Category archive: Linux

autossh socks5

The idea is simple: use ssh -D to set up a SOCKS proxy, then point the browser at that SOCKS proxy. The advantage of running ssh -D on the router is that you don't have to do it on every device (I have one iPhone, two iPads, one Android phone and n virtual machines). So why not just run a socks5 proxy directly on the remote server? Because socks5 on its own can't get through the firewall: if the traffic contains keywords it gets blocked. The SOCKS proxy set up by ssh -D is encrypted, so for now it doesn't get blocked.

Step 1: put your public key in /root/.ssh/authorized_keys on the server

Step 2: copy the private key to /root/.ssh/id_rsa on the OpenWrt router

Step 3: replace OpenWrt's ssh client (dropbear) with openssh-client, and install autossh

rm /usr/bin/scp
rm /usr/bin/ssh
opkg update
opkg install openssh-client
opkg install autossh

Step 4: configure autossh; /etc/config/autossh looks like this:

config autossh
        option ssh        '-i /root/.ssh/id_rsa -N -T -D 192.168.2.1:7080 root@<your_server_ip>'
        option gatetime        '0'
        option monitorport        '20000'
        option poll        '600'

192.168.2.1 is your router's LAN IP. The key part is -D 192.168.2.1:7080, which is what sets up the SOCKS proxy.

Step 5: start automatically at boot

/etc/init.d/autossh enable
/etc/init.d/autossh start

To use it, connect to this router; you should be assigned a 192.168.2.x address (you know how to set that up yourself). Then set the SOCKS proxy to 192.168.2.1:7080.

A simpler autostart for the lazy

Edit /etc/rc.local and add:

autossh -M 0  -NT -D 0.0.0.0:8888 ssh_host &
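The rc.local one-liner binds the SOCKS listener to 0.0.0.0, which accepts connections on every interface, so unless the firewall blocks it the tunnel is usable from the WAN side as well. As an added example (not from the original post), a small POSIX sh check that parses `netstat -ltn` output and flags listeners bound to all interfaces; the netstat sample is constructed to mirror the two configurations shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit where the ssh -D SOCKS
# listener is bound. A "-D 0.0.0.0:PORT" listener accepts connections on every
# interface, so without a firewall rule the tunnel is reachable from the WAN.
# Input is `netstat -ltn` output as printed by busybox on OpenWrt; the sample
# below is constructed from the two configurations shown on this page.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.2.1:7080        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# check_socks_listener PORT < netstat-output
# Exit status: 0 = bound to one LAN address, 1 = bound to all interfaces,
# 2 = nothing listening on that port.
check_socks_listener() {
    port="$1"
    # Local Address is column 4; keep the first LISTEN socket on our port
    addr=$(awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { print $4; exit }
        }')
    if [ -z "$addr" ]; then
        echo "port $port: nothing listening"
        return 2
    fi
    host="${addr%:*}"          # strip ":PORT" (":::8888" becomes "::")
    case "$host" in
        0.0.0.0|::|'*')
            echo "port $port: bound to all interfaces ($host)"
            return 1 ;;
        *)
            echo "port $port: bound to $host"
            return 0 ;;
    esac
}

# Demo on the constructed sample: 7080 (LAN only) passes, 8888 (0.0.0.0) is flagged
for p in 7080 8888; do
    printf '%s\n' "$SAMPLE_NETSTAT" | check_socks_listener "$p" && continue
    echo "  -> restrict the -D bind address or add a firewall rule for port $p"
done
```

Run it on the router itself with `netstat -ltn | check_socks_listener 7080` after sourcing the functions.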

linux cp overwrite confirmation

This is probably caused by cp being already aliased to something like cp -i. Calling cp directly should work:

/bin/cp -rf /zzz/zzz/* /xxx/xxx

Another way to get around this is to use the yes command:

yes | cp -rf /zzz/zzz/* /xxx/xxx

WAF comparison (lua-nginx-module, modsecurity, naxsi)

ngx_lua_waf is a web application firewall based on lua-nginx-module (openresty)

https://github.com/loveshell/ngx_lua_waf

Using nginx with modsecurity to provide WAF functionality

http://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX

https://github.com/nbs-system/naxsi

How small and medium-sized businesses can build their own free cloud WAF

https://zhuanlan.zhihu.com/p/22068364

X-WAF is a cloud WAF system aimed at small and medium-sized businesses, letting them easily run their own free cloud WAF.

https://waf.xsec.io/docs

An openresty-based web application security protection system (WAF)
http://git.oschina.net/miracleqi/OpenWAF

kjournald causing high I/O: how to optimize

nfsd 42687 kjournald 31201 rsync 21846 (ranking of disk block reads/writes within two minutes)

1. Use dumpe2fs to check how large the Journal size is, and increase it.

2. Adjust the filesystem's journal mode: the default is ordered; changing it to writeback improves efficiency somewhat.

Despite writing some data more than once, ext3 is often faster (higher throughput) than ext2 because ext3’s journaling optimizes hard drive head motion. You can choose from three journaling modes to optimize speed, optionally choosing to trade off some data integrity.

  • One mode, data=writeback, limits the data integrity guarantees, allowing old data to show up in files after a crash, for a potential increase in speed under some circumstances. (This mode, which is the default journaling mode for most journaling file systems, essentially provides the more limited data integrity guarantees of the ext2 file system and merely avoids the long file system check at boot time.)

  • The second mode, data=ordered (the default mode), guarantees that the data is consistent with the file system; recently-written files will never show up with garbage contents after a crash.

  • The last mode, data=journal, requires a larger journal for reasonable speed in most cases and therefore takes longer to recover in case of unclean shutdown, but is sometimes faster for certain database operations.

The default mode is recommended for general-purpose computing needs. To change the mode, add the data=something option to the mount options for that file system in the /etc/fstab file, as documented in the mount man page (man mount).

Checking disk I/O read/write load on a Linux server

Check with the top command

top - 16:15:05 up 6 days,  6:25,  2 users,  load average: 1.45, 1.77, 2.14
Tasks: 147 total,   1 running, 146 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2% us,  0.2% sy,  0.0% ni, 86.9% id, 12.6% wa,  0.0% hi,  0.0% si
Mem:   4037872k total,  4003648k used,    34224k free,     5512k buffers
Swap:  7164948k total,   629192k used,  6535756k free,  3511184k cached

Look at 12.6% wa

This is the percentage of CPU time spent waiting for I/O; above 30% means I/O pressure is high.

iostat -x 1 10

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.00    0.00    0.25   33.46   66.29

Device:  rrqm/s  wrqm/s    r/s    w/s   rsec/s   wsec/s   rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
sda        0.00    0.00   0.00   0.00     0.00     0.00    0.00     0.00     0.00     0.00    0.00   0.00   0.00
sdb        0.00    1122  17.00   9.00   192.00  9216.00   96.00  4608.00   123.79   137.23 1033.43  13.17 100.10
sdc        0.00    0.00   0.00   0.00     0.00     0.00    0.00     0.00     0.00     0.00    0.00   0.00   0.00

Look at %util 100.10 and %idle 66.29

If %util is close to 100%, too many I/O requests are being generated, the I/O subsystem is running at full load, and this disk is probably a bottleneck.

If idle is below 70%, I/O pressure is already high; reads in particular will show a lot of wait.
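The %util and %idle rules of thumb above, applied to `iostat -x` output by a short POSIX sh/awk script. This is an added example rather than part of the original post; the sample output is constructed from the numbers shown on this page, and the thresholds passed in (95 for %util, 70 for %idle) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the page's rules of thumb
# (%util close to 100 means the disk is saturated, %idle below 70 means I/O
# pressure) to `iostat -x` output. The sample is constructed from the numbers
# on this page; the column layout is that of older sysstat versions.

SAMPLE_IOSTAT='avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.00    0.00    0.25   33.46   66.29

Device:  rrqm/s  wrqm/s    r/s    w/s   rsec/s   wsec/s   rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
sda        0.00    0.00   0.00   0.00     0.00     0.00    0.00     0.00     0.00     0.00    0.00   0.00   0.00
sdb        0.00    1122  17.00   9.00   192.00  9216.00   96.00  4608.00   123.79   137.23 1033.43  13.17 100.10
sdc        0.00    0.00   0.00   0.00     0.00     0.00    0.00     0.00     0.00     0.00    0.00   0.00   0.00'

# cpu_idle < iostat-output : print %idle from the first avg-cpu block.
# The column is located by header name, so it survives added columns.
cpu_idle() {
    awk '$1 == "avg-cpu:" {
            for (i = 2; i <= NF; i++) if ($i == "%idle") idx = i - 1
            getline; print $idx; exit
        }'
}

# io_pressure_high IDLE_THRESHOLD < iostat-output : exit 0 when %idle is below it
io_pressure_high() {
    idle=$(cpu_idle)
    awk -v a="$idle" -v b="$1" 'BEGIN { exit !(a < b) }'
}

# saturated_devices UTIL_THRESHOLD < iostat-output
# Print "device %util await" for every device at or above the threshold.
saturated_devices() {
    awk -v thr="$1" '
        $1 == "Device:" { for (i = 1; i <= NF; i++) col[$i] = i; in_dev = 1; next }
        in_dev && NF == 0 { in_dev = 0 }
        in_dev && $(col["%util"]) + 0 >= thr {
            printf "%s %s %s\n", $1, $(col["%util"]), $(col["await"])
        }'
}

# Demo on the constructed sample: %idle 66.29 is below 70, sdb is at 100.10% util
echo "%idle: $(printf '%s\n' "$SAMPLE_IOSTAT" | cpu_idle)"
printf '%s\n' "$SAMPLE_IOSTAT" | io_pressure_high 70 && echo "I/O pressure is high"
printf '%s\n' "$SAMPLE_IOSTAT" | saturated_devices 95
```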

vmstat

You can also combine this with vmstat and look at the b column (the number of processes waiting for resources)

vmstat 1

Then use the following script to see per-process I/O during a peak:

#!/bin/sh
# Stop syslog so klogd does not write the flood of block_dump messages to disk
# (which would itself generate I/O)
/etc/init.d/syslog stop
# Ask the kernel to log every block read/write and page dirtying to dmesg
echo 1 > /proc/sys/vm/block_dump
sleep 60
# Count READ/WRITE/dirtied messages per process and show the top 10
dmesg | awk '/(READ|WRITE|dirtied)/ {process[$1]++} END {for (x in process) \
print process[x],x}' |sort -nr |awk '{print $2 " " $1}' | \
head -n 10
echo 0 > /proc/sys/vm/block_dump
/etc/init.d/syslog start

inotify-tools + rsync for automatic file sync and backup

The company's image server used to be NFS-mounted on each php-fpm server. Recently some of the fpm servers were migrated to Aliyun and the remote mount became very inefficient, so to keep the code unchanged locally while still keeping performance acceptable, I thought of inotify + rsync.

Introduction to inotify-tools: https://github.com/rvoicilas/inotify-tools/wiki

#!/bin/sh

# get the current path
CURPATH=$(pwd)

# watch /tmp/test recursively and act on every file that is closed after writing
inotifywait -mr --timefmt '%d/%m/%y %H:%M' --format '%T %w %f' \
-e close_write /tmp/test | while read date time dir file; do

       FILECHANGE="${dir}${file}"
       # convert absolute path to relative
       FILECHANGEREL=$(echo "$FILECHANGE" | sed "s_${CURPATH}/__")

       # --relative keeps the directory structure under /backup/root/dir
       rsync --progress --relative -vrae 'ssh -p 22' "$FILECHANGEREL" usernam@example.com:/backup/root/dir && \
       echo "At ${time} on ${date}, file $FILECHANGE was backed up via rsync"
done

linux suspend wifi

lsmod | grep wifi

Output:

iwlwifi               200704  1 iwldvm
cfg80211              548864  3 iwlwifi,mac80211,iwldvm

sudo vim /etc/pm/config.d/config

SUSPEND_MODULES="iwldvm iwlwifi"

sudo service network-manager restart