Myat 's http://www.myatus.co.uk/fa/ به هدر رفتن بیت و کلمه در روزانه Wed, 08 یدلایمخیرات سپتامبر 2010 19:01:01 +0000 fa hourly 1 http://wordpress.org/?v=3.0.1 مسدود کردن اسکن w00tw00t http://www.myatus.co.uk/fa/2010/07/17/blocking-w00tw00t-scans/ http://www.myatus.co.uk/fa/2010/07/17/blocking-w00tw00t-scans/#comments Sat, 17 Jul 2010 10:53:38 +0000 Myatu http://www.myatus.co.uk/?p=1401-fa
  • Guide: Firewall and router with Proxmox – با گسترش آن Ù ثانیه ثانیه نامه
  • -j DROP

    Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to use this for a range of IPs (ie., you’re using multiple IPs to host web servers), simply replace the “-d xxx.xxx.xxx.xxx” portion with:

    -m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx

    where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.

    If you wish to have a fancier option, one where it will for example blacklist an IP for a certain period, etc., have a look at SpamCle@ner’s website.

    They go deeper into this subject and have provided two scripts near the end of their article. Simply save one of these scripts in a file named, به عنوان مثال, /opt/blockw00t.sh and make it executable with:

    chmod +x /opt/blockw00t.sh

    You can run it manually with typing “/opt/blockwoot.sh” in the shell or to automatically load it at boot time you can add it to your /etc/rc.local پرونده, or on Debian/Ubuntu systems add it to your / و غیره / شبکه / رابط like so:

    auto eth0
    
inet eth0 static
    
   ... [existing configuration that remains unaltered] ...
    
   # Load anti-w00t script:
    
   post-up /opt/blockw00t.sh

    Using Fail2Ban

    If you are using Fail2Ban, like described in the Shorewall firewall configuration, you can create a new definition that scans for the w00tw00t entries in the webserver log files.

    The following definition assumes your webserver log entries look like the following (NginX و آپاچی 2):

    203.127.11.214 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"

    Create a file /etc/fail2ban/filter.d/webserver-w00tw00t.conf:

    [Definition]
    
failregex = ^<HOST> .*"GET \/w00tw00t\.at\.ISC\.SANS\..+\:\).*?"
    

    
ignoreregex =

    This catches the known variants of the scanner, including “DFind”, ̶وest0″, “MSlog” and “ntsvc”.

    توجه داشته باشید: The <HOST> portion is specific to fail2ban and is a shorthand for the regex (?:::f{4,6}:)?(?P<host>\S+), which matches either an IPv4 or IPv6 address. See the fail2ban manual for more details.

    *Tip: If you wish to change the regular expression, I recommend RegExr to play with various options/search criteria. It’s a time saver and free :)

    *Tip 2: To test your definition’s regular expression, use:

    fail2ban-regex logfغیره /etc/fail2ban/filter.d/webserver-w00tw00t.conf

    Where logfile is the actual log file name, such as /var/log/apache2/access.log.

    Add this definition to the fail2ban Jail configuration (/etc/fail2ban/jail.conf):

    ... [existing configuration] ...
    

    
[webserver-w00tw00t]
    
enabled  = true
    
port     = http,https
    
filter   = webserver-w00tw00t
    
# !!! Keep in mind to specify the correct web server log here:
    
logpath  = /var/log/apache2/access.log
    
maxretry = 1
    
# Time in seconds, در این مورد, one day:یعنی. />
bantime  = 86400

    Now reload the service (ie., “/etc/init.d/fail2ban reload” یا “service fail2ban reload”).

    پست های مرتبط:

    1. Guide: Firewall and router with Proxmox – با گسترش آن Ù ثانیه ثانیه نامه
    2. NginX و آپاچی, اما هیچ memcached
    3. سریعتر وپ سوپر نهانگاه با nginx
    4. NginX کامپایل کردن در دبیان / اوبونتو
    ]]> Absolut NginxIt looks like I have neglected to write a new article in quite a while! Shame on me. اما, thanks to a website outage, I’ve finally got some more good stuff to share with you.

    My previous Nginx configuration became a nightmare to maintain and WordPress had become slower because Apache’s children were being killed by OOM. This was due to a  misguided PHP cache (PHP XCache to be precise) that decided to take every available bit of memory from my system, despite having max-requests per child set low (before it was purged).

    این, along with my endeavors in seeking the fastest solution to everything and the introduction of a new Cloud servers by OVH, lead me to today’s article.

    Which is faster – Varnish or Nginx?

    The first thing I wanted to do is make all the caching happen before things get pushed through to Apache. This because I wanted to eliminate both PHP XCache and the WordPress Super Cache plugin I was using, so to increase WordPress compatibility but decrease complexity.

    At first I thought about using Varnish – either as a the sole front-end, or in between Nginx and Apache (the reasoning later). همچنین, I had gotten my hands on OVH’s Cloud servers whilst they were still in “alpha”, and used this as the base system for building a pool of web servers.

    The following tests have all been performed on those Cloud servers – mC 256 (256 MBytes of guaranteed RAM, 2 GByte total memory with excess swapped to SSD’s), 4 CPU cores and 5 GBytes of storage space. The OS is Ubuntu 10.04 LTS. The output of /proc/cpuinfo is as following (x4 for briefness):

    processor       : 0
    
vendor_id       : GenuineIntel
    
cpu family      : 6
    
model           : 26
    
model name      : اینتل(R) Xeon(تحقیق) CPU           E5504  @ 2.00GHz
    
stepping        : 5
    
cpu MHz         : 1995.000
    
cache size      : 4096 KB
    
fdiv_bug        : no
    
hlt_bug         : no
    
f00f_bug        : no
    
coma_bug        : no
    
fpu             : yes
    
fpu_exception   : yes
    
cpuid level     : 11
    
wp              : yes
    
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf pni ssse3 cx16 sse4_1 sse4_2 popcnt hypervisor lahf_lm
    
bogomips        : 3990.00
    
clflush size    : 64
    
cache_alignment : 64
    
address sizes   : 40 bits physical, 48 bits virtual
    
power management:

    The stock install of Apache performed as following on a simple “Hello World” PHP script, با استفاده از “ab -c 100 -n 100000 http://host/“:

    Concurrency Level:      100
    
Time taken for tests:   29.548 seconds
    
Complete requests:      100000
    
Failed requests:        0
    
Write errors:           0
    
Total transferred:      25009500 bytes
    
HTML transferred:       3901482 bytes
    
Requests per second:    3384.27 [#/sec] (mean)
    
Time per request:       29.548 [ms] (mean)
    
Time per request:       0.295 [ms] (mean, across all concurrent requests)
    
Transfer rate:          826.55 [Kbytes/sec] received
    

    
Connection Times (ms)
    
              min  mean[+/-sd] median   max
    
Connect:        0   12  39.1     12    1960
    
Processing:     9   18  49.6     14    2036
    
Waiting:        1   15  45.9     12    1966
    
Total:         14   29  65.9     26    2159

    With Varnish in front of Apache, things really started to look good:

    Concurrency Level:      100
    
Time taken for tests:   13.489 seconds
    
Complete requests:      100000
    
Failed requests:        0
    
Write errors:           0
    
Total transferred:      28315282 bytes
    
HTML transferred:       1100594 bytes
    
Requests per second:    7413.64 [#/sec] (mean)
    
Time per request:       13.489 [ms] (mean)
    
Time per request:       0.135 [ms] (mean, across all concurrent requests)
    
Transfer rate:          2049.99 [Kbytes/sec] received
    

    
Connection Times (ms)
    
              min  mean[+/-sd] median   max
    
Connect:        0    6   2.2      6      71
    
Processing:     2    7   1.9      7      70
    
Waiting:        1    6   2.0      5      66
    
Total:          3   13   3.1     13      81

    At 2.48x more than what Apache can send out on its own, that’s a mighty impressive improvement and Varnish deserves kudos. But at 1 GBytes of RAM for caching, would it really be more efficient and quicker than Nginx? The following results tell …

    Concurrency Level:      100
    
Time taken for tests:   9.438 seconds
    
Complete requests:      100000
    
Failed requests:        0
    
Write errors:           0
    
Total transferred:      27706648 bytes
    
HTML transferred:       5201248 bytes
    
Requests per second:    10595.55 [#/sec] (mean)
    
Time per request:       9.438 [ms] (mean)
    
Time per request:       0.094 [ms] (mean, across all concurrent requests)
    
Transfer rate:          2866.87 [Kbytes/sec] received
    

    
Connection Times (ms)
    
              min  mean[+/-sd] median   max
    
Connect:        0    4   1.0      4      56
    
Processing:     2    6   9.7      5     253
    
Waiting:        0    5   9.7      5     253
    
Total:          5    9   9.7      9     257

    … a different story. Though this is not some scientific research that should be taken at face value, I personally found the difference rather significant – especially since Nginx never used more than 60 Mbytes of RAM and relied mostly on system file  caching. 1.39x faster than Varnish, 3.46x faster than Apache by itself. That’s even more impressive!

    A little Varnish quirk on Ubuntu

    دوباره, and I can’t say this often enough, these are merely the numbers obtained on my system – your mileage may vary. Varnish is definitely a worthy contender — the one issue I encountered on Ubuntu was that Varnish crashed when attempting to test with more than 1000 concurrent connections. That’s not supposed to happen in a production environment!

    The culprit seems to be the user account’s “open file descriptors” limitation. Sockets are also counted towards this value and when Varnish had hit the limit it died rather ungracefully. You can manually resolve it by using ulimit:

    ulimit -n 65535

    But you are better off using the /etc/security/limits.conf file. It is well documented, so it shouldn’t be to difficult to figure it out. I’ll continue with my blog…

    The Configuration

    So I have decided to keep Nginx as the front-end for Apache, but this time – unlike previously – activate Nginx’s caching. Doing it here, rather than working with caching plugins and a plethora of other band-aids, keeps the whole configuration clean and simple. Apache can be left alone to run as it normally does, with no special trickery. The only exception is a memcache store, because the database is located on a different server and linked through a VPN.

    First I installed Nginx, Apache, PHP5 and Memcache through the usual channels, as following:

    apt-get install nginx libapache2-mod-php5 memcached \
    
php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick \
    
php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming \
    
php5-ps php5-pspell php5-recode php5-snmp php5-sqlite \
    
php5-tidy php5-xmlrpc php5-xsl php5-json

    Update Nginx

    The Nginx version provided by the Ubuntu repository is 0.7.65. However, a feature introduced in version 0.7.66/stable - proxy_no_cache – will come handy simplifying the configuration. 0.7.67 also fixed a small issue, which mainly concerns Windows machines but is good to have patched regardless. So I’ve compiled Nginx to the latest stable version as following:

    # apt-get install libc6 libpcre3 libpcre3-dev libpcrecpp0 libssl0.9.8 libssl-dev zlib1g zlib1g-dev lsb-base
    
wget http://www.nginx.org/download/nginx-0.7.67.tar.gz
    
tar -xf nginx-0.7.67.tar.gz
    
cd nginx-0.7.67
    
./configure \
    
--user=www-data \
    
--group=www-data \
    
--sbin-path=/usr/sbin \
    
--conf-path=/etc/nginx/nginx.conf \
    
--error-log-path=/var/log/nginx/error.log \
    
--pid-path=/var/run/nginx.pid \
    
--lock-path=/var/lock/nginx.lock \
    
--http-log-path=/var/log/nginx/access.log \
    
--http-client-body-temp-path=/var/lib/nginx/body \
    
--http-proxy-temp-path=/var/lib/nginx/proxy \
    
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    
--with-debug \
    
--with-http_stub_status_module \
    
--with-http_flv_module \
    
--with-http_ssl_module \
    
--with-http_dav_module \
    
--with-http_gzip_static_module \
    
--with-http_realip_module \
    
--with-mail \
    
--with-mail_ssl_module \
    
--with-ipv6
    
make && make install

    Yes, that’s literally cut & paste. It overwrites the binaries installed by apt-get, and we happily continue to use the official init script provided by Ubuntu/Debian. Why make life difficult?

    Configuring PHP and Apache

    At this point, configure PHP and Apache to your heart’s content. The one thing that you need to do with Apache is move it to a different port and preferably keep it on 127.0.0.1. This means you need to edit the /etc/apache2/ports.conf file:

    NameVirtualHost *:8080
    
Listen 127.0.0.1:8080

    And configure your website(s) accordingly:

    <VirtualHost *:8080>
    
... etc ...
    
</VirtualHost>

    If you are using SSL (https://), this will be handled by Nginx rather than Apache. Since this is already getting quite long, I will skip SSL in this blog.

    Configuring Nginx

    We start off by creating a few directories that will be used by Nginx:

    mkdir /etc/nginx/includes
    
mkdir -p /var/cache/nginx/tmp
    
mkdir /var/cache/nginx/cached
    
chown -R www-data:www-data /var/نهانگاه/nginx

    Next we modify the file /etc/nginx/nginx.conf as following:

    user                    www-data;
    

    
worker_processes        4;
    
worker_rlimit_nofile    16384;
    

    
error_log               /var/log/nginx/error.log;
    
pid                     /var/run/nginx.pid;
    

    
events {
    
        worker_connections  2000;
    
}
    

    
http {
    
        include                 /etc/nginx/mime.types;
    
        default_type            application/octet-stream;
    

    
        access_log              /var/log/nginx/access.log;
    

    
        sendfile                on;
    
        tcp_nopush              on;
    
        tcp_nodelay             on;
    
        keepalive_timeout       75 20;
    

    
        gzip                    on;
    
        gzip_vary               on;
    
        gzip_comp_level         3;
    
        gzip_min_length         4096;
    
        gzip_proxied            any;
    
        gzip_types              text/plain text/css application/x-javascript text/xml
    
                                application/xml application/xml+rss text/javascript;
    

    
        include                 /etc/nginx/conf.d/*.conf;
    
        include                 /etc/nginx/sites-enabled/*;
    
}

    The worker_processes variable is set according to the number of CPU cores in my system, 4 در این مورد. There are a few tcp tweaks and gzip compression is enabled on additional file types, rather than just html.  For the rest, it’s fairly run-of-the-mill.

    The core workhorse of Nginx will be the proxy and its associated cache. Because I like to keep things nicely sectioned, thus easy to configure, I’ve created the following /etc/nginx/conf.d/proxy.conf file, which will be included by Nginx by an include بیانیه:

    proxy_redirect                  خاموش;
    

    
proxy_set_header                Host $host;
    
proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
    

    
proxy_connect_timeout           90;
    
proxy_send_timeout              90;
    
proxy_read_timeout              90;
    

    
proxy_buffer_size               4k;
    
proxy_buffers                   4 32k;
    
proxy_busy_buffers_size         64k;
    
proxy_temp_file_write_size      64k;
    

    
proxy_max_temp_file_size        56m;
    
proxy_temp_path                 /var/cache/nginx/tmp;
    
proxy_cache_key                 $scheme$host$request_uri;
    
proxy_cache_path                /var/cache/nginx/cached levels=2:2 keys_zone=global:64m inactive=60m max_size=1G;
    

    
proxy_cache_valid               200 302 30m;
    
proxy_cache_valid               301 1h;
    
proxy_cache_valid               404 1m;
    

    
proxy_cache_use_stale           error timeout http_500 http_502 http_503 http_504;
    

    
proxy_pass_header               Set-Cookie;

    The proxy_set_header variables are there to help you determine the IP of the actual web page requester, rather than receiving the one from Nginx. You just need to include %{X-Forwarded-For}i in one of Apache’s log formats instead of the host (%h).

    However, I have personally disabled all access logging in Apache, because everything needs to pass through Nginx anyway and it boosts Apache’s performance a smidgen (you do this by commenting out all the CustomLog lines in Apache’s configurations). I did leave the Apache ErrorLog enabled, just for those instances and also for PHP error messages.

    The file above also defines an Nginx proxy cache zone called with the proxy_cache_path متغیر. That same variable also specifies a garbage time (60 minutes) and maximum cache size (on the disk, 1 Gbytes).

    The proxy_cache_key is simply a concatenation of “httpmyatus.co.uk/therequests.php” that will be hashed and then used to retrieve it at a later point. I’m allowing stale cache to be served in case of certain errors, for example when Apache has unexpectedly died.

    An important bit, which was quite a PITA to figure out, is the proxy_pass_header portion for the “Set-Cookie” header. WordPress includes “Set-Cookie” headers in 302 HTTP responses (which is used to point your browser to a new location) – some frown upon this practice and Nginx is no exception. Hence we need to specifically let this pass through, or else you will not be able to login to your WordPress Admin or have users leave comments.

    Includes

    In the /etc/nginx/includes folder we created earlier, we add two files. The first is a helper for sites that use WordPress. Since the /etc/nginx/includes folder is not automatically included, we can be selective about inclusions, and save on some processing time when these features aren’t used. This is the /etc/nginx/includes/wordpress.inc file:

    if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_") {
    
    set $no_cache 1;
    
}
    

    
اگر ($http_user_agent ~* "(2\.0 MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine\/3\.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA\/WX310K|LG\/U990|MIDP-2\.|MMEF20|MOT-V|NetFront|Newt|Nintendo Wii|Nitro|Nokia|Opera Mini|Palm|PlayStation Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian OS|SymbianOS|TS21i-10|UP\.Browser|UP\.Link|webOS|Windows CE|WinWAP|YahooSeeker\/M1A1-R2D2|NF-Browser|iPhone|iPod|Android|BlackBerry9530|G-TU915 Obigo|LGE VX|webOS|Nokia5800)" ) {
    
    set $no_cache 1;
    
}
    

    
proxy_no_cache      $no_cache;

    It’s a very simple file, در حقیقت. The first portion checks if there are certain cookies set, related to comment authors or those who are logged into the WordPress Admin. If this is the case, the variable $no_cache قرار است 1. The second checkغیره for mobile users, like Nokia, iPhone, etc. This is helpful in case you have a mobile WordPress edition, as available through some plugins.

    If at any point the $no_cache است 1, the variable proxy_no_cache becomes true. Apache’s output might still be cached, but it will not be served to the end user (thus always fresh).

    توجه داشته باشید: Because the output from Apache may still be cached in this case (but not served), it is quite possible that if the page has not been requested before, it could be used to fill the cache (and thus served at a later point).

    For instance, let’s say someone visits /some/page with a mobile browser. This might be the first visit to this page and will be cached. Someone using a regular browser (می گویند, Firefox or Opera) could then be presented with this mobile cached version, causing some inconsistencies.

    You can solve it by adding $http_user_agent to the proxy_cache_key statement in the proxy.conf file described earlier. The drawback here is an increased cache storage requirement, as each browser version gets its own cached version. As for the logged-in WordPress admin/user, never will he/she be presented a cached version – so this only applies if you’re using a mobile version of WordPress.

    The second file is a helper that’s pretty much universal for all the websites (but can still be overridden in the actual sites-available/* files). This is the /etc/nginx/includes/default_proxy.inc file:

    # Enable caching:
    
proxy_cache     global;
    

    
# Default:
    
محل سکونت / {
    
        proxy_pass              http://127.0.0.1:8080;
    
}
    

    
# Rarely changed items can remain cached longer:
    
location ~* \.(jpg|jpeg|png|gif|ico|css|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
    
        proxy_cache_valid     &nbhttp200 3h;
    
        proxy_pass              http://127.0.0.1:8080;
    
}
    

    
# Deny access to .ht* files:
    
location ~ /\.ht {
    
        deny                    all;
    
}

    The first variable proxy_cache informs Nginx to use the zone we defined earlier in the /etc/nginx/conf.d/proxy.conf file. If it is not there, nothing will be cached and pages simply pass through.

    It further tells Nginx to send everything to Apache, but allow images and a few other static files to be cached longer than originally defined. The last portion tells Nginx to block access to files such as . htaccess یا .htpasswd right at Nginx’s level – so Apache doesn’t have to and save some processing power.

    A default site

    You can use the include files to build a very small website configuration file. به عنوان مثال, /etc/nginx/sites-available/default may looks something similar to this:

    server {
    
        listen          80;
    
        server_name     _;
    

    
        root            /var/www/sites/default/public;
    
        index           index.html index.htm;
    

    
        access_log      /var/www/sites/default/logs/access.log;
    
        error_log       /var/www/sites/default/logs/nginx.error.log;
    

    
        # Includes:
    
        include         /etc/nginx/includes/wordpress.inc;
    
    include         /etc/nginx/includes/default_proxy.inc;
    
}

    Everything is passed to Apache and cached, depending of the wordpress.inc file allows it. Apache will handle the rest. You will likely have to change the directories, but that’s basically it.

    وردپرس

    There’s little that needs to be done with WordPress. The most important thing is to actually disable any WordPress cache با این حال be using, such as WordPress Super Cache. It is no longer needed and only gives Apache / PHP more work to do. However, as noted earlier, I did include Memcache.

    The reason is that in my case, each Cloud server works off the same MySQL database cluster. To avoid unnecessary or repetitive SQL traffic, the Memcache daemon will hold these in RAM memory (or in the Cloud’s case – either RAM or SSD). This is done with the use of the object-cache.php file by Ryan Boren, which can be obtained from this website. This file needs to be placed in your $WP-ROOT$/wp-content/ directory.

    For everything else, WordPress can be plain vanilla but become blistering fast, as shown in the next output.

    Performance

    I have clustered a Cloud server with a dedicated server. For a short while (as in, half a day) I used HAProxy as the point-of-entry. HAProxy is super-fast, but I was irked by a minor issue that caused some logging issues. Nginx is on-par with HAProxy, though آپاچیnX have a little more jitter, so I now use an 2x Nginx <–> 2x (Nginx + Apache) combination. Witt the (Nginx + Apache) portion of this setup configured exactly as described above, I have been able to obtain the following speeds (based on 100 concurrent connections, 50,000 requests and keep-alive enabled):

    Coدرخواست عدم:      100
    
Time اشتباهات نوشتن نظرsts:   6.694 seconds
    
Complete requests:      50000
    
Failها منتقلp;      0
    
Write errors: اچ منتقلbsp;     0
    
Keep-Aliکلمه در ادامه متنquests:    0
    
Total transferred: &# / ثانیه    2822197200 bytes
    
HTML transferred:       280در هر زمان درخواست />
Requests per second:    746در تمام درخواست های همزمان per reqسرعت انتقال    13.389 [ms] (mean)
    
Time perKbytes / ثانیه&nدرخانمفتsp;   0.134 [ms] (mean, across allمتوسطcurrent requests)
    
Transfer rate:          411700.31 [Kbytes/sec] received
    

    
Connection Times (ms)
    
              min  mean[+/-sd] median   max
    
Connect:        0    2   0.4      2      16
    
Processing:     3   11   0.8     11      27
    
Waiting:        1درخواست در هر ثانیهsp; 1.2      3      25
    
Total:    در     6   13   0.8     13      32

    At 3.29 Gbps @ 7469 requests per second, I consider this to be a rather well performing setup. Well prepared for my next project!

    پست های مرتبط:

    1. NginX و آپاچی, اما هیچ memcached
    2. سریعتر وپ سوپر نهانگاه با nginx
    3. NginX کامپایل کردن در دبیان / اوبونتو

    ]]>     http://www.myatus.co.uk/fa/2010/06/28/a-simplified-nginx-apache-combo-with-wordpress-support/feed/ 7 کاربر: فایر وال و روتر با تالار بورس – با گسترش آن Ù ثانیه ثانیه نامه http://www.myatus.co.uk/fa/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/ http://www.myatus.co.uk/fa/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/#comments Sat, 20 مارس 2010 09:08:55 +0000 Myatu http://www.myatus.co.uk/?p=505-fa
  • Guide: فایر وال و روتر با تالار بورس
  • مسدود کردن اسکن w00tw00t
  • Guide: OpenSolaris نصب بر روی یک سرور اختصاصی از راه دور
    • ]]>     "Metro rebrands Hackers" by gwire, attribution licenseسال گذشته من نوشتم کاربر در چگونگی استفاده از Shorewall به عنوان یک فایروال و روتر را برای تالار بورس. As a follow up I will answer a few questions I’ve received about that guide that can help you extend its use.

    Proxy ARP

    سوال رایج ترین است در توجپروکسی ARPm>proxy ARP. فعال کردن این گزینه به شما اجازه خواهد داد که مستقیما به آی عمومی VM مهمان خود را به او واگذار, با حذف پورت نیاز به حمل و نقل (DNAT) or having to worry about the MAC address.

    به عنوان مثال برای استفاده از پراکسی ARP, it is helpful for those using a a SIP-based VoIP server since a STUN server is no longer required.

    Enabling Proxy ARP

    The first step is to ensure that Proxy ARP is enabled.  This is a fairly simple task and involves adding an single line to one of your static network stanzas. Which one precisely depends on your system setup; for those who have an eth0 stanza, you can use it there. For others who only have a vmbr0..n stanza, the additional line should be placed there.

    iface eth0 inet static
    
    # ... existing lines ...
    
    post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

    These changes will take effect on your next boot or whenever you restart your networking services.

    Add a route to Shorewall

    Shorewall needs to know that you’d like to use proxy ARP, for which IP that is and where this IP needs to be routed to. The beauty of Shorewall is its simplicity and so this can be quickly done by creating a file named /etc/shorewall/proxyarp that will contain this:

    #ADDRESS    INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
    
92.22.33.44 vmbr0        eth0

    Translated, this informs Shorewall that the public IP 92.22.33.44 attached to eth0 needs to be forwarded to a guest VM (using this public IP) attached to the vmbr0 bridge.

    As you can tell from the first line, there are two additional options: haveroute and persistent.

    The haveroute option determines whether Shorewall should create a route from the external interface to the bridge. For guest containers based on OpenVZ, Proxmox will take of creating the route. But for fully virtualised containers (based on KVM), you need to create this route yourself. In this case we tell Shorewall to create the route for us, by keep this option’s value at its default value (blank, or No).

    When the haveroute option is set to No (default), the persistent option tells Shorewall if it should keep the created route active if Shorewall is stopped. Generally, and for security reasons, you should leave this at its default option (blank or No). This prevents the guest VM from being exposed without a firewall protecting it.

    Creating Shorewall rules

    In the original guide all traffic from the public side to internal VMs is blocked. This continues to be the same when you are using proxy ARP and thus need to create rules that permit traffic to certain ports. This can be done by adding rules like:

    ACCEPT    net    dmz:92.22.33.44    udp    5060

    This will permit UDP traffic on port 5060 to proceed to the guest VM on IP 92.22.33.44. You can also use the Shorewall macros, به عنوان مثال:

    HTTP/ACCEPT    net     dmz:92.22.33.44

    And in this case it will make a web server on 92.22.33.44 accessible to the public.

    معادل, you may setup a single rule that accepts all traffic on all ports:

    ACCEPT    net     dmz:92.22.33.44

    However you should take care that the guest VM has its own set of rules to block unwanted or unsafe traffic.

    The main thing to take care of with these proxy ARP firewall rules is to use “ACCEPT” and not “DNAT” as explained in the original guide.

    Multiple public IPs

    Another common question is in regards to multiple public IP addresses. The original guide assumed that the host has one public IP address, so here are a few additional pointers.

    If you are following the original guide, then any public IP will be applied the same rule. So let’s say you have two public IP addresses, 94.11.22.33 and 94.22.33.44 and the following rule:

    ACCEPT    net    fw    tcp    5900:5999

    With this rule, you can use both 93.11.2یا33:5900 or 94.22.33.44:5900 to connect to Proxmox’s VNC. But you wish to restrict it to a specific IP address, then you need to modify the rule as following:

    ACCEPT    net   fw:94.22.33.44    tcp    5900:5999

    Now you can only use 94.22.33.44:5900 to connect, but not 93.11.22.33DTA0.

    The same applies to port forwarding (DNAT) rules, which is written in a slightly different format. Let’s say we have this rule:

    DNAT    net    dmz:10.0.0.1    tcp    1234

    This will forward any public IP to port 1234 on the guest VM at 10.0.0.1. So both 94.11.22.33:1234 and 94.22.33.44:1234 will work. If you wish to restrict this to a certain public IP address, the rule needs to be modified as following:

    DNAT    net    dmz:10.0.0.1    tcp    1234    -    94.22.33.44

    Only 94.22.33.44:1234 will be allowed at this point.

    Memorable names

    If you have many IP addresses, it becomes easy to forget which IP to use. You can use Shorewall’s “params” file to give IPs a memorable name. Edit the file /etc/shorewall/params as following:

    IP_ALEX=94.11.22.33
    
IP_SONIA=94.22.33.44
    
IP_ERIC=94.33.44.55
    
IP_VM1=10.0.0.1
    
IP_VM2=10.0.0.2
    
IP_VM3=10.0.0.3

    Now you can use these names instead of the IP address in any of your Shorwall rules, like so:

    HTTP/DNAT    net     dmz:$IP_VM1    -    -    -    $IP_SONIA

    And this would forward HTTP traffic from 94.22.33.44 to a guest VM running on 10.0.0.1.

    Mixed use and bridging

    The original guide not only adds a firewall, but also helped those who’s hosting provided blocked IPs on unauthorized MACs. One such hosting provided was OVH, and they have recently introduced a “Virtual MACs for VPS” option that allows you to assign an IP address to a MAC. This eliminates the need for Proxy ARP or port forwarding/NAT, however the original guide will still prove itself useful for protecting the host.

    I will provide a sample setup below, which can be modified to suit your needs and network configuration. This assumes you have have a basic understanding of networking and read my previous guide.

    Interfaces

    We modify the / و غیره / شبکه / رابط as following:

    # The loopback network interface
    
auto lo
    
iface lo inet loopback
    

    
# Public Network. Make sure to only use MACs that were assigned to you
    
auto vmbr0
    
iface vmbr0 inet static
    
 # The following settings are specific to your hosting provider:
    
 address 94.11.22.33
    
 netmask 255.255.255.0
    
 network 94.11.22.0
    
 broadcast 94.11.22.255
    
 gateway 94.11.22.254
    
 # The following assumes eth0 is the public-side NIC, the remained is always the same
    
 bridge_ports eth0
    
 bridge_stp off
    
 bridge_fd
    

    
# Optional Private Network. This network cannot be access directly from the public side
    
auto vmbr1
    
iface vmbr1 inet auto
    
 address 10.0.0.1
    
 network 255.0.0.0
    
 broadcast 10.255.255.25
    
 bridge_ports none
    
 bridge_stp off
    
 bridge_fd 0

    The host, accessible by 94.11.22.33, will have two bridges at this point: vmbr0 serving the public-side and vmbr1 serving inter-VM communication.

    To assign a public IP address to a KVM, you use the vmbr0 bride and must ensure the MAC corresponds to the one provided by your hosting provider (if a MAC restriction is in place).

    You can also add a 2nd NIC (or as the only NIC) to the KVM, which is bridged with vmbr1. در این مورد, you need to use an IP within the 10.0.0.2-10.255.255.254 range, and as gateway 10.0.0.1. This particular IP range can only be used between other VMs on the same host / bridge, unless you use port forwarding or a VPN on the same IP range.

    Shorewall Interfaces and Zones

    The basic /etc/shorewall/interfaces will be:

    #ZONE    INTERFACE    BROADCAST    OPTIONS
    
pub    vmbr0        detect        routeback,bridge
    
loc    vmbr1        detect        routeback,bridge
    

    
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    You could also add the blacklist گزینه, or any of the other possible Shorewall options if you wish.

    The accompanying /etc/shorewall/zones will look like this:

    #ZONE    TYPE        OPTIONS        IN            OUT
    
#                    OPTIONS            OPTIONS
    
fw    firewall
    
pub    ipv4
    
loc    ipv4
    

    
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

    You now have three distinct Shorewall zones. The fw zone is a self-reference to the hoو(in our sample setup 94.11.22.33 and 10.0.0.1). The pub zone represents the publicly accessible vmbr0 bridge and loc our internal vmbr1 bridge.

    Shorewall Policy

    The following policy defines these basic rules:

    • Traffic from the the host anywhere else is permitted
    • Traffic from the public side to the host and the internal network is denied
    • Traffic from the internal side to the host is denied, anywhere else is permitted

    ویرایش /etc/shorewall/policy:

    #SOURCE    DEST    POLICY        LOG    LIMIT:        CONNLIMIT:
    
#                    LEVEL    BURST        MASK
    

    
# From Firewall:
    
fw        fw    ACCEPT
    
fw        pub    ACCEPT
    
fw        loc    ACCEPT
    

    
# Public Bridge (read the policy warnings!):
    
pub        pub    ACCEPT
    
pub        loc    ACCEPT
    
pub        fw    DROP        info
    

    
# Local (internal) Bridge:
    
loc        loc    ACCEPT
    
loc        pub    ACCEPT
    
loc        fw    DROP        info
    

    
# THE FOLLOWING POLICY MUST BE LAST
    
#
    
all    all    REJECT        info
    

    
#LAST LINE -- DO NOT REMOVE

    Policy Warnings

    With this sample policy it means that each publicly accessible guest VM should have its own firewall. If you wish to change this behavior, and let Shorewall handle the firewall for each such guest VM, then change the Public Bridge section:

    pub        pub    DROP      info

    You then need to create specific rules that allow traffic to VMs on vmbr0.

    A similar warning applies to traffic from vmbr0 to vmbr1. The policy assumes that vmbr0 does not receive any routable traffic on a private IP range (also called “martians”). Although this is often the case, it depends on the hosting provider’s internal networking. If you are not sure whether there’s routable traffic on a private IP range from the public side, you have two options. The first is to disallow all traffic from vmbr0 (pub) به vmbr1 (loc) by editing the Public Bridge section:

    pub        loc    DROP      info

    The alternative is to have a set of rules in /etc/shorewall/rules like so:

    # ...
    
SECTION NEW
    

    
# Leave these at the top, right after "SECTION NEW"!
    
DROP        pub:10.0.0.0/8        all
    
DROP        pub:192.168.0.0/16    all
    
DROP        pub:172.168.0.0/12    all
    

    
# ... Other rules follow ...
    

    
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    In all cases, you should verify whether traffic is truly blocked and never assume that it is!

    Shorewall and Fail2ban

    Fail2ban in its own words “scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address”. This can for instance be used to (temporarily) ban a bot that is attempting a brute-force entry through SSH.

    Fail2ban is an ideal companion to Shorewall and can be installed in a matter of minutes on a Proxmox host. You start by installing Fail2ban from the Debian packages:

    apt-get install fail2ban

    Configure Shorewall

    Next you need to edit one line in the Shorewall configuration file, located at /etc/shorewall/shorewall.conf:

    BLACKLISTNEWONLY=No

    That’s all you need to configure in Shorewall. Remember to apply your settings by restarting Shorewall with the command “shorewall restart”.

    Configure Fail2ban

    The last step is to configure Fail2ban. The file /etc/fail2ban/jail.conf is extensively documented and of particular interest are the following settings:

    ...
    
#
    
# Destination email address used solely for the interpolations in
    
# jail.{conf,local} configuration files.
    
destemail = myemail@address.com
    

    
...
    
#
    
# ACTIONS
    

    
# Default banning action (e.g. iptables, iptables-new,
    
# iptables-multiport, Shorewall, غیره) It is used to define
    
# action_* variables. Can be overriden globally or per
    
# section within jail.local file
    
banaction = shorewall
    

    
...
    
# Choose default action.  To change, just override value of 'action' with the
    
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc$
    
# globally (بخش [DEFAULT]) or per specific section
    
action = %(action_mwl)با

    Inform fail2ban of these changes by issuing the following command:

    fail2ban-client reload

    The destemail variable should be changed to your own e-mail address, where you will be informed of any ban actions. The banaction variable specifies that Shorewall should be used to block possible intruders. And finally, the action variable tells fail2ban to ban any detected intruder and then send an you a detailed e-mail with the relevant log lines (that caused the ban). Following is an example of an actual e-mail:

    Hi,
    

    
The IP 193.86.5.103 has just been banned by Fail2Ban after
    
3 attempts against ssh.
    

    
Here are more information about 193.86.5.103:
    

    
% This is the RIPE Database query service.
    
% The objects are in RPSL format.
    
%
    
% The RIPE Database is subject to Terms and Conditions.
    
% See <a class="moz-txt-link-freetext" href="http://www.ripe.net/db/support/db-terms-conditions.pdf">http://www.ripe.net/db/support/db-terms-conditions.pdf</a>
    

    
% Note: This output has been filtered.
    
%       To receive output for a database update, use the "-B" flag.
    

    
% Information related to '193.86.4.0 - 193.86.5.255'
    

    
inetnum:      193.86.4.0 - 193.86.5.255
    
netname:      BRANO
    
descr:        BRANO, Inc.
    
descr:        Hradec nad Moravici
    
country:      CZ
    
admin-c:      BK230-RIPE
    
tech-c:       TP231-RIPE
    
status:       ASSIGNED PA
    
mnt-by:       GTSCZ-MNT
    
source:       RIPE # Filtered
    

    
person:       Bohumil Kriz
    
address:      BRANO, Inc.
    
address:      Computer Centre
    
address:      Hradec nad Moravici
    
address:      747 41
    
address:      The Czech Republic
    
phone:        +420 653 918118
    
fax-no:       +420 653 911791
    
nic-hdl:      BK230-RIPE
    
source:       RIPE # Filtered
    

    
person:       Tomas Partl
    
address:      Brano, Inc.
    
address:      Computer Centre
    
address:      Hradec nad Moravici
    
address:      747 41
    
address:      The Czech Republic
    
phone:        +420 653 918371
    
fax-no:       +420 653 911791
    
nic-hdl:      TP231-RIPE
    
source:       RIPE # Filtered
    

    
% Information related to '193.86.0.0/16AS2819'
    

    
route:        193.86.0.0/16
    
descr:        CZNET-A
    
origin:       AS2819
    
mnt-by:       GTSCZ-A-MNT
    
source:       RIPE # Filtered
    

    
Lines containing IP:193.86.5.103 in /var/log/auth.log
    

    
Feb 27 03:32:02 host sshd[21460]: Failed password for root from 193.86.5.103 port 35833 ssh2
    
Feb 27 03:32:04 host sshd[21502]: Failed password for root from 193.86.5.103 port 36302 ssh2
    
Feb 27 03:32:06 host sshd[21504]: Failed password for root from 193.86.5.103 port 36719 ssh2
    

    
Regards,
    

    
Fail2Ban

    By default fail2ban is configured to monitor SSH, which for a Proxmox host works without any additional changes. Personally I prefer a ban on 3 attempts instead of the default 6, so I have made this one change in the /etc/fail2ban/jail.conf پرونده:

    [ssh]
    
maxretry = 3

    But again, the configuration file is quite well documented, so any personal preferences or modifications should be easy to accomplish.

    “Hoodies آنلاین” photo by gwire, CC Attribution License
    Hi,

The IP 193.86.5.103 has just been banned by Fail2Ban after
3 attempts against ssh.

Here are more information about 193.86.5.103:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and مشاهدهditions.
% See http://www.ripe.net/db/support/db-terms-conditioتوجه داشته باشیدdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '193.86.4.0 - 193.86.5.255'

inetnum:      193.86.4.0 - 193.86.5.255
netname:      BRANO
descr:        BRANO, Inc.
descr:        Hradec nad Moravici
country:      CZ
admin-c:      BK230-RIPE
tech-c:       TP231-RIPE
status:       ASSIGNED PA
mnt-by:       GTSCZ-MNT
source:       RIPE # Filtered

person:       Bohumil Kriz
address:      BRANO, Inc.
address:      Computer Centre
address:      Hradec nad Moravici
address:      747 41
address:      The Czech Republic
phone:        +420 653 918118
fax-no:       +420 653 911791
nic-hdl:      BK230-RIPE
source:       RIPE # Filtered

person:       Tomas Partl
address:      Brano, Inc.
address:      Computer Centre
address:      Hradec nad Moravici
addressآدرس747 41
address:      The Czech Republic
phone:        +420 653 918371
fax-no:       +420 653 911791
nic-hdl:      TP231-RIPE
source:       RIPE # Filtered

% Information related to '193.86.0.0/16AS2819'

route:        193.86.0.0/16
descr:        CZNET-A
origin:       AS2819
mnt-by:       GTSCZ-A-MNT
source:       RIPE # Filtered

Lines containing IP:193.86.5.103 in /var/log/auth.log

Feb 27 03:32:02 host sshd[21460]: Failed password for root from 193.86.5.103 port 35833 ssh2
Feb 27 03:32:04 host sshd[21502]: Failed password for root from 193.86.5.103 port 36302 ssh2
Feb 27 03:32:06 host sshd[21504]: Failed passwofail2banoot from 193.86.5.103 port 36719 ssh2

Regards,

Fail2Ban

    پست های مرتبط:

    1. Guide: فایر وال و روتر با تالار بورس
    2. مسدود کردن اسکن w00tw00t
    3. Guide: OpenSolaris نصب بر روی یک سرور اختصاصی از راه دور

    ]]>     http://www.myatus.co.uk/fa/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/feed/ 7     وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس http://www.myatus.co.uk/fa/2010/03/06/wp-flickr-background-version-103-betaavailable/ http://www.myatus.co.uk/fa/2010/03/06/wp-flickr-background-version-103-betaavailable/#comments Sat, 06 مارس 2010 07:41:05 +0000 Myatu http://www.myatus.co.uk/?p=478-fa
  • وپ نسخه Flickr سابقه و هدف 1.0.2 (بتا) در دسترس
  • وپ Flickr سابقه و هدف
  • وپ Flickr در زمینه تست آلفا
    • ]]>     نسخه 1.0.3 منتشر شد, که رفع اشکالات و چند جزئی به معرفی گزینه های جدید. هنوز هم در نظر گرفته در مرحله بتا می شود, which most likely will change with the next release.

    تغییرهای

    • A new option has been introduced to hide the license and attribution information in the footer.
    • Bug fix: پیکربندی فایل هش بود initialized هرگز
    • Bug fix: فعال کردن “cacheable” گزینه منجر به اشتباهات پی اچ پی کشنده در برخی موارد
    • Bug fiقابل ذخیرفع اشکالات کشنه پیشنمایش بود که کار نمی کند “cacheable” بود گزینه را فعال کنید
    • Bug fix: “تمام حقوق Reseved” پروانه به حال هیچ آدرس

    علاوه بر این, وپ Flickr سابقه و هدف است و دیگر نسخه های سازگار با وردپرس 2.8 or older.

    لینک ها: دانلود مستقیم WP Flickr Background (200) | دایرکتوری پلاگین وردپرس

    پست های مرتبط:

    1. وپ نسخه Flickr سابقه و هدف 1.0.2 (بتا) در دسترس
    2. WP Flickr Background
    3. وپ Flickr در زمینه تست آلفا

    ]]>     http://www.myatus.co.uk/fa/2010/03/06/wp-flickr-background-version-103-betaavailable/feed/ 2     صلیب سرخ’ جزئیات Citibank در توییتر می تواند نادرست. http://www.myatus.co.uk/fa/2010/03/01/red-cross-citibank-details-on-twitter-could-be-false/ http://www.myatus.co.uk/fa/2010/03/01/red-cross-citibank-details-on-twitter-could-be-false/#comments Mon, 01 مارس 2010 01:18:57 +0000 Myatu http://www.myatus.co.uk/?p=465-fa
  • سونامی هاوایی, Sprecks گالری تصویر
  • اضافه کردن hashtags پشتیبانی برای WordTwit
  • Lifestream ماه مارس 2nd
    • ]]>     چند لحظه پیش من را دریافت پیام در تاریخ توییتر که شامل اطلاعات در مورد چگونه شما می توانید از صلیب سرخ با تلاش های خود را در شیلی کمک. در حالی که نیت خوبی هستند, this can quickly become a target of fraudsters.

    بزرگترین نگرانی من این است که به سادگی fraudster را جایگزین اطلاعات حساب را به یکی او صاحب او را و یا خودش. از آنجا که آن را مانند یک موضوع داغ در توییتر می باشد در حال حاضر, این پیام را دگرگون می راند آن را به سرعت ساخت.

    I was able to trace the original message back to @CruzRojainforma, the Chilean Red Cross. So far the retweeted message hasn’t been altered – other than being translated into English. But I’ve urged people to stop retweeting the account details and visit the official Red Cross website at www.redcross.org instead. There’s a link right on their main page that explains how you can donate time or money to the Chilean earthquake efforts.

    On a final note, Twitter is also used to find missing persons. And with positive results I may add, as this article explains. Google also has a Person Finder database running, which it had done for te Haiiti earthquake as well. But please ensure that you do not give out too much personal details about the person you’re looking for, because it becomes a (nearly) permanent part of the Internet.

    دوباره, the intentions are good, but there are too many people out there waiting to take advantage of every possible situation so be careful!

    Fuerza Chile!

    پست های مرتبط:

    1. سونامی هاوایی, Sprecks گالری تصویر
    2. اضافه کردن hashtags پشتیبانی برای WordTwit
    3. Lifestream ماه مارس 2nd

    ]]>     http://www.myatus.co.uk/fa/2010/03/01/red-cross-citibank-details-on-twitter-could-be-false/feed/ 2     سونامی هاوایی, Sprecks گالری تصویر http://www.myatus.co.uk/fa/2010/02/28/hawaii-tsunami-sprecks-gallery/ http://www.myatus.co.uk/fa/2010/02/28/hawaii-tsunami-sprecks-gallery/#comments Sun, 28 Feb 2010 02:03:37 +0000 Myatu http://www.myatus.co.uk/?p=446-fa
  • Lifestream ماه مارس 1st
  • Lifestream for February 28th
    • ]]>     خوب, مثل بسیاری دیگر, من شده زیر داستان های اطراف در حال توسعه است که توسط سونامی ناشی از زلزله در نزدیکی سانتیاگو بود, شیلی. یکی از جزیره های بسیاری که در گروه های غیر متخصص در راه سونامی هاوایی بود و من مورد نگه داشتن چشم در webcams ارائه شده توسط MauiWindCam. آنها یکی از سایت های چند webcam در هاوایی زندگی می کنند قادر به مقابله با هجوم زیادی از افراد دیگر کنجکاو شد. برای کسانی که از دست رفته این, I’ve recorded a number of images that can be viewed in the gallery below.

    While the actual waves were thankfully less high than expected, you do notice two distinct surges in the images. The view here is of the Sprecks towards the West Maui mountains.

    [Show picture list]
    [[Show as slideshow]]

    Here’s a video which will give a better idea of what it looked like on the ground:

    I have another set (with a smoother timeline) from a different location as well, which may add soon as well. A few images from that set stood out and I will share this one with you here:

    Apparently this person wasn’t aware that there was a tsunami warning in effect and that you shouldn’t be on the beach, especially not making any phone calls.

    پست های مرتبط:

    1. Lifestream ماه مارس 1st
    2. Lifestream for February 28th

    ]]>     http://www.myatus.co.uk/fa/2010/02/28/hawaii-tsunami-sprecks-gallery/feed/ 1     وپ نسخه Flickr سابقه و هدف 1.0.2 (بتا) در دسترس http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background-version-1-0-2-beta-available/ http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background-version-1-0-2-beta-available/#comments Fri, 26 Feb 2010 03:43:10 +0000 Myatu http://www.myatus.co.uk/?p=430-fa
  • وپ نسخه Flickr سابقهدر دسترس 1.0.3 (بتا) available
  • وپ Flickr سابقه و هدف
  • وپ Flickr در زمینه تست آلفا
    • ]]>     خوب, کمی بیش از یک ماه پیش من لمس نهایی به وپ Flickr پلاگین سابقه و هدف قرار داده بود و آن را به مرحله آلفا وارد. در طی ماه کامل و با چند هزار بازدید کننده, بودند و تنها دو گزارش مسائل وجود دارد (که یکی از آنها نامربوط بود).

    راضی با این, من در حال حاضر نسخه ساخته شده 1.0.2 در دسترس به عنوان یک محصول بتا. این بدان معناست که شما می توانید به استفاده از آن برای مقاصد خود, با این حال من توصیه نمی با استفاده از این محیط زیست در تولید فقط رتبهدهی نشده است (اگر چه چیزی شما را متوقف از انجام این کار – استفاده از خود را در معرض خطر!).

    The likely issues that I’m expecting are with the installation, plugin usage and the back-end (administration). But hopefully those will only be a few. In meantime, I will start the registration procedure with WordPress.org so that the code will be available in the SVN, and the plugin available for download / upgrade within WordPress itself. Hopefully this will be a matter of just a few days.

    If you are running in any kind of issue, how small it may seem, I’d really like to know about it so I can improve the plugin. You can use the تماس با ما form, or leave a comment below and I will make note of it.

    The static page for WP Flickr Background is http://www.myatus.co.uk/wp-flickr-background, and it will be updated with the latest version as it becomes available. You can also click on دریافت فایل at the top.

    Enjoy!

    P.S.: A small update, WP Flickr Background is also available through the Flickr App Garden.

    P.P.S.: Quicker than expected, WordPress has accepted the plugin into the Plugin Directory. If you wish to use the development version (provided you know what you are doing!), see the SVN.

    پست های مرتبط:

    1. وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس
    2. وپ Flickr سابقه و هدف
    3. وپ Flickr در زمینه تست آلفا

    ]]>     http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background-version-1-0-2-beta-available/feed/ 0     وپ Flickr سابقه و هدف http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background/ http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background/#comments Fri, 26 Feb 2010 03:19:40 +0000 Myatu http://www.myatus.co.uk/?p=402-fa
  • WP Flickr Background version 1.0.2 (Beta) available
  • وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس
  • وپ Flickr در زمینه تست آلفا
    • ]]>     وپ Flickr پس زمینه ساده استفاده از افزونه وردپرس است که اجازه می دهد تا شما را به صفحه نمایش یک عکس از Flickr به عنوان پس زمینه قالب است., without the need to modify any files.

    همه شما باید انجام دهید ایجاد یک یا چند گالری در داخل تنظیمات افزونه 's, هر یک حاوی مجموعه ای از عکس ها از Flickr که شما انتخاب, and WP Flickr will randomly select a photo from the active gallery to display as the theme background.

    شما همچنین می توانید با اضافه کردن CSS گالری عکس کد شیک خواهد بود که همراه با عکس دلخواه لود, allowing you to color match the WordPress theme to the particular photo displayed or for other use.

    لینک ها: دانلود مستقیم: وپ Flickr سابقه و هدف (200) | دایرکتوری پلاگین وردپرس

    امکانات

    • Decide how often the background image should change (یعنی., هر روز, یک بار در هر مرورگر جلسه, etc.)
    • بسط دادن عکس پس زمینه به صورت افقی و / یا عمودی
    • عکس ها چیده شده بر اساس سابقه و هدف به صفحه بازدید کننده در طرح
    • غیر فعال کردن پس زمینه به صورت اختیاری تم اصلی پروفایل
    • اختیاری فشرده سازی جاوا اسکریپت
    • پشتیبانی از انبارها وردپرس مانند وپ سوپر نهانگاه
    • گالری چندگانه
    • Custom CSS style sheet per gallery, لود شده با موضوع اگر آن فعال

    تصاویر نمایشی

    نیازمندیها

    • نسخه وردپرس 2.9 or better
    • نسخه پی اچیا بهتر.3 or better
    • مرورگر با پشتیبانی از جاوا اسکریپت را فعال کنید

    شروع

    1. ارسال محتویات فایل زیپ را به / wp-content/plugins / دایرکتوری
    2. فعال کردن این افزونه را از طریق پلاگین منو در وردپرس
    3. دسترسی به تنظیمات افزونه از طریق تنظیمات / وپ Flickr سابقه و هدف منو:
    • گزینه های پیکربندی
    • اضافه کردن گالری ها و عکس های
    • دفعات بازدید : کمک بیشتر

    اگر شما ایده برای وپ Flickr سابقه و هدف یا آرزو به گزارش باگ, کلیک کنید پیشنهادات و انتقادات برگه در سمت چپ و یا بازدید از خود نشان داده UserVoice.

    پست های مرتبط:

    1. WP Flickr Background version 1.0.2 (Beta) available
    2. وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس
    3. وپ Flickr در زمینه تست آلفا

    ]]>     http://www.myatus.co.uk/fa/2010/02/26/wp-flickr-background/feed/ 18     من پشت! http://www.myatus.co.uk/fa/2010/01/23/im-back/ http://www.myatus.co.uk/fa/2010/01/23/im-back/#comments Sat, 23 ژان 2010 06:33:52 +0000 Myatu http://www.myatus.co.uk/?p=364-fa I apologize to everyone who had difficulty accessing the website in recent days!

    I had taken down the website to make some changes to the web server, which quickly became a major overhaul. I figured that since it was already down, I might as well do the things I had long planned.

    A good portion of it is implemented now, but I’m not completely done. I’ll give it my best effort to ensure there will be little to no downtime. Once again, my apologies!

    No related posts.

    ]]>     http://www.myatus.co.uk/fa/2010/01/23/im-back/feed/ 0     وپ Flickr در زمینه تست آلفا http://www.myatus.co.uk/fa/2010/01/20/wp-flickr-background-in-alpha-testing/ http://www.myatus.co.uk/fa/2010/01/20/wp-flickr-background-in-alpha-testing/#comments Wed, 20 ژان 2010 01:20:00 +0000 Myatu http://www.myatus.co.uk/2010/01/20/wp-flickr-background-in-alpha-testing/-fa
  • وپ Flickr سابقه و هدف
  • WP Flickr Background version 1.0.2 (Beta) available
  • وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس
    • ]]>

    اگر شما به این وب سایت جدید هستیم, احتمالا شما متوجه نمی. اما سابقه و هدف شما از دیدن است در واقع چیز جدیدی. و تصادفی. و جریان از Flickr. این پلاگین جدید که من در حال توسعه برای وردپرس 'sبه نام ‘WP Flickr Background’.

    کمی بیش از دو هفته پیش من تغییر تم به من حرکت توسط 85ideas, و موثر خود را با استفاده از ورق و پس زمینه intrigued شد. و از آنجایی که من حوصله و به سرعت در نظر گرفتن همین, من فکر کردم ‘چرا که نه ، این زمینه را تصادفی '? Flickr فراهم می کند میلیونها عکس, بسیاری از آنها را تحت ویکیپدیا خلاق مجوز مجوز, و این می شود منبع بسیار خوبی برای آن دسته از زمینه های تصادفی. بنابراین شروع کردم به کد نویسی…

    Interestingly, it wasn’t as straight forward as one would expect. After all, you could simply use a dynamically generated CSS style sheet with a ‘background’ element pointing to a random Flickr photo. Right?

    But small photos cascade and your website will look like a bad 1995 rendition of your first HTML page. And the large photos may be بنابراین large, you end up staring at just a grain of sand instead of a beach.

    CSS3, the brand-spanking new version of CSS style sheets, supports stretching of background images. متاسفانه, not a single browser I have tried supports it. So I reverted to good-old image hacking, basically injecting the background in a negative Z-indexed <div> block at a fixed position.

    بله, that last sentence is a great conversation breaker. But trust me, it is the injection portion that’s trickiest. For one, I do not like it when plugins require me to manually modify files, let alone modify files in the first place. So I assume there are other people out there who think alike. So how can I change a WordPress theme without actually modifying its files? Enter Javascript, jQuery to be specific, and we are on our way to great trickery!

    So in the end, WP Flickr Background will use Javascript to add a new background image overlaid by the actual (original) contents. And it works! حداقل, it does so with Opera 10, Firefox 3, Google Chrome 3, MSIE 8 and Safari 4. Hence I am now putting the plugin through a public Alpha test, waiting for complaints to roll in: “Your website looks weird” و “I’m getting Javascript errors” are some of the things I am expecting to see during testing, but hopefully there will be none! Yحقll let me know, right?

    If I am satisfied that there are no major issues with the plugin, then I will make it available for download. In meantime, I will be re-arranging a few things on the website once again to make room for the new plugin and a few others I am thinking about writing. So please excuse construction going on in the next few days!

    پست های مرتبط:

    1. وپ Flickr سابقه و هدف
    2. WP Flickr Background version 1.0.2 (Beta) available
    3. وپ نسخه Flickr سابقه و هدف 1.0.3 (بتا) در دسترس

    ]]>     http://www.myatus.co.uk/fa/2010/01/20/wp-flickr-background-in-alpha-testing/feed/ 9