Policy routing configuration

Recently I have been testing DNS servers that run OSPF directly with the switches. The two uplink NICs connect to two switches and form neighbours with them. The server has no static default route; it learns the default route while exchanging routes with the upstream routers. The remaining NIC, attached to the office network, only has an IP bound to it. Because this is a test environment, the catch is that the uplinks cannot actually reach the Internet, so I set up policy routing separately to work around that. The goal is modest: be able to ssh into the server from the office network, and let the server reach a few external addresses (8.8.8.8 for DNS resolution, for example). The configuration is quite simple:

1. Add a routing table:

# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
200 dns

2. Give table 200 its routes (the same lines go into route-eth0 so they survive a reboot), then add the rules that select the table:

# cat route-eth0
table dns 192.1.159.0/24 via 192.1.159.254 dev eth0
table dns default via 192.1.159.254 dev eth0

ip route add 192.1.159.0/24 via 192.1.159.254 dev eth0 table dns
ip route add default via 192.1.159.254 dev eth0 table dns

ip rule add to 8.8.8.8 table dns
ip rule add from 192.1.159.210 table dns
ip rule add to 192.242.252.0/24 table dns

The "from 192.1.159.210" rule is what makes this work for ssh: replies to office clients are sourced from the office-side address, so they are sent back out through eth0 instead of following the OSPF-learned default route on the uplinks.
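The same setup as an idempotent script, added here as an example and not part of the original post. It assumes the values from the post (table "dns" with ID 200, eth0, office subnet 192.1.159.0/24 via 192.1.159.254, local address 192.1.159.210, 8.8.8.8 and 192.242.252.0/24 as the destinations that must leave via the office NIC); it swaps "ip route add" for "ip route replace" and clears the table's old rules first so re-running it does not stack duplicate rules, and it finishes with "ip route get" so you can see which path the kernel actually picks.

```sh
#!/bin/sh
# Added example, not code from the original post. Values below are assumptions
# taken from the post; override them in the environment for another host.
TABLE_NAME=${TABLE_NAME:-dns}
TABLE_ID=${TABLE_ID:-200}
DEV=${DEV:-eth0}
OFFICE_NET=${OFFICE_NET:-192.1.159.0/24}
OFFICE_GW=${OFFICE_GW:-192.1.159.254}
OFFICE_IP=${OFFICE_IP:-192.1.159.210}
EXTRA_DST=${EXTRA_DST:-192.242.252.0/24}
# Point RT_TABLES at a scratch file to exercise the script without root.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# Register the table name exactly once; a second run must not append again.
pr_ensure_table() {
    touch "$RT_TABLES"
    if ! grep -Eq "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME([[:space:]]|\$)" "$RT_TABLES"; then
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Emit the ip(8) commands. "route replace" is idempotent; "rule add" is not,
# so every rule pointing at the table is deleted first (the loop ends when
# "ip rule del" finds nothing left to delete).
pr_commands() {
    cat <<EOF
while ip rule del table $TABLE_NAME 2>/dev/null; do :; done
ip route replace $OFFICE_NET via $OFFICE_GW dev $DEV table $TABLE_NAME
ip route replace default via $OFFICE_GW dev $DEV table $TABLE_NAME
ip rule add to 8.8.8.8 table $TABLE_NAME
ip rule add from $OFFICE_IP table $TABLE_NAME
ip rule add to $EXTRA_DST table $TABLE_NAME
EOF
}

# Apply as root, then show what the kernel will do for a DNS query to 8.8.8.8
# and for a packet sourced from the office-side address (an ssh reply).
pr_apply() {
    pr_ensure_table
    pr_commands | sh -e
    ip rule show
    ip route show table "$TABLE_NAME"
    ip route get 8.8.8.8
    ip route get 192.242.252.1 from "$OFFICE_IP"
}

case "${1:-}" in
    show)  pr_commands ;;
    apply) pr_apply ;;
esac
```

Run "sh policy-route.sh show" to review the commands and "sh policy-route.sh apply" as root to install them. One check worth doing afterwards: if clients from a second office subnet cannot connect even though ssh from 192.1.159.0/24 works, look at net.ipv4.conf.eth0.rp_filter; in strict mode the reverse-path lookup for the client's source address must also resolve via eth0, which is exactly what the "to 192.242.252.0/24" rule provides for that subnet.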

July 6, 2013 · 1 min · pm

Why TIME_WAIT exists

There are two reasons for TIME_WAIT:

1. It makes the full-duplex close of a TCP connection reliable. TIME_WAIT appears on the side that closes actively because, after that side sends the final ACK, the ACK (or the peer's last FIN) may be lost, in which case the peer times out and retransmits its last FIN. Thanks to TIME_WAIT the active closer can retransmit the final ACK when that happens; without it, the retransmitted FIN would arrive for a connection that no longer exists and could only be answered with an RST. Note that TIME_WAIT is always counted from the moment the last FIN is received: receiving a retransmitted FIN from the peer restarts the timer.

2. It lets old duplicate segments expire. The lifetime of each IP datagram is bounded by its TTL (an 8-bit field, so at most 255 hops). MSL is the maximum segment lifetime; on Linux it is 30 s, so TIME_WAIT lasts 2MSL = 60 s. A new incarnation of the same connection (same four-tuple) can only be started after 2MSL, which guarantees that stale duplicate segments from the previous incarnation cannot turn up in the new one and be mistaken for its segments.

June 4, 2013 · 1 min · pm

ESTABLISHED, TIME-WAIT and network traffic

A colleague looked at two monitoring graphs and asked why the number of TCP connections barely changed while the NIC traffic grew quite a bit. This is easy to analyse: the connections between the application servers and the front-end LB are persistent keepalive connections. When the request volume on a single application server is not too high, the connection count seen on that server is not linearly related to the number of user requests; how many connections stay up depends mainly on how many idle connections the front-end LB is configured to keep. But each persistent connection on the back-end application server (Apache) handles at most 100 requests by default (MaxKeepAliveRequests), so as business volume rises you see the TIME_WAIT count rise, and NIC traffic rises with it.
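The quick check behind both this post and the TIME_WAIT post above is to tally socket states per local port and see who holds the TIME-WAIT sockets. The script below is an added example, not from either post: it parses "ss -tan" output with awk. The sample is constructed to look like an Apache backend on port 80 behind a load balancer at 10.0.0.5; the addresses are made up.

```sh
#!/bin/sh
# Added example, not code from the original posts. SAMPLE_SS is constructed
# "ss -tan" output so the functions can be exercised offline.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:80                 *:*
ESTAB      0      0      10.0.1.20:80         10.0.0.5:41002
ESTAB      0      0      10.0.1.20:80         10.0.0.5:41003
TIME-WAIT  0      0      10.0.1.20:80         10.0.0.5:40990
TIME-WAIT  0      0      10.0.1.20:80         10.0.0.5:40991
TIME-WAIT  0      0      10.0.1.20:80         10.0.0.5:40992
ESTAB      0      0      10.0.1.20:22         192.1.159.210:51234
TIME-WAIT  0      0      10.0.1.20:80         10.0.0.6:38811'

# tcp_state_counts [PORT]: read "ss -tan" text on stdin and print "STATE COUNT"
# for the given local port (all ports when omitted), sorted by state name.
tcp_state_counts() {
    awk -v port="${1:-}" 'NR > 1 {
        n = split($4, a, ":")            # local address is field 4; port after the last ":"
        if (port == "" || a[n] == port) c[$1]++
    }
    END { for (s in c) print s, c[s] }' | sort
}

# timewait_peers PORT: which peers the TIME-WAIT sockets on PORT point at.
# On a keepalive LB setup they all point at the LB; TIME-WAIT growing while
# ESTAB stays flat means the LB is cycling connections (e.g. Apache closed
# them after MaxKeepAliveRequests), not that more clients are connecting.
timewait_peers() {
    awk -v port="$1" 'NR > 1 && $1 == "TIME-WAIT" {
        n = split($4, a, ":")
        if (a[n] != port) next
        m = split($5, b, ":")
        host = substr($5, 1, length($5) - length(b[m]) - 1)   # strip ":port"
        p[host]++
    }
    END { for (h in p) print h, p[h] }' | sort
}

# Live use on the server:  ss -tan | tcp_state_counts 80 ; ss -tan | timewait_peers 80
printf '%s\n' "$SAMPLE_SS" | tcp_state_counts 80
printf '%s\n' "$SAMPLE_SS" | timewait_peers 80
```

Because the active closer is the side that ends up in TIME-WAIT, the second function also tells you which end closed: TIME-WAIT sockets on the backend whose peer is the LB mean the backend closed them, which is the Apache behaviour described above.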

April 19, 2013 · 1 min · pm

VPS iptables configuration

When you use a VPS you naturally think about security too, so here is a simple iptables setup. I will just paste the two scripts I wrote. First, write a script that clears the rules and resets the default policy and put it in crontab, so that a mistake in the rules cannot lock you out.

Cleanup script:

#!/bin/bash
source /etc/profile
DIR=$(dirname "$0")
LOG=$DIR/clean.log
iptables -F
iptables -X
iptables -Z                  # reset counters
iptables -P INPUT ACCEPT     # set default action for INPUT packets
date > "$LOG"
echo "clean the iptables rule" >> "$LOG"

Rule script:

#!/bin/bash
# for my vps
iptables -F                  # remove all rules
iptables -X                  # remove all chains defined by myself
iptables -Z                  # reset counters
iptables -P INPUT DROP       # set default action for INPUT packets
iptables -P OUTPUT ACCEPT    # set default action for OUTPUT packets
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT        # allow all traffic through lo
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # allow all established and related INPUT
for port in 22 80 443
do
    iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
done
iptables -A INPUT -p icmp -m limit --limit 20/m -j ACCEPT

These rules are IPv4 only: if the VPS also has an IPv6 address, ip6tables needs an equivalent policy, otherwise everything stays reachable over v6.

View the rules: ...
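An added example, not the post's own scripts: the same policy written as an iptables-restore ruleset so it is applied atomically (no window between "-F" and the ACCEPT rules where the DROP policy is already live), together with a rollback timer that does what the cron cleanup job above does, but only when you fail to confirm. Assumptions: the same ports 22, 80 and 443; a confirm file under /run; iptables-save and iptables-restore present (they ship with iptables). It uses the conntrack match, which is the current name for the state match used in the post, and adds a FORWARD DROP policy, an INVALID drop, and restricts the ICMP rate limit to echo-request.

```sh
#!/bin/sh
# Added example, not code from the original post. PORTS and CONFIRM are
# assumptions; override them in the environment.
PORTS=${PORTS:-"22 80 443"}
CONFIRM=${CONFIRM:-/run/fw.confirmed}

# Print the ruleset in iptables-save format. Policies go in the chain headers;
# FORWARD is dropped as well since a VPS is not a router. Returned traffic is
# matched by conntrack state, so only NEW connections need explicit ACCEPTs.
fw_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/minute -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Apply the ruleset, but restore the previous rules after $1 seconds unless the
# confirm file appears. Open a second ssh session, then: touch /run/fw.confirmed
fw_apply_with_rollback() {
    secs=${1:-120}
    saved=$(mktemp)
    iptables-save > "$saved"
    rm -f "$CONFIRM"
    # --test parses the whole ruleset first, so a typo fails before anything changes
    fw_ruleset | iptables-restore --test && fw_ruleset | iptables-restore
    (
        sleep "$secs"
        if [ ! -e "$CONFIRM" ]; then
            iptables-restore < "$saved"
            logger -t fw "no confirmation within ${secs}s, previous rules restored"
        fi
        rm -f "$saved"
    ) &
}

case "${1:-}" in
    show)  fw_ruleset ;;
    apply) fw_apply_with_rollback "${2:-120}" ;;
esac
```

"sh fw.sh show" prints the ruleset for review; "sh fw.sh apply 120" installs it and gives you two minutes to log in again and touch the confirm file. Unlike a cron job that flushes everything on a schedule, the rollback restores the exact previous ruleset and only fires when confirmation never arrives.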

March 31, 2013 · 2 min · pm

On the 400 and 408 errors in nginx logs

Today someone in a chat group said that the nginx doing SSL offload had a lot of 408 errors in its logs. I checked our servers and indeed there were many, a non-trivial share, several percent. For the meaning of the HTTP status codes see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes:

400 Bad Request: The request cannot be fulfilled due to bad syntax.
408 Request Timeout: The server timed out waiting for the request. According to the W3 HTTP specification: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."

A 408 is produced when the client has not finished sending its request within the configured time (client_header_timeout and client_body_timeout, both 60 s by default in nginx). The main cause is modern browsers: Chrome, for example, opens around 10 connections in parallel when loading a page, of which only one is actually used. The browser leaves the others open regardless, and the server eventually cuts them off when the timeout expires. I captured packets to confirm this. On my VPS I opened two windows, one for tcpdump and one to watch the log, filtered the capture to SYN and FIN packets only, and then opened my blog in Chrome.

tcpdump -i venet0 host 218.109.58.145 and 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:05:46.564166 IP 218.109.58.145.63349 > 184.82.227.17.443: Flags [S], seq 1769258416, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.564202 IP 184.82.227.17.443 > 218.109.58.145.63349: Flags [S.], seq 1090238511, ack 1769258417, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.579764 IP 218.109.58.145.63350 > 184.82.227.17.443: Flags [S], seq 2476535492, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.579790 IP 184.82.227.17.443 > 218.109.58.145.63350: Flags [S.], seq 1079878779, ack 2476535493, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.580418 IP 218.109.58.145.63351 > 184.82.227.17.443: Flags [S], seq 3924057720, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.580444 IP 184.82.227.17.443 > 218.109.58.145.63351: Flags [S.], seq 1076802158, ack 3924057721, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.583872 IP 218.109.58.145.63352 > 184.82.227.17.443: Flags [S], seq 1351188747, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.583897 IP 184.82.227.17.443 > 218.109.58.145.63352: Flags [S.], seq 1085259777, ack 1351188748, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.591067 IP 218.109.58.145.63353 > 184.82.227.17.443: Flags [S], seq 3937887977, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.591094 IP 184.82.227.17.443 > 218.109.58.145.63353: Flags [S.], seq 1089841397, ack 3937887978, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.592480 IP 218.109.58.145.63354 > 184.82.227.17.443: Flags [S], seq 1123849790, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.592504 IP 184.82.227.17.443 > 218.109.58.145.63354: Flags [S.], seq 1090612586, ack 1123849791, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.593123 IP 218.109.58.145.63355 > 184.82.227.17.443: Flags [S], seq 4065204445, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.593149 IP 184.82.227.17.443 > 218.109.58.145.63355: Flags [S.], seq 1080746021, ack 4065204446, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:46.831197 IP 218.109.58.145.63357 > 184.82.227.17.443: Flags [S], seq 3474172840, win 8192, options [mss 1452,nop,nop,sackOK], length 0
15:05:46.831235 IP 184.82.227.17.443 > 218.109.58.145.63357: Flags [S.], seq 1084428126, ack 3474172841, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:05:54.366066 IP 184.82.227.17.443 > 218.109.58.145.63349: Flags [F.], seq 22377, ack 810, win 8576, length 0
15:05:57.138228 IP 218.109.58.145.63357 > 184.82.227.17.443: Flags [F.], seq 1, ack 1, win 17520, length 0
15:05:57.138506 IP 184.82.227.17.443 > 218.109.58.145.63357: Flags [F.], seq 1, ack 2, win 5840, length 0
15:05:57.780671 IP 218.109.58.145.63349 > 184.82.227.17.443: Flags [F.], seq 810, ack 22378, win 17483, length 0
15:06:46.859866 IP 184.82.227.17.443 > 218.109.58.145.63350: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:46.860807 IP 184.82.227.17.443 > 218.109.58.145.63351: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:46.861809 IP 184.82.227.17.443 > 218.109.58.145.63352: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:46.864806 IP 184.82.227.17.443 > 218.109.58.145.63353: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:46.865888 IP 184.82.227.17.443 > 218.109.58.145.63355: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:46.866803 IP 184.82.227.17.443 > 218.109.58.145.63354: Flags [F.], seq 6079, ack 389, win 7504, length 0
15:06:47.756153 IP 218.109.58.145.63350 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:47.756168 IP 218.109.58.145.63355 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:47.756569 IP 218.109.58.145.63353 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:47.757960 IP 218.109.58.145.63351 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:47.758234 IP 218.109.58.145.63352 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:47.759712 IP 218.109.58.145.63354 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0
15:06:48.361787 IP 218.109.58.145.63350 > 184.82.227.17.443: Flags [F.], seq 389, ack 6080, win 17250, length 0

Eight connections are opened within about 30 ms. Two of them carry a request: 63349 transfers the page (22377 bytes from the server) and closes after 8 s, and 63357 is closed by the client after 10 s without sending anything (the 400 line below). The other six only complete the TLS handshake (6079 bytes from the server, 389 from the client) and then sit idle until the server sends FIN at 15:06:46, 60 s after the SYN, which is exactly the client_header_timeout and matches the six 408 entries in the log.

In the nginx log:
- - 218.109.58.145:63185 - - [10/Mar/2013:15:03:40 +0000] gnuers.org "GET / HTTP/1.1" 200 15929 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "-" "unix:/var/run/php5-fpm.sock" 1.449 0.289
- - 218.109.58.145:63186 - - [10/Mar/2013:15:03:49 +0000] localhost "-" 400 0 "-" "-" "-" "-" 0.000 -
- - 218.109.58.145:63179 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.999 -
- - 218.109.58.145:63180 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 60.000 -
- - 218.109.58.145:63181 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.991 -
- - 218.109.58.145:63182 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.991 -
- - 218.109.58.145:63183 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.992 -
- - 218.109.58.145:63184 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 60.000 -
- - 218.109.58.145:63349 - - [10/Mar/2013:15:05:49 +0000] gnuers.org "GET / HTTP/1.1" 200 15929 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "-" "unix:/var/run/php5-fpm.sock" 2.525 0.271
- - 218.109.58.145:63357 - - [10/Mar/2013:15:05:57 +0000] localhost "-" 400 0 "-" "-" "-" "-" 0.000 -
- - 218.109.58.145:63350 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.991 -
- - 218.109.58.145:63351 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.987 -
- - 218.109.58.145:63352 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.988 -
- - 218.109.58.145:63353 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.991 -
- - 218.109.58.145:63355 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.992 -
- - 218.109.58.145:63354 - - [10/Mar/2013:15:06:46 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.993 -
...
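Before tuning client_header_timeout downwards (which also punishes genuinely slow clients), it is worth separating the harmless entries from the ones that matter. The script below is an added example, not part of the original post: it reads the custom log format shown above and splits 400/408 lines into "empty request" entries (request logged as "-", 0 bytes, the browser preconnections described above) and entries that carried a real request line, which are the ones where a client actually stalled mid-request. The sample lines are constructed in the same layout, with documentation-range addresses.

```sh
#!/bin/sh
# Added example, not code from the original post. SAMPLE_LOG is constructed
# to match the log format shown above; it is not real traffic.
SAMPLE_LOG='- - 203.0.113.7:63185 - - [10/Mar/2013:15:03:40 +0000] gnuers.org "GET / HTTP/1.1" 200 15929 "-" "Mozilla/5.0" "-" "unix:/var/run/php5-fpm.sock" 1.449 0.289
- - 203.0.113.7:63186 - - [10/Mar/2013:15:03:49 +0000] localhost "-" 400 0 "-" "-" "-" "-" 0.000 -
- - 203.0.113.7:63179 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 59.999 -
- - 203.0.113.7:63180 - - [10/Mar/2013:15:04:39 +0000] localhost "-" 408 0 "-" "-" "-" "-" 60.000 -
- - 198.51.100.9:40001 - - [10/Mar/2013:15:04:50 +0000] gnuers.org "POST /upload HTTP/1.1" 408 0 "-" "curl/7.29.0" "-" "-" 60.002 -'

# Read log lines on stdin and print one summary item per line:
#   total N        lines parsed
#   noise N        400/408 whose request was logged as "-" (nothing was ever sent)
#   real N         400/408 that had a request line: a client stalled in headers/body
#   noise_ip IP N  empty-request timeouts per client address
nginx_timeout_summary() {
    awk '
    # status and byte count follow the closing quote of the request field
    match($0, /" [0-9][0-9][0-9] [0-9]+ "/) {
        status = substr($0, RSTART + 2, 3)
        empty  = (substr($0, RSTART - 2, 2) == "\"-")   # request field was "-"
        split($3, ip, ":")                              # field 3 is client ip:port
        total++
        if (status == "408" || status == "400") {
            if (empty) { noise++; per_ip[ip[1]]++ } else real++
        }
    }
    END {
        printf "total %d\nnoise %d\nreal %d\n", total, noise, real
        for (i in per_ip) printf "noise_ip %s %d\n", i, per_ip[i]
    }'
}

# Live use:  nginx_timeout_summary < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | nginx_timeout_summary
```

The per-address count is the useful part: a browser produces a handful of empty-request timeouts per page load, so a single address showing hundreds of them, or the "real" bucket growing, is something other than Chrome's preconnect behaviour and deserves a look, since every such connection occupies a worker connection for the full 60 s.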

March 10, 2013 · 5 min · pm