Ruby China 社区 Nginx 节点 https://ruby-china.org/ Ruby China 社区 Nginx 节点最新发帖。 把自己过去用的很不错的 WAF 开源了 <h2 id="github:">github:</h2> <p>地址: WAF: <a href="https://github.com/sg552/banana-waf" rel="nofollow" target="_blank">https://github.com/sg552/banana-waf</a></p> <p>后台:<a href="https://github.com/sg552/banana-waf-admin" rel="nofollow" target="_blank">https://github.com/sg552/banana-waf-admin</a></p> <p>BananaWaf 是个超级简单但是实用的防火墙。与 Openresty + Nginx 集成,可以轻松防御绝大部分的恶意请求。包括:</p> <ul> <li>SQLI</li> <li>XSS</li> <li>恶意后缀扫描</li> <li>恶意 POC、参数</li> <li>指定某个 URL 的访问频率</li> <li>防止客户端使用 F12</li> <li>返回迷惑性的 response, 可以定制 (例如 java 项目返回 php 报错页面)</li> <li>还具备一个管理后台,可以设置对应 URL 的访问频率(另外是个项目,等会儿更新)</li> </ul> <p>优点:</p> <p>超级快速集成 访问速度在很弱的开发服务器达到 9000 每秒,还没有进一步测试生产环境。(欢迎 PR) 具备优秀的管理后台,可以查看防御情况(对手 IP,工具手段,参数)</p> sg552sg552 Tue, 26 Oct 2021 11:34:58 +0800 https://ruby-china.org/topics/41801 https://ruby-china.org/topics/41801 飞书 + Lua 实现企业级组织架构登录认证 <p><img src="https://pic3.zhimg.com/v2-6f1ed5de3e7587b848024b63c40e2ba5_r.jpg" title="" alt=""></p> <p>飞书是字节跳动旗下一款企业级协同办公软件,本文将介绍如何基于飞书开放平台的身份验证能力,使用 Lua 实现企业级组织架构的登录认证网关。</p> <h2 id="登录流程">登录流程</h2> <p>让我们首先看一下飞书第三方网站免登的整体流程:</p> <p>第一步:网页后端发现用户未登录,请求身份验证; 第二步:用户登录后,开放平台生成登录预授权码,302 跳转至重定向地址; 第三步:网页后端调用获取登录用户身份校验登录预授权码合法性,获取到用户身份; 第四步:如需其他用户信息,网页后端可调用获取用户信息(身份验证)。</p> <p><img src="https://sf3-cn.feishucdn.com/obj/website-img/faf8b877126e0a5bc7e76f7bc955c352_CCgGABCJpR.png" title="" alt="浏览器内网页登录"></p> <h2 id="Lua 实现">Lua 实现</h2><h3 id="飞书接口部分实现">飞书接口部分实现</h3><h4 id="获取应用的 access_token">获取应用的 access_token</h4><pre class="highlight lua"><code><span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">get_app_access_token</span><span class="p">()</span> <span class="kd">local</span> <span class="n">url</span> <span class="o">=</span> <span class="s2">"https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal/"</span> <span class="kd">local</span> <span class="n">body</span> <span class="o">=</span> <span class="p">{</span> <span class="n">app_id</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">app_id</span><span class="p">,</span> <span class="n">app_secret</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">app_secret</span> <span class="p">}</span> <span class="kd">local</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">http_post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="kc">nil</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">res</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">err</span> <span class="k">end</span> <span class="k">if</span> <span class="n">res</span><span class="p">.</span><span class="n">status</span> <span class="o">~=</span> <span class="mi">200</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">res</span><span class="p">.</span><span class="n">body</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">body</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"code"</span><span class="p">]</span> <span class="o">~=</span> <span class="mi">0</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">res</span><span class="p">.</span><span class="n">body</span> <span class="k">end</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="s2">"tenant_access_token"</span><span class="p">]</span> <span class="k">end</span> </code></pre><h4 id="通过回调 code 获取登录用户信息">通过回调 code 获取登录用户信息</h4><pre class="highlight lua"><code><span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">get_login_user</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="kd">local</span> <span class="n">app_access_token</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">self</span><span class="p">:</span><span class="n">get_app_access_token</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">app_access_token</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"get app_access_token failed: "</span> <span class="o">..</span> <span class="n">err</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">url</span> <span class="o">=</span> <span class="s2">"https://open.feishu.cn/open-apis/authen/v1/access_token"</span> <span class="kd">local</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="n">Authorization</span> <span class="o">=</span> <span class="s2">"Bearer "</span> <span class="o">..</span> <span class="n">app_access_token</span> <span class="p">}</span> <span class="kd">local</span> <span class="n">body</span> <span class="o">=</span> <span class="p">{</span> <span class="n">grant_type</span> <span class="o">=</span> <span class="s2">"authorization_code"</span><span class="p">,</span> <span class="n">code</span> <span class="o">=</span> <span class="n">code</span> <span class="p">}</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="kd">local</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">http_post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">res</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">err</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">body</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"code"</span><span class="p">]</span> <span class="o">~=</span> <span class="mi">0</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">res</span><span class="p">.</span><span class="n">body</span> <span class="k">end</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="s2">"data"</span><span class="p">]</span> <span class="k">end</span> </code></pre><h4 id="获取用户详细信息">获取用户详细信息</h4> <p>获取登录用户信息时无法获取到用户的部门信息,故这里需要使用登录用户信息中的 <code>open_id</code> 获取用户的详细信息,同时 <code>user_access_token</code> 也是来自于获取到的登录用户信息。</p> <pre class="highlight lua"><code><span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">get_user</span><span class="p">(</span><span class="n">user_access_token</span><span class="p">,</span> <span class="n">open_id</span><span class="p">)</span> <span class="kd">local</span> <span class="n">url</span> <span class="o">=</span> <span class="s2">"https://open.feishu.cn/open-apis/contact/v3/users/"</span> <span class="o">..</span> <span class="n">open_id</span> <span class="kd">local</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="n">Authorization</span> <span class="o">=</span> <span class="s2">"Bearer "</span> <span class="o">..</span> <span class="n">user_access_token</span> <span class="p">}</span> <span class="kd">local</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">http_get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">res</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">err</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">body</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"code"</span><span class="p">]</span> <span class="o">~=</span> <span class="mi">0</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">res</span><span class="p">.</span><span class="n">body</span> <span class="k">end</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="s2">"data"</span><span class="p">][</span><span class="s2">"user"</span><span class="p">],</span> <span class="kc">nil</span> <span class="k">end</span> </code></pre><h3 id="登录信息">登录信息</h3><h4 id="JWT 登录凭证">JWT 登录凭证</h4> <p>我们使用 JWT 作为登录凭证,同时用于保存用户的 <code>open_id</code> 和 <code>department_ids</code>。</p> <pre class="highlight lua"><code><span class="c1">-- 生成 token</span> <span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">sign_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="kd">local</span> <span class="n">open_id</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="s2">"open_id"</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">open_id</span> <span class="ow">or</span> <span class="n">open_id</span> <span class="o">==</span> <span class="s2">""</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"invalid open_id"</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">department_ids</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="s2">"department_ids"</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">department_ids</span> <span class="ow">or</span> <span class="nb">type</span><span class="p">(</span><span class="n">department_ids</span><span class="p">)</span> <span class="o">~=</span> <span class="s2">"table"</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"invalid department_ids"</span> <span class="k">end</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">:</span><span class="n">sign</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">jwt_secret</span><span class="p">,</span> <span class="p">{</span> <span class="n">header</span> <span class="o">=</span> <span class="p">{</span> <span class="n">typ</span> <span class="o">=</span> <span class="s2">"JWT"</span><span class="p">,</span> <span class="n">alg</span> <span class="o">=</span> <span class="n">jwt_header_alg</span><span class="p">,</span> <span class="n">exp</span> <span class="o">=</span> <span class="n">ngx</span><span class="p">.</span><span class="n">time</span><span class="p">()</span> <span class="o">+</span> <span class="n">self</span><span class="p">.</span><span class="n">jwt_expire</span> <span class="p">},</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="n">open_id</span> <span class="o">=</span> <span class="n">open_id</span><span class="p">,</span> <span class="n">department_ids</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">department_ids</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="k">end</span> <span class="c1">-- 验证与解析 token</span> <span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">verify_token</span><span class="p">()</span> <span class="kd">local</span> <span class="n">token</span> <span class="o">=</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">cookie_feishu_auth_token</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"token not found"</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">result</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">:</span><span class="n">verify</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">jwt_secret</span><span class="p">,</span> <span class="n">token</span><span class="p">)</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"jwt_obj: "</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">result</span><span class="p">))</span> <span class="k">if</span> <span class="n">result</span><span class="p">[</span><span class="s2">"valid"</span><span class="p">]</span> <span class="k">then</span> <span class="kd">local</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">result</span><span class="p">[</span><span class="s2">"payload"</span><span class="p">]</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="s2">"department_ids"</span><span class="p">]</span> <span class="ow">and</span> <span class="n">payload</span><span class="p">[</span><span class="s2">"open_id"</span><span class="p">]</span> <span class="k">then</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">end</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"invalid token: "</span> <span class="o">..</span> <span class="n">json</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">end</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="s2">"invalid token: "</span> <span class="o">..</span> <span class="n">json</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">end</span> </code></pre><h4 id="使用 Cookie 存储登录凭证">使用 Cookie 存储登录凭证</h4><pre class="highlight lua"><code><span class="n">ngx</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"Set-Cookie"</span><span class="p">]</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">cookie_key</span> <span class="o">..</span> <span class="s2">"="</span> <span class="o">..</span> <span class="n">token</span> </code></pre><h3 id="组织架构白名单">组织架构白名单</h3> <p>我们在用户登录时获取用户的部门信息,或者在用户后续访问应用时解析登录凭证中的部门信息,根据设置的部门白名单,判断用户是否拥有访问应用的权限。</p> <pre class="highlight lua"><code><span class="c1">-- 部门白名单配置</span> <span class="n">_M</span><span class="p">.</span><span class="n">department_whitelist</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">check_user_access</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">if</span> <span class="nb">type</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">department_whitelist</span><span class="p">)</span> <span class="o">~=</span> <span class="s2">"table"</span> <span class="k">then</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"department_whitelist is not a table"</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span> <span class="k">end</span> <span class="k">if</span> <span class="o">#</span><span class="n">self</span><span class="p">.</span><span class="n">department_whitelist</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">true</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">department_ids</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="s2">"department_ids"</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">department_ids</span> <span class="ow">or</span> <span class="n">department_ids</span> <span class="o">==</span> <span class="s2">""</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">false</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">type</span><span class="p">(</span><span class="n">department_ids</span><span class="p">)</span> <span class="o">~=</span> <span class="s2">"table"</span> <span class="k">then</span> <span class="n">department_ids</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">department_ids</span><span class="p">)</span> <span class="k">end</span> <span class="k">for</span> <span class="n">i</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">department_ids</span> <span class="k">do</span> <span class="k">if</span> <span class="n">has_value</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">department_whitelist</span><span class="p">,</span> <span class="n">department_ids</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">true</span> <span class="k">end</span> <span class="k">end</span> <span class="k">return</span> <span class="kc">false</span> <span class="k">end</span> </code></pre><h3 id="更多网关配置">更多网关配置</h3> <p>同时支持 IP 黑名单和路由白名单配置。</p> <pre class="highlight lua"><code><span class="c1">-- IP 黑名单配置</span> <span class="n">_M</span><span class="p">.</span><span class="n">ip_blacklist</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1">-- 路由白名单配置</span> <span class="n">_M</span><span class="p">.</span><span class="n">uri_whitelist</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">function</span> <span class="nf">_M</span><span class="p">:</span><span class="n">auth</span><span class="p">()</span> <span class="kd">local</span> <span class="n">request_uri</span> <span class="o">=</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">uri</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"request uri: "</span><span class="p">,</span> <span class="n">request_uri</span><span class="p">)</span> <span class="k">if</span> <span class="n">has_value</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">uri_whitelist</span><span class="p">,</span> <span class="n">request_uri</span><span class="p">)</span> <span class="k">then</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"uri in whitelist: "</span><span class="p">,</span> <span class="n">request_uri</span><span class="p">)</span> <span class="k">return</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">request_ip</span> <span class="o">=</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">remote_addr</span> <span class="k">if</span> <span class="n">has_value</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">ip_blacklist</span><span class="p">,</span> <span class="n">request_ip</span><span class="p">)</span> <span class="k">then</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"forbided ip: "</span><span class="p">,</span> <span class="n">request_ip</span><span class="p">)</span> <span class="k">return</span> <span class="n">ngx</span><span class="p">.</span><span class="n">exit</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">HTTP_FORBIDDEN</span><span class="p">)</span> <span class="k">end</span> <span class="k">if</span> <span class="n">request_uri</span> <span class="o">==</span> <span class="n">self</span><span class="p">.</span><span class="n">logout_uri</span> <span class="k">then</span> <span class="k">return</span> <span class="n">self</span><span class="p">:</span><span class="n">logout</span><span class="p">()</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">payload</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">self</span><span class="p">:</span><span class="n">verify_token</span><span class="p">()</span> <span class="k">if</span> <span class="n">payload</span> <span class="k">then</span> <span class="k">if</span> <span class="n">self</span><span class="p">:</span><span class="n">check_user_access</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">then</span> <span class="k">return</span> <span class="k">end</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"user access not permitted"</span><span class="p">)</span> <span class="n">self</span><span class="p">:</span><span class="n">clear_token</span><span class="p">()</span> <span class="k">return</span> <span class="n">self</span><span class="p">:</span><span class="n">sso</span><span class="p">()</span> <span class="k">end</span> <span class="n">ngx</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">"verify token failed: "</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">if</span> <span class="n">request_uri</span> <span class="o">~=</span> <span class="n">self</span><span class="p">.</span><span class="n">callback_uri</span> <span class="k">then</span> <span class="k">return</span> <span class="n">self</span><span class="p">:</span><span class="n">sso</span><span class="p">()</span> <span class="k">end</span> <span class="k">return</span> <span class="n">self</span><span class="p">:</span><span class="n">sso_callback</span><span class="p">()</span> <span class="k">end</span> </code></pre><h2 id="使用">使用</h2> <p>本文就不赘述 OpenResty 的安装了,可以参考我的另一篇文章<a href="https://k8scat.com/posts/linux/install-openresty-on-ubuntu-from-source-code/" rel="nofollow" target="_blank" title="">《在 Ubuntu 上使用源码安装 OpenResty》</a>。</p> <h3 id="下载">下载</h3><pre class="highlight shell"><code><span class="nb">cd</span> /path/to git clone git@github.com:ledgetech/lua-resty-http.git git clone git@github.com:SkyLothar/lua-resty-jwt.git git clone git@github.com:k8scat/lua-resty-feishu-auth.git </code></pre><h3 id="配置">配置</h3><pre class="highlight conf"><code><span class="n">lua_package_path</span> <span class="s2">"/path/to/lua-resty-feishu-auth/lib/?.lua;/path/to/lua-resty-jwt/lib/?.lua;/path/to/lua-resty-http/lib/?.lua;/path/to/lua-resty-redis/lib/?.lua;/path/to/lua-resty-redis-lock/lib/?.lua;;"</span>; <span class="n">server</span> { <span class="n">access_by_lua_block</span> { <span class="n">local</span> <span class="n">feishu_auth</span> = <span class="n">require</span> <span class="s2">"resty.feishu_auth"</span> <span class="n">feishu_auth</span>.<span class="n">app_id</span> = <span class="s2">""</span> <span class="n">feishu_auth</span>.<span class="n">app_secret</span> = <span class="s2">""</span> <span class="n">feishu_auth</span>.<span class="n">callback_uri</span> = <span class="s2">"/feishu_auth_callback"</span> <span class="n">feishu_auth</span>.<span class="n">logout_uri</span> = <span class="s2">"/feishu_auth_logout"</span> <span class="n">feishu_auth</span>.<span class="n">app_domain</span> = <span class="s2">"feishu-auth.example.com"</span> <span class="n">feishu_auth</span>.<span class="n">jwt_secret</span> = <span class="s2">"thisisjwtsecret"</span> <span class="n">feishu_auth</span>.<span class="n">ip_blacklist</span> = {<span class="s2">"47.1.2.3"</span>} <span class="n">feishu_auth</span>.<span class="n">uri_whitelist</span> = {<span class="s2">"/"</span>} <span class="n">feishu_auth</span>.<span class="n">department_whitelist</span> = {<span class="s2">"0"</span>} <span class="n">feishu_auth</span>:<span class="n">auth</span>() } } </code></pre><h3 id="配置说明">配置说明</h3> <ul> <li> <code>app_id</code> 用于设置飞书企业自建应用的 <code>App ID</code> </li> <li> <code>app_secret</code> 用于设置飞书企业自建应用的 <code>App Secret</code> </li> <li> <code>callback_uri</code> 用于设置飞书网页登录后的回调地址(需在飞书企业自建应用的安全设置中设置重定向 URL)</li> <li> <code>logout_uri</code> 用于设置登出地址</li> <li> <code>app_domain</code> 用于设置访问域名(需和业务服务的访问域名一致)</li> <li> <code>jwt_secret</code> 用于设置 JWT secret</li> <li> <code>ip_blacklist</code> 用于设置 IP 黑名单</li> <li> <code>uri_whitelist</code> 用于设置地址白名单,例如首页不需要登录认证</li> <li> <code>department_whitelist</code> 用于设置部门白名单(字符串)</li> </ul> <h3 id="应用权限说明">应用权限说明</h3> <ul> <li>获取部门基础信息</li> <li>获取部门组织架构信息</li> <li>以应用身份读取通讯录</li> <li>获取用户组织架构信息</li> <li>获取用户基本信息</li> </ul> <h2 id="开源">开源</h2> <p>本项目已完成且已在 GitHub 上开源:<a href="https://github.com/k8scat/lua-resty-feishu-auth" rel="nofollow" target="_blank" title="">k8scat/lua-resty-feishu-auth</a>,希望大家可以动动手指点个 Star,表示对本项目的肯定与支持!</p> k8scat Fri, 03 Sep 2021 23:51:26 +0800 https://ruby-china.org/topics/41653 https://ruby-china.org/topics/41653 【分享】Inside NGINX: How We Designed for Performance & Scale <p><a href="https://www.nginx.com/blog/inside-nginx-how-we-designed-for-performance-scale/" rel="nofollow" target="_blank">https://www.nginx.com/blog/inside-nginx-how-we-designed-for-performance-scale/</a></p> yfractal Thu, 26 Mar 2020 09:54:21 +0800 https://ruby-china.org/topics/39669 https://ruby-china.org/topics/39669 Rails 项目部署腾讯 Ubuntu 16.04,部署报错 We're sorry, but something went wrong. <p>我在终端跑 cap production deploy 没有报错而是直接退出<img src="https://l.ruby-china.com/photo/2020/d57dae03-b8c6-4cf0-abcf-d7afcd11e809.png!large" title="" alt=""> 然后我在浏览器输入我的服务器 ip <img src="https://l.ruby-china.com/photo/2020/4447f421-bc78-4fad-871b-cb0906a6cf0d.png!large" title="" alt=""> 这个是我的 log 文件 <img src="https://l.ruby-china.com/photo/2020/aac3e825-dc84-448e-9b01-00f4fe80966d.png!large" title="" alt=""> 我是跟着这个文档操作的 <a href="https://gorails.com/deploy/ubuntu/16.04" rel="nofollow" target="_blank">https://gorails.com/deploy/ubuntu/16.04</a> 我是一个小白之前几次部署也遇到这种情况一直没有解决,求各位老师指点。谢谢。</p> korey Fri, 06 Mar 2020 12:15:57 +0800 https://ruby-china.org/topics/39567 https://ruby-china.org/topics/39567 PHP 7 安装日志 <h2 id="前奏,安装gcc 5以上,我安装了8">前奏,安装 gcc 5 以上,我安装了 8</h2> <ol> <li>请看这个链接 <a href="https://www.cnblogs.com/ToBeExpert/p/10297697.html" rel="nofollow" target="_blank">https://www.cnblogs.com/ToBeExpert/p/10297697.html</a> ,文章的最后是高潮</li> <li>这么说吧我编译 gcc8 用了 5-6 个小时,配置,windows2012 的 vmware,cpu2x2,显示 4,内存 2G 有需要虚拟机的可以找我要</li> <li>虚拟机的问题,死活连不上网,这个可能和 dhcp 有关系,桥接然后静态 ip,解决问题,这个花了一天的时间,如果要深入理解桥接和 nat,估计只有学思科或者华为认证了</li> </ol> <h2 id="过程连接">过程连接</h2> <ol> <li><a href="https://www.cnblogs.com/dj0325/p/8481092.html" rel="nofollow" target="_blank" title="">scl 安装 gcc-把 4 改成 8</a></li> <li><a href="https://www.cnblogs.com/ToBeExpert/p/10297697.html" rel="nofollow" target="_blank" title="">CentOS 7 升级 gcc/g++ 编译器,我的是 centos6</a></li> <li> <a href="https://www.cnblogs.com/Jordandan/p/10402912.html" rel="nofollow" target="_blank" title="">编译 nginx 的时候报错 需要安装 PCRE</a> 2019 年 11 月 28 日 09:24:16</li> <li>pcre 是一个正则表达式库</li> <li><a href="https://www.cnblogs.com/selectztl/p/9473967.html" rel="nofollow" target="_blank" title="">nginx 的下载和配置</a></li> <li><a href="https://blog.csdn.net/nouswait/article/details/83105378" rel="nofollow" target="_blank" title="">php+nginx mysql 那块没有借鉴</a></li> <li><a href="https://www.cnblogs.com/chancy/p/9238149.html" rel="nofollow" target="_blank" title="">linux 安装 php7.2.7</a></li> </ol> <h2 id="补上非root php">补上非 root php</h2> <ol> <li>前奏 我把 nginx 和 php 都放在环境变量里面了,php 启动的话就是 php-fpm</li> <li>补能让 php 文件都用 root 权限上传吧!</li> <li>学习,linux 用户和组,自己创建</li> <li>php-fpm 的关闭,我是查找进程一个个关闭的,大概有 3-4 个进程,网上的看不懂</li> </ol> <h2 id="重点">重点</h2> <ol> <li><a href="https://www.cnblogs.com/lobtao/articles/9124989.html" rel="nofollow" target="_blank" title="">Nginx 访问 PHP 文件的 File not found 错误处理,两种情况</a></li> <li>我花了一点时间搞定的编辑 etc/php-fpm.d/<a href="http://www.conf" rel="nofollow" target="_blank" title="">www.conf</a> 文件 查找 user 和 group,之前已经说过了,你懂的</li> <li>默认查找 php-fpm 的进程是有 nobody 的,改完了之后就是你想要的</li> <li>过程连接中有提到 nginx 和 php 关联 把路径改了,最后一个不要加斜杠!!!记住喽,</li> <li>配置更改 fastcgi_param SCRIPT_FILENAME /home/yournname/work/php/www$fastcgi_script_name</li> </ol> <h2 id="结尾,准备装禅道,不知道mysql驱动装好没有,接下来会写步骤">结尾,准备装禅道,不知道 mysql 驱动装好没有,接下来会写步骤</h2><h2 id="xdebug很重要,不知道能否成功">xdebug 很重要,不知道能否成功</h2> Ghaker Thu, 28 Nov 2019 10:24:16 +0800 https://ruby-china.org/topics/39284 https://ruby-china.org/topics/39284 請問 nginx 中 server 帶有多個 location,那如何在瀏覽器中對 location 的緩存做標識 <p>在配置反向代理的時候遇到了一個問題就是我在 nginx 中配置了 server 對應多個 location,每個 location 都是轉發到不同的目標網站 配置文件如下 CC:8083\CC:8080\CC:8088 這三個網站文件結構類似,但屬於不同的業務模塊, 現在有個問題就是我在同一瀏覽器中先訪問了 <a href="http://AA/OA" rel="nofollow" target="_blank">http://AA/OA</a> 網站是可以正常打開的, 然後我再去訪問<a href="http://AA/OEDI" rel="nofollow" target="_blank">http://AA/OEDI</a>時網站就異常了登錄成功無法正常跳轉, 後來發現是緩存文件的問題,清理文件緩存然後再去訪問<a href="http://AA/OEDI" rel="nofollow" target="_blank">http://AA/OEDI</a>是正常的。 首次訪問了 OA 時瀏覽器緩存了 OA 的文件,再次訪問 OEDI 時調用了 OA 的緩存導致了跳轉失敗, 請問這種問題有什麼好的決解方法嗎?如何給緩存做標識?</p> <pre class="highlight conf"><code><span class="n">server</span> { <span class="n">listen</span> <span class="m">80</span>; <span class="n">server_name</span> <span class="n">AA</span>; <span class="n">fastcgi_read_timeout</span> <span class="m">600</span>; <span class="c">#設置服務響應超時問題 如果不設置WEB表單加載時間長的話會報錯(s) </span> <span class="n">fastcgi_send_timeout</span> <span class="m">600</span>; <span class="c">#設置服務響應超時問題 如果不設置WEB表單加載時間長的話會報錯(s) </span> <span class="n">client_max_body_size</span> <span class="m">30</span><span class="n">m</span>; <span class="c">#設置通過反向代理訪問web可上傳文件的最大值(m) </span> <span class="n">location</span> /<span class="n">OA</span>/ { <span class="n">root</span> <span class="n">html</span>; <span class="n">proxy_pass</span> <span class="n">https</span>://<span class="n">CC</span>:<span class="m">8083</span>/; <span class="n">proxy_pass_request_headers</span> <span class="n">on</span>; <span class="n">if</span> ( $<span class="n">host</span> ~ <span class="s2">"https://CC:8083"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OA</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ($<span class="n">document_uri</span> ~ <span class="n">http</span>://<span class="n">AA</span>/) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OA</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://CC:8083"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OA</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://AA"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OA</span>/$<span class="m">1</span> <span class="n">last</span>; } } <span class="n">location</span> /<span class="n">OEDI</span>/ { <span class="n">root</span> <span class="n">html</span>; <span class="n">proxy_pass</span> <span class="n">https</span>://<span class="n">CC</span>:<span class="m">8088</span>/; <span class="c">#proxy_redirect http://$host/; </span> <span class="n">proxy_pass_request_headers</span> <span class="n">on</span>; <span class="n">if</span> ( $<span class="n">host</span> ~ <span class="s2">"https://CC:8088"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ($<span class="n">document_uri</span> ~ <span class="n">http</span>://<span class="n">AA</span>/) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://CC:8088"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://AA"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } } <span class="n">location</span> / { <span class="n">root</span> <span class="n">html</span>; <span class="n">if</span> ($<span class="n">http_cookie</span> ~* <span class="s2">"SEDI"</span>) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ($<span class="n">http_cookie</span> ~* <span class="s2">"OEDI"</span>) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ($<span class="n">http_cookie</span> ~* <span class="s2">"OA"</span>) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">OA</span>/$<span class="m">1</span> <span class="n">last</span>; } } <span class="n">location</span> /<span class="n">SEDI</span>/ { <span class="n">root</span> <span class="n">html</span>; <span class="n">proxy_pass</span> <span class="n">https</span>://<span class="n">CC</span>:<span class="m">8080</span>/; <span class="c">#proxy_redirect http://$host/; </span> <span class="n">proxy_pass_request_headers</span> <span class="n">on</span>; <span class="n">if</span> ( $<span class="n">host</span> ~ <span class="s2">"https://CC:8080"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">host</span> ~ <span class="s2">"http://http://AA"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ($<span class="n">document_uri</span> ~ <span class="n">http</span>://<span class="n">AA</span>/) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://CC:8088"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } <span class="n">if</span> ( $<span class="n">Uri</span> ~ <span class="s2">"https://AA"</span> ) { <span class="n">rewrite</span> ^/(.*)$ /<span class="n">SEDI</span>/$<span class="m">1</span> <span class="n">last</span>; } } } </code></pre> vip5529780 Thu, 15 Aug 2019 11:29:56 +0800 https://ruby-china.org/topics/38945 https://ruby-china.org/topics/38945 Nginx 进程和信号 <h2 id="Nginx 进程和信号">Nginx 进程和信号</h2><h2 id="进程结构">进程结构</h2> <p>一般来说 Nginx 有一个父进程 Master,和一个或多个子进程。</p> <p>子进程分两类,一种是 Worker 进程,另一种是 Cache 相关的进程。</p> <p>Cache 在多个 Worker 间共享使用。同时被进程 Cache manager 和 Cache loader 使用。Cache loader 做缓存的载入,Cache manager 做缓存的管理。这些进程间的通讯都是使用共享内存来解决的。</p> <p>为什么不用多线程?因为线程之间是共享地址空间的,当某一个第三方模块引发了地址空间的段错误时,地址越界出现时,会导致整个进程挂掉。</p> <p>Nginx 希望每个 Worker 进程从头到尾占有一个 CPU,所以往往不止要把 Worker 进程的数量配置与服务器的 CPU 核数一致以外,还需要把每一个 Worker 进程与某一个 CPU 核绑定在一起。这样可以更好的使用每个 CPU 核上面的 CPU 缓存,提高缓存的命中率。</p> <p>不仅仅是缓存的原因,一个进程从头到尾占有一个 CPU,减少 CPU 上下文切换的次数和耗时,让 CPU 更多的时间用在运行进程上。</p> <h3 id="Master 进程">Master 进程</h3> <p>监控 Worker 进程,接受信号</p> <ul> <li>CHLD,子进程终止的时候会向父进程发送 CHLD。Master 进程通过这个信号维持 Worker 进程的数量。</li> </ul> <p>管理 Worker 进程,发送信号</p> <ul> <li>TERM/INT,立刻停止进程。</li> <li>QUIT,优雅的退出,等请求处理完才退出,用户无感知。</li> <li>HUP,重载配置文件。</li> <li>USR1,重新打开日志文件,做日志文件的切割。</li> </ul> <p>下面 2 个信号,Nginx 命令行中没有对应的操作,只能通过 kill 直接向 Master 进程发送</p> <ul> <li>USR2,热升级第一阶段,启动新进程。旧的 Nginx 主进程 Master 将会把自己的进程文件改名为 .oldbin,然后执行新版 Nginx。此时新旧 Nginx 会同时运行,共同处理请求。</li> <li>WINCH,热升级第二阶段,停止老进程。逐步停止旧版 Nginx 的 Worker 进程就都会随着任务执行完毕而退出,新版的 Nginx 的 Worker 进程会逐渐取代旧版 Worker 进程。</li> </ul> <h3 id="Worker 进程">Worker 进程</h3> <p>和上面对应,接受信号</p> <ul> <li>TERM/INT</li> <li>QUIT</li> <li>USR1</li> <li>WINCH</li> </ul> <h3 id="Nginx 命令行">Nginx 命令行</h3> <p>启动 Nginx 以后,Nginx 会把 Master 进程的 pid 记录到一个文件中,一般是 Nginx 安装目录下 logs/nginx.pid。</p> <p>我们平时使用的命令行其实就是对这个 pid 发送对应的信号。</p> <ul> <li>reload: HUP</li> <li>reopen: USR1</li> <li>stop: TERM</li> <li>quit: QUIT</li> </ul> <h3 id="reload 流程">reload 流程</h3> <ol> <li>向 Master 进程发送 HUP 信号(reload 命令)</li> <li>Master 进程校验配置语法是否正确</li> <li>Master 进程更新监听端口(比如新配置增加了监听 443 端口)</li> <li>Master 进程用新配置启动新的 Worker 子进程</li> <li>Master 进程向老 Worker 子进程发送 QUIT 信号</li> <li>老 Worker 子进程关闭监听句柄,处理完当前连接后结束进程</li> </ol> <p>在 1.11.11 的版本中,增加了 worker_shutdown_timeout 参数来设置优雅退出 Worker 进程的超时时间。</p> <h3 id="热升级流程">热升级流程</h3> <ol> <li>将旧 Nginx 文件换成新 Nginx 文件(注意备份)</li> <li>向 Master 进程发送 USR2 信号</li> <li>Master 进程修改 pid 文件名,加后缀 .oldbin</li> <li>Master 进程用新 Nginx 文件启动新 Master 进程</li> <li>向老 Master 进程发送 WINCH 信号,老 Master 进程会优雅关闭老 Worker 进程</li> <li>此时老 Master 进程依然存活,如果出现问题需要回滚。向老 Master 进程发送 HUP,然后向新 Master 发送 QUIT 即可。(注意恢复备份文件)</li> <li>正常升级后,通过 kill -QUIT 信号关闭老 Master 进程</li> </ol> <p>新老 Master 进程,同时存在,那么是怎么同时监听端口的?</p> <p>新老 Master 进程是父子进程,所以可以同时监听。</p> <h3 id="优雅关闭 Worker 进程">优雅关闭 Worker 进程</h3> <p>优雅关闭是指 HTTP 请求,如果代理的是 WebSocket、TCP、UDP,这时候 Nginx 是无法进行优雅关闭的。</p> <ol> <li>设置定时器(这个功能默认不开启,配置文件有设置 worker_shutdown_timeout 才会生效)</li> <li>关闭监听句柄</li> <li>关闭空闲连接</li> <li>在循环中等待全部连接关闭(如果设置了 worker_shutdown_timeout,超时后会强制关闭全部连接)</li> <li>退出进程</li> </ol> <p>更多信息可以参考官方文档 <a href="https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/" rel="nofollow" target="_blank" title="">Starting, Stopping, and Restarting NGINX</a></p> <p>原文转自博客 <a href="https://www.tuliang.org/nginx-jin-cheng-he-xin-hao/" rel="nofollow" target="_blank" title="">Nginx 进程和信号</a></p> tuliang Sun, 02 Dec 2018 10:49:15 +0800 https://ruby-china.org/topics/37845 https://ruby-china.org/topics/37845 负载均衡的两台服务器里的项目,如何实现 public 下的资源共享 <p>访问 A 服务器的一张图片,404 之后再去 B 尝试一下,这种方案是否可行</p> ad583255925 Tue, 28 Aug 2018 17:49:55 +0800 https://ruby-china.org/topics/37399 https://ruby-china.org/topics/37399 有没有办法在 Nginx 记录给用户发送的页面内容 <p>因为使用 nginx 反向代理,页面被插入了跳转代码,跳转到一个广告链接。不确定是服务器出的问题还是代理服务器出的问题。想在代理服务器的 nginx 上做个日志记录,记录每次请求发送给用户的 html 页面的内容,有没有从 nginx 入手的办法?</p> gaicitadie Fri, 13 Jul 2018 17:33:46 +0800 https://ruby-china.org/topics/37152 https://ruby-china.org/topics/37152 网站反映慢,经常出现卡死 <p>我的服务器同时部署啦 homeland 和 redmine,redmine 访问无压力,很快,但是 homenald 就经常卡死,配置 ubuntu16.04, 4 核 8gb,使用的是 nginx+passenger, 不要问我为什么用论坛做文章,我也很无奈。</p> <pre class="highlight shell"><code><span class="o">[</span> N 2018-05-31 10:05:06.3541 4919/T7 age/Cor/CoreMain.cpp:616 <span class="o">]</span>: Signal received. Gracefully shutting down... <span class="o">(</span>send signal 2 more <span class="nb">time</span><span class="o">(</span>s<span class="o">)</span> to force shutdown<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3543 4919/T1 age/Cor/CoreMain.cpp:1161 <span class="o">]</span>: Received <span class="nb">command </span>to shutdown gracefully. Waiting <span class="k">until </span>all clients have disconnected... <span class="o">[</span> N 2018-05-31 10:05:06.3543 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 20897, application /jxredmine <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3573 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 5310, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3617 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32529, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3645 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32553, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3695 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32725, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3695 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 421, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.3773 4919/T7 Ser/Server.h:903 <span class="o">]</span>: <span class="o">[</span>ServerThr.1] Freed 0 spare client objects <span class="o">[</span> N 2018-05-31 10:05:06.3773 4919/T7 Ser/Server.h:559 <span class="o">]</span>: <span class="o">[</span>ServerThr.1] Shutdown finished <span class="o">[</span> N 2018-05-31 10:05:06.3774 4919/Tf Ser/Server.h:903 <span class="o">]</span>: <span class="o">[</span>ApiServer] Freed 0 spare client objects <span class="o">[</span> N 2018-05-31 10:05:06.3774 4919/Tf Ser/Server.h:559 <span class="o">]</span>: <span class="o">[</span>ApiServer] Shutdown finished <span class="o">[</span> N 2018-05-31 10:05:06.4396 4919/Td Ser/Server.h:903 <span class="o">]</span>: <span class="o">[</span>ServerThr.4] Freed 0 spare client objects <span class="o">[</span> N 2018-05-31 10:05:06.4396 4919/Td Ser/Server.h:559 <span class="o">]</span>: <span class="o">[</span>ServerThr.4] Shutdown finished <span class="o">[</span> N 2018-05-31 10:05:06.5251 4919/T9 Ser/Server.h:903 <span class="o">]</span>: <span class="o">[</span>ServerThr.2] Freed 0 spare client objects <span class="o">[</span> N 2018-05-31 10:05:06.5252 4919/T9 Ser/Server.h:559 <span class="o">]</span>: <span class="o">[</span>ServerThr.2] Shutdown finished <span class="o">[</span> N 2018-05-31 10:05:06.5462 4919/Tb Ser/Server.h:903 <span class="o">]</span>: <span class="o">[</span>ServerThr.3] Freed 0 spare client objects <span class="o">[</span> N 2018-05-31 10:05:06.5462 4919/Tb Ser/Server.h:559 <span class="o">]</span>: <span class="o">[</span>ServerThr.3] Shutdown finished <span class="o">[</span> N 2018-05-31 10:05:06.5463 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 20897, application //jxredmine <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.7471 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 5310, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.7472 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32529, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.7472 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32553, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.7473 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 32725, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:06.7473 4919/T1 age/Cor/CoreMain.cpp:1075 <span class="o">]</span>: Checking whether to disconnect long-running connections <span class="k">for </span>process 421, application /jxcatbbs <span class="o">(</span>production<span class="o">)</span> <span class="o">[</span> N 2018-05-31 10:05:07.1117 4919/T1 age/Cor/CoreMain.cpp:1234 <span class="o">]</span>: Passenger core shutdown finished 2018/05/31 10:05:07 <span class="o">[</span>info] 1432#1432: Using 32768KiB of shared memory <span class="k">for </span>nchan <span class="k">in</span> /etc/nginx/nginx.conf:77 <span class="o">[</span> N 2018-05-31 10:05:07.4512 1438/T1 age/Wat/WatchdogMain.cpp:1258 <span class="o">]</span>: Starting Passenger watchdog... <span class="o">[</span> N 2018-05-31 10:05:07.4760 1441/T1 age/Cor/CoreMain.cpp:1249 <span class="o">]</span>: Starting Passenger core... <span class="o">[</span> N 2018-05-31 10:05:07.4762 1441/T1 age/Cor/CoreMain.cpp:252 <span class="o">]</span>: Passenger core running <span class="k">in </span>multi-application mode. <span class="o">[</span> N 2018-05-31 10:05:07.4897 1441/T1 age/Cor/CoreMain.cpp:984 <span class="o">]</span>: Passenger core online, PID 1441 App 1467 stdout: <span class="o">[</span> N 2018-05-31 10:05:12.2656 1441/T5 age/Cor/SecurityUpdateChecker.h:517 <span class="o">]</span>: Security update check: no update found <span class="o">(</span>next check <span class="k">in </span>24 hours<span class="o">)</span> App 1577 stdout: App 1594 stdout: App 1609 stdout: App 1624 stdout: App 1658 stdout: </code></pre> <p>nginx:</p> <pre class="highlight shell"><code>listen 443<span class="p">;</span> server_name bbs.jxcat.com<span class="p">;</span> ssl on<span class="p">;</span> root xxx/public<span class="p">;</span> passenger_enabled on<span class="p">;</span> rails_env production<span class="p">;</span> index index.html index.htm<span class="p">;</span> location / <span class="o">{</span> <span class="c"># First attempt to serve request as file, then</span> <span class="c"># as directory, then fall back to displaying a 404.</span> root xxx/public<span class="p">;</span> <span class="c"># try_files $uri $uri/ =404;</span> <span class="o">}</span> </code></pre> <p>地址:bbs.jxcat.com</p> tang05709 Thu, 31 May 2018 10:34:02 +0800 https://ruby-china.org/topics/36867 https://ruby-china.org/topics/36867 https 在 Nginx 中应该怎么配置默认就是使用 https 呢? <p>配置好 https 后,发现了两个问题:<br> 我们配置的域名是<code>www.xxx.com</code>,但是发现 ruby china 是使用<code>xxx.com</code>,不需要用到前面的<code>www</code>,这两种方式的区别在哪里呢?哪 3 一种比较好。<br> 还有一个就是,现在访问,默认依然是使用 http,只有在使用 https 访问,才会用到 https,怎么在 nginx 配置,默认就是使用 https 呢?</p> QueXuQ Fri, 04 May 2018 10:25:25 +0800 https://ruby-china.org/topics/36677 https://ruby-china.org/topics/36677 想到一个 Nginx + Docker 进行热部署的方案,不知道是否有更优解 <p>开两个 docker,一个是主 server,一个临时 server,都映射到同一个 rails 目录。</p> <p>在更新代码之前:</p> <pre class="highlight plaintext"><code>1、启动临时server 2、启动成功后修改nginx的配置文件,把端口转发到临时server,然后nginx -s reload,用临时server提供服务 3、更新代码 4、重启主server 5、等主server启动后,再把nginx的配置文件改回来,把端口转发改回主server,然后nginx -s reload,至此代码更新完毕。 </code></pre> gaicitadie Mon, 26 Mar 2018 15:59:46 +0800 https://ruby-china.org/topics/35325 https://ruby-china.org/topics/35325 ****/projects 往后的所有路径匹配到一个静态文件应该如何写 loaction? <pre class="highlight nginx"><code><span class="k">location</span> <span class="n">/projects</span> <span class="p">{</span> <span class="kn">alias</span> <span class="n">/home/deploy/www/projects_vue</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.htm</span> <span class="s">index.html</span><span class="p">;</span> <span class="p">}</span> </code></pre> <p>因为这是一个前端写的项目,本来想着这样匹配到 index 就可以了,但是没想到如果访问<code>***/projects/orders</code>之类的域名,就会出现 404,但是找了一下,没有发现相关的 nginx 该如何写这个 location,希望<code>/projects</code>后面的所有域名的去到 index.html 中呢?多谢。</p> <p>根据楼下小伙伴的提示,把配置改成:</p> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">example</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">unix:///tmp/example.sock</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">www.example.io</span><span class="p">;</span> <span class="kn">root</span> <span class="n">/home/deploy/example_backend/current/public</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_redirect</span> <span class="no">off</span><span class="p">;</span> <span class="kn">if</span> <span class="s">(-f</span> <span class="nv">$request_filename</span><span class="n">/index.html</span><span class="s">)</span> <span class="p">{</span> <span class="kn">rewrite</span> <span class="s">(.*)</span> <span class="nv">$1</span><span class="n">/index.html</span> <span class="s">break</span><span class="p">;</span> <span class="p">}</span> <span class="kn">if</span> <span class="s">(-f</span> <span class="nv">$request_filename</span><span class="s">.html)</span> <span class="p">{</span> <span class="kn">rewrite</span> <span class="s">(.*)</span> <span class="nv">$1</span><span class="s">.html</span> <span class="s">break</span><span class="p">;</span> <span class="p">}</span> <span class="kn">if</span> <span class="s">(!-f</span> <span class="nv">$request_filename</span><span class="s">)</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://example</span><span class="p">;</span> <span class="kn">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kn">location</span> <span class="n">/project</span> <span class="p">{</span> <span class="kn">alias</span> <span class="n">/home/deploy/example_frontend</span><span class="p">;</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="n">/index.html?/</span><span class="nv">$request_uri</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> <p>可是仍然是原来的问题,不同的是<code>/project/xxxx</code>这类域名,就跑去读取 rails 了,而不是 404 了。目前应该如何改进会更好?</p> QueXuQ Mon, 30 Oct 2017 21:46:47 +0800 https://ruby-china.org/topics/34471 https://ruby-china.org/topics/34471 配置了 https 后就返回 302 错误,自己捣鼓了快三天了,还不解决不了,请教一下各位。 <pre class="highlight nginx"><code><span class="c1">#server</span> <span class="c1"># {</span> <span class="c1"># listen 80;</span> <span class="c1"># server_name www.test.com test.com;</span> <span class="c1"># return 301 https://$server_name$request_uri;</span> <span class="c1"># </span> <span class="c1">#}</span> <span class="k">server</span> <span class="p">{</span> <span class="c1"># listen 80;</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">www.test.com</span> <span class="s">test.com</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.htm</span> <span class="s">index.php</span> <span class="s">index.html</span><span class="p">;</span> <span class="kn">root</span> <span class="n">/home/www/test</span><span class="p">;</span> <span class="kn">ssl</span> <span class="no">on</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/nginx/conf.d/cert/ssl.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/nginx/conf.d/cert/ssl.key</span><span class="p">;</span> <span class="kn">ssl_session_timeout</span> <span class="mi">5m</span><span class="p">;</span> <span class="kn">ssl_ciphers</span> <span class="s">ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4</span><span class="p">;</span> <span class="kn">ssl_protocols</span> <span class="s">TLSv1</span> <span class="s">TLSv1.1</span> <span class="s">TLSv1.2</span><span class="p">;</span> <span class="kn">ssl_prefer_server_ciphers</span> <span class="no">on</span><span class="p">;</span> <span class="kn">include</span> <span class="s">enable-php5.conf</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/nginx_status</span> <span class="p">{</span> <span class="kn">stub_status</span> <span class="no">on</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">.*\.(gif|jpg|jpeg|png|bmp|swf)$</span> <span class="p">{</span> <span class="kn">expires</span> <span class="s">30d</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">.*\.(js|css)?$</span> <span class="p">{</span> <span class="kn">expires</span> <span class="s">12h</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">/.well-known</span> <span class="p">{</span> <span class="kn">allow</span> <span class="s">all</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">/\.</span> <span class="p">{</span> <span class="kn">deny</span> <span class="s">all</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="n">/</span><span class="p">{</span> <span class="kn">if</span> <span class="s">(!-e</span> <span class="nv">$request_filename</span><span class="s">)</span><span class="p">{</span> <span class="kn">rewrite</span> <span class="s">^/(.*)</span>$ <span class="n">/index.php?s=</span><span class="nv">$1</span> <span class="s">last</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kn">access_log</span> <span class="n">/home/wwwlogs/test001.log</span><span class="p">;</span> <span class="p">}</span> </code></pre> apgeypeu Wed, 04 Oct 2017 10:31:34 +0800 https://ruby-china.org/topics/34320 https://ruby-china.org/topics/34320 各位大佬帮忙看个 Nginx 的问题 <p>各位大佬帮忙看个 Nginx 的问题</p> <p>程序前台访问一些内容,然后用 Nginx 的 auth 模块加了一层验证,如果 token 正确就返回 200,错误就返回 401</p> <p>但是我这里用前台传过来的</p> <p>key:x-auth-token value:834d4531-035b-475f-96bf-b54b1be2bce0</p> <p>让 nginx 往后端传的时候</p> <p><img src="https://l.ruby-china.com/photo/2017/0029eb79-3a81-4546-981b-15f3c885b043.png!large" title="" alt=""></p> <p>X-auth-token $http_x-auth-token</p> <p><img src="https://l.ruby-china.com/photo/2017/30019303-afc3-41ab-b300-ea6f821cb509.png!large" title="" alt=""></p> <p>后端接到的 value 却变成了 </p> <p>key:x-auth-token value:-auth-token</p> <p>求大佬帮忙看看为什么获取不到前台的 x-auth-token 变量</p> xandy5004 Tue, 26 Sep 2017 21:30:10 +0800 https://ruby-china.org/topics/34263 https://ruby-china.org/topics/34263 Windows 版 request.getScheme () 如何获取 https <p>windows 下 nginx-1.12.1 实现 http 转 https。 nginx.conf</p> <pre class="highlight conf"><code><span class="n">server</span> { <span class="n">listen</span> <span class="m">80</span>; <span class="n">server_name</span> *.<span class="n">cn</span>; <span class="n">rewrite</span> ^(.*)$ <span class="n">https</span>://$<span class="n">host</span>$<span class="m">1</span> <span class="n">permanent</span>; } <span class="n">proxy_set_header</span> <span class="n">Host</span> $<span class="n">host</span>; <span class="n">proxy_set_header</span> <span class="n">X</span>-<span class="n">Real</span>-<span class="n">IP</span> $<span class="n">remote_addr</span>; <span class="n">proxy_set_header</span> <span class="n">X</span>-<span class="n">Forwarded</span>-<span class="n">For</span> $<span class="n">proxy_add_x_forwarded_for</span>; <span class="n">proxy_set_header</span> <span class="n">X</span>-<span class="n">Forwarded</span>-<span class="n">Proto</span> $<span class="n">scheme</span>; <span class="n">proxy_set_header</span> <span class="n">X</span>-<span class="n">Forwarded</span>-<span class="n">Scheme</span> $<span class="n">scheme</span>; </code></pre> <p>tomcat 的 server.xml 增加:</p> <pre class="highlight erb"><code><span class="nt">&lt;Valve</span> <span class="na">className=</span><span class="s">"org.apache.catalina.valves.RemoteIpValve"</span> <span class="na">remoteIpHeader=</span><span class="s">"X-Forwarded-For"</span> <span class="na">protocolHeader=</span><span class="s">"X-Forwarded-Proto"</span> <span class="na">protocolHeaderHttpsValue=</span><span class="s">"https"</span><span class="nt">/&gt;</span> </code></pre> <p>jsp 中:String path = request.getContextPath(); String basePath = request.getScheme() + "://" request.getServerName() + ":" + request.getServerPort() 取到的仍然是 http,不是 https</p> dudm6911 Mon, 18 Sep 2017 10:11:52 +0800 https://ruby-china.org/topics/34158 https://ruby-china.org/topics/34158 请问各路大侠 nginx 怎么绑定.pro 后缀的域名 <p>请问各路大侠 nginx 怎么绑定.pro 后缀的域名</p> cison Fri, 15 Sep 2017 15:41:25 +0800 https://ruby-china.org/topics/34140 https://ruby-china.org/topics/34140 使用 Nginx 搭建文件下载服务器,但点击下载,响应时间随文件大小变大而增加 <p>设置如下:</p> <pre class="highlight conf"><code><span class="n">server</span> { <span class="n">listen</span> <span class="m">8110</span>; <span class="n">server_name</span> <span class="n">localhost</span>; <span class="n">access_log</span> /<span class="n">root</span>/<span class="n">log</span>; <span class="n">root</span> /<span class="n">pathto</span>/<span class="n">dowloads</span>; <span class="n">autoindex</span> <span class="n">on</span>; <span class="n">autoindex_exact_size</span> <span class="n">off</span>; <span class="n">autoindex_localtime</span> <span class="n">on</span>; } </code></pre> <p>请问有什么其他设置可以改进体验吗?</p> <p>比如: <a href="https://mirrors.tuna.tsinghua.edu.cn/anaconda/archive/" rel="nofollow" target="_blank">https://mirrors.tuna.tsinghua.edu.cn/anaconda/archive/</a> 这个网站,也是用 nginx 搭建的,点击要下载的文件,马上就跳出下载框了。 然而我的,几十兆的文件都要等半天才会跳出下载框。</p> <p>求教。</p> sujielei Tue, 22 Aug 2017 17:48:41 +0800 https://ruby-china.org/topics/33901 https://ruby-china.org/topics/33901 为何 Nginx 只有部分域名能进去 <p>接手到旧后台的服务器,目前只能访问他以前的域名,换回我自己的前缀却不可以,求解 <img src="https://l.ruby-china.com/photo/2017/068f744e-cdd7-415e-9558-e5b2acb3a347.jpg!large" title="" alt=""></p> <p><img src="https://l.ruby-china.com/photo/2017/b854ae18-dbed-4d30-9cd4-60acedb8b30f.png!large" title="" alt=""></p> AgainCheng Tue, 22 Aug 2017 11:05:39 +0800 https://ruby-china.org/topics/33898 https://ruby-china.org/topics/33898 求助正则大神!!!NGINX 静态目录如何仅代理子目录下的文件!? <p>如题,有以下应用场景,用 nginx 代理 D 盘下 d:/data 目录,想通过路由,如<a href="http://localhost/data/test.txt" rel="nofollow" target="_blank">http://localhost/data/test.txt</a> 去访问 d:/data/20170820/test.txt 这个文件,我的 location 配置应该如何写?要不要用正则?要不要中 rewrite,可是我两者都不熟啊大神们!!!求助 ing<img title=":sweat_smile:" alt="😅" src="https://twemoji.ruby-china.com/2/svg/1f605.svg" class="twemoji"> 这是静态目录的结构: <img src="https://l.ruby-china.com/photo/2017/b346a33c-fe43-45db-9607-a63c771acbfc.jpg!large" title="" alt=""> 这是 20170820 目录下文件存放的方式: <img src="https://l.ruby-china.com/photo/2017/1d803802-96f3-4935-84c3-87c7e6c24c68.jpg!large" title="" alt=""> 求助大神!</p> a814503592 Sun, 20 Aug 2017 10:57:18 +0800 https://ruby-china.org/topics/33885 https://ruby-china.org/topics/33885