moon published posts

Modifying SElinux configure for allowing nginx reverse proxy local site

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    
    module nginxlocalconf 1.0;
    
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i nginxlocalconf.pp
    
    [root]# semodule -i nginxlocalconf.pp

To allow http server to connect local DB, like mysql, do as fllows:

# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1

To allow nginx(or apache, php-fpm, etc...) to write/read some dir, do as fllows:

semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
restorecon -r /path

see kuddusic.wordpress.com


How to fix permission denied under Linux with SELinux:
update-wordpress-with-selinux-enabled
install-wordpress-centos-7

暂别上海

今天来收拾打扫办公室,被办公室其他团队抛弃的一盆小草让我犯难了,就是这个
572D64D2-7568-4BEF-88FD-68D25922B488.jpeg

我自己当时养的一棵盆栽已经送给了庆庆,这棵盆栽不是我养的但办公室另一个团队走了之后我就成了他的继父。
把它放到楼梯口又留了个纸条后回来继续打扫办公室发现它有一条小小的根已经扎到了地板缝里,突然感觉好……
3A05117A-FB91-4D44-8320-8AD4EEE6B34A.jpeg

ASCII & urlencode 码表

ASCII码表

ASCII值 控制字符 ASCII值 控制字符 ASCII值 控制字符 ASCII值 控制字符
0 NUT 32 (space) 64 @ 96
1 SOH 33 ! 65 A 97 a
2 STX 34 " 66 B 98 b
3 ETX 35 # 67 C 99 c
4 EOT 36 $ 68 D 100 d
5 ENQ 37 % 69 E 101 e
6 ACK 38 & 70 F 102 f
7 BEL 39 , 71 G 103 g
8 BS 40 ( 72 H 104 h
9 HT 41 ) 73 I 105 i
10 LF 42 * 74 J 106 j
11 VT 43 + 75 K 107 k
12 FF 44 , 76 L 108 l
13 CR 45 - 77 M 109 m
14 SO 46 . 78 N 110 n
15 SI 47 / 79 O 111 o
16 DLE 48 0 80 P 112 p
17 DCI 49 1 81 Q 113 q
18 DC2 50 2 82 R 114 r
19 DC3 51 3 83 S 115 s
20 DC4 52 4 84 T 116 t
21 NAK 53 5 85 U 117 u
22 SYN 54 6 86 V 118 v
23 TB 55 7 87 W 119 w
24 CAN 56 8 88 X 120 x
25 EM 57 9 89 Y 121 y
26 SUB 58 : 90 Z 122 z
27 ESC 59 ; 91 [ 123 {
28 FS 60 < 92 / 124 |
29 GS 61 = 93 ] 125 }
30 RS 62 > 94 ^ 126 `
31 US 63 ? 95 _ 127 DEL

urlencode码表

%20spacebar
%21!
%23#
%24$
%25%
%26&
%27'
%28(
%29)
%2A*
%2B+
%2C,
%2E.
%2F/
%3A:
%3B;
%3D=
%3F?
%40@
%5B[
%5C/
%5D]

多边形逼近算法

  1. 道格拉斯-普克算法(Douglas–Peucker algorithm,亦称为拉默-道格拉斯-普克算法、迭代适应点算法、分裂与合并算法)是将曲线近似表示为一系列点,并减少点的数量的一种算法。该算法的原始类型分别由乌尔斯·拉默(Urs Ramer)于1972年以及大卫·道格拉斯(David Douglas)和托马斯·普克(Thomas Peucker)于1973年提出,并在之后的数十年中由其他学者予以完善。
    经典的Douglas-Peucker算法描述如下:
    (1)在曲线首尾两点A,B之间连接一条直线AB,该直线为曲线的弦;
    (2)得到曲线上离该直线段距离最大的点C,计算其与AB的距离d;
    (3)比较该距离与预先给定的阈值threshold的大小,如果小于threshold,则该直线段作为曲线的近似,该段曲线处理完毕。
    (4)如果距离大于阈值,则用C将曲线分为两段AC和BC,并分别对两段取信进行1~3的处理。
    (5)当所有曲线都处理完毕时,依次连接各个分割点形成的折线,即可以作为曲线的近似。
  2. Juan-Carlos Perez, Enrique Vidal,
    Optimum polygonal approximation of digitized curves,
    Pattern Recognition Letters,
    Volume 15, Issue 8,
    1994,
    Pages 743-750,
    ISSN 0167-8655,
    https://doi.org/10.1016/0167-8655(94)90002-7.
    (http://www.sciencedirect.com/science/article/pii/0167865594900027)
    Keywords: Polygonal Approximation; Shape Representation; Dominant Points; Dynamic Programming

Explaining command su

Running a command with substitute user is the typical use of command su under linux.

Sometimes, use -s option to running the specified shell instead of the default, this option may helps a lot when need to access user whose default shell is /sbin/nologin, usage like su -s /bin/bash jenkins

Explaining file /ets/sudoers

/ets/sudoers configure user(s) who can get root privileges under linux.
440 permission is on this file by default, so chmod +w operation is required before modify file, don't forget chmod -w once modified.

Some typical configs are as follow:

allow jenkins user restart uwsgi service via systemd:

jenkins     ALL  = NOPASSWD    : /bin/systemctl restart uwsgi

explain:

user        host = need passwd?: command 1, shell 2, ...

allow moon user access sudo privileges unconditional:

moon    ALL=(ALL)       NOPASSWD: ALL