Supermicro IPMI/BMC nginx proxy

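You need OpenResty or nginx installed, at a version greater than 1.15.10.

For building from source, see http://www.kvm.la/1043.html . The OpenResty binary packages are an older version and have not been updated, so building your own copy from source is recommended.

First put the IPMI IP addresses into a file named ip.list, one IP per line.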

#!/bin/bash
i=1000  # VNC start port
b=2000  # BMC start port
# hextoip() { hex=$1;  printf "%d." 0x${hex:0:2};  printf "%d." 0x${hex:2:2};  printf "%d." 0x${hex:4:2};  printf "%d" 0x${hex:6:2};  }
# gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
# Start both map files from scratch with the default entry
echo " default 0;" > "$stream_route_map"
echo " default 0;" > "$http_route_map"
# Drop duplicate IPs while keeping file order, so each IP gets exactly one port pair
for IP in $(awk 'NF && !seen[$1]++ { print $1 }' /root/ipmi/ip.list);
do
i=$((i + 1))
b=$((b + 1))
# Lower-case hex form of the IP, e.g. 0a000c01
HEXIP=$(gethostip -x "$IP" | tr 'A-Z' 'a-z')
echo "	   ~*($IP|$i|$b|$HEXIP)$ 	IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >> "$http_route_map"
echo "     ~*($b|$i)$  $IP;" >> "$stream_route_map"

done

nginx -s reload


Quick OpenResty deployment on CentOS 7

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s  /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ # expose the nginx binary in the usual sbin directory
ln -s /usr/local/openresty/nginx/conf /etc/nginx # symlink the config directory to the usual location
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service # nginx alias for the CentOS 7 service unit
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

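Once the base deployment is done, sync the data over with rsync and then do the remaining basic configuration; at that point the setup is essentially complete.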

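Crude and simple filtering of CC attacks with nginx Lua

The original source page no longer seems to open. Stock nginx needs the Lua module compiled in; OpenResty can use it directly.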

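location ~ \.php$ {
    rewrite_by_lua '
        -- The token binds the cookie to the client address and User-Agent.
        -- http_user_agent is nil when the header is absent; fall back to ""
        -- so the concatenation cannot raise an error.
        local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
        if (ngx.var.cookie_humanflag ~= md5token) then
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}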

location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}

Original article: http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

Simple: the following method needs no additional modules installed:

location ~ \.php$ {
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		rewrite .* "$scheme://$host$uri" redirect;
		#rewrite .* "$scheme://localhost:$remote_port" redirect;
	}
	
	... ...
}

Advanced: return JS redirect code to filter out simulated visits:

location ~ \.php$ {
	default_type text/html;
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		return 200 "<script>location.reload()</script>\n";
	}
	
	... ...
}

Perl: return JS that sets the cookie and refreshes automatically:

http {
	perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); md5_base64("SALT",shift->variable("remote_addr"))}';
	... ...
	server {
		... ...
		location ~ \.php$ {
			default_type text/html;
			if ($cookie_reCAPTCHA != $reCAPTCHA){ # requests for non-text/html content will misbehave; set the cookie with add_header instead so it does not depend on the JS being executed
				return 200 '<script>\ndocument.cookie="reCAPTCHA=$reCAPTCHA";\nlocation.reload();\n</script>\n';
			}
			... ...
		}
	}
}

Combining the methods above, this is the configuration the author currently uses:

http {
    perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); my $r = shift;
    md5_base64("salt:RANDOM".$r->variable("remote_addr").$r->variable("http_user_agent"))}';
    ... ...
    server {
        ... ...
        location / {
            default_type text/html;
            if ($cookie_reCAPTCHA != $reCAPTCHA){
                add_header Set-Cookie "reCAPTCHA=$reCAPTCHA; PATH=/";
                return 200 '<script>location.reload()</script>';
            }
            proxy_pass http://www.baidu.com;
        }
    }
}
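
An offline model of the cookie check in the configuration above, added here as an example (not code from the original post): it reproduces the perl_set md5_base64 token in Python and runs the pass/challenge decision over constructed requests. The function names, sample addresses and User-Agent are assumptions; the salt is the placeholder string from the config.

```python
import base64
import hashlib
import hmac

# Placeholder salt string from the config above; a real deployment needs a long random secret.
SALT = b"salt:RANDOM"


def md5_base64(*parts):
    """Match Perl Digest::MD5::md5_base64: base64 of the raw digest, '=' padding removed."""
    digest = hashlib.md5(b"".join(parts)).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def expected_token(remote_addr, user_agent):
    # A missing User-Agent contributes an empty string to the hash input.
    return md5_base64(SALT, remote_addr.encode(), (user_agent or "").encode())


def decide(remote_addr, user_agent, cookie):
    """Return "pass" (go on to proxy_pass) or "challenge" (Set-Cookie plus reload page)."""
    want = expected_token(remote_addr, user_agent)
    # Constant-time comparison of the presented cookie against the expected token.
    if cookie is not None and hmac.compare_digest(cookie.encode(), want.encode()):
        return "pass"
    return "challenge"


# Constructed sample requests: (remote_addr, user_agent, reCAPTCHA cookie value)
UA = "Mozilla/5.0 (constructed sample)"
GOOD = expected_token("192.0.2.10", UA)
SAMPLES = [
    ("192.0.2.10", UA, None),           # first visit, no cookie yet
    ("192.0.2.10", UA, GOOD),           # browser ran the JS and came back with the cookie
    ("198.51.100.7", UA, GOOD),         # same cookie presented from another address
    ("192.0.2.10", None, GOOD),         # cookie sent without the User-Agent it was bound to
    ("192.0.2.10", UA, "192.0.2.10"),   # value the unsalted remote_addr variant would accept
]


def run_samples():
    return [decide(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], repr(sample[2]), "->", verdict)
```

Only the second request passes: the address and User-Agent are both hashed into the token together with the server-side salt, so a change in either forces a fresh challenge.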

Lua: much the same, but the extension module must be installed: apt-get install nginx-extras

location ~ \.php$ {
	rewrite_by_lua '
		-- http_user_agent is nil when the header is absent; fall back to ""
		-- so the concatenation cannot raise an error.
		local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
		if (ngx.var.cookie_reCAPTCHA ~= md5token) then
			ngx.header["Set-Cookie"] = "reCAPTCHA=" .. md5token
			return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
		end
	';
	
	... ...
}

Reference: https://jiji262.github.io/wooyun_articles/drops/通过nginx配置文件抵御攻击.html