Virmach 芝加哥 $6.22 装机 Debian ACME Nginx

zxxx · 发表于 2019-12-10 07:17:41

本帖最后由 zxxx 于 2019-12-12 22:40 编辑

1、进入后台，选择对应的服务

2、选择 Control Panel

3、选择 Manage

4、选择 Reinstall

5、选择 Debian 9 64bit Minimal

6、记住密码

7、然后通过SSH连接VPS
[ol]

Linux QuietEvergreen-VM 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.[/ol]复制代码

8、使用 passwd 命令修改密码，输入两遍密码
[ol]

root@QuietEvergreen-VM:~# passwd

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully[/ol]复制代码

9、安装 Screen
[ol]

apt install screen

The following NEW packages will be installed:

screen

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.[/ol]复制代码

10、启动 Screen
[ol]

screen -S s[/ol]复制代码

11、生成 RSA 密钥对
[ol]

root@QuietEvergreen-VM:~# ssh-keygen -t rsa -b 4096

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Created directory '/root/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:NeqEoukPQ2qi6UBq5XITvzkt3P5iKDLlnsOncgCONWg root@QuietEvergreen-VM

The key's randomart image is:

+---[RSA 4096]----+

| |

| . o |

|oEo . o . |

|=o.+. . S |

|+=o+o. o |

|=+X+..+ . |

|**oOo*o= |

|+.B=*o=.o. |

+----[SHA256]-----+[/ol]复制代码

11、新建文件夹 Z:\.ssh 【输入 .ssh. 】

12、通过 SFTP 连接VPS，下载密钥对
[ol]

sftp> get ~/.ssh/*

Downloading id_rsa from /root/.ssh/id_rsa

100% 3KB 3KB/s 00:00:01

/root/.ssh/id_rsa: 3243 bytes transferred in 1 seconds (3243 bytes/s)

Downloading id_rsa.pub from /root/.ssh/id_rsa.pub

100% 748 bytes 748 bytes/s 00:00:01

/root/.ssh/id_rsa.pub: 748 bytes transferred in 1 seconds (748 bytes/s)[/ol]复制代码

13、删除密钥对
[ol]

root@QuietEvergreen-VM:~# rm ~/.ssh/id_rsa*[/ol]复制代码

14、使用 PuTTY Key Generator 转换私钥添加口令，保存 authorized_keys

选择全部并复制，新建文件粘贴后另存为 authorized_keys

15、新建文件 authorized_keys 修改 sshd_config 文件并检查

[ol]

root@QuietEvergreen-VM:~# cat /root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAA............................QZ3WIHkbtIaQ==

EOF

[/ol]复制代码
[ol]

root@QuietEvergreen-VM:~# cat /etc/ssh/sshd_config

> AcceptEnv LANG LC_*

> ChallengeResponseAuthentication no

> PasswordAuthentication no

> PermitRootLogin yes

> Port 22

> PrintMotd no

> PubkeyAuthentication yes

> Subsystem sftp /usr/lib/openssh/sftp-server

> UsePAM yes

> X11Forwarding yes

> EOF

root@QuietEvergreen-VM:~# sshd -t[/ol]复制代码

16、重新启动 SSH 服务
[ol]

systemctl restart sshd[/ol]复制代码

17、使用SSH密钥登录连接 VPS
[ol]

Linux QuietEvergreen-VM 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

root@QuietEvergreen-VM:~# [/ol]复制代码

18、升级系统
[ol]

screen -S s

apt update && \

apt upgrade && \

apt full-upgrade && \

apt autoremove && \

apt autoclean[/ol]复制代码

19、升级到 Debian 10
[ol]

sed -i 's/stretch/buster/g' /etc/apt/sources.list && \

apt update && \

apt upgrade && \

apt full-upgrade && \

apt autoremove && \

apt autoclean[/ol]复制代码

20、使用新内核启动
[ol]

systemctl reboot[/ol]复制代码

21、移除旧内核
[ol]

root@QuietEvergreen-VM:~# screen -S s

root@QuietEvergreen-VM:~# dpkg --get-selections | grep linux

console-setup-linux install

firmware-linux-free install

libselinux1:amd64 install

linux-base install

linux-image-4.19.0-6-amd64 install

linux-image-4.9.0-11-amd64 install

linux-image-4.9.0-4-amd64 install

linux-image-amd64 install

util-linux install

util-linux-locales install

root@QuietEvergreen-VM:~# apt autoremove --purge linux-image-4.9.0-4-amd64 linux-image-4.9.0-11-amd64

Reading package lists... Done

root@QuietEvergreen-VM:~# dpkg --get-selections | grep linux

console-setup-linux install

firmware-linux-free install

libselinux1:amd64 install

linux-base install

linux-image-4.19.0-6-amd64 install

linux-image-amd64 install

util-linux install

util-linux-locales install[/ol]复制代码

22、更新 grub
[ol]

root@QuietEvergreen-VM:~# update-grub

Generating grub configuration file ...

Found linux image: /boot/vmlinuz-4.19.0-6-amd64

Found initrd image: /boot/initrd.img-4.19.0-6-amd64

done[/ol]复制代码

23、开启 BBR
[ol]

root@QuietEvergreen-VM:~# echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf && \

> echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf && \

> sysctl -p && \

> lsmod |grep bbr

net.core.default_qdisc = fq

net.ipv4.tcp_congestion_control = bbr

tcp_bbr 20480 1

root@QuietEvergreen-VM:~# [/ol]复制代码

24、安装 acme.sh
[ol]

root@QuietEvergreen-VM:~# apt install curl

root@QuietEvergreen-VM:~# curl https://get.acme.sh | sh

[Mon 09 Dec 2019 02:18:05 PM EST] Install success!

root@QuietEvergreen-VM:~# echo 'alias acme.sh=~/.acme.sh/acme.sh' >> /etc/profile

root@QuietEvergreen-VM:~# source /etc/profile

root@QuietEvergreen-VM:~# acme.sh --upgrade --auto-upgrade

[Mon 09 Dec 2019 02:20:07 PM EST] Install success!

[Mon 09 Dec 2019 02:20:07 PM EST] Upgrade success!

root@QuietEvergreen-VM:~# [/ol]复制代码

25、签发证书【使用 cloudflare】
[ol]

export [email protected]

export CF_Key=d2d833bd132a12a5de698b64ec5e4c91d8da6

acme.sh --issue -d domain.com -d *.domain.com --dns dns_cf[/ol]复制代码

26、安装证书
[ol]

mkdir -p /etc/nginx/ssl/domain.com && \

~/.acme.sh/acme.sh --install-cert -d domain.com \

--cert-file /etc/nginx/ssl/domain.com/domain.com.cer \

--ca-file /etc/nginx/ssl/domain.com/ca.cer \

--key-file /etc/nginx/ssl/domain.com/domain.com.key \

--fullchain-file /etc/nginx/ssl/domain.com/fullchain.cer \

--reloadcmd "service nginx force-reload"[/ol]复制代码
[ol]

[Mon 09 Dec 2019 02:26:21 PM EST] Installing cert to:/etc/nginx/ssl/domain.com/domain.com.cer

[Mon 09 Dec 2019 02:26:21 PM EST] Installing CA to:/etc/nginx/ssl/domain.com/ca.cer

[Mon 09 Dec 2019 02:26:21 PM EST] Installing key to:/etc/nginx/ssl/domain.com/domain.com.key

[Mon 09 Dec 2019 02:26:21 PM EST] Installing full chain to:/etc/nginx/ssl/domain.com/fullchain.cer

[Mon 09 Dec 2019 02:26:21 PM EST] Run reload cmd: service nginx force-reload

Failed to restart nginx.service: Unit nginx.service not found.

[Mon 09 Dec 2019 02:26:22 PM EST] Reload error for :[/ol]复制代码

27、安装 Nginx
[ol]

root@QuietEvergreen-VM:~# apt install nginx

The following NEW packages will be installed:

nginx nginx-common nginx-full

0 upgraded, 23 newly installed, 0 to remove and 0 not upgraded.

Need to get 4,559 kB of archives.

After this operation, 10.1 MB of additional disk space will be used.

Do you want to continue? [Y/n] [/ol]复制代码

28、配置 Nginx

抱歉，您的帖子超过 10000 个字符的限制
[ 点击这里返回上一页 ]

zxxx · 发表于 2019-12-10 07:18:08

本帖最后由 zxxx 于 2019-12-10 21:49 编辑

27、安装 Nginx
[ol]

root@QuietEvergreen-VM:~# apt install nginx

The following NEW packages will be installed:

nginx nginx-common nginx-full

root@QuietEvergreen-VM:~# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

root@QuietEvergreen-VM:~# systemctl status nginx

● nginx.service - A high performance web server and a reverse proxy server

Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)

Active: active (running) since Mon 2019-12-09 19:05:09 EST; 18s ago

Docs: man:nginx(8)

Main PID: 5233 (nginx)

Tasks: 2 (limit: 847)

Memory: 7.9M

CGroup: /system.slice/nginx.service

├─5233 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;

└─5234 nginx: worker process

Dec 09 19:05:09 QuietEvergreen-VM systemd[1]: Starting A high performance web server and a reverse proxy

Dec 09 19:05:09 QuietEvergreen-VM systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid

Dec 09 19:05:09 QuietEvergreen-VM systemd[1]: Started A high performance web server and a reverse proxy

root@QuietEvergreen-VM:~#

[/ol]复制代码

默认配置文件 /etc/nginx/nginx.conf 测试通过，现在可以通过 IP 浏览主页。

zxxx · 发表于 2019-12-10 07:19:19

本帖最后由 zxxx 于 2019-12-11 22:37 编辑

28、配置 Nginx

[ol]

mkdir -p /var/www/domain.com

cat /var/www/domain.com/index.html

Welcome to nginx!

body {

width: 35em;

margin: 0 auto;

font-family: Tahoma, Verdana, Arial, sans-serif;

}

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and

working. Further configuration is required.

For online documentation and support please refer to

nginx.org.

Commercial support is available at

nginx.com.

Thank you for using nginx.

EOF

[/ol]复制代码

[ol]

cat /etc/nginx/nginx.conf

user www-data www-data;

worker_processes auto;

worker_rlimit_nofile 65535;

events {

multi_accept on;

worker_connections 4096;

}

http {

include mime.types;

default_type application/octet-stream;

charset utf-8;

client_header_buffer_size 32k;

client_max_body_size 128M;

keepalive_timeout 60;

large_client_header_buffers 4 32k;

log_not_found off;

sendfile on;

sendfile_max_chunk 512k;

server_names_hash_bucket_size 128;

server_tokens off;

tcp_nodelay on;

tcp_nopush on;

types_hash_max_size 2048;

gzip on;

gzip_min_length 1k;

gzip_buffers 4 16k;

gzip_http_version 1.1;

gzip_comp_level 6;

gzip_types text/plain text/xml text/javascript text/css application/javascript application/x-javascript application/json application/xml application/xml+rss application/atom+xml image/svg+xml;

gzip_vary on;

gzip_proxied expired no-cache no-store private auth;

gzip_disable "MSIE [1-6]\.";

fastcgi_intercept_errors on;

proxy_intercept_errors on;

recursive_error_pages on;

error_log /var/log/nginx/error.log crit;

log_format main

'$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

access_log on;

access_log /var/log/nginx/access.log main;

limit_req_log_level warn;

limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;

ssl_buffer_size 16k;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 1d;

ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";

ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;

resolver_timeout 2s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

add_header Referrer-Policy "no-referrer-when-downgrade" always;

add_header X-Content-Type-Options "nosniff" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-XSS-Protection "1; mode=block" always;

ssl_dhparam /etc/nginx/ssl/domain.com/dhparam.pem;

ssl_certificate /etc/nginx/ssl/domain.com/fullchain.cer;

ssl_certificate_key /etc/nginx/ssl/domain.com/domain.com.key;

proxy_buffering on;

proxy_buffers 32 8k;

proxy_connect_timeout 90;

proxy_send_timeout 90;

proxy_read_timeout 90;

server {

listen 80 default_server;

listen [::]:80 default_server;

access_log off;

error_log off;

server_name _;

return 301 https://www.domain.com$request_uri;

}

server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name domain.com;

return 301 https://www.domain.com$request_uri;

}

server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name www.domain.com;

root /var/www/domain.com;

index index.htm index.html index.php;

location ~ /\.(?!well-known) {

deny all;

}

location /ws {

proxy_redirect off;

proxy_pass http://127.0.0.1:12345;

proxy_http_version 1.1;

proxy_intercept_errors on;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header Host $http_host;

}

location / {

try_files $uri $uri/ =404;

}

EOF

[/ol]复制代码

[ol]

nginx -t

nginx -s reload[/ol]复制代码

热心市民 · 发表于 2019-12-10 07:20:56

楼主热心人！谢谢你

iwil · 发表于 2019-12-10 07:22:51

前排出售，广告黄金位

蓝翔技校 · 发表于 2019-12-10 07:42:37

顶大佬

Kasumi · 发表于 2019-12-10 07:44:03

支持楼主这教程用心了，转走了

yem · 发表于 2019-12-10 07:45:34

后面的内容呢

h3cie · 发表于 2019-12-10 07:52:06

h3cie 发表于 2019-12-10 08:13

后面的内容呢

发不下了，正在编辑，请稍等。。。

zxxx · 发表于 2019-12-10 07:57:05

mark

		自动登录	找回密码
密码			立即注册

Virmach 芝加哥 $6.22 装机 Debian ACME Nginx

本帖子中包含更多资源

本帖子中包含更多资源