nginx 401 动态验证备忘录

        auth_request /auth; 获取验证信息

server {  
    listen 8080;  
    resolver 1.1.1.1; 
    location @error401 { return 401 "Unauthorized";  }
        location = /auth {
        internal;
        proxy_pass http://backend-server/authenticate;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {  
        auth_request /auth;
        error_page 401 = @error401;
        proxy_bind $server_addr;
        proxy_pass $scheme://$http_host$request_uri;
        proxy_set_header HOST $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0k; 
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_next_upstream error timeout invalid_header http_502;
    }  
deny 127.0.0.1;
}

Proxmox VE vncproxy noVNC 配置备忘录

PVE直接封装了WebSocket, 需要调用 VNC 和 xterm的几种方案:

1. 给虚拟机配置单独的 vnc监听端口和 ip并设置密码直接连接, 或者拿websockify转WebSocket

2.重新封装转发/api2/json/nodes/{node}/qemu/{vmid}/vncwebsocket  

3.直接访问 PVE 原生接口方式。(1.直接访问 2.nginx单独封装反向代理xtermjs和novnc|)

 

前期准备

GET /api2/json/access/ticket
POST /api2/json/nodes/{node}/qemu/{vmid}/vncproxy
wss /api2/json/nodes/{node}/qemu/{vmid}/vncwebsocket

 vncproxy 和 ticket 需要一起创建,noVNC连接vncwebsocket 需要 PVEAuthCookie才能正常通信否则无法连接。

注意:请求/api2/json/access/ticket必须要用户密码获取,用root token无法创建。
PVE 的设计思路是将 VM 分配给用户,但是没给token设计获取 ticket 应该是考虑权限分离。

 

偷懒思路解决方案,直接nginx代理 PVE 的 noVNC和xterm(又不想开放 PVE 访问)

map $arg_node  $proxyhost  {
   "PVE NODE NAME-1"  "PVE IP";
   "PVE NODE NAME-1"  "PVE IP";
   "PVE NODE NAME-1"  "PVE IP";
}

location ~/(xtermjs|novnc|api2) {
     if ( $arg_console ) { set $new_uri /?$query_string;  }
        proxy_pass https://$proxyhost:8006$new_uri;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
}

如果有安装 redis 插件, 可以从 redis 存取主机 IP, 另外还有一个版本由于安全问题暂不公开。 

和代理websocket方法一样也是需要保证wss通信的时候要带上PVEAuthCookie的 cookies

阅读剩余部分...

ipv4/ipv6分拆工具

官方项目https://github.com/emden-norfolk/cidrl

wget  https://github.com/emden-norfolk/cidrl/archive/refs/tags/v1.0.2.tar.gz   -O - | tar xz 
cd cidrl-*
./configure
make
make install

用法

cidrl6 -s50 2001:db8::1428:55ab/48
cidrl -s24 10.0.0/20

 

移除 whmcs 的 cart 蛋疼的 html 标签问题

#order-standard_cart .product-info  p:empty{ display: none; }
 li + br {display: none;}

不想改代码, 初学了下css用 empty和下一个标签功能给隐藏了

php 运行 ipmi 命令滞后卡顿解决方案

	public function IPMIcommand($ip, $user, $password, $cmd)
	{
		if (!(ereg('^[[:alnum:] ]+', $cmd))) {
			throw new Exception('Invalid characters in command');
		}
		if (ereg('^bootdev ', $cmd)) {
			$cmd = 'chassis ' . $cmd;
		}

		$output = array();
		exec('/usr/bin/ipmitool -H ' . escapeshellarg($ip) . ' -U ' . escapeshellarg($user) . ' -P ' . escapeshellarg($password) . '' . ' ' . $cmd . ' 2>&1', $output);
		return implode("\n", $output);
	}

 看别人写代码, 解决了 10 年为啥php 命令跑起来会卡顿的疑惑

debootstrap部署打包系统debian 和 ubuntu

目前为止好像还不支持 ubuntu24

具体支持的版本查看/usr/share/debootstrap/scripts/目录

#!/bin/bash
# 设置变量
NAME="jammy"
DISK="/dev/vdb"

BOOT_PART="${DISK}1"
SWAP_PART="${DISK}2"
ROOT_PART="${DISK}3"

apt update -y
apt install -y debootstrap  arch-install-scripts parted dosfstools
parted ${DISK} --script -- mklabel msdos
parted ${DISK} --script -- mkpart primary ext4 1MiB 2GiB
parted ${DISK} --script -- mkpart primary linux-swap 2GiB 3GiB
parted ${DISK} --script -- mkpart primary ext4 3GiB 100%

# 格式化分区
#mkfs.vfat -F32 $BOOT_PART
mkfs.ext4 -F $BOOT_PART
mkfs.ext4 -F $ROOT_PART
mkswap $SWAP_PART
swapon $SWAP_PART  

mount $ROOT_PART /mnt/
mkdir -p /mnt/boot
mount $BOOT_PART /mnt/boot

# 使用 debootstrap 安装基本系统
debootstrap --arch amd64 $NAME  /mnt/ http://archive.ubuntu.com/ubuntu/

mount --bind /proc /mnt/proc
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount -t devpts devpts /mnt/dev/pts

#更新设置系统内核和配置
chroot /mnt /bin/bash -c "echo 'root:your_password' | chpasswd"
chroot /mnt/ apt -y update
chroot /mnt/ apt -y upgrade
chroot /mnt/ locale-gen en_US.UTF-8
chroot /mnt/ update-locale LANG=en_US.UTF-8
for I in linux-image-generic linux-firmware initramfs-tools efibootmgr grub2-common grub-efi-amd64 grub-pc;
do chroot /mnt/ apt -y install --no-install-recommends $I ; done 
chroot /mnt/ sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"#g' /etc/default/grub  
chroot /mnt/ echo GRUB_DISABLE_OS_PROBER=true >/etc/default/grub 
chroot /mnt/ grub-install $DISK
chroot /mnt/ grub-mkconfig -o /boot/grub/grub.cfg
chroot /mnt/ update-grub
#chroot /mnt/ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --recheck
chroot /mnt/ apt -y install  --no-install-recommends  openssh-server 
chroot /mnt/  sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
chroot /mnt/ systemctl enable systemd-networkd
chroot /mnt/ systemctl enable  ssh

cat>/mnt/etc/apt/sources.list<<EOF
deb http://archive.ubuntu.com/ubuntu ${NAME} main 
deb http://archive.ubuntu.com/ubuntu ${NAME} ${NAME}-security  main
deb http://archive.ubuntu.com/ubuntu ${NAME} ${NAME}-updates   main
EOF

cat>/mnt/etc/systemd/network/10-eth0.network<<EOF
[Match]
Name=eth0

[Network]
DHCP=yes
EOF

# 配置网络、主机名、fstab等(可根据需要添加)
cat>/mnt/etc/fstab<<EOF
/dev/vda1  /boot  ext4  defaults        1 1
/dev/vda2  swap   swap  defaults        0 0
/dev/vda3  /      ext4   defaults       1 2
EOF

echo "ubuntu" > /mnt/etc/hostname
cat <<EOL > /mnt/etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOL

swapoff $SWAP_PART
for i in /dev/pts /dev /proc /sys /boot /; do umount /mnt$i; done  ## 卸载挂载
echo "Ubuntu installation setup completed on $DISK"

brew 安装 php 报错备忘录

Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968a9d5f80>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968aa0c828>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/php-debug.rb
php-debug: undefined method `service' for #<Class:0x00007f968aa3c0c8>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968aa7f210>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968aaa5cd0>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968a947230>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f96a009c700>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968a9e4210>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f968aa77b28>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f967811a628>
Error: Invalid formula: /usr/local/Homebrew/Library/Taps/shivammathur/homebrew-php/Formula/[email protected]
[email protected]: undefined method `service' for #<Class:0x00007f96a00a6570>
Error: Cannot tap shivammathur/php: invalid syntax in tap!

解决方法

brew untap exolnet/deprecated
brew tap --repair
brew update
brew tap shivammathur/php
brew install shivammathur/php/[email protected]
brew link --overwrite --force shivammathur/php/[email protected]

原文出处https://github.com/shivammathur/homebrew-php/discussions/743

massgrave的kms 激活

PowerShell 脚本

irm https://get.activated.win | iex

 

附各种 iso 和软件下载地址https://massgrave.dev/genuine-installation-media

dnf将repo仓库同步到本地

将metadata 里面所有的包下载下来

 dnf reposync  -p ./ --download-metadata --repoid=epel

同步最新版本和清理本地旧版本

dnf reposync  -p ./ -n --delete --download-metadata --repoid=epel

一是有些小的 repo 需要本地保存一份自建镜像,防止失联。 二是看一下有哪些安装包和结构

WHMCS调取账单付款链接数据

<?php
include("init.php");
$invoiceid = (int) $whmcs->get_req_var("id");
$invoice = new WHMCS\Invoice($invoiceid);
$params = $invoice->getGatewayInvoiceParams();
$params  = json_decode(json_encode($params), true);
print_r($invoice->getData("status"));
print_r($invoice->getData("balance"));
print_r($invoice->getPaymentLink());

$params 就支付网关XXXX_link传进去的原始数据,有了这个数据就可以方便在不需要登录的情况下直接显示出支付的信息。

通过查看 whmcs 官方版本解密源码可以看到 

https://github.com/puarudz/WHMCS-7.8.0-decoded/blob/e7446479de49a28c8801d4c0c95f4cae22dcff33/modules/gateways/callback/skrill.php

 

附带whmcs生成二维码方案, 由于默认没自带qrcode.js 又不想另外去引入文件, vendor自带有bacon-qr-code  /google-authenticator totp  tcpdf  几个可以直接拿来用。

function XXXX_qrcode($qrlink) {
                $qrcode = new TCPDF2DBarcode( $qrlink , 'QRCODE,L');
               // $Data = $qrcode->getBarcodePngData( 3 , 3);
                $Data = $barcode->getBarcodeSVG(6, 6); 
               $base64Image = base64_encode($Data);
               return 'data:image/svg+xml;base64,' . $svgEncoded;

             //  return 'data:image/png;base64,'.$base64Image;
}

Cento9 upgrade to Centos10

CentOS Stream 9 在 2027年5月31号 EOL停止更新,这里提前做一下准备。

前期准备

更新stream-release和epel-release 需要去镜像网站上查看rpm 版本号,确保路径正确。

由于目前系统上线不久,很多源的release 没有追加更新 ,需要确认是否已经对 10 支持, 否则需要移除才能升级,

例如当前升级时候就只能先卸载remi-release才能执行升级,升级前务必备份重要数据,如果安装的rpm 比较多需要确认新系统兼容。

VERSION=10.0-0.20
dnf install -y https://mirror.stream.centos.org/10-stream/BaseOS/x86_64/os/Packages/centos-{stream-release,stream-repos,gpg-keys}-${VERSION}.el10.noarch.rpm   --allowerasing

#dnf install -y https://dl.fedoraproject.org/pub/epel/epel-{next-release,release}-latest-10.noarch.rpm   #epel官方暂时还没有出

dnf install -y https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/e/epel-release-10-1.el10_0.noarch.rpm   #临时用这个

sed -e 's|^#baseurl=https://download.example/|baseurl=https://dl.fedoraproject.org/|' -e 's|^metalink=|#metalink=|' -e 's|^gpgkey=.*|gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever|'   -i.bak /etc/yum.repos.d/epel.repo       # 更新epel.repo设置,官方暂时还没更新 metalink 和 GPG key 的地址 

执行升级

dnf -y --releasever=10 --allowerasing --setopt=deltarpm=false distro-sync

收尾

rpm -qa | grep '\.el9' | xargs xargs rpm -e    #强制卸载el9的残留rpm
grub2-mkconfig -o /boot/grub2/grub.cfg     #重新生成 grub引导
grubby --default-kernel           # 查看确认默认启动内核

dnf upgrade -y     #最后再更新一下

kexec 切换新版内核 

kernel=$(grubby --default-kernel | sed 's|/boot/vmlinuz-||')
parameter=$(sed 's|.*vmlinuz-[^ ]* ||' /proc/cmdline)
kexec -l /boot/vmlinuz-$kernel --initrd=/boot/initramfs-$kernel.img  --append=\"$parameter\"
kexec -e

kexec是在当前运行的系统和内核下切换内核, 重启是让主板重新走grub引导内核。

切换内核和重启风险都很大,需要谨慎,提前做好准备。

检查grub和kernel 后有条件的可以安排时间进行尝试重启系统。

 

升级完成后查看内核和发新版本信息

# cat /etc/redhat-release
CentOS Stream release 10 (Coughlan)

# rpm -qa|grep kernel |grep el10
kernel-headers-6.11.0-25.el10.x86_64
kernel-tools-libs-6.11.0-25.el10.x86_64
kernel-modules-core-6.11.0-25.el10.x86_64
kernel-core-6.11.0-25.el10.x86_64
kernel-modules-6.11.0-25.el10.x86_64
kernel-6.11.0-25.el10.x86_64
kernel-tools-6.11.0-25.el10.x86_64

# uname -a
Linux XXXXXXX 6.11.0-25.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 16 20:35:26 UTC 2024 x86_64 GNU/Linux

善后

升级完 rpm -qa 查询出错

error: Verifying a signature using certificate 99DB70FAE1D7CE227FB6488205B555B38483C65D (CentOS (CentOS Official Signing Key) <[email protected]>):
  1. Certificate 05B555B38483C65D invalid: policy violation
      because: No binding signature at time 2024-09-03T17:32:14Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure
  2. Certificate 05B555B38483C65D invalid: policy violation
      because: No binding signature at time 2024-10-04T09:48:41Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure

 

解决办法卸载 epel9 的 pubkey, 如果 rpm -qa报错, 可以将查询文本保存到文件查看

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'    #查看所有gpg key

rpm -e  gpg-pubkey-3228467c-613798eb   #移除epel9的SHA1 pubkey

运行 dnf提示dnf modules 报错, 可能是之前的升级不支持的遗留,再确定后对/etc/dnf/modules.d/*目录进行清理即可

 rm -rf  /etc/dnf/modules.d/*

 

 

LSI 2208阵列卡刷 IT 直通模式, 附带 sas2flash for Linux

BIOS 模式启动 DOS 系统

megarec -adplist   #查看阵列卡编号
megarec -m0flash 0 2208_16.rom    #写入2208的RAID卡ROM ,如果卡是正常的这一步跳过。
megarec -writesbr 0 sbrempty.bin
megarec -cleanflash 0

重启设置UEFI 模式启动进入 EFI  Shell

fs0:
sas2flash -o -f 9207-8.bin -b mptsas2.rom    # 刷入IT 直通固件
sas2flash -o -sasadd 50030480195exxxx     #xxxx替换成任意 4 个数字
sas2flash -list  #检查SAS Address地址和上面写入的是否一样

由于lsi2208fixer_changed.iso只有mptsas2.rom没有 bios 和 uefi 的 rom, 刷完系统只能直通硬盘没有 boot 引导。

阅读剩余部分...

私有 IPv6 随机生成

IPv4 还能记住那几个保留的内网段 IP, IPv6太多完全没法玩, 配置设备的时候又不知道该咋写 IP段方便。

随机生成方案就简单了

https://simpledns.plus/private-ipv6

 

 

 

guestmount直接挂载虚拟硬盘

guestmount --add  /tmp/linux-centos-stream_8-x86_64-gen2-v1.qcow2  --mount /dev/sda1  /mnt/

最早 kvm 虚拟机上线的时候就玩过, 当时嫌弃在这玩意挂载后大规模读写 IO 性能差, 就多数时候在用kpartx 命令。

 

Centos9 stream 横跳almalinux 9

dnf -y install --allowerasing https://mirror.rackspace.com/almalinux/almalinux-{release,gpg-keys,repos}-latest-9.x86_64.rpm
dnf -y --releasever=9 --allowerasing --setopt=deltarpm=false distro-sync

按道理说横跳Rocky Linux应该也没问题, 最好 Centos 的版本旧一点好, 所以横跳前不建议 dnf update.