Skip to content

nginx强制使用https访问的多种方法(http跳转到https)

nginx强制使用https访问的多种方法(http跳转到https)

先说明一下HTTP跳转的状态码

301 Moved Permanently:该方式将所有的 HTTP 请求重定向到 HTTPS 上,并且该重定向是永久性的。客户端在收到 301 响应后,会自动将 HTTP 请求转为 GET 请求,同时将请求地址修改为重定向后的地址。这意味着,如果原始请求是 POST 请求,那么 301 重定向会将其转变为 GET 请求。此外,浏览器会缓存 301 响应,下一次请求时会直接跳转到 HTTPS 上。

302 Found / 303 See Other:这两种方式将所有的 HTTP 请求临时性地重定向到 HTTPS 上。302 Found 的响应会将请求方法保持不变,同时将请求地址修改为重定向后的地址。而 303 See Other 则会将所有请求方法转变为 GET 方法,并将请求地址修改为重定向后的地址。这两种方式都不会缓存响应,下一次请求时会再次发起请求。

307 Temporary Redirect:该方式将所有的 HTTP 请求临时性地重定向到 HTTPS 上,并且会保留原始的请求方法。这意味着,如果原始请求是 POST 请求,那么重定向后的请求仍然是 POST 请求。同时,请求地址也会被修改为重定向后的地址。与 302 Found 类似,307 Temporary Redirect 不会缓存响应,下一次请求时会再次发起请求。

308 Permanent Redirect:该方式将所有的 HTTP 请求重定向到 HTTPS 上,并且该重定向是永久性的。客户端在收到 308 响应后,会自动将 HTTP 请求转为与原始请求方法相同的请求方法,同时将请求地址修改为重定向后的地址。与 301 Moved Permanently 不同的是,308 Permanent Redirect 不会允许浏览器将 POST 请求重定向到新地址。308 响应也会被缓存,下一次请求时会直接跳转到 HTTPS 上。

497 normal request was sent to HTTPS:(HTTP到HTTPS(Nginx))Nginx内置的代码,被用于原始的HTTP的请求发送给HTTPS端口去分辨4XX在日志中和一个错误页面的重定向

推荐使用return 307 跳转码,百度、亚马逊等也是使用307跳转。

方式一:
返回 301 错误,并跳转到 https 地址


server{
        listen 80;
        listen 443 ssl;
        server_name  blog.c1gstudio.com;
        set $sslflag 0;
        if ($ssl_protocol = '') {
            set $sslflag "${sslflag}1";
        }
        if ($sslflag = "01") {
            return 301 https://$server_name$request_uri;
        }
}

方式二:
当 nginx 配置的站点只允许 https 访问时,我们却使用 http 去访问,此时 nginx 会报出 497 错误码。
我们就可以利用 error_page 命令将 497 状态码的链接重定向到 https


server{
        listen 80;
        listen 443 ssl;
        server_name  blog.c1gstudio.com;
        error_page 497 https://$server_name$request_uri;
}

方式三:
使用参数标记,只跳转一次https。
将 http 请求重写到 https 地址,并带上?https=Y参数.
PURGE方式不进行跳转


server{
        listen 80;
        listen 443 ssl;
        server_name  blog.c1gstudio.com;
        set $sslflag 0;
        if ($server_port = 80) {
            set $sslflag "${sslflag}1";
        }
        if ( $request_method = "PURGE") {
            set $sslflag "${sslflag}2";
        }
        if ($arg_sslsign ) {
            set $sslflag "${sslflag}4";
        }
        set $ssljumpparam "?https=Y";
        if ($is_args = '?'){
            set $ssljumpparam "&https=Y";
        }
        if ($sslflag = "01") {
            rewrite ^(.*)$ https://$host$uri$is_args$query_string$ssljumpparam? redirect;
        }  
}

方式四:
当post数据到http协议时,重定向后会出现请求方法变为 get,post数据丢失。
解决这个问题就要换返回的状态码,307是临时,308是永久.


server{
        listen 80;
        listen 443 ssl;
        server_name  blog.c1gstudio.com;
        set $sslflag 0;
        if ($scheme = http) {
            set $sslflag "${sslflag}1";
        }
        if ($request_method = POST) {
            set $sslflag "${sslflag}2";
        }

        if ($sslflag = "012") {
        return 307 https://$host$request_uri;
        }  
        if ($sslflag = "01") {
        return 301 https://$host$request_uri;
        }
}

方式五:
所有http 的GET请求301跳转至https,
POST等请求的用proxy_pass来接收并反代https


server{
        listen 80;
        server_name  blog.c1gstudio.com;

        set $sslflag 0;
        if ($ssl_protocol = '') {
          set $sslflag "${sslflag}1";
        }
        if ( $request_method = "GET") {
            set $sslflag "${sslflag}2";
        }
        if ($sslflag = "012") {
          return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_set_header Host  $host;
            proxy_set_header X-Pass my_proxy;
            proxy_pass https://127.0.0.1;
        }

}

Posted in Nginx.

Tagged with , , .

No comments

By C1G 2023/03/15

自动化运维工具SaltStack安装

一.SaltStack介绍

1.常见的自动化运维工具介绍

chef,ansible,saltstack,puppet;
这几款都是自动化运维工具,可以用来提高运维管理效率,在这几款运维工具中目前主流的是ansible和saltstack。
ansible和saltstack的区别在于ansible无需安装客户端,这也成为了ansible的一大优势。
而saltstack则需要安装客户端,也可以不用安装,他们的适用场景也不一样,ansible适用于小型企业,管理较少的服务器时适用,saltstack则用于中大型企业,因为ansible无法并行执行saltstack则可以并行执行。
但是这几款运维工具并不存在优劣,只是适用的场景的不同。

语言的选择(puppet/chef vs ansible/saltstack)
Puppet、Chef基于Ruby开发,ansible、saltstack基于python开发的
运维开发语言热衷于python(后期可做二次开发),排除Puppet、Chef

速度的选择 (ansible vs saltstack)
ansible基于ssh协议传输数据,SaltStack使用消息队列zeroMQ传输数据。从网上数据来看,SaltStack比ansible快大约40倍。
对比ansible,Saltstack缺点是需要安装客户端。为了速度建议选择SaltStack

Ansible适合100台以下到200这样服务器规模应用
SaltStack,适合几百台的规模!
puppet适合上千台和几万台的规模

2. 服务架构介绍

saltstack是基于python开发的一套C/S自动化运维工具,通信采用了zeromq消息队列的(pub/sub),数据传输采用了AES(高级加密)保证安全性,认证采用了SSL方式.
在SaltStack架构中服务器端叫作Master,客户端叫作Minion,传统C/S架构为:客户端发送请求给服务器端,服务器端接收到请求并且处理完成后再返回给客户端。在SaltStack架构中不仅有传统的C/S架构服务模式,而且有消息队列中的发布与订阅(pub/sub)服务模式。这使得SaltStack应用场景更加丰富。目前在实际环境中一般使用SaltStack的C/S架构进行配置管理。

在Master和Minion端都是以守护进程的模式运行,一直监听配置文件里面定义的ret_port(接受minion请求,默认端口号:4506)和publish_port(发布消息,默认端口号:4505)的端口。当Minion运行时会自动连接到配置文件里面定义的Master地址ret_port端口进行连接认证。默认客户端请求id是socket.getfqdn()取到的值,也可以在Minion启动之前修改Minion的id值。

SaltStack github地址:
https://github.com/saltstack/salt
SaltStack 官网文档地址:
https://docs.saltproject.io/en/latest/

3.saltstack四大功能与四大运行方式

saltstack四大功能,分别是:

远程执行 (批量执行命令)在master上执行命令时,会在所有的minion上执行。
配置管理/状态管理 (描述想到达到的状态,saltstack就会去执行)
云管理(cloud) 用于管理云主机
事件驱动 被动执行的,当达到某个值会自动触发
saltstack可以通过远程执行实现批量管理,并且通过描述状态来达到某些功能的目的。

saltstack四大运行方式:

local本地运行 (masterless模式)
master/minion传统方式 这是saltstack的主要模式
syndic 分布式
salt ssh (agentless模式)

Master:控制中心,salt命令运行和资源状态管理
Minion : 需要管理的客户端机器,会主动去连接Mater端,并从Master端得到资源状态
信息,同步资源管理信息
States:配置管理的指令集
Modules:在命令行中和配置文件中使用的指令模块,可以在命令行中运行
Grains:minion端的变量,静态的
Pillar:minion端的变量,动态的比较私密的变量,可以通过配置文件实现同步minions定义
highstate:为minion端下发永久添加状态,从sls配置文件读取.即同步状态配置
salt_schedule:会自动保持客户端配置
Python API就是给Python提供的API使用,需要在SaltStack master上运行

4.saltstack配置文件

saltstack的配置文件在/etc/salt 目录

saltstack配置文件说明:

配置文件 说明
/etc/salt/master 主控端配置文件
/etc/salt/minion 受控端配置文件
配置文件件/etc/salt/master默认的配置就可以很好的工作,故无需修改此配置文件

配置文件/etc/salt/minion常用配置参数

master:设置主控端的IP
id:设置受控端主机的唯一标识符,可以是IP也可以是主机名或自取见名知意的单词等都可。
在日常使用过程中,经常需要调整或修改Master配置文件,SaltStack大部分配置都已经指定了默认值,只需根据自己的实际需求进行修改即可。下面的几个参数是比较重要的

max_open_files:可根据Master将Minion数量进行适当的调整
timeout:可根据Master和Minion的网络状况适当调整
auto_accept和autosign_file:在大规模部署Minion时可设置自动签证
master_tops和所有以external开头的参数:这些参数是SaltStack与外部系统进行整合的相关配置参数
saltstack的认证机制
saltstack主控端是依靠openssl证书来与受控端主机认证通讯的,受控端启动后会发送给主控端一个公钥证书文件,在主控端用salt-key命令来管理证书。

master与minion的认证过程
minion在第一次启动时会在/etc/salt/下生成/pki/minion目录,并在下面创建minion.pem(私钥)和minion.pub(公钥)。
然后主动将minion.pub发送到master的/etc/salt/pki/master/minions.pre/下面,并且文件以minion的id文件内的数据命名,等待认证。
在master上执行salt-key -L命令可以查看等待签证的minion。
执行salt-key -A -y命令同意所有没有签证的minion。
这时minion会在/etc/salt/pki/minion/下生成minion_master.pub文件,注这个是master的公钥文件。
并且master会将/pki/master/minions.pre目录下的公钥转移到/pki/master/minions/目录下表示已经认证,这时master就可以管理minion了。

二.安装部署SaltStack

1.配置yum源

cat /etc/issue.net
CentOS release 6.7 (Final)

在 Master 端和 Minion 端都需要安装 epel 的 yum源
注意网上很多教程的centos6源都已过期,注意切换到存档源


#wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-archive-6.repo
#wget http://archives.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm
#rpm -ivh epel-release-6-8.noarch.rpm 

#Centos7源
#wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

安装Centos6源


wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
wget -O /etc/yum.repos.d/salt.repo https://archive.repo.saltproject.io/yum/redhat/6/x86_64/saltstack-rhel6.repo
sed -i 's/repo.saltstack.com/archive.repo.saltproject.io/g' /etc/yum.repos.d/salt*.repo
yum clean expire-cache

当前环境配置的示例ip
Master: 192.168.0.11
Minion: 192.168.0.73
环境说明:

主机名 IP 所需应用 系统
master(控制节点) 192.168.0.11 salt-master salt-minion CentOS6.7
minion01(被控节点) 192.168.0.12 salt-minion CentOS6.7

2. master端安装salt-master

当前python为2.6
python -V
Python 2.6.6

yum list |grep salt

PyYAML.x86_64 3.11-1.el6 @saltstack/6.7
python-crypto.x86_64 2.6.1-2.el6 @saltstack/6.7
python-futures.noarch 3.0.3-1.el6 @saltstack/6.7
python-jinja2.noarch 2.7.3-1.el6 @saltstack/6.7
python-markupsafe.x86_64 0.11-10.el6 @saltstack/6.7
python-tornado.x86_64 4.2.1-1.el6 @saltstack/6.7
python-zmq.x86_64 14.5.0-2.el6 @saltstack/6.7
salt.noarch 2016.3.1-1.el6 @saltstack/6.7
salt-minion.noarch 2016.3.1-1.el6 @saltstack/6.7
zeromq.x86_64 4.0.5-4.el6 @saltstack/6.7
python-salttesting.noarch 2015.7.10-1.el6 epel-archive
salt-api.noarch 0.8.2-0.el6 epel-archive
salt-cloud.noarch 0.8.8-1.el6 epel-archive

注意切成 archive.repo.saltproject.io 后再安装.
我这里之前安装过老版本salt-minion,现升级为3000.5,之前版本都有些安全漏洞.

yum clean expire-cache

yum install salt-master

Installing:
salt-master noarch 3000.5-1.el6 saltstack-repo 3.0 M
Installing for dependencies:
PyYAML27 x86_64 3.11-3.el6 saltstack-repo 152 k
python27 x86_64 2.7.13-3.ius.el6 saltstack-repo 82 k
python27-babel noarch 0.9.4-5.3.el6 saltstack-repo 1.4 M
python27-backports x86_64 1.0-7.el6 saltstack-repo 5.1 k
python27-backports-ssl_match_hostname noarch 3.4.0.2-4.el6 saltstack-repo 11 k
python27-backports_abc noarch 0.5-11.el6 saltstack-repo 15 k
python27-chardet noarch 3.0.4-8.el6 saltstack-repo 188 k
python27-crypto x86_64 2.6.1-5.el6 saltstack-repo 501 k
python27-futures noarch 3.0.3-3.el6 saltstack-repo 27 k
python27-idna noarch 2.7-4.el6 saltstack-repo 102 k
python27-ipaddress noarch 1.0.18-6.el6 saltstack-repo 36 k
python27-jinja2 noarch 2.8.1-3.el6 saltstack-repo 284 k
python27-libs x86_64 2.7.13-3.ius.el6 saltstack-repo 5.6 M
python27-markupsafe x86_64 0.11-12.el6 saltstack-repo 24 k
python27-msgpack x86_64 0.6.2-2.el6 saltstack-repo 83 k
python27-psutil x86_64 5.4.2-1.ius.el6 saltstack-repo 383 k
python27-pycurl x86_64 7.19.0-11.el6 saltstack-repo 76 k
python27-pysocks noarch 1.6.8-7.el6 saltstack-repo 30 k
python27-requests noarch 2.20.1-3.el6 saltstack-repo 120 k
python27-setuptools noarch 36.6.0-1.ius.el6 saltstack-repo 605 k
python27-singledispatch noarch 3.4.0.3-16.el6 saltstack-repo 19 k
python27-six noarch 1.9.0-4.el6 saltstack-repo 29 k
python27-urllib3 noarch 1.23-6.el6 saltstack-repo 180 k
python27-zmq x86_64 14.5.0-4.el6 saltstack-repo 478 k
Updating for dependencies:
salt noarch 3000.5-1.el6 saltstack-repo 11 M
salt-minion noarch 3000.5-1.el6 saltstack-repo 40 k

Transaction Summary

Install 25 Package(s)
Upgrade 2 Package(s)

Total download size: 24 M
Is this ok [y/N]:

以下可装可不装
yum install salt-ssh
yum install salt-syndic
yum install salt-cloud
yum install salt-api

master只监听内网


#手动编辑 vi /etc/salt/master
#interface: 192.168.0.11
#sed -i 's/#interface: 0.0.0.0/interface: 192.168.0.11/g' /etc/salt/master 
echo 'interface: 192.168.0.11' >> /etc/salt/master

iptables开放内网端口4505和4506
iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 -m multiport –dports 4505,4506 -j ACCEPT
/etc/init.d/iptables save

启动
/etc/init.d/salt-master start

开机启动
chkconfig salt-master on
chkconfig –list salt-master

查看当前salt版本
salt –version
salt 3000.5

查看当前salt组件版本
salt –versions-report
Salt Version:
Salt: 3000.5

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.8.1
libgit2: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.6.2
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.13 (default, May 8 2020, 22:36:22)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 14.5.0
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.0.5

System Versions:
dist: centos 6.7 Final
locale: UTF-8
machine: x86_64
release: 2.6———.el6.x86_64
system: Linux
version: CentOS 6.7 Final

3.安装 minion 端

在minion机
配置yum源
wget -O /etc/yum.repos.d/salt.repo https://archive.repo.saltproject.io/yum/redhat/6/x86_64/saltstack-rhel6.repo
sed -i ‘s/repo.saltstack.com/archive.repo.saltproject.io/g’ /etc/yum.repos.d/salt.repo

yum list |grep salt

修复[Errno 14]ssl错误
Loading mirror speeds from cached hostfile
https://archive.repo.saltproject.io/yum/redhat/6/x86_64/latest/repodata/repomd.xml: [Errno 14] problem making ssl connection
Trying other mirror.
关闭salt源,修改salt.repo
将里面的enabled=1改成enabled=0
sed -i ‘s/enabled=1/enabled=0/g’ /etc/yum.repos.d/salt.repo
sed -n ‘/^enabled=/p’ /etc/yum.repos.d/salt.repo

yum -y install ca-certificates
yum -y update curl nss
如果还不行,那需要升级openssl等组件或者换个非https的源

再次打开salt源
sed -i ‘s/enabled=0/enabled=1/g’ /etc/yum.repos.d/salt.repo
sed -n ‘/^enabled=/p’ /etc/yum.repos.d/salt.repo

安装 salt-minion

备份原配置文件,如果有的话
mv /etc/salt/minion /etc/salt/minion.2016.bak

yum clean expire-cache
yum -y install salt-minion

Dependencies Resolved

Package Arch Version Repository Size

Installing:
salt-minion noarch 3000.5-1.el6 saltstack-repo 40 k
Installing for dependencies:
PyYAML27 x86_64 3.11-3.el6 saltstack-repo 152 k
libyaml x86_64 0.1.3-4.el6_6 os 52 k
python27 x86_64 2.7.13-3.ius.el6 saltstack-repo 82 k
python27-babel noarch 0.9.4-5.3.el6 saltstack-repo 1.4 M
python27-backports x86_64 1.0-7.el6 saltstack-repo 5.1 k
python27-backports-ssl_match_hostname noarch 3.4.0.2-4.el6 saltstack-repo 11 k
python27-backports_abc noarch 0.5-11.el6 saltstack-repo 15 k
python27-chardet noarch 3.0.4-8.el6 saltstack-repo 188 k
python27-crypto x86_64 2.6.1-5.el6 saltstack-repo 501 k
python27-futures noarch 3.0.3-3.el6 saltstack-repo 27 k
python27-idna noarch 2.7-4.el6 saltstack-repo 102 k
python27-ipaddress noarch 1.0.18-6.el6 saltstack-repo 36 k
python27-jinja2 noarch 2.8.1-3.el6 saltstack-repo 284 k
python27-libs x86_64 2.7.13-3.ius.el6 saltstack-repo 5.6 M
python27-markupsafe x86_64 0.11-12.el6 saltstack-repo 24 k
python27-msgpack x86_64 0.6.2-2.el6 saltstack-repo 83 k
python27-psutil x86_64 5.4.2-1.ius.el6 saltstack-repo 383 k
python27-pycurl x86_64 7.19.0-11.el6 saltstack-repo 76 k
python27-pysocks noarch 1.6.8-7.el6 saltstack-repo 30 k
python27-requests noarch 2.20.1-3.el6 saltstack-repo 120 k
python27-setuptools noarch 36.6.0-1.ius.el6 saltstack-repo 605 k
python27-singledispatch noarch 3.4.0.3-16.el6 saltstack-repo 19 k
python27-six noarch 1.9.0-4.el6 saltstack-repo 29 k
python27-urllib3 noarch 1.23-6.el6 saltstack-repo 180 k
python27-zmq x86_64 14.5.0-4.el6 saltstack-repo 478 k
salt noarch 3000.5-1.el6 saltstack-repo 11 M
zeromq x86_64 4.0.5-4.el6 saltstack-repo 568 k

Transaction Summary

Install 28 Package(s)

Total download size: 22 M
Installed size: 99 M
Is this ok [y/N]:

指定 master 的ip地址


#替换#master: salt
#sed -i 's/#master: salt/master: 192.168.0.11/g' /etc/salt/minion 
#sed -i 's/master: 192.168.4.138/master: 192.168.0.56/g' /etc/salt/minion

推荐在尾部添加
echo ‘master: 192.168.0.56’ >> /etc/salt/minion
echo ‘environment: prd’ >> /etc/salt/minion
echo ‘hash_type: sha256’ >> /etc/salt/minion

再次确认master ip地址
sed -n ‘/^master:/p’ /etc/salt/minion
master: 192.168.0.11

指定minion的id
id默认为hostname,如需修改可以编辑minion配置文件的#id:
sed -i ‘s/^#id:/id: c1g-w32/g’ /etc/salt/minion #注意id:后的空格

推荐直接编辑id文件
echo hostname >/etc/salt/minion_id

查看当前版本
salt-minion –version
salt-minion 3000.5

启动服务
/etc/init.d/salt-minion start
Starting salt-minion:root:c1g-w32 daemon: OK

开机启动
chkconfig salt-minion on
chkconfig –list salt-minion

关闭服务
/etc/init.d/salt-minion stop

查看当前id
cat /etc/salt/minion_id

如id错误,修改当前id
echo ‘c1g-w32’ >/etc/salt/minion_id

4.C/S认证

在master机
salt-key 密钥管理

salt-key -L 查看当前需要接受的keys(master和minions都需要把服务开启)。
//salt-key常用选项
-L //列出所有公钥信息
-a minion //接受指定minion等待认证的key
-A //接受所有minion等待认证的key
-r minion //拒绝指定minion等待认证的key
-R //拒绝所有minion等待认证的key
-f minion //显示指定key的指纹信息
-F //显示所有key的指纹信息
-d minion //删除指定minion的key
-D //删除所有minion的key
-y //自动回答yes

查看当前证书情况
salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
c1g-w32
Rejected Keys:

单独接受c1g-w32
salt-key -ya c1g-w32

The following keys are going to be accepted:
Unaccepted Keys:
c1g-w32
Key for minion c1g-w32 accepted.

再次查看
salt-key -L
Accepted Keys:
c1g-w32
Denied Keys:
Unaccepted Keys:
Rejected Keys:

接受所有的minion证书
salt-key -yA

5.远程命令执行

测试master和minion之间的通信是否正常
salt “c1g-w32” test.ping
c1g-w32:
True

salt “*” test.ping
c1g-w32:
True

salt ‘*’ cmd.run ‘df -h’

salt ‘*’ cmd.run ‘yum -y install tree’

三.SaltStack 相关命令

1.在master上配置nodegroup

1.在/etc/salt/master的最下面加上default_include
echo ‘default_include: master.d/*.conf’ >> /etc/salt/master

2.编辑组
不要用I@ 会匹配不到
vim /etc/salt/master.d/group.conf
nodegroups:
proxy: ‘[email protected][1-7]’
nginx: ‘[email protected][8-9] or [email protected][1][0-9] or [email protected][0-3] or [email protected][3-6] or [email protected]
bak: ‘[email protected]
manage: ‘[email protected][4-8] or [email protected][0-2]’

无需重启

3.测试组
salt -N proxy test.version
salt -N nginx test.version
c1g-w35:
3000.5
c1g-w36:
3000.5

salt命令使用

salt远程执行命令
//语法:salt [options] ” [arguments]

//常用的options
–version //查看saltstack的版本号
–versions-report //查看saltstack以及依赖包的版本号
-h //查看帮助信息
-c CONFIG_DIR //指定配置文件目录(默认为/etc/salt/)
-t TIMEOUT //指定超时时间(默认是5s)
–async //异步执行
-v //verbose模式,详细显示执行过程
–username=USERNAME //指定外部认证用户名
–password=PASSWORD //指定外部认证密码
–log-file=LOG_FILE //指定日志记录文件

//常用target参数
-E //正则匹配
-L //列表匹配
-S //CIDR匹配网段
-G //grains匹配
–grain-pcre //grains加正则匹配
-N //组匹配
-R //范围匹配
-C //综合匹配(指定多个匹配)
-I //pillar值匹配

查看所有的function:
salt “c1g-w32” sys.doc cmd

默认的规则是使用glob匹配minion id
salt ‘‘ test.ping salt ‘node‘ test.ping
正则表达式
salt ‘node[1|2]’ test.ping
salt ‘node[!2]’ test.ping
salt -E ‘server[1-3]’ test.ping
salt -E ‘node(1|2)’ test.ping
指定列表
salt -L ‘server2,server3’ test.ping
指定ip
salt -S ‘192.168.0.13’ test.ping
指定ip段
salt -S ‘192.168.0.0/24’ test.ping

测试
salt ‘*’ test.echo ‘hello’

网络
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.network.html
salt ‘‘ network.ping baidu.com # 使用ping命令测试到某主机的连通性 salt ‘‘ network.connect baidu.com 80 # #测试minion至某一台服务器的网络是否连通
salt ‘‘ network.default_route #查看默认路由 network.get_route #查询到一个目标网络的路由信息 network.netstat #返回所有打开的端口和状态 network.routes #返回当前路由表 salt ‘‘ network.get_hostname # 获取主机名
salt ‘‘ network.active_tcp # 返回所有活动的tcp连接 salt ‘‘ network.ip_addrs # 返回一个IPv4的地址列表
salt ‘‘ network.get_fqdn # 查看主机的fqdn(完全限定域名) salt ‘‘ network.interfaces

salt ‘‘ service.available sshd # 查看ssh服务是否可达 salt ‘‘ service.get_all # 查看所有启动的服务
salt ‘‘ service.status nginx # 查看指定服务是否在线 salt ‘‘ state.show_top # 查看top_file情况
salt ‘*’ disk.usage

查看进程
salt c1g-w01 cmd.run ‘ps aux|grep titanagent’
c1g-w01:

查看chconfig zabbix是否开启
salt ‘c1g-w01’ cmd.run ‘chkconfig –list|grep zabbix_agentd’
salt -N bak cmd.run ‘chkconfig –list|grep zabbix_agentd’
salt ‘*’ cmd.run ‘chkconfig –list|grep zabbix_agentd’

salt-run
salt-run [options] [runner.func]
salt-run manage.status ##查看所有minion状态
salt-run manage.down ##查看所有没在线minion
salt-run manged.up ##查看所有在线minion

salt-call
该命令通常在minion上执行,minion自己执行可执行模块,不是通过master下发job
salt-call [options] [arguments]
salt-call test.ping ##自己执行test.ping命令
salt-call cmd.run ‘ifconfig’ ##自己执行cmd.run函数

文件分发salt-cp
salt-cp命令用于复制一个文件到多个minion系统中。指定minion可以使用通配符、正则表达式、Grains等方法
分发文件到minion上,不支持目录分发,通常在master运行
salt-cp [options] ” SOURCE DEST
salt-cp ‘‘ testfile.html /tmp salt-cp ‘node‘ /opt/index.html /tmp/a.html

salt-cp ‘*’ /etc/hosts /etc #不用创建上面的sls即可实现(不建议此方法)

更新nginx 的nginx.conf

salt-cp ‘c1g-w3’ /srv/salt/prd/server/c1g-w3/opt/nginx/conf/nginx.conf /opt/nginx/conf/

salt ‘c1g-w3’ cmd.run ‘/opt/nginx/sbin/nginx -t’
salt ‘c1g-w3’ cmd.run ‘/opt/nginx/sbin/nginx -s reload’

Saltstack配置管理

修改file_root文件目录
文件件中的flie_roots选项管理。Salt文件服务器的默认环境为为base环境,base环境必须定义,因为
当环境没有明确指定时,文件下载就是从base环境中去找的。其配置如下:
文件服务器在给minions传输文件时,是有搜索顺序的。配置说明:如果文件URL为:salt://httpd/httpd.conf。那么传输文件时,先搜
索/srv/salt/base/httpd/httpd.conf,如果找到了,则下载;否则就使用 /srv/salt/failover/httpd/httpd.conf

注意:
如果minion里定义了environment,那么master里也要有对应的environment

echo ‘environment: prd’ >> /etc/salt/minion

否则出会现以下环境对不上的错误
No matching salt environment for environment ‘prd’ found

vim /etc/salt/master
file_roots:
base:
– /srv/salt/base
– /srv/salt/failover
dev:
– /srv/salt/dev
– /srv/salt/base
prd:
– /srv/salt/prd
– /srv/salt/base

创建文件目录
mkdir /srv/{salt,pillar}
mkdir -p /srv/salt/{base,dev,prd,failover}/init/files

编写.sls文件
sls文件是YAML语言来进行描述的,请遵循YAML语法规范

Online YAML Parser: Convert YAML to JSON or Python data structures.
https://yaml-online-parser.appspot.com/

The Official YAML Specification
https://yaml.org/spec/1.2.2/
WHAT IS YAML
https://docs.saltproject.io/en/latest/topics/yaml/index.html

规则一: 缩进
Salt需要每个缩进级别由两个空格组成,不要使用tabs。
如果你遇到“rendering sls files errors”等错误,请检查你的sls文件,确保没有Tab等非法符合

规则二: 冒号
字典的keys在YAML中的表现形式是一个以冒号结尾的字符串。
my_key: my_value

映射到Python里面就是:
{‘my_key’: ‘my_value’}
不常见,通常情况下,一个key的value不是单一的,而是一个 列表 的values

规则三: 短横杠
想要表示列表项,使用一个短横杠加一个空格。
key:

  • v1
  • v2
  • v3

映射到Python里面就是:
{‘key’: [v1,v2,v3]}
这个在Salt很常见.

规则四: 嵌套
基本遵循2个空格的缩进,只有定义context,defaults选项的时候才使用四个空格作为缩进。用大括号的除外。

批量修改/etc/resolv.conf文件示例
file.manage
https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed
cd /srv/salt/base
vim init/dns.sls
/etc/resolv.conf: #标签
file.managed: #状态模块file的mamaged方法,用以实现
– source: salt://init/files/resolv.conf #源文件resolv.conf
– user: root #文件用户属主
– group: root #文件数组
– mode: 644 #文件权限

init/files/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.0.11
nameserver 114.114.114.114

top.sls文件是必需的
vim top.sls
base:
‘: – dns dev: ‘‘:
– dns
prd:
‘*’:
– dns

重启服务
/etc/init.d/salt-master restart

执行dns状态文件
salt ‘c1g-w02’ state.sls init.dns

c1g-w02:
----------
          ID: /etc/resolv.conf
    Function: file.managed
      Result: True
     Comment: File /etc/resolv.conf updated
     Started: 14:36:30.204689
    Duration: 70.436 ms
     Changes:   
              ----------
              diff:
                  --- 
                  +++ 
                  @@ -1,4 +1,4 @@
                  -; generated by /sbin/dhclient-script
                  +# Generated by NetworkManager
                   nameserver 192.168.0.11
                   nameserver 114.114.114.114
                  +

Summary for c1g-w02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  70.436 ms

指定环境运行
salt -N bak state.sls saltenv=’prd’ init.dns

state高级状态默认从top文件中执行
salt ‘c1g-w03’ state.highstate

常用文档地址
grains
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.grains.html
user.list_users
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.useradd.html#salt.modules.useradd.list_users
SALT.MODULES.CP
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.cp.html
SALT.MODULES.CP
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.cron.html#module-salt.modules.cron
SALT.MODULES.DISK
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.disk.html
SALT.MODULES.DNSMASQ
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.dnsmasq.html
SALT.MODULES.ELASTICSEARCH
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.elasticsearch.html
SALT.MODULES.ETHTOOL
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.ethtool.html
SALT.MODULES.FILE
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.file.html
SALT.MODULES.HOSTS
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.hosts.html
SALT.MODULES.HTTP
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.http.html
SALT.MODULES.IPTABLES
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.iptables.html
SALT.MODULES.LINUX_IP
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.linux_ip.html
SALT.MODULES.LINUX_LVM

https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.linux_lvm.html
SALT.MODULES.LINUX_SERVICE
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.linux_service.html
SALT.MODULES.LOCALEMOD
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.localemod.html

https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.logrotate.html

https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.memcached.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.minion.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.network.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.nginx.html#

https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.pillar.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.rabbitmq.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.redismod.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.rsync.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.saltcheck.html#
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.saltutil.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.schedule.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.scp_mod.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.selinux.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.splunk.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.ssh.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.ssh_service.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.status.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.svn.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.system.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.timezone.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.useradd.html
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.varnish.html

参考:
https://www.cnblogs.com/0x00000/p/5790918.html
https://tsov.net/uupee/23010/
https://www.jianshu.com/p/9fc253c35189

Posted in saltstack/ansible, 技术.

No comments

By C1G 2023/03/11

windows下VMware 虚拟机转换到 VirtualBox

在将 VMware 虚拟机迁移到 Vbox 之前,确保在 VMware 的状态为“关闭电源” —— 非挂起。如果是挂起,启动虚拟机然后关机。
接下来,找到 OVFTool 所在目录。如果你用的是 VMware Player,目录在类似 C:\Program Files (x86)\VMware\VMware Player\OVFTool。按住 Shift 键,右击选择在此处打开命令行窗口。

G:\Program Files\vmware\VMware Workstation\OVFTool

G:\vmos\CentOS 7_mini_vm5\CentOS 7_mini_vm5.vmx
ovftool “G:\vmos\CentOS 7_mini_vm5\CentOS 7_mini_vm5.vmx” G:\vmos\CentOS7_mini_vr\centos7.ovf

Opening VMX source: G:\vmos\CentOS 7_mini_vm5\CentOS 7_mini_vm5.vmx
Opening OVF target: G:\vmos\CentOS7_mini_vr\centos7.ovf
Writing OVF package: G:\vmos\CentOS7_mini_vr\centos7\centos7.ovf
Transfer Completed
Completed successfully

过程结束之后,可以使用管理菜单中的导入虚拟电脑选项,将 .ovf 文件导入 Vbox。

 

Posted in 技术.

Tagged with , .

No comments

By C1G 2023/02/28

安装一个自已的DNS服务器dnsmasq

补发丢失贴子

centos下超简单

yum install dnsmasq

vim /etc/dnsmasq.conf

# 让dnsmasq读取目录内所有配置文件
# conf-dir=/etc/dnsmasq.d
# 让dnsmasq读取设定的resolv-file
# no-resolv
no-poll
strict-order
resolv-file=/etc/dnsmasq.d/resolv.dnsmasq.conf

# 不读取系统hosts,读取你设定的
no-hosts
addn-hosts=/etc/dnsmasq.d/dnsmasq.hosts
# dnsmasq日志设置
log-queries
# dnsmasq缓存设置
cache-size=1024
# 单设置127只为本机使用,加入本机IP为内部全网使用
listen-address=127.0.0.1,192.168.0.56

echo 'no-poll' >> /etc/dnsmasq.conf
echo 'strict-order' >> /etc/dnsmasq.conf
echo 'resolv-file=/etc/dnsmasq.d/resolv.dnsmasq.conf' >> /etc/dnsmasq.conf
echo 'addn-hosts=/etc/dnsmasq.d/dnsmasq.hosts' >> /etc/dnsmasq.conf
echo 'log-queries' >> /etc/dnsmasq.conf
echo 'cache-size=1024' >> /etc/dnsmasq.conf
echo 'listen-address=127.0.0.1,10.100.131.1' >> /etc/dnsmasq.conf


cp /etc/hosts /etc/dnsmasq.d/dnsmasq.hosts

vi /etc/resolv.conf
nameserver 127.0.0.1

vi /etc/dnsmasq.d/resolv.dnsmasq.conf
nameserver 114.114.114.114
nameserver 223.5.5.5



dnsmasq --test
dnsmasq: syntax check OK.


/etc/init.d/dnsmasq start

chkconfig dnsmasq on

iptables -A INPUT -p tcp -m state -s 192.168.0.0/24 --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m state -s 192.168.0.0/24 --state NEW --dport 53 -j ACCEPT

/etc/init.d/iptables save

客户端
vi /etc/resolv.conf
nameserver 192.168.0.56

dnsmasq -v
Dnsmasq version 2.48 Copyright (C) 2000-2009 Simon Kelley
Compile time options IPv6 GNU-getopt DBus no-I18N DHCP TFTP “–bind-interfaces with SO_BINDTODEVICE”

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

http://pub-shbt.s3.360.cn/cert-public-file/%E3%80%90360CERT%E3%80%91Dnsmasq__%E5%A4%9A%E4%B8%AA%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E%E9%A3%8E%E9%99%A9%E9%80%9A%E5%91%8A.pdf
修复安全漏洞,启动时加上 –dns-forward-max=100

vi /etc/init.d/dnsmasq


  start)
        if [ $UID -ne 0 ] ; then
            echo "User has insufficient privilege."
            exit 4
        fi
        echo -n "Starting dnsmasq: "
        daemon $dnsmasq --dns-forward-max=100 $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dnsmasq

重启
/etc/init.d/dnsmasq restart
验证
ps aux|grep dnsmasq

nobody 28688 0.0 0.0 12888 712 ? S 11:42 0:00 /usr/sbin/dnsmasq –dns-forward-max=100

开启日志

log-facility=/var/log/dnsmasq.log

vi /etc/logrotate.d/dnsmasq
输入:
/var/log/dnsmasq.log {
notifempty
weekly
dateext
rotate 58
sharedscripts
postrotate
[ ! -f /var/run/dnsmasq.pid ] || kill -USR2 cat /var/run/dnsmasq.pid
endscript
}

/usr/sbin/logrotate -vf /etc/logrotate.conf

统计dnsmasq的解析

cat /var/log/dnsmasq.log |grep ‘query[A]’|gawk ‘{print $6}’|sort|uniq -c|sort -nr

Posted in dns/dnsmasq.

Tagged with , .

No comments

By C1G 2023/02/28

nginx+syslog-ng实现web日志集中管理

补发丢失的贴子

简单的要求是本地和中心都要可以实时记录日志,方便安装、管理及扩展。
参考了下其它的方案,觉得syslog-ng是很方便高效的,并且已有现成的syslog-ng+splunk中心服务器.
Scribe是facebook开源的日志收集系统,c/c++实现,可用于搜索引擎中进行大规模日志分析处理。其通常与Hadoop结合使用,安装非常复杂.主要包括三部分,分别为scribe agent, scribe和存储系统
Apache的Chukwa,属于hadoop系列产品,java实现, 因而使用了很多hadoop的组件(用HDFS存储,用mapreduce处理数据),主要有3种角色,分别为:adaptor,agent,collector
LinkedIn的Kafka 采用scala语言编写,Kafka是高吞吐量的分布式发布订阅消息系统,主要有三种角色,分别为producer,broker和consumer.支持Hadoop并行数据加载
Cloudera的Flume ,由三层组成,分别为agent,collector和storage.java实现,配置复杂
logstash Logstash 的过滤器是用 Ruby 写的,Kibana 是用纯 Javascript 写的,而 ElasticSearch 也有自己的 REST 接口和 JSON 模板。

graylog2比Kibana要弱

syslog-ng方案尝试了几种方式

nginx 1.7.1 起支持syslog

1.tnginx(nginx)通过syslog输出,本地用syslog接收并写入本地和发送至syslog-ng中心服务器.
A.每条访问日志前会有syslog的时间戳.
B.多个web日志文件分离不方便.
功能及便利就不如syslog-ng了,不推荐使用.
2.tnginx(nginx)不做修改还是输出至文件,syslog-ng监控本地文件并将变动发送至syslog-ng中心服务器.
syslog-ng中心服务器没有应用程序标记无法分离日志.
3.web访问日志通过tengine或nginx的syslog方式输出到本地syslog-ng服务,syslog-ng将日志保存在本地,并发送一份至syslog-ng中心服务器.
推荐使用

->local file tengine->local syslog-ng(syslog) ->remote syslog-ng

一.syslog-ng安装

先安装syslog-ng,本地及中心服务器都装上
最新版为syslog-ng_3.4.8,需python2.5以上支持,我用syslog-ng_3.3.9.

checking for a Python interpreter with version >= 2.5… none
configure: error: no suitable Python interpreter found
configure: error: ./configure.gnu failed for modules/afamqp/rabbitmq-c


wget https://my.balabit.com/downloads/libol/0.3/libol-0.3.18.tar.gz
wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.9/source/syslog-ng_3.3.9.tar.gz
wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.9/source/eventlog_0.2.12.tar.gz

wget http://www.balabit.com/downloads/files?path=/libol/0.3/libol-0.3.18.tar.gz http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.9/source/syslog-ng_3.3.9.tar.gz http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.9/source/eventlog_0.2.12.tar.gz

1.安装eventlog

tar -zxvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12
./configure –prefix=/usr/local/eventlog_0.2.12
make && make install
cd /usr/local/
ln -s eventlog_0.2.12 eventlog
cd –

2.安装libol
mv files?path=%2Flibol%2F0.3%2Flibol-0.3.18.tar.gz libol-0.3.18.tar.gz tar -zxvf libol-0.3.18.tar.gz cd libol-0.3.18 ./configure –prefix=/usr/local/libol-0.3.18 make && make install cd /usr/local/ ln -s libol-0.3.18 libol cd –

3.安装syslog-ng

yum install pcre

设置环境变量

export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/:/usr/local/lib/pkgconfig/:$PKG_CONFIG_PATH

openssl如果升级过,编不过去可以关闭
–disable-ssl

tar -zxvf syslog-ng_3.3.9.tar.gz
cd syslog-ng-3.3.9
./configure –prefix=/usr/local/syslog-ng_3.3.9 –with-libol=/usr/local/libol/ –enable-pcre –disable-ipv6
make && make install
cd /usr/local/
ln -s syslog-ng_3.3.9 syslog-ng

/usr/local/syslog-ng_3.3.9/sbin/syslog-ng -V

二.方式1配置

vi /opt/nginx/conf/nginx.conf
access_log syslog:local5:notice:/dev/log:adminsyslog.c1gstudio.com access ;

查看是否是syslogd服务
ps aux|grep log
root 19199 0.0 0.0 6328 1108 ? Ss 2013 0:24 syslogd -m 0

vi /etc/init.d/syslog
SYSLOGD_OPTIONS=”-r -x -m 0″
-r: 打开接受外来日志消息的功能,其监控514 UDP端口;
-x: 关闭自动解析对方日志服务器的FQDN信息,这能避免DNS不完整所带来的麻烦;

vi /etc/syslog.conf

local5.* /opt/nginx/logs/weblog

local5.* @192.168.0.39

重启syslog服务
/etc/init.d/syslog restart

本地文件及splunk会记录日志

三.方式2配置

注释掉/etc/syslog.conf中的修改

vi /usr/local/syslog-ng/etc/syslog-ng.conf

source s_webfile { file(“/opt/nginx/logs/access.log”); };

destination r_centerlog { udp(“192.168.0.39” port(514) ); };

log { source(s_webfile); destination(r_centerlog); };

<13>Jul 22 11:30:18 192.168.0.38 192.168.0.40 – c1g_web [22/Jul/2014:11:30:18 +0800] “GET /5 HTTP/1.0” 404 219 “-” “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36” 116.210.54.88
本地文件及splunk会记录日志

四.方式3配置

vi /opt/nginx/conf/nginx.conf
access_log syslog:local5:notice:127.0.0.1:514:adminsyslog.c1gstudio.com access ;
php错误通过udp发送至syslog-ng中心服务器,web日志则通过tcp方式发送,并保存一份在/opt/nginx/logs/$PROGRAM.log

本地syslog-ng
vi /usr/local/syslog-ng/etc/syslog-ng.conf

@version: 3.3
@include “scl.conf”

options {
use_dns (no);
use_fqdn(no);
chain_hostnames(off);
keep_hostname(off);
flush_lines(0);
stats_freq(7200);
create_dirs(no);
};
source s_internal { internal(); };
destination d_syslognglog { file(“/var/log/syslog-ng.log”); };
log { source(s_internal); destination(d_syslognglog); };

source s_php { file(“/opt/php/logs/php_error.log”); };

source s_weblog { udp(ip(127.0.0.1) port(514) so_rcvbuf(8738000));};

filter f_weblog { facility(local5); };

destination r_remote { udp(“192.168.0.39” port(514) flush_lines(0) ); };
destination r_centerlog { tcp(“192.168.0.39” port(514) ); };

destination d_locallog { file(“/opt/nginx/logs/$PROGRAM.log” template(“$MSG\n”) owner(“www”) group(“website”) perm(0664) ) ); };

log { source(s_weblog); filter(f_weblog); destination(d_locallog); };
log { source(s_weblog); filter(f_weblog); destination(r_centerlog); };

log { source(s_php); destination(r_remote); };

要上没带上template(“$MSG\n”)会增加Jul 22 13:57:58 127.0.0.1 adminsyslog.c1gstudio.com[7150]:
Jul 22 13:57:58 127.0.0.1 adminsyslog.c1gstudio.com[7150]: 192.168.0.40 – c1g_web [22/Jul/2014:13:57:58 +0800] “GET /8 HTTP/1.0” 404 219 “-” “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36” 116.210.54.88

syslog-ng中心服务器配置
mkdir -p /opt/log/

vi /usr/local/syslog-ng/etc/syslog-ng.conf

source s_remotetcp {
tcp(ip(192.168.0.39) port(514) log_fetch_limit(100) log_iw_size(50000) max-connections(50) );
};
filter f_filter11 { facility(local5); };
destination r_local5 { file(“/opt/log/$YEAR.$MONTH/$DAY/$PROGRAM.log” template(“$MSG\n”) owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes) flush_lines(300) ); };

log { source(s_remotetcp); filter(f_filter11); destination(r_local5); };

完整的syslog-ng.conf
我这里还带着splunk

@version: 3.3
@include “scl.conf”
options {
use_dns (no);
use_fqdn(no);
chain_hostnames(off);
keep_hostname(off);
flush_lines(0);
stats_freq(1200);
create_dirs(yes);
log_fifo_size(1000000);
};
source s_internal { internal(); };
destination d_syslognglog { file(“/var/log/syslog-ng.log”); };
log { source(s_internal); destination(d_syslognglog); };

source s_sys { system();file(“/proc/kmsg”); unix-stream(“/dev/log”);};
destination d_cons { file(“/dev/console”); };
destination d_mesg { file(“/var/log/messages”); };
destination d_auth { file(“/var/log/secure”); };
destination d_mail { file(“/var/log/maillog”); };
destination d_spol { file(“/var/log/spooler”); };
destination d_boot { file(“/var/log/boot.log”); };
destination d_cron { file(“/var/log/cron”); };
destination d_rsync { file(“/var/log/rsync”); };
destination d_mlal { usertty(“*”); };
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_filter9 { facility(daemon); };
filter f_filter10 { facility(local6); };
filter f_filter11 { facility(local5); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };

log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

Remote logging

source s_remote {
udp(ip(192.168.0.39) port(514));
};
source s_remotetcp {
tcp(ip(192.168.0.39) port(514) log_fetch_limit(100) log_iw_size(50000) max-connections(50) );
};

template t_weblog { template(“$MSG\n”); template_escape(no) );

destination r_mesg { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_auth { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/secure” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_mail { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/maillog” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spol { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/spooler” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_boot { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/boot.log” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/cron” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_daemon { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/daemon” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_local6 { file(“/var/log/syslog-ng/$YEAR.$MONTH/network/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_local5 { file(“/opt/log/$YEAR.$MONTH/$DAY/$PROGRAM.log” template(“$MSG\n”) owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes) flush_lines(300) ); };

destination d_separatedbyhosts {

file(“/var/log/syslog-ng/$HOST/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes));

};

destination d_tcp { tcp(“localhost” port(1999) localport(999) flush_lines(100) ); };

log { source(s_remote); destination(d_separatedbyhosts); };

log { source(s_remote); filter(f_filter2); destination(r_mesg); };
log { source(s_remote); filter(f_filter3); destination(r_auth); };
log { source(s_remote); filter(f_filter4); destination(r_mail); };
log { source(s_remote); filter(f_filter6); destination(r_spol); };
log { source(s_remote); filter(f_filter7); destination(r_boot); };
log { source(s_remote); filter(f_filter8); destination(r_cron); };
log { source(s_remote); filter(f_filter9); destination(r_daemon); };
log { source(s_remote); filter(f_filter10); destination(r_local6); };

log { source(s_remotetcp); filter(f_filter11); destination(r_local5); };

log { source(s_remote); destination(d_tcp); };

打开iptables接收端口,这里只开放给内网
iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 514 -j ACCEPT iptables -A INPUT -p udp -m udp -s 192.168.0.0/16 –dport 514 -j ACCEPT

启动/
/usr/local/syslog-ng/sbin/syslog-ng syslogng参数优化
以下为4个关键参数默认值,调整不佳会丢消息
log_fetch_limit =10
max_connections =10
log_iw_size =1000
log_fifo_size =10000 输出队列的行数 出现以下错误说明参数值不合理
WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to 100 entries. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size=’10’, new_log_iw_size=’100′, min_log_fifo_size=’10000′ 参数公式
log_iw_size = max_connections * log_fetch_limit
log_fifo_size = log_iw_size * (10~20) syslog-ng中心增加接收能力
source s_remotetcp { tcp(ip(192.168.0.39) port(514) log_fetch_limit(100) log_iw_size(50000) max-connections(50) ); }; log_fifo_size为全局输出值
options { use_dns (no); use_fqdn(no); chain_hostnames(off); keep_hostname(off); flush_lines(0); stats_freq(1200); create_dirs(yes); log_fifo_size(1000000); }; 本地udp接收带8M缓存
source s_weblog { udp(ip(127.0.0.1) port(514) so_rcvbuf(8738000)); }; 内核优化
/etc/sysctl.conf
net.core.rmem_max = 8738000 net.core.wmem_max = 6553600 net.ipv4.tcp_rmem = 8192 873800 8738000 net.ipv4.tcp_wmem = 4096 655360 6553600
sysctl 查看统计信息
/usr/local/syslog-ng/sbin/syslog-ng-ctl stats
SourceName;SourceId;SourceInstance;State;Type;Number destination;d_mail;;a;processed;0 destination;d_spol;;a;processed;0 destination;r_boot;;a;processed;0 global;payload_reallocs;;a;processed;86 source;s_internal;;a;processed;4 source;s_sys;;a;processed;52 destination;d_mesg;;a;processed;41 source;s_remotetcp;;a;processed;32426 destination;r_local5;;a;processed;32426 日志切割后需发个信号
…. /bin/mv ${log_dir}/proxy.www.c1gstudio.com.log ${log_dir}/proxy.www.c1gstudio.com.${yesterday}.log /bin/kill -USR1 cat /usr/local/syslog-ng/var/syslog-ng.pid /bin/gzip ${log_dir}/proxy.www.c1gstudio.com.${yesterday}.log & …. 开机启动
vi /etc/rc.local
/usr/local/syslog-ng/sbin/syslog-ng 碎碎念 使用/dev/log
会把syslog接管,远程目录会偏移
nginx
access_log syslog:local5:notice:/dev/log:adminsyslog.c1gstudio.com access ; 本地syslogng
source s_sys { unix-dgram (“/dev/log”);}; Jul 22 14:45:43 Caserver caserver adminsyslog.c1gstudio.com[13318]: 192.168.0.40 – c1g_web [22/Jul/2014:14:45:43 +0800] “GET /9 HTTP/1.0” 404 219 “-” “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36” 116.210.54.88
unix-stream()主要用在Linux,使用SOCK_STREAM参数,是面向连接的,不会造成日志消息的丢失;unix-dgram()用在BSD系统上,使用SOCK_DGRAM参数,是无连接的,如果系统过载,会造成日志消息丢失。
测试
logger -p local5.info hello 垃圾收集状态
当满足一定的条件,syslog-ng即会进入垃圾收集状态,而暂时不再接受日志信息。这时,会造成非连接的传输协议的日志丢失(例如UDP)。通过设置下面两个选项可以控制:
引用
gc_idle_threshold(n) :
意思是,一旦被分派的对象到达这个数字,并且当syslog-ng空闲时(100微秒内没有日志消息到达)。此时,syslog-ng就会启动垃圾信息收集状态。
已分配的对象可通过-v命令行参数指定其的最小值。而syslog-ng这个值应该比较小,但比已分配的对象要大即可。 例如,空闲状态,syslog-ng会显示:
引用
Nov 13 16:35:35 syslogng syslog-ng[4510]: STATS: dropped 0
Nov 13 16:45:35 syslogng syslog-ng[4510]: STATS: dropped 0 当忙时:
引用
gc_busy_threshold(n) :当syslog-ng忙时,一旦分派的对象达到这个数字,syslog-ng就进入垃圾信息收集状态的时间。该值应该比较高,以保证正常情况下不会打断日志消息的收取。 ※TCP基于连接方式传输,不会造成日志丢失,而UDP则不同。但因为传统的syslog基于UDP的514端口,所以,UDP方式也经常会使用到。 另外,514也是rshell的默认端口,请注意冲突。 参考:
https://pzolee.blogs.balabit.com/2011/02/syslog-ng-performance-tuning/
http://www.balabit.com/support/documentation/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/pdf/syslog-ng-ose-v3.3-guide-admin-en.pdf
http://dongxicheng.org/search-engine/log-systems/

Posted in Nginx, 日志.

Tagged with , , .

No comments

By C1G 2023/02/28

linux下安装rabbitmq及php-amqplib

补发丢失的贴子。

linux下安装rabbitmq及php-amqplib

一.linux 安装 git

yum 自带git 版本太低了
git version 1.7.1

yum remove git
yum -y install curl-devel expat-devel gettext-devel openssl-devel zlib-devel gcc perl-ExtUtils-MakeMaker
https://github.com/git/git/archive/v2.21.0.tar.gz
tar zxvf v2.21.0.tar.gz
cd git-2.21.0/
make configure
./configure –prefix=/usr/local/git –with-iconv=/usr/local/
make
make install

/usr/local/git/bin/git –version
git version 2.21.0

ln -s /usr/local/git/bin/git /usr/bin/git

git clone –no-checkout ‘https://github.com/php-amqplib/php-amqplib.git’ ‘/opt/php-5.4.45_phar/lib/composer/vendor/php-amqplib/php-amqplib’

SSL connect error fatal: unable to access ‘https://github.com/php-amqplib/php-amqplib.git/’: SSL connect error
git config –global http.sslversion tlsv1 vi /etc/hosts 192.30.255.112 github.com

二.安装composer

Composer 需要 PHP 5.3.2+ openssl 1.0.1+才能运行。

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
php编译时不能带–with-curlwrappers 和–disable-phar

php查看编译参数
php -i |grep configure
Configure Command => ‘./configure’ ‘–prefix=/opt/php-5.4.45’ ‘–with-config-file-path=/opt/php-5.4.45/etc’ ‘–with-mysql=/opt/mysql’ ‘–with-mysqli=/opt/mysql/bin/mysql_config’ ‘–with-iconv-dir=/usr/local’ ‘–with-freetype-dir’ ‘–with-jpeg-dir’ ‘–with-png-dir’ ‘–with-zlib’ ‘–with-libxml-dir=/usr’ ‘–disable-rpath’ ‘–enable-bcmath’ ‘–enable-shmop’ ‘–enable-sysvsem’ ‘–enable-inline-optimization’ ‘–with-curl’ ‘–with-curlwrappers’ ‘–enable-mbregex’ ‘–enable-cgi’ ‘–enable-fpm’ ‘–enable-mbstring’ ‘–with-mcrypt’ ‘–with-gd’ ‘–enable-gd-native-ttf’ ‘–with-openssl’ ‘–with-mhash’ ‘–enable-pcntl’ ‘–enable-sockets’ ‘–with-xmlrpc’ ‘–enable-zip’ ‘–enable-soap’ ‘–enable-xml’ ‘–disable-debug’ ‘–disable-ipv6’ ‘–without-pear’ ‘–disable-phar’ ‘–enable-ftp’ ‘–with-pdo-mysql=/opt/mysql’

–disable-phar 错误

Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The phar extension is missing.
Install it or recompile php without –disable-phar

–with-curlwrappers 错误
PHP was compiled with –with-curlwrappers which will cause issues with HTTP authentication and GitHub. Recompile it without this flag if possible

git 没安装错误
sh: git: command not found

wget https://getcomposer.org/composer.phar ln -s /opt/php/bin/php /usr/bin/php php composer.phar
这将返回给你一个可执行的命令列表。

或者安装成全局方式
mv composer.phar /usr/bin/composer chmod +x /usr/bin/composer composer
创建一个composer.json
{ “require”: { “monolog/monolog”: “1.0.*”, “php-amqplib/php-amqplib”: “>=2.6.1” } }

创建国内镜像
composer clearcache composer config -g repo.packagist composer https://packagist.phpcomposer.com

建议不要用root运行,
运行时compose会在当前用户下创建一个可写的cache目录/home//.compose
sudo -uandychu composer config -g repo.packagist composer https://packagist.phpcomposer.com
会composer.json中添加
“repositories”: { “packagist”: { “type”: “composer”, “url”: “https://packagist.phpcomposer.com” } }

命令行下
php composer.phar install
或者全局方式
composer up

Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals

  • Installing php-amqplib/php-amqplib (v2.8.1): Downloading (failed)
    Downloading (failed)
    Downloading (failed) Failed to download php-amqplib/php-amqplib from dist: Th
    e “https://api.github.com/repos/php-amqplib/php-amqplib/zipball/84449ffd3f5a7466
    bbee3946facb3746ff11f075″ file could not be downloaded: SSL operation failed wit
    h code 1. OpenSSL Error messages:
    error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
    Failed to enable crypto
    failed to open stream: operation failed
    Now trying to download from source
  • Installing php-amqplib/php-amqplib (v2.8.1): Cloning 84449ffd3f from cache
    Writing lock file
    Generating autoload files

vi php.ini
将/opt/php-5.4.45_phar/lib/composer 放入include_path和 open_basedir

reload php

三.linux 安装 Erlang


yum install ncurses ncurses-base ncurses-devel ncurses-libs ncurses-static ncurses-term ocaml-curses ocaml-curses-devel -y
wget http://erlang.org/download/otp_src_21.2.tar.gz
tar zxvf otp_src_21.2.tar.gz
cd otp_src_21.2
./configure –with-ssl -enable-threads -enable-smmp-support -enable-kernel-poll –enable-hipe –without-javac
make
make install
/usr/local/bin/erl
Erlang/OTP 21 [erts-10.2] [source] [64-bit] [smp:40:40] [ds:40:40:10] [async-threads:1] [hipe]

Eshell V10.2 (abort with ^G)
1> halt().

四.linux 安装 rabbitmq

http://www.rabbitmq.com/download.html
wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.11/rabbitmq-server-generic-unix-3.7.11.tar.xz tar xvf rabbitmq-server-generic-unix-3.7.11.tar.xz mv rabbitmq_server-3.7.11 /opt/ cd /opt ln -s rabbitmq_server-3.7.11 rabbitmq cd /opt/rabbitmq/sbin ./rabbitmq-server &


## ##
## ## RabbitMQ 3.7.11. Copyright (C) 2007-2019 Pivotal Software, Inc.
########## Licensed under the MPL. See http://www.rabbitmq.com/
###### ##
########## Logs: /opt/rabbitmq/var/log/rabbitmq/[email protected]
/opt/rabbitmq/var/log/rabbitmq/[email protected]_upgrade.log

          Starting broker...

completed with 0 plugins.

[bin]# ./rabbitmqctl status
Status of node [email protected]
[{pid,28884},
{running_applications,
[{rabbit,”RabbitMQ”,”3.7.11″},
{mnesia,”MNESIA CXC 138 12″,”4.15.5″},
{os_mon,”CPO CXC 138 46″,”2.4.7″},
{sysmon_handler,”Rate-limiting system_monitor event handler”,”1.1.0″},
{rabbit_common,
“Modules shared by rabbitmq-server and rabbitmq-erlang-client”,
“3.7.11”},
{ranch,”Socket acceptor pool for TCP protocols.”,”1.7.1″},
{ssl,”Erlang/OTP SSL application”,”9.1″},
{public_key,”Public key infrastructure”,”1.6.4″},
{asn1,”The Erlang ASN1 compiler version 5.0.8″,”5.0.8″},
{inets,”INETS CXC 138 49″,”7.0.3″},
{recon,”Diagnostic tools for production use”,”2.3.6″},
{xmerl,”XML parser”,”1.3.18″},
{jsx,”a streaming, evented json parsing toolkit”,”2.9.0″},
{crypto,”CRYPTO”,”4.4″},
{lager,”Erlang logging framework”,”3.6.5″},
{goldrush,”Erlang event stream processor”,”0.1.9″},
{compiler,”ERTS CXC 138 10″,”7.3″},
{syntax_tools,”Syntax tools”,”2.1.6″},
{sasl,”SASL CXC 138 11″,”3.3″},
{stdlib,”ERTS CXC 138 10″,”3.7″},
{kernel,”ERTS CXC 138 10″,”6.2″}]},
{os,{unix,linux}},
{erlang_version,
“Erlang/OTP 21 [erts-10.2] [source] [64-bit] [smp:40:40] [ds:40:40:10] [async-threads:640] [hipe]\n”},
{memory,
[{connection_readers,0},
{connection_writers,0},
{connection_channels,0},
{connection_other,0},
{queue_procs,0},
{queue_slave_procs,0},
{plugins,10044},
{other_proc,33404336},
{metrics,197308},
{mgmt_db,0},
{mnesia,73360},
{other_ets,2314472},
{binary,150240},
{msg_index,29488},
{code,20364814},
{atom,1082561},
{other_system,30248961},
{allocated_unused,50253824},
{reserved_unallocated,0},
{strategy,rss},
{total,[{erlang,87875584},{rss,113528832},{allocated,138129408}]}]},
{alarms,[]},
{listeners,[{clustering,25672,”::”},{amqp,5672,”0.0.0.0″}]},
{vm_memory_calculation_strategy,rss},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,13413631590},
{disk_free_limit,50000000},
{disk_free,322518425600},
{file_descriptors,
[{total_limit,51100},
{total_used,2},
{sockets_limit,45988},
{sockets_used,0}]},
{processes,[{limit,1048576},{used,253}]},
{run_queue,1},
{uptime,128},
{kernel,{net_ticktime,60}}]

启动服务: ./rabbitmq-server &

查看服务状态:./rabbitmqctl status

关闭服务:./rabbitmqctl stop

启动管理 ./rabbitmq-plugins enable rabbitmq_management

查看mq用户:./rabbitmqctl list_users

查看用户权限:./rabbitmqctl list_user_permissions guest

新增用户: ./rabbitmqctl add_user admin 123456
./rabbitmqctl add_user admin tEneYxJm
./rabbitmqctl add_user yjsworker 7G2hMuXf

设为管理员
./rabbitmqctl set_user_tags admin administrator

编辑配置文件

cd /opt/rabbitmq/etc/rabbitmq
wget https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/master/docs/rabbitmq.conf.example
cp rabbitmq.conf.example rabbitmq.conf

vi rabbitmq.conf
listeners.tcp.local = 192.168.0.37:5672
management.tcp.port = 15672
management.tcp.ip = 192.168.0.37

management.http_log_dir = /var/log/nginx/access.log

management.tcp.port = 15672
management.tcp.ip = 192.168.0.37

五.开机启动

vi /etc/rc.local /opt/rabbitmq/sbin/rabbitmq-server &

六.iptables


iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp –dport 5672 -j ACCEPT
iptables -A INPUT -s 192.168.0.40/32 -p tcp -m tcp –dport 15672 -j ACCEPT
/etc/init.d/iptables save

七.nginx配置

vi /opt/nginx/conf/nginx.conf

server
{
listen 80;
server_name admin.c1gstudio.com;
index index.html index.htm index.php;
root /opt/htdocs/www;

    include manageip.conf;
    deny    all;

     location /rabbit/ {
      proxy_pass        http://192.168.0.37:15672/;
      proxy_set_header  Host        $host;
      proxy_set_header  X-Real-IP   $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
     }            

     location / {
      proxy_pass        http://192.168.0.37:80/;
      proxy_set_header  Host        $host;
      proxy_set_header  X-Real-IP   $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      #proxy_set_header X-Forwarded-For $remote_addr;
      proxy_redirect    off;
     }            

         access_log  /opt/nginx/logs/access.log  access;
 }

八.测试

打开send.php文件:

<?php

require_once DIR . ‘/vendor/autoload.php’;

use PhpAmqpLib\Connection\AMQPStreamConnection;
use PhpAmqpLib\Message\AMQPMessage;

// RabbitMQ 默认端口5672, 默认账号密码: guest / guest
// $host = ‘localhost’;
$host = ‘192.168.99.100’;
$port = ‘5672’;
$username = ‘guest’;
$password = ‘guest’;

// $connection = new AMQPStreamConnection(‘localhost’, 5672, ‘guest’, ‘guest’);
$connection = new AMQPStreamConnection($host, $port, $username, $password);
$channel = $connection->channel();
$channel->queue_declare(‘hello’, false, false, false, false);

$msg = new AMQPMessage(‘Hello World!’);
$channel->basic_publish($msg, ”, ‘hello’);
echo ” [x] Sent ‘Hello World!’\n”;

$channel->close();
$connection->close();

打开 receive.php 文件:

<?php
// file: receive.php
require_once DIR . ‘/vendor/autoload.php’;
use PhpAmqpLib\Connection\AMQPStreamConnection;

// RabbitMQ 默认端口5672, 默认账号密码: guest / guest
// $host = ‘localhost’;
// $host = ‘5672’;
$host = ‘192.168.99.100’;
$port = ‘5672’;
$username = ‘guest’;
$password = ‘guest’;

$connection = new AMQPStreamConnection($host, $port, $username, $password);
$channel = $connection->channel();

$queueName = ‘hello-test’;
$channel->queue_declare($queueName, false, false, false, false);

echo ‘ [*] Waiting for messages. To exit press CTRL+C’, “\n”;

$callback = function($msg) {
echo ” [x] Received: {“, $msg->body, “}\n”;
};

$channel->basic_consume($queueName, ”, false, true, false, false, $callback);

while(count($channel->callbacks)) {
$channel->wait();
}

发送和结束队列消息
先执行receive.php.
再执行send.php文件,来发送消息:

$ php send.php
[x] Sent: {18-02-10 02:35:15: Hello World!}
$ php send.php
[x] Sent: {18-02-10 02:35:34: Hello World!}

https://docs.phpcomposer.com/01-basic-usage.htmlhttp://www.rabbitmq.com/tutorials/tutorial-one-php.html

php-amqplib amqp-ext 性能对比

https://blog.forma-pro.com/php-amqp-clients-benchmark-them-all-8a4e6adb1a6b

RabbitMQ的用户角色分类:
none、management、policymaker、monitoring、administrator

RabbitMQ各类角色描述:
none
不能访问 management plugin

management
用户可以通过AMQP做的任何事外加:
列出自己可以通过AMQP登入的virtual hosts
查看自己的virtual hosts中的queues, exchanges 和 bindings
查看和关闭自己的channels 和 connections
查看有关自己的virtual hosts的“全局”的统计信息,包含其他用户在这些virtual hosts中的活动。

policymaker
management可以做的任何事外加:
查看、创建和删除自己的virtual hosts所属的policies和parameters

monitoring
management可以做的任何事外加:
列出所有virtual hosts,包括他们不能登录的virtual hosts
查看其他用户的connections和channels
查看节点级别的数据如clustering和memory使用情况
查看真正的关于所有virtual hosts的全局的统计信息

administrator
policymaker和monitoring可以做的任何事外加:
创建和删除virtual hosts
查看、创建和删除users
查看创建和删除permissions
关闭其他用户的connections

创建用户并设置角色:
可以创建管理员用户,负责整个MQ的运维,例如:
$sudo rabbitmqctl add_user user_admin passwd_admin
赋予其administrator角色:
$sudo rabbitmqctl set_user_tags user_admin administrator

可以创建RabbitMQ监控用户,负责整个MQ的监控,例如:
$sudo rabbitmqctl add_user user_monitoring passwd_monitor
赋予其monitoring角色:
$sudo rabbitmqctl set_user_tags user_monitoring monitoring

可以创建某个项目的专用用户,只能访问项目自己的virtual hosts
$sudo rabbitmqctl add_user user_proj passwd_proj
赋予其monitoring角色:
$sudo rabbitmqctl set_user_tags user_proj management

创建和赋角色完成后查看并确认:
$sudo rabbitmqctl list_users

RabbitMQ 权限控制
默认virtual host:”/”
默认用户:guest
guest具有”/”上的全部权限,仅能有localhost访问RabbitMQ包括Plugin,建议删除或更改密码。可通过将配置文件中loopback_users置孔来取消其本地访问的限制:
[{rabbit, [{loopback_users, []}]}]

用户仅能对其所能访问的virtual hosts中的资源进行操作。这里的资源指的是virtual hosts中的exchanges、queues等,操作包括对资源进行配置、写、读。配置权限可创建、删除、资源并修改资源的行为,写权限可向资源发送消息,读权限从资源获取消息。比如:
exchange和queue的declare与delete分别需要exchange和queue上的配置权限
exchange的bind与unbind需要exchange的读写权限
queue的bind与unbind需要queue写权限exchange的读权限
发消息(publish)需exchange的写权限
获取或清除(get、consume、purge)消息需queue的读权限

对何种资源具有配置、写、读的权限通过正则表达式来匹配,具体命令如下:
set_permissions [-p ]
其中, 的位置分别用正则表达式来匹配特定的资源,如’^(amq.gen.*|amq.default)$’可以匹配server生成的和默认的exchange,’^$’不匹配任何资源

需要注意的是RabbitMQ会缓存每个connection或channel的权限验证结果、因此权限发生变化后需要重连才能生效。

为用户赋权:
$sudo rabbitmqctl set_permissions -p /vhost1 user_admin ‘.’ ‘.’ ‘.*’
该命令使用户user_admin具有/vhost1这个virtual host中所有资源的配置、写、读权限以便管理其中的资源

按用户查看权限:

$sudo rabbitmqctl list_user_permissions user_admin

按服务器查看权限

$sudo rabbitmqctl list_permissions -p /vhost1

Fatal error: Uncaught exception ‘PhpAmqpLib\Exception\AMQPProtocolConnectionException’ with message ‘UNEXPECTED_FRAME – expected content header for class 60, got non content header frame instead’ in /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Connection/AbstractConnection.php:715 Stack trace: #0 [internal function]: PhpAmqpLib\Connection\AbstractConnection->connection_close(Object(PhpAmqpLib\Wire\AMQPReader)) #1 /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Channel/AbstractChannel.php(211): call_user_func(Array, Object(PhpAmqpLib\Wire\AMQPReader)) #2 /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Channel/AbstractChannel.php(369): PhpAmqpLib\Channel\AbstractChannel->dispatch(‘10,50’, ‘\x01\xF9]UNEXPECTED_F…’, NULL) #3 /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Connection/AbstractConnection.php(644): PhpAmqpLib\Channel\AbstractChannel->wait() #4 /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Chan in /opt/php-5.4.45/lib/composer/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Connection/AbstractConnection.php on line 715

后续安装参考
https://help.aliyun.com/document_detail/53100.html?spm=a2c4g.11186623.0.0.503b522f7G2rRn

Posted in 消息rabbitmq.

Tagged with , .

No comments

By C1G 2023/02/28

nginx自适应https的反向代理

方式一,写死地址,用变量

最简洁

map $scheme $online_proxy_www {
default 39.156.66.10;
}

proxy_pass $scheme://$online_proxy_www:$server_port;

方式二,写两个upstream,再用proxy_pass覆盖法

缺点需要维护2个upsteam

upstream online_proxy_www {
server 39.156.66.10:80;
}
upstream online_proxy_www_https {
server 39.156.66.10:443;
}

proxy_pass $scheme://online_proxy_www;

自适应https

if ( $scheme = https) {
proxy_pass $scheme://online_proxy_www_https;
}

方式三,upstream backup法

最简单,缺点会多一次请求,多个错误日志

upstream online_proxy_www {
server 39.156.66.10:80;39.156.66.10
server 39.156.66.10:443 backup;
}
proxy_pass $scheme://online_proxy_www;

==========================

nginx.conf示例

upstream online_proxy_www {
    server   39.156.66.10:80;
    #server   39.156.66.10:443 backup;
}
upstream online_proxy_www_https {
    server   39.156.66.10:443;
}


server
{
    listen       80;
    listen       443 ssl;
    server_name  blog.c1gstudio.com;
    index index.html index.htm index.php;
    root  /opt/htdocs/www;
    access_log  /var/log/nginx/blog.c1gstudio.com.log  access ;

    include ssl.conf;

    location /
    {
        proxy_set_header Host  $host;
        proxy_set_header X-Forwarded-For $proxypass_forwarded_for;
        proxy_pass $scheme://$online_proxy_www:$server_port;

        add_header      X-Cache   C1GPROXY1;
    }


}

Posted in Nginx.

Tagged with , .

No comments

By C1G 2023/02/28

部分贴子丢失

服务商自动升级了DB,导致乱码而丢失了部分贴子.

Posted in 技术.

No comments

By C1G 2022/08/02

openresty+lua实现WAF应用防火墙

1.#基础包安装

yum -y install readline-devel pcre-devel zlib zlib-devel gcc

2.升级openssl

#yum -y openssl-devel

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

wget –no-check-certificate https://www.openssl.org/source/openssl-1.1.1l.tar.gz
tar -zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
./config shared zlib
make && make install

#ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

备份当前Openssl
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old

使用新版Openssl
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

更新动态链接库数据
echo “/usr/local/lib/” >> /etc/ld.so.conf
ldconfig

openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

openssl version
OpenSSL 1.1.1l 24 Aug 2021

3.安装pcre

pcre没找到,编辑时加上–with-pcre=../pcre-8.30 \
0.10/src/ngx_stream_lua_regex.c:205: undefined reference to `pcre_jit_stack_alloc’
collect2: ld returned 1 exit status

#wget -nv http://downloads.sourceforge.net/project/pcre/pcre/8.30/pcre-8.30.tar.gz -O pcre-8.30.tar.gz

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
tar xzvf pcre-8.30.tar.gz
cd pcre-8.30
./configure –enable-utf8 –enable-unicode-properties
make
make install
ln -s /lib64/libpcre.so.0.0.1 /lib64/libpcre.so.1

4.下载ngx_cache_purge清缓组件

wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
tar zxvf ngx_cache_purge-2.3.tar.gz

5.安装openresty

wget https://openresty.org/download/openresty-1.19.9.1.tar.gz
tar zxvf openresty-1.19.9.1.tar.gz
cd openresty-1.19.9.1

伪装openresty为xcdn
sed -i ‘s/”openresty/”xcdn/g’ bundle/nginx-1.19.9/src/core/nginx.h
sed -i “s#Server: openresty#Server: xcdn#” bundle/nginx-1.19.9/src/http/ngx_http_header_filter_module.c
sed -i “s#\”

openresty<\/center>\”#\”

xcdn<\/center>\”#” bundle/nginx-1.19.9/src//http/ngx_http_special_response.c

./configure –user=www –group=website –prefix=/opt/openresty-1.19.9.1 \
–with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module \
–with-http_geoip_module \
–with-http_gzip_static_module \
–with-http_auth_request_module \
–with-http_secure_link_module \
–with-http_degradation_module \
–with-http_stub_status_module \
–add-module=../ngx_cache_purge-2.3 \
–with-pcre=../pcre-8.30 \
–with-cc-opt=”-I /usr/local/include/openssl/ ” \
–with-ld-opt=”-L/usr/local/lib64″

gmake
gmake install

复制原配置文件
cd /opt/nginx/conf/
cp -ar ssl webip.conf geo.*.conf GeoIP.dat manageip.conf fcgi.conf htpasswd nginx.conf /opt/openresty-1.19.9.1/nginx/conf/

4.下载和配置 ngx_lua_waf

nginx下常见的开源 waf 有 mod_security、naxsi、ngx_lua_waf 这三个,ngx_lua_waf 性能高和易用性强,基本上零配置,而且常见的攻击类型都能防御,是比较省心的选择。

其git 地址为 https://github.com/loveshell/ngx_lua_waf
wget --no-check-certificate https://github.com/loveshell/ngx_lua_waf/archive/master.zip
unzip master.zip
mv ngx_lua_waf-master /opt/openresty-1.19.9.1/nginx/conf/waf
chown -R www:website /opt/openresty-1.19.9.1/nginx/conf
chown -R www:website /opt/openresty-1.19.9.1/nginx/logs
chmod 775 /opt/openresty-1.19.9.1/nginx/conf
chmod 775 /opt/openresty-1.19.9.1/nginx/conf/waf
chmod 775 /opt/openresty-1.19.9.1/nginx/conf/waf/wafconf
chmod 664 /opt/openresty-1.19.9.1/nginx/conf/.

mkdir -p /opt/openresty-1.19.9.1/nginx/logs/hack
chown www:website /opt/openresty-1.19.9.1/nginx/logs/hack
chmod -R 775 /opt/openresty-1.19.9.1/nginx/logs/hack

测试配置文件
/opt/openresty-1.19.9.1/nginx/sbin/nginx -t

注意和tengine的不兼容配置
注释掉server_info和#server_tag
[emerg] unknown directive “server_info” in /opt/openresty-1.19.9.1/nginx/conf/nginx.conf:49

#server_info off;

#server_tag off;

在http段增加清除server头
more_clear_headers "Server";

去除dso段

limit_req_zone 不支持多个key
ginx: [emerg] invalid number of arguments in “limit_req_zone” directive in /opt/openresty-1.19.9.1/nginx/conf/nginx.conf:90

#limit_req_zone $binary_remote_addr $uri zone=two:30m rate=20r/s;

5.配置ngx_lua_waf

https://github.com/loveshell/ngx_lua_waf在nginx.conf的http段添加

lua_package_path "/opt/openresty-1.19.9.1/lualib/?.lua;/opt/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /opt/openresty-1.19.9.1/nginx/conf/waf/init.lua; 
access_by_lua_file /opt/openresty-1.19.9.1/nginx/conf/waf/waf.lua;

配置config.lua里的waf规则目录(一般在waf/conf/目录下)

RulePath = "/opt/nginx/conf/waf/wafconf/"

然后重启nginx即可
部署完毕可以尝试如下命令:

curl http://xxxx/test.php?id=../etc/passwd
日志文件名称格式如下:虚拟主机名_sec.log

配置时一些错误
nginx: [alert] failed to load the ‘resty.core’ module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module ‘resty.core’ not found:
no field package.preload[‘resty.core’]
no file ‘/opt/nginx/conf/waf/resty/core.lua’
no file ‘/opt/openresty-1.19.9.1/lualib/resty/resty/core.lua’
no file ‘/opt/openresty-1.19.9.1/site/lualib/resty/core.so’
no file ‘/opt/openresty-1.19.9.1/lualib/resty/core.so’
no file ‘./resty/core.so’
no file ‘/usr/local/lib/lua/5.1/resty/core.so’
no file ‘/opt/openresty-1.19.9.1/luajit/lib/lua/5.1/resty/core.so’
no file ‘/usr/local/lib/lua/5.1/loadall.so’
no file ‘/opt/openresty-1.19.9.1/site/lualib/resty.so’
no file ‘/opt/openresty-1.19.9.1/lualib/resty.so’
no file ‘./resty.so’
no file ‘/usr/local/lib/lua/5.1/resty.so’
no file ‘/opt/openresty-1.19.9.1/luajit/lib/lua/5.1/resty.so’
no file ‘/usr/local/lib/lua/5.1/loadall.so’) in /opt/openresty-1.19.9.1/nginx/conf/nginx.conf:214

将/opt/openresty-1.19.9.1/lualib/?.lua; 加进lua_package_path
lua_package_path “/opt/openresty-1.19.9.1/lualib/?.lua;/opt/nginx/conf/waf/?.lua”;

user-agent中去除|bench,允许NetworkBench访问
“Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.77.34.5 Safari/537.36; NetworkBench/79.0.3917.0-8710402-0” “(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)”

user-agent中去除|PycURL,允许监控访问

openresty编辑说明
–help this message

–prefix=PATH set the installation prefix (default to /usr/local/openresty)

–with-debug enable debug logging

–with-no-pool-patch enable the no-pool patch for debugging memory issues

-jN pass -jN option to make while building LuaJIT 2.1

–without-http_echo_module disable ngx_http_echo_module
–without-http_xss_module disable ngx_http_xss_module
–without-http_coolkit_module disable ngx_http_coolkit_module
–without-http_set_misc_module disable ngx_http_set_misc_module
–without-http_form_input_module disable ngx_http_form_input_module
–without-http_encrypted_session_module
disable ngx_http_encrypted_session_module
–without-http_srcache_module disable ngx_http_srcache_module
–without-http_lua_module disable ngx_http_lua_module
–without-http_lua_upstream_module disable ngx_http_lua_upstream_module
–without-http_headers_more_module disable ngx_http_headers_more_module
–without-http_array_var_module disable ngx_http_array_var_module
–without-http_memc_module disable ngx_http_memc_module
–without-http_redis2_module disable ngx_http_redis2_module
–without-http_redis_module disable ngx_http_redis_module
–without-http_rds_json_module disable ngx_http_rds_json_module
–without-http_rds_csv_module disable ngx_http_rds_csv_module
–without-stream_lua_module disable ngx_stream_lua_module
–without-ngx_devel_kit_module disable ngx_devel_kit_module
–without-stream disable TCP/UDP proxy module
–without-http_ssl_module disable ngx_http_ssl_module
–without-stream_ssl_module disable ngx_stream_ssl_module

–with-http_iconv_module enable ngx_http_iconv_module
–with-http_drizzle_module enable ngx_http_drizzle_module
–with-http_postgres_module enable ngx_http_postgres_module

–without-lua_cjson disable the lua-cjson library
–without-lua_tablepool disable the lua-tablepool library (and by consequence, the
lua-resty-shell library)
–without-lua_redis_parser disable the lua-redis-parser library
–without-lua_rds_parser disable the lua-rds-parser library
–without-lua_resty_dns disable the lua-resty-dns library
–without-lua_resty_memcached disable the lua-resty-memcached library
–without-lua_resty_redis disable the lua-resty-redis library
–without-lua_resty_mysql disable the lua-resty-mysql library
–without-lua_resty_upload disable the lua-resty-upload library
–without-lua_resty_upstream_healthcheck
disable the lua-resty-upstream-healthcheck library
–without-lua_resty_string disable the lua-resty-string library
–without-lua_resty_websocket disable the lua-resty-websocket library
–without-lua_resty_limit_traffic disable the lua-resty-limit-traffic library
–without-lua_resty_lock disable the lua-resty-lock library
–without-lua_resty_lrucache disable the lua-resty-lrucache library
–without-lua_resty_signal disable the lua-resty-signal library (and by consequence,
the lua-resty-shell library)
–without-lua_resty_shell disable the lua-resty-shell library
–without-lua_resty_core disable the lua-resty-core library

–with-luajit=DIR use the external LuaJIT 2.1 installation specified by DIR
–with-luajit-xcflags=FLAGS Specify extra C compiler flags for LuaJIT 2.1
–with-luajit-ldflags=FLAGS Specify extra C linker flags for LuaJIT 2.1
–without-luajit-lua52 Turns off the LuaJIT extensions from Lua 5.2 that may break
backward compatibility
–without-luajit-gc64 Turns off the LuaJIT GC64 mode (which is enabled by default
on x86_64)

–with-libdrizzle=DIR specify the libdrizzle 1.0 (or drizzle) installation prefix
–with-libpq=DIR specify the libpq (or postgresql) installation prefix
–with-pg_config=PATH specify the path of the pg_config utility

Options directly inherited from nginx

–sbin-path=PATH set nginx binary pathname
–modules-path=PATH set modules path
–conf-path=PATH set nginx.conf pathname
–error-log-path=PATH set error log pathname
–pid-path=PATH set nginx.pid pathname
–lock-path=PATH set nginx.lock pathname

–user=USER set non-privileged user for
worker processes
–group=GROUP set non-privileged group for
worker processes

–build=NAME set build name
–builddir=DIR set build directory

–with-select_module enable select module
–without-select_module disable select module
–with-poll_module enable poll module
–without-poll_module disable poll module

–with-threads enable thread pool support

–with-file-aio enable file AIO support

–with-http_ssl_module enable ngx_http_ssl_module (default on)
–with-http_v2_module enable ngx_http_v2_module
–with-http_realip_module enable ngx_http_realip_module
–with-http_addition_module enable ngx_http_addition_module
–with-http_xslt_module enable ngx_http_xslt_module
–with-http_xslt_module=dynamic enable dynamic ngx_http_xslt_module
–with-http_image_filter_module enable ngx_http_image_filter_module
–with-http_image_filter_module=dynamic
enable dynamic ngx_http_image_filter_module
–with-http_geoip_module enable ngx_http_geoip_module
–with-http_geoip_module=dynamic enable dynamic ngx_http_geoip_module
–with-http_sub_module enable ngx_http_sub_module
–with-http_dav_module enable ngx_http_dav_module
–with-http_flv_module enable ngx_http_flv_module
–with-http_mp4_module enable ngx_http_mp4_module
–with-http_gunzip_module enable ngx_http_gunzip_module
–with-http_gzip_static_module enable ngx_http_gzip_static_module
–with-http_auth_request_module enable ngx_http_auth_request_module
–with-http_random_index_module enable ngx_http_random_index_module
–with-http_secure_link_module enable ngx_http_secure_link_module
–with-http_degradation_module enable ngx_http_degradation_module
–with-http_slice_module enable ngx_http_slice_module
–with-http_stub_status_module enable ngx_http_stub_status_module

–without-http_charset_module disable ngx_http_charset_module
–without-http_gzip_module disable ngx_http_gzip_module
–without-http_ssi_module disable ngx_http_ssi_module
–without-http_userid_module disable ngx_http_userid_module
–without-http_access_module disable ngx_http_access_module
–without-http_auth_basic_module disable ngx_http_auth_basic_module
–without-http_mirror_module disable ngx_http_mirror_module
–without-http_autoindex_module disable ngx_http_autoindex_module
–without-http_geo_module disable ngx_http_geo_module
–without-http_map_module disable ngx_http_map_module
–without-http_split_clients_module disable ngx_http_split_clients_module
–without-http_referer_module disable ngx_http_referer_module
–without-http_rewrite_module disable ngx_http_rewrite_module
–without-http_proxy_module disable ngx_http_proxy_module
–without-http_fastcgi_module disable ngx_http_fastcgi_module
–without-http_uwsgi_module disable ngx_http_uwsgi_module
–without-http_scgi_module disable ngx_http_scgi_module
–without-http_grpc_module disable ngx_http_grpc_module
–without-http_memcached_module disable ngx_http_memcached_module
–without-http_limit_conn_module disable ngx_http_limit_conn_module
–without-http_limit_req_module disable ngx_http_limit_req_module
–without-http_empty_gif_module disable ngx_http_empty_gif_module
–without-http_browser_module disable ngx_http_browser_module
–without-http_upstream_hash_module
disable ngx_http_upstream_hash_module
–without-http_upstream_ip_hash_module
disable ngx_http_upstream_ip_hash_module
–without-http_upstream_least_conn_module
disable ngx_http_upstream_least_conn_module
–without-http_upstream_random_module
disable ngx_http_upstream_random_module
–without-http_upstream_keepalive_module
disable ngx_http_upstream_keepalive_module
–without-http_upstream_zone_module
disable ngx_http_upstream_zone_module

–with-http_perl_module enable ngx_http_perl_module
–with-http_perl_module=dynamic enable dynamic ngx_http_perl_module
–with-perl_modules_path=PATH set Perl modules path
–with-perl=PATH set perl binary pathname

–http-log-path=PATH set http access log pathname
–http-client-body-temp-path=PATH set path to store
http client request body temporary files
–http-proxy-temp-path=PATH set path to store
http proxy temporary files
–http-fastcgi-temp-path=PATH set path to store
http fastcgi temporary files
–http-uwsgi-temp-path=PATH set path to store
http uwsgi temporary files
–http-scgi-temp-path=PATH set path to store
http scgi temporary files

–without-http disable HTTP server
–without-http-cache disable HTTP cache

–with-mail enable POP3/IMAP4/SMTP proxy module
–with-mail=dynamic enable dynamic POP3/IMAP4/SMTP proxy module
–with-mail_ssl_module enable ngx_mail_ssl_module
–without-mail_pop3_module disable ngx_mail_pop3_module
–without-mail_imap_module disable ngx_mail_imap_module
–without-mail_smtp_module disable ngx_mail_smtp_module

–with-stream enable TCP/UDP proxy module (default on)
–with-stream=dynamic enable dynamic TCP/UDP proxy module
–with-stream_ssl_module enable ngx_stream_ssl_module (default on)
–with-stream_realip_module enable ngx_stream_realip_module
–with-stream_geoip_module enable ngx_stream_geoip_module
–with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
–with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
–without-stream_limit_conn_module disable ngx_stream_limit_conn_module
–without-stream_access_module disable ngx_stream_access_module
–without-stream_geo_module disable ngx_stream_geo_module
–without-stream_map_module disable ngx_stream_map_module
–without-stream_split_clients_module
disable ngx_stream_split_clients_module
–without-stream_return_module disable ngx_stream_return_module
–without-stream_upstream_hash_module
disable ngx_stream_upstream_hash_module
–without-stream_upstream_least_conn_module
disable ngx_stream_upstream_least_conn_module
–without-stream_upstream_random_module
disable ngx_stream_upstream_random_module
–without-stream_upstream_zone_module
disable ngx_stream_upstream_zone_module

–with-google_perftools_module enable ngx_google_perftools_module
–with-cpp_test_module enable ngx_cpp_test_module

–add-module=PATH enable external module
–add-dynamic-module=PATH enable dynamic external module

–with-compat dynamic modules compatibility

–with-cc=PATH set C compiler pathname
–with-cpp=PATH set C preprocessor pathname
–with-cc-opt=OPTIONS set additional C compiler options
–with-ld-opt=OPTIONS set additional linker options
–with-cpu-opt=CPU build for the specified CPU, valid values:
pentium, pentiumpro, pentium3, pentium4,
athlon, opteron, sparc32, sparc64, ppc64

–without-pcre disable PCRE library usage
–with-pcre force PCRE library usage
–with-pcre=DIR set path to PCRE library sources
–with-pcre-opt=OPTIONS set additional build options for PCRE
–with-pcre-jit build PCRE with JIT compilation support

–with-zlib=DIR set path to zlib library sources
–with-zlib-opt=OPTIONS set additional build options for zlib
–with-zlib-asm=CPU use zlib assembler sources optimized
for the specified CPU, valid values:
pentium, pentiumpro

–with-libatomic force libatomic_ops library usage
–with-libatomic=DIR set path to libatomic_ops library sources

–with-openssl=DIR set path to OpenSSL library sources
–with-openssl-opt=OPTIONS set additional build options for OpenSSL

–dry-run dry running the configure, for testing only
–platform=PLATFORM forcibly specify a platform name, for testing only

参考:
接入层限流之OpenResty提供的Lua限流模块lua-resty-limit-tra
https://www.jianshu.com/p/687e63118d84

又拍云张聪:OpenResty 动态流控的几种姿势
https://www.cnblogs.com/upyun/p/10307741.html

Posted in Nginx.

Tagged with , .

No comments

By C1G 2022/02/24

升级安装Tenginer2.3.3+lua+ngx_lua支持WAF防护功能

1、安装或升级autoconf

安装jemalloc是可能出现autoconf版本不够高
configure.ac:2: error: Autoconf version 2.68 or higher is required
configure.ac:2: the top level
autom4te: /usr/bin/m4 failed with exit status: 63
Error 0 in autoconf

升级autoconf
yum -y install autogen autoconf
Package autoconf-2.63-5.1.el6.noarch already installed and latest version
Nothing to do

查询当前autoconf版本
rpm -qf /usr/bin/autoconf
autoconf-2.63-5.1.el6.noarch

下载并编译
wget ftp://ftp.gnu.org/gnu/autoconf/autoconf-2.68.tar.gz
tar zxvf autoconf-2.68.tar.gz
cd autoconf-2.68
./configure –prefix=/usr/

卸载当前版本
rpm -e –nodeps autoconf-2.63

安装
make && make install

查看版本
autoconf -V
autoconf (GNU Autoconf) 2.68
cd ..

2、jemalloc安装

github 地址 :https://github.com/jemalloc/jemalloc/tree/master
编译安装jemalloc

wget –no-check-certificate https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jemalloc-5.2.1.tar.bz2

wget -O jemalloc-5.2.1.tar.gz https://github.com/jemalloc/jemalloc/archive/refs/tags/5.2.1.tar.gz
tar -xf jemalloc-5.2.1.tar.gz && cd jemalloc-5.2.1
./autogen.sh

make -j8
make install

如果/usr/local/lib 没在ldconfig中
echo ‘/usr/local/lib’ > /etc/ld.so.conf.d/local.conf
ldconfig
cd ..

3、lua安装

curl -R -O http://www.lua.org/ftp/lua-5.4.3.tar.gz
tar zxf lua-5.4.3.tar.gz
cd lua-5.4.3
make linux
make install
cd ..

4、安装luajit

然后从https://github.com/openresty/luajit2下载安装
https://github.com/openresty/luajit2/archive/refs/heads/v2.1-agentzh.zip
unzip luajit2-2.1-agentzh.zip
cd luajit2-2.1-agentzh
make && make install
cd ..

5、安装tengine

tengine 编译说明
–prefix= 指向安装目录
–sbin-path 指向(执行)程序文件(nginx)
–conf-path= 指向配置文件(nginx.conf)
–error-log-path= 指向错误日志目录
–pid-path= 指向pid文件(nginx.pid)
–lock-path= 指向lock文件(nginx.lock)(安装文件锁定,防止安装文件被别人利用,或自己误操作。)
–user= 指定程序运行时的非特权用户
–group= 指定程序运行时的非特权用户组
–builddir= 指向编译目录
–with-rtsig_module 启用rtsig模块支持(实时信号)
–with-select_module 启用select模块支持(一种轮询模式,不推荐在高载环境下使用)禁用:–without-select_module
–with-poll_module 启用poll模块支持(功能与select相同,与select特性相同,为一种轮询模式,不推荐在高载环境下使用)
–with-file-aio 启用file aio支持(一种APL文件传输格式)
–with-ipv6 启用ipv6支持
–with-http_ssl_module 启用ngx_http_ssl_module支持(使支持https请求,需已安装openssl)
–with-http_realip_module 启用ngx_http_realip_module支持(这个模块允许从请求标头更改客户端的IP地址值,默认为关)
–with-http_addition_module 启用ngx_http_addition_module支持(作为一个输出过滤器,支持不完全缓冲,分部分响应请求)
–with-http_xslt_module 启用ngx_http_xslt_module支持(过滤转换XML请求)
–with-http_image_filter_module 启用ngx_http_image_filter_module支持(传输JPEG/GIF/PNG 图片的一个过滤器)(默认为不启用。gd库要用到)
–with-http_geoip_module 启用ngx_http_geoip_module支持(该模块创建基于与MaxMind GeoIP二进制文件相配的客户端IP地址的ngx_http_geoip_module变量)
–with-http_sub_module 启用ngx_http_sub_module支持(允许用一些其他文本替换nginx响应中的一些文本)
–with-http_dav_module 启用ngx_http_dav_module支持(增加PUT,DELETE,MKCOL:创建集合,COPY和MOVE方法)默认情况下为关闭,需编译开启
–with-http_flv_module 启用ngx_http_flv_module支持(提供寻求内存使用基于时间的偏移量文件)
–with-http_gzip_static_module 启用ngx_http_gzip_static_module支持(在线实时压缩输出数据流)
–with-http_random_index_module 启用ngx_http_random_index_module支持(从目录中随机挑选一个目录索引)
–with-http_secure_link_module 启用ngx_http_secure_link_module支持(计算和检查要求所需的安全链接网址)
–with-http_degradation_module 启用ngx_http_degradation_module支持(允许在内存不足的情况下返回204或444码)
–with-http_stub_status_module 启用ngx_http_stub_status_module支持(获取nginx自上次启动以来的工作状态)
–without-http_charset_module 禁用ngx_http_charset_module支持(重新编码web页面,但只能是一个方向–服务器端到客户端,并且只有一个字节的编码可以被重新编码)
–without-http_gzip_module 禁用ngx_http_gzip_module支持(该模块同-with-http_gzip_static_module功能一样)
–without-http_ssi_module 禁用ngx_http_ssi_module支持(该模块提供了一个在输入端处理处理服务器包含文件(SSI)的过滤器,目前支持SSI命令的列表是不完整的)
–without-http_userid_module 禁用ngx_http_userid_module支持(该模块用来处理用来确定客户端后续请求的cookies)
–without-http_access_module 禁用ngx_http_access_module支持(该模块提供了一个简单的基于主机的访问控制。允许/拒绝基于ip地址)
–without-http_auth_basic_module禁用ngx_http_auth_basic_module(该模块是可以使用用户名和密码基于http基本认证方法来保护你的站点或其部分内容)
–without-http_autoindex_module 禁用disable ngx_http_autoindex_module支持(该模块用于自动生成目录列表,只在ngx_http_index_module模块未找到索引文件时发出请求。)
–without-http_geo_module 禁用ngx_http_geo_module支持(创建一些变量,其值依赖于客户端的IP地址)
–without-http_map_module 禁用ngx_http_map_module支持(使用任意的键/值对设置配置变量)
–without-http_split_clients_module 禁用ngx_http_split_clients_module支持(该模块用来基于某些条件划分用户。条件如:ip地址、报头、cookies等等)
–without-http_referer_module 禁用disable ngx_http_referer_module支持(该模块用来过滤请求,拒绝报头中Referer值不正确的请求)
–without-http_rewrite_module 禁用ngx_http_rewrite_module支持(该模块允许使用正则表达式改变URI,并且根据变量来转向以及选择配置。如果在server级 别设置该选项,那么他们将在 location之前生效。如果在location还有更进一步的重写规则,location部分的规则依然会被执行。如果这个URI重写是因为 location部分的规则造成的,那么 location部分会再次被执行作为新的URI。 这个循环会执行10次,然后Nginx会返回一个500错误。)
–without-http_proxy_module 禁用ngx_http_proxy_module支持(有关代理服务器)
–without-http_fastcgi_module 禁用ngx_http_fastcgi_module支持(该模块允许Nginx 与FastCGI 进程交互,并通过传递参数来控制FastCGI 进程工作。 )FastCGI一个常驻型的公共网关接口。
–without-http_uwsgi_module 禁用ngx_http_uwsgi_module支持(该模块用来医用uwsgi协议,uWSGI服务器相关)
–without-http_scgi_module 禁用ngx_http_scgi_module支持(该模块用来启用SCGI协议支持,SCGI协议是CGI协议的替代。它是一种应用程序与HTTP服务接口标准。它有些像FastCGI但他的设计 更容易实现。)
–without-http_memcached_module 禁用ngx_http_memcached_module支持(该模块用来提供简单的缓存,以提高系统效率)
-without-http_limit_zone_module 禁用ngx_http_limit_zone_module支持(该模块可以针对条件,进行会话的并发连接数控制)
–without-http_limit_req_module 禁用ngx_http_limit_req_module支持(该模块允许你对于一个地址进行请求数量的限制用一个给定的session或一个特定的事件)
–without-http_empty_gif_module 禁用ngx_http_empty_gif_module支持(该模块在内存中常驻了一个1*1的透明GIF图像,可以被非常快速的调用)
–without-http_browser_module 禁用ngx_http_browser_module支持(该模块用来创建依赖于请求报头的值。如果浏览器为modern ,则$modern_browser等于modern_browser_value指令分配的值;如 果浏览器为old,则$ancient_browser等于 ancient_browser_value指令分配的值;如果浏览器为 MSIE中的任意版本,则 $msie等于1)
–without-http_upstream_ip_hash_module 禁用ngx_http_upstream_ip_hash_module支持(该模块用于简单的负载均衡)
–with-http_perl_module 启用ngx_http_perl_module支持(该模块使nginx可以直接使用perl或通过ssi调用perl)
–with-perl_modules_path= 设定perl模块路径
–with-perl= 设定perl库文件路径
–http-log-path= 设定access log路径
–http-client-body-temp-path= 设定http客户端请求临时文件路径
–http-proxy-temp-path= 设定http代理临时文件路径
–http-fastcgi-temp-path= 设定http fastcgi临时文件路径
–http-uwsgi-temp-path= 设定http uwsgi临时文件路径
–http-scgi-temp-path= 设定http scgi临时文件路径
-without-http 禁用http server功能
–without-http-cache 禁用http cache功能
–with-mail 启用POP3/IMAP4/SMTP代理模块支持
–with-mail_ssl_module 启用ngx_mail_ssl_module支持
–without-mail_pop3_module 禁用pop3协议(POP3即邮局协议的第3个版本,它是规定个人计算机如何连接到互联网上的邮件服务器进行收发邮件的协议。是因特网电子邮件的第一个离 线协议标 准,POP3协议允许用户从服务器上把邮件存储到本地主机上,同时根据客户端的操作删除或保存在邮件服务器上的邮件。POP3协议是TCP/IP协议族中 的一员,主要用于 支持使用客户端远程管理在服务器上的电子邮件)
–without-mail_imap_module 禁用imap协议(一种邮件获取协议。它的主要作用是邮件客户端可以通过这种协议从邮件服务器上获取邮件的信息,下载邮件等。IMAP协议运行在 TCP/IP协议之上, 使用的端口是143。它与POP3协议的主要区别是用户可以不用把所有的邮件全部下载,可以通过客户端直接对服务器上的邮件进行操作。)
–without-mail_smtp_module 禁用smtp协议(SMTP即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则,由它来控制信件的中转方式。SMTP协议属于 TCP/IP协议族,它帮助每台计算机在发送或中转信件时找到下一个目的地。)
–with-google_perftools_module 启用ngx_google_perftools_module支持(调试用,剖析程序性能瓶颈)
–with-cpp_test_module 启用ngx_cpp_test_module支持
–add-module= 启用外部模块支持
–with-cc= 指向C编译器路径
–with-cpp= 指向C预处理路径
–with-cc-opt= 设置C编译器参数(PCRE库,需要指定–with-cc-opt=”-I /usr/local/include”,如果使用select()函数则需要同时增加文件描述符数量,可以通过–with-cc- opt=”-D FD_SETSIZE=2048”指定。)
–with-ld-opt= 设置连接文件参数。(PCRE库,需要指定–with-ld-opt=”-L /usr/local/lib”。)
–with-cpu-opt= 指定编译的CPU,可用的值为: pentium, pentiumpro, pentium3, pentium4, athlon, opteron, amd64, sparc32, sparc64, ppc64
–without-pcre 禁用pcre库
–with-pcre 启用pcre库
–with-pcre= 指向pcre库文件目录
–with-pcre-opt= 在编译时为pcre库设置附加参数
–with-md5= 指向md5库文件目录(消息摘要算法第五版,用以提供消息的完整性保护)
–with-md5-opt= 在编译时为md5库设置附加参数
–with-md5-asm 使用md5汇编源
–with-sha1= 指向sha1库目录(数字签名算法,主要用于数字签名)
–with-sha1-opt= 在编译时为sha1库设置附加参数
–with-sha1-asm 使用sha1汇编源
–with-zlib= 指向zlib库目录
–with-zlib-opt= 在编译时为zlib设置附加参数
–with-zlib-asm= 为指定的CPU使用zlib汇编源进行优化,CPU类型为pentium, pentiumpro
–with-libatomic 为原子内存的更新操作的实现提供一个架构
–with-libatomic= 指向libatomic_ops安装目录
–with-openssl= 指向openssl安装目录
–with-openssl-opt 在编译时为openssl设置附加参数
–with-debug 启用debug日志

wget http://tengine.taobao.org/download/tengine-2.3.3.tar.gz
tar zxvf tengine-2.3.3.tar.gz
cd tengine-2.3.3

./configure –user=www –group=website –prefix=/opt/tengine-2.3.3 \
–with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module \
–with-http_geoip_module \
–with-http_gzip_static_module \
–with-http_auth_request_module \
–with-http_secure_link_module \
–with-http_degradation_module \
–with-http_stub_status_module \
–add-module=modules/ngx_http_concat_module \
–add-module=modules/ngx_http_footer_filter_module \
–add-module=modules/ngx_http_proxy_connect_module \
–add-module=modules/ngx_http_reqstat_module \
–add-module=modules/ngx_http_sysguard_module \
–add-module=modules/ngx_http_trim_filter_module \
–add-module=modules/ngx_http_upstream_check_module \
–add-module=modules/ngx_http_upstream_consistent_hash_module \
–add-module=modules/ngx_http_upstream_dynamic_module \
–add-module=modules/ngx_http_upstream_dyups_module \
–add-module=modules/ngx_http_upstream_session_sticky_module \
–add-module=modules/ngx_http_upstream_vnswrr_module \
–add-module=modules/ngx_http_user_agent_module \
–add-module=modules/ngx_multi_upstream_module \
–with-jemalloc \
–with-http_lua_module \
–with-luajit-lib=/usr/local/lib/ –with-luajit-inc=/usr/local/include/luajit-2.1/ –with-ld-opt=-Wl,-rpath,/usr/local/lib

make -j4
make install

cd /opt/tengine-2.3.3/
sbin/nginx -V
Tengine version: Tengine/2.3.3
nginx version: nginx/1.18.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.2u 20 Dec 2019
TLS SNI support enabled
configure arguments: –user=www –group=website –prefix=/opt/tengine-2.3.3 –with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module –with-http_geoip_module –with-http_gzip_static_module –with-http_auth_request_module –with-http_secure_link_module –with-http_degradation_module –with-http_stub_status_module –add-module=modules/ngx_http_concat_module –add-module=modules/ngx_http_footer_filter_module –add-module=modules/ngx_http_proxy_connect_module –add-module=modules/ngx_http_reqstat_module –add-module=modules/ngx_http_sysguard_module –add-module=modules/ngx_http_trim_filter_module –add-module=modules/ngx_http_upstream_check_module –add-module=modules/ngx_http_upstream_consistent_hash_module –add-module=modules/ngx_http_upstream_dynamic_module –add-module=modules/ngx_http_upstream_dyups_module –add-module=modules/ngx_http_upstream_session_sticky_module –add-module=modules/ngx_http_upstream_vnswrr_module –add-module=modules/ngx_http_user_agent_module –add-module=modules/ngx_multi_upstream_module –with-jemalloc –with-http_lua_module –with-luajit-lib=/usr/local/lib/ –with-luajit-inc=/usr/local/include/luajit-2.1/ –with-ld-opt=-Wl,-rpath,/usr/local/lib

查看安装的模块

sbin/nginx -m
Tengine version: Tengine/2.3.3
nginx version: nginx/1.18.0
nginx: loaded modules:
nginx: ngx_core_module (static)
nginx: ngx_errlog_module (static)
nginx: ngx_conf_module (static)
nginx: ngx_openssl_module (static)
nginx: ngx_regex_module (static)
nginx: ngx_events_module (static)
nginx: ngx_event_core_module (static)
nginx: ngx_epoll_module (static)
nginx: ngx_procs_module (static)
nginx: ngx_proc_core_module (static)
nginx: ngx_http_module (static)
nginx: ngx_http_core_module (static)
nginx: ngx_http_log_module (static)
nginx: ngx_http_upstream_module (static)
nginx: ngx_http_v2_module (static)
nginx: ngx_http_static_module (static)
nginx: ngx_http_gzip_static_module (static)
nginx: ngx_http_autoindex_module (static)
nginx: ngx_http_index_module (static)
nginx: ngx_http_mirror_module (static)
nginx: ngx_http_try_files_module (static)
nginx: ngx_http_auth_request_module (static)
nginx: ngx_http_auth_basic_module (static)
nginx: ngx_http_access_module (static)
nginx: ngx_http_limit_conn_module (static)
nginx: ngx_http_limit_req_module (static)
nginx: ngx_http_realip_module (static)
nginx: ngx_http_geo_module (static)
nginx: ngx_http_geoip_module (static)
nginx: ngx_http_map_module (static)
nginx: ngx_http_split_clients_module (static)
nginx: ngx_http_referer_module (static)
nginx: ngx_http_rewrite_module (static)
nginx: ngx_http_ssl_module (static)
nginx: ngx_http_proxy_module (static)
nginx: ngx_http_fastcgi_module (static)
nginx: ngx_http_uwsgi_module (static)
nginx: ngx_http_scgi_module (static)
nginx: ngx_http_grpc_module (static)
nginx: ngx_http_memcached_module (static)
nginx: ngx_http_empty_gif_module (static)
nginx: ngx_http_browser_module (static)
nginx: ngx_http_secure_link_module (static)
nginx: ngx_http_degradation_module (static)
nginx: ngx_http_upstream_hash_module (static)
nginx: ngx_http_upstream_ip_hash_module (static)
nginx: ngx_http_upstream_least_conn_module (static)
nginx: ngx_http_upstream_random_module (static)
nginx: ngx_http_upstream_keepalive_module (static)
nginx: ngx_http_upstream_zone_module (static)
nginx: ngx_http_stub_status_module (static)
nginx: ngx_http_proxy_connect_module (static)
nginx: ngx_http_reqstat_module (static)
nginx: ngx_http_sysguard_module (static)
nginx: ngx_http_upstream_check_module (static)
nginx: ngx_http_upstream_consistent_hash_module (static)
nginx: ngx_http_upstream_dynamic_module (static)
nginx: ngx_http_dyups_module (static)
nginx: ngx_http_upstream_vnswrr_module (static)
nginx: ngx_http_user_agent_module (static)
nginx: ngx_http_multi_upstream_module (static)
nginx: ngx_http_write_filter_module (static)
nginx: ngx_http_header_filter_module (static)
nginx: ngx_http_chunked_filter_module (static)
nginx: ngx_http_v2_filter_module (static)
nginx: ngx_http_range_header_filter_module (static)
nginx: ngx_http_gzip_filter_module (static)
nginx: ngx_http_postpone_filter_module (static)
nginx: ngx_http_ssi_filter_module (static)
nginx: ngx_http_charset_filter_module (static)
nginx: ngx_http_addition_filter_module (static)
nginx: ngx_http_userid_filter_module (static)
nginx: ngx_http_headers_filter_module (static)
nginx: ngx_http_concat_module (static)
nginx: ngx_http_footer_filter_module (static)
nginx: ngx_http_trim_filter_module (static)
nginx: ngx_http_upstream_session_sticky_module (static)
nginx: ngx_http_lua_module (static)
nginx: ngx_http_copy_filter_module (static)
nginx: ngx_http_range_body_filter_module (static)
nginx: ngx_http_not_modified_filter_module (static)
nginx: the configuration file /opt/tengine-2.3.3/conf/nginx.conf syntax is ok
nginx: configuration file /opt/tengine-2.3.3/conf/nginx.conf test is successful

cd /opt/nginx/conf
cp -ar ssl ssl.conf webip.conf geo.*.conf GeoIP.dat manageip.conf fcgi.conf htpasswd nginx.conf /opt/tengine-2.3.3/conf/
/opt/tengine-2.3.3/sbin/nginx -t -c /opt/tengine-2.3.3/conf/nginx.conf

chown www:website /opt/tengine-2.3.3/logs/
chown www:website /opt/nginx/conf/

删除旧的nginx软链接,给tengine增加软链接
rm /opt/nginx
ln -s /opt/tengine-2.3.3 /opt/nginx

关闭tengine
/opt/nginx/sbin/nginx -s quit
启动tengine
/opt/nginx/sbin/nginx
重启tengine
/opt/nginx/sbin/nginx -s reload

6、下载和配置 ngx_lua_waf

nginx下常见的开源 waf 有 mod_security、naxsi、ngx_lua_waf 这三个,ngx_lua_waf 性能高和易用性强,基本上零配置,而且常见的攻击类型都能防御,是比较省心的选择。

其git 地址为 https://github.com/loveshell/ngx_lua_waf
wget –no-check-certificate https://github.com/loveshell/ngx_lua_waf/archive/master.zip
unzip master.zip
mv ngx_lua_waf-master /opt/tengine-2.3.3/conf/waf
chgrp -R website waf
chmod -R 0775 waf

mkdir -p /opt/nginx/logs/hack
chown www:website /opt/nginx/logs/hack
chmod -R 775 /opt/nginx/logs/hack

在nginx.conf的http段添加
lua_package_path “/opt/nginx/conf/waf/?.lua”;
lua_shared_dict limit 10m;
init_by_lua_file /opt/nginx/conf/waf/init.lua;
access_by_lua_file /opt/nginx/conf/waf/waf.lua;
配置config.lua里的waf规则目录(一般在waf/conf/目录下)

RulePath = "/opt/nginx/conf/waf/wafconf/"

然后重启nginx即可
部署完毕可以尝试如下命令:

curl http://xxxx/test.php?id=../etc/passwd
日志文件名称格式如下:虚拟主机名_sec.log

Posted in Nginx.

Tagged with , , .

No comments

By C1G 2022/02/24