Mar 13, 2019

NGINX SSL/設定檔案

# Worker processes run as the compiled-in default user (nobody) while this
# stays commented out.
#user  nobody;
# A single worker; 'auto' (one per CPU core) is the usual choice on
# multi-core hosts.
worker_processes  1;

# Error log and pid file use the compiled-in defaults while these stay
# commented out.
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    # Maximum simultaneous connections per worker (client plus upstream
    # connections); with one worker that is the whole server's capacity.
    worker_connections  1024;
}

http {
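    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    # No access_log is declared here or in the server blocks, so requests go
    # to the compiled-in default (logs/access.log, combined format).
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # Compression also applies to the TLS server below. A compressed response
    # that mixes a secret (session/CSRF token) with input reflected from the
    # request is exposed to BREACH-style attacks; keep such dynamic HTML/JSON
    # out of gzip_types or turn gzip off for those locations.
    gzip on;
    # text/html is always compressed. JPEG/GIF/PNG were removed from the list:
    # those formats are already compressed, so gzip only costs CPU on them.
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/json text/xml application/xml+rss;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    # Level 9 gains little over 5-6 but costs noticeably more CPU per response.
    gzip_comp_level 9;
    gzip_min_length 10k; # only responses larger than this size are compressed; 1000 (bytes) is also a valid value
    gzip_buffers 4 32k;
    # Emit "Vary: Accept-Encoding" so caches keep compressed and plain copies apart.
    gzip_vary on;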

    #server {
    #    listen       80;
    #    server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
    #    error_page   500 502 503 504  /50x.html;
    #    location = /50x.html {
    #        root   html;
    #    }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    #}


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    server {
        # Catch-all plain-HTTP listener (IPv4 and IPv6). Every request is
        # answered with a permanent redirect to the HTTPS site, keeping the
        # original path and query string. The target host is the configured
        # name (what $server_name expands to here), not the client-supplied
        # Host header, so the redirect target cannot be steered by a request.
        server_name mysite.idv.tw;
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://mysite.idv.tw$request_uri;
    }

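    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        # Same name as the port-80 redirect server so $server_name and error
        # output refer to the intended host; default_server still makes this
        # block answer every other SNI name.
        server_name mysite.idv.tw;

        # One PEM bundle: leaf certificate first, then the intermediate(s).
        ssl_certificate /etc/nginx/ssl/demo/mysite.idv.tw.bundle.crt;
        # Private key: keep it root-only (0600) and outside any served path.
        ssl_certificate_key /etc/nginx/ssl/demo/mysite.idv.tw.key;
        # The DHE-* suites in ssl_ciphers are only negotiable once a parameter
        # file is configured here; while this stays commented out they are
        # skipped (older nginx releases instead fell back to a built-in
        # 1024-bit group - check the running version).
        #ssl_dhparam /etc/nginx/ssl/demo/dhparams.pem;

        # Exactly one cache definition. The original carried two
        # ssl_session_cache lines (9m and 10m); nginx either rejects the second
        # as a duplicate directive or lets the last one win, so keep one.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # TLS 1.2 only; add TLSv1.3 once the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # AEAD ECDHE suites first; the CBC/SHA1 tail keeps older clients working.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        # OCSP stapling. Per the nginx docs, verification needs the issuer and
        # root certificates loaded with ssl_trusted_certificate; none is set
        # here, so check error.log for stapling warnings if staples go missing.
        ssl_stapling on;
        ssl_stapling_verify on;

        # Security headers. nginx only sends add_header values with 2xx/3xx
        # responses unless 'always' is given (added here so error pages carry
        # HSTS too), and a location that declares its own add_header drops all
        # of these - re-declare them there.
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options nosniff always;
        # Legacy header: current browsers ignore it; kept for older ones.
        add_header X-XSS-Protection "1; mode=block" always;
        # Two years, subdomains included, preload-list eligible - keep
        # 'preload' only if every subdomain is served over HTTPS.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        # Only used to resolve the OCSP responder for stapling.
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        # No root or location / is declared, so content comes from the default
        # 'html' directory under the nginx prefix.
        location ~ /\.ht {
            deny all;
        }
    }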
}

Jul 31, 2018

HTTP Server、SSL 操作與設定



Part 1: 自建 private key, 建立 CSR 申請第三方憑證
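# private key, protected by a passphrase (keep it). -aes256 replaces the legacy
# -des3 (3DES) wrapping; both prompt for the passphrase in the same way.
# On a POSIX shell run `umask 077` first so private.key is created owner-only.
openssl genrsa -aes256 -out private.key 2048

# certificate signing request (CSR); prompts for the passphrase and the
# subject fields listed below
openssl req -new -key private.key -out domaincsr.csr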

#產生如下列問題:
Country Name (2 letter code) [XX]:TW => 填寫國名(兩碼),填完後按下enter
State or Province Name (full name) []:Taiwan =>填寫州或郡,填完後按下enter
Locality Name (eg, city) [Default City]:Taipei =>填寫城市名稱,填完後按下enter
Organization Name (eg, company) [Default Company Ltd]:MyCompany Inc =>填寫公司名稱,填完後按下enter
Organizational Unit Name (eg, section) []:IT Dept =>填寫部門名稱,填完後按下enter
Common Name (eg, your name or your server's hostname) []:www.mydomain.com =>填寫保護網域名稱,填完後按下enter
Email Address []: demo@mydomain.com=>填寫電子郵件地址(可不填),填完後按下enter
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: =>請留空白,按下enter
An optional company name []: =>填寫公司名稱(可不填),填完後按下enter

#利用 domaincsr.csr 申請第三方憑證

reference url:
1. https://blog.longwin.com.tw/2014/08/apache2-ssl-create-build-setup-2014/
2. https://slproweb.com/products/Win32OpenSSL.html
3. http://wiki.gandi.net/zh-tw/ssl/dcv


Part 2: 申請到憑證之後下載憑證串鏈
至少包含 2 張憑證,分別是
1. 中繼憑證 (第三方單位會提供 or 直接下載)
ex: GandiStandardSSLCA2.pem

2. 第三方單位發下來的憑證 (第三方單位會提供 or 直接下載)
ex: mydomain.crt

Part 3: 製作 HTTP Server 憑證串
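# strip the passphrase from the private key (prompts once for it); the output
# is a plaintext key, so restrict it to the owner immediately
openssl rsa -in private.key -out server_no_pwd.key
chmod 600 server_no_pwd.key

# key file for the web server
cat server_no_pwd.key > server.key
chmod 600 server.key

# certificate chain for the web server: the server (leaf) certificate MUST come
# first, followed by the intermediate CA certificate. nginx's ssl_certificate
# and httpd's SSLCertificateFile read the file in that order; with the
# intermediate first (as in the original) nginx treats the intermediate as the
# server certificate and refuses to start with a key/certificate mismatch.
cat mydomain.crt GandiStandardSSLCA2.pem > server.pem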

Part 4: 確認共有三個檔案內容:
1. 自行產生的 private key: server.key
2. 串聯的憑證: server.pem
3. 第三方認證公司發行的憑證: mydomain.crt


於 Apache2 的設定範例

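ServerAdmin admin@mydomain.com.tw
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
# NOTE(review): gandi_key/ sits inside DocumentRoot, so server.key is a plain
# file under the web root - move the directory outside DocumentRoot (or deny
# it with a <Directory> block) so the key can never be served.
# server.pem: leaf certificate first, then the intermediate; httpd 2.4.8+
# reads the whole chain from this file.
SSLCertificateFile /var/www/html/gandi_key/server.pem
SSLCertificateKeyFile /var/www/html/gandi_key/server.key
# The chain file is the issuing CA certificate, not the server certificate the
# original pointed at (redundant once server.pem carries the chain, and
# deprecated since 2.4.8, but harmless on older releases).
SSLCertificateChainFile /var/www/html/gandi_key/GandiStandardSSLCA2.pem

# NOTE(review): the two bare SSLOptions lines look like the bodies of the
# <FilesMatch ...> and <Directory ...> containers from the stock default-ssl.conf
# whose container tags were lost when this page was rendered; restore them
# from the distribution's template. As written they just repeat the option at
# vhost level.
SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

# Legacy MSIE workarounds carried over from the stock template.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown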


於 Nginx 的設定範例
# HTTPS server
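server {
    listen 443 ssl;
    server_name mydomain.com.tw;
    # Access log path as given in the original (presumably a Windows host).
    access_log C://data//BackendService//logs//access_log.log;

    # OCSP stapling; verification uses the CA chain from ssl_trusted_certificate.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Every directive must end with ';' - the original omitted it on the three
    # certificate lines, which makes nginx reject the whole configuration.
    # server.pem holds the leaf certificate first, then the intermediate.
    ssl_certificate /ngnix/gandi_key/server.pem;
    # Unencrypted private key: readable by the nginx master process only.
    ssl_certificate_key /ngnix/gandi_key/server.key;

    # Without ssl_protocols, nginx defaults of this era still offered TLSv1
    # and TLSv1.1; restrict to TLS 1.2 as the other example on this page does.
    ssl_protocols TLSv1.2;
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout 5m;

    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;

    # Trust anchor for OCSP verification: the issuing (intermediate) CA
    # certificate - plus the root if the responder's chain needs it - not the
    # server certificate the original pointed at.
    ssl_trusted_certificate /ngnix/gandi_key/GandiStandardSSLCA2.pem;

    location / {
        proxy_pass http://127.0.0.1:4001/;
        # WebSocket pass-through. "Connection: upgrade" is sent on every
        # request here; the usual pattern derives it from $http_upgrade via a
        # map in the http context so ordinary requests keep a normal
        # Connection header. The backend does not receive X-Forwarded-* headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}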

Aug 26, 2014

Installing Tomcat 7 + Postgres 9.3 on Amazon Linux


-------------------------------------------------------------------------------------------------------
Tomcat Part
-------------------------------------------------------------------------------------------------------

# install tomcat7. tomcat7-admin-webapps ships the Manager / Host Manager
# applications: restrict them to trusted addresses and strong credentials in
# tomcat-users.xml before the host is reachable from the internet, and drop
# tomcat7-docs-webapp on a production box.
sudo yum install tomcat7-webapps tomcat7-docs-webapp tomcat7-admin-webapps

# auto startup at boot (SysV init)
sudo chkconfig tomcat7 on

# redirect port: Tomcat keeps listening on 8080 as an unprivileged user and
# the NAT rule rewrites incoming packets for port 80 to 8080. PREROUTING only
# covers traffic arriving from the network - connections made on the host
# itself still have to use 8080.
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# persist the rule so it survives a reboot
sudo /sbin/service iptables save
       
 

-------------------------------------------------------------------------------------------------------
Postgres Part
-------------------------------------------------------------------------------------------------------

Install with rpm/yum from the postgres repo

In the files
/etc/yum.repos.d/amzn-main.repo
and
/etc/yum.repos.d/amzn-updates.repo add the following in the
block [amzn-main]:

///////////////////////////////////////
exclude=postgresql*
///////////////////////////////////////

Then, install the repo rpm and run yum
# Change to home directory to download the software
cd ~/

# Get the right postgresql package (Redhat 64 Bit)
# NOTE(review): the repo rpm is fetched over plain HTTP with no checksum;
# verify its signature against the PGDG key before installing (rpm -ivh only
# warns and proceeds when the signing key is not imported), or fetch it over
# https if the mirror offers it.
wget http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-redhat93-9.3-1.noarch.rpm

# Install the package: repo definition first, then server, client and the
# -devel package (headers / pg_config for building drivers and extensions)
sudo rpm -ivh pgdg-redhat93-9.3-1.noarch.rpm
sudo yum install postgresql93 postgresql93-server postgresql93-devel

# Check that the service is installed
sudo service postgresql-9.3 status
# should return "is stopped"

# init the DB: creates the cluster with the packaged default pg_hba.conf and
# postgresql.conf - review both before opening the server to the network
sudo service postgresql-9.3 initdb

# Start the DB
sudo service postgresql-9.3 start

# connect as the postgres OS user over the local socket
sudo su - postgres
psql

# auto startup at boot
sudo chkconfig postgresql-9.3 on
       
 
source

Jul 11, 2014

Automatically Retry Failed Jobs in Quartz


Source: Automatically Retry Failed Jobs in Quartz

Retrying continuously until success:
If you want to keep trying over and over again until the job succeeds, all you have to do is throw a JobExecutionException with a flag to tell the scheduler to fire it again when it fails. The following code shows how:


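class MyJob implements Job {

  /** Pause before asking the scheduler to refire, so a failing job does not spin. */
  private static final long RETRY_DELAY_MS = 10000L;

  public MyJob() {
  }

  /**
   * Runs the job and, on any failure, asks Quartz to fire it again immediately.
   *
   * <p>The refire flag has to be set explicitly: {@code JobExecutionException.refireImmediately()}
   * is the boolean <em>getter</em>, so calling it (as the original did) never enabled the refire.
   * The back-off is a plain sleep on the scheduler's worker thread, which stays occupied for that
   * long; {@code Thread.sleep} throws the checked {@code InterruptedException}, which the original
   * did not handle and therefore did not compile.
   *
   * @param context the execution context handed over by the scheduler (not used here)
   * @throws JobExecutionException wrapping the failure with refire requested; or, when the thread
   *     is interrupted while waiting, without refire after restoring the interrupt flag
   */
  @Override
  public void execute(JobExecutionContext context) throws JobExecutionException {
    try {
      //do something
    } catch (Exception e) {
      try {
        Thread.sleep(RETRY_DELAY_MS); //sleep for 10 secs
      } catch (InterruptedException ie) {
        // Restore the flag so the scheduler sees the interrupt; do not refire.
        Thread.currentThread().interrupt();
        throw new JobExecutionException("Interrupted while waiting to retry", ie, false);
      }
      //fire it again: the second constructor argument is refireImmediately
      throw new JobExecutionException(e, true);
    }
  }
}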
       
 

Retrying n times:
It gets a bit more complicated if you want to retry a certain number of times only. You have to use a StatefulJob and hold a retryCounter in its JobDataMap, which you increment if the job fails. If the counter exceeds the maximum number of retries, then you can disable the job if you wish.




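class MyJob implements StatefulJob {

  /** JobDataMap key under which the failure counter is kept between firings. */
  private static final String COUNT_KEY = "count";
  /** Number of consecutive failures after which the job unschedules itself. */
  private static final int MAX_RETRIES = 5;
  /** Pause before asking the scheduler to refire, so a failing job does not spin. */
  private static final long RETRY_DELAY_MS = 10000L;

  public MyJob() {
  }

  /**
   * Runs the job, refiring it on failure until {@link #MAX_RETRIES} consecutive failures have been
   * counted, then unschedules all of its triggers.
   *
   * <p>The counter lives in the job's {@code JobDataMap}; it survives the refire only because the
   * job is stateful (Quartz persists the map after each execution). On Quartz 2.x the
   * {@code StatefulJob} interface is deprecated in favour of the
   * {@code @PersistJobDataAfterExecution} and {@code @DisallowConcurrentExecution} annotations.
   *
   * <p>The refire flag must be set explicitly: {@code JobExecutionException.refireImmediately()}
   * is the boolean <em>getter</em>, so calling it (as the original did) never enabled the refire.
   * {@code Thread.sleep} throws the checked {@code InterruptedException}, which the original did
   * not handle and therefore did not compile.
   *
   * @param context the execution context; its job detail carries the counter map
   * @throws JobExecutionException with all triggers unscheduled once the retry budget is spent;
   *     otherwise wrapping the failure with refire requested, or - when interrupted while
   *     waiting - without refire after restoring the interrupt flag
   */
  @Override
  public void execute(JobExecutionContext context) throws JobExecutionException {
    JobDataMap dataMap = context.getJobDetail().getJobDataMap();
    // getIntValue() fails on a missing key, so start from 0 when the counter
    // has not been seeded in the job's data map.
    int count = dataMap.containsKey(COUNT_KEY) ? dataMap.getIntValue(COUNT_KEY) : 0;

    // allow 5 retries
    if (count >= MAX_RETRIES) {
      JobExecutionException e = new JobExecutionException("Retries exceeded");
      //unschedule it so that it doesn't run again
      e.setUnscheduleAllTriggers(true);
      throw e;
    }

    try {
      //do something

      //reset counter back to 0
      dataMap.putAsString(COUNT_KEY, 0);
    } catch (Exception e) {
      // Record the failure before sleeping so it is persisted even if the
      // wait is interrupted.
      dataMap.putAsString(COUNT_KEY, count + 1);
      try {
        Thread.sleep(RETRY_DELAY_MS); //sleep for 10 secs
      } catch (InterruptedException ie) {
        // Restore the flag so the scheduler sees the interrupt; do not refire.
        Thread.currentThread().interrupt();
        throw new JobExecutionException("Interrupted while waiting to retry", ie, false);
      }
      //fire it again: the second constructor argument is refireImmediately
      throw new JobExecutionException(e, true);
    }
  }
}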
       
 

May 3, 2014

Admob廣告收入


Admob廣告收入構成
收入=廣告展示量/1,000 * 千次展示收入
千次展示收入=點擊率 * 廣告單價
廣告單價,台灣大概0.1 USD,各國不一定
假設一個月
廣告展示量=100,000 次
點擊率 = (0.1%) 0.001
廣告收入=100000/1000*0.001*0.1=0.01USD
但是其他報告是說,
行動裝置平均每次點擊約有0.01 USD,一般網頁平均每次點擊約有0.1 USD
這報告告訴大家,錢真的不好賺啊 QQ