Cyberbe Notes from Blackcat

Nginx conf rules for Wordfence Falcon Engine Caching when using Nginx and PHP5-FPM

Feb 07, 2016

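# Minimal nginx.conf for a WordPress site under /usr/local/test1 served via
# PHP5-FPM, with Wordfence Falcon Engine cache files delivered straight from
# disk by nginx when all of the cache conditions below hold.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time status $status bytes $body_bytes_sent';
    # Uncomment to debug rewrite rules
    #rewrite_log on;
    server {
        listen 80;
        server_name test1.com;
        access_log logs/test1.access.log main;
        # Uncomment to debug rewrite rules
        #error_log logs/rewrite.log notice;
        root /usr/local/test1;
        index index.php;

        # WORDFENCE FALCON ENGINE CODE
        # Match on gzip first because ordering matters: regex locations are
        # tried in the order written and the first match wins, so the
        # "...gzip" variant has to precede the generic wfcache location.
        location ~ "/site/wp-content/wfcache/.*gzip$" {
            gzip off;                 # file on disk is already compressed
            types {}
            default_type text/html;   # serve the .html_gzip file as HTML
            add_header Vary "Accept-Encoding, Cookie";
            add_header Content-Encoding gzip;
        }
        # If the previous location matched, this one is not evaluated.
        location ~ /site/wp-content/wfcache/.* {
            add_header Vary "Accept-Encoding, Cookie";
        }
        set $wordfenceCacheOn 1;

        # Don't cache form submissions.
        if ($request_method = POST) {
            set $wordfenceCacheOn 0;
        }

        # Only an empty query string or one of the form 123=123 may be served
        # from cache (/?123=123 is a common cache-busting trick in DDoS
        # traffic); anything else bypasses the cache.
        if ($query_string !~ "^(?:\d+=\d+)?$") {
            set $wordfenceCacheOn 0;
        }

        # Only cache URLs ending in /
        if ($request_uri !~ \/$) {
            set $wordfenceCacheOn 0;
        }
        # Don't serve cached pages to requests carrying any of these cookies,
        # e.g. logged-in users and commenters.
        if ($http_cookie ~* "(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher)") {
            set $wordfenceCacheOn 0;
        }
        set $wordfenceEncoding "";
        # Client accepts gzip: look for the pre-compressed cache file instead.
        if ($http_accept_encoding ~ gzip) {
            set $wordfenceEncoding _gzip;
        }
        set $wordfenceHTTPS "";
        if ($scheme = 'https') {
            # HTTPS caching is disabled here; comment out the next line to enable it.
            set $wordfenceCacheOn 0; #Comment this line out to enable HTTPS caching.

            # Gives HTTPS pages their own cache files (suffix _https) once caching is enabled.
            set $wordfenceHTTPS '_https';
        }
        # Capture the URL path components into $wfone .. $wfsix; they make up
        # the cache file name below. A URI that does not match is never cached.
        if ($request_uri !~ "^\/*(?<wfone>[^\/]*)\/*(?<wftwo>[^\/]*)\/*(?<wfthree>[^\/]*)\/*(?<wffour>[^\/]*)\/*(?<wffive>[^\/]*)(?<wfsix>.*)$"){
            set $wordfenceCacheOn 0;
        }
        # If the cache file doesn't exist then don't serve from cache.
        # NOTE(review): ${http_host} comes from the client's Host header and
        # becomes part of a filesystem path. Keep a catch-all default_server
        # on port 80 so that requests with unexpected Host values never reach
        # this server block.
        if (!-f "$document_root/site/wp-content/wfcache/${http_host}_${wfone}/${wftwo}~${wfthree}~${wffour}~${wffive}~${wfsix}_wfcache${wordfenceHTTPS}.html${wordfenceEncoding}") {
            set $wordfenceCacheOn 0;
        }

        if ($wordfenceCacheOn = 1) {
            rewrite .* "/site/wp-content/wfcache/${http_host}_${wfone}/${wftwo}~${wfthree}~${wffour}~${wffive}~${wfsix}_wfcache${wordfenceHTTPS}.html${wordfenceEncoding}" last;
        }
        # END Wordfence Rules

        location / {
            try_files $uri $uri/ /index.php?$args ;
        }
        # The dot is escaped: an unescaped ".php$" also matched any URI that
        # merely ends in "php" and would have sent it to PHP-FPM.
        location ~ \.php$ {
            # Only existing files go to PHP-FPM; anything else (including
            # "/uploads/x.jpg/y.php"-style paths) falls back to the front controller.
            try_files $uri /index.php;
            include fastcgi_params;
            # NOTE(review): not every fastcgi_params file sets SCRIPT_FILENAME;
            # if PHP-FPM answers "No input file specified", add
            # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; here.
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
        }
    }
}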

Nginx and Perl-FastCGI on Ubuntu

Feb 07, 2016

Install:

# Refresh the package index and apply pending upgrades, then install the
# FastCGI wrapper that lets nginx hand .pl/.cgi requests to Perl scripts.
for apt_step in update upgrade; do
  apt-get "$apt_step"
done
apt-get install spawn-fcgi fcgiwrap
Nginx config:

# Every request for a file ending in .pl or .cgi is executed through fcgiwrap.
# NOTE(review): this regex location applies anywhere under the site root, so any
# *.pl/*.cgi file that lands in a writable directory (uploads, temp) would be
# executed too; confining script execution to /cgi-bin/ alone is the safer setup.
location ~ \.(pl|cgi)$ {
    gzip off;                                  # don't compress script output
    try_files $uri =404;                       # the script file itself must exist
    # Hand the script to fcgiwrap for execution
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
    # Standard FastCGI parameters
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_ignore_client_abort off;
}
# Replacement for Apache's ScriptAlias: scripts under /var/www/cgi-bin/
location /cgi-bin/ {
    gzip off;
    try_files $uri =404;
    root /var/www/;
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_ignore_client_abort off;
}

Using GeoIP With Nginx On Ubuntu

Feb 07, 2016

1. Download The GeoIP Databases

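# Fetch the free GeoLite databases into the directory nginx reads them from.
geoip_dir=/etc/nginx/geoip
mkdir -p -- "$geoip_dir"          # -p: re-runnable when the directory already exists
cd -- "$geoip_dir" || exit 1      # never download into whatever the cwd happens to be
# NOTE(review): plain-http downloads carry no integrity check; verify a
# checksum published by MaxMind (or use an https mirror) before loading these.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || exit 1
gunzip GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz || exit 1
gunzip GeoLiteCity.dat.gz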

2. Configure Nginx

http {
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
[...]
Then add the following to /etc/nginx/fastcgi_params:
### SET GEOIP Variables ###
# Exported to every FastCGI backend that includes this file (PHP-FPM as well as
# the fcgiwrap locations), taken from the ngx_http_geoip_module variables.
# From the country database (geoip_country)
fastcgi_param GEOIP_COUNTRY_CODE         $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3        $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME         $geoip_country_name;
# From the city database (geoip_city)
fastcgi_param GEOIP_CITY_COUNTRY_CODE    $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3   $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME    $geoip_city_country_name;
fastcgi_param GEOIP_REGION               $geoip_region;
fastcgi_param GEOIP_CITY                 $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE          $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE  $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE             $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE            $geoip_longitude;

3. A Short Test

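<html>
<body>
<?php
// Smoke test: prints every GEOIP_* variable that fastcgi_params passes to PHP.
// The names must be quoted strings: a bare GEOIP_COUNTRY_CODE is an undefined
// constant (notice/warning before PHP 8, a fatal Error on PHP 8), so the
// original getenv(GEOIP_COUNTRY_CODE) calls only worked by accident.
$geoip_names = array(
    'GEOIP_COUNTRY_CODE',
    'GEOIP_COUNTRY_CODE3',
    'GEOIP_COUNTRY_NAME',
    'GEOIP_CITY_COUNTRY_CODE',
    'GEOIP_CITY_COUNTRY_CODE3',
    'GEOIP_CITY_COUNTRY_NAME',
    'GEOIP_REGION',
    'GEOIP_CITY',
    'GEOIP_POSTAL_CODE',
    'GEOIP_CITY_CONTINENT_CODE',
    'GEOIP_LATITUDE',
    'GEOIP_LONGITUDE',
);
foreach ($geoip_names as $name) {
    // $_SERVER[$name] works as well; getenv() returns false when the parameter is missing.
    $value = getenv($name);
    // Label is the variable name without its GEOIP_ prefix, lower-cased (e.g. country_code).
    $label = strtolower(substr($name, strlen('GEOIP_')));
    // The value comes from the GeoIP database lookup, not from the request,
    // but HTML-escape it anyway before writing it into the page.
    echo $label . ': ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '<br>';
}
?>
</body>
</html>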

Увеличение максимального размера загружаемых файлов в PHP и Nginx (upload max filesize)

Feb 07, 2016
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                            

                                                                                                                                                                                                                                                                                                                                                              

<gr_replace lines="225-225" cat="clarify" orig="Feb 072016">
Feb 07, 2016

Итак для увеличения максимального размера загружаемого файла сначала необходимо увеличить значение переменных PHP upload_max_filesize и post_max_size в файле /etc/php5/fpm/php.ini, например:

; Maximum size allowed for an uploaded file.
; http://php.net/upload-max-filesize
upload_max_filesize = 30M

; Maximum size of POST request data PHP will accept; keep it at least as large
; as upload_max_filesize, since the upload travels inside the POST body.
; http://php.net/post-max-size
post_max_size = 30M

далее в конфигурационном файле nginx /etc/nginx/nginx.conf увеличить значение переменной client_max_body_size, например:
http {
#...
# Largest request body nginx accepts (larger requests get 413); keep it in
# step with PHP's post_max_size / upload_max_filesize, otherwise nginx rejects
# uploads that PHP would have allowed.
client_max_body_size 30m;
#...
}

Nginx сборка из исходников

Feb 072016

Скачиваем исходники http://nginx.org/ru/download.html

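# Download and unpack the nginx source tarball into a scratch directory.
build_dir=nginx_build
mkdir -p -- "$build_dir"       # -p: re-runnable
cd -- "$build_dir" || exit 1   # don't unpack into the wrong directory
# NOTE(review): nginx.org publishes a detached PGP signature (.asc) next to
# each tarball; verify it before building rather than trusting a plain-http download.
wget http://nginx.org/download/nginx-1.6.3.tar.gz || exit 1
tar -xvf nginx-1.6.3.tar.gz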
Устанавливаем зависимости:

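# Build dependencies for the ./configure flags below (GD image filter, PCRE,
# OpenSSL, GeoIP, PAM, libxml2/libxslt, Perl). libpcre++-dev was listed twice
# in the original; it is kept once here.
# NOTE(review): nginx itself needs the C PCRE headers (libpcre3-dev on
# Debian/Ubuntu); libpcre++-dev only pulls them in as a dependency — confirm
# on your release.
aptitude install -y \
  build-essential \
  libgd-dev \
  libpcre++-dev \
  libssl-dev \
  libgeoip-dev \
  libxml2-dev \
  libxslt1-dev \
  || exit 1
apt-get install -y libpam0g-dev libperl-dev || exit 1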

Сборка:

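# Configure with the same module set as before; the duplicated
# --with-http_image_filter_module has been dropped. --with-debug only adds the
# "debug" error_log level and can be left out of a production build;
# --with-http_dav_module compiles WebDAV in but it stays inactive until
# dav_methods is configured.
./configure \
  --prefix=/etc/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-log-path=/var/log/nginx/access.log \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-scgi-temp-path=/var/lib/nginx/scgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/var/run/nginx.pid \
  --with-debug \
  --with-http_addition_module \
  --with-http_dav_module \
  --with-http_geoip_module \
  --with-http_gzip_static_module \
  --with-http_image_filter_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_sub_module \
  --with-http_xslt_module \
  --with-ipv6 \
  --with-sha1=/usr/include/openssl \
  --with-md5=/usr/include/openssl \
  --with-http_spdy_module \
  || exit 1

# Build, then install into the --prefix paths above (install needs root).
make && make install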

Параметры конфигурации:

nginx.conf

# Databases for --with-http_geoip_module; the paths must match the files actually unpacked.
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
# NOTE(review): the download step earlier on this page unpacks GeoLiteCity.dat,
# not GeoIPCity.dat — use whichever file name is really on disk.
geoip_city /etc/nginx/geoip/GeoIPCity.dat; # the city IP database