Pangnet.net
Reference for past research
Jan 24 2023
Compiling a Custom Kernel
- Update FreeBSD to the latest patch level
freebsd-update fetch
freebsd-update install
- Install git
pkg install git
- Update the source tree
git clone -o freebsd https://git.FreeBSD.org/src.git /usr/src
cd /usr/src
git checkout stable/13
- Prepare the custom kernel config file
mkdir /root/kernels
cd /usr/src/sys/amd64/conf
cp GENERIC /root/kernels/MYKERNEL
ln -s /root/kernels/MYKERNEL
- Add or remove options in the MYKERNEL file
- Compile and install MYKERNEL, then reboot
cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
reboot
- Check that MYKERNEL is installed correctly
uname -a
If everything went right, the output shows MYKERNEL.
Jan 02 2023
Configuring Unbound for the whole network
- Install and configure unbound as usual. For a basic remote resolver setup, see "unbound remote resolver setup".
- Install bgpq4
- Generate the prefix-list filter for your AS or AS-SET
bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
- Edit unbound.conf and, under server:, add
include: /usr/local/etc/unbound/prefix.txt
- Set up a cron job to update the prefix list and restart unbound periodically
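The cron job in the last step is the fragile part: if whois.radb.net is unreachable, bgpq4 writes an empty prefix.txt and the restart leaves unbound refusing every client (its default access-control is refuse). The script below is an added example, not from the original notes, that validates the generated file and the whole configuration before touching the running resolver; the paths follow the notes and AS_SET is a placeholder for your AS or AS-SET.

```shell
#!/bin/sh
# Added example, not from the original notes: refresh the bgpq4-generated
# access-control list for unbound from cron without ever leaving a broken or
# empty include in place. Paths follow the notes; AS_SET is a placeholder.
PREFIX_FILE=/usr/local/etc/unbound/prefix.txt
AS_SET="AS-SET"        # placeholder: your AS number or AS-SET

# Accept the file only if it is non-empty and every line is exactly
# "access-control: a.b.c.d/len allow"; an unreachable whois server yields an
# empty file, which would otherwise silently drop access for every client.
validate_prefix_file() {
    [ -s "$1" ] || return 1
    ! grep -Evq '^access-control: ([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2} allow$' "$1"
}

# Generate into a temp file, validate, swap in, check the full config, restart.
# On any failure the previous prefix file is restored and unbound is untouched.
refresh_prefixes() {
    tmp=$(mktemp "$PREFIX_FILE.XXXXXX") || return 1
    if ! bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' "$AS_SET" > "$tmp" \
       || ! validate_prefix_file "$tmp"; then
        echo "bgpq4 output rejected; keeping $PREFIX_FILE" >&2
        rm -f "$tmp"; return 1
    fi
    [ -f "$PREFIX_FILE" ] && cp -p "$PREFIX_FILE" "$PREFIX_FILE.bak"
    mv "$tmp" "$PREFIX_FILE"
    if ! unbound-checkconf >/dev/null 2>&1; then
        echo "unbound-checkconf failed; restoring previous list" >&2
        [ -f "$PREFIX_FILE.bak" ] && mv "$PREFIX_FILE.bak" "$PREFIX_FILE"
        return 1
    fi
    service unbound restart    # as in the notes; "reload" works if remote-control is enabled
}

# Run from cron, e.g. daily:  0 4 * * * /usr/local/sbin/refresh_prefixes.sh run
if [ "${1:-}" = run ]; then refresh_prefixes; fi
```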
CloudFlare: Add a new domain (DNS only)
- Log in to the CloudFlare account and click "Add a Site"
- Enter the domain name and click "Add Site"
- Select "Free", then click "Continue"
- Wait for the "Quick Scan" to finish
- Delete the DNS records that are not needed, confirm the remaining DNS records are correct, and turn off the proxy status. Then click "Continue"
Note the DNS record with "*": it stands for all subdomains.
- Record the CloudFlare "nameservers". Then click "Done, check nameservers"
- Click "Finish later"
Dec 14 2022
Drupal Update with Drush
All commands are run from the Drupal installation directory (cd there first).
1. Back up Drupal
drush archive-dump
2. Check for Drupal updates and get the list of modules that have an update
drush ups
3. Set the Drupal website to maintenance mode
drush sset system.maintenance_mode 1
4. Clear the Drupal cache
drush cr
5. Update Drupal and press "Y" when asked
drush up drupal
6. Update the Drupal database
drush updb
7. Update the Drupal modules
drush up XXXX XXXX
where XXXX is the module name (the string inside the brackets in step 2)
8. Set the Drupal website back to live mode
drush sset system.maintenance_mode 0
9. Clear the Drupal cache again
drush cr
Dec 14 2022
Running a Custom PHP Script within the Drupal Directory
By default, Drupal does not allow any other PHP script inside the Drupal directory to run; anyone requesting such a script gets "403 Forbidden".
To bypass this constraint, we need to add two lines to .htaccess, which is in the Drupal root directory.
1. Open .htaccess with a text editor
2. Find the section below:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
Before the RewriteRule, add
RewriteCond %{REQUEST_URI} !script
where "script" is the directory name or file name of your custom PHP script.
3. Find the section below:
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]
Before the RewriteRule, add
RewriteCond %{REQUEST_URI} !script
where "script" is the directory name or file name of your custom PHP script.
4. Save the file and exit.
5. You will need to add the lines back every time you upgrade Drupal.
What do the changes mean?
A RewriteCond is a condition that must hold for the following RewriteRule to execute.
So, by adding "RewriteCond %{REQUEST_URI} !script", we add a condition that tells the web server to skip the rule whenever the URI contains the word "script". The "script" directory or file is therefore no longer handled by Drupal.
See how it works:
https://worria.com/script/trace.php
(not Drupal anymore)
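The pattern in that condition is an unanchored substring match, and the step 3 rule it disables is the one that stops .php files outside core from executing, so it pays to see exactly which requests escape it. The shell function below is an added example, not from the notes or from Drupal, that models the two edited blocks for one request and lets the notes' `!script` be compared with an anchored pattern such as `!^/script/`; the third argument stands in for the `!-f`/`!-d` existence checks.

```shell
#!/bin/sh
# Added example (not from the notes or from Drupal): model what the two edited
# .htaccess blocks do with one request. Apache fires a RewriteRule only when
# every RewriteCond above it holds, and the inserted "RewriteCond %{REQUEST_URI}
# !EXCLUDE" fails whenever EXCLUDE matches the URI, so both rules are then skipped.
# The third argument (yes/no) stands in for the "!-f" / "!-d" existence checks.

# Extended-regex match helper: succeeds when pattern $2 matches string $1.
m() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Print the URI's fate: forbidden (the "- [F]" rule), index.php (front
# controller) or direct (Apache serves the path itself, so a .php file runs).
htaccess_outcome() {
    uri="$1"; exclude="$2"; exists="$3"
    rel="${uri#/}"    # per-directory RewriteRule patterns see the path without the leading slash
    if m "$uri" "$exclude"; then echo direct; return; fi    # both rules skipped
    # Block from step 3: forbid every .php outside the whitelisted core paths
    if ! m "$uri" '/core/[^/]*\.php$' \
       && ! m "$uri" '/core/modules/system/tests/https?.php' \
       && ! m "$uri" '/core/modules/statistics/statistics.php$' \
       && m "$rel" '^(.+/.*|autoload)\.php($|/)'; then
        echo forbidden; return
    fi
    # Block from step 2: anything that does not exist on disk goes to index.php
    if [ "$exists" = no ] && [ "$uri" != /favicon.ico ]; then echo index.php; return; fi
    echo direct
}

# Compare the notes' "!script" with an anchored "!^/script/" on three requests:
# the author's script, a stray .php under the public files directory, and a
# normal content path that merely contains the substring "script".
demo() {
    for uri in /script/trace.php /sites/default/files/scripts/x.php /node/javascript-basics; do
        case $uri in *.php) ex=yes ;; *) ex=no ;; esac
        printf '%-40s !script: %-9s !^/script/: %s\n' "$uri" \
            "$(htaccess_outcome "$uri" script "$ex")" "$(htaccess_outcome "$uri" '^/script/' "$ex")"
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

With the anchored pattern the author's /script/trace.php is still served directly, while the stray .php stays forbidden and /node/javascript-basics still reaches index.php.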
Dec 14 2022
Cacti: some graphs randomly have no data
Symptom:
Some graphs randomly show gaps with no data.
Cause:
The data collector reaches its maximum run time (the polling interval); the remaining SNMP data is not collected.
Solution:
1. Use spine instead of cmd.php
2. Increase the "Processes" and "Threads" settings under "Data Collection" --> "Data Collectors"
Recommended settings:
"Processes" = 2 * number of cores available
"Threads" = 10 - 15
Dec 14 2022
Common Fastnetmon Commands
Command | Description |
commit | Apply (commit) the pending changes |
show hostgroup <name> | List hostgroup <name>; with no <name>, list all hostgroups |
set hostgroup <name> ban_for_bandwidth <enable/disable> | Enable or disable IP blackholing for hostgroup <name> |
set hostgroup <name> networks <XXX.XXX.XXX.0/XX> | Add an IP prefix to hostgroup <name> |
set hostgroup <name> threshold XXX | Set the bandwidth threshold for hostgroup <name> |
show blackhole <XXX.XXX.XXX.XXX> | List blackhole <XXX.XXX.XXX.XXX>; with no IP, list all blackholed IPs |
set blackhole <XXX.XXX.XXX.XXX> | Manually add a blackholed IP |
delete blackhole <ID-string> | Delete a blackhole by its ID; the ID is shown by "show blackhole" |
show ip_hostgroup <XXX.XXX.XXX.XXX> | Find the hostgroup the IP belongs to |
set bgp <bgp_name> | Add a new BGP connection; it can advertise blackholes and also receive routes. Configure it with the commands below |
set bgp <bgp_name> local_asn <XXXXX> | Local AS number |
set bgp <bgp_name> remote_as <XXXXX> | Remote AS number |
set bgp <bgp_name> local_address <XXXXX> | Local address of the session |
set bgp <bgp_name> remote_address <XXXXX> | Address of the BGP peer |
set bgp <bgp_name> multihop <enable/disable> | Enable or disable multihop |
set bgp <bgp_name> ipv4_unicast <enable/disable> | Enable or disable the IPv4 unicast address family |
set bgp <bgp_name> active <enable/disable> | Activate or deactivate the session |
Dec 14 2022
Using FreeRadius for Supermicro IPMI
1. Create a new FreeRadius virtual site for the Supermicro IPMI (without enabling SQL support)
2. Edit /usr/local/etc/raddb/dictionary and add a new attribute
ATTRIBUTE IPMI-radius 26 octets
3. Edit /usr/local/etc/raddb/policy.d/foo and add
foo {
    update reply {
        # Vendor-Specific = "H=4"
        &Attr-26 = 0x483D34
    }
}
0x483D34 is the hex encoding of the string "H=4".
If you need another permission level (e.g. H=3), change the string to its hex encoding.
4. Edit /usr/local/etc/raddb/users and add the following user (the reply attribute must be on an indented continuation line)
ipmiAdmin Cleartext-Password := "Any-password"
    IPMI-radius += "0x483d34"
You can replace ipmiAdmin with another username and change the authorization type.
5. Restart FreeRadius
6. Log in to the Supermicro IPMI and enable RADIUS support.
Dec 14 2022
Install OpenVPN on a FreeBSD system
- Update the ports collection
portsnap fetch update
If it is the first time:
portsnap fetch extract
- Install OpenSSL
cd /usr/ports/security/openssl
make install clean
- Edit /etc/make.conf and add
DEFAULT_VERSIONS+=ssl=openssl
- Install OpenVPN and easy-rsa
cd /usr/ports/security/easy-rsa
make install clean
cd /usr/ports/security/openvpn
make install clean
- Create the configuration directory and copy the sample configuration file
mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir /usr/local/etc/openvpn/server
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
- Edit /usr/local/etc/openvpn/easy-rsa/vars and set your information for the certificates
set_var EASYRSA_REQ_COUNTRY "HK"
set_var EASYRSA_REQ_PROVINCE "Kowloon"
set_var EASYRSA_REQ_CITY "San Po Kong"
set_var EASYRSA_REQ_ORG "Laws Cloud Infrastructure Limited"
set_var EASYRSA_REQ_EMAIL "demo@example.com"
set_var EASYRSA_REQ_OU "VPN Department"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
- Initialize the PKI
cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki
- Build the CA certificate, the keys and the certificate files
sh ./easyrsa.real build-ca
sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass
sh ./easyrsa.real gen-dh
openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
- Edit /usr/local/etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 192.168.101.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client
- Create the log directory
mkdir /var/log/openvpn/
- Edit /etc/rc.conf and enable OpenVPN
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"
Note: em1 is the outgoing network adapter. If you are not sure, check the line that binds your IP, e.g.
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
The network adapter name is the string after ifconfig_ (and before =).
- Set up the client ovpn profile
client
tls-client
pull
dev tun
proto udp
remote IP-address-of-your-VPN 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
compress
verb 3
auth SHA512
remote-cert-tls server
<ca>
content of /usr/local/etc/openvpn/server/ca.crt
</ca>
<cert>
content of /usr/local/etc/openvpn/server/issued/client.crt
</cert>
<key>
content of /usr/local/etc/openvpn/server/private/client.key
</key>
<tls-auth>
content of /usr/local/etc/openvpn/server/ta.key
</tls-auth>
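Pasting the four "content of ..." sections by hand is where client profiles usually go wrong (a truncated key or a swapped file). The script below is an added example, not part of the original notes, that assembles the profile above from the server-side files the earlier steps created and refuses to emit anything if one of them is missing or empty. It assumes the directory layout from the notes and takes the client certificate name and the VPN address as arguments.

```shell
#!/bin/sh
# Added example, not from the original notes: assemble the inline client
# profile from the server-side PKI files the notes create. Layout assumed as in
# the notes (ca.crt, issued/<name>.crt, private/<name>.key, ta.key under PKI_DIR).
PKI_DIR=/usr/local/etc/openvpn/server

# build_client_profile NAME VPN-ADDRESS [PKI-DIR]  -> profile on stdout.
# Refuses (exit 1) when any of the four files is missing or empty, so an
# incomplete profile is never handed out.
build_client_profile() {
    name="$1"; remote="$2"; dir="${3:-$PKI_DIR}"
    for f in "$dir/ca.crt" "$dir/issued/$name.crt" "$dir/private/$name.key" "$dir/ta.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    cat <<EOF
client
tls-client
pull
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
compress
verb 3
auth SHA512
remote-cert-tls server
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/issued/$name.crt")
</cert>
<key>
$(cat "$dir/private/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}

if [ $# -ge 2 ]; then build_client_profile "$@"; fi
```

With the key inline, the separate "tls-auth ta.key 1" line is not needed; key-direction 1 covers it.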
Optional: enable RADIUS authentication
- Install the OpenVPN RADIUS plugin
cd /usr/ports/security/openvpn-auth-radius
make install clean
- Copy the sample plugin configuration to the OpenVPN configuration directory
cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
- Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set it to
OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
At the bottom, find "server {" and change the ports, the address and the shared secret to
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=IP-or-hostname.of.your.radius
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=secret-phase-for-free-radius
}
- Edit the OpenVPN config file (server.conf) and add the following at the end of the file
plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf
- Edit the client ovpn file and add the following line
auth-user-pass
Dec 14 2022
FreeRadius: enable a virtual site with SQL
1. Create a MySQL/PostgreSQL database and user
2. Import the FreeRadius database schema from
/usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
or
/usr/local/etc/raddb/mods-config/sql/main/postgresql/schema.sql
3. Edit the sql module configuration file and fill in the database details
/usr/local/etc/raddb/mods-enabled/sql
server = "hostname-here"
port = 3306
login = "database-login-here"
password = "password-here"
radius_db = "database-name-here"
4. If there is more than one database (for different applications), copy the whole section, add an instance name and change the database details:
sql {
to
sql instance1 {
5. Copy the "default" site configuration file to "virtual1" (or any name)
6. Edit the "virtual1" file and make the following changes
- Change the virtual site name:
server default {
to
server virtual1 {
- Change the port number
port = 55555
- Enable sql: find the following line
# sql
and change it to
instance1
"instance1" is the sql instance name added in step 4
7. Add a client for this virtual host in /usr/local/etc/raddb/clients.conf
client your-device {
    ipaddr = 192.168.0.0/24
    secret = secretPhrase
    virtual_server = virtual1
}
your-device is the profile name
ipaddr is the IP address (or IP address range) of your device(s). If there is more than one, separate them with "|"
secret is the passphrase the device uses to access the radius service
virtual_server is the virtual site name used in step 5.
8. Add a user to the database
insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
9. Restart radiusd