September 2013

How to show hidden Chrome extension icons

  • Published in Windows 7
  • September 28, 2013

Recently, whether because of a Chrome upgrade or a stray click, some of the extension icons on the right side of the Chrome toolbar on several of my machines became hidden, and I had to click the "»" button to expand them, which is inconvenient. So how do you make hidden Chrome extension icons visible again?

Today I found by chance that the fix is simple: place the mouse at the far right of the address bar, just to the right of the bookmark star. The cursor changes to a drag handle; drag it to the left to widen the toolbar and the hidden extension icons reappear.

This simple, practical feature lets us rearrange extension icons so that the ones we use often (such as SwitchySharp or a dictionary) are shown and the ones we don't need (such as AdBlock) are hidden.


nginx reverse proxy

  • Published in Nginx
  • September 27, 2013

Nginx proxy and load balancing: configuration and tuning

1. Nginx proxy

Starting with version 0.7.48, Nginx supports a Squid-like cache. The Nginx web cache is built from two sets of directives: the proxy_cache directives and the fastcgi_cache directives. The former cache content from back-end origin servers when reverse proxying; the latter cache the output of FastCGI dynamic programs. Functionally the two are essentially the same.

As of Nginx 0.8.32, proxy_cache and fastcgi_cache are fairly mature, and together with the third-party ngx_cache_purge module (which purges the cache for a given URL) they can replace Squid entirely.

In terms of features, Nginx now has the web cache acceleration and per-URL cache purging that Squid offers. In terms of performance, Nginx makes far better use of multi-core CPUs than Squid. Nginx is also much stronger than Squid at reverse proxying, load balancing, health checks, back-end failover, URL rewriting and ease of use. This lets a single Nginx instance serve as both load balancer and web cache server.

The configuration below shows how nginx acts as a proxy server that forwards requests to other servers without caching anything itself. The version used is nginx-0.8.15, configured as follows:

http
{
    ……..
    client_max_body_size 300m;         # maximum size of a single file in a client request
    client_body_buffer_size 128k;      # buffer for the client request body: the body is saved locally first, then passed on
    proxy_connect_timeout 600;         # timeout for connecting to the back-end server (handshake and waiting for a response)
    # proxy_read_timeout: time to wait for the back-end response once connected; the request is already queued at the back end
    # proxy_buffers: how many buffers nginx may use per request and how large each may be
    # proxy_temp_file_write_size: size of the temporary files the proxy writes

    upstream clubsrv {
        server 192.168.0.110:80 weight=5;
        server 192.168.0.121:80 weight=5;
    }

    upstream mysrv {
        server 192.168.0.32:80 weight=2;
        server 127.0.0.1:8000 weight=8;
    }

    server {
        listen       80;
        server_name  club.xywy.com;
        charset gbk;
        root  /www;
        access_log logs/aaa.log combined;

        # First domain, proxied to the clubsrv upstream
        location / {
            # If the back end returns 502/504, errors out or times out, retry the request on another upstream server
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            proxy_pass  http://clubsrv;    # must match the upstream name defined above
            proxy_redirect     off;
            proxy_set_header   Host            club.xywy.com;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            # With nginx proxying in front, back-end logs show 127.0.0.1; the headers above pass the client's real IP
            # (the back end still needs a third-party module to log it; see the detailed notes below)
            index  index.htm index.html index.php;
        }
    }

    # Second domain, proxied to the mysrv upstream; handles www.sum.com/message
    server {
        listen       80;
        server_name  www.sum.com;

        location /message {
            proxy_pass  http://mysrv;
            proxy_set_header   Host            $host;
            # For this domain only the mysrv host itself can be reached
        }

        # Every www.sum.com/ address other than /message
        location / {
            proxy_pass  http://mysrv;
            proxy_set_header   Host            $host;
            proxy_set_header   X-Real-IP       $remote_addr;
        }

The configuration below has the same effect as the error handling above and can be left out.

        error_page   500 502 503 504  /50x.html;
        location = /50x.html
        {
            root   html;
        }
    }
}

 

2. Nginx load balancing directives

Nginx is a software layer-7 load balancer (LVS is the representative software layer-4 load balancer); other layer-7 load balancing software includes L7SW (Layer7 switching) and HAProxy. Load balancing is provided by the HTTP Upstream module. The module and several of its directives are described below.

HTTP Upstream module

1. The ip_hash directive

When load balancing across several back-end dynamic application servers, the ip_hash directive hashes the client IP so that requests from a given client always land on the same back-end server. Thus, once a user from some IP has logged in on Server A, later requests to other URLs on the site stay on Server A. Without ip_hash, a user who logged in on Server A might be sent to Server B, C, ... for the next URL; since the session is recorded on A and not on B or C, the user would be told they are not logged in.

Note: this kind of routing cannot guarantee balanced load across the back ends. Some servers may receive many more requests than others, and the configured weights have no effect.

If the back-end application servers can share sessions, that is preferable to configuring ip_hash in nginx.

 

upstream mysrv {
    ip_hash;
    server 192.168.0.110:80 weight=2;
    server 127.0.0.1:8000 down;
    server 192.168.0.212:80 weight=8;
}

2. The server directive

This directive specifies the name and parameters of a back-end server. The name can be a domain name, an IP address with an optional port, or a UNIX socket.

Parameters:

weight=number  Sets the server weight; the higher the weight, the more client requests the server receives. Default 1.

max_fails=number  Number of failed requests to the back-end server within the time given by fail_timeout. If the back end cannot be reached or returns an error (other than 404), the attempt counts as a failure. Defaults to 1 if unset; 0 disables the check.

fail_timeout=time  How long the server is paused after max_fails failures.

Configuration:

upstream mysrv {
    ip_hash;
    server  www.xywy.com  weight=2;
    server  127.0.0.1:8000   down;
    server  192.168.0.212:80  max_fails=3  fail_timeout=30s;
    server  unix:/tmp/bakend3;
}


Adding comments to iptables rules

  • Published in CentOS 6
  • September 20, 2013

With too many iptables rules to keep track of, use the comment match module to annotate each rule:
-A RH-Firewall-1-INPUT -i ppp+ -m comment --comment "Allow VPN clients connect any ports" -j ACCEPT


Log iptables Messages to a Separate File with rsyslog

  • Published in CentOS 6
  • September 20, 2013

Firewall logging is very important, both to detect break-in attempts and to ensure that firewall rules are working properly. Unfortunately, it’s often difficult to predict in advance which rules and what information should be logged. Consequently, it’s common practice to err on the side of verbosity. Given the amount of traffic that any machine connected to the Internet is exposed to, it’s critical that firewall logs be separated from normal logs in order to ease monitoring. What follows are two methods to accomplish this using iptables on Linux. The first method uses traditional syslog facility/priority filtering. The second, more robust method filters based on message content with rsyslog.

The Old Way: Use a Fixed Priority for iptables

The traditional UNIX syslog service only has two ways to categorize, and consequently route, messages: facility and priority. Facilities include kernel, mail, daemon, etc. Priorities include emergency, alert, warning, debug, etc. The Linux iptables firewall runs in the kernel and therefore always has the facility set to kern. Using traditional syslog software, the only way you can separate iptables messages from other kernel messages is to set the priority on all iptables messages to something specific that hopefully isn’t used for other kernel logging.

For example, you could add something like the following to /etc/syslog.conf:

kern.=debug -/var/log/iptables.log

and specifically remove the kernel debugging messages from all other logs like so:

kern.*;kern.!=debug -/var/log/kern.log

and in each iptables logging rule use the command line option --log-level debug.

There are two distinct disadvantages to this approach. First, there’s no guarantee that other kernel components won’t use the priority you’ve set iptables to log at. There’s a real possibility that useful messages will be lost in the deluge of firewall logging. Second, this approach prevents you from actually setting meaningful priorities in your firewall logs. You might not care about random machines hammering Windows networking ports, but you definitely want to know about malformed packets reaching your server.

The New Way: Filter Based on Message Content with rsyslog

rsyslog is mostly a drop-in replacement for a traditional syslog daemon (on Linux, klogd and sysklogd). In fact, on Debian and Ubuntu, you can simply:

$ sudo apt-get install rsyslog

and if you haven’t customized /etc/syslog.conf, logging should continue to work in precisely the same way. rsyslog has been the default syslog on Red Hat/Fedora based systems for a number of versions now, but if it’s not installed:

$ sudo yum install rsyslog

Configure iptables to Use a Unique Prefix

We’ll setup rsyslog to filter based on the beginning of a message from iptables. So, for each logging rule in your firewall script, add --log-prefix "iptables: ". Most firewall builder applications can be easily configured to add a prefix to every logging rule. For example, if you’re using firehol as I am, you could add:

FIREHOL_LOG_PREFIX="firehol: "

to /etc/firehol/firehol.conf.

Configure rsyslog to Filter Based on Prefix

Create /etc/rsyslog.d/iptables.conf with the following contents:

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~

The first line means send all messages that start with “iptables: ” to /var/log/iptables.log. The second line means discard the messages that were matched in the previous line. The second line is of course optional, but it saves the trouble of explicitly filtering out firewall logs from subsequent syslog rules.

When I configured this on my own machines, I did notice one issue that may be a peculiarity of firehol, but it’s probably worth mentioning anyway. It seems that firehol adds an extra single quote at the beginning of log messages that needs to be matched in the rsyslog rule. For example, here’s a log message from firehol:

Apr 17 12:41:07 tick kernel: 'firehol: 'IN-internet':'IN=eth0 OUT= MAC=fe:fd:cf:c0:47:b5:00:0e:39:6f:48:00:08:00 SRC=189.137.225.191 DST=207.192.75.74 LEN=64 TOS=0x00 PREC=0x00 TTL=32 ID=5671 DF PROTO=TCP SPT=3549 DPT=5555 WINDOW=65535 RES=0x00 SYN URGP=0

Notice the extra quote after "kernel: " and before "firehol: ". So, on my machine I configured the rsyslog filter like so:

:msg, startswith, "'firehol: " -/var/log/iptables.log
& ~
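Whether a `startswith` rule really matches what the kernel emits is easy to get wrong, as the firehol quote shows. The script below is an added example, not part of the original post: it pulls the quoted prefix out of an rsyslog rule, extracts the message part of a syslog line, and reports whether the rule would match. The rules and the log line are constructed (the line uses documentation IP addresses); the rsyslog property filter syntax itself is the one used above. It runs under plain sh.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an rsyslog
# ":msg, startswith" rule would actually match a kernel log line. This is the
# check that catches the extra quote firehol adds in front of the prefix.

# Constructed rules: the generic one from the post and the firehol one.
RULE_IPTABLES=':msg, startswith, "iptables: " -/var/log/iptables.log'
RULE_FIREHOL=":msg, startswith, \"'firehol: \" -/var/log/iptables.log"

# Constructed log line in the firehol layout (documentation IP addresses).
SAMPLE_FIREHOL="Apr 17 12:41:07 tick kernel: 'firehol: 'IN-internet':'IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3549 DPT=5555 SYN"

# Pull the quoted prefix out of a ':msg, startswith, "..."' rule.
rule_prefix() {
    printf '%s\n' "$1" | sed -n 's/^:msg, *startswith, *"\([^"]*\)".*/\1/p'
}

# The MSG part of a syslog line: everything after "kernel: ".
log_msg() {
    printf '%s\n' "$1" | sed -n 's/^.* kernel: //p'
}

# Exit 0 when the rule's prefix is a prefix of the message, 1 otherwise.
rule_matches() {
    prefix=$(rule_prefix "$1")
    msg=$(log_msg "$2")
    [ -n "$prefix" ] && [ "${msg#"$prefix"}" != "$msg" ]
}

for rule in "$RULE_IPTABLES" "$RULE_FIREHOL"; do
    if rule_matches "$rule" "$SAMPLE_FIREHOL"; then
        echo "matches:   $rule"
    else
        echo "no match:  $rule"
    fi
done
```

Run it against a real line copied from /var/log/kern.log before relying on the filter; a rule that silently matches nothing leaves the firewall messages in the general log. Newer rsyslog releases also accept `& stop` in place of `& ~` for the discard line.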

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog reload > /dev/null
	endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.


Force iptables to log messages to a different log file

  • Published in CentOS 6
  • September 20, 2013


October 3, 2006 · last updated February 23, 2008

According to the man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, iptables log messages go to /var/log/messages. However, you can change this location. I will show you how to create a new log file called /var/log/iptables.log. Logging to a separate file makes it easier to produce statistics and to analyze attacks.

Iptables default log file

For example, the following command shows the current iptables entries in /var/log/messages:
# tail -f /var/log/messages
Output:

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line:
kern.warning /var/log/iptables.log
Save and close the file.

Restart syslogd (Debian / Ubuntu Linux):
# /etc/init.d/sysklogd restart
On Red Hat / CentOS / Fedora Core Linux, restart syslogd with:
# /etc/init.d/syslog restart

Now make sure you pass --log-level 4 together with --log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address 64.55.11.2 to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

Where,

  • --log-level 4: Level of logging. The level # 4 is for warning.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log
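Once the firewall messages are in their own file, the statistics the post mentions are a short awk away. The script below is an added example, not from the original post: it reads lines in the kernel LOG format shown above (`IN=... SRC=... PROTO=... DPT=...`), ignores anything that is not a firewall message, and counts hits per source address, protocol and destination port. The sample lines are constructed with documentation IP addresses so it runs anywhere; point it at /var/log/iptables.log to use it for real.

```shell
#!/bin/sh
# Added example, not from the original post: summarise iptables LOG lines
# by source address, protocol and destination port. Input is constructed in
# the kernel "IN=... SRC=... DPT=..." layout, with documentation IP
# addresses, so it runs without a firewall or root.
SAMPLE_LOG='Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 SYN URGP=0
Oct  4 01:14:20 debian kernel: ** HACKERS **IN=ra0 OUT= SRC=198.51.100.7 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=46041 DPT=22 SYN URGP=0
Oct  4 01:14:21 debian kernel: IN=ra0 OUT= SRC=203.0.113.5 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct  4 01:14:22 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source'

# Read log lines on stdin; print "count SRC PROTO DPT", most frequent first.
# Lines without SRC= and DPT= (daemon messages, other kernel output) are
# skipped. A prefix such as "** HACKERS **" carries no "=" and is ignored too.
summarize_iptables_log() {
    awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (src != "" && dpt != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The single busiest (source, protocol, port) tuple.
top_talker() {
    summarize_iptables_log | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | summarize_iptables_log
```

Feeding the file through `tail -f` instead of `printf` gives a live view, but for counting it is better to run the summary on a rotated day's file so the totals are complete.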

Updated for accuracy.


Shell: tidy log file output with column

  • Published in CentOS 6
  • September 20, 2013

Recently I was tweaking a script under cygwin whose log output was messy and hard to read. I wanted to line the output up, but since the column widths all vary it was hard work and I could never get it right.

Then I found a command that works very well:

column -t filename

The log output looked like this before:

A tangled mess, very tiring to read.

After column it looks like this:

Neat and clear at a glance; used in a script, the output is also very clean.


[Shell scripting] Processing a text file line by line

  • Published in CentOS 6
  • September 20, 2013

We often need to process a text file line by line: in the shell, get one line, process it, then read the next line and loop. There are several ways to do this:

1. With the read command

The read command takes input from standard input or another file descriptor and stores it in a shell variable.

When reading a file with read, each call to read consumes one line of text.

When no lines remain, read exits with a non-zero status.

# Pipe the file into the loop; each read call consumes one line
cat data.dat | while read line
do
    echo "File:${line}"
done

# Same loop, but with the file redirected into it (no pipe needed)
while read line
do
    echo "File:${line}"
done < data.dat

2. With awk

awk is an excellent text-processing tool with extremely powerful features.

awk reads each line of a file, can process each line, and can also handle each column of a line separately.

cat data.dat | awk '{print $0}'
cat data.dat | awk '{for (i = 2; i <= NF; i++) printf "%s ", $i; printf "\n"}'

The first command prints every line of data.dat; the second prints each line from the second column onward.

For simply reading and printing a data or text file line by line, awk is the more convenient choice.

3. With for var in file

for var in file loops var over the values in file; the separator is determined by $IFS.

for line in $(cat data.dat)
do
    echo "File:${line}"
done

for line in `cat data.dat`
do
    echo "File:${line}"
done

If no line of the input contains spaces, line takes each newline-separated value in turn.

If the input contains spaces or tabs, it is not read line by line: line takes each value split on spaces, tabs or newlines.

Setting IFS to a newline gives true line-by-line reading.

IFS defaults to whitespace (space, tab and newline).
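The $IFS behaviour described above is easiest to believe when counted. The script below is an added example, not part of the original post: it writes a small constructed file whose lines contain spaces, then counts how many iterations each technique produces, including the IFS-set-to-newline fix. It uses only POSIX sh features; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: count how many items each
# reading technique sees on a file whose lines contain spaces. It shows the
# $IFS splitting described above and the fix of setting IFS to a newline.

# Constructed input: three lines, two of which contain spaces.
make_sample() {
    printf 'alpha beta\ngamma\ndelta  epsilon\n' > "$1"
}

# read takes one line per call. IFS= keeps leading/trailing blanks and -r
# keeps backslashes literal; both are safe defaults for arbitrary text.
count_with_while_read() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# for ... in $(cat file) splits on the default IFS (space, tab, newline),
# so words inside a line become separate iterations.
count_with_for_default_ifs() {
    n=0
    for word in $(cat "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# Same loop with IFS set to a newline only: one iteration per line again.
count_with_for_newline_ifs() {
    n=0
    old_ifs=$IFS
    IFS='
'
    for line in $(cat "$1"); do
        n=$((n + 1))
    done
    IFS=$old_ifs
    echo "$n"
}

tmp=$(mktemp)
make_sample "$tmp"
echo "while read:        $(count_with_while_read "$tmp")"      # 3
echo "for, default IFS:  $(count_with_for_default_ifs "$tmp")"  # 5
echo "for, IFS=newline:  $(count_with_for_newline_ifs "$tmp")"  # 3
rm -f "$tmp"
```

Even with IFS set to a newline, the `for` form still glob-expands each line (a line containing `*` would be replaced by file names), which is why `while IFS= read -r` is the form to reach for when the input is untrusted.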


How do I assign a command's output to a variable (solved)

  • Published in CentOS 6
  • September 20, 2013

I want to assign the output of
awk '/eth0/{print $1 }' /proc/net/dev |sed 's/eth0://'
to the variable input.

Got it:
input=$(awk '/eth0/{print $1 }' /proc/net/dev |sed 's/eth0://')


awk '/eth0/{print $1 }' /proc/net/dev |sed 's/eth0://'
Can't that be written as a single command?
awk -F "[: ]+" '/eth0/{print $3}' /proc/net/dev


Quote: Suppose a command such as ls produces three outputs, 1, 2, 3. How do I assign 1, 2, 3 to VAR1, VAR2, VAR3 respectively?

#bash
/home/lee#ls [0-9]
1  2  3
/home/lee#while read file;do ((++n));eval var$n=$file;done< <(ls [0-9])
/home/lee#echo $var1
1
/home/lee#echo $var2
2
/home/lee#echo $var3
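Both answers in the thread boil down to "capture words of output into variables". The script below is an added example, not posted by anyone in the thread: it reads interface counters with the single-awk form suggested above and shows how to put several output words into several variables with `set --`, which needs neither `eval` (which would execute file names or counter text as shell code) nor a subshell. The /proc/net/dev content is a constructed snippet so the script runs on any machine; replace PROC_NET_DEV with the real file to use it.

```shell
#!/bin/sh
# Added example, not from the thread: capture command output in variables
# without eval. The /proc/net/dev content is a constructed snippet so the
# script runs anywhere; use the real file in place of PROC_NET_DEV.
PROC_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      67    0    0    0     0          0         0    12345      67    0    0    0     0       0          0
  eth0: 9876543    8765    0    0    0     0          0         0  1234567    4321    0    0    0     0       0          0'

# Receive bytes for one interface. Splitting on ":" and runs of spaces makes
# the interface name field 2 and the first counter field 3, however the
# numbers are padded, so no sed is needed to strip "eth0:".
rx_bytes() {
    printf '%s\n' "$PROC_NET_DEV" | awk -F '[: ]+' -v dev="$1" '$2 == dev { print $3 }'
}

# Receive and transmit bytes on one line: fields 3 and 11 after the split.
rx_tx_bytes() {
    printf '%s\n' "$PROC_NET_DEV" | awk -F '[: ]+' -v dev="$1" '$2 == dev { print $3, $11 }'
}

# Several values into several variables: "set --" assigns the words of the
# command's output to $1, $2, ... with no eval and no subshell.
iface_counters() {
    set -- $(rx_tx_bytes "$1")
    echo "rx=$1 tx=$2"
}

input=$(rx_bytes eth0)       # the single-value case from the thread
echo "eth0 rx bytes: $input"
iface_counters eth0          # rx=9876543 tx=1234567
```

In bash specifically, `read -r rx tx <<< "$(rx_tx_bytes eth0)"` does the same assignment with named variables; `set --` is the portable form.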


Remember to escape regex alternation in grep

  • Published in CentOS 6
  • September 20, 2013

The grep option I use most is -v, but it is not always pleasant to use.

For example, I want to search for the word "UserService" but not show files like "*.svn". What do I do?

grep -r "UserService" ./ | grep -v "svn"

But what if I also don't want to show files containing "test" or "auto_load"? My earlier approach was:

grep -r "UserService" ./ | grep -v "svn" | grep -v "test" | grep -v "auto_load"

That command is long and clumsy, so I thought: grep treats its pattern as a regular expression, so can I use the regex "or" operator |?

grep -r "UserService" ./ | grep -v "svn|test|auto_load"

Clearly the result showed that this command does not do what I want, and I puzzled over it for a while. It turns out that when using a regular expression you must escape the "|". The final command:

grep -r "UserService" ./ | grep -v "svn\|prj\|test\|auto_load"
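The escaping is needed because grep's default dialect is basic regular expressions, where `|` is a literal character and only `\|` (a GNU extension) means alternation. The script below is an added example, not from the original post: it applies the same exclusion three ways, with `\|` in a basic regex, with `-E` extended syntax, and with `-F` fixed strings, to a constructed list of paths so the results can be compared without a source tree. The function names and the file list are my own.

```shell
#!/bin/sh
# Added example, not from the post: the same exclusion written three ways.
# FILES is a constructed list of paths so the filters can be run anywhere.
FILES='src/UserService.php
src/.svn/UserService.php.svn-base
tests/test_UserService.php
lib/auto_load.php
app/UserService.java'

# GNU grep basic regex: | is literal, \| is alternation (the post's fix).
exclude_bre() { grep -v 'svn\|test\|auto_load'; }

# Extended regex (-E): | is alternation without escaping.
exclude_ere() { grep -E -v 'svn|test|auto_load'; }

# Fixed strings (-F), one -e per pattern: no regex at all, so nothing to escape.
exclude_fixed() { grep -F -v -e svn -e test -e auto_load; }

printf '%s\n' "$FILES" | exclude_ere
```

All three keep only src/UserService.php and app/UserService.java. For the .svn case specifically, GNU grep's `--exclude-dir=.svn` on the recursive grep avoids the second grep entirely.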