2019 on Rickyhttps://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/Recent content in 2019 on RickyHugo -- gohugo.iozh-twMon, 30 Dec 2019 14:31:45 +0800Bash 腳本如何建立臨時檔案:mktemp 與 trap 教學https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191230-mktemp/Mon, 30 Dec 2019 14:31:45 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191230-mktemp/<ul> <li><a href="http://www.ruanyifeng.com/blog/2019/12/mktemp.html" target="_blank" rel="noopener">Bash 腳本如何建立臨時檔案:mktemp 與 trap 教學</a></li> </ul> <h4 id="mktemp-命令"><code>mktemp</code> 命令</h4> <ul> <li>產生的臨時檔案名稱是隨機的,而且權限只有使用者本人可讀寫。</li> <li>為了確保臨時檔案建立成功,<code>mktemp</code> 後面最好使用 OR 運算子(<code>||</code>),在建立失敗時退出腳本。</li> <li>為了確保腳本退出時刪除臨時檔案,可以使用 <code>trap</code> 指定退出時的清理動作。</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span>trap <span style="color:#e6db74">&#39;rm -f &#34;$TMPFILE&#34;&#39;</span> EXIT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TMPFILE<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>mktemp<span style="color:#66d9ef">)</span> <span style="color:#f92672">||</span> exit <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;Our temp file is </span>$TMPFILE<span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><h5 id="mktemp-參數">mktemp 參數</h5> <ul> <li><code>-d</code> 參數可以建立臨時目錄。</li> <li><code>-p</code> 參數可以指定臨時檔案所在的目錄。預設使用 <code>$TMPDIR</code> 環境變數指定的目錄;若未設定,使用 <code>/tmp</code>。</li> <li><code>-t</code> 參數可以指定臨時檔案的檔名模板,模板末尾必須至少包含三個連續的 <code>X</code> 字元作為隨機字元,建議至少六個 <code>X</code>。預設的檔名模板為 <code>tmp.</code> 加上十個隨機字元。</li> </ul> <h4 id="trap-命令的用法"><code>trap</code> 命令的用法</h4> <p>trap 命令用來在 Bash 腳本中響應系統訊號。</p> <p>最常見的系統訊號是 SIGINT(中斷),也就是按下 Ctrl + C 產生的訊號。<code>-l</code> 參數可以列出所有系統訊號。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ trap -l </span></span><span style="display:flex;"><span> 1<span style="color:#f92672">)</span> SIGHUP 2<span style="color:#f92672">)</span> SIGINT 3<span style="color:#f92672">)</span> SIGQUIT </span></span><span style="display:flex;"><span> 4<span style="color:#f92672">)</span> SIGILL 5<span style="color:#f92672">)</span> SIGTRAP 6<span style="color:#f92672">)</span> SIGABRT </span></span><span style="display:flex;"><span> ... ... </span></span></code></pre></div><p>trap 的命令格式如下:</p>GitHub Actions 入門教學https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191223-getting-started-with-github-actions/Mon, 23 Dec 2019 10:16:01 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191223-getting-started-with-github-actions/<ul> <li><a href="http://www.ruanyifeng.com/blog/2019/09/getting-started-with-github-actions.html" target="_blank" rel="noopener">GitHub Actions 入門教學</a></li> </ul>Nginx 如何防禦 DDoS 攻擊?https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191220-nginx-defend-ddos/Fri, 20 Dec 2019 09:42:50 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191220-nginx-defend-ddos/<ul> <li><a href="https://magiclen.org/nginx-defend-ddos/" target="_blank" rel="noopener">Nginx 如何防禦 DDoS 攻擊?</a></li> <li><a href="https://www.itread01.com/content/1547474225.html" target="_blank" rel="noopener">Nginx 限制訪問速率和最大併發連線數模組&ndash;limit(防止 DDoS 攻擊)</a></li> </ul> <h4 id="ngx_http_limit_req_module">ngx_http_limit_req_module</h4> <p><code>limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;</code></p>Golang 服務的檔案句柄超出系統限制(too many open files)https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191216-23828/Mon, 16 Dec 2019 10:14:33 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191216-23828/<ul> <li><a href="https://studygolang.com/articles/23828" target="_blank" rel="noopener">Golang 服務的檔案句柄超出系統限制(too many open files)</a></li> </ul> <ol> <li> <p>查看系統設定:<code>ulimit -a | grep open</code>,系統設定正常。</p> </li> <li> <p>查看服務的開啟檔案限制:<code>cat /proc/40636/limits</code>,服務沒有繼承系統設定,仍是預設的 1024 限制。</p> </li> <li> <p>查看服務開啟檔案數(連線數):<code>lsof -p 40636 | wc -l</code>,已超過限制,因此報錯。</p> </li> <li> <p>查看開啟了哪些連線:<code>lsof -p 40636 &gt; openfiles.log</code>,發現很多 HTTP 連線未關閉,IP 是告警服務的介面。沿著線索找到原因:程式解析設定時出錯,對告警服務大量連線後未關閉,導致 too many open files。至於為何服務未繼承系統最大限制,還需進一步查看。</p> </li> <li> <p>最終原因:服務由 supervisor 管理,supervisor 預設 minfds 為 1024。於設定中加入 <code>minfds=81920</code>,並重啟 <code>supervisorctl reload</code>。</p> </li> </ol>Trellis Ansible 錯誤的解譯器https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191206-trellis-ansible-bad-interpreter-error/Fri, 06 Dec 2019 22:34:31 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191206-trellis-ansible-bad-interpreter-error/<ul> <li><a href="https://wpvilla.in/trellis-ansible-bad-interpreter-error/" target="_blank" rel="noopener">Trellis Ansible Bad Interpreter Error</a></li> </ul> <h4 id="bad-interpreter-error">Bad Interpreter Error</h4> <p>使用 Ansible 時遇到錯誤的解譯器問題。找不到 Python 2.7:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>zsh: /usr/local/bin/ansible-vault: bad interpreter: /usr/local/opt/python@2/bin/python2.7: no such file or directory </span></span></code></pre></div><p>這是正常的,因為我們檢查 /usr/local/opt 後只看到 Python 3。</p> <h4 id="安裝-python-2">安裝 Python 2</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>brew install python@2 </span></span></code></pre></div><h5 id="python-嚴重崩潰">Python 嚴重崩潰</h5> <p>接著在檢查 Ansible 版本時又出現錯誤:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>➜ trellis git:<span style="color:#f92672">(</span>master<span style="color:#f92672">)</span> ansible --version </span></span><span style="display:flex;"><span><span style="color:#f92672">[</span>1<span style="color:#f92672">]</span> <span style="color:#ae81ff">19153</span> abort ansible --version </span></span></code></pre></div><p>它在 Python 2.7 上崩潰了,但理論上應該可以正常執行。我決定升級 Ansible。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>sudo pip install ansible --upgrade </span></span><span style="display:flex;"><span>..... </span></span><span style="display:flex;"><span>Requirement already satisfied, skipping upgrade: six&gt;<span style="color:#f92672">=</span>1.4.1 in /usr/local/lib/python2.7/site-packages <span style="color:#f92672">(</span>from cryptography-&gt;ansible<span style="color:#f92672">)</span> <span style="color:#f92672">(</span>1.11.0<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> Requirement already satisfied, skipping upgrade: pycparser in /usr/local/lib/python2.7/site-packages <span style="color:#f92672">(</span>from cffi&gt;<span style="color:#f92672">=</span>1.7; platform_python_implementation !<span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;PyPy&#34;</span>-&gt;cryptography-&gt;ansible<span style="color:#f92672">)</span> <span style="color:#f92672">(</span>2.18<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> Installing collected packages: ansible </span></span><span style="display:flex;"><span> Found existing installation: ansible 2.7.5 </span></span><span style="display:flex;"><span> Uninstalling ansible-2.7.5: </span></span><span style="display:flex;"><span> Successfully uninstalled ansible-2.7.5 </span></span><span style="display:flex;"><span> Successfully installed ansible-2.9.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Still I had the Python error and iTerm was showing a MacOS popup that Python was crashing unexpectedly: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Python quit unexpectedly. </span></span><span style="display:flex;"><span>Click Reopen to open the application again. Click Report to see more detailed information and send a report to Apple. </span></span><span style="display:flex;"><span>Application Specific Information: </span></span><span style="display:flex;"><span> /usr/lib/libcrypto.dylib </span></span><span style="display:flex;"><span> abort<span style="color:#f92672">()</span> called </span></span><span style="display:flex;"><span> Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI. </span></span></code></pre></div><h5 id="invalid-dylib">Invalid DyLib</h5> <p>找到 <a href="https://stackoverflow.com/questions/58272830/python-crashing-on-macos-10-15-beta-19a582a-with-usr-lib-libcrypto-dylib" target="_blank" rel="noopener">https://stackoverflow.com/questions/58272830/python-crashing-on-macos-10-15-beta-19a582a-with-usr-lib-libcrypto-dylib</a> 這篇,知道是動態函式庫載入錯誤,於是決定安裝 openssl。</p>用 iptables 和 ip rule 做負載均衡https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191204-ip-tables-rule-load-balance/Wed, 04 Dec 2019 11:08:04 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191204-ip-tables-rule-load-balance/<ul> <li><a href="https://blog.outv.im/2019/ip-tables-rule-load-balance/" target="_blank" rel="noopener">用 iptables 和 ip rule 做負載均衡</a></li> </ul> <h4 id="操作">操作</h4> <p>這裡以一台透過有線 + 無線出口連線到網際網路的 Arch Linux 裝置為例。共有兩個出口,分別使用網卡 eth0 和 eth1。大致對應關係如下:</p> <ul> <li>標記 10 (0xa) - 路由表 #110 - 使用 eth0 出口</li> <li>標記 11 (0xb) - 路由表 #111 - 使用 eth1 出口</li> </ul> <p>我們會根據封包上的標記值判斷它應該走哪個出口。首先,使用 ip rule 為每個標記值指定一張路由表。</p> <p>通常預設路由表的權重是 32768。為了讓我們的路由表生效,需要將權重調高一些(例如 31000)。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># 讓帶標記 10 (0xa) 的封包使用 110 號路由表,權重 31000</span> </span></span><span style="display:flex;"><span>ip rule add fwmark <span style="color:#ae81ff">10</span> table <span style="color:#ae81ff">110</span> prio <span style="color:#ae81ff">31000</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 讓帶標記 11 (0xb) 的封包使用 111 號路由表,權重 31000</span> </span></span><span style="display:flex;"><span>ip rule add fwmark <span style="color:#ae81ff">11</span> table <span style="color:#ae81ff">111</span> prio <span style="color:#ae81ff">31000</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 如果你的連線更多,可以繼續新增標記 &lt;-&gt; 路由表的對應關係</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># #110 路由表的路由</span> </span></span><span style="display:flex;"><span>ip route add 10.20.0.0/24 dev eth0 table <span style="color:#ae81ff">110</span> </span></span><span style="display:flex;"><span>ip route add default via 10.20.0.254 table <span style="color:#ae81ff">110</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># #111 路由表的路由</span> </span></span><span style="display:flex;"><span>ip route add 10.25.0.0/24 dev eth1 table <span style="color:#ae81ff">111</span> </span></span><span style="display:flex;"><span>ip route add default via 10.25.0.254 table <span style="color:#ae81ff">111</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 如果這條連線已經被標記,將標記設定到封包上</span> </span></span><span style="display:flex;"><span>iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark </span></span><span style="display:flex;"><span><span style="color:#75715e"># 如果封包已經有標記,直接放行</span> </span></span><span style="display:flex;"><span>iptables -t mangle -A OUTPUT -m mark ! --mark <span style="color:#ae81ff">0</span> -j ACCEPT </span></span><span style="display:flex;"><span><span style="color:#75715e"># 如果封包沒有被標記</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 把封包標記為 10 (0xa)</span> </span></span><span style="display:flex;"><span>iptables -t mangle -A OUTPUT -j MARK --set-mark <span style="color:#ae81ff">10</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 每 2 個封包就把一個封包標記為 11 (0xb)</span> </span></span><span style="display:flex;"><span>iptables -t mangle -A OUTPUT -m statistic --mode nth --every <span style="color:#ae81ff">2</span> --packet <span style="color:#ae81ff">0</span> -j MARK --set-mark <span style="color:#ae81ff">11</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 如果你有三條出口,這裡可以類似於</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># iptables -t mangle -A OUTPUT -j MARK --set-mark 10</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># iptables -t mangle -A OUTPUT -m statistic --mode nth --every 3 --packet 0 -j MARK --set-mark 11</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># iptables -t mangle -A OUTPUT -m statistic --mode nth --every 3 --packet 1 -j MARK --set-mark 12</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 把封包的標記儲存到整條連線上,讓整個連線使用同一個出口</span> </span></span><span style="display:flex;"><span>iptables -t mangle -A OUTPUT -j CONNMARK --save-mark </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 讓封包的出口與我們選擇的一致</span> </span></span><span style="display:flex;"><span>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE </span></span><span style="display:flex;"><span>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE </span></span></code></pre></div><p>之後可以用 <code>iptables -L OUTPUT -t mangle</code> 看一下規則是否正確,再用 Wireshark 驗證連線是否真的分流。</p>htop 說明https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191114-htop/Thu, 14 Nov 2019 10:05:35 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191114-htop/<ul> <li><a href="https://peteris.rocks/blog/htop/" target="_blank" rel="noopener">htop explained</a></li> </ul>Jenkinsfile 範例https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191106-228cdb1893fca91f0663bab7b095757c/Wed, 06 Nov 2019 17:29:46 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191106-228cdb1893fca91f0663bab7b095757c/<ul> <li><a href="https://gist.github.com/merikan/228cdb1893fca91f0663bab7b095757c" target="_blank" rel="noopener">Some Jenkinsfile examples</a></li> </ul> <h5 id="並行">並行</h5> <pre tabindex="0"><code>#!/usr/bin/env groovy pipeline { agent any stages { stage(&#34;Build&#34;) { steps { sh &#39;mvn -v&#39; } } stage(&#34;Testing&#34;) { parallel { stage(&#34;Unit Tests&#34;) { agent { docker &#39;openjdk:7-jdk-alpine&#39; } steps { sh &#39;java -version&#39; } } stage(&#34;Functional Tests&#34;) { agent { docker &#39;openjdk:8-jdk-alpine&#39; } steps { sh &#39;java -version&#39; } } stage(&#34;Integration Tests&#34;) { steps { sh &#39;java -version&#39; } } } } stage(&#34;Deploy&#34;) { steps { echo &#34;Deploy!&#34; } } } } </code></pre><h5 id="when">When</h5> <pre tabindex="0"><code>#!/usr/bin/env groovy pipeline { agent any environment { VALUE_ONE = &#39;1&#39; VALUE_TWO = &#39;2&#39; VALUE_THREE = &#39;3&#39; } stages { // skip a stage while creating the pipeline stage(&#34;A stage to be skipped&#34;) { when { expression { false } //skip this stage } steps { echo &#39;This step will never be run&#39; } } // Execute when branch = &#39;master&#39; stage(&#34;BASIC WHEN - Branch&#34;) { when { branch &#39;master&#39; } steps { echo &#39;BASIC WHEN - Master Branch!&#39; } } // Expression based when example with AND stage(&#39;WHEN EXPRESSION with AND&#39;) { when { expression { VALUE_ONE == &#39;1&#39; &amp;&amp; VALUE_THREE == &#39;3&#39; } } steps { echo &#39;WHEN with AND expression works!&#39; } } // Expression based when example stage(&#39;WHEN EXPRESSION with OR&#39;) { when { expression { VALUE_ONE == &#39;1&#39; || VALUE_THREE == &#39;2&#39; } } steps { echo &#39;WHEN with OR expression works!&#39; } } // When - AllOf Example stage(&#34;AllOf&#34;) { when { allOf { environment name:&#39;VALUE_ONE&#39;, value: &#39;1&#39; environment name:&#39;VALUE_TWO&#39;, value: &#39;2&#39; } } steps { echo &#34;AllOf Works!!&#34; } } // When - Not AnyOf Example stage(&#34;Not AnyOf&#34;) { when { not { anyOf { branch &#34;development&#34; environment name:&#39;VALUE_TWO&#39;, value: &#39;4&#39; } } } steps { echo &#34;Not AnyOf - Works!&#34; } } } } </code></pre>Jinja docx 樣板:在巢狀 for 中避免換行https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191029-jinja-docx-template-avoiding-new-line-in-nested-for/Tue, 29 Oct 2019 10:17:35 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191029-jinja-docx-template-avoiding-new-line-in-nested-for/<ul> <li><a href="https://stackoverflow.com/questions/45719062/jinja-docx-template-avoiding-new-line-in-nested-for#_=_" target="_blank" rel="noopener">Jinja docx 樣板:在巢狀 for 中避免換行</a></li> </ul>What the f*ck Python! 🐍 中文版https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191011-wtfpython-cn/Fri, 11 Oct 2019 14:32:20 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191011-wtfpython-cn/<ul> <li><a href="https://github.com/leisurelicht/wtfpython-cn" target="_blank" rel="noopener">What the f*ck Python! 🐍</a></li> </ul>再戰營運商快取:使用 iptables 對付快取劫持https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191007-fuck-cmcc/Mon, 07 Oct 2019 10:41:08 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191007-fuck-cmcc/<ul> <li><a href="https://v2c.tech/Article/FUCK-CMCC" target="_blank" rel="noopener">再戰營運商快取:使用 iptables 對付快取劫持</a></li> </ul> <h5 id="起因">起因</h5> <p>與移動的快取問題進行鬥爭要追溯到兩年前,那時因為移動竟然連 cnpm 的資料都進行快取。更離譜的是:移動的快取伺服器不但速度慢到堪比萬年王八跑馬拉松,還經常當機,導致我只想安安靜靜寫程式卻不得不面對一片鮮紅的報錯。</p> <h5 id="解決">解決</h5> <p><code>iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROP</code></p> <p>考慮到可能還真的有其他伺服器送來的正常封包 TTL 也在 20-30 的區間,應該再加一層判斷。對比移動的 302 劫持封包和正常的 302 跳轉封包後,發現移動的劫持封包狀態位包含 FIN、PSH、ACK,而正常的 302 跳轉封包通常不會這三個都有。</p> <p>因此在 iptables 規則中加入是否包含 FIN、PSH、ACK 的判斷:</p> <p><code>iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 --tcp-flags ALL FIN,PSH,ACK -j DROP</code></p> <p>這樣應能在丟棄劫持封包的同時,盡可能降低誤傷正常封包的可能性。</p>使用 Nginx 和 mod_pagespeed 自動將圖片轉換為 WebP 並輸出https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191007-serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/Mon, 07 Oct 2019 10:35:22 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191007-serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/<ul> <li><a href="https://nova.moe/serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/" target="_blank" rel="noopener">使用 Nginx 和 mod_pagespeed 自動將圖片轉換為 WebP 並輸出</a></li> </ul> <h4 id="編譯-ngx_pagespeed">編譯 ngx_pagespeed</h4> <blockquote> <p>首先確保 Nginx 有 <code>--with-compat</code> 編譯參數,這樣就不需要按照一些奇怪的教學讓大家從頭開始編譯 Nginx</p> <p>incubator: <a href="https://github.com/apache/incubator-pagespeed-ngx.git" target="_blank" rel="noopener">https://github.com/apache/incubator-pagespeed-ngx.git</a></p></blockquote> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># 切換到 nginx 原始碼目錄下開始設定編譯環境</span> </span></span><span style="display:flex;"><span>./configure --with-compat --add-dynamic-module<span style="color:#f92672">=</span>../incubator-pagespeed-ngx </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 編譯 modules</span> </span></span><span style="display:flex;"><span>make modules </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 將編譯好的 module 放到 nginx 目錄下</span> </span></span><span style="display:flex;"><span>sudo cp objs/ngx_pagespeed.so /etc/nginx/modules/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 建立快取資料夾以存放自動轉換的圖片</span> </span></span><span style="display:flex;"><span>sudo mkdir -p /var/ngx_pagespeed_cache </span></span><span style="display:flex;"><span>sudo chown -R www-data:www-data /var/ngx_pagespeed_cache </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">load_module</span> <span style="color:#e6db74">modules/ngx_pagespeed.so</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># enable pagespeed module on this server block </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pagespeed</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Needs to exist and be writable by nginx. Use tmpfs for best performance. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pagespeed</span> <span style="color:#e6db74">FileCachePath</span> <span style="color:#e6db74">/var/ngx_pagespeed_cache</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Ensure requests for pagespeed optimized resources go to the pagespeed handler </span></span></span><span style="display:flex;"><span><span style="color:#75715e"># and no extraneous headers get set. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">location</span> ~ <span style="color:#e6db74">&#34;\.pagespeed\.([a-z]\.)?[a-z]</span>{<span style="color:#f92672">2}\.[^.]{10}\.[^.]+&#34;</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">&#34;&#34;</span> <span style="color:#e6db74">&#34;&#34;</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#f92672">location</span> ~ <span style="color:#e6db74">&#34;^/pagespeed_static/&#34;</span> { } </span></span><span style="display:flex;"><span><span style="color:#f92672">location</span> ~ <span style="color:#e6db74">&#34;^/ngx_pagespeed_beacon$&#34;</span> { } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">pagespeed</span> <span style="color:#e6db74">RewriteLevel</span> <span style="color:#e6db74">CoreFilters</span>; </span></span></code></pre></div><p>其中最後一段(<code>pagespeed RewriteLevel CoreFilters;</code>)表示啟用的最佳化方式,包含一些基礎的最佳化,例如:</p>是否有正規表示式可以檢測有效的正規表示式?https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191004-is-there-a-regular-expression-to-detect-a-valid-regular-expression/Fri, 04 Oct 2019 14:44:38 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20191004-is-there-a-regular-expression-to-detect-a-valid-regular-expression/<ul> <li><a href="https://stackoverflow.com/questions/172303/is-there-a-regular-expression-to-detect-a-valid-regular-expression" target="_blank" rel="noopener">是否有正規表示式可以檢測有效的正規表示式?</a></li> </ul> <p>這是一個遞迴正則,許多正則引擎不支援。基於 PCRE 的引擎應該支援。</p> <pre tabindex="0"><code>/ ^ # start of string ( # first group start (?: (?:[^?+*{}()[\]\\|]+ # literals and ^, $ | \\. # escaped characters | \[ (?: \^?\\. | \^[^\\] | [^\\^] ) # character classes (?: [^\]\\]+ | \\. )* \] | \( (?:\?[:=!]|\?&lt;[=!]|\?&gt;)? (?1)?? \) # parenthesis, with recursive content | \(\? (?:R|[+-]?\d+) \) # recursive matching ) (?: (?:[?+*]|\{\d+(?:,\d*)?\}) [?+]? )? # quantifiers | \| # alternative )* # repeat content ) # end first group $ # end of string / </code></pre><p>移除空白與註解後</p>用 Nginx 強制檔案下載https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190819-force-file-download-with-nginx/Mon, 19 Aug 2019 12:12:32 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190819-force-file-download-with-nginx/<ul> <li><a href="https://coderwall.com/p/3yb8vg/force-file-download-with-nginx" target="_blank" rel="noopener">用 Nginx 強制檔案下載</a></li> </ul> <p><code>add_header Content-Disposition 'attachment;';</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">my.domain.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> ~ <span style="color:#e6db74">^.*/(?P&lt;request_basename&gt;[^/]+\.(mp3))$</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">root</span> <span style="color:#e6db74">/path/to/mp3/</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">add_header</span> <span style="color:#e6db74">Content-Disposition</span> <span style="color:#e6db74">&#39;attachment</span>; <span style="color:#f92672">filename=&#34;$request_basename&#34;&#39;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">{</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">server_name</span> <span style="color:#e6db74">backup.baifu-tech.net</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">root</span> <span style="color:#e6db74">/data/backup/rechargecent-mago</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic</span> <span style="color:#e6db74">&#34;baifu</span> <span style="color:#e6db74">backup</span> <span style="color:#e6db74">center&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic_user_file</span> <span style="color:#e6db74">/etc/nginx/ssl/htpasswd</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex_exact_size</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex_localtime</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span><span style="color:#66d9ef">}</span> </span></span></code></pre></div>Shell 腳本學習筆記https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190807-mylxsw-growing-up-shell/Wed, 07 Aug 2019 15:14:08 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190807-mylxsw-growing-up-shell/<ul> <li><a href="https://github.com/mylxsw/growing-up/blob/master/doc/Shell%E8%84%9A%E6%9C%AC%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0.md" target="_blank" rel="noopener">Shell 腳本學習筆記</a></li> </ul> <h3 id="執行算術運算">執行算術運算</h3> <pre><code>val=`expr $a + $b` </code></pre> <h3 id="運算符">運算符</h3> <table> <thead> <tr> <th>符號</th> <th>說明</th> <th>示例</th> </tr> </thead> <tbody> <tr> <td>!</td> <td>非運算</td> <td>[ ! false ]</td> </tr> <tr> <td>-o</td> <td>或運算</td> <td>[ $a -lt 20 -o $b -gt 20 ]</td> </tr> <tr> <td>-a</td> <td>與運算</td> <td>[ $a -lt 20 -a $b -gt 20 ]</td> </tr> <tr> <td>=</td> <td>相等檢測</td> <td>[ $a = $b ]</td> </tr> <tr> <td>!=</td> <td>不相等檢測</td> <td>[ $a != $b ]</td> </tr> <tr> <td>-z</td> <td>字串長度是否為 0,為 0 則回傳 true</td> <td>[ -z $a ]</td> </tr> <tr> <td>-n</td> <td>字串長度不為 0,不為 0 回傳 true</td> <td>[ -n $a ]</td> </tr> <tr> <td>str</td> <td>檢測字串是否為空,不為空回傳 true</td> <td>[ $a ]</td> </tr> <tr> <td>-b</td> <td>檢測檔案是否是區塊裝置檔</td> <td>[ -b $file ]</td> </tr> <tr> <td>-c</td> <td>檢測檔案是否是字元裝置</td> <td>..</td> </tr> <tr> <td>-d</td> <td>檢測檔案是否為目錄</td> <td>[ -d $file ]</td> </tr> <tr> <td>-f</td> <td>檢測檔案是否為一般檔案</td> <td>[ -f $file ]</td> </tr> <tr> <td>-r</td> <td>檢測檔案是否可讀</td> <td>..</td> </tr> <tr> <td>-w</td> <td>檢測檔案是否可寫</td> <td>..</td> </tr> <tr> <td>-x</td> <td>檢測檔案是否可執行</td> <td>..</td> </tr> <tr> <td>-s</td> <td>檢測檔案是否為空</td> <td>..</td> </tr> <tr> <td>-e</td> <td>檢測檔案是否存在</td> <td>..</td> </tr> </tbody> </table> <h3 id="特殊變數">特殊變數</h3> <table> <thead> <tr> <th>變數</th> <th>含義</th> </tr> </thead> <tbody> <tr> <td>$0</td> <td>目前腳本的檔名</td> </tr> <tr> <td>$n</td> <td>傳遞給腳本或函式的參數,n 表示第幾個參數</td> </tr> <tr> <td>$#</td> <td>傳遞給腳本或函式的參數個數</td> </tr> <tr> <td>$*</td> <td>傳遞給腳本或函式的所有參數,所有參數視為一個詞,例如 &ldquo;1 2 3&rdquo;</td> </tr> <tr> <td>$@</td> <td>傳遞給腳本或函式的所有參數,每個參數視為一個詞,用雙引號包含,例如 &ldquo;1&rdquo; &ldquo;2&rdquo; &ldquo;3&rdquo;</td> </tr> <tr> <td>$?</td> <td>上個命令的退出狀態,或函式的回傳值</td> </tr> <tr> <td>$$</td> <td>目前 Shell 行程 ID;對 Shell 腳本而言,就是該腳本所在的行程 ID</td> </tr> </tbody> </table> <h3 id="posix-程式退出狀態">POSIX 程式退出狀態</h3> <table> <thead> <tr> <th>狀態碼</th> <th>含義</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>命令成功退出</td> </tr> <tr> <td>&gt; 0</td> <td>在重導向或單詞展開期間(~、變數、命令、算術展開以及單詞切割)失敗</td> </tr> <tr> <td>1 - 125</td> <td>命令不成功退出,各命令自行定義特定退出值含義</td> </tr> <tr> <td>126</td> <td>命令找到但檔案無法執行</td> </tr> <tr> <td>127</td> <td>命令未找到</td> </tr> <tr> <td>&gt; 128</td> <td>命令因收到信號而終止</td> </tr> </tbody> </table> <h3 id="輸入輸出重導向">輸入輸出重導向</h3> <table> <thead> <tr> <th>命令</th> <th>說明</th> </tr> </thead> <tbody> <tr> <td>command &gt; file</td> <td>將輸出重導向到 file</td> </tr> <tr> <td>command &gt; file</td> <td>將輸出以追加的方式重導向到 file</td> </tr> <tr> <td>n &gt; file</td> <td>將檔案描述符為 n 的檔案重導向到 file</td> </tr> <tr> <td>n &raquo; file</td> <td>將檔案描述符為 n 的檔案以追加的方式重導向到 file</td> </tr> <tr> <td>n &gt;&amp; m</td> <td>將輸出檔案 m 和 n 合併</td> </tr> <tr> <td>n &lt;&amp; m</td> <td>將輸入檔案 m 和 n 合併</td> </tr> <tr> <td>&laquo; tag</td> <td>將開始標記 tag 和結束標記 tag 之間的內容作為輸入</td> </tr> </tbody> </table> <h3 id="檔案包含">檔案包含</h3> <p>使用 <code>.</code> 或 <code>source</code> 包含檔案</p>`sentry.lang.javascript.processor: SoftTimeLimitExceeded()` 大量錯誤https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190725-getsentry-sentry-issues-4386/Thu, 25 Jul 2019 14:25:56 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190725-getsentry-sentry-issues-4386/<ul> <li><a href="https://github.com/getsentry/sentry/issues/4386" target="_blank" rel="noopener">Excessive Errors from <code>sentry.lang.javascript.processor: SoftTimeLimitExceeded()</code></a></li> <li><a href="https://forum.sentry.io/t/counters-0-queue-is-rising-continuously/5655/6" target="_blank" rel="noopener">Counters-0 queue is rising continuously</a></li> </ul> <h4 id="sentrylangjavascriptprocessor-softtimelimitexceeded-大量錯誤"><code>sentry.lang.javascript.processor: SoftTimeLimitExceeded()</code> 大量錯誤</h4> <p>mattrobenolt:</p> <p>我正打算提出這個。:) 很不幸,這個功能就是如此運作。如果它沒有用且只是浪費資源,可以很容易地全域關閉:在 <code>sentry.conf.py</code> 設定 <code>SENTRY_SCRAPE_JAVASCRIPT_CONTEXT = False</code>,或在 UI 內針對專案關閉。</p> <p>除此之外,沒有太多能做的,因為這個功能本質上是按設計運作。</p> <hr> <h4 id="counters-0-佇列持續上升">Counters-0 佇列持續上升</h4> <p>matt:</p> <p>你需要更多 worker 來處理這個佇列的負載。</p> <p>你也可以讓 worker 專門處理特定佇列,例如使用 <code>sentry run worker -Q counters-0</code>。</p>Python Telegram Bothttps://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190711-python-telegram-bot/Thu, 11 Jul 2019 14:03:25 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190711-python-telegram-bot/<ul> <li><a href="https://zaoldyeck.medium.com/%E6%89%8B%E6%8A%8A%E6%89%8B%E6%95%99%E4%BD%A0%E6%80%8E%E9%BA%BC%E6%89%93%E9%80%A0-telegram-bot-a7b539c3402a" target="_blank" rel="noopener">(一)一步步打造 Telegram Bot</a></li> <li><a href="https://zaoldyeck.medium.com/%E5%88%A9%E7%94%A8-olami-open-api-%E7%82%BA-chatbot-%E5%A2%9E%E5%8A%A0-nlp-%E5%8A%9F%E8%83%BD-e6b37940913d" target="_blank" rel="noopener">(二)為 Chatbot 增加 NLP 功能</a></li> <li><a href="https://zaoldyeck.medium.com/add-custom-skill-into-chatbot-cef9bfeeef52" target="_blank" rel="noopener">(三)為 Chatbot 添加新技能</a></li> <li><a href="https://hackmd.io/@truckski/HkgaMUc24" target="_blank" rel="noopener">Python Telegram Bot 教學</a></li> <li><a href="https://kaive.me/2018/07/15/Python-telegram-bot/" target="_blank" rel="noopener">用 Python 寫一個簡單的 Telegram Bot</a></li> <li><a href="https://github.com/python-telegram-bot/python-telegram-bot/wiki/Code-snippets" target="_blank" rel="noopener">Code snippets</a></li> </ul>Linux 磁碟空間未釋放的解決方法https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190710-linux-command-line-du-dh-lsof/Wed, 10 Jul 2019 09:57:33 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190710-linux-command-line-du-dh-lsof/<ul> <li><a href="https://www.itread01.com/content/1542767890.html" target="_blank" rel="noopener">Linux 磁碟空間未釋放的解決方法</a></li> </ul> <h5 id="使用-df--ah-命令-du--h---max-depth1">使用 <code>df -ah</code> 命令 <code>du -h --max-depth=1</code></h5> <p><code>du</code> 的總和遠小於 <code>df</code> 得到的總量。</p> <p>程式使用的檔案資源被刪除後,程式仍在執行,導致檔案未真正刪除,無法釋放磁碟空間,也無法被統計到。</p> <p><code>lsof |grep delete</code></p>Sentry 原始碼開發筆記https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190703-python-sentry-develop-notes-and-uwsgi-log-format/Wed, 03 Jul 2019 11:53:15 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190703-python-sentry-develop-notes-and-uwsgi-log-format/<ul> <li><a href="https://chroming.gitlab.io/2018/09/26/edit_sentry_source_code/" target="_blank" rel="noopener">Sentry 原始碼開發筆記</a></li> <li><a href="https://uwsgi-docs.readthedocs.io/en/latest/LogFormat.html" target="_blank" rel="noopener">Formatting uWSGI requests logs</a></li> <li><a href="https://www.postgresql.org/docs/9.3/libpq-pgpass.html" target="_blank" rel="noopener">PostgreSQL: Documentation: 9.3: The Password File</a></li> </ul>openresty+redis 攔截高頻訪問 IPhttps://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190627-openrestyredis/Thu, 27 Jun 2019 11:18:46 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190627-openrestyredis/<ul> <li><a href="https://www.centos.bz/2018/11/openrestyredis%E6%8B%A6%E6%88%AA%E9%AB%98%E9%A2%91%E8%AE%BF%E9%97%AEip/" target="_blank" rel="noopener">openresty+redis 攔截高頻訪問 IP</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">init_by_lua_block</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">redis</span> = <span style="color:#e6db74">require</span> <span style="color:#e6db74">&#34;redis&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">client</span> = <span style="color:#e6db74">redis.connect(&#39;127.0.0.1&#39;,</span> <span style="color:#ae81ff">6379</span><span style="color:#e6db74">)</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">8080</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_by_lua_file</span> <span style="color:#e6db74">/usr/local/nginx/conf/lua/block.lua</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://192.168.1.102:8000</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-lua" data-lang="lua"><span style="display:flex;"><span><span style="color:#75715e">-- Redis-based IP rate limiting / blocking for OpenResty (ngx_lua)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- NOTE:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- This script assumes a global `client` variable is used/stored.</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Make sure `redis` module is available and `client` is initialized somewhere.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">isConnected</span>() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> client:ping() </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">createRedisConnection</span>() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> redis.connect(<span style="color:#e6db74">&#34;127.0.0.1&#34;</span>, <span style="color:#ae81ff">6379</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- 如果發生 redis 連線失敗,將停止攔截(直接放行)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> pcall(isConnected) <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- already connected (or ping succeeded)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- not connected; try reconnect</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> pcall(createRedisConnection) <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- 斷開重連:會導致每次訪問都需要重連 redis</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- 訪問量大時建議:關閉重連邏輯(pcall 不執行),直接 ngx.exit 放行/終止</span> </span></span><span style="display:flex;"><span> client <span style="color:#f92672">=</span> createRedisConnection() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ttl <span style="color:#f92672">=</span> <span style="color:#ae81ff">60</span> <span style="color:#75715e">-- 監測週期(秒)</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> bktimes <span style="color:#f92672">=</span> <span style="color:#ae81ff">30</span> <span style="color:#75715e">-- 在監測週期內達到觸發攔截的訪問量</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> block_ttl <span style="color:#f92672">=</span> <span style="color:#ae81ff">600</span> <span style="color:#75715e">-- 觸發攔截後攔截時間(秒)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ip <span style="color:#f92672">=</span> ngx.var.remote_addr </span></span><span style="display:flex;"><span><span style="color:#66d9ef">local</span> ipvtimes <span style="color:#f92672">=</span> client:get(ip) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ipvtimes <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ipvtimes <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;-1&#34;</span> <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- blocked</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(<span style="color:#ae81ff">403</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">local</span> last_ttl <span style="color:#f92672">=</span> client:ttl(ip) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(&#34;key exist.ttl is &#34;, last_ttl)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> last_ttl <span style="color:#f92672">==</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span> <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> client:expire(ip, ttl) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(&#34;ttl &amp; vtimes recount&#34;)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">local</span> vtimes <span style="color:#f92672">=</span> tonumber(client:get(ip)) <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> vtimes <span style="color:#f92672">&lt;</span> bktimes <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> client:set(ip, vtimes) </span></span><span style="display:flex;"><span> client:expire(ip, last_ttl) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; view &#34;, vtimes, &#34; times&#34;)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; will be block next time.&#34;)</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> client:expire(ip, block_ttl) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">end</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- key does not exist</span> </span></span><span style="display:flex;"><span> client:set(ip, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> <span style="color:#75715e">-- ngx.say(ip, &#34; view 1 times&#34;)</span> </span></span><span style="display:flex;"><span> client:expire(ip, ttl) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> ngx.exit(ngx.OK) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span> </span></span></code></pre></div>[Terraform] 入門學習筆記https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190626-terraform-getting-started/Wed, 26 Jun 2019 17:22:52 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190626-terraform-getting-started/<ul> <li><a href="https://godleon.github.io/blog/DevOps/terraform-getting-started/" target="_blank" rel="noopener">[Terraform] 入門學習筆記</a></li> </ul>設定 Haproxy 以防止 DDOS 攻擊https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190617-haproxy-ddos/Mon, 17 Jun 2019 11:07:13 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190617-haproxy-ddos/<ul> <li><a href="https://blog.maxkit.com.tw/2016/05/haproxy-ddos.html" target="_blank" rel="noopener">設定 Haproxy 以防止 DDOS 攻擊</a></li> </ul> <h3 id="tcp-syn-flood-attacks">TCP syn flood attacks</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>vi /etc/sysctl.conf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Protection from SYN flood</span> </span></span><span style="display:flex;"><span>net.ipv4.tcp_syncookies <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>net.ipv4.conf.all.rp_filter <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>net.ipv4.tcp_max_syn_backlog <span style="color:#f92672">=</span> <span style="color:#ae81ff">1024</span> </span></span></code></pre></div><h3 id="slowloris-like-attacks">Slowloris like attacks</h3> <pre tabindex="0"><code>defaults option http-server-close timeout http-request 5s timeout connect 5s timeout client 30s timeout server 10s timeout tunnel 1h </code></pre><h3 id="限制每一個-user-的連線數量">限制每一個 user 的連線數量</h3> <p>普通用戶瀏覽網站的網頁,或是從網站下載東西時,瀏覽器一般會建立 5-7 個 TCP 鏈接。當一個惡意 client 打開了大量 TCP 連線時,耗費大量資源,因此我們必須要限制同一個用戶的連線數量。</p> <p>但如果有很多使用者,是從某一個私有網段,透過 NAT 的方式連線到 Server 時,且實際上我們也不知道,到底哪一個會是 NAT 的轉址後的 IP,不知道該將哪個 IP 設定為白名單,這樣的限制就會造成問題,因此我們認為實際的環境,這樣的設定應該要保留不處理。</p> <p>以下是一個設定的範例,最重要的地方是在 frontend ft_web 區塊的設定。</p> <pre tabindex="0"><code>global stats socket ./haproxy.stats level admin defaults option http-server-close mode http timeout http-request 5s timeout connect 5s timeout server 10s timeout client 30s listen stats bind 0.0.0.0:8880 stats enable stats hide-version stats uri / stats realm HAProxy Statistics stats auth admin:admin frontend ft_web bind 0.0.0.0:8080 # Table definition stick-table type ip size 100k expire 30s store conn_cur # Allow clean known IPs to bypass the filter tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst } # Shut the new connection as long as the client has already 10 opened tcp-request connection reject if { src_conn_cur ge 10 } tcp-request connection track-sc1 src # Split static and dynamic traffic since these requests have different impacts on the servers use_backend bk_web_static if { path_end .jpg .png .gif .css .js } default_backend bk_web # Dynamic part of the application backend bk_web balance roundrobin cookie MYSRV insert indirect nocache server srv1 192.168.1.2:80 check cookie srv1 maxconn 100 server srv2 192.168.1.3:80 check cookie srv2 maxconn 100 # Static objects backend bk_web_static balance roundrobin server srv1 192.168.1.2:80 check maxconn 1000 server srv2 192.168.1.3:80 check maxconn 1000 </code></pre><h3 id="限制每個-user-產生新連線的速率-limiting-the-connection-rate-per-user">限制每個 user 產生新連線的速率 Limiting the connection rate per user</h3> <p>惡意的使用者會在短時間內建立很多連線,但如果產生新連線的速度太高,就會消耗掉過多的資源服務一個使用者。</p>白話 Kubernetes Runtimehttps://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190613-k8s-runtime/Thu, 13 Jun 2019 11:28:26 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190613-k8s-runtime/<ul> <li><a href="https://mp.weixin.qq.com/s?__biz=Mzg5Mjc3MjIyMA==&amp;mid=2247543594&amp;idx=1&amp;sn=9083cff79ca7f5fb9d6fee08d1144989&amp;source=41&amp;poc_token=HL8MZmmjq-HF5O8fHC711sGwSQ1O9OuO5hGLL_px" target="_blank" rel="noopener">白話 Kubernetes Runtime</a></li> </ul>Nginx 請求處理流程你了解嗎?https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190307-nginx/Thu, 07 Mar 2019 14:05:55 +0800https://9855cc0f.linzeyan.pages.dev/zh-tw/posts/2019/20190307-nginx/<ul> <li><a href="https://mp.weixin.qq.com/s/otQIhuLABU3omOLtRfJnZQ" target="_blank" rel="noopener">Nginx 請求處理流程你了解嗎?</a></li> </ul> <h3 id="11-個處理階段">11 個處理階段</h3> <p>1)NGX_HTTP_POST_READ_PHASE:</p> <p>接收到完整的 HTTP 標頭後處理的階段,位於 URI 重寫之前。實際上很少有模組會註冊在該階段,預設情況下會被跳過。</p> <p>2)NGX_HTTP_SERVER_REWRITE_PHASE:</p> <p>在 URI 與 location 匹配前修改 URI 的階段,用於重新導向。該階段執行 server 區塊內、location 區塊外的重寫指令。在讀取請求標頭的過程中,nginx 會根據 host 及埠號找到對應的虛擬主機設定。</p> <p>3)NGX_HTTP_FIND_CONFIG_PHASE:</p> <p>根據 URI 尋找匹配的 location 設定項階段,使用重寫後的 URI 來查找對應的 location。需要注意的是該階段可能會被執行多次,因為也可能有 location 級別的重寫指令。</p> <p>4)NGX_HTTP_REWRITE_PHASE:</p> <p>上一階段找到 location 後再次修改 URI,屬於 location 級別的 URI 重寫階段,也可能會被執行多次。</p> <p>5)NGX_HTTP_POST_REWRITE_PHASE:</p> <p>防止重寫 URL 後導致的死循環,屬於 location 重寫的下一階段,用來檢查上階段是否有 URI 重寫,並根據結果跳轉到合適的階段。</p> <p>6)NGX_HTTP_PREACCESS_PHASE:</p> <p>下一階段之前的準備,屬於存取權限控制的前一階段。一般也用於存取控制,例如限制存取頻率、連線數等。</p> <p>7)NGX_HTTP_ACCESS_PHASE:</p> <p>讓 HTTP 模組判斷是否允許請求進入 Nginx 伺服器的存取控制階段,例如基於 IP 白名單/黑名單、使用者名稱密碼等的權限控制。</p> <p>8)NGX_HTTP_POST_ACCESS_PHASE:</p> <p>存取控制的後一階段,根據上一階段的執行結果進行處理,向使用者送出拒絕服務的錯誤碼,用來回應上一階段的拒絕。</p> <p>9)NGX_HTTP_TRY_FILES_PHASE:</p> <p>為存取靜態檔案資源而設置,try_files 指令的處理階段。如果沒有設定 try_files 指令,該階段會被跳過。</p> <p>10)NGX_HTTP_CONTENT_PHASE:</p>