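# Run as root. Creates an SFTP-only account that is chrooted to /srv/ssh and
# whose only writable area is a bind mount of the static web root.
# USERNAME is a placeholder for the account being created.

# Chroot base (also the account's home) and the directory for per-user keys.
mkdir -p /srv/ssh/chroot
mkdir -p /etc/ssh/authorized_keys /srv/ssh/chroot

# sshd rejects a ChrootDirectory unless every path component is a root-owned
# directory that no other user or group can write. Pin that explicitly rather
# than relying on the umask in effect when the directory was created.
chown root:root /srv/ssh
chmod 755 /srv/ssh

groupadd sftponly
# No login shell; www-data as a supplementary group gives access to the web root.
useradd -G www-data -g sftponly -s /usr/sbin/nologin -d /srv/ssh -N USERNAME

# Make the web root group-writable. -exec ... + does not run chmod at all when
# find matches nothing, unlike a bare "| xargs chmod".
find /var/www/static -type d -exec chmod g+xwr {} +
find /var/www/static -type f -exec chmod g+wr {} +
chmod 775 /var/www/static /srv/ssh/chroot

# Expose the web root inside the chroot. Only this subdirectory is writable;
# /srv/ssh itself stays root-owned.
mount -o bind /var/www/static /srv/ssh/chroot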
# Use the SFTP server built into sshd, so the chroot needs no binaries or
# libraries. -u 0002 sets the umask for files created over SFTP.
Subsystem sftp internal-sftp -u 0002
# Key lookup order. The first path lies outside every home directory; the
# second and third both resolve inside the account's home.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys .ssh/authorized_keys
# Restrictions applied to members of the sftponly group only.
Match Group sftponly
# %h is the account's home directory. sshd requires every component of this
# path to be a root-owned directory not writable by any other user or group.
ChrootDirectory %h
# Ignore whatever command the client asks for and always run the SFTP server.
ForceCommand internal-sftp -u 0002
AllowTcpForwarding no
X11Forwarding no
# Key-based authentication only for this group.
PasswordAuthentication no
# Root filesystem, selected by label.
LABEL=cloudimg-rootfs / ext4 defaults,discard 0 0
# Bind-mount /var/www/static onto /srv/ssh/chroot at boot.
/var/www/static /srv/ssh/chroot none bind 0 0
kyxap@workbench:~$ pip search pg_activity /usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning. SNIMissingWarning /usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning pg_activity (1.3.0) - Command line tool for PostgreSQL server activity monitoring.
kyxap@workbench:~$ pip install pyopenssl ndg-httpsclient pyasn1 -U
# Per-user web directories: /~USER/PATH is served from /home/USER/public_html/PATH.
location ~ ^/~(.+?)(/.*)?$ {
# $1 is the user name captured after "~", $2 the optional rest of the path.
# NOTE(review): the content under public_html is user-controlled, including
# symlinks; consider "disable_symlinks if_not_owner;" if users should not be
# able to publish files they do not own.
alias /home/$1/public_html$2;
index index.html index.htm;
# Do not generate listings for directories that lack an index file.
autoindex off;
}
atrpms-repo-6-7.el6.x86_64 https://www.mirrorservice.org/sites/dl.atrpms.net/el$releasever-$basearch/atrpms/stable
# ATrpms binary packages, fetched from an HTTPS mirror; the plain-HTTP upstream
# URL is left commented out.
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
failovermethod=priority
#baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/el$releasever-$basearch/atrpms/stable
# Disabled by default; opt in per transaction with --enablerepo=atrpms.
enabled=0
# Package signatures are checked against the key file below.
# NOTE(review): that check is only as good as the key file; confirm its
# fingerprint when installing it.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms

# Debug packages for the repository above.
[atrpms-debuginfo]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms - Debug
failovermethod=priority
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/debug/el$releasever-$basearch/atrpms/stable
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms

# Source packages for the repository above.
[atrpms-source]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms - Source
failovermethod=priority
baseurl=https://www.mirrorservice.org/sites/dl.atrpms.net/src/el$releasever-$basearch/atrpms/stable
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-atrpms
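#!/usr/bin/env bash
# Build ffmpeg-php from source against ffmpeg-devel from the ATrpms repository.
# Stops at the first failing step so a failed clone or cd cannot lead to
# sed/configure running in the wrong directory.
set -eu

# The atrpms repo is enabled for this one transaction only. yum needs an
# explicit subcommand, so "install" is spelled out.
yum --enablerepo=atrpms install ffmpeg-devel

SRC_DIR=/opt/src/ffmpeg-php
mkdir -p -- "$SRC_DIR"
cd -- "$SRC_DIR"

# NOTE(review): this builds whatever the default branch holds at clone time.
# Check out a commit you have reviewed if the build must be reproducible.
git clone https://github.com/tony2001/ffmpeg-php.git
# git clone names the checkout after the repository: ffmpeg-php.
cd ffmpeg-php

# Rename the frame-allocation call in the sources. .git and binary files are
# skipped so sed -i cannot rewrite repository objects, and -r keeps xargs from
# running sed with no file operands when nothing matches.
grep -rIlZ --exclude-dir=.git avcodec_alloc_frame . \
  | xargs -0 -r sed 's/avcodec_alloc_frame/av_frame_alloc/' -i

./configure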
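#!/usr/bin/env bash
# CGI script: runs the one fixed command mapped to the authenticated user and
# returns its output inside an HTML page.
#
# REMOTE_USER is read from the environment. It can be trusted only when the
# web server sets it after authenticating the request and nothing else can
# reach this script.
set -e
LANG=C
PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"

# print header
echo -e "Content-type: text/html\n\n";

# print body/command
echo "<html><body>";

# Print an error message into the page and stop with status 1.
print_error() { echo "$@"; exit 1; }

# Escape HTML metacharacters read from stdin, so command output is displayed
# as text and never interpreted as markup by the browser.
html_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Run one command string and print its combined stdout/stderr, HTML-escaped.
# Arguments: $1 - command line taken from the commands table below
# Returns:   the exit status of the command
runcmd() {
  if [[ -z "${1:-}" ]]; then
    print_error "No args passed to runcmd()" # exit if no args
  fi
  local output status=0
  # Only $1 is handed to bash -c; further arguments would otherwise become the
  # positional parameters of the child shell.
  output=$(bash -c "$1" 2>&1) || status=$?
  if [[ -n "$output" ]]; then
    printf '%s\n' "$output" | html_escape
  fi
  return "$status"
}

##### USER MAPPING #####
# Explicit user -> command table. Only names listed here can run anything;
# the table does not depend on which variables happen to exist in the
# environment. The [m]/[r] brackets keep grep from matching its own entry in
# the process list, and are quoted so the shell cannot glob-expand them
# against the working directory.
# NOTE(review): ps auxww prints full command lines, which can include
# credentials passed as arguments; confirm showing them to these users is intended.
declare -A commands=(
  [mysqld]='ps auxww | grep "[m]ysqld"'
  [redis]='ps auxww | grep "[r]edis"'
)

# check for authenticated user
[[ -n "${REMOTE_USER:-}" ]] || print_error "REMOTE_USER value not found"

# Run the command of the matching user. Both sides are quoted, so this is an
# exact string comparison and not a pattern match.
for user in "${!commands[@]}"; do
  if [[ "$REMOTE_USER" == "$user" ]]; then
    runcmd "${commands[$user]}"
    break
  fi
done

echo "</body></html>";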
# Password-protected location that hands requests to fcgiwrap over a unix socket.
location / {
gzip off;
# HTTP Basic authentication against the htpasswd file below.
# NOTE(review): Basic credentials are only base64-encoded on the wire; confirm
# the enclosing server block is reachable over TLS only.
auth_basic "auth";
auth_basic_user_file /etc/nginx/conf.d/mydomain.tld.htpasswd;
root /home/http/mydomain.tld/html;
fastcgi_param DOCUMENT_ROOT /home/http/mydomain.tld/html;
fastcgi_param SCRIPT_NAME runme.sh;
# The authenticated user name is passed to the script as REMOTE_USER.
# NOTE(review): a script that authorises on REMOTE_USER trusts this value, so
# the fcgiwrap socket should be reachable by nginx only; check its permissions.
fastcgi_param REMOTE_USER $remote_user;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
# NOTE(review): the script path is built from the request URI, so which file
# under the document root gets executed depends on the URL. If runme.sh is the
# only intended script, consider a fixed SCRIPT_FILENAME for it.
fastcgi_param SCRIPT_FILENAME /home/http/mydomain.tld/html$fastcgi_script_name;
}
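#!/usr/bin/env bash
# Control script for a Node.js app served by "passenger start".
# Usage: <script> stop | start | restart | status

_dir=/home/bundle # app root dir
_home=/home/passenger # user home dir
# NOTE(review): 0.0.0.0 listens on every interface. If a reverse proxy on this
# host fronts the app, a loopback address keeps the port off the network.
_addr="0.0.0.0"
_port="8191"
_pid="$_home/passenger.pid"
_log="$_home/passenger.log"
_ngxtpl="$_home/nginx.conf.erb"

# An array keeps each option and value a separate word, even if a path ever
# contains whitespace.
_args=(
  --address "$_addr"
  --port "$_port"
  --user passenger
  --environment production
  --pid-file "$_pid"
  --log-file "$_log"
  --nginx-config-template "$_ngxtpl"
  --daemonize
  --sticky-sessions
  --app-type node
  --startup-file main.js
)

# Load nvm when it is installed for the passenger user.
if [[ -f "$_home/.nvm/nvm.sh" ]]; then
  source "$_home/.nvm/nvm.sh"
fi

# NOTE(review): the MongoDB URL carries no credentials and ROOT_URL is plain
# http; confirm both are acceptable for a production environment.
export MONGO_URL='mongodb://localhost:27017/mongodb'
export ROOT_URL="http://pro-manage.net:$_port"

# Warning only: the script carries on under the current user.
[[ "$(whoami 2>/dev/null)" == passenger ]] || echo "Run as passenger user"

# Do not start or stop anything from the wrong directory.
cd "$_dir" || exit 1

case "$*" in
  stop)
    passenger stop --port "$_port" --pid-file "$_pid"
    ;;
  start)
    passenger start "${_args[@]}"
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    passenger status --port "$_port" --pid-file "$_pid"
    ;;
  *)
    echo "usage: $0 stop | start | restart | status"
    ;;
esac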
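# Tools used by the pipelines below.
apt-get install jq netmask moreutils

# Helper script, judging by its name a CIDR aggregator. The raw URL names one
# specific gist revision, so the content behind it cannot change silently.
# Still read the script before making it executable and running it.
wget -P ~/tmp https://gist.githubusercontent.com/kyxap1/5233d86a9649f142e0c894598d4d60b0/raw/b369cf61cea3f20cce96244c33e55a6da0c92b89/aggregate-cidr-addresses.pl
chmod +x ~/tmp/aggregate-cidr-addresses.pl

# Everything below turns remote data (DNS TXT records, published JSON) into
# address lists. Review the output before loading it into routing or firewall
# configuration.

# Google SPF ranges: follow each include: record, collect the ip4: networks and
# print them as "route ADDRESS NETMASK vpn_gateway" lines.
dig +short TXT _spf.google.com \
  | grep -oP "(?<=include:).+?\s" \
  | xargs dig +short TXT \
  | grep -oP "(?<=ip4:).+?\s" \
  | xargs netmask -s \
  | perl -pne 's#(.+)/(.+)#route \1 \2 vpn_gateway#'

# Google IPv4 prefixes from the published range list.
wget -q https://www.gstatic.com/ipranges/goog.json -O - \
  | jq '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix' -r

# AWS IPv4 prefixes, aggregated and sorted. The helper is called from ~/tmp,
# where the wget above saved it, so this works from any working directory.
wget https://ip-ranges.amazonaws.com/ip-ranges.json -O - \
  | jq -r ".prefixes[].ip_prefix" \
  | ~/tmp/aggregate-cidr-addresses.pl \
  | sort -V

# GitHub service ranges from the meta API, aggregated and sorted.
wget -O - https://api.github.com/meta \
  | jq -r ".hooks, .web, .api, .git, .pages, .importer | .[]" \
  | ~/tmp/aggregate-cidr-addresses.pl \
  | sort -V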