Why decloud is so important

Summary of the development of cloud computing

Since cloud computing was proposed in 2006, it has roughly passed through a formation stage, a development stage and an application stage. The past decade has been one of rapid progress in cloud computing, and the global cloud computing market has grown several times over. At present, the global cloud computing market maintains a steady growth trend. In 2019, the global cloud computing market represented by IaaS, PaaS and SaaS reached 188.3 billion, with a growth rate of 20.86%. The average market growth rate over the next few years is expected to be around 18%, and the market size is expected to exceed US$350 billion by 2023.

Looking ahead, cloud computing is set to enter its next golden decade and a period of broad adoption. First, with the advance of new infrastructure, cloud computing will speed up its application and develop rapidly in fields such as the Internet, government affairs, finance, transportation, logistics, and education. Second, in the context of the global digital economy, cloud computing has become an inevitable choice for enterprises' digital transformation, and the migration of enterprises to the cloud will accelerate further. Third, the COVID-19 pandemic has accelerated the adoption of SaaS services such as remote office and online education, and has driven the rapid development of the cloud computing industry.

Tutorial: deploying hexo to akash decloud

hexo is a static blog tool; it involves no backend or database at all.

1. Install Docker
Reference documentation: https://docs.docker.com/

2. docker-compose

docker-compose is not strictly required; it is used here to make managing our containers more convenient.

On macOS, docker-compose is installed automatically together with Docker; on Linux it has to be installed manually with the commands below.

$ curl -L https://github.com/docker/compose/releases/download/1.8.0/run.sh > /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose

Rails security issues

Rails already protects us against most vulnerability attacks. The more dangerous vulnerabilities, however, are mostly caused by the developers' own code. Here are a few vulnerabilities that come from code problems.

1. eval (executing strings as code): eval is very powerful, and also very dangerous.

Basic usage (from the documentation)

def get_binding(str)
  return binding   # the Binding of this method call, in which str is the argument
end
str = "hello"
eval "str + ' Fred'"                      #=> "hello Fred"  (evaluated in the caller's binding, where str == "hello")
eval "str + ' Fred'", get_binding("bye")  #=> "bye Fred"    (evaluated in the binding returned above, where str == "bye")

Unsafe

# xxx_controller.rb
# Vulnerable: the model_name request parameter is evaluated as Ruby code
def test_eval
  datas = (eval params[:model_name]).limit(10)
  render :json => datas
end

If the parameter passed is model_name = "rm -rf /", the consequences are unimaginable.
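As an added example that is not part of the original post, here is the eval-based lookup above beside an allowlist version, in plain Ruby with stand-in Article and Order classes (assumed names) so it runs without Rails:

```ruby
# Added example, not from the original post. Stand-in "models" that respond to
# .limit like an ActiveRecord class would, so this runs without Rails.
class Article
  def self.limit(n)
    "articles(#{n})"
  end
end

class Order
  def self.limit(n)
    "orders(#{n})"
  end
end

# Vulnerable: the request parameter is passed to eval, so any Ruby source the
# caller supplies runs with the application's privileges before .limit is called.
def unsafe_lookup(params)
  (eval params[:model_name]).limit(10)
end

# Hardened: an explicit allowlist maps the permitted names to classes; any other
# string is rejected up front and is never evaluated.
ALLOWED_MODELS = { 'Article' => Article, 'Order' => Order }.freeze

class DisallowedModel < StandardError; end

def safe_lookup(params)
  name = params[:model_name].to_s
  model = ALLOWED_MODELS.fetch(name) do
    raise DisallowedModel, "model not permitted: #{name.inspect}"
  end
  model.limit(10)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: valid input behaves the same either way.
  puts unsafe_lookup({ model_name: 'Article' })   # articles(10)
  puts safe_lookup({ model_name: 'Article' })     # articles(10)

  # Constructed tampered input: eval runs the injected statement ($marker is set),
  # while the allowlist version refuses it without evaluating anything.
  tampered = { model_name: '$marker = :ran; Article' }
  unsafe_lookup(tampered)
  puts $marker.inspect                            # :ran
  begin
    safe_lookup(tampered)
  rescue DisallowedModel => e
    puts e.message
  end
end
```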

Rails security: CSRF and injection attacks (XSS, SQL injection)

Web security occupies a very important place in web development. Today I will introduce some web security problems (CSRF and injection attacks) and how Rails is implemented to prevent these attacks.

First, what is CSRF? Its full name is Cross-Site Request Forgery.

  • Overview:

    Cross-site request forgery works by including malicious code or a link in a page that accesses a web application which only authenticated users may access. If the session for that web application has not timed out, the attacker can execute unauthorized operations.

  • How it works:

    Most applications use cookie-based sessions. They either store the session ID in the cookie and keep the session hash on the server side, or store the entire session hash on the client side. In either case, as long as the browser can find a cookie for a domain, it automatically includes that cookie when sending a request to it. The controversial point is that the browser includes the client's cookie even when the request originates from a site on another domain.

  • Example:

For the demonstration we start two services locally (edit /etc/hosts to point two domain names at the local machine, then reverse-proxy them through nginx): 1. www.mubiao.com is the site we want to attack, 2. www.hacker.com is our own site. Suppose we have already guessed some usable URLs on the target site, for example:

http://www.mubiao.com/orders.html
http://www.mubiao.com/ancient/articles

Then we set some traps on our own site by adding the following to one of its pages:

<img src='http://www.mubiao.com/orders.html' >
<a href="#" onclick="
var f = document.createElement('form');
f.style.display = 'none';
this.parentNode.appendChild(f);
f.method = 'post';
f.action = 'http://www.mubiao.com/ancient/articles';
f.submit();
return false;">点我啊</a>