基于docker运行Nacos单机版 前言　Nacos是更易于构建云原生应用的动态服务发现、服务配置和服务管理平台。{card-describe title="Nacos特点:"}服务发现和服务健康检测动态配置服务动态DNS服务{/card-describe}部署数据库配{message type="success" content="使用自己已经运行的mysql服务，进行建库、授权、初始化等操作。"/}#登录 mysql -uroot -pxxxxx -h127.0.0.1 #建库 CREATE DATABASE `nacos` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; create user 'nosuser'@'%' IDENTIFIED BY 'nosuserxxx'; grant all privileges on nacos.* to 'nosuser'@'%'; flush privileges; #初始化 mysql -uroot -pxxxxx -h127.0.0.1 nacos < db/mysql-init.sql启动nacos单机版docker-compose.ymlversion: "3.8" services: nacos: image: nacos/nacos-server:${NACOS_VERSION} container_name: nacos-standalone-mysql env_file: - ./env/nacos-standlone-mysql.env volumes: - /var/log/nacos/:/home/nacos/logs ports: - "8848:8848" - "9848:9848" - "9555:9555" restart: alwaysnacos-standlone-mysql.envPREFER_HOST_MODE=hostname MODE=standalone SPRING_DATASOURCE_PLATFORM=mysql MYSQL_SERVICE_HOST=数据库IP地址 MYSQL_SERVICE_DB_NAME=nacos MYSQL_SERVICE_PORT=3306 MYSQL_SERVICE_USER=nosuser MYSQL_SERVICE_PASSWORD=nosuserxxx MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false&allowPublicKeyRetrieval=true启动docker-compose up -d测试web访问http://ip:8848/nacos/#/login 　默认密码:nacos/nacos{card-default label="登录页" width="75%"}{/card-default}参考nacos-docker

ss服务部署和客户端配置方法 ss服务端docker版version: "3.3" services: '8080.ss': image: shadowsocks/shadowsocks-libev network_mode: host environment: - SERVER_PORT=8080 - METHOD=aes-256-cfb - PASSWORD=xxxxx restart: alwaysgo版本tar xvf ss-go.tgz -C /opt cd /opt/ss-go sh install.sh sh run.sh{cloud title="ss-go.tgz" type="bd" url="https://pan.baidu.com/s/1a0mB95BTky3SzkdjaB_8oQ" password="ngqc"/}客户端配置{message type="success" content="IP地址为服务器的外网IP"/}{card-default label="客户端ase加密" width="70%"}{/card-default}{card-default label="客户端char加密" width="70%"}{/card-default}

利用Caddy替代nginx提供web服务 前言{callout color="#f0ad4e"}发现了一款新的web服务器Caddy，看介绍使用和配置都非常简单就尝试一下。{/callout}{card-default label="Caddy" width="75%"}{/card-default}部署系统基本配置参考： docker和docker-compose一键安装脚本docker-compose.ymlversion: "3.8" services: caddy: image: caddy:latest restart: always ports: - '80:80' - '443:443' environment: - 'SET_CONTAINER_TIMEZONE=true' - 'TZ=Asia/Shanghai' volumes: - ./conf:/etc/caddy - /opt/www/dl:/opt/www/dl - /var/log/caddy:/opt/logs networks: - caddy_net networks: caddy_net:Caddyfile配置{message type="success" content="文件服务器"/}:801 { encode zstd gzip root * /opt/res file_server { browse } }{message type="success" content="反向代理1"/}webzhan.xyz { tls admin@webzhan.xyz encode gzip log { output file /opt/logs/access.log } header / { Strict-Transport-Security "max-age=31536000;includeSubdomains;preload" } ## HTTP 代理配置 reverse_proxy fmail:3000 }{message type="success" content="反向代理2"/}v.webzhan.xyz { tls admin@webzhan.xyz encode gzip log { output file /opt/logs/v_access.log } reverse_proxy 172.23.0.1:81 file_server handle_errors { root * /etc/caddy/error rewrite * /error.html templates file_server } }{message type="success" content="php-fpm代理"/}v.webzhan.xyz { root * /www/web/v/ tls admin@webzhan.xyz encode gzip log { output file /opt/logs/v_access.log } php_fastcgi php:9000 { split .php index index.php } file_server handle_errors { root * /opt/caddy/error rewrite * /error.html templates file_server } }使用场景反向代理wordpress{message type="success" content="安装时跳转https报错，直接禁用当前域名的https，直接走前后端均走http协议"/}w.webzhan.xyz:80 { #tls admin@webzhan.xyz #header / { # Strict-Transport-Security "max-age=31536000;includeSubdomains;preload" #} encode gzip log { output file /opt/logs/w.log } ## HTTP 代理配置, ttrss服务IP地址+端口 reverse_proxy web:81 { header_up Host {host} header_up X-Real-IP {remote} header_up X-Forwarded-For {remote} header_up X-Forwarded-Port {server_port} header_up X-Forwarded-Proto {scheme} } }chrome浏览器清理https自动跳转浏览器地址栏输入 "chrome://net-internals/#hsts"通过 "Domain Security Policy"删除即可{card-default label="删除" width="75%"}{/card-default}直接使用caddy+phpw.webzhan.xyz { tls admin@webzhan.xyz encode gzip root * /www/web/wp log { output file /opt/logs/w.log } php_fastcgi php:9000 { # some php_fastcgi-specific subdirectives split .php index index.php } file_server }特殊目录设置访问密码docker exec -it vlive_caddy_1 sh caddy hash-passwordv.webzhan.xyz { tls admin@webzhan.xyz encode gzip root * /www/web/v log { output file /opt/logs/v.log } #header / { # Strict-Transport-Security "max-age=31536000;includeSubdomains;preload" #} ### HTTP 代理配置 #reverse_proxy web:80 php_fastcgi php:9000 { # some php_fastcgi-specific subdirectives split .php index index.php } file_server #错误处理 handle_errors { root * /www/web/err rewrite * /error.html templates file_server } #访问认证 basicauth /p/* { vlive $2a$14$DIjtbTxbUSZHfHJUrjuU9.45SlrcwICIXNVSwVxehsnHhTXBBNNsi } }{card-default label="访问认证" width="80%"}{/card-default}

web服务nginx的安装与常用配置 前言{callout color="#f0ad4e"}Nginx (engine x) 是一个高性能的HTTP和反向代理web服务器。其特点是占有内存少，并发能力强，事实上nginx的并发能力确实在同类型的网页服务器中表现较好，使用方面。{/callout}{card-default label="nginx作用" width="75%"}{/card-default}精彩文章: 万字总结，体系化带你全面认识 Nginx ！基本使用安装#安装 yum -y install nginx ## 日志目录 mkdir /data/log/nginx/ && chown -R nginx:nginx /data/log/nginx/ ## 缓存目录 mkdir -p /var/cache/nginx/ && chown -R nginx:nginx /var/cache/nginx/配置文件{message type="success" content="配置文件 /etc/nginx/nginx.conf"/}user nobody; worker_processes auto; #nginx对外提供web服务时的worker进程数 error_log /data/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; #设置可由一个worker进程同时打开的最大连接数 } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /data/log/nginx/access.log main buffer=32k flush=30s; server_tokens off; #关闭在错误页面中的nginx版本数字 client_max_body_size 100m; sendfile on; #可以让sendfile函数发挥作用。sendfile函数可以在磁盘和TCP socket之间互相拷贝数据(或任意两个文件描述符) tcp_nopush on; #告诉nginx在一个数据包里发送所有头文件，而不一个接一个的发送 tcp_nodelay on; #不缓存数据 keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; #ssl 配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=63072000; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; #nginx缓存 fastcgi_cache_path /var/cache/nginx/ levels=1:2 keys_zone=wordpress:10m inactive=30m use_temp_path=off; fastcgi_cache_key $request_method$scheme$host$request_uri; fastcgi_cache_use_stale error timeout invalid_header updating http_500; fastcgi_cache_valid 200 301 302 10h; fastcgi_cache_valid 404 10m; fastcgi_ignore_headers Expires Set-Cookie Vary; #启动gzip gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_comp_level 7; gzip_types text/css text/plain text/javascript application/javascript application/json application/x-javascript application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml image/jpeg image/gif image/png image/icon image/bmp image/jpg; gzip_vary on; # for more information. include /etc/nginx/conf.d/*.conf; } {card-describe title="配置说明"}main 全局配置，对全局生效；events 配置影响 Nginx 服务器与用户的网络连接；http 配置代理，缓存，日志定义等绝大多数功能和第三方模块的配置；server 配置虚拟主机的相关参数，一个 http 块中可以有多个 server 块；location 用于配置匹配的 uri ；upstream 配置后端服务器具体地址，负载均衡配置不可或缺的部分；{/card-describe}{card-default label="层级结构" width="50%"}{/card-default}启动服务systemctl enable --now nginx高级用法泛域名强制跳转{card-describe title="rewrite.conf"}server { listen 80; server_name *.chreagent.com; return 301 https://$http_host$request_uri; } {/card-describe}多级代理获取用户真实IP地址隐藏内容，请前往内页查看详情反向代理配置示例{message type="success" content="包括wss反代配置"/}server { listen 443 ssl http2; server_name mon.itbunan.xyz; server_tokens off; ssl_certificate /etc/nginx/cert/mon.itbunan.xyz_bundle.crt; ssl_certificate_key /etc/nginx/cert/mon.itbunan.xyz.key; ssl_protocols TLSv1.2 TLSv1.3; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; location /ws { proxy_redirect off; proxy_pass http://172.17.0.10:8008; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr:$remote_port; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; } location / { proxy_pass http://172.17.0.10:8008; proxy_set_header Host $host; proxy_set_header Cookie $http_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_cookie_path / "/; httponly; secure; SameSite=Lax"; proxy_redirect http:// https://; add_header Content-Security-Policy upgrade-insecure-requests; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET,POST,DELETE'; add_header 'Access-Control-Allow-Header' 'Content-Type,*'; } }基于客户端IP做并发访问控制在主配置文件内添加 # 针对原始用户 IP 地址做限制 ## 用户的 IP 地址 $binary_remote_addr 作为 Key，每个 IP 地址最多有 50 个并发连接 ## 你想开 几千个连接 刷死我？ 超过 50 个连接，直接返回 503 错误给你，根本不处理你的请求了 limit_conn_zone $binary_remote_addr zone=TotalConnLimitZone:20m ; limit_conn TotalConnLimitZone 50; limit_conn_log_level notice; ## 针对原始用户 IP 地址做限制 ## 用户的 IP 地址 $binary_remote_addr 作为 Key，每个 IP 地址每秒处理 10 个请求 ## 你想用程序每秒几百次的刷我，没戏，再快了就不处理了，直接返回 503 错误给你 limit_req_zone $binary_remote_addr zone=ConnLimitZone:20m rate=10r/s; #limit_req zone=ConnLimitZone burst=10 nodelay; #如果开启此条规则，burst=10的限制将会在nginx全局生效 limit_req_log_level notice;配置需要限制访问频率的server## 具体服务器配置 server { listen 80; location ~ \.php$ { ## 最多 5 个排队， 由于每秒处理 10 个请求 + 5个排队，你一秒最多发送 15 个请求过来，再多就直接返回 503 错误给你了 limit_req zone=ConnLimitZone burst=5 nodelay; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; } 利用计划任务自动更新#每小时58分更新一次 58 * * * * /usr/bin/sh /opt/scripts/add_blackip_for_ddos.sh > /dev/null 2>&1 #没3分钟更新一次 */3 * * * * /usr/bin/sh /opt/scripts/add_blackip_for_ddos_per_min.sh > /dev/null 2>&1{card-describe title="add_blackip_for_ddos.sh"}#!/bin/bash h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'` zjlog='/data/log/nginx/itbunan_access.log' conf='/www/server/panel/vhost/nginx/blackip.conf' #筛选攻击IP tail -n 5000000 $zjlog | grep "$h_time" |awk '{print $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf{/card-describe}{card-describe title="add_blackip_for_ddos_per_min.sh"}#!/bin/bash h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'` zjlog='/data/log/nginx/itbunan_access.log' conf='/www/server/panel/vhost/nginx/blackip.conf' #筛选攻击IP tail -n 5000000 $zjlog | grep "$h_time" |awk '{print $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf{/card-describe}配置加载nginx -s reload查看当前生效配置nginx -T调试lua脚本{message type="success" content="修改nginx配置文件"/}#error_log /home/wwwlogs/nginx_error.log crit; error_log /home/wwwlogs/nginx_error.log debug;网关全站置灰# 修改配置文件nginx.conf http { sub_filter '</head>' '<style type="text/css">html {-webkit-filter: grayscale(.95);}</style></head>'; sub_filter_once on; ... }FAQ清除缓存rm -rf /var/cache/nginx/*隐藏nginx版本号# 修改配置文件,添加 server_tokens off;

centos7系统下安装nginx+php服务 {card-default label="php测试" width="80%"} {/card-default}前言{callout color="#f0ad4e"}nginx + php 用于运行大部分php开发的网站。前几篇文章，都是是运行与docker下的。如果系统不方便使用docker，直接在系统内配置 nginx+php服务{/callout}安装软件yum install nginx yum install php php-xml php-mysql php-mongo php-redis php-memcache php-intl php-mbstring php-mcrypt php-pecl-swoole php-xcache php-pecl-xhprof php-fpm php-opcache配置php-fpm/etc/php.ini隐藏内容，请前往内页查看详情/etc/php-fpm.confinclude=/etc/php-fpm.d/*.conf [global] pid = /var/run/php-fpm/php-fpm.pid error_log = /var/log/php-fpm/php_error.log/etc/php-fpm.d/www.conf[www] listen = /var/run/php-fpm/php-fpm.sock listen.allowed_clients = 127.0.0.1 listen.owner = nginx listen.group = nginx listen.mode = 0660 listen.backlog = 16384 user = nginx group = nginx pm = static pm.max_children = 20 pm.start_servers = 10 pm.min_spare_servers = 10 pm.max_spare_servers = 35 pm.max_requests = 10000 request_terminate_timeout = 180 request_slowlog_timeout = 30 slowlog = /var/log/php-fpm/www-slow.log ;access.log = /opt/servicelogs/php-fpm/access.$pool.log ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{seconds}d %{megabytes}M %{user}C%%" ;ping.path = /php70fpm-ping ;pm.status_path = /phpfpm70-statusnginx/etc/nginx/nginx.conf隐藏内容，请前往内页查看详情/etc/nginx/conf.d/my-wordpress.com.confserver { listen 80 http2; server_name www.chreagent.com chreagent.com; # 请换成自己的域名 rewrite ^(.*) https://$server_name$1 permanent; } server { listen 80 http2; listen 443 ssl http2; server_name www.my-wordpress.com my-wordpress.com; charset utf-8; ssl_certificate "/etc/nginx/ssl/server.crt"; ssl_certificate_key "/etc/nginx/ssl/server.key"; set $host_path "/var/www/html/chreagent"; error_log /var/log/nginx/error_chreagent.log; access_log /var/log/nginx/acc_chreagent.log; root $host_path; # 缓存标记 set $skip_cache 0; if ($query_string != "") { set $skip_cache 1; } if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|sitemap(_index)?.xml") { set $skip_cache 1; } # 登录用户或发表评论者 if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; } location = / { index index.php index.html; try_files /index.php?$args /index.php?$args; } location / { index index.php index.html; try_files $uri $uri/ /index.php?$args; } location ~ ^/\.user\.ini { deny all; } location ~ \.php$ { try_files $uri =404; fastcgi_index index.php; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_cache wordpress; fastcgi_cache_valid 200 301 302 30m; fastcgi_cache_valid 404 10m; fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; fastcgi_cache_lock on; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; #fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/"; include fastcgi_params; } location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar|jpeg)$ { expires max; access_log off; try_files $uri =404; } }启动systemctl enable --now php-fpm systemctl enable --now nginx

centos7部署rsync服务进行数据同步 前言{callout color="#f0ad4e"}rsync的目的是实现本地主机和远程主机上的文件同步。{/callout}安装yum install rsync配置{card-describe title="/etc/rsyncd.conf"}port = 873 use chroot = no uid = nginx gid = nginx max connections = 200 timeout = 600 pid file = /var/run/rsyncd.pid lock file = /var/run/rsyncd.lock log file = /var/log/rsyncd.log [games_frontend] path = /opt/project/gamestore/games_frontend/ ignore errors read only = no auth users = gameh5 secrets file = /etc/rsyncd.secrets{/card-describe}{card-describe title="/etc/rsyncd.secrets"}gameh5:Z@W8KtBL{/card-describe}启动systemctl enable --now rsyncd数据同步rsync -azP --delete gameh5@172.16.4.10::c_h5 ./c_h5 --password-file=rsync.secrets{card-describe title="rsync.secrets"}Z@W8KtBL{/card-describe}{card-default label="结果展示" width="75%"}{/card-default}

通过rsync同步日志数据-从windows到centos 前言介绍{callout color="#f0ad4e"}　有一台服务器服务是部署在windows下的，平时linux用惯的人，在windows下不会干活了，于是折腾了半天，通过脚本每天将日志同步到centos下去分析。{/callout}{card-describe title="系统版本信息"}windows server 2012R2centos 7.9cwRsyncServer_4.1.0{/card-describe}windows下安装CWRsync并配置软件下载地址：隐藏内容，请前往内页查看详情安装目录 开始->程序->cwRsyncServer设置用户名密码SvcCWRSYNC RsyncUser123@ RsyncUser123@编辑 rsyncd.conf 服务配置文件use chroot = false strict modes = false hosts allow = xx.xx.xx.xx log file = rsyncd.log [superxpay] path = /cygdrive/c/publish read only = yes transfer logging = yes uid = 0 gid = 0启动{message type="success" content=" 输入 services.msc , 找到 RsyncServer 启动并设置为自动"/}{card-default label="rsync设置" width="75%"}{/card-default}centos 安装rsync客户端端口测试nc -z -v -w 10 xxx.xxx.xxx.xxx 873 配置rsync脚本cd /opt/scripts #密码文件 echo "RsyncUser123@" > .rsync_user.pwd && chmod 600 .rsync_user.pwd同步脚本 rsync_log.sh#!/bin/bash BACKUP_DIR="/data/superxpay" [ ! -d $BACKUP_DIR ] && mkdir -p $BACKUP_DIR rsync -avz --progress --delete --password-file=/opt/scripts/rsync_user.pwd SvcCWRSYNC@xx.xx.xx.xx::superxpay $BACKUP_DIR手动同步 sh /opt/scripts/sync_log.sh 编码转换脚本 gbk_to_utf.sh#!/bin/bash #提取最新日志，转换编码并输出到logs LOG_DIR='/data/superxpay' TO='./logs/' echo "=============update logs================" #管理后台日志 for f_group in {Manage,User} #多个文件 do for log_level in {Debug,Error,Info} #日志级别 do filename=`ls -l ${LOG_DIR}/ipay88.${f_group}/Log/${log_level} | tail -n 1 | awk '{print $9}'` iconv -f GBK -t UTF-8 ${LOG_DIR}/ipay88.${f_group}/Log/${log_level}/${filename} -o ${TO}/${f_group}-${filename} echo ${TO}/${f_group}-${filename} done done #管理后台日志 f_group='Web' for log_level in {Debug,Error,Info} #日志级别 do filename=`ls -l ${LOG_DIR}/iPay88.${f_group}/Log/${log_level} | tail -n 1 | awk '{print $9}'` iconv -f GBK -t UTF-8 ${LOG_DIR}/iPay88.${f_group}/Log/${log_level}/${filename} -o ${TO}/${f_group}-${filename} echo ${TO}/${f_group}-${filename} doneFAQwindow下rsync启动报错{message type="success" content="报错@ERROR: chdir failedrsync error: error starting client-server protocol (code 5) at main.c(1649) [Receiver=3.1.2]"/}{card-describe title="解决"}右键 C:\publish进入 属性>安全, "添加"用户， 输入对象名称为SvcCWRSYNC， 并将SvcCWRSYNC的权限设置为 所有都允许。重新启动 cwRsyncServer{/card-describe}