Xakep Online
ХАКЕР.PRO
SYN/ACK

A few words about nginx
Nginx (engine x) is a high-performance HTTP server and mail proxy that is frugal with resources. It is usually deployed as an HTTP accelerator that hands all requests on to apache, or as a lightweight server for serving static content. It runs wordpress.com and most of Rambler's servers, and has been developed by Igor Sysoev since 2002.
# mkdir $JAIL/{dev,tmp}
# chmod 7777 $JAIL/tmp
Mount the devfs file system:
# mount -t devfs devfs $JAIL/dev
Create an IP alias and configure the firewall to redirect HTTP traffic to the jail's IP address:
# ifconfig ed0 inet alias 192.168.0.1/16
# ipfw add fwd 192.168.0.1,80 tcp from any to external-ip 80
Open the nginx configuration file and bring the server section into the following form:
# vi /usr/jail/nginx/etc/nginx/nginx.conf
server {
    listen 80;
    server_name www.host.ru;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
Note that the clever ports system has changed nginx's default file search paths by prefixing them with /usr/jail/nginx. So every relative path in the configuration file has to be replaced with an absolute one, i.e. instead of «include mime.types;» write «include /etc/nginx/mime.types;». That's it: the virtual server with nginx can now be started (the '-c' option lets us override the wrong default search path for the configuration file):
# jail /usr/jail/nginx nginx.jail 192.168.0.1 /sbin/nginx -c /etc/nginx/nginx.conf
To have nginx start at boot, add the following entries to /etc/rc.conf:
# vi /etc/rc.conf
ifconfig_ed0_alias0="inet 192.168.0.1"
jail_enable="YES"
jail_list="nginx"
jail_nginx_rootdir="/usr/jail/nginx"
jail_nginx_hostname="nginx.jail"
jail_nginx_ip="192.168.0.1"
# A full environment initialization is not needed; it is enough to start the service directly
jail_nginx_exec_start="/sbin/nginx -c /etc/nginx/nginx.conf"
# Stopping nginx by hand is not required either: before shutting down, the jail will neatly kill all its processes with kill
jail_nginx_exec_stop=""
# We only need devfs
jail_nginx_devfs_enable="YES"
jail_nginx_fdescfs_enable="NO"
jail_nginx_procfs_enable="NO"

sysctl variables you need to know about
1. security.jail.set_hostname_allowed: whether the jail superuser may change the jail server's network name (hostname). Worth disabling if the jail has been given a real network name registered in DNS zones.
2. security.jail.allow_raw_sockets: allow the jail superuser to create raw sockets. For security reasons the option is disabled, but that gets in the way of some network-debugging tools.
3. security.jail.chflags_allowed: allow jail processes to modify file system flags (chflags). Disabled by default, which opens up interesting possibilities for placing undeletable, unreadable or unwritable files in the jail.
Using the scheme described, practically any service that is not weighed down by a mass of dependencies can be put in a jail. In some cases you will have to fiddle with creating files and directories, and with tracking down the required libraries (some network servers, sshd for example, load libraries at run time, so ldd will not show everything and you will have to use lsof). /dev is another problem. It is quite reckless to open every file in that directory for reading, let alone writing, so access rights have to be regulated with dedicated devfs settings. The file /etc/defaults/devfs.rules contains the basic devfs rules for jails. By default it grants access to the auxiliary synthetic files such as /dev/null and /dev/random, plus pseudo-terminals. For most configurations the settings will not even need editing: it is enough to copy the file into /etc and add the following entry to /etc/rc.conf (with the jail's name in place of name):
jail_name_devfs_ruleset="devfsrules_jail"
If additional device files are needed, devfs.rules is easy to edit by adding the required rules. The syntax of the file and of the rules is described in the devfs(8) and devfs.rules(5) man pages.
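The two chores the article leaves to the reader, copying a binary plus the libraries ldd reports into the jail root and turning relative include directives in nginx.conf into absolute ones, as an added POSIX sh example (not code from the article or from FreeBSD). The ldd output format it parses ("name => /path (addr)" or "/path (addr)") is an assumption; the jail root and the sample nginx.conf in the demo are constructed. Libraries loaded at run time, the sshd case mentioned above, are invisible to ldd, so that part still needs lsof.

```sh
#!/bin/sh
# Added example (not from the article): populate a jail root with a binary and the
# shared libraries ldd reports, and rewrite relative `include` directives in an
# nginx.conf to absolute paths. Assumes a BSD/Linux-style ldd that prints
# "name => /path (addr)" or "/path (addr)" lines.
set -eu

# copy_with_parents SRC ROOT: copy SRC into ROOT, recreating its directory path.
# cp -p keeps mode bits, so a setuid binary would stay setuid inside the jail too.
copy_with_parents() {
    src=$1; root=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# populate_jail ROOT BIN...: copy each binary and every library ldd lists for it.
populate_jail() {
    root=$1; shift
    for bin in "$@"; do
        bin=$(command -v "$bin")        # resolve to an absolute path; fails if missing
        copy_with_parents "$bin" "$root"
        # Static binaries (or a missing ldd) make ldd fail; nothing more to copy then.
        if deps=$(ldd "$bin" 2>/dev/null); then
            printf '%s\n' "$deps" |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
            while read -r lib; do
                [ -f "$lib" ] || continue   # skip vdso and other pseudo-entries
                copy_with_parents "$lib" "$root"
            done
        fi
    done
}

# absolutize_includes CONF PREFIX: turn "include mime.types;" into
# "include PREFIX/mime.types;", leaving already-absolute includes untouched.
# Written to a temp file and moved back, since `sed -i` differs between BSD and GNU.
absolutize_includes() {
    conf=$1; prefix=$2
    sed "s|^\([[:space:]]*include[[:space:]][[:space:]]*\)\([^/;][^;]*\);|\1$prefix/\2;|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Stand-alone demo on a constructed jail root (the article uses /usr/jail/nginx).
if [ "${1:-}" = "--demo" ]; then
    JAIL=$(mktemp -d)
    populate_jail "$JAIL" sh
    printf 'http {\n    include mime.types;\n}\n' > "$JAIL/nginx.conf"
    absolutize_includes "$JAIL/nginx.conf" /etc/nginx
    cat "$JAIL/nginx.conf"
    find "$JAIL" -type f
    rm -rf "$JAIL"
fi
```

Run it as `sh populate.sh --demo` to see which files a minimal shell needs; for the article's setup you would call populate_jail "$JAIL" /sbin/nginx and absolutize_includes "$JAIL/etc/nginx/nginx.conf" /etc/nginx. Every library it copies lands at the same path inside the jail as outside, which is what the dynamic linker expects; it does not copy /dev entries, which stay under the devfs ruleset described above.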
ХАКЕР 04 /124/ 09