

1.10 nginx打补丁 #347


vieyahn2017 commented 4 years ago

使用git diff 来生成patch

git diff > test_a.patch

但是,如果有新增的文件(尚未纳入 git 管理),需要先 git add 把它们加入暂存区,再用 git diff --cached > test_a.patch 生成补丁

如果还包含二进制文件,例如图片等 git diff --cached --binary > test_a.patch

应用 patch git apply test_a.patch

vieyahn2017 commented 4 years ago

nginx打补丁

下载发布版的openssl openssl-1.1.1c.tar.gz 解压后 git init ; git add . ; git commit -m "init" 先初始化

再把漏洞发布的merge打开, 比如 https://github.com/openssl/openssl/pull/10575/files#diff-e55cf156f8579e17800742c38b325e07

把修改的文件内容手工改正后, 制作补丁: git diff > 05843ALM.patch ; 导入: cd ${src_path}/openssl-1.1.1c/ ; patch -p1 < CVE-2019-1563.patch

后续正常编译即可

vieyahn2017 commented 4 years ago

install.sh

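#!/bin/bash
# install.sh — unpack the bundled nginx gateway build on this node and wire it up.
#
# Usage: install.sh <OS_NAME> <gateway_ip[,gateway_ip...]> [LVS_VIP]
#   OS_NAME     Centos | Redhat | RedHat | Euler — selects the tarball to unpack
#   gateway_ip  comma-separated gateway addresses substituted for {{gateway_ip}}
#               in nginx.conf.temp (one "server" line is emitted per address)
#   LVS_VIP     optional LVS floating IP; when given the node is also set up as
#               an LVS real server (realServer.sh)
#
# Runs as root: it edits /etc/security/limits.conf, /etc/sysctl.conf and
# /etc/rc.d/rc.local, and starts nginx as user "viid".
# `set -e` is deliberately not used: killall/ethtool are allowed to fail.
# Steps whose failure makes the rest pointless (tar, marker lookup) call die.

software_path='/....//tools/deploy/business_machine/base/nginx'
install_base='/....//base'
nginx_dir="$install_base/nginx"

die() { printf 'install.sh: %s\n' "$*" >&2; exit 1; }

#######################################
# Escape a string for use as the replacement text of `sed "s#...#REPL#"`.
# Backslash, ampersand and the '#' delimiter would otherwise be interpreted by
# sed, so an argument such as "a#b" or "x&y" could corrupt the generated config.
# Arguments: $1 - raw replacement text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
sed_repl_escape() {
  local s=$1 bs='\' amp='&' hash='#'
  s=${s//"$bs"/"$bs$bs"}
  s=${s//"$amp"/"$bs$amp"}
  s=${s//"$hash"/"$bs$hash"}
  printf '%s' "$s"
}

OS_NAME=$1
# gateway address(es) of the 视图库 (image/video repository) service
gateway_ip=$2

[[ -n "$gateway_ip" ]] || die "usage: $0 <OS_NAME> <gateway_ip[,...]> [LVS_VIP]"
[[ "$gateway_ip" != *$'\n'* ]] || die "gateway_ip must not contain newlines"

if [[ -n "$3" ]]; then
  loadbalance_type=lvs
  LVS_VIP=$3   # LVS floating IP
else
  loadbalance_type=nginx
fi

if [[ "$loadbalance_type" == "lvs" ]]; then
  sed -i "s#^VIP=.*#VIP=$(sed_repl_escape "$LVS_VIP")#g" -- "$software_path/realServer.sh"
fi

# Only Euler (ARM) gets a different build; Centos/Redhat/RedHat and unknown
# values all use the x86 tarball, as before.
case "$OS_NAME" in
  Euler) package_name=compile-nginx-arm.tar.gz ;;
  *)     package_name=compile-nginx.tar.gz ;;
esac

# Fresh install: drop any previous deployment before unpacking.
if [[ -d "$nginx_dir" ]]; then
  rm -rf -- "$install_base/ssl" "$nginx_dir"
fi
mkdir -p -- "$install_base"
echo start install nginx
killall nginx   # non-zero when nothing is running; that is fine

tar -xf "${software_path}/${package_name}" -C "$install_base/" \
  || die "cannot unpack ${software_path}/${package_name}"

rm -f -- "$nginx_dir/conf/nginx.conf"

# Split the gateway list on commas (surrounding blanks tolerated).
IFS=', ' read -r -a arr <<< "$gateway_ip"
num=${#arr[@]}
(( num >= 1 )) || die "gateway_ip contains no addresses"

http_conf="$software_path/nginx_http.conf"
# nginx.conf.temp is the template; the number of "server {{gateway_ip}}" lines
# emitted must equal the number of gateway addresses (num).
rm -f -- "$http_conf" "$software_path/nginx.conf"

if (( num == 1 )); then
  # single gateway: plain substitution
  cp -- "$software_path/nginx.conf.temp" "$http_conf"
  sed -i "s#{{gateway_ip}}#$(sed_repl_escape "${arr[0]}")#" -- "$http_conf"
else
  # several gateways: copy the template line by line, expanding each
  # "server {{gateway_ip}}" line into num lines tagged {{gateway_ip_1..num}}.
  # `read -r` + printf keep backslashes (the check_http_send "\r\n" line) and
  # indentation intact, so that line no longer needs repairing afterwards.
  placeholder='{{gateway_ip}}'
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ "$line" == *"server $placeholder"* ]]; then
      for ((i = 1; i <= num; i++)); do
        tagged="{{gateway_ip_${i}}}"
        printf '%s\n' "${line//"$placeholder"/"$tagged"}"
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$software_path/nginx.conf.temp" > "$http_conf"
  # then fill in the tagged placeholders, and any untagged one with the first address
  for ((i = 1; i <= num; i++)); do
    sed -i "s#{{gateway_ip_${i}}}#$(sed_repl_escape "${arr[i-1]}")#" -- "$http_conf"
  done
  sed -i "s#{{gateway_ip}}#$(sed_repl_escape "${arr[0]}")#" -- "$http_conf"
fi

# nginx.conf = template without the block between the two "# nginx_http.conf flag"
# markers (that block is the plain-HTTP server); nginx_http.conf keeps the
# block and only drops the marker lines. An empty marker list used to produce
# a bare `sed d`, which silently emptied nginx.conf — now it is an error.
mapfile -t flag_lines < <(grep -n -- '# nginx_http.conf flag' "$http_conf" | cut -d: -f1)
(( ${#flag_lines[@]} == 2 )) \
  || die "expected 2 '# nginx_http.conf flag' markers in $http_conf, found ${#flag_lines[@]}"
sed "${flag_lines[0]},${flag_lines[1]}d" -- "$http_conf" > "$software_path/nginx.conf"
sed -i '/nginx_http.conf flag/d' -- "$http_conf"

cp -- "$software_path/nginx.conf" "$http_conf" "$nginx_dir/conf/"
mkdir -p -- "$nginx_dir/key"
cp -- "$software_path"/SSL/* "$nginx_dir/key/"
cp -- "$software_path/log_util.sh" "$software_path/realServer.sh" \
      "$software_path/nginx_cron_util.py" "$nginx_dir/sbin/"

chown -R viid:fusion_viid /..../
# private key material: owner-only. (Was `chmod 600 key/*.*`, a path relative
# to the caller's cwd rather than to the install directory.)
chmod 600 -- "$nginx_dir"/key/*.*

su - viid -c "$nginx_dir/sbin/nginx"

# stop a previously started log-rotation helper before launching a new one
mapfile -t old_pids < <(pgrep -f nginx_cron_util)
if (( ${#old_pids[@]} > 0 )); then
  kill -- "${old_pids[@]}"   # SIGTERM is enough for a sleep loop (was kill -9)
fi

# raise the open-file limit for the nginx user (replace, don't duplicate)
sed -i '/viid  soft/d;/viid  hard/d' /etc/security/limits.conf
printf '%s\n' 'viid  soft    nofile          1024000' \
              'viid  hard   nofile          1024000' >> /etc/security/limits.conf

# start nginx (and the LVS real-server setup) at boot. On systemd hosts
# rc.local only runs if it is executable — not changed here.
rc_local=/etc/rc.d/rc.local
if ! grep -qF -- "$nginx_dir" "$rc_local" 2>/dev/null; then
  printf '%s\n' "su - viid -c \"$nginx_dir/sbin/nginx\"" >> "$rc_local"
  if [[ "$loadbalance_type" == "lvs" ]]; then
    printf '%s\n' "sh $nginx_dir/sbin/realServer.sh start" >> "$rc_local"
  fi
fi

if [[ "$loadbalance_type" == "lvs" ]]; then
  echo "run realServer.sh, turn ifconig lo on"
  sh "$nginx_dir/sbin/realServer.sh" start
fi

# Spread NIC interrupts over 12 combined queues on every eth* card
# (ethtool -L ethX combined 12). Driver support is limited, so a failure is
# reported but not fatal. The awk strips the "name:" column of /proc/net/dev
# even when the first counter is glued to the colon (e.g. "eth0:12345").
while IFS= read -r card; do
  ethtool -L "$card" combined 12 \
    || printf 'warn: ethtool -L %s combined 12 failed\n' "$card" >&2
done < <(awk 'NR > 2 { sub(/:.*/, "", $1); if ($1 ~ /eth/) print $1 }' /proc/net/dev)

# gateway kernel tuning: swap in the shipped sysctl template (old file kept as .bak)
mv /etc/sysctl.conf /etc/sysctl.conf.bak
cat -- "$software_path/sysctl.conf.temp" > /etc/sysctl.conf
sysctl -p >/dev/null 2>&1 &

su - viid -c "nohup python $nginx_dir/sbin/nginx_cron_util.py $nginx_dir/sbin/log_util.sh >/dev/null 2>&1 &"
echo end of installation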
vieyahn2017 commented 4 years ago

nginx_cron_util.py 与 log_util.sh 用于日志处理

nginx_cron_util.py

#!/usr/bin/env python
# -*-coding:utf-8-*-

import os
import subprocess
import sys
import time

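def _run_once(util_path):
    """Run ``sh <util_path>`` once and return its exit status.

    The command is passed as an argument list instead of the former
    ``os.system('sh ' + util_path)``, so a path containing spaces or shell
    metacharacters reaches ``sh`` verbatim rather than being re-parsed.

    Args:
        util_path: path of the shell script to execute.

    Returns:
        The script's exit status as returned by ``subprocess.call``.
    """
    return subprocess.call(['sh', util_path])


def main(argv):
    """Entry point: run the log utility script every 5 seconds, forever.

    Args:
        argv: command-line arguments; ``argv[1]`` is the script path.

    Raises:
        SystemExit: with status 2 and a usage line when the path is missing.
    """
    if len(argv) < 2:
        sys.stderr.write('usage: %s <log_util.sh>\n' % argv[0])
        sys.exit(2)
    util_path = argv[1]
    while True:
        _run_once(util_path)
        time.sleep(5)


if __name__ == "__main__":
    main(sys.argv)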

log_util.sh


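#!/bin/bash
# log_util.sh — rotate nginx access/error logs once they exceed 200 MB and keep
# at most 8 rotated copies per log. Invoked every 5 s by nginx_cron_util.py.
# Bash-only (uses (( )), ${var:off:len} and arrays); the former "#!/usr/bin"
# shebang pointed at a directory, so the script only ever ran via an explicit
# interpreter — it must be bash, not a POSIX sh.
NGINX_PATH=$(cd "$(dirname "$0")/.." && pwd) || exit 1
NGINX_LOG_PATH=$NGINX_PATH/logs/
# the rotation globs below are relative, so the log dir must be the cwd
cd "${NGINX_LOG_PATH}" || exit 1
NGX_PID=${NGINX_LOG_PATH}nginx.pid

# timestamp suffix appended to a rotated log: YYYY-mm-dd-HH-MM-SS
PRINT_FILE=$(date +'%Y-%m-%d-%H-%M-%S')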

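#######################################
# Delete the oldest rotated copy of a log once more than 8 copies exist.
# Rotated copies are named <name>.log.<YYYY-mm-dd-HH-MM-SS> (see PRINT_FILE);
# each timestamp is parsed with GNU `date -d` and the smallest epoch is removed.
# Files matching <name>.*.* whose suffix is not such a timestamp are skipped.
# Globals:   NGINX_LOG_PATH (read) — the cwd is expected to be this directory
# Arguments: $1 - log base name without extension, e.g. "access" or "error"
# Returns:   0
#######################################
do_clean() {
  local name=$1
  local -a rotated=("$name".*.*)          # relative to NGINX_LOG_PATH (cwd)
  [[ -e "${rotated[0]}" ]] || return 0    # glob matched nothing
  (( ${#rotated[@]} <= 8 )) && return 0

  local earliest_epoch
  earliest_epoch=$(date +%s)               # "now": every real copy is older
  local log suffix day clock epoch
  for log in "${rotated[@]}"; do
    # "<name>.log.YYYY-mm-dd-HH-MM-SS" -> date part and time part (with ':')
    suffix=${log#"$name".log.}
    day=${suffix:0:10}
    clock=${suffix:11}
    clock=${clock//-/:}
    epoch=$(date -d "$day $clock" +%s 2>/dev/null) || continue
    if (( epoch < earliest_epoch )); then
      earliest_epoch=$epoch
    fi
  done

  local victim
  victim="$name.log.$(date -d "@$earliest_epoch" '+%Y-%m-%d-%H-%M-%S')"
  if [[ -f "${NGINX_LOG_PATH}${victim}" ]]; then
    rm -f -- "${NGINX_LOG_PATH}${victim}"
  fi
}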

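access_log=${NGINX_LOG_PATH}access.log
error_log=${NGINX_LOG_PATH}error.log

#######################################
# Rotate one log if it has grown past 200 MB: rename it with the PRINT_FILE
# timestamp, ask nginx to reopen its log files (SIGUSR1) and prune old copies.
# Globals:   NGX_PID, PRINT_FILE (read); calls do_clean
# Arguments: $1 - base name ("access" | "error"), $2 - path of the live log
# Returns:   0 (a missing or small log is not an error)
#######################################
rotate_if_large() {
  local name=$1 path=$2 size_mb
  [[ -f "$path" ]] || return 0
  size_mb=$(du -m -- "$path" | awk '{print $1}') || return 0
  (( size_mb > 200 )) || return 0
  mv -- "$path" "$path.${PRINT_FILE}"
  if [[ -f "${NGX_PID}" ]]; then
    kill -USR1 "$(cat "${NGX_PID}")"   # nginx reopens access/error logs
  fi
  do_clean "$name"
}

rotate_if_large access "$access_log"
rotate_if_large error "$error_log"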
vieyahn2017 commented 4 years ago

nginx.conf.temp

# nginx.conf.temp — template rendered by install.sh:
#   * every "{{gateway_ip}}" is replaced by a gateway address (one "server"
#     line per address when several are given);
#   * the lines between the two "# nginx_http.conf flag" markers are cut out of
#     nginx.conf and kept only in nginx_http.conf — do not change the marker text.
user  xxxx xxxxx;
worker_processes  auto;
worker_rlimit_nofile 102400;

events {
    use epoll;
    # multi_accept on;
    worker_connections  102400;
}

http {
    include mime.types;
    default_type  application/octet-stream;
    # lets header names containing '_' through to the upstreams
    underscores_in_headers on;
    log_format main '$time_local [$remote_addr] $request_method "$request_uri" | '
    '$status | "$upstream_addr" [ $upstream_response_time $request_time ]';
    sendfile        on;
    tcp_nodelay     on;
    tcp_nopush  on;
    server_tokens off;   # no version string in Server header / error pages
    keepalive_timeout  65;
    keepalive_requests 10000;
    proxy_connect_timeout 60;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 128k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_ignore_client_abort on;
    client_body_buffer_size 1024k;
    open_file_cache max=102400 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 1;
    client_max_body_size 100M;

    # The check* directives need the upstream health-check module (not in
    # stock nginx); install.sh rewrites the check_http_send line as needed.
    upstream viid_https {
        server {{gateway_ip}}:8090 weight=10;
        check interval=3000 rise=2 fall=5 timeout=1000;
        check_keepalive_requests 100;
        check_http_send "GET /HealthCheck HTTP/1.0\r\nConnection: keep-alive\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
        keepalive 4000;
    }

    upstream web_https {
        server {{gateway_ip}}:8088;
    }

    # nginx_http.conf flag --- start
    upstream viid {
        server {{gateway_ip}}:8080 weight=10;
        check interval=3000 rise=2 fall=5 timeout=1000 type=http;
        check_keepalive_requests 100;
        check_http_send "GET /HealthCheck HTTP/1.0\r\nConnection: keep-alive\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
        keepalive 4000;
    }

    # plain-HTTP listener; this whole server block only ends up in nginx_http.conf
    server {
        listen       8080;
        server_name www1.xxxx.com;
        charset utf-8;
        access_log  logs/access.log  main;
        error_log logs/error.log;

        # NOTE(review): no "upstream viid_exportLogHash" is defined anywhere in
        # this template, so nginx will refuse the config unless the name is
        # defined in another included file or resolves as a host — confirm.
        location ~ /(VIID/SystemManagement/UserLog/Export|VIID/SystemManagement/downLoadLog|VIID/SystemManagement/SysLog/Export|VIID/SystemManagement/DataCheckRecord/Export)$ {
            proxy_pass http://viid_exportLogHash;
            proxy_http_version 1.1;              # backend keep-alive
            proxy_set_header Connection "";      # backend keep-alive
        }

        location / {
            proxy_pass http://viid;
            proxy_http_version 1.1;              # backend keep-alive
            proxy_set_header Connection "";      # backend keep-alive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            # appends to any X-Forwarded-For the client sent; upstreams must
            # not use it for access decisions, only X-Real-IP is nginx-set
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    # nginx_http.conf flag --- end

    server {
        listen 8090 ssl;
        server_name www2.xxxx.com;
        #ssl on;
        # key material is copied to nginx/key and chmod 600 by install.sh
        ssl_certificate /..../nginx/key/cert_chain.pem;
        ssl_certificate_key /..../nginx/key/key.pem;
        ssl_session_timeout 5m;
        #ssl_session_cache    shared:SSL:1m;
        # NOTE(review): TLSv1.1 is deprecated (RFC 8996) and the cipher list
        # still admits CBC/SHA1 suites plus the broad HIGH class; restricting to
        # TLSv1.2+ with AEAD suites is the usual hardening — confirm clients.
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        charset utf-8;
        access_log  logs/access.log  main;
        error_log logs/error.log;

        location / {
            proxy_pass https://viid_https;
            proxy_redirect default;
            proxy_http_version 1.1;              # backend keep-alive
            proxy_set_header Connection "";      # backend keep-alive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 8088 ssl;
        server_name www4.xxxx.com;
        #ssl on;
        ssl_certificate /..../nginx/key/cert_chain.pem;
        ssl_certificate_key /..../nginx/key/key.pem;
        ssl_session_timeout 5m;
        #ssl_session_cache    shared:SSL:1m;
        # same TLS settings (and the same TLSv1.1 / cipher caveat) as the 8090 server
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        charset utf-8;
        access_log  logs/access.log  main;
        error_log logs/error.log;

        location / {
            proxy_pass https://web_https;
            proxy_redirect default;
            proxy_http_version 1.1;              # backend keep-alive
            proxy_set_header Connection "";      # backend keep-alive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}