VPS Notes

Personal VPS tinkering notes (based on CentOS 7)

Bandwagon Host recently launched a VPS on a CN2 route for $29.9, which is a fair deal, so I bought one.
Purchase link (affiliate)

Acceleration (ServerSpeeder, BBR)

ServerSpeeder (锐速)

Install wget

yum install wget

Download the ServerSpeeder script

# --no-check-certificate turns off TLS verification for this download; omit it if the system CA bundle is current
wget -N --no-check-certificate https://raw.githubusercontent.com/wn789/serverspeeder/master/serverspeeder.sh

Run the script

bash serverspeeder.sh

The script does not support CentOS out of the box, so the kernel has to be replaced (version: 3.10.0-327.el7.x86_64)

# third-party kernel package fetched over plain HTTP and installed with --force
rpm -ivh http://xz.wn789.com/CentOSkernel/kernel-3.10.0-229.1.2.el7.x86_64.rpm --force

Check the installed kernels

rpm -qa | grep kernel

It is enough that kernel-3.10.0-327.el7.x86_64 is present

Reboot the VPS

reboot
uname -a   # check that the kernel switch succeeded

The kernel is now:

Linux host.localdomain 3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 27 03:04:26 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Run the script again

bash serverspeeder.sh

BBR

Install wget

yum install wget

Download and run the bbr script

wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh
chmod +x bbr.sh
./bbr.sh

Check the result

uname -r
sysctl net.ipv4.tcp_available_congestion_control   # inspect the return value
# net.ipv4.tcp_available_congestion_control = bbr cubic reno means bbr is available
sysctl net.ipv4.tcp_congestion_control
# should return net.ipv4.tcp_congestion_control = bbr
lsmod | grep bbr   # check that the bbr module is loaded

Firewall

CentOS 7 uses firewalld as its default firewall.
Usage

Basic firewalld usage

Start: systemctl start firewalld

Check status: systemctl status firewalld

Stop: systemctl stop firewalld

Disable: systemctl disable firewalld

systemctl is the main service-management tool on CentOS 7; it merges the functions of the earlier service and chkconfig commands.

Start a service: systemctl start firewalld.service

Stop a service: systemctl stop firewalld.service

Restart a service: systemctl restart firewalld.service

Show a service's status: systemctl status firewalld.service

Enable a service at boot: systemctl enable firewalld.service

Disable a service at boot: systemctl disable firewalld.service

Check whether a service starts at boot: systemctl is-enabled firewalld.service

List enabled services: systemctl list-unit-files | grep enabled

List services that failed to start: systemctl --failed

Configuring firewall-cmd

Show version: firewall-cmd --version

Show help: firewall-cmd --help

Show state: firewall-cmd --state

List all open ports: firewall-cmd --zone=public --list-ports

Reload firewall rules: firewall-cmd --reload

Show active zones: firewall-cmd --get-active-zones

Show the zone an interface belongs to: firewall-cmd --get-zone-of-interface=eth0

Drop all packets (panic mode): firewall-cmd --panic-on

Leave panic mode: firewall-cmd --panic-off

Check whether panic mode is on: firewall-cmd --query-panic

So how do you open a port?

Add

firewall-cmd --zone=public --add-port=80/tcp --permanent
# --permanent makes the rule persistent; without it the rule is lost after a reboot

Reload
firewall-cmd --reload

Check
firewall-cmd --zone=public --query-port=80/tcp

Remove

firewall-cmd --zone=public --remove-port=80/tcp --permanent


Setting up a Hexo blog

Environment

Install node

Install the build toolchain

sudo yum install gcc gcc-c++

Install nvm

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.31.1/install.sh | bash
nvm --version   # check the installed nvm version (open a new shell or source ~/.bashrc first)

Choose a version and install it

nvm list-remote   # list all available node versions
nvm install v6.11.2   # install v6.11.2
node --version   # check the installed node version

Install git

yum install git-core

Install hexo

npm install hexo-cli -g
hexo --version

Install nginx (default configuration)

yum install -y pcre pcre-devel         # PCRE
yum install -y zlib zlib-devel         # zlib
yum install -y openssl openssl-devel   # OpenSSL
wget -c https://nginx.org/download/nginx-1.12.1.tar.gz   # download the source
tar zxvf nginx-1.12.1.tar.gz   # unpack
cd nginx-1.12.1
./configure
make
make install

Start nginx at boot

Just add the start command to rc.local.

vi /etc/rc.local
# add the line: /usr/local/nginx/sbin/nginx
# make the file executable:
chmod 755 /etc/rc.local

Bringing up the site

Generate the pages

Run the following commands; the generated public folder is the blog's web content

hexo clean
hexo generate

Edit nginx.conf

Change the root under server/location to the directory that serves the site, copy everything from the generated folder above into that directory, and run /usr/local/nginx/sbin/nginx -s reload to restart nginx.

nginx.conf (only the modified parts)

user nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name xxx.com;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            root /home/nginx/www/blog;
            index index.html index.htm;
        }
        error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}


Enabling HTTPS (TLS 1.3)

nginx environment

Nginx 1.13.0 and later officially support the TLSv1.3 option in ssl_protocols.
1. Download the packages
Download Nginx 1.13.4

wget https://nginx.org/download/nginx-1.13.4.tar.gz
tar zxf nginx-1.13.4.tar.gz

Install google-perftools

yum install google-perftools google-perftools-devel

Fetch the OpenSSL tls1.3-draft-18 branch

git clone -b tls1.3-draft-18 --single-branch https://github.com/openssl/openssl.git openssl-tls1.3

Fetch the Cloudflare patch set and apply the http2_hpack patch

git clone https://github.com/cloudflare/sslconfig.git
cp sslconfig/patches/nginx_1.13.1_http2_hpack.patch nginx-1.13.4/

Configure the nginx source
Note: the OpenSSL tls1.3-draft-18 branch does not enable TLS 1.3 by default; --with-openssl-opt=enable-tls1_3 has to be added
http2 hpack requires --with-http_v2_hpack_enc
Any additional modules must also be added at configure time with --add-module=…   # module path

cd ../nginx-1.13.4
patch -p1 < nginx_1.13.1_http2_hpack.patch
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_degradation_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-stream_realip_module \
--with-http_slice_module \
--with-mail \
--with-mail_ssl_module \
--with-http_v2_module \
--with-http_v2_hpack_enc \
--with-openssl=/root/openssl-tls1.3 \
--with-openssl-opt=enable-tls1_3 \
--with-google_perftools_module

Build and install

make -j8 && make install

Check

nginx -t

SSL certificate

Get the source

git clone https://github.com/letsencrypt/letsencrypt

Issue the certificate

cd letsencrypt
# --standalone binds port 80 itself, so nginx must not be listening there while this runs
./letsencrypt-auto certonly --standalone --email xxxxx@xxx.com -d xxx.com
# the issued certificate lands under /etc/letsencrypt/live by default

Automatic certificate renewal
Let's Encrypt certificates are valid for 90 days by default and can be renewed once 60 days have passed. To avoid forgetting, add a script that runs automatically every day. To keep nginx stable, it is also restarted once a day from the same script.

ssl_renew.sh

#!/bin/sh
# Update the client, attempt renewal, and reload nginx so it picks up renewed certificates.
cd /root/letsencrypt || exit 1
git pull
mkdir -p /var/log/letsencrypt
if ! ./letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    # mail the failure notice together with the renewal log
    { echo "Automated renewal failed:"; cat /var/log/letsencrypt/renew.log; } | mail -s "LE renew failed" xxx@xxx.com
    exit 1
fi
nginx -s reload

Run the script on a schedule
Edit /etc/crontab and add the command

0 5 * * * root sh /root/ssl_renew.sh > /dev/null 2>&1

To confirm the entry, cat /etc/crontab (crontab -l lists only the current user's own crontab, not /etc/crontab)

Edit nginx.conf

For site-wide HTTPS, add a 301 redirect

server {
    listen 80;
    server_name xxx.com;   # domain to redirect
    # tell browsers to use https only for the validity period
    # note: browsers ignore Strict-Transport-Security received over plain HTTP (RFC 6797),
    # so the header must also be sent by the 443 server block
    add_header Strict-Transport-Security max-age=63072000;
    # permanent redirect to the https site
    return 301 https://$server_name$request_uri;
}

The https server listens on port 443 by default
Add TLSv1.3 to ssl_protocols (Nginx 1.13.0 and later only; on older versions TLSv1.2 is enough)

Add the TLS 1.3 cipher suites to ssl_ciphers; the supported ones are

TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-128-GCM-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-CCM-SHA256
TLS13-AES-128-CCM-8-SHA256

Part of nginx.conf

server {
    listen 443 ssl;
    server_name xxx.com;
    # certificate paths
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # TLSv1.1 is deprecated and can be dropped once no client needs it
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    # TLS13-* names use the draft-18 OpenSSL spelling.
    # !DES excludes single DES only; add !3DES to drop the DES-CBC3 suites as well.
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    # HSTS only takes effect when received over HTTPS, so it is sent from this block too
    add_header Strict-Transport-Security max-age=63072000;
    location / {
        root /home/nginx/www/blog;
        index index.html index.htm;
    }
}
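A long ssl_ciphers string like the one above is easy to get wrong: OpenSSL silently ignores tokens that match nothing, so typos and draft-era names disappear without any warning from nginx -t. The following Python check is an added example, not part of the original notes: it asks the local OpenSSL (via the standard ssl module) to resolve each positive token on its own and reports names that match nothing, suites without forward secrecy (static RSA key exchange), and 3DES suites. SAMPLE_SPEC is a constructed, shortened excerpt; on a stock OpenSSL the TLS13-* draft names also show up as unknown, because only the tls1.3-draft-18 branch the page builds against recognises them.

```python
import ssl

# Constructed, shortened excerpt of the ssl_ciphers string above (sample input only).
SAMPLE_SPEC = ("TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:"
               "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:"
               "AES128-GCM-SHA256:DES-CBC3-SHA:HIGH:!aNULL:!MD5:!RC4")


def resolve(spec):
    """Ciphers (OpenSSL description dicts) that `spec` actually enables.

    Returns [] when OpenSSL rejects the string because no cipher matched.
    TLS 1.3 suites are filtered out: they are always present and are not
    governed by ssl_ciphers at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and not c["name"].startswith("TLS_")]


def audit(spec):
    """Check each positive token of an nginx ssl_ciphers string on its own.

    Returns {"unknown": tokens matching nothing (typos or draft-era names),
             "no_pfs": ciphers with static RSA key exchange,
             "3des":   ciphers using triple DES}, each sorted and deduplicated.
    """
    unknown, no_pfs, tdes = set(), set(), set()
    for token in spec.split(":"):
        # "!X" exclusions and "A+B" compound selectors are not single cipher names.
        if not token or token[0] in "!-+" or "+" in token:
            continue
        matched = resolve(token)
        if not matched:
            unknown.add(token)
            continue
        for c in matched:
            desc = c["description"]  # e.g. "... Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD"
            if "Kx=RSA" in desc:
                no_pfs.add(c["name"])
            if "Enc=3DES" in desc:
                tdes.add(c["name"])
    return {"unknown": sorted(unknown), "no_pfs": sorted(no_pfs), "3des": sorted(tdes)}


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_SPEC).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it against the full string from your own nginx.conf; anything listed under unknown contributes nothing to the negotiated cipher set.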

Final result