nginx打补丁
下载发布版的openssl openssl-1.1.1c.tar.gz 解压后 git init ; git add . ; git commit -m "init" 先初始化
再把漏洞发布的merge打开, 比如 https://github.com/openssl/openssl/pull/10575/files#diff-e55cf156f8579e17800742c38b325e07
把修改的文件内容手工改正后, 制作补丁: git diff > 05843ALM.patch ; 导入: cd ${src_path}/openssl-1.1.1c/ ; patch -p1 < CVE-2019-1563.patch
后续正常编译即可
install.sh
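#!/bin/bash
# install.sh - unpack the bundled nginx build, render nginx.conf from nginx.conf.temp,
# install the helper scripts and register nginx for start on boot.
#
# Usage: install.sh <OS_NAME> <gateway_ip[,gateway_ip...]> [LVS_VIP]
#   OS_NAME     Centos | Redhat | RedHat | Euler  (Euler selects the ARM tarball)
#   gateway_ip  comma-separated list of 视图库 (VIID) gateway addresses
#   LVS_VIP     optional; when given, LVS mode is enabled with this floating IP
#
# Runs as root: it edits files under /etc, chowns the install tree and starts nginx as user viid.
software_path='/....//tools/deploy/business_machine/base/nginx'
OS_NAME=$1
# 视图库网关地址 - VIID gateway address(es), comma-separated when more than one
gateway_ip=$2
if [ -n "$3" ]; then
  loadbalance_type=lvs
  # LVS floating IP (VIP), written into realServer.sh below
  LVS_VIP=$3
else
  loadbalance_type=nginx
fi
if [ "$loadbalance_type" == "lvs" ]; then
  # The VIP is spliced into a sed expression where '#' is the delimiter, '&' means
  # "the match" and '\' escapes; refuse such values so the edit cannot be altered.
  if [[ "$LVS_VIP" == *[\#\&\\]* ]] || [[ "$LVS_VIP" == *$'\n'* ]]; then
    printf 'install.sh: LVS_VIP "%s" contains characters that are not allowed\n' "$LVS_VIP" >&2
    exit 1
  fi
  sed -i "s#^VIP=.*#VIP=${LVS_VIP}#g" "$software_path/realServer.sh"
fi
# Only Euler (ARM) gets a different tarball; Centos, Redhat/RedHat and any
# unrecognised value all use the x86 build, exactly as the original if/elif chain did.
case "$OS_NAME" in
  Euler) package_name=compile-nginx-arm.tar.gz ;;
  *)     package_name=compile-nginx.tar.gz ;;
esac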
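# Wipe any previous install tree, then unpack the fresh build.
# Both rm targets are fixed literals, so an unset variable can never widen them.
if [ -d /....//base/nginx ]; then
  rm -rf /....//base/ssl
  rm -rf /....//base/nginx
fi
if [ ! -d /....//base ]; then
  mkdir -p /....//base
fi
echo start install nginx
# Stop the running instance before its binary is replaced; a non-zero status here
# only means nothing was running.
killall nginx
# Abort if the tarball is missing or corrupt - every later cp/chown/su would otherwise
# operate on a half-empty tree.
if ! tar -xf "${software_path}/${package_name}" -C /....//base/; then
  printf 'install.sh: failed to extract %s\n' "${software_path}/${package_name}" >&2
  exit 1
fi
# The bundled nginx.conf is replaced by the one rendered from nginx.conf.temp below.
rm -f /....//base/nginx/conf/nginx.conf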
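# Split the comma-separated gateway list into an array (word-splitting is intended here).
# shellcheck disable=SC2206
arr=(${gateway_ip//,/ })
num=${#arr[@]}
# Each address is spliced into sed expressions that use '#' as delimiter, '&' as
# "the match" and '\' as escape; reject values carrying any of them.
for ip in "${arr[@]}"; do
  if [[ "$ip" == *[\#\&\\]* ]]; then
    printf 'install.sh: gateway address "%s" contains characters that are not allowed\n' "$ip" >&2
    exit 1
  fi
done
# nginx.conf.temp is the configuration template. The number of "server {{gateway_ip}}"
# lines in it has to match the number of gateway addresses (num), so the template is
# rendered into nginx_http.conf first and split into nginx.conf afterwards.
rm -f -- "$software_path/nginx_http.conf" "$software_path/nginx.conf"
if [ "$num" -eq 1 ]; then
  # One gateway: a plain substitution is enough.
  cp "$software_path/nginx.conf.temp" "$software_path/nginx_http.conf"
  sed -i "s#{{gateway_ip}}#${gateway_ip}#" "$software_path/nginx_http.conf"
else
  # Several gateways: copy the template line by line and expand every
  # "server {{gateway_ip}}" line into num copies tagged {{gateway_ip_1}}..{{gateway_ip_N}}.
  # IFS= and -r keep each line intact; the original plain 'read line' stripped the
  # backslashes out of the health-check request, which the sed at the end repairs.
  server_line_re='server[[:space:]]+\{\{gateway_ip\}\}'
  while IFS= read -r line || [ -n "$line" ]; do
    if [[ "$line" =~ $server_line_re ]]; then
      for ((i = 1; i <= num; i++)); do
        printf '%s\n' "$line" | sed "s/{{gateway_ip}}/{{gateway_ip_${i}}}/g"
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$software_path/nginx.conf.temp" > "$software_path/nginx_http.conf"
  # Now substitute the real addresses for the numbered placeholders.
  for ((i = 1; i <= num; i++)); do
    sed -i "s#{{gateway_ip_${i}}}#${arr[i-1]}#" "$software_path/nginx_http.conf"
  done
  # Any placeholder the line expansion did not cover gets the first address.
  sed -i "s#{{gateway_ip}}#${arr[0]}#" "$software_path/nginx_http.conf"
  # Normalise the health-check request line (restores the \r\n escapes).
  check_http_send_line='check_http_send "GET /HealthCheck HTTP/1.0\\r\\nConnection: keep-alive\\r\\n\\r\\n";'
  sed -i "s#check_http_send.*#${check_http_send_line}#g" "$software_path/nginx_http.conf"
fi
# The template brackets its plain-HTTP block with two "flag --- start/end" marker comments.
# nginx.conf is the rendered file with that whole range deleted; nginx_http.conf keeps the
# block and only loses the marker lines.
flag_lines=$(grep -n "# nginx_http.conf flag" "$software_path/nginx_http.conf" | cut -d: -f1 | paste -sd,)
if [ -n "$flag_lines" ]; then
  sed "${flag_lines}d" "$software_path/nginx_http.conf" > "$software_path/nginx.conf"
else
  # Without markers the original 'sed d' emptied nginx.conf entirely; keep the full file instead.
  printf 'install.sh: warning: no flag markers found in %s, nginx.conf keeps the http block\n' \
    "$software_path/nginx_http.conf" >&2
  cp "$software_path/nginx_http.conf" "$software_path/nginx.conf"
fi
sed -i '/nginx_http.conf flag/d' "$software_path/nginx_http.conf"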
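# Install the rendered configs, the TLS key material and the helper scripts.
cp "$software_path/nginx.conf" /....//base/nginx/conf/
cp "$software_path/nginx_http.conf" /....//base/nginx/conf/
mkdir -p /....//base/nginx/key
cp "$software_path"/SSL/* /....//base/nginx/key/
cp "$software_path/log_util.sh" /....//base/nginx/sbin/
cp "$software_path/realServer.sh" /....//base/nginx/sbin/
cp "$software_path/nginx_cron_util.py" /....//base/nginx/sbin/
chown -R viid:fusion_viid /..../
# The private key and certificate must not be readable by other users. The original
# ran 'chmod 600 key/*.*' relative to the caller's cwd, so the installed key
# directory was never tightened.
chmod 600 /....//base/nginx/key/*.*
su - viid -c "/....//base/nginx/sbin/nginx"
# Stop a previously started nginx_cron_util.py before a fresh one is launched at the
# end of the script. pgrep replaces the ps|grep|grep -v grep chain and excludes itself;
# killing per PID avoids the '[ -z' test breaking when more than one matched.
for pid in $(pgrep -f nginx_cron_util); do
  kill "$pid"
done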
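# Raise the open-file limit for the nginx user; old entries are removed first so
# repeated runs do not accumulate duplicates.
sed -i '/viid soft/d' /etc/security/limits.conf
sed -i '/viid hard/d' /etc/security/limits.conf
sed -i '$aviid soft nofile 1024000' /etc/security/limits.conf
sed -i '$aviid hard nofile 1024000' /etc/security/limits.conf
# 开机自启动nginx - start nginx (and, in LVS mode, the real-server script) on boot via rc.local.
# The -f guard is new: on a host without rc.local the original grep produced no count and
# the numeric test failed with an error rather than skipping cleanly.
rc_local=/etc/rc.d/rc.local
if [ -f "$rc_local" ] && [ "$(grep -c "/....//base/nginx" "$rc_local")" -eq 0 ]; then
  sed -i '$a su - viid -c "/....//base/nginx/sbin/nginx"' "$rc_local"
  if [ "$loadbalance_type" == "lvs" ]; then
    sed -i '$a sh /....//base/nginx/sbin/realServer.sh start' "$rc_local"
  fi
fi
if [ "$loadbalance_type" == "lvs" ]; then
  echo "run realServer.sh, turn ifconig lo on"
  sh /....//base/nginx/sbin/realServer.sh start
fi
# nginx节点增加中断均衡配置 - spread NIC interrupts on nginx nodes:
# ethtool -L ethX combined 12 for every eth* interface listed in /proc/net/dev.
# The first two lines are headers; the interface name carries a trailing ':' and can be
# fused with the first counter when that counter is wide, so everything from ':' on is cut.
eth_cards=$(awk 'NR > 2 { sub(/:.*$/, "", $1); print $1 }' /proc/net/dev | grep eth)
for card in $eth_cards; do
  ethtool -L "$card" combined 12
done
# 该命令支持受限 - ethtool -L is not supported by every driver; limit the test scenarios accordingly.
# nginx网关性能优化 - kernel tuning: replace /etc/sysctl.conf with the bundled template.
# Only back up on the first run; re-running would otherwise overwrite the .bak with the
# template itself and lose the host's original settings.
if [ ! -f /etc/sysctl.conf.bak ]; then
  mv /etc/sysctl.conf /etc/sysctl.conf.bak
fi
cat "$software_path/sysctl.conf.temp" > /etc/sysctl.conf
sysctl -p >/dev/null 2>&1 &
# Start the log-rotation loop as viid (nginx_cron_util.py runs log_util.sh every 5 s).
su - viid -c "nohup python /....//base/nginx/sbin/nginx_cron_util.py /....//base/nginx/sbin/log_util.sh >/dev/null 2>&1 &"
echo end of installation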
nginx_cron_util.py 和 log_util.sh 用于日志处理
nginx_cron_util.py
#!/usr/bin/env python
# -*-coding:utf-8-*-
import os
import subprocess
import sys
import time
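if __name__ == "__main__":
    # Usage: nginx_cron_util.py <path-to-log_util.sh>
    # install.sh starts this loop as user viid; it stands in for cron and runs the
    # log-rotation script forever.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <shell-script>\n" % sys.argv[0])
        sys.exit(2)
    util_path = sys.argv[1]
    # Run the script every 5 seconds. The argument-list form hands the path straight to
    # sh instead of building an 'sh <path>' command line for a shell (os.system in the
    # original), so nothing in the path can be parsed as shell syntax. The script's exit
    # status is ignored, as before.
    while True:
        subprocess.call(["sh", util_path])
        time.sleep(5)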
log_util.sh
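#!/bin/bash
# log_util.sh - rotate nginx access/error logs once they exceed 200 MB and keep at most
# 8 rotated copies per log. nginx_cron_util.py invokes it as 'sh log_util.sh' every 5 s.
# Bash-only (function, (( )), ${var:off:len}); the original '#!/usr/bin' shebang named a
# directory and could never have been executed directly.
NGINX_PATH=$(cd "$(dirname "$0")" && cd .. && pwd)
NGINX_LOG_PATH=$NGINX_PATH/logs/
# All relative work (the rotated-file glob in do_clean) happens inside the log directory,
# so a failed cd must not be ignored.
cd "${NGINX_LOG_PATH}" || { printf 'log_util.sh: cannot cd to %s\n' "${NGINX_LOG_PATH}" >&2; exit 1; }
NGX_PID=${NGINX_LOG_PATH}nginx.pid
# Timestamp suffix for files rotated by this run: YYYY-MM-DD-HH-MM-SS
PRINT_FILE=$(date -d today +'%Y-%m-%d-%H-%M-%S')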
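#######################################
# Delete the oldest rotated log of one stream once more than 8 rotated copies exist.
# Rotated files are named <name>.log.YYYY-MM-DD-HH-MM-SS (see PRINT_FILE); each
# timestamp is parsed back with date(1), the earliest is picked and that file is
# removed from NGINX_LOG_PATH.
# Globals:   NGINX_LOG_PATH (read) - directory the file is removed from; the cwd must
#            be that same directory because the glob is relative
# Arguments: $1 - log stream name, "access" or "error"
# Returns:   0 always; nothing is removed while 8 or fewer rotated copies exist
#######################################
do_clean() {
  local name=$1
  local -a logs=()
  local log
  # Glob instead of parsing ls; an unmatched pattern would otherwise be iterated literally.
  for log in "$name".*.*; do
    [ -e "$log" ] && logs+=("$log")
  done
  if (( ${#logs[@]} <= 8 )); then
    return
  fi
  # Start from "now" so only files with a timestamp in the past can be selected.
  local earliest_log_time
  earliest_log_time=$(date -d today +%s)
  local suffix log_time
  for log in "${logs[@]}"; do
    # Only names of the form <name>.log.<timestamp> are considered (the original skipped
    # 4 characters past the first '.', i.e. the same ".log." prefix).
    [[ "$log" == "$name.log."* ]] || continue
    suffix=${log#"$name.log."}
    # YYYY-MM-DD-HH-MM-SS -> "YYYY-MM-DD HH:MM:SS" so GNU date can parse it.
    log_time=${suffix:11}
    suffix="${suffix:0:10} ${log_time//-/:}"
    # A name whose timestamp does not parse is skipped rather than breaking the comparison.
    log_time=$(date -d "$suffix" +%s 2>/dev/null) || continue
    if (( log_time < earliest_log_time )); then
      earliest_log_time=$log_time
    fi
  done
  local ear_log
  ear_log=$name.log.$(date -d "@${earliest_log_time}" '+%Y-%m-%d-%H-%M-%S')
  if [ -f "${NGINX_LOG_PATH}${ear_log}" ]; then
    rm -f -- "${NGINX_LOG_PATH}${ear_log}"
  fi
}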
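#######################################
# Rotate one log when it exceeds 200 MB: rename it with the PRINT_FILE timestamp, send
# USR1 so the nginx master reopens its log files, then prune old copies via do_clean.
# Globals:   NGINX_LOG_PATH, NGX_PID, PRINT_FILE (read)
# Arguments: $1 - log stream name ("access" or "error"); the file is ${NGINX_LOG_PATH}$1.log
# Returns:   0; a missing log file is not an error
#######################################
rotate_if_large() {
  local name=$1
  local log_file=${NGINX_LOG_PATH}${name}.log
  local log_size
  [ -f "$log_file" ] || return 0
  log_size=$(du -m "$log_file" | awk '{print $1}')
  if (( log_size > 200 )); then
    mv "$log_file" "$log_file.${PRINT_FILE}"
    if [ -f "${NGX_PID}" ]; then
      kill -USR1 "$(cat "${NGX_PID}")"
    fi
    do_clean "$name"
  fi
}
access_log=${NGINX_LOG_PATH}access.log
error_log=${NGINX_LOG_PATH}error.log
# The two streams were handled by duplicated blocks; both now go through one helper.
rotate_if_large access
rotate_if_large error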
nginx.conf.temp
# nginx.conf.temp - template rendered by install.sh. Every {{gateway_ip}} placeholder is
# replaced with a gateway address (one upstream entry per address when several are given),
# and the range between the "flag --- start" and "flag --- end" marker comments is deleted
# from nginx.conf but kept in nginx_http.conf.
# "user xxxx xxxxx;" is a placeholder for the run-as user and group and must be filled in.
user xxxx xxxxx;
worker_processes auto;
worker_rlimit_nofile 102400;
events {
use epoll;
# multi_accept on;
worker_connections 102400;
}
http {
include mime.types;
default_type application/octet-stream;
# Pass request headers whose names contain '_' through to the upstream instead of dropping them.
underscores_in_headers on;
log_format main '$time_local [$remote_addr] $request_method "$request_uri" | '
'$status | "$upstream_addr" [ $upstream_response_time $request_time ]';
sendfile on;
tcp_nodelay on;
tcp_nopush on;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
keepalive_timeout 65;
keepalive_requests 10000;
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
# Keep the upstream request running even when the client goes away.
proxy_ignore_client_abort on;
client_body_buffer_size 1024k;
open_file_cache max=102400 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 1;
client_max_body_size 100M;
# The check* directives below are not core nginx; presumably they belong to the upstream
# health-check module compiled into the bundled build (compile-nginx*.tar.gz) - confirm.
upstream viid_https {
server {{gateway_ip}}:8090 weight=10;
check interval=3000 rise=2 fall=5 timeout=1000;
check_keepalive_requests 100;
# install.sh rewrites the health-check request line after rendering, restoring the \r\n escapes.
check_http_send "GET /HealthCheck HTTP/1.0\r\nConnection: keep-alive\r\n\r\n";
check_http_expect_alive http_2xx http_3xx;
keepalive 4000;
}
upstream web_https {
server {{gateway_ip}}:8088;
}
# nginx_http.conf flag --- start
# Plain-HTTP listener: present in nginx_http.conf only (install.sh strips this range from nginx.conf).
upstream viid {
server {{gateway_ip}}:8080 weight=10;
check interval=3000 rise=2 fall=5 timeout=1000 type=http;
check_keepalive_requests 100;
check_http_send "GET /HealthCheck HTTP/1.0\r\nConnection: keep-alive\r\n\r\n";
check_http_expect_alive http_2xx http_3xx;
keepalive 4000;
}
server {
listen 8080;
server_name www1.xxxx.com;
charset utf-8;
access_log logs/access.log main;
error_log logs/error.log;
# Export/download endpoints are sent to "viid_exportLogHash", for which this template defines
# no upstream block; unless the real file declares it elsewhere, nginx would try to resolve
# it as a host name at startup and reject the configuration.
location ~ /(VIID/SystemManagement/UserLog/Export|VIID/SystemManagement/downLoadLog|VIID/SystemManagement/SysLog/Export|VIID/SystemManagement/DataCheckRecord/Export)$ {
proxy_pass http://viid_exportLogHash;
proxy_http_version 1.1; # backend keep-alive (long-lived upstream connection)
proxy_set_header Connection ""; # backend keep-alive
}
location / {
proxy_pass http://viid;
proxy_http_version 1.1; # backend keep-alive (long-lived upstream connection)
proxy_set_header Connection ""; # backend keep-alive
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# nginx_http.conf flag --- end
# HTTPS listener for the VIID API, proxied to upstream viid_https.
server {
listen 8090 ssl;
server_name www2.xxxx.com;
#ssl on;
# Key material is copied by install.sh into the nginx key directory and must stay readable
# by the nginx user only.
ssl_certificate /..../nginx/key/cert_chain.pem;
ssl_certificate_key /..../nginx/key/key.pem;
ssl_session_timeout 5m;
#ssl_session_cache shared:SSL:1m;
# TLSv1.1 is deprecated (RFC 8996); keep it only while legacy clients still require it.
ssl_protocols TLSv1.1 TLSv1.2;
# After the ECDHE/DHE entries the list still admits static-RSA (no forward secrecy) and
# SHA-1 suites; review before exposing the listener beyond the deployment network.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
charset utf-8;
access_log logs/access.log main;
error_log logs/error.log;
location / {
proxy_pass https://viid_https;
proxy_redirect default;
proxy_http_version 1.1; # backend keep-alive (long-lived upstream connection)
proxy_set_header Connection ""; # backend keep-alive
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# HTTPS listener for the web front end, proxied to upstream web_https (same TLS settings as above).
server {
listen 8088 ssl;
server_name www4.xxxx.com;
#ssl on;
ssl_certificate /..../nginx/key/cert_chain.pem;
ssl_certificate_key /..../nginx/key/key.pem;
ssl_session_timeout 5m;
#ssl_session_cache shared:SSL:1m;
# TLSv1.1 is deprecated (RFC 8996); see the 8090 listener.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
charset utf-8;
access_log logs/access.log main;
error_log logs/error.log;
location / {
proxy_pass https://web_https;
proxy_redirect default;
proxy_http_version 1.1; # backend keep-alive (long-lived upstream connection)
proxy_set_header Connection ""; # backend keep-alive
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
使用git diff 来生成patch
git diff > test_a.patch
但是, 如果有新增的文件(尚未纳入 git 管理), 需要先 git add, 再用 git diff --cached > test_a.patch
如果还包含二进制文件,例如图片等 git diff --cached --binary > test_a.patch
应用 patch git apply test_a.patch