Tested on
FreeBSD 11
Zabbix 3.4
script /usr/local/etc/zabbix34/zabbix/externalscripts/sslinfo.sh :
#/bin/sh
expire_date=$(echo QUIT | timeout 3 openssl s_client -host "$NAME" -port "$PORT" -servername "$NAME" -showcerts /dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p')
if [ -n "$expire_date" ]; then
expire_date_unix=$(date -j -f "%b %d %T %Y %Z" "$expire_date" '+%s')
else
expire_date_unix=0
fi
date_current=$(date "+%s")
secs_left=$(( $expire_date_unix-$date_current ))
days_left=$(date -j -f "%s" "$secs_left" '+%d' )
echo $days_left
Next go to zabbix, create new item:
name: "SSL cert example.com"
type: external check
key: sslinfo.sh[example.com]
Чтобы впн переподключался после разрыва соединения:
nmcli connection modify <Your VPN connection name> vpn.persistent yes
Взято отсюда:
https://askubuntu.com/questions/679059/auto-reconnect-to-vpn-on-disconnect
Allow winbox from inet:
/ip firewall filter add chain=input protocol=tcp dst-port=8291 disabled=no action=accept place-before 0
move rule:
/ip firewall filter> move 14 destination=1
Port forwarding:
ip firewall nat add action=netmap chain=dstnat to-addresses=<server_dmz_address> to-ports=443 protocol=tcp in-interface=ether1 dst-port=443
NAT:
chain=srcnat action=masquerade src-address=192.168.1.0/24 log=no
Terminal upgrade (ssh/telnet):
system package update check-for-updates
system package update print
system package update download
system reboot
Backup/restore + script + scheduler
Based on https://www.technotrade.com.ua/Articles/beckup_config_mikrotik.php
System - script - add
:log info "Starting Backup Script...";
:local sysname [/system identity get name];
:local sysver [/system package get system version];
:log info "Flushing DNS cache...";
/ip dns cache flush;
:delay 2;
:log info "Deleting last Backups...";
:foreach i in=[/file find] do={:if ([:typeof [:find [/file get $i name] "$sysname-backup-"]]!="nil") do={/file remove $i}};
:delay 2;
:local smtpserv [:resolve "supermailserver.com"];
:local smtpport "superport";
:local Eaccount "superЭтот адрес электронной почты защищён от спам-ботов. У вас должен быть включен JavaScript для просмотра. ";
:local From "<deviceЭтот адрес электронной почты защищён от спам-ботов. У вас должен быть включен JavaScript для просмотра. >";
:local backupfile ("$sysname-backup-" . \
[:pick [/system clock get date] 7 11] . \
[:pick [/system clock get date] 0 3] . \
[:pick [/system clock get date] 4 6] . ".backup");
:log info "Creating new Full Backup file...";
/system backup save name=$backupfile;
:delay 2;
:log info "Sending Full Backup file via E-mail...";
/tool e-mail send from=$From to=$Eaccount server=$smtpserv \
port=$smtpport start-tls=no file=$backupfile \
subject=("$sysname Full Backup (" . [/system clock get date] . ")") \
body=("$sysname full Backup file see in attachment.\nRouterOS version: $sysver \
Time and Date stamp: " . [/system clock get time] . " " . \
[/system clock get date]);
:local exportfile ("$sysname-backup-" . \
[:pick [/system clock get date] 7 11] . \
[:pick [/system clock get date] 0 3] . \
[:pick [/system clock get date] 4 6] . ".rsc");
:log info "Creating new Setup Script file...";
/export verbose file=$exportfile;
:delay 2;
:log info "Sending Setup Script file via E-mail...";
/tool e-mail send from=$Form to=$Eaccount server=$smtpserv \
port=$smtpport start-tls=no file=$exportfile \
subject=("$sysname Setup Script Backup (" . [/system clock get date] . ")") \
body=("$sysname Setup Script file see in attachment.\nRouterOS version: $sysver\nTime and Date stamp: " . \
[/system clock get time] ." ". [/system clock get date]);
:delay 5;
:log info "All System Backups emailed successfully.Backup completed.";
/system scheduler add interval=1d name=backup_schedule on-event=backup_to_email start-date=apr/20/2019 start-time=03:12:50
https://wiki.mikrotik.com/wiki/Automated_Backups
Vlan useful links:
check-gateway=ping for dhcp default route:
1. set distance = 105
2. add a script in dhcp client config:
/ip route set [find where distance="105"] check-gateway=ping
Written with help of this:
https://stackoverflow.com/questions/34189199/how-do-i-use-let-s-encrypt-with-gitlab
which is based on
https://webnugget.de/setting-up-gitlab-with-free-ssl-certs-from-lets-encrypt-on-ubuntu-14-04/
one more reference:
Done on Ubuntu, assumed gitlab and certbot installed.
- Create the folder /var/www/letsencrypt
and use this directory as webroot-path
for Let's Encrypt
- Use the webroot
authenticator for Let's Encrypt (certbot -a webroot ...)
- Change the following config values in /etc/gitlab/gitlab.rb
and run gitlab-ctl reconfigure
after that:
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
If you are using Mattermost which is shipped with the Omnibus package then you can additionally set these options in /etc/gitlab/gitlab.rb
:
mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
After requesting your first certificate remember to change the external_url
to https://...
and again run gitlab-ctl reconfigure
P.S
Letsencrypt integration introduced in GitLab version 10.5 and disabled by default. Enabled by default in GitLab version 10.7 and later if external_url
is set with the https protocol and no certificates are configured.
To find out gitlabversion: You should be logged in to access the following page: https://your.domain.name/help