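Rewriting IP to Domain Name with Apache NameVirtualHost

I have an Apache server and wanted to redirect all HTTP requests made by IP address to the domain http://dev.ymeng.net, but the redirect had no effect at all. The VirtualHost configuration was as follows: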

<VirtualHost *:80>
    DocumentRoot /var/www/html/dev.ymeng.net
    ServerName dev.ymeng.net
    ErrorLog /var/log/apache2/dev.ymeng.net-error_log

    <Directory "/var/www/html/dev.ymeng.net">
      # deny,allow: Deny is evaluated first, then Allow re-admits 212.5.5.1
      Order deny,allow
      Deny from all
      Allow from 212.5.5.1
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/html/dev.ymeng.net
    ServerName 217.12.15.69
    ErrorLog /var/log/apache2/dev.ymeng.net-error_log

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^217\.12\.15\.69
    RewriteRule ^(.*)$ http://dev.ymeng.net [R,L]

    <Directory "/var/www/html/dev.ymeng.net">
      Order allow,deny
      Deny from all
    </Directory>
</VirtualHost>

After checking carefully, I found that the NameVirtualHost directive had been commented out:
NameVirtualHost *:80

Uploading a File with curl

 

curl -u httpuser:httppassword -F "postParameterName=value" -F "fileFieldName=@fileNameInOs" http://dev.ymeng.net/upload.php

  • -u sets the user name and password for HTTP authentication
  • -F sends the parameter as an HTTP multipart POST field
  • @ reads the value from a file

 

PHP code that handles the upload

 

<?php
$parameterValue = $_POST['postParameterName'];
$uploadedFileName = $_FILES['fileFieldName']['name'];
$uploadedFileSize = $_FILES['fileFieldName']['size'];
 
// move_uploaded_file...
?>

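Poll SCM Does Not Trigger Builds in Jenkins 1.561

After upgrading to the latest version of Jenkins, I found that the previously configured Poll SCM no longer triggered builds.
Jenkins still checks the SCM for updates, and a message like the following still appears under Poll SCM:
"Would last have run at Wednesday, May 7, 2014 5:45:11 AM CEST; would next run at Wednesday, May 7, 2014 5:50:11 AM CEST."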


Viewing the poll log at http://xxx/job/JOB-NAME/scmPollLog/ shows:
Started on May 07, 2014 8:08:05 AM
We need to schedule a new build to get a workspace, but deferring 1,149ms in the hope that one will become available soon (all_suitable_nodes_are_offline)
Done. Took 1 ms
No changes

This problem has been reported in the Jenkins JIRA, https://issues.jenkins-ci.org/browse/JENKINS-22750. It has not been fixed yet, but there is a way to work around it. The fifth post in this thread describes it in detail: http://jenkins-ci.361315.n4.nabble.com/No-new-jobs-are-created-after-upgrading-to-1-560-polling-plugin-reports-no-changes-when-there-are-td4699709.html

Log into your Jenkins web interface and go into ‘Manage Jenkins’ -> ‘Manage Nodes’, use the option on the left to add ‘New Node’. Give the node a name, doesn’t matter what, and choose the option ‘Dumb Slave’; click ‘ok’. Leave everything the way it is on the next page, you aren’t going to do anything with this node, and click ‘save’. This will enable the option to restrict where projects can run; this is only available if you have more than one node configured. Now go into each one of your jobs you are having a problem with and choose ‘configure’. In the top section you will now see an option for ‘Restrict where this project can be run’. Check that box and in the ‘Label Expression’ field type in ‘master’. You should now see below that box ‘Slaves in label: 1’. Click ‘Save’ on that screen and that will fix the problem for that particular job. Leave the temporary node you added in case you need to add new polling jobs until this gets fixed.

In short: create a Dumb Slave, and restrict every job that needs to trigger builds so that it builds on the master node.


CSR@GoDaddy

openssl req -new -newkey rsa:2048 -nodes -keyout dev.ymeng.net.key -out dev.ymeng.net.csr

Common Name: DOMAIN-NAME
Organisation: Name of company
Organisation Unit: eg, web server 1
City: eg, Chengdu
State: Sichuan
Country: CN (ISO-3166-2, http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)

Generate CSR from existing certificate&key:
openssl x509 -x509toreq -in dev.ymeng.net.crt -out dev.ymeng.net.csr -signkey dev.ymeng.net.key

OpenSSL


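  1. Basic OpenSSL configuration
  2. Generate a self-signed CA certificate and key
  3. Generate a CSR and key for the domain – dev.ymeng.net
  4. Sign dev.ymeng.net with the CA's private key to issue the user certificate
  5. Convert the certificate to PKCS#12 format
  6. View the PKCS#12 certificate
  7. Verify SSL mutual authentication with openssl
  8. Generate a CSR from an existing certificate and private key

1. Basic OpenSSL configuration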

dir = /etc/apache2/ssl-cert/ca
 
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm (MD5 is collision-broken; certificates signed with it are rejected by current clients)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req 
 
[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64 
 
# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = Company Technologies Co., Ltd.
organizationalUnitName_default = Development Dept.
emailAddress_default = ca@company.com
localityName_default = Helsinki
# stateOrProvinceName_default =
countryName_default = FI
 
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always 
 
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash 
 
[ ca ]
default_ca = CA_default 
 
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match 
 
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

2. Generate a self-signed CA certificate and key

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.conf

View the certificate:

openssl x509 -in cacert.pem -noout -text

3. Generate a CSR and key for the domain – dev.ymeng.net

openssl req -new -nodes -out dev.ymeng.net-csr.pem -keyout private/dev.ymeng.net-key.pem -config ./openssl.conf

View the CSR:

openssl req -in dev.ymeng.net-csr.pem -text -verify -noout

4. Sign dev.ymeng.net with the CA's private key to issue the user certificate

openssl ca -out dev.ymeng.net-cert.pem -config ./openssl.conf -infiles dev.ymeng.net-csr.pem

The CA key used for signing is specified in the [ CA_default ] section of the configuration file.

5. Convert the certificate to PKCS#12 format

openssl pkcs12 -export -in dev.ymeng.net-cert.pem -out dev.ymeng.net-cert.p12 -inkey private/dev.ymeng.net-key.pem

6. View the PKCS#12 certificate

openssl pkcs12 -info -in keyStore.p12

7. Verify SSL mutual authentication with openssl

openssl s_client -connect testgw.girogate.de:443 -cert customer.crt -key customer.key -CAfile ca.crt

8. Generate a CSR from an existing certificate and private key

openssl x509 -x509toreq -in certificate.crt -out certificate-request.csr -signkey private-key.key
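
Steps 2 to 4 above, run end to end without prompts, as an added example that is not part of the original post: it builds a throwaway CA in a temporary directory with default_md = sha256, issues a certificate for dev.ymeng.net, checks the chain with openssl verify and prints the certificate's signature algorithm. The subject names, the file names, the trimmed-down config and the -subj, -batch and -nodes flags are assumptions made so that nothing prompts.

```shell
#!/bin/sh
# Added example: subject names, file names and the trimmed config are constructed for the demo.
issue_test_cert() (
  work=$(mktemp -d) || exit 1
  cd "$work" && mkdir private newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > openssl.conf <<'EOF'
dir = .
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
EOF
  ok=no
  # -nodes leaves the throwaway keys unencrypted so nothing prompts; a real CA key needs a passphrase.
  openssl req -new -x509 -nodes -extensions v3_ca -days 3650 -config openssl.conf \
      -subj "/C=FI/O=Example Org/CN=Example Test CA" \
      -keyout private/cakey.pem -out cacert.pem 2>/dev/null &&
  openssl req -new -nodes -config openssl.conf -subj "/C=FI/O=Example Org/CN=dev.ymeng.net" \
      -keyout private/dev-key.pem -out dev-csr.pem 2>/dev/null &&
  openssl ca -batch -config openssl.conf -out dev-cert.pem -infiles dev-csr.pem 2>/dev/null &&
  openssl verify -CAfile cacert.pem dev-cert.pem >/dev/null 2>&1 && ok=yes
  alg=$(openssl x509 -in dev-cert.pem -noout -text 2>/dev/null | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  cd / && rm -rf "$work"
  [ "$ok" = yes ] && printf '%s\n' "$alg"
)
issue_test_cert
```

The function prints the signature algorithm only when the issued certificate verifies against the CA; policy_match requires the CSR's country and organization to equal the CA's, which is why both subjects share them.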

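HttpClient: SSL Mutual Authentication

After getting the documentation for PPro payments, I found that PPro requires the client to use SSL mutual authentication when talking to it.

In other words, after you apply for a test account, PPro generates an SSL client certificate for that account, issued by PPro's self-signed CA.

When PPro assigns the test account, the user receives:

  • ca.crt – the root certificate of PPro's self-signed CA
  • customer.crt – the user certificate
  • customer.key – the user's private key

To use these certificates and the private key in Java they have to be imported into a KeyStore. Two KeyStores are needed: one for the CA certificate, and one for the user certificate and private key.

1. Import ca.crt into caKeyStore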

keytool -importcert -alias pproca -file ca.crt -storetype jks -keystore caKeyStore.jks

You need to specify an alias and the KeyStore type (JKS), and set the KeyStore access password.

2. Import customer.crt and customer.key into clientKeyStore

openssl pkcs12 -export -in customer.crt -out clientKeyStore.p12 -inkey customer.key -name customer

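The client certificate and key cannot be imported with the keytool command; instead use pkcs12 -export from openssl, specifying the certificate, the key and an alias (-name), and enter an export password when prompted. keytool cannot import a private key.

The clientKeyStore.p12 that the openssl command generates here can be used directly in Java as a KeyStore of type PKCS12.

Loading the KeyStore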

import java.io.InputStream;
import java.security.KeyStore;
InputStream keyStoreStream = loadKeyStoreIntoInputStream(keyStoreLocation);
KeyStore keyStore = KeyStore.getInstance("pkcs12"); // use "jks" for the CA KeyStore
keyStore.load(keyStoreStream, keyStorePassword.toCharArray());

Using the KeyStores from HttpClient for mutual SSL authentication

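        // HttpClient 4.x API (these classes are deprecated since 4.3)
        import org.apache.http.client.HttpClient;
        import org.apache.http.client.methods.HttpPost;
        import org.apache.http.conn.scheme.Scheme;
        import org.apache.http.conn.ssl.SSLSocketFactory;
        import org.apache.http.impl.client.DefaultHttpClient;

        HttpClient httpClient = new DefaultHttpClient();

        // client certificate and key come from clientKeyStore; the server is trusted via caKeyStore
        SSLSocketFactory sslSocketFactory = new SSLSocketFactory(clientKeyStore, clientKeyStorePassword, caKeyStore);
        Scheme protocolScheme = new Scheme("HTTPS", 443, sslSocketFactory);

        httpClient.getConnectionManager().getSchemeRegistry().register(protocolScheme);

        HttpPost httpPost = new HttpPost(url);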

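The clientKeyStorePassword in the code is the export password chosen when the p12 store was generated.

References: OpenSSL setup, configuration and related commands; KeyStore in Java

Caching Method Return Values with Cache in Spring

I happened to use Spring's Cache in a project to cache the return values of service-layer methods.

It is quite simple to use: annotate the method whose return value should be cached with @Cacheable, as follows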

@Cacheable(value = "billfoldCache", key = "'fetchByGroupName' + #groupName")
public Collection<Game> fetchByGroupName(final String groupName) {
    // ... the returned collection is what gets cached
}

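Here value is the name of the cache, which is defined in the ehcache configuration file (if ehcache is used as the underlying cache), and key is the cache key, which supports the Spring Expression Language (SpEL).

Configuration
Spring currently ships with two implementations: one based on ehcache, the other based on Java's ConcurrentMap. The project uses ehcache.

Configuration is also simple. Add the following to the Spring configuration file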

    <cache:annotation-driven cache-manager="billfoldCacheManager"/>
 
    <bean id="billfoldCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager"
          p:cacheManager-ref="billfoldEhCacheManagerFactoryBean"></bean>
 
    <bean id="billfoldEhCacheManagerFactoryBean"
          class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"
          p:configLocation="classpath:/ctx-ehcache.xml"></bean>

and create a configuration file for ehcache named ctx-ehcache.xml

<?xml version="1.0" encoding="UTF-8"?>
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false">
    <diskStore path="java.io.tmpdir"></diskStore>
    <defaultCache maxEntriesLocalHeap="100000" eternal="false"
                  timeToIdleSeconds="120" timeToLiveSeconds="120" maxEntriesLocalDisk="1000000"
                  diskExpiryThreadIntervalSeconds="3600" memoryStoreEvictionPolicy="LFU">
    </defaultCache>

    <cache name="billfoldCache" eternal="false" maxEntriesLocalHeap="100000"
           timeToLiveSeconds="60" timeToIdleSeconds="60">
        <persistence strategy="none"></persistence>
    </cache>
</ehcache>

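Points to note:

  • Spring recommends putting the @Cache* annotations on the implementation class rather than on the interface
  • With the default configuration (proxy mode), @Cache* only takes effect for external calls to methods with public visibility. For protected, private and package-visible methods, and for calls made from inside the same object, caching does not take effect unless mode is explicitly set to aspectj in the configuration. For details see Spring Cache and Spring Configuration – load time weaver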

iptables

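Over the weekend I was setting up OpenVPN at home and found that the client could connect to the server successfully but could not reach the Internet.
I re-checked every step performed on the server side and everything looked normal. I also noticed something else: occasionally Internet access did work, but after restarting the server it stopped working again. After racking my brains...

I finally found that iptables on the server had not been started.

Finding the site-packages Directory of the Current Python Environment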

How to find the site-packages folder in Python?

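This is especially useful on Mac OS or Linux, because these systems usually have several versions installed side by side. Mac OS 10.5 in particular has a very messy directory layout.

In the Python interpreter: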

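# distutils was removed in Python 3.12; there, sysconfig.get_path("purelib") gives the same directory
from distutils.sysconfig import get_python_lib
print(get_python_lib())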

Or, directly from the command line:

python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())"