AskOverflow.Dev


WackGet's questions

WackGet
Asked: 2020-03-26 20:44:08 +0800 CST

Protecting access to certain pages/directories with Apache behind a Varnish cache?

Score: 0

I have a public website which contains some URLs/directories that are for private/internal use only. These private areas should only be reachable from specific IP addresses or with a known username/password.

Currently I achieve this with a .htaccess file, like so:

AuthType     Basic
AuthName     "Protected Area"
AuthUserFile /path/to/.htpasswd

SetEnvIf Remote_Addr     1.2.3.4 trusted
SetEnvIf X-Forwarded-For 1.2.3.4 trusted
# (Note I am aware X-Forwarded-For can be spoofed)

<RequireAny>
    Require env trusted
    Require valid-user
</RequireAny>

The problem is that I want to put Varnish in front of my server to provide caching. Obviously the existing setup won't work with Varnish, because it cannot cache content that is restricted by a .htaccess file in this way.

Is there a way I can keep using my .htaccess file to protect my internal pages, or is there a similar method I can use to put the security responsibility on Varnish itself, one that doesn't require me to change Varnish's VCL file every time I want to add or modify a restriction?

security varnish apache-2.4 centos7 mod-auth
  • 1 answer
  • 604 views
WackGet
Asked: 2020-03-25 22:10:54 +0800 CST

Varnish is dropping the X-Forwarded-For header when used with Apache ProxyPass

Score: 0

I'm using Varnish 4 and Apache's ProxyPass directive to try to cache content on an HTTPS website (running the Magento e-commerce software).

Varnish listens on port 80; Apache listens on ports 8080 (HTTP) and 443 (HTTPS).

In my SSL vhost I have a ProxyPass directive that proxies HTTPS requests to the Varnish server, like so:

    # Reverse proxy configuration for Varnish
    ProxyPreserveHost On
    ProxyPass         / http://127.0.0.1:80/
    RequestHeader     set X-Forwarded-Port "443"
    RequestHeader     set X-Forwarded-Proto "https"

My problem is that these proxied requests don't seem to carry an X-Forwarded-For header (or any other header that I can see). I set LogLevel trace4, and this is what arrives at the server on port 8080 after being proxied through Varnish:

http_request.c(437): [client 127.0.0.1:44580] Headers received from client:
http_request.c(441): [client 127.0.0.1:44580]   Host: 127.0.0.1
http_request.c(441): [client 127.0.0.1:44580]   Connection: close

The Varnish configuration file supplied by Magento is below.

It doesn't appear to remove the header, and when I did some debugging by adding std.syslog(0, req.http.X-Forwarded-For); to the VCL file, I was able to see the header in the log output.

Any ideas?

vcl 4.0;

import std;
# The minimal Varnish version is 4.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .first_byte_timeout = 600s;
    .probe = {
        .url = "/pub/health_check.php";
        .timeout = 2s;
        .interval = 5s;
        .window = 10;
        .threshold = 5;
    }
}

acl purge {
    "localhost";
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip !~ purge) {
            return (synth(405, "Method not allowed"));
        }
        # To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
        # has been added to the response in your backend server config. This is used, for example, by the
        # capistrano-magento2 gem for purging old content from varnish during its deploy routine.
        if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
            return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
        }
        if (req.http.X-Magento-Tags-Pattern) {
          ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
        }
        if (req.http.X-Pool) {
          ban("obj.http.X-Pool ~ " + req.http.X-Pool);
        }
        return (synth(200, "Purged"));
    }

    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "PUT" &&
        req.method != "POST" &&
        req.method != "TRACE" &&
        req.method != "OPTIONS" &&
        req.method != "DELETE") {
          /* Non-RFC2616 or CONNECT which is weird. */
          return (pipe);
    }

    # We only deal with GET and HEAD by default
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Bypass shopping cart, checkout and search requests
    if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
        return (pass);
    }

    # Bypass health check requests
    if (req.url ~ "/pub/health_check.php") {
        return (pass);
    }

    # Set initial grace period usage status
    set req.http.grace = "none";

    # normalize url in case of leading HTTP scheme and domain
    set req.url = regsub(req.url, "^http[s]?://", "");

    # collect all cookies
    std.collect(req.http.Cookie);

    # Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
            # No point in compressing these
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            unset req.http.Accept-Encoding;
        }
    }

    # Remove all marketing get parameters to minimize the cache objects
    if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
        set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
        set req.url = regsub(req.url, "[?|&]+$", "");
    }

    # Static files caching
    if (req.url ~ "^/(pub/)?(media|static)/") {
        # Static files should not be cached by default
        return (pass);

        # But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
        #unset req.http.Https;
        #unset req.http.X-Forwarded-Proto;
        #unset req.http.Cookie;
    }

    return (hash);
}

sub vcl_hash {
    if (req.http.cookie ~ "X-Magento-Vary=") {
        hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
    }

    # For multi site configurations to not cache each other's content
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }

    if (req.url ~ "/graphql") {
        call process_graphql_headers;
    }

    # To make sure http users don't see ssl warning
    if (req.http.X-Forwarded-Proto) {
        hash_data(req.http.X-Forwarded-Proto);
    }
    if (req.http.user-agent ~ "(?i)theme_blank") {
        hash_data("1");
    } elsif (req.http.user-agent ~ "(?i)theme_luma") {
        hash_data("3");
    }
}

sub process_graphql_headers {
    if (req.http.Store) {
        hash_data(req.http.Store);
    }
    if (req.http.Content-Currency) {
        hash_data(req.http.Content-Currency);
    }
}

sub vcl_backend_response {

    set beresp.grace = 3d;

    if (beresp.http.content-type ~ "text") {
        set beresp.do_esi = true;
    }

    if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
        set beresp.do_gzip = true;
    }

    if (beresp.http.X-Magento-Debug) {
        set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
    }

    # cache only successful responses and 404s
    if (beresp.status != 200 && beresp.status != 404) {
        set beresp.ttl = 0s;
        set beresp.uncacheable = true;
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;
        set beresp.ttl = 86400s;
        return (deliver);
    }

    # validate if we need to cache it and prevent from setting cookie
    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
        unset beresp.http.set-cookie;
    }

    # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
    if (beresp.ttl <= 0s ||
        beresp.http.Surrogate-control ~ "no-store" ||
        (!beresp.http.Surrogate-Control &&
        beresp.http.Cache-Control ~ "no-cache|no-store") ||
        beresp.http.Vary == "*") {
        # Mark as Hit-For-Pass for the next 2 minutes
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
    }

    return (deliver);
}

sub vcl_deliver {
    if (resp.http.X-Magento-Debug) {
        if (resp.http.x-varnish ~ " ") {
            set resp.http.X-Magento-Cache-Debug = "HIT";
            set resp.http.Grace = req.http.grace;
        } else {
            set resp.http.X-Magento-Cache-Debug = "MISS";
        }
    } else {
        unset resp.http.Age;
    }

    # Not letting browser to cache non-static files.
    if (resp.http.Cache-Control !~ "private" && req.url !~ "^/(pub/)?(media|static)/") {
        set resp.http.Pragma = "no-cache";
        set resp.http.Expires = "-1";
        set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
    }

    unset resp.http.X-Magento-Debug;
    unset resp.http.X-Magento-Tags;
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
    unset resp.http.X-Varnish;
    unset resp.http.Via;
    unset resp.http.Link;
}

sub vcl_hit {
    if (obj.ttl >= 0s) {
        # Hit within TTL period
        return (deliver);
    }
    if (std.healthy(req.backend_hint)) {
        if (obj.ttl + 300s > 0s) {
            # Hit after TTL expiration, but within grace period
            set req.http.grace = "normal (healthy server)";
            return (deliver);
        } else {
            # Hit after TTL and grace expiration
            return (fetch);
        }
    } else {
        # server is not healthy, retrieve from cache
        set req.http.grace = "unlimited (unhealthy server)";
        return (deliver);
    }
}
magento varnish apache-2.4
  • 1 answer
  • 2254 views
WackGet
Asked: 2018-08-23 14:55:51 +0800 CST

php-fpm not generating core dump files despite being configured to

Score: 2

I'm running CentOS 7 with php-fpm 5.4. I'm getting (signal 11) SIGSEGV errors in my php-fpm error log and want to debug them.

I followed the advice in "php5 fpm: how do you generate a core dump from a segfault?" but php-fpm doesn't even seem to try to generate a core dump. From the php-fpm error log:

WARNING: [pool website.com] child 26953 exited on signal 11 (SIGSEGV) after 0.931337 seconds from start

If a core dump had been generated it would read (SIGSEGV - core dumped), but it doesn't.

php
  • 3 answers
  • 1900 views
WackGet
Asked: 2015-09-09 18:36:42 +0800 CST

Is it possible to create a "virtual" SVN repository whose own folders point to folders in another repository (like an FS mount)?

Score: 0

I host a Subversion repository on a CentOS-based server. Several teams need access to different parts of the repository. I want to allow different users to see different parts of the repo and hide the other parts from them.

I know per-directory permissions can be set with path-based rules, so for example I could restrict the designer user to r/w on myrepo/myapp/media/images/ and myrepo/myapp/core/css/. But that means the designer has to use those two specific URLs to reach the images and css folders. He can't simply use the root URL unless I grant him read access to it.

I'd like him to be able to browse the directory tree freely, but only see the folders he has access to and their parents.

If this were a regular filesystem I'd use the bind --mount command to create a set of restricted directories like /home/designer/images, /home/designer/css and so on.

Can the same thing be done in an SVN repo?

At the very least, could I create a second "virtual" repository containing folders that are virtually linked to the real folders in the main repository (e.g. images, css)?

linux
  • 2 answers
  • 387 views

© 2023 AskOverflow.DEV All Rights Reserved