Debian Jessie + PHP + OCI8

How to install the OCI8 connector for php5 on Debian (8.x), aka Jessie.

  • Debian 8.6 x86-64
  • Oracle Instant Client 11.2

Preparation:

apt-get install build-essential php5-dev php-pear libaio1 unzip

Download the Oracle Instant Client (basic and sdk) from Oracle's site:

# cp *.zip /usr/local/lib/
# cd /usr/local/lib/
# unzip instantclient-sdk-linux.x64-11.2.0.4.0.zip 
Archive:  instantclient-sdk-linux.x64-11.2.0.4.0.zip
   creating: instantclient_11_2/sdk/
   creating: instantclient_11_2/sdk/include/
  inflating: instantclient_11_2/sdk/include/occi.h  
  inflating: instantclient_11_2/sdk/include/occiCommon.h  
  inflating: instantclient_11_2/sdk/include/occiControl.h  
  inflating: instantclient_11_2/sdk/include/occiData.h  
  inflating: instantclient_11_2/sdk/include/occiObjects.h  
  inflating: instantclient_11_2/sdk/include/occiAQ.h  
  inflating: instantclient_11_2/sdk/include/oci.h  
  inflating: instantclient_11_2/sdk/include/oci1.h  
  inflating: instantclient_11_2/sdk/include/oci8dp.h  
  inflating: instantclient_11_2/sdk/include/ociap.h  
  inflating: instantclient_11_2/sdk/include/ociapr.h  
  inflating: instantclient_11_2/sdk/include/ocidef.h  
  inflating: instantclient_11_2/sdk/include/ocidem.h  
  inflating: instantclient_11_2/sdk/include/ocidfn.h  
  inflating: instantclient_11_2/sdk/include/ociextp.h  
  inflating: instantclient_11_2/sdk/include/ocikpr.h  
  inflating: instantclient_11_2/sdk/include/ocixmldb.h  
  inflating: instantclient_11_2/sdk/include/ocixstream.h  
  inflating: instantclient_11_2/sdk/include/odci.h  
  inflating: instantclient_11_2/sdk/include/oratypes.h  
  inflating: instantclient_11_2/sdk/include/ori.h  
  inflating: instantclient_11_2/sdk/include/orid.h  
  inflating: instantclient_11_2/sdk/include/orl.h  
  inflating: instantclient_11_2/sdk/include/oro.h  
  inflating: instantclient_11_2/sdk/include/ort.h  
  inflating: instantclient_11_2/sdk/include/xa.h  
  inflating: instantclient_11_2/sdk/include/nzt.h  
  inflating: instantclient_11_2/sdk/include/nzerror.h  
  inflating: instantclient_11_2/sdk/include/ldap.h  
   creating: instantclient_11_2/sdk/demo/
  inflating: instantclient_11_2/sdk/demo/demo.mk  
  inflating: instantclient_11_2/sdk/demo/cdemo81.c  
  inflating: instantclient_11_2/sdk/demo/occidemo.sql  
  inflating: instantclient_11_2/sdk/demo/occidemod.sql  
  inflating: instantclient_11_2/sdk/demo/occidml.cpp  
  inflating: instantclient_11_2/sdk/demo/occiobj.cpp  
  inflating: instantclient_11_2/sdk/demo/occiobj.typ  
  inflating: instantclient_11_2/sdk/SDK_README  
 extracting: instantclient_11_2/sdk/ottclasses.zip  
  inflating: instantclient_11_2/sdk/ott  
# unzip instantclient-basic-linux.x64-11.2.0.4.0.zip 
Archive:  instantclient-basic-linux.x64-11.2.0.4.0.zip
  inflating: instantclient_11_2/BASIC_README  
  inflating: instantclient_11_2/adrci  
  inflating: instantclient_11_2/genezi  
  inflating: instantclient_11_2/libclntsh.so.11.1  
  inflating: instantclient_11_2/libnnz11.so  
  inflating: instantclient_11_2/libocci.so.11.1  
  inflating: instantclient_11_2/libociei.so  
  inflating: instantclient_11_2/libocijdbc11.so  
  inflating: instantclient_11_2/ojdbc5.jar  
  inflating: instantclient_11_2/ojdbc6.jar  
  inflating: instantclient_11_2/uidrvci  
  inflating: instantclient_11_2/xstreams.jar  
# cd instantclient_11_2/
# ls -al
total 183536
drwxr-sr-x 3 root staff      4096 Nov 22 16:30 .
drwxrwsr-x 5 root staff      4096 Nov 22 16:30 ..
-rwxrwxr-x 1 root staff     25420 Aug 24  2013 adrci
-rw-rw-r-- 1 root staff       439 Aug 24  2013 BASIC_README
-rwxrwxr-x 1 root staff     47860 Aug 24  2013 genezi
-rwxrwxr-x 1 root staff  53865194 Aug 24  2013 libclntsh.so.11.1
-r-xr-xr-x 1 root staff   7996693 Aug 24  2013 libnnz11.so
-rwxrwxr-x 1 root staff   1973074 Aug 24  2013 libocci.so.11.1
-rwxrwxr-x 1 root staff 118738042 Aug 24  2013 libociei.so
-r-xr-xr-x 1 root staff    164942 Aug 24  2013 libocijdbc11.so
-r--r--r-- 1 root staff   2091135 Aug 24  2013 ojdbc5.jar
-r--r--r-- 1 root staff   2739616 Aug 24  2013 ojdbc6.jar
drwxrwsr-x 4 root staff      4096 Aug 24  2013 sdk
-rwxrwxr-x 1 root staff    192365 Aug 24  2013 uidrvci
-rw-rw-r-- 1 root staff     66779 Aug 24  2013 xstreams.jar
# ln -s libclntsh.so.11.1 libclntsh.so
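The listing above shows most of the extracted files writable by group staff, and oci8.so loads libclntsh.so from this directory into every PHP process. The following script is an added example, not part of the original post, that reports such entries and removes the extra write permission. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: find Instant Client files that
# group or others can modify, then remove that write permission.

# List entries under $1 writable by group or others. Symlinks such as
# libclntsh.so are skipped: their own mode is rwxrwxrwx on Linux and says
# nothing about the library they point to.
writable_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
}

# Drop group/other write permission on every entry reported above.
tighten_tree() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Constructed sample tree reproducing two modes from the listing above.
demo=$(mktemp -d)
touch "$demo/libclntsh.so.11.1" "$demo/libnnz11.so"
chmod 775 "$demo/libclntsh.so.11.1"
chmod 555 "$demo/libnnz11.so"
ln -s libclntsh.so.11.1 "$demo/libclntsh.so"
writable_entries "$demo"    # reports only libclntsh.so.11.1
tighten_tree "$demo"
rm -rf "$demo"
```

On the real system the call would be tighten_tree /usr/local/lib/instantclient_11_2, run as root.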

According to the PECL site, we must install version 1.4.x of oci8 when using PHP5. We will use the parameter:

instantclient,/usr/local/lib/instantclient_11_2
# pecl install oci8-1.4.10
downloading oci8-1.4.10.tgz ...
Starting to download oci8-1.4.10.tgz (169,248 bytes)
.....done: 169,248 bytes
10 source files, building
running: phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib' if you're compiling with Oracle Instant Client [autodetect] : instantclient,/usr/local/lib/instantclient_11_2
building in /tmp/pear/temp/pear-build-rootutoK4c/oci8-1.4.10
running: /tmp/pear/temp/oci8/configure --with-oci8=instantclient,/usr/local/lib/instantclient_11_2
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a sed that does not truncate output... /bin/sed
[...]
Build complete.
Don't forget to run 'make test'.

running: make INSTALL_ROOT="/tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10" install
Installing shared extensions:     /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr/lib/php5/20131226/
running: find "/tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10" | xargs ls -dils
262997   4 drwxr-xr-x 3 root root   4096 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10
263027   4 drwxr-xr-x 3 root root   4096 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr
263028   4 drwxr-xr-x 3 root root   4096 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr/lib
263029   4 drwxr-xr-x 3 root root   4096 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr/lib/php5
263030   4 drwxr-xr-x 2 root root   4096 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr/lib/php5/20131226
263026 504 -rwxr-xr-x 1 root root 512928 Nov 22 16:39 /tmp/pear/temp/pear-build-rootutoK4c/install-oci8-1.4.10/usr/lib/php5/20131226/oci8.so

Build process completed successfully
Installing '/usr/lib/php5/20131226/oci8.so'
install ok: channel://pecl.php.net/oci8-1.4.10
configuration option "php_ini" is not set to php.ini location
You should add "extension=oci8.so" to php.ini

We can enable the extension in PHP5:

echo "extension=oci8.so"  > /etc/php5/mods-available/oci8.ini
php5enmod oci8
service apache2 restart

Let's check that it is enabled in php5:

# php5 -i | grep oci8
/etc/php5/cli/conf.d/20-oci8.ini,
oci8
oci8.connection_class => no value => no value
oci8.default_prefetch => 100 => 100
oci8.events => Off => Off
oci8.max_persistent => -1 => -1
oci8.old_oci_close_semantics => Off => Off
oci8.persistent_timeout => -1 => -1
oci8.ping_interval => 60 => 60
oci8.privileged_connect => Off => Off
oci8.statement_cache_size => 20 => 20

Linux, Nginx, Mysql, PHP (LEMP)

This is a short tutorial for installing a LEMP stack on an Amazon t1.micro instance.

My server:

Here LEMP stands for:

We use Nginx because it uses less memory than Apache and is also very fast. We chose PHP-FPM because it also performs very well, especially as load increases.

On Debian Wheezy it is preferable to use the Nginx packages from dotdeb or backports, because version 1.2 is a bit old.

Update and reboot the server before doing anything else:

apt-get update
apt-get dist-upgrade
reboot

Install MySQL:

apt-get install mysql-server mysql-client

If this is the first installation of the MySQL server, you will be asked to enter the password for MySQL's root user.

Run the mysql_secure_installation script to secure the MySQL server.

Install PHP-FPM with the MySQL and APC modules:

apt-get install php5-fpm php5-mysql php-apc

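Configure PHP-FPM by editing the file /etc/php5/fpm/php.ini

Change the line ";cgi.fix_pathinfo=1" to "cgi.fix_pathinfo=0". With 0, PHP only runs the exact script file it is given instead of guessing which file in the request path to execute.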

[...]

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0

[...]

Restart the php-fpm service:

service php5-fpm restart

There are several types of Nginx package in the repository:

  • nginx
  • nginx-full
  • nginx-light
  • nginx-naxsi
  • nginx-extras

As I have a small server, I will install the light version from the backports repository; otherwise you can choose plain nginx:

apt-get install -t wheezy-backports nginx-light

On my Amazon EC2 server, port tcp/80 (http) has to be added in the management console > "network & security" > "security groups".

Open your browser to test:


Configure Nginx to handle PHP scripts by editing the file /etc/nginx/sites-available/default

[...]

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/html;
        index index.php index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost myipaddress;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #       root /usr/share/nginx/html;
        #}

        # pass the PHP scripts to the PHP-FPM FastCGI server listening on
        # the Unix socket /var/run/php5-fpm.sock
        #
        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;

                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

[...]

Restart Nginx to apply the change:

service nginx restart

Test PHP support in Nginx by creating a script test.php in /usr/share/nginx/html/

<?php
 phpinfo();
?>


There, our little Amazon t1.micro server is ready to host PHP applications!

Vita tompoko.

Install and run Fanorona

Here is how to install and run the small Python program fanorona on debian/ubuntu:

apt-get install python-pygame python-numpy

wget https://github.com/mavenix/fanorona/archive/master.zip

unzip master.zip

cd fanorona-master

PYTHONPATH=lib/ ./fanorona

On Windows

  • Install python 2.x; at the time of writing this post I have 2.7.6, so I took Windows x86 MSI Installer (2.7.6) here: http://www.python.org/downloads/windows/
  • Install numpy from its site http://www.numpy.org/ or directly from SF http://sourceforge.net/projects/numpy/files/NumPy/ ; I took numpy-1.8.0-win32-superpack-python2.7.exe
  • Install pygame http://pygame.org/download.shtml ; I took pygame-1.9.1.win32-py2.7.msi
  • Download and unpack pyfanorona https://github.com/mavenix/fanorona/archive/master.zip
  • Add the PYTHONPATH environment variable in Windows, substituting the right values, as here: Control Panel > System and Security > System > Advanced system settings > Environment variables …
    • variable => PYTHONPATH
    • value => C:\Python27\Lib;C:\Python27\DLLs;C:\Python27\Lib\lib-tk;C:\Users\xxxx\Downloads\fanorona-master\lib
  • Modify the PATH variable for the python executable; be very careful with the %PATH% variable!!! Simply add ;C:\Python27 to the end of the value.
  • Launch cmd.exe and check that the changes are correct
    • echo %PATH%
    • echo %PYTHONPATH%
  • Launch cmd.exe, then do a cd C:\Users\xxxx\Downloads\fanorona-master\ and then python fanorona


Cisco ASA: The flash device is in use by another task.

When saving the running config on a Cisco ASA firewall, I got:

fw# wr mem
Building configuration…
Cryptochecksum: 49bcf8ed 0117bc47 f4a805a6 318d452e

102241 bytes copied in 3.750 secs (34080 bytes/sec)The flash device is in use by another task.
open(ffsdev/2/write/41) failed
The flash device is in use by another task.
open(ffsdev/2/write/3383) failed

[OK]

Check the sessions:

fw# sh ssh sessions

SID Client IP Version Mode Encryption Hmac State Username
0      thierry 2.0 IN    aes128-cbc md5 SessionStarted xxxxx
OUT aes128-cbc md5 SessionStarted xxxxx

You can disconnect another session with:

fw# ssh disconnect nnnnnnnn

If yours is the only session, you can also check with:

fw# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 00002ebf X.X.X.X:443 0.0.0.0:* LISTEN
SSL 0000562f Y.Y.Y.Y:443 0.0.0.0:* LISTEN
SSL 00006d6f Z.Z.Z.Z:443 0.0.0.0:* LISTEN
TCP 0000fd4f N.N.N.N:22 0.0.0.0:* LISTEN
TCP 0001097f N.N.N.N:22 0.0.0.0:* LISTEN
SSL 0bfb3ff8 X.X.X.X:443 mylaptopip:29073 ESTAB
SSL 0bfb60a8 X.X.X.X:443 mylaptopip:29075 ESTAB
TCP 0c611178 X.X.X.X:22 mylaptopip:43733 ESTAB

Hmmm, ASDM is still connected from my laptop!!!!

laptop$ ps aux | grep asdm

thierry 22418 0.1 1.0 3928300 82140 ? Sl 11:29 0:08 javaws -Xbootclasspath/a:/usr/share/icedtea-web/netx.jar:/usr/share/java/js.jar -Xms8m -classpath /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/rt.jar -Dicedtea-web.bin.name=javaws -Dicedtea-web.bin.location=/usr/bin/javaws -Djava.security.manager -Djava.security.policy=/etc/icedtea-web/javaws.policy net.sourceforge.jnlp.runtime.Boot /tmp/asdm-1.jnlp
thierry 22442 0.1 1.1 2435064 96388 ? Sl 11:29 0:11 javaws -Xbootclasspath/a:/usr/share/icedtea-web/netx.jar:/usr/share/java/js.jar -Xms8m -Xms64m -Xmx256m -XX:MaxNewSize=1024k -classpath /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/rt.jar -Dicedtea-web.bin.name=javaws -Dicedtea-web.bin.location=/usr/bin/javaws -Djava.security.manager -Djava.security.policy=/etc/icedtea-web/javaws.policy net.sourceforge.jnlp.runtime.Boot -Xnofork /tmp/asdm-1.jnlp

laptop$ kill -9 22418

and try again:

fw# wr mem
Building configuration…
Cryptochecksum: 49bcf8ed 0117bc47 f4a805a6 318d452e

102241 bytes copied in 3.750 secs (34080 bytes/sec)
[OK]

Blocking the Tor network on your Squid proxy

For some time now, Dansguardian has no longer been enough to filter my users' Web access. Some of them are clever enough to use Tor browsers. I let it pass because there are not many of them, but I then found that they were abusing the company's bandwidth.
So, to improve the installations I have done, like here or  , we are going to add a layer for Tor proxies.

We will create a script, to be run from cron, that automatically updates the IPs of the Tor proxies, and then block them at the Squid level.

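#!/bin/sh
# Refresh the list of Tor addresses used by the Squid "tor" ACL.
cd /etc/squid3/ || exit 1
# Download under a temporary name so a failed download keeps the previous list.
wget -q -O Tor_ip_list_ALL.csv.new http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv || exit 1
mv Tor_ip_list_ALL.csv.new Tor_ip_list_ALL.csv
sort Tor_ip_list_ALL.csv | uniq > tor
service squid3 reload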

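Then modify the Squid config file /etc/squid3/squid.conf, adding the ACL 'acl tor dst "/etc/squid3/tor"' and the access rule 'http_access deny tor'. Squid applies the first http_access rule that matches, so the deny rule must come before any allow rule that would match the same requests. For example: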

root@proxy:/etc/squid3# grep '^acl' squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl tor dst "/etc/squid3/tor"
...


root@proxy:/etc/squid3# grep '^http_access' squid.conf
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny tor
...
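
One way to harden the update step, as an added example that is not part of the original post: validate the downloaded list before Squid loads it, and keep the previous list when the download is unusable. The function names, the minimum-count threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original script: validate a downloaded Tor address
# list before it replaces the file read by the Squid "tor" ACL.

# Print the valid, de-duplicated IPv4 addresses found in file $1.
# HTML error pages, blank lines, CIDR ranges and hostnames are dropped.
clean_ip_list() {
    tr -d '\r' < "$1" | awk -F. '
        NF == 4 && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 1; i <= 4; i++)
                if (length($i) > 3 || $i > 255) next
            print
        }' | sort -u
}

# Replace list $2 with the cleaned content of download $1, but only if at
# least $3 addresses pass validation. On failure the old list is untouched.
install_ip_list() {
    src=$1 dest=$2 min=$3
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    clean_ip_list "$src" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "refusing to install $dest: only $count valid addresses" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv -f "$tmp" "$dest"    # rename within one directory is atomic
}

# Constructed sample download: duplicates, an error page, an invalid octet.
demo=$(mktemp -d)
printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 '<html>502</html>' \
    203.0.113.999 > "$demo/Tor_ip_list_ALL.csv"
install_ip_list "$demo/Tor_ip_list_ALL.csv" "$demo/tor" 2 && cat "$demo/tor"
rm -rf "$demo"
```

In the cron script, call install_ip_list on the downloaded file and run service squid3 reload only when it returns 0.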

There you go, until the next problem with the users …

Veloma