海运的博客

虽然dnsmasq自带参数min-cache-ttl可修改服务器缓存最小值，但是首次请求返回给客户端的时正常ttl，使用以下patch可修改返回给客户端ttl时间，配合min-cache-ttl保持和dnsmasq缓存ttl时间一致，dnsmasq不开启缓存可单独修改min ttl。
适用于dnsmasq2.80版本，

diff -urN dnsmasq-2.80/src/dnsmasq.h dnsmasq-2.80-bak/src/dnsmasq.h
--- dnsmasq-2.80/src/dnsmasq.h  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/dnsmasq.h      2020-01-13 10:38:16.940067371 +0800
@@ -1023,7 +1023,7 @@
   int max_logs;  /* queue limit */
   int cachesize, ftabsize;
   int port, query_port, min_port, max_port;
-  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
+  unsigned long local_ttl, neg_ttl, min_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
   char *dns_client_id;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp, *dhcp6;
diff -urN dnsmasq-2.80/src/option.c dnsmasq-2.80-bak/src/option.c
--- dnsmasq-2.80/src/option.c   2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/option.c       2020-01-13 17:21:13.925164926 +0800
@@ -106,6 +106,7 @@
 #define LOPT_PROXY         295
 #define LOPT_GEN_NAMES     296
 #define LOPT_MAXTTL        297
+#define LOPT_MINTTL        397
 #define LOPT_NO_REBIND     298
 #define LOPT_LOC_REBND     299
 #define LOPT_ADD_MAC       300
@@ -281,6 +282,7 @@
     { "dhcp-broadcast", 2, 0, LOPT_BROADCAST },
     { "neg-ttl", 1, 0, LOPT_NEGTTL },
     { "max-ttl", 1, 0, LOPT_MAXTTL },
+    { "min-ttl", 1, 0, LOPT_MINTTL },
     { "min-cache-ttl", 1, 0, LOPT_MINCTTL },
     { "max-cache-ttl", 1, 0, LOPT_MAXCTTL },
     { "dhcp-alternate-port", 2, 0, LOPT_ALTPORT },
@@ -409,6 +411,7 @@
   { 'T', ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for replies from /etc/hosts."), NULL },
   { LOPT_NEGTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for negative caching."), NULL },
   { LOPT_MAXTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for maximum TTL to send to clients."), NULL },
+  { LOPT_MINTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for minimum TTL to send to clients."), NULL },
   { LOPT_MAXCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live ceiling for cache."), NULL },
   { LOPT_MINCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live floor for cache."), NULL },
   { 'u', ARG_ONE, "<username>", gettext_noop("Change to this user after startup. (defaults to %s)."), CHUSER }, 
@@ -2664,6 +2667,7 @@
     case 'T':         /* --local-ttl */
     case LOPT_NEGTTL: /* --neg-ttl */
     case LOPT_MAXTTL: /* --max-ttl */
+    case LOPT_MINTTL: /* --min-ttl */
     case LOPT_MINCTTL: /* --min-cache-ttl */
     case LOPT_MAXCTTL: /* --max-cache-ttl */
     case LOPT_AUTHTTL: /* --auth-ttl */
@@ -2676,6 +2680,8 @@
          daemon->neg_ttl = (unsigned long)ttl;
        else if (option == LOPT_MAXTTL)
          daemon->max_ttl = (unsigned long)ttl;
+       else if (option == LOPT_MINTTL)
+         daemon->min_ttl = (unsigned long)ttl;
        else if (option == LOPT_MINCTTL)
          {
            if (ttl > TTL_FLOOR_LIMIT)
diff -urN dnsmasq-2.80/src/rfc1035.c dnsmasq-2.80-bak/src/rfc1035.c
--- dnsmasq-2.80/src/rfc1035.c  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/rfc1035.c      2020-01-13 17:12:25.455445871 +0800
@@ -669,11 +669,20 @@
                  GETSHORT(aqtype, p1); 
                  GETSHORT(aqclass, p1);
                  GETLONG(attl, p1);
+                  unsigned long mttl = 0;
                  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
                    {
-                     (p1) -= 4;
-                     PUTLONG(daemon->max_ttl, p1);
+                      mttl = daemon->max_ttl;
+                   }
+                 if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+                   {
+                      mttl = daemon->min_ttl;
                    }
+                  if (mttl != 0)
+                  {
+                     (p1) -= 4;
+                     PUTLONG(mttl, p1);
+                  }
                  GETSHORT(ardlen, p1);
                  endrr = p1+ardlen;
                  
@@ -762,11 +771,20 @@
              GETSHORT(aqtype, p1); 
              GETSHORT(aqclass, p1);
              GETLONG(attl, p1);
+              unsigned long mttl = 0;
              if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
-               {
-                 (p1) -= 4;
-                 PUTLONG(daemon->max_ttl, p1);
-               }
+               {
+                  mttl = daemon->max_ttl;
+               }
+             if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+               {
+                  mttl = daemon->min_ttl;
+               }
+              if (mttl != 0)
+              {
+                 (p1) -= 4;
+                 PUTLONG(mttl, p1);
+              }
              GETSHORT(ardlen, p1);
              endrr = p1+ardlen;
              

获取网站公钥：

openssl s_client -connect www.haiyun.me:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > www.haiyun.me.cer

获取签发者公钥，第一个为网站公钥，和上面获取的一样，等同于acme申请的免费ssl证书www.haiyun.me.cer，第二个为签发者公钥，两者合并等同于acme生成的fullchain.cer文件。

openssl s_client -connect www.haiyun.me:443 -showcerts 2>&1 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){num++}; out="haiyun.me."num".cer"; print > out}'
#openssl s_client -showcerts -connect www.wikipedia.org:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p' | sed -n '/^-----END CERTIFICATE-----/,$ p' | sed 1d > chain.pem

查看网站证书验证ocsp的网址：

openssl x509 -noout -ocsp_uri -in haiyun.me.1.cer 

ocsp验证：

openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org --text

生成haproxy可用的ocsp文件：

openssl ocsp -noverify -no_nonce -issuer haiyun.me.2.cer -cert haiyun.me.1.cer -url http://ocsp.int-x3.letsencrypt.org -respout haproxy.ocsp

通过haproxy管理sock更新ocsp：

echo "set ssl ocsp-response `base64 -w 0 haproxy.ocsp`"|socat stdio /var/run/haproxy.sock  

如果提示以下错误:

OCSP single response: Certificate ID does not match any certificate or issuer.

因为haproxy有配置多个域名ssl证书，需先让haproxy加载ocsp文件再使用sock更新，将ocsp文件保存到haproxy配置的证书目录，名字更改为证书名ocsp，重新启动haproxy则自动加载ocsp文件。
如haproxy使用acme申请的Let’s Encrypt ecc免费证书：

cat fullchain.cer www.haiyun.me.key > www.haiyun.me.pem
mv haproxy.ocsp www.haiyun.me.pem.ocsp

haproxy配置：

bind :443 allow-0rtt ssl crt www.haiyun.me_ecc/www.haiyun.pem alpn http/1.1,h2

使用openssl验证网站配置的ocsp是否生效：

openssl s_client -connect www.haiyun.me:443 -status -tlsextdebug < /dev/null 2>&1 | sed -n '/OCSP Response Data:/,/======/p'

https://github.com/pierky/haproxy-ocsp-stapling-updater
https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html

首先服务器和客户端都开启tcp fast open：

net.ipv4.tcp_fastopen = 3

使用curl开启tfo测试：

curl --tcp-fastopen https://www.haiyun.me/
#httping -F https://www.haiyun.me/

nginx开启tfo：

listen 80 fastopen=256

使用tcpdump监听数据发现：
第一次请求时客户端syn携带cookiereq，服务器如果支持tfo则返回tfo cookie：

Flags [S], options [mss 1460,sackOK,TS val 4250936141 ecr 0,nop,wscale 6,exp-tfo cookiereq], length 0
Flags [S.], options [mss 1460,sackOK,TS val 2764503812 ecr 4250936141,nop,wscale 11,exp-tfo cookie f6aecea49990ea33], length 0

后续再请求时会在syn带上tfo cookie和请求数据：

Flags [S], options [mss 1460,sackOK,TS val 4250944477 ecr 0,nop,wscale 6,exp-tfo cookie f6aecea49990ea33], length 77: HTTP: GET / HTTP/1.1

以上都配置了如果客户端syn数据包未带tfo cookiereq，则可能因为丢包或防火墙原因返回了正常模式，修改以下再测试：

net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0