Using a reverse proxy to improve the security scanning experience
More and more internal systems only allow HTTPS access. Something is off with my Burp: even after importing its certificate, every refresh still raises a certificate error. So I decided to downgrade to HTTP first to sidestep the problem and put an nginx reverse proxy in front. Reference configuration:
    server {
        listen 80;
        server_name www.aq.com;
        client_max_body_size 260m;
        client_body_buffer_size 64k;
        location / {
            proxy_set_header Host 'www.abc.com';
            proxy_set_header Referer 'https://www.abc.com/';
            proxy_pass https://1.2.3.4; # combined with the Host header above there is no need to bind the name in hosts; if the domain already resolves, use the real domain name here
        }
        access_log /path/logs/proxy.log access;
    }
This configuration worked fine until today, when another new backend had to be audited and my reverse proxy kept getting 302'd back to the real address, which was annoying. Watching the network requests in F12 showed that cookies were missing. Out of habit I immediately tried setting the cookies myself, which threw an error =.=
    document.cookie
    VM141:1 Uncaught DOMException: Failed to read the 'cookie' property from 'Document': Access is denied for this document.
        at <anonymous>:1:10
After a moment's thought, I changed the reverse proxy configuration instead:
    server {
        listen 80;
        server_name www.aq.com;
        client_max_body_size 260m;
        client_body_buffer_size 64k;
        # paste the cookie here after logging in
        add_header Set-Cookie 'SESSID=2ba4dee3';
        location / {
            proxy_set_header Host 'www.abc.com';
            proxy_set_header Referer 'https://www.abc.com/';
            proxy_pass https://1.2.3.4; # combined with the Host header above there is no need to bind the name in hosts; if the domain already resolves, use the real domain name here
        }
        access_log /path/logs/proxy.log access;
    }
Save, reload the nginx service, and it's solved... Burp probably has a feature for this too; I'll look into it some other day.
A simple HTTP authentication
I set up an internal static site. The usual approach is to add 401 authentication, but Chrome on my Windows 10 doesn't seem to remember the 401 username and password, which is annoying, so I took a different approach:
- The first request goes to a fixed link, which grants the authorization and then redirects to the home page
- Every other request is checked for the corresponding credential: if present, access is allowed; if not, access is denied or the request is redirected to a unified authentication backend
nginx reference configuration:
    server
    {
        listen 443;
        server_name test.abc.com;
        index index.html index.htm index.php;
        include ssl.conf;
        root /var/www/html/;
        set $token 'token_content';
        set $cname 'PHPSESSID';
        set $max_age 86400; # 1 day
        location = /api/v1/auth {
            add_header "Set-Cookie" "$cname=$token;path=/;Max-Age=$max_age;HttpOnly;";
            return 301 /;
        }
        location / {
            #if ($cookie_$cname != $token ) { # don't know how to concatenate variables in nginx...
            if ($cookie_PHPSESSID != $token ) { # deny access if the cookie's value differs from the expected value
                return 403;
            }
        }
        access_log /var/logs/$host.log;
    }
CentOS 6: logging in single-user mode
By default rsyslog is not started in single-user mode, yet our logging depends on rsyslog, and by default even setting rsyslog to "on" for runlevel 1 in chkconfig has no effect. Let's look at the content of /etc/init/rcS-sulogin.conf:
    [root@ ~]# cat /etc/init/rcS-sulogin.conf
    # rcS-sulogin - "single-user" runlevel compatibility
    #
    # This task runs /bin/bash during "single-user" mode,
    # then continues to the default runlevel.
    #
    # Do not edit this file directly. If you want to change the behaviour,
    # please create a file rcS-sulogin.override and put your changes there.
    start on runlevel S
    stop on runlevel [!S]
    console owner
    script
        . /etc/sysconfig/init
        plymouth --hide-splash || true
        [ -z "$SINGLE" ] && SINGLE=/sbin/sushell
        exec $SINGLE
    end script
    post-stop script
        if [ "$RUNLEVEL" = "S" ]; then
            [ -f /etc/inittab ] && runlevel=$(/bin/awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab)
            [ -z "$runlevel" ] && runlevel="3"
            exec telinit $runlevel
        fi
    end script
If you want to change the behaviour, please create a file rcS-sulogin.override and put your changes there.
So we can copy /etc/init/rcS-sulogin.conf to /etc/init/rcS-sulogin.override and change the attributes we need, for example starting rsyslog, or even network and ssh (this time we only add rsyslog, to make sure command-line operations in single-user mode are recorded in the log, although without a network rsyslog won't forward them to the remote host):
    14 script
    15     . /etc/sysconfig/init
    16     plymouth --hide-splash || true
    17     /etc/init.d/rsyslog start # add this line
    18     [ -z "$SINGLE" ] && SINGLE=/sbin/sushell
    19     exec $SINGLE
    20 end script
    [root@ ~]# diff /etc/init/rcS-sulogin.override /etc/init/rcS-sulogin.conf
    17d16
    < /etc/init.d/rsyslog start
From then on, the next time we boot into single-user mode, the session will be logged.
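As an added example (not part of the original post), here is a small sh script that produces the override from the conf the way the edit above does: it inserts the rsyslog line right after the plymouth line of the script stanza and refuses to add it twice. File paths are parameters so it can be tried on a copy first; it assumes the stanza looks as shown above and that awk and diff are available.

```shell
#!/bin/sh
# Added example, not from the original post: build rcS-sulogin.override from
# rcS-sulogin.conf by inserting "/etc/init.d/rsyslog start" right after the
# plymouth line of the "script" stanza (the edit shown above), without
# duplicating it on a second run. Assumes the conf has that stanza.

RSYSLOG_LINE='/etc/init.d/rsyslog start'

# make_sulogin_override SRC DST
#   SRC: e.g. /etc/init/rcS-sulogin.conf   DST: e.g. /etc/init/rcS-sulogin.override
make_sulogin_override() {
    src="$1"; dst="$2"
    # Idempotent: an override that already starts rsyslog is left untouched.
    if [ -f "$dst" ] && grep -qF "$RSYSLOG_LINE" "$dst"; then
        return 0
    fi
    awk -v ins="$RSYSLOG_LINE" '
        { print }
        # only the first plymouth line (inside "script") gets the extra command
        /plymouth --hide-splash/ && !done {
            print "    " ins "  # added for single-user logging"
            done = 1
        }
    ' "$src" > "$dst"
}

# Prints how many lines DST has that SRC lacks; expect exactly 1 after the edit
# (the same check the "diff override conf" command above performs by eye).
override_extra_lines() {
    diff "$2" "$1" | grep -c '^<'
}
```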
Modifying a non-ASCII response body in Burp
When intercepting requests in Burp we sometimes modify the response. Headers rarely contain non-ASCII characters, but the body often does.
Every time I edit these non-ASCII characters they turn into mojibake, which is annoying. So what to do? I don't know what the correct way is, since I haven't seen it in the official documentation or any third-party documentation, but I do know the following workflow edits them cleanly:
1. Cut the body into a file, e.g. body.txt
2. Edit the response body in a text editor
3. In Burp, use "Paste from file" and select body.txt
4. Forward
Tested; it meets the need, perfect~
celery worker hot reloading
Background: a project uses celery worker as its task queue, supervised by supervisord. Every code update requires a restart, which is annoying: you either have to notify users or wait for the dead of night. So the boss asked me to solve it.
Option 1: each time, delete the method that needs to change and use __import__ to load it dynamically
    import sys

    try:
        del sys.modules['init_env']  # drop the cached module so the next import re-reads the file
    except KeyError:
        pass
    init_env = __import__('init_env')  # re-import from disk
That is how it was handled two years ago; the method ran infrequently, so its inefficiency didn't matter much. Now the queues are long and a more efficient approach is needed. After some thought, I came up with the following.
Option 2: after deploying the code, start a new worker, then tell the old worker to shut down.
From the documentation, celery worker accepts these signals:
    The worker's main process overrides the following signals:
    TERM    Warm shutdown, wait for tasks to complete.
    QUIT    Cold shutdown, terminate ASAP
    USR1    Dump traceback for all active threads.
    USR2    Remote debug, see celery.contrib.rdb.
So the problem becomes easy to handle.
Define two names, e.g. master and slave, and alternate between them when starting:
    ROLE=master
    LAST_ROLE=slave
    # start the new worker; --detach so the script goes on to stop the old one
    celery -A proj worker -c 8 -n ${ROLE} --pidfile=${ROLE}.pid --detach
    # TERM is the warm shutdown: the old worker finishes its current tasks first
    if [ -f ${LAST_ROLE}.pid ]; then
        PID=$(cat ${LAST_ROLE}.pid)
        ps u -p ${PID} | grep -q celery && kill -TERM ${PID}
    fi
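The alternating start above, generalised into a reusable sh script as an added example (not the post's own code): it picks whichever of master/slave has no live worker, starts the new worker under that name, waits for its pid file, and only then sends TERM (warm shutdown) to the other. The worker command is passed in as a parameter with ROLE and PIDFILE set in its environment, so the swap logic can be tried with a stand-in process before pointing it at celery; PIDDIR and the five-second wait are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: alternate celery workers between the
# names master and slave, starting the new one before warm-stopping the old one.
# The start command is a parameter run with ROLE and PIDFILE set in its environment:
#   CELERY='celery -A proj worker -c 8 -n "$ROLE" --pidfile="$PIDFILE" --detach'
PIDDIR=${PIDDIR:-.}   # assumed location of master.pid / slave.pid

# True if the pid recorded in file $1 is a live process (kill -0 sends no signal).
alive_pidfile() {
    [ -f "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# Print the name to start next: the one without a live worker.
pick_next_role() {
    m=0; s=0
    alive_pidfile "$PIDDIR/master.pid" && m=1
    alive_pidfile "$PIDDIR/slave.pid" && s=1
    if [ "$m$s" = 11 ]; then
        echo "both workers alive: a previous swap has not finished" >&2
        return 1
    elif [ "$m" = 1 ]; then
        echo slave
    else
        echo master
    fi
}

other_role() { [ "$1" = master ] && echo slave || echo master; }

# swap_workers ROLE START_CMD: start ROLE, then TERM the other worker.
swap_workers() {
    role="$1"; old=$(other_role "$role")
    ROLE="$role" PIDFILE="$PIDDIR/$role.pid" sh -c "$2"
    # Give the new worker up to 5 s to write its pid file before touching the old one.
    i=0
    while [ "$i" -lt 5 ] && ! alive_pidfile "$PIDDIR/$role.pid"; do
        sleep 1; i=$((i + 1))
    done
    alive_pidfile "$PIDDIR/$role.pid" || { echo "$role did not start" >&2; return 1; }
    # TERM is celery's warm shutdown: in-flight tasks finish, then the process exits.
    if alive_pidfile "$PIDDIR/$old.pid"; then
        kill -TERM "$(cat "$PIDDIR/$old.pid")"
    fi
    echo "$role"
}
```

A deploy step is then: `swap_workers "$(pick_next_role)" "$CELERY"`.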
Afterword: we tend to jump to conclusions. Because supervisord manages the celery worker, and supervisorctl restart celery restarted the celery worker immediately instead of letting it finish the tasks in hand (awkward: that was caused by the killasgroup=true parameter I had added), I assumed hot reloading celery worker was troublesome. In fact much of this is written in the documentation; one glance might have been enough. However, even with the supervisor configuration recommended by celery, after supervisorctl restart celery our version only finishes the tasks it is currently executing; it does not finish all the tasks already fetched from the broker before restarting. That still needs further study.
========================================
Environment:
celery: 3.0.13 (Chiastic Slide)
supervisord: 3.3.4
Configuration file reference: https://github.com/celery/celery/blob/master/extra/supervisord/celeryd.conf
    [program:celery]
    ; Set full path to celery program if using virtualenv
    command=celery worker -A proj --loglevel=INFO
    ; Alternatively,
    ;command=celery --app=your_app.celery:app worker --loglevel=INFO -n worker.%%h
    ; Or run a script
    ;command=celery.sh
    directory=/path/to/project
    user=nobody
    numprocs=1
    stdout_logfile=/var/log/celery/worker.log
    stderr_logfile=/var/log/celery/worker.log
    autostart=true
    autorestart=true
    startsecs=10
    ; Need to wait for currently executing tasks to finish at shutdown.
    ; Increase this if you have very long running tasks.
    stopwaitsecs = 600
    ; Causes supervisor to send the termination signal (SIGTERM) to the whole process group.
    stopasgroup=true
    ; Set Celery priority higher than default (999)
    ; so, if rabbitmq is supervised, it will start first.
    priority=1000