ααΏαβαα·αβαααααΆαβα α·αααβαααα»αβααΆαβααΎαβα‘αΎαβα ααααβαα·αααβααααα·βααααβαααα»αβααααΆααα ααα»ααααααΌα ααΆαα·ααααααΆαα α·αααααΌα αααααΆααΆαααααααααΆααααααΆαα Mikhail ααΆααααΆααααααΆααΆααααααΆααααααααΆαααααα»αα
αααα»αααααΌααααα·ααΆαααΆαα·ααααααααααα»αααΊααα’ααΆαα ααΌααΈαα-user: α’αΆα
ααα‘αΎααααααααααααα½αα―αααΆαα αααααα·ααΈ MySQL, αααααα·ααΈ PHP αα·ααααααΎαααΆααααααααΆαααα nginx.
α αΎαααΆααααΆαααα αααααααΆαααα·α α¬αα½αααααα αααα§αααα·ααααα§ααααααααααα
ααα ααααααα½ααααα»αα
ααααααα αααααααΆααααααααα§αααα·αααα sawsaws αααα·ααα
αααΆαααΉαααΆααα
αααα»α TOP αααααΆαααΈααααααααα ααα αααααβαααβααΊβααΆβα’αααβαα·αα·αααβααΎαβαα·αβαααβααΆαα·ααααααα ααα»ααααβααΆαβααααΆβααααΆααβα
αΌαβαα
βαααα»αβαααααΆααβααβααΆαβααΆαβαααα αΆαβααΆβα αααα DDoSαααααΆαααααααααΆααααΆα αΆα αααααΆαααααα½ααααααααααα·α’αΆαα’αΆααΆα α αΎαααααΎααΆαααααΆααα
ααΆααα’ααααααα αα αα·ααα
RKN α
ααααα
ααα α’αααΈαααΆαααααααα
αα·α α αΎαααΆααααααααααΆαααααααΆααααααα
ααΆαα·αααα’ α αΎαααα ααααααααααΆαα
αΆααααααΎαααααα·α
αααα α α
αΆαα
ααααΈαααααΆααααααΌααααααααααααααααα
αααβααΆβααΆαβααΎαβα‘αΎαβααααβ Admin ααααΆααα
αα·αβαααβααααβα
αΌαβαααβα αΎαβαααβααΌαααααβαααααΊβα‘αΎαα βααΆα α―αβαα·αβααΎαβαααΆαααΈαβαααααΎβαααα»αβαα? ααΆα αΆααααΌα
ααΆαααα»αααΆαααα»αααααΌαααΆααααα½α
α
αΌα αααα»ααα·αα’αΆα
αααα αΆαααΆααΆααα ααα»ααααα’αΆαααααααα·αααΆαα
αΆαα
ααααΈαααα»ααααααΆαααααααΆα αααΈααΈαααααα αααα ααβααΆβαααβαααβα αΎαβαααααΆααβαααα»αβααΎααααΈβααα½αβααΆαβααΆαβααααΆααΆαβααααΊβαααα½αβααααΌα?
α’αααΈβαααβαααααΆααβααβααΊβααΆαβαα·ααΆααααΆβααααααβαααααβααααβαααβα’αΆα
βααααααβααΌα
βααΆαβαααααα
- ααΈαααααΆααααΆααα½α α αΌαααΆαααΈααΆαα·ααΆααα
- α’αααααΆααααα αΆαα’αΆα ααα½αααΆααα·αααα·α’αααααααΎααααΆααααΆαααααααα
- ααΆαααΆααααα αΆα (ααααα·αααΎααΆααΆαααΎαα‘αΎα) ααααΌαααΆααααααααααα ααΆαα·ααααα ααααααααα;
- ααααααααα αΆααααΌαααΆααααααααΌα α αΎαα’αααααααΆααααααααΌααααααΆααΎααΆαααΆααααααα αΌαα¬α’ααα
- ααΆα hack αα·αα’αΆα αααααΆαααααααΌαααα ααααα αα·αααΌαααααΆααα·ααααααααα
ααΆααααααΉαα ααα»α α α»ααααααα
ααΆααα IP frontend ααααααα»ααααααααααΎααα
ααΎαα·αααααα αα·αααΆαααΆαααααΆααααααΌααααΆα backends αα·α frontend αα ααΎαααααα http(s) α’αααααααΎααααΆαα/passwords αα»αααααΆ ααααΆα keys ααααΌαααΆαααααΆααααααΌαααα αα
ααΎα’αΆααααααΆαααααααααα α
αααααΆααα’ααααΎαααααα 80/443 ααααΌαααΆααα·αα IP backend ααααααααΌαααΆαααααααΆααααα
ααααα’αααααααΎααααΆααααΈαααΆααααα Mikhail ααΏααΆααααΆαααααα»αα
ααΆαααα‘αΎααα αααααααΆααα»α Debian 9 α αΎααα ααααααααΆαα α ααΌααααααααααΌαααΆααααααΎαα‘αΎα αααααααααααααααΌαααΆαααΆα αααααΆαααΈαα·αααααααααααααΆααααααΎαααΆααααα α αΎαααΆαααααααα
βααααααα α’αα»ααααΆαα±αααααα»αα αΌαααααΎβ αααα»ααααααα α α·ααααα·αααααααααααααα½αααααα "αααα»αααΉαααΎααααααααΆααααααα" α
αα ααΈααα αα·αα αααΎααααα
$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1
αααα»ααααααααααΆα hack αααα’αΆα ααΎαααΆα
αααα»αα αΆααααααΎααααΆαααΈααα ααΆααααΌααα αααα»α αααααααααααα. αααα»αβααΆααβααΆαβα αΎαβαααα‘ααβααβαα·αα αα·αααα·-αααααα ααα», αααααααα·ααΆααααααααααα ααα»αααααααα ααα ααααα·αααΎα’αΆα ααααΎααΆα αααα»ααα·αα·αααααΎαααΆαααα·α ααααααααΆααααααΎαα―αααΆα αααααΈααΆαααα»ααααααΆ αααααααΊααααααΆααΉα "α‘αΎα" αααααΆααααΈαααα½αααΆααααααα α αΎα Misha ααΆα "ααΆααααααΈ" α αααΎααα½α αα α αΎα αααααααααααΆαααααα»αααααααααααα½αα―αα .
αααα»αα
αΆααααααΎααααα»αααααααααααΆ αα·αααΆαααααααΈα’αααΈαααααααΌαααααΎα αααα»ααα·ααααΆααΆααααααα ααααΌααααα»αα
αΆααα’αΆαααααα nginx α
αΆααααΆααααΈ ααΆααΌαα
ααααΆαα’αααΈαααααααααα
ααΎαααααααΆααα»ααα ααΎααααααααΆα
ααΆαβαααααβαα
ααΆααααααααβααΆαβααα αβααΌα
ααΆαβαα
ααΆααααααααβααα’βααΆβα―αααΆαβααΆααβαα·α αααα»αβααααΆααβααβααΎαβααΆαβαα½αβααΆβααα»αααααα ααααΆ'α’αΌαααααα½ααα α’αααΈαα αΆααααΌα
ααΆααα’αΆαααα’α ααα»ααααα’ααααα·αααΉαααΆαααα»αααααΆαα’αααΈαααααα αα½ααααα
αΌαααΆααα’αα»ααααΆαα±αααααα»αααααΎαααααΈαααααα:
$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
αααα»ααα·ααααααα "ααΎαααααΈααααααα α―ααΆ?"
$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
αααα½αααΈααΈαααααΌαααΆααααααααα αααα½αα α»ααααααΈ: "α ααα»α’αααΈααΆαααΆαααααα»ααΆααα nginx αααααα?"
ααΎαααΈααααααααααααααααΏααΆααααΆααααα α»αααααααααα»αααααΌαααΆαααα‘αΎα:
$ dpkg -l nginx | grep "[n]ginx"
ii nginx 1.14.2-2+deb10u1 all small, powerful, scalable web/proxy server
αααα»ααααα»αα α
α
- Misha α ααα»α’αααΈααΆαααΆα’ααααααααΌααααα»αα‘αΎααα·α nginx?
- α
αΆααααα»ααα·αααΉαααααΎαααΆααααα
!
- α’αΌαα ααααα
...
Nginx ααΆβααααΌαβααΆαβααβαααααΎαβα‘αΎαβαα·αβαααΆαβα αααΆαα α αΎαβααααααβααβααΆαβα α»αβαααααΈβαααβααααΎ β-Tβ ααααΌαβααΆαβααΆααβαααβα ααα»ααα αα·αααΆαααΆααααααααααααα’αααΈααΆααα½α α αΌα α αΎαα’αααα’αΆα ααα½αααααΆαααααΆαααα α αΎα (α αΆααααΆααααΈ Misha ααΆααααα½ααααΆαααΈααααααααααΈαα½α) αα·α αΆαααΆαααα αΆααααΌαααΆααααααααΆαα
α αΎαααΆααΆααα·αααΆαα α αΆααααΆααααΈααααΆααααΆααααΆαααα½ααα·αααα· ααΆ root'α’αΆ αααααΆααααααΆααα ααα»αααααα»αααΆαααααΎ ααα‘αΎαααααααααα‘αΎααα·αα αΎαααΆααααΆααααααααααααααα»αααΆαααααΎαα’αααΈααααα»ααα ααΈααα ααα»ααααααΎααααααΆαα ααααΉαα ααααΎαααΆαααααααααΆααααα ααΎααΎαα’αΆα ααααΎαα’αααΈααααα½αααα ααααΆααααΈααΎααααααααααΆ?
αααααααΆααΆαααΆαααΆαα
$ strace nginx -T
ααΎαααΎααα ααΆα αααΆααααΆααααΆαα·αααΆααααααΆαααααααααααΆαααα αααα»α trace a la
write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf) = 21
write(1, "...
write(1, "n", 1
ααααΆααβααβααΆβααΆαβαααβααΎα ααΌαβααααααααβααΆαβααβααΎαα
$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264
αααα»ααα·αααΆααΆααααααα½αααααΌα /src/core/nginx.c
case 't':
ngx_test_config = 1;
break;
case 'T':
ngx_test_config = 1;
ngx_dump_config = 1;
break;
ααααΌαααΆαααΆααααα αααααα:
case 't':
ngx_test_config = 1;
break;
case 'T':
ngx_test_config = 1;
//ngx_dump_config = 1;
break;
α¬
case 't':
ngx_test_config = 1;
break;
case 'T':
ngx_test_config = 1;
ngx_dump_config = 0;
break;
ααΌα ααααααΆαα α»ααααααΈααα "-T" αα·αααααΌαααΆααααα αΆαααα
ααα»ααααααΎααΎαα’αΆα ααΎαααΆααααααααααααΎααααααααααΆ?
ααααα·αααΎαααα·ααααααααα»αααααΉαααααΌα α αΎααααα αΆααΊααΆααααα αααα»αα’αααααα»αααααα ngx_dump_config αααααααΆααΆαααα‘αΎαααΆαααααααΎ gdbααΆααααΆαααα’ααΆαααΌααααα½αα --with-cc-opt -g αα αα α»αααααα α αΎααααααΉαααΆααΆααααααΎαααααα·αααααΆααααα -O2 ααΆααΉααα·αααααΎα±ααααΎαααΊα αΆααααα αααααΉαβααΉαβααα αααα»αβαα·αβααΉαβαααΆαβαααα βααα ngx_dump_config α’αΆα ααααΌαααΆαααααΎαααΆααα αααα»α ααααΈ 'T':ααΎαααΉααα·αα α αααα»αααααα ααα»ααααααα‘αΎαααΆαααααααΎ ααααΈ 't':
α ααα»α’αααΈααΆαααΆα’αααα’αΆα ααααΎ '-t' ααααΌα ααΆ '-T'ααααΎαααΆααααααααΆαα ααααα·αααΎ (ngx_dump_config) ααΎαα‘αΎααα ααΆααααα»α ααααα·αααΎ (ngx_test_config):
if (ngx_test_config) {
if (!ngx_quiet_mode) {
ngx_log_stderr(0, "configuration file %s test is successful",
cycle->conf_file.data);
}
if (ngx_dump_config) {
cd = cycle->config_dump.elts;
for (i = 0; i < cycle->config_dump.nelts; i++) {
ngx_write_stdout("# configuration file ");
(void) ngx_write_fd(ngx_stdout, cd[i].name.data,
cd[i].name.len);
ngx_write_stdout(":" NGX_LINEFEED);
b = cd[i].buffer;
(void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
ngx_write_stdout(NGX_LINEFEED);
}
}
return 0;
}
ααΆααΆααα·αααΆααααααα·αααΎαααααΌαααααΌαααΆαααααΆααααααΌααα αααα»ααααααααααα·ααα·ααα αααα»α ααααΈ 'T':αααααΆαααααα·ααΈααΆααααααααααααα»αααΉααα·αααααΎαααΆαααα
ααΆααααα nginx.confαααααΆααααααααΆααααα αΆααααα·ααααααα½α α αΎα ααΆααααΌαααΆααααααΎαα‘αΎαααΆααΆαααααααα ααΆααααααααα’αααααααΆααΊααααΌαααΆαααΆαααΆααααααΆαααααααααααΎαααΆα nginx ααααααα
events {
}
http {
include /etc/nginx/sites-enabled/*;
}
ααΎαααΉαααααΎααΆαααααΆαααααααααα αααα»αα’αααααα
ααΎαααααΎαααΆααααααα·ααΈααααΆααααα α»α
$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188 src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}
http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}
map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}
map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}
map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}
sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;
include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:
[Inferior 1 (process 32581) exited normally]
(gdb) quit
ααααβαα½αβααα αΆα:
- αααααα ααα»α ααααα αααα»ααα»αααΆα αα ()
- ααΎαααααΎαααΆααααααα·ααΈ
- ααααΆααααααΌααααααααα’αααααααααααααααααααααΆαααααα ngx_dump_config=1
- αααα / αααα αααααααα·ααΈ
ααΌα αααααΎαα’αΆα ααΎαααΎα ααΆαααααααα·αααααΆαααα»αααΈααααααΎα ααΎαααααΎαααΎαααααααααΆαααΆαααΈαααΈααΆα
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}
map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}
map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}
map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}
sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;
ααΌααααα‘ααααΎαα’αααΈααααααα»αααΎαα‘αΎααα ααΈαααααΆαααααΆαααααααα
ααααα ααααΆααααΆαα’αααααααΎααααΆααααααα yandex/googleα
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}
αααααααααΆααααααααΌαααΆαααα αα αααα, ααΌαααΆα:
map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}
α αΎααααααΆααα’ααααααααααΆαααααααααααααααααΆααααΈαααΆαααΎ
map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}
map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}
αα αααα»αα’ααααα html- ααΆαααααΆααααααΌαααααα 'α’αΌ' αα ααΎ 'o' ΠΈ 'A' αα ααΎ 'a':
sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;
ααΆααΆαααααΉαααααΌα ααΆααααααααααααα½ααααααΊααΆ 'a' != 'a' ααααΌα ααΆ 'o' != 'o':
ααΌα
αααα αααΆαααΈαααααααα bots ααα½αααΆα αααα½αα±ααα’ααααα Cyrillic ααααααΆ 100% ααααΆααααααΆααααααα diluted ααΆαα½αα‘αΆααΆαα 'a' ΠΈ 'o'. αααα»ααα·αα ααΆααα·ααΆααααΆα’αααΈαααααααααΆαααααΆααααα SEO ααααα ααα»ααααααΆαα·ααααααααααΆααΆααααα’ααααααααααααΉαααΆαα₯αααα·αααα·αααααΆααα
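The injected nginx configuration shown above marks requests from the Yandex and Google crawlers (the $sign_user_agent map) whose URI does not contain /wp- (the $sign_uri map) and, only for those responses, uses sub_filter to swap the Cyrillic letters о and а for their Latin look-alikes o and a. The following Python is an added example, not code from the original article and not part of nginx; it shows two defender-side checks for that kind of cloaking: scanning a single page body for words that mix Cyrillic and Latin letters, and comparing the body served to an ordinary visitor with the body served to a crawler to count look-alike substitutions. The sample page text is constructed here, and the crawler-side body is derived by applying exactly the replacements the sub_filter rules make; in practice the two bodies would come from two requests to the site, one with a normal User-Agent and one with a crawler User-Agent.

```python
# Added example (not from the original article, not nginx code): detect homoglyph
# cloaking of the kind the sub_filter rules above perform, where Cyrillic 'о'/'а'
# are replaced by Latin 'o'/'a' only in responses served to search-engine crawlers.
import difflib
import re
import unicodedata
from collections import Counter
from html import unescape

CYRILLIC_O, CYRILLIC_A = "\u043e", "\u0430"   # the two letters the sub_filter rules target

# Constructed sample: the body an ordinary visitor receives, and the body a crawler
# receives after the same replacements the config's sub_filter rules make.
NORMAL_BODY = "<html><body><p>Продажа автомобилей в Москве</p></body></html>"
BOT_BODY = NORMAL_BODY.replace(CYRILLIC_O, "o").replace(CYRILLIC_A, "a")

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"\w+")


def script_of(ch):
    """Return 'Cyrillic', 'Latin' or None, based on the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "LATIN"):
        if name.startswith(script):
            return script.capitalize()
    return None


def visible_text(html):
    """Strip tags and entities so only the text a crawler would index remains."""
    return unescape(TAG_RE.sub(" ", html))


def mixed_script_words(html):
    """Words containing both Cyrillic and Latin letters: the fingerprint of the
    substitution, detectable from a single crawler-side response."""
    hits = []
    for word in WORD_RE.findall(visible_text(html)):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append(word)
    return hits


def is_homoglyph_pair(a, b):
    """True when a and b are the same letter in different scripts (о/o, а/a, ...)."""
    na, nb = unicodedata.name(a, ""), unicodedata.name(b, "")
    return (a != b and " LETTER " in na and " LETTER " in nb
            and na.split(" LETTER ", 1)[1] == nb.split(" LETTER ", 1)[1]
            and script_of(a) != script_of(b))


def substitutions(normal, bot):
    """Align the visitor body with the crawler body and count one-for-one character
    replacements, keyed by (original_char, replacement_char)."""
    counts = Counter()
    sm = difflib.SequenceMatcher(a=normal, b=bot, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "replace" and (i2 - i1) == (j2 - j1):
            for x, y in zip(normal[i1:i2], bot[j1:j2]):
                counts[(x, y)] += 1
    return dict(counts)


def homoglyph_substitutions(normal, bot):
    """Only the replacements that swap a letter for its look-alike in another script."""
    return {pair: n for pair, n in substitutions(normal, bot).items()
            if is_homoglyph_pair(*pair)}


if __name__ == "__main__":
    print("mixed-script words served to the crawler:", mixed_script_words(BOT_BODY))
    print("homoglyph swaps (visitor -> crawler):",
          homoglyph_substitutions(NORMAL_BODY, BOT_BODY))
```

The single-body check is the cheaper one to run routinely (fetch the site with a crawler User-Agent and look for mixed-script words); the two-body comparison tells you which characters were swapped and how often, which is what distinguishes deliberate homoglyph cloaking from ordinary content differences between two requests.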
ααΎαα»αααααααα
αααα»αααααααααααααααααααα
ααΎαααα»αα’αΆα αα·ααΆαα’αααΈααΆααα»αααααααΆαααΆααααααΎααααααα
ααα ααααΈααα
ααααα: www.habr.com