Installing RabbitMQ and php-amqplib on Linux

1. Installing git on Linux

The git version shipped with yum is too old:
git version 1.7.1

yum remove git
yum -y install curl-devel expat-devel gettext-devel openssl-devel zlib-devel gcc perl-ExtUtils-MakeMaker
wget https://github.com/git/git/archive/v2.21.0.tar.gz
tar zxvf v2.21.0.tar.gz
cd git-2.21.0/
make configure
./configure --prefix=/usr/local/git --with-iconv=/usr/local/
make
make install

/usr/local/git/bin/git --version
git version 2.21.0

ln -s /usr/local/git/bin/git /usr/bin/git

git clone --no-checkout 'https://github.com/php-amqplib/php-amqplib.git' '/opt/php-5.4.45_phar/lib/composer/vendor/php-amqplib/php-amqplib'

If the clone fails with an SSL connect error:
fatal: unable to access 'https://github.com/php-amqplib/php-amqplib.git/': SSL connect error

set the TLS version for git and add github.com to /etc/hosts:
git config --global http.sslversion tlsv1
vi /etc/hosts
192.30.255.112 github.com

2. Installing Composer

Composer requires PHP 5.3.2+ and OpenSSL 1.0.1+ to run.

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
PHP must not be compiled with --with-curlwrappers or --disable-phar.

Check PHP's compile options:
php -i |grep configure
Configure Command => './configure' '--prefix=/opt/php-5.4.45' '--with-config-file-path=/opt/php-5.4.45/etc' '--with-mysql=/opt/mysql' '--with-mysqli=/opt/mysql/bin/mysql_config' '--with-iconv-dir=/usr/local' '--with-freetype-dir' '--with-jpeg-dir' '--with-png-dir' '--with-zlib' '--with-libxml-dir=/usr' '--disable-rpath' '--enable-bcmath' '--enable-shmop' '--enable-sysvsem' '--enable-inline-optimization' '--with-curl' '--with-curlwrappers' '--enable-mbregex' '--enable-cgi' '--enable-fpm' '--enable-mbstring' '--with-mcrypt' '--with-gd' '--enable-gd-native-ttf' '--with-openssl' '--with-mhash' '--enable-pcntl' '--enable-sockets' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--enable-xml' '--disable-debug' '--disable-ipv6' '--without-pear' '--disable-phar' '--enable-ftp' '--with-pdo-mysql=/opt/mysql'

Error caused by --disable-phar:

Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The phar extension is missing.
Install it or recompile php without --disable-phar

Error caused by --with-curlwrappers:
PHP was compiled with --with-curlwrappers which will cause issues with HTTP authentication and GitHub. Recompile it without this flag if possible

Error when git is not installed:
sh: git: command not found

wget https://getcomposer.org/composer.phar
ln -s /opt/php/bin/php /usr/bin/php
php composer.phar
This returns a list of available commands.

Or install it globally:
mv composer.phar /usr/bin/composer
chmod +x /usr/bin/composer
composer
Create a composer.json:
{
    "require": {
        "monolog/monolog": "1.0.*",
        "php-amqplib/php-amqplib": ">=2.6.1"
    }
}

Configure a mirror in China:
composer clearcache
composer config -g repo.packagist composer https://packagist.phpcomposer.com

Running Composer as root is not recommended.
At run time Composer creates a writable cache directory under the current user, /home//.compose
sudo -uandychu composer config -g repo.packagist composer https://packagist.phpcomposer.com
This adds the following to composer.json:
"repositories": {
    "packagist": {
        "type": "composer",
        "url": "https://packagist.phpcomposer.com"
    }
}

From the command line:
php composer.phar install
Or, with the global install:
composer up

Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals

  • Installing php-amqplib/php-amqplib (v2.8.1): Downloading (failed)
    Downloading (failed)
    Downloading (failed) Failed to download php-amqplib/php-amqplib from dist: The "https://api.github.com/repos/php-amqplib/php-amqplib/zipball/84449ffd3f5a7466bbee3946facb3746ff11f075" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
    error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
    Failed to enable crypto
    failed to open stream: operation failed
    Now trying to download from source
  • Installing php-amqplib/php-amqplib (v2.8.1): Cloning 84449ffd3f from cache
    Writing lock file
    Generating autoload files

vi php.ini
Add /opt/php-5.4.45_phar/lib/composer to include_path and open_basedir.

Reload PHP.

3. Installing Erlang on Linux


yum install ncurses ncurses-base ncurses-devel ncurses-libs ncurses-static ncurses-term ocaml-curses ocaml-curses-devel -y
wget http://erlang.org/download/otp_src_21.2.tar.gz
tar zxvf otp_src_21.2.tar.gz
cd otp_src_21.2
./configure --with-ssl --enable-threads --enable-smp-support --enable-kernel-poll --enable-hipe --without-javac
make
make install
/usr/local/bin/erl
Erlang/OTP 21 [erts-10.2] [source] [64-bit] [smp:40:40] [ds:40:40:10] [async-threads:1] [hipe]

Eshell V10.2 (abort with ^G)
1> halt().

4. Installing RabbitMQ on Linux

http://www.rabbitmq.com/download.html
wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.11/rabbitmq-server-generic-unix-3.7.11.tar.xz
tar xvf rabbitmq-server-generic-unix-3.7.11.tar.xz
mv rabbitmq_server-3.7.11 /opt/
cd /opt
ln -s rabbitmq_server-3.7.11 rabbitmq
cd /opt/rabbitmq/sbin
./rabbitmq-server &


## ##
## ## RabbitMQ 3.7.11. Copyright (C) 2007-2019 Pivotal Software, Inc.
########## Licensed under the MPL. See http://www.rabbitmq.com/
###### ##
########## Logs: /opt/rabbitmq/var/log/rabbitmq/rabbit@c1gstudio.log
/opt/rabbitmq/var/log/rabbitmq/rabbit@c1gstudio_upgrade.log

          Starting broker...

completed with 0 plugins.

[bin]

# ./rabbitmqctl status
Status of node rabbit@c1gstudio …
[{pid,28884},
{running_applications,
[{rabbit,”RabbitMQ”,”3.7.11″},
{mnesia,”MNESIA CXC 138 12″,”4.15.5″},
{os_mon,”CPO CXC 138 46″,”2.4.7″},
{sysmon_handler,”Rate-limiting system_monitor event handler”,”1.1.0″},
{rabbit_common,
“Modules shared by rabbitmq-server and rabbitmq-erlang-client”,
“3.7.11”},
{ranch,”Socket acceptor pool for TCP protocols.”,”1.7.1″},
{ssl,”Erlang/OTP SSL application”,”9.1″},
{public_key,”Public key infrastructure”,”1.6.4″},
{asn1,”The Erlang ASN1 compiler version 5.0.8″,”5.0.8″},
{inets,”INETS CXC 138 49″,”7.0.3″},
{recon,”Diagnostic tools for production use”,”2.3.6″},
{xmerl,”XML parser”,”1.3.18″},
{jsx,”a streaming, evented json parsing toolkit”,”2.9.0″},
{crypto,”CRYPTO”,”4.4″},
{lager,”Erlang logging framework”,”3.6.5″},
{goldrush,”Erlang event stream processor”,”0.1.9″},
{compiler,”ERTS CXC 138 10″,”7.3″},
{syntax_tools,”Syntax tools”,”2.1.6″},
{sasl,”SASL CXC 138 11″,”3.3″},
{stdlib,”ERTS CXC 138 10″,”3.7″},
{kernel,”ERTS CXC 138 10″,”6.2″}]},
{os,{unix,linux}},
{erlang_version,
“Erlang/OTP 21 [erts-10.2] [source] [64-bit] [smp:40:40] [ds:40:40:10] [async-threads:640] [hipe]\n”},
{memory,
[{connection_readers,0},
{connection_writers,0},
{connection_channels,0},
{connection_other,0},
{queue_procs,0},
{queue_slave_procs,0},
{plugins,10044},
{other_proc,33404336},
{metrics,197308},
{mgmt_db,0},
{mnesia,73360},
{other_ets,2314472},
{binary,150240},
{msg_index,29488},
{code,20364814},
{atom,1082561},
{other_system,30248961},
{allocated_unused,50253824},
{reserved_unallocated,0},
{strategy,rss},
{total,[{erlang,87875584},{rss,113528832},{allocated,138129408}]}]},
{alarms,[]},
{listeners,[{clustering,25672,”::”},{amqp,5672,”0.0.0.0″}]},
{vm_memory_calculation_strategy,rss},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,13413631590},
{disk_free_limit,50000000},
{disk_free,322518425600},
{file_descriptors,
[{total_limit,51100},
{total_used,2},
{sockets_limit,45988},
{sockets_used,0}]},
{processes,[{limit,1048576},{used,253}]},
{run_queue,1},
{uptime,128},
{kernel,{net_ticktime,60}}]

Start the service: ./rabbitmq-server &

Check service status: ./rabbitmqctl status

Stop the service: ./rabbitmqctl stop

Enable the management plugin: ./rabbitmq-plugins enable rabbitmq_management

List MQ users: ./rabbitmqctl list_users

Show a user's permissions: ./rabbitmqctl list_user_permissions guest

Add a user: ./rabbitmqctl add_user admin 123456

Make the user an administrator:
./rabbitmqctl set_user_tags admin administrator

Edit the configuration file:

cd /opt/rabbitmq/etc/rabbitmq
wget https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/master/docs/rabbitmq.conf.example
cp rabbitmq.conf.example rabbitmq.conf

vi rabbitmq.conf
listeners.tcp.local = 192.168.0.37:5672
management.tcp.port = 15672
management.tcp.ip = 192.168.0.99

management.http_log_dir = /var/log/nginx/access.log

5. Start at boot

vi /etc/rc.local
/opt/rabbitmq/sbin/rabbitmq-server &

6. iptables

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 5672 -j ACCEPT
iptables -A INPUT -s 192.168.0.99/32 -p tcp -m tcp --dport 15672 -j ACCEPT

/etc/init.d/iptables save

7. nginx configuration

vi /opt/nginx/conf/nginx.conf

server
{
listen 80;
server_name admin.c1gstudio.com;
index index.html index.htm index.php;
root /opt/htdocs/www;

    include manageip.conf;
    deny    all;

     location /rabbit/ {
      proxy_pass        http://192.168.0.37:15672/;
      proxy_set_header  Host        $host;
      proxy_set_header  X-Real-IP   $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
     }            

     location / {
      proxy_pass        http://192.168.0.37:80/;
      proxy_set_header  Host        $host;
      proxy_set_header  X-Real-IP   $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_redirect    off;
     }            

         access_log  /opt/nginx/logs/access.log  access;
 }

8. Testing

Create the send.php file:

<?php

require_once __DIR__ . '/vendor/autoload.php';

use PhpAmqpLib\Connection\AMQPStreamConnection;
use PhpAmqpLib\Message\AMQPMessage;

// RabbitMQ default port is 5672; default account and password: guest / guest
// $host = 'localhost';
$host = '192.168.99.100';
$port = '5672';
$username = 'guest';
$password = 'guest';

// $connection = new AMQPStreamConnection('localhost', 5672, 'guest', 'guest');
$connection = new AMQPStreamConnection($host, $port, $username, $password);
$channel = $connection->channel();
$channel->queue_declare('hello', false, false, false, false);

$msg = new AMQPMessage('Hello World!');
// Publish to the default exchange with routing key 'hello'
$channel->basic_publish($msg, '', 'hello');
echo " [x] Sent 'Hello World!'\n";

$channel->close();
$connection->close();

Create the receive.php file:

<?php
// file: receive.php
require_once __DIR__ . '/vendor/autoload.php';
use PhpAmqpLib\Connection\AMQPStreamConnection;

// RabbitMQ default port is 5672; default account and password: guest / guest
// $host = 'localhost';
// $host = '5672';
$host = '192.168.99.100';
$port = '5672';
$username = 'guest';
$password = 'guest';

$connection = new AMQPStreamConnection($host, $port, $username, $password);
$channel = $connection->channel();

// Must be the same queue that send.php publishes to
$queueName = 'hello';
$channel->queue_declare($queueName, false, false, false, false);

echo ' [*] Waiting for messages. To exit press CTRL+C', "\n";

$callback = function($msg) {
    echo " [x] Received: {", $msg->body, "}\n";
};

// Fourth argument (no_ack) is true: messages are acknowledged automatically
$channel->basic_consume($queueName, '', false, true, false, false, $callback);

while(count($channel->callbacks)) {
    $channel->wait();
}

Sending and receiving queue messages
Run receive.php first.
Then run send.php to send a message:

$ php send.php
[x] Sent: {18-02-10 02:35:15: Hello World!}
$ php send.php
[x] Sent: {18-02-10 02:35:34: Hello World!}

https://docs.phpcomposer.com/01-basic-usage.html
http://www.rabbitmq.com/tutorials/tutorial-one-php.html

php-amqplib vs. amqp-ext performance comparison

https://blog.forma-pro.com/php-amqp-clients-benchmark-them-all-8a4e6adb1a6b

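RabbitMQ user role categories:
none, management, policymaker, monitoring, administrator

Description of each RabbitMQ role:
none
Cannot access the management plugin

management
Anything the user could do via AMQP, plus:
List the virtual hosts they can log in to via AMQP
View the queues, exchanges and bindings in their own virtual hosts
View and close their own channels and connections
View "global" statistics for their own virtual hosts, including other users' activity within those virtual hosts.

policymaker
Everything management can do, plus:
View, create and delete policies and parameters for their own virtual hosts

monitoring
Everything management can do, plus:
List all virtual hosts, including ones they cannot log in to
View other users' connections and channels
View node-level data such as clustering and memory use
View truly global statistics for all virtual hosts

administrator
Everything policymaker and monitoring can do, plus:
Create and delete virtual hosts
View, create and delete users
View, create and delete permissions
Close other users' connections

Creating users and assigning roles:
You can create an administrator user responsible for operating the whole MQ, for example:
$ sudo rabbitmqctl add_user user_admin passwd_admin
Give it the administrator role:
$ sudo rabbitmqctl set_user_tags user_admin administrator

You can create a RabbitMQ monitoring user responsible for monitoring the whole MQ, for example:
$ sudo rabbitmqctl add_user user_monitoring passwd_monitor
Give it the monitoring role:
$ sudo rabbitmqctl set_user_tags user_monitoring monitoring

You can create a dedicated user for a project that can only access the project's own virtual hosts:
$ sudo rabbitmqctl add_user user_proj passwd_proj
Give it the management role:
$ sudo rabbitmqctl set_user_tags user_proj management

After creating users and assigning roles, list them to confirm:
$ sudo rabbitmqctl list_users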

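RabbitMQ access control
Default virtual host: "/"
Default user: guest
guest has full permissions on "/" and can only access RabbitMQ (including the plugins) from localhost; deleting the account or changing its password is recommended. The localhost-only restriction can be lifted by setting loopback_users to an empty list in the configuration file:
[{rabbit, [{loopback_users, []}]}].

A user can only operate on resources in the virtual hosts they can access. Resources here means the exchanges, queues and so on within a virtual host; the operations are configure, write and read. The configure permission allows creating and deleting resources and changing their behaviour, the write permission allows sending messages to a resource, and the read permission allows fetching messages from a resource. For example:
declare and delete of an exchange or queue require the configure permission on that exchange or queue
bind and unbind of an exchange require read and write permission on the exchange
bind and unbind of a queue require write permission on the queue and read permission on the exchange
publishing a message requires write permission on the exchange
fetching or purging messages (get, consume, purge) requires read permission on the queue

Which resources a user may configure, write and read is decided by regular-expression matching. The command is:
set_permissions [-p ]
Here, each of the positions is a regular expression matching specific resources; for example '^(amq.gen.*|amq.default)$' matches the server-generated and default exchanges, and '^$' matches no resources.

Note that RabbitMQ caches the result of permission checks for each connection or channel, so after permissions change a reconnect is needed for them to take effect.

Granting permissions to a user:
$ sudo rabbitmqctl set_permissions -p /vhost1 user_admin '.*' '.*' '.*'
This command gives user_admin configure, write and read permission on all resources in the virtual host /vhost1 so that it can manage them.

View permissions by user:

$ sudo rabbitmqctl list_user_permissions user_admin

View permissions by server (virtual host):

$ sudo rabbitmqctl list_permissions -p /vhost1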
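
The permission rules above, modelled offline as an added example (not code from the original post or from RabbitMQ). It assumes RabbitMQ searches the resource name for the pattern without implicit anchoring, treats an empty pattern as '^$', and checks the default exchange under the name amq.default; the user_proj permission triple is constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a (configure, write, read) permission triple
# allows an AMQP operation, using the operation-to-permission mapping above.
# Only regex syntax common to POSIX ERE is supported by this model.

# perm_match REGEX NAME: succeeds when NAME matches the permission regex.
# Assumption: the match is an unanchored search, and an empty pattern grants
# nothing (modelled as '^$').
perm_match() {
    _re=$1
    [ -n "$_re" ] || _re='^$'
    printf '%s\n' "$2" | grep -Eq -- "$_re"
}

# The default exchange has the empty name. Assumption: its permissions are
# checked under the name amq.default.
exchange_name() {
    if [ -z "$1" ]; then echo amq.default; else printf '%s\n' "$1"; fi
}

# op_allowed CONF WRITE READ OPERATION QUEUE EXCHANGE
# Exit status 0 = allowed, 1 = denied, 2 = operation not in the mapping.
op_allowed() {
    _conf=$1 _write=$2 _read=$3 _queue=$5
    _exchange=$(exchange_name "$6")
    case $4 in
        queue.declare|queue.delete)
            perm_match "$_conf" "$_queue" ;;
        exchange.declare|exchange.delete)
            perm_match "$_conf" "$_exchange" ;;
        queue.bind|queue.unbind)
            perm_match "$_write" "$_queue" && perm_match "$_read" "$_exchange" ;;
        basic.publish)
            perm_match "$_write" "$_exchange" ;;
        basic.get|basic.consume|queue.purge)
            perm_match "$_read" "$_queue" ;;
        *)
            return 2 ;;
    esac
}

# decide ...: same arguments as op_allowed, prints "allow" or "deny".
decide() {
    if op_allowed "$@"; then echo allow; else echo deny; fi
}

# Constructed least-privilege triple for the project user user_proj:
# it may configure and read only resources named proj.*, and may publish
# to proj.* exchanges and to the default exchange.
P_CONF='^proj\.'
P_WRITE='^(proj\.|amq\.default$)'
P_READ='^proj\.'

report() {
    printf '%-14s queue=%-11s exchange=%-10s %s\n' "$1" "${2:--}" "${3:-(default)}" \
        "$(decide "$P_CONF" "$P_WRITE" "$P_READ" "$1" "$2" "$3")"
}

# What send.php / receive.php would be allowed to do as user_proj:
report queue.declare hello ''        # queue name outside proj.*
report queue.declare proj.hello ''
report basic.publish '' ''           # default exchange
report basic.publish '' amq.topic
report basic.consume proj.hello ''
```

With this triple the tutorial's queue name hello is denied while proj.hello is allowed, which is the effect a per-project prefix is meant to have.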

https://juejin.im/post/5b8f4a1ff265da43330c6679
https://www.rabbitmq.com/management.html#http-api



Installing RabbitMQ on Windows, with the php-amqp extension for apache and php-amqplib for nginx


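1. Installing Erlang

RabbitMQ is implemented in Erlang, so the Erlang environment has to be installed first.

Erlang download: http://www.erlang.org/downloads
http://erlang.org/download/otp_win64_21.3.exe
RabbitMQ download: https://www.rabbitmq.com/download.html
https://dl.bintray.com/rabbitmq/all/rabbitmq-server/3.7.14/rabbitmq-server-3.7.9.exe
PHP amqp extension download: http://pecl.php.net/package/amqp

Install Erlang and rabbitmq_server directly from their installers.
For the AMQP client: if the web server is apache you can use the amqp extension; with nginx you can use php-amqplib via Composer.

2. Installing amqp


Pick the right build of the amqp extension: 32-bit or 64-bit to match the system. Check Thread Safety in phpinfo: if it is enabled choose the ts build; if it is disabled choose the nts build.
To install the extension:

Download and unpack it, then copy php_amqp.dll to php/ext;
add extension=php_amqp.dll to php.ini;

Copy rabbitmq.1.dll to php/
For apache, edit the httpd.conf file and add:

LoadFile "D:/wnmp/php/rabbitmq.1.dll"

Restart apache; the amqp extension now shows up in phpinfo():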

amqp
Version 1.4.0
Revision $Revision: 327551 $
Compiled May 22 2014 @ 16:57:32
AMQP protocol version 0-9-1
librabbitmq version 0.5.0
Directive Local Value Master Value
amqp.auto_ack 0 0
amqp.connect_timeout 0 0
amqp.host localhost localhost
amqp.login guest guest
amqp.password guest guest
amqp.port 5672 5672
amqp.prefetch_count 3 3
amqp.read_timeout 0 0
amqp.timeout no value no value
amqp.vhost / /
amqp.write_timeout 0 0

If the dll is not loaded in apache, you may get the following errors:
Fatal error: Uncaught exception 'AMQPConnectionException' with message 'Socket error: could not connect to host.'

Fatal error: Uncaught exception 'AMQPConnectionException' with message 'Library error: a socket error occurred - Potential login failure.'

3. Installing php-amqplib with Composer

Composer requires PHP 5.3.2+ to run.

Installing on Windows:
https://getcomposer.org/Composer-Setup.exe

Install git if needed:
http://git-scm.com/download/win

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"

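This command downloads composer.phar into the current directory. PHAR (PHP archive) is an archive format that can be run directly from the command line.

php composer.phar
This returns a list of available commands.

Create a composer.json:
d:/wnmp/composer/composer.json
{
    "require": {
        "monolog/monolog": "1.0.*",
        "php-amqplib/php-amqplib": ">=2.6.1"
    }
}

php composer.phar up

Edit php.ini:
Add d:/wnmp/composer to include_path and open_basedir.

4. RabbitMQ

From the sbin directory, run in cmd: rabbitmq-service.bat start

From the sbin directory, run in cmd: rabbitmqctl.bat status
If output like the following appears, the installation succeeded and RabbitMQ Server is started and running normally: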
Status of node rabbit@QFNO88I … [{pid,2208}, {running_applications, [{rabbit,”RabbitMQ”,”3.7.9″}, {rabbit_common, “Modules shared by rabbitmq-server and rabbitmq-erlang-client”, “3.7.9”}, {ranch_proxy_protocol,”Ranch Proxy Protocol Transport”,”2.1.1″}, {ranch,”Socket acceptor pool for TCP protocols.”,”1.6.2″}, {ssl,”Erlang/OTP SSL application”,”9.1″}, {public_key,”Public key infrastructure”,”1.6.4″}, {asn1,”The Erlang ASN1 compiler version 5.0.8″,”5.0.8″}, {mnesia,”MNESIA CXC 138 12″,”4.15.5″}, {crypto,”CRYPTO”,”4.4″}, {os_mon,”CPO CXC 138 46″,”2.4.7″}, {xmerl,”XML parser”,”1.3.18″}, {inets,”INETS CXC 138 49″,”7.0.3″}, {jsx,”a streaming, evented json parsing toolkit”,”2.9.0″}, {recon,”Diagnostic tools for production use”,”2.3.6″}, {lager,”Erlang logging framework”,”3.6.5″}, {goldrush,”Erlang event stream processor”,”0.1.9″}, {compiler,”ERTS CXC 138 10″,”7.3″}, {syntax_tools,”Syntax tools”,”2.1.6″}, {sasl,”SASL CXC 138 11″,”3.3″}, {stdlib,”ERTS CXC 138 10″,”3.7″}, {kernel,”ERTS CXC 138 10″,”6.2″}]}, {os,{win32,nt}}, {erlang_version, “Erlang/OTP 21 [erts-10.2] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:64]\n”}, {memory, [{connection_readers,0}, {connection_writers,0}, {connection_channels,0}, {connection_other,0}, {queue_procs,0}, {queue_slave_procs,0}, {plugins,13724}, {other_proc,23284296}, {metrics,195772}, {mgmt_db,0}, {mnesia,73736}, {other_ets,2460472}, {binary,211248}, {msg_index,29824}, {code,24360636}, {atom,1082561}, {other_system,10339171}, {allocated_unused,14166928}, {reserved_unallocated,0}, {strategy,rss}, {total,[{erlang,62051440},{rss,76218368},{allocated,76218368}]}]}, {alarms,[]}, {listeners,[{clustering,25672,”::”},{amqp,5672,”::”},{amqp,5672,”0.0.0.0″}]}, {vm_memory_calculation_strategy,rss}, {vm_memory_high_watermark,0.4}, {vm_memory_limit,3415903436}, {disk_free_limit,50000000}, {disk_free,42944823296}, {file_descriptors, [{total_limit,8092}, {total_used,2}, {sockets_limit,7280}, {sockets_used,0}]}, {processes,[{limit,1048576},{used,230}]}, 
{run_queue,1}, {uptime,29084}, {kernel,{net_ticktime,60}}]

If it does not appear, run:

  1. rabbitmq-service.bat install
  2. rabbitmq-service.bat start (to stop it, use rabbitmq-service.bat stop)

Showing the management UI:
1. Go to RabbitMQ's sbin directory and run in cmd:
2. rabbitmq-plugins.bat list (list all plugins)
3. rabbitmq-plugins.bat enable rabbitmq_management (enable the management UI plugin)

.\rabbitmq-plugins.bat list

Listing plugins with pattern “.*” …
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@QFNO88I
|/
[ ] rabbitmq_amqp1_0 3.7.9
[ ] rabbitmq_auth_backend_cache 3.7.9
[ ] rabbitmq_auth_backend_http 3.7.9
[ ] rabbitmq_auth_backend_ldap 3.7.9
[ ] rabbitmq_auth_mechanism_ssl 3.7.9
[ ] rabbitmq_consistent_hash_exchange 3.7.9
[ ] rabbitmq_event_exchange 3.7.9
[ ] rabbitmq_federation 3.7.9
[ ] rabbitmq_federation_management 3.7.9
[ ] rabbitmq_jms_topic_exchange 3.7.9
[ ] rabbitmq_management 3.7.9
[ ] rabbitmq_management_agent 3.7.9
[ ] rabbitmq_mqtt 3.7.9
[ ] rabbitmq_peer_discovery_aws 3.7.9
[ ] rabbitmq_peer_discovery_common 3.7.9
[ ] rabbitmq_peer_discovery_consul 3.7.9
[ ] rabbitmq_peer_discovery_etcd 3.7.9
[ ] rabbitmq_peer_discovery_k8s 3.7.9
[ ] rabbitmq_random_exchange 3.7.9
[ ] rabbitmq_recent_history_exchange 3.7.9
[ ] rabbitmq_sharding 3.7.9
[ ] rabbitmq_shovel 3.7.9
[ ] rabbitmq_shovel_management 3.7.9
[ ] rabbitmq_stomp 3.7.9
[ ] rabbitmq_top 3.7.9
[ ] rabbitmq_tracing 3.7.9
[ ] rabbitmq_trust_store 3.7.9
[ ] rabbitmq_web_dispatch 3.7.9
[ ] rabbitmq_web_mqtt 3.7.9
[ ] rabbitmq_web_mqtt_examples 3.7.9
[ ] rabbitmq_web_stomp 3.7.9
[ ] rabbitmq_web_stomp_examples 3.7.9

.\rabbitmq-plugins.bat enable rabbitmq_management

Enabling plugins on node rabbit@QFNO88I:
rabbitmq_management
The following plugins have been configured:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@QFNO88I…
The following plugins have been enabled:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch

started 3 plugins.

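In a browser, open: 127.0.0.1:15672

Enter the user name and password; the initial user name and password are guest: guest
Note: guest can only log in from localhost

Adding accounts manually:
a) List all accounts: rabbitmqctl.bat list_users
b) Create an account: rabbitmqctl.bat add_user
e) Set a role: rabbitmqctl.bat set_user_tags keving administrator
f) Set permissions: rabbitmqctl.bat set_permissions -p / ".*" ".*" ".*"
/ is the vhost; the patterns after it grant configure, write and read permission

./rabbitmqctl.bat add_user user1 user1
Add a vhost yjs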



Checking disk usage on Linux and finding processes that hold deleted but unreleased files

df -h

Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/vg-lv_root  118G   13G  100G  12% /
tmpfs                    16G  4.0K   16G   1% /dev/shm
/dev/sda1               477M   42M  411M  10% /boot
/dev/mapper/vg-lv_app   318G  138G  164G  46% /opt
/dev/mapper/vg-lv_var    99G   80G   14G  86% /var
/usr/Tmp                9.4G  158M  8.8G   2% /tmp

/var is using 80G, leaving less than 15% free.

cd /var

du -sh .

490M .
.0K ./empty
4.0K ./yp
4.0K ./tmp
5.5M ./spool
4.0K ./account
4.0K ./crash
192K ./run
193M ./cache
4.0K ./local
4.0K ./agentx
16K ./lost+found
4.0K ./nis
16K ./lock
4.0K ./games
32K ./db
172M ./lib
120M ./log
4.0K ./preserve
4.0K ./opt
490M .

Inside /var, the files actually present only add up to 490M. Checking inodes shows no problem there either.

df -i

Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/mapper/vg-lv_root
7864320 122554 7741766 2% /
tmpfs 4093515 2 4093513 1% /dev/shm
/dev/sda1 128016 39 127977 1% /boot
/dev/mapper/vg-lv_app
21135360 6768994 14366366 33% /opt
/dev/mapper/vg-lv_var
6553600 3068 6550532 1% /var
/usr/Tmp 625856 689 625167 1% /tmp

Check whether any process is still holding deleted files:

lsof | grep delete

php-fpm 1155 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
php-fpm 2289 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
syslog-ng 4913 root 9w REG 253,3 84811572283 1310862 /var/log/nginx/blog.c1gstudio.com.20180726.log (deleted)
php-fpm 5478 root 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
php-fpm 5700 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
php-fpm 6438 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
php-fpm 11638 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)
php-fpm 11823 www 3u REG 7,0 0 33 /tmp/ZCUDxFkJdQ (deleted)

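syslog-ng (PID 4913) is still writing to a file that has been deleted.
kill 4913
Restart the process and the space is released.

Root cause: the log-archiving script forgot to reload syslog-ng. Fixed by adding:
/bin/kill -USR1 `cat /usr/local/syslog-ng/var/syslog-ng.pid`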
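
The same diagnosis without lsof, as an added example (not from the original post): it walks /proc for descriptors whose target was unlinked and ranks them by the space they still hold. It assumes GNU stat; the PROC_ROOT parameter and the function names are introduced here for illustration.

```sh
#!/bin/sh
# Added example: find files that were unlinked but are still held open,
# the condition diagnosed above with "lsof | grep delete".

# list_deleted_open [PROC_ROOT]
# Prints one "PID FD SIZE PATH" record for every descriptor whose link target
# ends in " (deleted)". PROC_ROOT defaults to /proc; the parameter exists so
# the function can be pointed at a test tree.
list_deleted_open() {
    _root=${1:-/proc}
    _suffix=' (deleted)'
    for _fd in "$_root"/[0-9]*/fd/*; do
        [ -L "$_fd" ] || continue
        # Descriptors of other users' processes are unreadable without root.
        _target=$(readlink "$_fd" 2>/dev/null) || continue
        case $_target in
            /*"$_suffix") ;;      # an absolute path that has been unlinked
            *) continue ;;        # sockets, pipes, files that still exist
        esac
        _pid=${_fd#"$_root"/}
        _pid=${_pid%%/*}
        _path=${_target%"$_suffix"}
        # stat -L follows the fd link to the inode that is still allocated,
        # so this is the space that df counts and du cannot see.
        _size=$(stat -L -c %s "$_fd" 2>/dev/null) || _size=0
        printf '%s %s %s %s\n' "$_pid" "${_fd##*/}" "$_size" "$_path"
    done
}

# rank_deleted: reads "PID FD SIZE PATH" records on stdin and prints them
# largest first, with SIZE converted from bytes to GiB.
rank_deleted() {
    sort -k3,3nr |
        awk '{ $3 = sprintf("%.1fGiB", $3 / 1073741824); print }'
}

# Run as "sh script.sh scan" (as root, to see every process).
if [ "${1:-}" = scan ]; then
    list_deleted_open | rank_deleted | head -n 20
fi
```

Fed the syslog-ng record from the lsof output above (84811572283 bytes), rank_deleted reports 79.0GiB, which accounts for the gap between df and du on /var.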



Preventing a CDN from caching nginx's anti-hotlink image

If your CDN caches HTTP 302 responses, it may cache the anti-hotlink image, and legitimate users will then be served the "notice image" from the CDN instead of the real image.
The fix here is to change the 302 issued after the rewrite into a 403 status.

Original nginx configuration:

location ~* ^.+\.(jpg|jpeg|gif|png|swf|rar|zip|css|js)$ {
    valid_referers none blocked *.c1gstudio.com localhost cache.baiducontent.com c.360webcache.com www.sogou.com cc.bingj.com;
    if ($invalid_referer) {
        rewrite ^/ http://leech.c1gstudio.com/leech.gif;
        return 412;
        break;
    }
    access_log   off;
    root /opt/lampp/htdocs/c1gstudio;
    expires 3d;
    break;
}

New nginx configuration
Proxy to a virtual host:

upstream leech_server {
    server   192.168.0.75:80;
}

location @leech {
    proxy_set_header Host  leech.c1gstudio.com;
    proxy_pass http://leech_server;
}

location ~* ^.+\.(jpg|jpeg|gif|png|swf|rar|zip|css|js)$ {
    valid_referers none blocked *.c1gstudio.com localhost cache.baiducontent.com c.360webcache.com www.sogou.com cc.bingj.com;
    if ($invalid_referer) {
        #rewrite ^/ http://leech.c1gstudio.com/leech.gif;
        error_page 412 = @leech;
        return 412;
        break;
    }
    access_log   off;
    root /opt/lampp/htdocs/c1gstudio;
    expires 3d;
    break;
}

server
{
    listen       80;
    server_name  leech.c1gstudio.com;
    index index.html index.htm index.php;
    root  /opt/lampp/htdocs/transfer_url;
    error_page 404 =403 /leech.gif;
    access_log  off;

    location ~* ^.+\.(jpg|jpeg|gif|png)$ {
        access_log   off;
        root /opt/lampp/htdocs/transfer_url;
        add_header Cache-Control no-cache;
        add_header Pragma no-cache;
        add_header Expires 0;
        break;
    }

    location ~/\.ht {
        deny all;
    }
}



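nginx (tengine) cannot read the custom header ns_clientip

If your web server sits behind a proxy server or CDN, $remote_addr in the logs may not be the client's real IP.
This is usually solved by installing the realip module.
The configuration is simple:

set_real_ip_from 192.168.1.0/24;  # which front end to accept the IP header from; a single IP or an IP range
set_real_ip_from 192.168.2.1;
real_ip_header X-Real-IP;  # the header that carries the IP

Note: nearly every tutorial online uses "X-Real-IP" as the header. Today I ran into a setup that uses "ns_clientip" as the header, and could not read it no matter what.

First I tried "$http_ns_clientip" and "$sent_http_clientip" in the log format, with no result.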

log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http_ns_clientip" "$sent_http_clientip"';

For a while I suspected the front end was not sending the header; tcpdump confirmed that it was.

tcpdump tcp port 80 -n -X -s 0

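After searching around, it turns out nginx restricts the characters allowed in header names: underscores_in_headers defaults to off, which means a header whose name contains an underscore is ignored.
The fix is to add underscores_in_headers on; to the http section of the configuration.
Now both the log and realip get the value correctly.

References: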
http://nginx.org/en/docs/http/ngx_http_log_module.html
http://holy2010.blog.51cto.com/blog/1086044/1840481



Fixing the Discuz uc.php code-injection vulnerability (caused by a leaked uc.key) flagged by Alibaba Cloud

File path: bbs/api/uc.php

1. Find the updatebadwords function:

if(!API_UPDATEBADWORDS) {
            return API_RETURN_FORBIDDEN;
        }

        $data = array();
        if(is_array($post)) {
            foreach($post as $k => $v) {
                // around line 240
                // fix uc key
                if(substr($v['findpattern'], 0, 1) != '/' || substr($v['findpattern'], -3) != '/is') {
                    $v['findpattern'] = '/' . preg_quote($v['findpattern'], '/') . '/is';
                }
                // end
                $data['findpattern'][$k] = $v['findpattern'];
                $data['replace'][$k] = $v['replacement'];
            }
        }

2. Find the updateapps function:
function updateapps($get, $post) {
        global $_G;

        if(!API_UPDATEAPPS) {
            return API_RETURN_FORBIDDEN;
        }
        // around line 280; in my copy the line below had already been removed
        // $UC_API = $post['UC_API'];

        $UC_API = '';
        if($post['UC_API']) {
            $UC_API = str_replace(array('\'', '"', '\\', "\0", "\n", "\r"), '', $post['UC_API']);
            unset($post['UC_API']);
        }
        // end
        $cachefile = DISCUZ_ROOT.'./uc_client/data/cache/apps.php';

Reference:
https://bbs.aliyun.com/read/292308.html



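Security advisory: high-risk remote code execution vulnerability in ImageMagick

Recently the China National Vulnerability Database (CNVD) recorded a remote code execution vulnerability in ImageMagick (CNVD-2016-02721, corresponding to CVE-2016-3714). A remote attacker can exploit it by uploading a maliciously crafted image file to execute arbitrary code on the target server and thereby gain control of the web server. Because many programming languages provide bindings for ImageMagick and some widely used web middleware includes the functionality in its deployments, this poses a major threat to the security of internet sites.
1. Vulnerability analysis
ImageMagick is open-source software for creating, editing and compositing images. It can read, convert and write images in many formats, is licensed under the GPL, and runs on most operating systems.
ImageMagick parses images in the ReadImage function in MagickCore/constitute.c; when the image path begins with https://, InvokeDelegate is called. MagickCore/delegate.c defines the delegates, and InvokeDelegate ultimately calls ExternalDelegateCommand to execute a command. An attacker exploits the vulnerability by uploading a malicious image to the target web server; once the program parses the image, the embedded arbitrary code can be executed, which allows the attacker to obtain sensitive server-side information or even take control of the server.
CNVD rates this vulnerability as "high risk".
2. Affected versions
The vulnerability affects all versions of ImageMagick up to and including 6.9.3-9.
ImageMagick is very widely used on web servers: mainstream languages including Perl, C++, PHP, Python and Ruby provide ImageMagick extensions, widely used CMS software such as WordPress and Drupal offers an ImageMagick option, and other applications call ImageMagick libraries for image processing and rendering. In addition, image processing done through the convert command in a shell is also affected by this vulnerability.
According to reports collected by community vulnerability-reporting platforms in China, the web systems of several well-known internet companies have already been affected.
3. Remediation
Exploit code for this vulnerability has already been published on the internet and the vendor has not yet released a fix; it is expected to be fixed shortly in ImageMagick 7.0.1-1 and 6.9.3-10. CNVD recommends that users watch the vendor's site for updates and install them promptly, to avoid security incidents related to this vulnerability.
Until the vendor releases a new version, the following measure is recommended: temporarily disable ImageMagick through its policy file, by adding the following code to the "/etc/ImageMagick/policy.xml" file: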

imagemagick
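
A check for the policy mitigation described above, as an added example (not from the original advisory): it reports which coders still lack a rights="none" entry in policy.xml. The coder names (EPHEMERAL, URL, HTTPS, MVG, MSL) are those in the mitigation published on imagetragick.com, which this post links; they are an assumption here because the post's own snippet is not present on the page, and only entries written one coder per line are recognised.

```sh
#!/bin/sh
# Added example: audit an ImageMagick policy.xml for the coder restrictions
# used as the interim mitigation for CVE-2016-3714.

# strip_xml_comments FILE: print FILE with <!-- ... --> comments removed,
# including comments that span several lines. Distribution policy files ship
# with commented-out sample entries, which must not count as active policy.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" }
                else {
                    out = out substr(line, 1, i - 1)
                    line = substr(line, i + 4); in_comment = 1
                }
            }
        }
        print out
    }' "$1"
}

# missing_coder_policies [POLICY_FILE]
# Prints, one per line, each coder that has no active
#   <policy domain="coder" rights="none" pattern="NAME" />
# entry. Attribute order does not matter. Prints nothing when all are present.
# Assumption: the coder list below is the one from imagetragick.com.
missing_coder_policies() {
    _policy=${1:-/etc/ImageMagick/policy.xml}
    for _coder in EPHEMERAL URL HTTPS MVG MSL; do
        if ! strip_xml_comments "$_policy" |
             grep -E '<policy[[:space:]]' |
             grep -F 'domain="coder"' |
             grep -F 'rights="none"' |
             grep -Fq "pattern=\"$_coder\""; then
            echo "$_coder"
        fi
    done
}

# Run as "sh script.sh /etc/ImageMagick/policy.xml" to audit a real file.
if [ -n "${1:-}" ]; then
    missing_coder_policies "$1"
fi
```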

Test whether the installation is safe:
wget https://github.com/ImageTragick/PoCs/archive/master.zip
unzip master.zip
cd PoCs-master
./test.sh

If it is vulnerable, the script prints UNSAFE:
user@host:~/code/PoCs$ ./test.sh
testing read
UNSAFE

testing delete
UNSAFE

testing http with local port: 44755
UNSAFE

testing http with nonce: a7DvBer2
UNSAFE

testing rce1
UNSAFE

testing rce2
UNSAFE

testing MSL
UNSAFE

Output when safe:
user@host:~/code/PoCs$ ./test.sh
testing read
SAFE

testing delete
SAFE

testing http with local port: 38663
SAFE

testing http with nonce: a7DyBeV7
SAFE

testing rce1
SAFE

testing rce2
SAFE

testing MSL
SAFE

升级ImageMagick.
当前最新版本为ImageMagick-7.0.2
wget http://www.imagemagick.org/download/ImageMagick.tar.gz
tar xvzf ImageMagick.tar.gz
cd ImageMagick-7.0.2
./configure
make
make install
ldconfig /usr/local/lib
/usr/local/bin/convert --version

Appendix: reference links:
https://imagetragick.com/ (dedicated site for the vulnerability)
https://github.com/ImageTragick/PoCs (local vulnerability detection script)

Exploit


http://www.cnvd.org.cn/flaw/show/CNVD-2016-02721
http://www.freebuf.com/vuls/103504.html



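Recompiling PHP to install the gmp extension

GMP, the GNU MP Bignum Library, is an open-source math library for arbitrary-precision arithmetic on signed integers, rational numbers and floating-point numbers. It has no built-in precision limit; the only limit is the machine's hardware.

First, try building it as a shared extension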
http://www.ipython.me/centos/php-gmp-ext.html
yum install gmp-devel

wget http://nchc.dl.sourceforge.net/project/re2c/old/re2c-0.13.5.tar.gz -O "re2c-0.13.5.tar.gz"
tar zxvf re2c-0.13.5.tar.gz
cd re2c-0.13.5
./configure
make && make install

wget https://gmplib.org/download/gmp/archive/gmp-4.1.3.tar.bz2
tar jxvf gmp-4.1.3.tar.bz2
cd gmp-4.1.3

./configure --with-php-config=/opt/php/bin/php-config
make
make install

/opt/php/bin/phpize
recursion limit of 1024 exceeded, use -L t

It kept failing…

Recompile PHP instead
cd <PHP install directory>
./configure --prefix=/opt/php-5.2.17gmp --with-config-file-path=/opt/php-5.2.17gmp/etc --with-mysql=/opt/mysql --with-mysqli=/opt/mysql/bin/mysql_config \
--with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --disable-rpath \
--enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl \
--with-curlwrappers --enable-mbregex --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring --with-mcrypt \
--with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap \
--enable-xml --enable-zend-multibyte --disable-debug --disable-ipv6 --with-gmp
make ZEND_EXTRA_LIBS='-liconv'
make install



Installing wkhtmltopdf so PHP can take website screenshots on Linux

http://wkhtmltopdf.org/obsolete-downloads.html
The newer releases depend on a lot of packages. My system is CentOS 5.8, so I use the old 64-bit version here; a Windows version is also available.
wget http://download.gna.org/wkhtmltopdf/obsolete/linux/wkhtmltoimage-0.10.0_rc2-static-amd64.tar.bz2

tar -jxvf wkhtmltoimage-0.10.0_rc2-static-amd64.tar.bz2

It is ready to use once unpacked
./wkhtmltoimage-amd64 --help

Name:
  wkhtmltoimage 0.10.0 rc2

Synopsis:
  wkhtmltoimage [OPTIONS]... <input file> <output file>

Description:
  Converts an HTML page into an image,

General Options:
      --crop-h <int>                  Set height for croping
      --crop-w <int>                  Set width for croping
      --crop-x <int>                  Set x coordinate for croping
      --crop-y <int>                  Set y coordinate for croping
  -H, --extended-help                 Display more extensive help, detailing
                                      less common command switches
  -f, --format <format>               Output file format (default is jpg)
      --height <int>                  Set screen height (default is calculated
                                      from page content) (default 0)
  -h, --help                          Display help
      --quality <int>                 Output image quality (between 0 and 100)
                                      (default 94)
  -V, --version                       Output version information an exit
      --width <int>                   Set screen width (default is 1024)
                                      (default 1024)

Contact:
  If you experience bugs or want to request new features please visit
  <http://code.google.com/p/wkhtmltopdf/issues/list>, if you have any problems
  or comments please feel free to contact me: <uuf6429@gmail.com>

./wkhtmltoimage-amd64 http://www.baidu.com baidu.jpg
Loading page (1/2)
Rendering (2/2)
Done

Capture a 1024*1024 JPG image at quality 35
./wkhtmltoimage-amd64 --crop-h 1024 --crop-w 1024 --quality 35 http://blog.c1gstudio.com c1g.jpg


Using it with PHP
cp wkhtmltoimage-amd64 /opt/toolkits/
chown www:website /opt/toolkits/wkhtmltoimage-amd64
chmod 550 /opt/toolkits/wkhtmltoimage-amd64

vi /opt/php/etc/php.ini
open_basedir = "/opt/htdocs:/tmp/session:/tmp/upload:/opt/php/PEAR:/opt/php/lib/php:/opt/toolkits/"

Restart php-fpm
/opt/php/sbin/php-fpm restart

vi test.php
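
One way test.php could call the binary, as an added example (not the author's script): the URL is limited to http/https and every argument is shell-quoted before exec(), because a page URL taken from a request would otherwise reach the shell unescaped. capture_page(), SHOT_DIR and the output directory are assumptions; the binary path and the crop and quality options are the ones used above.

```php
<?php
// Added example, not the post's test.php. capture_page() and SHOT_DIR are
// hypothetical names; the binary path is the one used in the post.
define('WKHTMLTOIMAGE', '/opt/toolkits/wkhtmltoimage-amd64');
define('SHOT_DIR', '/opt/htdocs/shots'); // assumed: inside open_basedir, writable by php-fpm

function capture_page($url, $width = 1024, $height = 1024, $quality = 35)
{
    // Accept only absolute http/https URLs, so a value such as "file:///..."
    // or one starting with "-" (which would be parsed as an option) is rejected.
    // If URLs come from users, restrict the allowed hosts as well: the page
    // is fetched from inside your own network.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        throw new InvalidArgumentException('only http(s) URLs are allowed');
    }

    // The output name is derived from a hash, never from user input.
    $out = SHOT_DIR . '/' . sha1($url) . '.jpg';

    // Integers are cast and strings are shell-quoted, so nothing in $url
    // can end the argument or append a second command.
    $cmd = sprintf(
        '%s --crop-h %d --crop-w %d --quality %d %s %s 2>&1',
        escapeshellarg(WKHTMLTOIMAGE),
        (int) $height,
        (int) $width,
        max(0, min(100, (int) $quality)),
        escapeshellarg($url),
        escapeshellarg($out)
    );

    exec($cmd, $output, $status);
    if ($status !== 0 || !is_file($out)) {
        throw new RuntimeException('wkhtmltoimage failed: ' . implode("\n", $output));
    }
    return $out;
}

try {
    echo 'saved ' . capture_page('http://blog.c1gstudio.com') . "\n";
} catch (Exception $e) {
    echo 'error: ' . $e->getMessage() . "\n";
}
```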



The easily overlooked HTTP_X_FORWARDED_FOR attack

function getIP() {
    // Client-supplied headers are checked before the connection address
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
        $realip = $_SERVER['HTTP_CLIENT_IP'];
    } else {
        $realip = $_SERVER['REMOTE_ADDR'];
    }
    return $realip;
}

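This is a get-IP function commonly found online.

The value of X-Forwarded-For in it can be set to anything by the client.

It can be rewritten in Firefox with the Modify Headers add-on, with PHP's fsockopen() function, or by similar means.

If you write the IP to a database and have error output turned on, changing the value of HTTP_X_FORWARDED_FOR to 192.168.0.1' or 1= may result in SQL injection.

Likewise, HTTP variables such as $_SERVER["HTTP_USER_AGENT"], $_SERVER["HTTP_ACCEPT_LANGUAGE"] and $_SERVER['HTTP_REFERER'] must be filtered before they are stored in a database.

Improved get-IP function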

$OnlineIP = '';
if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
    $OnlineIP = getenv('HTTP_CLIENT_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
    $OnlineIP = getenv('HTTP_X_FORWARDED_FOR');
} elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $OnlineIP = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $OnlineIP = $_SERVER['REMOTE_ADDR'];
}
// Keep only the first run of digits and dots; anything else becomes 'unknown'
preg_match("/[\d\.]{7,15}/", $OnlineIP, $match);
$OnlineIP = !empty($match[0]) ? $match[0] : 'unknown';
unset($match);
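
A stricter variant, as an added example (not code from the original post): only REMOTE_ADDR comes from the connection itself, so X-Forwarded-For is honoured only when the direct peer is a known reverse proxy, every candidate is validated with filter_var(), and the value reaches the database through a bound parameter. client_ip(), the proxy addresses, the sample requests and the access_log table are assumptions, and the in-memory database assumes the pdo_sqlite extension.

```php
<?php
// Added example. The proxy list, the sample requests and the access_log
// table are constructed for illustration.
$trustedProxies = array('127.0.0.1', '10.0.0.5');

function client_ip(array $server, array $trustedProxies)
{
    // REMOTE_ADDR comes from the TCP connection; a request header cannot change it.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    // Honour X-Forwarded-For only when the direct peer is one of our own proxies.
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Read right to left: our proxies append on the right, so everything to
    // the left of the first untrusted address is client-controlled.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;   // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;      // first address that is not one of our proxies
        }
    }
    return $remote;
}

// Direct client sending the header value quoted in the post: header ignored.
$spoofed = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "192.168.0.1' or 1=",
);
// Request relayed by 10.0.0.5; the client prepended a forged first entry.
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '192.168.0.1, 198.51.100.23',
);

// Bound parameter: the value is data, never part of the SQL text.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE access_log (ip TEXT)');
$stmt = $db->prepare('INSERT INTO access_log (ip) VALUES (?)');
foreach (array($spoofed, $proxied) as $request) {
    $stmt->execute(array(client_ip($request, $trustedProxies)));
}
print_r($db->query('SELECT ip FROM access_log')->fetchAll(PDO::FETCH_COLUMN));
```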

References:

http://www.jb51.net/article/37690.htm

http://zhangxugg-163-com.iteye.com/blog/1663687
