Fixing the GPG key import error when installing OpenResty on CentOS 9

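Solution: switch the system-wide crypto policy to LEGACY, which accepts SHA-1 signatures again, then import the key: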

update-crypto-policies --set LEGACY
rpm --import https://openresty.org/package/pubkey.gpg

Alternatively, pass --nogpgcheck to dnf, which skips signature verification for this install:

dnf install -y --nogpgcheck openresty 

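Turning off gpgcheck in the repo file also works; this disables signature checking for every package from that repository.

sed -i 's/gpgcheck=1/gpgcheck=0/g'  /etc/yum.repos.d/openresty.repo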

Error shown when the key has not been imported:

GPG Keys are configured as: https://openresty.org/package/pubkey.gpg
Error: GPG check FAILED

Error shown when importing the key:

warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://openresty.org/package/pubkey.gpg: key 1 import failed

Summary: change the system crypto policy with update-crypto-policies.

Source for this article: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

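Using an nginx reverse proxy to solve the googleapis font library problem

Third-party mirrors exist, but hard-coding the configuration in your own nginx is more dependable.

To use it, include the config file directly in the site's configuration: include googleapis.conf;

A virtual directory, /assets/vendor/, is used here; change it to suit your needs.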

# cat ../googleapis.conf
sub_filter_once off;
sub_filter_types text/css text/xml text/javascript;
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://ajax.googleapis.com" "/assets/vendor/ajax";
sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
proxy_hide_header Link;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

location ~  ^/assets/vendor/googleapis/ {
  # Request an uncompressed body from the upstream so sub_filter can rewrite it
  proxy_set_header Accept-Encoding "";
  rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
  proxy_pass https://fonts.googleapis.com;
  proxy_set_header Host "fonts.googleapis.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1d;
  sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
}

location ~ ^/assets/vendor/fonts_gstatic/ {
  rewrite ^/assets/vendor/fonts_gstatic/(.+)$ /$1 break;
  proxy_pass https://fonts.gstatic.com;
  proxy_set_header Host "fonts.gstatic.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1y;
}

location ~  ^/assets/vendor/gstatic/ {
  rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
  proxy_pass https://www.gstatic.com;
  proxy_set_header Host "www.gstatic.com";
  expires 1y;
}

location ~  ^/assets/vendor/ajax/ {
  rewrite ^/assets/vendor/ajax/(.+)$ /$1 break;
  proxy_pass https://ajax.googleapis.com;
  proxy_set_header Host ajax.googleapis.com;
  expires 1y;
}

Quick OpenResty deployment on CentOS 7

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s  /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ # link the nginx binary into the usual sbin directory
ln -s /usr/local/openresty/nginx/conf /etc/nginx # symlink the conf directory to the usual location
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service # nginx alias for service management on CentOS 7
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

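Once the base deployment is done, sync the data over with rsync and then apply the remaining basic configuration; that mostly completes the setup.

Crude but simple CC attack filtering with nginx and Lua

Original article: http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

The original page no longer seems to load. Stock nginx needs the Lua module compiled in; OpenResty can use this directly.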

location ~ \.php$ {
    rewrite_by_lua '
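        -- http_user_agent is nil when the header is absent; fall back to "" so the concatenation cannot fail
        local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))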
        if (ngx.var.cookie_humanflag ~= md5token) then
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}
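
A keyed variant of the Lua check above, as an added example that is not part of the original post or the article it cites: the humanflag cookie becomes an HMAC over the client address, User-Agent and a time bucket, so it expires and cannot be rebuilt from request values alone. The SECRET placeholder, the one-hour window and the cookie attributes are assumptions, and ngx.hmac_sha1 requires an nginx build with OpenSSL.

```nginx
# Added example: keyed, expiring version of the humanflag cookie check.
location ~ \.php$ {
    rewrite_by_lua_block {
        -- Assumptions: SECRET is a constructed placeholder; replace it with a
        -- long random value kept out of version control. WINDOW is arbitrary.
        local SECRET = "REPLACE_WITH_LONG_RANDOM_VALUE"
        local WINDOW = 3600   -- seconds per time bucket

        local addr = ngx.var.remote_addr
        local ua   = ngx.var.http_user_agent or ""   -- header may be absent

        -- HMAC-SHA1 over address, User-Agent and time bucket, base64-encoded.
        -- Without SECRET the value cannot be rebuilt from the request alone.
        local function token(bucket)
            local mac = ngx.hmac_sha1(SECRET, addr .. "|" .. ua .. "|" .. bucket)
            return ngx.encode_base64(mac)
        end

        local bucket = math.floor(ngx.time() / WINDOW)
        local got    = ngx.var.cookie_humanflag

        -- Accept the current and the previous bucket so a cookie issued just
        -- before a bucket boundary stays valid.
        if got and (got == token(bucket) or got == token(bucket - 1)) then
            return   -- cookie is valid: continue to the PHP handler
        end

        -- Missing, stale or mismatched cookie: issue a fresh one and redirect
        -- to the same URI, as the original snippet does.
        ngx.header["Set-Cookie"] = "humanflag=" .. token(bucket)
            .. "; Path=/; HttpOnly; SameSite=Lax; Max-Age=" .. (2 * WINDOW)
        return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
    }

    # ... existing PHP handler directives go here ...
}
```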