Nginx配置图片服务器


前端网站需要显示图片,在Nginx配置了一个imagelib URL过滤器,用于拦截图片请求,直接读取图片文件进行回显
server {
listen 80;
server_name 10.132.252.121;
access_log /var/log/nginx/default.access.log main;
location / {
root /data/html;
index index.html index.htm;
}
location ^~ /imagelib {
expires 24h;
root /data/imagelib/;
access_log /var/log/nginx/images.access.log;
proxy_store on;
proxy_store_access user:rw group:rw all:rw;
proxy_temp_path /data/imagelib/;
proxy_redirect off;
proxy_set_header Host 127.0.0.1;
client_max_body_size 10m;
client_body_buffer_size 1280k;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 40k;
proxy_buffers 40 320k;
proxy_busy_buffers_size 640k;
proxy_temp_file_write_size 640k;
}
}

 

Advertisements

Ubuntu 18.04配置默认的屏幕共享安全策略,确保VNCViewer可以正常连接


Ubuntu 18.04可以在设置中配置屏幕共享(默认使用vino服务),设置好包含大小写字母和数字的密码后,默认开启5900端口。

使用VNCViews进行连接时会报告安全错误,使用以下命令修改安全设置,可以确保VNCViewer正常连接。

sudo gsettings set org.gnome.Vino require-encryption false

 

Linux制作堡垒机


参考:https://aws.amazon.com/cn/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/

按照亚马逊原始方案一步一步操作即可,注意一下红色字体部分,修复了script命令方法差异。

# Create a new folder for the log files
mkdir /var/log/bastion

# Allow ec2-user only to access this folder and its content
chown ec2-user:ec2-user /var/log/bastion
chmod -R 770 /var/log/bastion
setfacl -Rdm other:0 /var/log/bastion

# Make OpenSSH execute a custom script on logins
echo -e “\nForceCommand /usr/bin/bastion/shell” >> /etc/ssh/sshd_config

# Block some SSH features that bastion host users could use to circumvent
# the solution
awk ‘!/AllowTcpForwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
awk ‘!/X11Forwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo “AllowTcpForwarding no” >> /etc/ssh/sshd_config
echo “X11Forwarding no” >> /etc/ssh/sshd_config

mkdir /usr/bin/bastion

cat > /usr/bin/bastion/shell << ‘EOF’

# Check that the SSH client did not supply a command
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then

# The format of log files is /var/log/bastion/YYYY-MM-DD_HH-MM-SS_user
LOG_FILE=”`date –date=”today” “+%Y-%m-%d_%H-%M-%S”`_`whoami`”
LOG_DIR=”/var/log/bastion/”

# Print a welcome message
echo “”
echo “NOTE: This SSH session will be recorded”
echo “AUDIT KEY: $LOG_FILE”
echo “”

# I suffix the log file name with a random string. I explain why
# later on.
SUFFIX=`mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`

# Wrap an interactive shell into “script” to record the SSH session
script -qf -t $LOG_DIR$LOG_FILE$SUFFIX.time $LOG_DIR$LOG_FILE$SUFFIX.data -c /bin/bash

else

# The “script” program could be circumvented with some commands
# (e.g. bash, nc). Therefore, I intentionally prevent users
# from supplying commands.

echo “This bastion supports interactive sessions only. Do not supply a command”
exit 1

fi

EOF

# Make the custom script executable
chmod a+x /usr/bin/bastion/shell

# Bastion host users could overwrite and tamper with an existing log file
# using “script” if they knew the exact file name. I take several measures
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log
# files.
# This is done by changing the group owner of “script” and setting GID.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script

# 3. Prevent bastion host users from viewing processes owned by other
# users, because the log file name is one of the “script”
# execution parameters.
mount -o remount,rw,hidepid=2 /proc
awk ‘!/proc/’ /etc/fstab > temp && mv temp /etc/fstab
echo “proc /proc proc defaults,hidepid=2 0 0” >> /etc/fstab

# Restart the SSH service to apply /etc/ssh/sshd_config modifications.
service sshd restart

 

Android端RSA加密数据送Java服务端解密时出现BadPaddingException


原因:Android系统使用的虚拟机(dalvik)跟SUN标准JDK是有所区别的,其中他们默认的RSA实现就不同。即Android端用Cipher.getInstance(“RSA”)方法进行加密时,使用的provider是Bouncycastle Security provider,Bouncycastle Security provider默认实现的是“RSA/None/NoPadding”算法,而服务器(PC)端用Cipher.getInstance(“RSA”)进行解密时,使用的是Sun的security provider,实现的是“RSA/None/PKCS1Padding”算法,所以,解密时会失败。

正确的设置方法:Java服务端代码

Cipher cipher = Cipher.getInstance(“RSA”);

Android端代码

Cipher cipher = Cipher.getInstance(“RSA/None/PKCS1Padding”);