Category Archives: Technology

nginx request line parsing vulnerability

CVE-2013-4547

nginx versions before 1.4.4 and 1.5.7 have a security vulnerability that may allow bypassing protections or a PHP parsing attack.

For example:

    location ~ \.php$ {
        fastcgi_pass …
    }

by requesting a file as "/file \0.php".

I tested this in practice; the attack is fairly hard to reproduce in our environment, since all of the following conditions must hold at the same time:
1. A file with a space in its name (containing the attack payload) has been uploaded
2. PHP has fix_pathinfo=1 set (the default is 1)
3. The PHP version is below 5.3.10, or security.limit_extensions has been set to allow all extensions

Therefore, for security reasons, upgrading is recommended, and PHP should also be upgraded to the latest release of the 5.3 series.
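Besides upgrading, the interim workaround published with the nginx advisory for this CVE is to refuse any request whose URI still contains an unencoded space. The server-block fragment below is an added example, not the post's own config; the fastcgi_pass address is a constructed placeholder, and the PHP-side settings in the trailing comments correspond to conditions 2 and 3 above.

```nginx
# Server-block fragment; goes inside the http context.
server {
    listen 80;
    root /var/www/html;

    # Interim workaround from the nginx advisory for CVE-2013-4547:
    # an unencoded space never belongs in a request URI, so close the
    # connection without a response (nginx's non-standard code 444)
    # before any location or fastcgi handling is reached.
    if ($request_uri ~ " ") {
        return 444;
    }

    location ~ \.php$ {
        include fastcgi_params;
        # SCRIPT_FILENAME is the path PHP-FPM ends up opening; the
        # attack described above needs an uploaded file whose name
        # contains a space plus a permissive PHP setup (conditions 1-3).
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;   # constructed placeholder address
    }
}

# PHP side (php.ini / PHP-FPM pool), closing conditions 2 and 3 above:
#   cgi.fix_pathinfo = 0
#   security.limit_extensions = .php
```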

nginx 嵌套 error_page

Sometimes in nginx you want error_page handling to be nested, for example:

    location / {
        error_page 404 @fetch;
    }

    location @fetch {
        error_page 404 @fetch2;
        # a literal URI part (/one/) is rejected on proxy_pass inside a named
        # location; with a variable nginx passes the URI exactly as written
        proxy_pass http://backend1/one$request_uri;
    }

    location @fetch2 {
        proxy_pass http://backend2/two$request_uri;
        # a "return 200 "xxx";" placed here would run in the rewrite phase and
        # shadow proxy_pass, so a fixed fallback body needs its own named location
    }

This is a simple example; to actually make it work, two parameters are required: proxy_intercept_errors on; recursive_error_pages on;
syntax: recursive_error_pages on | off;
default:
recursive_error_pages off;
context: http, server, location
Enables or disables doing several redirects using the error_page directive. The number of such redirects is limited.

syntax: proxy_intercept_errors on | off;
default:
proxy_intercept_errors off;
context: http, server, location
Determines whether proxied responses with codes greater than or equal to 300 should be passed to a client or be redirected to nginx for processing with the error_page directive.
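The complete configuration for the chain above with both directives in place, as an added example rather than the post's own config; the upstream addresses are constructed placeholders, and the final fixed body lives in its own named location because a return next to proxy_pass would run first.

```nginx
# Constructed upstream addresses; replace with the real backends.
upstream backend1 { server 192.0.2.10:8080; }
upstream backend2 { server 192.0.2.20:8080; }

server {
    listen 80;
    root /var/www/html;

    # Default off: nginx follows only a single error_page redirect.
    # The 404 -> @fetch -> @fetch2 -> @fallback chain needs more hops.
    recursive_error_pages on;

    # Default off: a 404 from the proxied backend is relayed to the
    # client unchanged instead of being handed to error_page.
    proxy_intercept_errors on;

    location / {
        # "=" lets the final status be whatever the named location
        # produces (e.g. 200 from backend1) rather than a forced 404.
        error_page 404 = @fetch;
    }

    location @fetch {
        error_page 404 = @fetch2;
        # A literal URI part (/one/) is rejected on proxy_pass inside a
        # named location; with a variable the URI is passed as written.
        proxy_pass http://backend1/one$request_uri;
    }

    location @fetch2 {
        error_page 404 = @fallback;
        proxy_pass http://backend2/two$request_uri;
    }

    location @fallback {
        # "return" runs in the rewrite phase and would shadow a proxy_pass
        # in the same location, so the fixed body gets its own location.
        return 200 "xxx";
    }
}
```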

Battery drain from the Sogou input method on a MacBook Air

First, the Air's built-in input method really is inhumanly hard to use.

Second, the Sogou input method really is pleasant to use; it is a good product.

However, Sogou is a battery hog. The new Air's battery life is absurdly good, up to 19 hours (13 hours normally), but with Sogou installed it drops to only 10-12 hours.

So Sogou's extra baggage has to go. I found that Sogou automatically runs something called SogouServices every 3 seconds; once it was killed off, peace returned.

sudo rm -rf /Library/LaunchAgents/com.sogou.SogouServices.plist

Below are the contents of that plist, for anyone interested:

/Library/LaunchAgents/com.sogou.SogouServices.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.sogou.SogouServices</string>
<key>OnDemand</key>
<true/>
<key>Program</key>
<string>/Library/Input Methods/SogouInput.app/Contents/SogouServices</string>
<key>StartInterval</key>
<integer>3</integer>
</dict>
</plist>

Running KVM inside KVM

From testing, Ubuntu currently supports nested KVM; RHEL does not.
Ubuntu supports this feature by default:

# modprobe -r kvm-intel
# modprobe kvm-intel nested=1
# cat /sys/module/kvm_intel/parameters/nested
Y

If it is not enabled, the kernel option has to be added manually:

cat /etc/default/grub | grep CMDLINE
GRUB_CMDLINE_LINUX="rd.lvm.lv=vol0/swapVol rd.md=0 rd.dm=0 KEYTABLE=us quiet rd.lvm.lv=vol0/rootVol rhgb rd.luks=0 SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 kvm-intel.nested=1"

Then modify the KVM (libvirt domain) configuration and add:

<cpu mode='custom' match='exact'>
  <model fallback='allow'>core2duo</model>
  <feature policy='require' name='vmx'/>
</cpu>


A bug in the nginx lua module

Recently, while helping to troubleshoot a fault, we found 50x errors; turning on the error log showed malloc failures and crashed worker processes:

[emerg] 5309#0: *288 malloc(808334101) failed (12: Cannot allocate memory) while sending to client
[notice] 4579#0: signal 18 (SIGCHLD) received
[notice] 4579#0: worker process 5211 exited with code 0

This was actually caused by the lua module: before 0.7.5, the nginx lua module had a memory overflow problem caused by ngx.req.clear_header, so it needs to be upgraded to the latest version.
That is all.

在防火墙环境使用facetime

Your company or educational institution may use a firewall to enhance security. A firewall works by blocking specific Internet traffic from entering or leaving.

Internet traffic moves through a firewall based on service-identification numbers that are referred to as ports. Certain ports must be open for FaceTime to work. Network administrators typically open a minimal set of network ports, allowing the traffic for approved applications to enter and leave the network while blocking other network traffic.

Ports to open

If the network router that you are connected to uses a firewall or security software to restrict Internet access, contact the network administrator and refer them to this article.

To use FaceTime on a restricted network, port forwarding must be enabled for these ports:

443 (TCP)
3478 through 3497 (UDP)
5223 (TCP)
16384 through 16387 (UDP)
16393 through 16402 (UDP)
Depending on the NAT configuration for the router and network, additional ports may be used to send and receive video. Some router-specific features or configurations may interfere with FaceTime. This includes port mapping on either end, SIP dropping, or dynamic opening of media ports.

The network administrator can refer to their router, firewall, or security software documentation for information about configuring port forwarding.

Additional Information
If you encounter issues using a Wi-Fi network, use standard Wi-Fi network troubleshooting to resolve interference and other issues.

FaceTime for Mac support resources can be found here. The support page has links to support pages for FaceTime on iOS devices, on the left side.
http://support.apple.com/kb/HT4245

nginx gunzip filter module

A quick introduction to a gunzip module written by Maxim Dounin, Igor's hired gun.

Gunzip module for nginx.
This module allows gunzipping responses returned with Content-Encoding: gzip
for clients that don't support it. It may be useful if you prefer to store
data compressed (to save space or disk/network IO) but do not want to penalize
clients without gzip support.

Note well: only responses with Content-Encoding set to gzip before this module
are handled (e.g. using "add_header Content-Encoding gzip;" isn't enough as it
happens after). As of now only proxy and fastcgi are able to do so.

This module decompresses gzip-encoded content on the fly for clients that do not support gzip encoding.
Benefits:
1. Compressed content is requested straight from the origin, reducing origin bandwidth and improving response time
2. Only one compressed copy is kept, reducing cache size; the same cache can hold more content
The configuration format is fairly simple:

Configuration directives:

gunzip (on|off)

Context: http, server, location
Default: off

Switches gunzip.

gunzip_buffers

Context: http, server, location
Default: 32 4k/16 8k

Specifies number and size of buffers available for decompression.

Usage:

    location /storage/ {
        gunzip on;
    }

Points worth noting:
1. If the client does not support gzip encoding, the gunzip module returns the decompressed content
2. If the client supports gzip encoding, gunzip automatically does nothing and the original content is returned

For certain special needs, such as addition_filter, we know these filters only work properly on uncompressed content, so combining them with this module is not so convenient.
The simple code change is to make the module ignore the client's header and always return uncompressed content; just comment out this whole block:
ngx_http_gunzip_filter_module.c

#if (nginx_version >= 8025 || (nginx_version >= 7065 && nginx_version < 8000))

    r->gzip_vary = 1;

    if (!r->gzip_tested) {
        if (ngx_http_gzip_ok(r) == NGX_OK) {
            return ngx_http_next_header_filter(r);
        }

    } else if (!r->gzip_ok) {
        return ngx_http_next_header_filter(r);
    }

#else

    if (ngx_http_gzip_ok(r) == NGX_OK) {
        return ngx_http_next_header_filter(r);
    }

#endif

Someone has written a gunzip_always switch patch to control this behaviour; the patch is not being released for now.

Module URL: http://mdounin.ru/hg/ngx_http_gunzip_filter_module/

Apache Traffic Server background fill (pre-caching)

The ATS (Apache Traffic Server) background fill (pre-caching) feature requires 2 parameters to be set before it takes effect:
1. proxy.config.http.background_fill_active_timeout
For small files the default can be kept: INT 60
For large files set it to: INT 3600
Choose the value according to file size and network speed.
2. proxy.config.http.background_fill_completed_threshold
Set it to 0.0; the default is 0.5
See the official documentation for the details:
http://trafficserver.apache.org/docs/trunk/admin/configuration-files/records.config.en.html
proxy.config.http.background_fill_active_timeout
INT
Default: 60
Specifies how long Traffic Server continues a background fill before giving up and dropping the origin server connection.
proxy.config.http.background_fill_completed_threshold
FLOAT
Default: 0.50000
The proportion of total document size already transferred when a client aborts at which the proxy continues fetching the document from the origin server to get it into the cache (a background fill).