Application Pool Identities

Introduction

Whether you are running your site on your own server or in the cloud, security must be at the top of your priority list. If so, you will be happy to hear that IIS has a security feature called the application pool identity. This feature was introduced in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool. The image below shows an IIS worker process (W3wp.exe) running as the DefaultAppPool identity.

Application Pool Identity Accounts

Worker processes in IIS 6.0 and in IIS 7 run as Network Service by default. Network Service is a built-in Windows identity. It doesn’t require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can’t be used by a malicious user to take over the whole system.

However, a problem arose over time as more and more Windows system services started to run as Network Service, because services running as Network Service can tamper with other services that run under the same identity. Since IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run them under unique identities. The Windows operating system provides a feature called “virtual accounts” that allows IIS to create a unique identity for each of its application pools. Click here for more information about Virtual Accounts.

Continue reading “Application Pool Identities”

The Mystery of Li Lei and Han Meimei's Backstory Revealed

Li Lei and Han Meimei: did they secretly fancy each other? Did they date? Did they break up? In those youthful years that seemed to stretch on forever, every student who once held a junior-high English textbook, bored during the day, probably indulged in all sorts of wild imaginings like these. According to statistics, from 1990 to 2000 the junior-high English textbooks carrying the stories of "Li Lei and Han Meimei" taught a full one hundred million people.

The official, authoritative explanation: the mystery of Li Lei and Han Meimei's backstory revealed

So, setting aside the many songs, stage plays, comics, short films and adapted stories based on Li Lei and Han Meimei, would you like to hear the official "gossip" about them and the story behind this legendary set of textbooks?

Here is your chance. Recently, at the release of the results of the project "Collation and Research on a Century of Chinese Textbooks", the editors of the WeChat public account "人民日报政文" (People's Daily Politics and Culture) investigated in person and uncovered the "mystery of the backstory" of Li Lei and Han Meimei.

An "epoch-making" textbook

Continue reading “李雷和韩梅梅身世之谜揭晓”

Windows PowerShell Quick Reference

How to Access Arguments

To access the command-line arguments passed when a script is started, use the automatic variable $args. You can cycle through the individual arguments in the $args collection with code similar to this:

foreach ($i in $args) {$i}

To access a particular argument use the collection index number, with 0 representing the first item in the collection, 1 representing the second item, etc:

$args[0]

You can reference the last item in a collection by using the index number -1:

$args[-1]

How to Use Colored Text

To display text in a different color use the Write-Host cmdlet and specify a foreground color:

You can also specify a different background color:

How to Get More Information

Continue reading “Windows PowerShell Quick Reference”

Nginx virtual host & php-fpm settings

Sharing some of the nginx settings on my current VPS so that I don't forget them myself.

Global nginx settings (anything not listed uses the default):

# User and group the nginx processes run as (principle of least privilege)
user www-data www-data;
# Number of worker processes nginx starts
worker_processes 4;
# Enable the NAXSI core security rules (SQL injection, cross-site scripting and the like)
include /etc/nginx/naxsi_core.rules;
# Enable gzip-compressed output; disable gzip for IE6
gzip on;
gzip_disable "msie6";

Settings for the virtual hosts:

First, the reverse proxy:

server {
    ### server port and name ###
    listen 443;
    ssl on;
    server_name ******.zhuoyue.me;

    ### SSL log files ###
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate /home/niyouzhu/nginxssl/server.crt;
    ssl_certificate_key /home/niyouzhu/nginxssl/server.key;

    ### Add SSL specific settings here ###
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ### We want full access to SSL via backend ###
    location / {
        proxy_pass https://localhost:4200;

        ### force failover if one of the backends has died ###
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ###
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Most PHP, Python, Rails, Java apps can use this header ###
        #proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        proxy_redirect off;
    }
}
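The server block above still offers SSLv3 and RC4, both of which are broken, and uses the deprecated "ssl on;" form. The following is a hardened TLS block for the same reverse proxy, added here as an example and not part of the original post; the log paths, certificate paths and backend port are the author's, the host name is a placeholder for the elided one, and the cipher list and HSTS value are assumptions (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1):

```nginx
server {
    listen 443 ssl;                        # replaces the deprecated "ssl on;"
    server_name example.zhuoyue.me;        # placeholder, the real host is elided above

    access_log /var/log/nginx/ssl-access.log;
    error_log  /var/log/nginx/ssl-error.log;

    ssl_certificate     /home/niyouzhu/nginxssl/server.crt;
    ssl_certificate_key /home/niyouzhu/nginxssl/server.key;

    # SSLv3 (POODLE), TLS 1.0/1.1 and RC4 are dropped; only TLS 1.2+ with
    # forward-secret AEAD suites remains (assumed list, in the Mozilla
    # "intermediate" spirit)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;         # every offered suite is strong, let the client choose
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;               # a long-lived ticket key would undo forward secrecy

    # tell browsers to stay on HTTPS (six months; assumed value)
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        proxy_pass https://localhost:4200;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
```

Check the result with "nginx -t" before reloading, since an unsupported protocol or cipher name makes the whole configuration fail to load.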

For creating the self-signed SSL certificate used above, see my other article: Ubuntu+LAMP+Nginx

Next, the settings for an ordinary virtual host.

Continue reading “Nginx virtual host & php-fpm settings”

20 Years On, the World's First Genetically Modified Animal Goes on Sale as Human Food

In the United States, genetically modified crops first came to market in 1996 and were rapidly and widely adopted. In 2013, measured by planted area, at least 95% of sugar beets, 93% of soybeans, and 90% of cotton and corn in the US were GM varieties, according to the USDA's National Agricultural Statistics Service.

On 19 November 2015, after a comprehensive scientific review, the US Food and Drug Administration (FDA) approved the world's first genetically modified animal for human consumption: the AquAdvantage genetically modified Atlantic salmon. This GM salmon grows about twice as fast as ordinary salmon and can cut feed costs by 75%.

The GM salmon first appeared in 1989, based on antifreeze protein technology developed at the University of California, Berkeley. A/F Protein was founded in 1991; in 1993 the company sought regulatory guidance from the FDA, and in 1995 it began applying for commercialization.

In 1996, A/F Protein licensed the AquAdvantage technology from the University of Toronto and Memorial University of Newfoundland, and in 2000 it was reorganized into two separate companies: A/F Protein, which kept the antifreeze protein technology, and AquaBounty Farm, which obtained the AquAdvantage technology. AquaBounty Farm, headquartered in Waltham, Massachusetts, was renamed AquaBounty Technologies in 2004.

Continue reading “20年后的今天,世界首个转基因动物开始供人类食用”

LAMP+VPS+VPN+SSH

For well-known reasons I had long planned to move my server abroad. Over the weekend I browsed a few overseas VPS providers and picked one. The original server held more than 7 GB of data, including several sites and personal documents, and of course this blog. For the past two days, after getting home from work, I have been SSHed into the VPS tinkering, and it is now basically in shape. Below is a list of the services it currently provides.

VPN: the first thing to do with an overseas VPS is of course to set up a VPN, so that the firewall can be bypassed freely. The VPN service used is Pritunl.

Because the company network only allows port 80 outbound, I cannot reach the VPS from the office, so I set up a web-based SSH on the VPS using shellinabox.

Then I set up the three essential services: Apache2, MySQL, PHP.

Apache provides a reverse proxy for access to Pritunl and shellinabox.

The firewall is ufw.

[2015/12/1] Apache's concurrency performance is not as good as nginx's, so today I replaced Apache with nginx. Many of the Apache URL rewrite rules cannot be used under nginx, so I rewrote some of the URL rewrite rules.

Markdown Syntax

Overview

Philosophy

Markdown's goal is to be "easy to read and easy to write".

Readability, however, is emphasized above all else. A document written in Markdown format should be publishable as-is, as plain text, without looking like it has been marked up with tags or formatting instructions. Markdown's syntax has been influenced by several existing text-to-HTML formats, including Setext, atx, Textile, reStructuredText, Grutatext and EtText, but the single biggest source of inspiration is the format of plain-text email.

To this end, Markdown's syntax is composed entirely of punctuation characters, carefully chosen so that their function is obvious at a glance. For example, asterisks around a word look like *emphasis*. Markdown lists look, well, like lists. Markdown blockquotes really look like quoted passages of text, the way you have seen them in email.

Compatible with HTML

Markdown's syntax is intended for one purpose: to be a writing format for the web.

Markdown is not trying to replace HTML, or even to come close to it; its syntax is very small, corresponding only to a small subset of HTML tags. The idea behind Markdown is not to make HTML documents easier to write. In my view, HTML is already easy to write. Markdown's philosophy is to make documents easier to read, write and freely edit. HTML is a publishing format; Markdown is a writing format. Thus, Markdown's formatting syntax only covers what plain text can convey.

Continue reading “Markdown 语法”

Install gulp

1. Install gulp globally:

$ npm install --global gulp

2. Install gulp in your project devDependencies:

$ npm install --save-dev gulp

3. Create a gulpfile.js at the root of your project:

var gulp = require('gulp');

gulp.task('default', function() {
  // place code for your default task here
});

4. Run gulp:

$ gulp

The default task will run and do nothing.

To run individual tasks, use gulp <task> <othertask>.

Create gulpfile.js in the project root and require the modules you need:

var gulp = require('gulp'),
    minifycss = require('gulp-minify-css'),
    concat = require('gulp-concat'),
    uglify = require('gulp-uglify'),
    rename = require('gulp-rename'),
    del = require('del');

Minify CSS

gulp.task('minifycss', function() {
    return gulp.src('src/*.css')              // files to minify
        .pipe(minifycss())                    // minify first, so that the written files are the minified ones
        .pipe(gulp.dest('minified/css'));     // output folder
});

Minify JS

gulp.task('minifyjs', function() {
    return gulp.src('src/*.js')
        .pipe(concat('main.js'))              // concatenate all JS into main.js
        .pipe(gulp.dest('minified/js'))       // write the unminified main.js to the output folder
        .pipe(rename({suffix: '.min'}))       // rename the minified copy to main.min.js
        .pipe(uglify())                       // minify
        .pipe(gulp.dest('minified/js'));      // write main.min.js
});

Before minifying, clear out the contents of the output folders

gulp.task('clean', function(cb) {
    // del 1.x takes a completion callback so gulp waits for the deletion
    del(['minified/css', 'minified/js'], cb);
});

Default task: this is what runs when you type gulp at the command prompt

gulp.task('default', ['clean'], function() {
    // runs only after 'clean' has finished
    gulp.start('minifycss', 'minifyjs');
});

Visual Studio 2012 / 2013 Update 1 2 3 4 5 Offline Installer

  1. Get the update from Microsoft here. (updated with the Update 4 link)
  2. Save the file to a folder.
  3. Open the folder. Pro tip: Shift + right-click the background of the folder and choose ‘Open command window here’.
  4. In the command window type VS2013.4.exe /Layout (or VS2013.1.exe /Layout or VS2013.2.exe /Layout, depending on your update).
  5. It will then ask you where you would like to save and extract the files.
  6. This step will take some time depending on your download speed. This is the step that adds time to the install when you choose the web installer.
  7. You will now see a folder with the update installer along with all the source files. You can now store this safely on a network share or your hard drive and update your installation of Visual Studio without downloading 2 GB of files!
  8. This should work for any version of Visual Studio going forward.