awin/Obsidian-Main
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vault backup: 2024-02-16 14:10:29

Browse Source
This commit is contained in:
Awin Huang
2024-02-16 14:10:29 +08:00
parent 7111f2dad0
commit 25bb46c952
12 changed files with 70 additions and 608 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
05. 資料收集/架站/HTTP Server/Apache.md → 00. Inbox/Linux/架站/Apache.md
View File

28
05. 資料收集/架站/Gitea.md → 00. Inbox/Linux/架站/Gitea.md
View File

@@ -13,38 +13,16 @@ services:
environment: environment:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- DB_TYPE=mysql
- DB_HOST=db:3306
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
- TZ=Asia/Taipei
restart: always restart: always
networks: networks:
- gitea - gitea
volumes: volumes:
- ./datas/gitea:/data - ./data:/data
- /home/git/.ssh/:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
ports: ports:
- "3000:3000" - "8020:3000"
- "322:322" - "2244:22"
depends_on:
- db
db:
image: mysql:8
restart: always
environment:
- MYSQL_ROOT_PASSWORD=gitea
- MYSQL_USER=gitea
- MYSQL_PASSWORD=gitea
- MYSQL_DATABASE=gitea
networks:
- gitea
volumes:
- ./datas/db:/var/lib/mysql
``` ```
## 文件 ## 文件

52
00. Inbox/Linux/架站/Nextcloud.md Normal file
View File

@@ -0,0 +1,52 @@
## docker-compose.yml
```yaml
version: '3'
services:
app:
image: nextcloud
ports:
- 8080:80
volumes:
- ./data:/var/www/html
restart: always
```
## config.php
Nextcloud 的 config 檔放在`/var/www/html/config/config.php`,對應到本機就是 `./data/config/config.php`,在安裝完成之後,需要修改 `trusted_domains``overwriteprotocol``overwrite.cli.url` 這幾個參數,如下:
```php
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'upgrade.disable-web' => true,
'instanceid' => 'ocwc2ntdj6io',
'passwordsalt' => '/uinYW42zbfuqxG5hVNIwS6vWeslUx',
'secret' => 'HBPMSEp6fazNbjhCbD+KpXd5C6QYhjMsc6RvU5BWOFchsPci',
'trusted_domains' =>
array (
0 => 'nc.awin.one',
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'sqlite3',
'version' => '28.0.2.5',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://nc.awin.one',
'installed' => true,
);
```

0
05. 資料收集/架站/Pelican blog.md → 00. Inbox/Linux/架站/Pelican blog.md
View File

0
05. 資料收集/架站/Proxmox VE.md → 00. Inbox/Linux/架站/Proxmox VE.md
View File

0
05. 資料收集/架站/Storj.md → 00. Inbox/Linux/架站/Storj.md
View File

10
00. Inbox/Windows/00. _Map.canvas
View File

@@ -1 +1,9 @@
{} {
"nodes":[
{"id":"0138bfb5c46d71f1","x":-149,"y":-191,"width":329,"height":91,"type":"text","text":"1. 用[[powercfg powerthrottling]]關閉 VirtualBox power throttling。"},
{"id":"d34f3157e07cb50d","x":-200,"y":40,"width":100,"height":50,"color":"2","type":"text","text":"開始"}
],
"edges":[
{"id":"5c4879a42c2db8ac","fromNode":"d34f3157e07cb50d","fromSide":"top","toNode":"0138bfb5c46d71f1","toSide":"bottom"}
]
}

2
00. Inbox/Windows/powercfg powerthrottling 關閉.md → 00. Inbox/Windows/powercfg powerthrottling.md
View File

@@ -1,4 +1,4 @@
對於特定的軟體,使用 `powercfg` 來關閉 powerthrottling。例如VirtualBox永遠全速執行: 對於特定的軟體,使用 `powercfg` 來關閉 powerthrottling。例如讓 [VirtualBox](https://www.virtualbox.org/) 最大效能執行:
```cmd ```cmd
powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe"
powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" powercfg /powerthrottling DISABLE /PATH "C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe"

9
00. Inbox/樹莓派/00. 樹莓派.canvas → 00. Inbox/樹莓派/00. _Map.canvas
View File

@@ -6,19 +6,20 @@
{"id":"d624199752cf24de","type":"text","text":"![[更新與安裝工具]]","x":460,"y":-340,"width":360,"height":120}, {"id":"d624199752cf24de","type":"text","text":"![[更新與安裝工具]]","x":460,"y":-340,"width":360,"height":120},
{"id":"bc030994aafc5a3b","type":"text","text":"![[bashrc]]","x":460,"y":-37,"width":360,"height":177}, {"id":"bc030994aafc5a3b","type":"text","text":"![[bashrc]]","x":460,"y":-37,"width":360,"height":177},
{"id":"6875474760fafe7c","type":"text","text":"![[raspi-config]]","x":460,"y":-200,"width":360,"height":140}, {"id":"6875474760fafe7c","type":"text","text":"![[raspi-config]]","x":460,"y":-200,"width":360,"height":140},
{"id":"b77234a9cdf72aad","type":"text","text":"# 安裝 docker\n[[00. Inbox/Linux/Docker|Docker]]","x":940,"y":-340,"width":440,"height":120},
{"id":"f210470376a4829d","type":"text","text":"![[設定Cloudflare DDNS]]","x":460,"y":370,"width":360,"height":150}, {"id":"f210470376a4829d","type":"text","text":"![[設定Cloudflare DDNS]]","x":460,"y":370,"width":360,"height":150},
{"id":"ef9431e16c90f57f","type":"text","text":"設定![[smb client]]","x":460,"y":540,"width":360,"height":180}, {"id":"ef9431e16c90f57f","type":"text","text":"設定![[smb client]]","x":460,"y":540,"width":360,"height":180},
{"id":"6e59f6b9f36b24e2","type":"text","text":"![[安裝]]","x":-40,"y":132,"width":383,"height":177}, {"id":"6e59f6b9f36b24e2","type":"text","text":"![[安裝]]","x":-40,"y":132,"width":383,"height":177},
{"id":"2a7d5efcc0f2dc0e","type":"text","text":"# 安裝 Portainer\n教學 [Portainer一款圖形化容器管理工具方格子 vocus](https://vocus.cc/article/643e9f74fd89780001b51739)\n\n官網[Portainer: Container Management Software for Kubernetes and Docker](https://www.portainer.io/)","x":940,"y":489,"width":440,"height":191},
{"id":"a63a5baed201beda","type":"text","text":"![[設定日誌大小]]","x":460,"y":163,"width":360,"height":180},
{"id":"b77234a9cdf72aad","type":"text","text":"# 安裝 docker\n[[00. Inbox/Linux/Docker|Docker]]","x":940,"y":-340,"width":440,"height":120},
{"id":"d0711febf5985ed5","type":"text","text":"# 安裝nginx-certbot\n教學: [iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/m/articles/10301801\n\nGithub: [JonasAlfredsson/docker-nginx-certbot: Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.](https://github.com/JonasAlfredsson/docker-nginx-certbot)","x":940,"y":-190,"width":440,"height":240}, {"id":"d0711febf5985ed5","type":"text","text":"# 安裝nginx-certbot\n教學: [iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/m/articles/10301801\n\nGithub: [JonasAlfredsson/docker-nginx-certbot: Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.](https://github.com/JonasAlfredsson/docker-nginx-certbot)","x":940,"y":-190,"width":440,"height":240},
{"id":"b900ad17a2841b99","type":"text","text":"# 安裝 Filebrowser\n[官方安裝流程](https://filebrowser.org/installation#docker)","x":1400,"y":-340,"width":440,"height":120}, {"id":"b900ad17a2841b99","type":"text","text":"# 安裝 Filebrowser\n[官方安裝流程](https://filebrowser.org/installation#docker)","x":1400,"y":-340,"width":440,"height":120},
{"id":"8cac63e48dff1f2a","type":"text","text":"# 安裝 Gitea\n官方教學[Installation with Docker](https://docs.gitea.com/installation/install-with-docker)\n\n設定Gmail寄信[Gitea 使用 Gmail 寄信 - 筆記ZONE](https://zonego.tw/2021/11/14/gitea-gmail/)\n","x":940,"y":80,"width":440,"height":140}, {"id":"8cac63e48dff1f2a","type":"text","text":"# 安裝 Gitea\n官方教學[Installation with Docker](https://docs.gitea.com/installation/install-with-docker)\n\n設定Gmail寄信[Gitea 使用 Gmail 寄信 - 筆記ZONE](https://zonego.tw/2021/11/14/gitea-gmail/)\n","x":940,"y":80,"width":440,"height":140},
{"id":"94fa9ef036dbe62a","type":"text","text":"# Speedtest 測試\n超簡單命令`docker run --rm robinmanuelthiel/speedtest:latest`\n\nGithub: [robinmanuelthiel/speedtest: Check internet bandwidth from a Docker container and save the results to an InfluxDB](https://github.com/robinmanuelthiel/speedtest)","x":940,"y":253,"width":440,"height":207}, {"id":"94fa9ef036dbe62a","type":"text","text":"# Speedtest 測試\n超簡單命令`docker run --rm robinmanuelthiel/speedtest:latest`\n\nGithub: [robinmanuelthiel/speedtest: Check internet bandwidth from a Docker container and save the results to an InfluxDB](https://github.com/robinmanuelthiel/speedtest)","x":940,"y":253,"width":440,"height":207},
{"id":"2a7d5efcc0f2dc0e","type":"text","text":"# 安裝 Portainer\n教學 [Portainer一款圖形化容器管理工具方格子 vocus](https://vocus.cc/article/643e9f74fd89780001b51739)\n\n官網[Portainer: Container Management Software for Kubernetes and Docker](https://www.portainer.io/)","x":940,"y":489,"width":440,"height":191},
{"id":"94f3e389e2687b35","type":"text","text":"# 安裝 Watch Tower\n![[Watchtower#或使用 docke-compose.yml|docke-compose.yml]]","x":1400,"y":-190,"width":440,"height":322}, {"id":"94f3e389e2687b35","type":"text","text":"# 安裝 Watch Tower\n![[Watchtower#或使用 docke-compose.yml|docke-compose.yml]]","x":1400,"y":-190,"width":440,"height":322},
{"id":"fc32cf264646fdec","type":"text","text":"# 安裝 Storj\n![[Storj]]","x":1400,"y":160,"width":440,"height":300}, {"id":"fc32cf264646fdec","type":"text","text":"# 安裝 Storj\n![[Storj]]","x":1400,"y":160,"width":440,"height":300},
{"id":"a63a5baed201beda","type":"text","text":"![[設定日誌大小]]","x":460,"y":163,"width":360,"height":180}, {"id":"ff16e3814718d144","type":"text","text":"# 設定 crontab\n1. 用[[ddns.sh]]定時更新DNS\n2. 用[[backup_docker_gitea.sh]]備份 gitea docker\n3. 用[[backup_pi.sh]]備份整張SD卡","x":1960,"y":-340,"width":440,"height":150},
{"id":"ff16e3814718d144","type":"text","text":"# 設定 crontab\n1. 用[[ddns.sh]]定時更新DNS\n2. 用[[backup_docker_gitea.sh]]備份 gitea docker\n3. 用[[backup_pi.sh]]備份整張SD卡","x":1960,"y":-340,"width":440,"height":150} {"id":"3f1bf9d99d9d544d","x":1400,"y":489,"width":440,"height":191,"type":"text","text":"# 安裝 [Nxtcloud](https://nextcloud.com/)\n![[Nextcloud]]"}
], ],
"edges":[ "edges":[
{"id":"9683c15c63c167c0","fromNode":"6e59f6b9f36b24e2","fromSide":"right","toNode":"e94c9e71b9aeaa89","toSide":"left"}, {"id":"9683c15c63c167c0","fromNode":"6e59f6b9f36b24e2","fromSide":"right","toNode":"e94c9e71b9aeaa89","toSide":"left"},

292
05. 資料收集/架站/HTTP Server/Nginx/Reverse Proxy(Layer4).md
View File

@@ -1,292 +0,0 @@
## Reverse Proxy(Layer4)
一般的Reverse Proxy所用的方法雖然可以反向代理多個網站但是對於像是Trojan這種TLS不行被中斷的服務來說會導致handshake失敗所以需要用Nginx的stream來做Layer 4的轉發。
### docker-compose.yaml
需要先把`nginx.conf``mime.types`給copy到data目錄下。
依序執行下面2個命令
```shell
sudo docker run --rm -it nginx cat /etc/nginx/nginx.conf > nginx.conf
sudo docker run --rm -it nginx cat /etc/nginx/mime.types > mime.types
```
然後:
```shell
mkdir data ;\
mv nginx.conf mime.types data
```
建立`docker-compose.yaml`
```yaml
version: '3'
services:
nginx_reverseproxy_l4:
container_name: nginx
restart: always
image: nginx
ports:
- "80:80"
- "443:443"
volumes:
- ./data:/etc/nginx
```
修改`data/nginx.conf`
```nginx
events {
worker_connections 1024; <-- event 不用動
}
stream {
map $ssl_preread_server_name $backend_name {
tjn.awin.one trojan;
storj.awin.one swag;
}
# trojan
upstream trojan {
server 192.168.1.31:443;
}
# swag
upstream swag {
server 192.168.1.20:44320;
}
# 监听 443 并开启 ssl_preread
server {
listen 80 reuseport;
listen 443 reuseport;
listen [::]:443 reuseport;
proxy_pass $backend_name;
ssl_preread on;
}
}
http {
... <-- http 不用動
}
```
重點來源:
1. [Trojan 共用 443 端口方案 - 程小白](https://www.chengxiaobai.cn/record/trojan-shared-443-port-scheme.html)
2. [NaiveProxy + Trojan + 多HTTPS站点共存复用443端口 | 心底的河流](https://lhy.life/20200815-naiveproxy+trojan/)
3. `$ssl_preread_server_name`的官方說明:[Module ngx_stream_ssl_preread_module](http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html)
## Reverse Proxy
> **重要**確定docker與docker-compose已經安裝好。
> 參考[[RaspberryPi#Docker]]與[[RaspberryPi#docker-compose]]
### Use SWAG docker
[swag](https://github.com/linuxserver/docker-swag)(之前叫做letsencrypt)是linuxserver.io包裝的Nginx webserver和reverse proxy的container。
#### Setup HTTPS
1. 建立folder
```bash
mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag
```
2. 建立`docker-compose.yaml`
```
vim docker-compose.yaml
```
填入內容如下:
```yaml
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Taipei
- URL=awin.one
- SUBDOMAINS=wildcard
- VALIDATION=dns
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- DUCKDNSTOKEN= #optional
- EMAIL=awinhuang@gmail.com
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- MAXMINDDB_LICENSE_KEY= #optional
volumes:
- ./config:/config
ports:
- 44320:443
- 8020:80 #optional
restart: unless-stopped
```
3. 先跑一次:
```bash
sudo docker-compose up
```
會發現有錯誤,這是正常的,錯誤訊息像這樣:
```
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag | Cleaning up challenges
swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```
按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`
```bash
vim config/dns-conf/cloudflare.ini
```
把`config/dns-conf/cloudflare.ini`改為:
```
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
4. 再跑一次:
```bash
sudo docker-compose up
```
這一次就可以順利取得認證了,訊息像這樣:
```
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:
swag | /etc/letsencrypt/live/awin.one/fullchain.pem
swag | Your key file has been saved at:
swag | /etc/letsencrypt/live/awin.one/privkey.pem
swag | Your certificate will expire on 2021-04-26. To obtain a new or
swag | tweaked version of this certificate in the future, simply run
swag | certbot again. To non-interactively renew *all* of your
swag | certificates, run "certbot renew"
swag | - If you like Certbot, please consider supporting our work by:
swag |
swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
swag | Donating to EFF: https://eff.org/donate-le
swag |
swag | New certificate generated; starting nginx
swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag | [cont-init.d] 50-config: exited 0.
swag | [cont-init.d] 60-renew: executing...
swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag | [cont-init.d] 60-renew: exited 0.
swag | [cont-init.d] 70-templates: executing...
swag | [cont-init.d] 70-templates: exited 0.
swag | [cont-init.d] 99-custom-files: executing...
swag | [custom-init] no custom files found exiting...
swag | [cont-init.d] 99-custom-files: exited 0.
swag | [cont-init.d] done.
swag | [services.d] starting services
swag | [services.d] done.
swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag | Server ready
```
最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出再來設定reverse proxy。
5. 修正`config/dns-conf/cloudflare.ini`的安全性問題
```
cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini
```
#### Setup reverse proxy
1. 建立folder
```
cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled
```
2. 建立以下檔案:
- `config/nginx/sites-available/common.conf`,內容:
```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
- `config/nginx/sites-available/common_location.conf`,內容:
```
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
- `config/nginx/sites-available/storj.conf`,內容:
```
upstream storj {
server 192.168.1.11:14002;
}
server {
listen 443 ssl;
server_name storj.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.11:14002/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
3. 在`config/nginx/sites-enabled`裡面建立要enable的config
```
cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -
```
4. 修改`config/nginx/nginx.conf`
```
vim config/nginx/nginx.conf
```
找到`include /config/nginx/site-confs/*;`這一行把它comment掉在下面新增一行
```
include /config/nginx/sites-enabled/*.conf;
```
5. 啟動swag
```
cd ~/dockers/linuxserverswag ; sudo docker-compose up -d
```
#### Restart
```bash
cd ~/dockers/linuxserverswag ; sudo docker-compose restart
```
#### Update certification
1. 進到dockr的swag bash裡面`sudo docker exec -it swag /bin/bash`
2. 輸入 `certbot renew`
3. ![[Pasted image 20210422205534.png]]
#### Trouble shooting
- 如果遇到類似下面的錯誤:
```
ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
```
表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。[^1]
#### 參考來源
1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag)
2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/)
3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure)
-----
- 參考
- [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
- [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy)
- [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/)
- [俄羅斯不愧是戰鬥民族nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498)
[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/)

247
05. 資料收集/架站/SWAG Reverse proxy.md
View File

@@ -1,247 +0,0 @@
[SWAG](https://docs.linuxserver.io/general/swag)可以幫我們反向代理並且有https。是由linuxserver.io包裝的Nginx webserver和reverse proxy的container。
#### 建立docker-compose
1. 建立folder
```bash
mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag
```
2. 建立`docker-compose.yaml`
```
vim docker-compose.yaml
```
填入內容如下:
```yaml
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Taipei
- URL=awin.one
- SUBDOMAINS=wildcard
- VALIDATION=dns
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- DUCKDNSTOKEN= #optional
- EMAIL=awinhuang@gmail.com
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- MAXMINDDB_LICENSE_KEY= #optional
volumes:
- ./config:/config
ports:
- 44320:443
- 8020:80 #optional
restart: unless-stopped
```
3. 先跑一次:
```bash
sudo docker-compose up
```
會發現有錯誤,這是正常的,錯誤訊息像這樣:
```
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag | Cleaning up challenges
swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```
按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`
```bash
vim config/dns-conf/cloudflare.ini
```
把`config/dns-conf/cloudflare.ini`改為:
```
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
4. 再跑一次:
```bash
sudo docker-compose up
```
這一次就可以順利取得認證了,訊息像這樣:
```
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:
swag | /etc/letsencrypt/live/awin.one/fullchain.pem
swag | Your key file has been saved at:
swag | /etc/letsencrypt/live/awin.one/privkey.pem
swag | Your certificate will expire on 2021-04-26. To obtain a new or
swag | tweaked version of this certificate in the future, simply run
swag | certbot again. To non-interactively renew *all* of your
swag | certificates, run "certbot renew"
swag | - If you like Certbot, please consider supporting our work by:
swag |
swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
swag | Donating to EFF: https://eff.org/donate-le
swag |
swag | New certificate generated; starting nginx
swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag | [cont-init.d] 50-config: exited 0.
swag | [cont-init.d] 60-renew: executing...
swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag | [cont-init.d] 60-renew: exited 0.
swag | [cont-init.d] 70-templates: executing...
swag | [cont-init.d] 70-templates: exited 0.
swag | [cont-init.d] 99-custom-files: executing...
swag | [custom-init] no custom files found exiting...
swag | [cont-init.d] 99-custom-files: exited 0.
swag | [cont-init.d] done.
swag | [services.d] starting services
swag | [services.d] done.
swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag | Server ready
```
最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出再來設定reverse proxy。
5. 修正`config/dns-conf/cloudflare.ini`的安全性問題
```
cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini
```
#### Setup reverse proxy
1. 建立folder
```
cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled
```
2. 建立以下檔案:
- `config/nginx/sites-available/common.conf`,內容:
```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
- `config/nginx/sites-available/common_location.conf`,內容:
```
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
- `config/nginx/sites-available/storj.conf`,內容:
```
upstream storj {
server 192.168.1.11:14002;
}
server {
listen 443 ssl;
server_name storj.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.11:14002/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/blog.conf`,內容:
```
upstream blog {
server 192.168.1.30:80;
}
server {
listen 443 ssl;
server_name blog.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.30:80/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/gitea.conf`,內容:
```
upstream gitea {
server 192.168.1.32:3000; ## 網址
}
server {
listen 443 ssl;
server_name gitea.awin.one; ## 網域
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.32:3000/; ## 網址
include /config/nginx/sites-available/common_location.conf;
}
}
```
3. 在`config/nginx/sites-enabled`裡面建立要enable的config
```
cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -
```
4. 修改`config/nginx/nginx.conf`
```
vim config/nginx/nginx.conf
```
找到`include /config/nginx/site-confs/*;`這一行把它comment掉在下面新增一行
```
include /config/nginx/sites-enabled/*.conf;
```
5. 啟動swag
```
cd ~/dockers/linuxserverswag ; sudo docker-compose up -d
```
#### Restart
```bash
cd ~/dockers/linuxserverswag ; sudo docker-compose restart
```
#### Update certification
1. 進到dockr的swag bash裡面`sudo docker exec -it swag /bin/bash`
2. 輸入 `certbot renew`
3. ![[Pasted image 20210422205534.png]]
#### Trouble shooting
- 如果遇到類似下面的錯誤:
```
ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
```
表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。[^1]
#### 參考來源
1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag)
2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/)
3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure)
4. [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
5. [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy)
6. [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/)
7. [俄羅斯不愧是戰鬥民族nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498)
[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/)

38
05. 資料收集/架站/Trojan.md
View File

@@ -1,38 +0,0 @@
## 準備
1. 新增一台container先更新container
```
apt update ;\
apu upgrade -y ;\
apt install curl vim -y
```
2. 安裝trojan
```
mkdir -p ~/trojan ;\
cd ~/trojan
curl -O https://raw.githubusercontent.com/atrandys/trojan/master/trojan_mult.sh ; chmod +x trojan_mult.sh ; ./trojan_mult.sh
```
3. ![trojan](https://lab.twidc.net/wp-content/uploads/2020/12/2-1.jpg)
4. ![3 1](https://lab.twidc.net/wp-content/uploads/2020/12/3-1.jpg)
5. ![4 1](https://lab.twidc.net/wp-content/uploads/2020/12/4-1.jpg)
6. ![5 1](https://lab.twidc.net/wp-content/uploads/2020/12/5-1.jpg)
-----
參考:
1. [Trojan 上網架設(替代VPN)爬梯子 科學上網 利器 - TWIDC](https://lab.twidc.net/trojan-%E4%B8%8A%E7%B6%B2%E6%9E%B6%E7%BD%AE%E6%9B%BF%E4%BB%A3vpn/)
2. [Trojan搭建私人VPN - Lingme](https://lingmin.me/2020/03/03/TrojanVPS/)
3. [[转载+修改]使用Trojan-Go科学上网 - 996 RIP](https://typecho.996.rip/index.php/archives/20/)
4. Source code: [Releases · trojan-gfw/trojan](https://github.com/trojan-gfw/trojan/releases)
## 更新憑證
1. 更新acme`acme.sh --upgrade`
2. 先停止 trojan-web
```bash
systemctl stop trojan-web
```
3. 停止 trojan如下圖
![[Pasted image 20220815134750.png|500]]
4. 切換到 `/root/.acme.sh`,執行 `./acme.sh --cron -f`,如果憑證更新成功,應該會看到類似如下訊息:
![[Pasted image 20220815135026.png|800]]
5. 重啟 trojan
![[Pasted image 20220815135248.png|400]]
6. 重啟trojan-web`systemctl start trojan-web`