Posts in the category 默认分类 (Default)

In my daily work I sometimes need to use machines on the company intranet for testing, installing enterprise application systems such as ERP, CMS and CRM; some applications in actual use can also only be installed on the intranet. To make them reachable from outside, I set up port forwarding on the router, applied for a public IP and a domain name, and used DDNS-GO to resolve the domain to the public IP.

One problem: the domain has to be accessed with a non-80 port number (port 80 is blocked by China Telecom by default), which is not elegant and has always bothered me a little.

I recently applied for ICP filing (备案) for the domain, so fixing this moved up the agenda.

The desired end result: type the target URL into the browser and the original URL is served, while the browser never shows the original URL, thereby hiding the port number.
Target URL: t.targeturl.com
Original URL: originalurl.com:88

Through searching, I tried two solutions:
1. Explicit or implicit (hidden) URL forwarding at the domain registrar;
2. A reverse proxy via nginx.

Explicit URL forwarding, as the name suggests, means the browser address bar jumps straight to the original URL. In testing, the original URL was reached through the target URL, but the port was still exposed. Implicit (hidden) URL forwarding hid the original URL perfectly, but brought another problem: it also hides the URI, which makes some applications error out and become unusable.

A reverse proxy solved this perfectly. There is one prerequisite: you need a separate cloud host. I installed the BT (宝塔) panel on my cloud host, deployed an LNMP stack, and setting up the reverse proxy was easy.
Reference links:
https://juejin.cn/post/6844903808812728334
https://www.shopee6.com/web/web-tutorial/bt-reverse-proxy-acceleration-exemption-from-filing.html

The end result is very satisfying.
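To make the reverse-proxy step concrete, here is an added example of an nginx server block that does what this post describes. It is not the author's BT panel configuration; the host names t.targeturl.com and originalurl.com:88 are the placeholders from the post, and the timeouts are assumed values.

```nginx
# Added example (not the author's own config): nginx on the cloud host serves
# t.targeturl.com by proxying to originalurl.com:88, so the browser never
# sees the port. Host names are the placeholders used in the post.
server {
    listen 80;
    server_name t.targeturl.com;

    location / {
        # Full path and query string are passed through, unlike hidden URL
        # forwarding, so applications that depend on the URI keep working.
        proxy_pass http://originalurl.com:88;

        # Hand the public host name to the application so that links it
        # generates point at t.targeturl.com rather than originalurl.com:88.
        # Assumption: the upstream site accepts this Host header.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite Location/Refresh headers that still name the upstream, so an
        # application redirect does not leak originalurl.com:88 to the browser.
        proxy_redirect http://originalurl.com:88/ /;

        # Assumed timeouts for a port-forwarded home link.
        proxy_connect_timeout 10s;
        proxy_read_timeout 60s;
    }
}
```

Two things worth checking after reloading nginx: that a request which triggers an application redirect comes back with a Location header on t.targeturl.com (that is what proxy_redirect is for), and that the application's own absolute links in the HTML do not contain :88 (that depends on the Host header above, or on a base-URL setting inside the application). Because the proxy terminates the connection on the cloud host, TLS can later be added in this server block without touching the intranet machine.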

Over the past week I did a test installation of Pimcore, the currently popular PIM (Product Information Management) system.
Installing the latest version ran into problems and got stuck. The latest version also requires PHP 8 and MySQL 8, and its system requirements are high; the test machine could barely run it.
So I switched to installing Pimcore 6.9 instead, which went fairly smoothly.

The installation steps follow:

Set up the LNMP stack, then make the following settings.
1) Modify the PHP settings:
Disabled-functions list (disable_functions): putenv, proc_open
Installed extensions: opcache, imagick, fileinfo, etc.
2) Modify the MySQL settings:
In the BT panel, edit the MySQL configuration file and add the following line under [mysqld], then reload the configuration and restart MySQL:
log-bin-trust-function-creators=1
log_bin_trust_function_creators=1

3) Install Pimcore
Run the following commands:

Demo edition
COMPOSER_MEMORY_LIMIT=-1 composer create-project -vvv pimcore/demo=1.6.24 pimcore

Set directory permissions
chown -R www:www var web/var var/cache /www/wwwroot/pimcore

Install Pimcore: ./vendor/bin/pimcore-install

Unattended install: ./vendor/bin/pimcore-install --admin-username ryan --admin-password 123456 --mysql-username pimcore --mysql-password Cibirii.12 --mysql-database pimcore --no-interaction

Scheduled task: crontab -e -u www
*/5 * * * * /your/project/bin/console pimcore:maintenance

Set cache directory permissions: chown -R www:www /www/wwwroot/pim/pimdemo/var/cache

4) BT panel settings: create a new site;
in the site's settings, uncheck "cross-site attack protection" (open_basedir), and change the site root to the /project/pimcore/web subdirectory;
bind the domain; test access.

After the above is done, you also need to set the nginx rewrite (伪静态) rules; Apache rewrite rules were not tested. The rewrite rules are as follows:

# Set CSP
# Please note that CSP are very tricky and can be quite advanced to get right
# For most optimal security however they are absolutely mandatory
# There are ways to 'override' them for easier development
# However they should be carefully evaluated, defined and included 
# Referrer Policy
add_header Referrer-Policy same-origin;

# Feature Policy && Permissions Policy
# Note that Feature Policy is to be replaced with Permissions Policy
# See W3C Document regarding setup: https://github.com/w3c/webappsec-permissions-policy/blob/master/permissions-policy-explainer.md
# 
# Please check how to properly evaluate, define and include to your needs
# Thanks to: https://fearby.com/article/set-up-feature-policy-referrer-policy-and-content-security-policy-headers-in-nginx/
# For pre-writing these.
add_header Feature-Policy "geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none';";
add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()";

# set X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN" always;

# set Xss-Protection
add_header X-Xss-Protection "1; mode=block" always;

# X-Content-Type-Options 
add_header X-Content-Type-Options "nosniff" always;
### HTTP Header security

# Filesize depending on your data
client_max_body_size 100m;

# It is recommended to seclude logs per virtual host
access_log  /var/log/access.log;
error_log   /var/log/error.log error;

rewrite ^/cache-buster-(?:\d+)/(.*) /$1 last;

# Stay secure
#
# a) don't allow PHP in folders allowing file uploads
location ~* /var/assets/.*\.php(/|$) {
    return 404;
}
# b) Prevent clients from accessing hidden files (starting with a dot)
# Access to `/.well-known/` is allowed.
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known/) {
    deny all;
    log_not_found off;
    access_log off;
}
# c) Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf(ig)?|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
    deny all;
}

# Some Admin Modules need this:
# Database Admin, Server Info
location ~* ^/admin/(adminer|external) {
    rewrite .* /app.php$is_args$args last;
}

# Thumbnails
location ~* .*/(image|video)-thumb__\d+__.* {
    try_files /var/tmp/$1-thumbnails$uri /app.php;
    expires 2w;
    access_log off;
    add_header Cache-Control "public";
}

# Assets
# Still use a whitelist approach to prevent each and every missing asset to go through the PHP Engine.
location ~* ^(?!/admin)(.+?)\.((?:css|js)(?:\.map)?|jpe?g|gif|png|svgz?|eps|exe|gz|zip|mp\d|ogg|ogv|webm|pdf|docx?|xlsx?|pptx?)$ {
    try_files /var/assets$uri $uri =404;
    expires 2w;
    access_log off;
    log_not_found off;
    add_header Cache-Control "public";
}

location / {
    error_page 404 /meta/404;
    try_files $uri /app.php$is_args$args;
}

# Use this location when the installer has to be run
# location ~ /(app|install)\.php(/|$) {
#
# Use this after initial install is done:
location ~ ^/app\.php(/|$) {
    send_timeout 1800;
    fastcgi_read_timeout 1800;
    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Check that the PHP script exists before passing it
    try_files $fastcgi_script_name =404;
    # include fastcgi.conf if needed
    include fastcgi.conf;
    # Bypass the fact that try_files resets $fastcgi_path_info
    # see: http://trac.nginx.org/nginx/ticket/321
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;

    # Activate these, if using Symlinks and opcache
    # fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    # fastcgi_param DOCUMENT_ROOT $realpath_root;

    # fastcgi_pass php-pimcore6;
    # Prevents URIs that include the front controller. This will 404:
    # http://domain.tld/app.php/some-path
    # Remove the internal directive to allow URIs like this
    internal;
}

After that the site can be accessed.
[Screenshot: pimdemo snapshot.jpg]

In the last few days I tested AtroPIM again.
After upgrading to the latest version it is indeed no longer sluggish.
But the built-in auto-update tool still does not work; to upgrade, you still have to go into the backend and upgrade there.
Not perfect, so not quite satisfying. This issue still needs solving.
I checked the site logs and found the cause: it got stuck on the download address of the packages.json file.
I had put this file on an internal test address, which has no HTTPS.
To fix this, either change the address or add HTTPS to the internal test address.
Changing the address seems quicker, so this post will test whether Typecho can upload files.

Yesterday I took a quick look at Vue on my phone; my gut feeling is that it is much simpler than jQuery, which I had touched on a little before.
Since applications like PIM actually use Vue, it is worth learning a little and getting some understanding of it.
I am still thinking of designing some web pages myself.