zxxx says: 2019-12-10 07:17:41
Virmach Chicago $6.22: installing Debian, ACME and Nginx
This post was last edited by zxxx on 2019-12-12 22:40
1. Log in to the client area and select the service in question
https://i.loli.net/2019/12/10/TmzsBNoXbVrtJWS.jpg
2. Select Control Panel
https://i.loli.net/2019/12/10/OkYlNMpfxQDFHoA.jpg
3. Select Manage
https://i.loli.net/2019/12/10/JWYLaqSw7d4DxXR.jpg
4. Select Reinstall
https://i.loli.net/2019/12/10/kpdErb5wfRuzBYa.jpg
5. Select Debian 9 64bit Minimal
https://i.loli.net/2019/12/10/U6Sc7vhlNMXD1Hd.jpg
6. Note down the password
https://i.loli.net/2019/12/10/7TuFb5oylwYCfZd.jpg
7. Then connect to the VPS over SSH
Linux QuietEvergreen-VM 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
8. Change the password with the passwd command, typing the new password twice
root@QuietEvergreen-VM:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
9. Install Screen
apt install screen
The following NEW packages will be installed:
screen
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
10. Start Screen
screen -S s
11. Generate an RSA key pair
root@QuietEvergreen-VM:~# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NeqEoukPQ2qi6UBq5XITvzkt3P5iKDLlnsOncgCONWg root@QuietEvergreen-VM
The key’s randomart image is:
+---[RSA 4096]----+
| |
| |
| . o |
|oEo . o . |
|=o.+. . S |
|+=o+o. o |
|=+X+..+ . |
|**oOo*o= |
|+.B=*o=.o. |
+----[SHA256]-----+
11. Create a new folder Z:\.ssh (type .ssh. as the folder name)
12. Connect to the VPS over SFTP and download the key pair
sftp> get ~/.ssh/*
Downloading id_rsa from /root/.ssh/id_rsa
100% 3KB 3KB/s 00:00:01
/root/.ssh/id_rsa: 3243 bytes transferred in 1 seconds (3243 bytes/s)
Downloading id_rsa.pub from /root/.ssh/id_rsa.pub
100% 748 bytes 748 bytes/s 00:00:01
/root/.ssh/id_rsa.pub: 748 bytes transferred in 1 seconds (748 bytes/s)
13. Delete the key pair
root@QuietEvergreen-VM:~# rm ~/.ssh/id_rsa*
14. Use PuTTY Key Generator to convert the private key and add a passphrase, then save authorized_keys
Select all and copy, paste into a new file and save it as authorized_keys
15. Create the authorized_keys file, rewrite the sshd_config file and check it
root@QuietEvergreen-VM:~# cat << "EOF" > /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAA……………………….QZ3WIHkbtIaQ==
EOF
root@QuietEvergreen-VM:~# cat << "EOF" > /etc/ssh/sshd_config
> AcceptEnv LANG LC_*
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> PermitRootLogin yes
> Port 22
> PrintMotd no
> PubkeyAuthentication yes
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> X11Forwarding yes
> EOF
root@QuietEvergreen-VM:~# sshd -t
16. Restart the SSH service
systemctl restart sshd
17. Log in to the VPS over SSH with the key
Linux QuietEvergreen-VM 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@QuietEvergreen-VM:~#
18. Upgrade the system
screen -S s
apt update &&
apt upgrade &&
apt full-upgrade &&
apt autoremove &&
apt autoclean
19. Upgrade to Debian 10
sed -i 's/stretch/buster/g' /etc/apt/sources.list &&
apt update &&
apt upgrade &&
apt full-upgrade &&
apt autoremove &&
apt autoclean
20. Reboot into the new kernel
systemctl reboot
21. Remove the old kernels
root@QuietEvergreen-VM:~# screen -S s
root@QuietEvergreen-VM:~# dpkg --get-selections | grep linux
console-setup-linux install
firmware-linux-free install
libselinux1:amd64 install
linux-base install
linux-image-4.19.0-6-amd64 install
linux-image-4.9.0-11-amd64 install
linux-image-4.9.0-4-amd64 install
linux-image-amd64 install
util-linux install
util-linux-locales install
root@QuietEvergreen-VM:~# apt autoremove --purge linux-image-4.9.0-4-amd64 linux-image-4.9.0-11-amd64
Reading package lists… Done
root@QuietEvergreen-VM:~# dpkg --get-selections | grep linux
console-setup-linux install
firmware-linux-free install
libselinux1:amd64 install
linux-base install
linux-image-4.19.0-6-amd64 install
linux-image-amd64 install
util-linux install
util-linux-locales install
22. Update grub
root@QuietEvergreen-VM:~# update-grub
Generating grub configuration file …
Found linux image: /boot/vmlinuz-4.19.0-6-amd64
Found initrd image: /boot/initrd.img-4.19.0-6-amd64
done
23. Enable BBR
root@QuietEvergreen-VM:~# echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf &&
> echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf &&
> sysctl -p &&
> lsmod |grep bbr
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
tcp_bbr 204801
root@QuietEvergreen-VM:~#
24. Install acme.sh
root@QuietEvergreen-VM:~# apt install curl
root@QuietEvergreen-VM:~# curl https://get.acme.sh | sh
Install success!
root@QuietEvergreen-VM:~# echo 'alias acme.sh=~/.acme.sh/acme.sh' >> /etc/profile
root@QuietEvergreen-VM:~# source /etc/profile
root@QuietEvergreen-VM:~# acme.sh --upgrade --auto-upgrade
Install success!
Upgrade success!
root@QuietEvergreen-VM:~#
25. Issue a certificate (using Cloudflare)
export CF_Email=[email protected]
export CF_Key=d2d833bd132a12a5de698b64ec5e4c91d8da6
acme.sh --issue -d domain.com -d '*.domain.com' --dns dns_cf
26. Install the certificate
mkdir -p /etc/nginx/ssl/domain.com &&
~/.acme.sh/acme.sh --install-cert -d domain.com \
--cert-file /etc/nginx/ssl/domain.com/domain.com.cer \
--ca-file /etc/nginx/ssl/domain.com/ca.cer \
--key-file /etc/nginx/ssl/domain.com/domain.com.key \
--fullchain-file /etc/nginx/ssl/domain.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
Installing cert to:/etc/nginx/ssl/domain.com/domain.com.cer
Installing CA to:/etc/nginx/ssl/domain.com/ca.cer
Installing key to:/etc/nginx/ssl/domain.com/domain.com.key
Installing full chain to:/etc/nginx/ssl/domain.com/fullchain.cer
Run reload cmd: service nginx force-reload
Failed to restart nginx.service: Unit nginx.service not found.
Reload error for :
27. Install Nginx
root@QuietEvergreen-VM:~# apt install nginx
The following NEW packages will be installed:
nginx nginx-common nginx-full
0 upgraded, 23 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,559 kB of archives.
After this operation, 10.1 MB of additional disk space will be used.
Do you want to continue?
28. Configure Nginx
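Added example, not code from the original post: a POSIX shell script that checks the sshd_config and authorized_keys written in step 15 before the restart in step 16, while the current session is still open. It reads the effective value of each keyword the way sshd does (first occurrence wins, case-insensitive), confirms password and challenge-response logins are off and public-key login is on, and checks that authorized_keys is not group/other writable (sshd's default StrictModes ignores the file otherwise, which locks you out once passwords are disabled). File paths are parameters so it can be run on copies as a non-root user; it assumes GNU stat (-c '%a'), as on Debian. The sample files at the bottom are constructed from the post's own sshd_config and a placeholder key.

```shell
#!/bin/sh
# Added example (not from the original post): check a sshd_config and an
# authorized_keys file for the key-only login the post sets up, BEFORE
# running "systemctl restart sshd". Paths are parameters; nothing needs root.

# Effective value of a keyword. sshd takes the FIRST occurrence, keyword
# matching is case-insensitive, and lines starting with '#' are comments.
sshd_get() {   # usage: sshd_get CONFIG KEYWORD
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Succeed only if every keyword has the expected value. A missing keyword
# counts as a failure because the compiled-in default (PasswordAuthentication
# yes, ChallengeResponseAuthentication yes) is the weak side.
sshd_check_hardened() {   # usage: sshd_check_hardened CONFIG
    rc=0
    for want in PasswordAuthentication=no ChallengeResponseAuthentication=no PubkeyAuthentication=yes; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(sshd_get "$1" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$exp'" >&2
            rc=1
        fi
    done
    return $rc
}

# authorized_keys must not be group/other writable (sshd's default StrictModes
# silently ignores it otherwise), and every non-comment line must carry a key
# of a known type. Uses GNU stat (%a = octal mode), as on Debian.
authorized_keys_check() {   # usage: authorized_keys_check FILE
    mode=$(stat -c '%a' "$1") || return 1
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    case $mode in
        ?[2367]?|??[2367])
            echo "FAIL: $1 has mode $mode (group/other writable)" >&2
            return 1 ;;
    esac
    while IFS= read -r line; do
        case $line in
            ''|'#'*) ;;
            *ssh-rsa\ *|*ssh-ed25519\ *|*ecdsa-sha2-nistp*|*sk-ssh-ed25519@openssh.com\ *) ;;
            *) echo "FAIL: $1 contains an unrecognised line: $line" >&2; return 1 ;;
        esac
    done < "$1"
    return 0
}

# Stand-alone demonstration on constructed files (the post's sshd_config and
# a placeholder key), so nothing under /etc or /root is touched.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin yes
Port 22
PubkeyAuthentication yes
UsePAM yes
EOF
printf 'ssh-rsa AAAAB3NzaC1yc2EAA...placeholder... root@QuietEvergreen-VM\n' > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
if sshd_check_hardened "$demo/sshd_config" && authorized_keys_check "$demo/authorized_keys"; then
    echo "OK: safe to restart sshd"
fi
rm -rf "$demo"
```

On the real box, run it as `sshd_check_hardened /etc/ssh/sshd_config && authorized_keys_check /root/.ssh/authorized_keys` after `sshd -t` and before `systemctl restart sshd`; if either check fails, fix the file while the current session is still logged in, since a second session cannot be opened by password once the restart takes effect.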
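Added example, not code from the original post: for step 21, a shell function that works out which kernel image packages can be purged from `dpkg --get-selections` output, never listing the running kernel or the linux-image-amd64 metapackage, and refusing to list anything while the running kernel's package is absent (the state between `apt full-upgrade` and the reboot in step 20, where removing images would be a mistake). The selections are read from stdin and the running version is a parameter (normally `$(uname -r)`), so it can be exercised on the constructed listing below, which is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): compute the removable kernel
# image packages from "dpkg --get-selections" output on stdin.

# Print removable linux-image-<version> packages, one per line.
# Exit 2 (and print nothing) if the running kernel's package is not installed:
# that means the box has not been rebooted into the new kernel yet.
old_kernel_images() {   # usage: old_kernel_images RUNNING_VERSION < selections
    awk -v run="$1" '
        $2 == "install" && $1 ~ /^linux-image-[0-9]/ {
            if ($1 == "linux-image-" run) seen = 1; else old[n++] = $1
        }
        END {
            if (!seen) {
                print "running kernel " run " is not installed; reboot first" > "/dev/stderr"
                exit 2
            }
            for (i = 0; i < n; i++) print old[i]
        }'
}

# Demonstration on the listing from the post (constructed here as stdin),
# with 4.19.0-6-amd64 as the running kernel after the reboot.
old_kernel_images 4.19.0-6-amd64 <<'EOF'
console-setup-linux	install
firmware-linux-free	install
linux-base	install
linux-image-4.19.0-6-amd64	install
linux-image-4.9.0-11-amd64	install
linux-image-4.9.0-4-amd64	install
linux-image-amd64	install
util-linux	install
EOF
# Actual removal (as root, once the printed list looks right):
#   apt autoremove --purge $(dpkg --get-selections | old_kernel_images "$(uname -r)")
```

The metapackage stays because it is what pulls in future kernel updates; the running kernel stays because purging it leaves /boot without the files grub is about to reference.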
zxxx says: 2019-12-10 07:18:08
This post was last edited by zxxx on 2019-12-10 21:49
27. Install Nginx
root@QuietEvergreen-VM:~# apt install nginx
The following NEW packages will be installed:
nginx nginx-common nginx-full
root@QuietEvergreen-VM:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@QuietEvergreen-VM:~# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-12-09 19:05:09 EST; 18s ago
Docs: man:nginx(8)
Main PID: 5233 (nginx)
Tasks: 2 (limit: 847)
Memory: 7.9M
CGroup: /system.slice/nginx.service
├─5233 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─5234 nginx: worker process
Dec 09 19:05:09 QuietEvergreen-VM systemd: Starting A high performance web server and a reverse proxy
Dec 09 19:05:09 QuietEvergreen-VM systemd: nginx.service: Failed to parse PID from file /run/nginx.pid
Dec 09 19:05:09 QuietEvergreen-VM systemd: Started A high performance web server and a reverse proxy
root@QuietEvergreen-VM:~#
The default configuration file /etc/nginx/nginx.conf passes the test, and the home page can now be opened via the IP address.
https://i.loli.net/2019/12/10/l3xqdoDrCAPJHzO.jpg
zxxx says: 2019-12-10 07:19:19
This post was last edited by zxxx on 2019-12-11 22:37
28. Configure Nginx
mkdir -p /var/www/domain.com
cat << "EOF" > /var/www/domain.com/index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
EOF
cat << "EOF" > /etc/nginx/nginx.conf
user www-data www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
charset utf-8;
client_header_buffer_size 32k;
client_max_body_size 128M;
keepalive_timeout 60;
large_client_header_buffers 4 32k;
log_not_found off;
sendfile on;
sendfile_max_chunk 512k;
server_names_hash_bucket_size 128;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types text/plain text/xml text/javascript text/css application/javascript application/x-javascript application/json application/xml application/xml+rss application/atom+xml image/svg+xml;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE .";
fastcgi_intercept_errors on;
proxy_intercept_errors on;
recursive_error_pages on;
error_log /var/log/nginx/error.log crit;
log_format main
'$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
limit_req_log_level warn;
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
ssl_buffer_size 16k;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
ssl_dhparam /etc/nginx/ssl/domain.com/dhparam.pem;
ssl_certificate /etc/nginx/ssl/domain.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/domain.com/domain.com.key;
proxy_buffering on;
proxy_buffers 32 8k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
server {
listen 80 default_server;
listen [::]:80 default_server;
access_log off;
error_log off;
server_name _;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.domain.com;
root /var/www/domain.com;
index index.htm index.html index.php;
location ~ /\.(?!well-known) {
deny all;
}
location /ws {
proxy_redirect off;
proxy_pass http://127.0.0.1:12345;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
}
location / {
try_files $uri $uri/ =404;
}
}
}
EOF
nginx -t
nginx -s reload
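Added example, not code from the original post: a shell audit of the TLS-related directives in an nginx.conf, to run before `nginx -s reload` in step 28. Against the post's configuration it flags the deprecated protocol versions in `ssl_protocols` (TLSv1, TLSv1.1), the `ssl_ciphers` entries that use static RSA key exchange (no forward secrecy) or 3DES, and referenced key-material files that do not exist yet; the post's config points at /etc/nginx/ssl/domain.com/dhparam.pem but no step generates it, and `nginx -t` fails when an `ssl_dhparam` file is missing. The config path and an optional root prefix for the referenced files are parameters, so it runs on a copy without root; the parser handles one-line directives only (not multi-line values such as log_format), and the demo config at the bottom is a constructed excerpt of the post's http block.

```shell
#!/bin/sh
# Added example (not from the original post): audit TLS settings in an
# nginx.conf before reloading. Findings go to stdout, one per line.

# Print the arguments of every occurrence of a directive, with comments,
# surrounding double quotes and the trailing ';' removed.
nginx_values() {   # usage: nginx_values CONFIG DIRECTIVE
    sed -e 's/#.*//' -e 's/;[[:space:]]*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print }' |
        tr -d '"'
}

# Exit 0 when nothing is flagged, 1 otherwise.
nginx_tls_check() {   # usage: nginx_tls_check CONFIG [ROOT]
    cfg=$1
    root=${2:-}      # prefix for paths referenced in the config (tests use a temp dir)
    rc=0

    # 1. Protocol versions that should no longer be offered.
    for p in $(nginx_values "$cfg" ssl_protocols); do
        case $p in
            SSLv3|TLSv1|TLSv1.1) echo "FAIL: ssl_protocols enables deprecated $p"; rc=1 ;;
        esac
    done

    # 2. Cipher string entries without forward secrecy (RSA+...) or using 3DES.
    saved_ifs=$IFS
    IFS=:
    for c in $(nginx_values "$cfg" ssl_ciphers); do
        case $c in
            RSA+*|*3DES*) echo "FAIL: ssl_ciphers keeps $c (static RSA key exchange or 3DES)"; rc=1 ;;
        esac
    done
    IFS=$saved_ifs

    # 3. Version banner off and HSTS present.
    [ "$(nginx_values "$cfg" server_tokens)" = off ] || { echo "FAIL: server_tokens is not off"; rc=1; }
    nginx_values "$cfg" add_header | grep -q '^Strict-Transport-Security ' ||
        { echo "FAIL: no Strict-Transport-Security header"; rc=1; }

    # 4. Every referenced key-material file must exist, or nginx -t fails.
    for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
        for f in $(nginx_values "$cfg" "$d"); do
            [ -e "$root$f" ] || { echo "FAIL: $d points at missing file $f"; rc=1; }
        done
    done
    return $rc
}

# Demonstration on a constructed excerpt of the post's http block.
demo=$(mktemp -d)
cat > "$demo/nginx.conf" <<'EOF'
http {
server_tokens off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+3DES:RSA+3DES:!MD5";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
ssl_dhparam /etc/nginx/ssl/domain.com/dhparam.pem;
}
EOF
nginx_tls_check "$demo/nginx.conf" "$demo" || echo "fix the findings above before reloading"
rm -rf "$demo"
```

The corresponding corrections for the post's config are `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 works with the OpenSSL 1.1.1 that Debian 10 ships), dropping the `RSA+AES128`, `RSA+AES256`, `EECDH+3DES` and `RSA+3DES` entries from `ssl_ciphers`, and creating the referenced parameter file with `openssl dhparam -out /etc/nginx/ssl/domain.com/dhparam.pem 2048` before running `nginx -t`.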
热心市民 says: 2019-12-10 07:20:56
Bump
iwil says: 2019-12-10 07:22:51
OP is a kind soul! Thank you
秘密 says: 2019-12-10 07:42:37
蓝翔技校 says: 2019-12-10 07:44:03
Front row for sale, prime advertising spot
Kasumi says: 2019-12-10 07:45:34
yem says: 2019-12-10 07:52:06
Bump, boss
dengdaibingning says: 2019-12-10 07:57:05
Support the OP