Articles in the DirectAdmin category

I got an error while trying to create a free Let's Encrypt SSL certificate in DirectAdmin. It returned the following:

Cannot Execute Your Request

Details

Getting challenge for parniagroup.com from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account registration error. Response: HTTP/1.1 100 Continue 
Expires: Wed, 03 Aug 2016 08:08:26 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 

HTTP/1.1 400 Bad Request 
Server: nginx 
Content-Type: application/problem+json 
Content-Length: 265 
Boulder-Request-Id: vdS0ublv2yTS3g8BkAW4mjM9f-HCiYV6DgYrfCkaLqI 
Replay-Nonce: QUnGB2x_ZY1sJRrGG3MgS9fwtegzDawR8xj1uJ4E50o 
Expires: Wed, 03 Aug 2016 08:08:27 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
Date: Wed, 03 Aug 2016 08:08:27 GMT 
Connection: close 

{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}.


I had just received an alert that one machine's bandwidth usage was abnormal. top and ps aux showed no suspicious user, and the load was normal, even lower than usual. iftop showed that almost all outbound traffic came from a single IP, while the requesting IPs (the attacking IPs) spanned more than ten ranges. After blocking the requesting ranges I looked them up: they belonged to CloudFlare and Baidu Yunjiasu. It was clearly a CC (HTTP flood) attack that CloudFlare and Baidu Yunjiasu had failed to filter and had passed straight through to the backend.

The sending IP (the attacked site's IP) is shared by many sites, so blocking it outright would take every site on that IP down. The only option was to find the specific site and user under attack and act there, and checking them one by one was obviously impossible.

Each DirectAdmin user's site has its own Apache log. We can use that: take the IPs whose requests last the longest and carry the most data, and search for them across every user's site logs.

[root@****** ~]# grep -c 141.101.98.211 /var/log/httpd/domains/*.log | grep -v :0

/var/log/httpd/domains/****1g.com.log:1
/var/log/httpd/domains/****1g.com.error.log:30
/var/log/httpd/domains/****xv.com.log:12266

[root@****** ~]# grep -c 162.158.88.52 /var/log/httpd/domains/*.log | grep -v :0
/var/log/httpd/domains/****xv.com.log:6385

Just two IPs were enough to find it: it was clearly ****xv.com. Checking that site's log in detail showed that between 1:30 a.m., when it started, and 1:50, when Baidu Yunjiasu's requests were refused (blocking a dozen-plus ranges only covered part of them), there had already been more than 350,000 GET requests. I did not count the requesting IPs, but there were a great many, and the request tails were deliberately randomised to punch through the Baidu CDN cache. I then contacted the user and asked them to turn Baidu Yunjiasu's CC protection up to its highest level, then unblocked the ranges I had just blocked so the CDN's normal requests could resume. That resolved it.
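The log search above, as an added example that is not part of the original post: it runs the same per-domain `grep -c` over constructed Apache logs (the domains, IPs and paths are made up), ranks the logs by hit count so the busiest site surfaces first, and adds one check the post describes only in words, the number of distinct request targets from one IP, which exposes the randomised query strings used to bust the CDN cache.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the per-domain log
# search on constructed logs, rank the domains by hits from a suspect IP, and
# count distinct request targets (random query strings = cache busting).
set -eu

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample logs in Apache "combined" format, one file per domain,
# mirroring /var/log/httpd/domains/<domain>.log on a DirectAdmin server.
cat > "$LOGDIR/site-a.example.log" <<'EOF'
141.101.98.211 - - [03/Aug/2016:01:31:02 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Aug/2016:01:31:05 +0800] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
cat > "$LOGDIR/site-b.example.log" <<'EOF'
141.101.98.211 - - [03/Aug/2016:01:30:11 +0800] "GET /?a8f1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
141.101.98.211 - - [03/Aug/2016:01:30:11 +0800] "GET /?c02d HTTP/1.1" 200 512 "-" "Mozilla/5.0"
141.101.98.211 - - [03/Aug/2016:01:30:12 +0800] "GET /?77b9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
162.158.88.52 - - [03/Aug/2016:01:30:12 +0800] "GET /?e4aa HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
cat > "$LOGDIR/site-c.example.log" <<'EOF'
198.51.100.9 - - [03/Aug/2016:01:32:40 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47"
EOF

# Same shape as `grep -c IP /var/log/httpd/domains/*.log | grep -v :0`, but the IP
# is anchored to the first field (so 1.2.3.4 cannot match inside 11.2.3.45), dots
# are escaped, and the output is sorted so the busiest log comes first.
hits_by_log() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g'); dir=$2
  grep -c -H -e "^$ip_re " "$dir"/*.log | grep -v ':0$' | sort -t: -k2,2nr
}

# Name of the log (domain) with the most requests from the IP, or empty if none.
busiest_log() {
  hits_by_log "$1" "$2" | head -n 1 | cut -d: -f1 | sed 's#.*/##'
}

# Distinct request targets from one IP in one log: when nearly every hit has a
# different query string, the traffic is crafted to miss the CDN cache.
distinct_targets() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g'); log=$2
  grep -e "^$ip_re " "$log" | cut -d'"' -f2 | cut -d' ' -f2 | sort -u | wc -l | tr -d ' '
}

hits_by_log 141.101.98.211 "$LOGDIR"
busiest_log 141.101.98.211 "$LOGDIR"
distinct_targets 141.101.98.211 "$LOGDIR/site-b.example.log"
```

On a real server replace `$LOGDIR` with /var/log/httpd/domains and feed in the IPs iftop shows as the heaviest senders; a site whose distinct-target count is close to its hit count is receiving cache-busting traffic.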

You might ask why the server itself cannot defend against this. This case was special: the user hid the backend's real IP behind a CDN, so the attacker could not hit us directly and instead hit the CDN; the abnormal bandwidth therefore came from the CDN's IPs, and we could neither correctly obtain the attackers' IPs nor block the real attackers. There are ways to do that, but blocking on our side would be pointless because the CDN would still let the requests through, unless we obtained the real attack IPs and struck back. Many users rely on the CDN, so we certainly cannot block it. Even a rule that drops CC requests and returns 301 to the CDN ends the same way: the requests do not stop or shrink, they just keep hitting the 301 page, and at that volume bandwidth usage does not fall. The problem can only be handled together with the user.

cd /usr/local/directadmin/data/templates
cp virtual_host2*.conf custom
cd custom

When done, run the following to update all users:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Source: http://help.directadmin.com/item.php?id=2

Our PHP-Selector works with DirectAdmin only if PHP is running in suphp or fcgi mode. Here is the complete set of commands to enable the selector on DA with suphp:

/usr/local/directadmin/custombuild/build set suphp yes
/usr/local/directadmin/custombuild/build set cloudlinux yes
/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build apache
/usr/local/directadmin/custombuild/build php y
/usr/local/directadmin/custombuild/build suphp
/usr/local/directadmin/custombuild/build rewrite_confs
cagefsctl --force-update
cagefsctl --remount-all

Same way for fcgi mode.

http://kb.cloudlinux.com/2014/12/php-selector-and-directadmin/

When Suhosin is enabled, DA's phpMyAdmin reports the following error:

Server running with Suhosin. Please refer to documentation for possible issues.

This is a permission issue: Suhosin blocks some of phpMyAdmin's operations. Adding an exception fixes it. Run

php -i | grep "Loaded Configuration File"

to find the php.ini location, then edit it and append at the very bottom:

[PATH=/var/www/html/phpMyAdmin]
suhosin.simulation = On

Save, exit and restart Apache for the change to take effect. Note that suhosin.simulation = On switches Suhosin's enforcement off for that path only: violations under /var/www/html/phpMyAdmin are logged but no longer blocked.

1. Turn off DA's service monitoring

vi /usr/local/directadmin/data/admin/services.status
Set the exim and dovecot values to OFF.

2. Stop the services and disable them at boot

service exim stop
chkconfig exim off
service dovecot stop
chkconfig dovecot off

3. Break (rename) the exim binary

mv /usr/sbin/exim /usr/sbin/exim.old

4. Clear the mail queue

cd /var/spool  
mv exim exim.old  
mkdir -p exim/input  
mkdir -p exim/msglog  
mkdir -p exim/db  
chown -R mail:mail exim 

64-bit systems need libunwind installed first

wget http://download.savannah.gnu.org/releases/libunwind/libunwind-1.1.tar.gz
tar zxvf libunwind-1.1.tar.gz
cd libunwind-1.1/
CFLAGS=-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install

Install TCMalloc

wget http://pkgs.fedoraproject.org/repo/pkgs/gperftools/gperftools-2.4.tar.gz/2171cea3bbe053036fb5d5d25176a160/gperftools-2.4.tar.gz
tar zxvf  gperftools-2.4.tar.gz
cd gperftools-2.4/
./configure
make && make install
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
/sbin/ldconfig

Load it into MySQL

vi /usr/bin/mysqld_safe
# find the line "# executing mysqld_safe" and add below it:
export LD_PRELOAD=/usr/local/lib/libtcmalloc.so
service mysqld restart
# check that it took effect
lsof -n | grep tcmalloc

Optimise the MySQL configuration file

[mysqld]
# WEED 2015-06-06
#default-storage-engine=MyISAM
open_files_limit=60000
innodb_file_per_table=1
local-infile=0
key_buffer_size = 32M
max_allowed_packet = 128M
max_connections = 150
max_user_connections = 50
wait_timeout=30
interactive_timeout=45
connect_timeout=10
tmp-table-size = 256M
max-heap-table-size = 256M
sort_buffer_size = 1M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-flush-log-at-trx-commit = 1
innodb-buffer-pool-size = 64M
#innodb-buffer-pool-instances = 2
innodb_buffer_pool_instances = 1
join_buffer_size = 32M
table_open_cache=64
innodb_buffer_pool_size=2G
innodb_thread_concurrency=8
tmpdir = /dev/shm

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

See also: http://help.directadmin.com/item.php?id=44

mod_cache can cache common static files such as CSS and JS, speeding up page loads.

Installation

cd /usr/local/directadmin/custombuild/configure/ap2
vi configure.apache

Append at the very bottom:

"--enable-cache" \
"--enable-disk-cache" \
"--enable-mem-cache"

cd /usr/local/directadmin/custombuild
./build apache

Configuration

cd /etc/httpd/conf/extra/    # enter the directory
vi httpd-includes.conf    # edit the configuration file

Add the following to the configuration file. Note that mod_mem_cache and the --enable-mem-cache option exist only in Apache 2.2; Apache 2.4 removed them, so on 2.4 only the disk cache part applies.

<IfModule mod_cache.c>
    # Apache does not accept a comment after a directive on the same line,
    # so every note sits on its own line.
    # CacheForceCompletion 100
    # default cache lifetime in seconds
    CacheDefaultExpire 3600
    # maximum cache lifetime in seconds
    CacheMaxExpire 86400
    # fraction of the document's age (now minus Last-Modified) used as its
    # lifetime when the response carries no Expires header
    CacheLastModifiedFactor 0.1

    <IfModule mod_mem_cache.c>
        CacheEnable mem /
        # memory cache size in KB; adjust to the server's RAM
        MCacheSize 512000
        # maximum number of objects held in the cache
        MCacheMaxObjectCount 10000
        # smallest object to cache, in bytes
        MCacheMinObjectSize 1
        # largest object to cache, in bytes
        MCacheMaxObjectSize 51200
    </IfModule>
</IfModule>

When creating a large number of partitions or tables, MySQL may mysteriously stop working and you find this type of error in /var/lib/mysql/$HOSTNAME.err:

[ERROR] /usr/sbin/mysqld: Can't open file: './database/table.frm' (errno: 24)

errno 24 simply means that too many files are open for the given process. There is a read-only MySQL variable called open_files_limit that shows how many open files the mysqld process is allowed:

SHOW VARIABLES LIKE 'open%'

A lot of systems set this to something very low, like 1024. Unfortunately, the following will NOT work:

SET open_files_limit=100000

MySQL will respond with:

ERROR 1238 (HY000): Variable 'open_files_limit' is a read only variable

However, it is possible to set it in /etc/my.cnf. This file may not exist; if not, just create it. Be sure it has the following contents:

[mysqld]
open_files_limit = 100000

Then, be sure to restart MySQL:

sudo /etc/init.d/mysql restart

Now, SHOW VARIABLES LIKE 'open%' should show 100000. The number you use may be different. If the reported value is still lower than what you set, the operating-system file-descriptor limit of the mysqld process (ulimit -n) is capping it and must be raised as well.
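The my.cnf change above, as an added example that is not part of the original article: a shell function that writes open_files_limit under [mysqld] idempotently, handling the cases the text mentions (the file does not exist, the file has no [mysqld] section, a low value is already set), plus a check against the shell's own descriptor limit, since a value above ulimit -n will be capped. The file names and values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: set open_files_limit in the
# [mysqld] section of a my.cnf file without duplicating it, and compare the
# configured value with the OS descriptor limit. All paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write or replace "open_files_limit = N" inside the [mysqld] section of $1,
# creating the file or the section when they are missing.
set_open_files_limit() {
  cnf=$1; limit=$2
  [ -f "$cnf" ] || printf '[mysqld]\n' > "$cnf"
  grep -q '^\[mysqld\]' "$cnf" || printf '\n[mysqld]\n' >> "$cnf"
  awk -v lim="$limit" '
    /^\[/ {
      # leaving [mysqld] without having written the value: emit it before the next header
      if (in_mysqld && !done) { print "open_files_limit = " lim; done = 1 }
      in_mysqld = ($0 == "[mysqld]")
    }
    in_mysqld && /^[ \t]*open_files_limit[ \t]*=/ {
      # replace the first existing value and drop any later duplicates
      if (!done) { print "open_files_limit = " lim; done = 1 }
      next
    }
    { print }
    END { if (in_mysqld && !done) print "open_files_limit = " lim }
  ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# Print the open_files_limit configured under [mysqld], or nothing if unset.
get_open_files_limit() {
  awk -F= '
    /^\[/ { s = ($0 == "[mysqld]") }
    s && $1 ~ /^[ \t]*open_files_limit[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }
  ' "$1"
}

# "ok" when the configured value fits within this shell's descriptor limit
# (ulimit -n), otherwise "capped": mysqld cannot open more files than the OS allows.
fits_os_limit() {
  want=$(get_open_files_limit "$1")
  have=$(ulimit -n)
  if [ "$have" = "unlimited" ] || [ "$want" -le "$have" ]; then echo ok; else echo capped; fi
}

# Case 1: the file does not exist yet
set_open_files_limit "$WORK/new.cnf" 100000
# Case 2: [mysqld] exists but has no value, and another section follows it
printf '[mysqld]\nmax_connections = 150\n[mysql]\nno-auto-rehash\n' > "$WORK/partial.cnf"
set_open_files_limit "$WORK/partial.cnf" 100000
# Case 3: a low value is already set and must be replaced, not duplicated
printf '[mysqld]\nopen_files_limit = 1024\nkey_buffer_size = 32M\n' > "$WORK/low.cnf"
set_open_files_limit "$WORK/low.cnf" 100000

cat "$WORK/partial.cnf"
fits_os_limit "$WORK/new.cnf"
```

After `set_open_files_limit /etc/my.cnf 100000` and a restart, compare `SHOW VARIABLES LIKE 'open%'` with the value in the file; a lower number means the OS limit, not my.cnf, is the ceiling.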

If the tally is using up too much disk I/O, you can slow down the dataskq using the ionice binary, if you have it.

To limit dataskq's I/O usage, edit:

/etc/cron.d/directadmin_cron

or on FreeBSD:

/etc/crontab

Open the file and find:

* * * * * root /usr/local/directadmin/dataskq

Change it to:

* * * * * root /usr/bin/ionice -c2 -n7 /usr/local/directadmin/dataskq

Of course, you'll need to ensure that you actually have the /usr/bin/ionice binary. Install it if you don't.
Reload crond (or cron) after you make the change.
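The cron edit above, as an added example that is not part of DirectAdmin's documentation: a function that wraps the dataskq entry in ionice, refuses to touch the file when the ionice binary is missing, and is safe to run twice (it never stacks a second ionice prefix). The cron file and the ionice path are constructed for the demo; on a real server pass /etc/cron.d/directadmin_cron and /usr/bin/ionice, then reload crond.

```shell
#!/bin/sh
# Added example, not from DirectAdmin's documentation: prefix the dataskq cron
# entry with ionice idempotently and check the binary exists first.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRON=$WORK/directadmin_cron
DATASKQ=/usr/local/directadmin/dataskq

# Constructed cron file modelled on /etc/cron.d/directadmin_cron.
cat > "$CRON" <<'EOF'
* * * * * root /usr/local/directadmin/dataskq
2 0-23/6 * * * root echo 'action=vacation&value=all' >> /usr/local/directadmin/data/task.queue
EOF

# Stand-in for /usr/bin/ionice so the demo runs anywhere; it is never executed here.
STUB=$WORK/ionice
printf '#!/bin/sh\nexit 0\n' > "$STUB"
chmod +x "$STUB"

# Returns 1 if the ionice binary is missing, 2 if the file has no dataskq entry,
# 0 otherwise (also when the entry is already wrapped, so re-running is harmless).
# Class 2 (best-effort) priority 7 is the lowest priority that class offers.
add_ionice_to_dataskq() {
  cron=$1; ionice=$2
  [ -x "$ionice" ] || return 1
  grep -q "root .*$DATASKQ" "$cron" || return 2
  grep -q "root $ionice -c2 -n7 $DATASKQ" "$cron" && return 0
  # only non-comment lines; "|" is the sed delimiter because the paths contain "/"
  sed -i.bak "/^#/!s|^\(.*root \)$DATASKQ|\1$ionice -c2 -n7 $DATASKQ|" "$cron"
  rm -f "$cron.bak"
}

# The cron line that runs dataskq, for inspection.
dataskq_line() {
  grep "$DATASKQ" "$1"
}

add_ionice_to_dataskq "$CRON" "$STUB"
dataskq_line "$CRON"
```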

For backups, you can have the dataskq insert the ionice command in front of all tar, zip and unzip commands:
http://www.directadmin.com/features.php?id=1423

Installing ionice on CentOS:

yum install util-linux

Debian:

apt-get install util-linux

Official documentation: http://help.directadmin.com/item.php?id=525