分类目录归档:运维 & 基础架构

operations & infrastructure

Adjusting child processes for PHP-FPM (Nginx)


The following warning message appears in the logs:

[26-Jul-2012 09:49:59] WARNING: [pool www] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 32 children, there are 8 idle, and 58 total children
[26-Jul-2012 09:50:00] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

It means that there are not enough PHP-FPM processes. 继续阅读

How to enable SNMP monitoring for VMWare ESXi 6.0/6.5

You can do a lot of configuration of ESXi through the GUI, but one thing I’ve found that you cannot do is configure SNMP.

I can see in  the GUI that SNMP service is stopped, and that’s about it:


  • Even if you can manage to get the service started from the GUI, you’ll still have to set your community string somehow. I couldn’t exactly find a place to set that, so it’s off to the CLI we go.

So here’s how to enable SNMP and configure the community string/firewall on ESXi 6.0 or 6.5:





# yum -y install fail2ban




[root@s108c fail2ban]# ll /etc/fail2ban/jail.d/jail.local
-rw-r–r– 1 root root 174 Sep 12 10:27 /etc/fail2ban/jail.d/jail.local
[root@s108c fail2ban]# ll /etc/fail2ban/filter.d/authdaemond.conf
-rw-r–r– 1 root root 962 Sep 12 10:08 /etc/fail2ban/filter.d/authdaemond.conf


将/etc/fail2ban/fail2ban.conf配置中logtarget 指向日志要保存的文件

logtarget = /var/log/fail2ban.log 继续阅读


The Most Widely Deployed Vulnerability Assessment Solution

Nessus® has been deployed for vulnerability, configuration and compliance assessments by more than one million users across the globe. Nessus prevents network attacks by identifying the vulnerabilities and configuration issues that hackers use to penetrate your network.

Nessus Workflow

  1. Ensure that your setup meets the minimum system requirements:
  2. Obtain the proper Activation Code for Nessus.
  3. Follow the installation steps depending on your Nessus software and operating system:
  4. Perform the initial configuration steps for Nessus in the web front end.
  5. Create a user account.
  6. Create a scan.

Block IP Addresses With Windows Firewall 2008, 2012

If you ever feel that someone may be trying to break into your FTP or IIS server or know an IP address that you want to block from accessing your server there is a built in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address. Turning Windows Firewall On

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

  • Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
  • Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
  • Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.



1、nginx+php 出现404

No input file specified.

2017/08/25 16:13:45 [error] 4866#4866: *1 FastCGI sent in stderr: “Unable to open primary script: /var/www/xxx/phpinfo.php (Operation not permitted)” while reading response header from upstream, client:, server: localhost, request: “GET /phpinfo.php HTTP/1.1”, upstream: “fastcgi://”, host: “www.xxx.com” – – [25/Aug/2017:16:13:45 +0800] “GET /phpinfo.php HTTP/1.1” 404 36 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063” “-”



server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    access_log  /var/log/nginx/host.access.log  main;

        root   /var/www/xxx;
    location / {
        #root   /var/www/xxx;
        index  index.php index.html index.htm;

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;

    # proxy the PHP scripts to Apache listening on
    #location ~ \.php$ {
    #    proxy_pass;

    # pass the PHP scripts to FastCGI server listening on
    location ~ \.php$ {
     #   root           /var/www/xxx;
        #fastcgi_pass   unix:/tmp/php-fpm.sock;
        fastcgi_index  index.php;
        #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #location ~ /\.ht {
    #    deny  all;





LVS、Nginx 及 HAProxy 的工作原理

当前大多数的互联网系统都使用了服务器集群技术,集群是将相同服务部署在多台服务器上构成一个集群整体对外提供服务,这些集群可以是 Web 应用服务器集群,也可以是数据库服务器集群,还可以是分布式缓存服务器集群等等。

在实际应用中,在 Web 服务器集群之前总会有一台负载均衡服务器,负载均衡设备的任务就是作为 Web 服务器流量的入口,挑选最合适的一台 Web 服务器,将客户端的请求转发给它处理,实现客户端到真实服务端的透明转发。

最近几年很火的「云计算」以及分布式架构,本质上也是将后端服务器作为计算资源、存储资源,由某台管理服务器封装成一个服务对外提供,客户端不需要关心真正提供服务的是哪台机器,在它看来,就好像它面对的是一台拥有近乎无限能力的服务器,而本质上,真正提供服务的,是后端的集群。 继续阅读





  • 抓取所有经过eth1,目的或源地址是192.168.1.1的网络数据
tcpdump -i eth1 host
  • 指定源地址
tcpdump -i eth1 src host
  • 指定目的地址
tcpdump -i eth1 dst host



Python fabric远程自动部署简介



本文主要介绍CentOS 6.3上使用fabric进行自动部署的基本方法。 继续阅读

haproxy: restrict specific URLs to specific IP addresses

This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses. For example, to make sure your admin interface can only be accessed from your company IP address.

This snippet was tested on haproxy 1.5.

This snippet is tested on a Digital Ocean VPS. If you like this snippet and want to support me, plus get free credit @ DO, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212

This example restricts access to the /admin/ and /helpdesk URL’s. It only allows access from the IP addresses and Any other IP addresses will get the standard haproxy 403 forbidden error. 继续阅读