Source: https://twitter.com/54110yu/status/1344885443154694144
Enabling DHE cipher on nginx (for IE 11 compatibility)
# generated 2020-10-27, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.0.2k, intermediate configuration, no HSTS, no OCSP # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.0.2k&hsts=false&ocsp=false&guideline=5.6 ssl_dhparam /path/to/dhparam; # intermediate configuration ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; }
To add support on IE 11 on Windows 7 / 8.1, add the following ciphers to the ssl_ciphers list.
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
Realize that dhparam is a must for nginx to enable DHE Cipher, oopsie…
Foward traffic (filter by source ip and dst port) to other public ip
Check it on Gist: https://gist.github.com/richardevs/355d24b25f6c19b698b7134504843dc6
# run all these on the bastion vm # iptables can not directly route traffic to public ip ( in my test ) # so I insert a socat here to help get the job done iptables -t nat -F # flush all the current NAT rule ( be careful ) iptables -t nat -A PREROUTING -s 1.1.1.1 -p tcp --dport 443 -j DNAT --to-destination :4433 # all traffic to port 443 from 1.1.1.1 get routed to port 4433 iptables -t nat -A POSTROUTING -j MASQUERADE # let iptables do the NAT work iptables -t nat -nL # double check if iptables are correctly showing the rules nohup socat TCP4-LISTEN:4433,reuseaddr,fork TCP4:2.2.2.2:443 & # use socat to forward traffic to final destination, in the demo here, 2.2.2.2:443
【GPG Key Rotation Notice】
– 330CDE83C3337CEADA44CE70BB180B9415CDC81B 已停止使用並遞交 Revoke
– Superseeded by 8C095E600D83C696586E0BAAF41C815ACDD22938
– 新舊 Key 之間存在相互簽名
– Keybase 情報已同步更新
– 新 Key 主要使用 SubKey 進行簽名,SubKey 四年有效期,MasterKey 永久有效
– 330CDE83C3337CEADA44CE70BB180B9415CDC81B has ceased operation and revoked
– Superseeded by 8C095E600D83C696586E0BAAF41C815ACDD22938
– They are cross-signed
– Keybase has all the updated information
– Future operations will mainly be using the SubKey with 4-year validity, while MasterKey never expires
HTTP/2 Flow Control
Uploading objects to S3 using one-time pre signed URLs
Python Nested Dictionary
> Just a memo.
nested_dict = {"text": "title", "attachments": [{"text": value} for value in dict ]}
The Illustrated TLS Connection
Every byte of a TLS connection explained and reproduced.
最近感覺被掃描,TCP 通信模式固定如下:
SYN -> PUSH -> FIN
跟正常的通信比對後,發現正常的通信會在所有 TCP 包中帶上 OPTIONS,而不會像這裡一樣只有 SYN 包加了 OPTIONS,而且這個 OPTIONS 值永遠不變。不知道能不能拿這個 OPTIONS 做攔截參數。
Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0
A Fast Analysis of TCP Fast Open
I find this article best describes all the advantages and possible disadvantages of TFO. Such as what if cookie expires, what if server stop supporting TFO.