发表更新几秒读完 (大约109个字)

使用docker编译打包sailfishos

开坑

  1. ubuntu HA_BUILD

用官方的ubuntu镜像即可,16.04或18.04都可以,不要用最新的20.04。一般来说启动之后的镜像除了手动指定的目录是持久化的,其他的会重启后失效,所以最好自己做一个镜像,把安卓编译环境安装上。

启动时映射本地目录,当作ANDROID_ROOT目录。

  1. mer MER_BUILD

  2. OBS

  3. gitlab ci

发表更新2 分钟读完 (大约324个字)

harbor跨大版本升级

注意:必须是用域名的方式(也就是有内网的dns),如果以前用ip,则本方法无效!

Harbor1.2之前的版本不能直接升级到新版本,想要升级到最新版并且业务不中断,可以采用如下方式。

大体流程如下:

B机器搭一个新harbor -> 手动将旧harbor的镜像push到新harbor -> 更改A域名指向到B主机ip ->

测试B的harbor服务是否正常 -> 铲掉A上的旧harbor -> 在A上重新搭建harbor -> B机器上的harbor同步到A上的harbor

测试A的harbor服务是否正常 -> 改回A域名指向A主机 -> 删掉B上的同步。

手动push旧harbor镜像到新harbor所用到的脚本:
pip install python_harborclient
get_all.py:

1
2
3
4
5
6
7
8
9
10
11
12
#!/usr/bin/python
from registry import RegistryApi
api = RegistryApi('admin', 'password', 'http://pk8stemp02.rmz.flamingo-inc.com:8888')
maxsize = 65536
repos = api.getRepositoryList(maxsize)
repositories = repos.get('repositories')
for repo in repositories:
    tags = api.getTagList(repo).get('tags')
    if tags:
        for tag in tags:
            print(repo + ":" +tag)
```

python get_all.py > all_repos.txt
allimages=$(cat all_repos.txt)
ORIGIN_HOST=”pk8snode01.rmz.flamingo-inc.com:8888” #旧harbor
BACK_HOST=”pk8stemp02.rmz.flamingo-inc.com:8888” #新harbor

#提前登录一下

#docker login $BACK_HOST
for image in ${allimages}; do
docker pull ${ORIGIN_HOST}/$image
docker tag ${ORIGIN_HOST}/$image ${BACK_HOST}/$image
docker push ${BACK_HOST}/$image
sleep 1
echo $image “done”
done
`

发表更新2 分钟读完 (大约291个字)

使用Gitlab/Bitbucket等CI搭建自己的临时代理

这篇文章只是从技术层面探讨可行性,不接受一切反驳!

使用条件

  • 一个有外网的主机(frp需要)
  • gitlab或bitbucket账号

frp服务端搭建

具体可以查看frp github主页

下载对应你操作系统版本的包(我的docker打包的客户端是0.17.0版本,想使用新版的可以自行打包)

服务端配置如下(frps.ini):

1
2
3
[common]
bind_port = 7000
token = 123456

解压下载的压缩包,启动服务端: ./frps -c frps.ini

注意开通7000及需要frp客户端映射端口(这里用到了6200)

frp客户端

Gitlab参见 https://gitlab.com/0312birdzhang/frp_proxy

客户端配置如下(frpc.ini):

1
2
3
4
5
6
7
8
9
[common]
server_addr = 12.13.14.15
server_port = 7000
token = 123456

[socks_proxy_6200]
type = tcp
plugin = socks5
remote_port = 6200

fork代码后,需要修改server_addrserver_porttokenremote_port 为你服务器相关的,然后保存即可。

Bitbucket的参考:

bitbucket-pipelines.yml

image: 0312birdzhang/frpc_proxy:v2

pipelines:
  default:
    - step:
        caches:
          - pip
        script:
          - cp frpc.ini /app/my_frpc.ini
          - /app/frpc -c /app/my_frpc.ini

使用

12.13.14.15:6200 即是你的socks5代理地址

发表更新Nginx2 分钟读完 (大约241个字)

Nginx获取用户真实IP

首先强调的是,这里需要两层nginx,用户访问nginx1,转发到nginx2(192.168.1.111),nginx2到真实后端。

nginx1 配置

1
2
3
4
5
6
7
8
9
10
server{
    ...
    listen 8888;
    location /test {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $remote_addr;
        proxy_pass http://nginx2:8888/test2;
    }
}

nginx2 配置

1
2
3
4
5
6
7
8
9
server{
    ...
    listen 8888;
    location /test2 {
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-real-ip $remote_addr;
        default_type text/html;
        return 200 'This is text!';
    }

测试

用户访问

1
curl -i -H "X-Forwarded-For: 110.110.110.110" -H "X-real-ip: 110.110.110.110" -s nginx1:8888/test -v

nginx1 日志:

1
192.168.1.110 0.000 - [12/Sep/2018:11:01:51 +0800] "GET /test HTTP/1.1" 200 13 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 110.110.110.110 110.110.110.110

nginx2 日志:

1
192.168.1.111 0.000 - [12/Sep/2018:11:01:51 +0800] "GET /test2 HTTP/1.1" 200 13 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 192.168.1.110 110.110.110.110

其中192.168.1.111为nginx1的ip

可以看到,在nginx2中可以拿X-real-ip获取用户的真实ip,在后端中可以拿这个头信息。

注意!必须要规定好nginx是在架构的哪一层级,根据所处的层级配置,否则该方法无效。

发表更新SailfishOS / Docker9 分钟读完 (大约1324个字)

Docker on SailfishOS

How to install Docker on SailfishOS/如何将Docker安装到SailfishOS

This post will show you how to install Docker on SailfishOS, and some hacks need to do.

这篇文章将介绍如何将Docker安装到SailfishOS上,和需要做的一些hack。

Prerequisites/先决条件

https://docs.docker.com/install/linux/docker-ce/binaries/#install-daemon-and-client-binaries-on-linux

  • A 64-bit installation
  • Version 3.10 or higher of the Linux kernel. The latest version of the kernel available for you platform is recommended.
  • iptables version 1.4 or higher
  • git version 1.7 or higher
  • A ps executable, usually provided by procps or a similar package.
  • XZ Utils 4.9 or higher

  • A properly mounted cgroupfs hierarchy; a single, all-encompassing cgroup mount point is not sufficient. See Github issues #2683, #3485, #4568).

  • 64位系统

  • 3.10内核或更高
  • iptable版本至少是1.4
  • git版本至少1.7
  • 可以执行ps
  • xz工具版本至少4.9
  • 正确安装的cgroupfs层次结构; 一个单一的,无所不包的cgroup挂载点是不够的。

Check Kernel support/检查内核支持

Use this script check-config.sh
使用这个脚本 check-config.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
[nemo@Sailfish ~]$ ./check-config.sh 
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: missing
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_MEMCG_KMEM: enabled
- CONFIG_RESOURCE_COUNTERS: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: missing
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: missing
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: missing
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_VS: enabled
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_RR: enabled
- CONFIG_EXT3_FS: enabled
- CONFIG_EXT3_FS_XATTR: enabled
- CONFIG_EXT3_FS_POSIX_ACL: enabled
- CONFIG_EXT3_FS_SECURITY: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: missing
- CONFIG_EXT4_FS_SECURITY: enabled
    enable these ext4 configs if you are using ext4 as backing filesystem
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: missing
  - "macvlan":
    - CONFIG_MACVLAN: enabled
    - CONFIG_DUMMY: missing
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled
    - CONFIG_NF_CONNTRACK_FTP: enabled
    - CONFIG_NF_NAT_TFTP: enabled
    - CONFIG_NF_CONNTRACK_TFTP: enabled
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled
    - CONFIG_DM_THIN_PROVISIONING: missing
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

[nemo@Sailfish ~]$

Generally Necessary must be all enabled, if not enabled, you must enable it in your kernel defconfig, and rebuild kernel.
Generally Necessary 部分必须全部是enabled, 如果没有启用,必须启用然后重启编译内核。

Download the static binary archive/下载静态二进制文件

https://download.docker.com/linux/static/stable/aarch64/

Extract the archive and put them to /usr/bin/, 18.06 is a working version.

Add nemo to docker group/将nemo用户添加到docker组

1
2
groupadd docker
usermod -a -G docker nemo

Run Docker/启动Docker

Start docker daemon/ 启动docker守护进程
devel-su /usr/bin/dockerd

Or use systemd/ 或者使用systemd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

Check version/检查版本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@Sailfish nemo]# docker version

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:20:38 2018
 OS/Arch:           linux/arm64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:27:20 2018
  OS/Arch:          linux/arm64
  Experimental:     false

Test/测试
devel-su docker run hello-world

This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits. / 这个命令会下载一个测试镜像,如果执行成功会打印如下信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[root@Sailfish nemo]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
255483503861: Pull complete 
Digest: sha256:4b8ff392a12ed9ea17784bd3c9a8b1fa3299cac44aca35a85c90c5e3c7afacdc
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (arm64v8)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Test network mapping /测试网络映射

On one terminal/在一个终端中执行

1
2
3
[root@Sailfish nemo]# docker run -it --rm -p 6080:80 nginx:latest        
172.17.0.1 - - [05/Sep/2018:08:54:52 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0-DEV" "-"
172.17.0.1 - - [05/Sep/2018:08:55:51 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0-DEV" "-"

Vist on another terminal/在另一个终端中访问

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[nemo@Sailfish ~]$ curl -s 127.0.0.1:6080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[nemo@Sailfish ~]$

TODO

Wayland forward /wayland转发

Reference/参考:

Have fun ;)

发表更新1 分钟读完 (大约194个字)

从iOS迁移到SailfishOS计划

本文作为一个实验性计划,从iOS迁移到SailfishOS

首先我们来整理一下软件替代品

  • 即时通讯类
  • 拍照类
  • 金融类
  • 新闻类
  • 文本阅读类
  • 浏览器
  • 地图导航类
  • 智能穿戴设备手机端
  • SNS类
  • 一些工具类

下面展开以上几种类型有哪些及替代品

即时通讯类

  • QQ
  • 微信
  • Telegram
  • IRC

拍照类

  • 暂无需求

新闻类

  • IT之家等
  • 网易新闻等

文本阅读类

  • 暂无需求

浏览器

  • Chrome

地图导航类

  • 高德地图

智能穿戴设备手机端

  • 暂无

SNS类

  • 微博

一些工具类

  • 翻译/查询快递/等等

#### 未完待续…

本文准备弃坑

参考如下:

https://raimue.blog/2018/01/09/goodbye-sailfish-os-and-jolla/

发表更新1 分钟读完 (大约158个字)

清理kubernetes中未正常退出的pod

长时间运行的k8s节点可能会存在某些pod不自动退出,一直处于Terminating的状态
于是我们可以用这个脚本定时进行清理

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/bin/bash
#############################
### clean terminated pods ###
### run at you own risk ! ###
#############################
export PATH=/usr/local/cfssl/bin:/usr/local/docker/:/usr/local/kubernetes/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
getns(){
  namespaces=`kubectl get namespaces|grep -v "NAME"|awk '{print $1}'`
  for n in ${namespaces};
  do
    pods_str=`kubectl get pods -n ${n}|grep "Terminating"`
    IFS=$'\n' read -rd '' -a pods  <<<"$pods_str"
    if [ -n "$pods" ]; then
      getpod ${n} $pods;
    fi
  done
}
getpod(){
 ns=$1;
 for podinfo in $2;
 do
  pod=`echo $podinfo|awk '{print $1}'`
  delpod $pod $ns;
 done
}
delpod(){
   echo "kubectl delete pods $1 -n $2 --grace-period=0 --force"
   kubectl delete pods $1 -n $2 --grace-period=0 --force
}
main(){
  getns
}
main
发表更新8 分钟读完 (大约1270个字)

No subject alternative DNS name matching xxx.com found

[TOC]

故事经过 TLDR;

故事太长,可以直接看这里 解决

昨天下午,突然有同事说OA打不开了,打开页面一看出现如下错误:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
500 Servlet Exception
[show] java.security.cert.CertificateException: No subject alternative DNS name
matching xxx.com found.

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative DNS name matching xxx.com found.
	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)
	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:291)
	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:32)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187)
	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:164)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at com.xxx.plugin.AuthenticationFilter.doFilter(AuthenticationFilter.java:163)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:65)
	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
	at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:187)
	at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:265)
	at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:273)
	at com.caucho.server.port.TcpConnection.run(TcpConnection.java:682)
	at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:730)
	at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:649)
	at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative DNS name matching xxx.com found.
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1699)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)

内心中第一反应是证书的问题,于是赶紧上cas服务器查看日志,一切正常😵
然后上OA的服务器,将证书导入,重启服务,该是什么错还是什么错。。。

上谷歌一查,应该是匹配不到证书里的DNS名,但是确实是有的呀。

由于还有其他java系统接入了CAS登录,都是正常的,于是开始怀疑是OA那台的有问题,开始查看是不是有人最近改动过什么

然鹅并没有。。。

然后查看OA的日志(用的Resin中间件。。。
发现如下错误:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
[17:00:15.288] {http--8080-6$1533061820} java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching auth.corp.flamingo-inc.com found.
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:295)
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:33)
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
[17:00:15.288] {http--8080-6$1533061820} 	at com.xxx.plugin.AuthenticationFilter.doFilter(AuthenticationFilter.java:163)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:110)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:87)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:187)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:265)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:273)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.server.port.TcpConnection.run(TcpConnection.java:682)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:730)
[17:00:15.288] {http--8080-6$1533061820} 	at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:649)
[17:00:15.288] {http--8080-6$1533061820} 	at java.lang.Thread.run(Thread.java:662)
[17:00:15.288] {http--8080-6$1533061820} Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching auth.corp.flamingo-inc.com found.
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1699)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
[17:00:15.288] {http--8080-6$1533061820} 	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
[17:00:15.288] {http--8080-6$1533061820} 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
[17:00:15.288] {http--8080-6$1533061820} 	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
[17:00:15.288] {http--8080-6$1533061820} 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
[17:00:15.288] {http--8080-6$1533061820} 	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:281)
[17:00:15.288] {http--8080-6$1533061820} 	... 15 more
[17:00:15.288] {http--8080-6$1533061820} Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching auth.corp.flamingo-inc.com found.
[17:00:15.288] {http--8080-6$1533061820} 	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
[17:00:15.288] {http--8080-6$1533061820} 	at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
[17:00:15.288] {http--8080-6$1533061820} 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)

开始怀疑是我写的AuthenticationFilter的锅,于是用了个新版本的cas-client-core,依然不行

开始升级jdk,由于是windows,直接安装的exe,然后改了启动脚本里面的JAVA_HOME,重启依然发现不行。。。 (((φ(◎ロ◎;)φ)))

于是暂时回退到了没有用CAS接入的版本,下班了。。。

今天回来不甘心啊,继续尝试解决

既然证书找不到xxx.com,那我换台nginx直接写host试试?

更新了一下测服nginx的证书,OA主机指定测服nginx ip

然后!!!! 可以了!!!! 😭

然后跟同事调试了一会,发现他昨天下午添加了一个域名abc.com,然后导致了default_server不是adc.com了。。。

解决方法

更新一下jdk就可以了(摊手),OA用的是jdk1.6,jdk1.6旧版本不支持SNI,至于什么是SNI等,看这里 https://github.com/ditunes/blog/issues/13

之前没成功是因为windows的服务里面写死了jdk的路径。。。

发表更新4 分钟读完 (大约563个字)

使用Openresty将pastebin内容格式化显示

前情提要

这里用的 https://github.com/solusipse/fiche 的pastebin服务端,功能不多但是贴一些代码或者日志足够了

痛点

fiche将贴的内容保存为文件,然后用nginx显示,如下:

1
2
3
4
5
6
7
8
9
10
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    charset utf-8;

    location / {
            root /home/www/code/;
            index index.txt index.html;
    }
}

这样显示出来的文本在行数多的时候就看瞎眼了 @_@

解决痛点

我们可以用openresty将要显示的文本提前拼凑成html,html中用google的code prettify格式化处理。
对于用curl请求的我们不做处理,直接返回纯文本。

lua代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
local headers = ngx.req.get_headers()
local reqUri = ngx.var.request_uri
local uri = ngx.var.uri
local userAgent = headers["user-agent"]
local codePath = "/data/fiche/code"

if uri == "/" then
  ngx.say("Welcome to p.qiyuos.cn")
  ngx.exit(200)
end

if uri == "/favicon.ico" then
  ngx.exit(200)
end

local function file_exists(path)
  local file = io.open(path, "rb")
  if file then file:close() end
  return file ~= nil
end

--读取文件到内存
local function readFile2Mem(file)
  local fp = io.open(file,"r")
  if fp then
    return fp:read("*all")
  end
end

local codeBeauty1 = [[
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<script src="https://cdn.bootcss.com/prettify/r298/run_prettify.min.js?autoload=true&amp;lang=html"></script>
<style type="text/css">
body {
  background: #fff;
}
pre.prettyprint {
  background-color: #eee;
}
.prettyprint ol.linenums > li { list-style-type: decimal; }
.pln{color:#000}@media screen{.str{color:#080}.kwd{color:#008}.com{color:#800}.typ{color:#606}.lit{color:#066}.clo,.opn,.pun{color:#660}.tag{color:#008}.atn{color:#606}.atv{color:#080}.dec,.var{color:#606}.fun{color:red}}@media print,projection{.kwd,.tag,.typ{font-weight:700}.str{color:#060}.kwd{color:#006}.com{color:#600;font-style:italic}.typ{color:#404}.lit{color:#044}.clo,.opn,.pun{color:#440}.tag{color:#006}.atn{color:#404}.atv{color:#060}}pre.prettyprint{padding:2px;border:1px solid #888}ol.linenums{margin-top:0;margin-bottom:0}li.L0,li.L1,li.L2,li.L3,li.L5,li.L6,li.L7,li.L8{list-style-type:none}li.L1,li.L3,li.L5,li.L7,li.L9{background:#eee}
</style>
</head>
<body>
<pre class="prettyprint linenums" id="quine">
]]
local codeBeauty2 = [[
</pre>
<script type="text/javascript">//<![CDATA[
(function () {
  function htmlEscape(s) {
    return s;
//      .replace(/&/g, '&amp;')
//      .replace(/</g, '&lt;')
//      .replace(/>/g, '&gt;');
  }
  // this page's own source code
  var quineHtml = htmlEscape(
    document.getElementById("quine").innerHTML
  );
  // Highlight the operative parts:
  quineHtml = quineHtml.replace(
    /&lt;script src[\s\S]*?&gt;&lt;\/script&gt;|&lt;!--\?[\s\S]*?--&gt;|&lt;pre\b[\s\S]*?&lt;\/pre&gt;/g,
    '<span class="operative">$&<\/span>');
  // insert into PRE
  document.getElementById("quine").innerHTML = quineHtml;
})();
//\]\]>
</script>
</body>
</html>
]]

if not file_exists(codePath .. uri .. "/index.txt") then
  ngx.exit(404)
end

local paste = readFile2Mem(codePath .. uri .. "/index.txt")
if not userAgent or string.len(userAgent) < 20 or not string.match(userAgent, "Mozilla") then
  ngx.say(paste)
  ngx.exit(200)
else
  ngx.say(codeBeauty1 .. paste .. codeBeauty2)
  ngx.exit(200)
end

nginx 配置如下:

1
2
3
4
5
6
7
8
9
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    charset utf-8;
    location / {
        default_type text/html;
        content_by_lua_file "/usr/local/openresty/scripts/fiche.lua";
    }
}

最后

代码还不完善,可能存在一些bug,欢迎提出

发表更新2 分钟读完 (大约241个字)

使用openresty搭一个类似ip.cn的接口

Openresty是什么

OpenResty® 是一个基于 Nginx 与 Lua 的高性能 Web 平台,其内部集成了大量精良的 Lua 库、第三方模块以及大多数的依赖项。用于方便地搭建能够处理超高并发、扩展性极高的动态 Web 应用、Web 服务和动态网关。

官网 https://openresty.org/cn/

Openresty解决了nginx不能很好的添加一些逻辑判断的痛点,而且又不失性能。

接口代码

代码简单到不能再简单了,就三行

1
2
3
local ip = ngx.var.remote_addr
ngx.header["Content-Type"] = "text/plain charset=utf-8"
ngx.say(ip)
nginx.conf配置:
1
2
3
4
5
6
7
...
http
{
    ...
    lua_package_path "/usr/local/openresty/script/waf/?.lua;/usr/local/openresty/lualib/?.lua";
    ...

vhost配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
server
{
        listen       80;
        server_name ip.testing.cn;
        index index.html index.htm index.php;
        charset utf-8;
# 原生nginx的方式,貌似更简单...        
#        location / {
#                default_type text/plain;
#                return 200 $remote_addr;
#        }
        location /{
            content_by_lua_block {
                local ip = ngx.var.remote_addr
                ngx.header["Content-Type"] = "text/plain charset=utf-8"
                ngx.say(ip)
            }
        }

}
关注我

分类

最新文章

广告

归档

标签

9t1
Java4
Python1
Terminating1
Tomcat1
android1
apt1
cas2
coinhive1
crt1
davinci1
debian1
docker6
drbd1
frp2
gitlab1
hadk3
https2
httpservletrequest1
hybris-15.11
hybris-16.01
ios1
ip1
iphone1
irc1
java1
jolla1
js1
json1
k201
k8s3
kubernetes4
lineage-15.11
lineage-16.01
linux1
lua1
migrate1
nginx2
okcaros1
openpilot2
openresty3
opensips1
pastebin1
python3
python21
rdp1
redmi3
redmi5plus2
remix1
rk35882
rubikpi1
sailfish3
sailfishos3
signal1
sip1
socks51
subprocess1
tomcat2
trustcacerts1
ubuntu1
unix1
vince2
vmvare1
voip1
windows1
x861
xiaomi1
yavijava1
人生1
参数2
改写1
跳过1
车机1
迁移1
随笔2

订阅更新

×