Man Yue Mo z GitHub Security Lab se podrobně rozepsal o již opravené zranitelnosti CVE-2023-6241 v Arm Mali GPU umožňující získání roota na telefonu Pixel 8 s povoleným MTE (Memory Tagging Extension).
V San José probíhá vývojářská konference NVIDIA GTC 2024. CEO společnosti NVIDIA Jensen Huang měl dvouhodinovou keynote, ve které představil celou řadu novinek: NVIDIA Blackwell platform, NVIDIA NIM microservices, NVIDIA Omniverse Cloud APIs, Project GR00T, …
Byly zpracovány a na YouTube zveřejněny videozáznamy jednotlivých přednášek z letošního Installfestu.
Od 21. do 23. března proběhnou Arduino Days 2024. Sledovat bude možné oficiální streamy. Zúčastnit se lze i lokálních akcí. V Česku jsou aktuálně registrovány dvě: v Praze na Matfyzu a v Poličce v městské knihovně.
Letošní ročník konference LinuxDays se uskuteční o víkendu 12. a 13. října, opět se potkáme v pražských Dejvicích na FIT ČVUT. Také během letošního ročníku nás budou čekat desítky přednášek, workshopy, stánky a spousta doprovodného programu. Aktuální dění můžete sledovat na Twitteru, Facebooku nebo na Mastodonu, přidat se můžete také do telegramové diskusní skupiny.
Byla vydána nová major verze 2.0.0 a krátce na to opravné verze 2.0.1 open source online editoru Etherpad (Wikipedie) umožňujícího společné úpravy v reálném čase.
Matematický software GNU Octave byl vydán ve verzi 9.1.0. Podrobnosti v poznámkách k vydání. Nově je preferovaný grafický backend Qt a preferovaná verze Qt 6. V tomto vydání byly přepracovány funkce pro převod čísel z desítkové soustavy. Jako obvykle jsou zahrnuta také výkonnostní vylepšení a zlepšení kompatibility s Matlabem.
Společnost PINE64 stojící za telefony PinePhone nebo notebooky Pinebook publikovala na svém blogu březnový souhrn novinek. Vypíchnout lze, že pracují na virtuálním asistentu PineVox a zatím bezejmenných sluchátkách na lícní kosti (bone conduction).
Hyprland, kompozitor pro Wayland zaměřený na dláždění okny a zároveň grafické efekty, je již dva roky starý. Při té příležitosti byla vydána verze 0.37.0 (a záhy opravná 0.37.1 řešící chybu ve vykreslování oken). Nově závisí na knihovně hyprcursor, která poskytuje škálovatelné kurzory myši.
[root@vps html]# cat /etc/nginx/sites-available/00-default-ssl.conf # # Note: This file must be loaded before other virtual host config files, # # HTTPS server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name _; root /var/www/html/; index index.php index.html; include /etc/nginx/templates/misc.tmpl; include /etc/nginx/templates/ssl.tmpl; include /etc/nginx/templates/iredadmin.tmpl; # include /etc/nginx/templates/roundcube.tmpl; include /etc/nginx/templates/sogo.tmpl; include /etc/nginx/templates/netdata.tmpl; include /etc/nginx/templates/php-catchall.tmpl; include /etc/nginx/templates/stub_status.tmpl; include /etc/nginx/templates/nextcloud.tmpl; include /etc/nginx/templates/web.tmpl; }
[root@vps html]# cat /etc/nginx/templates/misc.tmpl # Allow access to '^/.well-known/' location ~ ^/.well-known/ { allow all; access_log off; log_not_found off; autoindex off; #root /var/www/html; } # Deny all attempts to access hidden files such as .htaccess. location ~ /\. { deny all; } # Handling noisy messages location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { access_log off; log_not_found off; } [root@vps html]# cat /etc/nginx/templates/ssl.tmpl ssl_protocols TLSv1.2 TLSv1.3; # Fix 'The Logjam Attack'. ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH; ssl_prefer_server_ciphers on; ssl_dhparam /etc/pki/tls/dh2048_param.pem; # Greatly improve the performance of keep-alive connections over SSL. # With this enabled, client is not necessary to do a full SSL-handshake for # every request, thus saving time and cpu-resources. ssl_session_cache shared:SSL:10m; # To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to # ssl cert/key used below, so that we can manage this config file with Ansible. # # For example: # # rm -f /etc/pki/tls/private/iRedMail.key # rm -f /etc/pki/tls/certs/iRedMail.crt # ln -s /etc/letsencrypt/live/domain/privkey.pem /etc/pki/tls/private/iRedMail.key # ln -s /etc/letsencrypt/live/domain/fullchain.pem /etc/pki/tls/certs/iRedMail.crt # # To request free "Let's Encrypt" cert, please check our tutorial: # https://docs.iredmail.org/letsencrypt.html ssl_certificate /etc/pki/tls/certs/iRedMail.crt; ssl_certificate_key /etc/pki/tls/private/iRedMail.key;
[root@vps html]# cat /etc/nginx/templates/iredadmin.tmpl # Settings for iRedAdmin. # static files under /iredadmin/static location ~ ^/iredadmin/static/(.*) { alias /opt/www/iredadmin/static/$1; } # Python scripts location ~ ^/iredadmin(.*) { rewrite ^/iredadmin(/.*)$ $1 break; include /etc/nginx/templates/hsts.tmpl; include uwsgi_params; uwsgi_pass 127.0.0.1:7791; uwsgi_param UWSGI_CHDIR /opt/www/iredadmin; uwsgi_param UWSGI_SCRIPT iredadmin; uwsgi_param SCRIPT_NAME /iredadmin; # Access control #allow 127.0.0.1; #allow 192.168.1.10; #allow 192.168.1.0/24; #deny all; } # iRedAdmin: redirect /iredadmin to /iredadmin/ location = /iredadmin { rewrite ^ /iredadmin/; } # Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro. location ~ ^/newsletter/ { rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last; }
[root@vps html]# cat /etc/nginx/templates/sogo.tmpl # Settings for SOGo Groupware # SOGo location ~ ^/sogo { rewrite ^ https://$host/SOGo; } location ~ ^/SOGO { rewrite ^ https://$host/SOGo; } # Redirect /mail to /SOGo location ~ ^/mail { rewrite ^ https://$host/SOGo; } # For Mac OS X and iOS devices. rewrite ^/.well-known/caldav /SOGo/dav permanent; rewrite ^/.well-known/carddav /SOGo/dav permanent; rewrite ^/principals /SOGo/dav permanent; location ^~ /SOGo { include /etc/nginx/templates/hsts.tmpl; proxy_pass http://127.0.0.1:20000; # forward user's IP address proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; # always use https proxy_set_header x-webobjects-server-port $server_port; proxy_set_header x-webobjects-server-name $host; proxy_set_header x-webobjects-server-url https://$host; proxy_set_header x-webobjects-server-protocol HTTP/1.0; proxy_busy_buffers_size 64k; proxy_buffers 8 64k; proxy_buffer_size 64k; } location ^~ /Microsoft-Server-ActiveSync { proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; proxy_connect_timeout 3540; proxy_send_timeout 3540; proxy_read_timeout 3540; proxy_busy_buffers_size 64k; proxy_buffers 8 64k; proxy_buffer_size 64k; } location ^~ /SOGo/Microsoft-Server-ActiveSync { proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; proxy_connect_timeout 3540; proxy_send_timeout 3540; proxy_read_timeout 3540; proxy_busy_buffers_size 64k; proxy_buffers 8 64k; proxy_buffer_size 64k; } location /SOGo.woa/WebServerResources/ { alias /usr/lib64/GNUstep/SOGo/WebServerResources/; expires max; } location /SOGo/WebServerResources/ { alias /usr/lib64/GNUstep/SOGo/WebServerResources/; expires max; } location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ { alias /usr/lib64/GNUstep/SOGo/$1.SOGo/Resources/$2; expires max; }
[root@vps html]# cat /etc/nginx/templates/netdata.tmpl # Running netdata as a subfolder to an existing virtual host # FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx location = /netdata { return 301 /netdata/; } location ~ /netdata/(? ndpath .*) { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_pass_request_headers on; proxy_set_header Connection "keep-alive"; proxy_store off; proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args; gzip on; gzip_proxied any; gzip_types *; auth_basic "Authentication Required"; auth_basic_user_file /etc/nginx/netdata.users; }
[root@vps html]# cat /etc/nginx/templates/php-catchall.tmpl # Normal PHP scripts location ~ \.php$ { include /etc/nginx/templates/fastcgi_php.tmpl; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; }
[root@vps html]# cat /etc/nginx/templates/stub_status.tmpl location = /stub_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location = /status { include fastcgi_params; fastcgi_pass php_workers; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; access_log off; allow 127.0.0.1; deny all; }
[root@vps html]# cat /etc/nginx/templates/nextcloud.tmpl location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location /.well-known/acme-challenge { } location ^~ /nextcloud { # set max upload size client_max_body_size 512M; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; location /nextcloud { rewrite ^ /nextcloud/index.php$request_uri; } location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^\/nextcloud\/(?:updater|ocs-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js, css and map files # Make sure it is BELOW the PHP block location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /nextcloud/index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; # Add headers to serve security related headers (It is intended # to have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read # into this topic first. # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; # Optional: Don't log access to assets access_log off; } location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /nextcloud/index.php$request_uri; # Optional: Don't log access to other assets access_log off; } }
[root@vps html]# cat /etc/nginx/conf-available/php_fpm.conf upstream php_workers { server 127.0.0.1:9999; } upstream php-handler { server 127.0.0.1:9000; # server unix:/var/run/php/php7.4-fpm.sock; }
2022/04/06 11:48:31 [error] 183326#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: _, request: "GET /web/index.php HTTP/2.0", upstream: "fastcgi://127.0.0.1:9999", host: "xxxxxxx.xx"
Řešení dotazu:
upstream php_workers { server 127.0.0.1:9999; } upstream php-handler { server 127.0.0.1:9000; # server unix:/var/run/php/php7.4-fpm.sock; }
Kdepak, ten běží.
[root@vps ~]# systemctl status php-fpm.service ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2022-04-06 10:35:33 CEST; 5h 36min ago Main PID: 179534 (php-fpm) Status: "Processes active: 0, idle: 6, Requests: 869, slow: 0, Traffic: 0req/sec" Tasks: 7 (limit: 24932) Memory: 115.6M CGroup: /system.slice/php-fpm.service ├─179534 php-fpm: master process (/etc/php-fpm.conf) ├─190997 php-fpm: pool inet ├─191040 php-fpm: pool inet ├─191044 php-fpm: pool inet ├─191083 php-fpm: pool inet ├─191087 php-fpm: pool inet └─191616 php-fpm: pool inet Apr 06 14:16:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 179539 exited with code 0 after 13250.376719 seconds from start Apr 06 14:16:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 191040 started Apr 06 14:16:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179538 exited with code 0 after 13280.381147 seconds from start Apr 06 14:16:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191044 started Apr 06 14:17:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 179536 exited with code 0 after 13310.377432 seconds from start Apr 06 14:17:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 191083 started Apr 06 14:17:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179537 exited with code 0 after 13340.382813 seconds from start Apr 06 14:17:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191087 started Apr 06 14:28:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179596 exited with code 0 after 13966.336811 seconds from start Apr 06 14:28:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191616 started
telnet 127.0.0.1 9999 curl 'http://127.0.0.1:9999/'Ten port je divný, přijde mi, že log nedpovídá konfiguraci. Vidím ho jen u
php_workers
, které se použije jen u location = /status
. Funguje správně reloadování?
sudo nginx -tZmění se port v logu, pokud ho změníš u
php_workers
?
[root@vps ~]# ss -lntp State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 5 127.0.0.1:20000 0.0.0.0:* users:(("sogod",pid=1469,fd=4),("sogod",pid=1468,fd=4),("sogod",pid=1467,fd=4),("sogod",pid=1466,fd=4),("sogod",pid=1465,fd=4),("sogod",pid=1464,fd=4),("sogod",pid=1463,fd=4),("sogod",pid=1462,fd=4),("sogod",pid=1461,fd=4),("sogod",pid=1460,fd=4),("sogod",pid=1433,fd=4)) LISTEN 0 5 127.0.0.1:7777 0.0.0.0:* users:(("python3",pid=1505,fd=6)) LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=1134,fd=50)) LISTEN 0 5 127.0.0.1:7778 0.0.0.0:* users:(("python3",pid=1505,fd=7)) LISTEN 0 5 127.0.0.1:7779 0.0.0.0:* users:(("python3",pid=1505,fd=8)) LISTEN 0 100 0.0.0.0:995 0.0.0.0:* users:(("dovecot",pid=1134,fd=30)) LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("php-fpm",pid=270596,fd=12),("php-fpm",pid=269997,fd=12),("php-fpm",pid=269983,fd=12),("php-fpm",pid=269949,fd=12),("php-fpm",pid=269904,fd=12),("php-fpm",pid=269865,fd=12),("php-fpm",pid=269449,fd=12),("php-fpm",pid=179534,fd=9)) LISTEN 0 128 127.0.0.1:10024 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=7),("/usr/sbin/amavi",pid=1671,fd=7),("/usr/sbin/amavi",pid=1670,fd=7),("/usr/sbin/amavi",pid=1669,fd=7),("/usr/sbin/amavi",pid=1494,fd=7)) LISTEN 0 100 127.0.0.1:10025 0.0.0.0:* users:(("master",pid=1512,fd=121)) LISTEN 0 128 127.0.0.1:10026 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=8),("/usr/sbin/amavi",pid=1671,fd=8),("/usr/sbin/amavi",pid=1670,fd=8),("/usr/sbin/amavi",pid=1669,fd=8),("/usr/sbin/amavi",pid=1494,fd=8)) LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=1512,fd=104)) LISTEN 0 128 127.0.0.1:10027 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=9),("/usr/sbin/amavi",pid=1671,fd=9),("/usr/sbin/amavi",pid=1670,fd=9),("/usr/sbin/amavi",pid=1669,fd=9),("/usr/sbin/amavi",pid=1494,fd=9)) LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=637,fd=23)) LISTEN 0 100 127.0.0.1:10028 0.0.0.0:* users:(("master",pid=1512,fd=124)) LISTEN 0 128 127.0.0.1:9998 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=10),("/usr/sbin/amavi",pid=1671,fd=10),("/usr/sbin/amavi",pid=1670,fd=10),("/usr/sbin/amavi",pid=1669,fd=10),("/usr/sbin/amavi",pid=1494,fd=10)) LISTEN 0 100 0.0.0.0:110 0.0.0.0:* users:(("dovecot",pid=1134,fd=28)) LISTEN 0 100 127.0.0.1:7790 0.0.0.0:* users:(("uwsgi",pid=1431,fd=10),("uwsgi",pid=1430,fd=10),("uwsgi",pid=1429,fd=10),("uwsgi",pid=1428,fd=10),("uwsgi",pid=1427,fd=10),("uwsgi",pid=1049,fd=10)) LISTEN 0 128 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=1134,fd=48)) LISTEN 0 100 127.0.0.1:7791 0.0.0.0:* users:(("uwsgi",pid=1478,fd=10),("uwsgi",pid=1477,fd=10),("uwsgi",pid=1476,fd=10),("uwsgi",pid=1475,fd=10),("uwsgi",pid=1474,fd=10),("uwsgi",pid=1061,fd=10)) LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=183326,fd=10),("nginx",pid=183325,fd=10)) LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=1512,fd=108)) LISTEN 0 128 127.0.0.1:24242 0.0.0.0:* users:(("stats",pid=1411,fd=10),("dovecot",pid=1134,fd=23)) LISTEN 0 100 127.0.0.1:12340 0.0.0.0:* users:(("dovecot",pid=1134,fd=71)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=644,fd=5)) LISTEN 0 100 127.0.0.1:24 0.0.0.0:* users:(("lmtp",pid=1407,fd=9),("lmtp",pid=1406,fd=9),("lmtp",pid=1405,fd=9),("lmtp",pid=1404,fd=9),("lmtp",pid=1397,fd=9),("dovecot",pid=1134,fd=38)) LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1512,fd=16)) LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=183326,fd=8),("nginx",pid=183325,fd=8)) LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=251411,fd=75)) LISTEN 0 100 127.0.0.1:4190 0.0.0.0:* users:(("dovecot",pid=1134,fd=18)) LISTEN 0 128 127.0.0.1:19999 0.0.0.0:* users:(("netdata",pid=251411,fd=5)) LISTEN 0 128 [::]:993 [::]:* users:(("dovecot",pid=1134,fd=51)) LISTEN 0 100 [::]:995 [::]:* users:(("dovecot",pid=1134,fd=31)) LISTEN 0 128 *:3306 *:* users:(("mysqld",pid=832,fd=24)) LISTEN 0 100 [::]:587 [::]:* users:(("master",pid=1512,fd=105)) LISTEN 0 100 [::]:110 [::]:* users:(("dovecot",pid=1134,fd=29)) LISTEN 0 128 [::]:143 [::]:* users:(("dovecot",pid=1134,fd=49)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=183326,fd=11),("nginx",pid=183325,fd=11)) LISTEN 0 100 [::]:465 [::]:* users:(("master",pid=1512,fd=109)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=644,fd=7)) LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=1512,fd=17)) LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=183326,fd=9),("nginx",pid=183325,fd=9)) LISTEN 0 128 [::1]:8125 [::]:* users:(("netdata",pid=251411,fd=64))
[root@vps ~]# curl 'http://127.0.0.1:9999/' curl: (7) Failed to connect to 127.0.0.1 port 9999: Connection refused
Pardon, jsem totálně slepý.
V /etc/nginx/conf-enabled/php_fpm.conf změněn port na 9000 a všechno jede
upstream php_workers { server 127.0.0.1:9000; } upstream php-handler { server 127.0.0.1:9000; # server unix:/var/run/php/php7.4-fpm.sock; }
Mocrát děkuji
Tiskni Sdílej: