mod_jk or mod_proxy_ajp ?

A Tomcat servlet container can be put behind an Apache web server using the AJP protocol, which carries all request information from Apache to Tomcat. There are two implementations of the AJP module:

  • mod_jk, which must be installed separately
  • mod_proxy_ajp, which has been a standard module since Apache 2.2

They both use the AJP protocol, so they both provide the same basic functionality.

The advantage of mod_jk is its JkEnvVar directive, which allows any environment variable to be sent from Apache to Tomcat as a request attribute. If you need, for example, the SSL_CLIENT_S_DN variable carrying the SSL certificate DN provided by mod_ssl, or the AUTHENTICATE_CN variable provided by mod_ldap, mod_jk can be told to send it simply with:

<IfModule mod_jk.c>
   JkEnvVar SSL_CLIENT_S_DN
</IfModule>

while with mod_proxy_ajp you have to use mod_rewrite to prepend the AJP_ prefix to the variables you want to send:

<IfModule mod_proxy_ajp.c>
   RewriteRule .* - [E=AJP_SSL_CLIENT_S_DN:%{SSL:SSL_CLIENT_S_DN}]
</IfModule>

which is more complicated and forces you to enable mod_rewrite.

The advantage of mod_proxy_ajp is that it is a standard Apache module, so you do not need to compile and install it yourself.

An example configuration of mod_jk in the Apache httpd.conf file is as follows:

<IfModule mod_jk.c>
 # a list of Tomcat instances
 JkWorkerProperty worker.list=tomcatA,tomcatB
 # connection properties to instance A on localhost
 JkWorkerProperty worker.tomcatA.type=ajp13
 JkWorkerProperty worker.tomcatA.host=localhost
 JkWorkerProperty worker.tomcatA.port=8009
 # connection properties to instance B on some other machine
 JkWorkerProperty worker.tomcatB.type=ajp13
 JkWorkerProperty worker.tomcatB.host=zeus.example.com
 JkWorkerProperty worker.tomcatB.port=8009
 # some other configuration
 JkLogFile "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/mod_jk.log"
 JkLogLevel error
 JkShmFile /var/log/apache2/jk.shm
 JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
 # forwarding URL prefixes to Tomcat instances
 JkMount /opencms tomcatA
 JkMount /otherapp tomcatB
</IfModule>

An example configuration of mod_proxy_ajp:

<IfModule mod_proxy_ajp.c>
 <Location "/opencms">
   Allow from all
   ProxyPass ajp://localhost:8009/opencms
 </Location>
 <Location "/otherapp">
   Allow from all
   ProxyPass ajp://zeus.example.com:8009/otherapp
 </Location>
</IfModule>

So mod_jk has the more flexible configuration, but needs a separate installation and its configuration is more complex. If you have no special requirements, go for mod_proxy_ajp. If you need something special, such as using Apache's authentication modules to secure applications running in Tomcat, go for mod_jk.

New site configuration

If you are running OpenCms (6.0 or greater) in Tomcat behind an Apache front end (with mod_jk or mod_proxy_ajp, NOT mod_proxy in HTTP mode), there are three basic steps to configuring a new site in your installation:

Create the containing folder for the site in the OpenCms Explorer

In the OpenCms Explorer view, change to the ‘/’ site, go into the ‘sites’ folder, and create a new folder. The folder name is case-sensitive, so keep track of exactly what you entered. For the examples that follow, we’ll assume the creation of a /sites/MyNewSite folder.

Add site information to OpenCms’s configuration

In order to make your new site available within OpenCms (i.e. displayed in the site list of the workplace), you need to modify the opencms-system.xml configuration file, located in <opencmsroot>/WEB-INF/config/.

Find the section of opencms-system.xml that looks like:

 <sites>
    <workplace-server>http://www.mysite.com</workplace-server>
    <default-uri>/sites/default/</default-uri>
    <site server="www.mysite.com" uri="/sites/default/"/>
 </sites>

and add another site definition as follows:

    <site server="www.mynewsite.com" uri="/sites/MyNewSite/"/>

This tells OpenCms that when it receives a request for www.mynewsite.com, it should serve that request out of the MyNewSite container. I believe you have to restart Tomcat or reload OpenCms for this config file to be reread.

Adjust OpenCms automatic link generation (static export, module-resources)

This configuration is only valid if OpenCms is installed as the ROOT application in Tomcat. Edit the file WEB-INF/config/opencms-importexport.xml in your OpenCms installation and change the content of the <vfs-prefix> tag to empty:

<rendersettings>
  <rfs-prefix>${CONTEXT_NAME}/export</rfs-prefix>
  <vfs-prefix></vfs-prefix>
</rendersettings>

Then all links will have an empty prefix, i.e. a link to the file /dir/file.html will be /dir/file.html instead of /opencms/dir/file.html.

Configuring the Apache WebServer

httpd.conf

Add the following lines to the httpd.conf file, if not already present, to load the needed modules. Other Apache distributions recommend configuring the modules to load in different locations: for Apache 2.2 on SuSE releases this is done in /etc/sysconfig/apache2; on Debian, use the a2enmod command to link the files from /etc/apache2/mods-available to /etc/apache2/mods-enabled. In the end, the following lines need to be included somehow in the Apache configuration:

LoadModule jk_module modules/mod_jk.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so

After the modules are loaded they have to be configured.

mod_jk

If you use mod_jk, put the following there:

<IfModule mod_jk.c>
 JkWorkerProperty worker.list=ocms
 JkWorkerProperty worker.ocms.type=ajp13
 JkWorkerProperty worker.ocms.host=localhost
 JkWorkerProperty worker.ocms.port=8009
 JkLogFile "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/mod_jk.log"
 JkLogLevel error
 JkShmFile /var/log/apache2/jk.shm
 JkOptions +RejectUnsafeURI
 JkMount /opencms/* ocms
 JkMount /export/* ocms
 JkMount /resources/* ocms
 JkMountCopy All
</IfModule>

The JkMount directives forward requests for the OpenCms servlet at /opencms and for the directories /export and /resources to Tomcat. The JkMountCopy All directive applies these mounts to all virtual servers. If you plan to run some virtual servers without OpenCms, do not put the directives here, but mount the prefixes in each virtual server instead.

mod_proxy_ajp

If you use mod_proxy_ajp, put the following there:

<IfModule mod_proxy_ajp.c>
 <Location "/opencms">
   Allow from all
   ProxyPass ajp://localhost:8009/opencms
 </Location>
 <Location "/export">
   Allow from all
   ProxyPass ajp://localhost:8009/export
 </Location>
 <Location "/resources">
   Allow from all
   ProxyPass ajp://localhost:8009/resources
 </Location>
 <Location "/update">
   Allow from all
   ProxyPass ajp://localhost:8009/update
 </Location>
</IfModule>

Defining the virtual hosts

This configuration is for an OpenCms installation which is installed as the ROOT application in Tomcat.

<VirtualHost *:80>
  ServerName www.mysite.com
  ServerAdmin admin@example.com
  DocumentRoot "C:/Tomcat5.5/webapps/ROOT"
  ErrorLog logs/error.log

  # Allow accessing the document root directory
  <Directory "C:/Tomcat5.5/webapps/ROOT">
    Options FollowSymlinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  # If the requested URI is located in the resources folder, do not forward the request
  SetEnvIfNoCase Request_URI ^/resources/.*$ no-jk

  # If the requested URI is static content, do not forward the request
  SetEnvIfNoCase Request_URI ^/export/.*$ no-jk
  RewriteEngine On
  RewriteLog logs/rewrite.log
  RewriteLogLevel 1

  # Deny access to php files
  RewriteCond %{REQUEST_FILENAME} (.+)\.php(.*)
  RewriteRule (.*) / [F]

  # If the requested URI is NOT located in the resources folder:
  # prepend /opencms to everything that does not already start with it
  # and force the result to be handled by the next URI handler ([PT]) (JkMount in this case)
  RewriteCond %{REQUEST_URI} !^/resources/.*$
  RewriteCond %{REQUEST_URI} !^/export/.*$
  RewriteCond %{REQUEST_URI} !^/webdav.*$
  RewriteRule !^/opencms/(.*)$ /opencms%{REQUEST_URI} [PT]

  # These are the settings for static export. If the requested resource has not already
  # been statically exported, create a new request to the opencms404 handler. This has to be
  # a new request, because the current one would not get through mod_jk because of the "no-jk" var.
  RewriteCond %{REQUEST_URI} ^/export/.*$
  RewriteCond "%{DOCUMENT_ROOT}%{REQUEST_FILENAME}" !-f
  RewriteCond "%{DOCUMENT_ROOT}%{REQUEST_FILENAME}/index_export.html" !-f
  RewriteRule .* /opencms/handle404?exporturi=%{REQUEST_URI}&%{QUERY_STRING} [P]

  JkMount /* ocms
</VirtualHost>

This redirect doesn't work with OpenCms 7.5.1 for static export:

RewriteRule .* /opencms/handle404?exporturi=%{REQUEST_URI}&%{QUERY_STRING} [P]

so I changed it to:

RewriteRule .* http://127.0.0.1:8080/opencms/handle404?exporturi=%{REQUEST_URI}&%{QUERY_STRING} [P]

After the configuration is finished the Apache WebServer needs to be restarted.

Alternative definition

The previous definition is too complex; here is my simpler definition, which works for me:

<VirtualHost 147.251.9.183:80 >
   ServerAdmin admin@example.com
   ServerName www.mysite.com
   DocumentRoot /var/www/mysite
   <Directory /var/www/mysite>
       Options Indexes MultiViews
       AllowOverride None
       Order allow,deny
       allow from all
   </Directory>
   RewriteEngine On
   RewriteRule ^/$ /opencms/ [passthrough]
   RewriteCond %{REQUEST_URI} !^/opencms/.*$
   RewriteCond %{REQUEST_URI} !^/export/.*$
   RewriteCond %{REQUEST_URI} !^/resources/.*$
   RewriteCond %{REQUEST_URI} !^/error/.*$
   RewriteCond %{REQUEST_URI} !^/icons/.*$
   RewriteCond %{REQUEST_URI} !^/update/.*$
   RewriteRule .* /opencms%{REQUEST_URI} [QSA,passthrough]
</VirtualHost>

The configuration rewrites all requests by prepending /opencms, except requests that already carry the prefix, or that go to static files, Apache error pages or Apache file icons.

Configuring Tomcat

Make sure the connector used by Apache mod_jk is configured in the server.xml file.

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- If Apache runs on the same host, add address="127.0.0.1" so the AJP port
     is not reachable from the network; only the zeus.example.com case above needs it open -->
<Connector port="8009"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Mysql backup

#!/usr/bin/env bash
# Dump every non-system database to a dated, gzipped file and prune old dumps.
# Note: a password given on the command line is visible in the process list;
# a ~/.my.cnf for the backup user avoids that.

USER=""
PASSWORD=""
OUTPUTDIR=""
DAYS_TO_KEEP=60

# List databases, stripping the table borders and the "Database" header line
databases=$(mysql -u"$USER" -p"$PASSWORD" -e "SHOW DATABASES;" | tr -d "| " | grep -v Database)
cd "$OUTPUTDIR" || exit 1
for db in $databases; do
    # Skip the system schemas and anything whose name starts with an underscore
    if [[ "$db" != "information_schema" ]] && [[ "$db" != "performance_schema" ]] && [[ "$db" != "mysql" ]] && [[ "$db" != _* ]] ; then
        echo "Dumping database: $db"
        mysqldump -u"$USER" -p"$PASSWORD" --databases --events "$db" | gzip > "$(date +%Y%m%d).$db.sql.gz"
    fi
done
# Remove dumps older than DAYS_TO_KEEP days
find "$OUTPUTDIR" -name '*.gz' -type f -ctime +"$DAYS_TO_KEEP" -exec rm '{}' ';'

How to install Fail2ban in rhel 6 & 7

What is fail2ban?

Fail2ban works by scanning and monitoring log files for selected entries, then banning IPs that show malicious signs such as too many password failures, probing for exploits, etc.


1. Install Fail2Ban

For RHEL 6

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

For RHEL 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install fail2ban

2. Copy the Configuration File

The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. Configuration changes should not be made in that file, since it can be overwritten by package upgrades; instead copy it so that we can make our changes safely.

We need to copy it to a file called jail.local for fail2ban to find it:


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


3. Configure defaults in jail.local

The first section of defaults covers the basic rules that fail2ban applies to all services enabled for fail2ban that are not overridden in the service's own section. If you want to set up more nuanced protection for your server, you can customize the details in each section.

You can see the default section below.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using a space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

4. Add a jail file to protect SSH

Although you can add these parameters in the global jail.local file, it is good practice to create separate jail files for each of the services we want to protect with Fail2Ban.

So let's create a new jail for SSH with the vi editor.

vi /etc/fail2ban/jail.d/sshd.local

In the above file, add the following lines:

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 3
bantime = 3600
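How these settings interact, as an added example that is not part of the original post: a small Python re-implementation of the counting rule behind the [sshd] jail, run over constructed /var/log/secure lines. It applies ignoreip, counts only failures that fall inside the findtime window, bans at maxretry and honours bantime, so a jail configuration can be checked against sample log data before it is deployed. The names (scan, SAMPLE_LOG) and the log lines are mine.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings mirroring the [DEFAULT] and [sshd] sections above
IGNOREIP = ["127.0.0.1"]   # IPs or CIDR masks never banned (DNS names not handled here)
FINDTIME = 600             # seconds: window in which failures are counted
MAXRETRY = 3               # failures inside FINDTIME that trigger a ban
BANTIME = 3600             # seconds a ban lasts

# Simplified version of fail2ban's sshd filter for /var/log/secure entries
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def ignored(ip):
    """True if ip falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def scan(lines, year=2019):
    """Replay log lines and return {ip: time_of_ban} for hosts that reach
    MAXRETRY failures within a FINDTIME window, honouring ignoreip and bantime."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    banned = {}                    # ip -> datetime the ban started
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue               # not a failed login; fail2ban ignores it too
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        if ignored(ip):
            continue
        if ip in banned:
            if ts - banned[ip] < timedelta(seconds=BANTIME):
                continue           # already banned; nothing new to do
            del banned[ip]         # ban expired, start counting afresh
        # Drop failures that have fallen out of the findtime window
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= MAXRETRY:
            banned[ip] = ts
            failures[ip] = []
    return banned


# Constructed sample of /var/log/secure lines (not taken from a real host)
SAMPLE_LOG = [
    # three failures from 198.51.100.7, but each 15 minutes apart: never inside one findtime window
    "Feb  3 09:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Feb  3 09:15:02 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Feb  3 09:30:03 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    # three failures from 203.0.113.5 within 20 seconds: banned on the third
    "Feb  3 10:00:10 host sshd[1010]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Feb  3 10:00:20 host sshd[1011]: Accepted publickey for deploy from 192.0.2.9 port 50500 ssh2",
    "Feb  3 10:00:20 host sshd[1012]: Failed password for root from 203.0.113.5 port 50002 ssh2",
    "Feb  3 10:00:30 host sshd[1013]: Failed password for invalid user oracle from 203.0.113.5 port 50003 ssh2",
    # failures from localhost are covered by ignoreip
    "Feb  3 10:01:00 host sshd[1014]: Failed password for root from 127.0.0.1 port 50010 ssh2",
    "Feb  3 10:01:05 host sshd[1015]: Failed password for root from 127.0.0.1 port 50011 ssh2",
    "Feb  3 10:01:10 host sshd[1016]: Failed password for root from 127.0.0.1 port 50012 ssh2",
]


def main():
    for ip, when in scan(SAMPLE_LOG).items():
        # This is the event the iptables-multiport action would act on
        print(f"ban {ip} at {when:%H:%M:%S} for {BANTIME}s")


if __name__ == "__main__":
    main()
```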

5. Restart Fail2Ban

service fail2ban restart

iptables -L

Check Fail2Ban Status

Use fail2ban-client command to query the overall status of the Fail2Ban jails.


fail2ban-client status

You can also query a specific jail status using the following command:

fail2ban-client status sshd

Manually Unban IP Banned by Fail2Ban

If for some reason you want to grant access to an IP that is banned, use the following command to manually unban an IP address banned by fail2ban:

fail2ban-client set JAIL unbanip IP

e.g. to unban IP 192.168.1.101, which was banned by the [sshd] jail:

fail2ban-client set sshd unbanip 192.168.1.101

Nginx: forcing http to redirect to https turns the interface's POST request into GET

The company intends to replace http with https in the Nginx environment, so http requests must be forced to redirect to https. An Internet search turns up basically the following methods.

In the server block, configure a rewrite:

rewrite ^(.*)$ https://$host$1 permanent;

Or, in the server block, return a 301:

return 301 https://$server_name$request_uri;

Or, in the server block, use an if; this is for the case where multiple domain names need to be configured:

if ($host ~* "^rmohan.com$") {
    rewrite ^/(.*)$ https://dev.rmohan.com/ permanent;
}

Or, in the server block, configure an error_page for code 497 (the code nginx uses when a plain http request arrives on the https port):

error_page 497 https://$host$uri?$args;

With any of these methods, visiting the website is no problem and the redirect works.

After the configuration was in place, the next step was to switch the APP's interface address to https. This is where the problem appeared.

Investigation found that GET requests still received their data, but nothing sent by POST arrived. I configured $request_body in the nginx log, and the logged request carried no parameters; looking at the preceding log lines, the POST had turned into a GET. That was the key to the problem.

An online search showed the cause was the 301. Replacing it with 307 solved the problem.

301 Moved Permanently: the requested resource has been permanently moved to a new location, and any future references to this resource should use one of the URIs returned in this response.

307 Temporary Redirect: the requested resource temporarily responds to requests from a different URI. Because such a redirection is temporary, the client should continue to send future requests to the original address.

From the above we can see that 301 is a permanent redirect and 307 is a temporary redirect. That is the difference between the 301 and 307 redirects.

The above may not look very clear, so to express the difference simply and directly:

return 307 https://$server_name$request_uri;

307: for a POST request, this indicates the request has not yet been processed, and the client should re-issue the POST to the URI in Location.

Changing to the 307 status code forces the redirected request to keep the original method.
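The behaviour described above, as an added example that is not part of the original post: a small Python HTTP server answers a POST with either 301 or 307 and points at /target, and a client follows the Location the way browsers do. Behind the 301 the resubmitted request arrives as a GET with an empty body, which is what the nginx $request_body log showed; behind the 307 the POST and its body survive. The server, the /redirect and /target paths and the form body are mine.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectDemo(BaseHTTPRequestHandler):
    """/redirect/<code> answers with that status and Location: /target.
    /target echoes the method and body it actually received as JSON."""

    def _read_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return self.rfile.read(length).decode() if length else ""

    def _redirect(self):
        code = int(self.path.rsplit("/", 1)[1])
        self._read_body()                       # drain the body, as the http vhost would
        self.send_response(code)
        self.send_header("Location", "/target")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _target(self):
        payload = json.dumps({"method": self.command, "body": self._read_body()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if self.path == "/target":
            self._target()
        else:
            self._redirect()

    do_POST = do_GET                            # same dispatch for POST

    def log_message(self, *args):               # keep the demo quiet
        pass


FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def follow_redirect(port, code, body="user=alice"):
    """POST to /redirect/<code>, then follow Location the way browsers do:
    301/302/303 -> re-issue as GET with no body; 307/308 -> repeat the POST unchanged."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("POST", f"/redirect/{code}", body=body, headers=FORM)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    if resp.status in (307, 308):
        conn.request("POST", location, body=body, headers=FORM)
    else:
        conn.request("GET", location)
    result = json.loads(conn.getresponse().read())
    conn.close()
    return result


def demo(codes=(301, 307)):
    """Run the server on a free localhost port and return {code: what /target saw}."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectDemo)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {code: follow_redirect(srv.server_address[1], code) for code in codes}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for code, seen in demo().items():
        print(f"{code}: target received {seen['method']} with body {seen['body']!r}")
```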

The following configuration lets 80 and 443 coexist:

Both ports are configured in one server block, with ssl added to the 443 listen. Comment out ssl on;, as follows:

server {
    listen 80;
    listen 443 ssl;
    server_name testapp.***.com;
    root /data/vhost/test-app;
    index index.html index.htm index.shtml index.php;
    #ssl on;
    ssl_certificate /usr/local/nginx/https/***.crt;
    ssl_certificate_key /usr/local/nginx/https/***.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    error_page 404 /404.html;
    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        #include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    access_log /data/logs/nginx/access.log access;
    error_log /data/logs/nginx/error.log crit;
}

The two-server-block version:

server {
    listen 80;
    server_name testapp.***.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443;
    server_name testapp.***.com;
    root /data/vhost/test-app;
    index index.html index.htm index.shtml index.php;
    ssl on;
    ssl_certificate /usr/local/nginx/https/***.crt;
    ssl_certificate_key /usr/local/nginx/https/***.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    error_page 404 /404.html;
    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        #include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    access_log /data/logs/nginx/access.log access;
    error_log /data/logs/nginx/error.log crit;
}

Some SSL optimization settings follow; use them according to your business needs, not all of them are required. The essential ones (highlighted in red in the original post) are enough for the usual case.

ssl on;
ssl_certificate /usr/local/https/www.localhost.com.crt;
ssl_certificate_key /usr/local/https/www.localhost.com.key;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # allow only TLS protocols
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;   # cipher suite; this is CloudFlare's Internet-facing SSL cipher configuration
# note: RC4 and TLS 1.0/1.1 are deprecated today; current deployments drop them
ssl_prefer_server_ciphers on;   # let the server pick the best cipher during negotiation
ssl_session_cache builtin:1000 shared:SSL:10m;   # session cache kept on the server; may take up more server resources
ssl_session_tickets on;   # enable the browser's session ticket cache
ssl_session_timeout 10m;   # SSL session expiration time
ssl_stapling on;   # OCSP stapling: OCSP is an online certificate-revocation query service; stapling caches the certificate's validity state on the server, speeding up the TLS handshake
ssl_stapling_verify on;   # verify the stapled OCSP response
resolver 8.8.8.8 8.8.4.4 valid=300s;   # DNS resolver used to look up the OCSP server
resolver_timeout 5s;   # timeout for that DNS lookup

ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.

Create a user in MySQL on Linux

Log in to mysql as root:

mysql -u root -p

Now create a user with the following command:

CREATE USER 'testdb'@'localhost' IDENTIFIED BY 'test123';

If you get the error shown above (ERROR 1820), you have to reset the root password in line with the MySQL password policy level. Simply use the command below to set the root password:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'Root@1234';

It will then show "Query OK, 0 rows affected (0.00 sec)".

Now try the user creation step again with a password that satisfies the policy.

If you don't want the password policy and want to create a user with some simple password, follow the steps below.

Log in to mysql as root:

mysql -u root -p

Then check the policy status with the command below:

SHOW VARIABLES LIKE 'validate_password%';

It will show output like the session below; you can see that validate_password_policy is MEDIUM.

Now change it to LOW so you can proceed your own way. Set the policy to LOW with the following command:

SET GLOBAL validate_password_policy=LOW;

Now check the password policy again as above. You will see something like the session below:

mysql> SET GLOBAL validate_password_length = 4;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 4      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
6 rows in set (0.00 sec)

mysql> SET GLOBAL validate_password_policy = LOW;
Query OK, 0 rows affected (0.01 sec)

Performance schema is not installed by default.

For checking, you can run the command

SHOW VARIABLES LIKE 'performance_schema';

Suppose you see OFF.

To enable it, start the server with the performance_schema variable enabled. For example, use these lines in your my.cnf file:

[mysqld]
performance_schema=ON

More details can be found in the official documentation:

https://dev.mysql.com/doc/refman/en/performance-schema-q

MySQL Slave Failed to Open the Relay Log

This problem is a little tricky; there are possible fixes that the MySQL website has stated. Sad to say, the ones I read in the forum and site didn't fix my problem. What I encountered was that the relay-bin from my MySQL slave server had already been 'rotated', meaning deleted from the folder. This happens when the slave has been disconnected from the master for quite a long time and has not replicated anything. A simple way to fix this is to flush the logs, but make sure the slave is stopped before using this command…

FLUSH LOGS;

Bring in a fresh copy of the database from the master server and update the slave server database. THIS IS IMPORTANT! If you don't update the slave database, you will not have the data from the time you were disconnected until you reset the relay logs. So UPDATE YOUR SLAVE WITH THE LATEST DATABASE FROM THE MASTER!

Now that the logs are flushed, all the relay-bin logs will be deleted when the slave is started again. Usually this fixes the problem, but if you start the slave and the failed relay log error is still there, you have to take more desperate measures… reset the slave. This is what I had to do to fully restore my MySQL slave server. Resetting the slave restores all the settings to default… password, username, relay-log, port, table to replicate, etc… So better have a copy of your settings first before actually doing a slave reset. When you're ready to reset the slave, run the command…

RESET SLAVE;

after which you should restore all your setting with a command something like…

CHANGE MASTER TO MASTER_HOST=.....

now start your server with…

START SLAVE;

check your slave server with…

SHOW SLAVE STATUS\G

look for …

Slave_IO_Running: Yes
Slave_SQL_Running: Yes

both should be Yes; if not, check your syslog for other errors. I'll leave it here, since this is what I encountered and I was able to fix it.

Edit 5/14/11:

There is a possible chance that after executing the CHANGE MASTER command you'll receive the error below…

ERROR 1201 (HY000): Could not initialize master info structure; more error messages can be found in the MySQL error log

This can occur when the relay logs under /var/lib/mysql were not properly cleaned and are still there. The next thing is to delete them manually, log back in to mysql, flush the logs, reset the slave, then execute the CHANGE MASTER command again. The file to delete is relay-log.info. This should work now. Sometimes I don't know why mysql can't reset the slave logs.


Linux servers: disabling and enabling ping

Linux answers ping (ICMP echo request) by default. An echo sweep is often the first step of host discovery in a network attack, so disabling ping responses removes one easy reconnaissance signal; it does not by itself protect any service on the host. Whether the host answers ping depends on two independent factors: 1. a kernel parameter, 2. the firewall. Both must allow it for ping to work; if either one blocks it, the host does not answer. The configuration is as follows:

1. Kernel parameter

Allow/disable ping (allowed by default)

To enable or disable ping temporarily, change the contents of the file /proc/sys/net/ipv4/icmp_echo_ignore_all. The file holds a single character: 0 means echo requests are answered, 1 means they are ignored. The change takes effect immediately, without a reboot, but is lost at the next boot.

To make the setting permanent:

Edit /etc/sysctl.conf and add this line at the end of the file:

net.ipv4.icmp_echo_ignore_all = 1

If a net.ipv4.icmp_echo_ignore_all line already exists, just change the value after the = sign: 0 allows ping, 1 disables it.

After editing, run sysctl -p so the new value is loaded (important: editing the file alone changes nothing until the next boot).

2. Firewall (this assumes the kernel parameter is at its default, i.e. ping is not disabled there)

iptables is used as the example here; for firewalld or another firewall, see its documentation. Keep in mind that iptables rules are matched in order and the first matching rule wins, so appending (-A) an ACCEPT rule has no effect if an earlier rule already drops echo requests; list the existing INPUT rules first and, if needed, insert the new rule at the top with -I instead of appending with -A.

Allow ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Or stop the firewall temporarily (this removes all filtering, not just the ICMP rule, so only do it on a test machine):

service iptables stop

Disable ping

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP

(ICMP type 8 is echo-request; -s 0/0 means any source address. Like any rule added on the command line, this is lost when the iptables service restarts unless the rule set is saved, on CentOS with service iptables save.)
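The two factors above combine in a way that is easy to get wrong (a sysctl that overrides the firewall, a rule order that makes an appended ACCEPT useless, a trailing catch-all REJECT). The following added example, not part of the original post, applies those rules to the sysctl value and the INPUT chain to predict whether a host will answer ping. The rule sets it runs against are constructed in `iptables -S` format; on a live host you would feed it the real values as shown in the docstring.

```python
"""Added example, not from the original post: decide from the two factors the
text names, the icmp_echo_ignore_all sysctl and the iptables INPUT chain,
whether a host will answer an incoming ICMP echo request.

Inputs are plain strings so the logic runs offline against the constructed
rule sets below. On a live CentOS host you would feed it the real values:

    ping_status(open("/proc/sys/net/ipv4/icmp_echo_ignore_all").read(),
                subprocess.run(["iptables", "-S", "INPUT"],
                               capture_output=True, text=True).stdout)

Only the INPUT chain is considered; an OUTPUT rule dropping echo-reply would
also silence ping but is unusual.
"""
import shlex

ECHO_REQUEST = {"8", "echo-request"}


def rule_matches_echo_request(rule: str) -> bool:
    """True if an `iptables -S INPUT` rule line would match an incoming echo request.

    Two shapes count: a rule restricted to ICMP (-p icmp) whose --icmp-type is
    absent, 8 or echo-request, and a catch-all rule with no match criteria at
    all, such as the CentOS default trailing
    `-A INPUT -j REJECT --reject-with icmp-host-prohibited`.
    """
    t = shlex.split(rule)
    if t[:2] != ["-A", "INPUT"] or "-j" not in t:
        return False
    criteria = t[2:t.index("-j")]
    if not criteria:
        return True  # catch-all rule
    if "-p" in criteria and criteria[criteria.index("-p") + 1] == "icmp":
        if "--icmp-type" not in criteria:
            return True  # all ICMP
        return criteria[criteria.index("--icmp-type") + 1] in ECHO_REQUEST
    return False


def rule_target(rule: str) -> str:
    """The -j target of a rule (ACCEPT, DROP, REJECT, ...)."""
    t = shlex.split(rule)
    return t[t.index("-j") + 1]


def ping_status(ignore_all: str, input_rules: str) -> str:
    """Return "allowed" or "blocked" for an incoming ping."""
    # Factor 1, the kernel: with icmp_echo_ignore_all=1 the firewall is moot.
    if ignore_all.strip() == "1":
        return "blocked"
    # Factor 2, netfilter: rules are tried top to bottom and the first match
    # wins, so an ACCEPT appended (-A) below an existing DROP changes nothing.
    # If no rule matches, the chain policy (-P INPUT ...) decides.
    policy = "ACCEPT"
    for line in input_rules.splitlines():
        line = line.strip()
        if line.startswith("-P INPUT"):
            policy = line.split()[2]
        elif line and rule_matches_echo_request(line):
            return "allowed" if rule_target(line) == "ACCEPT" else "blocked"
    return "allowed" if policy == "ACCEPT" else "blocked"


# Constructed sample rule sets in `iptables -S INPUT` format.
RULES_ALLOW = """-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"""

# The DROP rule from the text with an ACCEPT appended afterwards: still blocked.
RULES_DROP_FIRST = """-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -s 0.0.0.0/0 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"""

# No ICMP rule at all, but a trailing catch-all REJECT like the CentOS default chain.
RULES_CATCHALL = """-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""

if __name__ == "__main__":
    for label, kernel, rules in [("kernel=1, ACCEPT rule", "1", RULES_ALLOW),
                                 ("kernel=0, ACCEPT rule", "0", RULES_ALLOW),
                                 ("kernel=0, DROP before ACCEPT", "0", RULES_DROP_FIRST),
                                 ("kernel=0, catch-all REJECT", "0", RULES_CATCHALL)]:
        print(f"{label}: {ping_status(kernel, rules)}")
```

The third rule set is the case the -A/-I remark above is about: the appended ACCEPT never sees a packet because the DROP in front of it matches first.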

Linux: configuring passwordless SSH login between cluster servers

This configuration lets the servers of a cluster log in to each other over ssh without a password. If you only need one machine (such as master) to log in to the others (slave1, slave2) without a password, only step 2 is needed.

It is worth spending two or three minutes reading the whole text before following the steps.

Steps:

1. Cluster environment: master, slave1 and slave2, all running CentOS 7. Below, every machine other than master is referred to as slaveX.

The necessary IP-to-hostname mappings have been added to /etc/hosts on all servers:

192.168.137.20 master

192.168.137.21 slave1

192.168.137.22 slave2

2. Configure master to log in to master and slaveX without a password.

Run the following commands on master. This can be done as a non-root user; I use the hadoop user. Keys are per user: whichever user you run these steps as is the only user that gets passwordless login, and other users still need a password.

2.1 cd ~ // switch to the user's home directory

2.2 ls -al // check whether the hidden directory .ssh exists in the home directory; if not, create it. Its permissions must be 700 (drwx------); if they are not, change them to 700. sshd refuses to use keys from a directory that other users can access.

2.3 cd .ssh // enter the .ssh directory

2.4 ssh-keygen -t rsa // press Enter at every prompt;
             // this generates the private key id_rsa and the public key id_rsa.pub in ~/.ssh using the RSA algorithm. Pressing Enter at the passphrase prompt leaves the private key unencrypted, which is what makes the login non-interactive; it also means that anyone who can read id_rsa can log in as this user on every host that trusts the key, so keep the file at mode 600 and treat it like a password.

2.5 ssh-copy-id master // appends the generated public key to master's ~/.ssh/authorized_keys file.
             // authorized_keys may not exist yet; that does not matter, the command creates it (you can also create it yourself). Its permissions must be 600.
             // Instead of ssh-copy-id you can run cat id_rsa.pub >> authorized_keys to append the public key. Do not copy and paste the key by hand: a wrapped or truncated line makes the key unusable.
             // After this step, ssh master logs in without a password (before it, even logging in to yourself over ssh asked for the password every time).
             // Each line of authorized_keys is one public key: the key type (ssh-rsa), the base64-encoded key, and a comment, usually user@host.

[Screenshot of an authorized_keys file; not reproduced here.]

Note: the host names in the screenshot differ from the master and slaveX used in this article, but that does not affect the format of the authorized_keys file.

2.6 ssh-copy-id slaveX // appends master's public key to slaveX's authorized_keys file; master can now log in to slaveX without a password.

3. Configure slaveX to log in to the other cluster machines without a password

After step 2, master can log in to master and slaveX without a password, but slaveX still cannot log in to the other machines (master, the other slaveX). To give slaveX the same ability as master, repeat step 2 on slaveX: generate its own key pair there and append its public key to the authorized_keys file of every other machine.

In summary, there are two ways to configure passwordless login between all servers of a cluster (the principle is the same, only the order of operations differs):

Method 1: perform step 2 on one server after another until every machine is configured.

Method 2: on every machine, master and slaveX alike, run ssh-keygen -t rsa to generate its own key pair, then run ssh-copy-id master on each of them so that every public key is appended to master's authorized_keys file. Once all have been appended, master's authorized_keys contains the public keys of every server in the cluster (master included) and is a complete trust list. Then copy it from master to the ~/.ssh/ directory of every slave with scp (example: scp ~/.ssh/authorized_keys hadoop@node01:~/.ssh/). After that, every machine in the cluster can log in to every other one without a password. Note that this makes every host trust every key, so a private key stolen from any one machine opens the whole cluster.
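When passwordless login still asks for a password after these steps, the cause is almost always one of the requirements mentioned above: the permission bits, or a key line damaged by a manual paste. The following added example (not part of the original post) checks both on a ~/.ssh directory. It builds its own throwaway directory under a temp path, so nothing in the real home directory is touched; point check_ssh_dir at ~/.ssh on a cluster node to use it for real. It checks the structure of each key line only, not the key material itself, and it does not handle entries that begin with options such as from= or command=.

```python
"""Added example, not from the original post: before debugging a failed
passwordless login, check the two things the steps above depend on.

1. Permission bits: 700 on ~/.ssh, 600 on authorized_keys, and a home
   directory that is not group/world-writable (sshd's StrictModes refuses
   keys otherwise).
2. The format of every authorized_keys line: `<type> <base64> [comment]`,
   where the base64 blob must decode and must name the same key type as the
   first field. This catches the failure mode mentioned above, a key pasted
   by hand that got wrapped or truncated.
"""
import base64
import os
import stat
import struct
import tempfile
from typing import List, Optional

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def check_key_line(line: str) -> Optional[str]:
    """Return None for a well-formed key line, otherwise a description of the problem."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return "expected '<type> <base64 key> [comment]'"
    key_type, blob = parts[0], parts[1]
    if key_type not in KEY_TYPES:
        return f"unknown key type {key_type!r} (the tail of a wrapped paste looks like this)"
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return "key data is not valid base64 (truncated or wrapped paste?)"
    # The decoded blob starts with a length-prefixed string naming the key
    # type; it must agree with the type written at the start of the line.
    if len(raw) < 4 or len(raw) < 4 + struct.unpack(">I", raw[:4])[0]:
        return "key data too short"
    n = struct.unpack(">I", raw[:4])[0]
    if raw[4:4 + n] != key_type.encode():
        return "key data does not match the declared key type"
    return None


def check_ssh_dir(ssh_dir: str) -> List[str]:
    """Return the list of problems found; an empty list means the directory is in order."""
    problems = []
    home_mode = stat.S_IMODE(os.stat(os.path.dirname(os.path.abspath(ssh_dir))).st_mode)
    if home_mode & 0o022:
        problems.append(f"home directory is group/world-writable (mode {home_mode:o})")
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode != 0o700:
        problems.append(f"{ssh_dir}: mode {mode:o}, expected 700")
    ak = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(ak):
        mode = stat.S_IMODE(os.stat(ak).st_mode)
        if mode != 0o600:
            problems.append(f"{ak}: mode {mode:o}, expected 600")
        with open(ak) as f:
            for n, line in enumerate(f, 1):
                line = line.strip()
                if not line or line.startswith("#"):
                    continue  # blank lines and comments are allowed
                reason = check_key_line(line)
                if reason:
                    problems.append(f"{ak} line {n}: {reason}")
    return problems


def dummy_key_line(key_type: str, comment: str) -> str:
    """Constructed sample: correct type prefix, zeroed key material (not a usable key)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 16
    return f"{key_type} {base64.b64encode(raw).decode()} {comment}"


def demo() -> dict:
    """Build a throwaway home/.ssh in a temp dir and run the check against a
    correct setup, a 644 authorized_keys, a 755 .ssh and a truncated pasted key."""
    home = os.path.join(tempfile.mkdtemp(), "hadoop")
    ssh = os.path.join(home, ".ssh")
    ak = os.path.join(ssh, "authorized_keys")
    os.mkdir(home); os.chmod(home, 0o755)
    os.mkdir(ssh); os.chmod(ssh, 0o700)
    results = {}
    with open(ak, "w") as f:
        f.write(dummy_key_line("ssh-rsa", "hadoop@master") + "\n# comment\n\n"
                + dummy_key_line("ssh-ed25519", "hadoop@slave1") + "\n")
    os.chmod(ak, 0o600)
    results["good"] = check_ssh_dir(ssh)
    os.chmod(ak, 0o644)
    results["file_mode"] = check_ssh_dir(ssh)
    os.chmod(ak, 0o600); os.chmod(ssh, 0o755)
    results["dir_mode"] = check_ssh_dir(ssh)
    os.chmod(ssh, 0o700)
    t, blob, c = dummy_key_line("ssh-rsa", "hadoop@master").split()
    with open(ak, "w") as f:
        f.write(f"{t} {blob[:-3]} {c}\n")  # simulates a truncated paste
    results["truncated"] = check_ssh_dir(ssh)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The type-prefix comparison is the useful part: a blob that decodes but starts with a different name than the first field means two lines were spliced together, which a plain "does it decode" test would not notice.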

--------------------------------------------------------------------------------

As for the following step, I saw this operation in an individual blog post while searching for information on the Internet. I did not configure this when I did the setup, and I don't know how it affects the result, because I achieved passwordless login without it. If you do want to configure it, complete it before performing step 2.

On each host in the cluster:

sudo vim /etc/ssh/sshd_config

Enable the following options:

RSAAuthentication yes //allows authentication with RSA keys (this option belongs to the obsolete SSH protocol 1; current OpenSSH versions ignore it or warn that it is deprecated, so PubkeyAuthentication is the setting that matters)

PubkeyAuthentication yes //allows public-key authentication (this is the default)

AuthorizedKeysFile .ssh/authorized_keys //the file in which this machine keeps the public keys it trusts, relative to each user's home directory (this is the important one; it is also the default)

Regarding /etc/ssh/sshd_config, an online source advises: "Do not change the settings in /etc/ssh/sshd_config unless necessary. The defaults are usually the most stringent SSH protection, so you don't need to change them."

Nginx load balancing and configuration


1 Load balancing overview
    Load balancing arose because a single server that receives a large volume of traffic in a short time comes under heavy pressure, and once that exceeds its capacity the server fails. To avoid that, and to give users a better experience, load balancing was introduced to spread the load over several servers.

    Load balancing is essentially built on reverse proxying: the proxy accepts the client's request and forwards it to one of several back-end servers. It makes better use of server resources, handles high concurrency sensibly, evens out the load between servers, reduces the time requests spend waiting, and provides fault tolerance. Nginx is commonly used as an efficient HTTP load balancer that distributes traffic across multiple application servers to improve performance, scalability and availability.

    Principle: a large number of servers on the internal network form a server cluster. When users access the site they first reach the intermediate server on the public network, which hands each request to an intranet server according to an algorithm. In this way the load on the servers in the cluster stays roughly balanced and no single server is overwhelmed.

    Nginx can load balance HTTP, HTTPS, FastCGI, uwsgi, SCGI and memcached back ends.
To load balance HTTPS rather than HTTP back ends, simply use "https" as the protocol in proxy_pass.
For FastCGI, uwsgi, SCGI or memcached back ends, use the fastcgi_pass, uwsgi_pass, scgi_pass and memcached_pass directives respectively.

2 Common load balancing methods

1 round-robin: requests are distributed to the back-end servers in turn, each request going to the next server in order. If a back-end server is down it is automatically skipped, so service continues.

Configuration 1:
upstream server_back {      # the group nginx distributes requests over
    server 192.168.162.49;
    server 192.168.162.50;
}

Configuration 2:
http {
    upstream servergroup {  # the server group that receives requests; nginx distributes them round-robin
        server srv1.demo.com;
        server srv2.demo.com;
        server srv3.demo.com;
    }
    server {
        listen 80;
        location / {
            proxy_pass http://servergroup;  # all requests are proxied to the servergroup group
        }
    }
}

 proxy_pass takes the proxied server's IP address, a host name or domain name, an ip:port pair, or, as here, the name of an upstream group
 upstream defines the list of back-end servers to balance over

2 Weighted load balancing: without weights every server gets the same share of requests. When the servers differ in capacity, use weighted round-robin: the weight parameter on a server line sets the share of requests that server receives, so a higher weight means more load. With the weights below, 192.168.162.50 receives 7 of every 10 requests and 192.168.162.49 the other 3.
upstream server_back {
    server 192.168.162.49 weight=3;
    server 192.168.162.50 weight=7;
}

3 least-connected: the next request goes to the server with the fewest active connections. When some requests take longer to complete, least_conn shares the load between the application instances more fairly than round-robin, because nginx keeps sending new requests to the less busy servers.
upstream servergroup {
    least_conn;
    server srv1.demo.com;
    server srv2.demo.com;
    server srv3.demo.com;
}

4 ip-hash: based on the client's IP address. With plain load balancing each request can land on a different server in the cluster, so a user who has logged in on one server is sent to another and loses their session. That is obviously not acceptable; ip_hash solves it: once a client has been sent to a server, the hash of its address sends every later request from that client to the same server.

Each request is assigned by the result of hashing the client IP, so requests from one client stick to one back-end server, which also solves the session problem. Note that nginx hashes only the first three octets of an IPv4 address (or the whole IPv6 address), so all clients behind one /24, for example one office NAT, land on the same server and the distribution can be very uneven.
upstream servergroup {
    ip_hash;
    server srv1.demo.com;
    server srv2.demo.com;
    server srv3.demo.com;
}

A complete example:
#user nobody;
worker_processes 4;
events {
    # maximum number of simultaneous connections per worker
    worker_connections 1024;
}

http {
    # the list of back-end servers requests are distributed over
    upstream myserver {
        # the ip_hash directive sends the same client to the same server
        ip_hash;
        server 125.219.42.4 fail_timeout=60s;   # after max_fails failures the server is skipped for 60s
        server 172.31.2.183;
    }

    server {
        # listening port
        listen 80;
        # site root
        location / {
            # which server list to proxy to
            proxy_pass http://myserver;
        }
    }
}

max_fails: the number of failed attempts to reach the server within fail_timeout after which nginx considers it unavailable; the default is 1.
fail_timeout=60s: the window in which max_fails failures must occur, and also how long the server is then considered unavailable; the default is 10s.
down: marks the server as permanently unavailable; with ip_hash this is the right way to take a server out, because the hashing of the other clients is preserved.
backup: marks the server as a backup; it only receives requests when all the non-backup servers are unavailable, so normally its load is the lightest.
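The selection methods and server parameters above are easiest to understand by running them. The following added example (not nginx source) simulates weighted round-robin, least_conn, ip_hash and the max_fails/fail_timeout/backup/down rules on the server lists used in this article. The ip_hash arithmetic is modelled on nginx's ip_hash module but its constants should be treated as an assumption; the property it demonstrates, that only the first three IPv4 octets feed the hash, is documented nginx behaviour. Two simplifications: ip_hash maps onto the currently available servers (nginx hashes over all servers and re-hashes on failure), and a failed server is retried as soon as its fail_timeout has passed.

```python
"""Added example, not nginx source: simulation of the nginx upstream selection
methods described above (smooth weighted round-robin, least_conn, ip_hash) and
the max_fails / fail_timeout / backup / down availability rules. The ip_hash
constants are an assumption modelled on nginx; the /24 behaviour is documented.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    """One `server` line of an upstream block, plus runtime state."""
    name: str
    weight: int = 1             # weight=N
    max_fails: int = 1          # max_fails=N (0 disables the check)
    fail_timeout: float = 10.0  # fail_timeout=Ns
    backup: bool = False        # backup
    down: bool = False          # down
    current_weight: int = 0     # smooth weighted round-robin state
    active_conns: int = 0       # what least_conn compares
    fails: int = 0
    last_fail: float = 0.0

    def available(self, now: float) -> bool:
        """False while marked down or inside the fail_timeout penalty."""
        if self.down:
            return False
        if self.max_fails and self.fails >= self.max_fails:
            if now - self.last_fail < self.fail_timeout:
                return False
            self.fails = 0  # penalty over: try the server again
        return True

    def report(self, ok: bool, now: float) -> None:
        """Record the outcome of a proxied request."""
        if ok:
            self.fails = 0
        else:
            self.fails += 1
            self.last_fail = now


class Upstream:
    def __init__(self, servers: List[Server]):
        self.servers = list(servers)

    def candidates(self, now: float) -> List[Server]:
        """Available non-backup servers; only if there are none, the available backups."""
        primary = [s for s in self.servers if not s.backup and s.available(now)]
        return primary or [s for s in self.servers if s.backup and s.available(now)]

    def round_robin(self, now: float = 0.0) -> Optional[Server]:
        """Smooth weighted round-robin: weights 3 and 7 give exactly 3:7 over ten
        requests, with the heavier server spread through the sequence rather
        than taking seven requests in a row."""
        peers = self.candidates(now)
        if not peers:
            return None
        total, best = 0, None
        for p in peers:
            p.current_weight += p.weight
            total += p.weight
            if best is None or p.current_weight > best.current_weight:
                best = p
        best.current_weight -= total
        return best

    def least_conn(self, now: float = 0.0) -> Optional[Server]:
        """Fewest active connections per unit of weight; ties fall back to round-robin."""
        peers = self.candidates(now)
        if not peers:
            return None
        lowest = min(p.active_conns / p.weight for p in peers)
        tied = [p for p in peers if p.active_conns / p.weight == lowest]
        return tied[0] if len(tied) == 1 else Upstream(tied).round_robin(now)

    @staticmethod
    def ip_hash_key(client_ip: str) -> int:
        """Hash of the first three octets only: 10.0.0.1 and 10.0.0.200 share a key."""
        h = 89
        for octet in client_ip.split(".")[:3]:
            h = (h * 113 + int(octet)) % 6271
        return h

    def ip_hash(self, client_ip: str, now: float = 0.0) -> Optional[Server]:
        """Map the client's /24 onto the weighted list of available servers."""
        peers = self.candidates(now)
        if not peers:
            return None
        w = self.ip_hash_key(client_ip) % sum(p.weight for p in peers)
        for p in peers:
            if w < p.weight:
                return p
            w -= p.weight
        return peers[-1]


if __name__ == "__main__":
    # The weighted example from the text: 3 of every 10 requests to .49, 7 to .50.
    up = Upstream([Server("192.168.162.49", weight=3), Server("192.168.162.50", weight=7)])
    print([up.round_robin().name for _ in range(10)])
    grp = Upstream([Server("srv1"), Server("srv2"), Server("srv3")])
    print(grp.ip_hash("10.0.0.1").name, grp.ip_hash("10.0.0.200").name)  # same server
```

Running it shows why weight=7 does not mean "seven requests in a row": the smooth algorithm interleaves the two servers and lands on exactly 3:7 every ten requests. The failure part shows the backup server only taking traffic while the primary is inside its penalty window and the primary coming back once fail_timeout has elapsed.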