apache2.4
RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 127.0.0.1
apache2.2
Не требует никакой настройки, достаточно скомпилировать и установить. При необходимости можно изменить заголовок с X-Real-IP на желаемый.
# apxs -a -i -c mod_realip.c
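#include "httpd.h"
#include "http_config.h"
#include "apr_strings.h"
#include <arpa/inet.h>

module AP_MODULE_DECLARE_DATA realip_module;

/*
 * post_read_request hook: replace the connection's peer address with the
 * last address listed in the X-Real-IP request header.
 *
 * The header value is trusted as-is, so Apache must only be reachable from
 * the reverse proxy that sets it (the vhost generator on this page binds
 * Apache to 127.0.0.1:82 behind nginx, which overwrites X-Real-IP with the
 * real peer address). Any client that can talk to Apache directly could
 * otherwise pick the address that ends up in logs and access control.
 *
 * For Apache 2.4 the connection fields are named client_ip/client_addr;
 * the sed on this page performs that rename.
 *
 * Returns DECLINED in every case so later hooks still run.
 */
static int change_remote_ip(request_rec *r)
{
    const char *fwdvalue = apr_table_get(r->headers_in, "X-Real-IP");
    if (fwdvalue == NULL) {
        return DECLINED;
    }

    /* Collect the comma-separated tokens; the last one wins. */
    apr_array_header_t *arr = apr_array_make(r->pool, 0, sizeof(char *));
    char *val;
    while (*fwdvalue && (val = ap_get_token(r->pool, &fwdvalue, 1))) {
        *(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
        if (*fwdvalue != '\0') {
            ++fwdvalue; /* step over the separator */
        }
    }

    /* An empty header value yields no tokens; the original then read
     * elts[-1], an out-of-bounds access. */
    if (arr->nelts == 0) {
        return DECLINED;
    }
    const char *last = ((char **)arr->elts)[arr->nelts - 1];

    /* Reject anything inet_addr() cannot parse instead of storing
     * INADDR_NONE (255.255.255.255) as the peer address. */
    in_addr_t addr = inet_addr(last);
    if (addr == INADDR_NONE) {
        return DECLINED;
    }

    /* Only the IPv4 view of the sockaddr is written; writing sa.sin on an
     * AF_INET6 connection would corrupt the address. */
    if (r->connection->remote_addr->family != APR_INET) {
        return DECLINED;
    }

    r->connection->remote_ip = apr_pstrdup(r->connection->pool, last);
    r->connection->remote_addr->sa.sin.sin_addr.s_addr = addr;
    return DECLINED;
}

/* Run first in post_read_request so every later hook sees the new address. */
static void register_hooks(apr_pool_t *p)
{
    ap_hook_post_read_request(change_remote_ip, NULL, NULL, APR_HOOK_FIRST);
}

module AP_MODULE_DECLARE_DATA realip_module = {
    STANDARD20_MODULE_STUFF,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    register_hooks,
};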
# sed 's/remote_ip/client_ip/g;s/remote_addr/client_addr/g' -i mod_realip.c
diff -Nru oops-1.5.23.orig/src/lib/rwlock/rwlock.c oops-1.5.23/src/lib/rwlock/rwlock.c
--- oops-1.5.23.orig/src/lib/rwlock/rwlock.c 2000-11-29 19:03:35.000000000 +0200
+++ oops-1.5.23/src/lib/rwlock/rwlock.c 2006-09-06 00:30:36.000000000 +0300
@@ -53,6 +53,8 @@
 #include <pthread.h>
 #include "rwlock.h"
+#if defined(OOPS_IMPLEMENT_RWLOCK)
+
 /* maximum number of times a read lock may be obtained */
 #define MAX_READ_LOCKS (INT_MAX - 1)
@@ -375,4 +377,6 @@
 return(0);
 }
+#endif /* defined(OOPS_IMPLEMENT_RWLOCK) */
+
 #endif /* _THREAD_SAFE || _PTHREADS || _REENTRANT */
diff -Nru oops-1.5.23.orig/src/lib/rwlock/rwlock.h oops-1.5.23/src/lib/rwlock/rwlock.h
--- oops-1.5.23.orig/src/lib/rwlock/rwlock.h 2003-10-06 17:15:40.000000000 +0300
+++ oops-1.5.23/src/lib/rwlock/rwlock.h 2006-09-06 00:29:46.000000000 +0300
@@ -53,6 +53,7 @@
 #if !defined(PTHREAD_RWLOCK_INITIALIZER)
 #define PTHREAD_RWLOCK_INITIALIZER NULL
+#define OOPS_IMPLEMENT_RWLOCK 1
 struct pthread_rwlock {
 pthread_mutex_t lock; /* monitor lock */
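Review bot: The new `#define OOPS_IMPLEMENT_RWLOCK 1` in the rwlock.h hunk has no comment, so a reader of the matching `#if defined(OOPS_IMPLEMENT_RWLOCK)` / `#endif` pair in the two rwlock.c hunks has to work out that the absence of PTHREAD_RWLOCK_INITIALIZER is what selects the bundled implementation. Suggest `/* no native pthread rwlock found: compile the monitor-based fallback in rwlock.c */` above the define. The guard in rwlock.c depends on `#include "rwlock.h"` preceding it, which the first hunk shows; the outer `#if` for _THREAD_SAFE that the last context line closes begins outside the hunk. Using the initializer macro as the probe presumably assumes a platform without it also lacks pthread_rwlock_t; if one ships the type without the macro, the `struct pthread_rwlock` below the define would collide with the system header.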
Переписать этот ужас.
Только Debian. Пользователь, которому принадлежат сайты, должен быть предварительно создан.
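#!/bin/bash
# add-vhost: create one virtual host for $domain owned by $user on a Debian
# host where nginx (port 80) proxies to Apache on 127.0.0.1:82, then add the
# bind zone and, if logging was requested, a logrotate entry.
#
# $domain, $user and $logs may be preset in the environment; anything missing
# is asked for interactively.  The owning user must already exist.
#
# Changes from the previous version:
#  - $domain and $user are validated before they are spliced into paths,
#    Apache/nginx/bind config and shell commands;
#  - answering "n" to the logs question really disables logging (the old
#    `unset $logs` unset a variable named after the answer, leaving $logs set);
#  - apache2ctl configtest / nginx -t / named-check* are judged by exit
#    status: they report on stderr, so `[[ -z $(...) ]]` always passed;
#  - the zone serial uses %H instead of %k, which pads hours below 10 with a
#    space and produced a broken SOA record;
#  - the backtick around nginx.pid in the logrotate template is escaped so it
#    runs at rotation time, not while this script writes the template;
#  - the host IP is read from the "src" field of `ip route get`; newer
#    iproute2 appends "uid N", so the last field is no longer the address;
#  - Options lines no longer mix +/- and bare keywords, which Apache 2.4
#    rejects at startup.

DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
USER_RE='^[a-z_][a-z0-9_-]*$'

# Ask for the domain unless preset; accept only a plain dotted hostname.
function read_domain {
    if [[ -z $domain ]]; then
        echo -n "Provide domain to add: "
        read -r domain
    fi
    if [[ ! $domain =~ $DOMAIN_RE ]]; then
        echo "Invalid domain name: '$domain'"
        exit 1
    fi
}

# Ask for the owner login unless preset; accept only a plain Unix user name.
function read_user {
    if [[ -z $user ]]; then
        echo -n "Provide domain's owner login: "
        read -r user
    fi
    if [[ ! $user =~ $USER_RE ]]; then
        echo "Invalid user name: '$user'"
        exit 1
    fi
}

# Ask whether to enable logs; afterwards $logs is either "1" or unset,
# which is what the [[ $logs ]] tests below rely on.
function read_logs {
    if [[ -z $logs ]]; then
        echo -n "Enable access/error logs? [y/N]: "
        read -r logs
    fi
    case $logs in
        y*|Y*) LOGS=1; logs=1 ;;
        *) unset logs ;;
    esac
}

function init_vars {
    #### BASE SETTINGS ####
    CLIENTS_HOME="/home/clients"
    DOMAIN_DIR="$CLIENTS_HOME/$user/domains/$domain"
    DOCROOT="$DOMAIN_DIR/html"
    LOGSDIR="$DOMAIN_DIR/logs"
    TMPCONFDIR="/opt/scripts/www_configs"
    # can be set as IP='111.111.111.111' (in the environment or here)
    if [[ -z $IP ]]; then
        IP=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }')
    fi
    if [[ -z $IP ]]; then
        echo "Could not determine this host's IP address; set IP= before running"
        exit 1
    fi
    mkdir -p "$TMPCONFDIR"
    if ! id "$user" >/dev/null 2>&1; then
        echo "You need to create user '$user' first!"
        exit 1
    fi
    if [[ ! -d $DOCROOT ]]; then
        mkdir -p "$DOCROOT"
        chown -R "$user:$user" "$DOCROOT"
    fi
    mkdir -p "$LOGSDIR"
}

# Write the Apache vhost (backend on 127.0.0.1:82) to $TMPCONFDIR.
function generate_apache_vhost {
    local log_block=""
    if [[ $logs ]]; then
        log_block="LogLevel warn
    ErrorLog $LOGSDIR/apache_error_log
    CustomLog $LOGSDIR/apache_access_log combined"
    fi
    if [[ $domain ]] && [[ $user ]]; then
        cat > "$TMPCONFDIR/apache.$domain" << EOF
<VirtualHost 127.0.0.1:82>
    <IfModule mpm_itk_module>
        AssignUserId $user $user
    </IfModule>
    ServerName $domain
    ServerAlias www.$domain
    ServerAdmin $user@$domain
    DocumentRoot $DOCROOT
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory $DOCROOT>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ $DOCROOT/cgi-bin/
    <Directory "$DOCROOT/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    $log_block
</VirtualHost>
EOF
    fi
}

# Write the nginx front-end vhost to $TMPCONFDIR.  X-Real-IP is set from the
# real peer address, so a client-supplied header never reaches Apache.
function generate_nginx_vhost {
    local log_block=""
    if [[ $logs ]]; then
        log_block="access_log $LOGSDIR/nginx_access_log;
    error_log $LOGSDIR/nginx_error_log;"
    fi
    if [[ $domain ]] && [[ $user ]]; then
        cat > "$TMPCONFDIR/nginx.$domain" << EOF
server {
    listen 80;
    server_name $domain www.$domain;
    root $DOCROOT;
    location / {
        proxy_pass http://127.0.0.1:82/;
        proxy_redirect off;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
    # static files are served by nginx directly (the extension dot is
    # escaped; the original pattern used a bare "." here)
    location ~* ^.+\\.(jpg|gif|png|avi|mpg|zip|exe)$ {
        root $DOCROOT;
    }
    $log_block
}
EOF
    fi
}

# Write the bind zone file to $TMPCONFDIR.
function generate_named_vhost {
    local serial
    # %H, not %k: %k pads hours below 10 with a space and breaks the serial.
    serial=$(/bin/date +"%Y%m%d%H")
    cat > "$TMPCONFDIR/named.$domain" << EOF
\$TTL 10800
@       IN  SOA ns1.$domain. root.$domain. (
            $serial ; serial
            10800   ; refresh
            3600    ; retry
            604800  ; expire
            3600 )  ; minimum
; NS
        IN  NS  ns1.$domain.
        IN  NS  ns2.$domain.
; MX
        IN  MX  10 mx1.$domain.
; records
ns1         IN  A   $IP
ns2         IN  A   $IP
mx1         IN  A   $IP
www         IN  A   $IP
$domain.    IN  A   $IP
EOF
}

function enable_apache_vhost {
    local conf="/etc/apache2/sites-available/${domain}.conf"
    if [[ -f $conf ]]; then
        echo "Domain $domain already exists in $conf"
        exit 1
    fi
    cp "$TMPCONFDIR/apache.$domain" "$conf"
    a2ensite "$domain"
    # configtest prints "Syntax OK" and errors alike to stderr, so only the
    # exit status tells whether the config is valid.
    if apache2ctl configtest >/dev/null 2>&1; then
        /etc/init.d/apache2 reload
        echo "$domain enabled!"
    else
        echo "Errors detected, please solve it manually!"
        exit 1
    fi
}

function enable_nginx_vhost {
    local avail="/etc/nginx/sites-available/$domain"
    if [[ -f $avail ]]; then
        echo "Domain $domain already exists in $avail"
        exit 1
    fi
    cp "$TMPCONFDIR/nginx.$domain" "$avail"
    ln -s "$avail" "/etc/nginx/sites-enabled/$domain"
    # nginx -t reports on stderr; judge by exit status.
    if nginx -t >/dev/null 2>&1; then
        /etc/init.d/nginx reload
        echo "$domain enabled!"
    else
        echo "Errors detected, please solve it manually!"
        exit 1
    fi
}

function enable_named_vhost {
    local zone="/etc/bind/zones/$domain.conf"
    [[ -d /etc/bind/zones ]] || mkdir -p /etc/bind/zones
    if [[ -f $zone ]]; then
        echo "Zone $domain already exists in $zone"
        exit 1
    fi
    cp "$TMPCONFDIR/named.$domain" "$zone"
    cat >> /etc/bind/named.conf.local << EOF
zone "$domain" {
    type master;
    file "$zone";
};
EOF
    # On failure the zone stanza appended above stays in named.conf.local;
    # the operator is told to fix it by hand, as before.
    if /usr/sbin/named-checkconf >/dev/null 2>&1 \
        && /usr/sbin/named-checkzone -q "$domain" "$zone" >/dev/null 2>&1; then
        /usr/sbin/rndc reload
        echo "bind9: $domain enabled"
    else
        echo "Errors detected, please solve it manually!"
        exit 1
    fi
}

# Write the logrotate stanza; install it only when logging was enabled.
function enable_logrotate {
    mkdir -p /etc/logrotate.d/vhosts
    # Only "\$" and "\`" are escaped below; the rest is expanded now.
    cat > "$TMPCONFDIR/logrotate.$domain" << EOF
$LOGSDIR/*_log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 0644 root root
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \\
            run-parts /etc/logrotate.d/httpd-prerotate; \\
        fi; \\
    endscript
    postrotate
        /etc/init.d/apache2 reload > /dev/null
        [ ! -f /var/run/nginx.pid ] || kill -USR1 \`cat /var/run/nginx.pid\`
    endscript
}
EOF
    if [[ $logs ]]; then
        # install logrotate
        if [[ -f "/etc/logrotate.d/vhosts/$domain" ]]; then
            echo "Domain $domain already exists in /etc/logrotate.d/vhosts/$domain"
            exit 1
        fi
        cp "$TMPCONFDIR/logrotate.$domain" "/etc/logrotate.d/vhosts/$domain"
    fi
}

read_domain
read_user
read_logs
init_vars
generate_apache_vhost
generate_nginx_vhost
generate_named_vhost
enable_apache_vhost
enable_nginx_vhost
enable_named_vhost
enable_logrotate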
Необходимо предварительно создать пользователя http
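#!/bin/bash
# Older single-Apache variant: create the document root, an Apache vhost and
# a bind zone for one domain.  The "http" user must already exist.
#
# The site name is typed in interactively and validated before use, because
# it is spliced into filesystem paths, the Apache config and the zone file.

echo -n "Введите имя сайта: "
read -r domain

DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
if [[ ! $domain =~ $DOMAIN_RE ]]; then
    echo "Invalid domain name: '$domain'"
    exit 1
fi

DOCROOT="/home/http/domains/$domain/html"

# CREATE THE DIRECTORY
mkdir -p "$DOCROOT/cgi-bin"
chown -R http:http "$DOCROOT"

# CREATE THE APACHE VHOST CONFIG
# The cgi-bin <Directory> now names the real filesystem path; the original
# used "/cgi-bin/", which does not exist, so ExecCGI never applied to the
# aliased directory.  Options/AllowOverride are scoped to the document root
# instead of "/", and Options lines no longer mix bare keywords with +/-,
# which Apache documents as invalid.
cat > "/etc/apache2/sites-available/$domain" << EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $DOCROOT
    ErrorLog /dev/null
    ScriptAlias /cgi-bin/ "$DOCROOT/cgi-bin/"
    <Directory "$DOCROOT/cgi-bin/">
        AllowOverride None
        Options +FollowSymLinks +ExecCGI
        DirectoryIndex index.pl
    </Directory>
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory "$DOCROOT">
        Options -Indexes +ExecCGI +FollowSymLinks +Includes
        AllowOverride All
    </Directory>
</VirtualHost>
EOF

# ENABLE THE VHOST
/usr/sbin/a2ensite "$domain"
/etc/init.d/apache2 reload

# CREATE THE DNS ZONE FILE
# %H, not %k: %k pads hours below 10 with a space and breaks the serial.
serial=$(/bin/date +"%Y%m%d%H")
cat > "/etc/bind/zones/$domain" << EOF
\$TTL 10800
@       IN  SOA ns1.$domain. root.$domain. (
            $serial ; serial
            10800   ; refresh
            3600    ; retry
            604800  ; expire
            3600 )  ; minimum
; NS
        IN  NS  ns1.$domain.
        IN  NS  ns2.$domain.
; MX
        IN  MX  10 mx1.$domain.
; records
ns1         IN  A   95.169.190.217
ns2         IN  A   95.169.191.217
www         IN  A   95.169.191.217
$domain.    IN  A   95.169.191.217
EOF

# ADD THE ZONE TO named.conf.local
cat >> /etc/bind/named.conf.local << EOF
zone "$domain" {
    type master;
    file "/etc/bind/zones/$domain";
};
EOF

# ENABLE THE ZONE
/usr/sbin/rndc reload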
Костыль проверяет количество чайлдов апача; если оно меньше значения директивы MinSpareServers, то прибивает все процессы вебсервера через kill -9, чистит семафоры и стартует апач. Добавить в крон на каждую минуту.
* * * * * /opt/scripts/apache/apache_checker.sh check
# mkdir /opt/scripts/apache
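#!/bin/bash
# apache_checker.sh: crude Apache watchdog, meant to run from cron every
# minute as "apache_checker.sh check".  When the number of Apache processes
# is at or below MinSpareServers it kills every Apache process, clears the
# semaphores owned by $APACHEUSER, starts Apache again, and logs and mails
# an alert.  The script uses [[ ]], so it needs bash rather than /bin/sh.

ALERTEMAIL="[email protected]"
APACHECTL=/usr/sbin/apache2ctl
SCRIPT_DIR=/opt/scripts/apache
# "[b]in/apache" matches the Apache command lines but not this grep itself,
# which "grep -c bin/apache" counted as one running process.
RUNNING_PROCESSES=$(ps auxww | grep -c '[b]in/apache')
APACHEUSER="www-data"
MinSpareServers="24"
######## [DO NOT MODIFY] ###
LOG_FILE=${SCRIPT_DIR}/status.log
DATE=$(date '+%Y-%m-%d %T')

apache_start() {
    "$APACHECTL" start
}

# Orderly stop first, then kill whatever is left: this script exists for the
# case where Apache no longer reacts to apachectl.
apache_stop() {
    "$APACHECTL" stop
    sleep 1
    killall -9 apache httpd apache2 >/dev/null 2>&1
}

apache_restart() {
    apache_stop
    sleep 1
    apache_semclear
    apache_start
}

# Restart and alert when too few Apache processes are running.
apache_check() {
    if [[ ${RUNNING_PROCESSES} -le $MinSpareServers ]]; then
        local msg="${DATE} ALERT: $(hostname -f) - apache was restarted"
        apache_restart
        echo "$msg" >> "${LOG_FILE}"
        echo "$msg" | /usr/sbin/sendmail "$ALERTEMAIL"
    fi
}

# Remove the semaphore sets owned by $APACHEUSER.  "ipcs -s" restricts the
# listing to semaphores; the original grepped the whole ipcs output and so
# also passed shared-memory and message-queue ids to "ipcrm -s".
apache_semclear() {
    local id
    for id in $(ipcs -s | grep "$APACHEUSER" | awk '{ print $2 }'); do
        ipcrm -s "$id"
    done
}

case $1 in
    start)    apache_start ;;
    stop)     apache_stop ;;
    restart)  apache_restart ;;
    check)    apache_check ;;
    semclear) apache_semclear ;;
    *)        echo "Script usage: $0 start | stop | restart | check | semclear" ;;
esac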
Работает под debian.
# mkdir -p /opt/scripts/monitoring/active_alerts
Скрипт положить в /opt/scripts/monitoring/checker.sh
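#!/bin/bash
# checker.sh: probe each "ip server" pair listed in $SCRIPT_DIR/targets over
# HTTP and send SMS alerts (through an e-mail-to-SMS gateway) when a server
# goes DOWN, once an hour while it stays down, and on recovery together with
# the downtime length.  The outage start time (epoch seconds) is kept in
# $SCRIPT_DIR/active_alerts/<server> while an outage is open.
#
# Fixes over the previous version: the DOWN branch logged "is UP, downtime
# is" with an empty length; the log was truncated on every write instead of
# appended; loop variables leaked between alert() and check().

SCRIPT_DIR=/opt/scripts/monitoring
LOG_FILE=${SCRIPT_DIR}/status.log
PHONES="80501234567 80507654321"
CURDATE=$(/bin/date +"%s")

mkdir -p "$SCRIPT_DIR/active_alerts"

# alert DATE SERVER MESSAGE — one mail per phone number in $PHONES.
function alert {
    local phone
    for phone in $PHONES; do
        echo "$1 $2 $3" | /usr/sbin/sendmail -fmonitoring@monitoring "${phone}@sms.mysmsgate.com"
    done
}

# downtime_since START — time elapsed since epoch START, printed as HH:MM:SS.
function downtime_since {
    local elapsed=$(( CURDATE - $1 ))
    /bin/date -u +"%T" --date="@${elapsed}"
}

# is_up IP — succeeds when the probe page answers with SUCCESS.
function is_up {
    /usr/bin/wget -T 5 --tries=3 -q -O - "http://$1/.do_not_remove.php" | grep -q SUCCESS
}

function check {
    local ip server startdate now length
    while read -r ip server; do
        [[ -z $server ]] && continue
        if is_up "$ip"; then
            if [[ -e $SCRIPT_DIR/active_alerts/$server ]]; then
                startdate=$(< "$SCRIPT_DIR/active_alerts/$server")
                now=$(/bin/date +"%F %T")
                length=$(downtime_since "$startdate")
                alert "$now" "$server" "is UP, downtime is $length"
                echo "$now" "$server" "is UP, downtime is $length" >> "$LOG_FILE"
                rm -f "$SCRIPT_DIR/active_alerts/$server"
            fi
        elif [[ -e $SCRIPT_DIR/active_alerts/$server ]]; then
            # Still down: repeat the alert at the top of every hour.
            if [[ $(/bin/date +"%M") == 00 ]]; then
                startdate=$(< "$SCRIPT_DIR/active_alerts/$server")
                now=$(/bin/date +"%F %T")
                length=$(downtime_since "$startdate")
                alert "$now" "$server" "down for $length"
            fi
        else
            echo "$CURDATE" > "$SCRIPT_DIR/active_alerts/$server"
            now=$(/bin/date +"%F %T")
            alert "$now" "$server" "is DOWN"
            echo "$now" "$server" "is DOWN" >> "$LOG_FILE"
        fi
    done < "$SCRIPT_DIR/targets"
}

check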
local <HOST IP> port 1194 proto tcp dev tun ca /usr/local/etc/openvpn/ca.crt cert /usr/local/etc/openvpn/server.crt key /usr/local/etc/openvpn/server.key dh /usr/local/etc/openvpn/dh1024.pem server 192.168.78.0 255.255.255.0 ifconfig-pool-persist /usr/local/etc/openvpn/ips push "redirect-gateway" auth-user-pass-verify /usr/local/etc/openvpn/auth.pl via-env client-cert-not-required username-as-common-name keepalive 100 120 comp-lzo client-config-dir /usr/local/etc/openvpn/ccd max-clients 250 persist-key persist-tun status /usr/local/etc/openvpn/openvpn-status.log verb 3
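#!/usr/bin/perl
# OpenVPN auth-user-pass-verify helper, invoked "via-env": the client's
# credentials arrive in $ENV{username} / $ENV{password}.
#
# Prints OK and exits 0 when the pair matches a "login:password" line in
# $passwdfile, otherwise prints ERR and exits 1.  OpenVPN treats exit
# status 0 as authentication success, so the exit codes are what matters.
#
# The original had the two branches swapped: a matching user got ERR/1 and
# every unknown user got OK/0, i.e. any credentials were accepted.  With the
# server config's client-cert-not-required this script is the only
# authentication step, so the branch order is security-critical.
#
# The password file holds plaintext passwords; keep it readable only by the
# user OpenVPN runs this script as.
use strict;
use warnings;

my $passwdfile = "/usr/local/etc/openvpn/users";
my $isValidUser = 0;

my $thisUsername = defined $ENV{'username'} ? $ENV{'username'} : '';
my $thisPassword = defined $ENV{'password'} ? $ENV{'password'} : '';

open(my $passwords, '<', $passwdfile)
    or die "can't find file: $passwdfile : $!\n";
while (my $line = <$passwords>) {
    chomp $line;
    $line =~ s/\r$//;    # tolerate CRLF line endings
    # Split on the first ':' only, so passwords may themselves contain ':'.
    my ($username, $password) = split(/:/, $line, 2);
    # Blank or malformed lines never match (the original compared undef
    # against the supplied values).
    next unless defined $username && defined $password;
    if ($username eq $thisUsername && $password eq $thisPassword) {
        $isValidUser = 1;
        last;
    }
}
close $passwords;

if ($isValidUser == 1) {
    print "OK\n";
    exit 0;
} else {
    print "ERR\n";
    exit 1;
}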
client dev tun proto tcp remote <HOST IP> 1194 resolv-retry infinite nobind persist-key persist-tun pull auth-user-pass ca ca.crt comp-lzo verb 3
login:password
Имя файла должно полностью совпадать с login. Для нормальной работы OpenVPN-клиента под Windows IP шлюза и серый IP клиента должны быть из одной /30 подсети. Под Linux/BSD таких ограничений нет.
ifconfig-push 192.168.78.CLIENT_IP 192.168.78.VPN_GATEWAY