10 tsg_log_level: 10
tsg_master_log_level: 10 tsg_master_log_level: 10
kni_log_level: 10 kni_log_level: 10
tfe_log_level: 10
tfe_http_log_level: 10
pangu_log_level: 10 #日志等级 DEBUG INFO FATAL
doh_log_level: 10 tfe_log_level: DEBUG
tfe_http_log_level: DEBUG
pangu_log_level: DEBUG
doh_log_level: DEBUG
certstore_log_level: 10 certstore_log_level: 10
clotho_log_level: 10 clotho_log_level: 10

BIN
roles/app_global/files/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm Normal file
View File

Binary file not shown.

BIN
roles/app_global/files/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm
View File

Binary file not shown.

7
roles/app_global/tasks/main.yml
View File

@@ -7,7 +7,7 @@
yum: yum:
name: name:
- /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
- /tmp/ansible_deploy/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm - /tmp/ansible_deploy/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm
state: present state: present
- name: "template the app_sketch_global.conf" - name: "template the app_sketch_global.conf"
@@ -15,6 +15,11 @@
src: "{{ role_path }}/templates/app_sketch_global.conf.j2" src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
- name: "template the zlog.conf"
template:
src: "{{ role_path }}/templates/zlog.conf.j2"
dest: /opt/tsg/app-sketch-global/conf/zlog.conf
- name: "Start emqx" - name: "Start emqx"
systemd: systemd:
name: emqx.service name: emqx.service

11
roles/app_global/templates/app_sketch_global.conf.j2
View File

@@ -1,9 +1,14 @@
[SYSTEM] [SYSTEM]
#1:print on screen, 0:don't #1:print on screen, 0:don't
DEBUG_SWITCH = 1 DEBUG_SWITCH = 1
#10:DEBUG, 20:INFO, 30:FATAL RUN_LOG_PATH = "conf/zlog.conf"
RUN_LOG_LEVEL = {{ app_sketch_global_log_level }}
RUN_LOG_PATH = ./logs [breakpad]
disable_coredump=0
enable_breakpad=1
breakpad_minidump_dir=/tmp/app-sketch-global/crashreport
enable_breakpad_upload=0
breakpad_upload_url=http://127.0.0.1/
[CONFIG] [CONFIG]
#Number of running threads #Number of running threads

12
roles/app_global/templates/zlog.conf.j2 Normal file
View File

@@ -0,0 +1,12 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./logs/error.log.%d(%F)";
*.{{ app_sketch_global_log_level }} "./logs/app_sketch_global.log.%d(%F)"

BIN
roles/certstore/files/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm
View File

Binary file not shown.

BIN
roles/certstore/files/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm Normal file
View File

Binary file not shown.

7
roles/certstore/tasks/main.yml
View File

@@ -10,7 +10,7 @@
- name: install certstore - name: install certstore
yum: yum:
name: name:
- /tmp/ansible_deploy/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm - /tmp/ansible_deploy/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm
state: present state: present
- name: template certstore configure file - name: template certstore configure file
@@ -18,6 +18,11 @@
src: "{{ role_path }}/templates/cert_store.ini.j2" src: "{{ role_path }}/templates/cert_store.ini.j2"
dest: /opt/tsg/certstore/conf/cert_store.ini dest: /opt/tsg/certstore/conf/cert_store.ini
- name: template certstore zlog file
template:
src: "{{ role_path }}/templates/zlog.conf.j2"
dest: /opt/tsg/certstore/conf/zlog.conf
- name: "start certstore" - name: "start certstore"
systemd: systemd:
name: certstore.service name: certstore.service

22
roles/certstore/templates/cert_store.ini.j2
View File

@@ -1,9 +1,15 @@
[SYSTEM] [SYSTEM]
#1:print on screen, 0:don't #1:print on screen, 0:don't
DEBUG_SWITCH = 1 DEBUG_SWITCH = 1
#10:DEBUG, 20:INFO, 30:FATAL RUN_LOG_PATH = "conf/zlog.conf"
RUN_LOG_LEVEL = {{ certstore_log_level }}
RUN_LOG_PATH = ./logs [breakpad]
disable_coredump=0
enable_breakpad=1
breakpad_minidump_dir=/tmp/certstore/crashreport
enable_breakpad_upload=0
breakpad_upload_url=http://127.0.0.1/
[CONFIG] [CONFIG]
#Number of running threads #Number of running threads
thread-nu = 4 thread-nu = 4
@@ -14,7 +20,8 @@ expire_after = 30
#Local default root certificate path #Local default root certificate path
local_debug = 1 local_debug = 1
ca_path = ./cert/tango-ca-v3-trust-ca.pem ca_path = ./cert/tango-ca-v3-trust-ca.pem
untrusted_ca_path = ./cert/mesalab-ca-untrust.pem untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
[MAAT] [MAAT]
#Configure the load mode, #Configure the load mode,
#0: using the configuration distribution network #0: using the configuration distribution network
@@ -31,18 +38,21 @@ inc_cfg_dir=./rule/inc/index
full_cfg_dir=./rule/full/index full_cfg_dir=./rule/full/index
#Json file path when json schema is used #Json file path when json schema is used
pxy_obj_keyring=./conf/pxy_obj_keyring.json pxy_obj_keyring=./conf/pxy_obj_keyring.json
[LIBEVENT] [LIBEVENT]
#Local monitor port number, default is 9991 #Local monitor port number, default is 9991
port = 9991 port = 9991
[CERTSTORE_REDIS] [CERTSTORE_REDIS]
#The Redis server IP address and port number where the certificate is stored locally #The Redis server IP address and port number where the certificate is stored locally
ip = 127.0.0.1 ip = 127.0.0.1
port = 6379 port = 6379
[MAAT_REDIS] [MAAT_REDIS]
#Maat monitors the Redsi server IP address and port number #Maat monitors the Redsi server IP address and port number
ip = {{ maat_redis_server.address }} ip = {{ maat_redis_server.address }}
port = {{ maat_redis_server.port }} port = {{ maat_redis_server.port }}
dbindex = {{ maat_redis_server.db }} dbindex = {{ maat_redis_server.db }}
[stat] [stat]
statsd_server=192.168.100.1 statsd_server=127.0.0.1
statsd_port=8126 statsd_port=58100

10
roles/certstore/templates/zlog.conf.j2 Normal file
View File

@@ -0,0 +1,10 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./logs/error.log.%d(%F)";
*.{{ certstore_log_level }} "./logs/certstore.log.%d(%F)"

BIN
roles/firewall/files/fw_ssl_plug-3.0.3.71f6bff-2.el7.x86_64.rpm Normal file
View File

Binary file not shown.

BIN
roles/tfe/files/tfe-4.3.10.fb02543-1.el7.x86_64.rpm
View File

Binary file not shown.

BIN
roles/tfe/files/tfe-4.3.11.90ac86a-1.el7.x86_64.rpm Normal file
View File

Binary file not shown.

5
roles/tfe/tasks/main.yml
View File

@@ -27,6 +27,11 @@
src: "{{ role_path }}/templates/tfe.conf.j2" src: "{{ role_path }}/templates/tfe.conf.j2"
dest: /opt/tsg/tfe/conf/tfe/tfe.conf dest: /opt/tsg/tfe/conf/tfe/tfe.conf
- name: "template the zlog.conf"
template:
src: "{{ role_path }}/templates/zlog.conf.j2"
dest: /opt/tsg/tfe/conf/tfe/zlog.conf
- name: "template the future.conf" - name: "template the future.conf"
template: template:
src: "{{ role_path }}/templates/future.conf.j2" src: "{{ role_path }}/templates/future.conf.j2"

14
roles/tfe/templates/doh.conf.j2
View File

@@ -1,27 +1,13 @@
[doh] [doh]
# default 1
enable=1 enable=1
[log]
# default 10
# RLOG_LV_DEBUG : 10
# RLOG_LV_INFO : 20
# RLOG_LV_FATAL : 30
log_level={{ doh_log_level }}
[maat] [maat]
# default TSG_OBJ_APP_ID
table_appid=TSG_OBJ_APP_ID table_appid=TSG_OBJ_APP_ID
# default TSG_SECURITY_ADDR
table_addr=TSG_SECURITY_ADDR table_addr=TSG_SECURITY_ADDR
# default TSG_FIELD_DOH_QNAME
table_qname=TSG_FIELD_DOH_QNAME table_qname=TSG_FIELD_DOH_QNAME
# default TSG_FIELD_HTTP_HOST
table_host=TSG_FIELD_DOH_HOST table_host=TSG_FIELD_DOH_HOST
[kafka] [kafka]
# default 0
ENTRANCE_ID=0 ENTRANCE_ID=0
# default 1
# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1 # if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
en_sendlog=1 en_sendlog=1

7
roles/tfe/templates/future.conf.j2
View File

@@ -1,9 +1,10 @@
[STAT] [STAT]
no_stats=0 no_stats=0
statsd_server=192.168.100.1 statsd_server=127.0.0.1
statsd_port=8100 statsd_port=58100
histogram_bins=0.50,0.80,0.9,0.95 histogram_bins=0.50,0.80,0.9,0.95
statsd_cycle=5 statsd_cycle=5
# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2 # FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
statsd_format=2 statsd_format=2
print_diff=1 # printf diff Not available
# print_diff=1

2
roles/tfe/templates/pangu_pxy.conf.j2
View File

@@ -1,5 +1,5 @@
[debug] [debug]
log_level={{ pangu_log_level }} enable_plugin=1
[log] [log]
# default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1 # default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1

26
roles/tfe/templates/tfe.conf.j2
View File

@@ -6,7 +6,7 @@ enable_kni_v2=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally # Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0 disable_coredump=0
enable_breakpad=1 enable_breakpad=1
enable_breakpad_upload=0 enable_breakpad_upload=1
breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025 breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
# must be /run/tfe/crashreportdue to tmpfile limit # must be /run/tfe/crashreportdue to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport breakpad_minidump_dir=/run/tfe/crashreport
@@ -35,8 +35,10 @@ watchdog_switch=1
watchdog_port=2476 watchdog_port=2476
[ssl] [ssl]
ssl_max_version=tls13 ssl_ja3_debug=0
ssl_min_version=ssl3 # ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
ssl_compression=1 ssl_compression=1
no_ssl2=1 no_ssl2=1
no_ssl3=0 no_ssl3=0
@@ -48,7 +50,7 @@ no_cert_verify=0
# session ticket # session ticket
no_session_ticket=0 no_session_ticket=0
stek_group_num=4 stek_group_num=4096
stek_rotation_time=3600 stek_rotation_time=3600
# session cache # session cache
@@ -68,12 +70,10 @@ service_cache_fail_time_window=30
check_cert_crl=0 check_cert_crl=0
{% if tsg_running_type == 2 %} {% if tsg_running_type == 2 %}
trusted_cert_load_local=1 trusted_cert_load_local=1
#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
{% else %} {% else %}
trusted_cert_load_local=0 trusted_cert_load_local=1
trusted_cert_file=resource/tfe/tls-ca-bundle.pem trusted_cert_file=resource/tfe/tls-ca-bundle.pem
#trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
{% endif %} {% endif %}
trusted_cert_dir=resource/tfe/trusted_storage trusted_cert_dir=resource/tfe/trusted_storage
@@ -131,21 +131,14 @@ tcp_user_timeout=600
tcp_ttl_upstream=75 tcp_ttl_upstream=75
tcp_ttl_downstream=70 tcp_ttl_downstream=70
[log]
level={{ tfe_log_level }}
location=log/tfe.log
[stat] [stat]
statsd_server=192.168.100.1 statsd_server=127.0.0.1
statsd_port=8100 statsd_port=58100
statsd_cycle=5 statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE # 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2 statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95 histogram_bins=0.5,0.8,0.9,0.95
[http]
loglevel={{ tfe_http_log_level }}
[traffic_mirror] [traffic_mirror]
{% if tsg_running_type != 2 %} {% if tsg_running_type != 2 %}
enable={{ tfe.mirror_enable }} enable={{ tfe.mirror_enable }}
@@ -159,7 +152,6 @@ device={{ nic_traffic_mirror.name }}
type=1 type=1
{% endif %} {% endif %}
[kafka] [kafka]
enable=1 enable=1
NIC_NAME={{ nic_mgr.name }} NIC_NAME={{ nic_mgr.name }}

20
roles/tfe/templates/zlog.conf.j2 Normal file
View File

@@ -0,0 +1,20 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./log/error.log.%d(%F)";
tfe.{{ tfe_log_level }} "./log/tfe.log.%d(%F)";
http.{{ tfe_http_log_level }} "./log/http.log.%d(%F)";
http2.{{ tfe_http_log_level }} "./log/http2.log.%d(%F)";
doh.{{ doh_log_level }} "./log/doh_pxy.log.%d(%F)";
pangu.{{ pangu_log_level }} "./log/pangu_pxy.log.%d(%F)";