條理清晰,操作科學可靠,可供參考。
https://www.howtoforge.com/tutorial/how-to-upgrade-kernel-in-centos-7-server/
服務器已搬遷至阿里雲香港(國際版)
幾個亮點:
1. 全面使用 ECC 384 bits SSL 證書。
2. 更加 偷懶 創新的 Linux 用戶權限管理。
(詳見 https://github.com/richardevs/self-written-bash-script )
3. 改用 acme.sh 管理 Let’s Encrypt 訂閱。
4. 更細分更容易管理的 Nginx 配置寫法。
刪除阿里雲 CentOS 主機的開機自啟服務( aliyun.service )
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
rm uninstall.sh
systemctl stop aliyun.service
systemctl disable aliyun.service
rm /etc/systemd/system/aliyun.service
rm /usr/sbin/aliyun-service
systemctl daemon-reload
chkconfig agentwatch off
chkconfig --del agentwatch
rm /etc/init.d/agentwatch
systemctl reboot
感恩 2018,展望 2019,新的一年也請多多指教。
© BANDAI NAMCO Entertainment Inc.
Best Practices for Building Containers
WordPress / NGINX HTTP Response Splitting
最近開始使用 Detectify – 一款個人十分喜歡的在線網站掃描工具。驚訝的發現由於 WordPress 官方的一個 Nginx 推薦配置,很多人都因此存在這個問題。
長話短說,WordPress 官方推薦的一個 wp-admin 轉發規則:
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
然而這個規則的 $uri 是可以帶有轉義字符的函數,於是就導致了下面的漏洞。
curl https://holywhite.com/%0d%0asplitting:/wp-admin --http1.1 -v
Response:
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 26 Oct 2018 01:05:04 GMT
< Content-Type: text/html
< Content-Length: 162
< Location: https://holywhite.com/
< splitting:/wp-admin/
< Connection: keep-alive
<
經過一點點研究,目前個人改為了更為安全的函數去解決這個問題。
rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
唔,經濟收入連續兩個月受到重度打擊…很很很認真的尋求外快工作中。
![[跪了]](https://img.t.sinajs.cn/t4/appstyle/expression/ext/normal/75/2018new_gui_org.png)
– 現負責在職公司新產品架構設計,較熟悉 AWS 運用,同理可運用騰訊雲,阿里雲等平台。
– 使用 Python 編寫自動化運維程序,或 Slack Bot 之類。
– 理所當然的熟悉 DNS,域名,SSL 等最基本的互聯網基礎設施。
– 其他的能做的但不敢寫,不然副業成了主業了就要丟主業了…
歡迎國內個體或公司聯繫,在日主體除非能以支付寶/微信支付款項,不接受日本銀行交易。
E-Mail: a#rsl.gd
This server now supports TLS 1.3
Implemented with Nginx Mainline and OpenSSL 1.1.1.
Major browsers are not ready for RFC version yet, so TLS 1.2 will be chosen.
Update on 10-12:
--with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Looks like this is the key configuration to make Nginx enbale TLSv1.3.
Phusion Passenger 世界性死亡事件
Passenger 從 5.1 開始導入了 SecurityUpdateCheck 功能,一旦發現有重大補丁更新,就會自動推送。
本來是件好事情,然而 Passenger 的老版本有一個 Bug,如果收到的 Response 超過 500B 的話,就會崩掉… 這個問題在 5.1.5 得到了修復。
於是全世界的 < 5.1.5 版本的 Passenger 都死掉了…
For more details: https://github.com/phusion/passenger/issues/2089
Not again, Namecheap
Never thought that I would have to criticize Namecheap again, after I left their services.
Let me explain, I bought myself a new domain this month, and found out that there is a 3-year SSL certificate valid for my domain through crt.sh. Naturally I contacted Comodo SSL Abuse Dept. and got redirected to the reseller – Namecheap. After reaching out to Namecheap they insisted that as long as I issued a new certificate, the valid certificate that the former domain owner had will have no power whatsoever ( which is not true ), even after ticket escalation, they’re just re-assuring me that MITM somehow will not exist as long as I set up a new SSL cert and “there is no need to worry about the security of your website and the information transmitted via Internet”.
So, according to Namecheap’s statement, Wosign accident is just a fraud and people obtained github.com’s certificate will do absolutely no harm to Github. Good to know.
A public discussion is under way: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/4R1parm1XCc