Posts Tagged ‘ nginx

Linux安装Nagios监控系统, perl-fcgi, nginx

作者:Joshua
日期:2009年1月17日凌晨
非请勿转
安装nagios
与别的软件安装稍有不同,nagios的安装要好几步才能完成。

第一步,执行make install安装主要的程序、CGI及HTML文件;
第二步,执行 make install-commandmode 给外部命令访问nagios配置文件的权限;
第三步,执行 make install-config 把配置文件的例子复制到nagios的安装目录。

按照安装向导的提示,其实这里还有一个 make install-init的步骤,它的作用是把nagios做成一个运行脚本,使nagios随系统开机启动,这是一个很方便的措施。

cd /usr/local/
wget http://nchc.dl.sourceforge.net/sourceforge/nagios/nagios-3.0.6.tar.gz
tar xzf nagios-3.0.6.tar.gz
cd nagios-3.0.6
/usr/sbin/useradd nagios
passwd nagios
/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -G nagcmd nagios
./configure --with-command-group=nagcmd
make all
make install
make install-init
make install-config
make install-commandmode
vi /usr/local/nagios/etc/objects/contacts.cfg //修改管理员邮件地址

验证Nagios安装

验证程序是否被正确安装。切换目录到安装路径(这里是/usr/local/nagios),看是否存在 etc、bin、 sbin、 share、 var这五个目录,如果存在则可以表明程序被正确的安装到系统了。五个目录功能的简要说明:

bin Nagios执行程序所在目录,这个目录只有一个文件nagios
etc Nagios配置文件位置,初始安装完后,只有几个*.cfg-sample文件
sbin Nagios Cgi文件所在目录,也就是执行外部命令所需文件所在的目录
Share Nagios网页文件所在的目录
Var Nagios日志文件、spid 等文件所在的目录

安装nagios的插件

没有插件,nagios将什么作用也没有,插件也是nagios扩展功能的强大武器,除了下载常用的插件外,我们还可以根据实际要求编写自己的插件。 Nagios的插件nagios-plugins-1.4.5在www.nagios.org上可以找到,接着我们用wget下载它。注意:插件与 nagios之间的版本关联不大,不一定非得用nagios-plugins-1.4.5这个版本。下载完成后,安装它是很简单的:先执行配置 ./configure –prefix=/usr/local/nagios ,接着编译安装 make ;make install即可。这里需要说明一下的是在配置过程指定的安装路径是/usr/local/nagios,而不是/usr/local/nagios- plus,安装完成后,将在目录/usr/local/nagios生成目录libexec(里面有很多文件),这正是nagios所需要的。

wget http://jaist.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
tar xf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure --with-nagios-user=nagios --with-nagios-group=nagcmd
make
make install

添加Nagios随系统启动

/sbin/chkconfig --add nagios
/sbin/chkconfig nagios on
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
/sbin/service nagios start

安装perl fcgi模块

      wget http://www.cpan.org/modules/by-module/FCGI/FCGI-0.67.tar.gz
      tar -zxvf FCGI-0.67.tar.gz
      cd FCGI-0.67
      perl Makefile.PL
      make && make install

安装FCGI-ProcManager:

      wget http://search.cpan.org/CPAN/authors/id/G/GB/GBJK/FCGI-ProcManager-0.18.tar.gz
      tar -xzxf FCGI-ProcManager-0.18.tar.gz
      cd FCGI-ProcManager-0.18
      perl Makefile.PL
      make
      make install
cd /usr/local/nagios/bin/
vi perl-cgi.pl
#!/usr/bin/perl
 
use FCGI;
#perl -MCPAN -e 'install FCGI'
use Socket;
 
#this keeps the program alive or something after exec'ing perl scripts
END() { } BEGIN() { }
*CORE::GLOBAL::exit = sub { die "fakeexit\nrc=".shift()."\n"; }; eval q{exit}; if ($@) { exit unless $@ =~ /^fakeexit/; } ;
 
&main;
 
sub main {
                #$socket = FCGI::OpenSocket( ":3461", 10 ); #use IP sockets
                $socket = FCGI::OpenSocket( "/var/run/nagios.sock", 10 ); #use UNIX sockets - user running this script must have w access to the 'nginx' folder!!
                $request = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR, \%ENV, $socket );
                if ($request) {request_loop()};
                        FCGI::CloseSocket( $socket );
}
 
sub request_loop {
                while( $request->Accept() >= 0 ) {
 
                   #processing any STDIN input from WebServer (for CGI-GET actions)
                   $env = $request->GetEnvironment();
                   $stdin_passthrough ='';
                   $req_len = 0 + $ENV{CONTENT_LENGTH};
                   if ($ENV{REQUEST_METHOD} eq 'GET'){
                                $stdin_passthrough .= $ENV{'QUERY_STRING'};
                        }
 
                        #running the cgi app
                        if ( (-x $ENV{SCRIPT_FILENAME}) && #can I execute this?
                                 (-s $ENV{SCRIPT_FILENAME}) && #Is this file empty?
                                 (-r $ENV{SCRIPT_FILENAME})     #can I read this file?
                        ){
                                #http://perldoc.perl.org/perlipc.html#Safe-Pipe-Opens
                open $cgi_app, '-|', $ENV{SCRIPT_FILENAME}, $stdin_passthrough or print("Content-type: text/plain\r\n\r\n"); print "Error: CGI app returned no output - Executing $ENV{SCRIPT_FILENAME} failed !\n";
                                if ($cgi_app) {print <$cgi_app>; close $cgi_app;}
                        }
                        else {
                                print("Content-type: text/plain\r\n\r\n");
                                print "Error: No such CGI app - $req_len - $ENV{CONTENT_LENGTH} - $ENV{REQUEST_METHOD} - $ENV{SCRIPT_FILENAME} may not exist or is not executable by this process.\n";
                        }
 
                }
}
vi start_ngind_cgi.sh
#!/bin/bash
 
## start_nginx_cgi.sh: start nginx cgi mode
## ljzhou, 2007.08.20
 
 
PERL="/usr/bin/perl"
NGINX_CGI_FILE="/usr/local/nagios/bin/perl-cgi.pl"
 
 
#bg_num=`jobs -l |grep "NGINX_CGI_FILE"`
#PID=`ps aux|grep "perl-cgi"|cut -c10-14|xargs kill -9`
PID=`ps aux|grep 'perl-cgi'|cut -c10-14|sed -n "1P"`
echo $PID
sockfiles="/var/run/nagios.sock"
kill -9 $PID
 
$PERL $NGINX_CGI_FILE &
 
sleep 3
 
`chown nobody.nobody $sockfiles`

创建身份认证文件
注意:这里的用户既是apache的nagios管理界面的登录认证用户也和nagios监控中的权限有关联。

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

修改nginx.conf文件,在虚拟机中加入:

        location /nagios {
                auth_basic              "Restricted";
                auth_basic_user_file    /usr/local/nagios/etc/htpasswd.users;
        }
        location ~ \.cgi$ {
                root /usr/local/nagios/sbin;
                rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
                fastcgi_index index.cgi;
                fastcgi_pass    unix:/var/run/nagios.sock;
 
                fastcgi_param   SCRIPT_FILENAME                     /usr/local/nagios/sbin$fastcgi_script_name;
                fastcgi_param   QUERY_STRING                        $query_string;
 
                fastcgi_param   REMOTE_ADDR                        $remote_addr;
                fastcgi_param   REMOTE_PORT                        $remote_port;
                fastcgi_param   REQUEST_METHOD                     $request_method;
                fastcgi_param   REQUEST_URI                        $request_uri;
 
                #fastcgi_param SCRIPT_NAME                        $fastcgi_script_name;
                fastcgi_param   SERVER_ADDR                        $server_addr;
                fastcgi_param   SERVER_NAME                        $server_name;
                fastcgi_param   SERVER_PORT                        $server_port;
                fastcgi_param   SERVER_PROTOCOL                    $server_protocol;
                fastcgi_param   SERVER_SOFTWARE                    nginx;
 
                fastcgi_param   CONTENT_LENGTH                     $content_length;
                fastcgi_param   CONTENT_TYPE                       $content_type;
                fastcgi_param   GATEWAY_INTERFACE                  CGI/1.1;
                fastcgi_param   HTTP_ACCEPT_ENCODING        gzip,deflate;
                fastcgi_param   HTTP_ACCEPT_LANGUAGE        zh-cn;
       }

之后运行/usr/local/nagios/bin/start_nginx_cgi.sh,并将它加到/etc/rc.local中。

/usr/local/nagios/bin/start_nginx_cgi.sh
vi /etc/rc.local ///usr/local/nagios/bin/start_nginx_cgi.sh写在最后一行

重启nginx:

ps -aux|grep nginx
kill -HUP pid //此处的pid是ps查出的nginx主进程id

最后要把nagios的share文件放到虚拟主机根目录下,并将share改名为nagios,最佳办法是:

cd 你的虚拟主机根目录
ln -s /usr/local/nagios/share nagios

访问:http://yourhost.com/nagios
如果看到根我一样的界面,那就对了,图片点击可放大。

nagios成功安装

nagios成功安装

2009
01/17
分类:
PHP
TAGS


69 条评论

nginx防盗链解决方案

方法一:

location ~* \.(js|css|jpg|png|gif|others)$ {
valid_referers none blocked *.sasacity.com sasacity.com;
if ($invalid_referer) {
rewrite ^/ http://www.sasacity.com/logo.gif;
#return 404;
}
}

方法二:
使用ngx_http_accesskey_module模块

配置例子:

location /download {
accesskey on;
accesskey_hashmethod md5;
accesskey_arg "key";
accesskey_signature "mypass$remote_addr";
}

此时客户端访问路径: http://example.com/download/file.zip?key=09093abeac094.

详细请见:http://wiki.codemongers.com/NginxHttpAccessKeyModule

2008
10/25
分类:
服务器
TAGS

抢沙发

Nginx重定向[Rewrite]配置及示例 (for zendframework & wordpress & Discuz)

首先Apache的Rewite规则差别不是很大,但是Nginx的Rewrite规则比Apache的简单灵活多了
Nginx可以用if进行条件匹配,语法规则类似C

if ($http_user_agent ~ MSIE) {
rewrite ^(.*)$ /msie/$1 break;
}
官方文档请点击这里
Rewrite的Flags

Flags can be any of the following:
* last - completes processing of rewrite directives, after which searches for corresponding URI and location
* break - completes processing of rewrite directives
*redirect - returns temporary redirect with code 302; it is used if the substituting line begins with http://
* permanent - returns permanent redirect with code 301

last – 完成重写指令后,搜索相应的URI和位置。相当于Apache里的[L]标记,表示完成rewrite,不再匹配后面的规则。
break – 中止Rewirte,不在继续匹配。
redirect – 返回临时重定向的HTTP状态302。
permanent – 返回永久重定向的HTTP状态301。

ZEND Framework的重定向规则:
案例一:
全部重定向到 /index.php
rewrite ^/(.*) /index.php?$1&amp;;
案例二:
如果文件或目录不存在则重定向到index.php
if (!-e $request_filename) {
rewrite ^/(.*) /index.php?$1&amp;;
}

WordPress的重定向规则:
案例一:
http://www.wemvc.com/12 重定向到 http://www.wemvc.com/index.php?p=12
if (!-e $request_filename) {
rewrite ^/(.+)$ /index.php?p=$1 last;
}
案例二:
与zendframework配置很像
if (!-e $request_filename) {
rewrite ^/(.*) /index.php?$1&amp;;
}

以下为Discuz完整的Rewrite for Nginx规则
if (!-f $request_filename) {
rewrite ^/archiver/((fid|tid)-[\w\-]+\.html)$ /archiver/index.php?$1 last;
rewrite ^/forum-([0-9]+)-([0-9]+)\.html$ /forumdisplay.php?fid=$1&amp;page=$2 last;
rewrite ^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ /viewthread.php?tid=$1&amp;extra=page%3D$3&amp;page=$2 last;
rewrite ^/space-(username|uid)-(.+)\.html$ /space.php?$1=$2 last;rewrite ^/tag-(.+)\.html$ /tag.php?name=$1 last;
}

文件及目录匹配,其中:
-f和!-f用来判断是否存在文件
-d和!-d用来判断是否存在目录
-e和!-e用来判断是否存在文件或目录
-x和!-x用来判断文件是否可执行

正则表达式全部符号解释
~ 为区分大小写匹配
~* 为不区分大小写匹配
!~和!~* 分别为区分大小写不匹配及不区分大小写不匹配
(pattern) 匹配 pattern 并获取这一匹配。所获取的匹配可以从产生的 Matches 集合得到,在VBScript 中使用 SubMatches 集合,在JScript 中则使用 $0…$9 属性。要匹配圆括号字符,请使用 ‘\(‘ 或 ‘\)’。
^ 匹配输入字符串的开始位置。
$ 匹配输入字符串的结束位置。
学习更多正则知识请查看这里 正则表达式

2008
08/13
分类:
服务器
TAGS





22 条评论

Restriction of the access with the help of Nginx

In this short post the point is how to protect your files and some part of your web site with a user password. With Nginx, a lot of options exist to protect your site with usernames and passwords. In Nginx the solution is not less attractive than in apache.

In the configuration file, set folder to close, it is only necessary to load the file with passwords.
There are two examples for closing of the folder with files:
location ^~ /files/ {
root   /path/to/server;
autoindex    on;
autoindex_exact_size  off;
auth_basic “Hello, please login”;
auth_basic_user_file /usr/nginx/passwords;
access_log   /usr/nginx/logs/files.log   download;
}
and for closing of the admin-folder with the additional restriction on IP:
location ^~ /admin/ {
fastcgi_pass unix:/home/project/server.sock;
include  conf/fastcgi.conf;
allow 11.11.0.0/16;
allow 22.22.22.22;
deny all;
auth_basic “Hello, Admin, please login”;
auth_basic_user_file /usr/nginx/adminpassword;
access_log   /usr/nginx/logs/admin.log  main;
}
The passwd program utility of Apache can be used to create and update usernames and passwords of new users:
htpasswd -b passwords NewUser NewPassword
In the file the writing with the encoded password looks like:
NewUser:P47ghZ4kloG78: Your Can Comment Here
The protection from cracking the password can be organized at the same time with two methods based on the use iptables:
Blocking IP temporarily if the amount of the requests per second exceeds any reasonable amount.
Write failed attempts in the log, check it with the script every minute, than pumps the IP addresses in iptables
For the first variant it is enough to create rules:
iptables -A INPUT -p tcp –syn –dport 80 -i eth0 -m state –state NEW
-m recent –name bhttp –set
iptables -A INPUT -p tcp –syn –dport 80 -i eth0 -m state –state NEW
-m recent –name bhttp –update –seconds 120
–hitcount 360 -j DROP
iptables -A INPUT -p tcp –syn –dport 80 -i eth0 -j ACCEPT
It is possible to use TARPIT instead of DROP to complicate the life of the crackers.

For the second variant it is necessary to add in config:
location /401.html {
root   /usr/nginx;
access_log   /usr/nginx/logs/denied.log  error401;
}
For example the format error 401 looks at me:
log_format error401  ‘$remote_addr – $remote_user [$time_local] ‘
‘$status “$request”‘;
Now all wrong logins are saved in a separate log file, which is checked per cron job:
*/1 * * * * root /usr/nginx/parser401.pl >/dev/null 2>&1
For example this script: parser401.pl Скрипт проверяет лог, и если обнаруживает больше 4-х попыток неправильного набора пароля, блокирует этот IP. Script checks the log file and if it finds more than 4 attempts of the wrong password, it blocks this IP address.
Are there any ideas?

2008
08/12
分类:
服务器
TAGS

42 条评论

新浪微博

招聘Magento大师

PHP三年以上经验;
深入了解Magento;
能够承受工作压力。

地点:上海
公司:服装零售业全球第一
有意者请发邮件:
dr.joshua.li[at]gmail.com

Magento英文原版用户手册