Last updates

Использование chroot для sftp подключений

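#!/usr/bin/env bash
# Create an SFTP-only account (run as root) whose session is chrooted into
# its home /srv/ssh, with the web tree bind-mounted at /srv/ssh/chroot.
# Pairs with the sshd_config "Match Group sftponly" block and the /etc/fstab
# bind-mount line shown below.
# Usage: sftp-chroot-user.sh USERNAME
set -euo pipefail

username=${1:?usage: $0 USERNAME}

# ChrootDirectory %h resolves to /srv/ssh. sshd only accepts a chroot whose
# path components are root-owned and not writable by group or others, so the
# home directory keeps its default root:root mode; only the bind-mount
# target below is opened up for the group.
mkdir -p /srv/ssh/chroot /etc/ssh/authorized_keys

# Membership in this group is what selects the sftp-only Match block.
getent group sftponly >/dev/null || groupadd sftponly

# -N: no private group; primary group sftponly (restricted sftp session),
# supplementary www-data so the group write bits granted below apply.
useradd -G www-data -g sftponly -s /usr/sbin/nologin -d /srv/ssh -N "$username"

# Group read/write (plus search on directories) over the web tree; the
# "internal-sftp -u 0002" umask keeps files the user creates group-writable.
find /var/www/static -type d -print0 | xargs -0 chmod g+rwx --
find /var/www/static -type f -print0 | xargs -0 chmod g+rw --
chmod 775 -- /var/www/static /srv/ssh/chroot

# Expose the web tree inside the chroot; the /etc/fstab entry makes it persistent.
mountpoint -q /srv/ssh/chroot || mount -o bind /var/www/static /srv/ssh/chroot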
/etc/ssh/sshd_config
Subsystem sftp internal-sftp -u 0002
AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys .ssh/authorized_keys
Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp -u 0002
  AllowTcpForwarding no
  X11Forwarding no
  PasswordAuthentication no
/etc/fstab
LABEL=cloudimg-rootfs   /               ext4  defaults,discard  0 0
/var/www/static         /srv/ssh/chroot none  bind              0 0
2018/05/10 16:05 · kyxap

How to fix Python 2.x urllib3 SNI warning

Problem
kyxap@workbench:~$ pip search pg_activity
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
pg_activity (1.3.0)  - Command line tool for PostgreSQL server activity monitoring.
Solution
kyxap@workbench:~$ pip install pyopenssl ndg-httpsclient pyasn1 -U
2016/09/22 01:10 · kyxap

Apache-like ~/public_html access

nginx
location ~ ^/~(.+?)(/.*)?$ {
  alias /home/$1/public_html$2;
  index  index.html index.htm;
  autoindex off;
}
2016/03/13 22:02 · kyxap

ffmpeg-php centos 6.x

atrpms-repo-6-7.el6.x86_64 https://www.mirrorservice.org/sites/dl.atrpms.net/el$releasever-$basearch/atrpms/stable

atrpms.repo
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
failovermethod=priority
#baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/el$releasever-$basearch/atrpms/stable
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms
 
[atrpms-debuginfo]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms - Debug
failovermethod=priority
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/debug/el$releasever-$basearch/atrpms/stable
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms
 
[atrpms-source]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms - Source
failovermethod=priority
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/src/el$releasever-$basearch/atrpms/stable
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms
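#!/usr/bin/env bash
# Build ffmpeg-php on CentOS 6.x against the ATrpms ffmpeg packages.
# Requires the atrpms.repo file above (left enabled=0; enabled only here),
# git, and the PHP development toolchain.
set -euo pipefail

# Checkout location; override with SRC_DIR=... in the environment.
SRC_DIR=${SRC_DIR:-/opt/src/ffmpeg-php}
readonly SRC_DIR

# "install" was missing: yum needs a command before the package name.
yum --enablerepo=atrpms install ffmpeg-devel

mkdir -p -- "$SRC_DIR"
cd -- "$SRC_DIR"
git clone https://github.com/tony2001/ffmpeg-php.git
# git clone names the directory after the repository (ffmpeg-php, not ffmpeg-git).
cd ffmpeg-php

# Newer ffmpeg removed avcodec_alloc_frame(); rename every use to
# av_frame_alloc(). -Z/-d '' keep the file list NUL-delimited, and /g catches
# repeated calls on one line (the old sed replaced only the first per line).
# A tree with nothing left to patch is not an error.
while IFS= read -r -d '' src; do
  sed -i 's/avcodec_alloc_frame/av_frame_alloc/g' -- "$src"
done < <(grep -rilZ -- avcodec_alloc_frame . || true)

# ffmpeg-php is a PHP extension: generate configure with phpize when the
# checkout does not ship one. NOTE(review): confirm against the repo layout.
[[ -x ./configure ]] || phpize
./configure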
2016/01/29 21:43 · kyxap

Запуск предопределенных shell-команд через nginx fastcgi

bash скрипт
#!/usr/bin/env bash
# CGI entry point (run by fcgiwrap behind nginx): maps the HTTP-authenticated
# user to a fixed shell command and renders that command's output as HTML.
set -e

# Deterministic locale and a fixed search path for everything run below.
# NOTE(review): LANG is assigned, not exported; child processes only see it
# if the environment already exports LANG — confirm under fcgiwrap.
LANG=C
PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"

# CGI response header (blank line terminates it), then the document opening.
printf 'Content-type: text/html\n\n\n'
printf '<html><body>\n'

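#######################################
# Write a message into the page body, close the HTML document that the
# preamble already opened, and abort with status 1.
# Arguments: message words (joined with single spaces)
# Outputs:   the message and closing tags on stdout (the CGI response)
# Returns:   never; exits 1
#######################################
print_error() {
  # printf instead of echo: a message starting with "-n"/"-e" is printed
  # verbatim rather than being parsed as an echo option.
  printf '%s\n' "$*"
  # Keep the response well-formed even on the error path.
  printf '</body></html>\n'
  exit 1
}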

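#######################################
# Run one of the predefined shell commands and print its combined
# stdout/stderr into the page, HTML-escaped.
# Arguments: $1 - the command line to execute (a fixed string from the
#                 USER MAPPING below; never taken from the request)
# Outputs:   the command's output on stdout with &, < and > escaped
# Returns:   the command's exit status (set -e in the caller aborts on failure)
#######################################
runcmd() {
  local cmd=${1:-}
  local output rc=0
  [[ -n "$cmd" ]] || print_error "No args passed to runcmd()" # exit if no args
  # Capture output and status separately: piping bash straight into sed
  # would report sed's status, hiding a failed command from set -e.
  output=$(bash -c "$cmd" 2>&1) || rc=$?
  # ps(1) lines carry the argv of arbitrary local processes, which any local
  # account can fill with markup; escape before it lands in text/html.
  printf '%s\n' "$output" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
  return "$rc"
}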

##### USER MAPPING #####

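# Map of authenticated user -> fixed command: the variable name is the
# username, its value the command line. Only names listed in `users` are
# ever executed, and the command text never comes from the request.
declare -a users=()

mysqld='ps auxww | grep [m]ysqld'
users+=(mysqld)

redis='ps auxww | grep [r]edis'
users+=(redis)

# REMOTE_USER is set by nginx (fastcgi_param REMOTE_USER $remote_user) after
# auth_basic succeeded, so it names an already-authenticated account.
[[ -n "${REMOTE_USER:-}" ]] || print_error "REMOTE_USER value not found"

# Run the command mapped to the authenticated user; an unmapped user gets an
# empty body. Quoting "$user" makes == a literal comparison, not a pattern.
for user in "${users[@]}"; do
  if [[ "$REMOTE_USER" == "$user" ]]; then
    runcmd "${!user}" # indirect expansion: the command stored under that name
    break
  fi
done

printf '</body></html>\n'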

конфиг nginx
    location / {
      gzip off;

      auth_basic              "auth";
      auth_basic_user_file    /etc/nginx/conf.d/mydomain.tld.htpasswd;

      root /home/http/mydomain.tld/html;

      fastcgi_param DOCUMENT_ROOT /home/http/mydomain.tld/html;
      fastcgi_param SCRIPT_NAME   runme.sh;
      fastcgi_param REMOTE_USER $remote_user;

      fastcgi_pass  unix:/var/run/fcgiwrap.socket;

      include /etc/nginx/fastcgi_params;

      fastcgi_param SCRIPT_FILENAME  /home/http/mydomain.tld/html$fastcgi_script_name;
    }

2015/04/09 12:28 · kyxap

Shell-wrapper для standalone passenger

/opt/scripts/passenger.sh
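#!/usr/bin/env bash
# Start/stop wrapper for a standalone Passenger instance serving a Node app.
# Usage: passenger.sh start | stop | restart | status
# Intended to run as the "passenger" user (the instance starts with --user passenger).
# No set -e on purpose: "restart" must still start when "stop" finds nothing running.

_dir=/home/bundle     # app root dir
_home=/home/passenger # user home dir
_addr="0.0.0.0"
_port="8191"

_pid="$_home/passenger.pid"
_log="$_home/passenger.log"
_ngxtpl="$_home/nginx.conf.erb"

# Kept as an array so every value stays a single word regardless of spaces.
_args=(
  --address "$_addr"
  --port "$_port"
  --user passenger
  --environment production
  --pid-file "$_pid"
  --log-file "$_log"
  --nginx-config-template "$_ngxtpl"
  --daemonize
  --sticky-sessions
  --app-type node
  --startup-file main.js
)

# Load nvm (and with it node) when it is installed for this user.
# shellcheck disable=SC1090,SC1091
[[ -f "$_home/.nvm/nvm.sh" ]] && source "$_home/.nvm/nvm.sh"

export MONGO_URL='mongodb://localhost:27017/mongodb'
export ROOT_URL="http://pro-manage.net:$_port"

# Warn (but continue) when invoked as another user; passenger may then fail.
[[ "$(whoami 2>/dev/null)" == passenger ]] || printf '%s\n' "Run as passenger user" >&2

cd "$_dir" || { printf 'cannot cd to %s\n' "$_dir" >&2; exit 1; }

# Dispatch on the first argument only (the old "case $@" matched all
# arguments joined as one string, so any extra word fell through to usage).
case "${1:-}" in
  stop)
    passenger stop --port "$_port" --pid-file "$_pid"
    ;;
  start)
    passenger start "${_args[@]}"
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    passenger status --port "$_port" --pid-file "$_pid"
    ;;
  *)
    printf 'usage: %s stop | start | restart | status\n' "$0"
    ;;
esac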
2015/04/09 10:16 · kyxap

Получение диапазона IP адресов

Prerequisites
# Tools used by the pipelines below: jq (JSON), netmask (CIDR math), moreutils.
# The Perl aggregator comes from a gist URL pinned to one revision, so the
# file behind the URL cannot silently change.
tools_dir=~/tmp
apt-get install jq netmask moreutils
mkdir -p "$tools_dir"
wget -P "$tools_dir" https://gist.githubusercontent.com/kyxap1/5233d86a9649f142e0c894598d4d60b0/raw/b369cf61cea3f20cce96244c33e55a6da0c92b89/aggregate-cidr-addresses.pl
chmod +x "$tools_dir/aggregate-cidr-addresses.pl"
Google1
# Google IPv4 ranges from SPF, emitted as OpenVPN "route" lines via vpn_gateway:
# _spf.google.com lists include: names, and each of those holds the ip4: blocks.
spf_includes=$(dig +short TXT _spf.google.com | grep -oP '(?<=include:).+?\s')
ip4_blocks=$(xargs dig +short TXT <<<"$spf_includes" | grep -oP '(?<=ip4:).+?\s')
xargs netmask -s <<<"$ip4_blocks" | perl -pne 's#(.+)/(.+)#route \1 \2 vpn_gateway#'
Google2
# Google's published IPv4 prefixes (goog.json), one CIDR per line.
wget -qO- https://www.gstatic.com/ipranges/goog.json \
  | jq -r '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix'
Amazon
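# AWS IPv4 prefixes, aggregated into covering CIDRs and version-sorted.
# The aggregator lives in ~/tmp (where the Prerequisites step put it); the
# old "./tmp/" path only resolved when run from $HOME.
wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json \
  | jq -r '.prefixes[].ip_prefix' \
  | "$HOME/tmp/aggregate-cidr-addresses.pl" \
  | sort -V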
Github
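# GitHub's published ranges (hooks, web, api, git, pages, importer),
# aggregated and version-sorted. ".[]?" yields nothing for a key the API no
# longer returns (null) instead of aborting the whole listing; the aggregator
# path is ~/tmp as in Prerequisites (the old "./tmp/" only worked from $HOME).
wget -qO- https://api.github.com/meta \
  | jq -r '(.hooks, .web, .api, .git, .pages, .importer) | .[]?' \
  | "$HOME/tmp/aggregate-cidr-addresses.pl" \
  | sort -V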
2015/02/28 22:49 · kyxap