diff --git a/05. 資料收集/架站/HTTP Server/Apache.md b/00. Inbox/Linux/架站/Apache.md similarity index 100% rename from 05. 資料收集/架站/HTTP Server/Apache.md rename to 00. Inbox/Linux/架站/Apache.md diff --git a/05. 資料收集/架站/Gitea.md b/00. Inbox/Linux/架站/Gitea.md similarity index 53% rename from 05. 資料收集/架站/Gitea.md rename to 00. Inbox/Linux/架站/Gitea.md index ee2c0dc..a563854 100644 --- a/05. 資料收集/架站/Gitea.md +++ b/00. Inbox/Linux/架站/Gitea.md @@ -13,38 +13,16 @@ services: environment: - USER_UID=1000 - USER_GID=1000 - - DB_TYPE=mysql - - DB_HOST=db:3306 - - DB_NAME=gitea - - DB_USER=gitea - - DB_PASSWD=gitea - - TZ=Asia/Taipei restart: always networks: - gitea volumes: - - ./datas/gitea:/data - - /home/git/.ssh/:/data/git/.ssh + - ./data:/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro ports: - - "3000:3000" - - "322:322" - depends_on: - - db - - db: - image: mysql:8 - restart: always - environment: - - MYSQL_ROOT_PASSWORD=gitea - - MYSQL_USER=gitea - - MYSQL_PASSWORD=gitea - - MYSQL_DATABASE=gitea - networks: - - gitea - volumes: - - ./datas/db:/var/lib/mysql + - "8020:3000" + - "2244:22" ``` ## 文件 diff --git a/00. Inbox/Linux/架站/Nextcloud.md b/00. Inbox/Linux/架站/Nextcloud.md new file mode 100644 index 0000000..c7af49c --- /dev/null +++ b/00. Inbox/Linux/架站/Nextcloud.md 
@@ -0,0 +1,52 @@ +## docker-compose.yml +```yaml +version: '3' + +services: + app: + image: nextcloud + ports: + - 8080:80 + volumes: + - ./data:/var/www/html + restart: always +``` + +## config.php +Nextcloud 的 config 檔放在`/var/www/html/config/config.php`,對應到本機就是 `./data/config/config.php`,在安裝完成之後,需要修改 `trusted_domains`、`overwriteprotocol`、`overwrite.cli.url` 這幾個參數,如下: +```php + '/', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'apps_paths' => + array ( + 0 => + array ( + 'path' => '/var/www/html/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => + array ( + 'path' => '/var/www/html/custom_apps', + 'url' => '/custom_apps', + 'writable' => true, + ), + ), + 'upgrade.disable-web' => true, + 'instanceid' => 'ocwc2ntdj6io', + 'passwordsalt' => '/uinYW42zbfuqxG5hVNIwS6vWeslUx', + 'secret' => 'HBPMSEp6fazNbjhCbD+KpXd5C6QYhjMsc6RvU5BWOFchsPci', + 'trusted_domains' => + array ( + 0 => 'nc.awin.one', + ), + 'datadirectory' => '/var/www/html/data', + 'dbtype' => 'sqlite3', + 'version' => '28.0.2.5', + 'overwriteprotocol' => 'https', + 'overwrite.cli.url' => 'https://nc.awin.one', + 'installed' => true, +); +``` \ No newline at end of file diff --git a/05. 資料收集/架站/Pelican blog.md b/00. Inbox/Linux/架站/Pelican blog.md similarity index 100% rename from 05. 資料收集/架站/Pelican blog.md rename to 00. Inbox/Linux/架站/Pelican blog.md diff --git a/05. 資料收集/架站/Proxmox VE.md b/00. Inbox/Linux/架站/Proxmox VE.md similarity index 100% rename from 05. 資料收集/架站/Proxmox VE.md rename to 00. Inbox/Linux/架站/Proxmox VE.md diff --git a/05. 資料收集/架站/Storj.md b/00. Inbox/Linux/架站/Storj.md similarity index 100% rename from 05. 資料收集/架站/Storj.md rename to 00. Inbox/Linux/架站/Storj.md diff --git a/00. Inbox/Windows/00. _Map.canvas b/00. Inbox/Windows/00. _Map.canvas index 9e26dfe..071fbef 100644 --- a/00. Inbox/Windows/00. _Map.canvas +++ b/00. Inbox/Windows/00. _Map.canvas 
@@ -1 +1,9 @@ -{} \ No newline at end of file +{ + "nodes":[ + {"id":"0138bfb5c46d71f1","x":-149,"y":-191,"width":329,"height":91,"type":"text","text":"1. 用[[powercfg powerthrottling]]關閉 VirtualBox power throttling。"}, + {"id":"d34f3157e07cb50d","x":-200,"y":40,"width":100,"height":50,"color":"2","type":"text","text":"開始"} + ], + "edges":[ + {"id":"5c4879a42c2db8ac","fromNode":"d34f3157e07cb50d","fromSide":"top","toNode":"0138bfb5c46d71f1","toSide":"bottom"} + ] +} \ No newline at end of file diff --git a/00. Inbox/Windows/powercfg powerthrottling 關閉.md b/00. Inbox/Windows/powercfg powerthrottling.md similarity index 77% rename from 00. Inbox/Windows/powercfg powerthrottling 關閉.md rename to 00. Inbox/Windows/powercfg powerthrottling.md index 9a0eabb..1598d1d 100644 --- a/00. Inbox/Windows/powercfg powerthrottling 關閉.md +++ b/00. Inbox/Windows/powercfg powerthrottling.md @@ -1,4 +1,4 @@ -對於特定的軟體,使用 `powercfg` 來關閉 powerthrottling。例如,VirtualBox永遠全速執行: +對於特定的軟體,使用 `powercfg` 來關閉 powerthrottling。例如,讓 [VirtualBox](https://www.virtualbox.org/) 最大效能執行: ```cmd powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" diff --git a/00. Inbox/樹莓派/00. 樹莓派.canvas b/00. Inbox/樹莓派/00. _Map.canvas similarity index 95% rename from 00. Inbox/樹莓派/00. 樹莓派.canvas rename to 00. Inbox/樹莓派/00. _Map.canvas index 816fc6c..b0a98cc 100644 --- a/00. Inbox/樹莓派/00. 樹莓派.canvas +++ b/00. Inbox/樹莓派/00. _Map.canvas 
@@ -6,19 +6,20 @@ {"id":"d624199752cf24de","type":"text","text":"![[更新與安裝工具]]","x":460,"y":-340,"width":360,"height":120}, {"id":"bc030994aafc5a3b","type":"text","text":"![[bashrc]]","x":460,"y":-37,"width":360,"height":177}, {"id":"6875474760fafe7c","type":"text","text":"![[raspi-config]]","x":460,"y":-200,"width":360,"height":140}, - {"id":"b77234a9cdf72aad","type":"text","text":"# 安裝 docker\n[[00. Inbox/Linux/Docker|Docker]]","x":940,"y":-340,"width":440,"height":120}, {"id":"f210470376a4829d","type":"text","text":"![[設定Cloudflare DDNS]]","x":460,"y":370,"width":360,"height":150}, {"id":"ef9431e16c90f57f","type":"text","text":"設定![[smb client]]","x":460,"y":540,"width":360,"height":180}, {"id":"6e59f6b9f36b24e2","type":"text","text":"![[安裝]]","x":-40,"y":132,"width":383,"height":177}, + {"id":"2a7d5efcc0f2dc0e","type":"text","text":"# 安裝 Portainer\n教學: [Portainer:一款圖形化容器管理工具|方格子 vocus](https://vocus.cc/article/643e9f74fd89780001b51739)\n\n官網:[Portainer: Container Management Software for Kubernetes and Docker](https://www.portainer.io/)","x":940,"y":489,"width":440,"height":191}, + {"id":"a63a5baed201beda","type":"text","text":"![[設定日誌大小]]","x":460,"y":163,"width":360,"height":180}, + {"id":"b77234a9cdf72aad","type":"text","text":"# 安裝 docker\n[[00. 
Inbox/Linux/Docker|Docker]]","x":940,"y":-340,"width":440,"height":120}, {"id":"d0711febf5985ed5","type":"text","text":"# 安裝nginx-certbot\n教學: [iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/m/articles/10301801\n\nGithub: [JonasAlfredsson/docker-nginx-certbot: Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.](https://github.com/JonasAlfredsson/docker-nginx-certbot)","x":940,"y":-190,"width":440,"height":240}, {"id":"b900ad17a2841b99","type":"text","text":"# 安裝 Filebrowser\n[官方安裝流程](https://filebrowser.org/installation#docker)","x":1400,"y":-340,"width":440,"height":120}, {"id":"8cac63e48dff1f2a","type":"text","text":"# 安裝 Gitea\n官方教學:[Installation with Docker](https://docs.gitea.com/installation/install-with-docker)\n\n設定Gmail寄信:[Gitea 使用 Gmail 寄信 - 筆記ZONE](https://zonego.tw/2021/11/14/gitea-gmail/)\n","x":940,"y":80,"width":440,"height":140}, {"id":"94fa9ef036dbe62a","type":"text","text":"# Speedtest 測試\n超簡單命令:`docker run --rm robinmanuelthiel/speedtest:latest`\n\nGithub: [robinmanuelthiel/speedtest: Check internet bandwidth from a Docker container and save the results to an InfluxDB](https://github.com/robinmanuelthiel/speedtest)","x":940,"y":253,"width":440,"height":207}, - {"id":"2a7d5efcc0f2dc0e","type":"text","text":"# 安裝 Portainer\n教學: [Portainer:一款圖形化容器管理工具|方格子 vocus](https://vocus.cc/article/643e9f74fd89780001b51739)\n\n官網:[Portainer: Container Management Software for Kubernetes and Docker](https://www.portainer.io/)","x":940,"y":489,"width":440,"height":191}, {"id":"94f3e389e2687b35","type":"text","text":"# 安裝 Watch Tower\n![[Watchtower#或使用 docke-compose.yml|docke-compose.yml]]","x":1400,"y":-190,"width":440,"height":322}, {"id":"fc32cf264646fdec","type":"text","text":"# 安裝 Storj\n![[Storj]]","x":1400,"y":160,"width":440,"height":300}, - {"id":"a63a5baed201beda","type":"text","text":"![[設定日誌大小]]","x":460,"y":163,"width":360,"height":180}, - 
{"id":"ff16e3814718d144","type":"text","text":"# 設定 crontab\n1. 用[[ddns.sh]]定時更新DNS\n2. 用[[backup_docker_gitea.sh]]備份 gitea docker\n3. 用[[backup_pi.sh]]備份整張SD卡","x":1960,"y":-340,"width":440,"height":150} + {"id":"ff16e3814718d144","type":"text","text":"# 設定 crontab\n1. 用[[ddns.sh]]定時更新DNS\n2. 用[[backup_docker_gitea.sh]]備份 gitea docker\n3. 用[[backup_pi.sh]]備份整張SD卡","x":1960,"y":-340,"width":440,"height":150}, + {"id":"3f1bf9d99d9d544d","x":1400,"y":489,"width":440,"height":191,"type":"text","text":"# 安裝 [Nxtcloud](https://nextcloud.com/)\n![[Nextcloud]]"} ], "edges":[ {"id":"9683c15c63c167c0","fromNode":"6e59f6b9f36b24e2","fromSide":"right","toNode":"e94c9e71b9aeaa89","toSide":"left"}, diff --git a/05. 資料收集/架站/HTTP Server/Nginx/Reverse Proxy(Layer4).md b/05. 資料收集/架站/HTTP Server/Nginx/Reverse Proxy(Layer4).md deleted file mode 100644 index fc927d9..0000000 --- a/05. 資料收集/架站/HTTP Server/Nginx/Reverse Proxy(Layer4).md +++ /dev/null 
@@ -1,292 +0,0 @@ -## Reverse Proxy(Layer4) -一般的Reverse Proxy所用的方法雖然可以反向代理多個網站,但是對於像是Trojan這種TLS不行被中斷的服務來說,會導致handshake失敗,所以需要用Nginx的stream來做Layer 4的轉發。 - -### docker-compose.yaml -需要先把`nginx.conf`與`mime.types`給copy到data目錄下。 -依序執行下面2個命令: -```shell -sudo docker run --rm -it nginx cat /etc/nginx/nginx.conf > nginx.conf -sudo docker run --rm -it nginx cat /etc/nginx/mime.types > mime.types -``` -然後: -```shell -mkdir data ;\ -mv nginx.conf mime.types data -``` - -建立`docker-compose.yaml` -```yaml -version: '3' -services: - nginx_reverseproxy_l4: - container_name: nginx - restart: always - image: nginx - ports: - - "80:80" - - "443:443" - volumes: - - ./data:/etc/nginx -``` - -修改`data/nginx.conf`: -```nginx -events { - worker_connections 1024; <-- event 不用動 -} - -stream { - map $ssl_preread_server_name $backend_name { - tjn.awin.one trojan; - storj.awin.one swag; - } - - # trojan - upstream trojan { - server 192.168.1.31:443; - } - - # swag - upstream swag { - server 192.168.1.20:44320; - } - - # 监听 443 并开启 ssl_preread - server { - listen 80 reuseport; - listen 443 reuseport; - listen [::]:443 reuseport; - proxy_pass $backend_name; - ssl_preread on; - } -} - -http { - ... <-- http 不用動 -} -``` - -重點來源: -1. [Trojan 共用 443 端口方案 - 程小白](https://www.chengxiaobai.cn/record/trojan-shared-443-port-scheme.html) -2. [NaiveProxy + Trojan + 多HTTPS站点共存,复用443端口 | 心底的河流](https://lhy.life/20200815-naiveproxy+trojan/) -3. `$ssl_preread_server_name`的官方說明:[Module ngx_stream_ssl_preread_module](http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html) - -## Reverse Proxy - -> **重要**:確定docker與docker-compose已經安裝好。 -> 參考[[RaspberryPi#Docker]]與[[RaspberryPi#docker-compose]] - -### Use SWAG docker -[swag](https://github.com/linuxserver/docker-swag)(之前叫做letsencrypt)是linuxserver.io包裝的Nginx webserver和reverse proxy的container。 - -#### Setup HTTPS -1. 建立folder - ```bash - mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag - ``` - -2. 
建立`docker-compose.yaml`: - ``` - vim docker-compose.yaml - ``` - - 填入內容如下: - ```yaml - version: "2.1" - services: - swag: - image: ghcr.io/linuxserver/swag - container_name: swag - cap_add: - - NET_ADMIN - environment: - - PUID=1000 - - PGID=1000 - - TZ=Asia/Taipei - - URL=awin.one - - SUBDOMAINS=wildcard - - VALIDATION=dns - - CERTPROVIDER= #optional - - DNSPLUGIN=cloudflare #optional - - PROPAGATION= #optional - - DUCKDNSTOKEN= #optional - - EMAIL=awinhuang@gmail.com - - ONLY_SUBDOMAINS=false #optional - - EXTRA_DOMAINS= #optional - - STAGING=false #optional - - MAXMINDDB_LICENSE_KEY= #optional - volumes: - - ./config:/config - ports: - - 44320:443 - - 8020:80 #optional - restart: unless-stopped - - ``` - -3. 先跑一次: - ```bash - sudo docker-compose up - ``` - 會發現有錯誤,這是正常的,錯誤訊息像這樣: - ``` - swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini - swag | Cleaning up challenges - swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?) - swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file. - ``` - 按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`: - ```bash - vim config/dns-conf/cloudflare.ini - ``` - 把`config/dns-conf/cloudflare.ini`改為: - ``` - # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20 - # Replace with your values - - With global api key: - dns_cloudflare_email = awinhuang@gmail.com - dns_cloudflare_api_key = - - # With token (comment out both lines above and uncomment below): - #dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567 - ``` - -4. 
再跑一次: - ```bash - sudo docker-compose up - ``` - 這一次就可以順利取得認證了,訊息像這樣: - ``` - swag | IMPORTANT NOTES: - swag | - Congratulations! Your certificate and chain have been saved at: - swag | /etc/letsencrypt/live/awin.one/fullchain.pem - swag | Your key file has been saved at: - swag | /etc/letsencrypt/live/awin.one/privkey.pem - swag | Your certificate will expire on 2021-04-26. To obtain a new or - swag | tweaked version of this certificate in the future, simply run - swag | certbot again. To non-interactively renew *all* of your - swag | certificates, run "certbot renew" - swag | - If you like Certbot, please consider supporting our work by: - swag | - swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate - swag | Donating to EFF: https://eff.org/donate-le - swag | - swag | New certificate generated; starting nginx - swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind, - swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key. - swag | [cont-init.d] 50-config: exited 0. - swag | [cont-init.d] 60-renew: executing... - swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am). - swag | [cont-init.d] 60-renew: exited 0. - swag | [cont-init.d] 70-templates: executing... - swag | [cont-init.d] 70-templates: exited 0. - swag | [cont-init.d] 99-custom-files: executing... - swag | [custom-init] no custom files found exiting... - swag | [cont-init.d] 99-custom-files: exited 0. - swag | [cont-init.d] done. - swag | [services.d] starting services - swag | [services.d] done. 
- swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html) - swag | Server ready - ``` - 最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出,再來設定reverse proxy。 - -5. 修正`config/dns-conf/cloudflare.ini`的安全性問題 - ``` - cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini - ``` - -#### Setup reverse proxy -1. 建立folder: - ``` - cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled - ``` - -2. 建立以下檔案: - - `config/nginx/sites-available/common.conf`,內容: - ``` - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - ``` - - `config/nginx/sites-available/common_location.conf`,內容: - ``` - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - ``` - - `config/nginx/sites-available/storj.conf`,內容: - ``` - upstream storj { - server 192.168.1.11:14002; - } - - server { - listen 443 ssl; - server_name storj.awin.one; - - include /config/nginx/sites-available/common.conf; - include /config/nginx/ssl.conf; - - location / { - proxy_pass http://192.168.1.11:14002/; - include /config/nginx/sites-available/common_location.conf; - } - } - - ``` - -3. 在`config/nginx/sites-enabled`裡面建立要enable的config: - ``` - cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd - - ``` - -4. 
修改`config/nginx/nginx.conf`: - ``` - vim config/nginx/nginx.conf - ``` - 找到`include /config/nginx/site-confs/*;`這一行,把它comment掉,在下面新增一行: - ``` - include /config/nginx/sites-enabled/*.conf; - ``` - -5. 啟動swag: - ``` - cd ~/dockers/linuxserverswag ; sudo docker-compose up -d - ``` - -#### Restart -```bash -cd ~/dockers/linuxserverswag ; sudo docker-compose restart -``` - -#### Update certification -1. 進到dockr的swag bash裡面:`sudo docker exec -it swag /bin/bash` -2. 輸入 `certbot renew` -3. ![[Pasted image 20210422205534.png]] - -#### Trouble shooting -- 如果遇到類似下面的錯誤: - ``` - ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated. - ``` - 表示有其他程式佔住了80 port,可能是其他docker container或是service,必須先關閉它們。[^1] - -#### 參考來源 -1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag) -2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/) -3. 
[SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure) - ------ -- 參考 - - [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) - - [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy) - - [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/) - - [俄羅斯不愧是戰鬥民族:nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498) - -[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/) \ No newline at end of file diff --git a/05. 資料收集/架站/SWAG Reverse proxy.md b/05. 資料收集/架站/SWAG Reverse proxy.md deleted file mode 100644 index d8ca8d2..0000000 --- a/05. 資料收集/架站/SWAG Reverse proxy.md +++ /dev/null 
@@ -1,247 +0,0 @@ -[SWAG](https://docs.linuxserver.io/general/swag)可以幫我們反向代理,並且有https。是由linuxserver.io包裝的Nginx webserver和reverse proxy的container。 - -#### 建立docker-compose -1. 建立folder - ```bash - mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag - ``` - -2. 建立`docker-compose.yaml`: - ``` - vim docker-compose.yaml - ``` - - 填入內容如下: - ```yaml - version: "2.1" - services: - swag: - image: ghcr.io/linuxserver/swag - container_name: swag - cap_add: - - NET_ADMIN - environment: - - PUID=1000 - - PGID=1000 - - TZ=Asia/Taipei - - URL=awin.one - - SUBDOMAINS=wildcard - - VALIDATION=dns - - CERTPROVIDER= #optional - - DNSPLUGIN=cloudflare #optional - - PROPAGATION= #optional - - DUCKDNSTOKEN= #optional - - EMAIL=awinhuang@gmail.com - - ONLY_SUBDOMAINS=false #optional - - EXTRA_DOMAINS= #optional - - STAGING=false #optional - - MAXMINDDB_LICENSE_KEY= #optional - volumes: - - ./config:/config - ports: - - 44320:443 - - 8020:80 #optional - restart: unless-stopped - ``` - -3. 先跑一次: - ```bash - sudo docker-compose up - ``` - 會發現有錯誤,這是正常的,錯誤訊息像這樣: - ``` - swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini - swag | Cleaning up challenges - swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?) - swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file. 
- ``` - 按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`: - ```bash - vim config/dns-conf/cloudflare.ini - ``` - 把`config/dns-conf/cloudflare.ini`改為: - ``` - # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20 - # Replace with your values - - With global api key: - dns_cloudflare_email = awinhuang@gmail.com - dns_cloudflare_api_key = - - # With token (comment out both lines above and uncomment below): - #dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567 - ``` - -4. 再跑一次: - ```bash - sudo docker-compose up - ``` - 這一次就可以順利取得認證了,訊息像這樣: - ``` - swag | IMPORTANT NOTES: - swag | - Congratulations! Your certificate and chain have been saved at: - swag | /etc/letsencrypt/live/awin.one/fullchain.pem - swag | Your key file has been saved at: - swag | /etc/letsencrypt/live/awin.one/privkey.pem - swag | Your certificate will expire on 2021-04-26. To obtain a new or - swag | tweaked version of this certificate in the future, simply run - swag | certbot again. To non-interactively renew *all* of your - swag | certificates, run "certbot renew" - swag | - If you like Certbot, please consider supporting our work by: - swag | - swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate - swag | Donating to EFF: https://eff.org/donate-le - swag | - swag | New certificate generated; starting nginx - swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind, - swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key. - swag | [cont-init.d] 50-config: exited 0. - swag | [cont-init.d] 60-renew: executing... - swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am). - swag | [cont-init.d] 60-renew: exited 0. - swag | [cont-init.d] 70-templates: executing... 
- swag | [cont-init.d] 70-templates: exited 0. - swag | [cont-init.d] 99-custom-files: executing... - swag | [custom-init] no custom files found exiting... - swag | [cont-init.d] 99-custom-files: exited 0. - swag | [cont-init.d] done. - swag | [services.d] starting services - swag | [services.d] done. - swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html) - swag | Server ready - ``` - 最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出,再來設定reverse proxy。 - -5. 修正`config/dns-conf/cloudflare.ini`的安全性問題 - ``` - cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini - ``` - -#### Setup reverse proxy -1. 建立folder: - ``` - cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled - ``` - -2. 
建立以下檔案: - - `config/nginx/sites-available/common.conf`,內容: - ``` - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - ``` - - `config/nginx/sites-available/common_location.conf`,內容: - ``` - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - ``` - - `config/nginx/sites-available/storj.conf`,內容: - ``` - upstream storj { - server 192.168.1.11:14002; - } - - server { - listen 443 ssl; - server_name storj.awin.one; - - include /config/nginx/sites-available/common.conf; - include /config/nginx/ssl.conf; - - location / { - proxy_pass http://192.168.1.11:14002/; - include /config/nginx/sites-available/common_location.conf; - } - } - - ``` - - `config/nginx/sites-available/blog.conf`,內容: - ``` - upstream blog { - server 192.168.1.30:80; - } - - server { - listen 443 ssl; - server_name blog.awin.one; - - include /config/nginx/sites-available/common.conf; - include /config/nginx/ssl.conf; - - location / { - proxy_pass http://192.168.1.30:80/; - include /config/nginx/sites-available/common_location.conf; - } - } - ``` - - `config/nginx/sites-available/gitea.conf`,內容: - ``` - upstream gitea { - server 192.168.1.32:3000; ## 網址 - } - - server { - listen 443 ssl; - server_name gitea.awin.one; ## 網域 - - include /config/nginx/sites-available/common.conf; - include /config/nginx/ssl.conf; - - location / { - proxy_pass http://192.168.1.32:3000/; ## 網址 - include /config/nginx/sites-available/common_location.conf; - } - } - ``` - -3. 在`config/nginx/sites-enabled`裡面建立要enable的config: - ``` - cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd - - ``` - -4. 
修改`config/nginx/nginx.conf`: - ``` - vim config/nginx/nginx.conf - ``` - 找到`include /config/nginx/site-confs/*;`這一行,把它comment掉,在下面新增一行: - ``` - include /config/nginx/sites-enabled/*.conf; - ``` - -5. 啟動swag: - ``` - cd ~/dockers/linuxserverswag ; sudo docker-compose up -d - ``` - -#### Restart -```bash -cd ~/dockers/linuxserverswag ; sudo docker-compose restart -``` - -#### Update certification -1. 進到dockr的swag bash裡面:`sudo docker exec -it swag /bin/bash` -2. 輸入 `certbot renew` -3. ![[Pasted image 20210422205534.png]] - -#### Trouble shooting -- 如果遇到類似下面的錯誤: - ``` - ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated. - ``` - 表示有其他程式佔住了80 port,可能是其他docker container或是service,必須先關閉它們。[^1] - -#### 參考來源 -1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag) -2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/) -3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure) -4. [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) -5. [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy) -6. [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/) -7. 
[俄羅斯不愧是戰鬥民族:nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498) - -[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/) \ No newline at end of file diff --git a/05. 資料收集/架站/Trojan.md b/05. 資料收集/架站/Trojan.md deleted file mode 100644 index 754edd2..0000000 --- a/05. 資料收集/架站/Trojan.md +++ /dev/null @@ -1,38 +0,0 @@ -## 準備 -1. 新增一台container,先更新container: - ``` - apt update ;\ - apu upgrade -y ;\ - apt install curl vim -y - ``` -2. 安裝trojan: - ``` - mkdir -p ~/trojan ;\ - cd ~/trojan - curl -O https://raw.githubusercontent.com/atrandys/trojan/master/trojan_mult.sh ; chmod +x trojan_mult.sh ; ./trojan_mult.sh - ``` -3. ![trojan](https://lab.twidc.net/wp-content/uploads/2020/12/2-1.jpg) -4. ![3 1](https://lab.twidc.net/wp-content/uploads/2020/12/3-1.jpg) -5. ![4 1](https://lab.twidc.net/wp-content/uploads/2020/12/4-1.jpg) -6. ![5 1](https://lab.twidc.net/wp-content/uploads/2020/12/5-1.jpg) - ------ -參考: -1. [Trojan 上網架設(替代VPN)爬梯子 科學上網 利器 - TWIDC](https://lab.twidc.net/trojan-%E4%B8%8A%E7%B6%B2%E6%9E%B6%E7%BD%AE%E6%9B%BF%E4%BB%A3vpn/) -2. [Trojan搭建私人VPN - Lingme](https://lingmin.me/2020/03/03/TrojanVPS/) -3. [[转载+修改]使用Trojan-Go科学上网 - 996 RIP](https://typecho.996.rip/index.php/archives/20/) -4. Source code: [Releases · trojan-gfw/trojan](https://github.com/trojan-gfw/trojan/releases) - -## 更新憑證 -1. 更新acme:`acme.sh --upgrade` -2. 先停止 trojan-web - ```bash - systemctl stop trojan-web - ``` -3. 停止 trojan,如下圖 - ![[Pasted image 20220815134750.png|500]] -4. 切換到 `/root/.acme.sh`,執行 `./acme.sh --cron -f`,如果憑證更新成功,應該會看到類似如下訊息: - ![[Pasted image 20220815135026.png|800]] -5. 重啟 trojan: - ![[Pasted image 20220815135248.png|400]] -6. 重啟trojan-web:`systemctl start trojan-web` \ No newline at end of file
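Review bot: in the Gitea.md hunk, every `DB_TYPE`/`DB_HOST`/`DB_NAME`/`DB_USER`/`DB_PASSWD` entry and the whole `db:` MySQL service are removed, but nothing in the remaining text says what database Gitea is now expected to use, so the `## 文件` section that follows should state it (as committed, the compose reads as if Gitea needs none). Two smaller points: `/home/git/.ssh/:/data/git/.ssh` plus `"322:322"` was an SSH passthrough, while the replacement `"2244:22"` is a different scheme (the container's own sshd on a non-standard host port), which deserves one sentence for whoever reads the compose later; and the old `MYSQL_ROOT_PASSWORD=gitea` / `MYSQL_PASSWORD=gitea` values remain in git history after this change, so if that MySQL instance still exists anywhere, rotate the credentials rather than relying on their removal from the file.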
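Review bot: the new Nextcloud.md commits live instance secrets: `'passwordsalt' => '/uinYW42zbfuqxG5hVNIwS6vWeslUx'`, `'secret' => 'HBPMSEp6fazNbjhCbD+KpXd5C6QYhjMsc6RvU5BWOFchsPci'` and `'instanceid' => 'ocwc2ntdj6io'`. The prose only asks the reader to edit `trusted_domains`, `overwriteprotocol` and `overwrite.cli.url`, so the pasted config.php should be reduced to those three keys (or the secret values replaced with placeholders), and because the values are now in history they should be regenerated on the running instance. Also, the php block opens directly with `'/',` and has no `<?php` / `$CONFIG = array (` header nor the key that `'/'` is the value of, so it cannot be pasted back as committed; and the compose publishes `8080:80` plain HTTP while `'overwriteprotocol' => 'https'` assumes a TLS-terminating proxy in front, which this note should name since both SWAG notes are deleted in the same commit.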
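Review bot: in the 樹莓派 00. _Map.canvas hunk, the new node `3f1bf9d99d9d544d` has a typo in its heading: `# 安裝 [Nxtcloud](https://nextcloud.com/)` should read `Nextcloud`, matching the embedded `![[Nextcloud]]`. The rest of the hunk only moves the existing `b77234a9cdf72aad`, `2a7d5efcc0f2dc0e` and `a63a5baed201beda` nodes to other positions in the array, which the canvas renders identically; keeping the original order would reduce the diff to a single added line and keep `git blame` on those nodes intact.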
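Review bot: Reverse Proxy(Layer4).md is deleted outright while the sibling notes in this same diff (Apache.md, Gitea.md, Pelican blog.md, Proxmox VE.md, Storj.md) are renamed into `00. Inbox/Linux/架站/`. If the intent is to drop the Trojan/`ssl_preread` section but keep the generic SWAG setup, a rename followed by an edit preserves history; if the intent is to drop everything, note that Storj.md and the `# 安裝 Storj` canvas node still describe a service this file was the front-end for (`storj.awin.one` in the `stream` map and in `storj.conf`). The commit should say which. For anyone who restores the file: the `<-- event 不用動` and `... <-- http 不用動` annotations sit inside the nginx block and would fail `nginx -t` if copied verbatim, so they belong outside the fence.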
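Review bot: SWAG Reverse proxy.md duplicated the SWAG section of Reverse Proxy(Layer4).md almost line for line, so removing one copy is right, but this diff removes both and leaves no description of the TLS front-end that the new Nextcloud.md (`'overwriteprotocol' => 'https'`, `'overwrite.cli.url' => 'https://nc.awin.one'`) and the Gitea compose still depend on. Keep one copy (renamed into `00. Inbox/Linux/架站/` like the others) and add a Nextcloud entry to its `sites-available` list. Two details worth carrying over: the `chmod 600 config/dns-conf/cloudflare.ini` step (the first `docker-compose up` log shows `Unsafe permissions on credentials configuration file`, and the file holds a Cloudflare API key), and the host port `8020` that this compose maps to SWAG's port 80 (`- 8020:80 #optional`) while the Gitea hunk in this same diff now maps `"8020:3000"`, which collides if both run on the same host.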
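Review bot: deleting Trojan.md together with the `stream` block that routed `tjn.awin.one trojan` is consistent, but the `## 更新憑證` procedure (`acme.sh --upgrade`, `systemctl stop trojan-web`, `./acme.sh --cron -f`, `systemctl start trojan-web`) existed only here, and its steps 3 to 5 were Obsidian image embeds rather than text, so if that service is still running its renewal steps are now undocumented anywhere in the vault. If the file is meant to stay gone, the install line `curl -O https://raw.githubusercontent.com/atrandys/trojan/master/trojan_mult.sh ; chmod +x trojan_mult.sh ; ./trojan_mult.sh` (fetch and execute a third-party script with no checksum or pinned revision) is a good reason not to bring it back unchanged.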