
Using a reverse proxy to improve the security-scanning experience

More and more internal systems only allow HTTPS access. Something is wrong with my Burp: even after importing its certificate, every refresh still throws a certificate error. I decided to downgrade to HTTP first to sidestep the problem, so I put an nginx reverse proxy in front. Reference configuration:

server {
    listen 80;
    server_name www.aq.com;
    client_max_body_size 260m;
    client_body_buffer_size 64k;
    location / {
        proxy_set_header Host 'www.abc.com';
        proxy_set_header Referer 'https://www.abc.com/';
        proxy_pass https://1.2.3.4;   # with the Host header set above there is no need for a hosts entry; if the name already resolves, use the real domain here instead
    }
    access_log  /path/logs/proxy.log  access;
}

This configuration worked fine until today, when a new back-end needed auditing and my reverse proxy kept getting 302-redirected back to the real address. Annoying. Looking at the network requests in F12 showed that cookies were missing. Out of habit I immediately tried to set the cookies myself, and got an error =.=

document.cookie
VM141:1 Uncaught DOMException: Failed to read the 'cookie' property from 'Document': Access is denied for this document.
    at <anonymous>:1:10

After a moment's thought, I changed the reverse proxy configuration instead:

server {
    listen 80;
    server_name www.aq.com;
    client_max_body_size 260m;
    client_body_buffer_size 64k;
    # paste the cookie here after logging in
    add_header Set-Cookie 'SESSID=2ba4dee3';
    location / {
        proxy_set_header Host 'www.abc.com';
        proxy_set_header Referer 'https://www.abc.com/';
        proxy_pass https://1.2.3.4;   # with the Host header set above there is no need for a hosts entry; if the name already resolves, use the real domain here instead
    }
    access_log  /path/logs/proxy.log  access;
}

Save, reload nginx, solved... Burp should have this functionality too; I'll look into it some other day.

Logging in single-user mode on CentOS 6

By default, rsyslog is not started in single-user mode, yet our logging depends on rsyslog; and by default, even setting rsyslog to on for runlevel 1 in chkconfig has no effect. Let's look at the contents of /etc/init/rcS-sulogin.conf:

[root@ ~]# cat /etc/init/rcS-sulogin.conf   
# rcS-sulogin - "single-user" runlevel compatibility
#
# This task runs /bin/bash during "single-user" mode,
# then continues to the default runlevel.
#
# Do not edit this file directly. If you want to change the behaviour,
# please create a file rcS-sulogin.override and put your changes there.

start on runlevel S

stop on runlevel [!S]

console owner
script
        . /etc/sysconfig/init
        plymouth --hide-splash || true
        [ -z "$SINGLE" ] && SINGLE=/sbin/sushell
        exec $SINGLE
end script
post-stop script
        if [ "$RUNLEVEL" = "S" ]; then
                [ -f /etc/inittab ] && runlevel=$(/bin/awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab)
                [ -z "$runlevel" ] && runlevel="3"
                exec telinit $runlevel
        fi
end script

If you want to change the behaviour, please create a file rcS-sulogin.override and put your changes there.

So we can copy /etc/init/rcS-sulogin.conf to /etc/init/rcS-sulogin.override and change the attributes we need, for instance starting rsyslog or even starting the network and ssh (this time we only add rsyslog, to make sure command-line activity in single-user mode is written to the log; without networking, rsyslog cannot forward it to a remote server).

 14 script
 15     . /etc/sysconfig/init
 16     plymouth --hide-splash || true
 17     /etc/init.d/rsyslog start   # add this line
 18     [ -z "$SINGLE" ] && SINGLE=/sbin/sushell
 19     exec $SINGLE
 20 end script
[root@ ~]# diff  /etc/init/rcS-sulogin.override /etc/init/rcS-sulogin.conf
17d16
<     /etc/init.d/rsyslog start

From the next boot into single-user mode, operations will be logged.

Hot-reloading celery workers

Background: a project uses celery workers as its task queue, supervised by supervisord. Every code update needs a restart, which is annoying: you either have to notify users or wait for the dead of night. So the boss asked me to solve it.
Option 1: each time, delete the method that needs to change and dynamically reload it with __import__

import sys

# drop the cached module so the next import re-executes the updated source
try:
    del sys.modules['init_env']
except KeyError:
    pass
init_env = __import__('init_env')

That is how it was handled two years ago; because the method ran infrequently, the inefficiency didn't matter much. Now the queues are long and a more efficient approach is needed. After some thought I came up with the following.
Option 2: after deploying the code, start a new worker, then tell the old worker to shut down.
From the documentation, a celery worker accepts these signals:

The worker’s main process overrides the following signals:

TERM	Warm shutdown, wait for tasks to complete.
QUIT	Cold shutdown, terminate ASAP
USR1	Dump traceback for all active threads.
USR2	Remote debug, see celery.contrib.rdb.

So the problem becomes easy.
Define two names, say master and slave, and alternate between them on each deploy.

ROLE=master          # role being started by this deploy
LAST_ROLE=slave      # role started by the previous deploy
# start the new worker in the background; it writes its own pidfile
celery -A proj worker -c 8 -n ${ROLE} --pidfile=${ROLE}.pid --detach
# warm shutdown of the previous worker: TERM lets it finish in-flight tasks first
if [ -f ${LAST_ROLE}.pid ]; then
    PID=$(cat ${LAST_ROLE}.pid)
    ps u -p ${PID} | grep -q celery && kill ${PID}
fi
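As an added example (not from the original post), here is the swap above generalized into a POSIX shell script: it works out which role is live from the pidfiles, starts the other one, waits for it to come up, and only then sends TERM (warm shutdown) to the old worker. The project name proj and the pidfile directory are assumptions; start_worker can be overridden to launch something other than celery.

```shell
#!/bin/sh
# Added example (not the blog's own script): rolling restart that alternates the
# "master" and "slave" roles. Assumes each worker writes <role>.pid into $PIDDIR
# and treats SIGTERM as a warm shutdown (finish in-flight tasks, then exit).
PIDDIR="${PIDDIR:-.}"

# True if <role>.pid exists and names a live process.
role_alive() {
    pidfile="$PIDDIR/$1.pid"
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Print the role that is currently running, or "none".
current_role() {
    if role_alive master; then echo master
    elif role_alive slave; then echo slave
    else echo none
    fi
}

# Start one worker for role $1 (hypothetical project name "proj", as in the post).
# Override this function to launch something other than celery.
start_worker() {
    celery -A proj worker -c 8 -n "$1" --pidfile="$PIDDIR/$1.pid" --detach
}

# Start the idle role, wait until its pidfile is live, then warm-stop the old role.
# Leaves the new role's name in $NEW_ROLE; returns non-zero if the new worker fails.
rolling_restart() {
    OLD_ROLE=$(current_role)
    case "$OLD_ROLE" in
        master) NEW_ROLE=slave ;;
        *)      NEW_ROLE=master ;;
    esac
    start_worker "$NEW_ROLE"
    tries=0
    while ! role_alive "$NEW_ROLE"; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "worker $NEW_ROLE did not start" >&2; return 1; }
        sleep 1
    done
    # Only now is it safe to retire the old worker: TERM = warm shutdown per the docs.
    if [ "$OLD_ROLE" != none ]; then
        kill -TERM "$(cat "$PIDDIR/$OLD_ROLE.pid")"
    fi
    echo "started $NEW_ROLE, warm shutdown sent to $OLD_ROLE"
}
```

Run rolling_restart once per deploy; if the new worker never becomes live, the old one is left untouched and the function returns non-zero so a deploy script can abort.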

Postscript: it is easy to be misled by first impressions. Because we manage the celery worker with supervisord, and supervisorctl restart celery makes the worker restart immediately rather than after finishing the tasks in hand (embarrassingly, caused by the killasgroup=true parameter we had added), I assumed hot-reloading celery workers was a hassle. In fact a lot of this is written in the documentation; a glance might have been enough. That said, with our version, even using the supervisor configuration recommended by celery, supervisorctl restart celery only finishes the tasks currently being executed; it does not drain all the tasks already fetched from the broker before restarting. That still needs more investigation.

========================================
Environment:

celery: 3.0.13 (Chiastic Slide)
supervisord: 3.3.4

Configuration reference: https://github.com/celery/celery/blob/master/extra/supervisord/celeryd.conf

[program:celery]
; Set full path to celery program if using virtualenv
command=celery worker -A proj --loglevel=INFO

; Alternatively,
;command=celery --app=your_app.celery:app worker --loglevel=INFO -n worker.%%h
; Or run a script
;command=celery.sh

directory=/path/to/project
user=nobody
numprocs=1
stdout_logfile=/var/log/celery/worker.log
stderr_logfile=/var/log/celery/worker.log
autostart=true
autorestart=true
startsecs=10

; Need to wait for currently executing tasks to finish at shutdown.
; Increase this if you have very long running tasks.
stopwaitsecs = 600

; Causes supervisor to send the termination signal (SIGTERM) to the whole process group.
stopasgroup=true

; Set Celery priority higher than default (999)
; so, if rabbitmq is supervised, it will start first.
priority=1000

Modifying non-ASCII response bodies in Burp

When we intercept requests in Burp, we sometimes modify the response. Non-ASCII characters rarely appear in the headers, but the body often has them.
Every time I edit these non-ASCII characters they end up garbled, which is annoying. So how to handle it? I don't know what the correct way is, since I haven't seen it in the official documentation or any third-party docs, but I do know that the following procedure modifies them perfectly.

1. Cut the body into a file, say body.txt
2. Edit the response body in a text editor
3. In Burp, use Paste from file and select body.txt
4. Forward

Tested personally; it meets the need. Perfect~

A simple HTTP authentication scheme

I set up an internal static site; the usual approach is to add 401 authentication. But Chrome on my Windows 10 doesn't seem to remember 401 credentials, which is annoying, so here is a different approach:

  1. The first request goes to a fixed link, which grants authorization and then redirects to the home page
  2. Every other request is checked for the corresponding credential; if it is present, access is allowed, otherwise it is denied or redirected to the central authentication back-end
    Reference nginx configuration:
server
{
    listen       443;
    server_name test.abc.com;
    index index.html index.htm index.php;
    include ssl.conf;
    root  /var/www/html/;
    set $token 'token_content';
    set $cname 'PHPSESSID';
    set $max_age 86400; # 1 day
    location = /api/v1/auth {
        add_header "Set-Cookie" "$cname=$token;path=/;Max-Age=$max_age;HttpOnly;";
        return 301 /;
    }
    location / {
        #if ($cookie_$cname != $token ) {   # don't know how to concatenate variables in nginx...
        if ($cookie_PHPSESSID != $token ) {  # deny access if the cookie value does not match the expected value
            return 403;  
        }
    }
    access_log  /var/logs/$host.log;
}
