
Network, firewall and nginx notes

Author: Internet

Jotting down some recent notes.

Some redis pitfalls, well summarized by a foreign author.
For example, pull keys with the scan/cursor approach instead of the KEYS command (KEYS walks the whole keyspace in one blocking call).
http://www.programmersought.com/article/89521650540/
https://redis.io/commands/scan
This works:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    // Incremental SCAN over the keyspace; each call examines only a window of keys,
    // so other clients are not blocked the way they are by KEYS.
    public Set<String> scan(String matchKey) {
        Set<String> keys = redisTemplate.execute((RedisCallback<Set<String>>) connection -> {
            Set<String> keysTmp = new HashSet<>();
            // COUNT is only a hint for how many keys one SCAN call examines, not a result limit.
            Cursor<byte[]> cursor = connection.scan(new ScanOptions.ScanOptionsBuilder().match("*" + matchKey + "*").count(1000).build());
            while (cursor.hasNext()) {
                // decode explicitly; needs import java.nio.charset.StandardCharsets
                keysTmp.add(new String(cursor.next(), StandardCharsets.UTF_8));
            }
            return keysTmp;
        });
 
        return keys;
    }
My finished code; I still don't understand count very deeply, to be explored:
    public Set<String> scanKeys(String keyPattern) {
        // execute(RedisCallback<T>) already returns T, so no cast is needed
        Set<String> keys = redisTemplate.execute((RedisCallback<Set<String>>) connection -> {
            Set<String> keysTmp = new HashSet<>();
            // no count() here, so the server uses its default hint (10 keys per call)
            ScanOptions scanOptions = new ScanOptions.ScanOptionsBuilder().match(keyPattern).build();
            Cursor<byte[]> cursor = connection.scan(scanOptions);
            while (cursor.hasNext()) {
                keysTmp.add(new String(cursor.next(), StandardCharsets.UTF_8));
            }
            return keysTmp;
        });
        return keys;
    }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
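An added example, not code from the page or from Spring Data Redis: a Python model of the full SCAN iteration the two Java methods above perform, run against a constructed FakeRedis so it works offline. It shows the COUNT semantics the note flags as unclear: COUNT bounds the keys examined per call, MATCH is applied after that window is chosen (so a call may return nothing), and only a returned cursor of 0 ends the scan.

```python
import fnmatch
from typing import Iterable, List, Set, Tuple


class FakeRedis:
    """Constructed stand-in for a Redis server (no real server needed).

    Reproduces the SCAN contract: COUNT is a hint for how many keys one call
    examines, MATCH filters that window afterwards (a call can return zero keys),
    and the iteration is complete only when the returned cursor is 0.
    """

    def __init__(self, keys: Iterable[str]) -> None:
        self._keys = list(keys)

    def scan(self, cursor: int, match: str = "*", count: int = 10) -> Tuple[int, List[str]]:
        window = self._keys[cursor:cursor + count]
        next_cursor = cursor + count
        if next_cursor >= len(self._keys):
            next_cursor = 0  # 0 signals the end of a full iteration
        return next_cursor, [k for k in window if fnmatch.fnmatchcase(k, match)]

    def keys(self, match: str = "*") -> List[str]:
        # KEYS walks the whole keyspace in one blocking call; on a large dataset
        # this stalls every other client, which is why SCAN is preferred.
        return [k for k in self._keys if fnmatch.fnmatchcase(k, match)]


def scan_keys(conn, pattern: str, count: int = 1000) -> Tuple[Set[str], int]:
    """Full SCAN iteration: returns the matched keys and the number of round trips.

    A set is used because a real server may return a key more than once while
    the keyspace is being resized during the iteration.
    """
    keys: Set[str] = set()
    cursor, calls = 0, 0
    while True:
        cursor, batch = conn.scan(cursor, match=pattern, count=count)
        keys.update(batch)
        calls += 1
        if cursor == 0:  # never stop on an empty batch; only cursor 0 ends the scan
            return keys, calls


if __name__ == "__main__":
    # constructed keyspace: 20 user keys followed by 5 session keys
    r = FakeRedis([f"user:{i}" for i in range(20)] + [f"session:{i}" for i in range(5)])
    # the session keys sit at the end, so the first two batches are empty
    print(scan_keys(r, "session:*", count=10))  # ({'session:0', ..., 'session:4'}, 3)
```

A real client such as redis-py's scan_iter() runs this loop for you; the Java code above relies on Spring's Cursor to do the same.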



The main trouble was installing es7.
https://blog.csdn.net/u011265001/article/details/100084335?depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1&utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1

Enabling basic authentication on nginx
Official documentation:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
Written by a foreign author, good~~~
https://www.tecmint.com/setup-nginx-basic-http-authentication/

yum install nginx ---> installs the binary at /usr/sbin/nginx, with the config files in /etc/nginx/

htpasswd /etc/nginx/.htpasswd kibana
tips: installing this tool
# yum install httpd-tools        [RHEL/CentOS]
$ sudo apt install apache2-utils    [Debian/Ubuntu]


Then enter the password interactively and the password file is generated:
$ cat /xxxx/.htpasswd
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0

Configure it in the nginx config file:
location /api {
    auth_basic           "Administrator's Area";
    # point this at the file htpasswd wrote above (here /etc/nginx/.htpasswd)
    auth_basic_user_file /etc/apache2/.htpasswd;
}
and that's it.
https://www.cnblogs.com/silent2012/p/8377837.html for reference


The official reverse proxy sample configuration is here:
https://nginx.org/en/docs/http/ngx_http_proxy_module.html?_ga=2.27153012.815603832.1587469798-958214196.1587469798#example


############################################################################

docker problem solved, same as below:
https://www.cnblogs.com/elson-zeng/p/12553329.html
CentOS7 firewalld + docker port mapping problem: the port is opened in the firewall but still cannot be accessed; solution
# host ip: 192.168.91.19
docker run -itd --name tomcat -p 8080:8080 tomcat /usr/local/apache-tomcat-9.0.30/bin/startup.sh

# open port 8080 in the firewall
firewall-cmd --add-port=8080/tcp --permanent

# problem: 192.168.91.19:8080 cannot be reached; after stopping firewalld it is reachable again
# solution: add the docker bridge interface to the trusted zone
firewall-cmd --permanent --zone=trusted --change-interface=br-d2aa50162455
# reload to apply the configuration
firewall-cmd --reload
# firewall-cmd related commands: https://www.cnblogs.com/Raodi/p/11625487.html

My problem was the opposite: even though the firewall had blocked port 9200, other machines could still reach it.
The solution:
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
#The default location of the configuration file on Linux is /etc/docker/daemon.json. 
#The --config-file flag can be used to specify a non-default location.
In docker's daemon.json set:
"iptables": false   ---> stops docker from managing iptables itself ---> which directly caused kibana to be unable to reach elasticsearch
Then, following the blog above, I added docker's interface to the trusted zone ---> kibana can reach elasticsearch again.
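An added check, not from the page or from Docker: it classifies a host according to the two settings changed above ("iptables" in /etc/docker/daemon.json and the zone that holds the docker bridge), given the text of daemon.json and the output of `firewall-cmd --get-active-zones`. The sample inputs are constructed to mirror the note; the bridge name br-d2aa50162455 is the one the page uses.

```python
import json
from typing import Dict, List, Optional


def parse_active_zones(output: str) -> Dict[str, List[str]]:
    """Parse `firewall-cmd --get-active-zones` text into {zone: [interfaces]}.

    Zone names are unindented; their interface list follows as an indented
    'interfaces:' line (a 'sources:' line may follow and is ignored here).
    """
    zones: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            zones.setdefault(current, [])
        elif line.strip().startswith("interfaces:") and current is not None:
            zones[current].extend(line.split(":", 1)[1].split())
    return zones


def docker_firewall_check(daemon_json: str, active_zones: str, bridge: str) -> Dict[str, object]:
    """Which of the three states from the note the host is in.

    - Docker manages iptables itself (the default, "iptables" absent or true):
      published ports are reachable from other hosts no matter what firewalld's
      port rules say, which is the 9200 surprise described above.
    - "iptables": false and the bridge not in trusted: firewalld governs, and
      container traffic on the bridge is not forwarded (kibana cannot reach ES).
    - "iptables": false and the bridge in trusted: containers reachable again.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    docker_iptables = bool(cfg.get("iptables", True))
    zones = parse_active_zones(active_zones)
    bridge_zone = next((z for z, ifs in zones.items() if bridge in ifs), None)
    if docker_iptables:
        state = "firewalld-bypassed"
    elif bridge_zone == "trusted":
        state = "firewalld-governed-containers-reachable"
    else:
        state = "firewalld-governed-containers-isolated"
    return {"docker_iptables": docker_iptables, "bridge_zone": bridge_zone, "state": state}


# Constructed sample inputs mirroring the note (not captured from a real host)
DAEMON_JSON_DEFAULT = "{}"
DAEMON_JSON_FIXED = '{"iptables": false}'
ZONES_BEFORE = "public\n  interfaces: eth0\n"
ZONES_AFTER = "public\n  interfaces: eth0\ntrusted\n  interfaces: br-d2aa50162455\n"

if __name__ == "__main__":
    for cfg, zones in ((DAEMON_JSON_DEFAULT, ZONES_BEFORE), (DAEMON_JSON_FIXED, ZONES_BEFORE),
                       (DAEMON_JSON_FIXED, ZONES_AFTER)):
        print(docker_firewall_check(cfg, zones, "br-d2aa50162455")["state"])
```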
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Looks like plenty of people hit this problem
#similar to mine
https://www.jianshu.com/p/69d3ab177655
https://www.jianshu.com/p/10c467600ef9



#the docker service unit file is /usr/lib/systemd/system/docker.service
#the proxy for the docker service was configured at the time in /etc/systemd/system/docker.service.d/http-proxy.conf

Three config files are involved here:
/etc/docker/daemon.json                 #daemon settings; there are many options, including docker registry mirrors
/usr/lib/systemd/system/docker.service  #service unit file
/etc/systemd/system/docker.service.d/http-proxy.conf   #proxy configuration


So there is a lot of related knowledge to learn, a debt to pay off. Because I never understood it thoroughly, troubleshooting was bumpy.
1. systemctl commands: where are the startup scripts? where are the config files?
2. systemd daemon: where are its config files and how are they configured?

https://www.cnblogs.com/brucewhite/p/11608853.html
systemctl --help  read the help!!!!!!!
systemctl  enable  |  disable |  is-enabled  | status  | is-active  unit
systemctl   get-default|set-default graphical.target|multi-user.target | isolate   switch the target online
systemctl daemon-reload  reload the unit configuration files
Location of systemd unit files on the redhat family:
directory: /usr/lib/systemd/system/
enable creates a symlink to the unit file under /etc/systemd/system/multi-user.target.wants/:

3. The several ways to autostart on linux: init.d, chkconfig, service and related concepts
https://www.cnblogs.com/liuxia912/p/10960610.html
#CentOS 7 systemctl service scripts live under /usr/lib/systemd/, split into system and user,
#programs that must run at boot without a login belong in system services, i.e. /usr/lib/systemd/system
#software that supports Systemd automatically adds a unit file under /usr/lib/systemd/system when installed.

Ran into this when configuring the vnc server as well:
systemctl daemon-reload

>>to be continued

4. Firewall configuration options: firewalld and iptables

>>>>>>>>>>>>>>>>>>>>>>>>>>>
$ firewall-cmd --zone=public --remove-port=10050/tcp
##this line: runtime-to-permanent
$ firewall-cmd --runtime-to-permanent
$ firewall-cmd --reload
>>>>>>>>>>>>>>>>>>>>>>>>>>>


https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall/
The following topics to read when there is time:
Understanding IPtables Firewall Basics and Tips
Configure Iptables Firewall in Linux
Configure FirewallD in Linux
Useful FirewallD Rules to Manage Firewall in Linux
How to Control Network Traffic Using FirewallD and Iptables

# Also, you can mask the firewall service,
# which creates a symbolic link of the firewall.service to /dev/null,
# thus disabling the service.
# Unmask is the reverse of masking the service.
# This removes the symlink of the service created during masking,
# thus re-enabling the service.
systemctl start/stop/restart/disable/enable/mask/unmask/status firewalld
firewall-cmd --state


systemctl restart firewalld.service (why append .service, what does it mean?)
systemctl is-enabled firewalld.service          #check whether the service starts at boot
systemctl list-unit-files|grep enabled          #list enabled services
systemctl --failed                              #list services that failed to start

About iptables
#How to Start/Stop and Enable/Disable IPtables Service
systemctl start/stop/restart/disable/enable/status iptables
service iptables start/stop/save/status

#ubuntu/debian?
sudo ufw enable/disable/status

iptables -L -n -v

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
About firewalld: this foreign author's writeup is excellent!
https://www.liquidweb.com/kb/an-introduction-to-firewalld/

firewall-cmd --permanent --add-port=22/TCP
firewall-cmd --permanent --add-port=53/UDP
firewall-cmd --permanent --remove-port=444/tcp
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --remove-service=mysql

#whitelist an ip address
firewall-cmd --permanent --add-source=192.168.1.100
#add a range in CIDR form; learned this recently.
firewall-cmd --permanent --add-source=192.168.1.0/24
firewall-cmd --permanent --remove-source=192.168.1.100

Block an IP Address
#As the firewall-cmd tool is mostly used for opening or allowing access, 
#rich rules are needed to block an IP. 
#Rich rules are similar in form to the way iptables rules are written.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
#CIDR range
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Whitelist an IP Address for a Specific Port (More Rich Rules)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

#save
firewall-cmd --reload
firewall-cmd --runtime-to-permanent
#show
firewall-cmd --list-all

Bonus #1 :: Firewalld GUI Configuration 
You can find these under the Applications > Sundry menu on CentOS 7.x and RedHat 7.x servers that have graphical access.
To install this application, from the command line, you can run the command:
sudo yum install firewall-config

Bonus #2 :: Firewalld Direct Rules
/etc/firewalld/direct.xml

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
man 1 systemctl
SYSTEMCTL(1)                  systemctl                 SYSTEMCTL(1)

NAME
       systemctl - Control the systemd system and service manager

SYNOPSIS
       systemctl [OPTIONS...] COMMAND [NAME...]

DESCRIPTION
       systemctl may be used to introspect and control the state of
       the "systemd" system and service manager. Please refer to
       systemd(1) for an introduction into the basic concepts and
       functionality this tool manages.

>>>Hardening Linux
https://www.liquidweb.com/kb/security-for-your-linux-server/

>>>>>
The Chinese version is here; rather verbose and poorly formatted, but the content is good.
https://www.linuxidc.com/Linux/2018-01/150072.htm
The firewall daemon is independent of system-config-firewall, but the two cannot be used at the same time.
If you want to use your own static iptables and ip6tables rules, install iptables-services and disable firewalld,
then enable iptables and ip6tables:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service

The static firewall rule files are /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.

What is a zone?
A network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection can belong to only one zone,
while a zone can be used for many connections.

>>>
https://www.cnblogs.com/Raodi/p/11625487.html#_label1

>>>>>>>>>>>>>>>>>>>>>>>>
If Nginx receives a request for https://ngxin_server_name/hello/world
and the path Nginx proxies is /hello/ (i.e. the proxy is set inside location /hello/),
then with proxy_pass not ending in / the backend receives the request path /hello/world,
and with proxy_pass ending in / the backend receives the request path /world.
To serve different apps under one domain by path, choose the latter, ending in /.
Original link: https://blog.csdn.net/randomparty/java/article/details/80961189
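An added example, not from the page or from nginx: a Python model of the proxy_pass path rule described above (assumed: a plain prefix location, no regex and no rewrite). It reproduces the two cases in the note and goes one step further to the classic double-slash gotcha when the location has no trailing slash but the proxy_pass URI does.

```python
from urllib.parse import urlsplit


def upstream_path(location_prefix: str, proxy_pass: str, request_path: str) -> str:
    """Path the backend receives for a request matched by a prefix `location`.

    Rule modelled:
      * proxy_pass has no URI part (http://backend)  -> request path sent unchanged
      * proxy_pass has a URI part (http://backend/)  -> the portion of the request
        path that matched the location prefix is replaced by that URI, verbatim
    """
    if not request_path.startswith(location_prefix):
        raise ValueError(f"{request_path!r} is not under location {location_prefix!r}")
    uri = urlsplit(proxy_pass).path
    if uri == "":
        return request_path
    return uri + request_path[len(location_prefix):]


if __name__ == "__main__":
    # the two cases from the note above
    print(upstream_path("/hello/", "http://backend", "/hello/world"))   # /hello/world
    print(upstream_path("/hello/", "http://backend/", "/hello/world"))  # /world
    # gotcha: location without trailing slash + proxy_pass URI with one
    print(upstream_path("/api", "http://backend/v1/", "/api/users"))    # /v1//users
```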

Source: https://www.cnblogs.com/tekikesyo/p/13301068.html