kk Blog —— General Basics

date [-d @int|str] [+%s|"+%F %T"]

squid: enabling cgi-bin/cachemgr.cgi

start

apache2 with CGI support

(optional) enable apache2 authentication

sudo apt-get install squid-cgi

The file is already under /usr/lib/cgi-bin/, the same directory apache2 uses, so no cp is needed.

vim /etc/squid/cachemgr.conf
localhost
replace with
localhost:port
vim /etc/squid/squid.conf
comment out these two lines
#http_access allow localhost manager
#http_access deny manager
add these two lines
acl manager proto cache_object
http_access allow manager

squid -k reconfigure

cachemgr_passwd

vim /etc/squid/squid.conf

cachemgr_passwd none all # every user gets every action, no password

// cachemgr_passwd 123456 all does not take effect ???

squid -k reconfigure

Open http://ip/cgi-bin/cachemgr.cgi in a browser to view and operate some squid functions.

Username: manager, or empty

Password: empty
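The squid.conf change above (`acl manager proto cache_object` plus `http_access allow manager` with no source ACL, together with `cachemgr_passwd none all`) lets any client that can reach the squid port talk to the cache manager without a password; the Apache Basic auth placed on cachemgr.cgi only guards that CGI front end, not requests sent to squid itself. The script below is an added example, not part of the original post: it classifies a squid.conf as "open", "restricted" (the default `allow localhost manager` / `deny manager` pair that the post comments out) or "none", and reports whether cachemgr_passwd is disabled with `none`. The function names and the three sample configuration files are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit how a squid.conf exposes
# the cache manager interface. Sample configuration files are constructed
# below; the function names are this example's own.

# manager_exposure CONF: print "open" when manager requests are allowed from
# any source, "restricted" when only localhost may use the manager and
# everything else is denied, "none" when no manager rule is present.
manager_exposure() {
    # drop comments, keep only http_access lines
    rules=$(sed -e 's/#.*//' "$1" | grep -E '^[[:space:]]*http_access[[:space:]]' || true)
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+manager[[:space:]]*$'; then
        echo open
    elif printf '%s\n' "$rules" | grep -Eq 'allow[[:space:]]+localhost[[:space:]]+manager' &&
         printf '%s\n' "$rules" | grep -Eq 'deny[[:space:]]+manager'; then
        echo restricted
    else
        echo none
    fi
}

# cachemgr_passwd_status CONF: "nopass" when the directive disables the
# password ("none"), "set" when a password is configured, "unset" otherwise.
cachemgr_passwd_status() {
    line=$(sed -e 's/#.*//' "$1" | grep -E '^[[:space:]]*cachemgr_passwd[[:space:]]' | head -n 1 || true)
    if [ -z "$line" ]; then
        echo unset
        return 0
    fi
    set -- $line          # $1=directive $2=password $3...=actions
    if [ "$2" = none ]; then echo nopass; else echo set; fi
}

WORK=$(mktemp -d)
OPEN_CONF="$WORK/open.conf"
RESTRICTED_CONF="$WORK/restricted.conf"
NONE_CONF="$WORK/none.conf"

# constructed: the rules from the post, manager open to everyone, no password
cat > "$OPEN_CONF" <<'EOF'
acl manager proto cache_object
http_access allow manager
cachemgr_passwd none all
EOF

# constructed: the default rules the post comments out, plus a placeholder password
cat > "$RESTRICTED_CONF" <<'EOF'
acl manager proto cache_object
http_access allow localhost manager
http_access deny manager
cachemgr_passwd CHANGEME all
EOF

# constructed: no manager rule at all (the commented-out one must be ignored)
cat > "$NONE_CONF" <<'EOF'
# http_access allow manager
http_access allow localhost
EOF

for f in "$OPEN_CONF" "$RESTRICTED_CONF" "$NONE_CONF"; do
    printf '%s: manager=%s cachemgr_passwd=%s\n' \
        "$(basename "$f")" "$(manager_exposure "$f")" "$(cachemgr_passwd_status "$f")"
done
```

Run it against a real /etc/squid/squid.conf to see which of the three states the host is in; "open" combined with "nopass" is the state the post's configuration produces.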

ubuntu 18.04

The squid on 18.04 (version 3.5.27-1ubuntu1.8) seems to have a problem: clicking Current Squid Configuration restarts squid.

Switching to 16.04's 3.5.12-1ubuntu7.13 works fine.

http://security.ubuntu.com/ubuntu/pool/main/s/squid3/squid_3.5.12-1ubuntu7.13_amd64.deb

http://security.ubuntu.com/ubuntu/pool/universe/s/squid3/squid-cgi_3.5.12-1ubuntu7.13_amd64.deb

http://security.ubuntu.com/ubuntu/pool/main/s/squid3/squid-common_3.5.12-1ubuntu7.13_all.deb

apache2 with CGI support

http://blog.chinaunix.net/uid-26824563-id-5769678.html

ln

ls -l /etc/apache2/*/*cgi*

ln -s /etc/apache2/mods-available/cgid.conf /etc/apache2/mods-enabled/cgid.conf
ln -s /etc/apache2/mods-available/cgid.load /etc/apache2/mods-enabled/cgid.load
ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load 

restart

service apache2 restart

The CGI directory is /usr/lib/cgi-bin

apache2 access authentication

Create the password file

htpasswd -c squid.pwd admin

chown www-data:www-data squid.pwd

Edit /etc/apache2/apache2.conf

<Location /cgi-bin/cachemgr.cgi>
	AuthType Basic
	AuthName "admin"
	AuthUserFile  /etc/squid/squid.pwd
	require valid-user
</Location>

TCP_NEW_SYN_RECV

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=10feb428a5045d5eb18a5d755fbb8f0cc9645626

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d34ac51b76e8c7de6094cfb11780ef9c2b93469f

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4e9a578e5b6bdfa8b7fed7a41f28a86a7cffc85f

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=079096f103faca2dd87342cca6f23d4b34da8871

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2215089b224412bfb28c5ae823b2a5d4e28a49d7

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26e3736090e1037ac929787df21c05497479b77f

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=85645bab57bfc6b0b43bb96a301c4ef83925c07d

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a9407000038805e5215a49c0a50c9e2b2ff38220

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8b5801477926a2b018afc84a53c0b8818843fe73

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a8399231f0b6e72bc140bcc4fecb0c622298a6bd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=caf3f2676aaad395903d24a54e22f8ac4bc4823d

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4bdc3d66147b3a623b32216a45431d0cff005f50

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c2f34a65a61cd1ace3b53c93e8b38d2f79f4ff0d

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f03f2e154f52fdaa982de7e2c386737679963dc9

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fff1f3001cc58b5064a0f1154a7ac09b76f29c44

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aac065c50aba0c534a929aeb687eb68c58e523b8

Combining the patches above, introduce the TCP_NEW_SYN_RECV patch into the kernel-3.10.0-693.11.1.el7.src.rpm kernel.

Benefit: mptcp becomes basically the same as in 4.15.0.

spin_lock(listen_sk) is no longer needed; the heaviest mutual exclusion becomes an atomic. (on removing the atomic, see tcp connection lookup

ipv6_addr_v4mapped

sk_ehashfn is shared by ipv4 and ipv6, and when hashing a req there are not many variables available, so ipv6_addr_v4mapped(&sk->sk_v6_daddr) is used to decide whether the address is a mapped one. Therefore the original sk->sk_daddr = addr; sk->sk_rcv_saddr = addr; are replaced with the two functions below.

static inline void sk_daddr_set(struct sock *sk, __be32 addr)
{
	sk->sk_daddr = addr; /* alias of inet_daddr */
#if IS_ENABLED(CONFIG_IPV6)
	ipv6_addr_set_v4mapped(addr, &sk->sk_v6_daddr);
#endif
}

static inline void sk_rcv_saddr_set(struct sock *sk, __be32 addr)
{
	sk->sk_rcv_saddr = addr; /* alias of inet_rcv_saddr */
#if IS_ENABLED(CONFIG_IPV6)
	ipv6_addr_set_v4mapped(addr, &sk->sk_v6_rcv_saddr);
#endif
}

ir_iif, ireq_net, ireq_state

ir_iif, ireq_net and ireq_state must be assigned when the req is created, because lookups after it is inserted into the ehash table use these fields.

reqsk_put

Some of the original reqsk_free calls need to become reqsk_put, because a req is now like an sk and is kept alive by its own refcnt.

backlog

if (sk->sk_state == TCP_LISTEN) {
	/* a listener's packet is processed right here, never queued to its backlog */
	ret = tcp_v4_do_rcv(sk, skb);
	goto put_and_return;
}

Packets for listen_sk must be fully handled inside tcp_v4_rcv and can no longer be queued to listen_sk's backlog, because the req is no longer in listen_sk->icsk_accept_queue.listen_opt.syn_table and the backlog path (= tcp_v4_do_rcv) does not do another lookup_sk, so the req would never be found.

The original handling processed packets in the order listen_sk received them and needed a spin_lock. With the order below, even if the syn, ack and GET packets are all sitting in the backlog they can still be handled (the GET packet finds no req but does find the established socket). TCP_NEW_SYN_RECV is mainly about optimizing away spin_lock(listen_sk).

tcp_v4_hnd_req() {
	/* 1. a pending request sock (SYN seen, handshake not yet complete) */
	req = inet_csk_search_req();

	if (req)
		return tcp_check_req();

	/* 2. otherwise a fully established child; a TIME_WAIT socket is not returned */
	nsk = inet_lookup_established();
	if (nsk && nsk->sk_state != TCP_TIME_WAIT)
		return nsk;
}

vpn

Scheme 1

client —– xor;drop —-> hongkong(squid) ———–> server

Scheme 2

client —– xor;drop —-> guangzhou(squid) —– xor;drop;icmp+mss —–> hongkong(squid) ———> server

squid

icmp

Sometimes the client and hongkong can ping each other but TCP simply does not get through, every packet is dropped; that is when scheme 2 is needed.

ICMP is awkward between the client and squid because the client is usually behind NAT: ICMP it initiates gets through, but requests initiated from the other side cannot come in. That is why the guangzhou intermediate node is added.

mss

To make room for the ICMP header, TCP_MSS has to be reduced.

xor

drop: discard abnormal reset, fin and similar packets.

Through the web, buy and use it anytime, anywhere, on any platform

Buying a CVM

Script to buy a CVM

Web page to buy a CVM:

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<meta name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"/>
	<meta name="MobileOptimized" content="320">
	<meta name="format-detection" content="telephone=no">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<title>proxy</title>
</head>
<body>

<?php
	$region = "hk";
	if (isset($_GET['region']))
		$region = $_GET['region'];
	$count = "0";
	if (isset($_GET['count']))
		$count = $_GET['count'];
?>
<form action="index.php" method="get">
<input name="region" value="<?php echo htmlspecialchars($region); ?>" style="width:100px">
<input name="count" value="0" style="width:100px">
<input class="submit" type="submit" value="创建">
</form>
<?php
	/* region and count come straight from the query string: quote each one so
	   the shell hands it to CVM.py as a single literal argument */
	$cmd = "python CVM.py " . escapeshellarg($region) . " " . escapeshellarg($count);

	echo date("Y-m-d H:i:s") . " " . htmlspecialchars($cmd);
	echo "<br><br>";

	exec($cmd);

	if (file_exists("show.log") && filesize("show.log") > 0) {
		$myfile = fopen("show.log", "r");
		echo fread($myfile, filesize("show.log"));
		fclose($myfile);
	}
?>
</body>
</html>

Configure cache_peer via the web; only guangzhou in scheme 2 needs this

cachemgr.cgi has no interface for this, unfortunately

Fill in the IP
<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<meta name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"/>
	<meta name="MobileOptimized" content="320">
	<meta name="format-detection" content="telephone=no">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<title>squid</title>
</head>
<body>

<?php
	$up = "";
	if (isset($_GET['up']))
		$up = $_GET['up'];
?>
<form action="squid.php" method="get">
<input name="up" value="<?php echo htmlspecialchars($up); ?>" style="width:200px">
<input class="submit" type="submit" value="更新">
</form>
<?php

	echo date("Y-m-d H:i:s");
	echo "<br><br>";

	/* squid.sh copies this value into /etc/hosts, so besides the length
	   check only accept a well-formed IP address */
	if (strlen($up) > 3 && strlen($up) < 128 && filter_var($up, FILTER_VALIDATE_IP) !== false) {
		$myfile = fopen("squid.log", "w");
		fwrite($myfile, $up . " up.com\n");
		fclose($myfile);
	}
	if (file_exists("squid.log") && filesize("squid.log") > 0) {
		$myfile = fopen("squid.log", "r");
		echo htmlspecialchars(fread($myfile, filesize("squid.log")));
		fclose($myfile);
	}
?>
</body>
</html>
Refresh squid

#!/bin/sh
# */1 * * * * cd /var/www/html/; /var/www/html/squid.sh
# */1 * * * * sleep 30; cd /var/www/html/; /var/www/html/squid.sh
# chown -R www-data:www-data ../html/
# nothing to do when the up.com entry in /etc/hosts already matches squid.log
grep up.com /etc/hosts > hosts_tmp
if diff hosts_tmp squid.log > /dev/null; then exit; fi

grep -v up.com /etc/hosts > hosts
cat squid.log >> hosts
cp hosts /etc/

/usr/sbin/squid -k reconfigure -f /root/squid/squid.conf
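squid.sh merges whatever squid.log contains into /etc/hosts, as root from cron, without any check of its own, so the content of that file is the only thing standing between a web form and the resolver configuration. The functions below are an added example, not the post's script: they accept squid.log only when it holds exactly one "<IPv4> up.com" line, write the merged file atomically, and decide whether the hosts file actually changed so that "squid -k reconfigure" runs only when needed. Paths are parameters so everything runs on temporary files; the sample hosts file, the two squid.log variants and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example (not the post's squid.sh): validate the "<IPv4> up.com" line
# that squid.php writes into squid.log before it is merged into a hosts file,
# and decide whether a rewrite plus "squid -k reconfigure" is needed at all.
# Paths are parameters so everything below runs on temporary files; the sample
# hosts file and squid.log contents are constructed for this example.

# valid_ipv4 ADDR: succeed when ADDR is four dotted decimal octets in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_entry LINE: succeed only for exactly "<ipv4> up.com"
valid_entry() {
    set -- $1
    [ $# -eq 2 ] && [ "$2" = up.com ] && valid_ipv4 "$1"
}

# hosts_changed HOSTS LOG: succeed when the up.com line in HOSTS differs
# from LOG, i.e. when squid.sh actually has work to do
hosts_changed() {
    current=$(grep '[[:space:]]up\.com$' "$1" || true)
    [ "$current" != "$(cat "$2")" ]
}

# merge_hosts HOSTS LOG OUT: write HOSTS to OUT with its up.com line replaced
# by LOG's entry. Fails (and writes nothing) unless LOG is exactly one valid
# entry, so a malformed squid.log can never reach the real /etc/hosts.
merge_hosts() {
    hosts=$1; log=$2; out=$3
    [ "$(grep -c '' "$log")" -eq 1 ] || return 1
    entry=$(head -n 1 "$log")
    valid_entry "$entry" || return 1
    tmp="$out.tmp.$$"
    { grep -v '[[:space:]]up\.com$' "$hosts" || true; printf '%s\n' "$entry"; } > "$tmp"
    mv "$tmp" "$out"    # rename, so readers never see a half-written file
}

WORK=$(mktemp -d)
HOSTS="$WORK/hosts"
LOG_OK="$WORK/squid_ok.log"
LOG_BAD="$WORK/squid_bad.log"
printf '127.0.0.1 localhost\n1.2.3.4 up.com\n' > "$HOSTS"              # constructed current hosts file
printf '5.6.7.8 up.com\n' > "$LOG_OK"                                   # constructed: what squid.php writes
printf '5.6.7.8 up.com\nextra.example extra.example\n' > "$LOG_BAD"     # constructed: unexpected second line

if hosts_changed "$HOSTS" "$LOG_OK" && merge_hosts "$HOSTS" "$LOG_OK" "$WORK/hosts.new"; then
    echo "would reconfigure squid; new up.com line: $(grep up.com "$WORK/hosts.new")"
fi
merge_hosts "$HOSTS" "$LOG_BAD" "$WORK/hosts.bad" || echo "rejected squid_bad.log, hosts untouched"
```

In the real cron job the call would be `hosts_changed /etc/hosts squid.log && merge_hosts /etc/hosts squid.log /etc/hosts && squid -k reconfigure`, which keeps the original script's "exit early when nothing changed" behaviour while refusing anything that is not a single address line.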