Yadda Spotify zai iya taimaka muku nazarin daemons, RFCs, cibiyoyin sadarwa da haɓaka tushen buɗe ido. Ko me zai faru idan ba za ku iya biya ba, amma da gaske kuna son wasu kyawawan abubuwan ƙima.
Начало
A rana ta uku, an lura cewa Spotify yana baje kolin tallace-tallace dangane da ƙasar adireshin IP. An kuma lura cewa a wasu kasashen ba a shigo da talla kwata-kwata. Alal misali, a Jamhuriyar Belarus. Sannan an ƙirƙiro wani shiri na “kyakkyawan” don kashe talla a cikin asusun da ba na ƙima ba.
Kadan game da Spotify
Gabaɗaya magana, Spotify yana da bakon manufa. Dole ɗan'uwanmu ya yi kyau sosai don siyan kuɗi: canza wurin da ke cikin bayanan martaba zuwa ƙetare, nemi katin kyauta mai dacewa wanda kawai za a iya biya shi tare da PayPal, wanda ke aiki da ban mamaki kwanan nan kuma yana son tarin takardu. Gabaɗaya, shi ma abin kasada ne, amma na wani tsari daban. Ko da yake mafi yawan mutane suna yin haka ne saboda sigar wayar hannu, ba na sha’awar sa. Sabili da haka, duk abin da ke ƙasa zai taimaka kawai a yanayin sigar tebur. Bugu da ƙari, ba za a sami fadada ayyuka ba. Kawai yanke wasu ƙarin.
Me yasa yake da rikitarwa haka?
Kuma na yi tunanin haka lokacin yin rijistar bayanan safa-wakili a cikin saitin Spotify. Matsalar ta zama cewa tabbatarwa a cikin safa ta amfani da shiga da kalmar wucewa ba ta aiki. Bugu da ƙari, masu haɓakawa akai-akai suna yin wani abu a kusa da wakili: wani lokaci suna ƙyale shi, wani lokaci suna haramta shi, wani lokaci suna karya shi, wanda ke haifar da dukkanin bangarori na tattaunawa a kan shafin yanar gizon.
An yanke shawarar kada a dogara ga ayyuka marasa ƙarfi kuma don samun wani abu mafi aminci da ban sha'awa.
Wani wuri a nan dole ne mai karatu ya tambayi: me zai hana a ɗauka ssh da makulli -D kuma karshensa kenan? Kuma, a gaba ɗaya, zai kasance daidai. Amma, da farko, wannan har yanzu yana buƙatar aljani kuma a yi abokantaka tare da autossh, don kada kuyi tunani game da haɗin da aka tsage. Kuma na biyu: yana da sauƙi kuma mai ban sha'awa.
Domin
Kamar yadda muka saba, bari mu tafi daga hagu zuwa dama, sama zuwa kasa kuma mu bayyana duk abin da muke bukata don aiwatar da ra'ayinmu na "sauƙaƙe".
Da farko kuna buƙatar wakili
Kuma akwai hanyoyi da yawa a lokaci guda:
- za ku iya kawai je ku ɗauka daga buɗaɗɗen jerin wakili. Mai arha (ko kuma ba don komai ba), amma ba abin dogaro ba ne kuma tsawon rayuwar irin waɗannan wakilai yana karkata zuwa sifili. Saboda haka, zai zama dole a nemo / rubuta wani parser ga proxy lists, tace su da ake so irin da kuma kasar, da kuma tambaya na musanya samu wakili a Spotify zauna a bude (da kyau, watakila ta hanyar).
HTTP_PROXYcanja wuri da ƙirƙirar kundi na al'ada don binary don kada a aika duk sauran zirga-zirga a can). - Kuna iya siyan wakili irin wannan kuma ku ceci kanku daga yawancin matsalolin da aka bayyana a sama. Amma a farashin wakili, za ka iya nan da nan saya premium a Spotify, kuma wannan ba m ga asali aiki.
- Tada naku. Kamar yadda wataƙila kuka zaci, wannan shine zaɓinmu.
Kawai kwatsam yana iya zama cewa kuna da aboki tare da sabar a cikin Jamhuriyar Belarus ko wata ƙaramar ƙasa. Kuna buƙatar amfani da wannan kuma ku fitar da wakili da ake so akansa. Masu sana'a na musamman na iya gamsuwa da aboki tare da na'ura mai ba da hanya tsakanin hanyoyin sadarwa ko makamantansu software. Amma akwai kuma wannan duniyar a fili ba ta dace da tsarin wannan labarin ba.
Don haka, zaɓuɓɓukanmu: Squid - ba mai ban sha'awa ba, kuma ba na son wakili na HTTP, akwai riga da yawa na wannan yarjejeniya a kusa. Kuma a fannin SABODA babu wani abu mai hankali sai dai ba a kai ba tukuna. Saboda haka, bari mu dauka.
Kar a jira littafin Dante akan shigarwa da daidaitawa. Shi kuma ba shi da sha'awa ta musamman. A cikin ƙaramin tsari kuna buƙatar jefa duk nau'ikan client pass, socks pass, daidai rajistar musaya kuma kar a manta da ƙarawa socksmethod: username. A cikin wannan fom, don tantancewa, za a karɓi tambarin tambarin daga masu amfani da tsarin. Kuma ɓangaren game da tsaro: hana samun damar yin amfani da localhost, iyakance masu amfani, da dai sauransu - wannan mutum ne kawai, ya danganta da rashin jin daɗi na sirri.
Sanya wakili na fuskantar hanyar sadarwa
Wasan yana cikin ayyuka biyu.
Aiki daya
Mun tsara wakili, yanzu muna buƙatar samun dama gare shi daga gidan yanar gizo na duniya. Idan kana da na'ura mai farin IP a cikin ƙasar da ake so, to, za ka iya tsallake wannan batu lafiya. Ba mu da ɗaya (mu, kamar yadda aka ambata a sama, ana shirya su a gidajen abokai) kuma farar IP mafi kusa yana wani wuri a Jamus, don haka za mu yi nazarin cibiyoyin sadarwa.
Don haka a, mai karatu mai lura zai sake tambaya: me yasa ba ku ɗauki sabis ɗin da ke akwai kamar ko makamancin haka? Kuma zai sake yin gaskiya. Amma wannan sabis ne, yana buƙatar sake yin aljani, yana iya kashe kuɗi kuma gabaɗaya ba wasa bane. Saboda haka, za mu ƙirƙira kekuna daga kayan da aka zubar.
Aiki: akwai wakili a wani wuri mai nisa a bayan NAT, kuna buƙatar rataye shi a ɗaya daga cikin tashoshin jiragen ruwa na VPS wanda ke da farin IP kuma yana a ƙarshen duniya.
Yana da ma'ana a ɗauka cewa ana iya magance wannan ta hanyar isar da tashar jiragen ruwa (wanda aka aiwatar ta hanyar abubuwan da aka ambata a sama. ssh), ko ta hanyar haɗa kayan aiki zuwa cibiyar sadarwar kama-da-wane ta hanyar VPN. TARE DA ssh mun san yadda ake aiki, autossh Yana da ban sha'awa don ɗauka, don haka bari mu ɗauki OpenVPN.
DigitalOcean yana da akan wannan al'amari. Ba ni da abin da zan kara a ciki. Kuma sakamakon saitin zai iya zama sauƙin haɗi tare da abokin ciniki na OpenVPN kuma systemd. Kawai saka shi (config) a ciki /etc/openvpn/client/ kuma kar a manta da canza tsawo zuwa .conf. Bayan haka, ja sabis ɗin [email protected]kar ka manta kayi mata enable kuma ku yi murna da cewa komai ya tashi.
Tabbas, muna buƙatar musaki duk wani jujjuyawar zirga-zirga zuwa sabuwar VPN da aka kirkira, saboda ba ma so mu rage gudu akan injin abokin ciniki ta hanyar wucewa ta hanyar rabin ball.
Kuma a, muna buƙatar yin rajistar adireshin IP na tsaye akan sabar VPN don abokin cinikinmu. Za a buƙaci wannan kadan daga baya a cikin labarin. Don yin wannan kuna buƙatar kunnawa ifconfig-pool-persist, gyara ipp.txt, wanda aka haɗa tare da OpenVPN kuma kunna abokin ciniki-config-dir, da kuma gyara saitin abokin ciniki da ake so ta ƙara ifconfig-push tare da daidai abin rufe fuska da adireshin IP da ake so.
Aiki na biyu
Yanzu muna da na'ura a kan "cibiyar sadarwa" da ke fuskantar Intanet kuma ana iya amfani dashi don dalilai na son kai. Wato, tura wani ɓangare na zirga-zirga ta cikinsa.
Don haka, sabon ɗawainiya: kuna buƙatar kashe zirga-zirgar zirga-zirgar da ke zuwa ɗaya daga cikin tashoshin jiragen ruwa na VPS tare da farin IP domin wannan zirga-zirgar ta tafi zuwa sabuwar hanyar sadarwa mai kama da juna kuma amsa zata iya dawowa daga can.
Magani: tabbas iptables! Yaushe kuma za ku sami irin wannan dama mai ban sha'awa don yin aiki tare da shi?
Za'a iya samun tsarin da ake buƙata da sauri, cikin sa'o'i uku, kalmomin zagi guda ɗari da ɗimbin ɓatattun jijiyoyi, saboda lalata hanyoyin sadarwa hanya ce ta musamman.
Da farko, kuna buƙatar kunna juyar da zirga-zirga a cikin kernel. Ana kiran wannan abu ipv4.ip_forward kuma an kunna dan kadan daban-daban dangane da OS da manajan cibiyar sadarwa.
Abu na biyu, kuna buƙatar zaɓar tashar jiragen ruwa a kan VPS kuma ku haɗa duk zirga-zirgar da ke zuwa gare ta a cikin rukunin yanar gizo mai kama-da-wane. Ana iya yin wannan, misali, kamar haka:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.8.0.2:8080Anan muna tura duk zirga-zirgar TCP da ke zuwa tashar jiragen ruwa 8080 na ƙirar waje zuwa na'ura mai IP 10.8.0.2 da tashar tashar 8080 iri ɗaya.
Ga waɗanda suke son ƙazantattun bayanan aikin netfilter, iptables da kuma zirga-zirga a gaba ɗaya, ya zama dole a yi la'akari ko .
Don haka, yanzu fakitinmu suna tashi zuwa rukunin yanar gizo mai kama-da-wane kuma… suna tsayawa a can. Fiye da daidai, amsa daga wakili na safa yana dawowa ta hanyar tsohuwar ƙofar a kan injin tare da Dante kuma mai karɓa ya sauke shi, saboda a cikin cibiyoyin sadarwa ba al'ada ba ne don aika buƙatun zuwa IP guda ɗaya kuma karɓar amsa daga wani. Saboda haka, muna bukatar mu ci gaba da conjure.
Don haka, yanzu kuna buƙatar tura duk fakiti daga wakili baya zuwa rukunin yanar gizon kama-da-wane zuwa VPS tare da farin IP. A nan yanayin ya ɗan yi muni, saboda kawai iptables ba za mu samu isasshe ba, domin idan muka gyara adireshin inda aka nufa kafin mu tafiPREROUTING), to fakitinmu ba zai tashi zuwa Intanet ba, kuma idan ba mu gyara ba, kunshin zai tafi default gateway. Don haka, kuna buƙatar yin haka: tuna sarkar mangle, don yin alamar fakiti ta hanyar iptables sannan a nannade su a cikin tebur na al'ada wanda zai tura su inda ya kamata.
Da zaran an fada sai aka yi:
iptables -t mangle -A OUTPUT -p tcp --sport 8080 -j MARK --set-mark 0x80
ip rule add fwmark 0x80 table 80
ip route add default via 10.8.0.1 dev tun0 table 80Muna ɗaukar zirga-zirgar zirga-zirgar zirga-zirgar zirga-zirgar ababen hawa, sanya alama duk abin da ke tashi daga tashar jiragen ruwa wanda wakili ke zaune a kansa (8080 a cikin yanayinmu), tura duk zirga-zirgar zirga-zirgar ababen hawa zuwa tebur mai lamba 80 (a gaba ɗaya, lambar ba ta dogara da komai ba, kawai muna so. shi haka) kuma ƙara ƙa'ida guda ɗaya , bisa ga abin da duk fakitin da aka haɗa a cikin wannan tebur suna tashi zuwa subnet na VPN.
Mai girma! Yanzu fakitin suna komawa zuwa VPS ... kuma su mutu a can. Domin VPS bai san abin da zai yi da su ba. Don haka, idan ba ku dame ku ba, zaku iya kawai tura duk zirga-zirgar zirga-zirgar da ke zuwa daga rukunin yanar gizo mai kama-da-wane zuwa Intanet:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 172.42.1.10Anan, duk abin da ya zo daga 10.8.0.0 subnet tare da abin rufe fuska na 255.255.255.000 an nannade shi a cikin tushen-NAT kuma ya tashi zuwa ƙirar tsoho, wanda aka juya zuwa Intanet. Yana da mahimmanci a lura cewa wannan abu zai yi aiki ne kawai idan muka tura tashar jiragen ruwa a fili, wato, tashar da ke shigowa a kan VPS ta dace da tashar jiragen ruwa na wakili. In ba haka ba za ku sha wahala kaɗan kaɗan.
Wani wuri yanzu komai ya kamata ya fara aiki. Kuma kaɗan ya rage: kar a manta don tabbatar da cewa duk saiti iptables и route bai ci gaba ba bayan sake kunnawa. Domin iptables akwai fayiloli na musamman kamar /etc/iptables/rules.v4(a cikin yanayin Ubuntu), amma ga hanyoyi komai yana da ɗan rikitarwa. Na tura su ciki up/down Buɗe rubutun VPN, kodayake ina tsammanin an yi su da kyau.
Kunna zirga-zirga daga aikace-aikacen a cikin wakili
Don haka, muna da wakili tare da tantancewa a cikin ƙasar da ake so, ana samun dama ta hanyar adreshin IP mai tsayayyen fari. Duk abin da ya rage shi ne don amfani da shi da tura zirga-zirga daga Spotify a can. Amma akwai wani nuance, kamar yadda aka ambata a sama, login-Password ga wakili a Spotify ba ya aiki, don haka za mu nemi yadda za a kewaye da shi.
Da farko, bari mu tuna game da . Babban abu, amma yana da tsada kamar jirgin ruwa ($ 40). Da wannan kuɗin za mu iya sake siyan kari kuma a yi da su. Saboda haka, za mu nemi ƙarin free kuma bude analogues a kan Mac (eh, muna so mu saurari kiɗa a kan Mac). Bari mu gano kayan aiki guda ɗaya: . Kuma za mu tafi da shi da farin ciki.
Amma farin cikin zai kasance ɗan gajeren lokaci, saboda ya bayyana cewa kuna buƙatar kunna yanayin lalata da haɓakar kwaya na al'ada a cikin MacOS, fayil ɗin tsari mai sauƙi kuma ku fahimci cewa wannan kayan aikin yana da matsala iri ɗaya kamar Spotify: ba zai iya wucewa ta tabbatarwa ta amfani da login-password akan safa-proxy.
Wani wuri kusa da nan shine lokacin da za a yi wasa da siyan kuɗi ... amma a'a! Mu yi kokarin neman a gyara shi, budaddiyar tushe ce! Mu yi . Kuma a cikin martani muna samun labari mai raɗaɗi game da yadda kawai mai kula ba ya da MacBook kuma zuwa jahannama tare da shi, ba gyara ba.
Za mu sake baci. Amma sai za mu tuna da matasan mu da C, kunna yanayin lalata a Dante, tono ta hanyar daruruwan kilobytes na katako, je zuwa don bayani game da ka'idar SOCKS5, bari mu duba Xcode mu nemo matsalar. Ya isa ya gyara hali ɗaya a cikin jerin lambobin hanyoyin da abokin ciniki ke bayarwa don tantancewa kuma komai ya fara aiki kamar aikin agogo. Muna murna, muna tattara binary na saki, muna yi kuma mu shiga faɗuwar rana mu tafi batu na gaba.
Sanya shi ta atomatik
Da zarar Proximac yayi aiki, yana buƙatar aljani kuma a manta dashi. Akwai tsarin farawa guda ɗaya wanda ya dace da wannan, wanda ake samu a MacOS, wato .
Mun same shi da sauri kuma mun fahimci cewa sam ba haka ba ne systemd kuma a nan ya kusan tsinkaya kuma xml. Babu ƙayyadaddun saiti a gare ku, babu umarni kamar status, restart, daemon-reload. Irin hardcore kawai start-stop, list-grep, unload-load da dai sauransu. Cin nasara duk wannan muna rubutawa plist, lodi. Ba ya aiki. Muna nazarin hanyar gyara aljani, gyara shi, fahimtar abin da ke wurin ENV даже PATH ba mu isar da na yau da kullun ba, muna jayayya, mun kawo shi (ƙara /sbin и /usr/local/bin) kuma a ƙarshe muna farin ciki tare da autostart da aikin barga.
Fitar da iska
Menene sakamakon? Mako guda na kasada, gidan zoo mai durƙusa daga hidimomin da ke ƙauna ga zuciya kuma yana yin abin da ake buƙata daga gare ta. Ilmi kaɗan a cikin wuraren fasaha masu ban sha'awa, ɗan buɗaɗɗen tushe da murmushi a fuskarka daga tunanin "Na yi shi!"
PS: wannan ba kira ba ne don kauracewa 'yan jari-hujja, don ceton a kan matches ko don jimlar wayo, amma kawai nuni ne na yiwuwar bincike da ci gaba inda, a gaba ɗaya, ba ku sa ran su ba.
source: www.habr.com