分类目录归档:运维 & 基础架构

operations & infrastructure

Howto:Nginx

1、nginx+php 出现404

No input file specified.

2017/08/25 16:13:45 [error] 4866#4866: *1 FastCGI sent in stderr: “Unable to open primary script: /var/www/xxx/phpinfo.php (Operation not permitted)” while reading response header from upstream, client: 192.168.126.234, server: localhost, request: “GET /phpinfo.php HTTP/1.1”, upstream: “fastcgi://127.0.0.1:9000”, host: “www.xxx.com”

192.168.126.234 – – [25/Aug/2017:16:13:45 +0800] “GET /phpinfo.php HTTP/1.1” 404 36 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063” “-”

网站根目录:/var/www/xxx

配置文件:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    access_log  /var/log/nginx/host.access.log  main;

        root   /var/www/xxx;
    location / {
        #root   /var/www/xxx;
        index  index.php index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
     #   root           /var/www/xxx;
        fastcgi_pass   127.0.0.1:9000;
        #fastcgi_pass   unix:/tmp/php-fpm.sock;
        fastcgi_index  index.php;
        #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

各种搜,各种修改权限,各种修改php.ini的open_basedir,都没效果

最后才发现,有个隐藏文件.user.ini,里面包含了内容:

open_basedir=/www/wwwroot/xxx//:/tmp/:/proc/

原来文件夹内的user.ini配置了open_basedir,导致错误,将open_basedir修改为当前正确的值后,问题解决。

LVS、Nginx 及 HAProxy 的工作原理

当前大多数的互联网系统都使用了服务器集群技术,集群是将相同服务部署在多台服务器上构成一个集群整体对外提供服务,这些集群可以是 Web 应用服务器集群,也可以是数据库服务器集群,还可以是分布式缓存服务器集群等等。

在实际应用中,在 Web 服务器集群之前总会有一台负载均衡服务器,负载均衡设备的任务就是作为 Web 服务器流量的入口,挑选最合适的一台 Web 服务器,将客户端的请求转发给它处理,实现客户端到真实服务端的透明转发。

最近几年很火的「云计算」以及分布式架构,本质上也是将后端服务器作为计算资源、存储资源,由某台管理服务器封装成一个服务对外提供,客户端不需要关心真正提供服务的是哪台机器,在它看来,就好像它面对的是一台拥有近乎无限能力的服务器,而本质上,真正提供服务的,是后端的集群。 继续阅读

tcpdump使用技巧

一般情况下,非HTTP协议的网络分析,在服务器端用tcpdump比较多,在客户端用wireshark比较多,两个抓包软件的语法是一样的。

一、基本语法

1.1、过滤主机

  • 抓取所有经过eth1,目的或源地址是192.168.1.1的网络数据
tcpdump -i eth1 host 192.168.1.1
  • 指定源地址
tcpdump -i eth1 src host 192.168.1.1
  • 指定目的地址
tcpdump -i eth1 dst host 192.168.1.1

1.2、过滤端口

继续阅读

Python fabric远程自动部署简介

Fabric是一个Python(2.5-2.7)库,用于简化使用SSH的应用程序部署或系统管理任务。

它提供的操作包括:执行本地或远程shell命令,上传/下载文件,以及其他辅助功能,如提示用户输入、中止执行等。

本文主要介绍CentOS 6.3上使用fabric进行自动部署的基本方法。 继续阅读

haproxy: restrict specific URLs to specific IP addresses

This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses. For example, to make sure your admin interface can only be accessed from your company IP address.

This snippet was tested on haproxy 1.5.

This snippet is tested on a Digital Ocean VPS. If you like this snippet and want to support me, plus get free credit @ DO, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212

This example restricts access to the /admin/ and /helpdesk URL’s. It only allows access from the IP addresses 20.30.40.50 and 20.30.40.40. Any other IP addresses will get the standard haproxy 403 forbidden error. 继续阅读

Install package network:ha-clustering:Stable / crmsh

For RedHat RHEL-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/RedHat_RHEL-6/network:ha-clustering:Stable.repo
yum install crmsh

For Fedora 25 run the following as root:

dnf config-manager --add-repo http://download.opensuse.org/repositories/network:ha-clustering:Stable/Fedora_25/network:ha-clustering:Stable.repo
dnf install crmsh

For CentOS CentOS-7 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-7/network:ha-clustering:Stable.repo
yum install crmsh

For CentOS CentOS-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-6/network:ha-clustering:Stable.repo
yum install crmsh

ModSecurity

一、简介

ModSecurity是一款免费的开源主机waf软件(@http://www.modsecurity.org/),目前官网最新版本为2.9.1,支持nginx/apache/iis(32、64位)。它主要是作为上述web应用的扩展模块形式存在,通过相关的规则文件,对外部恶意的web攻击进行识别,并作出进一步的丢弃操作。  继续阅读

CIB not supported: validator ‘pacemaker-2.4’, release ‘3.0.10’

[root@a2 ~]# crm configure show
ERROR: CIB not supported: validator ‘pacemaker-2.4’, release ‘3.0.10’
ERROR: You may try the upgrade command
ERROR: configure: Missing requirements

If you look at the first line/tag in your Pacemaker configuration (# cibadmin –query > /tmp/cib.xml) you should see something like the following:
<cib crm_feature_set=”3.0.10″ validate-with=”pacemaker-2.4″ epoch=”6″ num_updates=”8″ …> 继续阅读

Kubernetes系统架构简介

1. 前言

Together we will ensure that Kubernetes is a strong and open container management framework for any application and in any environment, whether in a private, public or hybrid cloud.

Urs Hölzle, Google

Kubernetes作为Docker生态圈中重要一员,是Google多年大规模容器管理技术的开源版本,是产线实践经验的最佳表现[G1] 。如Urs Hölzle所说,无论是公有云还是私有云甚至混合云,Kubernetes将作为一个为任何应用,任何环境的容器管理框架无处不在。正因为如此, 目前受到各大巨头及初创公司的青睐,如Microsoft、VMWare、Red Hat、CoreOS、Mesos等,纷纷加入给Kubernetes贡献代码。随着Kubernetes社区及各大厂商的不断改进、发展,Kuberentes将成为容器管理领域的领导者。

接下来我们会用一系列文章逐一探索Kubernetes是什么、能做什么以及怎么做。 继续阅读

Generating password hashes with puppet

Puppet expects the user’s password to be encrypted in the format the local system expects, for most modern Unix-like systems (Linux, *BSD, Solaris, etc.) this format is a salted SHA1 password hash.

To generate a password hash to use with puppet manifest files you can use the mkpasswd utility (it’s available in the whois package):

1
2
3
$ mkpasswd -m sha-512
Password:
$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//

You can then use the password hash in a puppet manifest file:

1
2
3
4
user { 'root':
    ensure   => 'present',
    password => '$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//',
}

Don’t forget to put the password in quotes so that puppet does not interpret it as a variable if it contains the dollar sign ($).

If you want the passwords to be stored in plain text in the puppet manifest you can use puppet’s generate function to call mkpassword and return the generated the hash version of the password:

1
2
3
4
5
$password = 'your_plain_text_password'
user { 'root':
    ensure   => 'present',
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
}
References: