iptables: open access only to certain IPs, with ranges given as start-end

IPB=/sbin/iptables
$IPB -F INPUT   # flushes every rule in INPUT, including any SSH allow rule: run this from a console, not over SSH

for kk in $(awk '{printf ("%s_%s\n",$1,$2)}' ip.txt)
do
    #echo "$kk"
    startip=$(echo "$kk" | awk -F "_" '{print $1}')
    endip=$(echo "$kk" | awk -F "_" '{print $2}')
    $IPB -A INPUT -p tcp --dport 80 -m iprange --src-range "$startip-$endip" -j ACCEPT
done
### deny all
$IPB -A INPUT -p tcp --dport 80 -j DROP

ip.txt looks like this (only the first two columns are used):

1.0.1.0 1.0.3.255 768
1.0.8.0 1.0.15.255 2,048
1.0.32.0 1.0.63.255 8,192
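
As an added example (not the post's script), the same allow list can be generated more defensively: every address read from ip.txt is validated before it reaches iptables, the rules go into a dedicated chain instead of flushing INPUT (which would also drop any SSH allow rule already present), and the script prints the commands rather than executing them. The ip.txt sample and the WEB_ALLOW chain name are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's script: build the port-80 allow list from
# ip.txt, validate each address, and use a dedicated chain. Dry run: prints
# the iptables commands instead of running them.

# Constructed copy of the ip.txt format from the post, plus one malformed line.
IP_RANGES='1.0.1.0 1.0.3.255 768
1.0.8.0 1.0.15.255 2,048
1.0.32.0 1.0.63.255 8,192
bad.line 1.0.0.1 x'

CHAIN=WEB_ALLOW   # hypothetical chain name

# valid_ipv4 ADDR: succeed only for four dotted decimal octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# range_rule START END: print the ACCEPT rule for one range; fail on bad
# input so a typo never reaches iptables (which would abort the whole run).
range_rule() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    printf 'iptables -A %s -p tcp --dport 80 -m iprange --src-range %s-%s -j ACCEPT\n' "$CHAIN" "$1" "$2"
}

# build_rules: emit the complete rule set; malformed lines are reported on
# stderr and skipped instead of silently producing a broken rule.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    printf '%s\n' "$IP_RANGES" | while read -r start end _count; do
        range_rule "$start" "$end" || echo "skipped malformed line: $start $end" >&2
    done
    echo "iptables -A $CHAIN -p tcp --dport 80 -j DROP"
    # hook the chain into INPUT once; the rules already in INPUT (e.g. SSH) stay untouched
    echo "iptables -C INPUT -p tcp --dport 80 -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport 80 -j $CHAIN"
}

# accept_count: number of ACCEPT rules generated.
accept_count() { build_rules 2>/dev/null | grep -c -- '--src-range'; }

build_rules
```

Pipe the output into sh once it looks right; the -C/-I pair keeps the hook idempotent across reruns.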

nginx configuration for ThinkPHP in pathinfo mode, for 3.2 and 5.0

tp-nginx-config

server
{
# for thinkphp 3.2 and thinkphp 5.0
# pathinfo mode
# module/controller/action/params
# 3.2 usage: /home/index/index/params
# 5.0 usage: /index/index/index/params
listen 80;
server_name tp; #mod this line
index index.php index.html;
root /tpdir; #mod this line

location / {
index index.php index.htm;
if (!-e $request_filename) {
rewrite ^/(.*)$ /index.php/$1 last;
break;
}
}
location ~ \.php {
fastcgi_pass 127.0.0.1:9000; #mod this line
fastcgi_index index.php;
# default to the whole script name and an empty PATH_INFO, then split off "/..." after the first .php
set $real_script_name $fastcgi_script_name;
set $path_info "";
if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
set $real_script_name $1;
set $path_info $2;
}
fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
include fastcgi_params;
fastcgi_param PATH_INFO $path_info;
}

}
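
The following is an added example, not part of the post's configuration: a small shell emulation of the request handling above, so the split of a URI into script name and PATH_INFO (the ^(.+?\.php)(/.+)$ rule) can be checked offline. It also adds the check a production deployment should have: the script file named in SCRIPT_FILENAME must exist under root, otherwise nginx should answer 404 itself (try_files $fastcgi_script_name =404) instead of handing the path to PHP-FPM to resolve. The document root and its files are constructed with mktemp; route, resolve_php and split_path_info are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the post: emulate the two locations of the server
# block and the script/PATH_INFO split, with an existence check on the script.

# Constructed document root standing in for /tpdir.
DOCROOT=$(mktemp -d)
: > "$DOCROOT/index.php"
mkdir -p "$DOCROOT/uploads"
: > "$DOCROOT/uploads/avatar.jpg"

# split_path_info URI: print "script<TAB>pathinfo", like the nginx regex
# ^(.+?\.php)(/.+)$ (non-greedy: the first segment ending in .php is the script).
split_path_info() {
    printf '%s\n' "$1" | awk -F/ '{
        script = ""
        for (i = 2; i <= NF; i++) {
            script = script "/" $i
            if ($i ~ /\.php$/) {
                rest = ""
                for (j = i + 1; j <= NF; j++) rest = rest "/" $j
                print script "\t" rest
                exit
            }
        }
        print $0 "\t"
    }'
}

# resolve_php URI: what "location ~ \.php" should hand to PHP-FPM:
# "200 SCRIPT_FILENAME PATH_INFO=..." or "404" when the script is missing.
resolve_php() {
    pair=$(split_path_info "$1")
    script=$(printf '%s\n' "$pair" | cut -f1)
    info=$(printf '%s\n' "$pair" | cut -f2)
    case $script in *.php) ;; *) echo 404; return ;; esac
    if [ -f "$DOCROOT$script" ]; then
        echo "200 $DOCROOT$script PATH_INFO=$info"
    else
        echo 404
    fi
}

# route URI: non-PHP URIs that exist on disk are served as files; missing ones
# are rewritten to /index.php/<uri> as "rewrite ^/(.*)$ /index.php/$1 last;"
# does. (The post's "location ~ \.php" matches any URI containing ".php";
# the pattern here is tightened to ".php" as a whole segment.)
route() {
    case $1 in
        *.php|*.php/*) resolve_php "$1" ;;
        *) if [ -e "$DOCROOT$1" ]; then echo "static $DOCROOT$1"
           else resolve_php "/index.php$1"; fi ;;
    esac
}

route /home/index/index
route /uploads/avatar.jpg
route /uploads/avatar.jpg/x.php
```

The third call is the case the existence check exists for: an uploaded file with a trailing /x.php must come back as 404 from nginx, not be passed to PHP-FPM as a script path.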

Installing MySQL 5.6 from rpm on CentOS 6.X x86_64: download the following packages

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-server-5.6.33-2.el6.x86_64.rpm

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-client-5.6.33-2.el6.x86_64.rpm

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-common-5.6.33-2.el6.x86_64.rpm

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-devel-5.6.33-2.el6.x86_64.rpm

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-libs-5.6.33-2.el6.x86_64.rpm

http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-libs-compat-5.6.33-2.el6.x86_64.rpm

MySQL's information_schema database

https://dev.mysql.com/doc/refman/5.7/en/information-schema.html

information_schema can be used for many things: this database stores MySQL's metadata!

For example:

1) find which tables use InnoDB

2) find the size of InnoDB tables

3) look up the definition of a column

Example
SELECT table_schema, table_name, table_rows,
ROUND((data_length+index_length)/1024/1024) AS total_mb,
ROUND(data_length/1024/1024) AS data_mb,
ROUND(index_length/1024/1024) AS index_mb
FROM INFORMATION_SCHEMA.TABLES WHERE engine='InnoDB'
ORDER BY total_mb DESC;

nginx SSL: several names on one IP, plus a convenience script

First, the reference for configuring SSL for multiple domains on a single IP in nginx is

Multiple HTTPS domains on one IP with nginx

Second, this script makes it easy to use the free certificates Let's Encrypt provides:

https://github.com/xdtianyu/scripts/tree/master/lets-encrypt

An example configuration file, letsencrypt.conf-myssl:

ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="/www/ssl/myssldomain.com.key"
DOMAIN_DIR="/www/myssldomain"
DOMAINS="DNS:myssldomain.com,DNS:www.myssldomain.com"

The method is simply to write the conf file and then run

letsencrypt.sh   letsencrypt.conf-myssl

The script registers the account and generates the keys for you. Afterwards only the nginx configuration needs changing.

The nginx configuration is written like this:

server
{
listen 80;
listen 443 ssl;   # TLS only on the 443 listener; a server-wide "ssl on;" would also make port 80 expect TLS and break the redirect below
if ($scheme = http) {return 301 https://$server_name$request_uri;}
server_name www.myssldomain.com myssldomain.com;
root /www/myssldomain/;
index index.php index.html;
include php.conf;
ssl_certificate "/www/ssl/myssldomain.chained.crt";
### note: use chained.crt here, it is accepted by most browsers
ssl_certificate_key "/www/ssl/myssldomain.com.key";
}

Compiling the SSL module for wdcp's Apache

Download the Apache source from http://archive.apache.org/dist/httpd/

After extracting, enter modules/ssl and run

/www/wdlinux/apache/bin/apxs -a -i -DHAVE_OPENSSL=1 -I/usr/include/openssl -L/usr/lib64/openssl -c *.c -lcrypto -lssl -ldl

The 3 lines below are not necessarily right. In general it is better to enable https by editing conf/extra/httpd-ssl.conf

The 3 lines below are for reference only:

SSLCertificateChainFile /www/wdlinux/apache/conf/1_root_bundle.crt
SSLCertificateFile /www/wdlinux/apache/conf/2_www.域名.com.crt
SSLCertificateKeyFile /www/wdlinux/apache/conf/3_www.域名.com.key

PS:

Redirecting http 80 to https 443

In .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://www.yourname.com%{REQUEST_URI} [L,R=301]
</IfModule>

Notes on using Apache 2.4's Substitute module

Apache 2.4's Substitute module is a handy thing: it can rewrite page content on the fly, for example doing text replacements, such as

ProxyPass /  http://other_web_site.com
ProxyPassReverse / http://other_web_site.com
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://other_web_site.com|http://localhost|i"

which replaces every http://other_web_site.com in the page with http://localhost.

Sometimes you will find it does not take effect and nothing is replaced, yet there is no error anywhere.
The cause is very likely that the proxied site compresses its responses, so what Substitute sees is compressed data, which it naturally cannot rewrite. The data would have to be decompressed before the filter runs; but you don't actually need to decompress it, just tell the upstream server that you do not accept compressed content, which takes one more module:
LoadModule headers_module modules/mod_headers.so

This module can change the headers the proxy module sends upstream:
RequestHeader set Accept-Encoding ""

The complete configuration then looks like this:

ProxyPass /  http://other_web_site.com
ProxyPassReverse /   http://other_web_site.com
RequestHeader set Accept-Encoding ""
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://other_web_site.com|http://localhost|i"

The following modules must all be enabled:

LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule substitute_module modules/mod_substitute.so

Appendix: on running into gzip when proxying in nginx

See http://www.zjpro.com/nginx-substitutions4nginx.html

Linux with a ppp VPN configured: Baidu is slow or unreachable

As the title says: I set up a VPN and can reach Google, FB and so on, but now I cannot reach Baidu or Amazon. This is really strange; has anyone run into the same problem? Urgently looking for an answer!!

Download ip-up-local, upload it to the server as /etc/ppp/ip-up.local, then restart the ppp service

service pptpd stop && service pptpd start

Reference:

http://www.iyunv.com/thread-27228-1-1.html

Configuring hotlink protection in nginx

In nginx, hotlink protection has to explicitly allow both your domain and its wildcard, so the *.domain.com in the example is required; otherwise names like www.domain.com would be blocked as well.

location ~* \.(gif|jpg|jpeg|png|bmp|swf|flv)$
{
valid_referers none blocked domain.com *.domain.com baidu.com *.baidu.com ;
if ($invalid_referer) {
return 403;
}
}
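
As an added example (not the post's config), here is an offline emulation of how that valid_referers line classifies a Referer value, useful for checking the list before deploying it. It follows nginx's documented semantics: none passes requests with no Referer at all, blocked passes values that lack an http:// or https:// prefix, and the remaining entries are matched against the host part of the Referer only, so domain.com and *.domain.com are separate entries, as the text says. domain.com is kept as the placeholder from the post; referer_valid and decide are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the post: emulate
#   valid_referers none blocked domain.com *.domain.com baidu.com *.baidu.com;
# for a given Referer header value.

# referer_valid REFERER: succeed when nginx would leave $invalid_referer empty.
referer_valid() {
    ref=$1
    # "none": the request carries no Referer at all
    [ -z "$ref" ] && return 0
    # "blocked": a Referer is present but a proxy/firewall stripped it; nginx
    # treats any value not starting with http:// or https:// this way
    case $ref in
        http://*|https://*) ;;
        *) return 0 ;;
    esac
    # otherwise compare the host part only (scheme, path and port removed)
    host=${ref#*://}
    host=${host%%/*}
    host=${host%%:*}
    case $host in
        domain.com|*.domain.com|baidu.com|*.baidu.com) return 0 ;;
    esac
    return 1
}

# decide URI REFERER: "403" or "200", applying the check only to the image
# extensions of the location regex (case-insensitive, as ~* is).
decide() {
    lower=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    case $lower in
        *.gif|*.jpg|*.jpeg|*.png|*.bmp|*.swf|*.flv)
            if referer_valid "$2"; then echo 200; else echo 403; fi ;;
        *) echo 200 ;;
    esac
}

decide /img/a.JPG "http://other.example/page"
decide /img/a.JPG "http://www.domain.com/page"
```

Because of none, a client that simply omits the Referer header is always let through; treat the rule as a deterrent against casual hotlinking, not as access control.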

High-performance nginx parameters

1) Parameters in nginx.conf, assuming an 8-core (logical cores) server

worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 102400;
events
{
use epoll;
worker_connections 204800;
accept_mutex on;
}

2) /etc/rc.local

echo "ulimit -SHn 65535" >> /etc/rc.local

3) /etc/security/limits.conf

* soft nofile 655360
* hard nofile 655360

4) /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# note: tcp_tw_recycle breaks connections from clients behind NAT and no longer exists in Linux 4.12 and later
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
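
Added example, not from the post: a small audit that compares the values a host actually has with the list above and reports drift. Both lists are constructed strings; on a real host the CURRENT block would be the output of sysctl -a. One entry is singled out: net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed from Linux in 4.12, so on a current kernel the key is simply absent. lookup, kv and drift are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the post: report sysctl drift against a desired list.

# Subset of the post's /etc/sysctl.conf.
DESIRED='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.ip_forward = 0'

# Constructed stand-in for "sysctl -a" output on the host being audited
# (sysctl prints multi-value keys with tabs or runs of spaces).
CURRENT='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_rmem = 4096   131072   6291456
net.ipv4.ip_forward = 0'

# lookup KEY LIST: value of KEY in LIST with whitespace normalised, or empty.
lookup() {
    printf '%s\n' "$2" | awk -F'=' -v k="$1" '{
        key = $1; gsub(/[ \t]/, "", key)
        if (key == k) {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            print v; exit
        }
    }'
}

# drift: one line per desired key that is missing or differs on the host.
drift() {
    printf '%s\n' "$DESIRED" | while IFS= read -r line; do
        key=$(printf '%s\n' "$line" | awk -F'=' '{ k = $1; gsub(/[ \t]/, "", k); print k }')
        want=$(lookup "$key" "$DESIRED")
        have=$(lookup "$key" "$CURRENT")
        case $key in
            net.ipv4.tcp_tw_recycle)
                echo "$key: do not set (breaks clients behind NAT; removed in Linux 4.12)"
                continue ;;
        esac
        if [ -z "$have" ]; then
            echo "$key: not present on this kernel"
        elif [ "$have" != "$want" ]; then
            echo "$key: want '$want', have '$have'"
        fi
    done
}

drift
```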

 

Reference:

http://www.open-open.com/lib/view/open1392942521299.html

apt.sw.be is gone, which breaks wdcp installation

Edit /etc/yum.repos.d/rpmforge.repo

### Name: RPMforge RPM Repository for RHEL 5 to 6 - dag
### URL: http://rpmforge.net/
### MODIFIED BY QQ733905
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = https://mirrors.tuna.tsinghua.edu.cn/repoforge/redhat/el$releasever/en/$basearch/rpmforge/
mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
# gpgcheck = 0 skips signature verification; with the gpgkey above installed, gpgcheck = 1 makes yum verify every package
gpgcheck = 0

A strange Linux network outage

A customer's CentOS Linux system had dz communication failures.
After logging in over ssh I found the server had two IPs, 1.1.1.1 and 1.1.1.2.
It turned out that 1.1.1.1 had been retired and replaced by 1.1.1.2, but the previous system administrator took a shortcut:
he only added the new IP 1.1.1.2 and never removed the old one, so outbound pings and connections initiated by the server
were all treated as coming from the old IP; presumably the upstream switch restricts it, so they failed.
Removing the old IP and keeping only the new one solved the problem.

nginx PHP configuration supporting php-fpm and Apache, with automatic failover

The key line is error_page 502 = @apache;!!!

 location ~ .*\.php$
{
        error_page 502 = @apache;
        fastcgi_pass  127.0.0.1:9002;
        fastcgi_index index.php;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param REDIRECT_STATUS 200;
}

 location @apache {
        proxy_pass http://127.0.0.1:88;
        proxy_connect_timeout 30s;
        proxy_send_timeout   90;
        proxy_read_timeout   90;
        proxy_buffer_size    32k;
        proxy_buffers     4 32k;
        proxy_busy_buffers_size 64k;
        proxy_redirect     off;
        proxy_hide_header  Vary;
        proxy_set_header   Accept-Encoding '';
        proxy_set_header   Host   $host;
        proxy_set_header   Referer $http_referer;
        proxy_set_header   Cookie $http_cookie;
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
}

Configuring a GoDaddy SSL certificate in nginx

openssl genrsa -des3 -out server.key 2048
generates server.key

openssl rsa -in server.key -out server.key
removes the passphrase from server.key

openssl req -new -key server.key -out server.csr
generates server.csr

Submit the contents of server.csr to GoDaddy; after approval, download the zip file.
Combine the file in it that is not gd_bundle with server.key into a pem

cat bf5d584ffa226fa6.crt server.key > /etc/nginx/server.pem
cp server.key /etc/nginx/server.key

In the nginx configuration write

ssl on;
ssl_certificate /etc/nginx/server.pem;
ssl_certificate_key /etc/nginx/server.key;
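
The two TLS sections above (the Let's Encrypt chained.crt and the GoDaddy server.pem) both end with files handed to ssl_certificate and ssl_certificate_key. The following script is an added check, not from either post: the certificate file should hold the leaf plus its intermediate chain and no private key (the cat cert.crt server.key > server.pem step puts the key into the served certificate file, and GoDaddy's gd_bundle is what supplies the intermediates), and the key file should be readable by its owner only. The PEM bodies are constructed placeholders, not real certificates or keys; check_cert_file and check_key_file are hypothetical names.

```shell
#!/bin/sh
# Added check, not from the post: inspect the files used for ssl_certificate
# and ssl_certificate_key. All PEM bodies below are constructed placeholders.
FAKE_BODY='MIIBPLACEHOLDERBODYNOTAREALKEYORCERTIFICATE='
DASHES='-----'

# pem_block LABEL: print one PEM block with the placeholder body.
pem_block() {
    printf '%s\n' "${DASHES}BEGIN $1${DASHES}" "$FAKE_BODY" "${DASHES}END $1${DASHES}"
}

TMP=$(mktemp -d)
# leaf + intermediate, no key: the shape ssl_certificate should point at
{ pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$TMP/chained.crt"
# leaf + private key concatenated, as "cat cert.crt server.key > server.pem" produces
{ pem_block CERTIFICATE; pem_block 'RSA PRIVATE KEY'; } > "$TMP/server.pem"
# leaf alone, without the intermediate bundle
pem_block CERTIFICATE > "$TMP/leaf.crt"
# key files with tight and loose permissions
pem_block 'RSA PRIVATE KEY' > "$TMP/server.key"; chmod 600 "$TMP/server.key"
pem_block 'PRIVATE KEY' > "$TMP/world.key";      chmod 644 "$TMP/world.key"

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }
count_keys()  { grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true; }

# check_cert_file FILE: "ok" for a leaf plus at least one intermediate and no
# private key, otherwise a one-line reason.
check_cert_file() {
    certs=$(count_certs "$1")
    keys=$(count_keys "$1")
    if [ "$keys" -gt 0 ]; then
        echo "private key inside certificate file"
    elif [ "$certs" -lt 2 ]; then
        echo "no intermediate chain (only $certs certificate)"
    else
        echo "ok"
    fi
}

# check_key_file FILE: exactly one private key, readable by the owner only.
check_key_file() {
    if [ "$(count_keys "$1")" -ne 1 ]; then
        echo "expected exactly one private key"
        return
    fi
    mode=$(ls -l "$1" | cut -c5-10)   # group and other permission bits
    if [ "$mode" = "------" ]; then echo "ok"; else echo "key readable by group/other ($mode)"; fi
}

for f in chained.crt server.pem leaf.crt; do echo "$f: $(check_cert_file "$TMP/$f")"; done
for f in server.key world.key; do echo "$f: $(check_key_file "$TMP/$f")"; done
```

On a real server, run the two checks against the actual paths from the ssl_certificate and ssl_certificate_key lines; openssl verify with the CA bundle then confirms the chain order and signatures, which this structural check does not.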

Dual NIC with a single gateway or two gateways on RedHat/CentOS Linux

vim /etc/iproute2/rt_tables and add
252  cnc
251  tel

Add the following to /etc/rc.local

ip route flush table tel
ip route add default via 网关1 dev eth1 src IP1 table tel
ip rule add from IP1 table tel
ip route flush table cnc
ip route add default via 网关2 dev eth0 src IP2 table cnc
ip rule add from IP2 table cnc

Only the highlighted parts (the gateway, interface and IP placeholders) need changing.

Written as a shell script:

#!/bin/bash

ip1="1.1.1.2"
e1="eth0"
gw1="1.1.1.1"
ip2="2.2.2.2"
e2="eth1"
gw2="2.2.2.1"

#################################################
### edit the settings above
### leave everything below alone
#################################################

rt="/etc/iproute2/rt_tables"
# add the table names only once, so a second run does not append duplicates
grep -qw cnc "$rt" || echo "252 cnc" >> "$rt"
grep -qw tel "$rt" || echo "251 tel" >> "$rt"
rclocal="/etc/rc.local"

echo "ip route flush table tel" >> "$rclocal"
echo "ip route add default via $gw1 dev $e1 src $ip1 table tel" >> "$rclocal"
echo "ip rule add from $ip1 table tel" >> "$rclocal"
echo "ip route flush table cnc" >> "$rclocal"
echo "ip route add default via $gw2 dev $e2 src $ip2 table cnc" >> "$rclocal"
echo "ip rule add from $ip2 table cnc" >> "$rclocal"

Download: 2iprule