- Docker & k8s beginner
- Network-leaning pseudo-ops who occasionally also has to patch all sorts of code 🐶
san3xian / randommark
Using a GitHub repo for some random notes; the content is in the issues. The GitHub Pages site is only a test bed 🧪
Home Page: https://qc47.net
In the Windows Event Viewer, create a custom view and choose "Edit query manually" to write the filter by hand.
XML filters
A few examples aimed at mstsc (RDP) logon events; copy the pattern for other cases.
Events that carry an IpAddress
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='IpAddress']!='-']]</Select>
</Query>
</QueryList>
Ordinary network logon events (LogonType 3)
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='LogonType']=3]]</Select>
</Query>
</QueryList>
Ordinary interactive logon events (LogonType 2)
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='LogonType']=2]]</Select>
</Query>
</QueryList>
PS: on Windows 10 version 1903 a bug makes the custom-view filter UI unusable; the only way is to run the query from the command prompt and read the output. A real pitfall; don't upgrade on a whim.
To be continued.
Out of (no money) laziness I wanted to use Apache to reverse-proxy both a tool's WebSocket traffic and frp's HTTPS traffic at the same time (both on port 443).
Spent $%^#$%^ hours on it, got it working.
Testing
The WebSocket connection is far slower than before.
Putting Cloudflare in front makes it even, even, even slower.
Okay, I surrender: buy a new server and split the traffic.
While configuring Apache this time I ran into an old problem again, so I'm noting it down once more.
When every Apache site configuration file sets its own ServerName, which configuration file does a request for an illegal host name (one not set as any ServerName) actually end up using?
My guess is the conf file that is included first when Apache loads its configuration, e.g. a___proxy.conf; the log indeed shows requests landing in a___proxy.conf. The proper term for this is still to be looked up.
overflow:hidden;
A single line of text can be truncated with text-overflow:ellipsis;
Multi-line text needs:
display:-webkit-box;
-webkit-line-clamp:3;
-webkit-box-orient:vertical;
First, in this situation the proxy_connect_timeout, proxy_read_timeout and proxy_send_timeout values all need to be raised to match the real processing time.
Then check whether there is a firewall policy on the nginx -> upstream path, in particular a stateful firewall.
By default nginx does not enable TCP keepalive, i.e. the TCP session liveness check, toward either the client or the upstream (this is not HTTP keepalive and not TCP connection reuse!!!).
In that situation, if a stateful firewall sits on the nginx -> upstream path with a 300 s idle timeout configured,
and a request takes the backend 530 seconds to process, nginx forwards the request to the upstream and then holds the session open (ESTABLISHED).
While it waits for the backend to finish and reply, no further traffic flows on that TCP session between nginx and the upstream,
so the stateful firewall on the path is likely to decide the session is dead and block it.
When the backend finally replies, its packets never reach nginx; once nginx hits the proxy_read_timeout threshold it returns a 504 timeout error to the requester,
and nginx's error.log shows the message: upstream timed out (110: Connection timed out) while reading response header from upstream
In this case, enable nginx's TCP keepalive toward the upstream (the SO_KEEPALIVE socket option):
proxy_socket_keepalive on;
Once enabled, nginx sends keepalive probe packets to the upstream on the session according to the kernel parameters net.ipv4.tcp_keepalive_intvl, net.ipv4.tcp_keepalive_probes and net.ipv4.tcp_keepalive_time, both to check that the session is alive and to keep the stateful firewall on the path from dropping the request (recommended in most cases; tune the values to the situation so nginx can also drop the connection proactively when the upstream is unhealthy).
ps:
The Linux kernel has three settings that affect keepalive behaviour:
tcp_keepalive_time 7200 // seconds of idle time after the last data before probing begins, default 7200 s
tcp_keepalive_intvl 75 // seconds between probes once probing has begun, default 75 s
tcp_keepalive_probes 9 // number of unanswered probes after which the connection is closed, default 9
A TCP socket also has three matching options that can be set per socket with the setsockopt system call:
TCP_KEEPCNT: overrides tcp_keepalive_probes
TCP_KEEPIDLE: overrides tcp_keepalive_time
TCP_KEEPINTVL: overrides tcp_keepalive_intvl
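As an added illustration (not from the original note), the following Python applies SO_KEEPALIVE plus the three per-socket overrides described above and checks the note's scenario of a 300 s stateful-firewall timeout against the kernel defaults; the socket option names are looked up per platform, and the tuned values (60/10/3) are constructed for this example.

```python
import socket

# Kernel defaults quoted in the note above: idle seconds, probe interval, probe count
KERNEL_DEFAULTS = {"idle": 7200, "intvl": 75, "cnt": 9}

# Per-socket option names differ by platform: Linux exposes TCP_KEEPIDLE,
# macOS calls the idle option TCP_KEEPALIVE. A name missing on this
# platform resolves to None and is skipped.
OPT_IDLE = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
OPT_INTVL = getattr(socket, "TCP_KEEPINTVL", None)
OPT_CNT = getattr(socket, "TCP_KEEPCNT", None)


def read_keepalive(sock):
    """Return the keepalive settings currently in force on `sock`."""
    def get(opt):
        return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)

    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": get(OPT_IDLE),
        "intvl": get(OPT_INTVL),
        "cnt": get(OPT_CNT),
    }


def enable_keepalive(sock, idle, intvl, cnt):
    """Turn on SO_KEEPALIVE (what proxy_socket_keepalive on does for nginx's
    upstream sockets) and override the three kernel defaults for this socket
    only. Returns the values read back from the socket."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for opt, value in ((OPT_IDLE, idle), (OPT_INTVL, intvl), (OPT_CNT, cnt)):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return read_keepalive(sock)


def tune_new_socket(idle, intvl, cnt):
    """Create a throwaway TCP socket, apply the settings and return what the
    kernel reports back (the options can be set before the socket connects)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_keepalive(s, idle, intvl, cnt)


def survives_firewall(idle, firewall_idle_timeout):
    """True when the first probe is sent before a stateful firewall with the
    given idle timeout (seconds) would forget the flow."""
    return idle < firewall_idle_timeout


def dead_peer_detected_after(idle, intvl, cnt):
    """Seconds of silence before the kernel closes a connection whose peer
    never answers: the idle period, then cnt probes intvl seconds apart."""
    return idle + intvl * cnt


if __name__ == "__main__":
    # The note's scenario: a 300 s firewall timeout and a 530 s backend job.
    print("kernel defaults survive a 300 s firewall:",
          survives_firewall(KERNEL_DEFAULTS["idle"], 300))
    tuned = tune_new_socket(idle=60, intvl=10, cnt=3)
    print("per-socket settings:", tuned)
    print("idle=60 survives a 300 s firewall:", survives_firewall(60, 300))
    print("dead upstream noticed after:", dead_peer_detected_after(60, 10, 3), "s")
```

With the defaults the first probe would only go out after 7200 s, long after a 300 s firewall has forgotten the flow; the per-socket values make the probes arrive in time and also shorten dead-upstream detection.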
Come on, let's do something: understand what commands do from their full English names.
Memory kick-start
PS: accuracy not guaranteed, though I try my best; corrections welcome.
ifconfig [ interface configuration ]
ps [ process status ]
systemctl [system control]
ncpa.cpl [ network connection control panel applet ]
mstsc [ Microsoft terminal services client ]
cmd [ command ]
ipconfig [ internet protocol configuration ]
msconfig [ Microsoft System Configuration ]
msinfo32 [ Microsoft System Information ] (no idea what the 32 is; treat it as 32-bit, the common system width)
chkdsk [ check disk ]
sfc [ System File Checker ]
Haven't touched this in ages; sudden amnesia.
Same as before: start jotting notes, start recalling.
Baidu, Baidu + Google, Google + cnblogs + CSDN + ...
user()
database()
updatexml()
extractvalue()
*extract = to pull out
concat
@@version
exists
union
join
Database and table names are case sensitive
Table aliases are strictly case sensitive
Column names and column aliases are case insensitive in all situations
Field content is case insensitive by default [depends on the collation]
Use MySQL's BINARY keyword to make a search case sensitive: select * from tb_user where BINARY username = 'user';
Character set and collation [related to encoding, case handling when retrieving data, etc.]
show variables like '%char%';
mysql --default-character-set=utf8 -u root -p
show table status from information_schema like 'TABLES'; [case sensitive]
show create database information_schema;
show create table test;
show full columns from table_name;
↑ the result includes ↓
[Field | Type | Collation | Null | Key | Default | Extra | Privileges | Comment]
get database name, user
select database()
select user()
get table names
select table_name from information_schema.tables where table_schema='table_name' #
select *** from *** where ****=** and 0 <= (select COUNT(*) from table_name ) #
select *** from *** where ****=** and exists ( select * from table_name ) #
get column names
select column_name from information_schema.columns where table_name='table_name'
***** union (select table_name, column_name, 1 from information_schema.columns where table_name='secret_table');#
Let's go
select `1` from table_name;
wxa.weixin.qq.com
mmae.qpic.cn
I originally wanted to capture packets to download the resource, but WeChat on Android 9 apparently does not trust user-installed system certificates; couldn't be bothered to dig into it, so I looked at the cache directly.
WeChat "circle" video cache files live under /sdcard/Android/data/com.tencent.mm/MicroMsg/videocache/
This time the file I found was at /sdcard/Android/data/com.tencent.mm/MicroMsg/videocache/appbrand0/0.0.1593855339250.v3.exo
Play it directly with a media player, or rename the extension to mp4.
name: build docker image and deploy
on:
  release:
    types: [created]
jobs:
  build_image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
          java-version: 1.8
          server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
          settings-path: ${{ github.workspace }} # location for the settings.xml file
      - name: Prepare environment variable information
        # the ::set-env workflow command is disabled on current runners; append to $GITHUB_ENV instead
        run: |
          echo "HUAWEI_IMAGE_SITE=***.myhuaweicloud.com" >> "$GITHUB_ENV"
          echo "HUAWEI_IMAGE_URL=***.myhuaweicloud.com/{{{organization name}}}" >> "$GITHUB_ENV"
          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
          echo "IMAGE_VERSION=$VERSION" >> "$GITHUB_ENV"
          echo "IMAGE_NAME={{{docker image name,use in docker save file name and github's repository docker image name}}}" >> "$GITHUB_ENV"
      - name: Log into Huawei registry
        run: echo -n "${{ secrets.huawei_registry_password }}" | docker login --username=${{ secrets.huawei_registry_username }} ${HUAWEI_IMAGE_SITE} --password-stdin
      - name: Log into Github registry
        run: echo -n "${{ secrets.githubtoken }}" | docker login --username=${{ github.repository_owner }} docker.pkg.github.com --password-stdin
      - name: Build jar file with Maven
        run: mvn -B package --file travel/pom.xml
      - name: Build docker image
        run: docker build ./travel/target --file Dockerfile --tag image
      - name: Push docker image to Huawei's docker image registry
        run: |
          docker tag image ${HUAWEI_IMAGE_URL}/${IMAGE_NAME}:${IMAGE_VERSION}
          docker push ${HUAWEI_IMAGE_URL}/${IMAGE_NAME}:${IMAGE_VERSION}
          echo ${HUAWEI_IMAGE_URL}/${IMAGE_NAME}:${IMAGE_VERSION} > image_metadata
      - name: Push docker image to Github's repository image registry
        run: |
          docker tag image docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_VERSION}
          docker images
          docker push docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_VERSION}
      - name: Save docker image to an archive file
        run: |
          docker save docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_VERSION} | gzip > ${IMAGE_NAME}_${IMAGE_VERSION}.tar.gz
      - name: Upload image archive file to action artifact
        uses: actions/upload-artifact@v1
        with:
          name: image_save
          path: ${{ env.IMAGE_NAME }}_${{ env.IMAGE_VERSION }}.tar.gz
      - name: Upload image metadata to artifact for next job
        uses: actions/upload-artifact@v1
        with:
          name: temp
          path: image_metadata
  run_image:
    runs-on: ubuntu-latest
    needs: build_image
    steps:
      - name: Get image metadata from artifact
        uses: actions/download-artifact@v1
        with:
          name: temp
          path: temp
      - name: Server docker container republish
        run: |
          cat <<EOF > temp_server_key
          ${{ secrets.server_key }}
          EOF
          chmod 0600 temp_server_key
          image=$(cat temp/image_metadata)
          ssh -p22 -o StrictHostKeyChecking=no -i ./temp_server_key root@*** bash /root/sanXian/docker_publish.sh $image {{{container name}}} {{{container port}}}
          sleep 60
          ssh -p22 -o StrictHostKeyChecking=no -i ./temp_server_key root@*** docker logs {{{container name}}}
root@ubuntu18:~/sanXian# cat docker_publish.sh
#!/bin/bash
########################################
# Author: SanXian
# $1 image repository and version
# $2 container name
# $3 container port (same as the host port)
#
#########################################
set -eu
docker_image=$1
container_name=$2
container_port=$3
# docker pull prints "Image is up to date" when the local copy already matches
# the registry; only in that case is the running container left untouched
pull_result=$(docker pull "$docker_image")
if [[ $pull_result =~ "Image is up to date" ]]
then
  echo "[Debug] Image is up to date"
else
  echo "[Debug] Container $container_name port $container_port going to rebuild or build"
  docker stop "$container_name" || true
  docker rm "$container_name" || true
  docker run -it -d --name "$container_name" -p "$container_port:$container_port" "$docker_image"
fi
FROM openjdk:8u212-jdk-alpine
WORKDIR /app
COPY travel-0.0.1-SNAPSHOT.jar travel-0.0.1-SNAPSHOT.jar
RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo "Asia/Shanghai" > /etc/timezone
CMD java $JAVA_OPTS -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap \
-Djava.security.egd=file:/dev/./urandom -jar travel-0.0.1-SNAPSHOT.jar
// ==UserScript==
// @name free-ss.site__get_link
// @namespace http://tampermonkey.net/
// @version 0.1
// @description hello world
// @author null
// @match https://free-ss.site/
// @run-at document-end
// ==/UserScript==
// Builds an ss:// URI: base64("method:password@address:port").
// CryptoJS and jQuery are the copies already loaded by the page.
function get_ss_link(data){
var str = 'ss://'+ CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(data.method + ':' + data.password + '@' + data.address +':'+ data.port ));
return str;
}
// Exposed on the page's window so it can be called from the browser console.
unsafeWindow.get_all_ss_links = function get_all_ss_links(){
var links = "";
// One table row per server; columns: 1 address, 2 port, 3 method, 4 password.
jQuery("#tbss_wrapper table tbody tr").each(function (index, item){
item = jQuery(this);
var data = {};
data.method = item.find("td").eq(3).html();
data.password = item.find("td").eq(4).html();
data.address = item.find("td").eq(1).html();
data.port = item.find("td").eq(2).html();
links += get_ss_link(data) + "\n";
});
console.log(links);
}
unsafeWindow.test = function(){
alert("123");
}
It feels like I searched the whole web and there is no check-in script for 全民K歌 (WeSing).
So I'll have to capture and analyze the traffic myself.
{$variable1}->g_tk_openkey
{$variable2}->openkey
{$variable3}->uid
{$variable4}->openid
Cookie: openkey={$variable2}; uid={$variable3}; openid={$variable4}; extroInfo=1|0|2|0|0; opentype=1
referer: http://kg.qq.com/vMission/index.html?hippy=vMission
User-Agent: *****************************
Connection: keep-alive
No-Chunked: true
Content-Type: application/x-www-form-urlencoded
Content-Length: 1038
Host: node.kg.qq.com
Accept-Encoding: gzip
g_tk_openkey={$variable1}&t_vecReportItem:array=%7B%22mData%22%3A%7B%22uid%22%3A%22{$variable3}%22%2C%22openid%22%3A%22{$variable4}%22%2C%22opentype%22%3A%221%22%2C%22act_id%22%3A%22{$variable3}_1564587566429_83931731%22%2C%22opertime%22%3A%221564587566%22%2C%22platform%22%3A%2211%22%2C%22app_version%22%3A%225.2.7.278%22%2C%22key%22%3A%22assignment%23register_module%23register%23click%230%22%7D%7D&ns=app_dcreport&cmd=extra.data_report&ns_inbuf=&mapExt=JTdCJTIyZmlsZSUyMiUzQSUyMmFwcF9kY3JlcG9ydEpjZSUyMiUyQyUyMmNtZE5hbWUlMjIlM0ElMjJEYXRhUmVwb3J0JTIyJTJDJTIyZGNhcGklMjIlM0ElN0IlMjJpbnRlcmZhY2VJZCUyMiUzQTExMzkwMDA2MSU3RCUyQyUyMmlwJTIyJTNBJTIyMTAwLjk1LjEzOC4xOCUyMiUyQyUyMnBvcnQlMjIlM0ExMjQwNiUyQyUyMmw1YXBpX2V4cDElMjIlM0ElN0IlMjJtb2RpZCUyMiUzQTgyMDg2NSUyQyUyMmNtZCUyMiUzQTUyNDI4OCU3RCUyQyUyMmw1YXBpX3Rlc3QxJTIyJTNBJTdCJTIybW9kaWQlMjIlM0E4MjA4NjUlMkMlMjJjbWQlMjIlM0E1MjQyODglN0QlMkMlMjJvdXRwdXQlMjIlM0F0cnVlJTdE
g_tk_openkey={$variable1}&t_vecReportItem:array=%7B%22mData%22%3A%7B%22uid%22%3A%22{$variable3}%22%2C%22openid%22%3A%22{$variable4}%22%2C%22opentype%22%3A%221%22%2C%22act_id%22%3A%22{$variable3}_1564589297921_63176483%22%2C%22opertime%22%3A%221564589297%22%2C%22platform%22%3A%2211%22%2C%22app_version%22%3A%225.2.7.278%22%2C%22key%22%3A%22assignment%23register_module%23register%23click%230%22%7D%7D&ns=app_dcreport&cmd=extra.data_report&ns_inbuf=&mapExt=JTdCJTIyZmlsZSUyMiUzQSUyMmFwcF9kY3JlcG9ydEpjZSUyMiUyQyUyMmNtZE5hbWUlMjIlM0ElMjJEYXRhUmVwb3J0JTIyJTJDJTIyZGNhcGklMjIlM0ElN0IlMjJpbnRlcmZhY2VJZCUyMiUzQTExMzkwMDA2MSU3RCUyQyUyMmlwJTIyJTNBJTIyMTAwLjk1LjEzOC4xOCUyMiUyQyUyMnBvcnQlMjIlM0ExMjQwNiUyQyUyMmw1YXBpX2V4cDElMjIlM0ElN0IlMjJtb2RpZCUyMiUzQTgyMDg2NSUyQyUyMmNtZCUyMiUzQTUyNDI4OCU3RCUyQyUyMmw1YXBpX3Rlc3QxJTIyJTNBJTdCJTIybW9kaWQlMjIlM0E4MjA4NjUlMkMlMjJjbWQlMjIlM0E1MjQyODglN0QlMkMlMjJvdXRwdXQlMjIlM0F0cnVlJTdE
g_tk_openkey
t_vecReportItem:array
ns [ fixed: app_dcreport ]
cmd [ fixed: extra.data_report ]
ns_inbuf [ fixed: empty ]
mapExt [ fixed ]
{"mData":{"uid":"{$variable3}","openid":"{$variable4}","opentype":"1","act_id":"{$variable3}_1564587566429_83931731","opertime":"1564587566","platform":"11","app_version":"5.2.7.278","key":"assignment#register_module#register#click#0"}}
{"mData":{"uid":"{$variable3}","openid":"{$variable4}","opentype":"1","act_id":"{$variable3}_1564589297921_63176483","opertime":"1564589297","platform":"11","app_version":"5.2.7.278","key":"assignment#register_module#register#click#0"}}
{"mData":{"uid":"{$variable3}","openid":"{$variable4}","opentype":"1","act_id":"{$variable3}{timestamp}{unknown value}","opertime":"{timestamp}","platform":"11","app_version":"5.2.7.278","key":"assignment#register_module#register#click#0"}}
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2019 16:19:52 GMT
Content-Type: application/x-javascript
Content-Length: 88
Connection: keep-alive
X-Powered-By: TSW/Node.js
Server: TSW/1.2.4
Cache-Control: no-cache
Content-Security-Policy: script-src https://wesingapp.com http://wesingapp.com https://*.wesingapp.com http://*.wesingapp.com https://*.qq.com http://*.qq.com https://*.gtimg.cn http://*.gtimg.cn https://*.tenpay.com https://*.idqqimg.com http://*.idqqimg.com https://*.gtimg.com http://*.gtimg.com 'unsafe-inline' 'unsafe-eval'; report-uri https://stat.y.qq.com/monitor/report_csp
Cache-Offline: false
{"code":0,"subcode":0,"msg":"","data":{"extra.data_report":{"iCode":0,"strErrInfo":""}}}
Give this script execute permission and add it to your PATH.
#!/bin/bash
############################################
#
# Author: WILO
# Todo: syntax check
# list docker containers and select
#
############################################
set -ex
# $1 is the container name or id; the remaining arguments are the command to
# run inside that container's network namespace
container=$1
shift
# PID of the container's init process; its net namespace is reachable via /proc
pid=$(docker inspect -f '{{.State.Pid}}' "$container")
mkdir -p /var/run/netns
# expose the namespace to ip(8) under the container's name
ln -sf "/proc/$pid/ns/net" "/var/run/netns/$container"
# remove the link again even if the command fails
trap 'rm -f "/var/run/netns/$container"' EXIT
ip netns exec "$container" "$@"
# enable live-restore: jq only prints the merged JSON, so write it back to daemon.json
jq '. + {"live-restore": true}' /etc/docker/daemon.json > /etc/docker/daemon.json.new && mv /etc/docker/daemon.json.new /etc/docker/daemon.json
systemctl reload docker
docker info | grep -i live
# disable it again; SIGHUP makes dockerd re-read daemon.json just as systemctl reload does
jq '. + {"live-restore": false}' /etc/docker/daemon.json > /etc/docker/daemon.json.new && mv /etc/docker/daemon.json.new /etc/docker/daemon.json
kill -SIGHUP $(pidof dockerd)
docker info | grep Live
ASUS laptop
Got up early in the morning and it would not boot; I was stunned.
PS: I habitually leave the laptop on all the time, or shut it down via hibernate; last night it was left on, so at some point it must have powered itself off.
I may be going through a streak of bad luck lately.
If it isn't the laptop breaking, it's the tablet keyboard.
When will it be the phone or the router..??
Windows 10
Today when I tried "open with" on a PSD file this thing showed up (I have the impression it has appeared many times). My OCD can't stand it, and obviously the registry is to blame.
First I suspected the .psd key under \HKEY_CLASSES_ROOT was abnormal; compared it with other extension keys and, hm, nothing wrong.
Baidu!
Answer from a user on the PCBeta (远景) forum:
"%1" is a placeholder that passes the file name to the associated program. When only the placeholder "%1" shows up without the corresponding associated program, the cause is that the system cannot find that program. This usually happens because you previously installed a program that could be associated with the "JPG" extension, and that program registered a corresponding class in the registry. Later, for some reason, you deleted the associated program from that software, or uninstalled the software but it did not remove its class from the registry, leaving the zombie entry "%1".
To fix this, open HKEY_CLASSES_ROOT\ in the registry and look for keys like xx.jpg (where xx is the associated program's name; for example ACDSee creates ACDSee Ultimate 9.jpg). Find the key created by the program that no longer exists and delete it.
Brilliant.
Start searching.
Someone replied further down that in their case it was caused by QuickTime, so I kept an eye out. Huh? I also have a QuickTime key???? Me???
(the QuickTime.psd key)
OK, right-click and first export it to the desktop as a backup (right-click the QuickTime.psd key) [to avoid a disaster].
Then delete it. Goodbye!
Try again... it works... End
The difference between systemctl reload nginx and nginx -s reload
People often tell me not to use systemctl reload nginx
to reload nginx's configuration, and to use nginx -s reload instead.
When I ask why, they can't say.
(Much like people who tell me not to reboot a node with plain reboot
but with init 6
)
By coincidence, today while slacking off I found out the likely reason.
While updating the configuration of an nginx site today I split one site's conf file by port (the file originally held two server blocks, 80 and 443).
So I ran
cp default_80.conf default_443.conf
then vim'd both files and deleted the server block that should not be in each one,
and then, naturally,
systemctl reload nginx
The shell reported no error.
Continuing to tweak the configuration, I suddenly noticed this directive in the file:
log_format cms_upstream '$remote_addr - $host [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
My gut said something was off here, because given nginx's temperament a log_format may not be defined twice; otherwise it throws a fatal error.
So I went straight to nginx's error.log:
[root@zsxs sites-enabled]# cat /var/log/nginx/error.log
2020/07/11 01:18:51 [emerg] 7467#0: duplicate "log_format" name "cms_upstream" in /etc/nginx/sites-enabled/default_443.conf:3
Sure enough, an emergency error: in other words, my nginx configuration had not been reloaded successfully. Huh? systemctl lied to me??
As everyone knows, systemctl reload *** executes the command in the corresponding ***'s service file,
so let's cat the service file on the misbehaving nginx node. Note that this is CentOS 7.7 + nginx 1.16.1:
[root@zsxs nginx]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@zsxs nginx]# nginx -v
nginx version: nginx/1.16.1
[root@zsxs sites-enabled]# systemctl status nginx | grep Loaded
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
[root@zsxs sites-enabled]# cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
You can see that systemctl reload nginx
runs the command /bin/kill -s HUP $MAINPID,
i.e. it sends the SIGHUP signal to a certain PID.
ps: many articles describe SIGHUP as a "terminate the process" signal, but the closer description is
(quoted) the system's default handling of SIGHUP is to terminate the process that receives it, so if the program does not catch the signal, the process exits on receiving it.
According to other bloggers' write-ups, nginx defines that on SIGHUP it does not exit but performs ngx_reconfigure, i.e. a configuration reload.
And regardless of whether the nginx configuration reloaded successfully, the return value of kill -s HUP is 0 (command executed successfully).
Back to the story: by rights systemctl reload nginx should be able to report an error (I have always reloaded this way...), but what I had always used before was Ubuntu, so let's look at how Ubuntu 16.04 (nginx 1.16.1) writes it:
root@frpServer:~# cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
root@frpServer:~# nginx -v
nginx version: nginx/1.16.1
root@frpServer:~# cat /lib/systemd/system/nginx.service
# Stop dance for nginx
# =======================
#
# ExecStop sends SIGSTOP (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
Key line: ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
There's the answer: the default nginx service file on Ubuntu and the one on CentOS trigger different commands on reload.
On Ubuntu 16.04 the default nginx service file's reload action is nginx -g 'daemon on; master_process on;' -s reload,
i.e. with the daemon on; master_process on; directives specified, send the reload (SIGHUP) signal to the nginx master process.
Unlike sending the signal directly with kill, the nginx -s reload command returns a non-zero value when nginx fails to reload its configuration.
So on some nodes systemctl reload nginx can both reload the configuration and tell you whether the reload succeeded.
That's about it for this post; as for why the service files differ between CentOS and Ubuntu, another time.
Then decide, according to personal preference, whether to change the ExecReload value in the CentOS nginx service file.
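To make that difference observable from the logs, here is an added Python example (not part of the original note) that parses nginx error.log lines in the format shown above and reports whether a reload sent at a given time was rejected; the log lines are constructed for this example, and the notice messages accompanying the SIGHUP are assumed to follow nginx's wording.

```python
import re
from datetime import datetime

_TS_FMT = "%Y/%m/%d %H:%M:%S"
# nginx error.log line: "2020/07/11 01:18:51 [emerg] 7467#0: message"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$"
)

# Constructed sample log: the failed reload from the note, followed by a
# second reload at 01:25:02 after the duplicate log_format was removed.
SAMPLE_LOG = """\
2020/07/11 01:18:51 [notice] 7467#0: signal 1 (SIGHUP) received from 7901, reconfiguring
2020/07/11 01:18:51 [notice] 7467#0: reconfiguring
2020/07/11 01:18:51 [emerg] 7467#0: duplicate "log_format" name "cms_upstream" in /etc/nginx/sites-enabled/default_443.conf:3
2020/07/11 01:25:02 [notice] 7467#0: signal 1 (SIGHUP) received from 7950, reconfiguring
2020/07/11 01:25:02 [notice] 7467#0: reconfiguring
2020/07/11 01:25:02 [notice] 7467#0: start worker processes
"""


def parse_error_log(text):
    """Parse error.log lines into dicts; lines that do not match the format
    (e.g. continuation lines of a multi-line message) are ignored."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m.group("ts"), _TS_FMT),
                "level": m.group("level"),
                "pid": int(m.group("pid")),
                "msg": m.group("msg"),
            })
    return entries


def reload_emergencies(text, since):
    """[emerg] messages logged at or after `since` (same timestamp format as
    the log). After kill -s HUP these lines are the only evidence that the
    master rejected the new configuration, because kill itself exits 0."""
    since_ts = datetime.strptime(since, _TS_FMT)
    return [e["msg"] for e in parse_error_log(text)
            if e["level"] == "emerg" and e["ts"] >= since_ts]


def reload_succeeded(text, since):
    """True when a SIGHUP was logged at or after `since` and no [emerg]
    followed it; on [emerg] the master keeps running the old configuration."""
    since_ts = datetime.strptime(since, _TS_FMT)
    entries = [e for e in parse_error_log(text) if e["ts"] >= since_ts]
    hup_seen = any("SIGHUP" in e["msg"] for e in entries)
    return hup_seen and not any(e["level"] == "emerg" for e in entries)


if __name__ == "__main__":
    print(reload_emergencies(SAMPLE_LOG, "2020/07/11 01:18:00"))
    print(reload_succeeded(SAMPLE_LOG, "2020/07/11 01:18:00"))  # False
    print(reload_succeeded(SAMPLE_LOG, "2020/07/11 01:20:00"))  # True
```

Run this check right after a systemctl reload on a CentOS-style unit (the kill -s HUP one) and you get back the verdict that the exit code of kill never gives you.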
kdig is a DNS debugging tool similar to dig,
and the knot-dns website describes Knot DNS itself as a high-performance open-source DNS server.
Here the focus is on kdig's features.
Unlike dig, kdig ships with more extended functions, such as conveniently specifying the DNS service port with -p (although dig can also do that with -p)
and conveniently debugging DoT directly via an option.
It also supports EDNS, TCP Fast Open, the TCP protocol, DNSSEC and other DNS query behaviours.
-- DoH (DNS over HTTPS) is not supported, though.
add-apt-repository ppa:cz.nic-labs/knot-dns-latest && apt update
apt install knot-dnsutils
https://copr.fedorainfracloud.org/coprs/g/cznic/knot-dns-latest/
➤ kdig -d @223.5.5.5 +tls baidu.com
;; DEBUG: Querying for owner(baidu.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(**)网络技术有限公司,CN=*.alidns.com
;; DEBUG: SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8=
;; DEBUG: #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018
;; DEBUG: SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4316
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 86 B
;; QUESTION SECTION:
;; baidu.com. IN A
;; ANSWER SECTION:
baidu.com. 34 IN A 39.156.69.79
baidu.com. 34 IN A 220.181.38.148
;; Received 178 B
;; Time 2020-07-08 22:41:36 CST
;; From 223.5.5.5@853(TCP) in 18.8 ms
-4
Use the IPv4 protocol only.
-6
Use the IPv6 protocol only.
-b address
Set the source IP address of the query to address. The address must be a valid address for local interface or :: or 0.0.0.0. An optional port can be specified in the same format as the server value.
-c class
An explicit query_class specification. See possible values above.
-d
Enable debug messages.
-h, --help
Print the program help.
-k keyfile
Use the TSIG key stored in a file keyfile to authenticate the request. The file must contain the key in the same format as accepted by the -y option.
-p port
Set the nameserver port number or service name to send a query to. The default port is 53.
-q name
Set the query name. An explicit variant of name specification.
-t type
An explicit query_type specification. See possible values above.
-V, --version
Print the program version.
-x address
Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and type is set automatically.
-y [alg:]name:key
Use the TSIG key named name to authenticate the request. The alg part specifies the algorithm (the default is hmac-sha256) and key specifies the shared secret encoded in Base64.
-E tapfile
Export a dnstap trace of the query and response messages received to the file tapfile.
-G tapfile
Generate message output from a previously saved dnstap file tapfile.
+[no]multiline
Wrap long records to more lines and improve human readability.
+[no]short
Show record data only.
+[no]generic
Use the generic representation format when printing resource record types and data.
+[no]crypto
Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.
+[no]aaflag
Set the AA flag.
+[no]tcflag
Set the TC flag.
+[no]rdflag
Set the RD flag.
+[no]recurse
Same as +[no]rdflag
+[no]raflag
Set the RA flag.
+[no]zflag
Set the zero flag bit.
+[no]adflag
Set the AD flag.
+[no]cdflag
Set the CD flag.
+[no]dnssec
Set the DO flag.
+[no]all
Show all packet sections.
+[no]qr
Show the query packet.
+[no]header
Show the packet header.
+[no]opt
Show the EDNS pseudosection.
+[no]question
Show the question section.
+[no]answer
Show the answer section.
+[no]authority
Show the authority section.
+[no]additional
Show the additional section.
+[no]tsig
Show the TSIG pseudosection.
+[no]stats
Show trailing packet statistics.
+[no]class
Show the DNS class.
+[no]ttl
Show the TTL value.
+[no]tcp
Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+[no]fastopen
Use TCP Fast Open (default with TCP).
+[no]ignore
Don’t use TCP automatically if a truncated reply is received.
+[no]tls
Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).
+[no]tls-ca[=FILE]
Use TLS with a certificate validation. Certification authority certificates are loaded from the specified PEM file (default is system certificate storage if no argument is provided). Can be specified multiple times. If the +tls-hostname option is not provided, the name of the target server (if specified) is used for strict authentication.
+[no]tls-pin=BASE64
Use TLS with the Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+[no]tls-hostname=STR
Use TLS with a remote server hostname check.
+[no]nsid
Request the nameserver identifier (NSID).
+[no]bufsize=B
Set EDNS buffer size in bytes (default is 512 bytes).
+[no]padding[=B]
Use EDNS(0) padding option to pad queries, optionally to a specific size. The default is to pad queries with a sensible amount when using +tls, and not to pad at all when queries are sent without TLS. With no argument (i.e., just +padding) pad every query with a sensible amount regardless of the use of TLS. With +nopadding, never pad.
+[no]alignment[=B]
Align the query to B-byte-block message using the EDNS(0) padding option (default is no or 128 if no argument is specified).
+[no]subnet=SUBN
Set EDNS(0) client subnet SUBN=addr/prefix.
+[no]edns[=N]
Use EDNS version (default is 0).
+[no]time=T
Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout applies to each query attempt.
+[no]retry=N
Set the number (>=0) of UDP retries (default is 2). This doesn’t apply to AXFR/IXFR.
+noidn
Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on libidn availability during project building!
208.67.222.222 OpenDNS, Canada
208.67.220.220 OpenDNS, Canada
202.141.162.123 USTC, China Telecom (recommended as backup)
202.141.178.13 USTC, China Telecom (recommended as backup)
202.38.93.153 USTC, CERNET
101.6.6.6 Tsinghua University, CERNET
176.103.130.130 AdGuard DNS, ad and phishing blocking, Russia
176.103.130.131 AdGuard DNS, ad and phishing blocking, Russia
176.103.130.132 AdGuard DNS, adult-content blocking, Russia
176.103.130.134 AdGuard DNS, adult-content blocking, Russia
89.233.43.71 UncensoredDNS, Denmark
91.239.100.100 UncensoredDNS, Denmark
AliDNS supports DoH and DoT
The DNS service provided by www.233py.com [reposted, for reference only]; GeekDNS overview: https://www.nextrt.com/s/dns
Currently supports DoT, DoH, DNSCrypt and TCP
DoH https://i.233py.com/dns-query
DoT dns.233py.com
Official Manual Page: https://www.knot-dns.cz/docs/2.6/html/man_kdig.html
20190704
While a friend was setting up key-based Linux login,
the permissions on the .ssh directory under the owning user were wrong,
so the setup did not take effect.
Later I looked it up:
"For security, sshd has requirements on the permissions of the owner's directory and files; if the permissions are wrong the settings do not take effect."
It can be 755, it can be 700 @#%#¥……#……¥&*%&
What a pitfall; at the time I spotted the error in the log.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
then reboot the system
https://docs.microsoft.com/en-us/windows/wsl/install-manual
Invoke-WebRequest -Uri https://aka.ms/wsl-ubuntu-1604 -OutFile Ubuntu.appx -UseBasicParsing
Launch a request from the browser and capture packets on both the client and the server for analysis.
What you find is that
the client and server actually complete the handshake successfully,
yet the client browser reports "connection reset".
In the server-side capture, after receiving the client's Client Hello the server sends an ACK, and right after that the server receives a connection RST from a [fake] client.
In reality the client never sent a RST during this period; likewise the client received a RST (which is why the browser reports the reset error), but the server never sent one (the last ACK the server sent was dropped).
This experiment shows that some vendor's middlebox inspects the server name field in the Client Hello of the TLS handshake (ssl.handshake.extensions_server_name) [Server Name Indication, SNI] and then forges RST packets to reset the connection between server and client (T_T).
Okay, the point where it happens has been found; so how to solve it? (procrastinating...)
To be continued
Changing port 3389 to another port on Windows 10
via the registry
Most online guides say to change PortNumber in two places:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Tested: only one is needed.
Changing only
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
is enough.
Remember to adjust the advanced firewall settings [firewall.cpl],
then reboot.
PS: RDP 8.0 is great; it supports RDP over UDP.
I have never really dug into this, so let's test it.
Syntax: client_max_body_size size;
Default: client_max_body_size 1m;
Context: http, server, location
Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Please be aware that browsers cannot correctly display this error. Setting size to 0 disables checking of client request body size.
docker pull docker.io/webdevops/php-nginx:latest
mkdir app
touch app/index.php
docker run -it -d --name nginx_test -p 50000:80 -v /root/sanXian/php-nginx-test/app:/app:rw -v /root/sanXian/php-nginx-test/vhost.conf:/opt/docker/etc/nginx/vhost.conf webdevops/php-nginx
docker cp nginx_test:/opt/docker/etc/nginx/vhost.conf ./
nginx -s reload
It threw an error once along the way:
nginx: [emerg] "client_max_body_size" directive is duplicate in /opt/docker/etc/nginx/vhost.common.d/10-general.conf:1
Check
# cat /opt/docker/etc/nginx/vhost.common.d/10-general.conf
client_max_body_size 50m;
# cat /etc/nginx/nginx.conf | grep -Ev "^\s*?#|^$"
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /docker.stdout ;
error_log /docker.stderr ;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# cat /etc/nginx/conf.d/10-docker.conf
include /opt/docker/etc/nginx/global.conf;
include /opt/docker/etc/nginx/php.conf;
include /opt/docker/etc/nginx/conf.d/*.conf;
include /opt/docker/etc/nginx/vhost.conf;
# cat /opt/docker/etc/nginx/vhost.conf
server {
listen 80 default_server;
server_name _ *.vm docker;
root "/app";
index index.php;
client_max_body_size 1m;
include /opt/docker/etc/nginx/vhost.common.d/*.conf;
}
server {
listen 443 default_server;
server_name _ *.vm docker;
root "/app";
index index.php;
include /opt/docker/etc/nginx/vhost.common.d/*.conf;
include /opt/docker/etc/nginx/vhost.ssl.conf;
}
# rm -f /opt/docker/etc/nginx/vhost.common.d/10-general.conf
# nginx -s reload
What does this tell us? Only that client_max_body_size cannot be defined twice within the same server context. Can it be defined across contexts so that the inner one overrides? Tested: defining client_max_body_size in the http context and then again in the server context works fine.
dd if=/dev/zero of=./zero.img bs=1MiB count=$(expr 1024 \* 1000 - 200 )
dd if=/dev/zero of=./zero.img bs=1 count=$(expr 1024 \* 1024 - 200 )
dd if=/dev/zero of=./zero.img bs=1 count=$(expr 1024 \* 1024 - 200 + 1 )
(don't ask me how I came up with 200; I just guessed [too noob])
If the unit in size is m, it means MiB.
If you have problems like Permission denied (publickey,gssapi-with-mic), or the error 'Not a RSA1 key file', when using ssh remote login, try to fix them as below:
1. Get more information with ssh -vvv user@host; this is the most important step.
2. Check the permissions of your private and public keys: id_rsa should be 600, id_rsa.pub should be 644.
3. Check whether your id_rsa matches id_rsa.pub.
For the third one it looks very strange; I am not sure whether it's a bug in openssh or something else. The id_rsa.pub was the public key for my Windows host (I have an ssh server on Windows) and the id_rsa was the private key for the remote Linux host; I put both into the .ssh folder. But when I ssh into the Linux host I got "Permission denied (publickey,gssapi-with-mic)". If I remove id_rsa.pub from the .ssh folder, it works fine.
Two ideas
chrome://flags/
Omnibox UI Hide Steady-State URL Trivial Subdomains
chrome://flags/
Omnibox UI Hide Steady-State URL Scheme
chrome://net-internals/#hsts
chrome://net-internals/#dns
On some networks the switch does not answer ARP packets whose source address is 0.0.0.0 (i.e. ARP probes).
In that case, running a script on another node that sends a crafted ARP response is a workaround.
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
import sys
import signal
import time
from optparse import OptionParser  # parse the user's command-line arguments
from scapy.all import (
    getmacbyip,  # resolve an IP address to its MAC address
    ARP,         # build ARP packets
    Ether,       # build Ethernet frames
    sendp,       # send packets at layer 2
)


def main():
    # custom usage text; optparse replaces %prog with the program name
    usage = 'Usage: %prog [-i interface] [--gateway gateway_ip] target'
    # create an OptionParser object
    parser = OptionParser(usage)
    # define the command-line options with add_option
    parser.add_option('-i', dest='interface', help='Specify the interface to use')
    parser.add_option('--gateway', dest='gatewayip', help='gateway ip address')
    # parse the arguments
    (options, args) = parser.parse_args()
    if len(args) != 1 or options.interface is None or options.gatewayip is None:
        parser.print_help()
        print("debug args:", len(args))
        print("debug ", options.interface)
        print("debug ", options.gatewayip)
        sys.exit(1)

    # For dce
    # resolve the gateway's MAC address
    gw_mac = getmacbyip(options.gatewayip)
    if gw_mac is None:
        print("[-] Error: Could not resolve the gateway's MAC address")
        sys.exit(1)
    print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac))
    target_mac = getmacbyip(args[0])
    if target_mac is None:
        print("[-] Error: Could not resolve target's MAC address")
        sys.exit(1)
    print("arp probe response to {} {}".format("0.0.0.0", target_mac))

    # response packet: an ARP reply (op=2) from the gateway to the probing
    # host, whose protocol address is still 0.0.0.0 while it probes
    def build_rep():
        pkt = Ether(src=gw_mac, dst=target_mac) / ARP(hwsrc=gw_mac, psrc=options.gatewayip,
                                                      hwdst=target_mac, pdst="0.0.0.0", op=2)
        return pkt

    pkt = build_rep()

    def quit(signum, frame):
        print('\nYou chose to stop me.')
        sys.exit(0)

    signal.signal(signal.SIGINT, quit)
    while True:
        # send one reply every 0.5 s; sendp's inter= only spaces out a list of
        # packets, so the pause between loop iterations is an explicit sleep
        sendp(pkt, iface=options.interface, verbose=False)
        print("arp response sent to {} {}".format("0.0.0.0", target_mac))
        time.sleep(0.5)


if __name__ == '__main__':
    main()
// ==UserScript==
// @name Tencent Classroom - reveal the entry to expired courses
// @namespace http://tampermonkey.net/
// @version 1.0
// @description Tencent Classroom - play button for expired courses
// @author WILO
// @supportURL https://github.com/easyjack/randomMark/issues/20
// @match https://ke.qq.com/course/*
// @icon https://ke.qq.com/favicon.ico
// @grant none
// @run-at document-end
// ==/UserScript==
//var term_id = document.getElementsByClassName("class-content js-term-item js-term-baseinfo class-content--no-des active")[0].getAttribute("data-termid");
// metaData is a global defined by the course page itself; its first term carries the course and term ids
var cource_id = metaData.terms[0].cid;
var term_id = metaData.terms[0].term_id;
if(document.getElementById("js-imgtext")){
// the button bar next to the purchase controls
var button_bar= document.getElementById("js-imgtext").getElementsByClassName("text-right text-right--pay")[0].getElementsByClassName("oper-bar")[0];
console.log(button_bar);
// add a button that opens the player page for this course/term in a new window
var button_player=document.createElement("span");
button_player.setAttribute("class","btn-join btn-default");
//button_player.setAttribute("onclick","window.location.href='/webcourse/index.html#cid=" + cource_id + "&term_id=" + term_id + "'");
button_player.setAttribute("onclick","window.open('https://ke.qq.com/webcourse/index.html#cid=" + cource_id + "&term_id=" + term_id + "')");
button_player.textContent="进入播放页";
button_bar.appendChild(button_player);
}
A quickly hacked-together script for finding the existing ssh-agent session on the machine, so that one ssh-agent can be reused across terminal tabs.
Target: macOS + fish shell
#!/usr/bin/env fish
#######################################################
# Author: SanXian
# Find an existing ssh-agent socket, or start
# a new ssh-agent, for macOS with fish shell
#######################################################
#set base_dir "/var/folders/4w/hx1kgdwd2ll9chvbzv6y70r80000gn/T"
set base_dir $TMPDIR
# ssh-agent creates $TMPDIR/ssh-XXXX/agent.<ppid>; the agent's own pid is <ppid>+1
for i in (sh -c "ls -1 --color=never $base_dir/ssh-*/agent* 2>/dev/null")
    set agent_file (echo -n $i | grep --color=never -Eo "agent.*")
    echo "found: $agent_file"
    set PID (echo -n $agent_file | awk -F . '{print $2 + 1}')
    echo PID: $PID
    export SSH_AGENT_PID=$PID
    export SSH_AUTH_SOCK=$i
    env | grep -i ssh_
    exit
end
# no ssh-agent socket found
echo "ssh agent sock file not found, creating"
eval (ssh-agent -c -t 4h)
ps: what are ssh-agent and ssh-add?