Nginx 前挂Cloudflare 后的日志分析

Adserver, Cloudflare, NginxLeave a comment

将nginx服务器隐藏在cloudflare 服务后端,在nginx 的默认access log里面显示的IP 都是cloudflare,因此我们需要把日志中的访问IP改成真正的用户IP. 有很多种办法可以实现,但是下面的这种办法应该是最简单的.

Cloudflare 用X-Forwarded-For这个header 来传递用户的真实IP,因此我们只需要在nginx 的conf中,设置一个新的nginx log format就可以.

默认的nginx access log format 是:

log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

我们可以添加一个新的log format:

log_format csf '$http_x_forwarded_for - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

access log 可以设置成类似于这样的:

access_log /your/access/log/path csf;

这样,用户的真实IP就会展现在access log里面了

Centos 7 通过nginx repo 安装的nginx的配置解析

SEOLeave a comment 
[root@vultr ~]# nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

我们可以看到nginx官方就是使用的Centos/RHEL官方自带的repo里的gcc来编译的, gcc 版本是4.8.5, openssl 也是官方repo里面自带的1.0.2k的版本(1.1.1以后的版本支持更多的加密方式)

因此nginx 的配置路径为:

nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib64/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"

下面看看usergroup

vi /etc/password
nginx:x:997:995:nginx user:/var/cache/nginx:/sbin/nologin

看看user group history

[root@vultr ~]# grep nginx /var/log/secure
Dec 7 11:36:28 vultr groupadd[1162]: group added to /etc/group: name=nginx, GID=995
Dec 7 11:36:28 vultr groupadd[1162]: group added to /etc/gshadow: name=nginx
Dec 7 11:36:28 vultr groupadd[1162]: new group: name=nginx, GID=995
Dec 7 11:36:28 vultr useradd[1167]: new user: name=nginx, UID=997, GID=995, home=/var/cache/nginx, shell=/sbin/nologin

看看nginx service

vi /usr/lib/systemd/system/nginx.service

[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

 

 

Mysql 快速备份和恢复

Mysql 
shell> mysqldump db1 > dump.sql
shell> mysqladmin create db2
shell> mysql db2 < dump.sql

Do not use –databases on the mysqldump command line because that causes USE db1 to be included in the dump file, which overrides the effect of naming db2 on the mysql command line.

有的时候root的密码不为空,这个时候我们就需要:

shell> mysqldump -uroot -p db1 > dump.sql

这个我们就可以把db1的表给倒出来了

Centos 7 安装并配置monit

CentOSLeave a comment

Monit 是一个开源的linux 程序,用来监控程序,并且在必要的时候重启.

在centos上安装的非常的简单.

首先需要安装epel repo:

yum install epel-release

然后就可以安装monit了

yum install monit

将monit加入开机自启动并且start monit进程:

systemctl enable monit
systemctl start monit

查看monit 状态:

systemctl status monit

更多

404 error when downloading .iso file from IIS

IISLeave a comment

最近运行了一些IIS 服务器来做下载服务器,在下载.iso 文件的时候,经常会有404 error,这是因为IIS 服务器的配置文件里面没有正确的iso文件的MIME类型,因此我们需要为iso 文件添加MIME 类型

在IIS Manager上,Sites -> Your_Site, 在右边feature view里面双击MIME Types, 选择添加, file name extension 为 iso, MIME type 是

application/octetstream

点击OK,这时候你在下载就会发现404 错误没有了

Debian 9, Debian 10 以及Ubuntu 关闭IPv6

LinuxLeave a comment

用netinst.iso 安装的debian 和 ubuntu,默认都会开启IPv6,但是很多服务商并不分配IPv6,因此大部分的时候我们需要将IPv6 关闭。主要有两种办法,一个是修改sysctl.conf, 或者是在/etc/sysctl.d 目录下创建一个.conf 文件

Method 1:

编辑/etc/sysctl.conf 文件,在文件的最末尾添加下面的entry:

net.ipv6.conf.all.disable_ipv6 = 1

如果仅想关闭某一网卡的ipv6,比如说ens4, 那就可以添加下面的entry:

net.ipv6.conf.ens4.disable_ipv6 = 1

让命令生效:

sysctl -p

Method 2:

在/etc/sysctl.d 目录下创建70-disable-ipv6.conf

nano /etc/sysctl.d/70-disable-ipv6.conf

添加下面的entry:

net.ipv6.conf.all.disable_ipv6 = 1

如果仅仅想关闭某一网卡,比如说ens4, 添加下面的entry:

net.ipv6.conf.ens4.disable_ipv6 = 1

立刻生效:

sysctl -p -f /etc/sysctl.d/70-disable-ipv6.conf

就是这么简单

 

 

Centos 7, Debian 9, Debian 10 安装open virtual machine tools(open-vm-tools)

VMWare, ,

open-vm-tools 是esxi 采用的开源版本的vmware tools

在ESXi的虚拟机上,你或者安装vmware tools,或者安装开源版本的open-vm-tools. 在vmware的官方文档上,open-vm-tools 是被推荐使用的.

在centos7, debian 9 或者debian 10上,安装open-vm-tools 非常的简单,只需要一条命令就可以:

yum install open-vm-tools
apt-get install open-vm-tools

安装完毕以后,需要重启一下让open-vm-tools生效

搬瓦工DC9 CN2GIA 小鸡benchmark

BenchmarkLeave a comment

用了很久的CN2GIA,今天没事正好看看网络质量,看看是不是合适做smb服务.

测试使用的程序:

wget -qO- bench.sh | bash

下面是结果:

----------------------------------------------------------------------
CPU model : QEMU Virtual CPU version (cpu64-rhel6)
Number of cores : 2
CPU frequency : 2599.998 MHz
Total size of Disk : 19.9 GB (2.5 GB Used)
Total amount of Mem : 1003 MB (89 MB Used)
Total amount of Swap : 259 MB (10 MB Used)
System uptime : 0 days, 0 hour 37 min
Load average : 0.33, 0.09, 0.03
OS : Debian GNU/Linux 10
Arch : x86_64 (64 Bit)
Kernel : 4.19.0-6-amd64
----------------------------------------------------------------------
I/O speed(1st run) : 444 MB/s
I/O speed(2nd run) : 431 MB/s
I/O speed(3rd run) : 406 MB/s
Average I/O speed : 427.0 MB/s
----------------------------------------------------------------------
Node Name IPv4 address Download Speed
CacheFly 205.234.175.175 84.2MB/s
Linode, Tokyo2, JP 139.162.65.37 2.32MB/s
Linode, Singapore, SG 139.162.23.4 1.09MB/s
Linode, London, UK 176.58.107.39 2.12MB/s
Linode, Frankfurt, DE 139.162.130.8 2.06MB/s
Linode, Fremont, CA 50.116.14.9 12.0MB/s
Softlayer, Dallas, TX 173.192.68.18 3.96MB/s
Softlayer, Seattle, WA 67.228.112.250 7.59MB/s
Softlayer, Frankfurt, DE 159.122.69.4 2.05MB/s
Softlayer, Singapore, SG 119.81.28.170 4.78MB/s
Softlayer, HongKong, CN 119.81.130.170 3.06MB/s

由此可见,DC9 的网络对US 的支持很一般,开启samba服务要当心