Tag: DevOps

  • Remove Tencent Cloud (QCloud) Cloud Monitor

    bash /usr/local/qcloud/stargate/admin/uninstall.sh
    bash /usr/local/qcloud/YunJing/uninst.sh
    bash /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    
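    # Kill any agent processes that are still running.
    # Note: grep matches substrings of the whole command line, so the "agent"
    # entry also matches unrelated processes such as ssh-agent.
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver)
    for i in "${process[@]}"
    do
      for A in $(ps aux | grep "$i" | grep -v grep | awk '{print $2}')
      do
        kill -9 "$A"
      done
    done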
    
    # Optional
    chkconfig --level 35 postfix off
    systemctl stop postfix
    systemctl mask postfix
  • Docker Mounted Volumes Permission Issues with Nginx and PHP-FPM

    Prerequisites:

    • Official Nginx alpine Docker image
    • Official PHP Docker (Debian) image with fpm tags

    Get the user that PHP-FPM currently runs as:

    $ docker exec php_container_name id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Change the owner of your existing mounted volume:

    chown 33:33 -R /srv/www
  • The Simplest MediaWiki Update Script for Single-Server MediaWiki Site

    System requirements:

    • User uploads $wgUploadDirectory are stored offsite
    • Non-Docker MediaWiki with normal setup
    • Composer installed (can be installed automatically during the update)

    Goals:

    • Update MediaWiki with nearly zero downtime
    • Download and install latest tagged MediaWiki from tarball package
    • Update extensions and skins from latest git tagged branch
    • Install extension-specific dependencies during updating
  • GeoIP Bypassing for Nginx Proxy

    Goal:

    • Proxy content for requests in specific country or region
    • Redirect any requests made from outside the specific country or region to the original URL (to save bandwidth)

    geoip_country         /usr/share/GeoIP/GeoIPv6.dat;
    map $geoip_country_code $proxy_direct_pass {
      default yes;
      CN no;
    }
    
    location ~* ^/proxied-content/(.*)$ {
      if ($proxy_direct_pass = yes) {
        return 302 https://original_content/$1$is_args$args;
      }
    
      proxy_pass https://original_content/$1$is_args$args;
    }
  • Proxying and Caching WebP Images Using the Same URI Based on User Accept Headers with Nginx

    Case:

    • The proxied image backend serves WebP images when the client signals support for them in the Accept header ($http_accept)
    • The backend also provides the same URI for all WebP requests. That means URI like image.png can also be in WebP format

    The solution:

    • Using Nginx map module
    • Apply variables to different cache pools

    In nginx.conf:

    # Proxy cache pools for image caching
    proxy_cache_path        /dev/shm/image_cache
                            keys_zone=image_cache:10m;
    
    proxy_cache_path        /dev/shm/image_cache_webp
                            keys_zone=image_cache_webp:10m;
    
    # Differentiate WebP requests
    map $http_accept $webp_pool {
      default                 image_cache;
      ~*webp                  image_cache_webp;
    }

    In your site config:

    proxy_cache             $webp_pool;
  • Allow WordPress Embedded Posts with Global X-Frame-Options for Nginx Servers

    The problem: when you enable X-Frame-Options globally, you won’t be able to embed your posts with the latest WordPress post embedding method.

    The solution: you can simply exclude the embed pages in your Nginx configuration. I’ll use an Nginx map for better performance:

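    map $request_uri $x_frame_options_headers {
      default                 SAMEORIGIN;
      # Matching WordPress embed page, i.e. https://example.com/my-post/embed#?secret=vLi4CQcWkH
      # Anchored to the end of the path: an unanchored ~/embed would also clear the
      # header for any URI that merely contains /embed, including in the query string.
      ~^[^?]*/embed/?([?]|$)  "";
    }
    
    # Don't allow the browser to render the page inside a frame or iframe
    add_header X-Frame-Options $x_frame_options_headers;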
  • Increase PHP-FPM File Upload Limit

    Nginx:

    • client_max_body_size

    PHP:

    • post_max_size
    • upload_max_filesize
  • SELinux policy for nginx and GitLab unix socket in Fedora 19

    The installation of GitLab in Fedora 19 went fine. I followed the official installation guide with some deviations where necessary, mostly taken from the CentOS guide in gitlab-recipes. I set up nginx using the ssl config, and poked some holes in iptables. For systemd services I used these files.

    Source: SELinux policy for nginx and GitLab unix socket in Fedora 19

  • Configuring NGINX to accept the PROXY Protocol – NGINX

    This article explains how to configure NGINX and NGINX Plus to accept the PROXY protocol. The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through […]

    Source: Configuring NGINX to accept the PROXY Protocol – NGINX

  • Shaving your RTT with TCP Fast Open – Bradley Falzon

    Check out the recently released RFC on TCP Fast Open, a spec that allows most TCP connections to send data during the initial SYN packet – reducing the initial round trips required from 2 to 1. Excellent for HTTPS connections.

    Source: Shaving your RTT with TCP Fast Open – Bradley Falzon

  • How to Generate SSL Certificate Chain for Nginx

    I’m using a Comodo certificate; you will get these files in their email:

    • Root CA Certificate – AddTrustExternalCARoot.crt
    • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    • Intermediate CA Certificate – ComodoUTNSGCCA.crt
    • Intermediate CA Certificate – EssentialSSLCA_2.crt
    • Your EssentialSSL Certificate – www_example_com.crt

    Correct order:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – EssentialSSLCA_2.crt
    3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
    4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    5. Root CA Certificate – AddTrustExternalCARoot.crt

    You can create a chained certificate required by Nginx:

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

    In fact, you only need the first three certificates: most systems already have the root CA.

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt  > example.com.chained.crt

    Update Mar 21, 2015:

    Comodo updated their certificate filenames, so the correct order now is:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
    3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
    4. Root CA Certificate – AddTrustExternalCARoot.crt
    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt
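
    The ordering rule above (your certificate first, then each certificate followed by the one that issued it) can be checked before the bundle is deployed. The script below is an added example, not part of the original post; its function names are made up for illustration and it assumes the openssl command-line tool is installed:

```sh
# Added example: verify that a chained PEM bundle is ordered leaf first, with
# every certificate followed by the certificate of its issuer.

# split_chain BUNDLE DIR: write each certificate in BUNDLE to DIR/cert-N.pem
# and print how many certificates were found.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# cert_name FIELD FILE: print the subject or issuer DN of FILE without its label.
cert_name() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# check_chain_order BUNDLE: exit status 0 if ordered correctly, 1 if a
# certificate is not followed by its issuer, 2 if no certificates were found.
# The body is a subshell, so its variables do not leak into the caller.
check_chain_order() (
  tmp=$(mktemp -d) || exit 2
  count=$(split_chain "$1" "$tmp")
  rc=0
  [ "${count:-0}" -ge 1 ] || rc=2
  i=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
    issuer=$(cert_name issuer "$tmp/cert-$i.pem")
    next=$(cert_name subject "$tmp/cert-$((i + 1)).pem")
    if [ "$issuer" != "$next" ]; then
      echo "position $i: issued by '$issuer' but followed by '$next'" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  exit "$rc"
)
```

    Run check_chain_order example.com.chained.crt; a non-zero exit status means the bundle is out of order or empty. The check compares issuer and subject names only and does not validate signatures.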
  • logrotate for nginx

    vi /etc/logrotate.d/nginx
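    /srv/www/*/logs/*log {
            daily
            missingok
            rotate 52
            compress
            delaycompress
            notifempty
            create 640 nginx adm
            sharedscripts
            postrotate
                    # Tell nginx to reopen its log files, otherwise it keeps writing to the rotated file.
                    # The pid file path is an assumption; adjust it to your setup.
                    if [ -f /var/run/nginx.pid ]; then
                            kill -USR1 "$(cat /var/run/nginx.pid)"
                    fi
            endscript
    }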
    
    # debug
    logrotate -d /etc/logrotate.conf
    
    # force logrotate with verbose info
    logrotate -f -v /etc/logrotate.conf
    
  • Fixing the 500 Error When Running WordPress on localhost with MAMP

    Check the error in /Applications/MAMP/logs/php_error.log. If it is:

    PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate x bytes) in /path/to/file on line n

    then open /Applications/MAMP/bin/php/php5.3.6/conf/php.ini and change memory_limit to 64M or larger.

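  • A Guide to Manually Compiling and Installing nginx + PHP-FPM on Debian

    There are countless unreliable automated installation scripts online these days, and not many nginx + PHP-FPM tutorials either. This memo focuses on installing PHP-FPM and was written with reference to the official nginx docs and the Slicehost wiki.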
